1. 04 Oct, 2010 5 commits
    • Linus Torvalds's avatar
      Merge branch 'merge-spi' of git://git.secretlab.ca/git/linux-2.6 · 989cd445
      Linus Torvalds authored
      * 'merge-spi' of git://git.secretlab.ca/git/linux-2.6:
        of/spi: Fix OF-style driver binding of spi devices
        spi: spi-gpio.c tests SPI_MASTER_NO_RX bit twice, but not SPI_MASTER_NO_TX
        spi/mpc8xxx: fix buffer overrun on large transfers
      989cd445
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 · 4a73a437
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
        vlan: dont drop packets from unknown vlans in promiscuous mode
        Phonet: Correct header retrieval after pskb_may_pull
        um: Proper Fix for f25c80a4: remove duplicate structure field initialization
        ip_gre: Fix dependencies wrt. ipv6.
        net-2.6: SYN retransmits: Add new parameter to retransmits_timed_out()
        iwl3945: queue the right work if the scan needs to be aborted
        mac80211: fix use-after-free
      4a73a437
    • Linus Torvalds's avatar
      Merge branch 'drm-intel-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ickle/drm-intel · c470af0a
      Linus Torvalds authored
      * 'drm-intel-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ickle/drm-intel:
        drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
        drm/i915: Sanity check pread/pwrite
        drm/i915: Use pipe state to tell when pipe is off
        drm/i915: vblank status not valid while training display port
        drivers/gpu/drm/i915/i915_gem.c: Add missing error handling code
        drm/i915: Fix refleak during eviction.
        drm/i915: fix GMCH power reporting
      c470af0a
    • Hugh Dickins's avatar
      ksm: fix bad user data when swapping · 4e31635c
      Hugh Dickins authored
      Building under memory pressure, with KSM on 2.6.36-rc5, collapsed with
      an internal compiler error: typically indicating an error in swapping.
      
      Perhaps there's a timing issue which makes it now more likely, perhaps
      it's just a long time since I tried for so long: this bug goes back to
      KSM swapping in 2.6.33.
      
      Notice how reuse_swap_page() allows an exclusive page to be reused, but
      only does SetPageDirty if it can delete it from swap cache right then -
      if it's currently under Writeback, it has to be left in cache and we
      don't SetPageDirty, but the page can be reused.  Fine, the dirty bit
      will get set in the pte; but notice how zap_pte_range() does not bother
      to transfer pte_dirty to page_dirty when unmapping a PageAnon.
      
      If KSM chooses to share such a page, it will look like a clean copy of
      swapcache, and not be written out to swap when its memory is needed;
      then stale data read back from swap when it's needed again.
      
      We could fix this in reuse_swap_page() (or even refuse to reuse a
      page under writeback), but it's more honest to fix my oversight in
      KSM's write_protect_page().  Several days of testing on three machines
      confirms that this fixes the issue they showed.
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4e31635c
    • Hugh Dickins's avatar
      ksm: fix page_address_in_vma anon_vma oops · 4829b906
      Hugh Dickins authored
      2.6.36-rc1 commit 21d0d443 "rmap:
      resurrect page_address_in_vma anon_vma check" was right to resurrect
      that check; but now that it's comparing anon_vma->roots instead of
      just anon_vmas, there's a danger of oopsing on a NULL anon_vma.
      
      In most cases no NULL anon_vma ever gets here; but it turns out that
      occasionally KSM, when enabled on a forked or forking process, will
      itself call page_address_in_vma() on a "half-KSM" page left over from
      an earlier failed attempt to merge - whose page_anon_vma() is NULL.
      
      It's my bug that those should be getting here at all: I thought they
      were already dealt with, this oops proves me wrong, I'll fix it in
      the next release - such pages are effectively pinned until their
      process exits, since rmap cannot find their ptes (though swapoff can).
      
      For now just work around it by making page_address_in_vma() safe (and
      add a comment on why that check is wanted anyway).  A similar check
      in __page_check_anon_rmap() is safe because do_page_add_anon_rmap()
      already excluded KSM pages.
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Rik van Riel <riel@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4829b906
  2. 03 Oct, 2010 6 commits
  3. 02 Oct, 2010 1 commit
  4. 01 Oct, 2010 28 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6 · c6ea21e3
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
        cifs: prevent infinite recursion in cifs_reconnect_tcon
        cifs: set backing_dev_info on new S_ISREG inodes
      c6ea21e3
    • Linus Torvalds's avatar
      Merge branch 'x86-fixes-for-linus' of... · f4a3330d
      Linus Torvalds authored
      Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
      
      * 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
        x86, hpet: Fix bogus error check in hpet_assign_irq()
        x86, irq: Plug memory leak in sparse irq
        x86, cpu: After uncapping CPUID, re-run CPU feature detection
      f4a3330d
    • David Howells's avatar
      MN10300: Fix flush_icache_range() · 57cf4f78
      David Howells authored
      flush_icache_range() is given virtual addresses to describe the region.  It
      deals with these by attempting to translate them through the current set of
      page tables.
      
      This is fine for userspace memory and vmalloc()'d areas as they are governed by
      page tables.  However, since the regions above 0x80000000 aren't translated
      through the page tables by the MMU, the kernel doesn't bother to set up page
      tables for them (see paging_init()).
      
      This means flush_icache_range() as it stands cannot be used to flush regions of
      the VM area between 0x80000000 and 0x9fffffff where the kernel resides if the
      data cache is operating in WriteBack mode.
      
      To fix this, make flush_icache_range() first check for addresses in the upper
      half of VM space and deal with them appropriately, before dealing with any
      range in the page table mapped area.
      
      Ordinarily, this is not a problem, but it has the capacity to make kprobes and
      kgdb malfunction.  It should not affect gdbstub, signal frame setup or module
      loading as gdb has its own flush functions, and the others take place in the
      page table mapped area only.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarAkira Takeuchi <takeuchi.akr@jp.panasonic.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      57cf4f78
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6 · 18ffe4b1
      Linus Torvalds authored
      * 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
        vmwgfx: Fix fb VRAM pinning failure due to fragmentation
        vmwgfx: Remove initialisation of dev::devname
        vmwgfx: Enable use of the vblank system
        vmwgfx: vt-switch (master drop) fixes
        drm/vmwgfx: Fix breakage introduced by commit "drm: block userspace under allocating buffer and having drivers overwrite it (v2)"
        drm: Hold the mutex when dropping the last GEM reference (v2)
        drm/gem: handlecount isn't really a kref so don't make it one.
        drm: i810/i830: fix locked ioctl variant
        drm/radeon/kms: add quirk for MSI K9A2GM motherboard
        drm/radeon/kms: fix potential segfault in r600_ioctl_wait_idle
        drm: Prune GEM vma entries
        drm/radeon/kms: fix up encoder info messages for DFP6
        drm/radeon: fix PCI ID 5657 to be an RV410
      18ffe4b1
    • Linus Torvalds's avatar
      Merge branch 'for-linus/i2c/2636-rc5' of git://git.fluff.org/bjdooks/linux · b10c4d40
      Linus Torvalds authored
      * 'for-linus/i2c/2636-rc5' of git://git.fluff.org/bjdooks/linux:
        i2c-s3c2410: fix calculation of SDA line delay
        i2c-davinci: Fix race when setting up for TX
        i2c-octeon: Return -ETIMEDOUT in octeon_i2c_wait() on timeout
      b10c4d40
    • Linus Torvalds's avatar
      Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6 · 303a4070
      Linus Torvalds authored
      * 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6:
        ACPI: invoke DSDT corruption workaround on all Toshiba Satellite
        ACPI, APEI, Fix ERST MOVE_DATA instruction implementation
        ACPI: fan: Fix more unbalanced code block
        ACPI: acpi_pad: simplify code to avoid false gcc build warning
        ACPI, APEI, Fix error path for memory allocation
        ACPI, APEI, HEST Fix the unsuitable usage of platform_data
        ACPI, APEI, Fix acpi_pre_map() return value
        ACPI, APEI, Fix APEI related table size checking
        ACPI: Disable Windows Vista compatibility for Toshiba P305D
        ACPI: Kconfig: fix typo.
        ACPI: add missing __percpu markup in arch/x86/kernel/acpi/cstate.c
        ACPI: Fix typos
        ACPI video: fix a poor warning message
        ACPI: fix build warnings resulting from merge window conflict
        ACPI: EC: add Vista incompatibility DMI entry for Toshiba Satellite L355
        ACPI: expand Vista blacklist to include SP1 and SP2
        ACPI: delete ZEPTO idle=nomwait DMI quirk
        ACPI: enable repeated PCIEXP wakeup by clearing PCIEXP_WAKE_STS on resume
        PM / ACPI: Blacklist systems known to require acpi_sleep=nonvs
        ACPI: Don't report current_now if battery reports in mWh
      303a4070
    • Linus Torvalds's avatar
      Merge branch 'idle-release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-idle-2.6 · 35ec4216
      Linus Torvalds authored
      * 'idle-release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-idle-2.6:
        intel_idle: Voluntary leave_mm before entering deeper
        acpi_idle: add missing \n to printk
        intel_idle: add missing __percpu markup
        intel_idle: Change mode 755 => 644
        cpuidle: Fix typos
        intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot hang
      35ec4216
    • Linus Torvalds's avatar
      Merge branch 'omap-fixes-for-linus' of... · 3c729087
      Linus Torvalds authored
      Merge branch 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6
      
      * 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6:
        omap: McBSP: tx_irq_completion used in rx_irq_handler
        omap: Fix compile dependency to LEDS_CLASS
      3c729087
    • Frederic Weisbecker's avatar
      reiserfs: fix unwanted reiserfs lock recursion · 9d8117e7
      Frederic Weisbecker authored
      Prevent from recursively locking the reiserfs lock in reiserfs_unpack()
      because we may call journal_begin() that requires the lock to be taken
      only once, otherwise it won't be able to release the lock while taking
      other mutexes, ending up in inverted dependencies between the journal
      mutex and the reiserfs lock for example.
      
      This fixes:
      
        =======================================================
        [ INFO: possible circular locking dependency detected ]
        2.6.35.4.4a #3
        -------------------------------------------------------
        lilo/1620 is trying to acquire lock:
         (&journal->j_mutex){+.+...}, at: [<d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
      
        but task is already holding lock:
         (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
      
        which lock already depends on the new lock.
      
        the existing dependency chain (in reverse order) is:
      
        -> #1 (&REISERFS_SB(s)->lock){+.+.+.}:
               [<c10562b7>] lock_acquire+0x67/0x80
               [<c12facad>] __mutex_lock_common+0x4d/0x410
               [<c12fb0c8>] mutex_lock_nested+0x18/0x20
               [<d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
               [<d0325c06>] do_journal_begin_r+0x86/0x340 [reiserfs]
               [<d0325f77>] journal_begin+0x77/0x140 [reiserfs]
               [<d0315be4>] reiserfs_remount+0x224/0x530 [reiserfs]
               [<c10b6a20>] do_remount_sb+0x60/0x110
               [<c10cee25>] do_mount+0x625/0x790
               [<c10cf014>] sys_mount+0x84/0xb0
               [<c12fca3d>] syscall_call+0x7/0xb
      
        -> #0 (&journal->j_mutex){+.+...}:
               [<c10560f6>] __lock_acquire+0x1026/0x1180
               [<c10562b7>] lock_acquire+0x67/0x80
               [<c12facad>] __mutex_lock_common+0x4d/0x410
               [<c12fb0c8>] mutex_lock_nested+0x18/0x20
               [<d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
               [<d0325f77>] journal_begin+0x77/0x140 [reiserfs]
               [<d0326271>] reiserfs_persistent_transaction+0x41/0x90 [reiserfs]
               [<d030d06c>] reiserfs_get_block+0x22c/0x1530 [reiserfs]
               [<c10db9db>] __block_prepare_write+0x1bb/0x3a0
               [<c10dbbe6>] block_prepare_write+0x26/0x40
               [<d030b738>] reiserfs_prepare_write+0x88/0x170 [reiserfs]
               [<d03294d6>] reiserfs_unpack+0xe6/0x120 [reiserfs]
               [<d0329782>] reiserfs_ioctl+0x272/0x320 [reiserfs]
               [<c10c3188>] vfs_ioctl+0x28/0xa0
               [<c10c3bbd>] do_vfs_ioctl+0x32d/0x5c0
               [<c10c3eb3>] sys_ioctl+0x63/0x70
               [<c12fca3d>] syscall_call+0x7/0xb
      
        other info that might help us debug this:
      
        2 locks held by lilo/1620:
         #0:  (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [<d032945a>] reiserfs_unpack+0x6a/0x120 [reiserfs]
         #1:  (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
      
        stack backtrace:
        Pid: 1620, comm: lilo Not tainted 2.6.35.4.4a #3
        Call Trace:
         [<c10560f6>] __lock_acquire+0x1026/0x1180
         [<c10562b7>] lock_acquire+0x67/0x80
         [<c12facad>] __mutex_lock_common+0x4d/0x410
         [<c12fb0c8>] mutex_lock_nested+0x18/0x20
         [<d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
         [<d0325f77>] journal_begin+0x77/0x140 [reiserfs]
         [<d0326271>] reiserfs_persistent_transaction+0x41/0x90 [reiserfs]
         [<d030d06c>] reiserfs_get_block+0x22c/0x1530 [reiserfs]
         [<c10db9db>] __block_prepare_write+0x1bb/0x3a0
         [<c10dbbe6>] block_prepare_write+0x26/0x40
         [<d030b738>] reiserfs_prepare_write+0x88/0x170 [reiserfs]
         [<d03294d6>] reiserfs_unpack+0xe6/0x120 [reiserfs]
         [<d0329782>] reiserfs_ioctl+0x272/0x320 [reiserfs]
         [<c10c3188>] vfs_ioctl+0x28/0xa0
         [<c10c3bbd>] do_vfs_ioctl+0x32d/0x5c0
         [<c10c3eb3>] sys_ioctl+0x63/0x70
         [<c12fca3d>] syscall_call+0x7/0xb
      Reported-by: default avatarJarek Poplawski <jarkao2@gmail.com>
      Tested-by: default avatarJarek Poplawski <jarkao2@gmail.com>
      Signed-off-by: default avatarFrederic Weisbecker <fweisbec@gmail.com>
      Cc: Jeff Mahoney <jeffm@suse.com>
      Cc: All since 2.6.32 <stable@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      9d8117e7
    • Frederic Weisbecker's avatar
      reiserfs: fix dependency inversion between inode and reiserfs mutexes · 3f259d09
      Frederic Weisbecker authored
      The reiserfs mutex already depends on the inode mutex, so we can't lock
      the inode mutex in reiserfs_unpack() without using the safe locking API,
      because reiserfs_unpack() is always called with the reiserfs mutex locked.
      
      This fixes:
      
        =======================================================
        [ INFO: possible circular locking dependency detected ]
        2.6.35c #13
        -------------------------------------------------------
        lilo/1606 is trying to acquire lock:
         (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [<d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
      
        but task is already holding lock:
         (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
      
        which lock already depends on the new lock.
      
        the existing dependency chain (in reverse order) is:
      
        -> #1 (&REISERFS_SB(s)->lock){+.+.+.}:
               [<c1056347>] lock_acquire+0x67/0x80
               [<c12f083d>] __mutex_lock_common+0x4d/0x410
               [<c12f0c58>] mutex_lock_nested+0x18/0x20
               [<d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
               [<d0329e9a>] reiserfs_lookup_privroot+0x2a/0x90 [reiserfs]
               [<d0316b81>] reiserfs_fill_super+0x941/0xe60 [reiserfs]
               [<c10b7d17>] get_sb_bdev+0x117/0x170
               [<d0313e21>] get_super_block+0x21/0x30 [reiserfs]
               [<c10b74ba>] vfs_kern_mount+0x6a/0x1b0
               [<c10b7659>] do_kern_mount+0x39/0xe0
               [<c10cebe0>] do_mount+0x340/0x790
               [<c10cf0b4>] sys_mount+0x84/0xb0
               [<c12f25cd>] syscall_call+0x7/0xb
      
        -> #0 (&sb->s_type->i_mutex_key#8){+.+.+.}:
               [<c1056186>] __lock_acquire+0x1026/0x1180
               [<c1056347>] lock_acquire+0x67/0x80
               [<c12f083d>] __mutex_lock_common+0x4d/0x410
               [<c12f0c58>] mutex_lock_nested+0x18/0x20
               [<d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
               [<d0329772>] reiserfs_ioctl+0x272/0x320 [reiserfs]
               [<c10c3228>] vfs_ioctl+0x28/0xa0
               [<c10c3c5d>] do_vfs_ioctl+0x32d/0x5c0
               [<c10c3f53>] sys_ioctl+0x63/0x70
               [<c12f25cd>] syscall_call+0x7/0xb
      
        other info that might help us debug this:
      
        1 lock held by lilo/1606:
         #0:  (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
      
        stack backtrace:
        Pid: 1606, comm: lilo Not tainted 2.6.35c #13
        Call Trace:
         [<c1056186>] __lock_acquire+0x1026/0x1180
         [<c1056347>] lock_acquire+0x67/0x80
         [<c12f083d>] __mutex_lock_common+0x4d/0x410
         [<c12f0c58>] mutex_lock_nested+0x18/0x20
         [<d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
         [<d0329772>] reiserfs_ioctl+0x272/0x320 [reiserfs]
         [<c10c3228>] vfs_ioctl+0x28/0xa0
         [<c10c3c5d>] do_vfs_ioctl+0x32d/0x5c0
         [<c10c3f53>] sys_ioctl+0x63/0x70
         [<c12f25cd>] syscall_call+0x7/0xb
      Reported-by: default avatarJarek Poplawski <jarkao2@gmail.com>
      Tested-by: default avatarJarek Poplawski <jarkao2@gmail.com>
      Signed-off-by: default avatarFrederic Weisbecker <fweisbec@gmail.com>
      Cc: Jeff Mahoney <jeffm@suse.com>
      Cc: <stable@kernel.org>		[2.6.32 and later]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3f259d09
    • Kukjin Kim's avatar
      MAINTAINERS: update maintainer for S5P ARM ARCHITECTURES · f556cb07
      Kukjin Kim authored
      Signed-off-by: default avatarKukjin Kim <kgene.kim@samsung.com>
      Acked-by: default avatarBen Dooks <ben-linux@fluff.org>
      Acked-by: default avatarRussell King <rmk@arm.linux.org.uk>
      Cc: Kyungmin Park <kmpark@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f556cb07
    • Petr Vandrovec's avatar
      MAINTAINERS: update matroxfb & ncpfs status · 52653199
      Petr Vandrovec authored
      I moved couple years ago, so let's update my email and snail mail.
      
      And I do not have any access to Matrox hardware anymore, and I'm quite
      unresponsive to matroxfb bug reports (sorry Alan), so saying that I'm
      maintainer is a bit far fetched.
      
      For ncpfs I do not use ncpfs in my daily life either, but at least I can
      test that one, so I can stay listed here for odd fixes.
      Signed-off-by: default avatarPetr Vandrovec <petr@vandrovec.name>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      52653199
    • Jiri Olsa's avatar
      proc: make /proc/pid/limits world readable · 3036e7b4
      Jiri Olsa authored
      Having the limits file world readable will ease the task of system
      management on systems where root privileges might be restricted.
      
      Having admin restricted with root priviledges, he/she could not check
      other users process' limits.
      
      Also it'd align with most of the /proc stat files.
      Signed-off-by: default avatarJiri Olsa <jolsa@redhat.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Cc: Eugene Teo <eugene@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3036e7b4
    • Don Mullis's avatar
      lib/list_sort: do not pass bad pointers to cmp callback · f015ac3e
      Don Mullis authored
      If the original list is a POT in length, the first callback from line 73
      will pass a==b both pointing to the original list_head.  This is dangerous
      because the 'list_sort()' user can use 'container_of()' and accesses the
      "containing" object, which does not necessary exist for the list head.  So
      the user can access RAM which does not belong to him.  If this is a write
      access, we can end up with memory corruption.
      Signed-off-by: default avatarDon Mullis <don.mullis@gmail.com>
      Tested-by: default avatarArtem Bityutskiy <Artem.Bityutskiy@nokia.com>
      Signed-off-by: default avatarArtem Bityutskiy <Artem.Bityutskiy@nokia.com>
      Cc: <stable@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f015ac3e
    • Dan Rosenberg's avatar
      sys_semctl: fix kernel stack leakage · 982f7c2b
      Dan Rosenberg authored
      The semctl syscall has several code paths that lead to the leakage of
      uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
      IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
      version of the semid_ds struct.
      
      The copy_semid_to_user() function declares a semid_ds struct on the stack
      and copies it back to the user without initializing or zeroing the
      "sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
      allowing the leakage of 16 bytes of kernel stack memory.
      
      The code is still reachable on 32-bit systems - when calling semctl()
      newer glibc's automatically OR the IPC command with the IPC_64 flag, but
      invoking the syscall directly allows users to use the older versions of
      the struct.
      Signed-off-by: default avatarDan Rosenberg <dan.j.rosenberg@gmail.com>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      982f7c2b
    • Marcin Slusarz's avatar
      i7core_edac: fix panic in udimm sysfs attributes registration · 64aab720
      Marcin Slusarz authored
      Array of udimm sysfs attributes was not ended with NULL marker, leading to
      dereference of random memory.
      
        EDAC DEBUG: edac_create_mci_instance_attributes: edac_create_mci_instance_attributes() file udimm0
        EDAC DEBUG: edac_create_mci_instance_attributes: edac_create_mci_instance_attributes() file udimm1
        EDAC DEBUG: edac_create_mci_instance_attributes: edac_create_mci_instance_attributes() file udimm2
        BUG: unable to handle kernel NULL pointer dereference at 00000000000001a4
        IP: [<ffffffff81330b36>] edac_create_mci_instance_attributes+0x148/0x1f1
        Pid: 1, comm: swapper Not tainted 2.6.36-rc3-nv+ #483 P6T SE/System Product Name
        RIP: 0010:[<ffffffff81330b36>]  [<ffffffff81330b36>] edac_create_mci_instance_attributes+0x148/0x1f1
        (...)
        Call Trace:
         [<ffffffff81330b86>] edac_create_mci_instance_attributes+0x198/0x1f1
         [<ffffffff81330c9a>] edac_create_sysfs_mci_device+0xbb/0x2b2
         [<ffffffff8132f533>] edac_mc_add_mc+0x46b/0x557
         [<ffffffff81428901>] i7core_probe+0xccf/0xec0
        RIP  [<ffffffff81330b36>] edac_create_mci_instance_attributes+0x148/0x1f1
        ---[ end trace 20de320855b81d78 ]---
        Kernel panic - not syncing: Attempted to kill init!
      Signed-off-by: default avatarMarcin Slusarz <marcin.slusarz@gmail.com>
      Cc: Mauro Carvalho Chehab <mchehab@redhat.com>
      Acked-by: default avatarDoug Thompson <dougthompson@xmission.com>
      Cc: <stable@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      64aab720
    • Andrew Morton's avatar
      drivers/serial/mrst_max3110.c needs linux/irq.h · c044391b
      Andrew Morton authored
      sparc64 allmodconfig:
      
        drivers/serial/mrst_max3110.c: In function `serial_m3110_startup':
        drivers/serial/mrst_max3110.c:470: error: `IRQ_TYPE_EDGE_FALLING' undeclared (first use in this function)
      
      Cc: Greg KH <greg@kroah.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c044391b
    • Andrew Morton's avatar
      arch/m68k/mac/macboing.c: use unsigned long for irqflags · e53ced1b
      Andrew Morton authored
      Fix the warnings
      
        arch/m68k/mac/macboing.c: In function 'mac_mksound':
        arch/m68k/mac/macboing.c:189: warning: comparison of distinct pointer types lacks a cast
        arch/m68k/mac/macboing.c:211: warning: comparison of distinct pointer types lacks a cast
        arch/m68k/mac/macboing.c: In function 'mac_quadra_start_bell':
        arch/m68k/mac/macboing.c:241: warning: comparison of distinct pointer types lacks a cast
        arch/m68k/mac/macboing.c:263: warning: comparison of distinct pointer types lacks a cast
        arch/m68k/mac/macboing.c: In function 'mac_quadra_ring_bell':
        arch/m68k/mac/macboing.c:283: warning: comparison of distinct pointer types lacks a cast
      
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e53ced1b
    • Andrew Morton's avatar
      drivers/serial/mfd.c needs slab.h · 63d66cab
      Andrew Morton authored
      alpha allmodconfig:
      
        drivers/serial/mfd.c:144: error: implicit declaration of function 'kzalloc'
        drivers/serial/mfd.c:144: warning: assignment makes pointer from integer without a cast
      
      Cc: Greg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      63d66cab
    • Ira W. Snyder's avatar
      kfifo: fix scatterlist usage · 399f1e30
      Ira W. Snyder authored
      The kfifo_dma family of functions use sg_mark_end() on the last element in
      their scatterlist.  This forces use of a fresh scatterlist for each DMA
      operation, which makes recycling a single scatterlist impossible.
      
      Change the behavior of the kfifo_dma functions to match the usage of the
      dma_map_sg function.  This means that users must respect the returned
      nents value.  The sample code is updated to reflect the change.
      
      This bug is trivial to cause: call kfifo_dma_in_prepare() such that it
      prepares a scatterlist with a single entry comprising the whole fifo.
      This is the case when you map the entirety of a newly created empty fifo.
      This causes the setup_sgl() function to mark the first scatterlist entry
      as the end of the chain, no matter what comes after it.
      
      Afterwards, add and remove some data from the fifo such that another call
      to kfifo_dma_in_prepare() will create two scatterlist entries.  It returns
      nents=2.  However, due to the previous sg_mark_end() call, sg_is_last()
      will now return true for the first scatterlist element.  This causes the
      sample code to print a single scatterlist element when it should print
      two.
      
      By removing the call to sg_mark_end(), we make the API as similar as
      possible to the DMA mapping API.  All users are required to respect the
      returned nents.
      Signed-off-by: default avatarIra W. Snyder <iws@ovro.caltech.edu>
      Cc: Stefani Seibold <stefani@seibold.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      399f1e30
    • Jeff Layton's avatar
      cifs: prevent infinite recursion in cifs_reconnect_tcon · f569599a
      Jeff Layton authored
      cifs_reconnect_tcon is called from smb_init. After a successful
      reconnect, cifs_reconnect_tcon will call reset_cifs_unix_caps. That
      function will, in turn call CIFSSMBQFSUnixInfo and CIFSSMBSetFSUnixInfo.
      Those functions also call smb_init.
      
      It's possible for the session and tcon reconnect to succeed, and then
      for another cifs_reconnect to occur before CIFSSMBQFSUnixInfo or
      CIFSSMBSetFSUnixInfo to be called. That'll cause those functions to call
      smb_init and cifs_reconnect_tcon again, ad infinitum...
      
      Break the infinite recursion by having those functions use a new
      smb_init variant that doesn't attempt to perform a reconnect.
      Reported-and-Tested-by: default avatarMichal Suchanek <hramrach@centrum.cz>
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
      f569599a
    • Thomas Hellstrom's avatar
      vmwgfx: Fix fb VRAM pinning failure due to fragmentation · abb295f3
      Thomas Hellstrom authored
      If the soon-to-be scanout buffer is partly covering the intended
      VRAM region, move and pin will fail. In that case, just move it out
      to system before attempting to move it in again.
      Signed-off-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      abb295f3
    • Thomas Hellstrom's avatar
      vmwgfx: Remove initialisation of dev::devname · f1a28ee2
      Thomas Hellstrom authored
      The removed code causes oopses with newer drms on master drop.
      Signed-off-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      f1a28ee2
    • Thomas Hellstrom's avatar
      vmwgfx: Enable use of the vblank system · 7a1c2f6c
      Thomas Hellstrom authored
      This is to avoid accessing uninitialized data during
      drm_irq_uninstall and vblank ioctls. At the same time, enable error check from
      drm_kms_init which previously appeared to ignore all errors.
      Signed-off-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      7a1c2f6c
    • Thomas Hellstrom's avatar
      vmwgfx: vt-switch (master drop) fixes · 30c78bb8
      Thomas Hellstrom authored
      We add an option not to enable fbdev, this option is off (0) by default.
      Not enabling fbdev at load time makes it possible to co-operate with
      vga16fb and vga text mode when VT switching.
      
      However, if 3D resources are active when VT switching, we're currently
      not able to switch over to vga, due to device limitations.
      This fixes a bug where we previously lost 3D state during VT switch.
      Signed-off-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      30c78bb8
    • Thomas Hellstrom's avatar
      drm/vmwgfx: Fix breakage introduced by commit "drm: block userspace under... · 2854eeda
      Thomas Hellstrom authored
      drm/vmwgfx: Fix breakage introduced by commit "drm: block userspace under allocating buffer and having drivers overwrite it (v2)"
      
      The mentioned commit breaks the vmwgfx ioctl argument sanity check.
      Signed-off-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      2854eeda
    • Chris Wilson's avatar
      drm: Hold the mutex when dropping the last GEM reference (v2) · 39b4d07a
      Chris Wilson authored
      In order to be fully threadsafe we need to check that the drm_gem_object
      refcount is still 0 after acquiring the mutex in order to call the free
      function. Otherwise, we may encounter scenarios like:
      
      Thread A:                                        Thread B:
      drm_gem_close
      unreference_unlocked
      kref_put                                         mutex_lock
      ...                                              i915_gem_evict
      ...                                              kref_get -> BUG
      ...                                              i915_gem_unbind
      ...                                              kref_put
      ...                                              i915_gem_object_free
      ...                                              mutex_unlock
      mutex_lock
      i915_gem_object_free -> BUG
      i915_gem_object_unbind
      kfree
      mutex_unlock
      
      Note that no driver is currently using the free_unlocked vfunc and it is
      scheduled for removal, hasten that process.
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=30454Reported-and-Tested-by: default avatarMagnus Kessler <Magnus.Kessler@gmx.net>
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: stable@kernel.org
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      39b4d07a
    • Chris Wilson's avatar
      drm/i915: Fix refleak during eviction. · e39a0150
      Chris Wilson authored
      Now that we hold onto a reference whilst evicting objects, we need to
      be sure that we drop all the references taken -- even on the error
      paths.
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      e39a0150