Commit Graph

211607 Commits

Author SHA1 Message Date
Will Deacon
ccdf2e1bca ARM: 6412/1: kprobes-decode: add support for MOVW instruction
The MOVW instruction moves a 16-bit immediate into the bottom halfword
of the destination register.

This patch ensures that kprobes leaves the 16-bit immediate intact, rather
than assume a 12-bit immediate and mask out the upper 4 bits.

Acked-by: Nicolas Pitre <nicolas.pitre@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2010-10-04 19:21:37 +01:00
Santosh Shilimkar
7f58217bb6 ARM: 6419/1: mmu: Fix MT_MEMORY and MT_MEMORY_NONCACHED pte flags
The commit f1a2481c0 sets up the default flags for MT_MEMORY and
MT_MEMORY_NONCACHED memory types. L_PTE_USER flag is wrongly
set as default for these entries so remove it. Also adding
the 'L_PTE_WRITE' flag so that these pages become read-write
instead of just being read-only

[this stops them being exposed to userspace, which is the main
concern here --rmk]

Reported-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@ti.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2010-10-04 19:20:18 +01:00
Will Deacon
475d92fc6e ARM: 6416/1: errata: faulty hazard checking in the Store Buffer may lead to data corruption
On the r2p0, r2p1 and r2p2 versions of the Cortex-A9, data corruption
can occur under very rare conditions due to a store buffer optimisation.

This workaround sets a bit in the diagnostic register of the Cortex-A9,
disabling the optimisation and preventing the problem from occurring.

Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2010-10-04 19:20:14 +01:00
Linus Torvalds
d9f73afcd3 Merge branch 'fix/misc' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6
* 'fix/misc' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
  ALSA: i2c/other/ak4xx-adda: Fix a compile warning with CONFIG_PROCFS=n
  ALSA: prevent heap corruption in snd_ctl_new()
2010-10-04 11:15:59 -07:00
Linus Torvalds
53d22d886a Merge branch 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging
* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging:
  hwmon: f71882fg: use a muxed resource lock for the Super I/O port
2010-10-04 11:15:06 -07:00
Linus Torvalds
5a4bbd01c8 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/davej/cpufreq
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/davej/cpufreq:
  [CPUFREQ] Fix memory leaks in pcc_cpufreq_do_osc
  [CPUFREQ] acpi-cpufreq: add missing __percpu markup
2010-10-04 11:14:21 -07:00
Linus Torvalds
989cd445b4 Merge branch 'merge-spi' of git://git.secretlab.ca/git/linux-2.6
* 'merge-spi' of git://git.secretlab.ca/git/linux-2.6:
  of/spi: Fix OF-style driver binding of spi devices
  spi: spi-gpio.c tests SPI_MASTER_NO_RX bit twice, but not SPI_MASTER_NO_TX
  spi/mpc8xxx: fix buffer overrun on large transfers
2010-10-04 11:13:22 -07:00
Linus Torvalds
4a73a43741 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
  vlan: dont drop packets from unknown vlans in promiscuous mode
  Phonet: Correct header retrieval after pskb_may_pull
  um: Proper Fix for f25c80a4: remove duplicate structure field initialization
  ip_gre: Fix dependencies wrt. ipv6.
  net-2.6: SYN retransmits: Add new parameter to retransmits_timed_out()
  iwl3945: queue the right work if the scan needs to be aborted
  mac80211: fix use-after-free
2010-10-04 11:11:01 -07:00
Linus Torvalds
c470af0a27 Merge branch 'drm-intel-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ickle/drm-intel
* 'drm-intel-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ickle/drm-intel:
  drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
  drm/i915: Sanity check pread/pwrite
  drm/i915: Use pipe state to tell when pipe is off
  drm/i915: vblank status not valid while training display port
  drivers/gpu/drm/i915/i915_gem.c: Add missing error handling code
  drm/i915: Fix refleak during eviction.
  drm/i915: fix GMCH power reporting
2010-10-04 11:10:26 -07:00
Hugh Dickins
4e31635c36 ksm: fix bad user data when swapping
Building under memory pressure, with KSM on 2.6.36-rc5, collapsed with
an internal compiler error: typically indicating an error in swapping.

Perhaps there's a timing issue which makes it now more likely, perhaps
it's just a long time since I tried for so long: this bug goes back to
KSM swapping in 2.6.33.

Notice how reuse_swap_page() allows an exclusive page to be reused, but
only does SetPageDirty if it can delete it from swap cache right then -
if it's currently under Writeback, it has to be left in cache and we
don't SetPageDirty, but the page can be reused.  Fine, the dirty bit
will get set in the pte; but notice how zap_pte_range() does not bother
to transfer pte_dirty to page_dirty when unmapping a PageAnon.

If KSM chooses to share such a page, it will look like a clean copy of
swapcache, and not be written out to swap when its memory is needed;
then stale data read back from swap when it's needed again.

We could fix this in reuse_swap_page() (or even refuse to reuse a
page under writeback), but it's more honest to fix my oversight in
KSM's write_protect_page().  Several days of testing on three machines
confirms that this fixes the issue they showed.

Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-10-04 11:09:53 -07:00
Hugh Dickins
4829b906cc ksm: fix page_address_in_vma anon_vma oops
2.6.36-rc1 commit 21d0d443cd "rmap:
resurrect page_address_in_vma anon_vma check" was right to resurrect
that check; but now that it's comparing anon_vma->roots instead of
just anon_vmas, there's a danger of oopsing on a NULL anon_vma.

In most cases no NULL anon_vma ever gets here; but it turns out that
occasionally KSM, when enabled on a forked or forking process, will
itself call page_address_in_vma() on a "half-KSM" page left over from
an earlier failed attempt to merge - whose page_anon_vma() is NULL.

It's my bug that those should be getting here at all: I thought they
were already dealt with, this oops proves me wrong, I'll fix it in
the next release - such pages are effectively pinned until their
process exits, since rmap cannot find their ptes (though swapoff can).

For now just work around it by making page_address_in_vma() safe (and
add a comment on why that check is wanted anyway).  A similar check
in __page_check_anon_rmap() is safe because do_page_add_anon_rmap()
already excluded KSM pages.

Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Rik van Riel <riel@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-10-04 11:09:53 -07:00
David Daney
158d6742bc MIPS: Octeon: Place cnmips_cu2_setup in __init memory.
It is an early_initcall, so it should be in __init memory.

Signed-off-by: David Daney <ddaney@caviumnetworks.com>
To: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/1593/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:34:00 +01:00
David Daney
4c7106c48a MIPS: Don't place cu2 notifiers in __cpuinitdata
The notifiers may be called at any time, so the notifier_block cannot
be in init memory.

Signed-off-by: David Daney <ddaney@caviumnetworks.com>
To: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/1592/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:34:00 +01:00
Shmulik Ladkani
2ccc5b150f MIPS: Calculate VMLINUZ_LOAD_ADDRESS based on the length of vmlinux.bin
Fix VMLINUZ_LOAD_ADDRESS calculation to be based on the length of
vmlinux.bin, the actual uncompressed kernel binary.

Previously it was based on the length of KBUILD_IMAGE (the unstripped ELF
vmlinux), which is bigger than vmlinux.bin.  As a result, vmlinuz was
loaded into a memory address higher then actually needed - a problem for
small memory platforms.

Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
To: linux-mips@linux-mips.org
Cc: alex@digriz.org.uk
Cc: manuel.lauss@googlemail.com
Cc: sam@ravnborg.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/1564/
Acked-by: Wu Zhangjin <wuzhangjin@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:34:00 +01:00
Manuel Lauss
2b877a3ff4 MIPS: Alchemy: Resolve prom section mismatches
The function prom_init_cmdline() references the variable __initdata
arcs_cmdline.

The function prom_get_ethernet_addr() references the variable __initdata
arcs_cmdline.

Annotate prom_init_cmdline() as __init, unexport and annotate
prom_get_ethernet_addr() since it's no longer called from within
driver code.

Signed-off-by: Manuel Lauss <manuel.lauss@googlemail.com>
To: Linux-MIPS <linux-mips@linux-mips.org>
Patchwork: https://patchwork.linux-mips.org/patch/1547/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:59 +01:00
Ralf Baechle
e080e6166a MIPS: Fix syscall 64 bit number comments.
Noticed and original patch by Philby John <pjohn@mvista.com>.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:59 +01:00
David Daney
5e844b31c2 MIPS: Hookup fanotify_init, fanotify_mark, and prlimit64 syscalls.
Signed-off-by: David Daney <ddaney@caviumnetworks.com>
To: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/1553/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:59 +01:00
FUJITA Tomonori
c9c4d98b47 MIPS: TX49xx: Rename ARCH_KMALLOC_MINALIGN to ARCH_DMA_MINALIGN
Architectures need to set ARCH_DMA_MINALIGN to the minimum DMA
alignment (commit a6eb9fe105). Defining
ARCH_KMALLOC_MINALIGN doesn't work anymore.

Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Cc: anemo@mba.ocn.ne.jp
Patchwork: https://patchwork.linux-mips.org/patch/1544/
Acked-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:58 +01:00
Bernhard Walle
e9fb4d84d6 MIPS: N32: Fix getdents64 syscall for n32
Commit 31c984a5ac introduced a new syscall
getdents64. However, in the syscall table, the new syscall still refers to
the old getdents which doesn't work.

The problem appeared with a system that uses the eglibc 2.12-r11187 (that
utilizes that new syscall) is very confused. The fix has been tested with
that eglibc version.

Signed-off-by: Bernhard Walle <walle@corscience.de>
To: linux-mips@linux-mips.org
Cc: ddaney@caviumnetworks.com
Cc: akpm@linux-foundation.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/1567/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:58 +01:00
Joe Perches
7dde29cb1d MIPS: Remove pr_<level> uses of KERN_<level>
These would result in KERN_<level> actually getting printed.

Signed-off-by: Joe Perches <joe@perches.com>
To: Jiri Kosina <trivial@kernel.org>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/1581/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:57 +01:00
Ralf Baechle
c1b47e9508 MIPS: PNX8550: Sort out machine halt, restart and powerdown functions.
No rubbish printks - those belong to userspace.  The halt function now
actually halts the system and the poweroff function was deleted because
it didn't actually power down the system.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:57 +01:00
Ralf Baechle
863cb9bad8 MIPS: GIC: Remove dependencies from Malta files.
This prevents the GIC code from being reusable sanely.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:56 +01:00
Ralf Baechle
25f12b339c MIPS: Kconfig: Fix and clarify kconfig help text for VSMP and SMTC.
Only VSMP was known as SMVP and generally the help text was too short to
be helpful.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:56 +01:00
Ralf Baechle
a2e715a86c MIPS: DMA: Fix computation of DMA flags from device's coherent_dma_mask.
This only matters for ISA devices with a 24-bit DMA limit or for devices
with a 32-bit DMA limit on systems with ZONE_DMA32 enabled.  The latter
currently only affects 32-bit PCI cards on Sibyte-based systems with more
than 1GB RAM installed.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:56 +01:00
Ralf Baechle
244599469f MIPS: Audit: Fix hang in entry.S.
_TIF_WORK_MASK false had _TIF_SYSCALL_AUDIT set.  If a thread's
_TIF_SYSCALL_AUDIT is ever set this will lead to an endless loop on the
way out from a syscall.

Currently this is only a theoretic bug as init/Kconfig doesn't allow
AUDIT_SYSCALL to be enabled for MIPS.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:55 +01:00
Ralf Baechle
5707bf6bce MIPS: Document why RELOC_HIDE is there.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:55 +01:00
Andreas Bießmann
1ec0e73976 MIPS: Octeon: Determine if helper needs to be built
This patch adds an config switch to determine if we need to build some
workaround helper files.

The staging driver octeon-ethernet references some symbols which are only
built when PCI is enabled. The new config switch enables these symbols in
bothe cases.

Signed-off-by: Andreas Bießmann <biessmann@corscience.de>
To: linux-kernel@vger.kernel.org
Cc: Andreas Bießmann <biessmann@corscience.de>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/1543/
Acked-by: David Daney <ddaney@caviumnetworks.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:55 +01:00
Deng-Cheng Zhu
2b78920d19 MIPS: Use generic atomic64 for 32-bit kernels
The 64-bit kernel has already had its atomic64 functions. Except for that,
we use the generic spinlocked version. The atomic64 types and related
functions are needed for the Linux performance counter subsystem.

Signed-off-by: Deng-Cheng Zhu <dengcheng.zhu@gmail.com>
To: linux-mips@linux-mips.org
Cc: a.p.zijlstra@chello.nl
Cc: paulus@samba.org
Cc: mingo@elte.hu
Cc: acme@redhat.com
Cc: jamie.iles@picochip.com
Patchwork: https://patchwork.linux-mips.org/patch/1361/
Acked-by: David Daney <ddaney@caviumnetworks.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:54 +01:00
Ricardo Mendoza
543001f8d8 MIPS: RM7000: Symbol should be static
Signed-off-by: Ricardo Mendoza <ricmm@gentoo.org>
To: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/1540/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:54 +01:00
Julia Lawall
26deda5cee MIPS: kspd: Adjust confusing if indentation
Indent the branch of an if.

The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@r disable braces4@
position p1,p2;
statement S1,S2;
@@

(
if (...) { ... }
|
if (...) S1@p1 S2@p2
)

@script:python@
p1 << r.p1;
p2 << r.p2;
@@

if (p1[0].column == p2[0].column):
  cocci.print_main("branch",p1)
  cocci.print_secs("after",p2)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
To: linux-mips@linux-mips.org
To: linux-kernel@vger.kernel.org
To: kernel-janitors@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/1539/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:54 +01:00
Andrea Gelmini
eefc3f329d MIPS: Fix a typo.
"Userpace" -> "Userspace"

Signed-off-by: Andrea Gelmini <andrea.gelmini@gelma.net>
Cc: Andrea Gelmini <andrea.gelmini@gelma.net>
Cc: Jason Wessel <jason.wessel@windriver.com>
Cc: Martin Hicks <mort@sgi.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/1536/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2010-10-04 18:33:54 +01:00
Stephane Eranian
0f940cb7d9 perf trace scripting: Fix extern struct definitions
Both python_scripting_ops and perl_scripting_ops have two global definitions.
One in trace-event-scripting.c and one in their respective scripting-engine
modules.

The issue is that depending on the linker order one definition or the other
is chosen. One is uninitialized (bss), while the other is initialized. If
the uninitialized version is chosen, then perf does not function properly.

This patch fixes this by adding the extern prefix to the definitions in
trace-event-scripting.c.

Cc: David S. Miller <davem@davemloft.net>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Robert Richter <robert.richter@amd.com>
LKML-Reference: <4c97e41a.078fd80a.7a8b.3cc9@mx.google.com>
Signed-off-by: Stephane Eranian <eranian@google.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2010-10-04 12:24:51 -03:00
Frederik Deweerdt
c569d3326b perf ui hist browser: Fix segfault on 'a' for annotate
There a typo in util/ui/browsers/hists.c that leads to a segfault when you
press the 'a' key on a non-resolved symbol (plain hex address).

LKML-Reference: <20100923201901.GE31726@gambetta>
Signed-off-by: Frederik Deweerdt <frederik.deweerdt@xprog.eu>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2010-10-04 12:08:37 -03:00
Kusanagi Kouichi
39cfae64df perf tools: Fix build breakage
The patch ecafda6 introduced a problem where all object files would be
always rebuilt, fix it by using:

http://www.gnu.org/software/make/manual/html_node/Prerequisite-Types.html

Reported-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Bernd Petrovitsch <bernd@sysprog.at>
Signed-off-by: Kusanagi Kouichi <slash@ac.auone-net.jp>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2010-10-04 11:58:25 -03:00
Arnaud Lacombe
ff5ff6060b kconfig: delay symbol direct dependency initialization
This fixes the use-after-free and associated crash in kconfig introduced
in commit 246cf9c26b.

Signed-off-by: Arnaud Lacombe <lacombar@gmail.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Michal Marek <mmarek@suse.cz>
2010-10-04 15:13:13 +02:00
Christoph Hellwig
aaead25b95 writeback: always use sb->s_bdi for writeback purposes
We currently use struct backing_dev_info for various different purposes.
Originally it was introduced to describe a backing device which includes
an unplug and congestion function and various bits of readahead information
and VM-relevant flags.  We're also using for tracking dirty inodes for
writeback.

To make writeback properly find all inodes we need to only access the
per-filesystem backing_device pointed to by the superblock in ->s_bdi
inside the writeback code, and not the instances pointeded to by
inode->i_mapping->backing_dev which can be overriden by special devices
or might not be set at all by some filesystems.

Long term we should split out the writeback-relevant bits of struct
backing_device_info (which includes more than the current bdi_writeback)
and only point to it from the superblock while leaving the traditional
backing device as a separate structure that can be overriden by devices.

The one exception for now is the block device filesystem which really
wants different writeback contexts for it's different (internal) inodes
to handle the writeout more efficiently.  For now we do this with
a hack in fs-writeback.c because we're so late in the cycle, but in
the future I plan to replace this with a superblock method that allows
for multiple writeback contexts per filesystem.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
2010-10-04 14:25:33 +02:00
Geert Uytterhoeven
0157443c56 fuse: Initialize total_len in fuse_retrieve()
fs/fuse/dev.c:1357: warning: ‘total_len’ may be used uninitialized in this
function

Initialize total_len to zero, else its value will be undefined.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
2010-10-04 10:45:32 +02:00
Dan Rosenberg
51e97a12be sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
array and attempts to ensure that only a supported hmac entry is
returned.  The current code fails to do this properly - if the last id
in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the
id integer remains set after exiting the loop, and the address of an
out-of-bounds entry will be returned and subsequently used in the parent
function, causing potentially ugly memory corruption.  This patch resets
the id integer to 0 on encountering an invalid id so that NULL will be
returned after finishing the loop if no valid ids are found.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-03 21:58:49 -07:00
Dan Rosenberg
d7e0d19aa0 sctp: prevent reading out-of-bounds memory
Two user-controlled allocations in SCTP are subsequently dereferenced as
sockaddr structs, without checking if the dereferenced struct members fall
beyond the end of the allocated chunk.  There doesn't appear to be any
information leakage here based on how these members are used and
additional checking, but it's still worth fixing.

[akpm@linux-foundation.org: remove unfashionable newlines, fix gmail tab->space conversion]
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-03 21:58:48 -07:00
David Stevens
5b7c840667 ipv4: correct IGMP behavior on v3 query during v2-compatibility mode
A recent patch to allow IGMPv2 responses to IGMPv3 queries
bypasses length checks for valid query lengths, incorrectly
resets the v2_seen timer, and does not support IGMPv1.

The following patch responds with a v2 report as required
by IGMPv2 while correcting the other problems introduced
by the patch.

Signed-Off-By: David L Stevens <dlstevens@us.ibm.com>

Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-03 21:58:47 -07:00
Ben Hutchings
10ccff62bd netdev: Depend on INET before selecting INET_LRO
Since 'select' ignores dependencies, drivers that select INET_LRO must
depend on INET.  This fixes the broken configuration reported in
<http://article.gmane.org/gmane.linux.kernel/825646>.

Reported-by: Subrata Modak <subrata@linux.vnet.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-03 21:46:24 -07:00
Ben Hutchings
c5d3557103 Revert "ipv4: Make INET_LRO a bool instead of tristate."
This reverts commit e81963b180.

LRO is now deprecated in favour of GRO, and only a few drivers use it,
so it is desirable to build it as a module in distribution kernels.

The original change to prevent building it as a module was made in an
attempt to avoid the case where some dependents are set to y and some
to m, and INET_LRO can be set to m rather than y.  However, the
Kconfig system will reliably set INET_LRO=y in this case.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-03 21:46:23 -07:00
Nagendra Tomar
482964e56e net: Fix the condition passed to sk_wait_event()
This patch fixes the condition (3rd arg) passed to sk_wait_event() in
sk_stream_wait_memory(). The incorrect check in sk_stream_wait_memory()
causes the following soft lockup in tcp_sendmsg() when the global tcp
memory pool has exhausted.

>>> snip <<<

localhost kernel: BUG: soft lockup - CPU#3 stuck for 11s! [sshd:6429]
localhost kernel: CPU 3:
localhost kernel: RIP: 0010:[sk_stream_wait_memory+0xcd/0x200]  [sk_stream_wait_memory+0xcd/0x200] sk_stream_wait_memory+0xcd/0x200
localhost kernel:
localhost kernel: Call Trace:
localhost kernel:  [sk_stream_wait_memory+0x1b1/0x200] sk_stream_wait_memory+0x1b1/0x200
localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
localhost kernel:  [ipv6:tcp_sendmsg+0x6e6/0xe90] tcp_sendmsg+0x6e6/0xce0
localhost kernel:  [sock_aio_write+0x126/0x140] sock_aio_write+0x126/0x140
localhost kernel:  [xfs:do_sync_write+0xf1/0x130] do_sync_write+0xf1/0x130
localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
localhost kernel:  [hrtimer_start+0xe3/0x170] hrtimer_start+0xe3/0x170
localhost kernel:  [vfs_write+0x185/0x190] vfs_write+0x185/0x190
localhost kernel:  [sys_write+0x50/0x90] sys_write+0x50/0x90
localhost kernel:  [system_call+0x7e/0x83] system_call+0x7e/0x83

>>> snip <<<

What is happening is, that the sk_wait_event() condition passed from
sk_stream_wait_memory() evaluates to true for the case of tcp global memory
exhaustion. This is because both sk_stream_memory_free() and vm_wait are true
which causes sk_wait_event() to *not* call schedule_timeout().
Hence sk_stream_wait_memory() returns immediately to the caller w/o sleeping.
This causes the caller to again try allocation, which again fails and again
calls sk_stream_wait_memory(), and so on.

[ Bug introduced by commit c1cbe4b7ad
  ("[NET]: Avoid atomic xchg() for non-error case") -DaveM ]

Signed-off-by: Nagendra Singh Tomar <tomer_iisc@yahoo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-03 20:41:32 -07:00
Maciej Żenczykowski
ae878ae280 net: Fix IPv6 PMTU disc. w/ asymmetric routes
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-03 14:49:00 -07:00
Chris Wilson
7dcd2499de drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
... and do the same for pread.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@kernel.org
2010-10-03 14:16:18 +01:00
Chris Wilson
ce9d419dbe drm/i915: Sanity check pread/pwrite
Move the access control up from the fast paths, which are no longer
universally taken first, up into the caller. This then duplicates some
sanity checking along the slow paths, but is much simpler.
Tracked as CVE-2010-2962.

Reported-by: Kees Cook <kees@ubuntu.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@kernel.org
2010-10-03 14:16:17 +01:00
Giel van Schijndel
cadb86570c hwmon: f71882fg: use a muxed resource lock for the Super I/O port
Sleep while acquiring a resource lock on the Super I/O port. This should
prevent collisions from causing the hardware probe to fail with -EBUSY.

Signed-off-by: Giel van Schijndel <me@mortis.eu>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
2010-10-03 05:57:04 -07:00
Keith Packard
ab7ad7f645 drm/i915: Use pipe state to tell when pipe is off
Instead of waiting for the display line value to settle, we can simply
wait for the pipe configuration register 'state' bit to turn off.

Contrarywise, disabling the plane will not cause the display line
value to stop changing, so instead we wait for the vblank interrupt
bit to get set. And, we only do this when we're not about to wait for
the pipe to turn off.

Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
2010-10-03 10:23:26 +01:00
Keith Packard
b99a9d9bb6 drm/i915: vblank status not valid while training display port
While the display port is in training mode, vblank interrupts don't
occur. Because we have to wait for the display port output to turn on
before starting the training sequence, enable the output in 'normal'
mode so that we can tell when a vblank has occurred, then start the
training sequence.

Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
2010-10-03 10:22:25 +01:00
Sinan Akman
2b7a32f7ec of/spi: Fix OF-style driver binding of spi devices
This patch adds the OF hook to the spi core so that devices
can automatically be registered based on device tree data.  This fixes
a problem with spi devices not binding to drivers after the cleanup of
the spi & i2c binding code.

Signed-off-by: Sinan Akman <sinan@writeme.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
2010-10-02 21:28:29 -06:00