1. 02 10月, 2010 7 次提交
    • D
      lib/list_sort: do not pass bad pointers to cmp callback · f015ac3e
      Don Mullis 提交于
      If the original list is a POT in length, the first callback from line 73
      will pass a==b both pointing to the original list_head.  This is dangerous
      because the 'list_sort()' user can use 'container_of()' and accesses the
      "containing" object, which does not necessary exist for the list head.  So
      the user can access RAM which does not belong to him.  If this is a write
      access, we can end up with memory corruption.
      Signed-off-by: NDon Mullis <don.mullis@gmail.com>
      Tested-by: NArtem Bityutskiy <Artem.Bityutskiy@nokia.com>
      Signed-off-by: NArtem Bityutskiy <Artem.Bityutskiy@nokia.com>
      Cc: <stable@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      f015ac3e
    • D
      sys_semctl: fix kernel stack leakage · 982f7c2b
      Dan Rosenberg 提交于
      The semctl syscall has several code paths that lead to the leakage of
      uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
      IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
      version of the semid_ds struct.
      
      The copy_semid_to_user() function declares a semid_ds struct on the stack
      and copies it back to the user without initializing or zeroing the
      "sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
      allowing the leakage of 16 bytes of kernel stack memory.
      
      The code is still reachable on 32-bit systems - when calling semctl()
      newer glibc's automatically OR the IPC command with the IPC_64 flag, but
      invoking the syscall directly allows users to use the older versions of
      the struct.
      Signed-off-by: NDan Rosenberg <dan.j.rosenberg@gmail.com>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      982f7c2b
    • M
      i7core_edac: fix panic in udimm sysfs attributes registration · 64aab720
      Marcin Slusarz 提交于
      Array of udimm sysfs attributes was not ended with NULL marker, leading to
      dereference of random memory.
      
        EDAC DEBUG: edac_create_mci_instance_attributes: edac_create_mci_instance_attributes() file udimm0
        EDAC DEBUG: edac_create_mci_instance_attributes: edac_create_mci_instance_attributes() file udimm1
        EDAC DEBUG: edac_create_mci_instance_attributes: edac_create_mci_instance_attributes() file udimm2
        BUG: unable to handle kernel NULL pointer dereference at 00000000000001a4
        IP: [<ffffffff81330b36>] edac_create_mci_instance_attributes+0x148/0x1f1
        Pid: 1, comm: swapper Not tainted 2.6.36-rc3-nv+ #483 P6T SE/System Product Name
        RIP: 0010:[<ffffffff81330b36>]  [<ffffffff81330b36>] edac_create_mci_instance_attributes+0x148/0x1f1
        (...)
        Call Trace:
         [<ffffffff81330b86>] edac_create_mci_instance_attributes+0x198/0x1f1
         [<ffffffff81330c9a>] edac_create_sysfs_mci_device+0xbb/0x2b2
         [<ffffffff8132f533>] edac_mc_add_mc+0x46b/0x557
         [<ffffffff81428901>] i7core_probe+0xccf/0xec0
        RIP  [<ffffffff81330b36>] edac_create_mci_instance_attributes+0x148/0x1f1
        ---[ end trace 20de320855b81d78 ]---
        Kernel panic - not syncing: Attempted to kill init!
      Signed-off-by: NMarcin Slusarz <marcin.slusarz@gmail.com>
      Cc: Mauro Carvalho Chehab <mchehab@redhat.com>
      Acked-by: NDoug Thompson <dougthompson@xmission.com>
      Cc: <stable@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      64aab720
    • A
      drivers/serial/mrst_max3110.c needs linux/irq.h · c044391b
      Andrew Morton 提交于
      sparc64 allmodconfig:
      
        drivers/serial/mrst_max3110.c: In function `serial_m3110_startup':
        drivers/serial/mrst_max3110.c:470: error: `IRQ_TYPE_EDGE_FALLING' undeclared (first use in this function)
      
      Cc: Greg KH <greg@kroah.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      c044391b
    • A
      arch/m68k/mac/macboing.c: use unsigned long for irqflags · e53ced1b
      Andrew Morton 提交于
      Fix the warnings
      
        arch/m68k/mac/macboing.c: In function 'mac_mksound':
        arch/m68k/mac/macboing.c:189: warning: comparison of distinct pointer types lacks a cast
        arch/m68k/mac/macboing.c:211: warning: comparison of distinct pointer types lacks a cast
        arch/m68k/mac/macboing.c: In function 'mac_quadra_start_bell':
        arch/m68k/mac/macboing.c:241: warning: comparison of distinct pointer types lacks a cast
        arch/m68k/mac/macboing.c:263: warning: comparison of distinct pointer types lacks a cast
        arch/m68k/mac/macboing.c: In function 'mac_quadra_ring_bell':
        arch/m68k/mac/macboing.c:283: warning: comparison of distinct pointer types lacks a cast
      
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      e53ced1b
    • A
      drivers/serial/mfd.c needs slab.h · 63d66cab
      Andrew Morton 提交于
      alpha allmodconfig:
      
        drivers/serial/mfd.c:144: error: implicit declaration of function 'kzalloc'
        drivers/serial/mfd.c:144: warning: assignment makes pointer from integer without a cast
      
      Cc: Greg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      63d66cab
    • I
      kfifo: fix scatterlist usage · 399f1e30
      Ira W. Snyder 提交于
      The kfifo_dma family of functions use sg_mark_end() on the last element in
      their scatterlist.  This forces use of a fresh scatterlist for each DMA
      operation, which makes recycling a single scatterlist impossible.
      
      Change the behavior of the kfifo_dma functions to match the usage of the
      dma_map_sg function.  This means that users must respect the returned
      nents value.  The sample code is updated to reflect the change.
      
      This bug is trivial to cause: call kfifo_dma_in_prepare() such that it
      prepares a scatterlist with a single entry comprising the whole fifo.
      This is the case when you map the entirety of a newly created empty fifo.
      This causes the setup_sgl() function to mark the first scatterlist entry
      as the end of the chain, no matter what comes after it.
      
      Afterwards, add and remove some data from the fifo such that another call
      to kfifo_dma_in_prepare() will create two scatterlist entries.  It returns
      nents=2.  However, due to the previous sg_mark_end() call, sg_is_last()
      will now return true for the first scatterlist element.  This causes the
      sample code to print a single scatterlist element when it should print
      two.
      
      By removing the call to sg_mark_end(), we make the API as similar as
      possible to the DMA mapping API.  All users are required to respect the
      returned nents.
      Signed-off-by: NIra W. Snyder <iws@ovro.caltech.edu>
      Cc: Stefani Seibold <stefani@seibold.net>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      399f1e30
  2. 30 9月, 2010 7 次提交
  3. 29 9月, 2010 11 次提交
    • D
      xfs: force background CIL push under sustained load · 80168676
      Dave Chinner 提交于
      I have been seeing occasional pauses in transaction throughput up to
      30s long under heavy parallel workloads. The only notable thing was
      that the xfsaild was trying to be active during the pauses, but
      making no progress. It was running exactly 20 times a second (on the
      50ms no-progress backoff), and the number of pushbuf events was
      constant across this time as well.  IOWs, the xfsaild appeared to be
      stuck on buffers that it could not push out.
      
      Further investigation indicated that it was trying to push out inode
      buffers that were pinned and/or locked. The xfsbufd was also getting
      woken at the same frequency (by the xfsaild, no doubt) to push out
      delayed write buffers. The xfsbufd was not making any progress
      because all the buffers in the delwri queue were pinned. This scan-
      and-make-no-progress dance went one in the trace for some seconds,
      before the xfssyncd came along an issued a log force, and then
      things started going again.
      
      However, I noticed something strange about the log force - there
      were way too many IO's issued. 516 log buffers were written, to be
      exact. That added up to 129MB of log IO, which got me very
      interested because it's almost exactly 25% of the size of the log.
      He delayed logging code is suppose to aggregate the minimum of 25%
      of the log or 8MB worth of changes before flushing. That's what
      really puzzled me - why did a log force write 129MB instead of only
      8MB?
      
      Essentially what has happened is that no CIL pushes had occurred
      since the previous tail push which cleared out 25% of the log space.
      That caused all the new transactions to block because there wasn't
      log space for them, but they kick the xfsaild to push the tail.
      However, the xfsaild was not making progress because there were
      buffers it could not lock and flush, and the xfsbufd could not flush
      them because they were pinned. As a result, both the xfsaild and the
      xfsbufd could not move the tail of the log forward without the CIL
      first committing.
      
      The cause of the problem was that the background CIL push, which
      should happen when 8MB of aggregated changes have been committed, is
      being held off by the concurrent transaction commit load. The
      background push does a down_write_trylock() which will fail if there
      is a concurrent transaction commit holding the push lock in read
      mode. With 8 CPUs all doing transactions as fast as they can, there
      was enough concurrent transaction commits to hold off the background
      push until tail-pushing could no longer free log space, and the halt
      would occur.
      
      It should be noted that there is no reason why it would halt at 25%
      of log space used by a single CIL checkpoint. This bug could
      definitely violate the "no transaction should be larger than half
      the log" requirement and hence result in corruption if the system
      crashed under heavy load. This sort of bug is exactly the reason why
      delayed logging was tagged as experimental....
      
      The fix is to start blocking background pushes once the threshold
      has been exceeded. Rework the threshold calculations to keep the
      amount of log space a CIL checkpoint can use to below that of the
      AIL push threshold to avoid the problem completely.
      Signed-off-by: NDave Chinner <dchinner@redhat.com>
      Reviewed-by: NAlex Elder <aelder@sgi.com>
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      80168676
    • K
      mfd: Fix max8925 irq control bit incorrect setting · 90182317
      Kevin Liu 提交于
      In max8925_irq_sync_unlock(), irq control bit is set at the same time.
      Zero means enabling irq, and one means disabling irq.
      
      The original code is:
      	irq_chg[0] &= irq_data->enable;
      
      It should be changed to:
      	irq_chg[0] &= ~irq_data->enable;
      
      Otherwise, irq control bit is mess.
      Signed-off-by: NKevin Liu <kliu5@marvell.com>
      Signed-off-by: NHaojian Zhuang <haojian.zhuang@marvell.com>
      Signed-off-by: NSamuel Ortiz <sameo@linux.intel.com>
      90182317
    • M
      mfd: Ignore non-GPIO IRQs when setting wm831x IRQ types · c9d66d35
      Mark Brown 提交于
      The driver was originally tested with an additional patch which
      made this unneeded but that patch had issuges and got lost on the
      way to mainline, causing problems when the errors are reported.
      Signed-off-by: NMark Brown <broonie@opensource.wolfsonmicro.com>
      Signed-off-by: NSamuel Ortiz <sameo@linux.intel.com>
      Cc: stable@kernel.org
      c9d66d35
    • L
      Linux 2.6.36-rc6 · 899611ee
      Linus Torvalds 提交于
      899611ee
    • D
      MN10300: Handle missing sys_cacheflush() when caching disabled · 62bdb288
      David Howells 提交于
      When caching is disabled on the MN10300 arch, the sys_cacheflush()
      function is removed by conditional stuff in the makefiles, but is still
      referred to by the syscall table.
      
      Provide a null version that just returns 0 when caching is disabled (or
      -EINVAL if the arguments are silly).
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      62bdb288
    • L
      alpha: fix compile problem in arch/alpha/kernel/signal.c · 0f44fbd2
      Linus Torvalds 提交于
      Tssk.  Apparently Al hadn't checked commit c52c2ddc ("alpha: switch
      osf_sigprocmask() to use of sigprocmask()") at all. It doesn't compile.
      
      Fixed as per suggestions from Michael Cree.
      Reported-by: NMichael Cree <mcree@orcon.net.nz>
      Cc: Al Viro <viro@ftp.linux.org.uk>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      0f44fbd2
    • L
      Merge branch 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev · 7268e3c4
      Linus Torvalds 提交于
      * 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev:
        ahci: fix module refcount breakage introduced by libahci split
      7268e3c4
    • T
      ahci: fix module refcount breakage introduced by libahci split · fad16e7a
      Tejun Heo 提交于
      libata depends on scsi_host_template for module reference counting and
      sht's should be owned by each low level driver.  During libahci split,
      the sht was left with libahci.ko leaving the actual low level drivers
      not reference counted.  This made ahci and ahci_platform always
      unloadable even while they're being actively used.
      
      Fix it by defining AHCI_SHT() macro in ahci.h and defining a sht for
      each low level ahci driver.
      
      stable: only applicable to 2.6.35.
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Reported-by: NPedro Francisco <pedrogfrancisco@gmail.com>
      Tested-by: NMichael Tokarev <mjt@tls.msk.ru>
      Cc: stable@kernel.org
      Signed-off-by: NJeff Garzik <jgarzik@redhat.com>
      fad16e7a
    • L
      Merge branch 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging · b4d32648
      Linus Torvalds 提交于
      * 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging:
        hwmon (coretemp): Fix build breakage if SMP is undefined
      b4d32648
    • L
      0d70397b
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 · a2724f28
      Linus Torvalds 提交于
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (47 commits)
        tcp: Fix >4GB writes on 64-bit.
        net/9p: Mount only matching virtio channels
        de2104x: fix ethtool
        tproxy: check for transparent flag in ip_route_newports
        ipv6: add IPv6 to neighbour table overflow warning
        tcp: fix TSO FACK loss marking in tcp_mark_head_lost
        3c59x: fix regression from patch "Add ethtool WOL support"
        ipv6: add a missing unregister_pernet_subsys call
        s390: use free_netdev(netdev) instead of kfree()
        sgiseeq: use free_netdev(netdev) instead of kfree()
        rionet: use free_netdev(netdev) instead of kfree()
        ibm_newemac: use free_netdev(netdev) instead of kfree()
        smsc911x: Add MODULE_ALIAS()
        net: reset skb queue mapping when rx'ing over tunnel
        br2684: fix scheduling while atomic
        de2104x: fix TP link detection
        de2104x: fix power management
        de2104x: disable autonegotiation on broken hardware
        net: fix a lockdep splat
        e1000e: 82579 do not gate auto config of PHY by hardware during nominal use
        ...
      a2724f28
  4. 28 9月, 2010 15 次提交