1. 25 May, 2004 2 commits
    • Olaf Hering's avatar
      [PATCH] USB: out of bounds access in hiddev_cleanup · 3a386413
      Olaf Hering authored
      hiddev_table[] is an array of pointers.  the minor number is used as an
      offset.  hiddev minors start either with zero, or with 96.  If they start
      with 96, the offset must be reduced by HIDDEV_MINOR_BASE because only 16
      minors are available.  unplugging a hiddevice will zero data outside the
      hiddev_table array.
      
      this was spotted by Takashi Iwai.
      3a386413
    • James Lamanna's avatar
      [PATCH] USB: Fix down() in hard IRQ in powermate driver · 6dbb845a
      James Lamanna authored
      Fixes this warning:
      
      May 18 06:56:01 Knoppix kernel: Debug: sleeping function called from
      invalid context at include/asm/semaphore.h:119
      May 18 06:56:01 Knoppix kernel: in_atomic():1, irqs_disabled():0
      May 18 06:56:01 Knoppix kernel: Call Trace:
      May 18 06:56:01 Knoppix kernel:  [<c0117083>] __might_sleep+0xb2/0xd3
      May 18 06:56:01 Knoppix kernel:  [<f88b92f4>] powermate_config_complete+0x33/0x77 [powermate]
      May 18 06:56:01 Knoppix kernel:  [<c02c6760>] usb_hcd_giveback_urb+0x25/0x39
      May 18 06:56:01 Knoppix kernel:  [<c02d7194>] uhci_finish_urb+0x54/0xa1
      May 18 06:56:01 Knoppix kernel:  [<c02d7224>] uhci_finish_completion+0x43/0x55
      May 18 06:56:01 Knoppix kernel:  [<c02d737d>] uhci_irq+0xf8/0x179
      May 18 06:56:01 Knoppix kernel:  [<c02c67aa>] usb_hcd_irq+0x36/0x67
      May 18 06:56:01 Knoppix kernel:  [<c01060c6>] handle_IRQ_event+0x3a/0x64
      May 18 06:56:01 Knoppix kernel:  [<c0106479>] do_IRQ+0xb8/0x192
      May 18 06:56:01 Knoppix kernel:  [<c0104850>] common_interrupt+0x18/0x20
      
      Attached patch uses spinlocks instead of a semaphore so that we can't sleep
      when in_atomic().
      6dbb845a
  2. 24 May, 2004 12 commits
    • Thomas Wahrenbruch's avatar
      [PATCH] USB: Fix kobil_sct with uhci · 8639d2a4
      Thomas Wahrenbruch authored
      the kobil_sct didn't work with uhci hcds.
      It used usb_fill_bulk_urb instead of usb_fill_int_urb.
      The attached patch fixes this.
      
      It starts reading in open now - this gives apps (CT-API) the chance to
      detect the p'n'p string correctly.
      8639d2a4
    • Mordechai Ovits's avatar
      [PATCH] USB: add support for MS adapter to usb pegasus net driver · f1022df9
      Mordechai Ovits authored
      I took the relevant parts from the patch (not some PHY stuff that was
      irrelevant).  Attached is the patch against stock 2.6.6.
      f1022df9
    • David Brownell's avatar
      [PATCH] USB: PXA 2xx UDC and RNDIS g_ether · e6f3d6a3
      David Brownell authored
      I noticed some problems with the PXA 2xx UDC and the
      RNDIS version of the ethernet-over-usb link:
      
        - Static linking needs more than just two endpoints now
      
        - The endpoint autoconfig misbehaves (sounds like what
          Stefan reported a couple weeks ago)
      
      This patch fixes those two problems, though there are
      a couple others lurking too.
      e6f3d6a3
    • Luiz Capitulino's avatar
      [PATCH] USB: /usb/gadget/serial.c warning fix. · 7234f3cb
      Luiz Capitulino authored
       that code is generating the fallowing warning:
      
      drivers/usb/gadget/serial.c:162: warning: `debug' defined but not used
      
       When G_SERIAL_DEBUG is not defined, `debug' is not used, because
      the gs_debug() function is compiled only when G_SERIAL_DEBUG is
      defined.
      
       Thus, a solution is to define `debug' only when G_SERIAL_DEBUG
      is defined. That includes the use of `debug' as a module parameter
      (this last part I'm not sure).
      
       The patch bellow does that (compiles ok, not tested because I don't
      have that hardware):
      7234f3cb
    • Oliver Neukum's avatar
      [PATCH] USB: fix fix to kaweth.c · 461b6851
      Oliver Neukum authored
      the previous patch was buggy. The state must be set _before_ the
      condition is checked, or there's a window missing a wakeup.
      This incremental change set fixes that.
      
        - fix race condition with current->state
      461b6851
    • Oliver Neukum's avatar
      [PATCH] USB: waitqueue related problem in kaweth · b0eef108
      Oliver Neukum authored
      this was buggy for the same reason that the old msleep was buggy.
      
        - safe waiting in case we are left on other wait queues
      b0eef108
    • Oliver Neukum's avatar
      [PATCH] USB: yet another place for msleep · 662be4ac
      Oliver Neukum authored
      this is in kobil_sct.
      It uses msleep() and replaces needless GFP_ATOMICs with GFP_NOIO
      as this function can sleep.
      
        - no need for GFP_ATOMIC
        - use msleep()
      662be4ac
    • Oliver Neukum's avatar
      [PATCH] USB: clean delays for ehci · 1a9461b6
      Oliver Neukum authored
      Here's one you overlooked.
      
        - safe sleep helper
      1a9461b6
    • Martin Habets's avatar
      [PATCH] USB: usblp printer GET_DEVICE_ID fix · 83d55856
      Martin Habets authored
      There is a problem in the usblp GET_DEVICE_ID ioctl() implementation. The patch
      below (against 2.6 current) fixes the code to be according to the official usb
      printer spec.
      
      Most printers are not affected by this fix, as they use interface 0 and
      alternate 0. For those, nothing changes. But my printer/scanner uses interface
      1 for the printer.
      83d55856
    • Linus Torvalds's avatar
      Merge http://linux-sound.bkbits.net/linux-sound · 91d7f4e3
      Linus Torvalds authored
      into ppc970.osdl.org:/home/torvalds/v2.6/linux
      91d7f4e3
    • James Bottomley's avatar
      [PATCH] pa-risc: kernel/fork.c broken by the new rmap · be4284e3
      James Bottomley authored
      Any architecture (like pa-risc) that makes use of the helper function
      flush_dcache_mmap_lock() won't compile with the new rmap due to use of
      the wrong "mapping". 
      
      Trivial fix.
      be4284e3
    • Linus Torvalds's avatar
      Merge bk://linux-scsi.bkbits.net/scsi-for-linus-2.6 · dcde1f6f
      Linus Torvalds authored
      into ppc970.osdl.org:/home/torvalds/v2.6/linux
      dcde1f6f
  3. 23 May, 2004 16 commits
  4. 22 May, 2004 10 commits
    • Linus Torvalds's avatar
      Linux 2.6.7-rc1 · 86042707
      Linus Torvalds authored
      86042707
    • Roland McGrath's avatar
      [PATCH] bogus sigaltstack calls by rt_sigreturn · ce34221e
      Roland McGrath authored
      There is a longstanding bug in the rt_sigreturn system call.
      This exists in both 2.4 and 2.6, and for almost every platform.
      
      I am referring to this code in sys_rt_sigreturn (arch/i386/kernel/signal.c):
      
      	if (__copy_from_user(&st, &frame->uc.uc_stack, sizeof(st)))
      		goto badframe;
      	/* It is more difficult to avoid calling this function than to
      	   call it and ignore errors.  */
      	/*
      	 * THIS CANNOT WORK! "&st" is a kernel address, and "do_sigaltstack()"
      	 * takes a user address (and verifies that it is a user address). End
      	 * result: it does exactly _nothing_.
      	 */
      	do_sigaltstack(&st, NULL, regs->esp);
      
      As the comment says, this is bogus.  On vanilla i386 kernels, this is just
      harmlessly stupid--do_sigaltstack always does nothing and returns -EFAULT.
      
      However this code actually bites users on kernels using Ingo Molnar's 4G/4G
      address space layout changes.  There some kernel stack address might very
      well be a lovely and readable user address as well.  When that happens, we
      make a sigaltstack call with some random buffer, and then the fun begins.
      
      To my knowledge, this has produced trouble in the real world only for 4G
      i386 kernels (RHEL and Fedora "hugemem" kernels) on machines that actually
      have several GB of physical memory (and in programs that are actually using
      sigaltstack and handling a lot of signals).  However, the same clearly
      broken code has been blindly copied to most other architecture ports, and
      off hand I don't know the address space details of any other well enough to
      know if real kernel stack addresses and real user addresses are in fact
      disjoint as they are on i386 when not using the nonstandard 4GB address
      space layout.
      
      The obvious intent of the call being there in the first place is to permit
      a signal handler to diddle its ucontext_t.uc_stack before returning, and
      have this effect a sigaltstack call on the signal handler return.  This is
      not only an optimization vs doing the extra system call, but makes it
      possible to make a sigaltstack change when that handler itself was running
      on the signal stack.  AFAICT this has never actually worked before, so
      certainly noone depends on it.  But the code certainly suggests that
      someone intended at one time for that to be the behavior.  Thus I am
      inclined to fix it so it works in that way, though it has not done so before.
      It would also be reasonable enough to simply rip out the bogus call and not
      have this functionality.
      
      From the current state of code in both 2.4 and 2.6, there is no fathoming
      how this broken code came about.  It's actually much simpler to just make
      it work!  I can only presume that at some point in the past the sigaltstack
      implementation functions were different such that this made sense.  Of the
      few ports I've looked at briefly, only the ppc/pc64 porters (go paulus!)
      actually tried to understand what the i386 code was doing and implemented
      it correctly rather than just carefully transliterating the bug.
      
      The patch below fixes only the i386 and x86_64 versions.  The x86_64
      patches I have not actually tested.  I think each and every arch (except
      ppc and ppc64) need to make the corresponding fixes as well.  Note that
      there is a function to fix for each native arch, and then one for each
      emulation flavor.  The details differ minutely for getting the calls right
      in each emulation flavor, but I think that most or all of the arch's with
      biarch/emulation support have similar enough code that each emulation
      flavor's fix will look very much like the arch/x86_64/ia32/ia32_signal.c
      patch here.
      ce34221e
    • Andrew Morton's avatar
      [PATCH] partial prefetch for vma_prio_tree_next · ad9beb31
      Andrew Morton authored
      From: Rajesh Venkatasubramanian <vrajesh@umich.edu>
      
      This patch adds prefetches for walking a vm_set.list.  Adding prefetches
      for prio tree traversals is tricky and may lead to cache trashing.  So this
      patch just adds prefetches only when walking a vm_set.list.
      
      I haven't done any benchmarks to show that this patch improves performance.
       However, this patch should help to improve performance when vm_set.lists
      are long, e.g., libc.  Since we only prefetch vmas that are guaranteed to
      be used in the near future, this patch should not result in cache trashing,
      theoretically.
      
      I didn't add any NULL checks before prefetching because prefetch.h clearly
      says prefetch(0) is okay.
      ad9beb31
    • Andrew Morton's avatar
      [PATCH] rmap 40 better anon_vma sharing · 17e8935f
      Andrew Morton authored
      From: Hugh Dickins <hugh@veritas.com>
      
      anon_vma rmap will always necessarily be more restrictive about vma merging
      than before: according to the history of the vmas in an mm, they are liable to
      be allocated different anon_vma heads, and from that point on be unmergeable.
      
      Most of the time this doesn't matter at all; but in two cases it may matter.
      One case is that mremap refuses (-EFAULT) to span more than a single vma: so
      it is conceivable that some app has relied on vma merging prior to mremap in
      the past, and will now fail with anon_vma.  Conceivable but unlikely, let's
      cross that bridge if we come to it: and the right answer would be to extend
      mremap, which should not be exporting the kernel's implementation detail of
      vma to user interface.
      
      The other case that matters is when a reasonable repetitive sequence of
      syscalls and faults ends up with a large number of separate unmergeable vmas,
      instead of the single merged vma it could have.
      
      Andrea's mprotect-vma-merging patch fixed some such instances, but left other
      plausible cases unmerged.  There is no perfect solution, and the harder you
      try to allow vmas to be merged, the less efficient anon_vma becomes, in the
      extreme there being one to span the whole address space, from which hangs
      every private vma; but anonmm rmap is clearly superior to that extreme.
      
      Andrea's principle was that neighbouring vmas which could be mprotected into
      mergeable vmas should be allowed to share anon_vma: good insight.  His
      implementation was to arrange this sharing when trying vma merge, but that
      seems to be too early.  This patch sticks to the principle, but implements it
      in anon_vma_prepare, when handling the first write fault on a private vma:
      with better results.  The drawback is that this first write fault needs an
      extra find_vma_prev (whereas prev was already to hand when implementing
      anon_vma sharing at try-to-merge time).
      17e8935f
    • Andrew Morton's avatar
      [PATCH] rmap 39 add anon_vma rmap · 8aa3448c
      Andrew Morton authored
      From: Hugh Dickins <hugh@veritas.com>
      
      Andrea Arcangeli's anon_vma object-based reverse mapping scheme for anonymous
      pages.  Instead of tracking anonymous pages by pte_chains or by mm, this
      tracks them by vma.  But because vmas are frequently split and merged
      (particularly by mprotect), a page cannot point directly to its vma(s), but
      instead to an anon_vma list of those vmas likely to contain the page - a list
      on which vmas can easily be linked and unlinked as they come and go.  The vmas
      on one list are all related, either by forking or by splitting.
      
      This has three particular advantages over anonmm: that it can cope
      effortlessly with mremap moves; and no longer needs page_table_lock to protect
      an mm's vma tree, since try_to_unmap finds vmas via page -> anon_vma -> vma
      instead of using find_vma; and should use less cpu for swapout since it can
      locate its anonymous vmas more quickly.
      
      It does have disadvantages too: a lot more change in mmap.c to deal with
      anon_vmas, though small straightforward additions now that the vma merging has
      been refactored there; more lowmem needed for each anon_vma and vma structure;
      an additional restriction on the merging of vmas (cannot be merged if already
      assigned different anon_vmas, since then their pages will be pointing to
      different heads).
      
      (There would be no need to enlarge the vma structure if anonymous pages
      belonged only to anonymous vmas; but private file mappings accumulate
      anonymous pages by copy-on-write, so need to be listed in both anon_vma and
      prio_tree at the same time.  A different implementation could avoid that by
      using anon_vmas only for purely anonymous vmas, and use the existing prio_tree
      to locate cow pages - but that would involve a long search for each single
      private copy, probably not a good idea.)
      
      Where before the vm_pgoff of a purely anonymous (not file-backed) vma was
      meaningless, now it represents the virtual start address at which that vma is
      mapped - which the standard file pgoff manipulations treat linearly as vmas
      are split and merged.  But if mremap moves the vma, then it generally carries
      its original vm_pgoff to the new location, so pages shared with the old
      location can still be found.  Magic.
      
      Hugh has massaged it somewhat: building on the earlier rmap patches, this
      patch is a fifth of the size of Andrea's original anon_vma patch.  Please note
      that this posting will be his first sight of this patch, which he may or may
      not approve.
      8aa3448c
    • Andrew Morton's avatar
      [PATCH] rmap 38 remove anonmm rmap · a89cd0f0
      Andrew Morton authored
      From: Hugh Dickins <hugh@veritas.com>
      
      Before moving on to anon_vma rmap, remove now what's peculiar to anonmm rmap:
      the anonmm handling and the mremap move cows.  Temporarily reduce
      page_referenced_anon and try_to_unmap_anon to stubs, so a kernel built with
      this patch will not swap anonymous at all.
      a89cd0f0
    • Andrew Morton's avatar
      [PATCH] rmap 37 page_add_anon_rmap vma · e1fd9cc9
      Andrew Morton authored
      From: Hugh Dickins <hugh@veritas.com>
      
      Silly final patch for anonmm rmap: change page_add_anon_rmap's mm arg to vma
      arg like anon_vma rmap, to smooth the transition between them.
      e1fd9cc9
    • Andrew Morton's avatar
      [PATCH] rmap 36 mprotect use vma_merge · 2b2e2a36
      Andrew Morton authored
      From: Hugh Dickins <hugh@veritas.com>
      
      Earlier on, in 2.6.6, we took the vma merging code out of mremap.c and let it
      rely on vma_merge instead (via copy_vma).  Now take the vma merging code out
      of mprotect.c and let it rely on vma_merge too: so vma_merge becomes the sole
      vma merging engine.  The fruit of this consolidation is that mprotect now
      merges file-backed vmas naturally.  Make this change now because anon_vma will
      complicate the vma merging rules, let's keep them all in one place.
      
      vma_merge remains where the decisions are made, whether to merge with prev
      and/or next; but now [addr,end) may be the latter part of prev, or first part
      or whole of next, whereas before it was always a new area.
      
      vma_adjust carries out vma_merge's decision, but when sliding the boundary
      between vma and next, must temporarily remove next from the prio_tree too. 
      And it turned out (by oops) to have a surer idea of whether next needs to be
      removed than vma_merge, so the fput and freeing moves into vma_adjust.
      
      Too much decipherment of what's going on at the start of vma_adjust?  Yes, and
      there's a delicate assumption that you may use vma_adjust in sliding a
      boundary, or splitting in two, or growing a vma (mremap uses it in that way),
      but not for simply shrinking a vma.  Which is so, and must be so (how could
      pages mapped in the part to go, be zapped without first splitting?), but would
      feel better with some protection.
      
      __vma_unlink can then be moved from mm.h to mmap.c, and mm.h's more misleading
      than helpful can_vma_merge is deleted.
      2b2e2a36
    • Andrew Morton's avatar
      [PATCH] rmap 35 mmap.c cleanups · 06ecc0db
      Andrew Morton authored
      From: Hugh Dickins <hugh@veritas.com>
      
      Before some real vma_merge work in mmap.c in the next patch, a patch of
      miscellaneous cleanups to cut down the noise:
      
      - remove rb_parent arg from vma_merge: mm->mmap can do that case
      - scatter pgoff_t around to ingratiate myself with the boss
      - reorder is_mergeable_vma tests, vm_ops->close is least likely
      - can_vma_merge_before take combined pgoff+pglen arg (from Andrea)
      - rearrange do_mmap_pgoff's ever-confusing anonymous flags switch
      - comment do_mmap_pgoff's mysterious (vm_flags & VM_SHARED) test
      - fix ISO C90 warning on browse_rb if building with DEBUG_MM_RB
      - stop that long MNT_NOEXEC line wrapping
      
      Yes, buried in amidst these is indeed one pgoff replaced by "next->vm_pgoff -
      pglen" (reverting a mod of mine which took pgoff supplied by user too
      seriously in the anon case), and another pgoff replaced by 0 (reverting
      anon_vma mod which crept in with NUMA API): neither of them really matters,
      except perhaps in /proc/pid/maps.
      06ecc0db
    • Andrew Morton's avatar
      [PATCH] rmap 34 vm_flags page_table_lock · 4877b14f
      Andrew Morton authored
      From: Hugh Dickins <hugh@veritas.com>
      
      First of a batch of seven rmap patches, based on 2.6.6-mm3.  Probably the
      final batch: remaining issues outstanding can have isolated patches.  The
      first half of the batch is good for anonmm or anon_vma, the second half of the
      batch replaces my anonmm rmap by Andrea's anon_vma rmap.
      
      Judge for yourselves which you prefer.  I do think I was wrong to call
      anon_vma more complex than anonmm (its lists are easier to understand than my
      refcounting), and I'm happy with its vma merging after the last patch.  It
      just comes down to whether we can spare the extra 24 bytes (maximum, on
      32-bit) per vma for its advantages in swapout and mremap.
      
      rmap 34 vm_flags page_table_lock
      
      Why do we guard vm_flags mods with page_table_lock when it's already
      down_write guarded by mmap_sem?  There's probably a historical reason, but no
      sign of any need for it now.  Andrea added a comment and removed the instance
      from mprotect.c, Hugh plagiarized his comment and removed the instances from
      madvise.c and mlock.c.  Huge leap in scalability...  not expected; but this
      should stop people asking why those spinlocks.
      4877b14f