Ingo Molnar [Tue, 15 Feb 2011 03:10:35 +0000 (04:10 +0100)]
Merge branch 'urgent' of git://git./linux/kernel/git/rric/oprofile into perf/urgent
Ian Campbell [Fri, 11 Feb 2011 07:44:16 +0000 (07:44 +0000)]
arp_notify: unconditionally send gratuitous ARP for NETDEV_NOTIFY_PEERS.
NETDEV_NOTIFY_PEER is an explicit request by the driver to send a link
notification while NETDEV_UP/NETDEV_CHANGEADDR generate link
notifications as a sort of side effect.
In the later cases the sysctl option is present because link
notification events can have undesired effects e.g. if the link is
flapping. I don't think this applies in the case of an explicit
request from a driver.
This patch makes NETDEV_NOTIFY_PEER unconditional, if preferred we
could add a new sysctl for this case which defaults to on.
This change causes Xen post-migration ARP notifications (which cause
switches to relearn their MAC tables etc) to be sent by default.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Casey Leedom [Mon, 14 Feb 2011 12:56:25 +0000 (12:56 +0000)]
cxgb4vf: Use defined Mailbox Timeout
VF Driver should use mailbox command timeout specified in t4fw_interface.h
rather than hard-coded value of 500ms.
Signed-off-by: Casey Leedom <leedom@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Casey Leedom [Mon, 14 Feb 2011 12:56:24 +0000 (12:56 +0000)]
cxgb4vf: Quiesce Virtual Interfaces on shutdown ...
When a Virtual Machine is rebooted, KVM currently fails to issue a Function
Level Reset against any "Attached PCI Devices" (AKA "PCI Passthrough"). In
addition to leaving the attached device in a random state in the next booted
kernel (which sort of violates the entire idea of a reboot reseting hardware
state), this leaves our peer thinking that the link is still up. (Note that
a bug has been filed with the KVM folks, #25332, but there's been no
response on that as of yet.) So, we add a "->shutdown()" method for the
Virtual Function PCI Device to handle administrative shutdowns like a
reboot.
Signed-off-by: Casey Leedom <leedom@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Casey Leedom [Mon, 14 Feb 2011 12:56:23 +0000 (12:56 +0000)]
cxgb4vf: Behave properly when CONFIG_DEBUG_FS isn't defined ...
When CONFIG_DEBUG_FS we get "ERR_PTR()"s back from the debugfs routines
instead of NULL. Use the right predicates to check for this.
Signed-off-by: Casey Leedom <leedom@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Casey Leedom [Mon, 14 Feb 2011 12:56:22 +0000 (12:56 +0000)]
cxgb4vf: Check driver parameters in the right place ...
Check module parameter validity in the module initialization routine instead
of the PCI Device Probe routine.
Signed-off-by: Casey Leedom <leedom@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alex Deucher [Mon, 14 Feb 2011 16:43:11 +0000 (11:43 -0500)]
drm/radeon/kms: hopefully fix pll issues for real (v3)
The problematic boards have a recommended reference divider
to be used when spread spectrum is enabled on the laptop panel.
Enable the use of the recommended reference divider along with
the new pll algo.
v2: testing options
v3: When using the fixed reference divider with LVDS, prefer
min m to max p and use fractional feedback dividers.
Fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=28852
https://bugzilla.kernel.org/show_bug.cgi?id=24462
https://bugzilla.kernel.org/show_bug.cgi?id=26552
MacbookPro issues reported by Justin Mattock <justinmattock@gmail.com>
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Alex Deucher [Mon, 14 Feb 2011 16:43:10 +0000 (11:43 -0500)]
drm/radeon/kms: add bounds checking to avivo pll algo
Prevent divider overflow.
Fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=28932
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Xiao Jiang [Mon, 14 Feb 2011 09:58:23 +0000 (17:58 +0800)]
drm: fix wrong usages of drm_device in DRM Developer's Guide
A few wrong usages of drm_device, which should be drm_driver.
Signed-off-by: Xiao Jiang <jgq516@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Alex Deucher [Mon, 14 Feb 2011 21:16:22 +0000 (16:16 -0500)]
drm/radeon/kms: fix a few more atombios endian issues
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Linus Torvalds [Mon, 14 Feb 2011 22:49:29 +0000 (14:49 -0800)]
Merge branch 'fixes' of /home/rmk/linux-2.6-arm
* 'fixes' of master.kernel.org:/home/rmk/linux-2.6-arm:
ARM: 6657/1: hw_breakpoint: fix ptrace breakpoint advertising on unsupported arch
ARM: 6656/1: hw_breakpoint: avoid UNPREDICTABLE behaviour when reading DBGDSCR
ARM: 6658/1: collie: do actually pass locomo_info to locomo driver
ARM: 6659/1: Thumb-2: Make CONFIG_OABI_COMPAT depend on !CONFIG_THUMB2_KERNEL
ARM: 6654/1: perf/oprofile: fix off-by-one in stack check
ARM: fixup SMP alternatives in modules
ARM: make SWP emulation explicit on !CPU_USE_DOMAINS
ARM: Avoid building unsafe kernels on OMAP2 and MX3
ARM: pxa: Properly configure PWM period for palm27x
ARM: pxa: only save/restore registers when pm functions are defined
ARM: pxa/colibri: use correct SD detect pin
ARM: pxa: fix mfpr_sync to read from valid offset
Toshiharu Okada [Sun, 13 Feb 2011 22:51:54 +0000 (22:51 +0000)]
pch_gbe: Fix the MAC Address load issue.
With the specification of hardware,
the processing at the time of driver starting was modified.
This device write automatically the MAC address read from serial ROM
into a MAC Adress1A/1B register at the time of power on reset.
However, when stable clock is not supplied,
the writing of MAC Adress1A/1B register may not be completed.
In this case, it is necessary to load MAC address to MAC Address1A/1B register
by the MAC Address1 load register.
This patch always does the above processing,
in order not to be dependent on system environment.
Signed-off-by: Toshiharu Okada <toshiharu-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 14 Feb 2011 21:28:00 +0000 (13:28 -0800)]
iwlwifi: Delete iwl3945_good_plcp_health.
Fixes this build warning:
drivers/net/wireless/iwlwifi/iwl-3945.c:411:13: warning: 'iwl3945_good_plcp_health' defined but not used
As per Johannes Berg.
Signed-off-by: David S. Miller <davem@davemloft.net>
Tsutomu Itoh [Mon, 14 Feb 2011 00:45:29 +0000 (00:45 +0000)]
Btrfs: check return value of alloc_extent_map()
I add the check on the return value of alloc_extent_map() to several places.
In addition, alloc_extent_map() returns only the address or NULL.
Therefore, check by IS_ERR() is unnecessary. So, I remove IS_ERR() checking.
Signed-off-by: Tsutomu Itoh <t-itoh@jp.fujitsu.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>
Ilya Dryomov [Sun, 6 Feb 2011 19:58:21 +0000 (19:58 +0000)]
Btrfs - Fix memory leak in btrfs_init_new_device()
Memory allocated by calling kstrdup() should be freed.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>
Dan Rosenberg [Mon, 14 Feb 2011 21:04:23 +0000 (16:04 -0500)]
btrfs: prevent heap corruption in btrfs_ioctl_space_info()
Commit
bf5fc093c5b625e4259203f1cee7ca73488a5620 refactored
btrfs_ioctl_space_info() and introduced several security issues.
space_args.space_slots is an unsigned 64-bit type controlled by a
possibly unprivileged caller. The comparison as a signed int type
allows providing values that are treated as negative and cause the
subsequent allocation size calculation to wrap, or be truncated to 0.
By providing a size that's truncated to 0, kmalloc() will return
ZERO_SIZE_PTR. It's also possible to provide a value smaller than the
slot count. The subsequent loop ignores the allocation size when
copying data in, resulting in a heap overflow or write to ZERO_SIZE_PTR.
The fix changes the slot count type and comparison typecast to u64,
which prevents truncation or signedness errors, and also ensures that we
don't copy more data than we've allocated in the subsequent loop. Note
that zero-size allocations are no longer possible since there is already
an explicit check for space_args.space_slots being 0 and truncation of
this value is no longer an issue.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Josef Bacik <josef@redhat.com>
Reviewed-by: Josef Bacik <josef@redhat.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>
Yan, Zheng [Mon, 14 Feb 2011 21:00:03 +0000 (16:00 -0500)]
Btrfs: Fix balance panic
Mark the cloned backref_node as checked in clone_backref_node()
Signed-off-by: Yan, Zheng <zheng.z.yan@intel.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>
David S. Miller [Mon, 14 Feb 2011 20:51:42 +0000 (12:51 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6
Kurt Van Dijck [Mon, 14 Feb 2011 19:44:01 +0000 (11:44 -0800)]
net/can/softing: make CAN_SOFTING_CS depend on CAN_SOFTING
The statement 'select CAN_SOFTING' may ignore the dependancies
for CAN_SOFTING while selecting CAN_SOFTING_CS, as is therefore a bad choice.
Signed-off-by: Kurt Van Dijck <kurt.van.dijck@eia.be>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 14 Feb 2011 19:16:12 +0000 (11:16 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/kaber/nf-2.6
Linus Torvalds [Mon, 14 Feb 2011 18:10:37 +0000 (10:10 -0800)]
Merge branch 'devicetree/merge' of git://git.secretlab.ca/git/linux-2.6
* 'devicetree/merge' of git://git.secretlab.ca/git/linux-2.6:
Revert "dt: add documentation of ARM dt boot interface"
Linus Torvalds [Mon, 14 Feb 2011 18:10:07 +0000 (10:10 -0800)]
Merge branch 'rtc-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip
* 'rtc-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
RTC: Fix minor compile warning
RTC: Convert rtc drivers to use the alarm_irq_enable method
RTC: Fix rtc driver ioctl specific shortcutting
Chris Mason [Mon, 14 Feb 2011 17:52:08 +0000 (12:52 -0500)]
Btrfs: don't release pages when we can't clear the uptodate bits
Btrfs tracks uptodate state in an rbtree as well as in the
page bits. This is supposed to enable us to use block sizes other than
the page size, but there are a few parts still missing before that
completely works.
But, our readpage routine trusts this additional range based tracking
of uptodateness, much in the same way the buffer head up to date bits
are trusted for the other filesystems.
The problem is that sometimes we need to allocate memory in order to
split records in the rbtree, even when we are just clearing bits. This
can be difficult when our clearing function is called GFP_ATOMIC, which
can happen in the releasepage path.
So, what happens today looks like this:
releasepage called with GFP_ATOMIC
btrfs_releasepage calls clear_extent_bit
clear_extent_bit fails to allocate ram, leaving the up to date bit set
btrfs_releasepage returns success
The end result is the page being gone, but btrfs thinking the range is
up to date. Later on if someone tries to read that same page, the
btrfs readpage code will return immediately thinking the page is already
up to date.
This commit fixes things to fail the releasepage when we can't clear the
extent state bits. It covers both data pages and metadata tree blocks.
Signed-off-by: Chris Mason <chris.mason@oracle.com>
Chris Mason [Thu, 10 Feb 2011 17:35:00 +0000 (12:35 -0500)]
Btrfs: fix page->private races
There is a race where btrfs_releasepage can drop the
page->private contents just as alloc_extent_buffer is setting
up pages for metadata. Because of how the Btrfs page flags work,
this results in us skipping the crc on the page during IO.
This patch sovles the race by waiting until after the extent buffer
is inserted into the radix tree before it sets page private.
Signed-off-by: Chris Mason <chris.mason@oracle.com>
Patrick McHardy [Mon, 14 Feb 2011 16:35:07 +0000 (17:35 +0100)]
netfilter: nf_iterate: fix incorrect RCU usage
As noticed by Eric, nf_iterate doesn't use RCU correctly by
accessing the prev pointer of a RCU protected list element when
a verdict of NF_REPEAT is issued.
Fix by jumping backwards to the hook invocation directly instead
of loading the previous list element before continuing the list
iteration.
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
J. Bruce Fields [Sun, 6 Feb 2011 21:46:30 +0000 (16:46 -0500)]
nfsd: break lease on unlink due to rename
4795bb37effb7b8fe77e2d2034545d062d3788a8 "nfsd: break lease on unlink,
link, and rename", only broke the lease on the file that was being
renamed, and didn't handle the case where the target path refers to an
already-existing file that will be unlinked by a rename--in that case
the target file should have any leases broken as well.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
J. Bruce Fields [Tue, 1 Feb 2011 00:20:39 +0000 (19:20 -0500)]
nfsd4: acquire only one lease per file
Instead of acquiring one lease each time another client opens a file,
nfsd can acquire just one lease to represent all of them, and reference
count it to determine when to release it.
This fixes a regression introduced by
c45821d263a8a5109d69a9e8942b8d65bcd5f31a "locks: eliminate fl_mylease
callback": after that patch, only the struct file * is used to determine
who owns a given lease. But since we recently converted the server to
share a single struct file per open, if we acquire multiple leases on
the same file from nfsd, it then becomes impossible on unlocking a lease
to determine which of those leases (all of whom share the same struct
file *) we meant to remove.
Thanks to Takashi Iwai <tiwai@suse.de> for catching a bug in a previous
version of this patch.
Tested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
J. Bruce Fields [Mon, 7 Feb 2011 21:53:46 +0000 (16:53 -0500)]
nfsd4: modify fi_delegations under recall_lock
Modify fi_delegations only under the recall_lock, allowing us to use
that list on lease breaks.
Also some trivial cleanup to simplify later changes.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
J. Bruce Fields [Mon, 7 Feb 2011 20:44:12 +0000 (15:44 -0500)]
nfsd4: remove unused deleg dprintk's.
These aren't all that useful, and get in the way of the next steps.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
J. Bruce Fields [Mon, 31 Jan 2011 22:58:10 +0000 (17:58 -0500)]
nfsd4: split lease setting into separate function
Splitting some code into a separate function which we'll be adding some
more to.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
J. Bruce Fields [Mon, 31 Jan 2011 22:14:55 +0000 (17:14 -0500)]
nfsd4: fix leak on allocation error
Also share some common exit code.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
J. Bruce Fields [Mon, 31 Jan 2011 16:55:12 +0000 (11:55 -0500)]
nfsd4: add helper function for lease setup
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
J. Bruce Fields [Mon, 31 Jan 2011 16:54:04 +0000 (11:54 -0500)]
nfsd4: split up nfsd_break_deleg_cb
We'll be adding some more code here soon.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Konstantin Khorenko [Tue, 1 Feb 2011 14:16:29 +0000 (17:16 +0300)]
NFSD: memory corruption due to writing beyond the stat array
If nfsd fails to find an exported via NFS file in the readahead cache, it
should increment corresponding nfsdstats counter (ra_depth[10]), but due to a
bug it may instead write to ra_depth[11], corrupting the following field.
In a kernel with NFSDv4 compiled in the corruption takes the form of an
increment of a counter of the number of NFSv4 operation 0's received; since
there is no operation 0, this is harmless.
In a kernel with NFSDv4 disabled it corrupts whatever happens to be in the
memory beyond nfsdstats.
Signed-off-by: Konstantin Khorenko <khorenko@openvz.org>
Cc: stable@kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Benny Halevy [Thu, 13 Jan 2011 09:25:31 +0000 (11:25 +0200)]
NFSD: use nfserr for status after decode_cb_op_status
Bugs introduced in
85a56480191ca9f08fc775c129b9eb5c8c1f2c05
"NFSD: Update XDR decoders in NFSv4 callback client"
Cc: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Benny Halevy <bhalevy@panasas.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
J. Bruce Fields [Sat, 15 Jan 2011 01:00:02 +0000 (20:00 -0500)]
nfsd: don't leak dentry count on mnt_want_write failure
The exit cleanup isn't quite right here.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Grant Likely [Mon, 14 Feb 2011 15:13:20 +0000 (08:13 -0700)]
Revert "dt: add documentation of ARM dt boot interface"
This reverts commit
9830fcd6f6a4781d8b46d2b35c13b39f30915c63.
The ARM dt support has not been merged yet; this documentation update
was premature.
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Tejun Heo [Mon, 14 Feb 2011 13:04:46 +0000 (14:04 +0100)]
workqueue: wake up a worker when a rescuer is leaving a gcwq
After executing the matching works, a rescuer leaves the gcwq whether
there are more pending works or not. This may decrease the
concurrency level to zero and stall execution until a new work item is
queued on the gcwq.
Make rescuer wake up a regular worker when it leaves a gcwq if there
are more works to execute, so that execution isn't stalled.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Ray Jui <rjui@broadcom.com>
Cc: stable@kernel.org
Borislav Petkov [Fri, 11 Feb 2011 17:17:54 +0000 (18:17 +0100)]
x86: Fix mwait_usable section mismatch
We use it in non __cpuinit code now too so drop marker.
Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
LKML-Reference: <
20110211171754.GA21047@aftab>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Dan Williams [Mon, 14 Feb 2011 08:42:08 +0000 (00:42 -0800)]
dmaengine: add slave-dma maintainer
Slave-dma has become the predominant usage model for dmaengine and needs
special attention. Memory-to-memory dma usage cases will continue to be
maintained by Dan.
Cc: Alan Cox <alan@linux.intel.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Dan Williams [Mon, 14 Feb 2011 10:40:46 +0000 (02:40 -0800)]
Merge branch 'imx' into dmaengine-fixes
Anatolij Gustschin [Mon, 31 Jan 2011 12:22:29 +0000 (13:22 +0100)]
dma: ipu_idmac: do not lose valid received data in the irq handler
Currently when two or more buffers are queued by the camera driver
and so the double buffering is enabled in the idmac, we lose one
frame comming from CSI since the reporting of arrival of the first
frame is deferred by the DMAIC_7_EOF interrupt handler and reporting
of the arrival of the last frame is not done at all. So when requesting
N frames from the image sensor we actually receive N - 1 frames in
user space.
The reason for this behaviour is that the DMAIC_7_EOF interrupt
handler misleadingly assumes that the CUR_BUF flag is pointing to the
buffer used by the IDMAC. Actually it is not the case since the
CUR_BUF flag will be flipped by the FSU when the FSU is sending the
<TASK>_NEW_FRM_RDY signal when new frame data is delivered by the CSI.
When sending this singal, FSU updates the DMA_CUR_BUF and the
DMA_BUFx_RDY flags: the DMA_CUR_BUF is flipped, the DMA_BUFx_RDY
is cleared, indicating that the frame data is beeing written by
the IDMAC to the pointed buffer. DMA_BUFx_RDY is supposed to be
set to the ready state again by the MCU, when it has handled the
received data. DMAIC_7_CUR_BUF flag won't be flipped here by the
IPU, so waiting for this event in the EOF interrupt handler is wrong.
Actually there is no spurious interrupt as described in the comments,
this is the valid DMAIC_7_EOF interrupt indicating reception of the
frame from CSI.
The patch removes code that waits for flipping of the DMAIC_7_CUR_BUF
flag in the DMAIC_7_EOF interrupt handler. As the comment in the
current code denotes, this waiting doesn't help anyway. As a result
of this removal the reporting of the first arrived frame is not
deferred to the time of arrival of the next frame and the drivers
software flag 'ichan->active_buffer' is in sync with DMAIC_7_CUR_BUF
flag, so the reception of all requested frames works.
This has been verified on the hardware which is triggering the
image sensor by the programmable state machine, allowing to
obtain exact number of frames. On this hardware we do not tolerate
losing frames.
This patch also removes resetting the DMA_BUFx_RDY flags of
all channels in ipu_disable_channel() since transfers on other
DMA channels might be triggered by other running tasks and the
buffers should always be ready for data sending or reception.
Signed-off-by: Anatolij Gustschin <agust@denx.de>
Reviewed-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Tested-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Thomas Gleixner [Mon, 14 Feb 2011 08:00:30 +0000 (09:00 +0100)]
Merge branch 'fortglx/2.6.38/tip/timers/rtc' of git://git.linaro.org/people/jstultz/linux into timers/urgent
Toshiharu Okada [Tue, 8 Feb 2011 22:15:59 +0000 (22:15 +0000)]
pch_gbe: Fix the issue that the receiving data is not normal.
This PCH_GBE driver had an issue that the receiving data is not normal.
This driver had not removed correctly the padding data
which the DMA include in receiving data.
This patch fixed this issue.
Signed-off-by: Toshiharu Okada <toshiharu-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Giuseppe Cavallaro [Mon, 14 Feb 2011 01:00:05 +0000 (17:00 -0800)]
stmmac: enable wol via magic frame by default.
This patch enables it by default when the driver starts.
This has been required by many people and seems to actually be
useful on STB.
At any rate, the WoL modes can be selected and turned-on/off
by using the ethtool at run-time by users.
Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jesper Juhl [Sun, 13 Feb 2011 10:49:32 +0000 (10:49 +0000)]
ATM, Solos PCI ADSL2+: Don't deref NULL pointer if net_ratelimit() and alloc_skb() interact badly.
If alloc_skb() fails to allocate memory and returns NULL then we want to
return -ENOMEM from drivers/atm/solos-pci.c::popen() regardless of the
value of net_ratelimit(). The way the code is today, we may not return if
net_ratelimit() returns 0, then we'll proceed to pass a NULL pointer to
skb_put() which will blow up in our face.
This patch ensures that we always return -ENOMEM on alloc_skb() failure
and only let the dev_warn() be controlled by the value of net_ratelimit().
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jesper Juhl [Sun, 13 Feb 2011 11:15:35 +0000 (11:15 +0000)]
Net, USB, Option, hso: Do not dereference NULL pointer
In drivers/net/usb/hso.c::hso_create_bulk_serial_device() we have this
code:
...
serial = kzalloc(sizeof(*serial), GFP_KERNEL);
if (!serial)
goto exit;
...
exit:
hso_free_tiomget(serial);
...
hso_free_tiomget() directly dereferences its argument, which in the
example above is a NULL pointer, ouch.
I could just add a 'if (serial)' test at the 'exit' label, but since most
freeing functions in the kernel accept NULL pointers (and it seems like
this was also assumed here) I opted to instead change 'hso_free_tiomget()'
so that it is safe to call it with a NULL argument. I also modified the
function to get rid of a pointles conditional before the call to
'usb_free_urb()' since that function already tests for NULL itself -
besides fixing the NULL deref this change also buys us a few bytes in
size.
Before:
$ size drivers/net/usb/hso.o
text data bss dec hex filename
32200 592 9960 42752 a700 drivers/net/usb/hso.o
After:
$ size drivers/net/usb/hso.o
text data bss dec hex filename
32196 592 9960 42748 a6fc drivers/net/usb/hso.o
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Miller [Mon, 14 Feb 2011 00:37:07 +0000 (16:37 -0800)]
klist: Fix object alignment on 64-bit.
Commit
c0e69a5bbc6f ("klist.c: bit 0 in pointer can't be used as flag")
intended to make sure that all klist objects were at least pointer size
aligned, but used the constant "4" which only works on 32-bit.
Use "sizeof(void *)" which is correct in all cases.
Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Jesper Nilsson <jesper.nilsson@axis.com>
Cc: stable <stable@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
David S. Miller [Mon, 14 Feb 2011 00:50:45 +0000 (16:50 -0800)]
hisax: Fix unchecked alloc_skb() return.
Jesper Juhl noticed that l2_pull_iqueue() does not
check to see if alloc_skb() fails.
Fix this by first trying to reallocate the headroom
if necessary, rather than later after we've made hard
to undo state changes.
Reported-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dave Airlie [Mon, 14 Feb 2011 00:13:34 +0000 (10:13 +1000)]
Merge remote branch 'intel/drm-intel-fixes' of /ssd/git/drm-next into drm-fixes
* 'intel/drm-intel-fixes' of /ssd/git/drm-next:
drm/i915: Fix resume regression from
5d1d0cc
drm/i915/tv: Use polling rather than interrupt-based hotplug
drm/i915: Trigger modesetting if force-audio changes
drm/i915/sdvo: If we have an EDID confirm it matches the mode of the connection
drm/i915: Disable RC6 on Ironlake
drm/i915/lvds: Restore dithering on native modes for gen2/3
drm/i915: Invalidate TLB caches on SNB BLT/BSD rings
Alex Deucher [Sun, 13 Feb 2011 23:42:41 +0000 (18:42 -0500)]
drm/radeon/kms: improve 6xx/7xx CS error output
Makes debugging CS rejections much easier.
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Marek Olšák [Mon, 14 Feb 2011 00:01:10 +0000 (01:01 +0100)]
drm/radeon/kms: check AA resolve registers on r300
This is an important security fix because we allowed arbitrary values
to be passed to AARESOLVE_OFFSET. This also puts the right buffer address
in the register.
Signed-off-by: Marek Olšák <maraeo@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Marek Olšák [Mon, 14 Feb 2011 00:01:09 +0000 (01:01 +0100)]
drm/radeon/kms: fix tracking of BLENDCNTL, COLOR_CHANNEL_MASK, and GB_Z on r300
Also move ZB_DEPTHCLEARVALUE to the list of safe regs.
Signed-off-by: Marek Olšák <maraeo@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Alex Deucher [Thu, 10 Feb 2011 19:51:34 +0000 (14:51 -0500)]
drm/radeon/kms: use linear aligned for evergreen/ni bo blits
Not only is linear aligned supposedly more performant,
linear general is only supported by the CB in single
slice mode. The texture hardware doesn't support
linear general, but I think the hw automatically
upgrades it to linear aligned.
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Alex Deucher [Thu, 10 Feb 2011 19:51:33 +0000 (14:51 -0500)]
drm/radeon/kms: use linear aligned for 6xx/7xx bo blits
Not only is linear aligned supposedly more performant,
linear general is only supported by the CB in single
slice mode. The texture hardware doesn't support
linear general, but I think the hw automatically
upgrades it to linear aligned.
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Dave Airlie [Thu, 10 Feb 2011 04:46:06 +0000 (14:46 +1000)]
drm/radeon: fix race between GPU reset and TTM delayed delete thread.
My evergreen has been in a remote PC for week and reset has never once
saved me from certain doom, I finally relocated to the box with a
serial cable and noticed an oops when the GPU resets, and the TTM
delayed delete thread tries to remove something from the GTT.
This stops the delayed delete thread from executing across the GPU
reset handler, and woot I can GPU reset now.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Alex Deucher [Mon, 14 Feb 2011 00:06:33 +0000 (19:06 -0500)]
drm/radeon/kms: evergreen/ni big endian fixes (v2)
Based on 6xx/7xx endian fixes from Cédric Cano.
v2: fix typo in shader
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Cédric Cano [Sat, 12 Feb 2011 00:45:38 +0000 (19:45 -0500)]
drm/radeon/kms: 6xx/7xx big endian fixes
agd5f: minor cleanups
Signed-off-by: Cédric Cano <ccano@interfaceconcept.com>
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Cédric Cano [Sat, 12 Feb 2011 00:45:37 +0000 (19:45 -0500)]
drm/radeon/kms: atombios big endian fixes
agd5f: additional cleanups/fixes
Signed-off-by: Cédric Cano <ccano@interfaceconcept.com>
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Cédric Cano [Sat, 12 Feb 2011 00:45:36 +0000 (19:45 -0500)]
drm/radeon: 6xx/7xx non-kms endian fixes
agd5f: minor cleanups
Signed-off-by: Cédric Cano <ccano@interfaceconcept.com>
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Marek Olšák [Sat, 12 Feb 2011 18:21:35 +0000 (19:21 +0100)]
drm/radeon/kms: optimize CS state checking for r100->r500
The colorbuffer, zbuffer, and texture states are checked only once when
they get changed. This improves performance in the apps which emit
lots of draw packets and few state changes.
This drops performance in glxgears by a 1% or so, but glxgears is not
a benchmark we care about.
The time spent in the kernel when running Torcs dropped from 33% to 23%
and the frame rate is higher, which is a good thing.
r600 might need something like this as well.
Signed-off-by: Marek Olšák <maraeo@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Kees Cook [Sat, 12 Feb 2011 03:29:44 +0000 (19:29 -0800)]
drm: do not leak kernel addresses via /proc/dri/*/vma
In the continuing effort to avoid kernel addresses leaking to unprivileged
users, this patch switches to %pK for /proc/dri/*/vma.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Alex Deucher [Mon, 7 Feb 2011 18:15:28 +0000 (13:15 -0500)]
drm/radeon/kms: add connector table for mac g5 9600
PPC Mac cards do not provide connector tables in
their vbios. Their connector/encoder configurations
must be hardcoded in the driver.
verified by nyef on #radeon
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Jesper Juhl [Sat, 5 Feb 2011 19:51:53 +0000 (20:51 +0100)]
radeon mkregtable: Add missing fclose() calls
drivers/gpu/drm/radeon/mkregtable.c:parser_auth() almost always remembers
to fclose(file) before returning, but it misses two spots.
This is not really important since the process will exit shortly after and
thus close the file for us, but being explicit prevents static analysis
tools from complaining about leaked memory and missing fclose() calls and
it also seems to be the prefered style of the existing code to explicitly
close the file.
So, here's a patch to add the two missing fclose() calls.
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Alex Deucher [Sun, 6 Feb 2011 19:23:26 +0000 (14:23 -0500)]
drm/radeon/kms: fix interlaced modes on dce4+
- set scaler table clears the interleave bit, need to
reset it in encoder quirks, this was already done for
pre-dce4.
- remove the interleave settings from set_base() functions
this is now handled in the encoder quirks functions, and
isn't technically part of the display base setup.
- rename evergreen_do_set_base() to dce4_do_set_base() since
it's used on both evergreen and NI asics.
Fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=28182
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Dave Airlie [Mon, 7 Feb 2011 02:00:51 +0000 (12:00 +1000)]
drm/radeon: fix memory debugging since
d961db75ce86a84f1f04e91ad1014653ed7d9f46
The old code dereferenced a value, the new code just needs to pass
the ptr.
fixes an oops looking at files in debugfs.
cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Jesper Juhl [Thu, 10 Feb 2011 10:58:45 +0000 (10:58 +0000)]
USB Network driver infrastructure: Fix leak when usb_autopm_get_interface() returns less than zero in kevent().
We'll leak the memory allocated to 'urb' in
drivers/net/usb/usbnet.c:kevent() when we 'goto fail_lowmem' and the 'urb'
variable goes out of scope while still completely unused.
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jesper Juhl [Thu, 10 Feb 2011 11:57:16 +0000 (11:57 +0000)]
Don't potentially dereference NULL in net/dcb/dcbnl.c:dcbnl_getapp()
nla_nest_start() may return NULL. If it does then we'll blow up in
nla_nest_end() when we dereference the pointer.
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
John Fastabend [Mon, 31 Jan 2011 12:00:59 +0000 (12:00 +0000)]
net: dcb: application priority is per net_device
The app_data priority may not be the same for all net devices.
In order for stacks with application notifiers to identify the
specific net device dcb_app_type should be passed in the ptr.
This allows handlers to use dev_get_by_name() to pin priority
to net devices.
Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Sun, 13 Feb 2011 15:59:48 +0000 (07:59 -0800)]
Merge branch 'spi/merge' of git://git.secretlab.ca/git/linux-2.6
* 'spi/merge' of git://git.secretlab.ca/git/linux-2.6:
devicetree-discuss is moderated for non-subscribers
MAINTAINERS: Add entry for GPIO subsystem
dt: add documentation of ARM dt boot interface
dt: Remove obsolete description of powerpc boot interface
dt: Move device tree documentation out of powerpc directory
spi/spi_sh_msiof: fix wrong address calculation, which leads to an Oops
Linus Torvalds [Sun, 13 Feb 2011 15:58:50 +0000 (07:58 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/tiwai/sound-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
ALSA: hda - add quirk for Ordissimo EVE using a realtek ALC662
ALSA: hrtimer: remove superfluous tasklet invocation
ALSA: hrtimer: handle delayed timer interrupts
ALSA: HDA: Add subwoofer quirk for Acer Aspire 8942G
ALSA: hda - Don't handle empty patch files
ALSA: hda - Fix missing CA initialization for HDMI/DP
ALSA: usbaudio - Enable the E-MU 0204 USB
ALSA: hda - switch lfe with side in mixer for 4930g
ASoC: Improve WM8994 digital power sequencing
ASoC: Create an AIF1ADCDAT signal widget to match AIF2
asoc: davinci: da830/omap-l137: correct cpu_dai_name
ASoC: fill in snd_soc_pcm_runtime.card before calling snd_soc_dai_link.init()
Linus Torvalds [Sun, 13 Feb 2011 15:50:50 +0000 (07:50 -0800)]
Revert "pci: use security_capable() when checking capablities during config space read"
This reverts commit
47970b1b2aa64464bc0a9543e86361a622ae7c03.
It turns out it breaks several distributions. Looks like the stricter
selinux checks fail due to selinux policies not being set to allow the
access - breaking X, but also lspci.
So while the change was clearly the RightThing(tm) to do in theory, in
practice we have backwards compatibility issues making it not work.
Reported-by: Dave Young <hidave.darkstar@gmail.com>
Acked-by: David Airlie <airlied@linux.ie>
Acked-by: Alex Riesen <raa.lkml@gmail.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Takashi Iwai [Sun, 13 Feb 2011 09:05:30 +0000 (10:05 +0100)]
Merge branch 'fix/asoc' into for-linus
Grant Likely [Sun, 13 Feb 2011 06:53:34 +0000 (23:53 -0700)]
Merge branch 'devicetree/merge' into spi/merge
Paul Bolle [Sat, 12 Feb 2011 11:33:59 +0000 (12:33 +0100)]
devicetree-discuss is moderated for non-subscribers
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Kashyap, Desai [Thu, 10 Feb 2011 06:24:29 +0000 (11:54 +0530)]
[SCSI] mptfusion: Bump version 03.04.18
Signed-off-by: Kashyap Desai <kashyap.desai@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Kashyap, Desai [Thu, 10 Feb 2011 06:23:44 +0000 (11:53 +0530)]
[SCSI] mptfusion: Fix Incorrect return value in mptscsih_dev_reset
There's a branch at the end of this function that
is supposed to normalize the return value with what
the mid-layer expects. In this one case, we get it wrong.
Also increase the verbosity of the INFO level printk
at the end of mptscsih_abort to include the actual return value
and the scmd->serial_number. The reason being success
or failure is actually determined by the state of
the internal tag list when a TMF is issued, and not the
return value of the TMF cmd. The serial_number is also
used in this decision, thus it's useful to know for debugging
purposes.
Cc: stable@kernel.org
Reported-by: Peter M. Petrakis <peter.petrakis@canonical.com>
Signed-off-by: Kashyap Desai <kashyap.desai@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Kashyap, Desai [Thu, 10 Feb 2011 06:22:21 +0000 (11:52 +0530)]
[SCSI] mptfusion: mptctl_release is required in mptctl.c
Added missing release callback for file_operations mptctl_fops.
Without release callback there will be never freed. It remains on
mptctl's eent list even after the file is closed and released.
Relavent RHEL bugzilla is 660871
Cc: stable@kernel.org
Signed-off-by: Kashyap Desai <kashyap.desai@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Nicholas Bellinger [Wed, 9 Feb 2011 23:34:54 +0000 (15:34 -0800)]
[SCSI] target: fix use after free detected by SLUB poison
This patch moves a large number of memory release paths inside of the
configfs callback target_core_hba_item_ops->release() called from
within fs/configfs/item.c: config_item_cleanup() context. This patch
resolves the SLUB 'Poison overwritten' warnings.
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Nicholas Bellinger [Wed, 9 Feb 2011 23:35:03 +0000 (15:35 -0800)]
[SCSI] target: Remove procfs based target_core_mib.c code
This patch removes the legacy procfs based target_core_mib.c code,
and moves the necessary scsi_index_tables functions and defines into
target_core_transport.c and target_core_base.h code to allow existing
fabric independent statistics to function.
This includes the removal of a handful of 'atomic_t mib_ref_count'
counters used in struct se_node_acl, se_session and se_hba to prevent
removal while using seq_list procfs walking logic.
[jejb: fix up compile failures]
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Nicholas Bellinger [Wed, 9 Feb 2011 23:35:04 +0000 (15:35 -0800)]
[SCSI] target: Fix SCF_SCSI_CONTROL_SG_IO_CDB breakage
This patch fixes a bug introduced during the v4 control CDB emulation
refactoring that broke SCF_SCSI_CONTROL_SG_IO_CDB operation within
transport_map_control_cmd_to_task(). It moves the BUG_ON() into
transport_do_se_mem_map() after the TRANSPORT(dev)->do_se_mem_map()
RAMDISK_DR special case, and adds the proper struct se_mem assignment
when !list_empty() for normal non RAMDISK_DR backend device cases.
Reported-by: Kai-Thorsten Hambrecht <kai@hambrecht.org>
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Grant Likely [Sat, 12 Feb 2011 08:48:14 +0000 (01:48 -0700)]
MAINTAINERS: Add entry for GPIO subsystem
I'll probably regret this....
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Nicholas Bellinger [Wed, 9 Feb 2011 23:34:53 +0000 (15:34 -0800)]
[SCSI] target: Fix top-level configfs_subsystem default_group shutdown breakage
This patch fixes two bugs uncovered during testing with
slub_debug=FPUZ during module_exit() -> target_core_exit_configfs()
with release of configfs subsystem consumer default groups, namely how
this should be working with
fs/configfs/dir.c:configfs_unregister_subsystem() release logic for
struct config_group->default_group.
The first issue involves configfs_unregister_subsystem() expecting to
walk+drain the top-level subsys->su_group.default_groups directly in
unlink_group(), and not directly from the configfs subsystem consumer
for the top level struct config_group->default_groups. This patch
drops the walk+drain of subsys->su_group.default_groups from TCM
configfs subsystem consumer code, and moves the top-level
->default_groups kfree() after configfs_unregister_subsystem() has
been called.
The second issue involves calling
core_alua_free_lu_gp(se_global->default_lu_gp) to release the
default_lu_gp->lu_gp_group before configfs_unregister_subsystem() has
been called. This patches also moves the core_alua_free_lu_gp() call
to release default_lu_group->lu_gp_group after the subsys has been
unregistered.
Finally, this patch explictly clears the
[lu_gp,alua,hba]_cg->default_groups pointers after kfree() to ensure
that no stale memory is picked up from child struct
config_group->default_group[] while configfs_unregister_subsystem() is
called.
Reported-by: Fubo Chen <fubo.chen@gmail.com>
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Fubo Chen [Wed, 9 Feb 2011 23:34:48 +0000 (15:34 -0800)]
[SCSI] target: fixed missing lock drop in error path
The struct se_node_acl->device_list_lock needs to be released if either
sanity check for struct se_dev_entry->se_lun_acl or deve->se_lun fails.
Signed-off-by: Fubo Chen <fubo.chen@gmail.com>
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Nicholas Bellinger [Wed, 9 Feb 2011 23:34:43 +0000 (15:34 -0800)]
[SCSI] target: Fix demo-mode MappedLUN shutdown UA/PR breakage
This patch fixes a bug in core_update_device_list_for_node() where
individual demo-mode generated MappedLUN's UA + Persistent
Reservations metadata where being leaked, instead of falling through
and calling existing core_scsi3_ua_release_all() and
core_scsi3_free_pr_reg_from_nacl() at the end of
core_update_device_list_for_node().
This bug would manifest itself with the following OOPs w/ TPG
demo-mode endpoints (tfo->tpg_check_demo_mode()=1), and PROUT
REGISTER+RESERVE -> explict struct se_session logout -> struct
se_device shutdown:
[ 697.021139] LIO_iblock used greatest stack depth: 2704 bytes left
[ 702.235017] general protection fault: 0000 [#1] SMP
[ 702.235074] last sysfs file: /sys/devices/virtual/net/lo/operstate
[ 704.372695] CPU 0
[ 704.372725] Modules linked in: crc32c target_core_stgt scsi_tgt target_core_pscsi target_core_file target_core_iblock target_core_mod configfs sr_mod cdrom sd_mod ata_piix mptspi mptscsih libata mptbase [last unloaded: iscsi_target_mod]
[ 704.375442]
[ 704.375563] Pid: 4964, comm: tcm_node Not tainted 2.6.37+ #1 440BX Desktop Reference Platform/VMware Virtual Platform
[ 704.375912] RIP: 0010:[<
ffffffffa00aaa16>] [<
ffffffffa00aaa16>] __core_scsi3_complete_pro_release+0x31/0x133 [target_core_mod]
[ 704.376017] RSP: 0018:
ffff88001e5ffcb8 EFLAGS:
00010296
[ 704.376017] RAX:
6d32335b1b0a0d0a RBX:
ffff88001d952cb0 RCX:
0000000000000015
[ 704.376017] RDX:
ffff88001b428000 RSI:
ffff88001da5a4c0 RDI:
ffff88001e5ffcd8
[ 704.376017] RBP:
ffff88001e5ffd28 R08:
ffff88001e5ffcd8 R09:
ffff88001d952080
[ 704.377116] R10:
ffff88001dfc5480 R11:
ffff88001df8abb0 R12:
ffff88001d952cb0
[ 704.377319] R13:
0000000000000000 R14:
ffff88001df8abb0 R15:
ffff88001b428000
[ 704.377521] FS:
00007f033d15c6e0(0000) GS:
ffff88001fa00000(0000) knlGS:
0000000000000000
[ 704.377861] CS: 0010 DS: 0000 ES: 0000 CR0:
000000008005003b
[ 704.378043] CR2:
00007fff09281510 CR3:
000000001e5db000 CR4:
00000000000006f0
[ 704.378110] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 704.378110] DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
[ 704.378110] Process tcm_node (pid: 4964, threadinfo
ffff88001e5fe000, task
ffff88001d99c260)
[ 704.378110] Stack:
[ 704.378110]
ffffea0000678980 ffff88001da5a4c0 ffffea0000678980 ffff88001f402b00
[ 704.378110]
ffff88001e5ffd08 ffffffff810ea236 ffff88001e5ffd18 0000000000000282
[ 704.379772]
ffff88001d952080 ffff88001d952cb0 ffff88001d952cb0 ffff88001dc79010
[ 704.380082] Call Trace:
[ 704.380220] [<
ffffffff810ea236>] ? __slab_free+0x89/0x11c
[ 704.380403] [<
ffffffffa00ab781>] core_scsi3_free_all_registrations+0x3e/0x157 [target_core_mod]
[ 704.380479] [<
ffffffffa00a752b>] se_release_device_for_hba+0xa6/0xd8 [target_core_mod]
[ 704.380479] [<
ffffffffa00a7598>] se_free_virtual_device+0x3b/0x45 [target_core_mod]
[ 704.383750] [<
ffffffffa00a3177>] target_core_drop_subdev+0x13a/0x18d [target_core_mod]
[ 704.384068] [<
ffffffffa00960db>] client_drop_item+0x25/0x31 [configfs]
[ 704.384263] [<
ffffffffa00967b5>] configfs_rmdir+0x1a1/0x223 [configfs]
[ 704.384459] [<
ffffffff810fa8cd>] vfs_rmdir+0x7e/0xd3
[ 704.384631] [<
ffffffff810fc3be>] do_rmdir+0xa3/0xf4
[ 704.384895] [<
ffffffff810eed15>] ? filp_close+0x67/0x72
[ 704.386485] [<
ffffffff810fc446>] sys_rmdir+0x11/0x13
[ 704.387893] [<
ffffffff81002a92>] system_call_fastpath+0x16/0x1b
[ 704.388083] Code: 4c 8d 45 b0 41 56 49 89 d7 41 55 41 89 cd 41 54 b9 15 00 00 00 53 48 89 fb 48 83 ec 48 4c 89 c7 48 89 75 98 48 8b 86 28 01 00 00 <48> 8b 80 90 01 00 00 48 89 45 a0 31 c0 f3 aa c7 45 ac 00 00 00
[ 704.388763] RIP [<
ffffffffa00aaa16>] __core_scsi3_complete_pro_release+0x31/0x133 [target_core_mod]
[ 704.389142] RSP <
ffff88001e5ffcb8>
[ 704.389572] ---[ end trace
2a3614f3cd6261a5 ]---
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Nicholas Bellinger [Wed, 9 Feb 2011 23:34:38 +0000 (15:34 -0800)]
[SCSI] target/iblock: Fix failed bd claim NULL pointer dereference
This patch adds an explict check for struct iblock_dev->ibd_bd in
iblock_free_device() before calling blkdev_put(), which will otherwise hit
the following NULL pointer dereference @ ib_dev->ibd_bd when iblock_create_virtdevice()
fails to claim an already in-use struct block_device via blkdev_get_by_path().
[ 112.528578] Target_Core_ConfigFS: Allocated struct se_subsystem_dev:
ffff88001e750000 se_dev_su_ptr:
ffff88001dd05d70
[ 112.534681] Target_Core_ConfigFS: Calling t->free_device() for se_dev_su_ptr:
ffff88001dd05d70
[ 112.535029] BUG: unable to handle kernel NULL pointer dereference at
0000000000000020
[ 112.535029] IP: [<
ffffffff814987a3>] mutex_lock+0x14/0x35
[ 112.535029] PGD
1e5d0067 PUD
1e274067 PMD 0
[ 112.535029] Oops: 0002 [#1] SMP
[ 112.535029] last sysfs file: /sys/devices/pci0000:00/0000:00:07.1/host2/target2:0:0/2:0:0:0/type
[ 112.535029] CPU 0
[ 112.535029] Modules linked in: iscsi_target_mod target_core_stgt scsi_tgt target_core_pscsi target_core_file target_core_iblock target_core_mod configfs sr_mod cdrom sd_mod ata_piix mptspi mptscsih libata mptbase [last unloaded: scsi_wait_scan]
[ 112.535029]
[ 112.535029] Pid: 3345, comm: python2.5 Not tainted 2.6.37+ #1 440BX Desktop Reference Platform/VMware Virtual Platform
[ 112.535029] RIP: 0010:[<
ffffffff814987a3>] [<
ffffffff814987a3>] mutex_lock+0x14/0x35
[ 112.535029] RSP: 0018:
ffff88001e6d7d58 EFLAGS:
00010246
[ 112.535029] RAX:
0000000000000000 RBX:
0000000000000020 RCX:
0000000000000082
[ 112.535029] RDX:
ffff88001e6d7fd8 RSI:
0000000000000083 RDI:
0000000000000020
[ 112.535029] RBP:
ffff88001e6d7d68 R08:
0000000000000000 R09:
0000000000000000
[ 112.535029] R10:
ffff8800000be860 R11:
ffff88001f420000 R12:
0000000000000020
[ 112.535029] R13:
0000000000000083 R14:
ffff88001d809430 R15:
ffff88001d8094f8
[ 112.535029] FS:
00007ff17ca7d6e0(0000) GS:
ffff88001fa00000(0000) knlGS:
0000000000000000
[ 112.535029] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 112.535029] CR2:
0000000000000020 CR3:
000000001e5d2000 CR4:
00000000000006f0
[ 112.535029] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 112.535029] DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
[ 112.535029] Process python2.5 (pid: 3345, threadinfo
ffff88001e6d6000, task
ffff88001e2d0760)
[ 112.535029] Stack:
[ 112.535029]
ffff88001e6d7d88 0000000000000000 ffff88001e6d7d98 ffffffff811187fc
[ 112.535029]
ffff88001d809430 ffff88001dd05d70 ffff88001e750860 ffff88001e750000
[ 112.535029]
ffff88001e6d7db8 ffffffffa00e3757 ffff88001e6d7db8 0000000000000004
[ 112.535029] Call Trace:
[ 112.535029] [<
ffffffff811187fc>] blkdev_put+0x28/0x107
[ 112.535029] [<
ffffffffa00e3757>] iblock_free_device+0x1d/0x36 [target_core_iblock]
[ 112.535029] [<
ffffffffa00a319c>] target_core_drop_subdev+0x15f/0x18d [target_core_mod]
[ 112.535029] [<
ffffffffa00960db>] client_drop_item+0x25/0x31 [configfs]
[ 112.535029] [<
ffffffffa00967b5>] configfs_rmdir+0x1a1/0x223 [configfs]
[ 112.535029] [<
ffffffff810fa8cd>] vfs_rmdir+0x7e/0xd3
[ 112.535029] [<
ffffffff810fc3be>] do_rmdir+0xa3/0xf4
[ 112.535029] [<
ffffffff810fc446>] sys_rmdir+0x11/0x13
[ 112.535029] [<
ffffffff81002a92>] system_call_fastpath+0x16/0x1b
[ 112.535029] Code: 8b 04 25 88 b5 00 00 48 2d d8 1f 00 00 48 89 43 18 31 c0 5e 5b c9 c3 55 48 89 e5 53 48 89 fb 48 83 ec 08 e8 c4 f7 ff ff 48 89 df <3e> ff 0f 79 05 e8 1e ff ff ff 65 48 8b 04 25 88 b5 00 00 48 2d
[ 112.535029] RIP [<
ffffffff814987a3>] mutex_lock+0x14/0x35
[ 112.535029] RSP <
ffff88001e6d7d58>
[ 112.535029] CR2:
0000000000000020
[ 132.679636] ---[ end trace
05754bb48eb828f0 ]---
Note it also adds an second explict check for ib_dev->ibd_bio_set before calling
bioset_free() to fix the same possible NULL pointer deference during an early
iblock_create_virtdevice() failure.
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Dan Carpenter [Wed, 9 Feb 2011 23:34:36 +0000 (15:34 -0800)]
[SCSI] target: iblock/pscsi claim checking for NULL instead of IS_ERR
blkdev_get_by_path() returns an ERR_PTR() or error and it doesn't return
a NULL. It looks like this bug would be easy to trigger by mistake.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Darrick J. Wong [Tue, 1 Feb 2011 02:47:54 +0000 (18:47 -0800)]
[SCSI] scsi_debug: Fix 32-bit overflow in do_device_access causing memory corruption
If I create a scsi_debug device that is larger than 4GB, the multiplication of
(block * scsi_debug_sector_size) can produce a 64-bit value. Unfortunately,
the compiler sees two 32-bit quantities and performs a 32-bit multiplication,
thus truncating the bits above 2^32. This causes the wrong memory location to
be read or written. Change block and rest to be unsigned long long.
Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Linus Torvalds [Sat, 12 Feb 2011 17:10:24 +0000 (09:10 -0800)]
Merge branch 'for_linus' of git://git./linux/kernel/git/tytso/ext4
* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
jbd2: call __jbd2_log_start_commit with j_state_lock write locked
ext4: serialize unaligned asynchronous DIO
ext4: make grpinfo slab cache names static
ext4: Fix data corruption with multi-block writepages support
ext4: fix up ext4 error handling
ext4: unregister features interface on module unload
ext4: fix panic on module unload when stopping lazyinit thread
Madhuranath Iyengar [Fri, 28 Jan 2011 23:17:56 +0000 (15:17 -0800)]
[SCSI] qla2xxx: Change from irq to irqsave with host_lock
Make the driver safer by using irqsave/irqrestore with host_lock.
Signed-off-by: Madhuranath Iyengar <Madhu.Iyengar@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
James Bottomley [Thu, 27 Jan 2011 21:12:37 +0000 (16:12 -0500)]
[SCSI] qla2xxx: Fix race that could hang kthread_stop()
There is a small race window in qla2x00_do_dpc() between
checking for kthread_should_stop() and going to sleep after
setting TASK_INTERRUPTIBLE. If qla2x00_free_device() is called
in this window, kthread_stop will wait forever because there
will be no one to wake up the process.
Fix by making sure we only set TASK_INTERRUPTIBLE before checking
kthread_stop().
Reported-by: Bandan Das <bandan.das@stratus.com>
Acked-by: Madhuranath Iyengar <Madhu.Iyengar@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Theodore Ts'o [Sat, 12 Feb 2011 13:18:24 +0000 (08:18 -0500)]
jbd2: call __jbd2_log_start_commit with j_state_lock write locked
On an SMP ARM system running ext4, I've received a report that the
first J_ASSERT in jbd2_journal_commit_transaction has been triggering:
J_ASSERT(journal->j_running_transaction != NULL);
While investigating possible causes for this problem, I noticed that
__jbd2_log_start_commit() is getting called with j_state_lock only
read-locked, in spite of the fact that it's possible for it might
j_commit_request. Fix this by grabbing the necessary information so
we can test to see if we need to start a new transaction before
dropping the read lock, and then calling jbd2_log_start_commit() which
will grab the write lock.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Eric Sandeen [Sat, 12 Feb 2011 13:17:34 +0000 (08:17 -0500)]
ext4: serialize unaligned asynchronous DIO
ext4 has a data corruption case when doing non-block-aligned
asynchronous direct IO into a sparse file, as demonstrated
by xfstest 240.
The root cause is that while ext4 preallocates space in the
hole, mappings of that space still look "new" and
dio_zero_block() will zero out the unwritten portions. When
more than one AIO thread is going, they both find this "new"
block and race to zero out their portion; this is uncoordinated
and causes data corruption.
Dave Chinner fixed this for xfs by simply serializing all
unaligned asynchronous direct IO. I've done the same here.
The difference is that we only wait on conversions, not all IO.
This is a very big hammer, and I'm not very pleased with
stuffing this into ext4_file_write(). But since ext4 is
DIO_LOCKING, we need to serialize it at this high level.
I tried to move this into ext4_ext_direct_IO, but by then
we have the i_mutex already, and we will wait on the
work queue to do conversions - which must also take the
i_mutex. So that won't work.
This was originally exposed by qemu-kvm installing to
a raw disk image with a normal sector-63 alignment. I've
tested a backport of this patch with qemu, and it does
avoid the corruption. It is also quite a lot slower
(14 min for package installs, vs. 8 min for well-aligned)
but I'll take slow correctness over fast corruption any day.
Mingming suggested that we can track outstanding
conversions, and wait on those so that non-sparse
files won't be affected, and I've implemented that here;
unaligned AIO to nonsparse files won't take a perf hit.
[tytso@mit.edu: Keep the mutex as a hashed array instead
of bloating the ext4 inode]
[tytso@mit.edu: Fix up namespace issues so that global
variables are protected with an "ext4_" prefix.]
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Eric Sandeen [Sat, 12 Feb 2011 13:12:18 +0000 (08:12 -0500)]
ext4: make grpinfo slab cache names static
In 2.6.37 I was running into oopses with repeated module
loads & unloads. I tracked this down to:
fb1813f4 ext4: use dedicated slab caches for group_info structures
(this was in addition to the features advert unload problem)
The kstrdup & subsequent kfree of the cache name was causing
a double free. In slub, at least, if I read it right it allocates
& frees the name itself, slab seems to do something different...
so in slub I think we were leaking -our- cachep->name, and double
freeing the one allocated by slub.
After getting lost in slab/slub/slob a bit, I just looked at other
sized-caches that get allocated. jbd2, biovec, sgpool all do it
more or less the way jbd2 does. Below patch follows the jbd2
method of dynamically allocating a cache at mount time from
a list of static names.
(This might also possibly fix a race creating the caches with
parallel mounts running).
[Folded in a fix from Dan Carpenter which fixed an off-by-one error in
the original patch]
Cc: stable@kernel.org
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Kees Cook [Sat, 12 Feb 2011 03:21:25 +0000 (19:21 -0800)]
timer debug: Hide kernel addresses via %pK in /proc/timer_list
In the continuing effort to avoid kernel addresses leaking to
unprivileged users, this patch switches to %pK for
/proc/timer_list reporting.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Cc: John Stultz <johnstul@us.ibm.com>
Cc: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: Eugene Teo <eugeneteo@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
LKML-Reference: <
20110212032125.GA23571@outflux.net>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Thomas Gleixner [Sat, 12 Feb 2011 10:51:03 +0000 (11:51 +0100)]
x86: Readd missing irq_to_desc() in fixup_irq()
commit
a3c08e5d(x86: Convert irq_chip access to new functions)
accidentally zapped desc = irq_to_desc(irq); in the vector loop.
So we lock some random irq descriptor.
Add it back.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@kernel.org> # .37
Herbert Xu [Sat, 12 Feb 2011 09:05:42 +0000 (01:05 -0800)]
bridge: Replace mp->mglist hlist with a bool
As it turns out we never need to walk through the list of multicast
groups subscribed by the bridge interface itself (the only time we'd
want to do that is when we shut down the bridge, in which case we
simply walk through all multicast groups), we don't really need to
keep an hlist for mp->mglist.
This means that we can replace it with just a single bit to indicate
whether the bridge interface is subscribed to a group.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Grant Likely [Sat, 12 Feb 2011 08:45:55 +0000 (01:45 -0700)]
MAINTAINERS: Add entry for GPIO subsystem
I'll probably regret this....
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Herbert Xu [Fri, 11 Feb 2011 12:42:07 +0000 (12:42 +0000)]
bridge: Fix timer typo that may render snooping less effective
In a couple of spots where we are supposed to modify the port
group timer (p->timer) we instead modify the bridge interface
group timer (mp->timer).
The effect of this is mostly harmless. However, it can cause
port subscriptions to be longer than they should be, thus making
snooping less effective.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Herbert Xu [Fri, 11 Feb 2011 12:36:55 +0000 (12:36 +0000)]
bridge: Fix mglist corruption that leads to memory corruption
The list mp->mglist is used to indicate whether a multicast group
is active on the bridge interface itself as opposed to one of the
constituent interfaces in the bridge.
Unfortunately the operation that adds the mp->mglist node to the
list neglected to check whether it has already been added. This
leads to list corruption in the form of nodes pointing to itself.
Normally this would be quite obvious as it would cause an infinite
loop when walking the list. However, as this list is never actually
walked (which means that we don't really need it, I'll get rid of
it in a subsequent patch), this instead is hidden until we perform
a delete operation on the affected nodes.
As the same node may now be pointed to by more than one node, the
delete operations can then cause modification of freed memory.
This was observed in practice to cause corruption in 512-byte slabs,
most commonly leading to crashes in jbd2.
Thanks to Josef Bacik for pointing me in the right direction.
Reported-by: Ian Page Hands <ihands@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>