- 08 Sep, 2006 26 commits
-
-
David S. Miller authored
[PKTGEN]: Make sure skb->{nh,h} are initialized in fill_packet_ipv6() too. Mirror the bug fix from fill_packet_ipv4() Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Robin Holt authored
Jack Steiner identified a problem where XPC can cause a silent data corruption. On module load, the placement may cause the xpc_remote_copy_buffer to span two physical pages. DMA transfers are done to the start virtual address translated to physical. This patch changes the buffer from a statically allocated buffer to a kmalloc'd buffer. Dean Nelson reviewed this before posting. I have tested it in the configuration that was showing the memory corruption and verified it works. I also added a BUG_ON statement to help catch this if a similar situation is encountered. Signed-off-by: Robin Holt <holt@sgi.com> Signed-off-by: Dean Nelson <dcn@sgi.com> Signed-off-by: Jack Steiner <steiner@sgi.com> Signed-off-by: Tony Luck <tony.luck@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Alan Stern authored
When skipping to the last TD of an URB, go to the _last_ entry in the list instead of the _first_ entry (as780). This fixes Bugzilla #6747 and possibly others. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Ernie Petrides authored
Fix check for bad address; use macro instead of open-coding two checks. Taken from RHEL4 kernel update. For background, the BAD_ADDR() macro should return TRUE if the address is TASK_SIZE, because that's the lowest address that is *not* valid for user-space mappings. The macro was correct in binfmt_aout.c but was wrong for the "equal to" case in binfmt_elf.c. There were two in-line validations of user-space addresses in binfmt_elf.c, which have been appropriately converted to use the corrected BAD_ADDR() macro in the patch you posted yesterday. Note that the size checks against TASK_SIZE are okay as coded. The additional changes that I propose are below. These are in the error paths for bad ELF entry addresses once load_elf_binary() has already committed to exec'ing the new image (following the tearing down of the task's original address space). The 1st hunk deals with the interp-side of the outer "if". There were two problems here. The printk() should be removed because this path can be triggered at will by a bogus interpreter image created and used by a malicious user. Further, the error code should not be ENOEXEC, because that causes the loop in search_binary_handler() to continue trying other exec handlers (twice, in fact). But it's too late for this to work correctly, because the user address space has already been torn down, and an exec() failure cannot be returned to the user code because the code no longer exists. The only recovery is to force a SIGSEGV, but it's best to terminate the search loop immediately. I somewhat arbitrarily chose EINVAL as a fallback error code, but any error returned by load_elf_interp() will override that (but this value will never be seen by user-space). The 2nd hunk deals with the non-interp-side of the outer "if". There were two problems here as well. The SIGSEGV needs to be forced, because a prior sigaction() syscall might have set the associated disposition to SIG_IGN. And the ENOEXEC should be changed to EINVAL as described above. Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Christian Borntraeger authored
This patch adds a barrier() in futex unqueue_me to avoid aliasing of two pointers. On my s390x system I saw the following oops: Unable to handle kernel pointer dereference at virtual kernel address 0000000000000000 Oops: 0004 [#1] CPU: 0 Not tainted Process mytool (pid: 13613, task: 000000003ecb6ac0, ksp: 00000000366bdbd8) Krnl PSW : 0704d00180000000 00000000003c9ac2 (_spin_lock+0xe/0x30) Krnl GPRS: 00000000ffffffff 000000003ecb6ac0 0000000000000000 0700000000000000 0000000000000000 0000000000000000 000001fe00002028 00000000000c091f 000001fe00002054 000001fe00002054 0000000000000000 00000000366bddc0 00000000005ef8c0 00000000003d00e8 0000000000144f91 00000000366bdcb8 Krnl Code: ba 4e 20 00 12 44 b9 16 00 3e a7 84 00 08 e3 e0 f0 88 00 04 Call Trace: ([<0000000000144f90>] unqueue_me+0x40/0xe4) [<0000000000145a0c>] do_futex+0x33c/0xc40 [<000000000014643e>] sys_futex+0x12e/0x144 [<000000000010bb00>] sysc_noemu+0x10/0x16 [<000002000003741c>] 0x2000003741c The code in question is: static int unqueue_me(struct futex_q *q) { int ret = 0; spinlock_t *lock_ptr; /* In the common case we don't take the spinlock, which is nice. */ retry: lock_ptr = q->lock_ptr; if (lock_ptr != 0) { spin_lock(lock_ptr); /* * q->lock_ptr can change between reading it and * spin_lock(), causing us to take the wrong lock. This * corrects the race condition. [...] and my compiler (gcc 4.1.0) makes the following out of it: 00000000000003c8 <unqueue_me>: 3c8: eb bf f0 70 00 24 stmg %r11,%r15,112(%r15) 3ce: c0 d0 00 00 00 00 larl %r13,3ce <unqueue_me+0x6> 3d0: R_390_PC32DBL .rodata+0x2a 3d4: a7 f1 1e 00 tml %r15,7680 3d8: a7 84 00 01 je 3da <unqueue_me+0x12> 3dc: b9 04 00 ef lgr %r14,%r15 3e0: a7 fb ff d0 aghi %r15,-48 3e4: b9 04 00 b2 lgr %r11,%r2 3e8: e3 e0 f0 98 00 24 stg %r14,152(%r15) 3ee: e3 c0 b0 28 00 04 lg %r12,40(%r11) /* write q->lock_ptr in r12 */ 3f4: b9 02 00 cc ltgr %r12,%r12 3f8: a7 84 00 4b je 48e <unqueue_me+0xc6> /* if r12 is zero then jump over the code.... */ 3fc: e3 20 b0 28 00 04 lg %r2,40(%r11) /* write q->lock_ptr in r2 */ 402: c0 e5 00 00 00 00 brasl %r14,402 <unqueue_me+0x3a> 404: R_390_PC32DBL _spin_lock+0x2 /* use r2 as parameter for spin_lock */ So the code becomes more or less: if (q->lock_ptr != 0) spin_lock(q->lock_ptr) instead of if (lock_ptr != 0) spin_lock(lock_ptr) Which caused the oops from above. After adding a barrier gcc creates code without this problem: [...] (the same) 3ee: e3 c0 b0 28 00 04 lg %r12,40(%r11) 3f4: b9 02 00 cc ltgr %r12,%r12 3f8: b9 04 00 2c lgr %r2,%r12 3fc: a7 84 00 48 je 48c <unqueue_me+0xc4> 400: c0 e5 00 00 00 00 brasl %r14,400 <unqueue_me+0x38> 402: R_390_PC32DBL _spin_lock+0x2 As a general note, this code of unqueue_me seems a bit fishy. The retry logic of unqueue_me only works if we can guarantee, that the original value of q->lock_ptr is always a spinlock (Otherwise we overwrite kernel memory). We know that q->lock_ptr can change. I dont know what happens with the original spinlock, as I am not an expert with the futex code. Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Rusty Russell <rusty@rustcorp.com.au> Acked-by: Ingo Molnar <mingo@redhat.com> Cc: Thomas Gleixner <tglx@timesys.com> Signed-off-by: Christian Borntraeger <borntrae@de.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Trond Myklebust authored
fcntl(F_SETSIG) no longer works on leases because lease_release_private_callback() gets called as the lease is copied in order to initialise it. The problem is that lease_alloc() performs an unnecessary initialisation, which sets the lease_manager_ops. Avoid the problem by allocating the target lease structure using locks_alloc_lock(). Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
YOSHIFUJI Hideaki authored
[IPV6]: Fix kernel OOPs when setting sticky socket options. Bug noticed by Remi Denis-Courmont <rdenis@simphalempin.com>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Sridhar Samudrala authored
With the recent fix, the callers of sctp_primitive_ABORT() need to create an ABORT chunk and pass it as an argument rather than msghdr that was passed earlier. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
[SPARC64]: Fix X server hangs due to large pages. This problem was introduced by changeset 14778d90 Unlike the hugetlb code paths, the normal fault code is not setup to propagate PTE changes for large page sizes correctly like the ones we make for I/O mappings in io_remap_pfn_range(). It is absolutely necessary to update all sub-ptes of a largepage mapping on a fault. Adding special handling for this would add considerably complexity to tlb_batch_add(). So let's just side-step the issue and forcefully dirty any writable PTEs created by io_remap_pfn_range(). The only other real option would be to disable to large PTE code of io_remap_pfn_range() and we really don't want to do that. Much thanks to Mikael Pettersson for tracking down this problem and testing debug patches. Signed-off-by: David S. Miller <davem@davemloft.net>
-
Michael Chan authored
Disable TSO by default on some chips due to hardware errata. Enabling TSO can lead to tx timeouts in some cases when the TSO header size exceeds 80 bytes on the affected chips. This limit can be exceeded when the TCP header contains the timestamp option plus 2 SACK blocks, for example. A more complete workaround is available in the next 2.6.18 kernel. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Neil Brown authored
The device-mapper core does not perform any remapping of bios before passing them to the targets. If a particular mapping begins part-way into a device, targets obtain the sector relative to the start of the mapping by subtracting ti->begin. The dm-raid1 target didn't do this everywhere: this patch fixes it, taking care to subtract ti->begin exactly once for each bio. [akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled] Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Jeff Mahoney authored
In alloc_dev(), we register the device with the block layer and then continue to initialize the device. But register_disk() makes the device available to be opened before we have completed initialising it. This patch moves the final bits of the initialization above the disk registration. [akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled] Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Jeff Mahoney authored
The reference counting on dm-mod is zero if no mapped devices are open. This is incorrect, and can lead to an oops if the module is unloaded while mapped devices exist. This patch claims a reference to the module whenever a device is created, and drops it again when the device is freed. Devices must be removed before dm-mod is unloaded. [akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled] Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Jeff Mahoney authored
To avoid races, _minor_lock must be held while changing mapped device reference counts. There are a few paths where a mapped_device pointer is returned before a reference is taken. This patch fixes them. [akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled] Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Jeff Mahoney authored
There is a chicken and egg problem between the block layer and dm in which the gendisk associated with a mapping keeps a reference-less pointer to the mapped_device. This patch uses a new flag DMF_FREEING to indicate when the mapped_device is no longer valid. This is checked to prevent any attempt to open the device from succeeding while the device is being destroyed. [akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled] Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Jeff Mahoney authored
While removing a device, another another thread might attempt to resurrect it. This patch replaces the _minor_lock mutex with a spinlock and uses atomic_dec_and_lock() to serialize reference counting in dm_put(). [akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled] Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Jeff Mahoney authored
idr_pre_get() can sleep while allocating memory. The next patch will change _minor_lock into a spinlock, so this patch moves idr_pre_get() outside the lock in preparation. [akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled] Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Jeff Mahoney authored
One part of the system can attempt to use a mapped device before another has finished initialising it or while it is being freed. This patch introduces a place holder value, MINOR_ALLOCED, to mark the minor as allocated but in a state where it can't be used, such as mid-allocation or mid-free. At the end of the initialization, it replaces the place holder with the pointer to the mapped_device, making it available to the rest of the dm subsystem. [akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled] Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Alasdair G Kergon authored
Persistent snapshots currently store a private copy of the chunk size. Userspace also supplies the chunk size when loading a snapshot. Ensure consistency by only storing the chunk_size in one place instead of two. Currently the two sizes will differ if the chunk size supplied by userspace does not match the chunk size an existing snapshot actually uses. Amongst other problems, this causes an incorrect 'percentage full' to be reported. The patch ensures consistency by only storing the chunk_size in one place, removing it from struct pstore. Some initialisation is delayed until the correct chunk_size is known. If read_header() discovers that the wrong chunk size was supplied, the 'area' buffer (which the header already got read into) is reinitialised to the correct size. [akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled] Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Neil Brown authored
This prevents bad inode numbers from triggering errors in ext2_get_inode. Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Stephen Hemminger authored
There are black box devices out there, routers and firewalls and whatnot, that simply cannot grok the TCP window scaling option correctly. People should and do bark at the site running the device causing the problems, but in the mean time folks do want a way to deal with the problem. We don't want them to turn off window scaling completely as that hurts performance of connections that would run just fine with window scaling enabled. So give a way to do this on a per-route basis by limiting the window scaling by the per-connection window clamp. Stephen's changelog message explains how to do this using a route metric. [TCP]: Limit window scaling if window is clamped. This small change allows for easy per-route workarounds for broken hosts or middleboxes that are not compliant with TCP standards for window scaling. Rather than having to turn off window scaling globally. This patch allows reducing or disabling window scaling if window clamp is present. Example: Mark Lord reported a problem with 2.6.17 kernel being unable to access http://www.everymac.com # ip route add 216.145.246.23/32 via 10.8.0.1 window 65535 Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Stephen Hemminger authored
The bridge netfilter code needs to check for space at the front of the skb before overwriting; otherwise if skb from device doesn't have headroom, then it will cause random memory corruption. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Fernando Vazquez authored
The commit 8833ebaa introduced a change that broke IA64 compilation as shown below: gcc -Wp,-MD,arch/ia64/kernel/.entry.o.d -nostdinc -isystem /usr/lib/gcc/ia64-linux-gnu/4.1.2/include -D__KERNEL__ -Iinclude -include include/linux/autoconf.h -DHAVE_WORKING_TEXT_ALIGN -DHAVE_MODEL_SMALL_ATTRIBUTE -DHAVE_SERIALIZE_DIRECTIVE -D__ASSEMBLY__ -mconstant-gp -c -o arch/ia64/kernel/entry.o arch/ia64/kernel/entry.S include/asm/mman.h: Assembler messages: include/asm/mman.h:13: Error: Unknown opcode `int ia64_map_check_rgn(unsigned long addr,unsigned long len,' include/asm/mman.h:14: Error: Unknown opcode `unsigned long flags)' make[1]: *** [arch/ia64/kernel/entry.o] Error 1 make: *** [arch/ia64/kernel] Error 2 The reason is that "asm/mman.h" is being included from entry.S indirectly through "asm/pgtable.h" (see code snips below). * arch/ia64/kernel/entry.S: ... #include <asm/pgtable.h> ... * include/asm-ia64/pgtable.h: ... #include <asm/mman.h> ... * include/asm-ia64/mman.h ... #ifdef __KERNEL__ #define arch_mmap_check ia64_map_check_rgn int ia64_map_check_rgn(unsigned long addr, unsigned long len, unsigned long flags); #endif ... Signed-off-by: Fernando Vazquez <fernando@intellilink.co.jp> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Herbert Xu authored
[INET]: Use pskb_trim_unique when trimming paged unique skbs The IPv4/IPv6 datagram output path was using skb_trim to trim paged packets because they know that the packet has not been cloned yet (since the packet hasn't been given to anything else in the system). This broke because skb_trim no longer allows paged packets to be trimmed. Paged packets must be given to one of the pskb_trim functions instead. This patch adds a new pskb_trim_unique function to cover the IPv4/IPv6 datagram output path scenario and replaces the corresponding skb_trim calls with it. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Richard Purdie authored
This fixes firmware upload failures which prevent the driver from working. Signed-off-by: Richard Purdie <rpurdie@rpsys.net> Cc: Dominik Brodowski <linux@dominikbrodowski.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Michael Rash authored
[TEXTSEARCH]: Fix Boyer Moore initialization bug The pattern is set after trying to compute the prefix table, which tries to use it. Initialize it before calling compute_prefix_tbl, make compute_prefix_tbl consistently use only the data from struct ts_bm and remove the now unnecessary arguments. Signed-off-by: Michael Rash <mbr@cipherdyne.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Acked-by: David Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
- 23 Aug, 2006 14 commits
-
-
Greg Kroah-Hartman authored
-
Danny Tholen authored
Recently a patch was added for preliminary suspend/resume handling on !PPC_PMAC. However, this broke both suspend and firewire on powerpc because it saves the pci state after the device has already been disabled. This moves the save state to before the pmac specific code. Signed-off-by: Danny Tholen <obiwan@mailmij.org> Cc: Stefan Richter <stefanr@s5r6.in-berlin.de> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Ben Collins <bcollins@ubuntu.com> Cc: Jody McIntyre <scjody@modernduck.com> Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
NeilBrown authored
At the point where this 'atomic_add' is, rdev could be NULL, as seen by the fact that we test for this in the very next statement. Further is it is really the wrong place of the add. We could add to the count of corrected errors once the are sure it was corrected, not before trying to correct it. Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> diff .prev/drivers/md/raid1.c ./drivers/md/raid1.c
-
Rafael J. Wysocki authored
There is a bug in mm/swapfile.c#swap_type_of() that makes swsusp only be able to use the first active swap partition as the resume device. Fix it. Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Cc: Hugh Dickins <hugh@veritas.com> Acked-by: Pavel Machek <pavel@suse.cz> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Michal Miroslaw authored
Fix BUG I tripped on while testing failover and multipathing. BUG shows up on error path in multipath_ctr() when parse_priority_group() fails after returning at least once without error. The fix is to initialize m->ti early - just after alloc()ing it. BUG: unable to handle kernel NULL pointer dereference at virtual address 00000000 printing eip: c027c3d2 *pde = 00000000 Oops: 0000 [#3] Modules linked in: qla2xxx ext3 jbd mbcache sg ide_cd cdrom floppy CPU: 0 EIP: 0060:[<c027c3d2>] Not tainted VLI EFLAGS: 00010202 (2.6.17.3 #1) EIP is at dm_put_device+0xf/0x3b eax: 00000001 ebx: ee4fcac0 ecx: 00000000 edx: ee4fcac0 esi: ee4fc4e0 edi: ee4fc4e0 ebp: 00000000 esp: c5db3e78 ds: 007b es: 007b ss: 0068 Process multipathd (pid: 15912, threadinfo=c5db2000 task=ef485a90) Stack: ec4eda40 c02816bd ee4fc4c0 00000000 f7e89498 f883e0bc c02816f6 f7e89480 f7e8948c c0281801 ffffffea f7e89480 f883e080 c0281ffe 00000001 00000000 00000004 dfe9cab8 f7a693c0 f883e080 f883e0c0 ca4b99c0 c027c6ee 01400000 Call Trace: <c02816bd> free_pgpaths+0x31/0x45 <c02816f6> free_priority_group+0x25/0x2e <c0281801> free_multipath+0x35/0x67 <c0281ffe> multipath_ctr+0x123/0x12d <c027c6ee> dm_table_add_target+0x11e/0x18b <c027e5b4> populate_table+0x8a/0xaf <c027e62b> table_load+0x52/0xf9 <c027ec23> ctl_ioctl+0xca/0xfc <c027e5d9> table_load+0x0/0xf9 <c0152146> do_ioctl+0x3e/0x43 <c0152360> vfs_ioctl+0x16c/0x178 <c01523b4> sys_ioctl+0x48/0x60 <c01029b3> syscall_call+0x7/0xb Code: 97 f0 00 00 00 89 c1 83 c9 01 80 e2 01 0f 44 c1 88 43 14 8b 04 24 59 5b 5e 5f 5d c3 53 89 c1 89 d3 ff 4a 08 0f 94 c0 84 c0 74 2a <8b> 01 8b 10 89 d8 e8 f6 fb ff ff 8b 03 8b 53 04 89 50 04 89 02 EIP: [<c027c3d2>] dm_put_device+0xf/0x3b SS:ESP 0068:c5db3e78 Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl> Acked-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Alexey Kuznetsov authored
[IPV4]: severe locking bug in fib_semantics.c Found in 2.4 by Yixin Pan <yxpan@hotmail.com>. > When I read fib_semantics.c of Linux-2.4.32, write_lock(&fib_info_lock) = > is used in fib_release_info() instead of write_lock_bh(&fib_info_lock). = > Is the following case possible: a BH interrupts fib_release_info() while = > holding the write lock, and calls ip_check_fib_default() which calls = > read_lock(&fib_info_lock), and spin forever. Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Kirill Korotaev authored
This patch prevents cross-region mappings on IA64 and SPARC which could lead to system crash. davem@ confirmed: "This looks fine to me." :) Signed-Off-By: Pavel Emelianov <xemul@openvz.org> Signed-Off-By: Kirill Korotaev <dev@openvz.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Patrick McHardy authored
[NETFILTER]: ip_tables: fix table locking in ipt_do_table table->private might change because of ruleset changes, don't use it without holding the lock. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Daniel Ritz authored
- add the ICH6(R) LPC to the ICH6 ACPI quirks. currently only the ICH6-M is handled. [ PCI_DEVICE_ID_INTEL_ICH6_1 is the ICH6-M LPC, ICH6_0 is the ICH6(R) ] - remove the wrong quirk calling asus_hides_smbus_lpc() for ICH6. the register modified in asus_hides_smbus_lpc() has a different meaning in ICH6. Signed-off-by: Daniel Ritz <daniel.ritz@gmx.ch> Cc: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Olaf Hering authored
The icom driver uses request_firmware() and thus needs to select FW_LOADER. Signed-off-by: maximilian attems <maks@sternwelten.at> Signed-off-by: Olaf Hering <olh@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Kirill Korotaev authored
sys_getppid() optimization can access a freed memory. On kernels with DEBUG_SLAB turned ON, this results in Oops. As Dave Hansen noted, this optimization is also unsafe for memory hotplug. So this patch always takes the lock to be safe. [oleg@tv-sign.ru: simplifications] Signed-off-by: Kirill Korotaev <dev@openvz.org> Cc: Dave Hansen <haveblue@us.ibm.com> Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Mark Huang authored
[NETFILTER]: ulog: fix panic on SMP kernels Fix kernel panic on various SMP machines. The culprit is a null ub->skb in ulog_send(). If ulog_timer() has already been scheduled on one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the queue on another CPU by calling ulog_send() right before it exits, there will be no skbuff when ulog_timer() acquires the lock and calls ulog_send(). Cancelling the timer in ulog_send() doesn't help because it has already been scheduled and is running on the first CPU. Similar problem exists in ebt_ulog.c and nfnetlink_log.c. Signed-off-by: Mark Huang <mlhuang@cs.princeton.edu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Kylene Jo Hall authored
Under stress testing I found that the interrupt is not always cleared. This is a bug and this patch should go into 2.6.18 and 2.6.17.x. Signed-off-by: Kylene Hall <kjhall@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Stephen Hemminger authored
This patch will linearize and check there is enough data. It handles the pprop case as well as avoiding a whole audit of the routing code. Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
-