- 27 Apr, 2006 2 commits
-
-
Zachary Amsden authored
Proposed fix for ptep_get_and_clear_full PAE bug. Pte_clear had the same bug, so use the same fix for both. Turns out pmd_clear had it as well, but pgds are not affected. The problem is rather intricate. Page table entries in PAE mode are 64-bits wide, but the only atomic 8-byte write operation available in 32-bit mode is cmpxchg8b, which is expensive (at least on P4), and thus avoided. But it can happen that the processor may prefetch entries into the TLB in the middle of an operation which clears a page table entry. So one must always clear the P-bit in the low word of the page table entry first when clearing it. Since the sequence *ptep = __pte(0) leaves the order of the write dependent on the compiler, it must be coded explicitly as a clear of the low word followed by a clear of the high word. Further, there must be a write memory barrier here to enforce proper ordering by the compiler (and, in the future, by the processor as well). On > 4GB memory machines, the implementation of pte_clear for PAE was clearly deficient, as it could leave virtual mappings of physical memory above 4GB aliased to memory below 4GB in the TLB. The implementation of ptep_get_and_clear_full has a similar bug, although not nearly as likely to occur, since the mappings being cleared are in the process of being destroyed, and should never be dereferenced again. But, as luck would have it, it is possible to trigger bugs even without ever dereferencing these bogus TLB mappings, even if the clear is followed fairly soon after with a TLB flush or invalidation. The problem is that memory above 4GB may now be aliased into the first 4GB of memory, and in fact, may hit a region of memory with non-memory semantics. These regions include AGP and PCI space. As such, these memory regions are not cached by the processor. This introduces the bug. The processor can speculate memory operations, including memory writes, as long as they are committed with the proper ordering. Speculating a memory write to a linear address that has a bogus TLB mapping is possible. Normally, the speculation is harmless. But for cached memory, it does leave the falsely speculated cacheline unmodified, but in a dirty state. This cache line will be eventually written back. If this cacheline happens to intersect a region of memory that is not protected by the cache coherency protocol, it can corrupt data in I/O memory, which is generally a very bad thing to do, and can cause total system failure or just plain undefined behavior. These bugs are extremely unlikely, but the severity is of such magnitude, and the fix so simple that I think fixing them immediately is justified. Also, they are nearly impossible to debug. Signed-off-by: Zachary Amsden <zach@vmware.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Linus Torvalds authored
-
- 26 Apr, 2006 33 commits
-
-
Linus Torvalds authored
* master.kernel.org:/home/rmk/linux-2.6-mmc: [MMC] pxamci: fix data timeout calculation
-
Linus Torvalds authored
* master.kernel.org:/home/rmk/linux-2.6-arm: [ARM] nommu: trivial fixups for head-nommu.S and the Makefile [ARM] vfp: fix leak of VFP_NAN_FLAG into FPSCR [ARM] 3484/1: Correct AEABI CFLAGS for correct enum handling
-
Russell King authored
-
Chandra Seetharaman authored
Few of the notifier_chain_register() callers use __init in the definition of notifier_call. It is incorrect as the function definition should be available after the initializations (they do not unregister them during initializations). This patch fixes all such usages to _not_ have the notifier_call __init section. Signed-off-by: Chandra Seetharaman <sekharan@us.ibm.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Chandra Seetharaman authored
Few of the notifier_chain_register() callers use __devinitdata in the definition of notifier_block data structure. It is incorrect as the data structure should be available after the initializations (they do not unregister them during initializations). This was leading to an oops when notifier_chain_register() call is invoked for those callback chains after initialization. This patch fixes all such usages to _not_ have the notifier_block data structure in the init data section. Signed-off-by: Chandra Seetharaman <sekharan@us.ibm.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
James Morris authored
This patch addresses a flaw in LSM, where there is no mediation of readv() and writev() in for 32-bit compatible apps using a 64-bit kernel. This bug was discovered and fixed initially in the native readv/writev code [1], but was not fixed in the compat code. Thanks to Al for spotting this one. [1] http://lwn.net/Articles/154282/Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Al Viro authored
All modifications of ->i_flags in inodes that might be visible to somebody else must be under ->i_mutex. That patch fixes ext3 ioctl() setting S_APPEND and friends. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Al Viro authored
Switched to use of sys_pread64()/sys_pwrite64() rather than keep duplicating their guts; among the little things that had been missing there were such as ret = security_file_permission (file, MAY_READ); Gotta love the LSM robustness, right? Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Al Viro authored
sbi->s_group_desc is an array of pointers to buffer_head. memcpy() of buffer size from address of buffer_head is a bad idea - it will generate junk in any case, may oops if buffer_head is close to the end of slab page and next page is not mapped and isn't what was intended there. IOW, ->b_data is missing in that call. Fortunately, result doesn't go into the primary on-disk data structures, so only backup ones get crap written to them; that had allowed this bug to remain unnoticed until now. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Al Viro authored
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
git://brick.kernel.dk/data/git/linux-2.6-blockLinus Torvalds authored
* 'splice' of git://brick.kernel.dk/data/git/linux-2.6-block: [PATCH] splice: add ->splice_write support for /dev/null [PATCH] splice: rearrange moving to/from pipe helpers [PATCH] Add support for the sys_vmsplice syscall [PATCH] splice: fix offset problems [PATCH] splice: fix min() warning
-
Linus Torvalds authored
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6: [PATCH] forcedeth: fix initialization [PATCH] sky2: version 1.2 [PATCH] sky2: reset function can be devinit [PATCH] sky2: use ALIGN() macro [PATCH] sky2: add fake idle irq timer [PATCH] sky2: reschedule if irq still pending [PATCH] bcm43xx: make PIO mode usable [PATCH] bcm43xx: add to MAINTAINERS [PATCH] softmac: fix SIOCSIWAP [PATCH] Fix crash on big-endian systems during scan e1000: Update truesize with the length of the packet for packet split [PATCH] Fix locking in gianfar
-
Linus Torvalds authored
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: [BRIDGE]: allow full size vlan packets
-
Jens Axboe authored
Useful for testing. Signed-off-by: Jens Axboe <axboe@suse.de>
-
Jens Axboe authored
We need these for people writing their own ->splice_read/write hooks. Signed-off-by: Jens Axboe <axboe@suse.de>
-
Ayaz Abdulla authored
This patch fixes the nic initialization. If the nic was in low power mode, it brings it back to normal power. Also, it utilizes a new hardware reset during the init. I am resending based on feedback, I corrected the register size mapping and delay after posted write. Signed-Off-By: Ayaz Abdulla <aabdulla@nvidia.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
-
Stephen Hemminger authored
Update to version 1.2 Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
-
Stephen Hemminger authored
The sky2_reset function only called from sky2_probe. Maybe the compiler was smart enough to figure this out already. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
-
Stephen Hemminger authored
The ALIGN() macro in kernel.h does the same math that the sky2 driver was using for padding. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
-
Stephen Hemminger authored
Add an fake NAPI schedule once a second. This is an attempt to work around for broken configurations with edge-triggered interrupts. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
-
Stephen Hemminger authored
This is a workaround for the case edge-triggered irq's. Several users seem to have broken configurations sharing edge-triggered irq's. To avoid losing IRQ's, reshedule if more work arrives. The changes to netdevice.h are to extract the part that puts device back in list into separate inline. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
-
Jeff Garzik authored
Merge branch 'upstream-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 into upstream-fixes
-
-
Jeff Garzik authored
-
Stephen Hemminger authored
Need to allow for VLAN header when bridging. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jens Axboe authored
sys_splice() moves data to/from pipes with a file input/output. sys_vmsplice() moves data to a pipe, with the input being a user address range instead. This uses an approach suggested by Linus, where we can hold partial ranges inside the pages[] map. Hopefully this will be useful for network receive support as well. Signed-off-by: Jens Axboe <axboe@suse.de>
-
Miklos Szeredi authored
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
-
Miklos Szeredi authored
BKL does not protect against races if the task may sleep between checking and setting a value. So move checking of file->private_data near to setting it in fuse_fill_super(). Found by Al Viro. Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
-
Miklos Szeredi authored
A deadlock was possible, when the last reference to the superblock was held due to a background request containing a file reference. Releasing the file would release the vfsmount which in turn would release the superblock. Since sbput_sem is held during the fput() and fuse_put_super() tries to acquire this same semaphore, a deadlock results. The solution is to move the fput() outside the region protected by sbput_sem. Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
-
Miklos Szeredi authored
This reverts 73ce8355 commit. It was wrong, because it didn't take into account the requirement, that iput() for background requests must be performed synchronously with ->put_super(), otherwise active inodes may remain after unmount. The right solution is to keep the sbput_sem and perform iput() within the locked region, but move fput() outside sbput_sem. Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
-
Jens Axboe authored
Make the move_from_pipe() actors return number of bytes processed, then move_from_pipe() can decide more cleverly when to move on to the next buffer. This fixes problems with pipe offset and differing file offset. Signed-off-by: Jens Axboe <axboe@suse.de>
-
Andrew Morton authored
Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Jens Axboe <axboe@suse.de>
-
Auke Kok authored
Update skb with the real packet size. Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com> Signed-off-by: Auke Kok <auke-jan.h.kok@intel.com> Signed-off-by: John Ronciak <john.ronciak@intel.com>
-
- 25 Apr, 2006 5 commits
-
-
Russell King authored
The VFP code can leak VFP_NAN_FLAG into the FPSCR. It doesn't correspond to any real FPSCR bit (and overlaps one of the exception flags). Bug report from Daniel Jacobowitz Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
-
Richard Purdie authored
Patch from Richard Purdie The AAPCS says that enums can be variably sized depending on the range of valid values. This is not the accepted behaviour under linux so for compatibility gcc has an aapcs-linux target, the main difference being that enums are always of type int. Change the ARM Makefile to use this target. Signed-off-by: Richard Purdie <rpurdie@rpsys.net> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
-
Ivan Kokshaysky authored
As it turned out after recent SCSI changes, strncpy() was broken - it mixed up the return values from __stxncpy() in registers $24 and $27. Thanks to Mathieu Chouquet-Stringer for tracking down the problem and providing an excellent test case. Signed-off-by: Ivan Kokshaysky <ink@jurassic.park.msu.ru> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Linus Torvalds authored
* master.kernel.org:/pub/scm/linux/kernel/git/sfrench/cifs-2.6-stable: [CIFS] Fix compile error when CONFIG_CIFS_EXPERIMENTAL is undefined
-
Patrick McHardy authored
The targets don't do the basic verification themselves anymore so the ipt action needs to take care of it. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-