1. 22 May, 2009 4 commits
  2. 21 May, 2009 4 commits
  3. 20 May, 2009 17 commits
  4. 19 May, 2009 15 commits
    • Benjamin Herrenschmidt's avatar
      drm: Round size of SHM maps to PAGE_SIZE · b6741377
      Benjamin Herrenschmidt authored
      Currently, userspace can fail to obtain the SAREA mapping (among other
      reasons) if it passes SAREA_MAX to drmAddMap without aligning it to the
      page size. This breaks for example on PowerPC with 64K pages and radeon
      despite the kernel radeon actually doing the right rouding in the first
      place.
      
      The way SAREA_MAX is defined with a bunch of ifdef's and duplicated
      between libdrm and the X server is gross, ultimately it should be
      retrieved by userspace from the kernel, but in the meantime, we have
      plenty of existing userspace built with bad values that need to work.
      
      This patch works around broken userspace by rounding the requested size
      in drm_addmap_core() of any SHM map to the page size. Since the backing
      memory for SHM maps is also allocated within addmap_core, there is no
      danger of adjacent memory being exposed due to the increased map size.
      The only side effect is that drivers that previously tried to create or
      access SHM maps using a size < PAGE_SIZE and failed (getting -EINVAL),
      will now succeed at the cost of a little bit more memory used if that
      happens to be when the map is created.
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarJesse Barnes <jbarnes@virtuousgeek.org>
      b6741377
    • Eric Paris's avatar
      TPM: get_event_name stack corruption · fbaa5869
      Eric Paris authored
      get_event_name uses sprintf to fill a buffer declared on the stack.  It fills
      the buffer 2 bytes at a time.  What the code doesn't take into account is that
      sprintf(buf, "%02x", data) actually writes 3 bytes.  2 bytes for the data and
      then it nul terminates the string.  Since we declare buf to be 40 characters
      long and then we write 40 bytes of data into buf sprintf is going to write 41
      characters.  The fix is to leave room in buf for the nul terminator.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      fbaa5869
    • Thomas Gleixner's avatar
      futex: setup writeable mapping for futex ops which modify user space data · 64d1304a
      Thomas Gleixner authored
      The futex code installs a read only mapping via get_user_pages_fast()
      even if the futex op function has to modify user space data. The
      eventual fault was fixed up by futex_handle_fault() which walked the
      VMA with mmap_sem held.
      
      After the cleanup patches which removed the mmap_sem dependency of the
      futex code commit 4dc5b7a36a49eff97050894cf1b3a9a02523717 (futex:
      clean up fault logic) removed the private VMA walk logic from the
      futex code. This change results in a stale RO mapping which is not
      fixed up.
      
      Instead of reintroducing the previous fault logic we set up the
      mapping in get_user_pages_fast() read/write for all operations which
      modify user space data. Also handle private futexes in the same way
      and make the current unconditional access_ok(VERIFY_WRITE) depend on
      the futex op.
      Reported-by: default avatarAndreas Schwab <schwab@linux-m68k.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      CC: stable@kernel.org
      64d1304a
    • Nico Schottelius's avatar
      Fix scripts/setlocalversion with tagged git commit · 33252572
      Nico Schottelius authored
      Produce correct output for
      - tagged commit (v2.6.30-rc6)
      - past tagged commit (v2.6.30-rc5-299-g7c7327d9)
      - no tag
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      33252572
    • Nelson Castillo's avatar
      mfd: pcf50633: fix unsafe disable_irq() · f43ab901
      Nelson Castillo authored
      Without this change Openmoko Freerunner (GTA02) bootstrap will deadlock.
      As pointed out in other patches this issue is in the wild since the merge
      of:
      
      : commit 3aa551c9
      : Author: Thomas Gleixner <tglx@linutronix.de>
      : Date:   Mon Mar 23 18:28:15 2009 +0100
      :
      :    genirq: add threaded interrupt handler support
      :
      :    Add support for threaded interrupt handlers
      Signed-off-by: default avatarNelson Castillo <arhuaco@freaks-unidos.net>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: <balajirrao@openmoko.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarSamuel Ortiz <sameo@linux.intel.com>
      f43ab901
    • Mark Brown's avatar
      mfd: Keep a cache of WM8350 volatile values · b126d113
      Mark Brown authored
      Due to the way that the WM8350 audio driver handles CODEC_ENA many of
      the WM8350 audio registers are marked as volatile when they aren't
      actually so. Allow the audio driver to see a cache of these values for
      inspection during interrupt context.
      
      To do this we need to stop satisfying any bits from volatile registers
      from cache - there's no real benefit from doing so anyway, we did the
      read already.
      Signed-off-by: default avatarMark Brown <broonie@opensource.wolfsonmicro.com>
      Signed-off-by: default avatarSamuel Ortiz <sameo@linux.intel.com>
      b126d113
    • Linus Torvalds's avatar
      Merge branch 'fixes-for-linus' of git://git.monstr.eu/linux-2.6-microblaze · 279e677f
      Linus Torvalds authored
      * 'fixes-for-linus' of git://git.monstr.eu/linux-2.6-microblaze:
        microblaze: Fix kind-of-intr checking against number of interrupts
        microblaze: Update Microblaze defconfig
      279e677f
    • Linus Torvalds's avatar
      467999f5
    • Linus Torvalds's avatar
      Avoid ICE in get_random_int() with gcc-3.4.5 · 26a9a418
      Linus Torvalds authored
      Martin Knoblauch reports that trying to build 2.6.30-rc6-git3 with
      RHEL4.3 userspace (gcc (GCC) 3.4.5 20051201 (Red Hat 3.4.5-2)) causes an
      internal compiler error (ICE):
      
          drivers/char/random.c: In function `get_random_int':
          drivers/char/random.c:1672: error: unrecognizable insn:
          (insn 202 148 150 0 /scratch/build/linux-2.6.30-rc6-git3/arch/x86/include/asm/tsc.h:23 (set (reg:SI 0 ax [91])
                  (subreg:SI (plus:DI (plus:DI (reg:DI 0 ax [88])
                              (subreg:DI (reg:SI 6 bp) 0))
                          (const_int -4 [0xfffffffffffffffc])) 0)) -1 (nil)
              (nil))
          drivers/char/random.c:1672: internal compiler error: in extract_insn, at recog.c:2083
      
      and after some debugging it turns out that it's due to the code trying
      to figure out the rough value of the current stack pointer by taking an
      address of an uninitialized variable and casting that to an integer.
      
      This is clearly a compiler bug, but it's not worth fighting - while the
      current stack kernel pointer might be somewhat hard to predict in user
      space, it's also not generally going to change for a lot of the call
      chains for a particular process.
      
      So just drop it, and mumble some incoherent curses at the compiler.
      Tested-by: default avatarMartin Knoblauch <spamtrap@knobisoft.de>
      Cc: Matt Mackall <mpm@selenic.com>
      Cc: Ingo Molnar <mingo@elte.hu>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      26a9a418
    • Jeff Layton's avatar
      cifs: fix pointer initialization and checks in cifs_follow_symlink (try #4) · 8b6427a2
      Jeff Layton authored
      This is the third respin of the patch posted yesterday to fix the error
      handling in cifs_follow_symlink. It also includes a fix for a bogus NULL
      pointer check in CIFSSMBQueryUnixSymLink that Jeff Moyer spotted.
      
      It's possible for CIFSSMBQueryUnixSymLink to return without setting
      target_path to a valid pointer. If that happens then the current value
      to which we're initializing this pointer could cause an oops when it's
      kfree'd.
      
      This patch is a little more comprehensive than the last patches. It
      reorganizes cifs_follow_link a bit for (hopefully) better readability.
      It should also eliminate the uneeded allocation of full_path on servers
      without unix extensions (assuming they can get to this point anyway, of
      which I'm not convinced).
      
      On a side note, I'm not sure I agree with the logic of enabling this
      query even when unix extensions are disabled on the client. It seems
      like that should disable this as well. But, changing that is outside the
      scope of this fix, so I've left it alone for now.
      Reported-by: default avatarJeff Moyer <jmoyer@redhat.com>
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Reviewed-by: default avatarJeff Moyer <jmoyer@redhat.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@inraded.com>
      Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
      8b6427a2
    • Ian Campbell's avatar
      xen/blkfront: fix warning when deleting gendisk on unplug/shutdown · 31a14400
      Ian Campbell authored
      Currently blkfront gives a warning when hot unplugging due to calling
      del_gendisk() with interrupts disabled (due to blkif_io_lock).
      
      WARNING: at kernel/softirq.c:124 local_bh_enable+0x36/0x84()
      Modules linked in: xenfs xen_netfront ext3 jbd mbcache xen_blkfront
      Pid: 13, comm: xenwatch Not tainted 2.6.29-xs5.5.0.13 #3
      Call Trace:
       [<c012611c>] warn_slowpath+0x80/0xb6
       [<c0104cf1>] xen_sched_clock+0x16/0x63
       [<c0104710>] xen_force_evtchn_callback+0xc/0x10
       [<c0104e32>] check_events+0x8/0xe
       [<c0104d9b>] xen_restore_fl_direct_end+0x0/0x1
       [<c0103749>] xen_mc_flush+0x10a/0x13f
       [<c0105bd2>] __switch_to+0x114/0x14e
       [<c011d92b>] dequeue_task+0x62/0x70
       [<c0123b6f>] finish_task_switch+0x2b/0x84
       [<c0299877>] schedule+0x66d/0x6e7
       [<c0104710>] xen_force_evtchn_callback+0xc/0x10
       [<c0104710>] xen_force_evtchn_callback+0xc/0x10
       [<c012a642>] local_bh_enable+0x36/0x84
       [<c022f9a7>] sk_filter+0x57/0x5c
       [<c0233dae>] netlink_broadcast+0x1d5/0x315
       [<c01c6371>] kobject_uevent_env+0x28d/0x331
       [<c01e7ead>] device_del+0x10f/0x120
       [<c01e7ec6>] device_unregister+0x8/0x10
       [<c015f86d>] bdi_unregister+0x2d/0x39
       [<c01bf6f4>] unlink_gendisk+0x23/0x3e
       [<c01ac946>] del_gendisk+0x7b/0xe7
       [<d0828c19>] blkfront_closing+0x28/0x6e [xen_blkfront]
       [<d082900c>] backend_changed+0x3ad/0x41d [xen_blkfront]
      
      We can fix this by calling del_gendisk() later in blkfront_closing, after
      releasing blkif_io_lock. Since the queue is stopped during the interrupts
      disabled phase I don't think there is any danger of an event occuring between
      releasing the blkif_io_lock and deleting the disk.
      Signed-off-by: default avatarIan Campbell <ian.campbell@citrix.com>
      Cc: Jeremy Fitzhardinge <jeremy@goop.org>
      Signed-off-by: default avatarJens Axboe <jens.axboe@oracle.com>
      31a14400
    • Ian Campbell's avatar
      xen/blkfront: allow xenbus state transition to Closing->Closed when not Connected · 28afea5b
      Ian Campbell authored
      This situation can occur when attempting to attach a block device whose
      backend is an empty physical CD-ROM driver. The backend in this case
      will go directly from the Initialising state to Closing->Closed.
      Previously this would result in a NULL pointer deref on info->gd
      (xenbus_dev_fatal does not return as a1a15ac5 seems to expect)
      
      Cc: stable@kernel.org
      Signed-off-by: default avatarIan Campbell <ian.campbell@citrix.com>
      Acked-by: default avatarJeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
      Signed-off-by: default avatarJens Axboe <jens.axboe@oracle.com>
      28afea5b
    • Frans Pop's avatar
      ipv4: make default for INET_LRO consistent with help text · bc8a5397
      Frans Pop authored
      Commit e81963b1 ("ipv4: Make INET_LRO a bool instead of tristate.")
      changed this config from tristate to bool.  Add default so that it is
      consistent with the help text.
      Signed-off-by: default avatarFrans Pop <elendil@planet.nl>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bc8a5397
    • Thomas Chenault's avatar
      net: fix skb_seq_read returning wrong offset/length for page frag data · 995b3379
      Thomas Chenault authored
      When called with a consumed value that is less than skb_headlen(skb)
      bytes into a page frag, skb_seq_read() incorrectly returns an
      offset/length relative to skb->data. Ensure that data which should come
      from a page frag does.
      Signed-off-by: default avatarThomas Chenault <thomas_chenault@dell.com>
      Tested-by: default avatarShyam Iyer <shyam_iyer@dell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      995b3379
    • Frank Filz's avatar
      nfs: Fix NFS v4 client handling of MAY_EXEC in nfs_permission. · 7ee2cb7f
      Frank Filz authored
      The problem is that permission checking is skipped if atomic open is
      possible, but when exec opens a file, it just opens it O_READONLY which
      means EXEC permission will not be checked at that time.
      
      This problem is observed by the following sequence (executed as root):
      
        mount -t nfs4 server:/ /mnt4
        echo "ls" >/mnt4/foo
        chmod 744 /mnt4/foo
        su guest -c "mnt4/foo"
      Signed-off-by: default avatarFrank Filz <ffilzlnx@us.ibm.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Cc: stable@kernel.org
      Tested-by: default avatarEugene Teo <eugeneteo@kernel.sg>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7ee2cb7f