Julia Lawall [Sat, 28 Aug 2010 02:31:56 +0000 (19:31 -0700)]
net/ipv4: Eliminate kstrdup memory leak
The string clone is only used as a temporary copy of the argument val
within the while loop, and so it should be freed before leaving the
function. The call to strsep, however, modifies clone, so a pointer to the
front of the string is kept in saved_clone, to make it possible to free it.
The sematic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)
*x= \(kasprintf\|kstrdup\)(...);
...
if (x == NULL) S
... when != kfree(x)
when != E = x
if (...) {
<... when != kfree(x)
* goto l;
...>
* return ...;
}
// </smpl>
Eric Paris [Sat, 28 Aug 2010 01:42:11 +0000 (21:42 -0400)]
fsnotify: drop two useless bools in the fnsotify main loop
The fsnotify main loop has 2 bools which indicated if we processed the
inode or vfsmount mark in that particular pass through the loop. These
bool can we replaced with the inode_group and vfsmount_group variables
and actually make the code a little easier to understand.
Eric Paris [Sat, 28 Aug 2010 01:24:24 +0000 (21:24 -0400)]
fsnotify: fix list walk order
Marks were stored on the inode and vfsmonut mark list in order from
highest memory address to lowest memory address. The code to walk those
lists thought they were in order from lowest to highest with
unpredictable results when trying to match up marks from each. It was
possible that extra events would be sent to userspace when inode
marks ignoring events wouldn't get matched with the vfsmount marks.
This problem only affected fanotify when using both vfsmount and inode
marks simultaneously.
Barry Song [Wed, 2 Jun 2010 04:22:11 +0000 (04:22 +0000)]
Blackfin: bf52x/bf54x boards: drop unused nand page size
Now that the driver for the Blackfin on-chip NFC no longer uses/respects
the page_size from the platform resources (figures out the needs on the
fly), drop it from the platform resources. This fixes some build errors
since the defines no longer exists.
When file name encryption was enabled, ecryptfs_lookup() failed to use
the encrypted and encoded version of the upper, plaintext, file name
when performing a lookup in the lower file system. This made it
impossible to lookup existing encrypted file names and any newly created
files would have plaintext file names in the lower file system.
ret = 0
... when != ret = e1
*x = \(kmalloc\|kcalloc\|kzalloc\)(...)
... when != ret = e2
if (x == NULL) { ... when != ret = e3
return ret;
}
// </smpl>
Changhwan Youn [Fri, 27 Aug 2010 08:57:44 +0000 (17:57 +0900)]
ARM: S5PV310: Fix on Secondary CPU startup
Following occurs on boot message without this patch.
CPU1: processor failed to boot
Brought up 1 CPUs
SMP: Total of 1 processors activated...
This patch adds SYSRAM mapping for fixing Secondary CPU startup.
CPU1: Booted secondary processor
Brought up 2 CPUs
SMP: Total of 2 processors activated...
Kukjin Kim [Sat, 21 Aug 2010 00:03:16 +0000 (09:03 +0900)]
ARM: SAMSUNG: Fix on build warning regarding VMALLOC_END type
Fix this warning:
arch/arm/mm/init.c: In function 'mem_init':
arch/arm/mm/init.c:644: warning: format '%08lx' expects type
'long unsigned int', but argument 12 has type 'unsigned int'
Jeff Mahoney [Thu, 26 Aug 2010 23:11:08 +0000 (16:11 -0700)]
net/caif/cfrfml.c: use asm/unaligned.h
caif does not build on ia64 starting with 2.6.32-rc1. Using
asm/unaligned.h instead of linux/unaligned/le_byteshift.h fixes the issue.
include/linux/unaligned/le_byteshift.h:40:50: error: redefinition of 'get_unaligned_le16'
include/linux/unaligned/le_byteshift.h:45:50: error: redefinition of 'get_unaligned_le32'
include/linux/unaligned/le_byteshift.h:50:50: error: redefinition of 'get_unaligned_le64'
include/linux/unaligned/le_byteshift.h:55:51: error: redefinition of 'put_unaligned_le16'
include/linux/unaligned/le_byteshift.h:60:51: error: redefinition of 'put_unaligned_le32'
include/linux/unaligned/le_byteshift.h:65:51: error: redefinition of 'put_unaligned_le64'
include/linux/unaligned/le_struct.h:31:51: note: previous definition of 'put_unaligned_le64' was here
Arnd Bergmann [Thu, 26 Aug 2010 22:55:28 +0000 (08:55 +1000)]
drm: fix regression in drm locking since BKL removal.
This locking path needs proper auditing but probably too late for changes at this point for 2.6.36, so lets go with the quick fix, which is to drop the lock around schedule.
I've botched up the range-restriction checks. The result is usually
an X server dying with SIGBUS in libpixman (software fallback rendering).
Change the code to adjust the start and end for range restricted
allocations. IMHO this even makes the code a bit clearer.
Rusty Russell [Fri, 27 Aug 2010 14:39:48 +0000 (08:39 -0600)]
lguest: clean up warnings in demonstration launcher.
These days the headers we use are in glibc. If those are too old, you can
add the -I lines to get the kernel headers.
In file included from ../../include/linux/if_tun.h:19,
from lguest.c:33:
../../include/linux/types.h:13:2: warning: #warning "Attempt to use kernel headers from user space, see http://kernelnewbies.org/KernelHeaders"
lguest.c: In function ‘setup_tun_net’:
lguest.c:1456: warning: dereferencing pointer ‘sin’ does break strict-aliasing rules
lguest.c:1457: warning: dereferencing pointer ‘sin’ does break strict-aliasing rules
lguest.c:1450: note: initialized from here
Dave Airlie [Thu, 26 Aug 2010 23:09:46 +0000 (09:09 +1000)]
Merge remote branch 'nouveau/for-airlied' of /ssd/git/drm-nouveau-next into drm-fixes
* 'nouveau/for-airlied' of /ssd/git/drm-nouveau-next:
drm/nouveau: drop drm_global_mutex before sleeping in submission path
drm: export drm_global_mutex for drivers to use
drm/nv20: Don't use pushbuf calls on the original nv20.
drm/nouveau: Fix TMDS on some DCB1.5 boards.
drm/nouveau: Fix backlight control on PPC machines with an internal TMDS panel.
drm/nv30: Apply modesetting to the correct slave encoder
drm/nouveau: Use a helper function to match PCI device/subsystem IDs.
drm/nv50: add dcb type 14 to enum to prevent compiler complaint
Eric Dumazet [Wed, 25 Aug 2010 23:44:35 +0000 (23:44 +0000)]
l2tp: test for ethernet header in l2tp_eth_dev_recv()
close https://bugzilla.kernel.org/show_bug.cgi?id=16529
Before calling dev_forward_skb(), we should make sure skb head contains
at least an ethernet header, even if length included in upper layer said
so. Use pskb_may_pull() to make sure this ethernet header is present in
skb head.
Takashi Iwai [Fri, 13 Aug 2010 13:53:49 +0000 (15:53 +0200)]
nfsd: fix NULL dereference in nfsd_statfs()
The commit ebabe9a9001af0af56c0c2780ca1576246e7a74b
pass a struct path to vfs_statfs
introduced the struct path initialization, and this seems to trigger
an Oops on my machine.
fh_dentry field may be NULL and set later in fh_verify(), thus the
initialization of path must be after fh_verify().
J. Bruce Fields [Fri, 20 Aug 2010 22:09:31 +0000 (18:09 -0400)]
nfsd4: fix downgrade/lock logic
If we already had a RW open for a file, and get a readonly open, we were
piggybacking on the existing RW open. That's inconsistent with the
downgrade logic which blows away the RW open assuming you'll still have
a readonly open.
Also, make sure there is a readonly or writeonly open available for
locking, again to prevent bad behavior in downgrade cases when any RW
open may be lost.
Suresh Jayaraman [Thu, 26 Aug 2010 09:16:09 +0000 (14:46 +0530)]
Cannot allocate memory error on mount
On 08/26/2010 01:56 AM, joe hefner wrote:
> On a recent Fedora (13), I am seeing a mount failure message that I can not explain. I have a Windows Server 2003ýa with a share set up for access only for a specific username (say userfoo). If I try to mount it from Linux,ýusing userfoo and the correct password all is well. If I try with a bad password or with some other username (userbar), it fails with "Permission denied" as expected. If I try to mount as username = administrator, and give the correct administrator password, I would also expect "Permission denied", but I see "Cannot allocate memory" instead.
> ýfs/cifs/netmisc.c: Mapping smb error code 5 to POSIX err -13
> ýfs/cifs/cifssmb.c: Send error in QPathInfo = -13
> ýCIFS VFS: cifs_read_super: get root inode failed
Looks like the commit 0b8f18e3 assumed that cifs_get_inode_info() and
friends fail only due to memory allocation error when the inode is NULL
which is not the case if CIFSSMBQPathInfo() fails and returns an error.
Fix this by propagating the actual error code back.
Borislav Petkov [Tue, 24 Aug 2010 16:21:42 +0000 (18:21 +0200)]
amd64_edac: Do not report error overflow as a separate error
When the Overflow MCi_STATUS bit is set, EDAC reports the lost error
with a "no information available" message which often puzzles users
parsing the dmesg. This doesn't make much sense since this error has
been lost anyway so no need for reporting it separately. Thus, report
the overflow bit setting in the MCE dump instead. While at it, remove
reporting of MiscV and ErrorEnable (en) which are superfluous.
Now it looks like this:
[ 1501.650024] MC4_STATUS: Corrected error, other errors lost: yes, CPU context corrupt: no, CECC Error
[ 1501.666887] Northbridge Error, node 2
KOSAKI Motohiro [Tue, 24 Aug 2010 16:05:48 +0000 (16:05 +0000)]
tcp: select(writefds) don't hang up when a peer close connection
This issue come from ruby language community. Below test program
hang up when only run on Linux.
% uname -mrsv
Linux 2.6.26-2-486 #1 Sat Dec 26 08:37:39 UTC 2009 i686
% ruby -rsocket -ve '
BasicSocket.do_not_reverse_lookup = true
serv = TCPServer.open("127.0.0.1", 0)
s1 = TCPSocket.open("127.0.0.1", serv.addr[1])
s2 = serv.accept
s2.close
s1.write("a") rescue p $!
s1.write("a") rescue p $!
Thread.new {
s1.write("a")
}.join'
ruby 1.9.3dev (2010-07-06 trunk 28554) [i686-linux]
#<Errno::EPIPE: Broken pipe>
[Hang Here]
FreeBSD, Solaris, Mac doesn't. because Ruby's write() method call
select() internally. and tcp_poll has a bug.
SUS defined 'ready for writing' of select() as following.
| A descriptor shall be considered ready for writing when a call to an output
| function with O_NONBLOCK clear would not block, whether or not the function
| would transfer data successfully.
That said, EPIPE situation is clearly one of 'ready for writing'.
We don't have read-side issue because tcp_poll() already has read side
shutdown care.
Eric Dumazet [Thu, 26 Aug 2010 06:02:17 +0000 (23:02 -0700)]
tcp: fix three tcp sysctls tuning
As discovered by Anton Blanchard, current code to autotune
tcp_death_row.sysctl_max_tw_buckets, sysctl_tcp_max_orphans and
sysctl_max_syn_backlog makes little sense.
The bigger a page is, the less tcp_max_orphans is : 4096 on a 512GB
machine in Anton's case.
(tcp_hashinfo.bhash_size * sizeof(struct inet_bind_hashbucket))
is much bigger if spinlock debugging is on. Its wrong to select bigger
limits in this case (where kernel structures are also bigger)
bhash_size max is 65536, and we get this value even for small machines.
A better ground is to use size of ehash table, this also makes code
shorter and more obvious.
Based on a patch from Anton, and another from David.
Francisco Jerez [Wed, 25 Aug 2010 10:54:53 +0000 (12:54 +0200)]
drm/nv20: Don't use pushbuf calls on the original nv20.
The "return" command is buggy on the original nv20, it jumps back to
the caller address as expected, but it doesn't clear the subroutine
active bit making the subsequent pushbuf calls fail with a "stack"
overflow.
Mark Lord [Fri, 20 Aug 2010 14:13:16 +0000 (10:13 -0400)]
libata-sff: remove harmful BUG_ON from ata_bmdma_qc_issue
Remove harmful BUG_ON() from ata_bmdma_qc_issue(),
as it casts too wide of a net and breaks sata_mv.
It also crashes the kernel while doing the BUG_ON().
There's already a WARN_ON_ONCE() further down to catch
the case of POLLING for a BMDMA operation.
Mark Lord [Fri, 20 Aug 2010 01:40:44 +0000 (21:40 -0400)]
sata_mv: fix broken DSM/TRIM support (v2)
Fix DSM/TRIM commands in sata_mv (v2).
These need to be issued using old-school "BM DMA",
rather than via the EDMA host queue.
Since the chips don't have proper BM DMA status,
we need to be more careful with setting the ATA_DMA_INTR bit,
since DSM/TRIM often has a long delay between "DMA complete"
and "command complete".
GEN_I chips don't have BM DMA, so no TRIM for them.
Tejun Heo [Mon, 23 Aug 2010 09:27:27 +0000 (11:27 +0200)]
libata: be less of a drama queen on empty data commands
ata_qc_issue() BUG_ON()s on data commands w/o data, which may be
submitted via SG_IO. Be less of a drama queen and just trigger
WARN_ON_ONCE() and fail the command with AC_ERR_SYSTEM.
Commit d62f5576 (pata_cmd64x: fix handling of address setup timings)
incorrectly called ata_timing_compute() on UDMA mode on 0 @UT leading
to devide by zero fault. Revert it until better fix is available.
This is reported in bko#16607 by Milan Kocian who also root caused it.
Alan Cox [Wed, 25 Aug 2010 12:26:32 +0000 (13:26 +0100)]
ceph: Fix warnings
Just scrubbing some warnings so I can see real problem ones in the build
noise. For 32bit we need to coax gcc politely into believing we really
honestly intend to the casts. Using (u64)(unsigned long) means we cast from
a pointer to a type of the right size and then extend it. This stops the
warning spew.
Linus Torvalds [Wed, 25 Aug 2010 17:50:07 +0000 (10:50 -0700)]
Merge branch 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
* 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
perf, x86, Pentium4: Clear the P4_CCCR_FORCE_OVF flag
tracing/trace_stack: Fix stack trace on ppc64
* git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
Eliminate sparse warning - bad constant expression
cifs: check for NULL session password
missing changes during ntlmv2/ntlmssp auth and sign
[CIFS] Fix ntlmv2 auth with ntlmssp
cifs: correction of unicode header files
cifs: fix NULL pointer dereference in cifs_find_smb_ses
cifs: consolidate error handling in several functions
cifs: clean up error handling in cifs_mknod
Linus Torvalds [Wed, 25 Aug 2010 15:40:56 +0000 (08:40 -0700)]
Merge branch 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
* 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
x86, tsc, sched: Recompute cyc2ns_offset's during resume from sleep states
sched: Fix rq->clock synchronization when migrating tasks
Linus Torvalds [Wed, 25 Aug 2010 15:40:31 +0000 (08:40 -0700)]
Merge branch 'upstream/core' of git://git.kernel.org/pub/scm/linux/kernel/git/jeremy/xen
* 'upstream/core' of git://git.kernel.org/pub/scm/linux/kernel/git/jeremy/xen:
xen: handle events as edge-triggered
xen: use percpu interrupts for IPIs and VIRQs
Linus Torvalds [Wed, 25 Aug 2010 15:39:07 +0000 (08:39 -0700)]
Merge branch '2.6.36-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/dgc/xfsdev
* '2.6.36-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/dgc/xfsdev:
xfs: do not discard page cache data on EAGAIN
xfs: don't do memory allocation under the CIL context lock
xfs: Reduce log force overhead for delayed logging
xfs: dummy transactions should not dirty VFS state
xfs: ensure f_ffree returned by statfs() is non-negative
xfs: handle negative wbc->nr_to_write during sync writeback
writeback: write_cache_pages doesn't terminate at nr_to_write <= 0
xfs: fix untrusted inode number lookup
xfs: ensure we mark all inodes in a freed cluster XFS_ISTALE
xfs: unlock items before allowing the CIL to commit
Andreas Herrmann [Wed, 25 Aug 2010 13:42:12 +0000 (15:42 +0200)]
hwmon: (k8temp) Differentiate between AM2 and ASB1
Commit 8bf0223ed515be24de0c671eedaff49e78bebc9c (hwmon, k8temp: Fix
temperature reporting for ASB1 processor revisions) fixed temperature
reporting for ASB1 CPUs. But those CPU models (model 0x6b, 0x6f, 0x7f)
were packaged both as AM2 (desktop) and ASB1 (mobile). Thus the commit
leads to wrong temperature reporting for AM2 CPU parts.
The solution is to determine the package type for models 0x6b, 0x6f,
0x7f.
This is done using BrandId from CPUID Fn8000_0001_EBX[15:0]. See
"Constructing the processor Name String" in "Revision Guide for AMD
NPT Family 0Fh Processors" (Rev. 3.46).
Jean Delvare [Wed, 25 Aug 2010 13:42:08 +0000 (15:42 +0200)]
hwmon: (coretemp) Fix harmless build warning
Fix the following build warning:
CC [M] drivers/hwmon/coretemp.o
drivers/hwmon/coretemp.c: In function "coretemp_init":
drivers/hwmon/coretemp.c:521: warning: unused variable "n"
drivers/hwmon/coretemp.c:521: warning: unused variable "p"
Anton Blanchard [Wed, 25 Aug 2010 01:32:38 +0000 (11:32 +1000)]
tracing/trace_stack: Fix stack trace on ppc64
save_stack_trace() stores the instruction pointer, not the
function descriptor. On ppc64 the trace stack code currently
dereferences the instruction pointer and shows 8 bytes of
instructions in our backtraces:
David S. Miller [Wed, 25 Aug 2010 09:27:49 +0000 (02:27 -0700)]
tcp: Combat per-cpu skew in orphan tests.
As reported by Anton Blanchard when we use
percpu_counter_read_positive() to make our orphan socket limit checks,
the check can be off by up to num_cpus_online() * batch (which is 32
by default) which on a 128 cpu machine can be as large as the default
orphan limit itself.
Fix this by doing the full expensive sum check if the optimized check
triggers.
Sage Weil [Tue, 24 Aug 2010 15:44:16 +0000 (08:44 -0700)]
ceph: maintain i_head_snapc when any caps are dirty, not just for data
We used to use i_head_snapc to keep track of which snapc the current epoch
of dirty data was dirtied under. It is used by queue_cap_snap to set up
the cap_snap. However, since we queue cap snaps for any dirty caps, not
just for dirty file data, we need to keep a valid i_head_snapc anytime
we have dirty|flushing caps. This fixes a NULL pointer deref in
queue_cap_snap when writing back dirty caps without data (e.g.,
snaptest-authwb.sh).
Dan Carpenter [Tue, 24 Aug 2010 06:53:33 +0000 (06:53 +0000)]
pxa168_eth: fix error handling in prope
A couple issues here:
* Some resources weren't released.
* If alloc_etherdev() failed it would have caused a NULL dereference
because "pep" would be null when we checked "if (pep->clk)".
* Also it's better to propagate the error codes from mdiobus_register()
instead of just returning -ENOMEM.
Dan Carpenter [Tue, 24 Aug 2010 06:52:46 +0000 (06:52 +0000)]
pxa168_eth: remove unneeded null check
"pep->pd" isn't checked consistently in this function. For example it's
dereferenced unconditionally on the next line after the end of the if
condition. This function is only called from pxa168_eth_probe() and
pep->pd is always non-NULL so I removed the check.
Anton Vorontsov [Tue, 24 Aug 2010 21:46:12 +0000 (14:46 -0700)]
phylib: Fix race between returning phydev and calling adjust_link
It is possible that phylib will call adjust_link before returning
from {,of_}phy_connect(), which may cause the following [very rare,
though] oops upon reopening the device:
Unable to handle kernel paging request for data at address 0x0000024c
Oops: Kernel access of bad area, sig: 11 [#1]
PREEMPT SMP NR_CPUS=2 LTT NESTING LEVEL : 0
P1021 RDB
Modules linked in:
NIP: c0345dac LR: c0345dac CTR: c0345d84
TASK = dffab6b0[30] 'events/0' THREAD: c0d24000 CPU: 0
[...]
NIP [c0345dac] adjust_link+0x28/0x19c
LR [c0345dac] adjust_link+0x28/0x19c
Call Trace:
[c0d25f00] [000045e1] 0x45e1 (unreliable)
[c0d25f30] [c036c158] phy_state_machine+0x3ac/0x554
[...]
Here is why. Drivers store phydev in their private structures, e.g.
gianfar driver:
If the device has been opened before, then phydev->state is set to
PHY_HALTED (or undefined if the driver didn't call phy_stop()).
Now, phy_connect starts the PHY state machine before returning phydev to
the driver:
phy_start_machine(phydev, NULL);
if (phydev->irq > 0)
phy_start_interrupts(phydev);
return phydev;
The time between 'phy_start_machine()' and 'return phydev' is undefined.
The start machine routine delays execution for 1 second, which is enough
for most cases. But under heavy load, or if you're unlucky, it is quite
possible that PHY state machine will execute before phy_connect()
returns, and so adjust_link callback will try to dereference phydev,
which is not yet ready.
To fix the issue, simply initialize the PHY's state to PHY_READY during
phy_attach(). This will ensure that phylib won't call adjust_link before
phy_start().
Luck, Tony [Tue, 24 Aug 2010 18:44:18 +0000 (11:44 -0700)]
guard page for stacks that grow upwards
pa-risc and ia64 have stacks that grow upwards. Check that
they do not run into other mappings. By making VM_GROWSUP
0x0 on architectures that do not ever use it, we can avoid
some unpleasant #ifdefs in check_stack_guard_page().
Jesse Barnes [Tue, 24 Aug 2010 18:31:16 +0000 (11:31 -0700)]
drm/i915: fix vblank wait test condition
When converting this to the new wait_for macro I inverted the wait
condition, which causes all sorts of problems. So correct it to fix
several failures caused by the bad wait (flickering, bad output
detection, tearing, etc.).
Xen events are logically edge triggered, as Xen only calls the event
upcall when an event is newly set, but not continuously as it remains set.
As a result, use handle_edge_irq rather than handle_level_irq.
This has the important side-effect of fixing a long-standing bug of
events getting lost if:
- an event's interrupt handler is running
- the event is migrated to a different vcpu
- the event is re-triggered
The most noticable symptom of these lost events is occasional lockups
of blkfront.
Many thanks to Tom Kopec and Daniel Stodden in tracking this down.
IPIs and VIRQs are inherently per-cpu event types, so treat them as such:
- use a specific percpu irq_chip implementation, and
- handle them with handle_percpu_irq
This makes the path for delivering these interrupts more efficient
(no masking/unmasking, no locks), and it avoid problems with attempts
to migrate them.
projects / linux.git / log