Linda Knippers [Wed, 17 May 2006 02:03:48 +0000 (22:03 -0400)]
[PATCH] update of IPC audit record cleanup
The following patch addresses most of the issues with the IPC_SET_PERM
records as described in:
https://www.redhat.com/archives/linux-audit/2006-May/msg00010.html
and addresses the comments I received on the record field names.
To summarize, I made the following changes:
1. Changed sys_msgctl() and semctl_down() so that an IPC_SET_PERM
record is emitted in the failure case as well as the success case.
This matches the behavior in sys_shmctl(). I could simplify the
code in sys_msgctl() and semctl_down() slightly but it would mean
that in some error cases we could get an IPC_SET_PERM record
without an IPC record and that seemed odd.
2. No change to the IPC record type, given no feedback on the backward
compatibility question.
3. Removed the qbytes field from the IPC record. It wasn't being
set and when audit_ipc_obj() is called from ipcperms(), the
information isn't available. If we want the information in the IPC
record, more extensive changes will be necessary. Since it only
applies to message queues and it isn't really permission related, it
doesn't seem worth it.
4. Removed the obj field from the IPC_SET_PERM record. This means that
the kern_ipc_perm argument is no longer needed.
5. Removed the spaces and renamed the IPC_SET_PERM field names. Replaced iuid and
igid fields with ouid and ogid in the IPC record.
I tested this with the lspp.22 kernel on an x86_64 box. I believe it
applies cleanly on the latest kernel.
-- ljk
Signed-off-by: Linda Knippers <linda.knippers@hp.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Just a few minor proposed updates. Only the last one will
actually affect behavior. The rest are just misleading
code.
Several AUDIT_SET functions return 'old' value, but only
return value <0 is checked for. So just return 0.
propagate audit_set_rate_limit and audit_set_backlog_limit
error values
In audit_buffer_free, the audit_freelist_count was being
incremented even when we discard the return buffer, so
audit_freelist_count can end up wrong. This could cause
the actual freelist to shrink over time, eventually
threatening to degrate audit performance.
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 22 May 2006 05:09:24 +0000 (01:09 -0400)]
[PATCH] fix deadlocks in AUDIT_LIST/AUDIT_LIST_RULES
We should not send a pile of replies while holding audit_netlink_mutex
since we hold the same mutex when we receive commands. As the result,
we can get blocked while sending and sit there holding the mutex while
auditctl is unable to send the next command and get around to receiving
what we'd sent.
Solution: create skb and put them into a queue instead of sending;
once we are done, send what we've got on the list. The former can
be done synchronously while we are handling AUDIT_LIST or AUDIT_LIST_RULES;
we are holding audit_netlink_mutex at that point. The latter is done
asynchronously and without messing with audit_netlink_mutex.
Update kernel documentation to include a description of the inotify
kernel API.
Signed-off-by: Amy Griffis <amy.griffis@hp.com> Acked-by: Robert Love <rml@novell.com> Acked-by: John McCutchan <john@johnmccutchan.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Amy Griffis [Thu, 1 Jun 2006 20:11:05 +0000 (13:11 -0700)]
[PATCH] inotify (4/5): allow watch removal from event handler
Allow callers to remove watches from their event handler via
inotify_remove_watch_locked(). This functionality can be used to
achieve IN_ONESHOT-like functionality for a subset of events in the
mask.
Signed-off-by: Amy Griffis <amy.griffis@hp.com> Acked-by: Robert Love <rml@novell.com> Acked-by: John McCutchan <john@johnmccutchan.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Amy Griffis [Thu, 1 Jun 2006 20:11:03 +0000 (13:11 -0700)]
[PATCH] inotify (3/5): add interfaces to kernel API
Add inotify_init_watch() so caller can use inotify_watch refcounts
before calling inotify_add_watch().
Add inotify_find_watch() to find an existing watch for an (ih,inode)
pair. This is similar to inotify_find_update_watch(), but does not
update the watch's mask if one is found.
Add inotify_rm_watch() to remove a watch via the watch pointer instead
of the watch descriptor.
Signed-off-by: Amy Griffis <amy.griffis@hp.com> Acked-by: Robert Love <rml@novell.com> Acked-by: John McCutchan <john@johnmccutchan.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Amy Griffis [Thu, 1 Jun 2006 20:11:01 +0000 (13:11 -0700)]
[PATCH] inotify (2/5): add name's inode to event handler
When an inotify event includes a dentry name, also include the inode
associated with that name.
Signed-off-by: Amy Griffis <amy.griffis@hp.com> Acked-by: Robert Love <rml@novell.com> Acked-by: John McCutchan <john@johnmccutchan.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Amy Griffis [Thu, 1 Jun 2006 20:10:59 +0000 (13:10 -0700)]
[PATCH] inotify (1/5): split kernel API from userspace support
The following series of patches introduces a kernel API for inotify,
making it possible for kernel modules to benefit from inotify's
mechanism for watching inodes. With these patches, inotify will
maintain for each caller a list of watches (via an embedded struct
inotify_watch), where each inotify_watch is associated with a
corresponding struct inode. The caller registers an event handler and
specifies for which filesystem events their event handler should be
called per inotify_watch.
Signed-off-by: Amy Griffis <amy.griffis@hp.com> Acked-by: Robert Love <rml@novell.com> Acked-by: John McCutchan <john@johnmccutchan.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Arnd Bergmann [Thu, 15 Jun 2006 11:15:44 +0000 (21:15 +1000)]
[PATCH] powerpc: Fix 64k pages on non-partitioned machines
The page size encoding passed to tlbie is incorrect for new-style
large pages. This fixes it. This doesn't affect anything on older
machines because mmu_psize_defs[psize].penc (the page size encoding)
is 0 for 4k and 16M pages (the two are distinguished by a separate "is
a large page" bit).
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com> Signed-off-by: Paul Mackerras <paulus@samba.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Oleg Nesterov [Thu, 15 Jun 2006 16:12:02 +0000 (20:12 +0400)]
[PATCH] arm_timer: remove a racy and obsolete PF_EXITING check
arm_timer() checks PF_EXITING to prevent BUG_ON(->exit_state)
in run_posix_cpu_timers().
However, for some reason it does so only for CPUCLOCK_PERTHREAD
case (which is imho wrong).
Also, this check is not reliable, PF_EXITING could be set on
another cpu without any locks/barriers just after the check,
so it can't prevent from attaching the timer to the exiting
task.
Oleg Nesterov [Thu, 15 Jun 2006 16:11:43 +0000 (20:11 +0400)]
[PATCH] run_posix_cpu_timers: remove a bogus BUG_ON()
do_exit() clears ->it_##clock##_expires, but nothing prevents
another cpu to attach the timer to exiting process after that.
arm_timer() tries to protect against this race, but the check
is racy.
After exit_notify() does 'write_unlock_irq(&tasklist_lock)' and
before do_exit() calls 'schedule() local timer interrupt can find
tsk->exit_state != 0. If that state was EXIT_DEAD (or another cpu
does sys_wait4) interrupted task has ->signal == NULL.
At this moment exiting task has no pending cpu timers, they were
cleanuped in __exit_signal()->posix_cpu_timers_exit{,_group}(),
so we can just return from irq.
Oleg Nesterov [Thu, 15 Jun 2006 16:11:15 +0000 (20:11 +0400)]
[PATCH] check_process_timers: fix possible lockup
If the local timer interrupt happens just after do_exit() sets PF_EXITING
(and before it clears ->it_xxx_expires) run_posix_cpu_timers() will call
check_process_timers() with tasklist_lock + ->siglock held and
check_process_timers:
t = tsk;
do {
....
do {
t = next_thread(t);
} while (unlikely(t->flags & PF_EXITING));
} while (t != tsk);
the outer loop will never stop.
Actually, the window is bigger. Another process can attach the timer
after ->it_xxx_expires was cleared (see the next commit) and the 'if
(PF_EXITING)' check in arm_timer() is racy (see the one after that).
A couple of fixes that should prevent crashes when using netconsole and
suspend/resume. First, netconsole poll routine shouldn't run unless the
device is up; second, the NAPI poll should be disabled during suspend.
This is only an issue on sky2, because it has to have one NAPI poll
routine for both ports on dual port boards. Normal drivers use
netif_rx_schedule_prep and that checks for netif_running.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Jens Axboe [Fri, 16 Jun 2006 11:02:29 +0000 (13:02 +0200)]
[PATCH] Fix missing ret assignment in __bio_map_user() error path
If get_user_pages() returns less pages than what we asked for, we jump
to out_unmap which will return ERR_PTR(ret). But ret can contain a
positive number just smaller than local_nr_pages, so be sure to set it
to -EFAULT always.
Problem found and diagnosed by Damien Le Moal <damien@sdl.hitachi.co.jp>
Jens Axboe [Fri, 16 Jun 2006 05:46:37 +0000 (07:46 +0200)]
[PATCH] fix cdrom open
Some time ago the cdrom open routine was changed so that we call the
driver's open routine before checking to see if it is read only. However,
if we discovered that a read write open was not possible and the open
flags required a writable open, we just returned -EROFS without calling
the driver's release routine. This seems to work for most cdrom drivers,
but breaks the Powerpc iSeries virtual cdrom rather badly.
This just inserts the release call in the error path to balance the call
to "->open()" done by "open_for_data()".
Jens Axboe [Wed, 14 Jun 2006 17:11:57 +0000 (19:11 +0200)]
[PATCH] cfq-iosched: fix crash in do_div()
We don't clear the seek stat values in cfq_alloc_io_context(), and if
->seek_mean is unlucky enough to be set to -36 by chance, the first
invocation of cfq_update_io_seektime() will oops with a divide by zero
in do_div().
Just memset the entire cic instead of filling invididual values
independently.
[PATCH] sky2: stop/start hardware idle timer on suspend/resume
The resume bug was caused not by an early interrupt but because the idle
timeout was not being stopped on suspend. Also disable hardware IRQ's
on suspend. Will need to revisit this with hotplug?
Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
The set power state function is cleaner if it doesn't return anything.
The only caller that could fail is in suspend() and it can check the argument
there.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Randy Dunlap [Mon, 12 Jun 2006 22:13:40 +0000 (15:13 -0700)]
[PATCH] alpha: generic hweight build fix
From: Randy Dunlap <rdunlap@xenotime.net>
According to include/asm-alpha/bitops.h, only ALPHA_EV67 has hardware
hweight support, so ALPHA_EV6 needs to use GENERIC_HWEIGHT.
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> Cc: Richard Henderson <rth@twiddle.net> Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru> Cc: Ernst Herzberg <earny@net4u.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Sergey Vlasov [Mon, 12 Jun 2006 20:53:23 +0000 (21:53 +0100)]
[PATCH] tmpfs: Decrement i_nlink correctly in shmem_rmdir()
shmem_rmdir() must undo the increment of i_nlink done in
shmem_get_inode() for directories, otherwise at least
IN_DELETE_SELF inotify event generation is broken.
Robin H. Johnson [Mon, 12 Jun 2006 20:50:25 +0000 (21:50 +0100)]
[PATCH] tmpfs: time granularity fix for [acm]time going backwards
I noticed a strange behavior in a tmpfs file system the other day, while
building packages - occasionally, and seemingly at random, make decided to
rebuild a target. However, only on tmpfs.
A file would be created, and if checked, it had a sub-second timestamp.
However, after an utimes related call where sub-seconds should be set, they
were zeroed instead. In the case that a file was created, and utimes(...,NULL)
was used on it in the same second, the timestamp on the file moved backwards.
After some digging, I found that this was being caused by tmpfs not having a
time granularity set, thus inheriting the default 1 second granularity.
Hugh adds: yes, we missed tmpfs when the s_time_gran mods went into 2.6.11.
Unfortunately, the granularity of CURRENT_TIME, often used in filesystems,
does not match the default granularity set by alloc_super. A few more such
discrepancies have been found, but this is the most important to fix now.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org> Acked-by: Andi Kleen <ak@suse.de> Signed-off-by: Hugh Dickins <hugh@veritas.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Linus Torvalds [Mon, 12 Jun 2006 19:53:27 +0000 (12:53 -0700)]
[sky2] Fix sky2 network driver suspend/resume
This fixes two independent problems: it would not save the PCI state on
suspend (and thus try to resume a nonexistent state on resume), and
while shut off, if an interrupt happened on the same shared irq, the irq
handler would react very badly to the interrupt status being an invalid
all-ones state.
Acked-by: Jeff Garzik <jgarzik@pobox.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Aki M Nyrhinen [Mon, 12 Jun 2006 04:18:56 +0000 (21:18 -0700)]
[TCP]: continued: reno sacked_out count fix
From: Aki M Nyrhinen <anyrhine@cs.helsinki.fi>
IMHO the current fix to the problem (in_flight underflow in reno)
is incorrect. it treats the symptons but ignores the problem. the
problem is timing out packets other than the head packet when we
don't have sack. i try to explain (sorry if explaining the obvious).
with sack, scanning the retransmit queue for timed out packets is
fine because we know which packets in our retransmit queue have been
acked by the receiver.
without sack, we know only how many packets in our retransmit queue the
receiver has acknowledged, but no idea which packets.
think of a "typical" slow-start overshoot case, where for example
every third packet in a window get lost because a router buffer gets
full.
with sack, we check for timeouts on those every third packet (as the
rest have been sacked). the packet counting works out and if there
is no reordering, we'll retransmit exactly the packets that were
lost.
without sack, however, we check for timeout on every packet and end up
retransmitting consecutive packets in the retransmit queue. in our
slow-start example, 2/3 of those retransmissions are unnecessary. these
unnecessary retransmissions eat the congestion window and evetually
prevent fast recovery from continuing, if enough packets were lost.
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrea Bittau [Mon, 12 Jun 2006 03:58:33 +0000 (20:58 -0700)]
[DCCP] Ackvec: fix soft lockup in ackvec handling code
A soft lockup existed in the handling of ack vector records.
Specifically, when a tail of the list of ack vector records was
removed, it was possible to end up iterating infinitely on an element
of the tail.
Signed-off-by: Andrea Bittau <a.bittau@cs.ucl.ac.uk> Signed-off-by: Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by: David S. Miller <davem@davemloft.net>
Paul Mackerras [Mon, 12 Jun 2006 02:16:26 +0000 (12:16 +1000)]
[PATCH] Fix for the PPTP hangs that have been reported
People have been reporting that PPP connections over ptys, such as
used with PPTP, will hang randomly when transferring large amounts of
data, for instance in http://bugzilla.kernel.org/show_bug.cgi?id=6530.
I have managed to reproduce the problem, and the patch below fixes the
actual cause.
The problem is not in fact in ppp_async.c but in n_tty.c. What
happens is that when pptp reads from the pty, we call read_chan() in
drivers/char/n_tty.c on the master side of the pty. That copies all
the characters out of its buffer to userspace and then calls
check_unthrottle(), which calls the pty unthrottle routine, which
calls tty_wakeup on the slave side, which calls ppp_asynctty_wakeup,
which calls tasklet_schedule. So far so good. Since we are in
process context, the tasklet runs immediately and calls
ppp_async_process(), which calls ppp_async_push, which calls the
tty->driver->write function to send some more output.
However, tty->driver->write() returns zero, because the master
tty->receive_room is still zero. We haven't returned from
check_unthrottle() yet, and read_chan() only updates tty->receive_room
_after_ calling check_unthrottle. That means that the driver->write
call in ppp_async_process() returns 0. That would be fine if we were
going to get a subsequent wakeup call, but we aren't (we just had it,
and the buffer is now empty).
The solution is for n_tty.c to update tty->receive_room _before_
calling the driver unthrottle routine. The patch below does this.
With this patch I was able to transfer a 900MB file over a PPTP
connection (taking about 25 minutes), whereas without the patch the
connection would always stall in under a minute.
Signed-off-by: Paul Mackerras <paulus@samba.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Bug fix: mv_eng_timeout() calls mv_err_intr() without first grabbing the host lock,
which can lead to all sorts of interesting scenarios.
This whole error-handling portion of sata_mv is nasty (and will get fixed for
the new EH stuff), but for now this patch will help keep it on life-support.
Signed-off-by: Mark Lord <liml@rtr.ca> Signed-off-by: Jeff Garzik <jeff@garzik.org>
Dave Jones [Wed, 19 Apr 2006 04:06:51 +0000 (21:06 -0700)]
[PATCH] PCI: Improve PCI config space writeback
At least one laptop blew up on resume from suspend with a black screen due
to a lack of this patch. By only writing back config space that is
different, we minimise the possibility of accidents like this.
Signed-off-by: Dave Jones <davej@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jean Delvare [Tue, 18 Apr 2006 12:49:56 +0000 (14:49 +0200)]
[PATCH] PCI: Error handling on PCI device resume
We currently don't handle errors properly when resuming a PCI device:
* In pci_default_resume() we capture the error code returned by
pci_enable_device() but don't pass it up to the caller.
Introduced by commit 95a629657dbe28e44a312c47815b3dc3f1ce0970
* In pci_resume_device(), the errors possibly returned by the driver's
.resume method or by the generic pci_default_resume() function are
ignored.
This patch fixes both issues.
Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Krzysztof Helt [Sun, 11 Jun 2006 05:03:43 +0000 (22:03 -0700)]
[SPARC]: Migration cost tune up in sparc smp.
This patch sets the max_cache_size value required to tune up
scheduler in SMP systems. Otherwise, the calculated
migration_cost is too high and task scheduling may lock up.
Signed-off-by: Krzysztof Helt <krzysztof.h1@wp.pl> Signed-off-by: David S. Miller <davem@davemloft.net>
* master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6:
[SPARC64]: Avoid JBUS errors on some Niagara systems.
[FUSION]: Fix mptspi.c build with CONFIG_PM not set.
[TG3]: Handle Sun onboard tg3 chips more correctly.
[SPARC64]: Dump local cpu registers in sun4v_log_error()
Milton Miller [Sat, 10 Jun 2006 16:54:16 +0000 (09:54 -0700)]
[PATCH] powerpc: console_initcall ordering issues
From: Milton Miller <miltonm@bga.com>
The add_preferred_console call in rtas_console.c was not causing the
console to be selected. It turns out that the add_preferred_console was
being called after the hvc_console driver was registered. It only works
when it is called before the console driver is registered.
Reorder hvc_console.o after the hvc_console drivers to allow the selection
during console_initcall processing.
Signed-off-by: Milton Miller <miltonm@bga.com> Signed-off-by: Anton Blanchard <anton@samba.org> Cc: Paul Mackerras <paulus@samba.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
David Howells [Sat, 10 Jun 2006 16:54:12 +0000 (09:54 -0700)]
[PATCH] Further alterations for memory barrier document
From: David Howells <dhowells@redhat.com>
Apply some alterations to the memory barrier document that I worked out
with Paul McKenney of IBM, plus some of the alterations suggested by Alan
Stern.
The following changes were made:
(*) One of the examples given for what can happen with overlapping memory
barriers was wrong.
(*) The description of general memory barriers said that a general barrier is
a combination of a read barrier and a write barrier. This isn't entirely
true: it implies both, but is more than a combination of both.
(*) The first example in the "SMP Barrier Pairing" section was wrong: the
loads around the read barrier need to touch the memory locations in the
opposite order to the stores around the write barrier.
(*) Added a note to make explicit that the loads should be in reverse order to
the stores.
(*) Adjusted the diagrams in the "Examples Of Memory Barrier Sequences"
section to make them clearer. Added a couple of diagrams to make it more
clear as to how it could go wrong without the barrier.
(*) Added a section on memory speculation.
(*) Dropped any references to memory allocation routines doing memory
barriers. They may do sometimes, but it can't be relied on. This may be
worthy of further documentation later.
(*) Made the fact that a LOCK followed by an UNLOCK should not be considered a
full memory barrier more explicit and gave an example.
Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Paul E. McKenney <paulmck@us.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Russell King [Sat, 10 Jun 2006 11:42:12 +0000 (12:42 +0100)]
[ARM] Fix Integrator and Versatile interrupt initialisation
Both Integrator and Versatile were using set_irq_handler() and
enable_irq(), and working around the initialisation of the
chained interrupt, instead of the more correct
set_irq_chained_handler() function. Fix Integrator and
Versatile to use the right function, and remove these work-arounds.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
David S. Miller [Sat, 10 Jun 2006 08:06:25 +0000 (01:06 -0700)]
[SPARC64]: Avoid JBUS errors on some Niagara systems.
Doing PCI config space accesses to non-present PCI slots
can result in fatal JBUS errors if the PCI config access
hypervisor call is performed on cpus other than the boot
cpu.
PCI config space accesses to present PCI slots works just
fine.
Recursively traverse the OBP device tree under the PCI
controller node and record all present device IDs into
a small hash table.
Avoid the hypervisor call for any PCI config space access
attempt for a device not recorded in the hash table.
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 9 Jun 2006 18:58:36 +0000 (11:58 -0700)]
[TG3]: Handle Sun onboard tg3 chips more correctly.
Get rid of all the SUN_570X logic and instead:
1) Make sure MEMARB_ENABLE is set when we probe the SRAM
for config information. If that is off we will get
timeouts.
2) Always try to sync with the firmware, if there is no
firmware running do not treat it as an error and instead
just report it the first time we notice this condition.
3) If there is no valid SRAM signature, assume the device
is onboard by setting TG3_FLAG_EEPROM_WRITE_PROT.
Update driver version and release date.
With help from Michael Chan and Fabio Massimo Di Nitto.
Signed-off-by: David S. Miller <davem@davemloft.net>
Arnd Bergmann [Wed, 7 Jun 2006 02:04:18 +0000 (12:04 +1000)]
[PATCH] powerpc: Fix cell blade detection
The IBM Cell blade firmware might confuse the kernel to think it's a
pSeries machine. This fixes it for now. With a bit of luck, the firmware
will be updated to avoid that in the future but currently that patch is
needed.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Paul Mackerras <paulus@samba.org>
[PATCH] powerpc: Fix call to ibm,client-architecture-support
The code in prom_init.c calling the firmware
ibm,client-architecture-support method on pSeries has a bug where it
fails to properly pass the instance handle of the firmware object when
trying to call a method. Result ranges from the call doing nothing to
the firmware crashing. (Found by Segher, thanks !)
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Segher Boessenkool <segher@kernel.crashing.org> Signed-off-by: Paul Mackerras <paulus@samba.org>
Paul Mackerras [Fri, 9 Jun 2006 03:02:59 +0000 (13:02 +1000)]
powerpc: Fix machine check problem on 32-bit kernels
This fixes a bug found by Dave Jones that means that it is possible
for userspace to provoke a machine check on 32-bit kernels. This
also fixes a couple of other places where I found similar problems
by inspection.
__futex_atomic_op needs to do an atomic operation in the user address space,
not the kernel address space. Add the missing sacf 256/sacf 0 to switch to
the secondary mode before doing the compare-and-swap. In addition add
another fixup for catch specification exceptions if the compare-and-swap
address is not aligned.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Jens Axboe [Thu, 8 Jun 2006 08:26:39 +0000 (10:26 +0200)]
[PATCH] debugfs inode leak
Looking at the reiser4 crash, I found a leak in debugfs. In
debugfs_mknod(), we create the inode before checking if the dentry
already has one attached. We don't free it if that is the case.
These bugs happen quite often, I'm starting to think we should disallow
such coding in CodingStyle.
Jens Axboe [Thu, 8 Jun 2006 06:49:06 +0000 (08:49 +0200)]
[PATCH] elevator switching race
There's a race between shutting down one io scheduler and firing up the
next, in which a new io could enter and cause the io scheduler to be
invoked with bad or NULL data.
To fix this, we need to maintain the queue lock for a bit longer.
Unfortunately we cannot do that, since the elevator init requires to be
run without the lock held. This isn't easily fixable, without also
changing the mempool API. So split the initialization into two parts,
and alloc-init operation and an attach operation. Then we can
preallocate the io scheduler and related structures, and run the attach
inside the lock after we detach the old one.
This patch has survived 30 minutes of 1 second io scheduler switching
with a very busy io load.
Malcom Parsons [Thu, 8 Jun 2006 07:43:42 +0000 (00:43 -0700)]
[PATCH] fbcon: fix limited scroll in SCROLL_PAN_REDRAW mode
From: Malcom Parsons <malcolm.parsons@gmail.com>
When scrolling up in SCROLL_PAN_REDRAW mode with a large limited scroll
region, the bottom few lines have to be redrawn. Without this patch, the
wrong text is drawn into these lines, corrupting the display.
Observed in 2.6.14 when running an IRC client in the Nintendo DS linux
port.
I haven't tested if scrolling down has the same problem.
Ralf Baechle [Thu, 8 Jun 2006 07:43:41 +0000 (00:43 -0700)]
[PATCH] Fix mempolicy.h build error
From: Ralf Baechle <ralf@linux-mips.org>
<linux/mempolicy.h> uses struct mm_struct and relies on a definition or
declaration somehow magically being dragged in which may result in a
build:
[...]
CC mm/mempolicy.o
In file included from mm/mempolicy.c:69:
include/linux/mempolicy.h:150: warning: â\80\98struct mm_structâ\80\99 declared inside parameter list
include/linux/mempolicy.h:150: warning: its scope is only this definition or declaration, which is probably not what you want
include/linux/mempolicy.h:175: warning: â\80\98struct mm_structâ\80\99 declared inside parameter list
mm/mempolicy.c:622: error: conflicting types for â\80\98do_migrate_pagesâ\80\99
include/linux/mempolicy.h:175: error: previous declaration of â\80\98do_migrate_pagesâ\80\99 was here
mm/mempolicy.c:1661: error: conflicting types for â\80\98mpol_rebind_mmâ\80\99
include/linux/mempolicy.h:150: error: previous declaration of â\80\98mpol_rebind_mmâ\80\99 was here
make[1]: *** [mm/mempolicy.o] Error 1
make: *** [mm] Error 2
[ralf@denk linux-ip35]$
Including <linux/sched.h> is a step into direction of include hell so
fixed by adding a forward declaration of struct mm_struct instead.
The recent renaming of m48t86's ->readb() and ->writeb() platform driver
methods (2d7b20c1884777e66009be1a533641c19c4705f6) to ->readbyte() and
->writebyte() to fix the ia64 build broke the build of the cirrus ep93xx
ARM platform. This patch fixes it up.
Signed-off-by: Lennert Buytenhek <buytenh@wantstofly.org> Cc: Alessandro Zummo <a.zummo@towertech.it> Cc: Russell King <rmk@arm.linux.org.uk> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Andy Currid [Thu, 8 Jun 2006 07:43:39 +0000 (00:43 -0700)]
[PATCH] Fix HPET operation on 64-bit NVIDIA platforms
From: "Andy Currid" <ACurrid@nvidia.com>
This patch fixes a kernel panic during boot that occurs on NVIDIA platforms
that have HPET enabled.
When HPET is enabled, the standard timer IRQ is routed to IOAPIC pin 2 and is
advertised as such in the ACPI APIC table - but an earlier workaround in the
kernel was ignoring this override. The fix is to honor timer IRQ overrides
from ACPI when HPET is detected on an NVIDIA platform.
Andy Currid [Thu, 8 Jun 2006 07:43:38 +0000 (00:43 -0700)]
[PATCH] Fix HPET operation on 32-bit NVIDIA platforms
From: "Andy Currid" <ACurrid@nvidia.com>
This patch fixes a kernel panic during boot that occurs on NVIDIA platforms
that have HPET enabled.
When HPET is enabled, the standard timer IRQ is routed to IOAPIC pin 2 and is
advertised as such in the ACPI APIC table - but an earlier workaround in the
kernel was ignoring this override. The fix is to honor timer IRQ overrides
from ACPI when HPET is detected on an NVIDIA platform.
Matt Reimer [Thu, 8 Jun 2006 21:46:48 +0000 (22:46 +0100)]
[ARM] 3546/1: PATCH: subtle lost interrupts bug on i.MX
Patch from Matt Reimer
There is a subtle bug in the GPIO interrupt status register
handling in arch/arm/mach-imx/irq.c:imx_gpio_ack_irq(). The
documentation states that a 1 should be written to the relevant bit to
acknowledge a GPIO interrupt, but that is not what the code does.
The problem is that the |= writes back 1s for all the *other*
interrupts represented in the register, so interrupts could get lost.
For example, if interrupts are pending for GPIO B10 and B12, ISR_B
would have the value 0x00001400. Then when the interrupt code handles
GPIO B10, it eventually calls imx_gpio_ack_irq(IRQ_GPIOB(10)), which
effectively does this:
ISR_B |= 1 << 10;
with the result that (0x00001400 | 0x00000400) is written, clearing
the interrupt status bits for *both* GPIO B10 and B12.
The fix is to write 1s only for the interrupts we want to clear.
The same problem seems to be occurring in the DMA code; this patch
does not address those issues.
Acked-by: Sascha Hauer <s.hauer@pengutronix.de> Signed-off-by: Matt Reimer <mreimer@vpop.net> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Richard Purdie [Thu, 8 Jun 2006 21:44:07 +0000 (22:44 +0100)]
[ARM] 3547/1: PXA-OHCI: Allow platforms to specify a power budget
Patch from Richard Purdie
Add a power budget variable to the PXA OHCI platform data and add a
default value for the spitz platform(s) which prevents known failures
with certain USB devices.
Signed-off-by: Richard Purdie <rpurdie@rpsys.net> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Russell King [Thu, 8 Jun 2006 16:59:31 +0000 (17:59 +0100)]
[ARM] Fix Neponset IRQ handling
While testing the genirq code on ARM, a condition was found whereby
the Neponset IRQ handler was being re-entered, causing the system
to deadlock.
Under the ARM IRQ code, this would not have been a visible problem
because the "simple" IRQ handling had no re-entrancy protection.
Resolve this by acknowledging the parent interrupt after we mask it
when we are going to handle one of our "special" level-based sources
(from ethernet or USAR chip.)
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Auke Kok [Thu, 8 Jun 2006 16:28:47 +0000 (09:28 -0700)]
e1000: remove risky prefetch on next_skb->data
It was brought to our attention that the prefetches break e1000 traffic
on xscale/arm architectures. Remove them for now. We'll let them
stay in mm for a while, or find a better solution to enable.
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
[BRIDGE]: fix locking and memory leak in br_add_bridge
[IRDA]: Missing allocation result check in irlap_change_speed().
[PPPOE]: Missing result check in __pppoe_xmit().
[NET]: Eliminate unused /proc/sys/net/ethernet
[NETCONSOLE]: Clean up initcall warning.
[TCP]: Avoid skb_pull if possible when trimming head
Jiri Benc [Mon, 5 Jun 2006 23:39:34 +0000 (16:39 -0700)]
[BRIDGE]: fix locking and memory leak in br_add_bridge
There are several bugs in error handling in br_add_bridge:
- when dev_alloc_name fails, allocated net_device is not freed
- unregister_netdev is called when rtnl lock is held
- free_netdev is called before netdev_run_todo has a chance to be run after
unregistering net_device
Signed-off-by: Jiri Benc <jbenc@suse.cz> Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Chad Reese [Wed, 31 May 2006 00:16:49 +0000 (17:16 -0700)]
[MIPS] Fix sparsemem support.
Move memory_present() in arch/mips/kernel/setup.c. When using sparsemem
extreme, this function does an allocate for bootmem. This would always
fail since init_bootmem hasn't been called yet.
Move memory_present after free_bootmem. This only marks actual memory
ranges as present instead of the entire address space.
Signed-off-by: Chad Reese <creese@caviumnetworks.com> Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Fix following warnings:
linux/arch/mips/kernel/setup.c:432: warning: field width is not type int (arg 2)
linux/arch/mips/kernel/setup.c:432: warning: field width is not type int (arg 4)
linux/arch/mips/kernel/syscall.c:279: warning: unused variable `len'
linux/arch/mips/kernel/syscall.c:280: warning: unused variable `name'
linux/arch/mips/math-emu/dp_fint.c:32: warning: unused variable `xc'
linux/arch/mips/math-emu/dp_flong.c:32: warning: unused variable `xc'
linux/arch/mips/math-emu/sp_fint.c:32: warning: unused variable `xc'
linux/arch/mips/math-emu/sp_flong.c:32: warning: unused variable `xc'
(original patch by Atsushi, slight changes to the setup.c part by me.)
Atsushi Nemoto [Wed, 31 May 2006 16:00:39 +0000 (01:00 +0900)]
[MIPS] Fix sparse warnings about too big constants.
Fix following warnings:
linux/arch/mips/kernel/setup.c:249:12: warning: constant 0xffffffff00000000 is so big it is unsigned long
linux/arch/mips/kernel/cpu-bugs64.c:209:10: warning: constant 0xffffffffffffdb9a is so big it is unsigned long
linux/arch/mips/kernel/cpu-bugs64.c:227:10: warning: constant 0xffffffffffffdb9a is so big it is unsigned long
linux/arch/mips/kernel/cpu-bugs64.c:283:10: warning: constant 0xffffffffffffdb9a is so big it is unsigned long
linux/arch/mips/kernel/cpu-bugs64.c:299:10: warning: constant 0xffffffffffffdb9a is so big it is unsigned long
Sergei Shtylyov [Sat, 27 May 2006 18:39:39 +0000 (22:39 +0400)]
[MIPS] Fix non-linear memory mapping on MIPS
Fix the non-linear memory mapping done via remap_file_pages() -- it
didn't work on any MIPS CPU because the page offset clashing with
_PAGE_FILE and some other page protection bits which should have been left
zeros for this kind of pages.
Signed-off-by: Konstantin Baydarov <kbaidarov@ru.mvista.com> Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Ralf Baechle <ralf@linux-mips.org>