1. 20 Jul, 2012 1 commit
    • Alan Stern's avatar
      HID: usbhid: fix use-after-free bug · 668160e5
      Alan Stern authored
      This patch (as1592) fixes an obscure problem in the usbhid driver.
      Under some circumstances, a control or interrupt-OUT URB can be
      submitted twice.  This will happen if the first submission fails; the
      queue pointers aren't updated, so the next time the queue is restarted
      the same URB will be submitted again.
      
      The problem is that raw_report gets deallocated during the first
      submission.  The second submission will then dereference and try to
      free an already-freed region of memory.  The patch fixes the problem
      by setting raw_report to NULL when it is deallocated and checking for
      NULL before dereferencing it.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      CC: Oliver Neukum <oliver@neukum.org>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      668160e5
  2. 19 Jul, 2012 7 commits
  3. 18 Jul, 2012 17 commits
  4. 17 Jul, 2012 15 commits
    • Linus Torvalds's avatar
      Merge branch 'akpm' (Andrew's patch-bomb) · de74646c
      Linus Torvalds authored
      Merge Andrew's remaining patches for 3.5:
       "Nine fixes"
      
      * Merge emailed patches from Andrew Morton <akpm@linux-foundation.org>: (9 commits)
        mm: fix lost kswapd wakeup in kswapd_stop()
        m32r: make memset() global for CONFIG_KERNEL_BZIP2=y
        m32r: add memcpy() for CONFIG_KERNEL_GZIP=y
        m32r: consistently use "suffix-$(...)"
        m32r: fix 'fix breakage from "m32r: use generic ptrace_resume code"' fallout
        m32r: fix pull clearing RESTORE_SIGMASK into block_sigmask() fallout
        m32r: remove duplicate definition of PTRACE_O_TRACESYSGOOD
        mn10300: fix "pull clearing RESTORE_SIGMASK into block_sigmask()" fallout
        bootmem: make ___alloc_bootmem_node_nopanic() really nopanic
      de74646c
    • Aaditya Kumar's avatar
      mm: fix lost kswapd wakeup in kswapd_stop() · 1c7e7f6c
      Aaditya Kumar authored
      Offlining memory may block forever, waiting for kswapd() to wake up
      because kswapd() does not check the event kthread->should_stop before
      sleeping.
      
      The proper pattern, from Documentation/memory-barriers.txt, is:
      
         ---  waker  ---
         event_indicated = 1;
         wake_up_process(event_daemon);
      
         ---  sleeper  ---
         for (;;) {
            set_current_state(TASK_UNINTERRUPTIBLE);
            if (event_indicated)
               break;
            schedule();
         }
      
         set_current_state() may be wrapped by:
            prepare_to_wait();
      
      In the kswapd() case, event_indicated is kthread->should_stop.
      
        === offlining memory (waker) ===
         kswapd_stop()
            kthread_stop()
               kthread->should_stop = 1
               wake_up_process()
               wait_for_completion()
      
        ===  kswapd_try_to_sleep (sleeper) ===
         kswapd_try_to_sleep()
            prepare_to_wait()
                 .
                 .
            schedule()
                 .
                 .
            finish_wait()
      
      The schedule() needs to be protected by a test of kthread->should_stop,
      which is wrapped by kthread_should_stop().
      
      Reproducer:
         Do heavy file I/O in background.
         Do a memory offline/online in a tight loop
      Signed-off-by: default avatarAaditya Kumar <aaditya.kumar@ap.sony.com>
      Acked-by: default avatarKOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
      Reviewed-by: default avatarMinchan Kim <minchan@kernel.org>
      Acked-by: default avatarMel Gorman <mel@csn.ul.ie>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1c7e7f6c
    • Geert Uytterhoeven's avatar
      m32r: make memset() global for CONFIG_KERNEL_BZIP2=y · 9a75c6e5
      Geert Uytterhoeven authored
      Fix the m32r compile error:
      
        arch/m32r/boot/compressed/misc.c:31:14: error: static declaration of 'memset' follows non-static declaration
        make[5]: *** [arch/m32r/boot/compressed/misc.o] Error 1
        make[4]: *** [arch/m32r/boot/compressed/vmlinux] Error 2
      
      by removing the static keyword.
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Cc: Hirokazu Takata <takata@linux-m32r.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      9a75c6e5
    • Geert Uytterhoeven's avatar
      m32r: add memcpy() for CONFIG_KERNEL_GZIP=y · a8abbca6
      Geert Uytterhoeven authored
      Fix the m32r link error:
      
          LD      arch/m32r/boot/compressed/vmlinux
        arch/m32r/boot/compressed/misc.o: In function `zlib_updatewindow':
        misc.c:(.text+0x190): undefined reference to `memcpy'
        misc.c:(.text+0x190): relocation truncated to fit: R_M32R_26_PLTREL against undefined symbol `memcpy'
        make[5]: *** [arch/m32r/boot/compressed/vmlinux] Error 1
      
      by adding our own implementation of memcpy().
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Cc: Hirokazu Takata <takata@linux-m32r.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a8abbca6
    • Geert Uytterhoeven's avatar
      m32r: consistently use "suffix-$(...)" · df12aef6
      Geert Uytterhoeven authored
      Commit a556bec9 ("m32r: fix arch/m32r/boot/compressed/Makefile")
      changed "$(suffix_y)" to "$(suffix-y)", but didn't update any location
      where "suffix_y" is set, causing:
      
        make[5]: *** No rule to make target `arch/m32r/boot/compressed/vmlinux.bin.', needed by `arch/m32r/boot/compressed/piggy.o'.  Stop.
        make[4]: *** [arch/m32r/boot/compressed/vmlinux] Error 2
        make[3]: *** [zImage] Error 2
      
      Correct the other locations to fix this.
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Cc: Hirokazu Takata <takata@linux-m32r.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      df12aef6
    • Geert Uytterhoeven's avatar
      m32r: fix 'fix breakage from "m32r: use generic ptrace_resume code"' fallout · a6b20297
      Geert Uytterhoeven authored
      Commit acdc0d5e ('m32r: fix breakage from "m32r: use generic
      ptrace_resume code"') tried to fix a problem in commit e34112e3
      ("m32r: use generic ptrace_resume code") by returning values in a
      function returning void, causing:
      
        arch/m32r/kernel/ptrace.c: In function 'user_enable_single_step':
        arch/m32r/kernel/ptrace.c:594:3: warning: 'return' with a value, in function returning void [enabled by default]
        arch/m32r/kernel/ptrace.c:598:3: warning: 'return' with a value, in function returning void [enabled by default]
        arch/m32r/kernel/ptrace.c:601:3: warning: 'return' with a value, in function returning void [enabled by default]
        arch/m32r/kernel/ptrace.c:604:2: warning: 'return' with a value, in function returning void [enabled by default]
      
      Remove the unneeded return values.
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hirokazu Takata <takata@linux-m32r.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a6b20297
    • Geert Uytterhoeven's avatar
      m32r: fix pull clearing RESTORE_SIGMASK into block_sigmask() fallout · f9717f31
      Geert Uytterhoeven authored
      Commit a610d6e6 ("pull clearing RESTORE_SIGMASK into
      block_sigmask()") caused:
      
        arch/m32r/kernel/signal.c: In function 'handle_signal':
        arch/m32r/kernel/signal.c:289:6: warning: 'return' with a value, in function returning void [enabled by default]
      
      Remove the return value it forgot to remove.
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Hirokazu Takata <takata@linux-m32r.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f9717f31
    • Geert Uytterhoeven's avatar
      m32r: remove duplicate definition of PTRACE_O_TRACESYSGOOD · 07f604cc
      Geert Uytterhoeven authored
      Fix the m32r build warning:
      
        include/linux/ptrace.h:66:0: warning: "PTRACE_O_TRACESYSGOOD" redefined [enabled by default]
        arch/m32r/include/asm/ptrace.h:117:0: note: this is the location of the previous definition
      
      We already have it in <linux/ptrace.h>, so remove it from <asm/ptrace.h>
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Cc: Hirokazu Takata <takata@linux-m32r.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      07f604cc
    • Geert Uytterhoeven's avatar
      mn10300: fix "pull clearing RESTORE_SIGMASK into block_sigmask()" fallout · b45f9330
      Geert Uytterhoeven authored
      Commit a610d6e6 ("pull clearing RESTORE_SIGMASK into
      block_sigmask()") caused:
      
        arch/mn10300/kernel/signal.c: In function 'handle_signal':
        arch/mn10300/kernel/signal.c:462:3: warning: 'return' with no value, in function returning non-void [-Wreturn-type]
      
      Add the missing return values, and restore the indentation while we're
      at it.
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Koichi Yasutake <yasutake.koichi@jp.panasonic.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b45f9330
    • Yinghai Lu's avatar
      bootmem: make ___alloc_bootmem_node_nopanic() really nopanic · c8f4a2d0
      Yinghai Lu authored
      In reaction to commit 99ab7b19 ("mm: sparse: fix usemap allocation
      above node descriptor section") Johannes said:
      | while backporting the below patch, I realised that your fix busted
      | f5bf18fa again.  The problem was not a panicking version on
      | allocation failure but when the usemap size was too large such that
      | goal + size > limit triggers the BUG_ON in the bootmem allocator.  So
      | we need a version that passes limit ONLY if the usemap is smaller than
      | the section.
      
      after checking the code, the name of ___alloc_bootmem_node_nopanic()
      does not reflect the fact.
      
      Make bootmem really not panic.
      
      Hope will kill bootmem sooner.
      Signed-off-by: default avatarYinghai Lu <yinghai@kernel.org>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: <stable@vger.kernel.org>    [3.3.x, 3.4.x]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c8f4a2d0
    • Linus Torvalds's avatar
      Merge tag 'pm-post-3.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · a5e13512
      Linus Torvalds authored
      Pull a last-minute PM update from Rafael J. Wysocki:
       "This renames CAP_EPOLLWAKEUP to CAP_BLOCK_SUSPEND to encourage future
        reuse of the capability in question in related cases."
      
      * tag 'pm-post-3.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        PM: Rename CAP_EPOLLWAKEUP to CAP_BLOCK_SUSPEND
      a5e13512
    • Michael Kerrisk's avatar
      PM: Rename CAP_EPOLLWAKEUP to CAP_BLOCK_SUSPEND · d9914cf6
      Michael Kerrisk authored
      As discussed in
      http://thread.gmane.org/gmane.linux.kernel/1249726/focus=1288990,
      the capability introduced in 4d7e30d9
      to govern EPOLLWAKEUP seems misnamed: this capability is about governing
      the ability to suspend the system, not using a particular API flag
      (EPOLLWAKEUP). We should make the name of the capability more general
      to encourage reuse in related cases. (Whether or not this capability
      should also be used to govern the use of /sys/power/wake_lock is a
      question that needs to be separately resolved.)
      
      This patch renames the capability to CAP_BLOCK_SUSPEND. In order to ensure
      that the old capability name doesn't make it out into the wild, could you
      please apply and push up the tree to ensure that it is incorporated
      for the 3.5 release.
      Signed-off-by: default avatarMichael Kerrisk <mtk.manpages@gmail.com>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      Signed-off-by: default avatarRafael J. Wysocki <rjw@sisk.pl>
      d9914cf6
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · a0185401
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) IPVS oops'ers:
         a) Should not reset skb->nf_bridge in forwarding hook (Lin Ming)
         b) 3.4 commit can cause ip_vs_control_cleanup to be invoked after
            the ipvs_core_ops are unregistered during rmmod (Julian ANastasov)
      
       2) ixgbevf bringup failure can crash in TX descriptor cleanup
          (Alexander Duyck)
      
       3) AX25 switch missing break statement hoses ROSE sockets (Alan Cox)
      
       4) CAIF accesses freed per-net memory (Sjur Brandeland)
      
       5) Network cgroup code has out-or-bounds accesses (Eric DUmazet), and
          accesses freed memory (Gao Feng)
      
       6) Fix a crash in SCTP reported by Dave Jones caused by freeing an
          association still on a list (Neil HOrman)
      
       7) __netdev_alloc_skb() regresses on GFP_DMA using drivers because that
          GFP flag is not being retained for the allocation (Eric Dumazet).
      
       8) Missing NULL hceck in sch_sfb netlink message parsing (Alan Cox)
      
       9) bnx2 crashes because TX index iteration is not bounded correctly
          (Michael Chan)
      
      10) IPoIB generates warnings in TCP queue collapsing (via
          skb_try_coalesce) because it does not set skb->truesize correctly
          (Eric Dumazet)
      
      11) vlan_info objects leak for the implicit vlan with ID 0 (Amir
          Hanania)
      
      12) A fix for TX time stamp handling in gianfar does not transfer socket
          ownership from one packet to another correctly, resulting in a
          socket write space imbalance (Eric Dumazet)
      
      13) Julia Lawall found several cases where we do a list iteration, and
          then at the loop termination unconditionally assume we ended up with
          real list object, rather than the list head itself (CNIC, RXRPC,
          mISDN).
      
      14) The bonding driver handles procfs moving incorrectly when a device
          it manages is moved from one namespace to another (Eric Biederman)
      
      15) Missing memory barriers in stmmac descriptor accesses result in
          various crashes (Deepak Sikri)
      
      16) Fix handling of broadcast packets in batman-adv (Simon Wunderlich)
      
      17) Properly check the sanity of sendmsg() lengths in ieee802154's
          dgram_sendmsg().  Dave Jones and others have hit and reported this
          bug (Sasha Levin)
      
      18) Some drivers (b44 and b43legacy) on 64-bit machines stopped working
          because of how netdev_alloc_skb() was adjusted.  Such drivers should
          now use alloc_skb() for obtaining bounce buffers.  (Eric Dumazet)
      
      19) atl1c mis-managed it's link state in that it stops the queue by hand
          on link down.  The generic networking takes care of that and this
          double stop locks the queue down.  So simply removing the driver's
          queue stop call fixes the problem (Cloud Ren)
      
      20) Fix out-of-memory due to mis-accounting in net_em packet scheduler
          (Eric Dumazet)
      
      21) If DCB and SR-IOV are configured at the same time in IXGBE the chip
          will hang because this is not supported (Alexander Duyck)
      
      22) A commit to stop drivers using netdev->base_addr broke the CNIC
          driver (Michael Chan)
      
      23) Timeout regression in ipset caused by an attempt to fix an overflow
          bug (Jozsef Kadlecsik).
      
      24) mac80211 minstrel code allocates memory using incorrect size
          (Thomas Huehn)
      
      25) llcp_sock_getname() needs to check for a NULL device otherwise we
          OOPS (Sasha Levin)
      
      26) mwifiex leaks memory (Bing Zhao)
      
      27) Propagate iwlwifi fix to iwlegacy, even when we're not associated
          we need to monitor for stuck queues in the watchdog handler
          (Stanislaw Geuszka)
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (44 commits)
        ipvs: fix oops in ip_vs_dst_event on rmmod
        ipvs: fix oops on NAT reply in br_nf context
        ixgbevf: Fix panic when loading driver
        ax25: Fix missing break
        MAINTAINERS: reflect actual changes in IEEE 802.15.4 maintainership
        caif: Fix access to freed pernet memory
        net: cgroup: fix access the unallocated memory in netprio cgroup
        ixgbevf: Prevent RX/TX statistics getting reset to zero
        sctp: Fix list corruption resulting from freeing an association on a list
        net: respect GFP_DMA in __netdev_alloc_skb()
        e1000e: fix test for PHY being accessible on 82577/8/9 and I217
        e1000e: Correct link check logic for 82571 serdes
        sch_sfb: Fix missing NULL check
        bnx2: Fix bug in bnx2_free_tx_skbs().
        IPoIB: fix skb truesize underestimatiom
        net: Fix memory leak - vlan_info struct
        gianfar: fix potential sk_wmem_alloc imbalance
        drivers/net/ethernet/broadcom/cnic.c: remove invalid reference to list iterator variable
        net/rxrpc/ar-peer.c: remove invalid reference to list iterator variable
        drivers/isdn/mISDN/stack.c: remove invalid reference to list iterator variable
        ...
      a0185401
    • Linus Torvalds's avatar
      Merge tag 'single-rpmsg-3.5-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/ohad/rpmsg · 635ac119
      Linus Torvalds authored
      Pull rpmsg fix from Ohad Ben-Cohen:
       "A single rpmsg fix for 3.5, coming from Federico Fuga, which
        eliminates the dependency on arbitrary initialization orders."
      
      * tag 'single-rpmsg-3.5-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/ohad/rpmsg:
        rpmsg: fix dependency on initialization order
      635ac119
    • Linus Torvalds's avatar
      Merge branch 'fixes-for-linus' of git://git.linaro.org/people/mszyprowski/linux-dma-mapping · 5bb93f1a
      Linus Torvalds authored
      Pull CMA and DMA-mapping fixes from Marek Szyprowski:
       "Another set of minor fixups for recently merged Contiguous Memory
        Allocator and ARM DMA-mapping changes.  Those patches fix mysterious
        crashes on systems with CMA and Himem enabled as well as some corner
        cases caused by typical off-by-one bug."
      
      * 'fixes-for-linus' of git://git.linaro.org/people/mszyprowski/linux-dma-mapping:
        ARM: dma-mapping: modify condition check while freeing pages
        mm: cma: fix condition check when setting global cma area
        mm: cma: don't replace lowmem pages with highmem
      5bb93f1a