Suresh Siddha [Tue, 15 Aug 2006 07:03:01 +0000 (00:03 -0700)]
[NET]: Fix potential stack overflow in net/core/utils.c
On High end systems (1024 or so cpus) this can potentially cause stack
overflow. Fix the stack usage.
Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 15 Aug 2006 00:08:36 +0000 (17:08 -0700)]
[VLAN]: Make sure bonding packet drop checks get done in hwaccel RX path.
Since __vlan_hwaccel_rx() is essentially bypassing the
netif_receive_skb() call that would have occurred if we did the VLAN
decapsulation in software, we are missing the skb_bond() call and the
assosciated checks it does.
Export those checks via an inline function, skb_bond_should_drop(),
and use this in __vlan_hwaccel_rx().
Signed-off-by: David S. Miller <davem@davemloft.net>
In some situations PAV alias devices on LPAR are not accessible.
The initialization procedure required to enable access to PAV alias
devices has to be performed per storage server subsystem and not
only once per storage server.
Signed-off-by: Peter Oberparleiter <peter.oberparleiter@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Hans de Goede [Tue, 15 Aug 2006 10:09:27 +0000 (12:09 +0200)]
[PATCH] PATCH: 1 line 2.6.18 bugfix: modpost-64bit-fix.patch
There is a small but annoying bug in scripts/mod/file2alias.c which causes
it to generate invalid aliases for input devices on 64 bit archs. This causes
joydev.ko to not be automaticly loaded when inserting a joystick, resulting in
a non working joystick (for the average user).
In scripts/mod/file2alias.c is the following code for generating the input
aliases:
static void do_input(char *alias,
kernel_ulong_t *arr, unsigned int min, unsigned int max)
{
unsigned int i;
for (i = min; i < max; i++)
if (arr[i / BITS_PER_LONG] & (1 << (i%BITS_PER_LONG)))
sprintf(alias + strlen(alias), "%X,*", i);
}
On 32 bits systems, this correctly generates "0,*" for the first alias, "8,*"
for the second etc.
However on 64 bits it generates: "0,*20,*" resp "8,*28,*" Notice how it adds 20
+ first entry (hex) ! to the list of hex codes, which is 32 more then the first
entry, thus is because the bit test above wraps at 32 bits instead of 64.
scripts/mod/file2alias.c, line 379 reads:
if (arr[i / BITS_PER_LONG] & (1 << (i%BITS_PER_LONG)))
That should be:
if (arr[i / BITS_PER_LONG] & (1L << (i%BITS_PER_LONG)))
Notice the added 'L' after the 1, otherwise that is an 32 bit int instead of a
64 bit long, and when that int gets shifted >= 32 times, appearantly the number
by which to shift is wrapped at 5 bits ( % 32) causing it to test a bit 32 bits
too low.
The patch below makes the nescesarry 1 char change :)
Signed-off-by: Hans de Goede <j.w.r.degoede@hhs.nl> Acked-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Trond Myklebust [Mon, 14 Aug 2006 15:54:48 +0000 (08:54 -0700)]
[PATCH] fcntl(F_SETSIG) fix
fcntl(F_SETSIG) no longer works on leases because
lease_release_private_callback() gets called as the lease is copied in
order to initialise it.
The problem is that lease_alloc() performs an unnecessary initialisation,
which sets the lease_manager_ops. Avoid the problem by allocating the
target lease structure using locks_alloc_lock().
[PATCH] fbdev: include backlight.h only when __KERNEL__ is defined
linux/backlight.h pulls in header files (eg. ioport.h) that break
compilation of userspace programs. To solve the problem, only include
backlight.h in fb.h if compiling kernel stuff.
Signed-off-by: Michal Januszewski <spock@gentoo.org> Cc: "Antonino A. Daplas" <adaplas@pol.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
john stultz [Mon, 14 Aug 2006 06:24:24 +0000 (23:24 -0700)]
[PATCH] futex_handle_fault always fails
We found this issue last week w/ the -RT kernel, but it seems the same
issue is in mainline as well.
Basically it is possible for futex_unlock_pi to return without actually
freeing the lock. This is due to buggy logic in the use of
futex_handle_fault() and its attempt argument in a failure case.
Looking at futex.c the logic is as follows:
1) In futex_unlock_pi() we start w/ ret=0 and we go down to the first
futex_atomic_cmpxchg_inatomic(), where we find uval==-EFAULT. We then
jump to the pi_faulted label.
2) From pi_faulted: We increment attempt, unlock the sem and hit the
retry label.
3) From the retry label, with ret still zero, we again hit EFAULT on the
first futex_atomic_cmpxchg_inatomic(), and again goto the pi_faulted
label.
4) Again from pi_faulted: we increment attempt and enter the
conditional, where we call futex_handle_fault.
5) futex_handle_fault fails, and we goto the out_unlock_release_sem
label.
6) From out_unlock_release_sem we return, and since ret is still zero,
we return without error, while never actually unlocking the lock.
Issue #1: at the first futex_atomic_cmpxchg_inatomic() we should probably
be setting ret=-EFAULT before jumping to pi_faulted: However in our case
this doesn't really affect anything, as the glibc we're using ignores the
error value from futex_unlock_pi().
Issue #2: Look at futex_handle_fault(), its first conditional will return
-EFAULT if attempt is >= 2. However, from the "if(attempt++)
futex_handle_fault(attempt)" logic above, we'll *never* call
futex_handle_fault when attempt is less then two. So we never get a chance
to even try to fault the page in.
The following patch addresses these two issues by 1) Always setting ret to
-EFAULT if futex_handle_fault fails, and 2) Removing the = in
futex_handle_fault's (attempt >= 2) check.
I'm really not sure this is the right fix, but wanted to bring it up so
folks knew the issue is alive and well in the current -git tree. From
looking at the git logs the logic was first introduced (then later copied
to other places) in the following commit almost a year ago:
Kirill Korotaev [Mon, 14 Aug 2006 06:24:23 +0000 (23:24 -0700)]
[PATCH] sys_getppid oopses on debug kernel
sys_getppid() optimization can access a freed memory. On kernels with
DEBUG_SLAB turned ON, this results in Oops. As Dave Hansen noted, this
optimization is also unsafe for memory hotplug.
Horms [Mon, 14 Aug 2006 06:24:22 +0000 (23:24 -0700)]
[PATCH] Change panic_on_oops message to "Fatal exception"
Previously the message was "Fatal exception: panic_on_oops", as introduced
in a recent patch whith removed a somewhat dangerous call to ssleep() in
the panic_on_oops path. However, Paul Mackerras suggested that this was
somewhat confusing, leadind people to believe that it was panic_on_oops
that was the root cause of the fatal exception. On his suggestion, this
patch changes the message to simply "Fatal exception". A suitable oops
message should already have been displayed.
Signed-off-by: Simon Horman <horms@verge.net.au> Cc: Paul Mackerras <paulus@samba.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Michal Miroslaw [Mon, 14 Aug 2006 06:24:20 +0000 (23:24 -0700)]
[PATCH] dm: BUG/OOPS fix
Fix BUG I tripped on while testing failover and multipathing.
BUG shows up on error path in multipath_ctr() when parse_priority_group()
fails after returning at least once without error. The fix is to
initialize m->ti early - just after alloc()ing it.
Dan Bastone [Mon, 14 Aug 2006 06:24:18 +0000 (23:24 -0700)]
[PATCH] initialize parts of udf inode earlier in create
Eric says:
> I saw an oops down this path when trying to create a new file on a UDF
> filesystem which was internally marked as readonly, but mounted rw:
>
> udf_create
> udf_new_inode
> new_inode
> alloc_inode
> udf_alloc_inode
> udf_new_block
> returns EIO due to readonlyness
> iput (on error)
I ran into the same issue today, but when listing a directory with
invalid/corrupt entries:
udf_lookup
udf_iget
get_new_inode_fast
alloc_inode
udf_alloc_inode
__udf_read_inode
fails for any reason
iput (on error)
...
The following patch to udf_alloc_inode() should take care of both (and
other similar) cases, but I've only tested it with udf_lookup().
Signed-off-by: Dan Bastone <dan@pwienterprises.com> Cc: Eric Sandeen <sandeen@sandeen.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Herbert Xu [Mon, 14 Aug 2006 03:12:58 +0000 (20:12 -0700)]
[INET]: Use pskb_trim_unique when trimming paged unique skbs
The IPv4/IPv6 datagram output path was using skb_trim to trim paged
packets because they know that the packet has not been cloned yet
(since the packet hasn't been given to anything else in the system).
This broke because skb_trim no longer allows paged packets to be
trimmed. Paged packets must be given to one of the pskb_trim functions
instead.
This patch adds a new pskb_trim_unique function to cover the IPv4/IPv6
datagram output path scenario and replaces the corresponding skb_trim
calls with it.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Mark Huang [Mon, 14 Aug 2006 01:57:54 +0000 (18:57 -0700)]
[NETFILTER]: ulog: fix panic on SMP kernels
Fix kernel panic on various SMP machines. The culprit is a null
ub->skb in ulog_send(). If ulog_timer() has already been scheduled on
one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the
queue on another CPU by calling ulog_send() right before it exits,
there will be no skbuff when ulog_timer() acquires the lock and calls
ulog_send(). Cancelling the timer in ulog_send() doesn't help because
it has already been scheduled and is running on the first CPU.
Similar problem exists in ebt_ulog.c and nfnetlink_log.c.
Signed-off-by: Mark Huang <mlhuang@cs.princeton.edu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Fix from Aji_Srinivas@emc.com, STP packets are incorrectly received on
all LLC datagram sockets, whichever interface they are bound to. The
llc_sap datagram receive logic sends packets with a unicast
destination MAC to one socket bound to that SAP and MAC, and multicast
packets to all sockets bound to that SAP. STP packets are multicast,
and we do need to know on which interface they were received.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 14 Aug 2006 01:55:53 +0000 (18:55 -0700)]
[IPSEC]: Validate properly in xfrm_dst_check()
If dst->obsolete is -1, this is a signal from the
bundle creator that we want the XFRM dst and the
dsts that it references to be validated on every
use.
I misunderstood this intention when I changed
xfrm_dst_check() to always return NULL.
Now, when we purge a dst entry, by running dst_free()
on it. This will set the dst->obsolete to a positive
integer, and we want to return NULL in that case so
that the socket does a relookup for the route.
Thus, if dst->obsolete<0, let stale_bundle() validate
the state, else always return NULL.
In general, we need to do things more intelligently
here because we flush too much state during rule
changes. Herbert Xu has some ideas wherein the key
manager gives us some help in this area. We can also
use smarter state management algorithms inside of
the kernel as well.
Signed-off-by: David S. Miller <davem@davemloft.net>
Orjan Friberg [Wed, 9 Aug 2006 06:31:40 +0000 (23:31 -0700)]
USB: usbtest.c: unsigned retval makes ctrl_out return 0 in case of error
In my quest to try and figure out why test 14 (control write) doesn't
work with my EZ-USB board, I noticed that sometimes testusb reported
no error even though the kernel log complained "byte 0 is 0 not 2" etc.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Johannes Berg [Wed, 19 Jul 2006 13:39:46 +0000 (15:39 +0200)]
USB: appletouch: fix atp_disconnect
appletouch uses urb->transfer_dma after having freed the urb, this shows
up only if the system is compiled with slab debugging. This patch fixes
it by reordering the free calls.
Steven Rostedt [Thu, 3 Aug 2006 16:28:11 +0000 (12:28 -0400)]
Add stable branch to maintainers file
While helping someone to submit a patch to the stable branch, I noticed
that the stable branch is not listed in the MAINTAINERS file. This was
after I went there to look for the email addresses for the stable branch
list (stable@kernel.org).
This patch adds the stable branch to the maintainers file so that people
can find where to send patches when they have a fix for the stable team.
Signed-off-by: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Nathan Scott [Thu, 10 Aug 2006 04:40:41 +0000 (14:40 +1000)]
[XFS] Fix xfs_free_extent related NULL pointer dereference.
We recently fixed an out-of-space deadlock in XFS, and part of that fix
involved the addition of the XFS_ALLOC_FLAG_FREEING flag to some of the
space allocator calls to indicate they're freeing space, not allocating
it. There was a missed xfs_alloc_fix_freelist condition test that did not
correctly test "flags". The same test would also test an uninitialised
structure field (args->userdata) and depending on its value either would
or would not return early with a critical buffer pointer set to NULL.
This fixes that up, adds asserts to several places to catch future botches
of this nature, and skips sections of xfs_alloc_fix_freelist that are
irrelevent for the space-freeing case.
Dmitry Mishin [Wed, 9 Aug 2006 09:25:54 +0000 (02:25 -0700)]
[NET]: add_timer -> mod_timer() in dst_run_gc()
Patch from Dmitry Mishin <dim@openvz.org>:
Replace add_timer() by mod_timer() in dst_run_gc
in order to avoid BUG message.
CPU1 CPU2
dst_run_gc() entered dst_run_gc() entered
spin_lock(&dst_lock) .....
del_timer(&dst_gc_timer) fail to get lock
.... mod_timer() <--- puts
timer back
to the list
add_timer(&dst_gc_timer) <--- BUG because timer is in list already.
Found during OpenVZ internal testing.
At first we thought that it is OpenVZ specific as we
added dst_run_gc(0) call in dst_dev_event(),
but as Alexey pointed to me it is possible to trigger
this condition in mainstream kernel.
F.e. timer has fired on CPU2, but the handler was preeempted
by an irq before dst_lock is tried.
Meanwhile, someone on CPU1 adds an entry to gc list and
starts the timer.
If CPU2 was preempted long enough, this timer can expire
simultaneously with resuming timer handler on CPU1, arriving
exactly to the situation described.
Signed-off-by: Dmitry Mishin <dim@openvz.org> Signed-off-by: Kirill Korotaev <dev@openvz.org> Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
Horst Hummel [Wed, 9 Aug 2006 08:30:22 +0000 (10:30 +0200)]
[S390] dasd set offline kernel bug.
The request queue flush function of the dasd driver has to dequeue
the requests first and then call the end request function. Otherwise
a kernel bug in ll_rw_block.c might get triggered.
Signed-off-by: Horst Hummel <horst.hummel@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Tejun Heo [Tue, 8 Aug 2006 05:08:59 +0000 (14:08 +0900)]
[PATCH] libata: clear sdev->locked on door lock failure
SCSI EH locks door if sdev->locked is set. Sometimes door lock
command fails continuously (e.g. when medium is not present) and as
libata uses EH to acquire sense data, this easily creates a loop where
a failed lock door invokes EH and EH issues lock door on completion.
This patch clears sdev->locked on door lock failure to break this
loop. This problem has been spotted and diagnosed by Unicorn Chang
<uchang@tw.ibm.com>.
Signed-off-by: Tejun Heo <htejun@gmail.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
Brice Goglin [Wed, 9 Aug 2006 04:07:53 +0000 (00:07 -0400)]
[PATCH] myri10ge: always re-enable dummy rdmas in myri10ge_resume
Dummy RDMA are always enabled on device startup since commit 9a71db721a2cbb9921b929b2699ab181f5a3c6c0 (to work around buggy
PCIe chipsets which do not implement resending properly). But,
we also need to always re-enable them when resuming the device.
Signed-off-by: Brice Goglin <brice@myri.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
Need to check some more cases in IPX receive. If the skb is purely
fragments, the IPX header needs to be extracted. The function
pskb_may_pull() may in theory invalidate all the pointers in the skb,
so references to ipx header must be refreshed.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 8 Aug 2006 23:47:37 +0000 (16:47 -0700)]
[RTNETLINK]: Fix IFLA_ADDRESS handling.
The ->set_mac_address handlers expect a pointer to a
sockaddr which contains the MAC address, whereas
IFLA_ADDRESS provides just the MAC address itself.
So whip up a sockaddr to wrap around the netlink
attribute for the ->set_mac_address call.
Signed-off-by: David S. Miller <davem@davemloft.net>
In bugzilla #6943, Maxim Britov reported:
"I can enable Logitech quickcam support in .config, but it want be compile.
I have to add into drivers/media/video/Makefile:
obj-$(CONFIG_USB_QUICKCAM_MESSENGER) += usbvideo/"
He's right, just enable that driver as module while disabling every other
driver that gets into that directory, nothing will get compiled.
This patch fixes the Makefile.
Signed-off-by: Diego Calleja <diegocg@gmail.com> Acked-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
V4L/DVB (4395): Restore compat_ioctl in pwc driver
The compat_ioctl support of the pwc driver was dropped during the last update of the driver.
I suppose it was by mistake. If yes here is the patch to restore the support.
Signed-off-by: Luc Van Oostenryck <luc.vanoostenryck@looxix.net> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Michael Chan [Tue, 8 Aug 2006 04:46:02 +0000 (21:46 -0700)]
[TG3]: Fix tx race condition
Fix a subtle race condition between tg3_start_xmit() and tg3_tx()
discovered by Herbert Xu <herbert@gondor.apana.org.au>:
CPU0 CPU1
tg3_start_xmit()
if (tx_ring_full) {
tx_lock
tg3_tx()
if (!netif_queue_stopped)
netif_stop_queue()
if (!tx_ring_full)
update_tx_ring
netif_wake_queue()
tx_unlock
}
Even though tx_ring is updated before the if statement in tg3_tx() in
program order, it can be re-ordered by the CPU as shown above. This
scenario can cause the tx queue to be stopped forever if tg3_tx() has
just freed up the entire tx_ring. The possibility of this happening
should be very rare though.
The following changes are made:
1. Add memory barrier to fix the above race condition.
2. Eliminate the private tx_lock altogether and rely solely on
netif_tx_lock. This eliminates one spinlock in tg3_start_xmit()
when the ring is full.
3. Because of 2, use netif_tx_lock in tg3_tx() before calling
netif_wake_queue().
4. Change TX_BUFFS_AVAIL to an inline function with a memory barrier.
Herbert and David suggested using the memory barrier instead of
volatile.
5. Check for the full wake queue condition before getting
netif_tx_lock in tg3_tx(). This reduces the number of unnecessary
spinlocks when the tx ring is full in a steady-state condition.
6. Update version to 3.65.
Signed-off-by: Michael Chan <mchan@broadcom.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Kirill Korotaev [Tue, 8 Aug 2006 03:44:22 +0000 (20:44 -0700)]
[IPV4]: Limit rt cache size properly.
From: Kirill Korotaev <dev@sw.ru>
During OpenVZ stress testing we found that UDP traffic with random src
can generate too much excessive rt hash growing leading finally to OOM
and kernel panics.
It was found that for 4GB i686 system (having 1048576 total pages and
225280 normal zone pages) kernel allocates the following route hash:
syslog: IP route cache hash table entries: 262144 (order: 8, 1048576
bytes) => ip_rt_max_size = 4194304 entries, i.e. max rt size is 4194304 * 256b = 1Gb of RAM > normal_zone
Attached the patch which removes HASH_HIGHMEM flag from
alloc_large_system_hash() call.
Signed-off-by: David S. Miller <davem@davemloft.net>
Sam Ravnborg [Mon, 7 Aug 2006 19:01:36 +0000 (21:01 +0200)]
kbuild: external modules shall not check config consistency
external modules needs include/linux/autoconf.h and include/config/auto.conf
but skip the integrity test of these. Even with a newer Kconfig file we
shall just proceed since external modules simply uses the kernel source and
shall not attempt to modify it.
Error out if a config fiel is missing since they are mandatory.
Sam Ravnborg [Mon, 7 Aug 2006 18:58:28 +0000 (20:58 +0200)]
kbuild: do not try to build content of initramfs
When a file supplied via CONFIG_INITRAMFS pointed to a file
for which kbuild had a rule to compile it (foo.c => foo.o)
then kbuild would compile the file before adding the
file to the initramfs.
Teach make that files included in initramfs shall not be updated by adding
an 'empty command'. (See "Using Empty Commands" in info make).
Mark Fasheh [Mon, 5 Jun 2006 20:41:00 +0000 (16:41 -0400)]
ocfs2: allocation hints
Record the most recently used allocation group on the allocation context, so
that subsequent allocations can attempt to optimize for contiguousness.
Local alloc especially should benefit from this as the current chain search
tends to let it spew across the disk.
Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
Mark Fasheh [Thu, 4 May 2006 00:46:50 +0000 (17:46 -0700)]
ocfs2: better group descriptor consistency checks
Try to catch corrupted group descriptors with some stronger checks placed in
a couple of strategic locations. Detect a failed resizefs and refuse to
allocate past what bitmap i_clusters allows.
Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
Mark Fasheh [Wed, 3 May 2006 00:54:45 +0000 (17:54 -0700)]
ocfs2: limit cluster bitmap information saved at mount
We were storing cluster count on the ocfs2_super structure, but never
actually using it so remove that. Also, we don't want to populate the
uptodate cache with the unlocked block read - it is technically safe as is,
but we should change it for correctness.
Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>