- 02 10月, 2010 7 次提交
-
-
由 Don Mullis 提交于
If the original list is a POT in length, the first callback from line 73 will pass a==b both pointing to the original list_head. This is dangerous because the 'list_sort()' user can use 'container_of()' and accesses the "containing" object, which does not necessary exist for the list head. So the user can access RAM which does not belong to him. If this is a write access, we can end up with memory corruption. Signed-off-by: NDon Mullis <don.mullis@gmail.com> Tested-by: NArtem Bityutskiy <Artem.Bityutskiy@nokia.com> Signed-off-by: NArtem Bityutskiy <Artem.Bityutskiy@nokia.com> Cc: <stable@kernel.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Dan Rosenberg 提交于
The semctl syscall has several code paths that lead to the leakage of uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO, IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete version of the semid_ds struct. The copy_semid_to_user() function declares a semid_ds struct on the stack and copies it back to the user without initializing or zeroing the "sem_base", "sem_pending", "sem_pending_last", and "undo" pointers, allowing the leakage of 16 bytes of kernel stack memory. The code is still reachable on 32-bit systems - when calling semctl() newer glibc's automatically OR the IPC command with the IPC_64 flag, but invoking the syscall directly allows users to use the older versions of the struct. Signed-off-by: NDan Rosenberg <dan.j.rosenberg@gmail.com> Cc: Manfred Spraul <manfred@colorfullife.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Marcin Slusarz 提交于
Array of udimm sysfs attributes was not ended with NULL marker, leading to dereference of random memory. EDAC DEBUG: edac_create_mci_instance_attributes: edac_create_mci_instance_attributes() file udimm0 EDAC DEBUG: edac_create_mci_instance_attributes: edac_create_mci_instance_attributes() file udimm1 EDAC DEBUG: edac_create_mci_instance_attributes: edac_create_mci_instance_attributes() file udimm2 BUG: unable to handle kernel NULL pointer dereference at 00000000000001a4 IP: [<ffffffff81330b36>] edac_create_mci_instance_attributes+0x148/0x1f1 Pid: 1, comm: swapper Not tainted 2.6.36-rc3-nv+ #483 P6T SE/System Product Name RIP: 0010:[<ffffffff81330b36>] [<ffffffff81330b36>] edac_create_mci_instance_attributes+0x148/0x1f1 (...) Call Trace: [<ffffffff81330b86>] edac_create_mci_instance_attributes+0x198/0x1f1 [<ffffffff81330c9a>] edac_create_sysfs_mci_device+0xbb/0x2b2 [<ffffffff8132f533>] edac_mc_add_mc+0x46b/0x557 [<ffffffff81428901>] i7core_probe+0xccf/0xec0 RIP [<ffffffff81330b36>] edac_create_mci_instance_attributes+0x148/0x1f1 ---[ end trace 20de320855b81d78 ]--- Kernel panic - not syncing: Attempted to kill init! Signed-off-by: NMarcin Slusarz <marcin.slusarz@gmail.com> Cc: Mauro Carvalho Chehab <mchehab@redhat.com> Acked-by: NDoug Thompson <dougthompson@xmission.com> Cc: <stable@kernel.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Andrew Morton 提交于
sparc64 allmodconfig: drivers/serial/mrst_max3110.c: In function `serial_m3110_startup': drivers/serial/mrst_max3110.c:470: error: `IRQ_TYPE_EDGE_FALLING' undeclared (first use in this function) Cc: Greg KH <greg@kroah.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Andrew Morton 提交于
Fix the warnings arch/m68k/mac/macboing.c: In function 'mac_mksound': arch/m68k/mac/macboing.c:189: warning: comparison of distinct pointer types lacks a cast arch/m68k/mac/macboing.c:211: warning: comparison of distinct pointer types lacks a cast arch/m68k/mac/macboing.c: In function 'mac_quadra_start_bell': arch/m68k/mac/macboing.c:241: warning: comparison of distinct pointer types lacks a cast arch/m68k/mac/macboing.c:263: warning: comparison of distinct pointer types lacks a cast arch/m68k/mac/macboing.c: In function 'mac_quadra_ring_bell': arch/m68k/mac/macboing.c:283: warning: comparison of distinct pointer types lacks a cast Cc: Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Andrew Morton 提交于
alpha allmodconfig: drivers/serial/mfd.c:144: error: implicit declaration of function 'kzalloc' drivers/serial/mfd.c:144: warning: assignment makes pointer from integer without a cast Cc: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Ira W. Snyder 提交于
The kfifo_dma family of functions use sg_mark_end() on the last element in their scatterlist. This forces use of a fresh scatterlist for each DMA operation, which makes recycling a single scatterlist impossible. Change the behavior of the kfifo_dma functions to match the usage of the dma_map_sg function. This means that users must respect the returned nents value. The sample code is updated to reflect the change. This bug is trivial to cause: call kfifo_dma_in_prepare() such that it prepares a scatterlist with a single entry comprising the whole fifo. This is the case when you map the entirety of a newly created empty fifo. This causes the setup_sgl() function to mark the first scatterlist entry as the end of the chain, no matter what comes after it. Afterwards, add and remove some data from the fifo such that another call to kfifo_dma_in_prepare() will create two scatterlist entries. It returns nents=2. However, due to the previous sg_mark_end() call, sg_is_last() will now return true for the first scatterlist element. This causes the sample code to print a single scatterlist element when it should print two. By removing the call to sg_mark_end(), we make the API as similar as possible to the DMA mapping API. All users are required to respect the returned nents. Signed-off-by: NIra W. Snyder <iws@ovro.caltech.edu> Cc: Stefani Seibold <stefani@seibold.net> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 30 9月, 2010 7 次提交
-
-
由 Linus Torvalds 提交于
Commit c52c2ddc ("alpha: switch osf_sigprocmask() to use of sigprocmask()") had several problems. The more obvious compile issues got fixed in commit 0f44fbd2 ("alpha: fix compile problem in arch/alpha/kernel/signal.c"), but it also caused a regression. Since _BLOCKABLE is already the set of signals that can be blocked, the code should do "newmask & _BLOCKABLE" rather than inverting _BLOCKABLE before masking. Reported-by: NMichael Cree <mcree@orcon.net.nz> Patch-by: NAl Viro <viro@zeniv.linux.org.uk> Patch-by: NIvan Kokshaysky <ink@jurassic.park.msu.ru> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/jlbec/ocfs2由 Linus Torvalds 提交于
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jlbec/ocfs2: ocfs2: Don't walk off the end of fast symlinks.
-
git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_tx由 Linus Torvalds 提交于
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_tx: dmaengine: fix interrupt clearing for mv_xor missing inline keyword for static function in linux/dmaengine.h dma/shdma: move dereference below the NULL check
-
由 Joel Becker 提交于
ocfs2 fast symlinks are NUL terminated strings stored inline in the inode data area. However, disk corruption or a local attacker could, in theory, remove that NUL. Because we're using strlen() (my fault, introduced in a731d1 when removing vfs_follow_link()), we could walk off the end of that string. Signed-off-by: NJoel Becker <joel.becker@oracle.com> Cc: stable@kernel.org
-
git://oss.sgi.com/xfs/xfs由 Linus Torvalds 提交于
* 'for-linus' of git://oss.sgi.com/xfs/xfs: xfs: force background CIL push under sustained load
-
git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6由 Linus Torvalds 提交于
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-2.6: mfd: Fix max8925 irq control bit incorrect setting mfd: Ignore non-GPIO IRQs when setting wm831x IRQ types
-
由 Daniel J Blueman 提交于
Fix build failure from recent interface change and merge. Tested on OMAP3430. Signed-off-by: NDaniel J Blueman <daniel.blueman@gmail.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 29 9月, 2010 11 次提交
-
-
由 Dave Chinner 提交于
I have been seeing occasional pauses in transaction throughput up to 30s long under heavy parallel workloads. The only notable thing was that the xfsaild was trying to be active during the pauses, but making no progress. It was running exactly 20 times a second (on the 50ms no-progress backoff), and the number of pushbuf events was constant across this time as well. IOWs, the xfsaild appeared to be stuck on buffers that it could not push out. Further investigation indicated that it was trying to push out inode buffers that were pinned and/or locked. The xfsbufd was also getting woken at the same frequency (by the xfsaild, no doubt) to push out delayed write buffers. The xfsbufd was not making any progress because all the buffers in the delwri queue were pinned. This scan- and-make-no-progress dance went one in the trace for some seconds, before the xfssyncd came along an issued a log force, and then things started going again. However, I noticed something strange about the log force - there were way too many IO's issued. 516 log buffers were written, to be exact. That added up to 129MB of log IO, which got me very interested because it's almost exactly 25% of the size of the log. He delayed logging code is suppose to aggregate the minimum of 25% of the log or 8MB worth of changes before flushing. That's what really puzzled me - why did a log force write 129MB instead of only 8MB? Essentially what has happened is that no CIL pushes had occurred since the previous tail push which cleared out 25% of the log space. That caused all the new transactions to block because there wasn't log space for them, but they kick the xfsaild to push the tail. However, the xfsaild was not making progress because there were buffers it could not lock and flush, and the xfsbufd could not flush them because they were pinned. As a result, both the xfsaild and the xfsbufd could not move the tail of the log forward without the CIL first committing. The cause of the problem was that the background CIL push, which should happen when 8MB of aggregated changes have been committed, is being held off by the concurrent transaction commit load. The background push does a down_write_trylock() which will fail if there is a concurrent transaction commit holding the push lock in read mode. With 8 CPUs all doing transactions as fast as they can, there was enough concurrent transaction commits to hold off the background push until tail-pushing could no longer free log space, and the halt would occur. It should be noted that there is no reason why it would halt at 25% of log space used by a single CIL checkpoint. This bug could definitely violate the "no transaction should be larger than half the log" requirement and hence result in corruption if the system crashed under heavy load. This sort of bug is exactly the reason why delayed logging was tagged as experimental.... The fix is to start blocking background pushes once the threshold has been exceeded. Rework the threshold calculations to keep the amount of log space a CIL checkpoint can use to below that of the AIL push threshold to avoid the problem completely. Signed-off-by: NDave Chinner <dchinner@redhat.com> Reviewed-by: NAlex Elder <aelder@sgi.com> Reviewed-by: NChristoph Hellwig <hch@lst.de>
-
由 Kevin Liu 提交于
In max8925_irq_sync_unlock(), irq control bit is set at the same time. Zero means enabling irq, and one means disabling irq. The original code is: irq_chg[0] &= irq_data->enable; It should be changed to: irq_chg[0] &= ~irq_data->enable; Otherwise, irq control bit is mess. Signed-off-by: NKevin Liu <kliu5@marvell.com> Signed-off-by: NHaojian Zhuang <haojian.zhuang@marvell.com> Signed-off-by: NSamuel Ortiz <sameo@linux.intel.com>
-
由 Mark Brown 提交于
The driver was originally tested with an additional patch which made this unneeded but that patch had issuges and got lost on the way to mainline, causing problems when the errors are reported. Signed-off-by: NMark Brown <broonie@opensource.wolfsonmicro.com> Signed-off-by: NSamuel Ortiz <sameo@linux.intel.com> Cc: stable@kernel.org
-
由 Linus Torvalds 提交于
-
由 David Howells 提交于
When caching is disabled on the MN10300 arch, the sys_cacheflush() function is removed by conditional stuff in the makefiles, but is still referred to by the syscall table. Provide a null version that just returns 0 when caching is disabled (or -EINVAL if the arguments are silly). Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Linus Torvalds 提交于
Tssk. Apparently Al hadn't checked commit c52c2ddc ("alpha: switch osf_sigprocmask() to use of sigprocmask()") at all. It doesn't compile. Fixed as per suggestions from Michael Cree. Reported-by: NMichael Cree <mcree@orcon.net.nz> Cc: Al Viro <viro@ftp.linux.org.uk> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev由 Linus Torvalds 提交于
* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev: ahci: fix module refcount breakage introduced by libahci split
-
由 Tejun Heo 提交于
libata depends on scsi_host_template for module reference counting and sht's should be owned by each low level driver. During libahci split, the sht was left with libahci.ko leaving the actual low level drivers not reference counted. This made ahci and ahci_platform always unloadable even while they're being actively used. Fix it by defining AHCI_SHT() macro in ahci.h and defining a sht for each low level ahci driver. stable: only applicable to 2.6.35. Signed-off-by: NTejun Heo <tj@kernel.org> Reported-by: NPedro Francisco <pedrogfrancisco@gmail.com> Tested-by: NMichael Tokarev <mjt@tls.msk.ru> Cc: stable@kernel.org Signed-off-by: NJeff Garzik <jgarzik@redhat.com>
-
git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging由 Linus Torvalds 提交于
* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging: hwmon (coretemp): Fix build breakage if SMP is undefined
-
git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci-2.6由 Linus Torvalds 提交于
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci-2.6: PCI: fix pci_resource_alignment prototype
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6由 Linus Torvalds 提交于
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (47 commits) tcp: Fix >4GB writes on 64-bit. net/9p: Mount only matching virtio channels de2104x: fix ethtool tproxy: check for transparent flag in ip_route_newports ipv6: add IPv6 to neighbour table overflow warning tcp: fix TSO FACK loss marking in tcp_mark_head_lost 3c59x: fix regression from patch "Add ethtool WOL support" ipv6: add a missing unregister_pernet_subsys call s390: use free_netdev(netdev) instead of kfree() sgiseeq: use free_netdev(netdev) instead of kfree() rionet: use free_netdev(netdev) instead of kfree() ibm_newemac: use free_netdev(netdev) instead of kfree() smsc911x: Add MODULE_ALIAS() net: reset skb queue mapping when rx'ing over tunnel br2684: fix scheduling while atomic de2104x: fix TP link detection de2104x: fix power management de2104x: disable autonegotiation on broken hardware net: fix a lockdep splat e1000e: 82579 do not gate auto config of PHY by hardware during nominal use ...
-
- 28 9月, 2010 15 次提交
-
-
由 Guenter Roeck 提交于
Commit e40cc4bd introduced a build breakage if CONFIG_SMP is undefined. This commit fixes the problem. This fix is only a workaround. For a real fix, cpu_sibling_mask() should be defined in UP include code, eg in linux/smp.h, and asm/smp.h should not be included directly. This fix is currently not possible because asm/smp.h defines cpu_sibling_mask() unconditionally and is included directly from many source files. Reported-by: NIngo Molnar <mingo@elte.hu> Tested-by: NIngo Molnar <mingo@elte.hu> Signed-off-by: NGuenter Roeck <guenter.roeck@ericsson.com> Cc: Fenghua Yu <fenghua.yu@intel.com>
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip由 Linus Torvalds 提交于
* 'x86/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: x86: Avoid 'constant_test_bit()' misoptimization due to cast to non-volatile
-
由 David S. Miller 提交于
Fixes kernel bugzilla #16603 tcp_sendmsg() truncates iov_len to an 'int' which a 4GB write to write zero bytes, for example. There is also the problem higher up of how verify_iovec() works. It wants to prevent the total length from looking like an error return value. However it does this using 'int', but syscalls return 'long' (and thus signed 64-bit on 64-bit machines). So it could trigger false-positives on 64-bit as written. So fix it to use 'long'. Reported-by: NOlaf Bonorden <bono@onlinehome.de> Reported-by: NDaniel Büse <dbuese@gmx.de> Reported-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Dan Rosenberg 提交于
The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a pktcdvd_device from the global pkt_devs array. The index into this array is provided directly by the user and is a signed integer, so the comparison to ensure that it falls within the bounds of this array will fail when provided with a negative index. This can be used to read arbitrary kernel memory or cause a crash due to an invalid pointer dereference. This can be exploited by users with permission to open /dev/pktcdvd/control (on many distributions, this is readable by group "cdrom"). Signed-off-by: NDan Rosenberg <dan.j.rosenberg@gmail.com> [ Rather than add a cast, just make the function take the right type -Linus ] Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 David Howells 提交于
The configuration choice for the port on which the GDB stub listens has a default of GDBSTUB_TTYSM0, but this should be GDBSTUB_ON_TTYSM0 to match the option. Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Sven Eckelmann 提交于
p9_virtio_create will only compare the the channel's tag characters against the device name till the end of the channel's tag but not till the end of the device name. This means that if a user defines channels with the tags foo and foobar then he would mount foo when he requested foonot and may mount foo when he requested foobar. Thus it is necessary to check both string lengths against each other in case of a successful partial string match. Signed-off-by: NSven Eckelmann <sven.eckelmann@gmx.de> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Ondrej Zary 提交于
When the interface is up, using ethtool breaks it because: a) link is put down but media_timer interval is not shortened to NO_LINK b) rxtx is stopped but not restarted Also manual 10baseT-HD (and probably FD too - untested) mode does not work - the link is forced up, packets are transmitted but nothing is received. Changing CSR14 value to match documentation (not disabling link check) fixes this. Signed-off-by: NOndrej Zary <linux@rainbow-software.org> Acked-by: NJeff Garzik <jgarzik@redhat.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Ulrich Weber 提交于
as done in ip_route_connect() Signed-off-by: NUlrich Weber <uweber@astaro.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Ulrich Weber 提交于
IPv4 and IPv6 have separate neighbour tables, so the warning messages should be distinguishable. [ Add a suitable message prefix on the ipv4 side as well -DaveM ] Signed-off-by: NUlrich Weber <uweber@astaro.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Yuchung Cheng 提交于
When TCP uses FACK algorithm to mark lost packets in tcp_mark_head_lost(), if the number of packets in the (TSO) skb is greater than the number of packets that should be marked lost, TCP incorrectly exits the loop and marks no packets lost in the skb. This underestimates tp->lost_out and affects the recovery/retransmission. This patch fargments the skb and marks the correct amount of packets lost. Signed-off-by: NYuchung Cheng <ycheng@google.com> Acked-by: NIlpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband由 Linus Torvalds 提交于
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband: RDMA/cxgb3: Turn off RX coalescing for iWARP connections
-
由 Linus Torvalds 提交于
* master.kernel.org:/home/rmk/linux-2.6-arm: (28 commits) ARM: 6411/1: vexpress: set RAM latencies to 1 cycle for PL310 on ct-ca9x4 tile ARM: 6409/1: davinci: map sram using MT_MEMORY_NONCACHED instead of MT_DEVICE ARM: 6408/1: omap: Map only available sram memory ARM: 6407/1: mmu: Setup MT_MEMORY and MT_MEMORY_NONCACHED L1 entries ARM: pxa: remove pr_<level> uses of KERN_<level> ARM: pxa168fb: clear enable bit when not active ARM: pxa: fix cpu_is_pxa*() not expanding to zero when not configured ARM: pxa168: fix corrected reset vector ARM: pxa: Use PIO for PI2C communication on Palm27x ARM: pxa: Fix Vpac270 gpio_power for MMC ARM: 6401/1: plug a race in the alignment trap handler ARM: 6406/1: at91sam9g45: fix i2c bus speed leds: leds-ns2: fix locking ARM: dove: fix __io() definition to use bus based offset dmaengine: fix interrupt clearing for mv_xor ARM: kirkwood: Unbreak PCIe I/O port ARM: Fix build error when using KCONFIG_CONFIG ARM: 6383/1: Implement phys_mem_access_prot() to avoid attributes aliasing ARM: 6400/1: at91: fix arch_gettimeoffset fallout ARM: 6398/1: add proc info for ARM11MPCore/Cortex-A9 from ARM ...
-
git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs由 Linus Torvalds 提交于
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs: net/9p: fix memory handling/allocation in rdma_request()
-
git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp由 Linus Torvalds 提交于
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp: amd64_edac: Fix driver module removal
-