Oleg Nesterov [Sun, 8 Jun 2008 17:20:41 +0000 (21:20 +0400)]
sched: fix TASK_WAKEKILL vs SIGKILL race
schedule() has the special "TASK_INTERRUPTIBLE && signal_pending()" case,
this allows us to do
current->state = TASK_INTERRUPTIBLE;
schedule();
without fear to sleep with pending signal.
However, the code like
current->state = TASK_KILLABLE;
schedule();
is not right, schedule() doesn't take TASK_WAKEKILL into account. This means
that mutex_lock_killable(), wait_for_completion_killable(), down_killable(),
schedule_timeout_killable() can miss SIGKILL (and btw the second SIGKILL has
no effect).
Introduce the new helper, signal_pending_state(), and change schedule() to
use it. Hopefully it will have more users, that is why the task's state is
passed separately.
Note this "__TASK_STOPPED | __TASK_TRACED" check in signal_pending_state().
This is needed to preserve the current behaviour (ptrace_notify). I hope
this check will be removed soon, but this (afaics good) change needs the
separate discussion.
The fast path is "(state & (INTERRUPTIBLE | WAKEKILL)) + signal_pending(p)",
basically the same that schedule() does now. However, this patch of course
bloats schedule().
Ben Collins [Thu, 5 Jun 2008 23:10:21 +0000 (19:10 -0400)]
mmc: Fix crash in mmc_block on 64-bit
Fairly simple. "dev_use" was being allocated as a zero length array
because of bad math on 64-bit systems, causing a crash in
find_first_zero_bit(). One-liner follows:
Signed-off-by: Ben Collins <ben.collins@canonical.com> Acked-by: Pierre Ossman <drzeus@drzeus.cx> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Thu, 5 Jun 2008 21:29:53 +0000 (14:29 -0700)]
Merge branch 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus
* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus:
Fix divide by zero error in build_clear_page() and build_copy_page()
[MIPS] Fix typo in header guard
[MIPS] Fix build error - Delete debugging crap that crept in with CMP
[MIPS] Add accessors for random register.
[MIPS] IP27: misc fixes
[MIPS] IP27: Fix clockevent setup
[MIPS] IP27: Fix bootmem memory setup
[MIPS] remove CONFIG_CPU_R4000 line from Makefile
[MIPS] Fix check for valid stack pointer during backtrace
[MIPS] Add missing braces to pte_mkyoung
[MIPS] R4700: Fix build_tlb_probe_entry
[MIPS] Alchemy: dbdma: add API to delete custom DDMA device ids.
[MIPS] Alchemy: export get_au1x00_speed for modules
Chris Wright [Wed, 4 Jun 2008 16:16:33 +0000 (09:16 -0700)]
asn1: additional sanity checking during BER decoding
- Don't trust a length which is greater than the working buffer.
An invalid length could cause overflow when calculating buffer size
for decoding oid.
- An oid length of zero is invalid and allows for an off-by-one error when
decoding oid because the first subid actually encodes first 2 subids.
- A primitive encoding may not have an indefinite length.
Thanks to Wei Wang from McAfee for report.
Cc: Steven French <sfrench@us.ibm.com> Cc: stable@kernel.org Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
David Howells [Thu, 5 Jun 2008 16:07:35 +0000 (17:07 +0100)]
FRV: ip_fast_csum() requires a memory clobber on its inline asm
ip_fast_csum() requires a memory clobber on its inline asm as it accesses
memory in a fashion that gcc can't predict.
The GCC manual says:
If your assembler instructions access memory in an unpredictable
fashion, add `memory' to the list of clobbered registers. This will
cause GCC to not keep memory values cached in registers across the
assembler instruction and not optimize stores or loads to that memory.
The bug hasn't been noticed in FRV, but it has been seen in PA-RISC.
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Changes in the generic bootmem code broke memory setup for IP27. This
patch fixes this by replacing lots of special IP27 code with generic
bootmon code. This has been tested only on a single node.
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de> Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[MIPS] Fix check for valid stack pointer during backtrace
The newly added check for valid stack pointer address breaks at least for
64bit kernels. Use __get_user() for accessing stack content to avoid crashes,
when doing the backtrace.
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de> Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Ilpo Järvinen [Fri, 2 May 2008 11:08:20 +0000 (14:08 +0300)]
[MIPS] Add missing braces to pte_mkyoung
Only the version pte_mkyoung for 36-bit pagetables on 32-bit hw was
affected and with this bug being around since November 29, 2004 there
is evidence to suport the assumption it was benign ;-)
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Hugh Dickins [Thu, 5 Jun 2008 13:44:39 +0000 (14:44 +0100)]
libata: fix G5 SATA broken on -rc5
Fix G5 SATA irq 18: nobody cared, reported on -rc5 by Olaf Hering:
fixlet to a57c1bade5a0ee5cd8b74502db9cbebb7f5780b2 libata-sff:
Fix oops reported in kerneloops.org for pnp devices with no ctl
Signed-off-by: Hugh Dickins <hugh@veritas.com> Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk> Tested-by: Olaf Hering <olaf@aepfle.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Michael Krufky [Sat, 31 May 2008 21:18:55 +0000 (18:18 -0300)]
V4L/DVB (7983): tda18271_calc_rf_cal must return the return value of tda18271_lookup_map
On the TDA18271HD/C1, we perform RF tracking filter correction for VHF low
band, only. If supplied a frequency out of range, the error must be returned
to the caller (tda18271c1_rf_tracking_filter_calibration) so that it can
decide whether or not to write to register EB14, RFC_CPROG[7:0]
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
LD .tmp_vmlinux1
drivers/built-in.o: In function `generic_set_freq':
tuner-xc2028.c:(.text+0xbd896): undefined reference to `request_firmware'
tuner-xc2028.c:(.text+0xbdd7a): undefined reference to `release_firmware'
drivers/built-in.o: In function `xc_load_fw_and_init_tuner':
xc5000.c:(.text+0xc68e6): undefined reference to `request_firmware'
xc5000.c:(.text+0xc6abe): undefined reference to `release_firmware'
the reason is another kconfig tool bug that has to be worked around in
the driver's Kconfig file: if FW_LOADER is selected in a second
dependency, that is not properly propagated up the dependencies.
in this case, FW_LOADER is selected from MEDIA_TUNER_XC2028:
config MEDIA_TUNER_XC2028
tristate "XCeive xc2028/xc3028 tuners"
depends on VIDEO_MEDIA && I2C
depends on HOTPLUG
select FW_LOADER
which got selected by MEDIA_TUNER:
config MEDIA_TUNER
tristate
default VIDEO_MEDIA && I2C
depends on VIDEO_MEDIA && I2C
select FW_LOADER if !MEDIA_TUNER_CUSTOMIZE && HOTPLUG
but the kconfig tool did not pick up this second-order dependency and
allowed CONFIG_FW_LOADER=m to be selected - in which case the build
fails.
the workaround i found was to move the select of FW_LOADER one level up,
so that the buggy kconfig tool can notice it and can act appropriately.
This problem can probably be worked around in other ways as well, i went
for the minimal fix.
Obviously, the kconfig tool should be fixed, it is not reasonable to
expect driver authors to do manual dependency resolution (that kconfig
itself already does) and uglify the Kconfig files. The kconfig tool did
nothing to warn about this situation and did not prevent this faulty
.config from being constructed.
But there was no warning in Documentation/feature-removal-schedule.txt
and I'm receiving reports that it's breaking userspace apps (the
gstreamer-v4l2 plugin breaks in Fedora rawhide). You can't just pull
things from the published userspace API like that.
Please can we revert the addition of _DEPRECATED to these ioctl
definitions. Perhaps we can add a runtime warning if they actually get
used? Or a compile-time warning if we can manage that?
Signed-off-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Create a macro to report the number of instances of the tuner driver
currently in use. This will allow drivers to perform specific cleanups
before destroying the last instance of a tuner.
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Hans Verkuil [Sun, 25 May 2008 14:21:27 +0000 (11:21 -0300)]
V4L/DVB (7931): cx18: allow for simultaneous digital and analog capture
The HVR-1600 can do both analog and digital capture at the same time.
Due to a driver bug -EBUSY would be returned when attempting to setup an
analog capture while a digital capture was already in progress.
Separate the two internally.
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Andy Walls [Mon, 26 May 2008 04:31:17 +0000 (01:31 -0300)]
V4L/DVB (7922): tuner-simple: fix tuner_warn() induced kernel oops in simple_tuner_attach()
The tuner_warn() macro relies on the local variable "priv" to be a valid
pointer. There was a case in simple_tuner_attach() where this cannot be the
case yet, so tuner_warn() would dereference a NULL "priv" pointer. Changed
the tuner_warn() to a printk() with the originally intended output format.
Signed-off-by: Andy Walls <awalls@radix.net> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Michael Krufky [Sun, 25 May 2008 02:48:16 +0000 (23:48 -0300)]
V4L/DVB (7918): au0828: remove irrelevent analog tuner standby code
This code is irrelevant to this driver and should be removed. This was
copied from a hack in cx88-dvb.c, which prevents noise coming from the
analog tuner (via an audio patch cable from the pci card to the sound
hardware) when in digital mode by muting the tda988x. This issue does
not apply to this USB hybrid chip design, where a single piece of
silicon handles both analog and digital demodulation.
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Adrian Bunk [Mon, 26 May 2008 17:23:49 +0000 (14:23 -0300)]
V4L/DVB (7908): always enter drivers/media/video/
After commit 039d40019f3c5e26ea50ec5af4270189f63365e1
(V4L/DVB (7898): Fix VIDEO_MEDIA Kconfig logic)
VIDEO_MEDIA is no longer usable in Makefile's for deciding
which directories we enter, resulting in compile errors like the
following with CONFIG_VIDEO_DEV=y, CONFIG_DVB_CORE=m:
Andrew Morton [Thu, 15 May 2008 02:14:04 +0000 (23:14 -0300)]
V4L/DVB (7901): zoran: use correct type for CPU flags
locking-add-typecheck-on-irqsave-and-friends-for-correct-flags.patch will cause
drivers/media/video/zoran_driver.c: In function 'zoran_close_end_session':
drivers/media/video/zoran_driver.c:1172: warning: comparison of distinct pointer types lacks a cast
Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (56 commits)
l2tp: Fix possible oops if transmitting or receiving when tunnel goes down
tcp: Fix for race due to temporary drop of the socket lock in skb_splice_bits.
tcp: Increment OUTRSTS in tcp_send_active_reset()
raw: Raw socket leak.
lt2p: Fix possible WARN_ON from socket code when UDP socket is closed
USB ID for Philips CPWUA054/00 Wireless USB Adapter 11g
ssb: Fix context assertion in ssb_pcicore_dev_irqvecs_enable
libertas: fix command size for CMD_802_11_SUBSCRIBE_EVENT
ipw2200: expire and use oldest BSS on adhoc create
airo warning fix
b43legacy: Fix controller restart crash
sctp: Fix ECN markings for IPv6
sctp: Flush the queue only once during fast retransmit.
sctp: Start T3-RTX timer when fast retransmitting lowest TSN
sctp: Correctly implement Fast Recovery cwnd manipulations.
sctp: Move sctp_v4_dst_saddr out of loop
sctp: retran_path update bug fix
tcp: fix skb vs fack_count out-of-sync condition
sunhme: Cleanup use of deprecated calls to save_and_cli and restore_flags.
xfrm: xfrm_algo: correct usage of RIPEMD-160
...
James Chapman [Wed, 4 Jun 2008 22:54:07 +0000 (15:54 -0700)]
l2tp: Fix possible oops if transmitting or receiving when tunnel goes down
Some problems have been experienced in the field which cause an oops
in the pppol2tp driver if L2TP tunnels fail while passing data.
The pppol2tp driver uses private data that is referenced via the
sk->sk_user_data of its UDP and PPPoL2TP sockets. This patch makes
sure that the driver uses sock_hold() when it holds a reference to the
sk pointer. This affects its sendmsg(), recvmsg(), getname(),
[gs]etsockopt() and ioctl() handlers.
Tested by ISP where problem was seen. System has been up 10 days with
no oops since running this patch. Without the patch, an oops would
occur every 1-2 days.
Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
tcp: Fix for race due to temporary drop of the socket lock in skb_splice_bits.
skb_splice_bits temporary drops the socket lock while iterating over
the socket queue in order to break a reverse locking condition which
happens with sendfile. This, however, opens a window of opportunity
for tcp_collapse() to aggregate skbs and thus potentially free the
current skb used in skb_splice_bits and tcp_read_sock.
This patch fixes the problem by (re-)getting the same "logical skb"
after the lock has been temporary dropped.
Based on idea and initial patch from Evgeniy Polyakov.
Signed-off-by: Octavian Purdila <opurdila@ixiacom.com> Acked-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
Corked packet is allocated via sock_wmalloc which holds the owner socket,
so one should uncork it and flush all pending data on close. Do this in the
same way as in UDP.
Signed-off-by: Denis V. Lunev <den@openvz.org> Acked-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
James Chapman [Wed, 4 Jun 2008 22:07:32 +0000 (15:07 -0700)]
lt2p: Fix possible WARN_ON from socket code when UDP socket is closed
If an L2TP daemon closes a tunnel socket while packets are queued in
the tunnel's reorder queue, a kernel warning is logged because the
socket is closed while skbs are still referencing it. The fix is to
purge the queue in the socket's release handler.
Dan Williams [Thu, 29 May 2008 18:38:28 +0000 (14:38 -0400)]
ipw2200: expire and use oldest BSS on adhoc create
If there are no networks on the free list, expire the oldest one when
creating a new adhoc network. Because ipw2200 and the ieee80211 stack
don't actually cull old networks and place them back on the free list
unless they are needed for new probe responses, over time the free list
would become empty and creating an adhoc network would fail due to the !
list_empty(...) check.
Signed-off-by: Dan Williams <dcbw@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Andrew Morton [Wed, 28 May 2008 19:40:39 +0000 (12:40 -0700)]
airo warning fix
WARNING: space prohibited between function name and open parenthesis '('
#22: FILE: drivers/net/wireless/airo.c:2907:
+ while ((IN4500 (ai, COMMAND) & COMMAND_BUSY) && (delay < 10000)) {
total: 0 errors, 1 warnings, 8 lines checked
./patches/wireless-airo-waitbusy-wont-delay.patch has style problems, please review. If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
Please run checkpatch prior to sending patches
Cc: Dan Williams <dcbw@redhat.com> Cc: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Vlad Yasevich [Wed, 4 Jun 2008 19:40:15 +0000 (12:40 -0700)]
sctp: Fix ECN markings for IPv6
Commit e9df2e8fd8fbc95c57dbd1d33dada66c4627b44c ("[IPV6]: Use
appropriate sock tclass setting for routing lookup.") also changed the
way that ECN capable transports mark this capability in IPv6. As a
result, SCTP was not marking ECN capablity because the traffic class
was never set. This patch brings back the markings for IPv6 traffic.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich [Wed, 4 Jun 2008 19:39:36 +0000 (12:39 -0700)]
sctp: Flush the queue only once during fast retransmit.
When fast retransmit is triggered by a sack, we should flush the queue
only once so that only 1 retransmit happens. Also, since we could
potentially have non-fast-rtx chunks on the retransmit queue, we need
make sure any chunks eligable for fast retransmit are sent first
during fast retransmission.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Tested-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich [Wed, 4 Jun 2008 19:39:11 +0000 (12:39 -0700)]
sctp: Start T3-RTX timer when fast retransmitting lowest TSN
When we are trying to fast retransmit the lowest outstanding TSN, we
need to restart the T3-RTX timer, so that subsequent timeouts will
correctly tag all the packets necessary for retransmissions.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Tested-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich [Wed, 4 Jun 2008 19:38:43 +0000 (12:38 -0700)]
sctp: Correctly implement Fast Recovery cwnd manipulations.
Correctly keep track of Fast Recovery state and do not reduce
congestion window multiple times during sucht state.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Tested-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Gui Jianfeng [Wed, 4 Jun 2008 19:38:07 +0000 (12:38 -0700)]
sctp: Move sctp_v4_dst_saddr out of loop
There's no need to execute sctp_v4_dst_saddr() for each
iteration, just move it out of loop.
Signed-off-by: Gui Jianfeng <guijianfeng@cn.fujitsu.com> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Gui Jianfeng [Wed, 4 Jun 2008 19:37:33 +0000 (12:37 -0700)]
sctp: retran_path update bug fix
If the current retran_path is the only active one, it should
update it to the the next inactive one.
Signed-off-by: Gui Jianfeng <guijianfeng@cn.fujitsu.com> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Ilpo Järvinen [Wed, 4 Jun 2008 19:07:44 +0000 (12:07 -0700)]
tcp: fix skb vs fack_count out-of-sync condition
This bug is able to corrupt fackets_out in very rare cases.
In order for this to cause corruption:
1) DSACK in the middle of previous SACK block must be generated.
2) In order to take that particular branch, part or all of the
DSACKed segment must already be SACKed so that we have that
in cache in the first place.
3) The new info must be top enough so that fackets_out will be
updated on this iteration.
...then fack_count is updated while skb wasn't, then we walk again
that particular segment thus updating fack_count twice for
a single skb and finally that value is assigned to fackets_out
by tcp_sacktag_one.
It is safe to call tcp_sacktag_one just once for a segment (at
DSACK), no need to call again for plain SACK.
Potential problem of the miscount are limited to premature entry
to recovery and to inflated reordering metric (which could even
cancel each other out in the most the luckiest scenarios :-)).
Both are quite insignificant in worst case too and there exists
also code to reset them (fackets_out once sacked_out becomes zero
and reordering metric on RTO).
This has been reported by a number of people, because it occurred
quite rarely, it has been very evasive. Andy Furniss was able to
get it to occur couple of times so that a bit more info was
collected about the problem using a debug patch, though it still
required lot of checking around. Thanks also to others who have
tried to help here.
This is listed as Bugzilla #10346. The bug was introduced by
me in commit 68f8353b48 ([TCP]: Rewrite SACK block processing &
sack_recv_cache use), I probably thought back then that there's
need to scan that entry twice or didn't dare to make it go
through it just once there. Going through twice would have
required restoring fack_count after the walk but as noted above,
I chose to drop the additional walk step altogether here.
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
This patch fixes the usage of RIPEMD-160 in xfrm_algo which in turn
allows hmac(rmd160) to be used as authentication mechanism in IPsec
ESP and AH (see RFC 2857).
Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>