Jiri Slaby [Sun, 10 Oct 2010 21:50:44 +0000 (21:50 +0000)]
ATM: solos-pci, remove use after free
Stanse found we do in console_show:
kfree_skb(skb);
return skb->len;
which is not good. Fix that by remembering the len and use it in the
function instead.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Chas Williams <chas@cmf.nrl.navy.mil>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Oskar Schirmer [Thu, 7 Oct 2010 02:30:30 +0000 (02:30 +0000)]
net/fec: carrier off initially to avoid root mount failure
with hardware slow in negotiation, the system did freeze
while trying to mount root on nfs at boot time.
the link state has not been initialised so network stack
tried to start transmission right away. this caused instant
retries, as the driver solely stated business upon link down,
rendering the system unusable.
notify carrier off initially to prevent transmission until
phylib will report link up.
Signed-off-by: Oskar Schirmer <oskar@linutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stanislaw Gruszka [Fri, 8 Oct 2010 04:25:01 +0000 (04:25 +0000)]
r8169: use device model DMA API
Use DMA API as PCI equivalents will be deprecated. This change also
allow to allocate with GFP_KERNEL where possible.
Tested-by: Neal Becker <ndbecker2@gmail.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stanislaw Gruszka [Fri, 8 Oct 2010 04:25:00 +0000 (04:25 +0000)]
r8169: allocate with GFP_KERNEL flag when able to sleep
We have fedora bug report where driver fail to initialize after
suspend/resume because of memory allocation errors:
https://bugzilla.redhat.com/show_bug.cgi?id=629158
To fix use GFP_KERNEL allocation where possible.
Tested-by: Neal Becker <ndbecker2@gmail.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Kees Cook [Thu, 7 Oct 2010 10:03:48 +0000 (10:03 +0000)]
net: clear heap allocation for ETHTOOL_GRXCLSRLALL
Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel
heap without clearing it. For the one driver (niu) that implements it,
it will leave the unused portion of heap unchanged and copy the full
contents back to userspace.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 8 Oct 2010 17:36:51 +0000 (10:36 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6
Dan Carpenter [Fri, 8 Oct 2010 17:21:22 +0000 (10:21 -0700)]
isdn: strcpy() => strlcpy()
setup.phone and setup.eazmsn are 32 character buffers.
rcvmsg.msg_data.byte_array is a 48 character buffer.
sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn is 50 chars.
The rcvmsg struct comes from the memcpy_fromio() in receivemessage().
I guess that means it's data off the wire. I'm not very familiar with
this code but I don't see any reason to assume these strings are NULL
terminated.
Also it's weird that "dn" in a 50 character buffer but we only seem to
use 32 characters. In drivers/isdn/sc/scioc.h, "dn" is only a 49
character buffer. So potentially there is still an issue there.
The important thing for now is to prevent the memory corruption.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
John W. Linville [Thu, 7 Oct 2010 15:35:40 +0000 (11:35 -0400)]
Revert "mac80211: use netif_receive_skb in ieee80211_tx_status callpath"
This reverts commit
5ed3bc7288487bd4f891f420a07319e0b538b4fe.
It turns-out that not all drivers are calling ieee80211_tx_status from a
compatible context. Revert this for now and try again later...
Signed-off-by: John W. Linville <linville@tuxdriver.com>
David S. Miller [Thu, 7 Oct 2010 07:59:39 +0000 (00:59 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/padovan/bluetooth-2.6
David S. Miller [Thu, 7 Oct 2010 02:11:17 +0000 (19:11 -0700)]
Merge branch 'master' of /linux/kernel/git/torvalds/linux-2.6
Linus Torvalds [Wed, 6 Oct 2010 20:39:52 +0000 (13:39 -0700)]
Linux 2.6.36-rc7
Linus Torvalds [Wed, 6 Oct 2010 20:27:19 +0000 (13:27 -0700)]
Merge branch 'upstream' of git://git.linux-mips.org/upstream-linus
* 'upstream' of git://git.linux-mips.org/pub/scm/upstream-linus:
MIPS: Octeon: Place cnmips_cu2_setup in __init memory.
MIPS: Don't place cu2 notifiers in __cpuinitdata
MIPS: Calculate VMLINUZ_LOAD_ADDRESS based on the length of vmlinux.bin
MIPS: Alchemy: Resolve prom section mismatches
MIPS: Fix syscall 64 bit number comments.
MIPS: Hookup fanotify_init, fanotify_mark, and prlimit64 syscalls.
MIPS: TX49xx: Rename ARCH_KMALLOC_MINALIGN to ARCH_DMA_MINALIGN
MIPS: N32: Fix getdents64 syscall for n32
MIPS: Remove pr_<level> uses of KERN_<level>
MIPS: PNX8550: Sort out machine halt, restart and powerdown functions.
MIPS: GIC: Remove dependencies from Malta files.
MIPS: Kconfig: Fix and clarify kconfig help text for VSMP and SMTC.
MIPS: DMA: Fix computation of DMA flags from device's coherent_dma_mask.
MIPS: Audit: Fix hang in entry.S.
MIPS: Document why RELOC_HIDE is there.
MIPS: Octeon: Determine if helper needs to be built
MIPS: Use generic atomic64 for 32-bit kernels
MIPS: RM7000: Symbol should be static
MIPS: kspd: Adjust confusing if indentation
MIPS: Fix a typo.
Johannes Berg [Tue, 5 Oct 2010 19:40:33 +0000 (21:40 +0200)]
mac80211: delete AddBA response timer
We never delete the addBA response timer, which
is typically fine, but if the station it belongs
to is deleted very quickly after starting the BA
session, before the peer had a chance to reply,
the timer may fire after the station struct has
been freed already. Therefore, we need to delete
the timer in a suitable spot -- best when the
session is being stopped (which will happen even
then) in which case the delete will be a no-op
most of the time.
I've reproduced the scenario and tested the fix.
This fixes the crash reported at
http://mid.gmane.org/
4CAB6F96.
6090701@candelatech.com
Cc: stable@kernel.org
Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Sun, 3 Oct 2010 17:07:19 +0000 (19:07 +0200)]
ath9k_hw: fix regression in ANI listen time calculation
wireless-testing
commit
37e5bf6535a4d697fb9fa6f268a8354a612cbc00
Author: Luis R. Rodriguez <lrodriguez@atheros.com>
Date: Sat Jun 12 00:33:40 2010 -0400
ath9k_hw: fix clock rate calculations for ANI
This commit accidentally broke clock rate calculation by doubling the
calculated clock rate
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Linus Torvalds [Wed, 6 Oct 2010 18:11:18 +0000 (11:11 -0700)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block
* 'for-linus' of git://git.kernel.dk/linux-2.6-block:
writeback: always use sb->s_bdi for writeback purposes
Linus Torvalds [Wed, 6 Oct 2010 16:51:28 +0000 (09:51 -0700)]
Merge branch 'v2.6.36-rc6-urgent-fixes' of git://xenbits.xen.org/people/sstabellini/linux-pvhvm
* 'v2.6.36-rc6-urgent-fixes' of git://xenbits.xen.org/people/sstabellini/linux-pvhvm:
xen: do not initialize PV timers on HVM if !xen_have_vector_callback
xen: do not set xenstored_ready before xenbus_probe on hvm
Linus Torvalds [Wed, 6 Oct 2010 16:50:41 +0000 (09:50 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/mszeredi/fuse
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
fuse: Initialize total_len in fuse_retrieve()
Eric Dumazet [Mon, 4 Oct 2010 22:42:08 +0000 (22:42 +0000)]
caif: fix two caif_connect() bugs
caif_connect() might dereference a netdevice after dev_put() it.
It also doesnt check dev_get_by_index() return value and could
dereference a NULL pointer.
Fix it, using RCU to avoid taking a reference.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Neil Horman [Tue, 5 Oct 2010 03:39:21 +0000 (03:39 +0000)]
bonding: fix WARN_ON when writing to bond_master sysfs file
Fix a WARN_ON failure in bond_masters sysfs file
Got a report of this warning recently
bonding: bond0 is being created...
------------[ cut here ]------------
WARNING: at fs/proc/generic.c:590 proc_register+0x14d/0x185()
Hardware name: ProLiant BL465c G1
proc_dir_entry 'bonding/bond0' already registered
Modules linked in: bonding ipv6 tg3 bnx2 shpchp amd64_edac_mod edac_core
ipmi_si
ipmi_msghandler serio_raw i2c_piix4 k8temp edac_mce_amd hpwdt microcode hpsa
cc
iss radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core [last unloaded:
scsi_wai
t_scan]
Pid: 935, comm: ifup-eth Not tainted 2.6.33.5-124.fc13.x86_64 #1
Call Trace:
[<
ffffffff8104b54c>] warn_slowpath_common+0x77/0x8f
[<
ffffffff8104b5b1>] warn_slowpath_fmt+0x3c/0x3e
[<
ffffffff8114bf0b>] proc_register+0x14d/0x185
[<
ffffffff8114c20c>] proc_create_data+0x87/0xa1
[<
ffffffffa0211e9b>] bond_create_proc_entry+0x55/0x95 [bonding]
[<
ffffffffa0215e5d>] bond_init+0x95/0xd0 [bonding]
[<
ffffffff8138cd97>] register_netdevice+0xdd/0x29e
[<
ffffffffa021240b>] bond_create+0x8e/0xb8 [bonding]
[<
ffffffffa021c4be>] bonding_store_bonds+0xb3/0x1c1 [bonding]
[<
ffffffff812aec85>] class_attr_store+0x27/0x29
[<
ffffffff8115423d>] sysfs_write_file+0x10f/0x14b
[<
ffffffff81101acf>] vfs_write+0xa9/0x106
[<
ffffffff81101be2>] sys_write+0x45/0x69
[<
ffffffff81009b02>] system_call_fastpath+0x16/0x1b
---[ end trace
a677c3f7f8b16b1e ]---
bonding: Bond creation failed.
It happens because a user space writer to bond_master can try to
register an already existing bond interface name. Fix it by teaching
bond_create to check for the existance of devices with that name first
in cases where a non-NULL name parameter has been passed in
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stephen Rothwell [Wed, 6 Oct 2010 00:06:44 +0000 (11:06 +1100)]
powerpc: remove unused variable
Since powerpc uses -Werror on arch powerpc, the build was broken like
this:
cc1: warnings being treated as errors
arch/powerpc/kernel/module.c: In function 'module_finalize':
arch/powerpc/kernel/module.c:66: error: unused variable 'err'
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Stanislaw Gruszka [Tue, 5 Oct 2010 22:11:40 +0000 (15:11 -0700)]
skge: add quirk to limit DMA
Skge devices installed on some Gigabyte motherboards are not able to
perform 64 dma correctly due to board PCI implementation, so limit
DMA to 32bit if such boards are detected.
Bug was reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=447489
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Tested-by: Luya Tshimbalanga <luya@fedoraproject.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jeff Kirsher [Tue, 5 Oct 2010 01:15:17 +0000 (01:15 +0000)]
MAINTAINERS: update Intel LAN Ethernet info
- Add ixgbevf and docs files to the maintainers file
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jeff Kirsher [Tue, 5 Oct 2010 01:17:27 +0000 (01:17 +0000)]
e1000e.txt: Add e1000e documentation
Adds documentation for the e1000e networking driver.
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jeff Kirsher [Tue, 5 Oct 2010 01:17:05 +0000 (01:17 +0000)]
e1000.txt: Update e1000 documentation
Updated the e1000 networking driver documentation.
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jeff Kirsher [Tue, 5 Oct 2010 01:16:44 +0000 (01:16 +0000)]
ixgbevf.txt: Update ixgbevf documentation
Update the documentation for the ixgbevf (ixgbe virtual
function driver).
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Tue, 5 Oct 2010 20:07:43 +0000 (13:07 -0700)]
Merge branch 'core-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip
* 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
rcu: rcu_read_lock_bh_held(): disabling irqs also disables bh
generic-ipi: Fix deadlock in __smp_call_function_single
Linus Torvalds [Tue, 5 Oct 2010 18:57:37 +0000 (11:57 -0700)]
Merge branch 'perf-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip
* 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
perf trace scripting: Fix extern struct definitions
perf ui hist browser: Fix segfault on 'a' for annotate
perf tools: Fix build breakage
perf, x86: Handle in flight NMIs on P4 platform
oprofile, ARM: Release resources on failure
oprofile: Add Support for Intel CPU Family 6 / Model 29
Evgeny Kuznetsov [Tue, 5 Oct 2010 08:47:57 +0000 (12:47 +0400)]
wait: using uninitialized member of wait queue
The "flags" member of "struct wait_queue_t" is used in several places in
the kernel code without beeing initialized by init_wait(). "flags" is
used in bitwise operations.
If "flags" not initialized then unexpected behaviour may take place.
Incorrect flags might used later in code.
Added initialization of "wait_queue_t.flags" with zero value into
"init_wait".
Signed-off-by: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com>
[ The bit we care about does end up being initialized by both
prepare_to_wait() and add_to_wait_queue(), so this doesn't seem to
cause actual bugs, but is definitely the right thing to do -Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Tue, 5 Oct 2010 18:29:27 +0000 (11:29 -0700)]
modules: Fix module_bug_list list corruption race
With all the recent module loading cleanups, we've minimized the code
that sits under module_mutex, fixing various deadlocks and making it
possible to do most of the module loading in parallel.
However, that whole conversion totally missed the rather obscure code
that adds a new module to the list for BUG() handling. That code was
doubly obscure because (a) the code itself lives in lib/bugs.c (for
dubious reasons) and (b) it gets called from the architecture-specific
"module_finalize()" rather than from generic code.
Calling it from arch-specific code makes no sense what-so-ever to begin
with, and is now actively wrong since that code isn't protected by the
module loading lock any more.
So this commit moves the "module_bug_{finalize,cleanup}()" calls away
from the arch-specific code, and into the generic code - and in the
process protects it with the module_mutex so that the list operations
are now safe.
Future fixups:
- move the module list handling code into kernel/module.c where it
belongs.
- get rid of 'module_bug_list' and just use the regular list of modules
(called 'modules' - imagine that) that we already create and maintain
for other reasons.
Reported-and-tested-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Adrian Bunk <bunk@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Stefano Stabellini [Fri, 1 Oct 2010 16:35:46 +0000 (17:35 +0100)]
xen: do not initialize PV timers on HVM if !xen_have_vector_callback
if !xen_have_vector_callback do not initialize PV timer unconditionally
because we still don't know how many cpus are available and if there is
more than one we won't be able to receive the timer interrupts on
cpu > 0.
This patch fixes an hang at boot when Xen does not support vector
callbacks and the guest has multiple vcpus.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Jeremy Fitzhardinge <jeremy@goop.org>
Stefano Stabellini [Mon, 4 Oct 2010 15:10:06 +0000 (16:10 +0100)]
xen: do not set xenstored_ready before xenbus_probe on hvm
Register_xenstore_notifier should guarantee that the caller gets
notified even if xenstore is already up.
Therefore we revert "do not notify callers from
register_xenstore_notifier" and set xenstored_read at the right time for
PV on HVM guests too.
In fact in case of PV on HVM guests xenstored is ready only after the
platform pci driver has completed the initialization, so do not set
xenstored_ready before the call to xenbus_probe().
This patch fixes a shutdown_event watcher registration bug that causes
"xm shutdown" not to work properly.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Jeremy Fitzhardinge <jeremy@goop.org>
Dan Carpenter [Mon, 4 Oct 2010 02:28:36 +0000 (02:28 +0000)]
cls_u32: signedness bug
skb_headroom() is unsigned so "skb_headroom(skb) + toff" is also
unsigned and can't be less than zero. This test was added in
66d50d25:
"u32: negative offset fix" It was supposed to fix a regression.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gustavo F. Padovan [Mon, 4 Oct 2010 22:28:52 +0000 (19:28 -0300)]
Bluetooth: Disallow to change L2CAP_OPTIONS values when connected
L2CAP doesn't permit change like MTU, FCS, TxWindow values while the
connection is alive, we can only set that before the
connection/configuration process. That can lead to bugs in the L2CAP
operation.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Linus Torvalds [Mon, 4 Oct 2010 20:35:48 +0000 (13:35 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/lrg/voltage-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lrg/voltage-2.6:
regulator: max8649 - fix setting extclk_freq
regulator: fix typo in current units
regulator: fix device_register() error handling
Linus Torvalds [Mon, 4 Oct 2010 18:45:35 +0000 (11:45 -0700)]
Merge branch 'merge-powerpc' of git://git.secretlab.ca/git/linux-2.6
* 'merge-powerpc' of git://git.secretlab.ca/git/linux-2.6:
powerpc/5200: tighten up ac97 reset timing
powerpc/5200: efika.c: Add of_node_put to avoid memory leak
powerpc/512x: fix clk_get() return value
Linus Torvalds [Mon, 4 Oct 2010 18:15:59 +0000 (11:15 -0700)]
Merge branch 'fix/misc' of git://git./linux/kernel/git/tiwai/sound-2.6
* 'fix/misc' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
ALSA: i2c/other/ak4xx-adda: Fix a compile warning with CONFIG_PROCFS=n
ALSA: prevent heap corruption in snd_ctl_new()
Linus Torvalds [Mon, 4 Oct 2010 18:15:06 +0000 (11:15 -0700)]
Merge branch 'hwmon-for-linus' of git://git./linux/kernel/git/groeck/staging
* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging:
hwmon: f71882fg: use a muxed resource lock for the Super I/O port
Linus Torvalds [Mon, 4 Oct 2010 18:14:21 +0000 (11:14 -0700)]
Merge branch 'fixes' of git://git./linux/kernel/git/davej/cpufreq
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/davej/cpufreq:
[CPUFREQ] Fix memory leaks in pcc_cpufreq_do_osc
[CPUFREQ] acpi-cpufreq: add missing __percpu markup
Linus Torvalds [Mon, 4 Oct 2010 18:13:22 +0000 (11:13 -0700)]
Merge branch 'merge-spi' of git://git.secretlab.ca/git/linux-2.6
* 'merge-spi' of git://git.secretlab.ca/git/linux-2.6:
of/spi: Fix OF-style driver binding of spi devices
spi: spi-gpio.c tests SPI_MASTER_NO_RX bit twice, but not SPI_MASTER_NO_TX
spi/mpc8xxx: fix buffer overrun on large transfers
Linus Torvalds [Mon, 4 Oct 2010 18:11:01 +0000 (11:11 -0700)]
Merge git://git./linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
vlan: dont drop packets from unknown vlans in promiscuous mode
Phonet: Correct header retrieval after pskb_may_pull
um: Proper Fix for
f25c80a4: remove duplicate structure field initialization
ip_gre: Fix dependencies wrt. ipv6.
net-2.6: SYN retransmits: Add new parameter to retransmits_timed_out()
iwl3945: queue the right work if the scan needs to be aborted
mac80211: fix use-after-free
Linus Torvalds [Mon, 4 Oct 2010 18:10:26 +0000 (11:10 -0700)]
Merge branch 'drm-intel-fixes' of git://git./linux/kernel/git/ickle/drm-intel
* 'drm-intel-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ickle/drm-intel:
drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
drm/i915: Sanity check pread/pwrite
drm/i915: Use pipe state to tell when pipe is off
drm/i915: vblank status not valid while training display port
drivers/gpu/drm/i915/i915_gem.c: Add missing error handling code
drm/i915: Fix refleak during eviction.
drm/i915: fix GMCH power reporting
Hugh Dickins [Sun, 3 Oct 2010 00:49:08 +0000 (17:49 -0700)]
ksm: fix bad user data when swapping
Building under memory pressure, with KSM on 2.6.36-rc5, collapsed with
an internal compiler error: typically indicating an error in swapping.
Perhaps there's a timing issue which makes it now more likely, perhaps
it's just a long time since I tried for so long: this bug goes back to
KSM swapping in 2.6.33.
Notice how reuse_swap_page() allows an exclusive page to be reused, but
only does SetPageDirty if it can delete it from swap cache right then -
if it's currently under Writeback, it has to be left in cache and we
don't SetPageDirty, but the page can be reused. Fine, the dirty bit
will get set in the pte; but notice how zap_pte_range() does not bother
to transfer pte_dirty to page_dirty when unmapping a PageAnon.
If KSM chooses to share such a page, it will look like a clean copy of
swapcache, and not be written out to swap when its memory is needed;
then stale data read back from swap when it's needed again.
We could fix this in reuse_swap_page() (or even refuse to reuse a
page under writeback), but it's more honest to fix my oversight in
KSM's write_protect_page(). Several days of testing on three machines
confirms that this fixes the issue they showed.
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Hugh Dickins [Sun, 3 Oct 2010 00:46:06 +0000 (17:46 -0700)]
ksm: fix page_address_in_vma anon_vma oops
2.6.36-rc1 commit
21d0d443cdc1658a8c1484fdcece4803f0f96d0e "rmap:
resurrect page_address_in_vma anon_vma check" was right to resurrect
that check; but now that it's comparing anon_vma->roots instead of
just anon_vmas, there's a danger of oopsing on a NULL anon_vma.
In most cases no NULL anon_vma ever gets here; but it turns out that
occasionally KSM, when enabled on a forked or forking process, will
itself call page_address_in_vma() on a "half-KSM" page left over from
an earlier failed attempt to merge - whose page_anon_vma() is NULL.
It's my bug that those should be getting here at all: I thought they
were already dealt with, this oops proves me wrong, I'll fix it in
the next release - such pages are effectively pinned until their
process exits, since rmap cannot find their ptes (though swapoff can).
For now just work around it by making page_address_in_vma() safe (and
add a comment on why that check is wanted anyway). A similar check
in __page_check_anon_rmap() is safe because do_page_add_anon_rmap()
already excluded KSM pages.
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Rik van Riel <riel@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
David Daney [Thu, 23 Sep 2010 18:24:09 +0000 (11:24 -0700)]
MIPS: Octeon: Place cnmips_cu2_setup in __init memory.
It is an early_initcall, so it should be in __init memory.
Signed-off-by: David Daney <ddaney@caviumnetworks.com>
To: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/1593/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
David Daney [Thu, 23 Sep 2010 18:23:29 +0000 (11:23 -0700)]
MIPS: Don't place cu2 notifiers in __cpuinitdata
The notifiers may be called at any time, so the notifier_block cannot
be in init memory.
Signed-off-by: David Daney <ddaney@caviumnetworks.com>
To: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/1592/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Shmulik Ladkani [Tue, 31 Aug 2010 10:24:19 +0000 (13:24 +0300)]
MIPS: Calculate VMLINUZ_LOAD_ADDRESS based on the length of vmlinux.bin
Fix VMLINUZ_LOAD_ADDRESS calculation to be based on the length of
vmlinux.bin, the actual uncompressed kernel binary.
Previously it was based on the length of KBUILD_IMAGE (the unstripped ELF
vmlinux), which is bigger than vmlinux.bin. As a result, vmlinuz was
loaded into a memory address higher then actually needed - a problem for
small memory platforms.
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
To: linux-mips@linux-mips.org
Cc: alex@digriz.org.uk
Cc: manuel.lauss@googlemail.com
Cc: sam@ravnborg.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/1564/
Acked-by: Wu Zhangjin <wuzhangjin@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Manuel Lauss [Thu, 19 Aug 2010 11:37:13 +0000 (13:37 +0200)]
MIPS: Alchemy: Resolve prom section mismatches
The function prom_init_cmdline() references the variable __initdata
arcs_cmdline.
The function prom_get_ethernet_addr() references the variable __initdata
arcs_cmdline.
Annotate prom_init_cmdline() as __init, unexport and annotate
prom_get_ethernet_addr() since it's no longer called from within
driver code.
Signed-off-by: Manuel Lauss <manuel.lauss@googlemail.com>
To: Linux-MIPS <linux-mips@linux-mips.org>
Patchwork: https://patchwork.linux-mips.org/patch/1547/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Ralf Baechle [Mon, 20 Sep 2010 14:00:19 +0000 (15:00 +0100)]
MIPS: Fix syscall 64 bit number comments.
Noticed and original patch by Philby John <pjohn@mvista.com>.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
David Daney [Mon, 23 Aug 2010 21:10:37 +0000 (14:10 -0700)]
MIPS: Hookup fanotify_init, fanotify_mark, and prlimit64 syscalls.
Signed-off-by: David Daney <ddaney@caviumnetworks.com>
To: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/1553/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
FUJITA Tomonori [Sat, 14 Aug 2010 07:02:37 +0000 (16:02 +0900)]
MIPS: TX49xx: Rename ARCH_KMALLOC_MINALIGN to ARCH_DMA_MINALIGN
Architectures need to set ARCH_DMA_MINALIGN to the minimum DMA
alignment (commit
a6eb9fe105d5de0053b261148cee56c94b4720ca). Defining
ARCH_KMALLOC_MINALIGN doesn't work anymore.
Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Cc: anemo@mba.ocn.ne.jp
Patchwork: https://patchwork.linux-mips.org/patch/1544/
Acked-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Bernhard Walle [Fri, 3 Sep 2010 08:15:34 +0000 (10:15 +0200)]
MIPS: N32: Fix getdents64 syscall for n32
Commit
31c984a5acabea5d8c7224dc226453022be46f33 introduced a new syscall
getdents64. However, in the syscall table, the new syscall still refers to
the old getdents which doesn't work.
The problem appeared with a system that uses the eglibc 2.12-r11187 (that
utilizes that new syscall) is very confused. The fix has been tested with
that eglibc version.
Signed-off-by: Bernhard Walle <walle@corscience.de>
To: linux-mips@linux-mips.org
Cc: ddaney@caviumnetworks.com
Cc: akpm@linux-foundation.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/1567/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Joe Perches [Sun, 12 Sep 2010 05:10:52 +0000 (22:10 -0700)]
MIPS: Remove pr_<level> uses of KERN_<level>
These would result in KERN_<level> actually getting printed.
Signed-off-by: Joe Perches <joe@perches.com>
To: Jiri Kosina <trivial@kernel.org>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/1581/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Ralf Baechle [Sat, 18 Sep 2010 23:09:09 +0000 (00:09 +0100)]
MIPS: PNX8550: Sort out machine halt, restart and powerdown functions.
No rubbish printks - those belong to userspace. The halt function now
actually halts the system and the poweroff function was deleted because
it didn't actually power down the system.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Ralf Baechle [Fri, 17 Sep 2010 16:07:48 +0000 (17:07 +0100)]
MIPS: GIC: Remove dependencies from Malta files.
This prevents the GIC code from being reusable sanely.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Ralf Baechle [Thu, 16 Sep 2010 10:40:41 +0000 (11:40 +0100)]
MIPS: Kconfig: Fix and clarify kconfig help text for VSMP and SMTC.
Only VSMP was known as SMVP and generally the help text was too short to
be helpful.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Ralf Baechle [Thu, 2 Sep 2010 21:22:23 +0000 (23:22 +0200)]
MIPS: DMA: Fix computation of DMA flags from device's coherent_dma_mask.
This only matters for ISA devices with a 24-bit DMA limit or for devices
with a 32-bit DMA limit on systems with ZONE_DMA32 enabled. The latter
currently only affects 32-bit PCI cards on Sibyte-based systems with more
than 1GB RAM installed.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Ralf Baechle [Thu, 2 Sep 2010 20:59:58 +0000 (22:59 +0200)]
MIPS: Audit: Fix hang in entry.S.
_TIF_WORK_MASK false had _TIF_SYSCALL_AUDIT set. If a thread's
_TIF_SYSCALL_AUDIT is ever set this will lead to an endless loop on the
way out from a syscall.
Currently this is only a theoretic bug as init/Kconfig doesn't allow
AUDIT_SYSCALL to be enabled for MIPS.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Ralf Baechle [Tue, 17 Aug 2010 15:01:59 +0000 (16:01 +0100)]
MIPS: Document why RELOC_HIDE is there.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Andreas Bießmann [Wed, 11 Aug 2010 16:49:53 +0000 (18:49 +0200)]
MIPS: Octeon: Determine if helper needs to be built
This patch adds an config switch to determine if we need to build some
workaround helper files.
The staging driver octeon-ethernet references some symbols which are only
built when PCI is enabled. The new config switch enables these symbols in
bothe cases.
Signed-off-by: Andreas Bießmann <biessmann@corscience.de>
To: linux-kernel@vger.kernel.org
Cc: Andreas Bießmann <biessmann@corscience.de>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/1543/
Acked-by: David Daney <ddaney@caviumnetworks.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Deng-Cheng Zhu [Wed, 9 Jun 2010 04:35:25 +0000 (12:35 +0800)]
MIPS: Use generic atomic64 for 32-bit kernels
The 64-bit kernel has already had its atomic64 functions. Except for that,
we use the generic spinlocked version. The atomic64 types and related
functions are needed for the Linux performance counter subsystem.
Signed-off-by: Deng-Cheng Zhu <dengcheng.zhu@gmail.com>
To: linux-mips@linux-mips.org
Cc: a.p.zijlstra@chello.nl
Cc: paulus@samba.org
Cc: mingo@elte.hu
Cc: acme@redhat.com
Cc: jamie.iles@picochip.com
Patchwork: https://patchwork.linux-mips.org/patch/1361/
Acked-by: David Daney <ddaney@caviumnetworks.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Ricardo Mendoza [Fri, 6 Aug 2010 15:42:57 +0000 (11:12 -0430)]
MIPS: RM7000: Symbol should be static
Signed-off-by: Ricardo Mendoza <ricmm@gentoo.org>
To: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/1540/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Julia Lawall [Thu, 5 Aug 2010 20:17:22 +0000 (22:17 +0200)]
MIPS: kspd: Adjust confusing if indentation
Indent the branch of an if.
The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)
// <smpl>
@r disable braces4@
position p1,p2;
statement S1,S2;
@@
(
if (...) { ... }
|
if (...) S1@p1 S2@p2
)
@script:python@
p1 << r.p1;
p2 << r.p2;
@@
if (p1[0].column == p2[0].column):
cocci.print_main("branch",p1)
cocci.print_secs("after",p2)
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
To: linux-mips@linux-mips.org
To: linux-kernel@vger.kernel.org
To: kernel-janitors@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/1539/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Andrea Gelmini [Thu, 5 Aug 2010 13:51:25 +0000 (15:51 +0200)]
MIPS: Fix a typo.
"Userpace" -> "Userspace"
Signed-off-by: Andrea Gelmini <andrea.gelmini@gelma.net>
Cc: Andrea Gelmini <andrea.gelmini@gelma.net>
Cc: Jason Wessel <jason.wessel@windriver.com>
Cc: Martin Hicks <mort@sgi.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/1536/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Stephane Eranian [Mon, 20 Sep 2010 22:45:01 +0000 (00:45 +0200)]
perf trace scripting: Fix extern struct definitions
Both python_scripting_ops and perl_scripting_ops have two global definitions.
One in trace-event-scripting.c and one in their respective scripting-engine
modules.
The issue is that depending on the linker order one definition or the other
is chosen. One is uninitialized (bss), while the other is initialized. If
the uninitialized version is chosen, then perf does not function properly.
This patch fixes this by adding the extern prefix to the definitions in
trace-event-scripting.c.
Cc: David S. Miller <davem@davemloft.net>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Robert Richter <robert.richter@amd.com>
LKML-Reference: <
4c97e41a.
078fd80a.7a8b.3cc9@mx.google.com>
Signed-off-by: Stephane Eranian <eranian@google.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Frederik Deweerdt [Thu, 23 Sep 2010 20:19:01 +0000 (22:19 +0200)]
perf ui hist browser: Fix segfault on 'a' for annotate
There a typo in util/ui/browsers/hists.c that leads to a segfault when you
press the 'a' key on a non-resolved symbol (plain hex address).
LKML-Reference: <
20100923201901.GE31726@gambetta>
Signed-off-by: Frederik Deweerdt <frederik.deweerdt@xprog.eu>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Kusanagi Kouichi [Sun, 26 Sep 2010 17:17:42 +0000 (14:17 -0300)]
perf tools: Fix build breakage
The patch
ecafda6 introduced a problem where all object files would be
always rebuilt, fix it by using:
http://www.gnu.org/software/make/manual/html_node/Prerequisite-Types.html
Reported-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Bernd Petrovitsch <bernd@sysprog.at>
Signed-off-by: Kusanagi Kouichi <slash@ac.auone-net.jp>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Christoph Hellwig [Mon, 4 Oct 2010 12:25:33 +0000 (14:25 +0200)]
writeback: always use sb->s_bdi for writeback purposes
We currently use struct backing_dev_info for various different purposes.
Originally it was introduced to describe a backing device which includes
an unplug and congestion function and various bits of readahead information
and VM-relevant flags. We're also using for tracking dirty inodes for
writeback.
To make writeback properly find all inodes we need to only access the
per-filesystem backing_device pointed to by the superblock in ->s_bdi
inside the writeback code, and not the instances pointeded to by
inode->i_mapping->backing_dev which can be overriden by special devices
or might not be set at all by some filesystems.
Long term we should split out the writeback-relevant bits of struct
backing_device_info (which includes more than the current bdi_writeback)
and only point to it from the superblock while leaving the traditional
backing device as a separate structure that can be overriden by devices.
The one exception for now is the block device filesystem which really
wants different writeback contexts for it's different (internal) inodes
to handle the writeout more efficiently. For now we do this with
a hack in fs-writeback.c because we're so late in the cycle, but in
the future I plan to replace this with a superblock method that allows
for multiple writeback contexts per filesystem.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Geert Uytterhoeven [Thu, 30 Sep 2010 20:06:21 +0000 (22:06 +0200)]
fuse: Initialize total_len in fuse_retrieve()
fs/fuse/dev.c:1357: warning: ‘total_len’ may be used uninitialized in this
function
Initialize total_len to zero, else its value will be undefined.
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Dan Rosenberg [Fri, 1 Oct 2010 11:51:47 +0000 (11:51 +0000)]
sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
array and attempts to ensure that only a supported hmac entry is
returned. The current code fails to do this properly - if the last id
in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the
id integer remains set after exiting the loop, and the address of an
out-of-bounds entry will be returned and subsequently used in the parent
function, causing potentially ugly memory corruption. This patch resets
the id integer to 0 on encountering an invalid id so that NULL will be
returned after finishing the loop if no valid ids are found.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Rosenberg [Fri, 1 Oct 2010 11:16:58 +0000 (11:16 +0000)]
sctp: prevent reading out-of-bounds memory
Two user-controlled allocations in SCTP are subsequently dereferenced as
sockaddr structs, without checking if the dereferenced struct members fall
beyond the end of the allocated chunk. There doesn't appear to be any
information leakage here based on how these members are used and
additional checking, but it's still worth fixing.
[akpm@linux-foundation.org: remove unfashionable newlines, fix gmail tab->space conversion]
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Stevens [Thu, 30 Sep 2010 14:29:40 +0000 (14:29 +0000)]
ipv4: correct IGMP behavior on v3 query during v2-compatibility mode
A recent patch to allow IGMPv2 responses to IGMPv3 queries
bypasses length checks for valid query lengths, incorrectly
resets the v2_seen timer, and does not support IGMPv1.
The following patch responds with a v2 report as required
by IGMPv2 while correcting the other problems introduced
by the patch.
Signed-Off-By: David L Stevens <dlstevens@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Sun, 3 Oct 2010 15:42:05 +0000 (15:42 +0000)]
netdev: Depend on INET before selecting INET_LRO
Since 'select' ignores dependencies, drivers that select INET_LRO must
depend on INET. This fixes the broken configuration reported in
<http://article.gmane.org/gmane.linux.kernel/825646>.
Reported-by: Subrata Modak <subrata@linux.vnet.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Sun, 3 Oct 2010 15:37:42 +0000 (15:37 +0000)]
Revert "ipv4: Make INET_LRO a bool instead of tristate."
This reverts commit
e81963b180ac502fda0326edf059b1e29cdef1a2.
LRO is now deprecated in favour of GRO, and only a few drivers use it,
so it is desirable to build it as a module in distribution kernels.
The original change to prevent building it as a module was made in an
attempt to avoid the case where some dependents are set to y and some
to m, and INET_LRO can be set to m rather than y. However, the
Kconfig system will reliably set INET_LRO=y in this case.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nagendra Tomar [Sat, 2 Oct 2010 23:45:06 +0000 (23:45 +0000)]
net: Fix the condition passed to sk_wait_event()
This patch fixes the condition (3rd arg) passed to sk_wait_event() in
sk_stream_wait_memory(). The incorrect check in sk_stream_wait_memory()
causes the following soft lockup in tcp_sendmsg() when the global tcp
memory pool has exhausted.
>>> snip <<<
localhost kernel: BUG: soft lockup - CPU#3 stuck for 11s! [sshd:6429]
localhost kernel: CPU 3:
localhost kernel: RIP: 0010:[sk_stream_wait_memory+0xcd/0x200] [sk_stream_wait_memory+0xcd/0x200] sk_stream_wait_memory+0xcd/0x200
localhost kernel:
localhost kernel: Call Trace:
localhost kernel: [sk_stream_wait_memory+0x1b1/0x200] sk_stream_wait_memory+0x1b1/0x200
localhost kernel: [<
ffffffff802557c0>] autoremove_wake_function+0x0/0x40
localhost kernel: [ipv6:tcp_sendmsg+0x6e6/0xe90] tcp_sendmsg+0x6e6/0xce0
localhost kernel: [sock_aio_write+0x126/0x140] sock_aio_write+0x126/0x140
localhost kernel: [xfs:do_sync_write+0xf1/0x130] do_sync_write+0xf1/0x130
localhost kernel: [<
ffffffff802557c0>] autoremove_wake_function+0x0/0x40
localhost kernel: [hrtimer_start+0xe3/0x170] hrtimer_start+0xe3/0x170
localhost kernel: [vfs_write+0x185/0x190] vfs_write+0x185/0x190
localhost kernel: [sys_write+0x50/0x90] sys_write+0x50/0x90
localhost kernel: [system_call+0x7e/0x83] system_call+0x7e/0x83
>>> snip <<<
What is happening is, that the sk_wait_event() condition passed from
sk_stream_wait_memory() evaluates to true for the case of tcp global memory
exhaustion. This is because both sk_stream_memory_free() and vm_wait are true
which causes sk_wait_event() to *not* call schedule_timeout().
Hence sk_stream_wait_memory() returns immediately to the caller w/o sleeping.
This causes the caller to again try allocation, which again fails and again
calls sk_stream_wait_memory(), and so on.
[ Bug introduced by commit
c1cbe4b7ad0bc4b1d98ea708a3fecb7362aa4088
("[NET]: Avoid atomic xchg() for non-error case") -DaveM ]
Signed-off-by: Nagendra Singh Tomar <tomer_iisc@yahoo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Maciej Żenczykowski [Sun, 3 Oct 2010 21:49:00 +0000 (14:49 -0700)]
net: Fix IPv6 PMTU disc. w/ asymmetric routes
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Chris Wilson [Sun, 26 Sep 2010 19:21:44 +0000 (20:21 +0100)]
drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
... and do the same for pread.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@kernel.org
Chris Wilson [Sun, 26 Sep 2010 19:50:05 +0000 (20:50 +0100)]
drm/i915: Sanity check pread/pwrite
Move the access control up from the fast paths, which are no longer
universally taken first, up into the caller. This then duplicates some
sanity checking along the slow paths, but is much simpler.
Tracked as CVE-2010-2962.
Reported-by: Kees Cook <kees@ubuntu.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@kernel.org
Giel van Schijndel [Sun, 3 Oct 2010 12:09:49 +0000 (08:09 -0400)]
hwmon: f71882fg: use a muxed resource lock for the Super I/O port
Sleep while acquiring a resource lock on the Super I/O port. This should
prevent collisions from causing the hardware probe to fail with -EBUSY.
Signed-off-by: Giel van Schijndel <me@mortis.eu>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Keith Packard [Sun, 3 Oct 2010 07:33:06 +0000 (00:33 -0700)]
drm/i915: Use pipe state to tell when pipe is off
Instead of waiting for the display line value to settle, we can simply
wait for the pipe configuration register 'state' bit to turn off.
Contrarywise, disabling the plane will not cause the display line
value to stop changing, so instead we wait for the vblank interrupt
bit to get set. And, we only do this when we're not about to wait for
the pipe to turn off.
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Keith Packard [Sun, 3 Oct 2010 07:33:05 +0000 (00:33 -0700)]
drm/i915: vblank status not valid while training display port
While the display port is in training mode, vblank interrupts don't
occur. Because we have to wait for the display port output to turn on
before starting the training sequence, enable the output in 'normal'
mode so that we can tell when a vblank has occurred, then start the
training sequence.
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Sinan Akman [Sun, 3 Oct 2010 03:28:29 +0000 (21:28 -0600)]
of/spi: Fix OF-style driver binding of spi devices
This patch adds the OF hook to the spi core so that devices
can automatically be registered based on device tree data. This fixes
a problem with spi devices not binding to drivers after the cleanup of
the spi & i2c binding code.
Signed-off-by: Sinan Akman <sinan@writeme.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Roel Kluin [Sat, 2 Oct 2010 12:03:32 +0000 (14:03 +0200)]
spi: spi-gpio.c tests SPI_MASTER_NO_RX bit twice, but not SPI_MASTER_NO_TX
The SPI_MASTER_NO_TX bit (can't do buffer write) wasn't tested. This
code was introduced in commit
3c8e1a84 (spi/spi-gpio: add support for
controllers without MISO or MOSI pin). This patch fixes a bug in
choosing which transfer ops to use.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Julia Lawall [Sat, 2 Oct 2010 13:59:17 +0000 (15:59 +0200)]
drivers/gpu/drm/i915/i915_gem.c: Add missing error handling code
Extend the error handling code with operations found in other nearby error
handling code
A simplified version of the sematic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@r exists@
@r@
statement S1,S2,S3;
constant C1,C2,C3;
@@
*if (...)
{... S1 return -C1;}
...
*if (...)
{... when != S1
return -C2;}
...
*if (...)
{... S1 return -C3;}
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@kernel.org
Axel Lin [Fri, 1 Oct 2010 05:56:27 +0000 (13:56 +0800)]
regulator: max8649 - fix setting extclk_freq
The SYNC bits are BIT6 and BIT7 of MAX8649_SYNC register.
pdata->extclk_freq could be [0|1|2].
(MAX8649_EXTCLK_26MHZ|MAX8649_EXTCLK_13MHZ|MAX8649_EXTCLK_19MHZ)
It requires to left shift 6 bits to properly set extclk_freq.
Signed-off-by: Axel Lin <axel.lin@gmail.com>
Acked-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Liam Girdwood <lrg@slimlogic.co.uk>
Cyril Chemparathy [Wed, 22 Sep 2010 16:30:15 +0000 (12:30 -0400)]
regulator: fix typo in current units
This patch fixes a typo that incorrectly reports mA numbers as uA.
Signed-off-by: Cyril Chemparathy <cyril@ti.com>
Acked-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Liam Girdwood <lrg@slimlogic.co.uk>
Vasiliy Kulikov [Sun, 19 Sep 2010 12:55:01 +0000 (16:55 +0400)]
regulator: fix device_register() error handling
If device_register() fails then call put_device().
See comment to device_register.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Acked-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Liam Girdwood <lrg@slimlogic.co.uk>
Linus Torvalds [Fri, 1 Oct 2010 22:03:37 +0000 (15:03 -0700)]
Merge git://git./linux/kernel/git/sfrench/cifs-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
cifs: prevent infinite recursion in cifs_reconnect_tcon
cifs: set backing_dev_info on new S_ISREG inodes
Linus Torvalds [Fri, 1 Oct 2010 22:02:41 +0000 (15:02 -0700)]
Merge branch 'x86-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip
* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
x86, hpet: Fix bogus error check in hpet_assign_irq()
x86, irq: Plug memory leak in sparse irq
x86, cpu: After uncapping CPUID, re-run CPU feature detection
David Howells [Fri, 1 Oct 2010 09:31:03 +0000 (10:31 +0100)]
MN10300: Fix flush_icache_range()
flush_icache_range() is given virtual addresses to describe the region. It
deals with these by attempting to translate them through the current set of
page tables.
This is fine for userspace memory and vmalloc()'d areas as they are governed by
page tables. However, since the regions above 0x80000000 aren't translated
through the page tables by the MMU, the kernel doesn't bother to set up page
tables for them (see paging_init()).
This means flush_icache_range() as it stands cannot be used to flush regions of
the VM area between 0x80000000 and 0x9fffffff where the kernel resides if the
data cache is operating in WriteBack mode.
To fix this, make flush_icache_range() first check for addresses in the upper
half of VM space and deal with them appropriately, before dealing with any
range in the page table mapped area.
Ordinarily, this is not a problem, but it has the capacity to make kprobes and
kgdb malfunction. It should not affect gdbstub, signal frame setup or module
loading as gdb has its own flush functions, and the others take place in the
page table mapped area only.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Akira Takeuchi <takeuchi.akr@jp.panasonic.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Fri, 1 Oct 2010 17:58:31 +0000 (10:58 -0700)]
Merge branch 'drm-fixes' of git://git./linux/kernel/git/airlied/drm-2.6
* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
vmwgfx: Fix fb VRAM pinning failure due to fragmentation
vmwgfx: Remove initialisation of dev::devname
vmwgfx: Enable use of the vblank system
vmwgfx: vt-switch (master drop) fixes
drm/vmwgfx: Fix breakage introduced by commit "drm: block userspace under allocating buffer and having drivers overwrite it (v2)"
drm: Hold the mutex when dropping the last GEM reference (v2)
drm/gem: handlecount isn't really a kref so don't make it one.
drm: i810/i830: fix locked ioctl variant
drm/radeon/kms: add quirk for MSI K9A2GM motherboard
drm/radeon/kms: fix potential segfault in r600_ioctl_wait_idle
drm: Prune GEM vma entries
drm/radeon/kms: fix up encoder info messages for DFP6
drm/radeon: fix PCI ID 5657 to be an RV410
Linus Torvalds [Fri, 1 Oct 2010 17:55:54 +0000 (10:55 -0700)]
Merge branch 'for-linus/i2c/2636-rc5' of git://git.fluff.org/bjdooks/linux
* 'for-linus/i2c/2636-rc5' of git://git.fluff.org/bjdooks/linux:
i2c-s3c2410: fix calculation of SDA line delay
i2c-davinci: Fix race when setting up for TX
i2c-octeon: Return -ETIMEDOUT in octeon_i2c_wait() on timeout
Linus Torvalds [Fri, 1 Oct 2010 17:54:58 +0000 (10:54 -0700)]
Merge branch 'release' of git://git./linux/kernel/git/lenb/linux-acpi-2.6
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6:
ACPI: invoke DSDT corruption workaround on all Toshiba Satellite
ACPI, APEI, Fix ERST MOVE_DATA instruction implementation
ACPI: fan: Fix more unbalanced code block
ACPI: acpi_pad: simplify code to avoid false gcc build warning
ACPI, APEI, Fix error path for memory allocation
ACPI, APEI, HEST Fix the unsuitable usage of platform_data
ACPI, APEI, Fix acpi_pre_map() return value
ACPI, APEI, Fix APEI related table size checking
ACPI: Disable Windows Vista compatibility for Toshiba P305D
ACPI: Kconfig: fix typo.
ACPI: add missing __percpu markup in arch/x86/kernel/acpi/cstate.c
ACPI: Fix typos
ACPI video: fix a poor warning message
ACPI: fix build warnings resulting from merge window conflict
ACPI: EC: add Vista incompatibility DMI entry for Toshiba Satellite L355
ACPI: expand Vista blacklist to include SP1 and SP2
ACPI: delete ZEPTO idle=nomwait DMI quirk
ACPI: enable repeated PCIEXP wakeup by clearing PCIEXP_WAKE_STS on resume
PM / ACPI: Blacklist systems known to require acpi_sleep=nonvs
ACPI: Don't report current_now if battery reports in mWh
Linus Torvalds [Fri, 1 Oct 2010 17:53:45 +0000 (10:53 -0700)]
Merge branch 'idle-release' of git://git./linux/kernel/git/lenb/linux-idle-2.6
* 'idle-release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-idle-2.6:
intel_idle: Voluntary leave_mm before entering deeper
acpi_idle: add missing \n to printk
intel_idle: add missing __percpu markup
intel_idle: Change mode 755 => 644
cpuidle: Fix typos
intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot hang
Linus Torvalds [Fri, 1 Oct 2010 17:53:06 +0000 (10:53 -0700)]
Merge branch 'omap-fixes-for-linus' of git://git./linux/kernel/git/tmlind/linux-omap-2.6
* 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6:
omap: McBSP: tx_irq_completion used in rx_irq_handler
omap: Fix compile dependency to LEDS_CLASS
Frederic Weisbecker [Thu, 30 Sep 2010 22:15:38 +0000 (15:15 -0700)]
reiserfs: fix unwanted reiserfs lock recursion
Prevent from recursively locking the reiserfs lock in reiserfs_unpack()
because we may call journal_begin() that requires the lock to be taken
only once, otherwise it won't be able to release the lock while taking
other mutexes, ending up in inverted dependencies between the journal
mutex and the reiserfs lock for example.
This fixes:
=======================================================
[ INFO: possible circular locking dependency detected ]
2.6.35.4.4a #3
-------------------------------------------------------
lilo/1620 is trying to acquire lock:
(&journal->j_mutex){+.+...}, at: [<
d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
but task is already holding lock:
(&REISERFS_SB(s)->lock){+.+.+.}, at: [<
d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&REISERFS_SB(s)->lock){+.+.+.}:
[<
c10562b7>] lock_acquire+0x67/0x80
[<
c12facad>] __mutex_lock_common+0x4d/0x410
[<
c12fb0c8>] mutex_lock_nested+0x18/0x20
[<
d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
[<
d0325c06>] do_journal_begin_r+0x86/0x340 [reiserfs]
[<
d0325f77>] journal_begin+0x77/0x140 [reiserfs]
[<
d0315be4>] reiserfs_remount+0x224/0x530 [reiserfs]
[<
c10b6a20>] do_remount_sb+0x60/0x110
[<
c10cee25>] do_mount+0x625/0x790
[<
c10cf014>] sys_mount+0x84/0xb0
[<
c12fca3d>] syscall_call+0x7/0xb
-> #0 (&journal->j_mutex){+.+...}:
[<
c10560f6>] __lock_acquire+0x1026/0x1180
[<
c10562b7>] lock_acquire+0x67/0x80
[<
c12facad>] __mutex_lock_common+0x4d/0x410
[<
c12fb0c8>] mutex_lock_nested+0x18/0x20
[<
d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
[<
d0325f77>] journal_begin+0x77/0x140 [reiserfs]
[<
d0326271>] reiserfs_persistent_transaction+0x41/0x90 [reiserfs]
[<
d030d06c>] reiserfs_get_block+0x22c/0x1530 [reiserfs]
[<
c10db9db>] __block_prepare_write+0x1bb/0x3a0
[<
c10dbbe6>] block_prepare_write+0x26/0x40
[<
d030b738>] reiserfs_prepare_write+0x88/0x170 [reiserfs]
[<
d03294d6>] reiserfs_unpack+0xe6/0x120 [reiserfs]
[<
d0329782>] reiserfs_ioctl+0x272/0x320 [reiserfs]
[<
c10c3188>] vfs_ioctl+0x28/0xa0
[<
c10c3bbd>] do_vfs_ioctl+0x32d/0x5c0
[<
c10c3eb3>] sys_ioctl+0x63/0x70
[<
c12fca3d>] syscall_call+0x7/0xb
other info that might help us debug this:
2 locks held by lilo/1620:
#0: (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [<
d032945a>] reiserfs_unpack+0x6a/0x120 [reiserfs]
#1: (&REISERFS_SB(s)->lock){+.+.+.}, at: [<
d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
stack backtrace:
Pid: 1620, comm: lilo Not tainted 2.6.35.4.4a #3
Call Trace:
[<
c10560f6>] __lock_acquire+0x1026/0x1180
[<
c10562b7>] lock_acquire+0x67/0x80
[<
c12facad>] __mutex_lock_common+0x4d/0x410
[<
c12fb0c8>] mutex_lock_nested+0x18/0x20
[<
d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
[<
d0325f77>] journal_begin+0x77/0x140 [reiserfs]
[<
d0326271>] reiserfs_persistent_transaction+0x41/0x90 [reiserfs]
[<
d030d06c>] reiserfs_get_block+0x22c/0x1530 [reiserfs]
[<
c10db9db>] __block_prepare_write+0x1bb/0x3a0
[<
c10dbbe6>] block_prepare_write+0x26/0x40
[<
d030b738>] reiserfs_prepare_write+0x88/0x170 [reiserfs]
[<
d03294d6>] reiserfs_unpack+0xe6/0x120 [reiserfs]
[<
d0329782>] reiserfs_ioctl+0x272/0x320 [reiserfs]
[<
c10c3188>] vfs_ioctl+0x28/0xa0
[<
c10c3bbd>] do_vfs_ioctl+0x32d/0x5c0
[<
c10c3eb3>] sys_ioctl+0x63/0x70
[<
c12fca3d>] syscall_call+0x7/0xb
Reported-by: Jarek Poplawski <jarkao2@gmail.com>
Tested-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jeff Mahoney <jeffm@suse.com>
Cc: All since 2.6.32 <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Frederic Weisbecker [Thu, 30 Sep 2010 22:15:37 +0000 (15:15 -0700)]
reiserfs: fix dependency inversion between inode and reiserfs mutexes
The reiserfs mutex already depends on the inode mutex, so we can't lock
the inode mutex in reiserfs_unpack() without using the safe locking API,
because reiserfs_unpack() is always called with the reiserfs mutex locked.
This fixes:
=======================================================
[ INFO: possible circular locking dependency detected ]
2.6.35c #13
-------------------------------------------------------
lilo/1606 is trying to acquire lock:
(&sb->s_type->i_mutex_key#8){+.+.+.}, at: [<
d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
but task is already holding lock:
(&REISERFS_SB(s)->lock){+.+.+.}, at: [<
d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&REISERFS_SB(s)->lock){+.+.+.}:
[<
c1056347>] lock_acquire+0x67/0x80
[<
c12f083d>] __mutex_lock_common+0x4d/0x410
[<
c12f0c58>] mutex_lock_nested+0x18/0x20
[<
d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
[<
d0329e9a>] reiserfs_lookup_privroot+0x2a/0x90 [reiserfs]
[<
d0316b81>] reiserfs_fill_super+0x941/0xe60 [reiserfs]
[<
c10b7d17>] get_sb_bdev+0x117/0x170
[<
d0313e21>] get_super_block+0x21/0x30 [reiserfs]
[<
c10b74ba>] vfs_kern_mount+0x6a/0x1b0
[<
c10b7659>] do_kern_mount+0x39/0xe0
[<
c10cebe0>] do_mount+0x340/0x790
[<
c10cf0b4>] sys_mount+0x84/0xb0
[<
c12f25cd>] syscall_call+0x7/0xb
-> #0 (&sb->s_type->i_mutex_key#8){+.+.+.}:
[<
c1056186>] __lock_acquire+0x1026/0x1180
[<
c1056347>] lock_acquire+0x67/0x80
[<
c12f083d>] __mutex_lock_common+0x4d/0x410
[<
c12f0c58>] mutex_lock_nested+0x18/0x20
[<
d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
[<
d0329772>] reiserfs_ioctl+0x272/0x320 [reiserfs]
[<
c10c3228>] vfs_ioctl+0x28/0xa0
[<
c10c3c5d>] do_vfs_ioctl+0x32d/0x5c0
[<
c10c3f53>] sys_ioctl+0x63/0x70
[<
c12f25cd>] syscall_call+0x7/0xb
other info that might help us debug this:
1 lock held by lilo/1606:
#0: (&REISERFS_SB(s)->lock){+.+.+.}, at: [<
d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
stack backtrace:
Pid: 1606, comm: lilo Not tainted 2.6.35c #13
Call Trace:
[<
c1056186>] __lock_acquire+0x1026/0x1180
[<
c1056347>] lock_acquire+0x67/0x80
[<
c12f083d>] __mutex_lock_common+0x4d/0x410
[<
c12f0c58>] mutex_lock_nested+0x18/0x20
[<
d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
[<
d0329772>] reiserfs_ioctl+0x272/0x320 [reiserfs]
[<
c10c3228>] vfs_ioctl+0x28/0xa0
[<
c10c3c5d>] do_vfs_ioctl+0x32d/0x5c0
[<
c10c3f53>] sys_ioctl+0x63/0x70
[<
c12f25cd>] syscall_call+0x7/0xb
Reported-by: Jarek Poplawski <jarkao2@gmail.com>
Tested-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jeff Mahoney <jeffm@suse.com>
Cc: <stable@kernel.org> [2.6.32 and later]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Kukjin Kim [Thu, 30 Sep 2010 22:15:35 +0000 (15:15 -0700)]
MAINTAINERS: update maintainer for S5P ARM ARCHITECTURES
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
Acked-by: Ben Dooks <ben-linux@fluff.org>
Acked-by: Russell King <rmk@arm.linux.org.uk>
Cc: Kyungmin Park <kmpark@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Petr Vandrovec [Thu, 30 Sep 2010 22:15:34 +0000 (15:15 -0700)]
MAINTAINERS: update matroxfb & ncpfs status
I moved couple years ago, so let's update my email and snail mail.
And I do not have any access to Matrox hardware anymore, and I'm quite
unresponsive to matroxfb bug reports (sorry Alan), so saying that I'm
maintainer is a bit far fetched.
For ncpfs I do not use ncpfs in my daily life either, but at least I can
test that one, so I can stay listed here for odd fixes.
Signed-off-by: Petr Vandrovec <petr@vandrovec.name>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jiri Olsa [Thu, 30 Sep 2010 22:15:33 +0000 (15:15 -0700)]
proc: make /proc/pid/limits world readable
Having the limits file world readable will ease the task of system
management on systems where root privileges might be restricted.
Having admin restricted with root priviledges, he/she could not check
other users process' limits.
Also it'd align with most of the /proc stat files.
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Cc: Eugene Teo <eugene@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Don Mullis [Thu, 30 Sep 2010 22:15:32 +0000 (15:15 -0700)]
lib/list_sort: do not pass bad pointers to cmp callback
If the original list is a POT in length, the first callback from line 73
will pass a==b both pointing to the original list_head. This is dangerous
because the 'list_sort()' user can use 'container_of()' and accesses the
"containing" object, which does not necessary exist for the list head. So
the user can access RAM which does not belong to him. If this is a write
access, we can end up with memory corruption.
Signed-off-by: Don Mullis <don.mullis@gmail.com>
Tested-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>