1. 20 Apr, 2011 7 commits
    • [S390] dasd: check sense type in device change handler · c7a29e56
      Stefan Weinhuber authored
      When evaluating sense data in dasd_eckd_check_for_device_change, we
      must always check for the type of sense data in byte 27, bit 0, to
      make sure that the rest of the sense data is interpreted correctly.
      Signed-off-by: Stefan Weinhuber <wein@de.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    • [S390] pfault: fix token handling · e35c76cd
      Heiko Carstens authored
      f6649a7e "[S390] cleanup lowcore access from external interrupts" changed
      handling of external interrupts. Instead of letting the external interrupt
      handlers access the per cpu lowcore, the entry code of the kernel already
      reads all fields that are necessary and passes them to the handlers.
      The pfault interrupt handler was incorrectly converted. It tries to
      dereference a value which used to be a pointer to a lowcore field. After
      the conversion however it is not anymore the pointer to the field but its
      content. So instead of a dereference only a cast is needed to get the
      task pointer that caused the pfault.
      
      Fixes a NULL pointer dereference and a subsequent kernel crash:
      
      Unable to handle kernel pointer dereference at virtual kernel address (null)
      Oops: 0004 [#1] SMP
      Modules linked in: nfsd exportfs nfs lockd fscache nfs_acl auth_rpcgss sunrpc
                         loop qeth_l3 qeth vmur ccwgroup ext3 jbd mbcache dm_mod
                         dasd_eckd_mod dasd_diag_mod dasd_mod
      CPU: 0 Not tainted 2.6.38-2-s390x #1
      Process cron (pid: 1106, task: 000000001f962f78, ksp: 000000001fa0f9d0)
      Krnl PSW : 0404200180000000 000000000002c03e (pfault_interrupt+0xa2/0x138)
                 R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:0 CC:2 PM:0 EA:3
      Krnl GPRS: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
                 000000001f962f78 0000000000518968 0000000090000002 000000001ff03280
                 0000000000000000 000000000064f000 000000001f962f78 0000000000002603
                 0000000006002603 0000000000000000 000000001ff7fe68 000000001ff7fe48
      Krnl Code: 000000000002c036: 5820d010            l       %r2,16(%r13)
                 000000000002c03a: 1832                lr      %r3,%r2
                 000000000002c03c: 1a31                ar      %r3,%r1
                >000000000002c03e: ba23d010            cs      %r2,%r3,16(%r13)
                 000000000002c042: a744fffc            brc     4,2c03a
                 000000000002c046: a7290002            lghi    %r2,2
                 000000000002c04a: e320d0000024        stg     %r2,0(%r13)
                 000000000002c050: 07f0                bcr     15,%r0
      Call Trace:
       ([<000000001f962f78>] 0x1f962f78)
        [<000000000001acda>] do_extint+0xf6/0x138
        [<000000000039b6ca>] ext_no_vtime+0x30/0x34
        [<000000007d706e04>] 0x7d706e04
      Last Breaking-Event-Address:
        [<0000000000000000>] 0x0
      
      For stable maintainers:
      the first kernel which contains this bug is 2.6.37.
      Reported-by: Stephen Powell <zlinuxman@wowway.com>
      Cc: Jonathan Nieder <jrnieder@gmail.com>
      Cc: stable@kernel.org
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    • [S390] qdio: reset error states immediately · bffbbd2d
      Jan Glauber authored
      The qdio hardware may suppress further interrupts as long as a SBAL is in
      the error state. That can lead to unnotified data in the SBALs following
      the error state. To prevent this behaviour change the SBAL[s] in error
      state immediately to another program owned state so interrupts are again
      received for further traffic on the device.
      Signed-off-by: Jan Glauber <jang@linux.vnet.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    • [S390] fix page table walk for changing page attributes · e4c031b4
      Jan Glauber authored
      The page table walk for changing page attributes used the wrong
      address for pgd/pud/pmd lookups if the range was bigger than
      a pmd entry. Fix the lookup by using the correct address.
      Signed-off-by: Jan Glauber <jang@linux.vnet.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    • [S390] prng: prevent access beyond end of stack · c708c57e
      Jan Glauber authored
      While initializing the state of the prng only the first 8 bytes of
      random data were used, the second 8 bytes were read from the memory
      after the stack. If only 64 bytes of the kernel stack are used and
      CONFIG_DEBUG_PAGEALLOC is enabled a kernel panic may occur because of
      the invalid page access. Use the correct multiplicator to stay within
      the random data buffer.
      Signed-off-by: Jan Glauber <jang@linux.vnet.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    • [S390] dasd: fix race between open and offline · 65f8da47
      Stefan Weinhuber authored
      The dasd_open function uses the private_data pointer of the gendisk to
      find the dasd_block structure that matches the gendisk. When a DASD
      device is set offline, we set the private_data pointer of the gendisk
      to NULL and later remove the dasd_block structure, but there is still
      a small race window, in which dasd_open could first read a pointer
      from the private_data field and then try to use it, after the structure
      has already been freed.
      To close this race window, we will store a pointer to the dasd_devmap
      structure of the base device in the private_data field. The devmap
      entries are not deleted, and we already have proper locking and
      reference counting in place, so that we can safely get from a devmap
      pointer to the dasd_device and dasd_block structures of the device.
      Signed-off-by: Stefan Weinhuber <wein@de.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    • Merge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6 · 2f666bcf
      Linus Torvalds authored
      * 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
        drm/radeon/kms: pll tweaks for r7xx
        drm/nouveau: fix allocation of notifier object
        drm/nouveau: fix notifier memory corruption bug
        drm/nouveau: fix pinning of notifier block
        drm/nouveau: populate ttm_alloced with false, when it's not
        drm/nouveau: fix nv30 pcie boards
        drm/nouveau: split ramin_lock into two locks, one hardirq safe
        drm/radeon/kms: adjust evergreen display watermark setup
        drm/radeon/kms: add connectors even if i2c fails
        drm/radeon/kms: fix bad shift in atom iio table parser
  2. 19 Apr, 2011 20 commits
  3. 18 Apr, 2011 13 commits