Hugh Dickins [Tue, 22 Nov 2005 05:32:12 +0000 (21:32 -0800)]
[PATCH] unpaged: private write VM_RESERVED
The PageReserved removal in 2.6.15-rc1 issued a "deprecated" message when you
tried to mmap or mprotect MAP_PRIVATE PROT_WRITE a VM_RESERVED, and failed
with -EACCES: because do_wp_page lacks the refinement to COW pages in those
areas, nor do we expect to find anonymous pages in them; and it seemed just
bloat to add code for handling such a peculiar case. But immediately it
caused vbetool and ddcprobe (using lrmi) to fail.
So revert the "deprecated" messages, letting mmap and mprotect succeed. But
leave do_wp_page's BUG_ON(vma->vm_flags & VM_RESERVED) in place until we've
added the code to do it right: so this particular patch is only good if the
app doesn't really need to write to that private area.
Hugh Dickins [Tue, 22 Nov 2005 05:32:11 +0000 (21:32 -0800)]
[PATCH] unpaged: get_user_pages VM_RESERVED
The PageReserved removal in 2.6.15-rc1 prohibited get_user_pages on the areas
flagged VM_RESERVED in place of PageReserved. That is correct in theory - we
ought not to interfere with struct pages in such a reserved area; but in
practice it broke BTTV for one.
So revert to prohibiting only on VM_IO: if someone gets into trouble with
get_user_pages on VM_RESERVED, it'll just be a "don't do that".
You can argue that videobuf_mmap_mapper shouldn't set VM_RESERVED in the first
place, but now's not the time for breaking drivers without notice.
Jeff Dike [Tue, 22 Nov 2005 05:32:10 +0000 (21:32 -0800)]
[PATCH] uml: eliminate use of libc PAGE_SIZE
On some systems, libc PAGE_SIZE calls getpagesize, which can't happen from a
stub. So, I use UM_KERN_PAGE_SIZE, which is less variable in its definition,
instead.
Signed-off-by: Jeff Dike <jdike@addtoit.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Jeff Dike [Tue, 22 Nov 2005 05:32:09 +0000 (21:32 -0800)]
[PATCH] uml: properly invoke x86_64 system calls
This patch makes stub_segv use the stub_syscall macros. This was needed
anyway, but the bug that prompted this was the discovery that gcc was storing
stuff in RCX, which is trashed across a system call. This is exactly the sort
of problem that the new macros fix.
There is a stub_syscall0 for getpid. stub_segv was changed to be a libc file,
and that caused some include changes.
Signed-off-by: Jeff Dike <jdike@addtoit.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Jeff Dike [Tue, 22 Nov 2005 05:32:04 +0000 (21:32 -0800)]
[PATCH] uml: eliminate use of local in clone stub
We have a bug in the i386 stub_syscall6 which pushes ebp before the system
call and pops it afterwards. Because we use syscall6 to remap the stack, the
old contents of the stack (and the former value of ebp) are no longer
available. Some versions of gcc make from a real local, accessed through ebp,
despite my efforts to make it obvious that references to from are really
constants. This patch attempts to make it even more obvious by eliminating
from and using a macro to access the stub's data explicitly with constants.
My original thinking on this was to replace syscall6 with a remap_stack
interface which saved ebp someplace and restored it afterwards. The problem
is that there are no registers to put it in, except for esp. That could work,
since we can store a constant in esp after the mmap because we just replaced
the stack. However, this approach seems a tad cleaner.
Signed-off-by: Jeff Dike <jdike@addtoit.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
hawkes@sgi.com [Fri, 18 Nov 2005 19:30:34 +0000 (11:30 -0800)]
[IA64] fix bug in sn/ia64 for sparse CPU numbering
The kernel's use of the for_each_*cpu(i) macros has allowed for sparse CPU
numbering. When I hacked the kernel to test sparse cpu_present_map[] and
cpu_possible_map[] cpumasks, I discovered one remaining spot, in
sn_hwperf_ioctl() during sn initialization, that needs to be fixed.
Signed-off-by: John Hawkes <hawkes@sgi.com> Signed-off-by: Dean Roe <roe@sgi.com> Signed-off-by: Tony Luck <tony.luck@intel.com>
Jens Axboe [Mon, 21 Nov 2005 18:49:41 +0000 (19:49 +0100)]
[PATCH] as-iosched: remove state assertion in as_add_request()
Kill the arq->state poison statement in as_add_request(), it can trigger
for perfectly valid code that just reuses a request after io completion
instead of freeing it and allocating a new one. We probably should
introduce a blk_init_request() to start from scratch, but for now just
kill it as we will be removing the as specific poisoning soon.
Russell King [Mon, 21 Nov 2005 15:26:18 +0000 (15:26 +0000)]
[ARM] Add asm/memory.h to asm/numnodes.h
Since the defintion of NODES_SHIFT may be overridden in asm/arch/memory.h
it's important to include asm/memory.h into asm/numnodes.h to ensure
that the correct value is always defined.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Nicolas Kaiser [Mon, 21 Nov 2005 05:11:31 +0000 (21:11 -0800)]
[NETFILTER]: Remove ARRAY_SIZE duplicate
Signed-off-by: Nicolas Kaiser <nikai@nikai.net> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Yasuyuki Kozakai [Mon, 21 Nov 2005 05:09:55 +0000 (21:09 -0800)]
[NETFILTER]: fixed dependencies between modules related with ip_conntrack
- IP_NF_CONNTRACK_MARK is bool and depends on only IP_NF_CONNTRACK
which is tristate. If a variable depends on IP_NF_CONNTRACK_MARK and
doesn't care about IP_NF_CONNTRACK, it can be y. This must be avoided.
- IP_NF_CT_ACCT has same problem.
- IP_NF_TARGET_CLUSTERIP also depends on IP_NF_MANGLE.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Yan Zheng [Sun, 20 Nov 2005 21:42:20 +0000 (13:42 -0800)]
[IPV6]: Acquire addrconf_hash_lock for read in addrconf_verify(...)
addrconf_verify(...) only traverse address hash table when
addrconf_hash_lock is held for writing, and it may hold
addrconf_hash_lock for a long time. So I think it's better to acquire
addrconf_hash_lock for reading instead of writing
Signed-off-by: Yan Zheng <yanzheng@21cn.com> Signed-off-by: David S. Miller <davem@davemloft.net>
From: Alexandra Kossovsky <Alexandra.Kossovsky@oktetlabs.ru>
From http://bugzilla.kernel.org/show_bug.cgi?id=4746
There is user data corruption when using ioctl(SIOCGIFCONF) in 32-bit
application running amd64 kernel. I do not think that this problem is
exploitable, but any data corruption may lead to security problems.
Following code demonstrates the problem
main()
{
int s = socket(AF_INET, SOCK_DGRAM, 0);
struct ifconf req;
int i;
req.ifc_buf = buf;
req.ifc_len = 41;
printf("Result %d\n", ioctl(s, SIOCGIFCONF, &req));
printf("Len %d\n", req.ifc_len);
for (i = 41; i < 256; i++)
if (buf[i] != 0)
printf("Byte %d is corrupted\n", i);
}
Steps to reproduce:
Compile the code above into 32-bit elf and run it. You'll get
Result 0
Len 32
Byte 48 is corrupted
Byte 52 is corrupted
Byte 53 is corrupted
Byte 54 is corrupted
Byte 55 is corrupted
Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Andrea Bittau [Sun, 20 Nov 2005 21:41:05 +0000 (13:41 -0800)]
[PKT_SCHED]: sch_netem: correctly order packets to be sent simultaneously
If two packets were queued to be sent at the same time in the future,
their order would be reversed. This would occur because the queue is
traversed back to front, and a position is found by checking whether
the new packet needs to be sent before the packet being examined. If
the new packet is to be sent at the same time of a previous packet, it
would end up before the old packet in the queue. This patch places
packets in the correct order when they are queued to be sent at a same
time in the future.
Signed-off-by: Andrea Bittau <a.bittau@cs.ucl.ac.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
Dmitry Torokhov [Sun, 20 Nov 2005 05:56:43 +0000 (00:56 -0500)]
Input: make serio and gameport more swsusp friendly
kseriod and kgameportd used to process all pending events before
checking for freeze condition. This may cause swsusp to time out
while stopping tasks when resuming. Switch to process events one
by one to check freeze status more often.
Dmitry Torokhov [Sun, 20 Nov 2005 05:51:43 +0000 (00:51 -0500)]
Input: uinput - don't use "interruptible" in FF code
If thread that submitted FF request gets interrupted somehow it
will release request structure and ioctl handler will work with
freed memory. TO prevent that from happening switch to using
wait_for_completion instead of wait_for_completion_interruptible.
Input: wistron - add support for Acer Aspire 1500 notebooks
Also fix a potential issue with some notebooks:
The current code assumes the response to bios_wifi_get_default_setting is
either 1 (disabled) or 3 (enabled), or wifi isn't supported. The BIOS
response appears to be a bit field w/ 0x1 indicating hardware presence, 0x2
indicating actiation status, and the other 6 bits being unknown/reserved --
with the patch, these 6 bits are ignored.
Signed-off-by: Bernhard Rosenkraenzer <bero@arklinux.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Dmitry Torokhov [Sun, 20 Nov 2005 05:50:06 +0000 (00:50 -0500)]
Input: add Wistron driver
A driver for laptop buttons using an x86 BIOS interface that is
apparently used on quite a few laptops and seems to be originating
from Wistron.
This driver currently "knows" only about Fujitsu-Siemens Amilo Pro V2000
(i.e. it can detect the laptop using DMI and it contains the
keycode->key meaning mapping for this laptop) and Xeron SonicPro X 155G
(probably can't be reliably autodetected, requires a module parameter),
adding other laptops should be easy.
In addition to reporting button presses to the input layer the driver
also allows enabling/disabling the embedded wireless NIC (using the
"Wifi" button); this is done using the same BIOS interface, so it seems
only logical to keep the implementation together. Any flexibility
possibly gained by allowing users to remap the function of the "Wifi"
button is IMHO not worth it when weighted against the necessity to run
an user-space daemon to convert button presses to wifi state changes.
Dmitry Torokhov [Sun, 20 Nov 2005 05:49:42 +0000 (00:49 -0500)]
Input: atkbd - speed up setting leds/repeat state
Changing led state is pretty slow operation; when there are multiple
requests coming at a high rate they may interfere with normal typing.
Try optimize (skip) changing hardware state when multiple requests
are coming back-to-back.
Russell King [Sat, 19 Nov 2005 11:10:35 +0000 (11:10 +0000)]
[SERIAL] Fix status reporting with PL011 serial driver
The receiver status register reports latched error conditions, which
must be cleared by writing to it. However, the data register reports
unlatched conditions which are associated with the current character.
Use the data register to interpret error status rather than the RSR.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Paul Mackerras [Sat, 19 Nov 2005 10:24:55 +0000 (21:24 +1100)]
powerpc: Fix bug in timebase synchronization on 32-bit SMP powermac
We were using udelay in the loop on the primary cpu waiting for the
secondary cpu to take the timebase value. Unfortunately now that
udelay uses the timebase, and the timebase is stopped at this point,
the udelay never terminated. This fixes it by not using udelay, and
increases the number of loops before we time out to compensate.
[ARM] 3168/1: Update ARM signal delivery and masking
Patch from Daniel Jacobowitz
After delivering a signal (creating its stack frame) we must check for
additional pending unblocked signals before returning to userspace.
Otherwise signals may be delayed past the next syscall or reschedule.
Once that was fixed it became obvious that the ARM signal mask manipulation
was broken. It was a little bit broken before the recent SA_NODEFER
changes, and then very broken after them. We must block the requested
signals before starting the handler or the same signal can be delivered
again before the handler even gets a chance to run.
Signed-off-by: Daniel Jacobowitz <dan@codesourcery.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Paul Mackerras [Sat, 19 Nov 2005 09:46:04 +0000 (20:46 +1100)]
powerpc: Merge pci.h
This involves some minor changes: a few unused functions that the
ppc32 pci.c provides are no longer declared here or exported;
pcibios_assign_all_busses now just refers to the pci_assign_all_buses
variable on both 32-bit and 64-bit; pcibios_scan_all_fns is now
just 0 instead of a function that always returns 0 on 64-bit.
David Gibson [Wed, 16 Nov 2005 04:43:48 +0000 (15:43 +1100)]
[PATCH] powerpc: Remove imalloc.h
asm-ppc64/imalloc.h is only included from files in arch/powerpc/mm.
We already have a header for mm local definitions,
arch/powerpc/mm/mmu_decl.h. Thus, this patch moves the contents of
imalloc.h into mmu_decl.h. The only exception are the definitions of
PHBS_IO_BASE, IMALLOC_BASE and IMALLOC_END. Those are moved into
pgtable.h, next to similar definitions of VMALLOC_START and
VMALLOC_SIZE.
Built for multiplatform 32bit and 64bit (ARCH=powerpc).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Paul Mackerras <paulus@samba.org>
Trying to set the priority would just disable the interrupt due to an
incorrect mask used. We rarely use that call, in fact, I think only in
the powermac code for the cmd-power key combo that triggers xmon. So it
got unnoticed for a while.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Paul Mackerras <paulus@samba.org>
Roland Dreier [Fri, 18 Nov 2005 22:18:26 +0000 (14:18 -0800)]
IB/umad: make sure write()s have sufficient data
Make sure that userspace passes in enough data when sending a MAD. We
always copy at least sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR
bytes from userspace, so anything less is definitely invalid. Also,
if the length is less than this limit, it's possible for the second
copy_from_user() to get a negative length and trigger a BUG().
James Bottomley [Fri, 18 Nov 2005 22:13:33 +0000 (23:13 +0100)]
[PATCH] ide: fix ide_toggle_bounce() to not try to bounce if we have an IOMMU
The following patch fixes a crash caused by attempting to bounce buffer
when an IDE CD-ROM is used on a machine with an IO-MMU. [At least, this
patch fixes things so I can use my IDE CD-ROM behind an ns87415 on a
HP PA-RISC workstation.]
Calculation of QP capabilities still isn't exactly right in mthca:
max_send_sge/max_recv_sge fields returned in create_qp can exceed the
handware supported limits.
Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Jody McIntyre [Mon, 7 Nov 2005 11:29:39 +0000 (06:29 -0500)]
sbp2_command_orb_lock must be held when accessing the _orb_inuse list.
Fixes an oops in sbp2util_find_command_for_SCpnt after sbp2scsi_abort:
https://bugzilla.novell.com/show_bug.cgi?id=113734
Signed-off-by: Jody McIntyre <scjody@steamballoon.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
(cherry picked from 7945619794314414a5c44df11fca4d3f2a3389cf commit)