1. 11 Oct, 2007 2 commits
    • backlight: Fix cr_bllcd allocations and error paths · 0b75f2df
      Jesper Juhl authored
      After fixing the too small memory allocation in cr_backlight_probe()
      from drivers/video/backlight/cr_bllcd.c
      (commit e3bbb3f0) I noticed that the
      Coverity checker also thought there were a few memory leaks in there.
      I took a closer look and confirmed that there were indeed several
      leaks.
      
      At the start of the function we allocate storage for a
      'struct cr_panel' and store the pointer in a variable named 'crp'.
      
      Then we call pci_get_device() and pci_read_config_byte() and if
      either of them fail we return without freeing the memory allocated
      for the 'struct cr_panel'. These two leaks are easy to fix since we
      don't even use 'crp' for anything up to this point, so I simply
      moved the allocation further down in the function so it only happens
      just before we actually need it.
      
      A bit further down we call backlight_device_register() and store the
      result in 'crp->cr_backlight_device'. In case of error we return
      'crp->cr_backlight_device' from the function, thus leaking 'crp'
      itself. The same thing happens with the call to lcd_device_register().
      To fix these two leaks I declare two new pointers to hold the return
      values, so that in case of error we can return the pointer (as before)
      but without leaking 'crp'.
      
      This version of the patch also adds missing
      backlight_device_unregister() / lcd_device_unregister() / pci_dev_put()
      calls to error paths.
      Thanks to Richard Purdie <rpurdie@rpsys.net> for noticing.
      Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Richard Purdie <rpurdie@rpsys.net>
    • backlight/leds: Make two structs static · 0ad90efd
      Adrian Bunk authored
      This patch makes two needlessly global structs static.
      Signed-off-by: Adrian Bunk <bunk@stusta.de>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Richard Purdie <rpurdie@rpsys.net>
  2. 09 Oct, 2007 7 commits
  3. 08 Oct, 2007 11 commits
    • Correct Makefile rule for generating custom keymap · e2a57a81
      Maarten Bressers authored
      When building a custom keymap, after setting GENERATE_KEYMAP := 1 in
      drivers/char/Makefile, the kernel build fails like this:
      
          CC      drivers/char/vt.o
        make[2]: *** No rule to make target `drivers/char/%.map', needed by `drivers/char/defkeymap.c'.  Stop.
        make[1]: *** [drivers/char] Error 2
        make: *** [drivers] Error 2
      
      This was caused by commit af8b1287, which
      deleted a necessary colon from the Makefile rule that generates the keymap,
      since that rule contains both a target and a target-pattern.  The following
      patch puts the colon back:
      Signed-off-by: Maarten Bressers <mbres@gentoo.org>
      Cc: Yoichi Yuasa <yoichi_yuasa@tripeaks.co.jp>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Sam Ravnborg <sam@ravnborg.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • ISDN: Fix data access out of array bounds · d39d5ed9
      Karsten Keil authored
      Fix against access random data bytes outside the dev->chanmap array.
      Thanks to Oliver Neukum for pointing me to this issue.
      Signed-off-by: Karsten Keil <kkeil@suse.de>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 · e46dc1da
      Linus Torvalds authored
      * 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
        [IPv6]: Fix ICMPv6 redirect handling with target multicast address
        [PKT_SCHED] cls_u32: error code isn't been propogated properly
        [ROSE]: Fix rose.ko oops on unload
        [TCP]: Fix fastpath_cnt_hint when GSO skb is partially ACKed
    • AIO: fix cleanup in io_submit_one(...) · 87e2831c
      Yan Zheng authored
      When IOCB_FLAG_RESFD flag is set and iocb->aio_resfd is incorrect,
      statement 'goto out_put_req' is executed. At label 'out_put_req',
      aio_put_req(..) is called, which requires 'req->ki_filp' set.
      
      Signed-off-by: Yan Zheng <yanzheng@21cn.com>
      Cc: Zach Brown <zach.brown@oracle.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • fix page release issue in filemap_fault · 745ad48e
      Yan Zheng authored
      find_lock_page increases page's usage count, we should decrease it
      before return VM_FAULT_SIGBUS
      
      Signed-off-by: Yan Zheng <yanzheng@21cn.com>
      Cc: Nick Piggin <nickpiggin@yahoo.com.au>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • fix VM_CAN_NONLINEAR check in sys_remap_file_pages · dd204d63
      Yan Zheng authored
      The test for VM_CAN_NONLINEAR always fails
      
      Signed-off-by: Yan Zheng <yanzheng@21cn.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mm: set_page_dirty_balance() vs ->page_mkwrite() · a200ee18
      Peter Zijlstra authored
      All the current page_mkwrite() implementations also set the page dirty. Which
      results in the set_page_dirty_balance() call to _not_ call balance, because the
      page is already found dirty.
      
      This allows us to dirty a _lot_ of pages without ever hitting
      balance_dirty_pages().  Not good (tm).
      
      Force a balance call if ->page_mkwrite() was successful.
      Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • [IPv6]: Fix ICMPv6 redirect handling with target multicast address · bf0b48df
      Brian Haley authored
      When the ICMPv6 Target address is multicast, Linux processes the 
      redirect instead of dropping it.  The problem is in this code in 
      ndisc_redirect_rcv():
      
               if (ipv6_addr_equal(dest, target)) {
                       on_link = 1;
               } else if (!(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) {
                       ND_PRINTK2(KERN_WARNING
                                  "ICMPv6 Redirect: target address is not link-local.\n");
                       return;
               }
      
      This second check will succeed if the Target address is, for example, 
      FF02::1 because it has link-local scope.  Instead, it should be checking 
      if it's a unicast link-local address, as stated in RFC 2461/4861 Section 
      8.1:
      
             - The ICMP Target Address is either a link-local address (when
               redirected to a router) or the same as the ICMP Destination
               Address (when redirected to the on-link destination).
      
      I know this doesn't explicitly say unicast link-local address, but it's 
      implied.
      
      This bug is preventing Linux kernels from achieving IPv6 Logo Phase II 
      certification because of a recent error that was found in the TAHI test 
      suite - Neighbor Discovery suite test 206 (v6LC.2.3.6_G) had the 
      multicast address in the Destination field instead of Target field, so 
      we were passing the test.  This won't be the case anymore.
      
      The patch below fixes this problem, and also fixes ndisc_send_redirect() 
      to not send an invalid redirect with a multicast address in the Target 
      field.  I re-ran the TAHI Neighbor Discovery section to make sure Linux 
      passes all 245 tests now.
      Signed-off-by: Brian Haley <brian.haley@hp.com>
      Acked-by: David L Stevens <dlstevens@us.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [ROSE]: Fix rose.ko oops on unload · 891e6a93
      Alexey Dobriyan authored
      Commit a3d38402 aka
      "[AX.25]: Fix unchecked rose_add_loopback_neigh uses"
      transformed rose_loopback_neigh var into statically allocated one.
      However, on unload it will be kfree'd which can't work.
      
      Steps to reproduce:
      
      	modprobe rose
      	rmmod rose
      
      BUG: unable to handle kernel NULL pointer dereference at virtual address 00000008
       printing eip:
      c014c664
      *pde = 00000000
      Oops: 0000 [#1]
      PREEMPT DEBUG_PAGEALLOC
      Modules linked in: rose ax25 fan ufs loop usbhid rtc snd_intel8x0 snd_ac97_codec ehci_hcd ac97_bus uhci_hcd thermal usbcore button processor evdev sr_mod cdrom
      CPU:    0
      EIP:    0060:[<c014c664>]    Not tainted VLI
      EFLAGS: 00210086   (2.6.23-rc9 #3)
      EIP is at kfree+0x48/0xa1
      eax: 00000556   ebx: c1734aa0   ecx: f6a5e000   edx: f7082000
      esi: 00000000   edi: f9a55d20   ebp: 00200287   esp: f6a5ef28
      ds: 007b   es: 007b   fs: 0000  gs: 0033  ss: 0068
      Process rmmod (pid: 1823, ti=f6a5e000 task=f7082000 task.ti=f6a5e000)
      Stack: f9a55d20 f9a5200c 00000000 00000000 00000000 f6a5e000 f9a5200c f9a55a00 
             00000000 bf818cf0 f9a51f3f f9a55a00 00000000 c0132c60 65736f72 00000000 
             f69f9630 f69f9528 c014244a f6a4e900 00200246 f7082000 c01025e6 00000000 
      Call Trace:
       [<f9a5200c>] rose_rt_free+0x1d/0x49 [rose]
       [<f9a5200c>] rose_rt_free+0x1d/0x49 [rose]
       [<f9a51f3f>] rose_exit+0x4c/0xd5 [rose]
       [<c0132c60>] sys_delete_module+0x15e/0x186
       [<c014244a>] remove_vma+0x40/0x45
       [<c01025e6>] sysenter_past_esp+0x8f/0x99
       [<c012bacf>] trace_hardirqs_on+0x118/0x13b
       [<c01025b6>] sysenter_past_esp+0x5f/0x99
       =======================
      Code: 05 03 1d 80 db 5b c0 8b 03 25 00 40 02 00 3d 00 40 02 00 75 03 8b 5b 0c 8b 73 10 8b 44 24 18 89 44 24 04 9c 5d fa e8 77 df fd ff <8b> 56 08 89 f8 e8 84 f4 fd ff e8 bd 32 06 00 3b 5c 86 60 75 0f 
      EIP: [<c014c664>] kfree+0x48/0xa1 SS:ESP 0068:f6a5ef28
      Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [TCP]: Fix fastpath_cnt_hint when GSO skb is partially ACKed · 48611c47
      Ilpo Järvinen authored
      When only GSO skb was partially ACKed, no hints are reset,
      therefore fastpath_cnt_hint must be tweaked too or else it can
      corrupt fackets_out. For the corruption to occur, one must have a
      non-trivial ACK/SACK sequence, so this bug is not very often
      that harmful. There's a fackets_out state reset in TCP because
      fackets_out is known to be inaccurate and that fixes the issue
      eventually anyway.
      
      In case there was also at least one skb that got fully ACKed,
      the fastpath_skb_hint is set to NULL which causes a recount for
      fastpath_cnt_hint (the old value won't be accessed anymore),
      thus it can safely be decremented without additional checking.
      
      Reported by Cedric Le Goater <clg@fr.ibm.com>
      Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 07 Oct, 2007 12 commits
  5. 06 Oct, 2007 4 commits
  6. 05 Oct, 2007 4 commits