- 08 Oct, 2010 3 commits
-
-
Kees Cook authored
Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel heap without clearing it. For the one driver (niu) that implements it, it will leave the unused portion of heap unchanged and copy the full contents back to userspace. Signed-off-by: Kees Cook <kees.cook@canonical.com> Acked-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dan Carpenter authored
setup.phone and setup.eazmsn are 32 character buffers. rcvmsg.msg_data.byte_array is a 48 character buffer. sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn is 50 chars. The rcvmsg struct comes from the memcpy_fromio() in receivemessage(). I guess that means it's data off the wire. I'm not very familiar with this code but I don't see any reason to assume these strings are NULL terminated. Also it's weird that "dn" in a 50 character buffer but we only seem to use 32 characters. In drivers/isdn/sc/scioc.h, "dn" is only a 49 character buffer. So potentially there is still an issue there. The important thing for now is to prevent the memory corruption. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 07 Oct, 2010 3 commits
-
-
John W. Linville authored
This reverts commit 5ed3bc72. It turns-out that not all drivers are calling ieee80211_tx_status from a compatible context. Revert this for now and try again later... Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
David S. Miller authored
-
- 06 Oct, 2010 10 commits
-
-
Linus Torvalds authored
-
git://git.linux-mips.org/pub/scm/upstream-linusLinus Torvalds authored
* 'upstream' of git://git.linux-mips.org/pub/scm/upstream-linus: MIPS: Octeon: Place cnmips_cu2_setup in __init memory. MIPS: Don't place cu2 notifiers in __cpuinitdata MIPS: Calculate VMLINUZ_LOAD_ADDRESS based on the length of vmlinux.bin MIPS: Alchemy: Resolve prom section mismatches MIPS: Fix syscall 64 bit number comments. MIPS: Hookup fanotify_init, fanotify_mark, and prlimit64 syscalls. MIPS: TX49xx: Rename ARCH_KMALLOC_MINALIGN to ARCH_DMA_MINALIGN MIPS: N32: Fix getdents64 syscall for n32 MIPS: Remove pr_<level> uses of KERN_<level> MIPS: PNX8550: Sort out machine halt, restart and powerdown functions. MIPS: GIC: Remove dependencies from Malta files. MIPS: Kconfig: Fix and clarify kconfig help text for VSMP and SMTC. MIPS: DMA: Fix computation of DMA flags from device's coherent_dma_mask. MIPS: Audit: Fix hang in entry.S. MIPS: Document why RELOC_HIDE is there. MIPS: Octeon: Determine if helper needs to be built MIPS: Use generic atomic64 for 32-bit kernels MIPS: RM7000: Symbol should be static MIPS: kspd: Adjust confusing if indentation MIPS: Fix a typo.
-
Johannes Berg authored
We never delete the addBA response timer, which is typically fine, but if the station it belongs to is deleted very quickly after starting the BA session, before the peer had a chance to reply, the timer may fire after the station struct has been freed already. Therefore, we need to delete the timer in a suitable spot -- best when the session is being stopped (which will happen even then) in which case the delete will be a no-op most of the time. I've reproduced the scenario and tested the fix. This fixes the crash reported at http://mid.gmane.org/4CAB6F96.6090701@candelatech.com Cc: stable@kernel.org Reported-by: Ben Greear <greearb@candelatech.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Felix Fietkau authored
wireless-testing commit 37e5bf65 Author: Luis R. Rodriguez <lrodriguez@atheros.com> Date: Sat Jun 12 00:33:40 2010 -0400 ath9k_hw: fix clock rate calculations for ANI This commit accidentally broke clock rate calculation by doubling the calculated clock rate Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
git://git.kernel.dk/linux-2.6-blockLinus Torvalds authored
* 'for-linus' of git://git.kernel.dk/linux-2.6-block: writeback: always use sb->s_bdi for writeback purposes
-
git://xenbits.xen.org/people/sstabellini/linux-pvhvmLinus Torvalds authored
* 'v2.6.36-rc6-urgent-fixes' of git://xenbits.xen.org/people/sstabellini/linux-pvhvm: xen: do not initialize PV timers on HVM if !xen_have_vector_callback xen: do not set xenstored_ready before xenbus_probe on hvm
-
git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuseLinus Torvalds authored
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse: fuse: Initialize total_len in fuse_retrieve()
-
Eric Dumazet authored
caif_connect() might dereference a netdevice after dev_put() it. It also doesnt check dev_get_by_index() return value and could dereference a NULL pointer. Fix it, using RCU to avoid taking a reference. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Sjur Braendeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Neil Horman authored
Fix a WARN_ON failure in bond_masters sysfs file Got a report of this warning recently bonding: bond0 is being created... ------------[ cut here ]------------ WARNING: at fs/proc/generic.c:590 proc_register+0x14d/0x185() Hardware name: ProLiant BL465c G1 proc_dir_entry 'bonding/bond0' already registered Modules linked in: bonding ipv6 tg3 bnx2 shpchp amd64_edac_mod edac_core ipmi_si ipmi_msghandler serio_raw i2c_piix4 k8temp edac_mce_amd hpwdt microcode hpsa cc iss radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core [last unloaded: scsi_wai t_scan] Pid: 935, comm: ifup-eth Not tainted 2.6.33.5-124.fc13.x86_64 #1 Call Trace: [<ffffffff8104b54c>] warn_slowpath_common+0x77/0x8f [<ffffffff8104b5b1>] warn_slowpath_fmt+0x3c/0x3e [<ffffffff8114bf0b>] proc_register+0x14d/0x185 [<ffffffff8114c20c>] proc_create_data+0x87/0xa1 [<ffffffffa0211e9b>] bond_create_proc_entry+0x55/0x95 [bonding] [<ffffffffa0215e5d>] bond_init+0x95/0xd0 [bonding] [<ffffffff8138cd97>] register_netdevice+0xdd/0x29e [<ffffffffa021240b>] bond_create+0x8e/0xb8 [bonding] [<ffffffffa021c4be>] bonding_store_bonds+0xb3/0x1c1 [bonding] [<ffffffff812aec85>] class_attr_store+0x27/0x29 [<ffffffff8115423d>] sysfs_write_file+0x10f/0x14b [<ffffffff81101acf>] vfs_write+0xa9/0x106 [<ffffffff81101be2>] sys_write+0x45/0x69 [<ffffffff81009b02>] system_call_fastpath+0x16/0x1b ---[ end trace a677c3f7f8b16b1e ]--- bonding: Bond creation failed. It happens because a user space writer to bond_master can try to register an already existing bond interface name. Fix it by teaching bond_create to check for the existance of devices with that name first in cases where a non-NULL name parameter has been passed in Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Stephen Rothwell authored
Since powerpc uses -Werror on arch powerpc, the build was broken like this: cc1: warnings being treated as errors arch/powerpc/kernel/module.c: In function 'module_finalize': arch/powerpc/kernel/module.c:66: error: unused variable 'err' Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- 05 Oct, 2010 12 commits
-
-
Stanislaw Gruszka authored
Skge devices installed on some Gigabyte motherboards are not able to perform 64 dma correctly due to board PCI implementation, so limit DMA to 32bit if such boards are detected. Bug was reported here: https://bugzilla.redhat.com/show_bug.cgi?id=447489Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Tested-by: Luya Tshimbalanga <luya@fedoraproject.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jeff Kirsher authored
- Add ixgbevf and docs files to the maintainers file Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jeff Kirsher authored
Adds documentation for the e1000e networking driver. Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jeff Kirsher authored
Updated the e1000 networking driver documentation. Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jeff Kirsher authored
Update the documentation for the ixgbevf (ixgbe virtual function driver). Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Linus Torvalds authored
Merge branch 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: rcu: rcu_read_lock_bh_held(): disabling irqs also disables bh generic-ipi: Fix deadlock in __smp_call_function_single
-
Linus Torvalds authored
Merge branch 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: perf trace scripting: Fix extern struct definitions perf ui hist browser: Fix segfault on 'a' for annotate perf tools: Fix build breakage perf, x86: Handle in flight NMIs on P4 platform oprofile, ARM: Release resources on failure oprofile: Add Support for Intel CPU Family 6 / Model 29
-
Evgeny Kuznetsov authored
The "flags" member of "struct wait_queue_t" is used in several places in the kernel code without beeing initialized by init_wait(). "flags" is used in bitwise operations. If "flags" not initialized then unexpected behaviour may take place. Incorrect flags might used later in code. Added initialization of "wait_queue_t.flags" with zero value into "init_wait". Signed-off-by: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com> [ The bit we care about does end up being initialized by both prepare_to_wait() and add_to_wait_queue(), so this doesn't seem to cause actual bugs, but is definitely the right thing to do -Linus ] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Linus Torvalds authored
With all the recent module loading cleanups, we've minimized the code that sits under module_mutex, fixing various deadlocks and making it possible to do most of the module loading in parallel. However, that whole conversion totally missed the rather obscure code that adds a new module to the list for BUG() handling. That code was doubly obscure because (a) the code itself lives in lib/bugs.c (for dubious reasons) and (b) it gets called from the architecture-specific "module_finalize()" rather than from generic code. Calling it from arch-specific code makes no sense what-so-ever to begin with, and is now actively wrong since that code isn't protected by the module loading lock any more. So this commit moves the "module_bug_{finalize,cleanup}()" calls away from the arch-specific code, and into the generic code - and in the process protects it with the module_mutex so that the list operations are now safe. Future fixups: - move the module list handling code into kernel/module.c where it belongs. - get rid of 'module_bug_list' and just use the regular list of modules (called 'modules' - imagine that) that we already create and maintain for other reasons. Reported-and-tested-by: Thomas Gleixner <tglx@linutronix.de> Cc: Rusty Russell <rusty@rustcorp.com.au> Cc: Adrian Bunk <bunk@kernel.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Stefano Stabellini authored
if !xen_have_vector_callback do not initialize PV timer unconditionally because we still don't know how many cpus are available and if there is more than one we won't be able to receive the timer interrupts on cpu > 0. This patch fixes an hang at boot when Xen does not support vector callbacks and the guest has multiple vcpus. Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Jeremy Fitzhardinge <jeremy@goop.org>
-
Stefano Stabellini authored
Register_xenstore_notifier should guarantee that the caller gets notified even if xenstore is already up. Therefore we revert "do not notify callers from register_xenstore_notifier" and set xenstored_read at the right time for PV on HVM guests too. In fact in case of PV on HVM guests xenstored is ready only after the platform pci driver has completed the initialization, so do not set xenstored_ready before the call to xenbus_probe(). This patch fixes a shutdown_event watcher registration bug that causes "xm shutdown" not to work properly. Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Jeremy Fitzhardinge <jeremy@goop.org>
-
Dan Carpenter authored
skb_headroom() is unsigned so "skb_headroom(skb) + toff" is also unsigned and can't be less than zero. This test was added in 66d50d25: "u32: negative offset fix" It was supposed to fix a regression. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 04 Oct, 2010 12 commits
-
-
Gustavo F. Padovan authored
L2CAP doesn't permit change like MTU, FCS, TxWindow values while the connection is alive, we can only set that before the connection/configuration process. That can lead to bugs in the L2CAP operation. Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
-
git://git.kernel.org/pub/scm/linux/kernel/git/lrg/voltage-2.6Linus Torvalds authored
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lrg/voltage-2.6: regulator: max8649 - fix setting extclk_freq regulator: fix typo in current units regulator: fix device_register() error handling
-
git://git.secretlab.ca/git/linux-2.6Linus Torvalds authored
* 'merge-powerpc' of git://git.secretlab.ca/git/linux-2.6: powerpc/5200: tighten up ac97 reset timing powerpc/5200: efika.c: Add of_node_put to avoid memory leak powerpc/512x: fix clk_get() return value
-
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6Linus Torvalds authored
* 'fix/misc' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6: ALSA: i2c/other/ak4xx-adda: Fix a compile warning with CONFIG_PROCFS=n ALSA: prevent heap corruption in snd_ctl_new()
-
git://git.kernel.org/pub/scm/linux/kernel/git/groeck/stagingLinus Torvalds authored
* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging: hwmon: f71882fg: use a muxed resource lock for the Super I/O port
-
git://git.kernel.org/pub/scm/linux/kernel/git/davej/cpufreqLinus Torvalds authored
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/davej/cpufreq: [CPUFREQ] Fix memory leaks in pcc_cpufreq_do_osc [CPUFREQ] acpi-cpufreq: add missing __percpu markup
-
git://git.secretlab.ca/git/linux-2.6Linus Torvalds authored
* 'merge-spi' of git://git.secretlab.ca/git/linux-2.6: of/spi: Fix OF-style driver binding of spi devices spi: spi-gpio.c tests SPI_MASTER_NO_RX bit twice, but not SPI_MASTER_NO_TX spi/mpc8xxx: fix buffer overrun on large transfers
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds authored
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: vlan: dont drop packets from unknown vlans in promiscuous mode Phonet: Correct header retrieval after pskb_may_pull um: Proper Fix for f25c80a4: remove duplicate structure field initialization ip_gre: Fix dependencies wrt. ipv6. net-2.6: SYN retransmits: Add new parameter to retransmits_timed_out() iwl3945: queue the right work if the scan needs to be aborted mac80211: fix use-after-free
-
git://git.kernel.org/pub/scm/linux/kernel/git/ickle/drm-intelLinus Torvalds authored
* 'drm-intel-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ickle/drm-intel: drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow drm/i915: Sanity check pread/pwrite drm/i915: Use pipe state to tell when pipe is off drm/i915: vblank status not valid while training display port drivers/gpu/drm/i915/i915_gem.c: Add missing error handling code drm/i915: Fix refleak during eviction. drm/i915: fix GMCH power reporting
-
Hugh Dickins authored
Building under memory pressure, with KSM on 2.6.36-rc5, collapsed with an internal compiler error: typically indicating an error in swapping. Perhaps there's a timing issue which makes it now more likely, perhaps it's just a long time since I tried for so long: this bug goes back to KSM swapping in 2.6.33. Notice how reuse_swap_page() allows an exclusive page to be reused, but only does SetPageDirty if it can delete it from swap cache right then - if it's currently under Writeback, it has to be left in cache and we don't SetPageDirty, but the page can be reused. Fine, the dirty bit will get set in the pte; but notice how zap_pte_range() does not bother to transfer pte_dirty to page_dirty when unmapping a PageAnon. If KSM chooses to share such a page, it will look like a clean copy of swapcache, and not be written out to swap when its memory is needed; then stale data read back from swap when it's needed again. We could fix this in reuse_swap_page() (or even refuse to reuse a page under writeback), but it's more honest to fix my oversight in KSM's write_protect_page(). Several days of testing on three machines confirms that this fixes the issue they showed. Signed-off-by: Hugh Dickins <hughd@google.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Hugh Dickins authored
2.6.36-rc1 commit 21d0d443 "rmap: resurrect page_address_in_vma anon_vma check" was right to resurrect that check; but now that it's comparing anon_vma->roots instead of just anon_vmas, there's a danger of oopsing on a NULL anon_vma. In most cases no NULL anon_vma ever gets here; but it turns out that occasionally KSM, when enabled on a forked or forking process, will itself call page_address_in_vma() on a "half-KSM" page left over from an earlier failed attempt to merge - whose page_anon_vma() is NULL. It's my bug that those should be getting here at all: I thought they were already dealt with, this oops proves me wrong, I'll fix it in the next release - such pages are effectively pinned until their process exits, since rmap cannot find their ptes (though swapoff can). For now just work around it by making page_address_in_vma() safe (and add a comment on why that check is wanted anyway). A similar check in __page_check_anon_rmap() is safe because do_page_add_anon_rmap() already excluded KSM pages. Signed-off-by: Hugh Dickins <hughd@google.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: Rik van Riel <riel@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
David Daney authored
It is an early_initcall, so it should be in __init memory. Signed-off-by: David Daney <ddaney@caviumnetworks.com> To: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/1593/Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
-