1. 13 Oct, 2006 18 commits
  2. 09 Sep, 2006 3 commits
  3. 08 Sep, 2006 19 commits
    • Greg Kroah-Hartman's avatar
      Linux 2.6.17.12 · 9e1c66a9
      Greg Kroah-Hartman authored
      9e1c66a9
    • Stephen Hemminger's avatar
      sky2: version 1.6.1 · b3c725e4
      Stephen Hemminger authored
      Since this code incorporates some of the fixes from 2.6.18, change
      the version number.
      Signed-off-by: default avatarStephen Hemminger <shemminger@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      b3c725e4
    • Stephen Hemminger's avatar
      sky2: fix fiber support · 983e6379
      Stephen Hemminger authored
      Fix support for fiber based devices.  Needed to keep track of PMD type to
      add workaround in setup. Add support for gigabit half duplex fiber.
      Signed-off-by: default avatarStephen Hemminger <shemminger@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      983e6379
    • Stephen Hemminger's avatar
      sky2: MSI test timing · 3489a9e8
      Stephen Hemminger authored
      The test for MSI IRQ could have timing issues. The PCI write needs to be 
      pushed out before waiting, and the wait queue should be initialized before
      the IRQ.
      Signed-off-by: default avatarStephen Hemminger <shemminger@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      3489a9e8
    • Stephen Hemminger's avatar
      sky2: use dev_alloc_skb for receive buffers · f117ca32
      Stephen Hemminger authored
      Several code paths assume an additional 16 bytes of header padding
      on the receive path. Use dev_alloc_skb to get that padding.
      Signed-off-by: default avatarStephen Hemminger <shemminger@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      f117ca32
    • Stephen Hemminger's avatar
      sky2: clear status IRQ after empty · 15d658cb
      Stephen Hemminger authored
      Don't clear status IRQ until list has been read to avoid causing
      status list wraparound. Clearing IRQ forces a Transmit Status update
      if it is pending.
      Signed-off-by: default avatarStephen Hemminger <shemminger@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      15d658cb
    • Stephen Hemminger's avatar
      sky2: accept flow control · 66976367
      Stephen Hemminger authored
      Don't program the GMAC to reject flow control packets.
      This maybe the cause of some of the transmit hangs.
      Signed-off-by: default avatarStephen Hemminger <shemminger@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      66976367
    • Daniel Kobras's avatar
      dm: Fix deadlock under high i/o load in raid1 setup. · e2b53b19
      Daniel Kobras authored
      On an nForce4-equipped machine with two SATA disk in raid1 setup using dmraid,
      we experienced frequent deadlock of the system under high i/o load.  'cat
      /dev/zero > ~/zero' was the most reliable way to reproduce them: Randomly
      after a few GB, 'cp' would be left in 'D' state along with kjournald and
      kmirrord.  The functions cp and kjournald were blocked in did vary, but
      kmirrord's wchan always pointed to 'mempool_alloc()'.  We've seen this pattern
      on 2.6.15 and 2.6.17 kernels.  http://lkml.org/lkml/2005/4/20/142 indicates
      that this problem has been around even before.
      
      So much for the facts, here's my interpretation: mempool_alloc() first tries
      to atomically allocate the requested memory, or falls back to hand out
      preallocated chunks from the mempool.  If both fail, it puts the calling
      process (kmirrord in this case) on a private waitqueue until somebody refills
      the pool.  Where the only 'somebody' is kmirrord itself, so we have a
      deadlock.
      
      I worked around this problem by falling back to a (blocking) kmalloc when
      before kmirrord would have ended up on the waitqueue.  This defeats part of
      the benefits of using the mempool, but at least keeps the system running.  And
      it could be done with a two-line change.  Note that mempool_alloc() clears the
      GFP_NOIO flag internally, and only uses it to decide whether to wait or return
      an error if immediate allocation fails, so the attached patch doesn't change
      behaviour in the non-deadlocking case.  Path is against current git
      (2.6.18-rc4), but should apply to earlier versions as well.  I've tested on
      2.6.15, where this patch makes the difference between random lockup and a
      stable system.
      Signed-off-by: default avatarDaniel Kobras <kobras@linux.de>
      Acked-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      e2b53b19
    • Yingchao Zhou's avatar
      Remove redundant up() in stop_machine() · eeae03f8
      Yingchao Zhou authored
      An up() is called in kernel/stop_machine.c on failure, and also in the
      caller (unconditionally).
      Signed-off-by: default avatarZhou Yingchao <yingchao.zhou@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      eeae03f8
    • Alan Cox's avatar
      Missing PCI id update for VIA IDE · 1a9546a5
      Alan Cox authored
      The following change from -mm is important to 2.6.18 (actually to 2.6.17
      but its too late for that). This was contributed over three months ago
      by VIA to Bartlomiej and nothing happened. As a result the new chipset
      is now out and Linux won't run on it. By the time 2.6.18 is finalised
      this will be the defacto standard VIA chipset so support would be a good
      plan.
      
      Tested in -mm for a while, its essentially a PCI ident update but for
      the bridge chip because VIA do things in weird ways.
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      
      1a9546a5
    • Chen-Li Tien's avatar
      f3658cfa
    • David S. Miller's avatar
      PKTGEN: Make sure skb->{nh,h} are initialized in fill_packet_ipv6() too. · ee2abb10
      David S. Miller authored
      [PKTGEN]: Make sure skb->{nh,h} are initialized in fill_packet_ipv6() too.
      
      Mirror the bug fix from fill_packet_ipv4()
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      ee2abb10
    • Robin Holt's avatar
      Silent data corruption caused by XPC · d6b7fe9e
      Robin Holt authored
      Jack Steiner identified a problem where XPC can cause a silent
      data corruption.  On module load, the placement may cause the
      xpc_remote_copy_buffer to span two physical pages.  DMA transfers are
      done to the start virtual address translated to physical.
      
      This patch changes the buffer from a statically allocated buffer to a
      kmalloc'd buffer.  Dean Nelson reviewed this before posting.  I have
      tested it in the configuration that was showing the memory corruption
      and verified it works.  I also added a BUG_ON statement to help catch
      this if a similar situation is encountered.
      Signed-off-by: default avatarRobin Holt <holt@sgi.com>
      Signed-off-by: default avatarDean Nelson <dcn@sgi.com>
      Signed-off-by: default avatarJack Steiner <steiner@sgi.com>
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      d6b7fe9e
    • Alan Stern's avatar
      uhci-hcd: fix list access bug · 4ccc9a4b
      Alan Stern authored
      When skipping to the last TD of an URB, go to the _last_ entry in the
      list instead of the _first_ entry (as780).  This fixes Bugzilla #6747 and
      possibly others.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      4ccc9a4b
    • Ernie Petrides's avatar
      binfmt_elf: fix checks for bad address · 4be6107d
      Ernie Petrides authored
      Fix check for bad address; use macro instead of open-coding two checks.
      
      Taken from RHEL4 kernel update.
      
        For background, the BAD_ADDR() macro should return TRUE if the address is
        TASK_SIZE, because that's the lowest address that is *not* valid for
        user-space mappings.  The macro was correct in binfmt_aout.c but was wrong
        for the "equal to" case in binfmt_elf.c.  There were two in-line validations
        of user-space addresses in binfmt_elf.c, which have been appropriately
        converted to use the corrected BAD_ADDR() macro in the patch you posted
        yesterday.  Note that the size checks against TASK_SIZE are okay as coded.
      
        The additional changes that I propose are below.  These are in the error
        paths for bad ELF entry addresses once load_elf_binary() has already
        committed to exec'ing the new image (following the tearing down of the
        task's original address space).
      
        The 1st hunk deals with the interp-side of the outer "if".  There were two
        problems here.  The printk() should be removed because this path can be
        triggered at will by a bogus interpreter image created and used by a
        malicious user.  Further, the error code should not be ENOEXEC, because that
        causes the loop in search_binary_handler() to continue trying other exec
        handlers (twice, in fact).  But it's too late for this to work correctly,
        because the user address space has already been torn down, and an exec()
        failure cannot be returned to the user code because the code no longer
        exists.  The only recovery is to force a SIGSEGV, but it's best to terminate
        the search loop immediately.  I somewhat arbitrarily chose EINVAL as a
        fallback error code, but any error returned by load_elf_interp() will
        override that (but this value will never be seen by user-space).
      
        The 2nd hunk deals with the non-interp-side of the outer "if".  There were
        two problems here as well.  The SIGSEGV needs to be forced, because a prior
        sigaction() syscall might have set the associated disposition to SIG_IGN.
        And the ENOEXEC should be changed to EINVAL as described above.
      Signed-off-by: default avatarChuck Ebbert <76306.1226@compuserve.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      4be6107d
    • Christian Borntraeger's avatar
      bug in futex unqueue_me · 2cd6b01a
      Christian Borntraeger authored
      This patch adds a barrier() in futex unqueue_me to avoid aliasing of two
      pointers.
      
      On my s390x system I saw the following oops:
      
      Unable to handle kernel pointer dereference at virtual kernel address
      0000000000000000
      Oops: 0004 [#1]
      CPU:    0    Not tainted
      Process mytool (pid: 13613, task: 000000003ecb6ac0, ksp: 00000000366bdbd8)
      Krnl PSW : 0704d00180000000 00000000003c9ac2 (_spin_lock+0xe/0x30)
      Krnl GPRS: 00000000ffffffff 000000003ecb6ac0 0000000000000000 0700000000000000
                 0000000000000000 0000000000000000 000001fe00002028 00000000000c091f
                 000001fe00002054 000001fe00002054 0000000000000000 00000000366bddc0
                 00000000005ef8c0 00000000003d00e8 0000000000144f91 00000000366bdcb8
      Krnl Code: ba 4e 20 00 12 44 b9 16 00 3e a7 84 00 08 e3 e0 f0 88 00 04
      Call Trace:
      ([<0000000000144f90>] unqueue_me+0x40/0xe4)
       [<0000000000145a0c>] do_futex+0x33c/0xc40
       [<000000000014643e>] sys_futex+0x12e/0x144
       [<000000000010bb00>] sysc_noemu+0x10/0x16
       [<000002000003741c>] 0x2000003741c
      
      The code in question is:
      
      static int unqueue_me(struct futex_q *q)
      {
              int ret = 0;
              spinlock_t *lock_ptr;
      
              /* In the common case we don't take the spinlock, which is nice. */
       retry:
              lock_ptr = q->lock_ptr;
              if (lock_ptr != 0) {
                      spin_lock(lock_ptr);
      		/*
                       * q->lock_ptr can change between reading it and
                       * spin_lock(), causing us to take the wrong lock.  This
                       * corrects the race condition.
      [...]
      
      and my compiler (gcc 4.1.0) makes the following out of it:
      
      00000000000003c8 <unqueue_me>:
           3c8:       eb bf f0 70 00 24       stmg    %r11,%r15,112(%r15)
           3ce:       c0 d0 00 00 00 00       larl    %r13,3ce <unqueue_me+0x6>
                              3d0: R_390_PC32DBL      .rodata+0x2a
           3d4:       a7 f1 1e 00             tml     %r15,7680
           3d8:       a7 84 00 01             je      3da <unqueue_me+0x12>
           3dc:       b9 04 00 ef             lgr     %r14,%r15
           3e0:       a7 fb ff d0             aghi    %r15,-48
           3e4:       b9 04 00 b2             lgr     %r11,%r2
           3e8:       e3 e0 f0 98 00 24       stg     %r14,152(%r15)
           3ee:       e3 c0 b0 28 00 04       lg      %r12,40(%r11)
      		/* write q->lock_ptr in r12 */
           3f4:       b9 02 00 cc             ltgr    %r12,%r12
           3f8:       a7 84 00 4b             je      48e <unqueue_me+0xc6>
      		/* if r12 is zero then jump over the code.... */
           3fc:       e3 20 b0 28 00 04       lg      %r2,40(%r11)
      		/* write q->lock_ptr in r2 */
           402:       c0 e5 00 00 00 00       brasl   %r14,402 <unqueue_me+0x3a>
                              404: R_390_PC32DBL      _spin_lock+0x2
      		/* use r2 as parameter for spin_lock */
      
      So the code becomes more or less:
      if (q->lock_ptr != 0) spin_lock(q->lock_ptr)
      instead of
      if (lock_ptr != 0) spin_lock(lock_ptr)
      
      Which caused the oops from above.
      After adding a barrier gcc creates code without this problem:
      [...] (the same)
           3ee:       e3 c0 b0 28 00 04       lg      %r12,40(%r11)
           3f4:       b9 02 00 cc             ltgr    %r12,%r12
           3f8:       b9 04 00 2c             lgr     %r2,%r12
           3fc:       a7 84 00 48             je      48c <unqueue_me+0xc4>
           400:       c0 e5 00 00 00 00       brasl   %r14,400 <unqueue_me+0x38>
                              402: R_390_PC32DBL      _spin_lock+0x2
      
      As a general note, this code of unqueue_me seems a bit fishy. The retry logic
      of unqueue_me only works if we can guarantee, that the original value of
      q->lock_ptr is always a spinlock (Otherwise we overwrite kernel memory). We
      know that q->lock_ptr can change. I dont know what happens with the original
      spinlock, as I am not an expert with the futex code.
      
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Acked-by: default avatarIngo Molnar <mingo@redhat.com>
      Cc: Thomas Gleixner <tglx@timesys.com>
      Signed-off-by: default avatarChristian Borntraeger <borntrae@de.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      2cd6b01a
    • Trond Myklebust's avatar
      fcntl(F_SETSIG) fix · f4eb9f37
      Trond Myklebust authored
      fcntl(F_SETSIG) no longer works on leases because
      lease_release_private_callback() gets called as the lease is copied in
      order to initialise it.
      
      The problem is that lease_alloc() performs an unnecessary initialisation,
      which sets the lease_manager_ops.  Avoid the problem by allocating the
      target lease structure using locks_alloc_lock().
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      f4eb9f37
    • YOSHIFUJI Hideaki's avatar
      IPV6 OOPS'er triggerable by any user · a13aeb6e
      YOSHIFUJI Hideaki authored
      [IPV6]: Fix kernel OOPs when setting sticky socket options.
      
      Bug noticed by Remi Denis-Courmont <rdenis@simphalempin.com>.
      Signed-off-by: default avatarYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      a13aeb6e
    • Sridhar Samudrala's avatar
      SCTP: Fix sctp_primitive_ABORT() call in sctp_close(). · e564f8a9
      Sridhar Samudrala authored
      With the recent fix, the callers of sctp_primitive_ABORT()
      need to create an ABORT chunk and pass it as an argument rather
      than msghdr that was passed earlier.
      Signed-off-by: default avatarSridhar Samudrala <sri@us.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e564f8a9