From: Alexandra Kossovsky <Alexandra.Kossovsky@oktetlabs.ru>
From http://bugzilla.kernel.org/show_bug.cgi?id=4746
There is user data corruption when using ioctl(SIOCGIFCONF) in a 32-bit
application running on an amd64 kernel. I do not think that this problem is
exploitable, but any data corruption may lead to security problems.
The following code demonstrates the problem:
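    #include <stdio.h>
    #include <sys/ioctl.h>
    #include <sys/socket.h>
    #include <net/if.h>
    #include <netinet/in.h>

    /* Zero-initialized; the kernel may write at most ifc_len bytes into it. */
    static char buf[256];

    int main(void)
    {
        int s = socket(AF_INET, SOCK_DGRAM, 0);
        struct ifconf req;
        int i;

        req.ifc_buf = buf;
        req.ifc_len = 41;
        printf("Result %d\n", ioctl(s, SIOCGIFCONF, &req));
        printf("Len %d\n", req.ifc_len);
        /* Any non-zero byte at or past offset 41 was written out of bounds. */
        for (i = 41; i < 256; i++)
            if (buf[i] != 0)
                printf("Byte %d is corrupted\n", i);
        return 0;
    }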
Steps to reproduce:
Compile the code above into 32-bit elf and run it. You'll get
Result 0
Len 32
Byte 48 is corrupted
Byte 52 is corrupted
Byte 53 is corrupted
Byte 54 is corrupted
Byte 55 is corrupted
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrea Bittau [Sun, 20 Nov 2005 21:41:05 +0000 (13:41 -0800)]
[PKT_SCHED]: sch_netem: correctly order packets to be sent simultaneously
If two packets were queued to be sent at the same time in the future,
their order would be reversed. This would occur because the queue is
traversed back to front, and a position is found by checking whether
the new packet needs to be sent before the packet being examined. If
the new packet is to be sent at the same time as a previous packet, it
would end up before the old packet in the queue. This patch places
packets in the correct order when they are queued to be sent at the same
time in the future.
Signed-off-by: Andrea Bittau <a.bittau@cs.ucl.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dmitry Torokhov [Sun, 20 Nov 2005 05:56:43 +0000 (00:56 -0500)]
Input: make serio and gameport more swsusp friendly
kseriod and kgameportd used to process all pending events before
checking for freeze condition. This may cause swsusp to time out
while stopping tasks when resuming. Switch to process events one
by one to check freeze status more often.
Dmitry Torokhov [Sun, 20 Nov 2005 05:51:43 +0000 (00:51 -0500)]
Input: uinput - don't use "interruptible" in FF code
If the thread that submitted the FF request gets interrupted somehow, it
will release the request structure and the ioctl handler will work with
freed memory. To prevent that from happening, switch to using
wait_for_completion instead of wait_for_completion_interruptible.
Input: wistron - add support for Acer Aspire 1500 notebooks
Also fix a potential issue with some notebooks:
The current code assumes the response to bios_wifi_get_default_setting is
either 1 (disabled) or 3 (enabled), or wifi isn't supported. The BIOS
response appears to be a bit field w/ 0x1 indicating hardware presence, 0x2
indicating activation status, and the other 6 bits being unknown/reserved --
with the patch, these 6 bits are ignored.
Signed-off-by: Bernhard Rosenkraenzer <bero@arklinux.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Dmitry Torokhov [Sun, 20 Nov 2005 05:50:06 +0000 (00:50 -0500)]
Input: add Wistron driver
A driver for laptop buttons using an x86 BIOS interface that is
apparently used on quite a few laptops and seems to be originating
from Wistron.
This driver currently "knows" only about Fujitsu-Siemens Amilo Pro V2000
(i.e. it can detect the laptop using DMI and it contains the
keycode->key meaning mapping for this laptop) and Xeron SonicPro X 155G
(probably can't be reliably autodetected, requires a module parameter),
adding other laptops should be easy.
In addition to reporting button presses to the input layer the driver
also allows enabling/disabling the embedded wireless NIC (using the
"Wifi" button); this is done using the same BIOS interface, so it seems
only logical to keep the implementation together. Any flexibility
possibly gained by allowing users to remap the function of the "Wifi"
button is IMHO not worth it when weighed against the necessity to run
a user-space daemon to convert button presses to wifi state changes.
Dmitry Torokhov [Sun, 20 Nov 2005 05:49:42 +0000 (00:49 -0500)]
Input: atkbd - speed up setting leds/repeat state
Changing led state is a pretty slow operation; when there are multiple
requests coming at a high rate they may interfere with normal typing.
Try to optimize (skip) changing hardware state when multiple requests
are coming back-to-back.
Russell King [Sat, 19 Nov 2005 11:10:35 +0000 (11:10 +0000)]
[SERIAL] Fix status reporting with PL011 serial driver
The receiver status register reports latched error conditions, which
must be cleared by writing to it. However, the data register reports
unlatched conditions which are associated with the current character.
Use the data register to interpret error status rather than the RSR.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Paul Mackerras [Sat, 19 Nov 2005 10:24:55 +0000 (21:24 +1100)]
powerpc: Fix bug in timebase synchronization on 32-bit SMP powermac
We were using udelay in the loop on the primary cpu waiting for the
secondary cpu to take the timebase value. Unfortunately now that
udelay uses the timebase, and the timebase is stopped at this point,
the udelay never terminated. This fixes it by not using udelay, and
increases the number of loops before we time out to compensate.
[ARM] 3168/1: Update ARM signal delivery and masking
Patch from Daniel Jacobowitz
After delivering a signal (creating its stack frame) we must check for
additional pending unblocked signals before returning to userspace.
Otherwise signals may be delayed past the next syscall or reschedule.
Once that was fixed it became obvious that the ARM signal mask manipulation
was broken. It was a little bit broken before the recent SA_NODEFER
changes, and then very broken after them. We must block the requested
signals before starting the handler or the same signal can be delivered
again before the handler even gets a chance to run.
Signed-off-by: Daniel Jacobowitz <dan@codesourcery.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Paul Mackerras [Sat, 19 Nov 2005 09:46:04 +0000 (20:46 +1100)]
powerpc: Merge pci.h
This involves some minor changes: a few unused functions that the
ppc32 pci.c provides are no longer declared here or exported;
pcibios_assign_all_busses now just refers to the pci_assign_all_buses
variable on both 32-bit and 64-bit; pcibios_scan_all_fns is now
just 0 instead of a function that always returns 0 on 64-bit.
David Gibson [Wed, 16 Nov 2005 04:43:48 +0000 (15:43 +1100)]
[PATCH] powerpc: Remove imalloc.h
asm-ppc64/imalloc.h is only included from files in arch/powerpc/mm.
We already have a header for mm local definitions,
arch/powerpc/mm/mmu_decl.h. Thus, this patch moves the contents of
imalloc.h into mmu_decl.h. The only exceptions are the definitions of
PHBS_IO_BASE, IMALLOC_BASE and IMALLOC_END. Those are moved into
pgtable.h, next to similar definitions of VMALLOC_START and
VMALLOC_SIZE.
Built for multiplatform 32bit and 64bit (ARCH=powerpc).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Trying to set the priority would just disable the interrupt due to an
incorrect mask used. We rarely use that call, in fact, I think only in
the powermac code for the cmd-power key combo that triggers xmon. So it
got unnoticed for a while.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Roland Dreier [Fri, 18 Nov 2005 22:18:26 +0000 (14:18 -0800)]
IB/umad: make sure write()s have sufficient data
Make sure that userspace passes in enough data when sending a MAD. We
always copy at least sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR
bytes from userspace, so anything less is definitely invalid. Also,
if the length is less than this limit, it's possible for the second
copy_from_user() to get a negative length and trigger a BUG().
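The minimum-length check this commit message describes, sketched in user-space C as an added example (not the kernel's ib_umad code). HDR_LEN is a constructed stand-in for sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR, MAX_PAYLOAD and struct mad_packet are hypothetical, and memcpy() stands in for copy_from_user().

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR;
 * the real value comes from the kernel headers. */
#define HDR_LEN     64
#define MAX_PAYLOAD 256   /* demo-only bound for the fixed buffer below */

struct mad_packet {       /* hypothetical destination for the two copies */
    unsigned char hdr[HDR_LEN];
    unsigned char payload[MAX_PAYLOAD];
    size_t payload_len;
};

/* Length the second copy is asked for when nothing validates count:
 * whatever is left after the unconditional HDR_LEN-byte first copy. */
long second_copy_len(size_t count)
{
    return (long)count - (long)HDR_LEN;
}

/* Write handler with the minimum-length check applied before any copy.
 * memcpy() stands in for copy_from_user(). Returns count or -EINVAL. */
long umad_write_checked(struct mad_packet *pkt,
                        const unsigned char *ubuf, size_t count)
{
    if (count < HDR_LEN)                 /* too short for the fixed header */
        return -EINVAL;
    if (count - HDR_LEN > MAX_PAYLOAD)   /* demo buffer limit only */
        return -EINVAL;

    memcpy(pkt->hdr, ubuf, HDR_LEN);                         /* first copy */
    pkt->payload_len = count - HDR_LEN;
    memcpy(pkt->payload, ubuf + HDR_LEN, pkt->payload_len);  /* second copy */
    return (long)count;
}

int main(void)
{
    static unsigned char ubuf[HDR_LEN + 16];   /* constructed user buffer */
    struct mad_packet pkt;

    printf("short write, second copy length: %ld\n", second_copy_len(10));
    printf("checked, count=10: %ld\n", umad_write_checked(&pkt, ubuf, 10));
    printf("checked, count=80: %ld\n",
           umad_write_checked(&pkt, ubuf, sizeof(ubuf)));
    return 0;
}
```

Converted to size_t, the negative remainder becomes a length far larger than any destination buffer, which is why the check has to run before the first copy.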
James Bottomley [Fri, 18 Nov 2005 22:13:33 +0000 (23:13 +0100)]
[PATCH] ide: fix ide_toggle_bounce() to not try to bounce if we have an IOMMU
The following patch fixes a crash caused by attempting to bounce buffer
when an IDE CD-ROM is used on a machine with an IO-MMU. [At least, this
patch fixes things so I can use my IDE CD-ROM behind an ns87415 on a
HP PA-RISC workstation.]
Calculation of QP capabilities still isn't exactly right in mthca:
max_send_sge/max_recv_sge fields returned in create_qp can exceed the
hardware supported limits.
Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Thibaut VARENE [Fri, 18 Nov 2005 21:37:37 +0000 (22:37 +0100)]
[PATCH] pmac IDE: don't release empty interfaces
From: Thibaut VARENE <T-Bone@parisc-linux.org>
Cleaning up the hwif without knowing its previous state in pmac.c is a big
and potentially dangerous job, and there seems to be no generic code interface
that would provide either a way to properly release an hwif or to clean it up.
Fixes OOPS for empty PMAC interface and add-on PCI controller.
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Daniel Drake [Fri, 18 Nov 2005 21:08:29 +0000 (22:08 +0100)]
[PATCH] via82cxxx IDE: remove /proc/via entry
This entry adds needless complication to the driver as it requires the use of
global variables to be passed into via_get_info(), making things quite ugly
when we try and make this driver support multiple controllers simultaneously.
This patch removes /proc/via for simplicity.
On 10/13/05, Daniel Drake <dsd@gentoo.org> wrote:
> Per Bart's suggestion, I've created a user-space app which shows identical
> data (and doesn't even rely on the via82cxxx IDE driver).
>
> http://www.reactivated.net/software/viaideinfo/
>
> So, I think we should be clear to drop /proc/ide/via now.
Signed-off-by: Daniel Drake <dsd@gentoo.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
mikem [Fri, 18 Nov 2005 21:05:36 +0000 (22:05 +0100)]
[PATCH 3/3] cciss: add put_disk into cleanup routines
Jeff Garzik pointed me to his code to see how to remove a disk from
the system _properly_. Well, here it is...
Every place we remove disks we are now testing before calling del_gendisk
or blk_cleanup_queue and then call put_disk.
Signed-off-by: Mike Miller <mike.miller@hp.com>
Signed-off-by: Jens Axboe <axboe@suse.de>
Jens Axboe [Fri, 18 Nov 2005 21:02:44 +0000 (22:02 +0100)]
[PATCH 2/3] cciss: bug fix for BIG_PASS_THRU
Applications using CCISS_BIG_PASSTHRU complained that the data written
was zeros. The problem is that the buffer is being cleared after the
user copy, unless the user copy has failed... Correct that logic.
Signed-off-by: Mike Miller <mike.miller@hp.com>
Signed-off-by: Jens Axboe <axboe@suse.de>
mikem [Fri, 18 Nov 2005 21:00:17 +0000 (22:00 +0100)]
[PATCH 1/3] cciss: bug fix for hpacucli
This patch fixes a bug that breaks hpacucli, a command line interface
for the HP Array Config Utility. Without this fix the utility will
not detect any controllers in the system. I thought I had already fixed
this, but I guess not.
Thanks to all who reported the issue. Please consider this for inclusion.
Signed-off-by: Mike Miller <mikem@beardog.cca.cpqcorp.net>
Signed-off-by: Jens Axboe <axboe@suse.de>
Steve French [Fri, 18 Nov 2005 19:31:10 +0000 (11:31 -0800)]
[CIFS] Fix scheduling while atomic when pending writes at file close time
Fix the case in which readdir reset file type when SFU mount option
specified.
Also fix sfu related functions to not request EAs (xattrs) when not
configured in Kconfig
James Ketrenos [Sat, 12 Nov 2005 18:50:12 +0000 (12:50 -0600)]
[PATCH] ipw2100: Fix 'Driver using old /proc/net/wireless...' message
ipw2100: Fix 'Driver using old /proc/net/wireless...' message
Wireless extensions moved the get_wireless_stats handler from being
in net_device into wireless_handler.
A prior instance of this patch resolved the issue for the ipw2200.
This one fixes it for the ipw2100.
Signed-off-by: Benoit Boissinot <benoit.boissinot@ens-lyon.org>
Signed-off-by: James Ketrenos <jketreno@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
[PATCH] fec_8xx: make CONFIG_FEC_8XX depend on CONFIG_8xx
Change CONFIG_FEC_8XX to depend on CONFIG_8xx instead of CONFIG_FEC.
CONFIG_FEC depends on ColdFire CPUs, which does not apply for the
PPC 8xx processors.
Signed-off-by: John W. Linville <linville@tuxdriver.com>
[PATCH] Add HOWTO do kernel development document to the Documentation directory
Here's a document that describes the process and procedures of how to do Linux
kernel development. It has gone through a number of rounds of review on the
linux-kernel mailing list, and contains contributions and help from Paolo
Ciarrocchi, Randy Dunlap, Gerrit Huizenga, Pat Mochel, Hanna Linder, Kay
Sievers, Vojtech Pavlik, Jan Kara, Josh Boyer, Kees Cook, Andrew Morton, Andi
Kleen, Vadim Lobanov, Jesper Juhl, Adrian Bunk, Keri Harris, Frans Pop, David
A. Wheeler, Junio Hamano, Michael Kerrisk, and Alex Shepard.
[PATCH] drivers/net/wireless/hermes.c unsigned int comparison
hermes_bap_pread, hermes_bap_pwrite, and hermes_bap_pwrite_pad all have a
parameter "len" that is declared unsigned, but checked for a value less
than zero. Auditing the callers, it is possible for len to be passed a
negative value, so len should be an int.
Thanks to LinuxICC (http://linuxicc.sf.net)
Signed-off-by: Gabriel A. Devenyi <ace@staticwave.ca>
Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
Jesse Brandeburg [Mon, 14 Nov 2005 21:15:49 +0000 (13:15 -0800)]
[PATCH] e100: re-enable microcode with more useful defaults
For the four versions of hardware that we (currently) support microcode
download on, the default configuration of our receive interrupt mitigation
microcode was too aggressive, and caused unnecessary delays when pinging,
and low(er) throughput on single connection latency sensitive performance
tests.
This code adds microcode support, and sets the defaults to more reasonable
settings. It also explains the functionality in the code in more detail.
Compile and load tested, shows expected behavior for slight delay of ping
packets (1-2ms) when ucode is loaded, and decent interrupt moderation for
small packets, while maintaining good throughput.
Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
Tejun Heo [Fri, 18 Nov 2005 05:22:03 +0000 (14:22 +0900)]
[PATCH] sil24: make error_intr less verbose
sil24_error_intr logs all error interrupts. ATAPI devices generate
many harmless errors which can be ignored and all serious ones are
reported via sense data by SCSI layer. Don't log device errors from
ATAPI devices.
Signed-off-by: Tejun Heo <htejun@gmail.com>
Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
Tejun Heo [Fri, 18 Nov 2005 05:14:01 +0000 (14:14 +0900)]
[PATCH] sil24: use SRST for phy_reset
There seems to be no way to obtain device signature from sil24 after
SATA phy reset and SRST is needed anyway for later port multiplier
support. This patch converts sil24_phy_reset to use SRST instead.
Signed-off-by: Tejun Heo <htejun@gmail.com>
--
Jeff, I didn't remove the 10ms sleep just to be on the safe side. I
think we can live with 10ms sleep on SRST.
Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
Tejun Heo [Fri, 18 Nov 2005 05:09:05 +0000 (14:09 +0900)]
[PATCH] sil24: add sil24_restart_controller
When an error condition is raised by the device via D2H FIS or SDB, the sil24
controller should be restarted by setting PORT_CS_INIT and waiting
until PORT_CS_RDY is asserted instead of resetting the controller.
This patch implements sil24_restart_controller for those cases. This
patch also makes sure that PORT_CS_RDY is asserted on
sil24_reset_controller completion.
Signed-off-by: Tejun Heo <htejun@gmail.com>
--
Jeff, delay is reduced to 1us and cnt increased to 10k. My sil3124
turns on PORT_CS_RDY on the second iteration even without any delay.
I think 10k * 1us should be more than enough.
I tried to convert both restart and reset to use msleep's with work
queue, but if we do that, host_set lock should be released after
initiating restart or reset, leading to race condition among
reset/restart, other interrupts and timeout. Implementing
synchronization among those in low-level driver doesn't seem right.
Well, reduced timeout should work for the time being.
Thanks.
Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
Russell King [Fri, 18 Nov 2005 17:57:55 +0000 (12:57 -0500)]
[PATCH] smc91x: fix bank mismatch
The smc91x driver relies upon register bank 2 being selected whenever
the interrupt handler is called. This isn't always so, especially if
we have a link change event during PHY configuration.
This results in register bank 0 being selected when the interrupt
handler is called, causing the wrong registers to be read for the
IRQ mask and status. In turn, this causes us to spin with a
permanently asserted IRQ.
The patch ensures that smc_phy_configure always exits with register
bank 2 selected.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Nicolas Pitre <nico@cam.org>
Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
Nicolas Pitre [Thu, 17 Nov 2005 19:02:48 +0000 (14:02 -0500)]
[PATCH] smc91x: fix one source of spurious interrupts
Not only SMC_ACK_INT(IM_TX_EMPTY_INT) (in smc_hardware_send_pkt)
appears to be unnecessary (tested with an SMC91C94 and SMC91C111), but
it seems to trigger spurious interrupts on some machines as well.
Removed.
While at it, let's log any remaining spurious interrupts if any (and
clean usage of the max IRQ loop count value).
Signed-off-by: Nicolas Pitre <nico@cam.org>
Signed-off-by: Jeff Garzik <jgarzik@pobox.com>