- Jul 30, 2009
-
-
Greg Kroah-Hartman authored
-
Ramon de Carvalho Valle authored
commit f151cd2c upstream. The parse_tag_3_packet function does not check if the tag 3 packet contains a encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES. Signed-off-by:
Ramon de Carvalho Valle <ramon@risesecurity.org> [tyhicks@linux.vnet.ibm.com: Added printk newline and changed goto to out_free] Signed-off-by:
Tyler Hicks <tyhicks@linux.vnet.ibm.com> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Tyler Hicks authored
commit 6352a293 upstream. Tag 11 packets are stored in the metadata section of an eCryptfs file to store the key signature(s) used to encrypt the file encryption key. After extracting the packet length field to determine the key signature length, a check is not performed to see if the length would exceed the key signature buffer size that was passed into parse_tag_11_packet(). Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer. Signed-off-by:
-
Paul Mundt authored
commit 35f2c2f6 upstream. With the "security: use mmap_min_addr indepedently of security models" change, mmap_min_addr is used in common areas, which susbsequently blows up the nommu build. This stubs in the definition in the nommu case as well. Signed-off-by:
Paul Mundt <lethal@linux-sh.org> Cc: Mike Frysinger <vapier.adi@gmail.com> Signed-off-by:
James Morris <jmorris@namei.org>
-
Tejun Heo authored
commit fe2c4d01 upstream. ata_eh_reset() was missing error return handling after follow-up SRST allowing EH to continue the normal probing path after reset failure. This was discovered while testing new WD 2TB drives which take longer than 10 secs to spin up and cause the first follow-up SRST to time out. Signed-off-by:
Tejun Heo <tj@kernel.org> Signed-off-by:
Jeff Garzik <jgarzik@redhat.com> Signed-off-by:
-
Giuseppe Mazzotta authored
commit e705cee4 upstream. This patch adds DMI information to automatically load the correct layout for the Maxdata Pro 7000X/DX notebook models. Such notebooks are clones of Fujitsu Amilo V2000, the hook for the v2000 is being used and I have tested that perfectly works. The immediate result of integrating this patch is that the five special buttons will work on these specific notebook models and that the RF killswitch will not be activated after suspend. This patch definitively obsoletes the fsam7400 module which I was still needing to enable wifi and to fix the RF killswitch suspend problem; in the current 2.6.30 kernel it is necessary to load the wistron_btns module with options 'force=1 keymap=1557/MS2141', which was not anyway a complete workaround. Signed-off-by:
Giuseppe Mazzotta <g.mazzotta@iragan.com> Signed-off-by:
Dmitry Torokhov <dtor@mail.ru> Signed-off-by:
-
Ben Hutchings authored
commit 635ecaa7 upstream netdev: restore MTU change operation alloc_etherdev() used to install a default implementation of this operation, but it must now be explicitly installed in struct net_device_ops. Signed-off-by:
Ben Hutchings <ben@decadent.org.uk> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Ben Hutchings authored
commit 240c102d upstream. alloc_etherdev() used to install default implementations of these operations, but they must now be explicitly installed in struct net_device_ops. Signed-off-by:
-
Eric Dumazet authored
commit 941297f4 upstream. When a slab cache uses SLAB_DESTROY_BY_RCU, we must be careful when allocating objects, since slab allocator could give a freed object still used by lockless readers. In particular, nf_conntrack RCU lookups rely on ct->tuplehash[xxx].hnnode.next being always valid (ie containing a valid 'nulls' value, or a valid pointer to next object in hash chain.) kmem_cache_zalloc() setups object with NULL values, but a NULL value is not valid for ct->tuplehash[xxx].hnnode.next. Fix is to call kmem_cache_alloc() and do the zeroing ourself. As spotted by Patrick, we also need to make sure lookup keys are committed to memory before setting refcount to 1, or a lockless reader could get a reference on the old version of the object. Its key re-check could then pass the barrier. Signed-off-by:
Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by:
Patrick McHardy <kaber@trash.net> Acked-by:
Paul E. McKenney <paulmck@linux.vnet.ibm.com> Signed-off-by:
-
Patrick McHardy authored
commit a3a9f79e upstream. When NAT helpers change the TCP packet size, the highest seen sequence number needs to be corrected. This is currently only done upwards, when the packet size is reduced the sequence number is unchanged. This causes TCP conntrack to falsely detect unacknowledged data and decrease the timeout. Fix by updating the highest seen sequence number in both directions after packet mangling. Tested-by:
Krzysztof Piotr Oledzki <ole@ans.pl> Signed-off-by:
-
Patrick McHardy authored
commit 4d900f9d upstream. As noticed by Trk Edwin <edwintorok@gmail.com>: Compiling the kernel with clang has shown this warning: net/netfilter/xt_rateest.c:69:16: warning: self-comparison always results in a constant value ret &= pps2 == pps2; ^ Looking at the code: if (info->flags & XT_RATEEST_MATCH_BPS) ret &= bps1 == bps2; if (info->flags & XT_RATEEST_MATCH_PPS) ret &= pps2 == pps2; Judging from the MATCH_BPS case it seems to be a typo, with the intention of comparing pps1 with pps2. http://bugzilla.kernel.org/show_bug.cgi?id=13535 Signed-off-by:
-
Jan Engelhardt authored
commit 6d62182f upstream. Commit v2.6.29-rc5-872-gacc738f ("xtables: avoid pointer to self") forgot to copy the initial quota value supplied by iptables into the private structure, thus counting from whatever was in the memory kmalloc returned. Signed-off-by:
Jan Engelhardt <jengelh@medozas.de> Signed-off-by:
-
Patrick McHardy authored
commit 24955619 upstream. Signed-off-by:
-
Patrick McHardy authored
commit 8d8890b7 upstream. The RCU protected conntrack hash lookup only checks whether the entry has a refcount of zero to decide whether it is stale. This is not sufficient, entries are explicitly removed while there is at least one reference left, possibly more. Explicitly check whether the entry has been marked as dying to fix this. Signed-off-by:
-
Patrick McHardy authored
commit 5c8ec910 upstream. New connection tracking entries are inserted into the hash before they are fully set up, namely the CONFIRMED bit is not set and the timer not started yet. This can theoretically lead to a race with timer, which would set the timeout value to a relative value, most likely already in the past. Perform hash insertion as the final step to fix this. Signed-off-by:
-
Patrick McHardy authored
commit 266d07cb upstream. Fix regression introduced by 17625274 "netfilter: sysctl support of logger choice": BUG: sleeping function called from invalid context at /mnt/s390test/linux-2.6-tip/arch/s390/include/asm/uaccess.h:234 in_atomic(): 1, irqs_disabled(): 0, pid: 3245, name: sysctl CPU: 1 Not tainted 2.6.30-rc8-tipjun10-02053-g39ae214 #1 Process sysctl (pid: 3245, task: 000000007f675da0, ksp: 000000007eb17cf0) 0000000000000000 000000007eb17be8 0000000000000002 0000000000000000 000000007eb17c88 000000007eb17c00 000000007eb17c00 0000000000048156 00000000003e2de8 000000007f676118 000000007eb17f10 0000000000000000 0000000000000000 000000007eb17be8 000000000000000d 000000007eb17c58 00000000003e2050 000000000001635c 000000007eb17be8 000000007eb17c30 Call Trace: (<00000000000162e6> show_trace+0x13a/0x148) <00000000000349ea> __might_sleep+0x13a/0x164 <0000000000050300> proc_dostring+0x134/0x22c <0000000000312b70> nf_log_proc_dostring+0xfc/0x188 <0000000000136f5e> proc_sys_call_handler+0xf6/0x118 <0000000000136fda> proc_sys_read+0x26/0x34 <00000000000d6e9c> vfs_read+0xac/0x158 <00000000000d703e> SyS_read+0x56/0x88 <0000000000027f42> sysc_noemu+0x10/0x16 Use the nf_log_mutex instead of RCU to fix this. Reported-and-tested-by:
Maran Pakkirisamy <maranpsamy@in.ibm.com> Signed-off-by:
-
Benjamin Herrenschmidt authored
commit 5a2642f6 upstream. Commit 31207dab "Fix incorrect allocation of interrupt rev-map" introduced a regression crashing on boot on machines using a "DCR" based MPIC, such as the Cell blades. The reason is that the irq host data structure is initialized much later as a result of that patch, causing our calls to mpic_map() do be done before we have a host setup. Unfortunately, this breaks _mpic_map_dcr() which uses the mpic->irqhost to get to the device node. This fixes it by, instead, passing the device node explicitely to mpic_map(). Signed-off-by:
Benjamin Herrenschmidt <benh@kernel.crashing.org> Acked-by:
Akira Tsukamoto <akirat@rd.scei.sony.co.jp> Signed-off-by:
-
Jiri Slaby authored
commit 025dc740 upstream. Add omitted update_lock to one switch/case in set_div. Signed-off-by:
Jiri Slaby <jirislaby@gmail.com> Acked-by:
Hans J. Koch <hjk@linutronix.de> Signed-off-by:
Jean Delvare <khali@linux-fr.org> Signed-off-by:
-
Amerigo Wang authored
commit e2dbe125 upstream. Check before use it. Signed-off-by:
WANG Cong <amwang@redhat.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: David Howells <dhowells@redhat.com> Acked-by:
Roland McGrath <roland@redhat.com> Acked-by:
-
Josef Bacik authored
commit c8236db9 upstream. In testing a backport of the write_begin/write_end AOPs, a 10% re-read regression was noticed when running iozone. This regression was introduced because the old AOPs would always do a mark_page_accessed(page) after the commit_write, but when the new AOPs where introduced, the only place this was kept was in pagecache_write_end(). This patch does the same thing in the generic case as what is done in pagecache_write_end(), which is just to mark the page accessed before we do write_end(). Signed-off-by:
Josef Bacik <jbacik@redhat.com> Acked-by:
Nick Piggin <npiggin@suse.de> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
Linus Torvalds authored
[ Upstream commit 7f818906 - modified for stable to not use the sloppy __VIRTUAL_MASK_SHIFT ] It's really not right to use 'access_ok()', since that is meant for the normal "get_user()" and "copy_from/to_user()" accesses, which are done through the TLB, rather than through the page tables. Why? access_ok() does both too few, and too many checks. Too many, because it is meant for regular kernel accesses that will not honor the 'user' bit in the page tables, and because it honors the USER_DS vs KERNEL_DS distinction that we shouldn't care about in GUP. And too few, because it doesn't do the 'canonical' check on the address on x86-64, since the TLB will do that for us. So instead of using a function that isn't meant for this, and does something else and much more complicated, just do the real rules: we don't want the range to overflow, and on x86-64, we want it to be a canonical low address (on 32-bit, all addresses are canonical). Acked-by:
Ingo Molnar <mingo@elte.hu> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by:
-
Mel Gorman authored
commit fa5e084e upstream. vmscan: do not unconditionally treat zones that fail zone_reclaim() as full On NUMA machines, the administrator can configure zone_reclaim_mode that is a more targetted form of direct reclaim. On machines with large NUMA distances for example, a zone_reclaim_mode defaults to 1 meaning that clean unmapped pages will be reclaimed if the zone watermarks are not being met. The problem is that zone_reclaim() failing at all means the zone gets marked full. This can cause situations where a zone is usable, but is being skipped because it has been considered full. Take a situation where a large tmpfs mount is occuping a large percentage of memory overall. The pages do not get cleaned or reclaimed by zone_reclaim(), but the zone gets marked full and the zonelist cache considers them not worth trying in the future. This patch makes zone_reclaim() return more fine-grained information about what occured when zone_reclaim() failued. The zone only gets marked full if it really is unreclaimable. If it's a case that the scan did not occur or if enough pages were not reclaimed with the limited reclaim_mode, then the zone is simply skipped. There is a side-effect to this patch. Currently, if zone_reclaim() successfully reclaimed SWAP_CLUSTER_MAX, an allocation attempt would go ahead. With this patch applied, zone watermarks are rechecked after zone_reclaim() does some work. This bug was introduced by commit 9276b1bc ("memory page_alloc zonelist caching speedup") way back in 2.6.19 when the zonelist_cache was introduced. It was not intended that zone_reclaim() aggressively consider the zone to be full when it failed as full direct reclaim can still be an option. Due to the age of the bug, it should be considered a -stable candidate. Signed-off-by:
Mel Gorman <mel@csn.ul.ie> Reviewed-by:
Wu Fengguang <fengguang.wu@intel.com> Reviewed-by:
Rik van Riel <riel@redhat.com> Reviewed-by:
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Cc: Christoph Lameter <cl@linux-foundation.org> Signed-off-by:
-
Jorrit Schippers authored
commit 8dfb0057 upstream. Add the USB id 0x0DF6,0x003F to the rt2870.h file such that the Sitecom WL-608 device will be recognized by this driver. Signed-off-by:
Jorrit Schippers <jorrit@ncode.nl> Signed-off-by:
-
Marc Aurele La France authored
Note: this is not in upstream since upstream is not affected due to the new "BIOS glovebox" subsystem. As coded, most INT10 calls in video-vga.c allow the compiler to assume EAX remains unchanged across them, which is not always the case. This triggers an optimisation issue that causes vga_set_vertical_end() to be called with an incorrect number of scanlines. Fix this by beefing up the asm constraints on these calls. Reported-by:Marc Aurele La France <tsi@xfree86.org> Signed-off-by:
H. Peter Anvin <hpa@zytor.com> Signed-off-by:
-
Helge Deller authored
commit 7d17e276 upstream. There are two reasons to expose the memory *a in the asm: 1) To prevent the compiler from discarding a preceeding write to *a, and 2) to prevent it from caching *a in a register over the asm. The change has had a few days testing with a SMP build of 2.6.22.19 running on a rp3440. This patch is about the correctness of the __ldcw() macro itself. The use of the macro should be confined to small inline functions to try to limit the effect of clobbering memory on GCC's optimization of loads and stores. Signed-off-by:
Dave Anglin <dave.anglin@nrc-cnrc.gc.ca> Signed-off-by:
Helge Deller <deller@gmx.de> Signed-off-by:
Kyle McMartin <kyle@mcmartin.ca> Signed-off-by:
-
Helge Deller authored
commit e82a3b75 upstream. The TLB flushing functions on hppa, which causes PxTLB broadcasts on the system bus, needs to be protected by irq-safe spinlocks to avoid irq handlers to deadlock the kernel. The deadlocks only happened during I/O intensive loads and triggered pretty seldom, which is why this bug went so long unnoticed. Signed-off-by:
-
Andi Kleen authored
commit 429b2b31 upstream. Need to clear both nodes and nodes_add state for start/end. Signed-off-by:
Andi Kleen <ak@linux.intel.com> LKML-Reference: <20090718065657.GA2898@basil.fritz.box> Signed-off-by:
-
Oleksij Rempel authored
commit 6aa542a6 upstream. AMI BIOS with low memory corruption was found on Intel DG45ID board (Bug 13710). Add this board to the blacklist - in the (somewhat optimistic) hope of future boards/BIOSes from Intel not having this bug. Also see: http://bugzilla.kernel.org/show_bug.cgi?id=13736 Signed-off-by:
Alexey Fisher <bug-track@fisher-privat.net> Cc: ykzhao <yakui.zhao@intel.com> Cc: alan@lxorguk.ukuu.org.uk Cc: <stable@kernel.org> LKML-Reference: <1247660169-4503-1-git-send-email-bug-track@fisher-privat.net> Signed-off-by:
-
H. Peter Anvin authored
commit ebe119cd upstream. The movq instruction, generated by __put_user_asm() when used for 64-bit data, takes a sign-extended immediate ("e") not a zero-extended immediate ("Z"). Signed-off-by:
-
Uros Bizjak authored
commit 155b7352 upstream. arch/x86/include/asm/uaccess_64.h uses wrong asm operand constraint ("ir") for movq insn. Since movq sign-extends its immediate operand, "er" constraint should be used instead. Attached patch changes all uses of __put_user_asm in uaccess_64.h to use "er" when "q" insn suffix is involved. Patch was compile tested on x86_64 with defconfig. Signed-off-by:
Uros Bizjak <ubizjak@gmail.com> Signed-off-by:
-
Thomas Gleixner authored
commit d6c585a4 upstream. Timer interrupts are excluded from being disabled during suspend. The clock events code manages the disabling of clock events on its own because the timer interrupt needs to be functional before the resume code reenables the device interrupts. The mfgpt timer request its interrupt without setting the IRQF_TIMER flag so suspend_device_irqs() disables it as well which results in a fatal resume failure. Adding IRQF_TIMER to the interupt flags when requesting the mrgpt timer interrupt solves the problem. Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> LKML-Reference: <new-submission> Cc: Andres Salomon <dilinger@debian.org> Signed-off-by:
-
Mikulas Patocka authored
commit 69885683 upstream. The recent commit 7513c2a7 (dm raid1: add is_remote_recovering hook for clusters) changed do_writes() to update the ms->writes list but forgot to wake up kmirrord to process it. The rule is that when anything is being added on ms->reads, ms->writes or ms->failures and the list was empty before we must call wakeup_mirrord (for immediate processing) or delayed_wake (for delayed processing). Otherwise the bios could sit on the list indefinitely. Signed-off-by:
Mikulas Patocka <mpatocka@redhat.com> Signed-off-by:
Alasdair G Kergon <agk@redhat.com> Signed-off-by:
-
Thomas Gleixner authored
commit 6301cb95 upstream. commit e3c8ca83 (sched: do not count frozen tasks toward load) broke the nr_uninterruptible accounting on freeze/thaw. On freeze the task is excluded from accounting with a check for (task->flags & PF_FROZEN), but that flag is cleared before the task is thawed. So while we prevent that the task with state TASK_UNINTERRUPTIBLE is accounted to nr_uninterruptible on freeze we decrement nr_uninterruptible on thaw. Use a separate flag which is handled by the freezing task itself. Set it before calling the scheduler with TASK_UNINTERRUPTIBLE state and clear it after we return from frozen state. Signed-off-by:
-
Yinghai Lu authored
commit 857fdc53 upstream. Stephen reported that his DL585 G2 needed noapic after 2.6.22 (?) Dann bisected it down to: commit 30a18d6c Date: Tue Feb 19 03:21:20 2008 -0800 x86: multi pci root bus with different io resource range, on 64-bit It turns out that: 1. that AMD-based systems have two HT chains. 2. BIOS doesn't allocate resources for BAR 6 of devices under 8132 etc 3. that multi-peer-root patch will try to split root resources to peer root resources according to PCI conf of NB 4. PCI core assigns unassigned resources, but they overlap with BARs that are used by ioapic addr of io4 and 8132. The reason: at that point ioapic address are not inserted yet. Solution is to insert ioapic resources into the tree a bit earlier. Reported-by:
Stephen Frost <sfrost@snowman.net> Reported-and-Tested-by:
dann frazier <dannf@hp.com> Signed-off-by:
Yinghai Lu <yinghai@kernel.org> Signed-off-by:
Jesse Barnes <jbarnes@virtuousgeek.org> Signed-off-by:
-
Xiao Guangrong authored
commit 04aef32d upstream. ftrace_trace_onoff_callback() will return an error even if we do the right operation, for example: # echo _spin_*:traceon:10 > set_ftrace_filter -bash: echo: write error: Invalid argument # cat set_ftrace_filter #### all functions enabled #### _spin_trylock_bh:traceon:count=10 _spin_unlock_irq:traceon:count=10 _spin_unlock_bh:traceon:count=10 _spin_lock_irq:traceon:count=10 _spin_unlock:traceon:count=10 _spin_trylock:traceon:count=10 _spin_unlock_irqrestore:traceon:count=10 _spin_lock_irqsave:traceon:count=10 _spin_lock_bh:traceon:count=10 _spin_lock:traceon:count=10 We want to set _spin_*:traceon:10 to set_ftrace_filter, it complains with "Invalid argument", but the operation is successful. This is because ftrace_process_regex() returns the number of functions that matched the pattern. If the number is not 0, this value is returned by ftrace_regex_write() whereas we want to return the number of bytes virtually written. Also the file offset pointer is not updated in this case. If the number of matched functions is lower than the number of bytes written by the user, this results to a reprocessing of the string given by the user with a lower size, leading to a malformed ftrace regex and then a -EINVAL returned. So, this patch fixes it by returning 0 if no error occured. The fix also applies on 2.6.30 Signed-off-by:
Xiao Guangrong <xiaoguangrong@cn.fujitsu.com> Reviewed-by:
Li Zefan <lizf@cn.fujitsu.com> Signed-off-by:
Frederic Weisbecker <fweisbec@gmail.com> Signed-off-by:
-
Peter Zijlstra authored
commit a1ba4d8b upstream. Fixes an easily triggerable BUG() when setting process affinities. Make sure to count the number of migratable tasks in the same place: the root rt_rq. Otherwise the number doesn't make sense and we'll hit the BUG in set_cpus_allowed_rt(). Also, make sure we only count tasks, not groups (this is probably already taken care of by the fact that rt_se->nr_cpus_allowed will be 0 for groups, but be more explicit) Tested-by:
Peter Zijlstra <a.p.zijlstra@chello.nl> Acked-by:
Gregory Haskins <ghaskins@novell.com> LKML-Reference: <1247067476.9777.57.camel@twins> Signed-off-by:
-
Jiro SEKIBA authored
commit d9a0a345 upstream. This fixes a bug that checkpoint count gets wrong on errors when deleting a series of checkpoints. The count error is persistent since the checkpoint count is stored on disk. Some userland programs refer to the count via ioctl, and this bugfix is needed to prevent malfunction of such programs. Signed-off-by:
Jiro SEKIBA <jir@unicus.jp> Signed-off-by:
Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> Signed-off-by:
-
Ryusuke Konishi authored
commit 4a52df77 upstream. In case of write-failure retries, the following KERN_CRIT level messages are mistakenly output by nilfs_dat_commit_start() function: nilfs_dat_commit_start: vbn = 408463, start = 12506, end = 18446744073709551615, pbn = 530210 nilfs_dat_commit_start: vbn = 408515, start = 12506, end = 18446744073709551615, pbn = 530211 nilfs_dat_commit_start: vbn = 408464, start = 12506, end = 18446744073709551615, pbn = 530212 ... This suppresses these messages. Signed-off-by:
-
Ryusuke Konishi authored
commit 8227b297 upstream. Leandro Lucarella gave me a report that nilfs gets stuck after its write function fails. The problem turned out to be caused by bugs which leave writeback flag on pages. This fixes the problem by ensuring to clear the writeback flag in error path. Reported-by:
Leandro Lucarella <llucax@gmail.com> Signed-off-by:
-
Ryusuke Konishi authored
commit 0cfae3d8 upstream. The following error code handling in nilfs_segctor_write() function wrongly converted negative error codes to a truth value (i.e. 1): err = unlikely(err) ? : res; which originaly meant to be err = err ? : res; This mis-conversion caused that write or sync functions receive the unexpected error code. This fixes the bug by removing the unlikely directive. Signed-off-by:
-
