1. 16 Sep, 2008 2 commits
  2. 13 Sep, 2008 32 commits
  3. 12 Sep, 2008 6 commits
    • Yinghai Lu's avatar
      PCI: re-add debug prints for unmodified BARs · 395a125c
      Yinghai Lu authored
      Print out for device BAR values before the kernel tries to update them.
      Also make related output use KERN_DEBUG.
      Signed-off-by: default avatarYinghai Lu <yhlu.kernel@gmail.com>
      Signed-off-by: default avatarJesse Barnes <jbarnes@virtuousgeek.org>
      395a125c
    • Santwona Behera's avatar
      niu: panic on reset · cff502a3
      Santwona Behera authored
      The reset_task function in the niu driver does not reset the tx and rx
      buffers properly. This leads to panic on reset. This patch is a
      modified implementation of the previously posted fix.
      Signed-off-by: default avatarSantwona Behera <santwona.behera@sun.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cff502a3
    • David S. Miller's avatar
      sparc: Fix user_regset 'n' field values. · 7d4ee289
      David S. Miller authored
      As noticed by Russell King, we were not setting this properly
      to the number of entries, but rather the total size.
      
      This results in the core dumping code allocating waayyyy too
      much memory.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7d4ee289
    • David S. Miller's avatar
      sparc64: Fix PCI error interrupt registry on PSYCHO. · 80a56ab6
      David S. Miller authored
      We need to pass IRQF_SHARED, otherwise we get things like:
      
      IRQ handler type mismatch for IRQ 33
      current handler: PSYCHO_UE
      Call Trace:
       [000000000048394c] request_irq+0xac/0x120
       [00000000007c5f6c] psycho_scan_bus+0x98/0x158
       [00000000007c2bc0] pcibios_init+0xdc/0x12c
       [0000000000426a5c] do_one_initcall+0x1c/0x160
       [00000000007c0180] kernel_init+0x9c/0xfc
       [0000000000427050] kernel_thread+0x30/0x60
       [00000000006ae1d0] rest_init+0x10/0x60
      
      on e3500 and similar systems.
      
      On a single board, the UE interrupts of two Psycho nodes
      are funneled through the same interrupt, from of_debug=3
      dump:
      
      /pci@b,4000: direct translate 2ee --> 21
       ...
      /pci@b,2000: direct translate 2ee --> 21
      
      Decimal "33" mentioned above is the hex "21" mentioned here.
      
      Thanks to Meelis Roos for dumps and testing.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      80a56ab6
    • David S. Miller's avatar
    • Vegard Nossum's avatar
      netlink: fix overrun in attribute iteration · 1045b03e
      Vegard Nossum authored
      kmemcheck reported this:
      
        kmemcheck: Caught 16-bit read from uninitialized memory (f6c1ba30)
        0500110001508abf050010000500000002017300140000006f72672e66726565
         i i i i i i i i i i i i i u u u u u u u u u u u u u u u u u u u
                                         ^
      
        Pid: 3462, comm: wpa_supplicant Not tainted (2.6.27-rc3-00054-g6397ab9-dirty #13)
        EIP: 0060:[<c05de64a>] EFLAGS: 00010296 CPU: 0
        EIP is at nla_parse+0x5a/0xf0
        EAX: 00000008 EBX: fffffffd ECX: c06f16c0 EDX: 00000005
        ESI: 00000010 EDI: f6c1ba30 EBP: f6367c6c ESP: c0a11e88
         DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
        CR0: 8005003b CR2: f781cc84 CR3: 3632f000 CR4: 000006d0
        DR0: c0ead9bc DR1: 00000000 DR2: 00000000 DR3: 00000000
        DR6: ffff4ff0 DR7: 00000400
         [<c05d4b23>] rtnl_setlink+0x63/0x130
         [<c05d5f75>] rtnetlink_rcv_msg+0x165/0x200
         [<c05ddf66>] netlink_rcv_skb+0x76/0xa0
         [<c05d5dfe>] rtnetlink_rcv+0x1e/0x30
         [<c05dda21>] netlink_unicast+0x281/0x290
         [<c05ddbe9>] netlink_sendmsg+0x1b9/0x2b0
         [<c05beef2>] sock_sendmsg+0xd2/0x100
         [<c05bf945>] sys_sendto+0xa5/0xd0
         [<c05bf9a6>] sys_send+0x36/0x40
         [<c05c03d6>] sys_socketcall+0x1e6/0x2c0
         [<c020353b>] sysenter_do_call+0x12/0x3f
         [<ffffffff>] 0xffffffff
      
      This is the line in nla_ok():
      
        /**
         * nla_ok - check if the netlink attribute fits into the remaining bytes
         * @nla: netlink attribute
         * @remaining: number of bytes remaining in attribute stream
         */
        static inline int nla_ok(const struct nlattr *nla, int remaining)
        {
                return remaining >= sizeof(*nla) &&
                       nla->nla_len >= sizeof(*nla) &&
                       nla->nla_len <= remaining;
        }
      
      It turns out that remaining can become negative due to alignment in
      nla_next(). But GCC promotes "remaining" to unsigned in the test
      against sizeof(*nla) above. Therefore the test succeeds, and the
      nla_for_each_attr() may access memory outside the received buffer.
      
      A short example illustrating this point is here:
      
        #include <stdio.h>
      
        main(void)
        {
                printf("%d\n", -1 >= sizeof(int));
        }
      
      ...which prints "1".
      
      This patch adds a cast in front of the sizeof so that GCC will make
      a signed comparison and fix the illegal memory dereference. With the
      patch applied, there is no kmemcheck report.
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@gmail.com>
      Acked-by: default avatarThomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1045b03e