- 31 Aug, 2007 10 commits
-
-
Ilpo Jarvinen authored
Author: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> A similar fix to netfilter from Eric Dumazet inspired me to look around a bit by using some grep/sed stuff as looking for this kind of bugs seemed easy to automate. This is one of them I found where it looks like this semicolon is not valid. Signed-off-by:
Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Wei Yongjun authored
If ICMP6 message with "Packet Too Big" is received after send SCTP DATA, kernel panic will occur when SCTP DATA is send again. This is because of a bad dest address when call to skb_copy_bits(). The messages sequence is like this: Endpoint A Endpoint B <------- SCTP DATA (size=1432) ICMP6 message -------> (Packet Too Big pmtu=1280) <------- Resend SCTP DATA (size=1432) ------------kernel panic--------------- printing eip: c05be62a *pde = 00000000 Oops: 0002 [#1] SMP Modules linked in: scomm l2cap bluetooth ipv6 dm_mirror dm_mod video output sbs battery lp floppy sg i2c_piix4 i2c_core pcnet32 mii button ac parport_pc parport ide_cd cdrom serio_raw mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd CPU: 0 EIP: 0060:[<c05be62a>] Not tainted VLI EFLAGS: 00010282 (2.6.23-rc2 #1) EIP is at skb_copy_bits+0x4f/0x1ef eax: 000004d0 ebx: ce12a980 ecx: 00000134 edx: cfd5a880 esi: c8246858 edi: 00000000 ebp: c0759b14 esp: c0759adc ds: 007b es: 007b fs: 00d8 gs: 0000 ss: 0068 Process swapper (pid: 0, ti=c0759000 task=c06d0340 task.ti=c0713000) Stack: c0759b88 c0405867 ce12a980 c8bff838 c789c084 00000000 00000028 cfd5a880 d09f1890 000005dc 0000007b ce12a980 cfd5a880 c8bff838 c0759b88 d09bc521 000004d0 fffff96c 00000200 00000100 c0759b50 cfd5a880 00000246 c0759bd4 Call Trace: [<c0405e1d>] show_trace_log_lvl+0x1a/0x2f [<c0405ecd>] show_stack_log_lvl+0x9b/0xa3 [<c040608d>] show_registers+0x1b8/0x289 [<c0406271>] die+0x113/0x246 [<c0625dbc>] do_page_fault+0x4ad/0x57e [<c0624642>] error_code+0x72/0x78 [<d09bc521>] ip6_output+0x8e5/0xab2 [ipv6] [<d09bcec1>] ip6_xmit+0x2ea/0x3a3 [ipv6] [<d0a3f2ca>] sctp_v6_xmit+0x248/0x253 [sctp] [<d0a3c934>] sctp_packet_transmit+0x53f/0x5ae [sctp] [<d0a34bf8>] sctp_outq_flush+0x555/0x587 [sctp] [<d0a34d3c>] sctp_retransmit+0xf8/0x10f [sctp] [<d0a3d183>] sctp_icmp_frag_needed+0x57/0x5b [sctp] [<d0a3ece2>] sctp_v6_err+0xcd/0x148 [sctp] [<d09cf1ce>] icmpv6_notify+0xe6/0x167 [ipv6] [<d09d009a>] icmpv6_rcv+0x7d7/0x849 [ipv6] [<d09be240>] ip6_input+0x1dc/0x310 [ipv6] [<d09be965>] ipv6_rcv+0x294/0x2df [ipv6] [<c05c3789>] netif_receive_skb+0x2d2/0x335 [<c05c5733>] process_backlog+0x7f/0xd0 [<c05c58f6>] net_rx_action+0x96/0x17e [<c042e722>] __do_softirq+0x64/0xcd [<c0406f37>] do_softirq+0x5c/0xac ======================= Code: 00 00 29 ca 89 d0 2b 45 e0 89 55 ec 85 c0 7e 35 39 45 08 8b 55 e4 0f 4e 45 08 8b 75 e0 8b 7d dc 89 c1 c1 e9 02 03 b2 a0 00 00 00 <f3> a5 89 c1 83 e1 03 74 02 f3 a4 29 45 08 0f 84 7b 01 00 00 01 EIP: [<c05be62a>] skb_copy_bits+0x4f/0x1ef SS:ESP 0068:c0759adc Kernel panic - not syncing: Fatal exception in interrupt Arnaldo says: ==================== Thanks! I'm to blame for this one, problem was introduced in: b0e380b1 /* * Copy a block of the IP datagram. */ - if (skb_copy_bits(skb, ptr, frag->h.raw, len)) + if (skb_copy_bits(skb, ptr, skb_transport_header(skb), len)) BUG(); left -= len; ==================== Signed-off-by:Wei Yongjun <yjwei@cn.fujitsu.com> Acked-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by:
Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by:
-
Gerrit Renker authored
This fixes the following bug reported in syslog: [ 4039.051658] BUG: sleeping function called from invalid context at /usr/src/davem-2.6/mm/slab.c:3032 [ 4039.051668] in_atomic():1, irqs_disabled():0 [ 4039.051670] INFO: lockdep is turned off. [ 4039.051674] [<c0104c0f>] show_trace_log_lvl+0x1a/0x30 [ 4039.051687] [<c0104d4d>] show_trace+0x12/0x14 [ 4039.051691] [<c0104d65>] dump_stack+0x16/0x18 [ 4039.051695] [<c011371e>] __might_sleep+0xaf/0xbe [ 4039.051700] [<c0157b66>] __kmalloc+0xb1/0xd0 [ 4039.051706] [<f090416f>] ccid2_hc_tx_alloc_seq+0x35/0xc3 [dccp_ccid2] [ 4039.051717] [<f09048d6>] ccid2_hc_tx_packet_sent+0x27f/0x2d9 [dccp_ccid2] [ 4039.051723] [<f085486b>] dccp_write_xmit+0x1eb/0x338 [dccp] [ 4039.051741] [<f085603d>] dccp_sendmsg+0x113/0x18f [dccp] [ 4039.051750] [<c03907fc>] inet_sendmsg+0x2e/0x4c [ 4039.051758] [<c033a47d>] sock_aio_write+0xd5/0x107 [ 4039.051766] [<c015abc1>] do_sync_write+0xcd/0x11c [ 4039.051772] [<c015b296>] vfs_write+0x118/0x11f [ 4039.051840] [<c015b932>] sys_write+0x3d/0x64 [ 4039.051845] [<c0103e7c>] syscall_call+0x7/0xb [ 4039.051848] ======================= The problem was that GFP_KERNEL was used; fixed by using gfp_any(). Signed-off-by:
Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by:
-
Oleg Nesterov authored
With this patch any thread can dequeue its own private signals via signalfd, even if it was created by another sub-thread. To do so, we pass "current" to dequeue_signal() if the caller is from the same thread group. This also fixes the scheduling of posix timers broken by the previous patch. If the caller doesn't belong to this thread group, we can't handle __SI_TIMER case properly anyway. Perhaps we should forbid the cross-process signalfd usage and convert ctx->tsk to ctx->sighand. Signed-off-by:
Oleg Nesterov <oleg@tv-sign.ru> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Davide Libenzi <davidel@xmailserver.org> Cc: Ingo Molnar <mingo@elte.hu> Cc: Michael Kerrisk <mtk-manpages@gmx.net> Cc: Roland McGrath <roland@redhat.com> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
Oleg Nesterov authored
dequeue_signal: if (__SI_TIMER) { spin_unlock(&tsk->sighand->siglock); do_schedule_next_timer(info); spin_lock(&tsk->sighand->siglock); } Unless tsk == curent, this is absolutely unsafe: nothing prevents tsk from exiting. If signalfd was passed to another process, do_schedule_next_timer() is just wrong. Add yet another "tsk == current" check into dequeue_signal(). This patch fixes an oopsable bug, but breaks the scheduling of posix timers if the shared __SI_TIMER signal was fetched via signalfd attached to another sub-thread. Mostly fixed by the next patch. Signed-off-by: -
Zachary Amsden authored
Found this looping Ubuntu installs with VMI. If unlucky enough to hit a vmalloc sync fault during a lazy mode operation (from an IRQ handler for a module which was not yet populated in current page directory, or from inside copy_one_pte, which touches swap_map, and hit in an unused 4M region), the required PDE update would never get flushed, causing an infinite page fault loop. This bug affects any paravirt-ops backend which uses lazy updates, I believe that makes it a bug in Xen, VMI and lguest. It only happens on LOWMEM kernels. Touching vmalloc memory in the middle of a lazy mode update can generate a kernel PDE update, which must be flushed immediately. The fix is to leave lazy mode when doing a vmalloc sync. Signed-off-by:
Zachary Amsden <zach@vmware.com> Cc: Andi Kleen <ak@suse.de> Cc: Jeremy Fitzhardinge <jeremy@goop.org> Signed-off-by:
-
Jeff Dike authored
The previous patch which limited the number of sectors in a single request to a COWed device was correct in concept, but the limit was implemented in the wrong place. By putting it in ubd_add, it covered the cases where the COWing was specified on the command line. However, when the command line only has the COW file specified, the fact that it's a COW file isn't known until it's opened, so the limit is missed in these cases. This patch moves the sector limit from ubd_add to ubd_open_dev. Signed-off-by:
Jeff Dike <jdike@linux.intel.com> Signed-off-by:
-
Stephen Hemminger authored
There are special PHY settings available on Yukon EC-U chip that should not get cleared. This should solve mysterious errors on some motherboards (like Gigabyte DS-3). Signed-off-by:
Stephen Hemminger <shemminger@linux-foundation.org> Signed-off-by:
-
Herbert Xu authored
[NET]: Share correct feature code between bridging and bonding http://bugzilla.kernel.org/show_bug.cgi?id=8797 shows that the bonding driver may produce bogus combinations of the checksum flags and SG/TSO. For example, if you bond devices with NETIF_F_HW_CSUM and NETIF_F_IP_CSUM you'll end up with a bonding device that has neither flag set. If both have TSO then this produces an illegal combination. The bridge device on the other hand has the correct code to deal with this. In fact, the same code can be used for both. So this patch moves that logic into net/core/dev.c and uses it for both bonding and bridging. In the process I've made small adjustments such as only setting GSO_ROBUST if at least one constituent device supports it. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Acked-by:
-
Mark Fasheh authored
[PATCH] ocfs2: Fix bad source start calculation during kernel writes For in-kernel writes ocfs2_get_write_source() should be starting the buffer at a page boundary as the math in ocfs2_map_and_write_user_data() will pad it back out to the correct write offset. Instead, we were passing the raw offset, which caused ocfs2_map_and_write_user_data() start too far into the buffer, resulting in corruptions from nfs client writes. Signed-off-by:
Mark Fasheh <mark.fasheh@oracle.com> Signed-off-by:
-
- 22 Aug, 2007 21 commits
-
-
Greg Kroah-Hartman authored
-
David Woodhouse authored
Commit a491486a introduced a locking problem in JFFS2 -- we up() the alloc_sem when we weren't previously holding it. This leads to all kinds of fun behaviour later. There was a _reason_ for the if (1 /* alternative path needs testing */ || which the above-mentioned commit removed :) Discovered and debugged by Giulio Fedel <giulio.fedel@andorsystems.com> Signed-off-by:
David Woodhouse <dwmw2@infradead.org> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
-
Chuck Ebbert authored
The new percpu code has apparently broken the doublefault handler when CONFIG_DEBUG_SPINLOCK is set. Doublefault is handled by a hardware task, making the check SPIN_BUG_ON(lock->owner == current, lock, "recursion"); fault because it uses the FS register to access the percpu data for current, and that register is zero in the new TSS. (The trace I saw was on 2.6.20 where it was GS, but it looks like this will still happen with FS on 2.6.22.) Initializing FS in the doublefault_tss should fix it. AK: Also fix broken ptr_ok() and turn printks into KERN_EMERG AK: And add a PANIC prefix to make clear the system will hang AK: (e.g. x86-64 will recover) Signed-off-by:Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
Andi Kleen <ak@suse.de> Signed-off-by:
-
Andi Kleen authored
I got an oops while booting a 32bit kernel on KVM because it doesn't implement performance counters used by the NMI watchdog. Handle this case. Cc: Avi Kivity <avi@qumranet.com> Signed-off-by:
-
Andi Kleen authored
Very old binutils (2.12.90...) seem to have trouble with newlines in assembler macro invocation. They put them into the resulting argument expansion. In this case this lead to a parse error because a .rept expression ended up spread over multiple lines. Change the PMDS() invocation to a single line. Signed-off-by:
-
Andi Kleen authored
Very old binutils have .cfi_startproc/endproc, but no .cfi_rel_offset. Check for .cfi_rel_offset too. Cc: Jan Beulich <jbeulich@novell.com> Cc: Sam Ravnborg <sam@ravnborg.org> Signed-off-by:
-
Jan Beulich authored
From: Jan Beulich <jbeulich@novell.com> Signed-off-by:
Jan Beulich <jbeulich@novell.com> Signed-off-by:
-
Rafael J. Wysocki authored
On some systems some PFNs reported by the early initialization code as 'nosave' may be invalid. =A0If we try to set the corresponding bits in the hibernation bitmap, BUG_ON() in memory_bm_find_bit() will be triggered and the system won't be able to boot (cf. https://bugzilla.novell.com/show_bug.cgi?id=296242). Prevent this from happening by verifying if the 'nosave' PFNs are valid in mark_nosave_pages(). Signed-off-by:
Rafael J. Wysocki <rjw@sisk.pl> Acked-by:
Pavel Machek <pavel@ucw.cz> Signed-off-by:
-
su henry authored
The SATA controller device ID is different according to the onchip SATA type set in the system BIOS: Device Device ID SATA in IDE mode 0x4390 SATA in AHCI mode 0x4391 SATA in non-raid5 driver 0x4392 SATA in raid5 driver 0x4393 Although the device ID is different, they use the same AHCI driver .The attached file is the patch for adding these device IDs for ATI SB700. Signed-off-by:
su henry <henry.su.ati@gmail.com> Signed-off-by:
Jeff Garzik <jeff@garzik.org> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
-
Timo Jantunen authored
If the forcedeth driver receives too much work in an interrupt, it assumes it has a broken hardware with stuck IRQ. It works around the problem by disabling interrupts on the nic but makes a printk while holding device spinlog - which isn't smart thing to do if you have netconsole on the same nic. This patch moves the printk's out of the spinlock protected area. Without this patch the machine hangs hard. With this patch everything still works even when there is significant increase on CPU usage while using the nic. Signed-off-by:
Timo Jantunen <jeti@iki.fi> Signed-off-by:
-
Francois Romieu authored
Theory : though needless, it should not have hurt. Practice: it does not play nice with DEBUG_SHIRQ + LOCKDEP + UP (see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=3D242572). The patch makes sense in itself but I should dig why it has an effect on #242572 (assuming that NAPI do not change in a near future). Patch in mainline as 313b0305. Backported to 2.6.22-stable by Thomas M=FCller. Signed-off-by:
Thomas M=FCller <thomas@mathtm.de> Signed-off-by:
Francois Romieu <romieu@fr.zoreil.com> Signed-off-by:
-
Haavard Skinnemoen authored
These functions depend on "result" being initalized to 0, but "result" is not included as an input constraint to the inline assembly block following its initialization, only as an output constraint. Thus gcc thinks it doesn't need to initialize it, so result ends up undefined if the "unless" condition is true. This fixes an oops in sunrpc where the faulty atomics caused rpciod_up() to not start the workqueue as it should. Signed-off-by:
Haavard Skinnemoen <hskinnemoen@atmel.com> Signed-off-by:
-
Bob Moore authored
ACPICA: Clear reserved fields for incoming ACPI 1.0 FADTs Fixed a problem with the internal FADT conversion where ACPI 1.0 FADTs that contained invalid non-zero values in reserved fields could cause later failures because these fields have meaning in later revisions of the FADT. For incoming ACPI 1.0 FADTs, these fields are now always zeroed. (Preferred_PM_Profile, PSTATE_CNT, CST_CNT, IAPC_BOOT_FLAGS.) Signed-off-by:
Bob Moore <robert.moore@intel.com> Signed-off-by:
Len Brown <len.brown@intel.com> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
-
Bob Moore authored
ACPICA: Fixed possible corruption of global GPE list Fixed a problem in acpi_ev_delete_gpe_xrupt where the global interrupt list could be corrupted if the interrupt being removed was at the head of the list. Reported by Linn Crosetto. Signed-off-by:
-
Andrew Morton authored
Revert 7e92b4fc. It broke Sébastien Dugué's machine and Jeff said (persuasively) This seems like it will break decades-long-working stuff, in favor of breaking new ground in our favorite area, "trusting the BIOS." It's just not worth it for serial ports, IMO. Serial ports are something that just shouldn't break at this late stage in the game. My new Intel platform boxes don't even have serial ports, so I question the value of messing with serial port probing even more... because... just wait a year, and your box won't have a serial port either! :) I certainly don't object to the use of platform devices (or isa_driver), but the probe change seems questionable. That's sorta analagous to rewriting the floppy driver probe routine. Sure you could do it... but why risk all that damage and go through debugging all over again? It seems clear from this report that we cannot, should not, trust BIOS for something (a) so simple and (b) that has been working for over a decade. Much discussion ensued and we've decided to have another go at all of this. Cc: Sébastien Dugué <sebastien.dugue@bull.net> Cc: Bjorn Helgaas <bjorn.helgaas@hp.com> Cc: Len Brown <lenb@kernel.org> Cc: Adam Belay <ambx1@neo.rr.com> Cc: Matthew Garrett <mjg59@srcf.ucam.org> Cc: Russell King <rmk@arm.linux.org.uk> Cc: Jeff Garzik <jeff@garzik.org> Acked-by:
Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: Michal Piotrowski <michal.k.k.piotrowski@gmail.com> Cc: Sascha Sommer <saschasommer@freenet.de> Signed-off-by:
-
Stephen Hemminger authored
Backport of commit 71749531 If packet larger than MTU is received, the driver uses hardware to truncate the packet. Use the status registers to catch/drop them. Signed-off-by:
-
Stephen Hemminger authored
Backport of commit 5c11ce70 This patch avoids generating another IRQ if more packets arrive while in the NAPI poll routine. Before marking device as finished, it rechecks that the status ring is empty. Signed-off-by:
-
Stephen Hemminger authored
backport of commit 55d7b4e6 Make sky2 handle carrier similar to other drivers, eliminate some possible races in carrier state transistions. Signed-off-by:
-
Stephen Hemminger authored
Backport of commit c59697e0 This patch restores a couple of workarounds from 2.6.16: * restart transmit moderation timer in case it expires during IRQ routine * default to having 10 HZ watchdog timer. At this point it more important not to hang than to worry about the power cost. Signed-off-by:
-
Jean Delvare authored
The smsc47m1 driver no longer creates the name attribute used by libsensors to identify chip types. It was lost during the conversion to a platform driver. I was fooled by the fact that we do have a group with all attributes, but only to delete them all at once. The group is not used to create the attributes, so we have to explicitly create the name attribute. Signed-off-by:
Jean Delvare <khali@linux-fr.org> Signed-off-by:
Mark M. Hoffman <mhoffman@lightlink.com> Signed-off-by:
-
Mark M. Hoffman authored
Commit 34875337 introduced a regression that caused temp2 and temp3 sensor type settings to be written to temp1 instead. The result is that temp sensor readings could be way off. Signed-off-by:
-
- 21 Aug, 2007 2 commits
-
-
Greg Kroah-Hartman authored
-
Marcel Holtmann authored
This fixes a vulnerability in the "parent process death signal" implementation discoverd by Wojciech Purczynski of COSEINC PTE Ltd. and iSEC Security Research. http://marc.info/?l=bugtraq&m=118711306802632&w=2Signed-off-by:
Marcel Holtmann <marcel@holtmann.org> Signed-off-by:
-
- 15 Aug, 2007 7 commits
-
-
Greg Kroah-Hartman authored
-
Venki Pallipadi authored
Due to rounding and inexact jiffy accounting, idle_ticks can sometimes be higher than total_ticks. Make sure those cases are handled as zero load case. Signed-off-by:
Venkatesh Pallipadi <venkatesh.pallipadi@intel.com> Signed-off-by:
Dave Jones <davej@redhat.com> Signed-off-by:
-
Venki Pallipadi authored
With tickless kernel and software coordination os P-states, ondemand can look at wrong idle statistics. This can happen when ondemand sampling is happening on CPU 0 and due to software coordination sampling also looks at utilization of CPU 1. If CPU 1 is in tickless state at that moment, its idle statistics will not be uptodate and CPU 0 thinks CPU 1 is idle for less amount of time than it actually is. This can be resolved by looking at all the busy times of CPUs, which is accurate, even with tickless, and use that to determine idle time in a round about way (total time - busy time). Thanks to Arjan for originally reporting the ondemand bug on Lenovo T61. Signed-off-by:
-
Jeff Garzik authored
[libata] pata_atiixp: add SB700 PCI ID From AMD. Signed-off-by:
-
Helge Deller authored
Visualize-EG, Graffiti and A4450A graphics cards on PARISC can be configured in double-buffer and standard mode, but the stifb driver supports standard mode only. This patch detects double-buffered cards more reliable. It is a real bugfix for a very nasty problem for all parisc users which have wrongly configured their graphic card. The problem: The stifb graphics driver will not detect that the card is wrongly configured and then nevertheless just enables the graphics mode, which it shouldn't. In the end, the user will see no further updates / boot messages on the screen. We had documented this problem already on our FAQ (http://parisc-linux.org/faq/index.html#viseg "Why do I get corrupted graphics with my Vis-EG/Graffiti/A4450A card?") but people still run into this problem. So having this fix in as early as possible can help us. Signed-off-by:
Helge Deller <deller@gmx.de> Signed-off-by:
Antonino Daplas <adaplas@gmail.com> Cc: Kyle McMartin <kyle@mcmartin.ca> Signed-off-by:
-
Badari Pulavarty authored
Need to initialize map_bh.b_state to zero. Otherwise, in case of a faulty user-buffer its possible to go into dio_zero_block() and submit a page by mistake - since it checks for buffer_new(). http://marc.info/?l=linux-kernel&m=118551339032528&w=2 akpm: Linus had a (better) patch to just do a kzalloc() in there, but it got lost. Probably this version is better for -stable anwyay. Signed-off-by:
Badari Pulavarty <pbadari@us.ibm.com> Acked-by:
Joe Jin <joe.jin@oracle.com> Acked-by:
Zach Brown <zach.brown@oracle.com> Cc: gurudas pai <gurudas.pai@oracle.com> Signed-off-by:
-
Benjamin Herrenschmidt authored
My "slices" address space management code that was added in 2.6.22 implementation of get_unmapped_area() doesn't properly check that the size is a multiple of the requested page size. This allows userland to create VMAs that aren't a multiple of the huge page size with hugetlbfs (since hugetlbfs entirely relies on get_unmapped_area() to do that checking) which leads to a kernel BUG() when such areas are torn down. Signed-off-by:
Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by:
Paul Mackerras <paulus@samba.org> Signed-off-by:
-
