- 06 Sep, 2006 3 commits
-
-
Christian Borntraeger authored
This patch adds a barrier() in futex unqueue_me to avoid aliasing of two pointers. On my s390x system I saw the following oops: Unable to handle kernel pointer dereference at virtual kernel address 0000000000000000 Oops: 0004 [#1] CPU: 0 Not tainted Process mytool (pid: 13613, task: 000000003ecb6ac0, ksp: 00000000366bdbd8) Krnl PSW : 0704d00180000000 00000000003c9ac2 (_spin_lock+0xe/0x30) Krnl GPRS: 00000000ffffffff 000000003ecb6ac0 0000000000000000 0700000000000000 0000000000000000 0000000000000000 000001fe00002028 00000000000c091f 000001fe00002054 000001fe00002054 0000000000000000 00000000366bddc0 00000000005ef8c0 00000000003d00e8 0000000000144f91 00000000366bdcb8 Krnl Code: ba 4e 20 00 12 44 b9 16 00 3e a7 84 00 08 e3 e0 f0 88 00 04 Call Trace: ([<0000000000144f90>] unqueue_me+0x40/0xe4) [<0000000000145a0c>] do_futex+0x33c/0xc40 [<000000000014643e>] sys_futex+0x12e/0x144 [<000000000010bb00>] sysc_noemu+0x10/0x16 [<000002000003741c>] 0x2000003741c The code in question is: static int unqueue_me(struct futex_q *q) { int ret = 0; spinlock_t *lock_ptr; /* In the common case we don't take the spinlock, which is nice. */ retry: lock_ptr = q->lock_ptr; if (lock_ptr != 0) { spin_lock(lock_ptr); /* * q->lock_ptr can change between reading it and * spin_lock(), causing us to take the wrong lock. This * corrects the race condition. [...] and my compiler (gcc 4.1.0) makes the following out of it: 00000000000003c8 <unqueue_me>: 3c8: eb bf f0 70 00 24 stmg %r11,%r15,112(%r15) 3ce: c0 d0 00 00 00 00 larl %r13,3ce <unqueue_me+0x6> 3d0: R_390_PC32DBL .rodata+0x2a 3d4: a7 f1 1e 00 tml %r15,7680 3d8: a7 84 00 01 je 3da <unqueue_me+0x12> 3dc: b9 04 00 ef lgr %r14,%r15 3e0: a7 fb ff d0 aghi %r15,-48 3e4: b9 04 00 b2 lgr %r11,%r2 3e8: e3 e0 f0 98 00 24 stg %r14,152(%r15) 3ee: e3 c0 b0 28 00 04 lg %r12,40(%r11) /* write q->lock_ptr in r12 */ 3f4: b9 02 00 cc ltgr %r12,%r12 3f8: a7 84 00 4b je 48e <unqueue_me+0xc6> /* if r12 is zero then jump over the code.... */ 3fc: e3 20 b0 28 00 04 lg %r2,40(%r11) /* write q->lock_ptr in r2 */ 402: c0 e5 00 00 00 00 brasl %r14,402 <unqueue_me+0x3a> 404: R_390_PC32DBL _spin_lock+0x2 /* use r2 as parameter for spin_lock */ So the code becomes more or less: if (q->lock_ptr != 0) spin_lock(q->lock_ptr) instead of if (lock_ptr != 0) spin_lock(lock_ptr) Which caused the oops from above. After adding a barrier gcc creates code without this problem: [...] (the same) 3ee: e3 c0 b0 28 00 04 lg %r12,40(%r11) 3f4: b9 02 00 cc ltgr %r12,%r12 3f8: b9 04 00 2c lgr %r2,%r12 3fc: a7 84 00 48 je 48c <unqueue_me+0xc4> 400: c0 e5 00 00 00 00 brasl %r14,400 <unqueue_me+0x38> 402: R_390_PC32DBL _spin_lock+0x2 As a general note, this code of unqueue_me seems a bit fishy. The retry logic of unqueue_me only works if we can guarantee, that the original value of q->lock_ptr is always a spinlock (Otherwise we overwrite kernel memory). We know that q->lock_ptr can change. I dont know what happens with the original spinlock, as I am not an expert with the futex code. Signed-off-by:Christian Borntraeger <borntrae@de.ibm.com> Acked-by:
Ingo Molnar <mingo@redhat.com> Signed-off-by:
Adrian Bunk <bunk@stusta.de>
-
maximilian attems authored
The icom driver uses request_firmware() and thus needs to select FW_LOADER. Signed-off-by:
maximilian attems <maks@sternwelten.at> Signed-off-by:
Olaf Hering <olh@suse.de> Signed-off-by:
-
Alan Cox authored
Signed-off-by:
-
- 05 Sep, 2006 8 commits
-
-
Sridhar Samudrala authored
With the recent fix, the callers of sctp_primitive_ABORT() need to create an ABORT chunk and pass it as an argument rather than msghdr that was passed earlier. Adrian Bunk: Ported to 2.6.16. Signed-off-by:
Sridhar Samudrala <sri@us.ibm.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Remy Bruno authored
Signed-off-by:
Jaroslav Kysela <perex@suse.cz> Acked-by:
Takashi Iwai <tiwai@suse.de> Signed-off-by:
-
Takashi Iwai authored
Call iounmap after free_irq to avoid invalid accesses in the shared irq. The patch is taken from https://bugzilla.novell.com/show_bug.cgi?id=167869Signed-off-by: -
Takashi Iwai authored
Fix the workaround for AD1988A rev2 codec not to apply to AD1988B codec chips. Signed-off-by:
-
Takashi Iwai authored
Changed the assigned model for HP dc7600 with ALC260 codec to match better with the actual I/O assignment. Patch taken from ALSA bug#2157. Signed-off-by:
-
Takashi Iwai authored
Fixed the missing array terminators in AD1988 codec support code. Signed-off-by:
-
Takashi Iwai authored
Fix an occasional deadlock occuring with snd-rtctimer driver, added irqsave to the lock in tasklet (ALSA bug#952). Signed-off-by:
-
Takashi Iwai authored
Fix 64bit address of MPU401 MMIO port on au88x0 chip. Signed-off-by:
-
- 31 Aug, 2006 2 commits
-
-
Willy Tarreau authored
The function pointers which were checked were for their get_* counterparts. Typically a copy-paste typo. Signed-off-by:
Willy Tarreau <w@1wt.eu> Acked-by:
Jeff Garzik <jeff@garzik.org> Acked-by:
-
Herbert Xu authored
The function ethtool_get_ufo was referring to ETHTOOL_GTSO instead of ETHTOOL_GUFO. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
Matthew Wilcox <matthew@wil.cx> Signed-off-by:
-
- 30 Aug, 2006 6 commits
-
-
Kirill Korotaev authored
2.6.16 leaks like hell. While testing, I found massive filp leakage (reproduced in openvz) in the bowels of namei.c. Signed-off-by:
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by:
-
Eric Sandeen authored
blatantly ripped off from Neil Brown's ext2 patch. Signed-off-by:
Eric Sandeen <sandeen@sandeen.net> Acked-by:
"Theodore Ts'o" <tytso@mit.edu> Signed-off-by:
-
Neil Brown authored
The inode number out of an NFS file handle gets passed eventually to ext3_get_inode_block() without any checking. If ext3_get_inode_block() allows it to trigger an error, then bad filehandles can have unpleasant effect - ext3_error() will usually cause a forced read-only remount, or a panic if `errors=panic' was used. So remove the call to ext3_error there and put a matching check in ext3/namei.c where inode numbers are read off storage. Andrew Morton fixed an off-by-one error. Dann Frazier ported the patch to 2.6.16. Signed-off-by:
Neil Brown <neilb@suse.de> Signed-off-by:
-
Alexey Dobriyan authored
* MODE_MASK is unused in eicon driver. * Conflicts with a ptrace stuff on arm. drivers/isdn/hardware/eicon/divasync.h:259:1: warning: "MODE_MASK" redefined include2/asm/ptrace.h:48:1: warning: this is the location of the previous definition Signed-off-by:
Alexey Dobriyan <adobriyan@gmail.com> Acked-by:
Karsten Keil <kkeil@suse.de> Acked-by:
Armin Schindler <armin@melware.de> Signed-off-by:
-
Patrick McHardy authored
table->private might change because of ruleset changes, don't use it without holding the lock. Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
-
Hannes Reinecke authored
This patch fixes the aic79xx driver to properly respond to BIOS settings. Signed-off-by:
Hannes Reinecke <hare@suse.de> Signed-off-by:
James Bottomley <James.Bottomley@SteelEye.com> Signed-off-by:
-
- 27 Aug, 2006 1 commit
-
-
Paul Fulghum authored
Serialize processing of tty buffers in flush_to_ldisc to fix (very rare) corruption of tty buffer free list on SMP systems. Signed-off-by:
Paul Fulghum <paulkf@microgate.com> Acked-by:
Alan Cox <alan@redhat.com> Signed-off-by:
-
- 26 Aug, 2006 7 commits
-
-
Mark Huang authored
Fix kernel panic on various SMP machines. The culprit is a null ub->skb in ulog_send(). If ulog_timer() has already been scheduled on one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the queue on another CPU by calling ulog_send() right before it exits, there will be no skbuff when ulog_timer() acquires the lock and calls ulog_send(). Cancelling the timer in ulog_send() doesn't help because it has already been scheduled and is running on the first CPU. Similar problem exists in ebt_ulog.c and nfnetlink_log.c. Signed-off-by:
Mark Huang <mlhuang@cs.princeton.edu> Signed-off-by:
-
Neil Brown authored
At the point where this 'atomic_add' is, rdev could be NULL, as seen by the fact that we test for this in the very next statement. Further is it is really the wrong place of the add. We could add to the count of corrected errors once the are sure it was corrected, not before trying to correct it. Signed-off-by:
-
Tsutomu Fujii authored
Right now, every time we increase our rwnd by more then MTU bytes, we trigger a SACK. When processing large messages, this will generate a SACK for almost every other SCTP fragment. However since we are freeing the entire message at the same time, we might as well collapse the SACK generation to 1. Signed-off-by:
Tsutomu Fujii <t-fujii@nb.jp.nec.com> Signed-off-by:
Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by:
-
Vlad Yasevich authored
Signed-off-by:
-
Vlad Yasevich authored
When using ASSOCINFO socket option, we need to limit the number of maximum association retransmissions to be no greater than the sum of all the path retransmissions. This is specified in Section 7.1.2 of the SCTP socket API draft. However, we only do this if the association has multiple paths. If there is only one path, the protocol stack will use the assoc_max_retrans setting when trying to retransmit packets. Signed-off-by:
-
Neil Horman authored
In the event that our entire receive buffer is full with a series of chunks that represent a single gap-ack, and then we accept a chunk (or chunks) that fill in the gap between the ctsn and the first gap, we renege chunks from the end of the buffer, which effectively does nothing but move our gap to the end of our received tsn stream. This does little but move our missing tsns down stream a little, and, if the sender is sending sufficiently large retransmit frames, the result is a perpetual slowdown which can never be recovered from, since the only chunk that can be accepted to allow progress in the tsn stream necessitates that a new gap be created to make room for it. This leads to a constant need for retransmits, and subsequent receiver stalls. The fix I've come up with is to deliver the frame without reneging if we have a full receive buffer and the receiving sockets sk_receive_queue is empty(indicating that the receive buffer is being blocked by a missing tsn). Signed-off-by:
Neil Horman <nhorman@tuxdriver.com> Signed-off-by:
-
Vlad Yasevich authored
Make SCTP handle broadcast properly Signed-off-by:
-
- 25 Aug, 2006 1 commit
-
-
Adrian Bunk authored
-
- 23 Aug, 2006 4 commits
-
-
Adrian Bunk authored
-
Danny Tholen authored
Recently a patch was added for preliminary suspend/resume handling on !PPC_PMAC. However, this broke both suspend and firewire on powerpc because it saves the pci state after the device has already been disabled. This moves the save state to before the pmac specific code. Signed-off-by:
Danny Tholen <obiwan@mailmij.org> Acked-by:
Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by:
Andrew Morton <akpm@osdl.org> Signed-off-by:
Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by:
-
Sridhar Samudrala authored
sctp_make_abort_user() now takes the msg_len along with the msg so that we don't have to recalculate the bytes in iovec. It also uses memcpy_fromiovec() so that we don't go beyond the length allocated. It is good to have this fix even if verify_iovec() is fixed to return error on overflow. Signed-off-by:
-
Jan Kara authored
UDF code is not really ready to handle extents larger that 1GB. This is the easy way to forbid creating those. Also truncation code did not count with the case when there are no extents in the file and we are extending the file. Signed-off-by:
Jan Kara <jack@suse.cz> Signed-off-by:
-
- 22 Aug, 2006 1 commit
-
-
Adrian Bunk authored
-
- 18 Aug, 2006 5 commits
-
-
Olof Johansson authored
Clear HID0[en_attn] at CPU init time on PPC970. Closes CVE-2006-4093. Signed-off-by:
Olof Johansson <olof@lixom.net> Signed-off-by:
Paul Mackerras <paulus@samba.org> Signed-off-by:
-
Jens Axboe authored
The code really means to mask off the high bits, not assign 0xff. Reported by Marcus Meissner <meissner@suse.de>. Signed-off-by:
Jens Axboe <axboe@suse.de> Signed-off-by:
-
Al Boldi authored
During an STR resume cycle, the ide master disk times-out when there is also a slave present (especially CD). Increasing the timeout in ide-io from 10,000 to 100,000 fixes this problem. Acked-by:
Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by:
-
David S. Miller authored
Something is wrong with the 3-multiply (vs. 4-multiply) optimized version of _FP_MUL_MEAT_2_*(), so just use the slower version which actually computes correct values. Noticed by Rene Rebe Signed-off-by:
-
Bob Breuer authored
Fix the calculation of the end address when flushing iotlb entries to ram. This bug has been a cause of esp dma errors, and it affects HyperSPARC systems much worse than SuperSPARC systems. Signed-off-by:
Bob Breuer <breuerr@mc.net> Signed-off-by:
William Lee Irwin III <wli@holomorphy.com> Signed-off-by:
-
- 12 Aug, 2006 2 commits
-
-
Adrian Bunk authored
-
Adrian Bunk authored
The i386 defconfig wasn't updated for ages. Instead of running "make oldconfig" on the old defconfig and trying to give reasonable answers at all new options, this patch replaces it with the one I'm using in 2.6.16-rc1. This way, it's a .config that is confirmed to work on at least one computer in the world. ;-) Signed-off-by:
-
