1. 12 Sep, 2009 2 commits
    • firewire: ohci: fix Self ID Count register mask (safeguard against buffer overflow) · 928ec5f1
      Stefan Richter committed
      The selfIDSize field of Self ID Count is 9 bits wide, and we are only
      interested in the high 8 bits.  Fix the mask accordingly.  The
      previously too large mask didn't do damage though because the next few
      bits in the register are reserved and therefore zero with presently
      existing hardware.
      
      Also, check for the maximum possible self ID count of 252 (according to
      OHCI 1.1 clause 11.2 and IEEE 1394a-2000 clause 4.3.4.1, i.e. up to four
      self IDs of up to 63 nodes, even though IEEE 1394 up to edition 2008
      defines only up to three self IDs per node).  More than 252 self IDs
      would only happen if the self ID receive DMA unit malfunctioned, which
      would likely be caught by other self ID buffer checks.  However, check
      it early to be sure.  More than 253 quadlets would overflow the Topology
      Map CSR.
      
      Reported-By: PaX Team
      Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
    • ieee1394: raw1394: Do not leak memory on failed trylock. · 64549e93
      Michael Buesch committed
      Do not leak the allocated memory in case the mutex_trylock() failed
      to acquire the lock.
      Signed-off-by: Michael Buesch <mb@bu3sch.de>
      
      This bug does not happen in practice:  All raw1394 clients use
      libraw1394, and accesses to a libraw1394 handle need to be serialized
      by the client.  This is documented in libraw1394's API reference.
      Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
  2. 10 Sep, 2009 1 commit
  3. 09 Sep, 2009 3 commits
    • aoe: allocate unused request_queue for sysfs · 7135a71b
      Ed Cashin committed
      Andy Whitcroft reported an oops in aoe triggered by use of an
      incorrectly initialised request_queue object:
      
        [ 2645.959090] kobject '<NULL>' (ffff880059ca22c0): tried to add
      		an uninitialized object, something is seriously wrong.
        [ 2645.959104] Pid: 6, comm: events/0 Not tainted 2.6.31-5-generic #24-Ubuntu
        [ 2645.959107] Call Trace:
        [ 2645.959139] [<ffffffff8126ca2f>] kobject_add+0x5f/0x70
        [ 2645.959151] [<ffffffff8125b4ab>] blk_register_queue+0x8b/0xf0
        [ 2645.959155] [<ffffffff8126043f>] add_disk+0x8f/0x160
        [ 2645.959161] [<ffffffffa01673c4>] aoeblk_gdalloc+0x164/0x1c0 [aoe]
      
      The request queue of an aoe device is not used but can be allocated in
      code that does not sleep.
      
      Bruno bisected this regression down to
      
        cd43e26f
      
        block: Expose stacked device queues in sysfs
      
      "This seems to generate /sys/block/$device/queue and its contents for
       everyone who is using queues, not just for those queues that have a
       non-NULL queue->request_fn."
      
      Addresses http://bugs.launchpad.net/bugs/410198
      Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13942
      
      Note that embedding a queue inside another object has always been
      an illegal construct, since the queues are reference counted and
      must persist until the last reference is dropped. So aoe was
      always buggy in this respect (Jens).
      Signed-off-by: Ed Cashin <ecashin@coraid.com>
      Cc: Andy Whitcroft <apw@canonical.com>
      Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
      Cc: Bruno Premont <bonbons@linux-vserver.org>
      Cc: Martin K. Petersen <martin.petersen@oracle.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
    • i915: disable interrupts before tearing down GEM state · e6890f6f
      Linus Torvalds committed
      Reinette Chatre reports a frozen system (with blinking keyboard LEDs)
      when switching from graphics mode to the text console, or when
      suspending (which does the same thing). With netconsole, the oops
      turned out to be
      
      	BUG: unable to handle kernel NULL pointer dereference at 0000000000000084
      	IP: [<ffffffffa03ecaab>] i915_driver_irq_handler+0x26b/0xd20 [i915]
      
      and it's due to the i915_gem.c code doing drm_irq_uninstall() after
      having done i915_gem_idle(). And the i915_gem_idle() path will do
      
        i915_gem_idle() ->
          i915_gem_cleanup_ringbuffer() ->
            i915_gem_cleanup_hws() ->
              dev_priv->hw_status_page = NULL;
      
      but if an i915 interrupt comes in after this stage, it may want to
      access that hw_status_page, and gets the above NULL pointer dereference.
      
      And since the NULL pointer dereference happens from within an interrupt,
      and with the screen still in graphics mode, the common end result is
      simply a silently hung machine.
      
      Fix it by simply uninstalling the irq handler before idling rather than
      after. Fixes
      
          http://bugzilla.kernel.org/show_bug.cgi?id=13819
      
      Reported-and-tested-by: Reinette Chatre <reinette.chatre@intel.com>
      Acked-by: Jesse Barnes <jbarnes@virtuousgeek.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • drm/i915: fix mask bits setting · 7c8460db
      Zhenyu Wang committed
      eDP is exclusive connector too, and add missing crtc_mask
      setting for TV.
      
      This fixes
      
      	http://bugzilla.kernel.org/show_bug.cgi?id=14139
      
      Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
      Reported-and-tested-by: Carlos R. Mafra <crmafra2@gmail.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  4. 08 Sep, 2009 5 commits
  5. 07 Sep, 2009 2 commits
  6. 06 Sep, 2009 27 commits