Al Viro [Thu, 18 Aug 2011 19:07:29 +0000 (20:07 +0100)]
um: shared/syscall.h is not even included
... and functions declared in it do not exist
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:07:19 +0000 (20:07 +0100)]
um: don't include kern.h unless it's needed
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:07:09 +0000 (20:07 +0100)]
um: trim kern.h
most of the functions in there are not used in anything that ends up
including that header...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:06:59 +0000 (20:06 +0100)]
um: make load_initrd() static, kill shared/initrd.h
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:06:49 +0000 (20:06 +0100)]
um: bury unused macros around ptrace.h
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:06:39 +0000 (20:06 +0100)]
um: take arch/um/sys-x86 to arch/x86/um
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:06:29 +0000 (20:06 +0100)]
um: merge Makefile-{i386,x86_64}
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:06:19 +0000 (20:06 +0100)]
um: trim detritus from Makefile-i386
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:06:09 +0000 (20:06 +0100)]
um: arch_hweight.h is needed only on uml-x86
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:05:59 +0000 (20:05 +0100)]
um: merge kernel_offsets_*.h
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:05:49 +0000 (20:05 +0100)]
um: merge skas_ptrace.h 32/64bit variants
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:05:39 +0000 (20:05 +0100)]
um: sysdep/barrier.h is not used for anything
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:05:29 +0000 (20:05 +0100)]
um: shared/process.h is empty now; kill it
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:05:19 +0000 (20:05 +0100)]
um: finish conversion to mcontext_t
now we don't mix host and guest signal frame layouts anymore; moreover,
we don't need host's struct sigcontext at all.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:05:09 +0000 (20:05 +0100)]
um: start switching the references to host mcontext_t to its userland type
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:04:59 +0000 (20:04 +0100)]
um: take userland definition of barrier() to user.h
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:04:49 +0000 (20:04 +0100)]
um: take system.h out of shared/sysdep
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:04:39 +0000 (20:04 +0100)]
um: fill the handlers array at build time
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:04:29 +0000 (20:04 +0100)]
um: simplify set_handler()
For one thing, we always block the same signals (IRQ ones - IO, WINCH, VTALRM),
so there's no need to pass sa_mask elements in arguments. For another, the
flags depend only on whether it's an IRQ signal or not (we add SA_RESTART
for them).
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:04:19 +0000 (20:04 +0100)]
um: don't bother blocking SIGARLM and SIGUSR1
We used to generate those, but we hadn't done that for a long
time. No need to bother blocking them for signal handlers.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:04:09 +0000 (20:04 +0100)]
um: switch stub_segv_handler to SA_SIGINFO variant, get rid of magic crap in there
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:03:59 +0000 (20:03 +0100)]
um: kill includes of sysdep/sigcontext.h from stuff built with kernel headers
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:03:49 +0000 (20:03 +0100)]
um: merge arch/um/os-Linux/sys-{i386,x86_64}
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:03:39 +0000 (20:03 +0100)]
um: merge hard_handler() instances, switch to use of SA_SIGINFO
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:03:29 +0000 (20:03 +0100)]
um: kill dead code around uaccess
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:03:19 +0000 (20:03 +0100)]
um: merge arch/um/sys-{i386,x86_64}
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:03:09 +0000 (20:03 +0100)]
um: merge arch/um/sys-{i386,x86_64}/shared
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:02:59 +0000 (20:02 +0100)]
um: merge arch/um/sys-{i386,x86_64}/asm
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:02:49 +0000 (20:02 +0100)]
um: get rid of unused macros in ptrace_user.h
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:02:39 +0000 (20:02 +0100)]
um: get rid of sysdep/sc.h
only sysdep/sigcontext.h uses it and very few definitions are
actually used. The rest refers to symbols that don't even
exist anymore anyway.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:02:29 +0000 (20:02 +0100)]
um: Get rid of UPT_SET/UPT_REG macros
the only users are arch getreg()/putreg() and it's easier to handle
it there instead of playing with macros from hell
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:02:19 +0000 (20:02 +0100)]
um: take vm-flags.h to sys-*/asm
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:02:09 +0000 (20:02 +0100)]
um: get rid of sysdep/checksum.h
Move those to sys-.../asm/checksum.h, kill include/asm/checksum.h
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:01:59 +0000 (20:01 +0100)]
um: trim unused junk from user.h
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:01:49 +0000 (20:01 +0100)]
um: get rid of kern_constants.h
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:01:39 +0000 (20:01 +0100)]
um: kill a couple of useless includes of kern_constants.h
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:01:29 +0000 (20:01 +0100)]
um: -include user.h for USER_OBJ, trim includes
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:01:19 +0000 (20:01 +0100)]
um: take user_constants.h to include/generated
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:01:09 +0000 (20:01 +0100)]
um: kill skas_ptregs.h
It's a plain include of user_constants.h and all (2) users are
including user_constants.h directly prior to that.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:00:59 +0000 (20:00 +0100)]
um: switch to -idirafter, get saner kern_constants.h out of that
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:00:49 +0000 (20:00 +0100)]
um: series of __get_user() is costly in sigframe handling
It's not x86, where __get_user() is a single dereference; here it's
a single ptrace(2) call in host, which obviously costs a lot more.
IOW, it's cheaper to do copy_{to,from}_user() once than bother with
fields one by one...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:00:39 +0000 (20:00 +0100)]
um: make copy_sc() static
... and kill it in amd64 - not used.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:00:29 +0000 (20:00 +0100)]
um: don't rely on sc.fpstate not having been reassigned prior to rt_sigreturn()
native rt_sigreturn() doesn't...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:00:19 +0000 (20:00 +0100)]
um: switch {rt_,}sigreturn() to set_current_blocked()
same story as on x86 native...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Al Viro [Thu, 18 Aug 2011 19:00:09 +0000 (20:00 +0100)]
um: use subarch-obj instead of copying...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Linus Torvalds [Mon, 24 Oct 2011 07:10:05 +0000 (09:10 +0200)]
Linux 3.1
Linus Torvalds [Mon, 24 Oct 2011 05:08:24 +0000 (07:08 +0200)]
Merge git://git.infradead.org/iommu-2.6
* git://git.infradead.org/iommu-2.6:
intel-iommu: fix superpage support in pfn_to_dma_pte()
intel-iommu: set iommu_superpage on VM domains to lowest common denominator
intel-iommu: fix return value of iommu_unmap() API
MAINTAINERS: Update VT-d entry for drivers/pci -> drivers/iommu move
intel-iommu: Export a flag indicating that the IOMMU is used for iGFX.
intel-iommu: Workaround IOTLB hang on Ironlake GPU
intel-iommu: Fix AB-BA lockdep report
Linus Torvalds [Mon, 24 Oct 2011 05:05:38 +0000 (07:05 +0200)]
Merge branch 'for-linus' of people.redhat.com/agk/git/linux-dm
* 'for-linus' of http://people.redhat.com/agk/git/linux-dm:
dm kcopyd: fix job_pool leak
Takashi Iwai [Sun, 23 Oct 2011 21:19:12 +0000 (23:19 +0200)]
x86: Fix S4 regression
Commit
4b239f458 ("x86-64, mm: Put early page table high") causes a S4
regression since 2.6.39, namely the machine reboots occasionally at S4
resume. It doesn't happen always, overall rate is about 1/20. But,
like other bugs, once when this happens, it continues to happen.
This patch fixes the problem by essentially reverting the memory
assignment in the older way.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: <stable@kernel.org>
Cc: Rafael J. Wysocki <rjw@sisk.pl>
Cc: Yinghai Lu <yinghai.lu@oracle.com>
[ We'll hopefully find the real fix, but that's too late for 3.1 now ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Alasdair G Kergon [Sun, 23 Oct 2011 19:55:17 +0000 (20:55 +0100)]
dm kcopyd: fix job_pool leak
Fix memory leak introduced by commit
a6e50b409d3f9e0833e69c3c9cca822e8fa4adbb
(dm snapshot: skip reading origin when overwriting complete chunk).
When allocating a set of jobs from kc->job_pool, job->master_job must be
set (to point to itself) so that the mempool item gets freed when the
master_job completes.
master_job was introduced by commit
c6ea41fbbe08f270a8edef99dc369faf809d1bd6
(dm kcopyd: preallocate sub jobs to avoid deadlock)
Reported-by: Michael Leun <ml@newton.leun.net>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Linus Torvalds [Sun, 23 Oct 2011 07:44:40 +0000 (10:44 +0300)]
Merge branch 'samsung-fixes-4' of git://github.com/kgene/linux-samsung
* 'samsung-fixes-4' of git://github.com/kgene/linux-samsung:
ARM: S3C24XX: Fix s3c24xx build errors if !CONFIG_PM
ARM: S5P: fix offset calculation on gpio-interrupt
Linus Torvalds [Sun, 23 Oct 2011 07:43:31 +0000 (10:43 +0300)]
Merge branch 'hwmon-for-linus' of git://git./linux/kernel/git/groeck/linux-staging
* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
hwmon: (w83627ehf) Fix negative 8-bit temperature values
Domenico Andreoli [Fri, 21 Oct 2011 19:00:53 +0000 (04:00 +0900)]
ARM: S3C24XX: Fix s3c24xx build errors if !CONFIG_PM
v2:
- register_syscore_ops(&s3c24xx_irq_syscore_ops) does not need to be
conditionally compiled out, it is already optimized out on !CONFIG_PM
- fix also s3c2412 and s3c2416 affected by the same build issue
v1:
s3c2440.c fails to build if !CONFIG_PM because in such case
s3c2410_pm_syscore_ops is not defined. Same error should happen also
in s3c2410.c and s3c2442.c
Signed-off-by: Domenico Andreoli <cavokz@gmail.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
Linus Torvalds [Fri, 21 Oct 2011 14:02:18 +0000 (17:02 +0300)]
Merge git://github.com/herbertx/crypto
* git://github.com/herbertx/crypto:
crypto: ghash - Avoid null pointer dereference if no key is set
Linus Torvalds [Fri, 21 Oct 2011 14:01:21 +0000 (17:01 +0300)]
Merge branch 'fix/hda' of git://github.com/tiwai/sound
* 'fix/hda' of git://github.com/tiwai/sound:
ALSA: HDA: conexant support for Lenovo T520/W520
ALSA: hda - Add position_fix quirk for Dell Inspiron 1010
Nick Bowler [Thu, 20 Oct 2011 12:16:55 +0000 (14:16 +0200)]
crypto: ghash - Avoid null pointer dereference if no key is set
The ghash_update function passes a pointer to gf128mul_4k_lle which will
be NULL if ghash_setkey is not called or if the most recent call to
ghash_setkey failed to allocate memory. This causes an oops. Fix this
up by returning an error code in the null case.
This is trivially triggered from unprivileged userspace through the
AF_ALG interface by simply writing to the socket without setting a key.
The ghash_final function has a similar issue, but triggering it requires
a memory allocation failure in ghash_setkey _after_ at least one
successful call to ghash_update.
BUG: unable to handle kernel NULL pointer dereference at
00000670
IP: [<
d88c92d4>] gf128mul_4k_lle+0x23/0x60 [gf128mul]
*pde =
00000000
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: ghash_generic gf128mul algif_hash af_alg nfs lockd nfs_acl sunrpc bridge ipv6 stp llc
Pid: 1502, comm: hashatron Tainted: G W
3.1.0-rc9-00085-ge9308cf #32 Bochs Bochs
EIP: 0060:[<
d88c92d4>] EFLAGS:
00000202 CPU: 0
EIP is at gf128mul_4k_lle+0x23/0x60 [gf128mul]
EAX:
d69db1f0 EBX:
d6b8ddac ECX:
00000004 EDX:
00000000
ESI:
00000670 EDI:
d6b8ddac EBP:
d6b8ddc8 ESP:
d6b8dda4
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process hashatron (pid: 1502, ti=
d6b8c000 task=
d6810000 task.ti=
d6b8c000)
Stack:
00000000 d69db1f0 00000163 00000000 d6b8ddc8 c101a520 d69db1f0 d52aa000
00000ff0 d6b8dde8 d88d310f d6b8a3f8 d52aa000 00001000 d88d502c d6b8ddfc
00001000 d6b8ddf4 c11676ed d69db1e8 d6b8de24 c11679ad d52aa000 00000000
Call Trace:
[<
c101a520>] ? kmap_atomic_prot+0x37/0xa6
[<
d88d310f>] ghash_update+0x85/0xbe [ghash_generic]
[<
c11676ed>] crypto_shash_update+0x18/0x1b
[<
c11679ad>] shash_ahash_update+0x22/0x36
[<
c11679cc>] shash_async_update+0xb/0xd
[<
d88ce0ba>] hash_sendpage+0xba/0xf2 [algif_hash]
[<
c121b24c>] kernel_sendpage+0x39/0x4e
[<
d88ce000>] ? 0xd88cdfff
[<
c121b298>] sock_sendpage+0x37/0x3e
[<
c121b261>] ? kernel_sendpage+0x4e/0x4e
[<
c10b4dbc>] pipe_to_sendpage+0x56/0x61
[<
c10b4e1f>] splice_from_pipe_feed+0x58/0xcd
[<
c10b4d66>] ? splice_from_pipe_begin+0x10/0x10
[<
c10b51f5>] __splice_from_pipe+0x36/0x55
[<
c10b4d66>] ? splice_from_pipe_begin+0x10/0x10
[<
c10b6383>] splice_from_pipe+0x51/0x64
[<
c10b63c2>] ? default_file_splice_write+0x2c/0x2c
[<
c10b63d5>] generic_splice_sendpage+0x13/0x15
[<
c10b4d66>] ? splice_from_pipe_begin+0x10/0x10
[<
c10b527f>] do_splice_from+0x5d/0x67
[<
c10b6865>] sys_splice+0x2bf/0x363
[<
c129373b>] ? sysenter_exit+0xf/0x16
[<
c104dc1e>] ? trace_hardirqs_on_caller+0x10e/0x13f
[<
c129370c>] sysenter_do_call+0x12/0x32
Code: 83 c4 0c 5b 5e 5f c9 c3 55 b9 04 00 00 00 89 e5 57 8d 7d e4 56 53 8d 5d e4 83 ec 18 89 45 e0 89 55 dc 0f b6 70 0f c1 e6 04 01 d6 <f3> a5 be 0f 00 00 00 4e 89 d8 e8 48 ff ff ff 8b 45 e0 89 da 0f
EIP: [<
d88c92d4>] gf128mul_4k_lle+0x23/0x60 [gf128mul] SS:ESP 0068:
d6b8dda4
CR2:
0000000000000670
---[ end trace
4eaa2a86a8e2da24 ]---
note: hashatron[1502] exited with preempt_count 1
BUG: scheduling while atomic: hashatron/1502/0x10000002
INFO: lockdep is turned off.
[...]
Signed-off-by: Nick Bowler <nbowler@elliptictech.com>
Cc: stable@kernel.org [2.6.37+]
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Marek Szyprowski [Fri, 21 Oct 2011 09:04:54 +0000 (18:04 +0900)]
ARM: S5P: fix offset calculation on gpio-interrupt
Offsets of the irq controller registers were calculated
correctly only for first GPIO bank. This patch fixes
calculation of the register offsets for all GPIO banks.
Reported-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
Linus Torvalds [Thu, 20 Oct 2011 19:16:28 +0000 (22:16 +0300)]
Merge git://git./linux/kernel/git/davem/sparc
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
sparc: Add alignment flag to PCI expansion resources
sparc: Avoid calling sigprocmask()
sparc: Use set_current_blocked()
sparc32,leon: SRMMU MMU Table probe fix
Linus Torvalds [Thu, 20 Oct 2011 19:15:20 +0000 (22:15 +0300)]
Merge git://git./linux/kernel/git/davem/net
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
fib_rules: fix unresolved_rules counting
r8169: fix wrong eee setting for rlt8111evl
r8169: fix driver shutdown WoL regression.
ehea: Change maintainer to me
pptp: pptp_rcv_core() misses pskb_may_pull() call
tproxy: copy transparent flag when creating a time wait
pptp: fix skb leak in pptp_xmit()
bonding: use local function pointer of bond->recv_probe in bond_handle_frame
smsc911x: Add support for SMSC LAN89218
tg3: negate USE_PHYLIB flag check
netconsole: enable netconsole can make net_device refcnt incorrent
bluetooth: Properly clone LSM attributes to newly created child connections
l2tp: fix a potential skb leak in l2tp_xmit_skb()
bridge: fix hang on removal of bridge via netlink
x25: Prevent skb overreads when checking call user data
x25: Handle undersized/fragmented skbs
x25: Validate incoming call user data lengths
udplite: fast-path computation of checksum coverage
IPVS netns shutdown/startup dead-lock
netfilter: nf_conntrack: fix event flooding in GRE protocol tracker
Jean Delvare [Thu, 20 Oct 2011 07:06:45 +0000 (03:06 -0400)]
hwmon: (w83627ehf) Fix negative 8-bit temperature values
Since 8-bit temperature values are now handled in 16-bit struct
members, values have to be cast to s8 for negative temperatures to be
properly handled. This is broken since kernel version 2.6.39
(commit
bce26c58df86599c9570cee83eac58bdaae760e4.)
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Guenter Roeck <guenter.roeck@ericsson.com>
Cc: stable@kernel.org # 2.6.39+
Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Hugh Dickins [Wed, 19 Oct 2011 19:50:35 +0000 (12:50 -0700)]
mm: fix race between mremap and removing migration entry
I don't usually pay much attention to the stale "? " addresses in
stack backtraces, but this lucky report from Pawel Sikora hints that
mremap's move_ptes() has inadequate locking against page migration.
3.0 BUG_ON(!PageLocked(p)) in migration_entry_to_page():
kernel BUG at include/linux/swapops.h:105!
RIP: 0010:[<
ffffffff81127b76>] [<
ffffffff81127b76>]
migration_entry_wait+0x156/0x160
[<
ffffffff811016a1>] handle_pte_fault+0xae1/0xaf0
[<
ffffffff810feee2>] ? __pte_alloc+0x42/0x120
[<
ffffffff8112c26b>] ? do_huge_pmd_anonymous_page+0xab/0x310
[<
ffffffff81102a31>] handle_mm_fault+0x181/0x310
[<
ffffffff81106097>] ? vma_adjust+0x537/0x570
[<
ffffffff81424bed>] do_page_fault+0x11d/0x4e0
[<
ffffffff81109a05>] ? do_mremap+0x2d5/0x570
[<
ffffffff81421d5f>] page_fault+0x1f/0x30
mremap's down_write of mmap_sem, together with i_mmap_mutex or lock,
and pagetable locks, were good enough before page migration (with its
requirement that every migration entry be found) came in, and enough
while migration always held mmap_sem; but not enough nowadays, when
there's memory hotremove and compaction.
The danger is that move_ptes() lets a migration entry dodge around
behind remove_migration_pte()'s back, so it's in the old location when
looking at the new, then in the new location when looking at the old.
Either mremap's move_ptes() must additionally take anon_vma lock(), or
migration's remove_migration_pte() must stop peeking for is_swap_entry()
before it takes pagetable lock.
Consensus chooses the latter: we prefer to add overhead to migration
than to mremapping, which gets used by JVMs and by exec stack setup.
Reported-and-tested-by: Paweł Sikora <pluto@agmk.net>
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Andrea Arcangeli <aarcange@redhat.com>
Acked-by: Mel Gorman <mgorman@suse.de>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Kjetil Oftedal [Wed, 19 Oct 2011 23:20:50 +0000 (16:20 -0700)]
sparc: Add alignment flag to PCI expansion resources
Currently no type of alignment is specified for PCI expansion roms while
parsing the openfirmware tree. This causes calls to pci_map_rom() to fail.
IORESOURCE_SIZEALIGN is the default alignment used for rom resouces in
pci/probe.c, and has been verified to work with various cards on a ultra 10.
Signed-off-By: Kjetil Oftedal <oftedal@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yan, Zheng [Mon, 17 Oct 2011 15:20:28 +0000 (15:20 +0000)]
fib_rules: fix unresolved_rules counting
we should decrease ops->unresolved_rules when deleting a unresolved rule.
Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
hayeswang [Thu, 13 Oct 2011 20:14:37 +0000 (20:14 +0000)]
r8169: fix wrong eee setting for rlt8111evl
Correct the wrong parameter for setting EEE for RTL8111E-VL.
Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
françois romieu [Fri, 14 Oct 2011 00:57:45 +0000 (00:57 +0000)]
r8169: fix driver shutdown WoL regression.
Due to commit
92fc43b4159b518f5baae57301f26d770b0834c9 ("r8169: modify the
flow of the hw reset."), rtl8169_hw_reset stomps during driver shutdown on
RxConfig bits which are needed for WOL on some versions of the hardware.
As these bits were formerly set from the r81{0x, 68}_pll_power_down methods,
factor them out for use in the driver shutdown (rtl_shutdown) handler.
I favored __rtl8169_get_wol() -hardware state indication- over
RTL_FEATURE_WOL as the latter has become a good candidate for removal.
Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Cc: Hayes <hayeswang@realtek.com>
Tested-by: Marc Ballarin <ballarin.marc@gmx.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Thadeu Lima de Souza Cascardo [Thu, 13 Oct 2011 09:56:19 +0000 (09:56 +0000)]
ehea: Change maintainer to me
Breno Leitao has passed the maintainership to me.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Cc: Breno Leitao <leitao@linux.vnet.ibm.com>
Acked-by: Breno Leitão <leitao@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Wed, 19 Oct 2011 13:44:11 +0000 (06:44 -0700)]
Merge branch 'v4l_for_linus' of git://linuxtv.org/mchehab/for_linus
* 'v4l_for_linus' of git://linuxtv.org/mchehab/for_linus:
[media] videodev: fix a NULL pointer dereference in v4l2_device_release()
Linus Torvalds [Wed, 19 Oct 2011 13:43:24 +0000 (06:43 -0700)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
drm/radeon/kms/atom: fix handling of FB scratch indices
drm/radeon/kms/DCE4.1: fix Select_CrtcSource EncodeMode setting for DP bridges (v2)
drm/radeon/kms/DCE4.1: ss is not supported on the internal pplls
drm/radeon/kms/DCE4.1: fix dig encoder to transmitter mapping
ttm: Fix error-path using an uninitialized value
Antonio Ospite [Wed, 12 Oct 2011 20:59:26 +0000 (17:59 -0300)]
[media] videodev: fix a NULL pointer dereference in v4l2_device_release()
The change in
8280b66 does not cover the case when v4l2_dev is already
NULL, fix that.
With a Kinect sensor, seen as an USB camera using GSPCA in this context,
a NULL pointer dereference BUG can be triggered by just unplugging the
device after the camera driver has been loaded.
Signed-off-by: Antonio Ospite <ospite@studenti.unina.it>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Allen Kay [Fri, 14 Oct 2011 19:32:46 +0000 (12:32 -0700)]
intel-iommu: fix superpage support in pfn_to_dma_pte()
If target_level == 0, current code breaks out of the while-loop if
SUPERPAGE bit is set. We should also break out if PTE is not present.
If we don't do this, KVM calls to iommu_iova_to_phys() will cause
pfn_to_dma_pte() to create mapping for 4KiB pages.
Signed-off-by: Allen Kay <allen.m.kay@intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Allen Kay [Fri, 14 Oct 2011 19:32:17 +0000 (12:32 -0700)]
intel-iommu: set iommu_superpage on VM domains to lowest common denominator
set dmar->iommu_superpage field to the smallest common denominator
of super page sizes supported by all active VT-d engines. Initialize
this field in intel_iommu_domain_init() API so intel_iommu_map() API
will be able to use iommu_superpage field to determine the appropriate
super page size to use.
Signed-off-by: Allen Kay <allen.m.kay@intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Allen Kay [Fri, 14 Oct 2011 19:31:54 +0000 (12:31 -0700)]
intel-iommu: fix return value of iommu_unmap() API
iommu_unmap() API expects IOMMU drivers to return the actual page order
of the address being unmapped. Previous code was just returning page
order passed in from the caller. This patch fixes this problem.
Signed-off-by: Allen Kay <allen.m.kay@intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Roland Dreier [Tue, 11 Oct 2011 00:07:15 +0000 (17:07 -0700)]
MAINTAINERS: Update VT-d entry for drivers/pci -> drivers/iommu move
Commit
166e9278a3f9 ("x86/ia64: intel-iommu: move to drivers/iommu/")
moved the VT-d driver to drivers/iommu, but left the "F:" line in
MAINTAINERS pointing to drivers/pci, which breaks scripts/get_maintainer.pl.
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Alex Deucher [Wed, 19 Oct 2011 00:10:05 +0000 (20:10 -0400)]
drm/radeon/kms/atom: fix handling of FB scratch indices
FB scratch indices are dword indices, but we were treating
them as byte indices. As such, we were getting the wrong
FB scratch data for non-0 indices. Fix the indices and
guard the indexing against indices larger than the scratch
allocation.
Fixes memory corruption on some boards if data was written
past the end of the FB scratch array.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Reported-by: Dave Airlie <airlied@redhat.com>
Tested-by: Dave Airlie <airlied@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Eric Dumazet [Mon, 17 Oct 2011 17:59:53 +0000 (17:59 +0000)]
pptp: pptp_rcv_core() misses pskb_may_pull() call
e1000e uses paged frags, so any layer incorrectly pulling bytes from skb
can trigger a BUG in skb_pull()
[951.142737] [<
ffffffff813d2f36>] skb_pull+0x15/0x17
[951.142737] [<
ffffffffa0286824>] pptp_rcv_core+0x126/0x19a [pptp]
[951.152725] [<
ffffffff813d17c4>] sk_receive_skb+0x69/0x105
[951.163558] [<
ffffffffa0286993>] pptp_rcv+0xc8/0xdc [pptp]
[951.165092] [<
ffffffffa02800a3>] gre_rcv+0x62/0x75 [gre]
[951.165092] [<
ffffffff81410784>] ip_local_deliver_finish+0x150/0x1c1
[951.177599] [<
ffffffff81410634>] ? ip_local_deliver_finish+0x0/0x1c1
[951.177599] [<
ffffffff81410846>] NF_HOOK.clone.7+0x51/0x58
[951.177599] [<
ffffffff81410996>] ip_local_deliver+0x51/0x55
[951.177599] [<
ffffffff814105b9>] ip_rcv_finish+0x31a/0x33e
[951.177599] [<
ffffffff8141029f>] ? ip_rcv_finish+0x0/0x33e
[951.204898] [<
ffffffff81410846>] NF_HOOK.clone.7+0x51/0x58
[951.214651] [<
ffffffff81410bb5>] ip_rcv+0x21b/0x246
pptp_rcv_core() is a nice example of a function assuming everything it
needs is available in skb head.
Reported-by: Bradley Peterson <despite@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
KOVACS Krisztian [Tue, 18 Oct 2011 10:17:35 +0000 (10:17 +0000)]
tproxy: copy transparent flag when creating a time wait
The transparent socket option setting was not copied to the time wait
socket when an inet socket was being replaced by a time wait socket. This
broke the --transparent option of the socket match and may have caused
that FIN packets belonging to sockets in FIN_WAIT2 or TIME_WAIT state
were being dropped by the packet filter.
Signed-off-by: KOVACS Krisztian <hidden@balabit.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Mon, 17 Oct 2011 17:01:47 +0000 (17:01 +0000)]
pptp: fix skb leak in pptp_xmit()
In case we cant transmit skb, we must free it
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Dmitry Kozlov <xeb@mail.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mitsuo Hayasaka [Wed, 12 Oct 2011 16:04:29 +0000 (16:04 +0000)]
bonding: use local function pointer of bond->recv_probe in bond_handle_frame
The bond->recv_probe is called in bond_handle_frame() when
a packet is received, but bond_close() sets it to NULL. So,
a panic occurs when both functions work in parallel.
Why this happen:
After null pointer check of bond->recv_probe, an sk_buff is
duplicated and bond->recv_probe is called in bond_handle_frame.
So, a panic occurs when bond_close() is called between the
check and call of bond->recv_probe.
Patch:
This patch uses a local function pointer of bond->recv_probe
in bond_handle_frame(). So, it can avoid the null pointer
dereference.
Signed-off-by: Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com>
Cc: Jay Vosburgh <fubar@us.ibm.com>
Cc: Andy Gospodarek <andy@greyhouse.net>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: WANG Cong <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Phil Edworthy [Wed, 12 Oct 2011 02:29:39 +0000 (02:29 +0000)]
smsc911x: Add support for SMSC LAN89218
LAN89218 is register compatible with LAN911x.
Signed-off-by: Phil Edworthy <phil.edworthy@renesas.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Pirko [Tue, 11 Oct 2011 23:00:41 +0000 (23:00 +0000)]
tg3: negate USE_PHYLIB flag check
USE_PHYLIB flag in tg3_remove_one() is being checked incorrectly. This
results tg3_phy_fini->phy_disconnect is never called and when tg3 module
is removed.
In my case this resulted in panics in phy_state_machine calling function
phydev->adjust_link.
So correct this check.
Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Acked-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gao feng [Tue, 11 Oct 2011 16:08:11 +0000 (16:08 +0000)]
netconsole: enable netconsole can make net_device refcnt incorrent
There is no check if netconsole is enabled current.
so when exec echo 1 > enabled;
the reference of net_device will increment always.
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Acked-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Paul Moore [Fri, 7 Oct 2011 09:40:59 +0000 (09:40 +0000)]
bluetooth: Properly clone LSM attributes to newly created child connections
The Bluetooth stack has internal connection handlers for all of the various
Bluetooth protocols, and unfortunately, they are currently lacking the LSM
hooks found in the core network stack's connection handlers. I say
unfortunately, because this can cause problems for users who have have an
LSM enabled and are using certain Bluetooth devices. See one problem
report below:
* http://bugzilla.redhat.com/show_bug.cgi?id=741703
In order to keep things simple at this point in time, this patch fixes the
problem by cloning the parent socket's LSM attributes to the newly created
child socket. If we decide we need a more elaborate LSM marking mechanism
for Bluetooth (I somewhat doubt this) we can always revisit this decision
in the future.
Reported-by: James M. Cape <jcape@ignore-your.tv>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Fri, 7 Oct 2011 05:35:46 +0000 (05:35 +0000)]
l2tp: fix a potential skb leak in l2tp_xmit_skb()
l2tp_xmit_skb() can leak one skb if skb_cow_head() returns an error.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
stephen hemminger [Thu, 6 Oct 2011 11:19:41 +0000 (11:19 +0000)]
bridge: fix hang on removal of bridge via netlink
Need to cleanup bridge device timers and ports when being bridge
device is being removed via netlink.
This fixes the problem of observed when doing:
ip link add br0 type bridge
ip link set dev eth1 master br0
ip link set br0 up
ip link del br0
which would cause br0 to hang in unregister_netdev because
of leftover reference count.
Reported-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Acked-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Peter Zijlstra [Mon, 17 Oct 2011 09:50:30 +0000 (11:50 +0200)]
cputimer: Cure lock inversion
There's a lock inversion between the cputimer->lock and rq->lock;
notably the two callchains involved are:
update_rlimit_cpu()
sighand->siglock
set_process_cpu_timer()
cpu_timer_sample_group()
thread_group_cputimer()
cputimer->lock
thread_group_cputime()
task_sched_runtime()
->pi_lock
rq->lock
scheduler_tick()
rq->lock
task_tick_fair()
update_curr()
account_group_exec()
cputimer->lock
Where the first one is enabling a CLOCK_PROCESS_CPUTIME_ID timer, and
the second one is keeping up-to-date.
This problem was introduced by
e8abccb7193 ("posix-cpu-timers: Cure
SMP accounting oddities").
Cure the problem by removing the cputimer->lock and rq->lock nesting,
this leaves concurrent enablers doing duplicate work, but the time
wasted should be on the same order otherwise wasted spinning on the
lock and the greater-than assignment filter should ensure we preserve
monotonicity.
Reported-by: Dave Jones <davej@redhat.com>
Reported-by: Simon Kirby <sim@hostway.ca>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: stable@kernel.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Link: http://lkml.kernel.org/r/1318928713.21167.4.camel@twins
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Alex Deucher [Wed, 12 Oct 2011 22:49:53 +0000 (18:49 -0400)]
drm/radeon/kms/DCE4.1: fix Select_CrtcSource EncodeMode setting for DP bridges (v2)
Settings in this table reflect the physical panel/connector rather
than the internal dig encoding.
v2: fix typo for DRM_MODE_CONNECTOR_VGA case.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Alex Deucher [Wed, 12 Oct 2011 22:44:33 +0000 (18:44 -0400)]
drm/radeon/kms/DCE4.1: ss is not supported on the internal pplls
It's handled via external clock. It should already be protected
by the external ss flag, but add an explicit check just in case.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Alex Deucher [Wed, 12 Oct 2011 22:44:32 +0000 (18:44 -0400)]
drm/radeon/kms/DCE4.1: fix dig encoder to transmitter mapping
llano has fully routeable dig encoders similar to DCE3.2 while
ontario has a hardcoded mapping similar to DCE4.0.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Daniel Suchy [Tue, 18 Oct 2011 09:09:44 +0000 (11:09 +0200)]
ALSA: HDA: conexant support for Lenovo T520/W520
This is patch for Conexant codec of Intel HDA driver, adding new quirk
for Lenovo Thinkpad T520 and W520. Conexant autodetection works fine for
T520 (similar subsystem ID is used also in W520 model) and detects more
mixer features compared to generic (fallback) Lenovo quirk with
hardcoded options in Conexant codec.
Patch was activelly tested with Linux 3.0.4, 3.0.6 and 3.0.7 without any
problems.
Signed-off-by: Daniel Suchy <danny@danysek.cz>
Cc: <stable@kernel.org> [3.0+]
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Takashi Iwai [Tue, 18 Oct 2011 08:44:05 +0000 (10:44 +0200)]
ALSA: hda - Add position_fix quirk for Dell Inspiron 1010
The previous fix for the position-buffer check gives yet another
regression on a Dell laptop. The safest fix right now is to add a
static quirk for this device (and better to apply it for stable
kernels too).
Reported-by: Éric Piel <Eric.Piel@tremplin-utc.net>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Thomas Hellstrom [Mon, 17 Oct 2011 11:27:34 +0000 (13:27 +0200)]
ttm: Fix error-path using an uninitialized value
Pointed out by Michel Daenzer.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Linus Torvalds [Tue, 18 Oct 2011 04:06:23 +0000 (21:06 -0700)]
Linux 3.1-rc10
David S. Miller [Mon, 17 Oct 2011 23:38:03 +0000 (19:38 -0400)]
Merge branch 'nf' of git://1984.lsi.us.es/net
Matthew Daley [Fri, 14 Oct 2011 18:45:05 +0000 (18:45 +0000)]
x25: Prevent skb overreads when checking call user data
x25_find_listener does not check that the amount of call user data given
in the skb is big enough in per-socket comparisons, hence buffer
overreads may occur. Fix this by adding a check.
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Andrew Hendry <andrew.hendry@gmail.com>
Cc: stable <stable@kernel.org>
Acked-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matthew Daley [Fri, 14 Oct 2011 18:45:04 +0000 (18:45 +0000)]
x25: Handle undersized/fragmented skbs
There are multiple locations in the X.25 packet layer where a skb is
assumed to be of at least a certain size and that all its data is
currently available at skb->data. These assumptions are not checked,
hence buffer overreads may occur. Use pskb_may_pull to check these
minimal size assumptions and ensure that data is available at skb->data
when necessary, as well as use skb_copy_bits where needed.
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Andrew Hendry <andrew.hendry@gmail.com>
Cc: stable <stable@kernel.org>
Acked-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matthew Daley [Fri, 14 Oct 2011 18:45:03 +0000 (18:45 +0000)]
x25: Validate incoming call user data lengths
X.25 call user data is being copied in its entirety from incoming messages
without consideration to the size of the destination buffers, leading to
possible buffer overflows. Validate incoming call user data lengths before
these copies are performed.
It appears this issue was noticed some time ago, however nothing seemed to
come of it: see http://www.spinics.net/lists/linux-x25/msg00043.html and
commit
8db09f26f912f7c90c764806e804b558da520d4f.
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Tested-by: Andrew Hendry <andrew.hendry@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gerrit Renker [Mon, 17 Oct 2011 23:07:30 +0000 (19:07 -0400)]
udplite: fast-path computation of checksum coverage
Commit
903ab86d195cca295379699299c5fc10beba31c7 of 1 March this year ("udp: Add
lockless transmit path") introduced a new fast TX path that broke the checksum
coverage computation of UDP-lite, which so far depended on up->len (only set
if the socket is locked and 0 in the fast path).
Fixed by providing both fast- and slow-path computation of checksum coverage.
The latter can be removed when UDP(-lite)v6 also uses a lockless transmit path.
Reported-by: Thomas Volkert <thomas@homer-conferencing.com>
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Mon, 17 Oct 2011 15:24:24 +0000 (08:24 -0700)]
Avoid using variable-length arrays in kernel/sys.c
The size is always valid, but variable-length arrays generate worse code
for no good reason (unless the function happens to be inlined and the
compiler sees the length for the simple constant it is).
Also, there seems to be some code generation problem on POWER, where
Henrik Bakken reports that register r28 can get corrupted under some
subtle circumstances (interrupt happening at the wrong time?). That all
indicates some seriously broken compiler issues, but since variable
length arrays are bad regardless, there's little point in trying to
chase it down.
"Just don't do that, then".
Reported-by: Henrik Grindal Bakken <henribak@cisco.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Sun, 16 Oct 2011 20:08:27 +0000 (13:08 -0700)]
Merge branch 'fixes' of ftp.arm.linux.org.uk/pub/linux/arm/kernel/git-cur/linux-2.6-arm
* 'fixes' of http://ftp.arm.linux.org.uk/pub/linux/arm/kernel/git-cur/linux-2.6-arm:
ARM: 7128/1: vic: Don't write to the read-only register VIC_IRQ_STATUS
ARM: 7122/1: localtimer: add header linux/errno.h explicitly
ARM: 7117/1: perf: fix HW_CACHE_* events on Cortex-A9
ARM: 7113/1: mm: Align bank start to MAX_ORDER_NR_PAGES
Zoltan Devai [Mon, 10 Oct 2011 13:54:12 +0000 (14:54 +0100)]
ARM: 7128/1: vic: Don't write to the read-only register VIC_IRQ_STATUS
This is unneeded and causes an abort on the SPMP8000 platform.
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Zoltan Devai <zoss@devai.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>