1. 09 4月, 2014 22 次提交
    • H
      s390/smp: fix smp_stop_cpu() for !CONFIG_SMP · e7c46c66
      Heiko Carstens 提交于
      smp_stop_cpu() should stop the current cpu even for !CONFIG_SMP.
      Otherwise machine_halt() will return and and the machine generates a
      panic instread of simply stopping the current cpu:
      
      Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000000
      
      CPU: 0 PID: 1 Comm: systemd-shutdow Not tainted 3.14.0-01527-g2b6ef16a6bc5 #10
      [...]
      Call Trace:
      ([<0000000000110db0>] show_trace+0xf8/0x158)
       [<0000000000110e7a>] show_stack+0x6a/0xe8
       [<000000000074dba8>] panic+0xe4/0x268
       [<0000000000140570>] do_exit+0xa88/0xb2c
       [<000000000016e12c>] SyS_reboot+0x1f0/0x234
       [<000000000075da70>] sysc_nr_ok+0x22/0x28
       [<000000007d5a09b4>] 0x7d5a09b4
      Signed-off-by: NHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
      e7c46c66
    • M
      s390: fix control register update · a8a934e4
      Martin Schwidefsky 提交于
      The git commit c63badeb
      "s390: optimize control register update" broke the update for
      control register 0. After the update do the lctlg from the correct
      value.
      
      Cc: <stable@vger.kernel.org> # 3.14
      Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
      a8a934e4
    • L
      Merge branch 'for-3.15' of git://linux-nfs.org/~bfields/linux · 75ff24fa
      Linus Torvalds 提交于
      Pull nfsd updates from Bruce Fields:
       "Highlights:
         - server-side nfs/rdma fixes from Jeff Layton and Tom Tucker
         - xdr fixes (a larger xdr rewrite has been posted but I decided it
           would be better to queue it up for 3.16).
         - miscellaneous fixes and cleanup from all over (thanks especially to
           Kinglong Mee)"
      
      * 'for-3.15' of git://linux-nfs.org/~bfields/linux: (36 commits)
        nfsd4: don't create unnecessary mask acl
        nfsd: revert v2 half of "nfsd: don't return high mode bits"
        nfsd4: fix memory leak in nfsd4_encode_fattr()
        nfsd: check passed socket's net matches NFSd superblock's one
        SUNRPC: Clear xpt_bc_xprt if xs_setup_bc_tcp failed
        NFSD/SUNRPC: Check rpc_xprt out of xs_setup_bc_tcp
        SUNRPC: New helper for creating client with rpc_xprt
        NFSD: Free backchannel xprt in bc_destroy
        NFSD: Clear wcc data between compound ops
        nfsd: Don't return NFS4ERR_STALE_STATEID for NFSv4.1+
        nfsd4: fix nfs4err_resource in 4.1 case
        nfsd4: fix setclientid encode size
        nfsd4: remove redundant check from nfsd4_check_resp_size
        nfsd4: use more generous NFS4_ACL_MAX
        nfsd4: minor nfsd4_replay_cache_entry cleanup
        nfsd4: nfsd4_replay_cache_entry should be static
        nfsd4: update comments with obsolete function name
        rpc: Allow xdr_buf_subsegment to operate in-place
        NFSD: Using free_conn free connection
        SUNRPC: fix memory leak of peer addresses in XPRT
        ...
      75ff24fa
    • L
      Merge branch 'akpm' (incoming from Andrew) · 0f386a70
      Linus Torvalds 提交于
      Merge a few more patches from Andrew Morton:
       "A few leftovers"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        fs/ncpfs/dir.c: fix indenting in ncp_lookup()
        ncpfs/inode.c: fix mismatch printk formats and arguments
        ncpfs: remove now unused PRINTK macro
        ncpfs: convert PPRINTK to ncp_vdbg
        ncpfs: convert DPRINTK/DDPRINTK to ncp_dbg
        ncpfs: Add pr_fmt and convert printks to pr_<level>
        arch/x86/mm/kmemcheck/kmemcheck.c: use kstrtoint() instead of sscanf()
        lib/percpu_counter.c: fix bad percpu counter state during suspend
        autofs4: check dev ioctl size before allocating
        mm: vmscan: do not swap anon pages just because free+file is low
      0f386a70
    • D
      fs/ncpfs/dir.c: fix indenting in ncp_lookup() · ffddc5fd
      Dan Carpenter 提交于
      My static checker suggests adding curly braces here.  Probably that was
      the intent, but actually the code works the same either way.  I've just
      changed the indenting and left the code as-is.
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Cc: Petr Vandrovec <petr@vandrovec.name>
      Acked-by: NDave Chiluk <chiluk@canonical.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      ffddc5fd
    • J
      ncpfs/inode.c: fix mismatch printk formats and arguments · 15a03ac6
      Joe Perches 提交于
      Conversions to ncp_dbg showed some format/argument mismatches so fix
      them.
      Signed-off-by: NJoe Perches <joe@perches.com>
      Cc: Petr Vandrovec <petr@vandrovec.name>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      15a03ac6
    • J
      ncpfs: remove now unused PRINTK macro · 485b47f6
      Joe Perches 提交于
      Uses are gone, remove the macro.
      Signed-off-by: NJoe Perches <joe@perches.com>
      Cc: Petr Vandrovec <petr@vandrovec.name>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      485b47f6
    • J
      ncpfs: convert PPRINTK to ncp_vdbg · e45ca8ba
      Joe Perches 提交于
      Use a more current logging style.
      
      Convert the paranoia debug statement to vdbg.
      Remove the embedded function names as dynamic_debug can do that.
      Signed-off-by: NJoe Perches <joe@perches.com>
      Cc: Petr Vandrovec <petr@vandrovec.name>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      e45ca8ba
    • J
      ncpfs: convert DPRINTK/DDPRINTK to ncp_dbg · d3b73ca1
      Joe Perches 提交于
      Use a more current logging style and enable use of dynamic debugging.
      
      Remove embedded function names, dynamic debug can add this instead.
      Signed-off-by: NJoe Perches <joe@perches.com>
      Cc: Petr Vandrovec <petr@vandrovec.name>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      d3b73ca1
    • J
      ncpfs: Add pr_fmt and convert printks to pr_<level> · b41f8b84
      Joe Perches 提交于
      Convert to a more current logging style.
      
      Add pr_fmt to prefix with "ncpfs: ".
      Remove the embedded function names and use "%s: ", __func__
      
      Some previously unprefixed messages now have "ncpfs: "
      Signed-off-by: NJoe Perches <joe@perches.com>
      Cc: Petr Vandrovec <petr@vandrovec.name>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b41f8b84
    • D
      arch/x86/mm/kmemcheck/kmemcheck.c: use kstrtoint() instead of sscanf() · d0057ca4
      David Rientjes 提交于
      Kmemcheck should use the preferred interface for parsing command line
      arguments, kstrto*(), rather than sscanf() itself.  Use it
      appropriately.
      Signed-off-by: NDavid Rientjes <rientjes@google.com>
      Cc: Vegard Nossum <vegardno@ifi.uio.no>
      Acked-by: NPekka Enberg <penberg@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      d0057ca4
    • J
      lib/percpu_counter.c: fix bad percpu counter state during suspend · e39435ce
      Jens Axboe 提交于
      I got a bug report yesterday from Laszlo Ersek in which he states that
      his kvm instance fails to suspend.  Laszlo bisected it down to this
      commit 1cf7e9c6 ("virtio_blk: blk-mq support") where virtio-blk is
      converted to use the blk-mq infrastructure.
      
      After digging a bit, it became clear that the issue was with the queue
      drain.  blk-mq tracks queue usage in a percpu counter, which is
      incremented on request alloc and decremented when the request is freed.
      The initial hunt was for an inconsistency in blk-mq, but everything
      seemed fine.  In fact, the counter only returned crazy values when
      suspend was in progress.
      
      When a CPU is unplugged, the percpu counters merges that CPU state with
      the general state.  blk-mq takes care to register a hotcpu notifier with
      the appropriate priority, so we know it runs after the percpu counter
      notifier.  However, the percpu counter notifier only merges the state
      when the CPU is fully gone.  This leaves a state transition where the
      CPU going away is no longer in the online mask, yet it still holds
      private values.  This means that in this state, percpu_counter_sum()
      returns invalid results, and the suspend then hangs waiting for
      abs(dead-cpu-value) requests to complete which of course will never
      happen.
      
      Fix this by clearing the state earlier, so we never have a case where
      the CPU isn't in online mask but still holds private state.  This bug
      has been there since forever, I guess we don't have a lot of users where
      percpu counters needs to be reliable during the suspend cycle.
      Signed-off-by: NJens Axboe <axboe@fb.com>
      Reported-by: NLaszlo Ersek <lersek@redhat.com>
      Tested-by: NLaszlo Ersek <lersek@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      e39435ce
    • S
      autofs4: check dev ioctl size before allocating · e53d77eb
      Sasha Levin 提交于
      There wasn't any check of the size passed from userspace before trying
      to allocate the memory required.
      
      This meant that userspace might request more space than allowed,
      triggering an OOM.
      Signed-off-by: NSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: NIan Kent <raven@themaw.net>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      e53d77eb
    • J
      mm: vmscan: do not swap anon pages just because free+file is low · 0bf1457f
      Johannes Weiner 提交于
      Page reclaim force-scans / swaps anonymous pages when file cache drops
      below the high watermark of a zone in order to prevent what little cache
      remains from thrashing.
      
      However, on bigger machines the high watermark value can be quite large
      and when the workload is dominated by a static anonymous/shmem set, the
      file set might just be a small window of used-once cache.  In such
      situations, the VM starts swapping heavily when instead it should be
      recycling the no longer used cache.
      
      This is a longer-standing problem, but it's more likely to trigger after
      commit 81c0a2bb ("mm: page_alloc: fair zone allocator policy")
      because file pages can no longer accumulate in a single zone and are
      dispersed into smaller fractions among the available zones.
      
      To resolve this, do not force scan anon when file pages are low but
      instead rely on the scan/rotation ratios to make the right prediction.
      Signed-off-by: NJohannes Weiner <hannes@cmpxchg.org>
      Acked-by: NRafael Aquini <aquini@redhat.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Suleiman Souhlal <suleiman@google.com>
      Cc: <stable@kernel.org>		[3.12+]
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      0bf1457f
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · ce7613db
      Linus Torvalds 提交于
      Pull more networking updates from David Miller:
      
       1) If a VXLAN interface is created with no groups, we can crash on
          reception of packets.  Fix from Mike Rapoport.
      
       2) Missing includes in CPTS driver, from Alexei Starovoitov.
      
       3) Fix string validations in isdnloop driver, from YOSHIFUJI Hideaki
          and Dan Carpenter.
      
       4) Missing irq.h include in bnxw2x, enic, and qlcnic drivers.  From
          Josh Boyer.
      
       5) AF_PACKET transmit doesn't statistically count TX drops, from Daniel
          Borkmann.
      
       6) Byte-Queue-Limit enabled drivers aren't handled properly in
          AF_PACKET transmit path, also from Daniel Borkmann.
      
          Same problem exists in pktgen, and Daniel fixed it there too.
      
       7) Fix resource leaks in driver probe error paths of new sxgbe driver,
          from Francois Romieu.
      
       8) Truesize of SKBs can gradually get more and more corrupted in NAPI
          packet recycling path, fix from Eric Dumazet.
      
       9) Fix uniprocessor netfilter build, from Florian Westphal.  In the
          longer term we should perhaps try to find a way for ARRAY_SIZE() to
          work even with zero sized array elements.
      
      10) Fix crash in netfilter conntrack extensions due to mis-estimation of
          required extension space.  From Andrey Vagin.
      
      11) Since we commit table rule updates before trying to copy the
          counters back to userspace (it's the last action we perform), we
          really can't signal the user copy with an error as we are beyond the
          point from which we can unwind everything.  This causes all kinds of
          use after free crashes and other mysterious behavior.
      
          From Thomas Graf.
      
      12) Restore previous behvaior of div/mod by zero in BPF filter
          processing.  From Daniel Borkmann.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (38 commits)
        net: sctp: wake up all assocs if sndbuf policy is per socket
        isdnloop: several buffer overflows
        netdev: remove potentially harmful checks
        pktgen: fix xmit test for BQL enabled devices
        net/at91_ether: avoid NULL pointer dereference
        tipc: Let tipc_release() return 0
        at86rf230: fix MAX_CSMA_RETRIES parameter
        mac802154: fix duplicate #include headers
        sxgbe: fix duplicate #include headers
        net: filter: be more defensive on div/mod by X==0
        netfilter: Can't fail and free after table replacement
        xen-netback: Trivial format string fix
        net: bcmgenet: Remove unnecessary version.h inclusion
        net: smc911x: Remove unused local variable
        bonding: Inactive slaves should keep inactive flag's value
        netfilter: nf_tables: fix wrong format in request_module()
        netfilter: nf_tables: set names cannot be larger than 15 bytes
        netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len
        netfilter: Add {ipt,ip6t}_osf aliases for xt_osf
        netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf hooks
        ...
      ce7613db
    • L
      Merge tag 'staging-3.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 0afccc4c
      Linus Torvalds 提交于
      Pull more staging patches from Greg KH:
       "Here are some more staging patches for 3.15-rc1.
      
        They include a late-submission of a wireless driver that a bunch of
        people seem to have the hardware for now.  As it's stand-alone, it
        should be fine (now passes the 0-day random build bot tests).
      
        There are also some fixes for the unisys drivers, as they were causing
        havoc on a number of different machines.  To resolve all of those
        issues, we just mark the driver as BROKEN now, and we can fix it up
        "properly" over time"
      
      * tag 'staging-3.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: rtl8723au: The 8723 only has two paths
        Staging: unisys: mark drivers as BROKEN
        Staging: unisys: verify that a control channel exists
        staging: unisys: Add missing close parentheses in filexfer.c
        staging: r8723au: Fix build problem when RFKILL is not selected
        staging: r8723au: Fix randconfig build errors
        staging: r8723au: Turn on build of new driver
        staging: r8723au: Additional source patches
        staging: r8723au: Add source files for new driver - part 4
        staging: r8723au: Add source files for new driver - part 3
        staging: r8723au: Add source files for new driver - part 2
        staging: r8723au: Add source files for new driver - part 1
      0afccc4c
    • L
      Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · e4f30545
      Linus Torvalds 提交于
      Pull second set of arm64 updates from Catalin Marinas:
       "A second pull request for this merging window, mainly with fixes and
        docs clarification:
      
         - Documentation clarification on CPU topology and booting
           requirements
         - Additional cache flushing during boot (needed in the presence of
           external caches or under virtualisation)
         - DMA range invalidation fix for non cache line aligned buffers
         - Build failure fix with !COMPAT
         - Kconfig update for STRICT_DEVMEM"
      
      * tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: Fix DMA range invalidation for cache line unaligned buffers
        arm64: Add missing Kconfig for CONFIG_STRICT_DEVMEM
        arm64: fix !CONFIG_COMPAT build failures
        Revert "arm64: virt: ensure visibility of __boot_cpu_mode"
        arm64: Relax the kernel cache requirements for boot
        arm64: Update the TCR_EL1 translation granule definitions for 16K pages
        ARM: topology: Make it clear that all CPUs need to be described
      e4f30545
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · d586c86d
      Linus Torvalds 提交于
      Pull second set of s390 patches from Martin Schwidefsky:
       "The second part of Heikos uaccess rework, the page table walker for
        uaccess is now a thing of the past (yay!)
      
        The code change to fix the theoretical TLB flush problem allows us to
        add a TLB flush optimization for zEC12, this machine has new
        instructions that allow to do CPU local TLB flushes for single pages
        and for all pages of a specific address space.
      
        Plus the usual bug fixing and some more cleanup"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/uaccess: rework uaccess code - fix locking issues
        s390/mm,tlb: optimize TLB flushing for zEC12
        s390/mm,tlb: safeguard against speculative TLB creation
        s390/irq: Use defines for external interruption codes
        s390/irq: Add defines for external interruption codes
        s390/sclp: add timeout for queued requests
        kvm/s390: also set guest pages back to stable on kexec/kdump
        lcs: Add missing destroy_timer_on_stack()
        s390/tape: Add missing destroy_timer_on_stack()
        s390/tape: Use del_timer_sync()
        s390/3270: fix crash with multiple reset device requests
        s390/bitops,atomic: add missing memory barriers
        s390/zcrypt: add length check for aligned data to avoid overflow in msg-type 6
      d586c86d
    • D
      net: sctp: wake up all assocs if sndbuf policy is per socket · 52c35bef
      Daniel Borkmann 提交于
      SCTP charges chunks for wmem accounting via skb->truesize in
      sctp_set_owner_w(), and sctp_wfree() respectively as the
      reverse operation. If a sender runs out of wmem, it needs to
      wait via sctp_wait_for_sndbuf(), and gets woken up by a call
      to __sctp_write_space() mostly via sctp_wfree().
      
      __sctp_write_space() is being called per association. Although
      we assign sk->sk_write_space() to sctp_write_space(), which
      is then being done per socket, it is only used if send space
      is increased per socket option (SO_SNDBUF), as SOCK_USE_WRITE_QUEUE
      is set and therefore not invoked in sock_wfree().
      
      Commit 4c3a5bda ("sctp: Don't charge for data in sndbuf
      again when transmitting packet") fixed an issue where in case
      sctp_packet_transmit() manages to queue up more than sndbuf
      bytes, sctp_wait_for_sndbuf() will never be woken up again
      unless it is interrupted by a signal. However, a still
      remaining issue is that if net.sctp.sndbuf_policy=0, that is
      accounting per socket, and one-to-many sockets are in use,
      the reclaimed write space from sctp_wfree() is 'unfairly'
      handed back on the server to the association that is the lucky
      one to be woken up again via __sctp_write_space(), while
      the remaining associations are never be woken up again
      (unless by a signal).
      
      The effect disappears with net.sctp.sndbuf_policy=1, that
      is wmem accounting per association, as it guarantees a fair
      share of wmem among associations.
      
      Therefore, if we have reclaimed memory in case of per socket
      accounting, wake all related associations to a socket in a
      fair manner, that is, traverse the socket association list
      starting from the current neighbour of the association and
      issue a __sctp_write_space() to everyone until we end up
      waking ourselves. This guarantees that no association is
      preferred over another and even if more associations are
      taken into the one-to-many session, all receivers will get
      messages from the server and are not stalled forever on
      high load. This setting still leaves the advantage of per
      socket accounting in touch as an association can still use
      up global limits if unused by others.
      
      Fixes: 4eb701df ("[SCTP] Fix SCTP sendbuffer accouting.")
      Signed-off-by: NDaniel Borkmann <dborkman@redhat.com>
      Cc: Thomas Graf <tgraf@suug.ch>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Cc: Vlad Yasevich <vyasevic@redhat.com>
      Acked-by: NVlad Yasevich <vyasevic@redhat.com>
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      52c35bef
    • L
      Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux · e9f37d3a
      Linus Torvalds 提交于
      Pull drm updates from Dave Airlie:
       "Highlights:
      
         - drm:
      
           Generic display port aux features, primary plane support, drm
           master management fixes, logging cleanups, enforced locking checks
           (instead of docs), documentation improvements, minor number
           handling cleanup, pseudofs for shared inodes.
      
         - ttm:
      
           add ability to allocate from both ends
      
         - i915:
      
           broadwell features, power domain and runtime pm, per-process
           address space infrastructure (not enabled)
      
         - msm:
      
           power management, hdmi audio support
      
         - nouveau:
      
           ongoing GPU fault recovery, initial maxwell support, random fixes
      
         - exynos:
      
           refactored driver to clean up a lot of abstraction, DP support
           moved into drm, LVDS bridge support added, parallel panel support
      
         - gma500:
      
           SGX MMU support, SGX irq handling, asle irq work fixes
      
         - radeon:
      
           video engine bringup, ring handling fixes, use dp aux helpers
      
         - vmwgfx:
      
           add rendernode support"
      
      * 'drm-next' of git://people.freedesktop.org/~airlied/linux: (849 commits)
        DRM: armada: fix corruption while loading cursors
        drm/dp_helper: don't return EPROTO for defers (v2)
        drm/bridge: export ptn3460_init function
        drm/exynos: remove MODULE_DEVICE_TABLE definitions
        ARM: dts: exynos4412-trats2: enable exynos/fimd node
        ARM: dts: exynos4210-trats: enable exynos/fimd node
        ARM: dts: exynos4412-trats2: add panel node
        ARM: dts: exynos4210-trats: add panel node
        ARM: dts: exynos4: add MIPI DSI Master node
        drm/panel: add S6E8AA0 driver
        ARM: dts: exynos4210-universal_c210: add proper panel node
        drm/panel: add ld9040 driver
        panel/ld9040: add DT bindings
        panel/s6e8aa0: add DT bindings
        drm/exynos: add DSIM driver
        exynos/dsim: add DT bindings
        drm/exynos: disallow fbdev initialization if no device is connected
        drm/mipi_dsi: create dsi devices only for nodes with reg property
        drm/mipi_dsi: add flags to DSI messages
        Skip intel_crt_init for Dell XPS 8700
        ...
      e9f37d3a
    • D
      isdnloop: several buffer overflows · 7563487c
      Dan Carpenter 提交于
      There are three buffer overflows addressed in this patch.
      
      1) In isdnloop_fake_err() we add an 'E' to a 60 character string and
      then copy it into a 60 character buffer.  I have made the destination
      buffer 64 characters and I'm changed the sprintf() to a snprintf().
      
      2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60
      character buffer so we have 54 characters.  The ->eazlist[] is 11
      characters long.  I have modified the code to return if the source
      buffer is too long.
      
      3) In isdnloop_command() the cbuf[] array was 60 characters long but the
      max length of the string then can be up to 79 characters.  I made the
      cbuf array 80 characters long and changed the sprintf() to snprintf().
      I also removed the temporary "dial" buffer and changed it to use "p"
      directly.
      
      Unfortunately, we pass the "cbuf" string from isdnloop_command() to
      isdnloop_writecmd() which truncates anything over 60 characters to make
      it fit in card->omsg[].  (It can accept values up to 255 characters so
      long as there is a '\n' character every 60 characters).  For now I have
      just fixed the memory corruption bug and left the other problems in this
      driver alone.
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7563487c
    • H
  2. 08 4月, 2014 18 次提交