Jesper Juhl [Fri, 19 May 2006 09:15:13 +0000 (02:15 -0700)]
[NETFILTER]: Fix memory leak in ipt_recent
The Coverity checker spotted that we may leak 'hold' in
net/ipv4/netfilter/ipt_recent.c::checkentry() when the following
is true:
if (!curr_table->status_proc) {
...
if(!curr_table) {
...
return 0; <-- here we leak.
Simply moving an existing vfree(hold); up a bit avoids the possible leak.
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Stefan Richter [Mon, 15 May 2006 20:08:09 +0000 (22:08 +0200)]
[PATCH] sbp2: add ability to override hardwired blacklist
In case the blacklist with workarounds for device bugs yields a false
positive, the module load parameter can now also be used as an override
instead of an addition to the blacklist.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Stefan Richter [Mon, 15 May 2006 20:06:37 +0000 (22:06 +0200)]
[PATCH] sbp2: add read_capacity workaround for iPod
Apple decided to copy some USB stupidity over to FireWire.
The sector number returned by iPods from read_capacity is one too many.
This may cause I/O errors, especially if the kernel is configured for EFI
partition support. We use the same workaround as usb-storage but have to
check for different model IDs.
Acknowledgements:
Diagnosis and therapy by Mathieu Chouquet-Stringer <ml2news@free.fr>,
additional data about affected and unaffected Apple hardware from
Vladimir Kotal, Sander De Graaf, Bryan Olmstead and Hugh Dixon.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Stefan Richter [Mon, 15 May 2006 20:04:59 +0000 (22:04 +0200)]
[PATCH] sbp2: consolidate workarounds
Grand unification of the three types of workarounds we have so far.
The "skip mode page 8" workaround is now limited to devices which
pretend to be of TYPE_DISK instead of TYPE_RBC. This workaround is no
longer enabled for Initio bridges.
Patch update in anticipation of more workarounds:
- Add module parameter "workarounds".
- Deprecate parameter "force_inquiry_hack".
- Compose the blacklist of a compound type for better readability and
extensibility.
- Remove a now unused #define.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/netdev-2.6:
sky2: prevent dual port receiver problems
x86_64: Check for bad dma address in b44 1GB DMA workaround
The ixp2000 driver for the enp2611 was developed on a board with
Linus Torvalds [Wed, 17 May 2006 23:11:41 +0000 (16:11 -0700)]
Merge branch 'upstream-linus' of git://oss.oracle.com/home/sourcebo/git/ocfs2
* 'upstream-linus' of git://oss.oracle.com/home/sourcebo/git/ocfs2:
configfs: Make sure configfs_init() is called before consumers.
configfs: configfs_mkdir() failed to cleanup linkage.
configfs: Fix a reference leak in configfs_mkdir().
ocfs2: fix gfp mask in some file system paths
ocfs2: Don't populate uptodate cache in ocfs2_force_read_journal()
ocfs2: take meta data lock in ocfs2_file_aio_read()
ocfs2: take data locks around extend
Joel Becker [Wed, 3 May 2006 18:38:53 +0000 (11:38 -0700)]
configfs: Make sure configfs_init() is called before consumers.
configfs_init() needs to be called first to register configfs before anyconsumers try to access it. Move up configfs in fs/Makefile to make
sure it is initialized early.
Signed-off-by: Joel Becker <joel.becker@oracle.com> Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
Joel Becker [Wed, 12 Apr 2006 04:37:20 +0000 (21:37 -0700)]
configfs: configfs_mkdir() failed to cleanup linkage.
If configfs_mkdir() errored in certain ways after the parent<->child
linkage was already created, it would not undo the linkage. Also,
comment the reference counting for clarity.
Signed-off-by: Joel Becker <joel.becker@oracle.com> Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
Mark Fasheh [Sat, 6 May 2006 02:04:03 +0000 (19:04 -0700)]
ocfs2: take data locks around extend
We need to take a data lock around extends to protect the pages that
ocfs2_zero_extend is going to be pulling into the page cache. Otherwise an
extend on one node might populate the page cache with data pages that have
no lock coverage.
Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
Chen, Kenneth W [Tue, 16 May 2006 23:34:57 +0000 (16:34 -0700)]
[IA64] one-line cleanup on set_irq_affinity_info
Calls to set_irq_info in set_irq_affinity_info() is redundant because
irq_affinity mask was set just one line immediately above it. Remove
that duplicate call.
Signed-off-by: Ken Chen <kenneth.w.chen@intel.com> Signed-off-by: Tony Luck <tony.luck@intel.com>
From: "Angelo P. Castellani" <angelo.castellani+lkml@gmail.com>
Using NewReno, if a sk_buff is timed out and is accounted as lost_out,
it should also be removed from the sacked_out.
This is necessary because recovery using NewReno fast retransmit could
take up to a lot RTTs and the sk_buff RTO can expire without actually
being really lost.
Linus Torvalds [Tue, 16 May 2006 22:16:14 +0000 (15:16 -0700)]
Merge master.kernel.org:/home/rmk/linux-2.6-arm
* master.kernel.org:/home/rmk/linux-2.6-arm:
[ARM] arch/arm/kernel/dma-isa.c: named initializers
[ARM] 3527/1: MPCore Boot Lockup Fix
[ARM] arch/arm/kernel/process.c: Fix warning
[ARM] 3526/1: ioremap should use vunmap instead of vfree on ARM
[ARM] 3524/1: ARM EABI: more 64-bit aligned stack fixes
[ARM] 3517/1: move definition of PROC_INFO_SZ from procinfo.h to asm-offsets.h
David Brownell [Fri, 7 Apr 2006 05:25:56 +0000 (22:25 -0700)]
[PATCH] SPI: spi_bitbang: clocking fixes
This fixes two problems triggered by the MMC stack updating clocks:
- SPI masters driver should accept a max clock speed of zero; that's one
convention for marking idle devices. (Presumably that helps controllers
that don't autogate clocks to "off" when not in use.)
- There are more than 1000 nanoseconds per millisecond; setting the clock
down to 125 KHz now works properly.
Showing once again that Zero (http://en.wikipedia.org/wiki/Zero) is still
an inexhaustible number of bugs.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stephen Street [Tue, 28 Mar 2006 22:05:23 +0000 (14:05 -0800)]
[PATCH] spi: Update to PXA2xx SPI Driver
Fix two outstanding issues with the pxa2xx_spi driver:
1) Bad cast in the function u32_writer. Thanks to Henrik Bechmann
2) Adds support for per transfer changes to speed and bits per word
Signed-off-by: Stephen Street <stephen@streetfiresound.com> Cc: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
David Brownell [Mon, 3 Apr 2006 22:46:22 +0000 (15:46 -0700)]
[PATCH] SPI: devices can require LSB-first encodings
Add spi_device hook for LSB-first word encoding, and update all the
(in-tree) controller drivers to reject such devices. Eventually,
some controller drivers will be updated to support lsb-first encodings
on the wire; no current drivers need this.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Kumar Gala [Sun, 2 Apr 2006 21:06:35 +0000 (16:06 -0500)]
[PATCH] SPI: Renamed bitbang_transfer_setup to spi_bitbang_setup_transfer and export it
Renamed bitbang_transfer_setup to follow convention of other exported symbols
from spi-bitbang. Exported spi_bitbang_setup_transfer to allow users of
spi-bitbang to use the function in their own setup_transfer.
Signed-off-by: Kumar Gala <galak@kernel.crashing.org> Cc: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stephen Street [Wed, 8 Mar 2006 07:53:24 +0000 (23:53 -0800)]
[PATCH] SPI: add PXA2xx SSP SPI Driver
This driver turns a PXA2xx synchronous serial port (SSP) into a SPI master
controller (see Documentation/spi/spi_summary). The driver has the following
features:
- Support for any PXA2xx SSP
- SSP PIO and SSP DMA data transfers.
- External and Internal (SSPFRM) chip selects.
- Per slave device (chip) configuration.
- Full suspend, freeze, resume support.
Signed-off-by: Stephen Street <stephen@streetfiresound.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Cc: David Brownell <david-b@pacbell.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Imre Deak [Fri, 17 Feb 2006 18:02:18 +0000 (10:02 -0800)]
[PATCH] SPI: per-transfer overrides for wordsize and clocking
Some protocols (like one for some bitmap displays) require different clock
speed or word size settings for each transfer in an SPI message. This adds
those parameters to struct spi_transfer. They are to be used when they are
nonzero; otherwise the defaults from spi_device are to be used.
The patch also adds a setup_transfer callback to spi_bitbang, uses it for
messages that use those overrides, and implements it so that the pure
bitbanging code can help resolve any questions about how it should work.
Signed-off-by: Imre Deak <imre.deak@nokia.com> Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Linus Torvalds [Tue, 16 May 2006 15:46:10 +0000 (08:46 -0700)]
Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc
* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc:
[PATCH] Fix pSeries identification in prom_init.c
[PATCH] powerpc: fix kernel version display on pseries boxes
Roland Dreier [Mon, 15 May 2006 18:41:00 +0000 (11:41 -0700)]
[PATCH] slab: Fix kmem_cache_destroy() on NUMA
With CONFIG_NUMA set, kmem_cache_destroy() may fail and say "Can't
free all objects." The problem is caused by sequences such as the
following (suppose we are on a NUMA machine with two nodes, 0 and 1):
* Allocate an object from cache on node 0.
* Free the object on node 1. The object is put into node 1's alien
array_cache for node 0.
* Call kmem_cache_destroy(), which ultimately ends up in __cache_shrink().
* __cache_shrink() does drain_cpu_caches(), which loops through all nodes.
For each node it drains the shared array_cache and then handles the
alien array_cache for the other node.
However this means that node 0's shared array_cache will be drained,
and then node 1 will move the contents of its alien[0] array_cache
into that same shared array_cache. node 0's shared array_cache is
never looked at again, so the objects left there will appear to be in
use when __cache_shrink() calls __node_shrink() for node 0. So
__node_shrink() will return 1 and kmem_cache_destroy() will fail.
This patch fixes this by having drain_cpu_caches() do
drain_alien_cache() on every node before it does drain_array() on the
nodes' shared array_caches.
The problem was originally reported by Or Gerlitz <ogerlitz@voltaire.com>.
Signed-off-by: Roland Dreier <rolandd@cisco.com> Acked-by: Christoph Lameter <clameter@sgi.com> Acked-by: Pekka Enberg <penberg@cs.helsinki.fi> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Andi Kleen [Mon, 15 May 2006 16:19:47 +0000 (18:19 +0200)]
[PATCH] x86_64: Don't schedule on exception stack on preemptive kernels
Extends an earlier patch from John Blackwood to more exception handlers
that also run on the exception stacks.
Expand the use of preempt_conditional_{sti,cli} to all cases where
interrupts are to be re-enabled during exception handling while running
on an IST stack.
Andi Kleen [Mon, 15 May 2006 16:19:44 +0000 (18:19 +0200)]
[PATCH] x86_64: Fix memory hotadd heuristics
This fixes some boot failures on Dell and Unisys systems with memory
hotadd added.
- Set hotadd_percent to 0 by default. This means anybody using hotadd
memory needs to specify the value on the command line. That's
because there are lots of Intel boxes which have a bogus hotplug area
in their SRAT and they would waste a lot of memory before.
- Fix calculation of how much memory to use when the hotplug area
exceeds hotadd_percent
- Fix fallback when the
- Fix fallback if memory hotadd is not compiled in.
Andi Kleen [Mon, 15 May 2006 16:19:41 +0000 (18:19 +0200)]
[PATCH] i386/x86_64: Force pci=noacpi on HP XW9300
This is needed to see all devices.
The system has multiple PCI segments and we don't handle that properly
yet in PCI and ACPI. Short term before this is fixed blacklist it to
pci=noacpi.
The OF trampoline code prom_init.c still needs to identify IBM pSeries
(PAPR) machines in order to run some platform specific code on them like
instanciating the TCE tables. The code doing that detection was changed
recently in 2.6.17 early stages but was done slightly incorrectly. It
should be testing for an exact match of "chrp" and it currently tests
for anything that begins with "chrp". That means it will incorrectly
match with platforms using Maple-like device-trees and have open
firmware. This fixes it by using strcmp instead of strncmp to match what
the actual platform detection code does.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Paul Mackerras <paulus@samba.org>
Anton Blanchard [Wed, 10 May 2006 03:05:54 +0000 (13:05 +1000)]
[PATCH] powerpc: fix kernel version display on pseries boxes
We are displaying the wrong thing on the operator panel (2x40
character LCD). This got broken in commit cebb21b5, when UTS_RELEASE
got changed to system_utsname.version.
Signed-off-by: Anton Blanchard <anton@samba.org> Signed-off-by: Paul Mackerras <paulus@samba.org>
Uwe Zeisberger [Wed, 10 May 2006 17:11:05 +0000 (18:11 +0100)]
[ARM] 3517/1: move definition of PROC_INFO_SZ from procinfo.h to asm-offsets.h
Patch from Uwe Zeisberger
The symbol is only used in arch/arm/kernel/head-common.S. This in turn
is included from arch/arm/kernel/head.S and arch/arm/kernel/head-nommu.S
which include asm-offsets.h .
Signed-off-by: Uwe Zeisberger <Uwe_Zeisberger@digi.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
When both ports are receiving simultaneously, the receive logic gets confused
and may pass up a packet before it is full. This causes hangs, and IP will see
lots of garbage packets. There is even the potential for data corruption if
a later arriving packet DMA's into freed memory.
It looks like a hardware bug because status arrives for a packet but no
data is there. Until this bug is worked out, block the user from bringing
up both ports at once.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
The ixp2000 driver for the enp2611 was developed on a board with
three gigabit ports, but some enp2611 models only have two ports
(and only one onboard PM3386.) The current driver assumes there
are always three ports and so it doesn't work on the two-port
version of the board at all.
This patch adds a bit of logic to the enp2611 driver to limit the
number of ports to 2 if the second PM3386 isn't detected.
Signed-off-by: Lennert Buytenhek <buytenh@wantstofly.org> Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Andrew Morton [Mon, 15 May 2006 16:44:43 +0000 (09:44 -0700)]
[PATCH] dl2k needs dma-mapping.h
On alpha:
drivers/net/dl2k.c: In function `rio_free_tx':
drivers/net/dl2k.c:768: error: `DMA_48BIT_MASK' undeclared (first use in this function)
drivers/net/dl2k.c:768: error: (Each undeclared identifier is reported only once
drivers/net/dl2k.c:768: error: for each function it appears in.)
drivers/net/dl2k.c: In function `receive_packet':
drivers/net/dl2k.c:896: error: `DMA_48BIT_MASK' undeclared (first use in this function)
drivers/net/dl2k.c: In function `rio_close':
drivers/net/dl2k.c:1803: error: `DMA_48BIT_MASK' undeclared (first use in this function)
Cc: Jeff Garzik <jeff@garzik.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Andrew Morton [Mon, 15 May 2006 16:44:42 +0000 (09:44 -0700)]
[PATCH] jffs2 warning fixes
fs/jffs2/nodelist.c: In function `check_node_data':
fs/jffs2/nodelist.c:441: warning: unsigned int format, different type arg (arg 4)
fs/jffs2/nodelist.c:464: warning: int format, different type arg (arg 5)
Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Peter Osterlund [Mon, 15 May 2006 16:44:40 +0000 (09:44 -0700)]
[PATCH] devices.txt: remove pktcdvd entry
Changing the driver to use dynamic device numbers was one of the many
changes that were made in order to have the driver accepted into the
mainline kernel. Therefore I would say that the entry in devices.txt is
obsolete. This patch removes it.
Signed-off-by: Peter Osterlund <petero2@telia.com> Cc: Torben Mathiasen <device@lanana.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Do not enable the SMBus device on Asus boards if suspend is used. We do
not reenable the device on resume, leading to all sorts of undesirable
effects, the worst being a total fan failure after resume on Samsung P35
laptop.
Signed-off-by: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net> Signed-off-by: Pavel Machek <pavel@suse.cz> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Valdis.Kletnieks@vt.edu wrote:
>
> There seems to have been a bug introduced in this changeset:
>
> Am running 2.6.17-rc3-mm1. When this changeset is applied, 'mount --bind'
> misbehaves:
>
> > # mkdir /foo
> > # mount -t tmpfs -o rw,nosuid,nodev,noexec,noatime,nodiratime none /foo
> > # mkdir /foo/bar
> > # mount --bind /foo/bar /foo
> > # tail -2 /proc/mounts
> > none /foo tmpfs rw,nosuid,nodev,noexec,noatime,nodiratime 0 0
> > none /foo tmpfs rw 0 0
>
> Reverting this changeset causes both mounts to have the same options.
>
> (Thanks to Stephen Smalley for tracking down the changeset...)
>
Cc: Herbert Poetzl <herbert@13thfloor.at> Cc: Christoph Hellwig <hch@infradead.org> Cc: <Valdis.Kletnieks@vt.edu> Cc: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Andy Whitcroft [Mon, 15 May 2006 16:44:29 +0000 (09:44 -0700)]
[PATCH] root mount failure: emit filesystems attempted
When we fail to mount from a valid root device list out the filesystems we
have tried to mount it with. This gives the user vital diagnostics as to
what is missing from their kernel.
For example in the fragment below the kernel does not have CRAMFS compiled
into the kernel and yet appears to recognise it at the RAMDISK detect
stage. Later the mount fails as we don't have the filesystem.
RAMDISK: cramfs filesystem found at block 0
RAMDISK: Loading 1604KiB [1 disk] into ram disk... done.
XFS: bad magic number
XFS: SB validate failed
No filesystem could mount root, tried: reiserfs ext3 ext2 msdos vfat
iso9660 jfs xfs
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(8,1)
Signed-off-by: Andy Whitcroft <apw@shadowen.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Benjamin LaHaise [Mon, 15 May 2006 16:44:24 +0000 (09:44 -0700)]
[PATCH] Add Core Solo and Core Duo support to oprofile
Add support to oprofile for the Intel Core Solo and Core Duo processors.
See also the patch to add support to oprofile-0.9.1-8.1.1 at
http://www.kvack.org/~bcrl/patches/oprofile/oprofile-core-0.9.1.diff .
Signed-off-by: Benjamin LaHaise <benjamin.c.lahaise@intel.com> Cc: Philippe Elie <phil.el@wanadoo.fr> Cc: John Levon <levon@movementarian.org> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Hua Zhong [Mon, 15 May 2006 16:44:22 +0000 (09:44 -0700)]
[PATCH] fix can_share_swap_page() when !CONFIG_SWAP
can_share_swap_page() is used to check if the page has the last reference.
This avoids allocating a new page for COW if it's the last page.
However, if CONFIG_SWAP is not set, can_share_swap_page() is defined as 0,
thus always causes a copy for the last COW page. The below simple patch
fixes it.
Signed-off-by: Hua Zhong <hzhong@gmail.com> Cc: David Howells <dhowells@redhat.com> Cc: Hugh Dickins <hugh@veritas.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Latchesar Ionkov [Mon, 15 May 2006 16:44:21 +0000 (09:44 -0700)]
[PATCH] v9fs: signal handling fixes
Multiple races can happen when v9fs is interrupted by a signal and Tflush
message is sent to the server. After v9fs sends Tflush it doesn't wait
until it receives Rflush, and possibly the response of the original
message. This behavior may confuse v9fs what fids are allocated by the
file server.
This patch fixes the races and the fid allocation.
Signed-off-by: Latchesar Ionkov <lucho@ionkov.net> Cc: Eric Van Hensbergen <ericvh@hera.kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Richard Purdie [Mon, 15 May 2006 16:44:17 +0000 (09:44 -0700)]
[PATCH] LED: Fix sysfs store function error handling
Fix the error handling of some LED _store functions. This corrects them to
return -EINVAL if the value is not numeric with an optional byte of trailing
whitespace.
Signed-off-by: Richard Purdie <rpurdie@rpsys.net> Cc: Greg KH <greg@kroah.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
The backlight and LCD class _store functions currently accept values like "34
some random strings" without error. This corrects them to return -EINVAL if
the value is not numeric with an optional byte of trailing whitespace.
Signed-off-by: Richard Purdie <rpurdie@rpsys.net> Cc: Greg KH <greg@kroah.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Mike Kravetz [Mon, 15 May 2006 16:44:13 +0000 (09:44 -0700)]
[PATCH] add slab_is_available() routine for boot code
slab_is_available() indicates slab based allocators are available for use.
SPARSEMEM code needs to know this as it can be called at various times
during the boot process.
Signed-off-by: Mike Kravetz <kravetz@us.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Jan Niehusmann [Mon, 15 May 2006 16:44:12 +0000 (09:44 -0700)]
[PATCH] smbfs: Fix slab corruption in samba error path
Yesterday, I got the following error with 2.6.16.13 during a file copy from
a smb filesystem over a wireless link. I guess there was some error on the
wireless link, which in turn caused an error condition for the smb
filesystem.
In the log, smb_file_read reports error=4294966784 (0xfffffe00), which also
shows up in the slab dumps, and also is -ERESTARTSYS. Error code 27499
corresponds to 0x6b6b, so the rq_errno field seems to be the only one being
set after freeing the slab.
In smb_add_request (which is the only place in smbfs where I found
ERESTARTSYS), I found the following:
if (!timeleft || signal_pending(current)) {
/*
* On timeout or on interrupt we want to try and remove the
* request from the recvq/xmitq.
*/
smb_lock_server(server);
if (!(req->rq_flags & SMB_REQ_RECEIVED)) {
list_del_init(&req->rq_queue);
smb_rput(req);
}
smb_unlock_server(server);
}
[...]
if (signal_pending(current))
req->rq_errno = -ERESTARTSYS;
I guess that some codepath like smbiod_flush() caused the request to be
removed from the queue, and smb_rput(req) be called, without
SMB_REQ_RECEIVED being set. This violates an asumption made by the quoted
code.
Then, the above code calls smb_rput(req) again, the req gets freed, and
req->rq_errno = -ERESTARTSYS writes into the already freed slab. As
list_del_init doesn't cause an error if called multiple times, that does
cause the observed behaviour (freed slab with rq_errno=-ERESTARTSYS).
If this observation is correct, the following patch should fix it.
I wonder why the smb code uses list_del_init everywhere - using list_del
instead would catch such situations by poisoning the next and prev
pointers.
May 4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Firmware error detected. Restarting.
May 4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Sysfs 'error' log captured.
May 4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Firmware error detected. Restarting.
May 4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Sysfs 'error' log already exists.
May 4 23:33:02 knautsch kernel: [17180306.968000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:34:18 knautsch kernel: [17180383.256000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:34:18 knautsch kernel: [17180383.284000] SMB connection re-established (-5)
May 4 23:37:19 knautsch kernel: [17180563.956000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:40:09 knautsch kernel: [17180733.636000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:40:26 knautsch kernel: [17180750.700000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:43:02 knautsch kernel: [17180907.304000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:43:08 knautsch kernel: [17180912.324000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:43:34 knautsch kernel: [17180938.416000] smb_errno: class Unknown, code 27499 from command 0x6b
May 4 23:43:34 knautsch kernel: [17180938.416000] Slab corruption: start=c4ebe09c, len=244
May 4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
May 4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
May 4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
May 4 23:43:34 knautsch kernel: [17180938.416000] 0f0: 00 fe ff ff
May 4 23:43:34 knautsch kernel: [17180938.416000] Next obj: start=c4ebe19c, len=244
May 4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
May 4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
May 4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May 4 23:43:34 knautsch kernel: [17180938.416000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May 4 23:43:34 knautsch kernel: [17180938.460000] SMB connection re-established (-5)
May 4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Firmware error detected. Restarting.
May 4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Sysfs 'error' log already exists.
May 4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Firmware error detected. Restarting.
May 4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Sysfs 'error' log already exists.
May 4 23:45:05 knautsch kernel: [17181029.868000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:45:36 knautsch kernel: [17181060.984000] smb_errno: class Unknown, code 27499 from command 0x6b
May 4 23:45:36 knautsch kernel: [17181060.984000] Slab corruption: start=c4ebe09c, len=244
May 4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
May 4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
May 4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
May 4 23:45:36 knautsch kernel: [17181060.984000] 0f0: 00 fe ff ff
May 4 23:45:36 knautsch kernel: [17181060.984000] Next obj: start=c4ebe19c, len=244
May 4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
May 4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
May 4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May 4 23:45:36 knautsch kernel: [17181060.984000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May 4 23:45:36 knautsch kernel: [17181061.024000] SMB connection re-established (-5)
May 4 23:46:17 knautsch kernel: [17181102.132000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:47:46 knautsch kernel: [17181190.468000] smb_errno: class Unknown, code 27499 from command 0x6b
May 4 23:47:46 knautsch kernel: [17181190.468000] Slab corruption: start=c4ebe09c, len=244
May 4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
May 4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
May 4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
May 4 23:47:46 knautsch kernel: [17181190.468000] 0f0: 00 fe ff ff
May 4 23:47:46 knautsch kernel: [17181190.468000] Next obj: start=c4ebe19c, len=244
May 4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
May 4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
May 4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May 4 23:47:46 knautsch kernel: [17181190.468000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May 4 23:47:46 knautsch kernel: [17181190.492000] SMB connection re-established (-5)
May 4 23:49:20 knautsch kernel: [17181284.828000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:49:39 knautsch kernel: [17181303.896000] smb_file_read: //some_file validation failed, error=4294966784
Signed-off-by: Jan Niehusmann <jan@gondor.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Trent Piepho [Mon, 15 May 2006 16:44:06 +0000 (09:44 -0700)]
[PATCH] symbol_put_addr() locks kernel
Even since a previous patch:
Fix race between CONFIG_DEBUG_SLABALLOC and modules
Sun, 27 Jun 2004 17:55:19 +0000 (17:55 +0000)
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/old-2.6-bkcvs.git;a=commit;h=92b3db26d31cf21b70e3c1eadc56c179506d8fbe
The function symbol_put_addr() will deadlock the kernel.
symbol_put_addr() would acquire modlist_lock, then while holding the lock call
two functions kernel_text_address() and module_text_address() which also try
to acquire the same lock. This deadlocks the kernel of course.
This patch changes symbol_put_addr() to not acquire the modlist_lock, it
doesn't need it since it never looks at the module list directly. Also, it
now uses core_kernel_text() instead of kernel_text_address(). The latter has
an additional check for addr inside a module, but we don't need to do that
since we call module_text_address() (the same function kernel_text_address
uses) ourselves.
Signed-off-by: Trent Piepho <xyzzy@speakeasy.org> Cc: Zwane Mwaikambo <zwane@fsmlabs.com> Acked-by: Rusty Russell <rusty@rustcorp.com.au> Cc: Johannes Stezenbach <js@linuxtv.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Add new vmsplice system call and add missing __NR_xxx defines for
sys_set_robust_list, sys_get_robust_list, sys_splice, sys_sync_file_range
and sys_tee.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Mark Huang [Mon, 15 May 2006 16:44:03 +0000 (09:44 -0700)]
[PATCH] initramfs: fix CPIO hardlink check
Copy the filenames of hardlinks when inserting them into the hash, since
the "name" pointer may point to scratch space (name_buf). Not doing so
results in corruption if the scratch space is later overwritten: the wrong
file may be hardlinked, or, if the scratch space contains garbage, the link
will fail and a 0-byte file will be created instead.
Signed-off-by: Mark Huang <mlhuang@cs.princeton.edu> Acked-by: Al Viro <viro@zeniv.linux.org.uk> Cc: "H. Peter Anvin" <hpa@zytor.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Greg Smith [Mon, 15 May 2006 16:44:02 +0000 (09:44 -0700)]
[PATCH] s390: lcs incorrect test
While debugging why our LCS emulator is having some problems I noticed the
following weirdness in drivers/s390/net/lcs.c routine lcs_irq. The `if'
statement is always true since SCHN_STAT_PCI is defined as 0x80.
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Andrew Morton [Mon, 15 May 2006 16:43:59 +0000 (09:43 -0700)]
[PATCH] setup_per_zone_pages_min() overflow fix
As pointed out in http://bugzilla.kernel.org/show_bug.cgi?id=6490, this
function can experience overflows on 32-bit machines, causing our response to
changed values of min_free_kbytes to go whacky.
Fixing it efficiently is all too hard, so fix it with 64-bit math instead.
Cc: Ake Sandgren <ake.sandgren@hpc2n.umu.se> Cc: Martin Bligh <mbligh@google.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Heiko Carstens [Mon, 15 May 2006 16:43:58 +0000 (09:43 -0700)]
[PATCH] RCU: introduce rcu_needs_cpu() interface
With "Paul E. McKenney" <paulmck@us.ibm.com>
Introduce rcu_needs_cpu() interface. This can be used to tell if there
will be a new rcu batch on a cpu soon by looking at the curlist pointer.
This can be used to avoid to enter a tickless idle state where the cpu
would miss that a new batch is ready when rcu_start_batch would be called
on a different cpu.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: "Paul E. McKenney" <paulmck@us.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Olaf Kirch [Mon, 15 May 2006 16:43:57 +0000 (09:43 -0700)]
[PATCH] smbfs chroot issue (CVE-2006-1864)
Mark Moseley reported that a chroot environment on a SMB share can be left
via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix is for
smbfs.
Steven French <sfrench@us.ibm.com> wrote:
Looks fine to me. This should catch the slash on lookup or equivalent,
which will be all obvious paths of interest.
Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Chris Wedgwood [Mon, 15 May 2006 16:43:55 +0000 (09:43 -0700)]
[PATCH] VIA quirk fixup, additional PCI IDs
An earlier commit (75cf7456dd87335f574dcd53c4ae616a2ad71a11) changed an
overly-zealous PCI quirk to only poke those VIA devices that need it.
However, some PCI devices were not included in what I hope is now the full
list. Consequently we're failing to run the quirk on all machines which need
it, causing IRQ routing failures.
This should I hope correct this.
Thanks to Masoud Sharbiani <masouds@masoud.ir> for pointing this out
and testing the fix.
Signed-off-by: Chris Wedgwood <cw@f00f.org> Cc: Greg KH <greg@kroah.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Kylene Jo Hall [Mon, 15 May 2006 16:43:53 +0000 (09:43 -0700)]
[PATCH] tpm: update module dependencies
The TIS driver is dependent upon information from the ACPI table for device
discovery thus it compiles but does no actual work without this dependency.
Signed-off-by: Kylene Hall <kjhall@us.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Stefan Schweizer [Mon, 15 May 2006 16:43:52 +0000 (09:43 -0700)]
[PATCH] Fix capi reload by unregistering the correct major
I am having the bug FATAL: Error inserting capi ([..]/capi.ko): Device or
resource busy when I try to reload capi after loading it. in dmesg:
capi20: unable to get major 68
Fix the issue which is caused by setting the major to zero when registering
the chrdev succeeded.
(akpm: this means that we can again not use `major=0' (dynamic major
allocation) for this driver).
Ian Kent [Mon, 15 May 2006 16:43:51 +0000 (09:43 -0700)]
[PATCH] autofs4: NFY_NONE wait race fix
This patch fixes two problems.
First, the comparison of entries in the waitq.c was incorrect.
Second, the NFY_NONE check was incorrect. The test of whether the dentry
is mounted if ineffective, for example, if an expire fails then we could
wait forever on a non existant expire. The bug was identified by Jeff
Moyer.
The patch changes autofs4 to wait on expires only as this is all that's
needed. If there is no existing wait when autofs4_wait is call with a type
of NFY_NONE it delays until either a wait appears or the the expire flag is
cleared.
Signed-off-by: Ian Kent <raven@themaw.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
The resource struct is still 32-bit, so trying to save a 64-bit memory
size there obviously won't work.
When we merge the 64-bit resource series, we can re-enable this.
Thanks to Sachin Sant and Maneesh Soni for debugging
Cc: Maneesh Soni <maneesh@in.ibm.com> Cc: Sachin Sant <sachinp@in.ibm.com> Cc: Russell King <rmk+lkml@arm.linux.org.uk> Cc: Sharyathi Nagesh <sharyath@in.ibm.com> Cc: Arjan van de Ven <arjan@infradead.org> Cc: Vivek Goyal <vgoyal@in.ibm.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Linus Torvalds [Sat, 13 May 2006 01:42:09 +0000 (18:42 -0700)]
Alternative fix for MMC oops on unmount after removal
Make sure to clear the driverfs_dev pointer when we do del_gendisk() (on
disk removal), so that other users that may still have a ref to the disk
won't try to use the stale pointer.
Also move the KOBJ_REMOVE uevent handler up, so that the uevent still
has access to the driverfs_dev data.