Jean Delvare [Mon, 21 Nov 2005 18:22:16 +0000 (19:22 +0100)]
[PATCH] hwmon: Fix missing it87 fan div init
Fix a bug where setting the low fan speed limits will not work if no
data was ever read through the sysfs interface and the fan clock
dividers have not been explicitely set yet either. The reason is that
data->fan_div[nr] may currently be used before it is initialized from
the chip register values. The fix is to explicitely initialize
data->fan_div[nr] before using it.
Bug reported, and fix tested, by Nicolas Mailhot.
Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@osdl.org>
Jean Delvare [Mon, 14 Nov 2005 22:11:45 +0000 (23:11 +0100)]
[PATCH] hwmon: Fix lm78 VID conversion
Fix the lm78 VID reading, which I accidentally broke while making
this driver use the common vid_from_reg function rather than
reimplementing its own in 2.6.14-rc1.
I'm not proud of it, trust me.
Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@osdl.org>
Andi Kleen [Sun, 30 Oct 2005 06:49:38 +0000 (01:49 -0500)]
[PATCH] x86_64/i386: Compute correct MTRR mask on early Noconas
Force correct address space size for MTRR on some 64bit Intel Xeons
They report 40bit, but only have 36bits of physical address space.
This caused problems with setting up the correct masks for MTRR,
resulting in incorrect MTRRs.
CPUID workaround for steppings 0F33h(supporting x86) and 0F34h(supporting x86
and EM64T). Detail info can be found at:
http://download.intel.com/design/Xeon/specupdt/30240216.pdf
http://download.intel.com/design/Pentium4/specupdt/30235221.pdf
Harald Welte [Tue, 15 Nov 2005 12:32:36 +0000 (13:32 +0100)]
[PATCH] ip_conntrack: fix ftp/irc/tftp helpers on ports >= 32768
Since we've converted the ftp/irc/tftp helpers to use the new
module_parm_array() some time ago, we ware accidentially using signed data
types - thus preventing those modules from being used on ports >= 32768.
This patch fixes it by using 'ushort' module parameters.
Thanks to Jan Nijs for reporting this bug.
Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[PATCH] ctnetlink: Fix oops when no ICMP ID info in message
This patch fixes an userspace triggered oops. If there is no ICMP_ID
info the reference to attr will be NULL.
Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Chris Wright <chrisw@osdl.org>
Philip Craig [Tue, 15 Nov 2005 12:32:36 +0000 (13:32 +0100)]
[PATCH] PPTP helper: fix PNS-PAC expectation call id
The reply tuple of the PNS->PAC expectation was using the wrong call id.
So we had the following situation:
- PNS behind NAT firewall
- PNS call id requires NATing
- PNS->PAC gre packet arrives first
then the PNS->PAC expectation is matched, and the other expectation
is deleted, but the PAC->PNS gre packets do not match the gre conntrack
because the call id is wrong.
We also cannot use ip_nat_follow_master().
Signed-off-by: Philip Craig <philipc@snapgear.com> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Harald Welte [Tue, 15 Nov 2005 12:32:36 +0000 (13:32 +0100)]
[PATCH] ctnetlink: check if protoinfo is present
This fixes an oops triggered from userspace. If we don't pass information
about the private protocol info, the reference to attr will be NULL. This is
likely to happen in update messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Harald Welte [Tue, 15 Nov 2005 12:32:36 +0000 (13:32 +0100)]
[PATCH] nf_queue: Fix Ooops when no queue handler registered
With the new nf_queue generalization in 2.6.14, we've introduced a bug
that causes an oops as soon as a packet is queued but no queue handler
registered. This patch fixes it.
Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Rusty Rusty [Tue, 15 Nov 2005 12:32:36 +0000 (13:32 +0100)]
[PATCH] NAT: Fix module refcount dropping too far
The unknown protocol is used as a fallback when a protocol isn't known.
Hence we cannot handle it failing, so don't set ".me". It's OK, since we
only grab a reference from within the same module (iptable_nat.ko), so we
never take the module refcount from 0 to 1.
Also, remove the "protocol is NULL" test: it's never NULL.
Signed-off-by: Rusty Rusty <rusty@rustcorp.com.au> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Krzysztof Halasa [Fri, 11 Nov 2005 00:54:14 +0000 (01:54 +0100)]
[PATCH] Generic HDLC WAN drivers - disable netif_carrier_off()
As we are currently unable to fix the problem with carrier and protocol
state signaling in net core I've to disable netif_carrier_off() calls
used by WAN protocol drivers. The attached patch should make them
working again.
The remaining netif_carrier_*() calls in hdlc_fr.c are fine as they
don't touch the physical device.
Signed-off-by: Krzysztof Halasa <khc@pm.waw.pl> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
J. Bruce Fields [Fri, 11 Nov 2005 00:08:00 +0000 (19:08 -0500)]
[PATCH] VFS: Fix memory leak with file leases
The patch
http://linux.bkbits.net:8080/linux-2.6/diffs/fs/locks.c@1.70??nav=index.html
introduced a pretty nasty memory leak in the lease code. When freeing
the lease, the code in locks_delete_lock() will correctly clean up
the fasync queue, but when we return to fcntl_setlease(), the freed
fasync entry will be reinstated.
This patch ensures that we skip the call to fasync_helper() when we're
freeing up the lease.
Signed-off-by: J. Bruce Fields <bfields@fieldses.org> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Peter Osterlund [Mon, 14 Nov 2005 00:06:36 +0000 (16:06 -0800)]
[PATCH] packet writing oops fix
There is an old bug in the pkt_count_states() function that causes stack
corruption. When compiling with gcc 3.x or 2.x it is harmless, but gcc 4
allocates local variables differently, which makes the bug visible.
Signed-off-by: Peter Osterlund <petero2@telia.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Linus Torvalds [Wed, 9 Nov 2005 19:37:57 +0000 (11:37 -0800)]
[PATCH] Fix ptrace self-attach rule
Before we did CLONE_THREAD, the way to check whether we were attaching
to ourselves was to just check "current == task", but with CLONE_THREAD
we should check that the thread group ID matches instead.
[PATCH] ipvs: fix connection leak if expire_nodest_conn=1
There was a fix in 2.6.13 that changed the behaviour of
ip_vs_conn_expire_now function not to put reference to connection, its
callers should hold write lock or connection refcnt. But we forgot to
convert one caller, when the real server for connection is unavailable
caller should put the connection reference. It happens only when sysctl
var expire_nodest_conn is set to 1 and such connections never expire.
Thanks to Roberto Nibali who found the problem and tested a 2.4.32-rc2
patch, which is equal to this 2.6 version.
Oleg Nesterov [Wed, 9 Nov 2005 18:22:14 +0000 (10:22 -0800)]
[PATCH] fix de_thread() vs send_group_sigqueue() race
When non-leader thread does exec, de_thread calls release_task(leader) before
calling exit_itimers(). If local timer interrupt happens in between, it can
oops in send_group_sigqueue() while taking ->sighand->siglock == NULL.
However, we can't change send_group_sigqueue() to check p->signal != NULL,
because sys_timer_create() does get_task_struct() only in SIGEV_THREAD_ID
case. So it is possible that this task_struct was already freed and we can't
trust p->signal.
This patch changes de_thread() so that leader released after exit_itimers()
call.
Adrian Bunk [Wed, 9 Nov 2005 18:22:11 +0000 (10:22 -0800)]
[PATCH] airo.c/airo_cs.c: correct prototypes
This patch creates a file airo.h containing prototypes of the global
functions in airo.c used by airo_cs.c .
If you got strange problems with either airo_cs devices or in any other
completely unrelated part of the kernel shortly or long after a airo_cs
device was detected by the kernel, this might have been caused by the
fact that caller and callee disagreed regarding the size of the first
argument to init_airo_card()...
Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The max growth of BIC TCP is too large. Original code was based on
BIC 1.0 and the default there was 32. Later code (2.6.13) included
compensation for delayed acks, and should have reduced the default
value to 16; since normally TCP gets one ack for every two packets sent.
The current value of 32 makes BIC too aggressive and unfair to other
flows.
[PATCH] USB: always export interface information for modalias
This fixes a problem with some cdc acm devices that were not getting
automatically loaded as the module alias was not being reported
properly.
This check was for back in the days when we only reported hotplug events
for the main usb device, not the interfaces. We should always give the
interface information for MODALIAS/modalias as it can be needed.
Dimitri Puzin [Wed, 9 Nov 2005 18:22:07 +0000 (10:22 -0800)]
[PATCH] fix XFS_QUOTA for modular XFS
This patch by Dimitri Puzin submitted through kernel Bugzilla #5514
fixes the following issue:
Cannot build XFS filesystem support as module with quota support. It
works only when the XFS filesystem support is compiled into the kernel.
Menuconfig prevents from setting CONFIG_XFS_FS=m and CONFIG_XFS_QUOTA=y.
How to reproduce: configure the XFS filesystem with quota support as
module. The resulting kernel won't have quota support compiled into
xfs.ko.
Fix: Changing the fs/xfs/Kconfig file from tristate to bool lets you
configure the quota support to be compiled into the XFS module. The
Makefile-linux-2.6 checks only for CONFIG_XFS_QUOTA=y.
Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Nathan Scott <nathans@sgi.com> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Roger While [Wed, 9 Nov 2005 18:22:06 +0000 (10:22 -0800)]
[PATCH] prism54 : Fix frame length
prism54 is leaking information when passing transmits to the firmware.
There is no requirement to adjust the length to >= ETH_ZLEN.
Just pass the skb length (after possible adjustment).
Signed-off-by: Roger While <simrw@sim-basis.de> Acked-by: Jeff Garzik <jgarzik@pobox.com> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Al Viro [Tue, 8 Nov 2005 15:03:46 +0000 (15:03 +0000)]
[PATCH] CVE-2005-2709 sysctl unregistration oops
You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
wait for interface to go away, try to grab as much memory as possible in
hope to hit the (kfreed) ctl_table. Then fill it with pointers to your
function. Then do read from file you've opened and if you are lucky,
you'll get it called as ->proc_handler() in kernel mode.
So this is at least an Oops and possibly more. It does depend on an
interface going away though, so less of a security risk than it would
otherwise be.
Herbert Xu [Thu, 27 Oct 2005 08:47:46 +0000 (18:47 +1000)]
[TCP]: Clear stale pred_flags when snd_wnd changes
This bug is responsible for causing the infamous "Treason uncloaked"
messages that's been popping up everywhere since the printk was added.
It has usually been blamed on foreign operating systems. However,
some of those reports implicate Linux as both systems are running
Linux or the TCP connection is going across the loopback interface.
In fact, there really is a bug in the Linux TCP header prediction code
that's been there since at least 2.1.8. This bug was tracked down with
help from Dale Blount.
The effect of this bug ranges from harmless "Treason uncloaked"
messages to hung/aborted TCP connections. The details of the bug
and fix is as follows.
When snd_wnd is updated, we only update pred_flags if
tcp_fast_path_check succeeds. When it fails (for example,
when our rcvbuf is used up), we will leave pred_flags with
an out-of-date snd_wnd value.
When the out-of-date pred_flags happens to match the next incoming
packet we will again hit the fast path and use the current snd_wnd
which will be wrong.
In the case of the treason messages, it just happens that the snd_wnd
cached in pred_flags is zero while tp->snd_wnd is non-zero. Therefore
when a zero-window packet comes in we incorrectly conclude that the
window is non-zero.
In fact if the peer continues to send us zero-window pure ACKs we
will continue making the same mistake. It's only when the peer
transmits a zero-window packet with data attached that we get a
chance to snap out of it. This is what triggers the treason
message at the next retransmit timeout.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
Oleg Nesterov [Wed, 26 Oct 2005 16:26:53 +0000 (20:26 +0400)]
[PATCH] Fix cpu timers expiration time
There's a silly off-by-one error in the code that updates the expiration
of posix CPU timers, causing them to not be properly updated when they
hit exactly on their expiration time (which should be the normal case).
This causes them to then fire immediately again, and only _then_ get
properly updated.
Peter Wainwright [Wed, 26 Oct 2005 08:59:02 +0000 (01:59 -0700)]
[PATCH] Fix HFS+ to free up the space when a file is deleted.
fsck_hfs reveals lots of temporary files accumulating in the hidden
directory "\000\000\000HFS+ Private Data". According to the HFS+
documentation these are files which are unlinked while in use. However,
there may be a bug in the Linux hfsplus implementation which causes this to
happen even when the files are not in use. It looks like the "opencnt"
field is never initialized as (I think) it should be in hfsplus_read_inode.
This means that a file can appear to be still in use when in fact it has
been closed. This patch seems to fix it for me.
Signed-off-by: Anton Altaparmakov <aia21@cantab.net> Cc: Roman Zippel <zippel@linux-m68k.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Jeff Garzik [Wed, 26 Oct 2005 08:59:01 +0000 (01:59 -0700)]
[PATCH] kill massive wireless-related log spam
Although this message is having the intended effect of causing wireless
driver maintainers to upgrade their code, I never should have merged this
patch in its present form. Leading to tons of bug reports and unhappy
users.
Some wireless apps poll for statistics regularly, which leads to a printk()
every single time they ask for stats. That's a little bit _too_ much of a
reminder that the driver is using an old API.
Change this to printing out the message once, per kernel boot.
Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
[PATCH] ppc64: Fix wrong register mapping in mpic driver
The mpic interrupt controller driver (used on G5 and early pSeries among
others) has a bug where it doesn't get the right virtual address for the
timer registers. It causes the driver to poke at the MMIO space of
whatever has been mapped just next to it (ouch !) when initializing and
causes boot failures on some IBM machines.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Magnus Damm [Wed, 26 Oct 2005 08:58:59 +0000 (01:58 -0700)]
[PATCH] NUMA: broken per cpu pageset counters
The NUMA counters in struct per_cpu_pageset (linux/mmzone.h) are never
cleared today. This works ok for CPU 0 on NUMA machines because
boot_pageset[] is already zero, but for other CPU:s this results in
uninitialized counters.
Signed-off-by: Magnus Damm <magnus@valinux.co.jp> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
NeilBrown [Wed, 26 Oct 2005 08:58:58 +0000 (01:58 -0700)]
[PATCH] md: make sure mdthreads will always respond to kthread_stop
There are still a couple of cases where md threads (the resync/recovery
thread) is not interruptible since the change to use kthreads. All places
there it tests "signal_pending", it should also test kthread_should_stop,
as with this patch.
Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Ian Campbell [Wed, 26 Oct 2005 14:04:21 +0000 (15:04 +0100)]
[ARM] 3032/1: sparse: complains about generic_fls() prototype in asm-arm/bitops.h
Patch from Ian Campbell
Sparse complains about the definition of generic_fls in asm-arm/bitops.h:
CHECK /home/icampbell/devel/kernel/2.6/arch/arm/mach-pxa/viper.c
include2/asm/bitops.h:350:34: error: marked inline, but without a definition
The definition is unnecessary since linux/bitops.h defines generic_fls before including asm/bitops.h and asm/bitops.h should not be included directly. There are still some places where asm/bitops.h is directly included, but I think that code should be fixed. I was a little wary of the patch for this reason but lubbock, mainstone and assabet all build OK and so do my in house boards...
ARM is the only arch with the generic_fls prototype in this way.
Signed-off-by: Ian Campbell <icampbell@arcom.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Linus Torvalds [Wed, 26 Oct 2005 03:40:09 +0000 (20:40 -0700)]
PCI: be more verbose about resource quirks
When reserving an PCI quirk, note that in the kernel bootup messages.
Also, parse the strange PIIX4 device resources - they should get their
own PCI resource quirks, but for now just print out what it finds to
verify that the code does the right thing.
Andrew Morton [Tue, 25 Oct 2005 18:00:56 +0000 (11:00 -0700)]
[PATCH] qlogic lockup fix
If qla2x00_probe_one()'s call to qla2x00_iospace_config() fails, we call
qla2x00_free_device() to clean up. But because ha->dpc_pid hasn't been set
yet, qla2x00_free_device() tries to stop a kernel thread which hasn't started
yet. It does wait_for_completion() against an uninitialised completion struct
and the kernel hangs up.
Fix it by initialising ha->dpc_pid a bit earlier.
Cc: Andrew Vasquez <andrew.vasquez@qlogic.com> Cc: James Bottomley <James.Bottomley@steeleye.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Pavel Machek [Mon, 24 Oct 2005 21:30:10 +0000 (22:30 +0100)]
[ARM] fix sharp zaurus c-3000 compile failure without CONFIG_FB_PXA
This fixes compile problem when CONFIG_FB_PXA is not set.
LD .tmp_vmlinux1
arch/arm/mach-pxa/built-in.o(.text+0x1d74): In function
`spitz_get_hsync_len':
: undefined reference to `pxafb_get_hsync_time'
make: *** [.tmp_vmlinux1] Error 1
3.46user 0.46system 5.10 (0m5.106s) elapsed 77.01%CPU
Signed-off-by: Pavel Machek <pavel@suse.cz> Signed-off-by: Richard Purdie <rpurdie@rpsys.net> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Bjorn Helgaas [Mon, 24 Oct 2005 21:11:57 +0000 (22:11 +0100)]
[SERIAL] support the Exsys EX-4055 4S four-port card
Tested by Wolfgang Denk with this device:
00:0f.0 Network controller: PLX Technology, Inc. PCI <-> IOBus Bridge (rev 01)
Subsystem: Exsys EX-4055 4S(16C550) RS-232
Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B-
Status: Cap- 66Mhz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR-
Interrupt: pin A routed to IRQ 10
Region 0: Memory at 80100000 (32-bit, non-prefetchable) [size=128]
Region 1: I/O ports at 7080 [size=128]
Region 2: I/O ports at 7400 [size=32]
00:0f.0 Class 0280: 10b5:9050 (rev 01)
Subsystem: d84d:4055
Results with this patch:
Serial: 8250/16550 driver $Revision: 1.90 $ 32 ports, IRQ sharing enabled
ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
PCI: Found IRQ 10 for device 0000:00:0f.0
ttyS4 at I/O 0x7400 (irq = 10) is a 16550A
ttyS5 at I/O 0x7408 (irq = 10) is a 16550A
ttyS6 at I/O 0x7410 (irq = 10) is a 16550A
ttyS7 at I/O 0x7418 (irq = 10) is a 16550A
Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Oleg Nesterov [Mon, 24 Oct 2005 14:29:58 +0000 (18:29 +0400)]
[PATCH] posix-timers: fix posix_cpu_timer_set() vs run_posix_cpu_timers() race
This might be harmless, but looks like a race from code inspection (I
was unable to trigger it). I must admit, I don't understand why we
can't return TIMER_RETRY after 'spin_unlock(&p->sighand->siglock)'
without doing bump_cpu_timer(), but this is what original code does.
We are probaly deleting the timer from run_posix_cpu_timers's 'firing'
local list_head while run_posix_cpu_timers() does list_for_each_safe.
Various bad things can happen, for example we can just delete this timer
so that list_for_each() will not notice it and run_posix_cpu_timers()
will not reset '->firing' flag. In that case,
....
if (timer->it.cpu.firing) {
read_unlock(&tasklist_lock);
timer->it.cpu.firing = -1;
return TIMER_RETRY;
}
sys_timer_settime() goes to 'retry:', calls posix_cpu_timer_set() again,
it returns TIMER_RETRY ...
Oleg Nesterov [Mon, 24 Oct 2005 10:34:03 +0000 (14:34 +0400)]
[PATCH] posix-timers: remove false BUG_ON() from run_posix_cpu_timers()
do_exit() clears ->it_##clock##_expires, but nothing prevents
another cpu to attach the timer to exiting process after that.
After exit_notify() does 'write_unlock_irq(&tasklist_lock)' and
before do_exit() calls 'schedule() local timer interrupt can find
tsk->exit_state != 0. If that state was EXIT_DEAD (or another cpu
does sys_wait4) interrupted task has ->signal == NULL.
At this moment exiting task has no pending cpu timers, they were cleaned
up in __exit_signal()->posix_cpu_timers_exit{,_group}(), so we can just
return from irq.
Oleg Nesterov [Sun, 23 Oct 2005 16:25:39 +0000 (20:25 +0400)]
[PATCH] posix-timers: fix cleanup_timers() and run_posix_cpu_timers() races
1. cleanup_timers() sets timer->task = NULL under tasklist + ->sighand locks.
That means that this code in posix_cpu_timer_del() and posix_cpu_timer_set()
lock_timer(timer);
if (timer->task == NULL)
return;
read_lock(tasklist);
put_task_struct(timer->task)
is racy. With this patch timer->task modified and accounted only under
timer->it_lock. Sadly, this means that dead task_struct won't be freed
until timer deleted or armed.
2. run_posix_cpu_timers() collects expired timers into local list under
tasklist + ->sighand again. That means that posix_cpu_timer_del()
should check timer->it.cpu.firing under these locks too.
Roland Dreier [Sun, 23 Oct 2005 19:57:19 +0000 (12:57 -0700)]
[PATCH] ib: mthca: Always re-arm EQs in mthca_tavor_interrupt()
We should always re-arm an event queue's interrupt in
mthca_tavor_interrupt() if the corresponding bit is set in the event cause
register (ECR), even if we didn't find any entries in the EQ. If we don't,
then there's a window where we miss an EQ entry and then get stuck because
we don't get another EQ event.
Signed-off-by: Roland Dreier <rolandd@cisco.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Andrew Morton [Sun, 23 Oct 2005 19:57:18 +0000 (12:57 -0700)]
[PATCH] inotify/idr leak fix
Fix a bug which was reported and diagnosed by
Stefan Jones <stefan.jones@churchillrandoms.co.uk>
IDR trees include a cache of idr_layer objects. There's no way to destroy
this cache, so when we discard an overall idr tree we end up leaking some
memory.
Add and use idr_destroy() for this. v9fs and infiniband also need to use
idr_destroy() to avoid leaks.
Or, we make the cache global, like radix_tree_preload(). Which is probably
better. Later.
Cc: Eric Van Hensbergen <ericvh@ericvh.myip.org> Cc: Roland Dreier <rolandd@cisco.com> Cc: Robert Love <rml@novell.com> Cc: John McCutchan <ttb@tentacle.dhs.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Davi Arnaut [Sun, 23 Oct 2005 19:57:16 +0000 (12:57 -0700)]
[PATCH] SELinux: handle sel_make_bools() failure in selinuxfs
This patch fixes error handling in sel_make_bools(), where currently we'd
get a memory leak via security_get_bools() and try to kfree() the wrong
pointer if called again.
Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Stephen Smalley [Sun, 23 Oct 2005 19:57:15 +0000 (12:57 -0700)]
[PATCH] selinux: Fix NULL deref in policydb_destroy
This patch fixes a possible NULL dereference in policydb_destroy, where
p->type_attr_map can be NULL if policydb_destroy is called to clean up a
partially loaded policy upon an error during policy load. Please apply.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Randy Dunlap [Sun, 23 Oct 2005 19:57:11 +0000 (12:57 -0700)]
[PATCH] kernel-parameters cleanup
Fix typos & trailing whitespace.
Add blank lines in a few places.
Remove "AM53C974=" option: driver does not exist.
Restrict to < 80 columns in most places (but don't split formatted
command-line arguments).
Add a few option arguments for completeness.
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Linus Torvalds [Sun, 23 Oct 2005 23:31:16 +0000 (16:31 -0700)]
cardbus: limit IO windows to 256 bytes
That's what we've always historically done, and bigger windows seem to
confuse some cardbus bridges. Or something.
Alan reports that this makes the ThinkPad 600x series work properly
again: the 4kB IO window for some reason made IDE DMA not work, which
makes IDE painfully slow even if it works after DMA timeouts.
Linus Torvalds [Sun, 23 Oct 2005 17:02:50 +0000 (10:02 -0700)]
Posix timers: limit number of timers firing at once
Bursty timers aren't good for anybody, very much including latency for
other programs when we trigger lots of timers in interrupt context. So
set a random limit, after which we'll handle the rest on the next timer
tick.
Herbert Xu [Sun, 23 Oct 2005 07:18:00 +0000 (17:18 +1000)]
[NEIGH] Fix timer leak in neigh_changeaddr
neigh_changeaddr attempts to delete neighbour timers without setting
nud_state. This doesn't work because the timer may have already fired
when we acquire the write lock in neigh_changeaddr. The result is that
the timer may keep firing for quite a while until the entry reaches
NEIGH_FAILED.
It should be setting the nud_state straight away so that if the timer
has already fired it can simply exit once we relinquish the lock.
In fact, this whole function is simply duplicating the logic in
neigh_ifdown which in turn is already doing the right thing when
it comes to deleting timers and setting nud_state.
So all we have to do is take that code out and put it into a common
function and make both neigh_changeaddr and neigh_ifdown call it.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Herbert Xu [Sun, 23 Oct 2005 06:37:48 +0000 (16:37 +1000)]
[NEIGH] Fix add_timer race in neigh_add_timer
neigh_add_timer cannot use add_timer unconditionally. The reason is that
by the time it has obtained the write lock someone else (e.g., neigh_update)
could have already added a new timer.
So it should only use mod_timer and deal with its return value accordingly.
This bug would have led to rare neighbour cache entry leaks.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Ralf Baechle [Fri, 14 Oct 2005 20:29:56 +0000 (21:29 +0100)]
[AX.25]: Fix signed char bug
On architectures where the char type defaults to unsigned some of the
arithmetic in the AX.25 stack to fail, resulting in some packets being dropped
on receive.
Credits for tracking this down and the original patch to
Bob Brose N0QBJ <linuxhams@n0qbj-11.ampr.org>.
Julian Anastasov [Sat, 22 Oct 2005 10:39:21 +0000 (13:39 +0300)]
[SK_BUFF]: ipvs_property field must be copied
IPVS used flag NFC_IPVS_PROPERTY in nfcache but as now nfcache was removed the
new flag 'ipvs_property' still needs to be copied. This patch should be
included in 2.6.14.
Further comments from Harald Welte:
Sorry, seems like the bug was introduced by me.
Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
Chris Wright [Fri, 21 Oct 2005 23:56:08 +0000 (16:56 -0700)]
[PATCH] typo fix in last cpufreq powernow patch
Not sure how it slipped by, but here's a trivial typo fix for powernow.
Signed-off-by: Chris Wright <chrisw@osdl.org>
[ It's "nurter" backwards.. Maybe we have a hillbilly The Shining fan? ] Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Roland McGrath [Fri, 21 Oct 2005 22:03:29 +0000 (15:03 -0700)]
[PATCH] Call exit_itimers from do_exit, not __exit_signal
When I originally moved exit_itimers into __exit_signal, that was the only
place where we could reliably know it was the last thread in the group
dying, without races. Since then we've gotten the signal_struct.live
counter, and do_exit can reliably do group-wide cleanup work.
This patch moves the call to do_exit, where it's made without locks. This
avoids the deadlock issues that the old __exit_signal code's comment talks
about, and the one that Oleg found recently with process CPU timers.
AMD recently discovered that on some hardware, there is a race condition
possible when a C-state change request goes onto the bus at the same
time as a P-state change request.
Both requests happen, but the southbridge hardware only acknowledges the
C-state change. The PowerNow! driver is then stuck in a loop, waiting
for the P-state change acknowledgement. The driver eventually times
out, but can no longer perform P-state changes.
It turns out the solution is to resend the P-state change, which the
southbridge will acknowledge normally.
Thanks to Johannes Winkelmann for reporting this and testing the fix.
Signed-off-by: Mark Langsdorf <mark.langsdorf@amd.com> Signed-off-by: Dave Jones <davej@redhat.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
David Gibson [Fri, 21 Oct 2005 03:41:19 +0000 (13:41 +1000)]
[PATCH] ppc64: Fix typo bug in iSeries hash code
This fixes a stupid typo bug in the iSeries hash table code.
When we place a hash PTE in the secondary bucket, instead of setting the
SECONDARY flag bit, as we should, we (redundantly) set the VALID flag.
This was introduced with the patch abolishing bitfields from the hash
table code. Mea culpa, oops. It hasn't been noticed until now because
in practice we don't hit the secondary bucket terribly often.
Signed-off-by: David Gibson <dwg@au1.ibm.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
projects / karo-tx-linux.git / log