Ben Dooks [Mon, 28 May 2007 18:17:54 +0000 (19:17 +0100)]
[MTD] [NAND] nand_base.c: fix type of eccpos pointer
The nand_base.c driver implicitly casts the uint32_t
eccpos array to 'int *', which is not only not guaranteed
to be the same sign as the source, but is not guaranteed
to be the same size.
Fix by changing nand_base.c to use uint32_t
referencing the eccpos fields.
Signed-off-by: Ben Dooks <ben-linux@fluff.org> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
When we mark block bad we have to get chip because this involves
writing to the page's OOB. We hit this bug in UBI - we observed
random obscure crashes when it marks block bad from the background
thread and there is some parallel task which utilizes flash.
This patch also adds a TODO note about BBT table protection which
it seems does not exist.
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Roland Stigge [Wed, 18 Jul 2007 12:56:11 +0000 (14:56 +0200)]
[MTD] [NAND] Fix refactoring of EDB7312 hwcontrol function.
The patch ensures that the current code (kernel 2.6.22) uses the bits
like the code prior to the refactoring. The variable "bits" is employed
in a useful way now.
Signed-off-by: Roland Stigge <stigge@antcom.de> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Thu, 28 Jun 2007 18:49:36 +0000 (19:49 +0100)]
[JFFS2] Fix suspend failure with JFFS2 GC thread.
The try_to_freeze() call was in the wrong place; we need it in the
signal-pending loop now that a pending freeze also makes
signal_pending() return true.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Joakim Tjernlund [Sun, 24 Jun 2007 17:22:29 +0000 (19:22 +0200)]
[JFFS2] Prevent oops after 'node added in wrong place' debug check
jffs2_add_physical_node_ref() should never really return error -- it's
an internal debugging check which triggered. We really need to work out
why and stop it happening. But in the meantime, let's make the failure
mode a little less nasty.
Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
H. Peter Anvin [Thu, 2 Aug 2007 17:50:43 +0000 (13:50 -0400)]
[x86 setup] Document grub < 0.93 as broken
Grub versions older than 0.93 are broken when the kernel setup is bigger than
8K. This was fixed in 2002, and 0.93 was the first grub version which
fixed this bug.
Paul Moore [Wed, 1 Aug 2007 15:12:59 +0000 (11:12 -0400)]
Net/Security: fix memory leaks from security_secid_to_secctx()
The security_secid_to_secctx() function returns memory that must be freed
by a call to security_release_secctx() which was not always happening. This
patch fixes two of these problems (all that I could find in the kernel source
at present).
Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Mon, 30 Jul 2007 20:33:26 +0000 (16:33 -0400)]
SELinux: restore proper NetLabel caching behavior
A small fix to the SELinux/NetLabel glue code to ensure that the NetLabel
cache is utilized when possible. This was broken when the SELinux/NetLabel
glue code was reorganized in the last kernel release.
Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Peter Williams [Thu, 2 Aug 2007 15:41:40 +0000 (17:41 +0200)]
[PATCH] sched: tidy up left over smpnice code
1. The only place that RTPRIO_TO_LOAD_WEIGHT() is used is in the call to
move_tasks() in the function active_load_balance() and its purpose here
is just to make sure that the load to be moved is big enough to ensure
that exactly one task is moved (if there's one available). This can be
accomplished by using ULONG_MAX instead and this allows
RTPRIO_TO_LOAD_WEIGHT() to be deleted.
2. This, in turn, allows PRIO_TO_LOAD_WEIGHT() to be deleted.
3. This allows load_weight() to be deleted which allows
TIME_SLICE_NICE_ZERO to be deleted along with the comment above it.
Signed-off-by: Peter Williams <pwil3058@bigpond.net.au> Signed-off-by: Ingo Molnar <mingo@elte.hu>
USB HID: fix a possible NULL pointer dereference when we fail to allocate memory
If, in usb_hid_configure(), we fail to allocate storage for 'usbhid',
"if (!(usbhid = kzalloc(sizeof(struct usbhid_device), GFP_KERNEL)))",
then we'll jump to the 'fail:' label where we have this code:
        usb_free_urb(usbhid->urbin);
        usb_free_urb(usbhid->urbout);
        usb_free_urb(usbhid->urbctrl);
Since we got here because we couldn't allocate storage for 'usbhid',
what we have here is a NULL pointer dereference - ouch...
This patch solves that little problem by adding a new
'fail_no_usbhid:' label after the problematic calls to
usb_free_urb() and jumps to that one instead, in the problem case.
Some of ASUS' notebooks (e.g. G Series) include a tiny oled display, which is
attached to an internal USB bus. Unfortunately the device reports a wrong
DeviceDescriptor and is therefore identified as a HID device...
Signed-off-by: Christian Lamparter <chunkeey@web.de> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Phil Dibowitz [Mon, 30 Jul 2007 10:00:48 +0000 (12:00 +0200)]
USB HID: Add all Logitech Harmonies to blacklist
This patch adds the entire range of Logitech's ProductIDs that are reserved
for their Harmony remotes. The in-kernel HID driver can't do anything with
these, and now there is a GPL user-space application that can handle them:
http://www.sf.net/projects/harmonycontrol
Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
HID: remove the Apple IR sensor from the hid_blacklist
The IR sensor in some newer Apple computers has no other
driver in the kernel, yet. However, the macmini driver in lirc
requires a HID device for the IR sensor.
Linus Torvalds [Thu, 2 Aug 2007 03:48:54 +0000 (20:48 -0700)]
Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6:
[IA64] ITC: Reduce rating for ITC clock if ITCs are drifty
[IA64] SN2: Fix up sn2_rtc clock
[IA64] Fix wrong access to irq_desc[] in iosapic_register_intr().
[IA64] Fix possible race in destroy_and_reserve_irq()
[IA64] Fix registered interrupt check
[IA64] Remove a few duplicate includes
[IA64] Allow smp_call_function_single() to current cpu
[IA64] fix a few section mismatch warnings
* master.kernel.org:/pub/scm/linux/kernel/git/bart/ide-2.6:
scc_pata: PIO fixes
piix/slc90e66: fix PIO1 handling in ->speedproc method (take 2)
jmicron: PIO fixes
it8213: PIO fixes (take 2)
cs5535: PIO fixes
cs5520: fix PIO auto-tuning in ->ide_dma_check method
drivers/scsi/ide-scsi.c: kmalloc + memset conversion to kzalloc
drivers/ide/arm/icside.c: kmalloc + memset conversion to kzalloc
ide: eliminate warnings in ide-tape.c
ide: fix runtogether printk's in cmd64x IDE driver
sis5513: Add FSC Amilo A1630 PCI subvendor/dev to laptops
alim15x3: Correct HP detect
ide: Fix an overrun found in the CS5535 IDE driver
David Howells [Wed, 1 Aug 2007 18:04:51 +0000 (19:04 +0100)]
FRV: Enable the MB86943 PCI arbiter correctly
Enable the MB93090 motherboard's MB86943 PCI arbiter correctly by assigning to
the register rather than comparing against it. This is required to support
bus mastering.
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Thomas Gleixner [Wed, 1 Aug 2007 15:13:19 +0000 (17:13 +0200)]
genirq: temporary fix for level-triggered IRQ resend
Marcin Slusarz reported a ne2k-pci "hung network interface" regression.
delayed disable relies on the ability to re-trigger the interrupt in the
case that a real interrupt happens after the software disable was set.
In this case we actually disable the interrupt on the hardware level
_after_ it occurred.
On enable_irq, we need to re-trigger the interrupt. On i386 this relies
on a hardware resend mechanism (send_IPI_self()).
Actually we only need the resend for edge type interrupts. Level type
interrupts come back once enable_irq() re-enables the interrupt line.
I assume that the interrupt in question is level triggered because it is
shared and above the legacy irqs 0-15:
17: 12 IO-APIC-fasteoi eth1, eth0
Looking into the IO_APIC code, the resend via send_IPI_self() happens
unconditionally. So the resend is done for level and edge interrupts.
This makes the problem more mysterious.
* Use pio == 255 == "auto-tune" in scc_config_drive_for_dma() instead of
forcing PIO4 on PIO fallback. Fix comment while at it.
* Rename scc_tuneproc() to scc_tune_pio() and add scc_tuneproc() wrapper.
Move finding of the best PIO mode and setting of transfer mode on the device
to the new wrapper.
* Fix scc_tune_chipset() to tune PIO modes. Do a small cleanup while at it.
Acked-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
* Fix cs5535_tuneproc() to pass PIO transfer mode value instead of PIO mode
number to cs5535_set_speed() (fixes random PIO timings being programmed
and a possible OOPS). Do a little cleanup while at it.
* Fix cs5535_set_speed() to check if the mate device is present (fixes PIO0
taskfile timings being used if there is no other device on the cable).
* Use cs5535_tuneproc() in cs5535_dma_check(). The old code had the same
issue as cs5535_tuneproc() and additionally caused 0x00-0x04 transfer
mode values (== default PIO, default PIO w/ IORDY + two invalid values)
being set on the device instead of values 0x08-0x0c (XFER_PIO_[0,4]).
Acked-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
drivers/ide/arm/icside.c: kmalloc + memset conversion to kzalloc
Is this a bug? In original version memset cleared sizeof(state) bytes
instead of sizeof(*state). If it was intentional then this patch is invalid.
If not intentional -> valid :) Please review.
Bart: Yes, it is a bug so this patch is a valid bugfix. :-)
drivers/ide/ide-tape.c: In function '__idetape_kmalloc_stage':
drivers/ide/ide-tape.c:2588: warning: large integer implicitly truncated to unsigned type
drivers/ide/ide-tape.c:2616: warning: large integer implicitly truncated to unsigned type
b_size in struct idetape_bh is an unsigned short. We sometimes assign
PAGE_SIZE to it and PAGE_SIZE can be 64K or larger, so make it a u32.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Jordan Crouse [Wed, 1 Aug 2007 21:46:42 +0000 (23:46 +0200)]
ide: Fix an overrun found in the CS5535 IDE driver
As found by the Coverity checker, and reported by Adrian Bunk, this
fixes an overrun error in the CS5535 IDE driver. Somebody got a little
excited with the if() statement - the CS5535 only supports UDMA 0-4.
Bart:
Not a bug per se since the upper layer will never feed this function
with speed > XFER_UDMA_4 (thanks to ->ultra_mask being set to 0x1f).
Worth fixing anyway.
Signed-off-by: Jordan Crouse <jordan.crouse@amd.com> Cc: Adrian Bunk <bunk@stusta.de> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
[IA64] ITC: Reduce rating for ITC clock if ITCs are drifty
Make sure to reduce the rating of the ITC clock if ITCs are drifty. If they
are drifting then we have not synchronized the ITC values, nor are we doing
the jitter compensation (useless since drift may increase the differentials
arbitrarily).
Without this patch it is possible that the ITC clock becomes selected as
the system clock on systems with drifty ITCs which will result in
nanosleep hanging.
One can still select the itc clock manually on such systems via
clocksource=itc
(Produces nice hangs on SGI Altix.)
Signed-off-by: Christoph Lameter <clameter@sgi.com> Signed-off-by: Tony Luck <tony.luck@intel.com>
If the sn2_rtc clock is present then it is a must have since sn2_rtc
provides a synchronized time source on Altix systems. So elevate
the priority to 450. Otherwise the ITC would take precedence. Altix
systems currently do not boot because the ITC clocksource is broken. It
seems to assume that ITCs are synchronized and as a result nanosleep
hangs (may be fixed in a different patch).
While we are at it: Remove the sn2_mc definition. The sn2_rtc has a fixed
address. No point in reading the address from memory. Removing it avoids
touching one cacheline.
Signed-off-by: Christoph Lameter <clameter@sgi.com> Signed-off-by: Tony Luck <tony.luck@intel.com>
pata_sis: fix MWDMA for <= UDMA66 chipsets and UDMA for UDMA33 chipsets
* Fix MWDMA timings setup in sis_old_set_dmamode() and sis_66_set_dmamode().
The old timings were overclocked (even worse behavior than sis5513 IDE driver
which depends on BIOS to program correct timings), the new timings are taken
from the datasheet (they match timings from ATA spec).
* Fix UDMA timings setup in sis_old_set_dmamode().
Misplaced pci_write_config_word() call resulted in UDMA timings never
being set.
* Fix comments for sis_133_early_set_dmamode() and sis_133_set_dmamode():
- only the former function handles early SiS 961 bridges
- both functions lack MWDMA timings setup
* Fix typos in sis_100_set_piomode() and sis_133_set_piomode() comments.
* Bump driver version.
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
Linus Torvalds [Wed, 1 Aug 2007 04:12:07 +0000 (21:12 -0700)]
Fix WARN_ON() on bitfield ops
Alexey Dobriyan noticed that the new WARN_ON() semantics that were
introduced by commit 684f978347deb42d180373ac4c427f82ef963171 (to also
return the value to be warned on) didn't compile when given a bitfield,
because the typeof doesn't work for bitfields.
So instead of the typeof trick, use an "int" variable together with a
"!!(x)" expression, as suggested by Al Viro.
To make matters more interesting, Paul Mackerras points out that that is
sub-optimal on Power, but the old asm-coded comparison seems to be buggy
anyway on 32-bit Power if the conditional was 64-bit, so I think there
are more problems there.
Regardless, the new WARN_ON() semantics may have been a bad idea. But
this at least avoids the more serious complications.
Cc: Alexey Dobriyan <adobriyan@sw.ru> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Paul Mackerras <paulus@samba.org> Cc: Al Viro <viro@ftp.linux.org.uk> Cc: Ingo Molnar <mingo@elte.hu> Cc: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* git://git.kernel.org/pub/scm/linux/kernel/git/wim/linux-2.6-watchdog: (28 commits)
[WATCHDOG] Fix pcwd_init_module crash
[WATCHDOG] ICH9 support for iTCO_wdt
[WATCHDOG] 631xESB/632xESB support for iTCO_wdt - add all LPC bridges
[WATCHDOG] 631xESB/632xESB support for iTCO_wdt
[WATCHDOG] omap_wdt.c - default error for IOCTL is -ENOTTY
[WATCHDOG] Return value of nonseekable_open
[WATCHDOG] mv64x60_wdt: Rework the timeout register manipulation
[WATCHDOG] mv64x60_wdt: disable watchdog timer when driver is probed
[WATCHDOG] mv64x60_wdt: Support the WDIOF_MAGICCLOSE feature
[WATCHDOG] mv64x60_wdt: Add a module parameter to change nowayout setting
[WATCHDOG] mv64x60_wdt: Add WDIOC_SETOPTIONS ioctl support
[WATCHDOG] mv64x60_wdt: Support for WDIOC_SETTIMEOUT ioctl
[WATCHDOG] mv64x60_wdt: Fix WDIOC_GETTIMEOUT return value
[WATCHDOG] mv64x60_wdt: Check return value of nonseekable_open
[WATCHDOG] mv64x60_wdt: Add arch/powerpc platform support
[WATCHDOG] mv64x60_wdt: Get register address from platform data
[WATCHDOG] mv64x60_wdt: set up platform_device in platform code
[WATCHDOG] ensure mouse and keyboard ignored in w83627hf_wdt
[WATCHDOG] s3c2410_wdt: fixup after arch include moves
[WATCHDOG] git-watchdog-typo
...
Linus Torvalds [Wed, 1 Aug 2007 03:40:50 +0000 (20:40 -0700)]
Merge branch 'release' of git://lm-sensors.org/kernel/mhoffman/hwmon-2.6
* 'release' of git://lm-sensors.org/kernel/mhoffman/hwmon-2.6:
hwmon: fscher read control bugfix
hwmon: (adm1031) Fix broken links in documentation
hwmon: make abituguru3_read_increment_offset() static
hwmon: Fix regression caused by typo in lm90.c
hwmon: (applesmc) add temperature sensors set for Macbook
hwmon: fscher control update bugfix
hwmon: fix dme1737 temp fault attribute
hwmon: Add missing __devexit tags in various drivers
hwmon: clean up duplicate includes
hwmon: fix lm78 detection regression
hwmon: fix array overruns in lm93.c
hwmon: add support for THMC50 and ADM1022
Len Brown [Wed, 1 Aug 2007 03:27:10 +0000 (23:27 -0400)]
ACPI: delete CONFIG_ACPI_PROCFS_SLEEP (again)
CONFIG_ACPI_PROCFS_SLEEP is a NO-OP -- delete it (again).
Apparently 296699de6bdc717189a331ab6bbe90e05c94db06 creating CONFIG_SUSPEND
and CONFIG_PM_SLEEP was based on an out-dated version of drivers/acpi/Kconfig,
as it erroneously restored this recently deleted config option.
Signed-off-by: Len Brown <len.brown@intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hpa/linux-2.6-x86setup
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hpa/linux-2.6-x86setup:
[x86 setup] EDD: Fix the computation of the MBR sector buffer
[x86 setup] Newline after setup signature failure message
x86 boot code comments typos
Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
* 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: (41 commits)
[RTNETLINK]: Fix warning for !CONFIG_KMOD
[IPV4] ip_options.c: kmalloc + memset conversion to kzalloc
[DECNET]: kmalloc + memset conversion to kzalloc
[NET]: ethtool_perm_addr only has one implementation
[NET]: ethtool ops are the only way
[PPPOE]: Improve hashing function in hash_item().
[XFRM]: State selection update to use inner addresses.
[IPSEC]: Ensure that state inner family is set
[TCP]: Bidir flow must not disregard SACK blocks for lost marking
[TCP]: Fix ratehalving with bidirectional flows
[PPPOL2TP]: Add CONFIG_INET Kconfig dependency.
[NET]: Page offsets and lengths need to be __u32.
[AF_UNIX]: Make code static.
[NETFILTER]: Make nf_ct_ipv6_skip_exthdr() static.
[PKTGEN]: make get_ipsec_sa() static and non-inline
[PPPoE]: move lock_sock() in pppoe_sendmsg() to the right location
[PPPoX/E]: return ENOTTY on unknown ioctl requests
[IPV6]: ipv6_addr_type() doesn't know about RFC4193 addresses.
[NET]: Fix prio_tune() handling of root qdisc.
[NET]: Fix sch_api to properly set sch->parent on the root.
...
David Brownell [Tue, 31 Jul 2007 07:39:45 +0000 (00:39 -0700)]
spi device setup gets better error checking
This updates some error reporting paths in SPI device setup:
- Move validation logic for SPI chipselects to spi_new_device(),
which is where it should always have been.
- In spi_new_device(), emit error messages if the device can't
be created. This is LOTS better than a silent failure; though
eventually, the calling convention should probably change to
use the <linux/err.h> conventions.
- Includes one previously-missing check: SPI masters must always
have at least one chipselect, even for dedicated busses which
always keep it selected!
It also adds a FIXME (IDR for dynamic ID allocation) so the issue doesn't live
purely in my mailbox.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Meelis Roos [Tue, 31 Jul 2007 07:39:41 +0000 (00:39 -0700)]
fix integer overflow warning in i2o_block
drivers/message/i2o/i2o_block.c: In function 'i2o_block_transfer':
drivers/message/i2o/i2o_block.c:837: warning: integer overflow in expression
msg->u.head[1] = cpu_to_le32(I2O_CMD_PRIVATE << 24 | HOST_TID << 12 | tid);
and I2O_CMD_PRIVATE is defined as 0xFF. This gets "0xFF0100 | tid" and fits
into 32-bit unsigned but not into 32-bit signed integer properly. Target
value is defined as u32 so the calculation does not fit during computation.
Change local variable tid to u32 so the whole expression is of u32 type and
fits well into u32 result.
Signed-off-by: Meelis Roos <mroos@linux.ee> Cc: "Salyzyn, Mark" <mark_salyzyn@adaptec.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This patch fixes weird behaviour of UDF mounting procedure. To get UID
changed (for now) we have to type
        mount -t udf -o uid=some_user,uid=ignore /dev/device /mnt/moun_point
and specifying two uids at once is a bit strange. So with the patch we are
able to mount without additional 'uid=ignore' option. The same for GID
option is done.
This patch will not break current mount scheme (with two options).
Btw this does fix (I hope) the following
[BUG 6124] mount of UDF fs ignores UID and GID options
http://bugzilla.kernel.org/show_bug.cgi?id=6124
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com> Cc: Jan Kara <jack@ucw.cz> Cc: Michael <auslands-kv@gmx.de> Cc: Eric Sandeen <sandeen@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This is a set of small fixes addressing points raised with the original
driver submission. In particular, __maybe_unused is used rather than a
local hack and sbd_ops is made const. Additionally I have made two local
string variables automatic as rodata space was wasted for pointers
unnecessarily.
Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org> Cc: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Gabriel Craciunescu <nix.or.die@googlemail.com> Cc: Jeff Garzik <jeff@garzik.org> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Fix a use after free bug in kernel->userspace relay file support
Coverity spotted what looks like a real possible case of using a variable
after it has been freed. The problem is in
kernel/relay.c::relay_open_buf()
If the code hits "goto free_buf;" it ends up in this code :
free_buf:
        relay_destroy_buf(buf);  <--- calls kfree() on 'buf'.
free_name:
        kfree(tmpname);
end:
        return buf;  <-- use after free of 'buf'.
I read through the callers and they all handle a NULL return from this
function as an error (and hitting the 'free_buf' label only happens on
failure to chan->cb->create_buf_file(), so that looks like a clear error to
me).
The patch simply sets 'buf' to NULL after the call to
relay_destroy_buf(buf); - as far as I can see that should take care of the
problem.
The patch also corrects a reference to a documentation file while
I was at it.
Note from Mathieu: the documentation reference change should have been
done in a separate patch, but I guess no one will really care.
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com> Acked-by: "David J. Wilder" <wilder@us.ibm.com> Tested-by: "David J. Wilder" <wilder@us.ibm.com> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca> Cc: Tom Zanussi <zanussi@us.ibm.com> Cc: Karim Yaghmour <karim@opersys.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
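The 'fail:' label problem in the USB HID message further up and the relay_open_buf() problem just above are both goto-unwind bugs, so one user-space sketch covers them. This is an added example, not code from the kernel or from either patch; struct dev, struct buf, dev_configure(), buf_open(), xalloc(), xfree() and the fail_at fault-injection values are hypothetical names, and the allocation counter exists only so the checks can see a leak.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-ins for the kernel objects in the commit messages. */
struct dev { char *desc, *in, *out; };
struct buf { char data[64]; };
/* Fault injection, constructed for this example: which step should fail. */
enum fail_at { FAIL_NONE, FAIL_DEV_ALLOC, FAIL_LATE_STEP, FAIL_CREATE_FILE };
int live_allocs;	/* outstanding allocations, so a leak is observable */

void *xalloc(size_t n, int fail)
{
	void *p = fail ? NULL : calloc(1, n);
	live_allocs += (p != NULL);
	return p;
}
void xfree(void *p) { live_allocs -= (p != NULL); free(p); }

/* Two-label unwind: cleanup that reads dev-> is skipped when dev is NULL. */
struct dev *dev_configure(enum fail_at f)
{
	char *desc = xalloc(16, 0);	/* resource acquired before 'dev' */
	struct dev *dev;

	if (!desc)
		return NULL;
	dev = xalloc(sizeof(*dev), f == FAIL_DEV_ALLOC);
	if (!dev)
		goto fail_no_dev;	/* "goto fail" would read dev->in via NULL */
	dev->desc = desc;
	dev->in = xalloc(16, 0);
	dev->out = xalloc(16, f == FAIL_LATE_STEP);
	if (!dev->in || !dev->out)
		goto fail;
	return dev;

fail:
	xfree(dev->in);		/* dev is known to be non-NULL on this path */
	xfree(dev->out);
	xfree(dev);
fail_no_dev:
	xfree(desc);		/* cleanup that does not depend on dev */
	return NULL;
}

/* Shared exit path: a pointer freed during unwind must not be returned. */
struct buf *buf_open(enum fail_at f)
{
	struct buf *buf = NULL;
	char *tmpname = xalloc(32, 0);

	if (!tmpname)
		goto end;
	buf = xalloc(sizeof(*buf), 0);
	if (!buf)
		goto free_name;
	if (f == FAIL_CREATE_FILE)
		goto free_buf;
	goto free_name;		/* success: only the temporary name is released */

free_buf:
	xfree(buf);
	buf = NULL;		/* without this, 'return buf' hands back freed memory */
free_name:
	xfree(tmpname);
end:
	return buf;
}

int main(void)
{
	printf("buf=%p\n", (void *)buf_open(FAIL_CREATE_FILE));
	printf("dev=%p\n", (void *)dev_configure(FAIL_DEV_ALLOC));
	printf("live_allocs=%d\n", live_allocs);
	return 0;
}
```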
WARNING: kernel/built-in.o(.text+0x16910): Section mismatch:
reference to .init.text: (between 'kthreadd' and 'init_waitqueue_head')
comes because kernel/kthread.c:kthreadd() is not __init but calls
kthreadd_setup() which is __init. But this is ok, because kthreadd_setup()
is only ever called at init time, and then kthreadd() proceeds into its
"for (;;)" loop. We could mark kthreadd __init_refok, but kthreadd_setup()
with just one callsite and 4 lines in it (it's been that small since 10ab825bdef8df51) doesn't need to be a separate function at all -- so let's
just move those four lines at the beginning of kthreadd() itself.
Signed-off-by: Satyam Sharma <ssatyam@cse.iitk.ac.in> Acked-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
david m. richter [Tue, 31 Jul 2007 07:39:12 +0000 (00:39 -0700)]
VFS: fix a race in lease-breaking during truncate
It is possible that another process could acquire a new file lease right
after break_lease() is called during a truncate, but before lease-granting
is disabled by the subsequent get_write_access(). Merely switching the
order of the break_lease() and get_write_access() calls prevents this race.
Signed-off-by: David M. Richter <richterd@citi.umich.edu> Signed-off-by: "J. Bruce Fields" <bfields@citi.umich.edu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Mike Frysinger [Tue, 31 Jul 2007 07:39:11 +0000 (00:39 -0700)]
use __val in __get_unaligned
Use "__val" rather than "val" in the __get_unaligned macro in
asm-generic/unaligned.h. This way gcc won't warn if you happen to also name
something in the same scope "val".
Signed-off-by: Mike Frysinger <vapier@gentoo.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Dave Young [Tue, 31 Jul 2007 07:39:11 +0000 (00:39 -0700)]
hpet.txt: broken link fix
The specification link in the hpet document is broken.
Signed-off-by: Dave Young <hidave.darkstar@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>