Herbert Xu [Wed, 8 Nov 2006 06:47:29 +0000 (07:47 +0100)]
[NET]: Add missing UFO initialisations
This bug was unknowingly fixed the GSO patches (or rather, its effect was
unknown at the time).
Thanks to Marco Berizzi's persistence which is documented in the thread
"ipsec tunnel asymmetrical mtu", we now know that it can have highly
non-obvious symptoms.
What happens is that uninitialised uso_size fields can cause packets to
be incorrectly identified as UFO, which means that it does not get
fragmented even if it's over the MTU.
The fix is simple enough.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
from mm/memory.c:
1434 static inline void cow_user_page(struct page *dst, struct page *src, unsigned long va)
1435 {
1436 /*
1437 * If the source page was a PFN mapping, we don't have
1438 * a "struct page" for it. We do a best-effort copy by
1439 * just copying from the original user address. If that
1440 * fails, we just zero-fill it. Live with it.
1441 */
1442 if (unlikely(!src)) {
1443 void *kaddr = kmap_atomic(dst, KM_USER0);
1444 void __user *uaddr = (void __user *)(va & PAGE_MASK);
1445
1446 /*
1447 * This really shouldn't fail, because the page is there
1448 * in the page tables. But it might just be unreadable,
1449 * in which case we just give up and fill the result with
1450 * zeroes.
1451 */
1452 if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE))
1453 memset(kaddr, 0, PAGE_SIZE);
1454 kunmap_atomic(kaddr, KM_USER0);
#### D-cache have to be flushed here.
#### It seems it is just forgotten.
1455 return;
1456
1457 }
1458 copy_user_highpage(dst, src, va);
#### Ok here. flush_dcache_page() called from this func if arch need it
1459 }
Signed-off-by: Dmitriy Monakhov <dmonakhov@openvz.org> Acked-by: David Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Thomas Graf [Tue, 7 Nov 2006 14:30:21 +0000 (15:30 +0100)]
PKT_SCHED: Fix error handling while dumping actions
"return -err" and blindly inheriting the error code in the netlink
failure exception handler causes errors codes to be returned as
positive value therefore making them being ignored by the caller.
May lead to sending out incomplete netlink messages.
Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Dave Jones [Tue, 7 Nov 2006 14:14:04 +0000 (15:14 +0100)]
[CPUFREQ] Make powernow-k7 work on SMP kernels.
Even though powernow-k7 doesn't work in SMP environments,
it can work on an SMP configured kernel if there's only
one CPU present, however recalibrate_cpu_khz was returning
-EINVAL on such kernels, so we failed to init the cpufreq driver.
Signed-off-by: Dave Jones <davej@redhat.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on extension header
matches.
When extension headers occur in the non-first fragment after the fragment
header (possibly with an incorrect nexthdr value in the fragment header)
a rule looking for this extension header will never match.
Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.
Since all extension headers are before the protocol header this makes sure
an extension header is either not present or in the first fragment, where
we can properly parse it.
With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on protocol matches.
When the protocol header doesn't follow the fragment header immediately,
the fragment header contains the protocol number of the next extension
header. When the extension header and the protocol header are sent in
a second fragment a rule like "ip6tables .. -p udp -j DROP" will never
match.
Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.
With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Neil Brown [Sun, 5 Nov 2006 08:03:18 +0000 (09:03 +0100)]
knfsd: Fix race that can disable NFS server.
This is a long standing bug that seems to have only recently become
apparent, presumably due to increasing use of NFS over TCP - many
distros seem to be making it the default.
The SK_CONN bit gets set when a listening socket may be ready
for an accept, just as SK_DATA is set when data may be available.
It is entirely possible for svc_tcp_accept to be called with neither
of these set. It doesn't happen often but there is a small race in
svc_sock_enqueue as SK_CONN and SK_DATA are tested outside the
spin_lock. They could be cleared immediately after the test and
before the lock is gained.
This normally shouldn't be a problem. The sockets are non-blocking so
trying to read() or accept() when ther is nothing to do is not a problem.
However: svc_tcp_recvfrom makes the decision "Should I accept() or
should I read()" based on whether SK_CONN is set or not. This usually
works but is not safe. The decision should be based on whether it is
a TCP_LISTEN socket or a TCP_CONNECTED socket.
Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Thomas Gleixner [Sun, 5 Nov 2006 08:02:46 +0000 (09:02 +0100)]
posix-cpu-timers: prevent signal delivery starvation
The integer divisions in the timer accounting code can round the result
down to 0. Adding 0 is without effect and the signal delivery stops.
Clamp the division result to minimum 1 to avoid this.
Problem was reported by Seongbae Park <spark@google.com>, who provided
also an inital patch.
Roland sayeth:
I have had some more time to think about the problem, and to reproduce it
using Toyo's test case. For the record, if my understanding of the problem
is correct, this happens only in one very particular case. First, the
expiry time has to be so soon that in cputime_t units (usually 1s/HZ ticks)
it's < nthreads so the division yields zero. Second, it only affects each
thread that is so new that its CPU time accumulation is zero so now+0 is
still zero and ->it_*_expires winds up staying zero. For the VIRT and PROF
clocks when cputime_t is tick granularity (or the SCHED clock on
configurations where sched_clock's value only advances on clock ticks), this
is not hard to arrange with new threads starting up and blocking before they
accumulate a whole tick of CPU time. That's what happens in Toyo's test
case.
Note that in general it is fine for that division to round down to zero,
and set each thread's expiry time to its "now" time. The problem only
arises with thread's whose "now" value is still zero, so that now+0 winds up
0 and is interpreted as "not set" instead of ">= now". So it would be a
sufficient and more precise fix to just use max(ticks, 1) inside the loop
when setting each it_*_expires value.
But, it does no harm to round the division up to one and always advance
every thread's expiry time. If the thread didn't already fire timers for
the expiry time of "now", there is no expectation that it will do so before
the next tick anyway. So I followed Thomas's patch in lifting the max out
of the loops.
This patch also covers the reload cases, which are harder to write a test
for (and I didn't try). I've tested it with Toyo's case and it fixes that.
[toyoa@mvista.com: fix: min_t -> max_t] Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Roland McGrath <roland@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
James Morris [Sun, 5 Nov 2006 08:00:45 +0000 (09:00 +0100)]
[IPV6]: fix lockup via /proc/net/ip6_flowlabel (CVE-2006-5619)
There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where,
after finding a flowlabel, the code will loop forever not finding any
further flowlabels, first traversing the rest of the hash bucket then just
looping.
This patch fixes the problem by breaking after the hash bucket has been
traversed.
Note that this bug can cause lockups and oopses, and is trivially invoked
by an unpriveleged user.
Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
[S390] fix user readable uninitialised kernel memory, take 2.
The previous patch to correct the copy_from_user padding is quite
broken. The execute instruction needs to be done via the register %r4,
not via %r2 and 31 bit doesn't know the instructions lgr and ahji.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
[S390] fix user readable uninitialised kernel memory (CVE-2006-5174)
A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
David S. Miller [Sat, 14 Oct 2006 08:35:26 +0000 (10:35 +0200)]
[SPARC64]: Kill bogus check from bootmem_init().
There is an ancient and totally incorrect sanity check being
done on the ramdisk location. The check assumes that the
kernel is always loaded to physical address zero, which is
wrong. It was trying to validate the ramdisk value by saying that
if it fell within the kernel image address range it must be wrong.
Anyways, kill this because it actually creates problems. The
'ramdisk_image' should always be adjusted down by KERNBASE.
SILO can easily put the ramdisk in a location which causes
this test to trigger, breaking things.
[ Based almost entirely upon a patch from Ben Collins. ]
Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
David S. Miller [Sat, 14 Oct 2006 08:33:10 +0000 (10:33 +0200)]
[SPARC64]: Fix sched_clock() wrapping every ~17 seconds.
Unfortunately, sparc64 doesn't have an easy way to do a "64 X 64 -->
128" bit multiply like PowerPC and IA64 do. We were doing a
"64 X 64 --> 64" bit multiple which causes overflow very quickly with
a 30-bit quotient shift.
So use a quotientshift count of 10 instead of 30, just like x86 and
ARM do.
This also fixes the wrapping of printk timestamp values every ~17
seconds.
Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Olaf Hering [Fri, 13 Oct 2006 16:16:26 +0000 (18:16 +0200)]
fbdev: add modeline for 1680x1050@60
Add a modeline for the Philips 200W display. aty128fb does not do DDC, it
picks 1920x1440 or similar. It works ok with nvidiafb because it can ask
for DDC data.
Oliver Endriss [Fri, 13 Oct 2006 16:05:48 +0000 (18:05 +0200)]
v4l/dvb: Backport the budget driver DISEQC instability fix
Backport the budget driver DISEQC instability fix.
Signed-off-by: Oliver Endriss <o.endriss@gmx.de> Signed-off-by: Andrew de Quincey <adq_dvb@lidskialf.net> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Andrew de Quincey <adq_dvb@lidskialf.net> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
The budget-av needs this GPIO set low for most cards to work.
Signed-off-by: Andrew de Quincey <adq_dvb@lidskialf.net> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Ang Way Chuang [Fri, 13 Oct 2006 16:01:44 +0000 (18:01 +0200)]
dvb-core: Proper handling ULE SNDU length of 0 (CVE-2006-4623)
ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
code has a bug that allows an attacker to send a malformed ULE packet
with SNDU length of 0 and bring down the receiving machine. This patch
fix the bug and has been tested on version 2.6.17.11. This bug is 100%
reproducible and the modified source code (GPL) used to produce this bug
will be posted on http://nrg.cs.usm.my/downloads.htm shortly. The
kernel will produce a dump during CRC32 checking on faulty ULE packet.
Signed-off-by: Ang Way Chuang <wcang@nrg.cs.usm.my> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Kirill Korotaev [Fri, 13 Oct 2006 15:58:30 +0000 (17:58 +0200)]
fix fdset leakage
When found, it is obvious. nfds calculated when allocating fdsets is
rewritten by calculation of size of fdtable, and when we are unlucky, we
try to free fdsets of wrong size.
Found due to OpenVZ resource management (User Beancounters).
USB: add YEALINK phones to the HID_QUIRK_IGNORE blacklist
Keys on Yealink based phones will not function properly when using the
generic HID driver. This patch prevents the generic HID code from
grabbing the device before the regular yealink driver can get a grip on
it.
USB: Fix unload oops and memory leak in yealink driver
This patch fixes a memory leak and a kernel oops when trying to unload
the driver, due to an unbalanced cleanup.
Thanks Ivar Jensen for spotting my mistake.
kernel/kmod.c: fix a race condition in usermodehelper.
There is a race between call_usermodehelper_keys, __call_usermodehelper
and wait_for_helper. It should only happen if preemption is enabled or
on a virtualized system.
If the cpu is preempted or put to sleep by the hypervisor in
__call_usermodehelper between the creation of the wait_for_helper
thread and the second check on sub_info->wait, the whole execution
of wait_for_helper including the complete call and the continuation
after the wait_for_completion in call_usermodehelper_keys can have
happened before __call_usermodehelper checks sub_info->wait for the
second time. Since sub_info can already have been clobbered,
sub_info->wait could be zero and complete is called a second time
with an invalid argument. This has happened on s390. It took me only
three days to find out ..
Thanks to Arnd Bergmann for his help to spot this bug.
Kenneth Lee also sent the same patch independently.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
This patch
- works around a bug in the I2C bridge that makes the initialization
of the TDA10046 fail on recent LifeView cards
- puts the AGC output to tristate in sleep mode. This is necessary for
recent hybrid cards that switch the AGC via tristateing.
Signed-off-by: Hartmut Hackmann <hartmut.hackmann@t-online.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org> Acked-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Roland Dreier [Mon, 18 Sep 2006 17:28:17 +0000 (19:28 +0200)]
Convert idr's internal locking to _irqsave variant
Currently, the code in lib/idr.c uses a bare spin_lock(&idp->lock) to do
internal locking. This is a nasty trap for code that might call idr
functions from different contexts; for example, it seems perfectly
reasonable to call idr_get_new() from process context and idr_remove() from
interrupt context -- but with the current locking this would lead to a
potential deadlock.
The simplest fix for this is to just convert the idr locking to use
spin_lock_irqsave().
In particular, this fixes a very complicated locking issue detected by
lockdep, involving the ib_ipoib driver's priv->lock and dev->_xmit_lock,
which get involved with the ib_sa module's query_idr.lock.
Signed-off-by: Roland Dreier <rolandd@cisco.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Michael Rash [Mon, 18 Sep 2006 17:26:29 +0000 (19:26 +0200)]
[TEXTSEARCH]: Fix Boyer Moore initialization bug
The pattern is set after trying to compute the prefix table, which tries
to use it. Initialize it before calling compute_prefix_tbl, make
compute_prefix_tbl consistently use only the data from struct ts_bm
and remove the now unnecessary arguments.
Signed-off-by: Michael Rash <mbr@cipherdyne.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Acked-by: David Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Jay Cliburn [Mon, 18 Sep 2006 17:23:20 +0000 (19:23 +0200)]
via-velocity: fix speed and link status reported by ethtool
The via-velocity driver reports incorrect speed and link detected status
as viewed by ethtool (and probably other tools). This patch fixes those
incorrect reports and prettifies a long line.
Signed-off-by: Jay Cliburn <jacliburn@bellsouth.net> Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Magnus Kessler [Mon, 18 Sep 2006 17:17:43 +0000 (19:17 +0200)]
[AGPGART] VIA PT880 Ultra support.
This patch enables agpgart on a Via "PT880 Ultra" based motherboard
(Asus P4V800D-X). The PCI ID of the PT880 Ultra is 0x0308 instead of
0x0258 of the PT880.
The patched via-agp passes testgart.
Signed-off-by: Magnus Kessler <Magnus.Kessler@gmx.net> Signed-off-by: Dave Jones <davej@redhat.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
- Set outputs to tristate in sleep mode
- Reduce dangerously high firmware download speed with 16MHz xtal
- added tda827x configuration with GPIOs low
- added comments to stupid looking IIC reads that work around bugs in
the tda10046.
- some minor updates
V4L/DVB: Added support for the new Lifeview hybrid cardbus modules
There seem to be many variants of this cards with different
feature sets. This entry supports
analog TV, CVBS and s-video input, FM radio and DVB-T
if they are supported by the hardware.
Michael Krufky [Sat, 16 Sep 2006 21:36:05 +0000 (23:36 +0200)]
V4L/DVB: Medion 7134: Autodetect second bridge chip
The device, Medion 7134, has two saa7134 chips on it, but only one of them
is functional in the current saa7134 driver.
This patch adds autodetection for the second, unsupported saa7134 chip,
as SAA7134_BOARD_MD7134_BRIDGE_2, and displays a message to the user
(in dmesg) indicating that the second chip isn't yet functional.
This is useful for users, since two instances of the saa7134 driver
will spawn. This patch will prevent confusion by warning the user that
only one of the chips on the board are functional.
There are other versions of the SAA7134_BOARD_MD7134 with only a single
saa7134 bridge/decoder -- those devices will not be affected by this patch.
Only devices containing the second chip will display the warning.
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Michael Krufky [Sat, 16 Sep 2006 21:35:11 +0000 (23:35 +0200)]
V4L/DVB: Saa7134: make unsupported secondary decoder message generic
There are already some supported devices that contain two
saa713x chips on-board, where only one of these chips is
currently functional in the driver.
We are already printing a warning message for the second
saa7134 decoder in SAA7134_BOARD_AVERMEDIA_A169_B. This
patch alters that case to make it generic, so that other
cards in the same situation can use it.
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
V4L/DVB: Saa7134: add support for AVerMedia A169 Dual Analog tuner card
- Added support for AVerMedia A169 Dual Analog tuner card
(dual saa7134 decoders - only 1 working right now)
- Added autodetection for both parts of the card.
It shows up like 2 cards, B1 and B
- Enabled tuner B1, SVIDEO on B1 and composite1 through SVIDEO,
FIXME: B is more or less dead at this point and I suspect the
FM-radio is on the B part of the board
Adrian Bunk:
slightly adapted to 2.6.16
Signed-off-by: Rickard Osser <ricky@osser.se> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
V4L/DVB: Kworld ATSC110: initialize the tuner for analog mode on module load
- Enable the tuv1236 tuner on the Kworld-ATSC110 card so that the
tuner can be identified when tuners.ko loads.
- With this change it is no longer necessary to remove and reload
the tuner module in order to get the tuv1236 identified.
- This code was copied from the ATI HDTV Wonder init routine (in cx88-cards.c)
which also uses the TUV1236D.
Signed-off-by: Curt Meyers <cmeyers@boilerbots.com> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Add support for ELSA EX-VISION 700TV, which is the ELSA Japan's
flagship model of the software encoding TV capture card.
All inputs (Television, Composite1 and S-Video) have been tested.
Signed-off-by: Tamuki Shoichi <tamuki@linet.gr.jp> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
V4L/DVB: Added support for the LifeView FlyDVB-T LR301 card
Additionally to the card support, this changeset adds the option
tda10046lifeview to get_dvb_firmware to download tda10046 firmware
from LifeView's site.
Dean Nelson [Wed, 6 Sep 2006 17:25:46 +0000 (19:25 +0200)]
ia64 SGI-SN2: fix silent data corruption caused by XPC
Jack Steiner identified a problem where XPC can cause a silent
data corruption. On module load, the placement may cause the
xpc_remote_copy_buffer to span two physical pages. DMA transfers are
done to the start virtual address translated to physical.
This patch changes the buffer from a statically allocated buffer to a
kmalloc'd buffer. Dean Nelson reviewed this before posting. I have
tested it in the configuration that was showing the memory corruption
and verified it works. I also added a BUG_ON statement to help catch
this if a similar situation is encountered.
Signed-off-by: Robin Holt <holt@sgi.com> Signed-off-by: Dean Nelson <dcn@sgi.com> Signed-off-by: Jack Steiner <steiner@sgi.com> Signed-off-by: Tony Luck <tony.luck@intel.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
[IPV6]: Fix kernel OOPs when setting sticky socket options.
Bug noticed by Remi Denis-Courmont <rdenis@simphalempin.com>.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Turned out to be a race-condition and NULL ptr deref, here's my fix:
Users of the idr code are supposed to call idr_pre_get without locking, so the
idr code must serialize itself with respect to layer allocations. However, it
fails to do so in an error path in idr_get_new_above_int(). I added the
missing locking to fix this.
Signed-off-by: Sonny Rao <sonny@burdell.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
static int unqueue_me(struct futex_q *q)
{
int ret = 0;
spinlock_t *lock_ptr;
/* In the common case we don't take the spinlock, which is nice. */
retry:
lock_ptr = q->lock_ptr;
if (lock_ptr != 0) {
spin_lock(lock_ptr);
/*
* q->lock_ptr can change between reading it and
* spin_lock(), causing us to take the wrong lock. This
* corrects the race condition.
[...]
and my compiler (gcc 4.1.0) makes the following out of it:
00000000000003c8 <unqueue_me>:
3c8: eb bf f0 70 00 24 stmg %r11,%r15,112(%r15)
3ce: c0 d0 00 00 00 00 larl %r13,3ce <unqueue_me+0x6>
3d0: R_390_PC32DBL .rodata+0x2a
3d4: a7 f1 1e 00 tml %r15,7680
3d8: a7 84 00 01 je 3da <unqueue_me+0x12>
3dc: b9 04 00 ef lgr %r14,%r15
3e0: a7 fb ff d0 aghi %r15,-48
3e4: b9 04 00 b2 lgr %r11,%r2
3e8: e3 e0 f0 98 00 24 stg %r14,152(%r15)
3ee: e3 c0 b0 28 00 04 lg %r12,40(%r11)
/* write q->lock_ptr in r12 */
3f4: b9 02 00 cc ltgr %r12,%r12
3f8: a7 84 00 4b je 48e <unqueue_me+0xc6>
/* if r12 is zero then jump over the code.... */
3fc: e3 20 b0 28 00 04 lg %r2,40(%r11)
/* write q->lock_ptr in r2 */
402: c0 e5 00 00 00 00 brasl %r14,402 <unqueue_me+0x3a>
404: R_390_PC32DBL _spin_lock+0x2
/* use r2 as parameter for spin_lock */
So the code becomes more or less:
if (q->lock_ptr != 0) spin_lock(q->lock_ptr)
instead of
if (lock_ptr != 0) spin_lock(lock_ptr)
Which caused the oops from above.
After adding a barrier gcc creates code without this problem:
[...] (the same)
3ee: e3 c0 b0 28 00 04 lg %r12,40(%r11)
3f4: b9 02 00 cc ltgr %r12,%r12
3f8: b9 04 00 2c lgr %r2,%r12
3fc: a7 84 00 48 je 48c <unqueue_me+0xc4>
400: c0 e5 00 00 00 00 brasl %r14,400 <unqueue_me+0x38>
402: R_390_PC32DBL _spin_lock+0x2
As a general note, this code of unqueue_me seems a bit fishy. The retry logic
of unqueue_me only works if we can guarantee, that the original value of
q->lock_ptr is always a spinlock (Otherwise we overwrite kernel memory). We
know that q->lock_ptr can change. I dont know what happens with the original
spinlock, as I am not an expert with the futex code.
Signed-off-by: Christian Borntraeger <borntrae@de.ibm.com> Acked-by: Ingo Molnar <mingo@redhat.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
With the recent fix, the callers of sctp_primitive_ABORT()
need to create an ABORT chunk and pass it as an argument rather
than msghdr that was passed earlier.
Adrian Bunk:
Ported to 2.6.16.
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Willy Tarreau [Thu, 31 Aug 2006 20:02:56 +0000 (22:02 +0200)]
ethtool: fix oops in ethtool_set_pauseparam()
The function pointers which were checked were for their get_* counterparts.
Typically a copy-paste typo.
Signed-off-by: Willy Tarreau <w@1wt.eu> Acked-by: Jeff Garzik <jeff@garzik.org> Acked-by: David Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Herbert Xu [Thu, 31 Aug 2006 19:59:19 +0000 (21:59 +0200)]
ETHTOOL: Fix UFO typo
The function ethtool_get_ufo was referring to ETHTOOL_GTSO instead of
ETHTOOL_GUFO.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Acked-by: Matthew Wilcox <matthew@wil.cx> Signed-off-by: Adrian Bunk <bunk@stusta.de>