01 Sep, 2009

1 commit


28 Aug, 2009

9 commits

  • Linus Torvalds
     
  • The root cause is a duplicate section name (.text); is this legal?
    [ Amerigo Wang: "AFAIK, yes." ]

    However, there's a problem with commit
    6d76013381ed28979cd122eb4b249a88b5e384fa in that if you fail to allocate
    a mod->sect_attrs (in this case it's null because of the duplication),
    it still gets used without checking in add_notes_attrs()

    This should fix it

    [ This patch leaves other problems, particularly the sections directory,
    but recent parisc toolchains seem to produce these modules and this
    prevents a crash and is a minimal change -- RR ]

    Signed-off-by: James Bottomley
    Signed-off-by: Rusty Russell
    Tested-by: Helge Deller
    Signed-off-by: Linus Torvalds

    James Bottomley
     
  • The rarely-used symbol_put_addr() needs to use dereference_function_descriptor
    on powerpc.

    Reported-by: Paul Mackerras
    Signed-off-by: Rusty Russell

    Rusty Russell
     
  • As soon as the framebuffer is registered, our methods may be called by the
    kernel. This leads to a crash as xenfb_refresh() gets called before we have
    the irq.

    Connect to the backend before registering our framebuffer with the kernel.

    [ Fixes bug http://bugzilla.kernel.org/show_bug.cgi?id=14059 ]

    Signed-off-by: Michal Schmidt
    Signed-off-by: Jeremy Fitzhardinge
    Signed-off-by: Linus Torvalds

    Jeremy Fitzhardinge
     
  • * 'for-linus' of git://git.infradead.org/users/eparis/notify:
    inotify: Ensure we alwasy write the terminating NULL.
    inotify: fix locking around inotify watching in the idr
    inotify: do not BUG on idr entries at inotify destruction
    inotify: seperate new watch creation updating existing watches

    Linus Torvalds
     
  • We call lmb_end_of_DRAM() to test whether a DMA mask is ok on a machine
    without IOMMU, but this function is marked as __init.

    I don't think there's a clean way to get the top of RAM max_pfn doesn't
    appear to include highmem or I missed (or we have a bug :-) so for now,
    let's just avoid having a broken 2.6.31 by making this function
    non-__init and we can revisit later.

    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Linus Torvalds

    Benjamin Herrenschmidt
     
  • * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs:
    9p: update documentation pointers
    9p: remove unnecessary v9fses->options which duplicates the mount string
    net/9p: insulate the client against an invalid error code sent by a 9p server
    9p: Add missing cast for the error return value in v9fs_get_inode
    9p: Remove redundant inode uid/gid assignment
    9p: Fix possible regressions when ->get_sb fails.
    9p: Fix v9fs show_options
    9p: Fix possible memleak in v9fs_inode_from fid.
    9p: minor comment fixes
    9p: Fix possible inode leak in v9fs_get_inode.
    9p: Check for error in return value of v9fs_fid_add

    Linus Torvalds
     
  • Add a check in ip_append_data() for NULL *rtp to prevent future bugs in
    callers from being exploitable.

    Signed-off-by: Julien Tinnes
    Signed-off-by: Tavis Ormandy
    Acked-by: David S. Miller
    Signed-off-by: Linus Torvalds

    Julien TINNES
     
  • kAFS crashes when asked to read a symbolic link because page_getlink()
    passes a NULL file pointer to read_mapping_page(), but afs_readpage()
    expects a file pointer from which to extract a key.

    Modify afs_readpage() to request the appropriate key from the calling
    process's keyrings if a file struct is not supplied with one attached.

    Signed-off-by: David Howells
    Acked-by: Anton Blanchard
    Signed-off-by: Linus Torvalds

    David Howells
     

27 Aug, 2009

30 commits

  • Before the rewrite copy_event_to_user always wrote a terqminating '\0'
    byte to user space after the filename. Since the rewrite that
    terminating byte was skipped if your filename is exactly a multiple of
    event_size. Ouch!

    So add one byte to name_size before we round up and use clear_user to
    set userspace to zero like /dev/zero does instead of copying the
    strange nul_inotify_event. I can't quite convince myself len_to_zero
    will never exceed 16 and even if it doesn't clear_user should be more
    efficient and a more accurate reflection of what the code is trying to
    do.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Eric Paris

    Eric W. Biederman
     
  • The are races around the idr storage of inotify watches. It's possible
    that a watch could be found from sys_inotify_rm_watch() in the idr, but it
    could be removed from the idr before that code does it's removal. Move the
    locking and the refcnt'ing so that these have to happen atomically.

    Signed-off-by: Eric Paris

    Eric Paris
     
  • If an inotify watch is left in the idr when an fsnotify group is destroyed
    this will lead to a BUG. This is not a dangerous situation and really
    indicates a programming bug and leak of memory. This patch changes it to
    use a WARN and a printk rather than killing people's boxes.

    Signed-off-by: Eric Paris

    Eric Paris
     
  • There is nothing known wrong with the inotify watch addition/modification
    but this patch seperates the two code paths to make them each easy to
    verify as correct.

    Signed-off-by: Eric Paris

    Eric Paris
     
  • * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
    virtio: net refill on out-of-memory
    smc91x: fix compilation on SMP

    Linus Torvalds
     
  • * 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
    powerpc/ps3: Update ps3_defconfig
    powerpc/ps3: Add missing check for PS3 to rtc-ps3 platform device registration

    Linus Torvalds
     
  • Update ps3_defconfig.

    o Refresh for 2.6.31.
    o Remove MTD support.
    o Add more HID drivers.

    Signed-off-by: Geoff Levand
    Signed-off-by: Benjamin Herrenschmidt

    Geoff Levand
     
  • On non-PS3, we get:

    | kernel BUG at drivers/rtc/rtc-ps3.c:36!

    because the rtc-ps3 platform device is registered unconditionally in a kernel
    with builtin support for PS3.

    Reported-by: Sachin Sant
    Signed-off-by: Geert Uytterhoeven
    Acked-by: Geoff Levand
    Signed-off-by: Benjamin Herrenschmidt

    Geert Uytterhoeven
     
  • …s/security-testing-2.6

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
    IMA: iint put in ima_counts_get and put

    Linus Torvalds
     
  • * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k:
    m68k,m68knommu: Wire up rt_tgsigqueueinfo and perf_counter_open
    m68k: Fix redefinition of pgprot_noncached
    arch/m68k/include/asm/motorola_pgalloc.h: fix kunmap arg
    m68k: cnt reaches -1, not 0
    m68k: count can reach 51, not 50

    Linus Torvalds
     
  • If we change the inverted attribute to another value, the LED will not be
    inverted until we change the GPIO state.

    Signed-off-by: Thadeu Lima de Souza Cascardo
    Cc: Samuel R. C. Vale
    Cc: Richard Purdie
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Thadeu Lima de Souza Cascardo
     
  • When setting the same GPIO number, multiple IRQ shared requests will be
    done without freing the previous request. It will also try to free a
    failed request or an already freed IRQ if 0 was written to the gpio file.

    All these oops and leaks were fixed with the following solution: keep the
    previous allocated GPIO (if any) still allocated in case the new request
    fails. The alternative solution would desallocate the previous allocated
    GPIO and set gpio as 0.

    Signed-off-by: Thadeu Lima de Souza Cascardo
    Signed-off-by: Samuel R. C. Vale
    Cc: Richard Purdie
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Thadeu Lima de Souza Cascardo
     
  • This failure is very common on many platforms. Handling it in the ACPI
    processor driver is enough, and we don't need a warning message unless
    CONFIG_ACPI_DEBUG is set.

    Based on a patch from Zhang Rui.

    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13389

    Signed-off-by: Frans Pop
    Acked-by: Zhang Rui
    Cc: Len Brown
    Cc: "Rafael J. Wysocki"
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Frans Pop
     
  • If the BIOS reports an invalid throttling state (which seems to be
    fairly common after system boot), a reset is done to state T0.
    Because of a check in acpi_processor_get_throttling_ptc(), the reset
    never actually gets executed, which results in the error reoccurring
    on every access of for example /proc/acpi/processor/CPU0/throttling.

    Add a 'force' option to acpi_processor_set_throttling() to ensure
    the reset really takes effect.

    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13389

    This patch, together with the next one, fixes a regression introduced in
    2.6.30, listed on the regression list. They have been available for 2.5
    months now in bugzilla, but have not been picked up, despite various
    reminders and without any reason given.

    Google shows that numerous people are hitting this issue. The issue is in
    itself relatively minor, but the bug in the code is clear.

    The patches have been in all my kernels and today testing has shown that
    throttling works correctly with the patches applied when the system
    overheats (http://bugzilla.kernel.org/show_bug.cgi?id=13918#c14).

    Signed-off-by: Frans Pop
    Acked-by: Zhang Rui
    Cc: Len Brown
    Cc: "Rafael J. Wysocki"
    Cc: Rusty Russell
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Frans Pop
     
  • Summary:
    Kernel panic arise when stack protection is enabled, since strncat will
    add a null terminating byte '\0'; So in functions
    like this one (wmi_query_block):
    char wc[4]="WC";
    ....
    strncat(method, block->object_id, 2);
    ...
    the length of wc should be n+1 (wc[5]) or stack protection
    fault will arise. This is not noticeable when stack protection is
    disabled,but , isn't good either.
    Config used: [CONFIG_CC_STACKPROTECTOR_ALL=y,
    CONFIG_CC_STACKPROTECTOR=y]

    Panic Trace
    ------------
    .... stack-protector: kernel stack corrupted in : fa7b182c
    2.6.30-rc8-obelisco-generic
    call_trace:
    [] ? panic+0x45/0xd9
    [] ? __stack_chk_fail+0x1c/0x40
    [] ? wmi_query_block+0x15a/0x162 [wmi]
    [] ? wmi_query_block+0x15a/0x162 [wmi]
    [] ? acer_wmi_init+0x00/0x61a [acer_wmi]
    [] ? acer_wmi_init+0x135/0x61a [acer_wmi]
    [] ? do_one_initcall+0x50+0x126

    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13514

    Signed-off-by: Costantino Leandro
    Signed-off-by: Carlos Corbacho
    Cc: Len Brown
    Cc: Bjorn Helgaas
    Cc: "Rafael J. Wysocki"
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Costantino Leandro
     
  • Jens reported early_ioremap messages with old ASUS board...

    > [ 1.507461] pci 0000:00:09.0: Firmware left e100 interrupts enabled; disabling
    > [ 1.532778] early_ioremap(3fffd080, 0000005c) [0] => Pid: 1, comm: swapper Not tainted 2.6.31-rc4 #36
    > [ 1.561007] Call Trace:
    > [ 1.568638] [] ? printk+0x18/0x1d
    > [ 1.581734] [] __early_ioremap+0x74/0x1e9
    > [ 1.596898] [] early_ioremap+0x1a/0x1c
    > [ 1.611270] [] __acpi_map_table+0x18/0x1a
    > [ 1.626451] [] acpi_os_map_memory+0x1d/0x25
    > [ 1.642129] [] acpi_tb_verify_table+0x20/0x49
    > [ 1.658321] [] acpi_get_table_with_size+0x53/0xa1
    > [ 1.675553] [] acpi_get_table+0x10/0x15
    > [ 1.690192] [] acpi_processor_init+0x23/0xab
    > [ 1.706126] [] do_one_initcall+0x33/0x180
    > [ 1.721279] [] ? acpi_processor_init+0x0/0xab
    > [ 1.737479] [] ? register_irq_proc+0xaa/0xc0
    > [ 1.753411] [] ? init_irq_proc+0x67/0x80
    > [ 1.768316] [] kernel_init+0x120/0x176
    > [ 1.782678] [] ? kernel_init+0x0/0x176
    > [ 1.797062] [] kernel_thread_helper+0x7/0x10
    > [ 1.812984] 00000080 + ffe00000

    that is rather later.
    acpi_gbl_permanent_mmap should be set in acpi_early_init()
    if acpi is not disabled

    and we have
    > [ 0.000000] ASUS P2B-DS detected: force use of acpi=ht

    just don't load acpi_processor_init...

    Reported-and-tested-by: Jens Rosenboom
    Signed-off-by: Yinghai Lu
    Acked-by: Ingo Molnar
    Cc: Len Brown
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Yinghai Lu
     
  • The return value of the get_temp function is not checked when doing a
    thermal zone update. This may lead to a critical shutdown if get_temp
    fails and the content of the temp variable is incorrectly set higher than
    the critical trip point.

    This has been observed on a system with incorrect ACPI implementation
    where the corresponding methods were not serialized and therefore
    sometimes triggered ACPI errors (AE_ALREADY_EXISTS). The following
    critical shutdowns indicated a temperature of 2097 C, which was obviously
    wrong.

    The patch adds a return value check that jumps over all trip point
    evaluations printing a warning if get_temp fails. The trip points are
    evaluated again on the next polling interval with successful get_temp
    execution.

    Signed-off-by: Michael Brunner
    Acked-by: Zhang Rui
    Cc: Len Brown
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Michael Brunner
     
  • Spotted by Hiroshi Shimamoto who also provided the test-case below.

    copy_process() uses signal->count as a reference counter, but it is not.
    This test case

    #include
    #include
    #include
    #include
    #include
    #include

    void *null_thread(void *p)
    {
    for (;;)
    sleep(1);

    return NULL;
    }

    void *exec_thread(void *p)
    {
    execl("/bin/true", "/bin/true", NULL);

    return null_thread(p);
    }

    int main(int argc, char **argv)
    {
    for (;;) {
    pid_t pid;
    int ret, status;

    pid = fork();
    if (pid < 0)
    break;

    if (!pid) {
    pthread_t tid;

    pthread_create(&tid, NULL, exec_thread, NULL);
    for (;;)
    pthread_create(&tid, NULL, null_thread, NULL);
    }

    do {
    ret = waitpid(pid, &status, 0);
    } while (ret == -1 && errno == EINTR);
    }

    return 0;
    }

    quickly creates an unkillable task.

    If copy_process(CLONE_THREAD) races with de_thread()
    copy_signal()->atomic(signal->count) breaks the signal->notify_count
    logic, and the execing thread can hang forever in kernel space.

    Change copy_process() to increment count/live only when we know for sure
    we can't fail. In this case the forked thread will take care of its
    reference to signal correctly.

    If copy_process() fails, check CLONE_THREAD flag. If it it set - do
    nothing, the counters were not changed and current belongs to the same
    thread group. If it is not set, ->signal must be released in any case
    (and ->count must be == 1), the forked child is the only thread in the
    thread group.

    We need more cleanups here, in particular signal->count should not be used
    by de_thread/__exit_signal at all. This patch only fixes the bug.

    Reported-by: Hiroshi Shimamoto
    Tested-by: Hiroshi Shimamoto
    Signed-off-by: Oleg Nesterov
    Acked-by: Roland McGrath
    Cc: KAMEZAWA Hiroyuki
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Oleg Nesterov
     
  • An mlocked page might lose the isolatation race. This causes the page to
    clear PG_mlocked while it remains in a VM_LOCKED vma. This means it can
    be put onto the [in]active list. We can rescue it by using try_to_unmap()
    in shrink_page_list().

    But now, As Wu Fengguang pointed out, vmscan has a bug. If the page has
    PG_referenced, it can't reach try_to_unmap() in shrink_page_list() but is
    put into the active list. If the page is referenced repeatedly, it can
    remain on the [in]active list without being moving to the unevictable
    list.

    This patch fixes it.

    Reported-by: Wu Fengguang
    Signed-off-by: Minchan Kim
    Reviewed-by: KOSAKI Motohiro <
    Cc: Lee Schermerhorn
    Acked-by: Rik van Riel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Minchan Kim
     
  • It's problematic to allow signed element_nr's or total's to be passed as
    part of the flex array API.

    flex_array_alloc() allows total_nr_elements to be set to a negative
    quantity, which is obviously erroneous.

    flex_array_get() and flex_array_put() allows negative array indices in
    dereferencing an array part, which could address memory mapped before
    struct flex_array.

    The fix is to convert all existing element_nr formals to be qualified as
    unsigned. Existing checks to compare it to total_nr_elements or the max
    array size based on element_size need not be changed.

    Signed-off-by: David Rientjes
    Cc: Dave Hansen
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    David Rientjes
     
  • The `parts' member of struct flex_array should evaluate to an incomplete
    type so that sizeof() cannot be used and C99 does not require the
    zero-length specification.

    Signed-off-by: David Rientjes
    Acked-by: Dave Hansen
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    David Rientjes
     
  • flex_array_free_parts() does not take `src' or `element_nr' formals, so
    remove their respective comments.

    Signed-off-by: David Rientjes
    Acked-by: Dave Hansen
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    David Rientjes
     
  • If all array elements fit into the base structure and data is copied using
    flex_array_put() starting at a non-zero index, flex_array_get() will fail
    to return the data.

    This fixes the bug by only checking for NULL parts when all elements do
    not fit in the base structure when flex_array_get() is used. Otherwise,
    fa_element_to_part_nr() will always be 0 since there are no parts
    structures needed and such element may never have been put. Thus, it will
    remain NULL due to the kzalloc() of the base.

    Additionally, flex_array_put() now only checks for a NULL part when all
    elements do not fit in the base structure. This is otherwise unnecessary
    since the base structure is guaranteed to exist (or we would have already
    hit a NULL pointer).

    Signed-off-by: David Rientjes
    Acked-by: Dave Hansen
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    David Rientjes
     
  • Fix incorrect verdict check and returns error if device_create failed,
    otherwise driver triggers kernel oops.

    Signed-off-by: Joonwoo Park
    Cc: Rodolfo Giometti
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Joonwoo Park
     
  • ima_counts_get() calls ima_iint_find_insert_get() which takes a reference
    to the iint in question, but does not put that reference at the end of the
    function. This can lead to a nasty memory leak. Easy enough to reproduce:

    #include
    #include

    int main (void)
    {
    int i;
    void *ptr;

    for (i=0; i < 100000; i++) {
    ptr = mmap(NULL, 4096, PROT_READ|PROT_WRITE,
    MAP_SHARED|MAP_ANONYMOUS, -1, 0);
    if (ptr == MAP_FAILED)
    return 2;
    munmap(ptr, 4096);
    }

    return 0;
    }

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     
  • Signed-off-by: Geert Uytterhoeven
    Acked-by: Greg Ungerer

    Geert Uytterhoeven
     
  • arch/m68k/include/asm/pgtable_mm.h:148:1: warning: "pgprot_noncached" redefined
    In file included from arch/m68k/include/asm/pgtable_mm.h:138,
    from arch/m68k/include/asm/pgtable.h:4,
    from include/linux/mm.h:40,
    from include/linux/pagemap.h:7,
    from include/linux/blkdev.h:12,
    from arch/m68k/emu/nfblock.c:17:
    include/asm-generic/pgtable.h:133:1: warning: this is the location of the previous definition

    pgprot_noncached() should be defined _before_ including asm-generic/pgtable.h

    Signed-off-by: Alexey Dobriyan
    Signed-off-by: Geert Uytterhoeven

    Alexey Dobriyan
     
  • arch/m68k/include/asm/motorola_pgalloc.h: In function 'pte_alloc_one':
    arch/m68k/include/asm/motorola_pgalloc.h:44: warning: passing argument 1 of 'kunmap' from incompatible pointer type

    Also, remove unneeded test for kmap() failure.

    Signed-off-by: Andrew Morton
    Signed-off-by: Geert Uytterhoeven

    Andrew Morton
     
  • With the postfix decrement cnt reaches -1 rather than 0.

    Signed-off-by: Roel Kluin
    Cc: Geert Uytterhoeven
    Signed-off-by: Andrew Morton
    Signed-off-by: Geert Uytterhoeven

    Roel Kluin
     
  • With while (count++ < 50) { ... } count can reach 51, not 50, so we
    shouldn't give an error message on a count of 50.

    [akpm@linux-foundation.org: coding-style fixes]
    Signed-off-by: Roel Kluin
    Cc: Geert Uytterhoeven
    Signed-off-by: Andrew Morton
    Signed-off-by: Geert Uytterhoeven

    Roel Kluin