Linus Torvalds [Sat, 5 Mar 2011 01:31:01 +0000 (17:31 -0800)]
Merge branch 'sh-fixes-for-linus' of git://git./linux/kernel/git/lethal/sh-2.6
* 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
sh: Change __nosave_XXX symbols to long
sh: Flush executable pages in copy_user_highpage
sh: Ensure ST40-300 BogoMIPS value is consistent
sh: sh7750: Fix incompatible pointer type
sh: sh7750: move machtypes.h to include/generated
Linus Torvalds [Sat, 5 Mar 2011 01:30:32 +0000 (17:30 -0800)]
Merge branch 'drm-fixes' of git://git./linux/kernel/git/airlied/drm-2.6
* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
drm/nouveau: allocate kernel's notifier object at end of block
Neil Horman [Sat, 5 Mar 2011 00:26:03 +0000 (19:26 -0500)]
nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab (v3)
The "bad_page()" page allocator sanity check was reported recently (call
chain as follows):
bad_page+0x69/0x91
free_hot_cold_page+0x81/0x144
skb_release_data+0x5f/0x98
__kfree_skb+0x11/0x1a
tcp_ack+0x6a3/0x1868
tcp_rcv_established+0x7a6/0x8b9
tcp_v4_do_rcv+0x2a/0x2fa
tcp_v4_rcv+0x9a2/0x9f6
do_timer+0x2df/0x52c
ip_local_deliver+0x19d/0x263
ip_rcv+0x539/0x57c
netif_receive_skb+0x470/0x49f
:virtio_net:virtnet_poll+0x46b/0x5c5
net_rx_action+0xac/0x1b3
__do_softirq+0x89/0x133
call_softirq+0x1c/0x28
do_softirq+0x2c/0x7d
do_IRQ+0xec/0xf5
default_idle+0x0/0x50
ret_from_intr+0x0/0xa
default_idle+0x29/0x50
cpu_idle+0x95/0xb8
start_kernel+0x220/0x225
_sinittext+0x22f/0x236
It occurs because an skb with a fraglist was freed from the tcp
retransmit queue when it was acked, but a page on that fraglist had
PG_Slab set (indicating it was allocated from the Slab allocator (which
means the free path above can't safely free it via put_page.
We tracked this back to an nfsv4 setacl operation, in which the nfs code
attempted to fill convert the passed in buffer to an array of pages in
__nfs4_proc_set_acl, which gets used by the skb->frags list in
xs_sendpages. __nfs4_proc_set_acl just converts each page in the buffer
to a page struct via virt_to_page, but the vfs allocates the buffer via
kmalloc, meaning the PG_slab bit is set. We can't create a buffer with
kmalloc and free it later in the tcp ack path with put_page, so we need
to either:
1) ensure that when we create the list of pages, no page struct has
PG_Slab set
or
2) not use a page list to send this data
Given that these buffers can be multiple pages and arbitrarily sized, I
think (1) is the right way to go. I've written the below patch to
allocate a page from the buddy allocator directly and copy the data over
to it. This ensures that we have a put_page free-able page for every
entry that winds up on an skb frag list, so it can be safely freed when
the frame is acked. We do a put page on each entry after the
rpc_call_sync call so as to drop our own reference count to the page,
leaving only the ref count taken by tcp_sendpages. This way the data
will be properly freed when the ack comes in
Successfully tested by myself to solve the above oops.
Note, as this is the result of a setacl operation that exceeded a page
of data, I think this amounts to a local DOS triggerable by an
uprivlidged user, so I'm CCing security on this as well.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Trond Myklebust <Trond.Myklebust@netapp.com>
CC: security@kernel.org
CC: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Dave Kleikamp [Fri, 4 Mar 2011 16:13:47 +0000 (10:13 -0600)]
MAINTAINERS: Update shaggy's email address
Signed-off-by: Dave Kleikamp <shaggy@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Fri, 4 Mar 2011 17:23:30 +0000 (09:23 -0800)]
Mark ptrace_{traceme,attach,detach} static
They are only used inside kernel/ptrace.c, and have been for a long
time. We don't want to go back to the bad-old-days when architectures
did things on their own, so make them static and private.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Ben Skeggs [Thu, 3 Mar 2011 23:58:36 +0000 (09:58 +1000)]
drm/nouveau: allocate kernel's notifier object at end of block
The nv30/nv40 3d driver is about to start using DMA_FENCE from the 3D
object which, it turns out, doesn't like its DMA object to not be
aligned to a 4KiB boundary.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Linus Torvalds [Thu, 3 Mar 2011 23:48:01 +0000 (15:48 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
Linus Torvalds [Thu, 3 Mar 2011 23:43:15 +0000 (15:43 -0800)]
Merge git://git./linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (42 commits)
MAINTAINERS: Add Andy Gospodarek as co-maintainer.
r8169: disable ASPM
RxRPC: Fix v1 keys
AF_RXRPC: Handle receiving ACKALL packets
cnic: Fix lost interrupt on bnx2x
cnic: Prevent status block race conditions with hardware
net: dcbnl: check correct ops in dcbnl_ieee_set()
e1000e: disable broken PHY wakeup for ICH10 LOMs, use MAC wakeup instead
igb: fix sparse warning
e1000: fix sparse warning
netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values
dccp: fix oops on Reset after close
ipvs: fix dst_lock locking on dest update
davinci_emac: Add Carrier Link OK check in Davinci RX Handler
bnx2x: update driver version to 1.62.00-6
bnx2x: properly calculate lro_mss
bnx2x: perform statistics "action" before state transition.
bnx2x: properly configure coefficients for MinBW algorithm (NPAR mode).
bnx2x: Fix ethtool -t link test for MF (non-pmf) devices.
bnx2x: Fix nvram test for single port devices.
...
Linus Torvalds [Thu, 3 Mar 2011 23:42:35 +0000 (15:42 -0800)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block
* 'for-linus' of git://git.kernel.dk/linux-2.6-block:
block: kill loop_mutex
blktrace: Remove blk_fill_rwbs_rq.
block: blk-flush shouldn't call directly into q->request_fn() __blk_run_queue()
block: add @force_kblockd to __blk_run_queue()
block: fix kernel-doc format for blkdev_issue_zeroout
blk-throttle: Do not use kblockd workqueue for throtl work
Linus Torvalds [Thu, 3 Mar 2011 23:37:59 +0000 (15:37 -0800)]
Merge branch 'i_nlink' of git://git./linux/kernel/git/viro/vfs-2.6
* 'i_nlink' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
hfs: fix rename() over non-empty directory
udf: fix i_nlink limit
fix reiserfs mkdir() breakage
exofs: i_nlink races in rename()
nilfs2: i_nlink races in rename()
minix: i_nlink races in rename()
ufs: i_nlink races in rename()
sysv: i_nlink races in rename()
David Howells [Thu, 3 Mar 2011 11:28:58 +0000 (11:28 +0000)]
DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
When a DNS resolver key is instantiated with an error indication, attempts to
read that key will result in an oops because user_read() is expecting there to
be a payload - and there isn't one [CVE-2011-1076].
Give the DNS resolver key its own read handler that returns the error cached in
key->type_data.x[0] as an error rather than crashing.
Also make the kenter() at the beginning of dns_resolver_instantiate() limit the
amount of data it prints, since the data is not necessarily NUL-terminated.
The buggy code was added in:
commit
4a2d789267e00b5a1175ecd2ddefcc78b83fbf09
Author: Wang Lei <wang840925@gmail.com>
Date: Wed Aug 11 09:37:58 2010 +0100
Subject: DNS: If the DNS server returns an error, allow that to be cached [ver #2]
This can trivially be reproduced by any user with the following program
compiled with -lkeyutils:
#include <stdlib.h>
#include <keyutils.h>
#include <err.h>
static char payload[] = "#dnserror=6";
int main()
{
key_serial_t key;
key = add_key("dns_resolver", "a", payload, sizeof(payload),
KEY_SPEC_SESSION_KEYRING);
if (key == -1)
err(1, "add_key");
if (keyctl_read(key, NULL, 0) == -1)
err(1, "read_key");
return 0;
}
What should happen is that keyctl_read() reports error 6 (ENXIO) to the user:
dns-break: read_key: No such device or address
but instead the kernel oopses.
This cannot be reproduced with the 'keyutils add' or 'keyutils padd' commands
as both of those cut the data down below the NUL termination that must be
included in the data. Without this dns_resolver_instantiate() will return
-EINVAL and the key will not be instantiated such that it can be read.
The oops looks like:
BUG: unable to handle kernel NULL pointer dereference at
0000000000000010
IP: [<
ffffffff811b99f7>] user_read+0x4f/0x8f
PGD
3bdf8067 PUD
385b9067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq
CPU 0
Modules linked in:
Pid: 2150, comm: dns-break Not tainted 2.6.38-rc7-cachefs+ #468 /DG965RY
RIP: 0010:[<
ffffffff811b99f7>] [<
ffffffff811b99f7>] user_read+0x4f/0x8f
RSP: 0018:
ffff88003bf47f08 EFLAGS:
00010246
RAX:
0000000000000001 RBX:
ffff88003b5ea378 RCX:
ffffffff81972368
RDX:
0000000000000000 RSI:
0000000000000000 RDI:
ffff88003b5ea378
RBP:
ffff88003bf47f28 R08:
ffff88003be56620 R09:
0000000000000000
R10:
0000000000000395 R11:
0000000000000002 R12:
0000000000000000
R13:
0000000000000000 R14:
0000000000000000 R15:
ffffffffffffffa1
FS:
00007feab5751700(0000) GS:
ffff88003e000000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
0000000000000010 CR3:
000000003de40000 CR4:
00000000000006f0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
Process dns-break (pid: 2150, threadinfo
ffff88003bf46000, task
ffff88003be56090)
Stack:
ffff88003b5ea378 ffff88003b5ea3a0 0000000000000000 0000000000000000
ffff88003bf47f68 ffffffff811b708e ffff88003c442bc8 0000000000000000
00000000004005a0 00007fffba368060 0000000000000000 0000000000000000
Call Trace:
[<
ffffffff811b708e>] keyctl_read_key+0xac/0xcf
[<
ffffffff811b7c07>] sys_keyctl+0x75/0xb6
[<
ffffffff81001f7b>] system_call_fastpath+0x16/0x1b
Code: 75 1f 48 83 7b 28 00 75 18 c6 05 58 2b fb 00 01 be bb 00 00 00 48 c7 c7 76 1c 75 81 e8 13 c2 e9 ff 4c 8b b3 e0 00 00 00 4d 85 ed <41> 0f b7 5e 10 74 2d 4d 85 e4 74 28 e8 98 79 ee ff 49 39 dd 48
RIP [<
ffffffff811b99f7>] user_read+0x4f/0x8f
RSP <
ffff88003bf47f08>
CR2:
0000000000000010
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
cc: Wang Lei <wang840925@gmail.com>
Signed-off-by: James Morris <jmorris@namei.org>
Jay Vosburgh [Thu, 3 Mar 2011 10:43:10 +0000 (10:43 +0000)]
MAINTAINERS: Add Andy Gospodarek as co-maintainer.
Acked-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Thu, 3 Mar 2011 20:44:22 +0000 (12:44 -0800)]
Merge branch 'for-linus' of git://oss.sgi.com/xfs/xfs
* 'for-linus' of git://oss.sgi.com/xfs/xfs:
xfs: zero proper structure size for geometry calls
Linus Torvalds [Thu, 3 Mar 2011 20:42:48 +0000 (12:42 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/ryusuke/nilfs2
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ryusuke/nilfs2:
nilfs2: fix regression that i-flag is not set on changeless checkpoints
Stanislaw Gruszka [Tue, 22 Feb 2011 02:00:11 +0000 (02:00 +0000)]
r8169: disable ASPM
For some time is known that ASPM is causing troubles on r8169, i.e. make
device randomly stop working without any errors in dmesg.
Currently Tomi Leppikangas reports that system with r8169 device hangs
with MCE errors when ASPM is enabled:
https://bugzilla.redhat.com/show_bug.cgi?id=642861#c4
Lets disable ASPM for r8169 devices at all, to avoid problems with
r8169 PCIe devices at least for some users.
Reported-by: Tomi Leppikangas <tomi.leppikangas@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Petr Uzel [Thu, 3 Mar 2011 16:48:50 +0000 (11:48 -0500)]
block: kill loop_mutex
Following steps lead to deadlock in kernel:
dd if=/dev/zero of=img bs=512 count=1000
losetup -f img
mkfs.ext2 /dev/loop0
mount -t ext2 -o loop /dev/loop0 mnt
umount mnt/
Stacktrace:
[<
c102ec04>] irq_exit+0x36/0x59
[<
c101502c>] smp_apic_timer_interrupt+0x6b/0x75
[<
c127f639>] apic_timer_interrupt+0x31/0x38
[<
c101df88>] mutex_spin_on_owner+0x54/0x5b
[<
fe2250e9>] lo_release+0x12/0x67 [loop]
[<
c10c4eae>] __blkdev_put+0x7c/0x10c
[<
c10a4da5>] fput+0xd5/0x1aa
[<
fe2250cf>] loop_clr_fd+0x1a9/0x1b1 [loop]
[<
fe225110>] lo_release+0x39/0x67 [loop]
[<
c10c4eae>] __blkdev_put+0x7c/0x10c
[<
c10a59d9>] deactivate_locked_super+0x17/0x36
[<
c10b6f37>] sys_umount+0x27e/0x2a5
[<
c10b6f69>] sys_oldumount+0xb/0xe
[<
c1002897>] sysenter_do_call+0x12/0x26
[<
ffffffff>] 0xffffffff
Regression since
2a48fc0ab24241755dc9, which introduced the private
loop_mutex as part of the BKL removal process.
As per [1], the mutex can be safely removed.
[1] http://www.gossamer-threads.com/lists/linux/kernel/1341930
Addresses: https://bugzilla.novell.com/show_bug.cgi?id=669394
Addresses: https://bugzilla.kernel.org/show_bug.cgi?id=29172
Signed-off-by: Petr Uzel <petr.uzel@suse.cz>
Cc: stable@kernel.org
Reviewed-by: Nikanth Karthikesan <knikanth@suse.de>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Tao Ma [Thu, 3 Mar 2011 15:53:20 +0000 (10:53 -0500)]
blktrace: Remove blk_fill_rwbs_rq.
If we enable trace events to trace block actions, We use
blk_fill_rwbs_rq to analyze the corresponding actions
in request's cmd_flags, but we only choose the minor 2 bits
from it, so most of other flags(e.g, REQ_SYNC) are missing.
For example, with a sync write we get:
write_test-2409 [001] 160.013869: block_rq_insert: 3,64 W 0 () 258135 + =
8 [write_test]
Since now we have integrated the flags of both bio and request,
it is safe to pass rq->cmd_flags directly to blk_fill_rwbs and
blk_fill_rwbs_rq isn't needed any more.
With this patch, after a sync write we get:
write_test-2417 [000] 226.603878: block_rq_insert: 3,64 WS 0 () 258135 +=
8 [write_test]
Signed-off-by: Tao Ma <boyu.mt@taobao.com>
Acked-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Al Viro [Thu, 3 Mar 2011 04:46:51 +0000 (23:46 -0500)]
hfs: fix rename() over non-empty directory
merge hfs_unlink() and hfs_rmdir(), while we are at it.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 2 Mar 2011 15:15:26 +0000 (10:15 -0500)]
udf: fix i_nlink limit
(256 << sizeof(x)) - 1 is not the maximal possible value of x...
In reality, the maximal allowed value for UDF FileLinkCount is
65535.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 2 Mar 2011 14:35:13 +0000 (09:35 -0500)]
fix reiserfs mkdir() breakage
if directory has so many subdirectories that its link count is set
to 1 (i.e. "can't tell accurately") and reiserfs_new_inode() fails,
we shouldn't decrement the parent's link count in cleanup path;
that's what DEC_DIR_INODE_NLINK() is for. As it is, we end up
with parent suddenly getting zero i_nlink, with very unpleasant
effects.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 2 Mar 2011 21:42:38 +0000 (16:42 -0500)]
exofs: i_nlink races in rename()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 2 Mar 2011 17:01:13 +0000 (12:01 -0500)]
nilfs2: i_nlink races in rename()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 2 Mar 2011 14:41:38 +0000 (09:41 -0500)]
minix: i_nlink races in rename()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 2 Mar 2011 14:40:21 +0000 (09:40 -0500)]
ufs: i_nlink races in rename()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 2 Mar 2011 14:38:45 +0000 (09:38 -0500)]
sysv: i_nlink races in rename()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Anton Blanchard [Mon, 28 Feb 2011 03:27:53 +0000 (03:27 +0000)]
RxRPC: Fix v1 keys
commit
339412841d7 (RxRPC: Allow key payloads to be passed in XDR form)
broke klog for me. I notice the v1 key struct had a kif_version field
added:
-struct rxkad_key {
- u16 security_index; /* RxRPC header security index */
- u16 ticket_len; /* length of ticket[] */
- u32 expiry; /* time at which expires */
- u32 kvno; /* key version number */
- u8 session_key[8]; /* DES session key */
- u8 ticket[0]; /* the encrypted ticket */
-};
+struct rxrpc_key_data_v1 {
+ u32 kif_version; /* 1 */
+ u16 security_index;
+ u16 ticket_length;
+ u32 expiry; /* time_t */
+ u32 kvno;
+ u8 session_key[8];
+ u8 ticket[0];
+};
However the code in rxrpc_instantiate strips it away:
data += sizeof(kver);
datalen -= sizeof(kver);
Removing kif_version fixes my problem.
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Howells [Mon, 28 Feb 2011 03:27:43 +0000 (03:27 +0000)]
AF_RXRPC: Handle receiving ACKALL packets
The OpenAFS server is now sending ACKALL packets, so we need to handle them.
Otherwise we report a protocol error and abort.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Thu, 3 Mar 2011 04:02:32 +0000 (20:02 -0800)]
Merge branch 'drm-fixes' of git://git./linux/kernel/git/airlied/drm-2.6
* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
drm/i915: fix memory corruption with GM965 and >4GB RAM
Linus Torvalds [Thu, 3 Mar 2011 04:01:57 +0000 (20:01 -0800)]
Merge branch 'devicetree/merge' of git://git.secretlab.ca/git/linux-2.6
* 'devicetree/merge' of git://git.secretlab.ca/git/linux-2.6:
of/promtree: allow DT device matching by fixing 'name' brokenness (v5)
x86: OLPC: have prom_early_alloc BUG rather than return NULL
of/flattree: Drop an uninteresting message to pr_debug level
of: Add missing of_address.h to xilinx ehci driver
Linus Torvalds [Thu, 3 Mar 2011 04:01:31 +0000 (20:01 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/mattst88/alpha-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mattst88/alpha-2.6:
alpha: Enable GENERIC_HARDIRQS_NO_DEPRECATED
alpha: irq: Convert affinity to use irq_data
alpha: irq: Remove pointless irq status manipulation
alpha: titan: Convert irq_chip functions
alpha: takara: Convert irq_chip functions
alpha: sable: Convert irq_chip functions
alpha: rx164: Convert irq_chip functions
alpha: noritake: Convert irq_chip functions
alpha: rawhide: Convert irq_chip functions
alpha: mikasa: Convert irq_chip functions
alpha: marvel: Convert irq_chip functions
alpha: eiger: Convert irq_chip functions
alpha: eb64p: Convert irq_chip functions
alpha: dp264: Convert irq_chip functions
alpha: cabriolet: Convert irq_chip functions
alpha: i8259, alcor, jensen wildfire: Convert irq_chip
alpha: srm: Convert irq_chip functions
alpha: Pyxis convert irq_chip functions
Fix typo in call to irq_to_desc()
Linus Torvalds [Thu, 3 Mar 2011 04:01:07 +0000 (20:01 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/sameo/mfd-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6:
mfd: Avoid tps6586x burst writes
mfd: Don't suspend WM8994 if the CODEC is not suspended
mfd: Fix DaVinci voice codec device name
mfd: Fix NULL pointer due to non-initialized ucb1x00-ts absinfo
mfd: Fix ASIC3 build with GENERIC_HARDIRQS_NO_DEPRECATED
Linus Torvalds [Thu, 3 Mar 2011 04:00:47 +0000 (20:00 -0800)]
Merge branch 'for_linus' of git://git./linux/kernel/git/jack/linux-fs-2.6
* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6:
ext2: Fix link count corruption under heavy link+rename load
Linus Torvalds [Thu, 3 Mar 2011 03:58:31 +0000 (19:58 -0800)]
Merge branch 'fixes' of git://git./linux/kernel/git/davej/cpufreq
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/davej/cpufreq:
[CPUFREQ] p4-clockmod: print EST-capable warning message only once
[CPUFREQ] fix BUG on cpufreq policy init failure
[CPUFREQ] Fix another notifier leak in powernow-k8.
[CPUFREQ] Missing "unregister_cpu_notifier" in powernow-k8.c
Linus Torvalds [Thu, 3 Mar 2011 03:58:14 +0000 (19:58 -0800)]
Merge branch 'merge' of git://git./linux/kernel/git/benh/powerpc
* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
powerpc: Fix call to flush_ptrace_hw_breakpoint()
powerpc/kexec: Restore ppc_md.machine_kexec
powerpc/mm: Make hpte_need_flush() safe for preemption
Linus Torvalds [Thu, 3 Mar 2011 02:08:03 +0000 (18:08 -0800)]
Merge branch 'idle-release' of git://git./linux/kernel/git/lenb/linux-idle-2.6
* 'idle-release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-idle-2.6:
intel_idle: disable Atom/Lincroft HW C-state auto-demotion
intel_idle: disable NHM/WSM HW C-state auto-demotion
Michael Chan [Wed, 2 Mar 2011 13:00:50 +0000 (13:00 +0000)]
cnic: Fix lost interrupt on bnx2x
We service 2 queues (kcq1 and kcq2) in cnic_service_bnx2x_bh(). If
the status block index has changed when servicing the kcq2, we must
go back and check kcq1. The latest status block index will be used
to acknowledge the interrupt, and without looping back to check kcq1,
we may miss events on kcq1.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael Chan [Wed, 2 Mar 2011 13:00:49 +0000 (13:00 +0000)]
cnic: Prevent status block race conditions with hardware
The status block index is used to acknowledge interrupt events and must
be read before checking for the interrupt events, so we need to add rmb()
to guarantee that.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Wed, 2 Mar 2011 23:26:57 +0000 (15:26 -0800)]
Merge branch 'release' of git://git./linux/kernel/git/lenb/linux-acpi-2.6
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6:
ACPI / ACPICA: Implicit notify for multiple devices
ACPI / debugfs: Fix buffer overflows, double free
David S. Miller [Wed, 2 Mar 2011 23:06:01 +0000 (15:06 -0800)]
Merge branch 'master' of /linux/kernel/git/jkirsher/net-2.6
John Fastabend [Wed, 2 Mar 2011 10:35:33 +0000 (10:35 +0000)]
net: dcbnl: check correct ops in dcbnl_ieee_set()
The incorrect ops routine was being tested for in
DCB_ATTR_IEEE_PFC attributes. This patch corrects
it.
Currently, every driver implementing ieee_setets also
implements ieee_setpfc so this bug is not actualized
yet.
Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andres Salomon [Thu, 24 Feb 2011 06:38:22 +0000 (22:38 -0800)]
of/promtree: allow DT device matching by fixing 'name' brokenness (v5)
Commit
e2f2a93b, "of/promtree: add package-to-path support to pdt"
changed dp->name from using the 'name' property to using
package-to-path. This fixed /proc/device-tree creation by eliminating
conflicts between names (the 'name' property provides names like
'battery', whereas package-to-path provides names like
'/foo/bar/battery@0', which we stripped to 'battery@0'). However, it
also breaks of_device_id table matching.
The fix that we _really_ wanted was to keep dp->name based upon
the name property ('battery'), but based dp->full_name upon
package-to-path ('battery@0'). This patch does just that.
This changes all users (except SPARC) of promtree to use the full
result from package-to-path for full_name, rather than stripping the
directory out. In practice, the strings end up being exactly the
same; this change saves time, code, and memory.
SPARC continues to use the existing build_path_component() code.
v2: combine two patches and revert of_pdt_node_name to original version
v3: use dp->phandle instead of passing around node
v4: warn/bail out for non-sparc archs if pkg2path is not set
v5: split of_pdt_build_full_name into sparc & non-sparc versions
v6: Pass NULL to pkg2path before buf gets assigned.
Drop check for pkg2path hook on each and every node.
v7: Don't BUG() when unable to get the full_path; create a
known-unique name instead.
Signed-off-by: Andres Salomon <dilinger@queued.net>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Andres Salomon [Fri, 25 Feb 2011 04:06:31 +0000 (20:06 -0800)]
x86: OLPC: have prom_early_alloc BUG rather than return NULL
..similar to what sparc's prom_early_alloc does.
Signed-off-by: Andres Salomon <dilinger@queued.net>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Paul Bolle [Mon, 14 Feb 2011 21:34:22 +0000 (22:34 +0100)]
of/flattree: Drop an uninteresting message to pr_debug level
This message looks like an error (which it isn't) when booting with a
flattened device tree. Remove the message from normal kernel builds.
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Michal Simek [Mon, 14 Feb 2011 10:40:09 +0000 (11:40 +0100)]
of: Add missing of_address.h to xilinx ehci driver
Build log:
In file included from drivers/usb/host/ehci-hcd.c:1208:
drivers/usb/host/ehci-xilinx-of.c: In function 'ehci_hcd_xilinx_of_probe':
drivers/usb/host/ehci-xilinx-of.c:168: error: implicit declaration of function 'of_address_to_resource'
Signed-off-by: John Williams <john.williams@petalogix.com>
Signed-off-by: Michal Simek <monstr@monstr.eu>
Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Thomas Gleixner [Sun, 6 Feb 2011 14:33:02 +0000 (14:33 +0000)]
alpha: Enable GENERIC_HARDIRQS_NO_DEPRECATED
All interrupt chips are converted. Mark it clean.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:33:00 +0000 (14:33 +0000)]
alpha: irq: Convert affinity to use irq_data
affinity is moving to irq_data. Fix it up.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:58 +0000 (14:32 +0000)]
alpha: irq: Remove pointless irq status manipulation
The irq descriptors are initialized IRQ_DISABLED in the generic
code. No need to fiddle with them.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:56 +0000 (14:32 +0000)]
alpha: titan: Convert irq_chip functions
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:53 +0000 (14:32 +0000)]
alpha: takara: Convert irq_chip functions
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:51 +0000 (14:32 +0000)]
alpha: sable: Convert irq_chip functions
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:49 +0000 (14:32 +0000)]
alpha: rx164: Convert irq_chip functions
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:46 +0000 (14:32 +0000)]
alpha: noritake: Convert irq_chip functions
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:44 +0000 (14:32 +0000)]
alpha: rawhide: Convert irq_chip functions
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:42 +0000 (14:32 +0000)]
alpha: mikasa: Convert irq_chip functions
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:39 +0000 (14:32 +0000)]
alpha: marvel: Convert irq_chip functions
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:37 +0000 (14:32 +0000)]
alpha: eiger: Convert irq_chip functions
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:35 +0000 (14:32 +0000)]
alpha: eb64p: Convert irq_chip functions
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:33 +0000 (14:32 +0000)]
alpha: dp264: Convert irq_chip functions
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:30 +0000 (14:32 +0000)]
alpha: cabriolet: Convert irq_chip functions
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:28 +0000 (14:32 +0000)]
alpha: i8259, alcor, jensen wildfire: Convert irq_chip
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:26 +0000 (14:32 +0000)]
alpha: srm: Convert irq_chip functions
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Thomas Gleixner [Sun, 6 Feb 2011 14:32:23 +0000 (14:32 +0000)]
alpha: Pyxis convert irq_chip functions
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Morten Holst Larsen [Sun, 23 Jan 2011 12:40:47 +0000 (13:40 +0100)]
Fix typo in call to irq_to_desc()
Fix typo in call to irq_to_desc()
Signed-off-by: Morten H. Larsen <m-larsen@post6.tele.dk>
Signed-off-by: Matt Turner <mattst88@gmail.com>
David S. Miller [Wed, 2 Mar 2011 19:29:31 +0000 (11:29 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/kaber/nf-2.6
Tejun Heo [Wed, 2 Mar 2011 13:48:06 +0000 (08:48 -0500)]
block: blk-flush shouldn't call directly into q->request_fn() __blk_run_queue()
blk-flush decomposes a flush into sequence of multiple requests. On
completion of a request, the next one is queued; however, block layer
must not implicitly call into q->request_fn() directly from completion
path. This makes the queue behave unexpectedly when seen from the
drivers and violates the assumption that q->request_fn() is called
with process context + queue_lock.
This patch makes blk-flush the following two changes to make sure
q->request_fn() is not called directly from request completion path.
- blk_flush_complete_seq_end_io() now asks __blk_run_queue() to always
use kblockd instead of calling directly into q->request_fn().
- queue_next_fseq() uses ELEVATOR_INSERT_REQUEUE instead of
ELEVATOR_INSERT_FRONT so that elv_insert() doesn't try to unplug the
request queue directly.
Reported by Jan in the following threads.
http://thread.gmane.org/gmane.linux.ide/48778
http://thread.gmane.org/gmane.linux.ide/48786
stable: applicable to v2.6.37.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Jan Beulich <JBeulich@novell.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Tejun Heo [Wed, 2 Mar 2011 13:48:05 +0000 (08:48 -0500)]
block: add @force_kblockd to __blk_run_queue()
__blk_run_queue() automatically either calls q->request_fn() directly
or schedules kblockd depending on whether the function is recursed.
blk-flush implementation needs to be able to explicitly choose
kblockd. Add @force_kblockd.
All the current users are converted to specify %false for the
parameter and this patch doesn't introduce any behavior change.
stable: This is prerequisite for fixing ide oops caused by the new
blk-flush implementation.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Jan Beulich <JBeulich@novell.com>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Bruce Allan [Wed, 2 Feb 2011 09:30:36 +0000 (09:30 +0000)]
e1000e: disable broken PHY wakeup for ICH10 LOMs, use MAC wakeup instead
When support for 82577/82578 was added[1] in 2.6.31, PHY wakeup was in-
advertently enabled (even though it does not function properly) on ICH10
LOMs. This patch makes it so that the ICH10 LOMs use MAC wakeup instead
as was done with the initial support for those devices (i.e. 82567LM-3,
82567LF-3 and 82567V-4).
[1] commit
a4f58f5455ba0efda36fb33c37074922d1527a10
Reported-by: Aurelien Jarno <aurelien@aurel32.net>
Cc: <stable@kernel.org>
Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Jeff Kirsher [Thu, 17 Feb 2011 18:47:48 +0000 (18:47 +0000)]
igb: fix sparse warning
Reported-by: Stephen Hemminger <shemminger@vyatta.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Stephen Hemminger [Thu, 24 Feb 2011 16:11:42 +0000 (16:11 +0000)]
e1000: fix sparse warning
Sparse complains because the e1000 driver is calling ioread on a pointer
not tagged as __iomem.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Jan Engelhardt [Wed, 2 Mar 2011 11:10:13 +0000 (12:10 +0100)]
netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values
Like many other places, we have to check that the array index is
within allowed limits, or otherwise, a kernel oops and other nastiness
can ensue when we access memory beyond the end of the array.
[ 5954.115381] BUG: unable to handle kernel paging request at
0000004000000000
[ 5954.120014] IP: __find_logger+0x6f/0xa0
[ 5954.123979] nf_log_bind_pf+0x2b/0x70
[ 5954.123979] nfulnl_recv_config+0xc0/0x4a0 [nfnetlink_log]
[ 5954.123979] nfnetlink_rcv_msg+0x12c/0x1b0 [nfnetlink]
...
The problem goes back to v2.6.30-rc1~1372~1342~31 where nf_log_bind
was decoupled from nf_log_register.
Reported-by: Miguel Di Ciurcio Filho <miguel.filho@gmail.com>,
via irc.freenode.net/#netfilter
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Josh Hunt [Thu, 24 Feb 2011 10:48:22 +0000 (11:48 +0100)]
ext2: Fix link count corruption under heavy link+rename load
vfs_rename_other() does not lock renamed inode with i_mutex. Thus changing
i_nlink in a non-atomic manner (which happens in ext2_rename()) can corrupt
it as reported and analyzed by Josh.
In fact, there is no good reason to mess with i_nlink of the moved file.
We did it presumably to simulate linking into the new directory and unlinking
from an old one. But the practical effect of this is disputable because fsck
can possibly treat file as being properly linked into both directories without
writing any error which is confusing. So we just stop increment-decrement
games with i_nlink which also fixes the corruption.
CC: stable@kernel.org
CC: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Jan Kara <jack@suse.cz>
vwadekar@nvidia.com [Thu, 24 Feb 2011 04:48:13 +0000 (10:18 +0530)]
mfd: Avoid tps6586x burst writes
tps6586 does not support burst writes. i2c writes have to be
1 byte at a time.
Cc: stable@kernel.org
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Mark Brown [Fri, 4 Feb 2011 14:57:43 +0000 (14:57 +0000)]
mfd: Don't suspend WM8994 if the CODEC is not suspended
ASoC supports keeping the audio subsysetm active over suspend in order
to support use cases such as audio passthrough from a cellular modem
with the main CPU suspended. Ensure that we don't power down the CODEC
when this is happening by checking to see if VMID is up and skipping
suspend and resume when it is. If the CODEC has suspended then it'll
turn VMID off before the core suspend() gets called.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Manjunathappa, Prakash [Thu, 27 Jan 2011 13:28:36 +0000 (18:58 +0530)]
mfd: Fix DaVinci voice codec device name
Fix the device name in DaVinci Voice Codec MFD driver to load
davinci-vcif and cq93vc codec client drivers.
Signed-off-by: Manjunathappa, Prakash <prakash.pm@ti.com>
Acked-by: Liam Girdwood <lrg@slimlogic.co.uk>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Jochen Friedrich [Wed, 26 Jan 2011 10:30:01 +0000 (11:30 +0100)]
mfd: Fix NULL pointer due to non-initialized ucb1x00-ts absinfo
Call input_set_abs_params instead of manually setting absbit only.
This fixes this oops:
Unable to handle kernel NULL pointer dereference at virtual address
00000024
Internal error: Oops:
41b67017 [#1]
CPU: 0 Not tainted (2.6.37 #4)
pc : [<
c016d1fc>] lr : [<
00000000>] psr:
20000093
sp :
c19e5f30 ip :
c19e5e6c fp :
c19e5f58
r10:
00000000 r9 :
c19e4000 r8 :
00000003
r7 :
000001e4 r6 :
00000001 r5 :
c1854400 r4 :
00000003
r3 :
00000018 r2 :
00000018 r1 :
00000018 r0 :
c185447c
Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
Control:
c1b6717f Table:
c1b6717f DAC:
00000017
Stack: (0xc19e5f30 to 0xc19e6000)
5f20:
00000003 00000003 c1854400 00000013
5f40:
00000001 000001e4 000001c5 c19e5f80 c19e5f5c c016d5e8 c016cf5c 000001e4
5f60:
c1854400 c18b5860 00000000 00000171 000001e4 c19e5fc4 c19e5f84 c01559a4
5f80:
c016d584 c18b5868 00000000 c1bb5c40 c0035afc c18b5868 c18b5868 c1a55d54
5fa0:
c18b5860 c0155750 00000013 00000000 00000000 00000000 c19e5ff4 c19e5fc8
5fc0:
c0050174 c015575c 00000000 c18b5860 00000000 c19e5fd4 c19e5fd4 c1a55d54
5fe0:
c00500f0 c003b464 00000000 c19e5ff8 c003b464 c00500fc 04000400 04000400
Backtrace:
Function entered at [<
c016cf50>] from [<
c016d5e8>]
Function entered at [<
c016d578>] from [<
c01559a4>]
r8:
000001e4 r7:
00000171 r6:
00000000 r5:
c18b5860 r4:
c1854400
Function entered at [<
c0155750>] from [<
c0050174>]
Function entered at [<
c00500f0>] from [<
c003b464>]
r6:
c003b464 r5:
c00500f0 r4:
c1a55d54
Code:
e59520fc e1a03286 e0433186 e0822003 (
e592000c)
>>PC;
c016d1fc <input_handle_event+2ac/5a0> <=====
Trace;
c016cf50 <input_handle_event+0/5a0>
Trace;
c016d5e8 <input_event+70/88>
Trace;
c016d578 <input_event+0/88>
Trace;
c01559a4 <ucb1x00_thread+254/2dc>
Trace;
c0155750 <ucb1x00_thread+0/2dc>
Trace;
c0050174 <kthread+84/8c>
Trace;
c00500f0 <kthread+0/8c>
Trace;
c003b464 <do_exit+0/624>
Signed-off-by: Jochen Friedrich <jochen@scram.de>
CC: stable@kernel.org
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Lennert Buytenhek [Sat, 22 Jan 2011 01:08:30 +0000 (02:08 +0100)]
mfd: Fix ASIC3 build with GENERIC_HARDIRQS_NO_DEPRECATED
Signed-off-by: Lennert Buytenhek <buytenh@secretlab.ca>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Gerrit Renker [Wed, 2 Mar 2011 07:02:07 +0000 (23:02 -0800)]
dccp: fix oops on Reset after close
This fixes a bug in the order of dccp_rcv_state_process() that still permitted
reception even after closing the socket. A Reset after close thus causes a NULL
pointer dereference by not preventing operations on an already torn-down socket.
dccp_v4_do_rcv()
|
| state other than OPEN
v
dccp_rcv_state_process()
|
| DCCP_PKT_RESET
v
dccp_rcv_reset()
|
v
dccp_time_wait()
WARNING: at net/ipv4/inet_timewait_sock.c:141 __inet_twsk_hashdance+0x48/0x128()
Modules linked in: arc4 ecb carl9170 rt2870sta(C) mac80211 r8712u(C) crc_ccitt ah
[<
c0038850>] (unwind_backtrace+0x0/0xec) from [<
c0055364>] (warn_slowpath_common)
[<
c0055364>] (warn_slowpath_common+0x4c/0x64) from [<
c0055398>] (warn_slowpath_n)
[<
c0055398>] (warn_slowpath_null+0x1c/0x24) from [<
c02b72d0>] (__inet_twsk_hashd)
[<
c02b72d0>] (__inet_twsk_hashdance+0x48/0x128) from [<
c031caa0>] (dccp_time_wai)
[<
c031caa0>] (dccp_time_wait+0x40/0xc8) from [<
c031c15c>] (dccp_rcv_state_proces)
[<
c031c15c>] (dccp_rcv_state_process+0x120/0x538) from [<
c032609c>] (dccp_v4_do_)
[<
c032609c>] (dccp_v4_do_rcv+0x11c/0x14c) from [<
c0286594>] (release_sock+0xac/0)
[<
c0286594>] (release_sock+0xac/0x110) from [<
c031fd34>] (dccp_close+0x28c/0x380)
[<
c031fd34>] (dccp_close+0x28c/0x380) from [<
c02d9a78>] (inet_release+0x64/0x70)
The fix is by testing the socket state first. Receiving a packet in Closed state
now also produces the required "No connection" Reset reply of RFC 4340, 8.3.1.
Reported-and-tested-by: Johan Hovold <jhovold@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
K.Prasad [Thu, 10 Feb 2011 04:44:35 +0000 (04:44 +0000)]
powerpc: Fix call to flush_ptrace_hw_breakpoint()
Fix the error in spelling the config option for hw-breakpoints and fix
the build issue that follows.
Signed-off by: K.Prasad <prasad@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Anton Blanchard [Wed, 23 Feb 2011 12:46:16 +0000 (12:46 +0000)]
powerpc/kexec: Restore ppc_md.machine_kexec
Kyle Moffett points out that mpc85xx has started using the
ppc_md.machine_kexec hook. As such, revert patch
c94868788cf2
(powerpc/kexec: Remove ppc_md.machine_kexec).
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Peter Zijlstra [Thu, 24 Feb 2011 10:47:32 +0000 (10:47 +0000)]
powerpc/mm: Make hpte_need_flush() safe for preemption
hpte_need_flush() might be called outside of a preempt section
when manipulating the kernel page tables, so we need to use the
appopriate variants of per-cpu variable accesses. There should
be no risk of being in the middle of a batch and a context
switch will flush any pending batch.
[Patch extracted from a larger patch in Peter's preemptible
mmu_gather series]
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Alex Elder [Tue, 1 Mar 2011 17:50:00 +0000 (17:50 +0000)]
xfs: zero proper structure size for geometry calls
Commit
493f3358cb289ccf716c5a14fa5bb52ab75943e5 added this call to
xfs_fs_geometry() in order to avoid passing kernel stack data back
to user space:
+ memset(geo, 0, sizeof(*geo));
Unfortunately, one of the callers of that function passes the
address of a smaller data type, cast to fit the type that
xfs_fs_geometry() requires. As a result, this can happen:
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted
in:
f87aca93
Pid: 262, comm: xfs_fsr Not tainted 2.6.38-rc6-
493f3358cb2+ #1
Call Trace:
[<
c12991ac>] ? panic+0x50/0x150
[<
c102ed71>] ? __stack_chk_fail+0x10/0x18
[<
f87aca93>] ? xfs_ioc_fsgeometry_v1+0x56/0x5d [xfs]
Fix this by fixing that one caller to pass the right type and then
copy out the subset it is interested in.
Note: This patch is an alternative to one originally proposed by
Eric Sandeen.
Reported-by: Jeffrey Hundstad <jeffrey.hundstad@mnsu.edu>
Signed-off-by: Alex Elder <aelder@sgi.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Tested-by: Jeffrey Hundstad <jeffrey.hundstad@mnsu.edu>
Dave Airlie [Wed, 2 Mar 2011 02:48:23 +0000 (12:48 +1000)]
Merge remote branch 'intel/drm-intel-fixes' of /ssd/git/drm-next into drm-fixes
Ryusuke Konishi [Mon, 28 Feb 2011 04:41:11 +0000 (13:41 +0900)]
nilfs2: fix regression that i-flag is not set on changeless checkpoints
According to the report from Jiro SEKIBA titled "regression in
2.6.37?" (Message-Id: <8739n8vs1f.wl%jir@sekiba.com>), on 2.6.37 and
later kernels, lscp command no longer displays "i" flag on checkpoints
that snapshot operations or garbage collection created.
This is a regression of nilfs2 checkpointing function, and it's
critical since it broke behavior of a part of nilfs2 applications.
For instance, snapshot manager of TimeBrowse gets to create
meaningless snapshots continuously; snapshot creation triggers another
checkpoint, but applications cannot distinguish whether the new
checkpoint contains meaningful changes or not without the i-flag.
This patch fixes the regression and brings that application behavior
back to normal.
Reported-by: Jiro SEKIBA <jir@unicus.jp>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Tested-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Tested-by: Jiro SEKIBA <jir@unicus.jp>
Cc: stable <stable@kernel.org> [2.6.37]
Naga Chumbalkar [Tue, 15 Feb 2011 17:44:11 +0000 (17:44 +0000)]
[CPUFREQ] p4-clockmod: print EST-capable warning message only once
Print the message only once. I see it 16 times on a 2P box with 16 logical CPUs.
Signed-off-by: Naga Chumbalkar <nagananda.chumbalkar@hp.com>
Jiri Slaby [Tue, 1 Mar 2011 16:41:10 +0000 (17:41 +0100)]
[CPUFREQ] fix BUG on cpufreq policy init failure
cpufreq_register_driver sets cpufreq_driver to a structure owned (and
placed) in the caller's memory. If cpufreq policy fails in its ->init
function, sysdev_driver_register returns nonzero in
cpufreq_register_driver. Now, cpufreq_register_driver returns an error
without setting cpufreq_driver back to NULL.
Usually cpufreq policy modules are unloaded because they propagate the
error to the module init function and return that.
So a later access to any member of cpufreq_driver causes bugs like:
BUG: unable to handle kernel paging request at
ffffffffa00270a0
IP: [<
ffffffff8145eca3>] cpufreq_cpu_get+0x53/0xe0
PGD 1805067 PUD 1809063 PMD
1c3f90067 PTE 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/virtual/net/tun0/statistics/collisions
CPU 0
Modules linked in: ...
Pid: 5677, comm: thunderbird-bin Tainted: G W 2.6.38-rc4-mm1_64+ #1389 To be filled by O.E.M./To Be Filled By O.E.M.
RIP: 0010:[<
ffffffff8145eca3>] [<
ffffffff8145eca3>] cpufreq_cpu_get+0x53/0xe0
RSP: 0018:
ffff8801aec37d98 EFLAGS:
00010086
RAX:
0000000000000202 RBX:
0000000000000000 RCX:
0000000000000001
RDX:
ffffffffa00270a0 RSI:
0000000000001000 RDI:
ffffffff8199ece8
...
Call Trace:
[<
ffffffff8145f490>] cpufreq_quick_get+0x10/0x30
[<
ffffffff8103f12b>] show_cpuinfo+0x2ab/0x300
[<
ffffffff81136292>] seq_read+0xf2/0x3f0
[<
ffffffff8126c5d3>] ? __strncpy_from_user+0x33/0x60
[<
ffffffff8116850d>] proc_reg_read+0x6d/0xa0
[<
ffffffff81116e53>] vfs_read+0xc3/0x180
[<
ffffffff81116f5c>] sys_read+0x4c/0x90
[<
ffffffff81030dbb>] system_call_fastpath+0x16/0x1b
...
It's all cause by weird fail path handling in cpufreq_register_driver.
To fix that, shuffle the code to do proper handling with gotos.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Dave Jones <davej@redhat.com>
Dave Jones [Wed, 24 Nov 2010 02:29:31 +0000 (21:29 -0500)]
[CPUFREQ] Fix another notifier leak in powernow-k8.
Do the notifier registration later, so we don't have to worry
about freeing it if we fail the msr allocation.
Signed-off-by: Dave Jones <davej@redhat.com>
Neil Brown [Wed, 24 Nov 2010 00:28:01 +0000 (11:28 +1100)]
[CPUFREQ] Missing "unregister_cpu_notifier" in powernow-k8.c
It appears that when powernow-k8 finds that
No compatible ACPI _PSS objects found.
and suggests
Try again with latest BIOS.
it fails the module load, but does not unregister the cpu_notifier that was
registered in powernowk8_init
This ends up leaving freed memory on the cpu notifier list for some other
poor module (e.g. md/raid5) to come along and trip over.
The following might be a partial fix, but I suspect there is probably other
clean-up that is needed.
( https://bugzilla.novell.com/show_bug.cgi?id=655215 has full dmesg traces).
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Neil Brown <neilb@suse.de>
Jan Niehusmann [Tue, 1 Mar 2011 22:24:16 +0000 (23:24 +0100)]
drm/i915: fix memory corruption with GM965 and >4GB RAM
On a Thinkpad x61s, I noticed some memory corruption when
plugging/unplugging the external VGA connection. The symptoms are that
4 bytes at the beginning of a page get overwritten by zeroes.
The address of the corruption varies when rebooting the machine, but
stays constant while it's running (so it's possible to repeatedly write
some data and then corrupt it again by plugging the cable).
Further investigation revealed that the corrupted address is
(dev_priv->status_page_dmah->busaddr & 0xffffffff), ie. the beginning of
the hardware status page of the i965 graphics card, cut to 32 bits.
So it seems that for some memory access, the hardware uses only 32 bit
addressing. If the hardware status page is located >4GB, this
corrupts unrelated memory.
Signed-off-by: Jan Niehusmann <jan@gondor.com>
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@kernel.org
Julian Anastasov [Tue, 22 Feb 2011 08:40:25 +0000 (10:40 +0200)]
ipvs: fix dst_lock locking on dest update
Fix dst_lock usage in __ip_vs_update_dest. We need
_bh locking because destination is updated in user context.
Can cause lockups on frequent destination updates.
Problem reported by Simon Kirby. Bug was introduced
in 2.6.37 from the "ipvs: changes for local real server"
change.
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
Linus Torvalds [Tue, 1 Mar 2011 21:55:12 +0000 (13:55 -0800)]
Linux 2.6.38-rc7
Linus Torvalds [Tue, 1 Mar 2011 21:23:27 +0000 (13:23 -0800)]
Revert "TPM: Long default timeout fix"
This reverts commit
c4ff4b829ef9e6353c0b133b7adb564a68054979.
Ted Ts'o reports:
"TPM is working for me so I can log into employer's network in 2.6.37.
It broke when I tried 2.6.38-rc6, with the following relevant lines
from my dmesg:
[ 11.081627] tpm_tis 00:0b: 1.2 TPM (device-id 0x0, rev-id 78)
[ 25.734114] tpm_tis 00:0b: Operation Timed out
[ 78.040949] tpm_tis 00:0b: Operation Timed out
This caused me to get suspicious, especially since the _other_ TPM
commit in 2.6.38 had already been reverted, so I tried reverting
commit
c4ff4b829e: "TPM: Long default timeout fix". With this commit
reverted, my TPM on my Lenovo T410 is once again working."
Requested-and-tested-by: Theodore Ts'o <tytso@mit.edu>
Acked-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
David S. Miller [Tue, 1 Mar 2011 20:38:18 +0000 (12:38 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6
Ben Hutchings [Tue, 1 Mar 2011 18:45:24 +0000 (13:45 -0500)]
block: fix kernel-doc format for blkdev_issue_zeroout
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Vivek Goyal [Tue, 1 Mar 2011 18:40:54 +0000 (13:40 -0500)]
blk-throttle: Do not use kblockd workqueue for throtl work
o Dominik Klein reported a system hang issue while doing some blkio
throttling testing.
https://lkml.org/lkml/2011/2/24/173
o Some tracing revealed that CFQ was not dispatching any more jobs as
queue unplug was not happening. And queue unplug was not happening
because unplug work was not being called as there was one throttling
work on same cpu which as not finished yet. And throttling work had not
finished as it was tyring to dispatch a bio to CFQ but all the request
descriptors were consume to it was put to sleep.
o So basically it is a cyclic dependecny between CFQ unplug work and
throtl dispatch work. Tejun suggested that use separate workqueue for
such cases.
o This patch uses a separate workqueue for throttle related work and
does not rely on kblockd workqueue anymore.
Cc: stable@kernel.org
Reported-by: Dominik Klein <dk@in-telegence.net>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Linus Torvalds [Tue, 1 Mar 2011 02:09:02 +0000 (18:09 -0800)]
Merge branch 'hwmon-for-linus' of git://git./linux/kernel/git/groeck/staging
* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging:
hwmon: (adt7411) add MODULE_DEVICE_TABLE
hwmon: (ad7414) add MODULE_DEVICE_TABLE
Randy Dunlap [Sat, 26 Feb 2011 18:54:00 +0000 (10:54 -0800)]
fs/block_dev.c: fix new kernel-doc warning
Fix new kernel-doc warning in fs/block_dev.c:
Warning(fs/block_dev.c:937): No description found for parameter 'kill_dirty'
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Rafael J. Wysocki [Tue, 1 Mar 2011 00:12:19 +0000 (01:12 +0100)]
ACPI: Fix build for CONFIG_NET unset
Several ACPI drivers fail to build if CONFIG_NET is unset, because
they refer to things depending on CONFIG_THERMAL that in turn depends
on CONFIG_NET. However, CONFIG_THERMAL doesn't really need to depend
on CONFIG_NET, because the only part of it requiring CONFIG_NET is
the netlink interface in thermal_sys.c.
Put the netlink interface in thermal_sys.c under #ifdef CONFIG_NET
and remove the dependency of CONFIG_THERMAL on CONFIG_NET from
drivers/thermal/Kconfig.
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Len Brown <lenb@kernel.org>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Luming Yu <luming.yu@intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Tue, 1 Mar 2011 01:58:09 +0000 (17:58 -0800)]
Merge branch 'drm-fixes' of git://git./linux/kernel/git/airlied/drm-2.6
* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
drm: fix unsigned vs signed comparison issue in modeset ctl ioctl.
drm/nv50-nvc0: make sure vma is definitely unmapped when destroying bo
Linus Torvalds [Tue, 1 Mar 2011 01:57:30 +0000 (17:57 -0800)]
Merge branch 'omap-fixes-for-linus' of git://git./linux/kernel/git/tmlind/linux-omap-2.6
* 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6:
omap4: prcm: Fix the CPUx clockdomain offsets
OMAP2+: clocksource: fix crash on boot when !CONFIG_OMAP_32K_TIMER
OMAP2/3: clock: fix fint calculation for DPLL_FREQSEL
OMAP2+: mailbox: fix lookups for multiple mailboxes
OMAP2420: mailbox: fix IVA vs DSP IRQ numbering
mach-omap2: smartreflex: world-writable debugfs voltage files
mach-omap2: pm: world-writable debugfs timer files
mach-omap2: mux: world-writable debugfs files
Linus Torvalds [Tue, 1 Mar 2011 01:55:08 +0000 (17:55 -0800)]
Merge branches 'perf-fixes-for-linus', 'x86-fixes-for-linus' and 'timers-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip
* 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
perf timechart: Fix max number of cpus
perf timechart: Fix black idle boxes in the title
perf hists: Print number of samples, not the period sum
* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
x86: Use u32 instead of long to set reset vector back to 0
* 'timers-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
clockevents: Prevent oneshot mode when broadcast device is periodic