1. 03 Oct, 2008 13 commits
  2. 02 Oct, 2008 14 commits
  3. 01 Oct, 2008 12 commits
    • Mike Rapoport's avatar
      pxa2xx_spi: fix build breakage · 20b918dc
      Mike Rapoport authored
      This patch fixes a build error in the pxa2xx-spi driver,
      introduced by commit 7e964455
      ("pxa2xx_spi: dma bugfixes")
      
        CC      drivers/spi/pxa2xx_spi.o
      drivers/spi/pxa2xx_spi.c: In function 'map_dma_buffers':
      drivers/spi/pxa2xx_spi.c:331: error: invalid operands to binary &
      drivers/spi/pxa2xx_spi.c:331: error: invalid operands to binary &
      drivers/spi/pxa2xx_spi.c: In function 'pump_transfers':
      drivers/spi/pxa2xx_spi.c:897: warning: format '%lu' expects type 'long unsigned int', but argument 4 has type 'unsigned int'
      
      [dbrownell@users.sourceforge.net: fix warning too ]
      Signed-off-by: default avatarMike Rapoport <mike@compulab.co.il>
      Acked-by: default avatarEric Miao <eric.miao@marvell.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarDavid Brownell <dbrownell@users.sourceforge.net>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      20b918dc
    • Linus Torvalds's avatar
      Merge branch 'x86-fixes-for-linus' of... · edfd222f
      Linus Torvalds authored
      Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
      
      * 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
        x86, vmi: fix broken LDT access
        x86: fix typo in enable_mtrr_cleanup early parameter
      edfd222f
    • David Howells's avatar
      MN10300: Fix IRQ handling · d6478fad
      David Howells authored
      Fix the IRQ handling on the MN10300 arch.
      
      This patch makes a number of significant changes:
      
       (1) It separates the irq_chip definition for edge-triggered interrupts from
           the one for level-triggered interrupts.
      
           This is necessary because the MN10300 PIC latches the IRQ channel's
           interrupt request bit (GxICR_REQUEST), even after the device has ceased to
           assert its interrupt line and the interrupt channel has been disabled in
           the PIC.  So for level-triggered interrupts we need to clear this bit when
           we re-enable - which is achieved by setting GxICR_DETECT but not
           GxICR_REQUEST when writing to the register.
      
           Not doing this results in spurious interrupts occurring because calling
           mask_ack() at the start of handle_level_irq() is insufficient - it fails
           to clear the REQUEST latch because the device that caused the interrupt is
           still asserting its interrupt line at this point.
      
       (2) IRQ disablement [irq_chip::disable_irq()] shouldn't clear the interrupt
           request flag for edge-triggered interrupts lest it lose an interrupt.
      
       (3) IRQ unmasking [irq_chip::unmask_irq()] also shouldn't clear the interrupt
           request flag for edge-triggered interrupts lest it lose an interrupt.
      
       (4) The end() operation is now left to the default (no-operation) as
           __do_IRQ() is compiled out.  This may affect misrouted_irq(), but
           according to Thomas Gleixner it's the correct thing to do.
      
       (5) handle_level_irq() is used for edge-triggered interrupts rather than
           handle_edge_irq() as the MN10300 PIC latches interrupt events even on
           masked IRQ channels, thus rendering IRQ_PENDING unnecessary.  It is
           sufficient to call mask_ack() at the start and unmask() at the end.
      
       (6) For level-triggered interrupts, ack() is now NULL as it's not used, and
           there is no effective ACK function on the PIC.  mask_ack() is now the
           same as mask() as the latch continues to latch, even when the channel is
           masked.
      
      Further, the patch discards the disable() op implementation as its now the same
      as the mask() op implementation, which is used instead.
      
      It also discards the enable() op implementations as they're now the same as
      the unmask() op implementations, which are used instead.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d6478fad
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-2.6-dm · 7ac9c1c2
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-2.6-dm:
        dm mpath: add missing path switching locking
        dm: cope with access beyond end of device in dm_merge_bvec
        dm: always allow one page in dm_merge_bvec
      7ac9c1c2
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 · ae1cfb11
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
        af_key: Free dumping state on socket close
        XFRM,IPv6: initialize ip6_dst_blackhole_ops.kmem_cachep
        ipv6: NULL pointer dereferrence in tcp_v6_send_ack
        tcp: Fix NULL dereference in tcp_4_send_ack()
        sctp: Fix kernel panic while process protocol violation parameter
        iucv: Fix mismerge again.
        ipsec: Fix pskb_expand_head corruption in xfrm_state_check_space
      ae1cfb11
    • Chandra Seetharaman's avatar
      dm mpath: add missing path switching locking · 7253a334
      Chandra Seetharaman authored
      Moving the path activation to workqueue along with scsi_dh patches introduced
      a race. It is due to the fact that the current_pgpath (in the multipath data
      structure) can be modified if changes happen in any of the paths leading to
      the lun. If the changes lead to current_pgpath being set to NULL, then it
      leads to the invalid access which results in the panic below.
      
      This patch fixes that by storing the pgpath to activate in the multipath data
      structure and properly protecting it.
      
      Note that if activate_path is called twice in succession with different pgpath,
      with the second one being called before the first one is done, then activate
      path will be called twice for the second pgpath, which is fine.
      
      Unable to handle kernel paging request for data at address 0x00000020
      Faulting instruction address: 0xd000000000aa1844
      cpu 0x1: Vector: 300 (Data Access) at [c00000006b987a80]
          pc: d000000000aa1844: .activate_path+0x30/0x218 [dm_multipath]
          lr: c000000000087a2c: .run_workqueue+0x114/0x204
          sp: c00000006b987d00
         msr: 8000000000009032
         dar: 20
       dsisr: 40000000
        current = 0xc0000000676bb3f0
        paca    = 0xc0000000006f3680
          pid   = 2528, comm = kmpath_handlerd
      enter ? for help
      [c00000006b987da0] c000000000087a2c .run_workqueue+0x114/0x204
      [c00000006b987e40] c000000000088b58 .worker_thread+0x120/0x144
      [c00000006b987f00] c00000000008ca70 .kthread+0x78/0xc4
      [c00000006b987f90] c000000000027cc8 .kernel_thread+0x4c/0x68
      Signed-off-by: default avatarChandra Seetharaman <sekharan@us.ibm.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      7253a334
    • Mikulas Patocka's avatar
      dm: cope with access beyond end of device in dm_merge_bvec · b01cd5ac
      Mikulas Patocka authored
      If for any reason dm_merge_bvec() is given an offset beyond the end of the
      device, avoid an oops and always allow one page to be added to an empty bio.
      We'll reject the I/O later after the bio is submitted.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      b01cd5ac
    • Mikulas Patocka's avatar
      dm: always allow one page in dm_merge_bvec · 5037108a
      Mikulas Patocka authored
      Some callers assume they can always add at least one page to an empty bio,
      so dm_merge_bvec should not return 0 in this case: we'll reject the I/O
      later after the bio is submitted.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      5037108a
    • Timo Teras's avatar
      af_key: Free dumping state on socket close · 05238204
      Timo Teras authored
      Fix a xfrm_{state,policy}_walk leak if pfkey socket is closed while
      dumping is on-going.
      Signed-off-by: default avatarTimo Teras <timo.teras@iki.fi>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      05238204
    • Arnaud Ebalard's avatar
      XFRM,IPv6: initialize ip6_dst_blackhole_ops.kmem_cachep · 5dc121e9
      Arnaud Ebalard authored
      ip6_dst_blackhole_ops.kmem_cachep is not expected to be NULL (i.e. to
      be initialized) when dst_alloc() is called from ip6_dst_blackhole().
      Otherwise, it results in the following (xfrm_larval_drop is now set to
      1 by default):
      
      [   78.697642] Unable to handle kernel paging request for data at address 0x0000004c
      [   78.703449] Faulting instruction address: 0xc0097f54
      [   78.786896] Oops: Kernel access of bad area, sig: 11 [#1]
      [   78.792791] PowerMac
      [   78.798383] Modules linked in: btusb usbhid bluetooth b43 mac80211 cfg80211 ehci_hcd ohci_hcd sungem sungem_phy usbcore ssb
      [   78.804263] NIP: c0097f54 LR: c0334a28 CTR: c002d430
      [   78.809997] REGS: eef19ad0 TRAP: 0300   Not tainted  (2.6.27-rc5)
      [   78.815743] MSR: 00001032 <ME,IR,DR>  CR: 22242482  XER: 20000000
      [   78.821550] DAR: 0000004c, DSISR: 40000000
      [   78.827278] TASK = eef0df40[3035] 'mip6d' THREAD: eef18000
      [   78.827408] GPR00: 00001032 eef19b80 eef0df40 00000000 00008020 eef19c30 00000001 00000000
      [   78.833249] GPR08: eee5101c c05a5c10 ef9ad500 00000000 24242422 1005787c 00000000 1004f960
      [   78.839151] GPR16: 00000000 10024e90 10050040 48030018 0fe44150 00000000 00000000 eef19c30
      [   78.845046] GPR24: eef19e44 00000000 eef19bf8 efb37c14 eef19bf8 00008020 00009032 c0596064
      [   78.856671] NIP [c0097f54] kmem_cache_alloc+0x20/0x94
      [   78.862581] LR [c0334a28] dst_alloc+0x40/0xc4
      [   78.868451] Call Trace:
      [   78.874252] [eef19b80] [c03c1810] ip6_dst_lookup_tail+0x1c8/0x1dc (unreliable)
      [   78.880222] [eef19ba0] [c0334a28] dst_alloc+0x40/0xc4
      [   78.886164] [eef19bb0] [c03cd698] ip6_dst_blackhole+0x28/0x1cc
      [   78.892090] [eef19be0] [c03d9be8] rawv6_sendmsg+0x75c/0xc88
      [   78.897999] [eef19cb0] [c038bca4] inet_sendmsg+0x4c/0x78
      [   78.903907] [eef19cd0] [c03207c8] sock_sendmsg+0xac/0xe4
      [   78.909734] [eef19db0] [c03209e4] sys_sendmsg+0x1e4/0x2a0
      [   78.915540] [eef19f00] [c03220a8] sys_socketcall+0xfc/0x210
      [   78.921406] [eef19f40] [c0014b3c] ret_from_syscall+0x0/0x38
      [   78.927295] --- Exception: c01 at 0xfe2d730
      [   78.927297]     LR = 0xfe2d71c
      [   78.939019] Instruction dump:
      [   78.944835] 91640018 9144001c 900a0000 4bffff44 9421ffe0 7c0802a6 bf810010 7c9d2378
      [   78.950694] 90010024 7fc000a6 57c0045e 7c000124 <83e3004c> 8383005c 2f9f0000 419e0050
      [   78.956464] ---[ end trace 05fa1ed7972487a1 ]---
      
      As commented by Benjamin Thery, the bug was introduced by
      f2fc6a54, while adding network
      namespaces support to ipv6 routes.
      Signed-off-by: default avatarArnaud Ebalard <arno@natisbad.org>
      Acked-by: default avatarBenjamin Thery <benjamin.thery@bull.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5dc121e9
    • Denis V. Lunev's avatar
      ipv6: NULL pointer dereferrence in tcp_v6_send_ack · 2a5b8275
      Denis V. Lunev authored
      The following actions are possible:
      tcp_v6_rcv
        skb->dev = NULL;
        tcp_v6_do_rcv
          tcp_v6_hnd_req
            tcp_check_req
              req->rsk_ops->send_ack == tcp_v6_send_ack
      
      So, skb->dev can be NULL in tcp_v6_send_ack. We must obtain namespace
      from dst entry.
      
      Thanks to Vitaliy Gusev <vgusev@openvz.org> for initial problem finding
      in IPv4 code.
      Signed-off-by: default avatarDenis V. Lunev <den@openvz.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2a5b8275
    • Vitaliy Gusev's avatar
      tcp: Fix NULL dereference in tcp_4_send_ack() · 4dd7972d
      Vitaliy Gusev authored
      Fix NULL dereference in tcp_4_send_ack().
      
      As skb->dev is reset to NULL in tcp_v4_rcv() thus OOPS occurs:
      
      BUG: unable to handle kernel NULL pointer dereference at 00000000000004d0
      IP: [<ffffffff80498503>] tcp_v4_send_ack+0x203/0x250
      
      Stack:  ffff810005dbb000 ffff810015c8acc0 e77b2c6e5f861600 a01610802e90cb6d
       0a08010100000000 88afffff88afffff 0000000080762be8 0000000115c872e8
       0004122000000000 0000000000000001 ffffffff80762b88 0000000000000020
      Call Trace:
       <IRQ>  [<ffffffff80499c33>] tcp_v4_reqsk_send_ack+0x20/0x22
       [<ffffffff8049bce5>] tcp_check_req+0x108/0x14c
       [<ffffffff8047aaf7>] ? rt_intern_hash+0x322/0x33c
       [<ffffffff80499846>] tcp_v4_do_rcv+0x399/0x4ec
       [<ffffffff8045ce4b>] ? skb_checksum+0x4f/0x272
       [<ffffffff80485b74>] ? __inet_lookup_listener+0x14a/0x15c
       [<ffffffff8049babc>] tcp_v4_rcv+0x6a1/0x701
       [<ffffffff8047e739>] ip_local_deliver_finish+0x157/0x24a
       [<ffffffff8047ec9a>] ip_local_deliver+0x72/0x7c
       [<ffffffff8047e5bd>] ip_rcv_finish+0x38d/0x3b2
       [<ffffffff803d3548>] ? scsi_io_completion+0x19d/0x39e
       [<ffffffff8047ebe5>] ip_rcv+0x2a2/0x2e5
       [<ffffffff80462faa>] netif_receive_skb+0x293/0x303
       [<ffffffff80465a9b>] process_backlog+0x80/0xd0
       [<ffffffff802630b4>] ? __rcu_process_callbacks+0x125/0x1b4
       [<ffffffff8046560e>] net_rx_action+0xb9/0x17f
       [<ffffffff80234cc5>] __do_softirq+0xa3/0x164
       [<ffffffff8020c52c>] call_softirq+0x1c/0x28
       <EOI>  [<ffffffff8020de1c>] do_softirq+0x34/0x72
       [<ffffffff80234b8e>] local_bh_enable_ip+0x3f/0x50
       [<ffffffff804d43ca>] _spin_unlock_bh+0x12/0x14
       [<ffffffff804599cd>] release_sock+0xb8/0xc1
       [<ffffffff804a6f9a>] inet_stream_connect+0x146/0x25c
       [<ffffffff80243078>] ? autoremove_wake_function+0x0/0x38
       [<ffffffff8045751f>] sys_connect+0x68/0x8e
       [<ffffffff80291818>] ? fd_install+0x5f/0x68
       [<ffffffff80457784>] ? sock_map_fd+0x55/0x62
       [<ffffffff8020b39b>] system_call_after_swapgs+0x7b/0x80
      
      Code: 41 10 11 d0 83 d0 00 4d 85 ed 89 45 c0 c7 45 c4 08 00 00 00 74 07 41 8b 45 04 89 45 c8 48 8b 43 20 8b 4d b8 48 8d 55 b0 48 89 de <48> 8b 80 d0 04 00 00 48 8b b8 60 01 00 00 e8 20 ae fe ff 65 48
      RIP  [<ffffffff80498503>] tcp_v4_send_ack+0x203/0x250
       RSP <ffffffff80762b78>
      CR2: 00000000000004d0
      Signed-off-by: default avatarVitaliy Gusev <vgusev@openvz.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4dd7972d
  4. 30 Sep, 2008 1 commit
    • Zachary Amsden's avatar
      x86, vmi: fix broken LDT access · dc63b526
      Zachary Amsden authored
      This one took a long time to rear up because LDT usage is not very
      common, but the bug is quite serious.  It got introduced along with
      another bug, already fixed, by 75b8bb3e
      
      After investigating a JRE failure, I found this bug was introduced a long time
      ago, and had already managed to survive another bugfix which occurred on the
      same line.  The result is a total failure of the JRE due to LDT selectors not
      working properly.
      Signed-off-by: default avatarZachary Amsden <zach@vmware.com>
      Cc: Glauber de Oliveira Costa <gcosta@redhat.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarIngo Molnar <mingo@elte.hu>
      dc63b526