Commit Graph

50019 Commits

Author SHA1 Message Date
Dan Aloni
5c15bdec5c [VLAN]: Avoid a 4-order allocation.
This patch splits the vlan_group struct into a multi-allocated struct. On
x86_64, the size of the original struct is a little more than 32KB, causing
a 4-order allocation, which is prune to problems caused by buddy-system
external fragmentation conditions.

I couldn't just use vmalloc() because vfree() cannot be called in the
softirq context of the RCU callback.

Signed-off-by: Dan Aloni <da-x@monatomic.org>
Acked-by: Jeff Garzik <jeff@garzik.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-03-02 20:44:51 -08:00
Krzysztof Halasa
b5284e5aa9 [HDLC] Fix dev->header_cache_update having a random value.
Switching HDLC devices from Ethernet-framing mode caused stale ethernet
function assignments within net_device.

Signed-off-by: Krzysztof Halasa <khc@pm.waw.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-03-02 20:37:37 -08:00
Paul Moore
c6387a8694 [NetLabel]: Verify sensitivity level has a valid CIPSO mapping
The current CIPSO engine has a problem where it does not verify that
the given sensitivity level has a valid CIPSO mapping when the "std"
CIPSO DOI type is used.  The end result is that bad packets are sent
on the wire which should have never been sent in the first place.
This patch corrects this problem by verifying the sensitivity level
mapping similar to what is done with the category mapping.  This patch
also changes the returned error code in this case to -EPERM to better
match what the category mapping verification code returns.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-03-02 20:37:36 -08:00
Florian Zumbiehl
90719dbeaf [PPPOE]: Key connections properly on local device.
It is based on the assumption that an interface's ifindex is basically
an alias for a local MAC address, so incoming packets now are matched
to sockets based on remote MAC, session id, and ifindex of the
interface the packet came in on/the socket was bound to by connect().

For relayed packets, the socket that's used for relaying is selected
based on destination MAC, session ID and the interface index of the
interface whose name currently matches the name requested by userspace
as the relaying source interface.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-03-02 20:37:35 -08:00
David S. Miller
248f06726e [AF_UNIX]: Test against sk_max_ack_backlog properly.
This brings things inline with the sk_acceptq_is_full() bug
fix.  The limit test should be x >= sk_max_ack_backlog.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-03-02 20:37:34 -08:00
Wei Dong
8488df894d [NET]: Fix bugs in "Whether sock accept queue is full" checking
when I use linux TCP socket, and find there is a bug in function
sk_acceptq_is_full().

	When a new SYN comes, TCP module first checks its validation. If valid,
send SYN,ACK to the client and add the sock to the syn hash table. Next
time if received the valid ACK for SYN,ACK from the client. server will
accept this connection and increase the sk->sk_ack_backlog -- which is
done in function tcp_check_req().We check wether acceptq is full in
function tcp_v4_syn_recv_sock().

Consider an example:

 After listen(sockfd, 1) system call, sk->sk_max_ack_backlog is set to
1. As we know, sk->sk_ack_backlog is initialized to 0. Assuming accept()
system call is not invoked now.

1. 1st connection comes. invoke sk_acceptq_is_full(). sk-
>sk_ack_backlog=0 sk->sk_max_ack_backlog=1, function return 0 accept
this connection. Increase the sk->sk_ack_backlog
2. 2nd connection comes. invoke sk_acceptq_is_full(). sk-
>sk_ack_backlog=1 sk->sk_max_ack_backlog=1, function return 0 accept
this connection. Increase the sk->sk_ack_backlog
3. 3rd connection comes. invoke sk_acceptq_is_full(). sk-
>sk_ack_backlog=2 sk->sk_max_ack_backlog=1, function return 1. Refuse
this connection.

I think it has bugs. after listen system call. sk->sk_max_ack_backlog=1
but now it can accept 2 connections.

Signed-off-by: Wei Dong <weid@np.css.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-03-02 20:37:33 -08:00
Linus Torvalds
bb648a0d22 Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev:
  libata: add CONFIG_PM to libata core layer
  libata: add missing CONFIG_PM in LLDs
  libata: add missing PM callbacks
  pata_qdi: Fix initialisation
  [libata] pata_cmd64x: fix driver description in comments
  [libata] pata_{legacy,sc1200,sl82c105}: add missing hooks
  [libata] change master/slave IDENTIFY order
  libata-core: Fix simplex handling
2007-03-02 17:58:52 -08:00
Jeff Garzik
8b453397da [netdrvr] tulip, de2104x: fix typo: s/__sparc_/__sparc__/
Noticed by Doug Nazar (via David Miller).

Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 20:21:56 -05:00
Dale Farnsworth
5ada386bad mv643xx_eth: move mac_addr inside mv643xx_eth_platform_data
The information contained within platform_data should be self-contained.
Replace the pointer to a MAC address with the actual MAC address in
struct mv643xx_eth_platform_data.

Signed-off-by: Dale Farnsworth <dale@farnsworth.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 20:16:10 -05:00
Dave Jones
471a567144 Fix mv643xx_eth compilation.
Commit 908b637fe7 removed ETH_DMA_ALIGN
but missed a usage of it in a macro, which broke the build.

Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 20:16:10 -05:00
Ron Mercer
63f779261f qla3xxx: bugfix for line omitted in previous patch.
This missing line caused transmit errors on the Qlogic 4032 chip.

Signed-off-by: Ron Mercer <ron.mercer@qlogic.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 20:16:10 -05:00
Linsys Contractor Mithlesh Thukral
e0e20a1a08 NetXen: Fix second rmmod failure observed on PowerPC machines.
Signed-off by: Mithlesh Thukral <mithlesh@netxen.com>

Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 20:02:28 -05:00
Linsys Contractor Mithlesh Thukral
0c25cfe18a NetXen: Updates, removal of unsupported features and minor bug fixes.
Signed-off-by: Mithlesh Thukral <mithlesh@netxen.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 20:02:28 -05:00
Divy Le Ray
d518725fa6 cxgb3 - Tag driver version
This patch adds a "-ko" tag to the driver version.

Signed-off-by: Divy Le Ray <divy@chelsio.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 19:55:07 -05:00
Brice Goglin
4a2e612a3b myri10ge: fix copyright and license
Fix copyright and license ("regents" should not have ever been used).

Signed-off-by: Brice Goglin <brice@myri.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 19:55:07 -05:00
Ralf Baechle
c8d64f8a05 jmr3927: do not call tc35815_killall().
No need to stop tc35815 before resetting the board.  This fixes the
build of tc35815 as a module.  This also means there is no caller of
tc35815_killall left, so remove that function also.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 19:55:07 -05:00
Jeff Garzik
db7ce76f6b Merge branch 'upstream-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 into upstream-fixes 2007-03-02 19:40:24 -05:00
Tejun Heo
6ffa01d88c libata: add CONFIG_PM to libata core layer
Conditionalize all PM related stuff in libata core layer using
CONFIG_PM.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 18:30:35 -05:00
Tejun Heo
438ac6d5e3 libata: add missing CONFIG_PM in LLDs
Add missing #ifdef CONFIG_PM conditionals around all PM related parts
in libata LLDs.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 18:30:35 -05:00
Tejun Heo
b23ff24436 libata: add missing PM callbacks
Some LLDs were missing scsi device PM callbacks while having host/port
suspend support.  Add missing ones.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 18:27:34 -05:00
David S. Miller
43ecf5295b [AOE]: Add get_unaligned() calls where needed.
Based upon a report by Andrew Walrond.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-03-02 15:22:55 -08:00
David S. Miller
7ab876703d [RADEON]: Fix blanking return value.
If you'll recall, over a year ago, I pointed out that the current
Radeon driver erroneously returns -EINVAL for valid blanking codes,
here is a link to that thread:

	http://lkml.org/lkml/2006/1/28/6

No other driver does this, and it confuses the X server into thinking
that the device does not support blanking properly.

I looked again and there is simply no reason for the Radeon driver to
return -EINVAL for FB_BLANK_NORMAL.  It claims it wants to do this in
order to convince fbcon to blank in software, right here:

			if (fb_blank(info, blank))
				fbcon_generic_blank(vc, info, blank);

to software blank the screen.  But it only causes that to happen
in the FB_BLANK_NORMAL case.

That makes no sense because the Radeon code does this:

		val |= CRTC_DISPLAY_DIS;

in the FB_BLANK_NORMAL case so should be blanking the hardware, and
there is therefore no reason to SW blank by returning -EINVAL.

Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Antonino Daplas <adaplas@gmail.com>
2007-03-02 15:22:54 -08:00
David S. Miller
c4c31fe0e2 [SPARC]: Provide 'get_property()' alias for of_get_property().
Another powerpc compatibility item, this will allow us to share
more code with them.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-03-02 15:22:53 -08:00
David S. Miller
f6d0f9ea55 [SPARC]: Provide pci_device_to_OF_node() just like powerpc.
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-03-02 15:22:51 -08:00
David S. Miller
45bcca67ed [SPARC]: Handle unresolvable resources better in of_device.c
Just leave them as zero if we couldn't calculate it.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-03-02 15:22:50 -08:00
David S. Miller
b85cdd490a [SPARC]: Fix bus handling in build_device_resources().
We mistakedly modify 'bus' in the innermost loop.  What
should happen is that at each register index iteration,
we start with the same 'bus'.

So preserve it's value at the top level, and use a loop
local variable 'dbus' for iteration.

This bug causes registers other than the first to be
decoded improperly.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-03-02 15:22:49 -08:00
Alan Cox
cc7c15ec16 pata_qdi: Fix initialisation
The QDI init code contains some bugs which mean it only works if you have
a test setup that causes both a successful and failed probe. Fix this

Found by Philip Guo

(Who found it working on code analysis tools not running VLB IDE
controllers)

Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 18:18:38 -05:00
Jeff Garzik
fb9f8905a8 [libata] pata_cmd64x: fix driver description in comments
Trivial comment fix, taken out of a larger Alan Cox patch.

Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 18:17:22 -05:00
Jeff Garzik
bf7551c441 [libata] pata_{legacy,sc1200,sl82c105}: add missing hooks
Alan Cox noticed several hooks in pata_* drivers were missing, when
he authored his ->cable_detect hook patches.  This patch extracts
just those fixes from Alan's patches, adding the necessary hooks
(usually ->freeze, ->thaw, and ->post_internal_cmd) to the drivers.

Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 18:09:05 -05:00
Jeff Garzik
f31f0cc2f0 [libata] change master/slave IDENTIFY order
2.6.21-rc has horrible problems with libata and PATA cable types (and
thus speeds). This occurs because Tejun fixed a pile of other bugs and
we now do cable detect enforcement for drive side detection properly.

Unfortunately we don't do the process around cable detection right. Tejun
identified the problem and pointed to the right Annex in the spec, this patch
implements the needed changes.

The basic requirement is that we have to identify the slave before the
master.

The patch switches the identify order so that we can do the drive side
detection correctly.

[NOTE: patch and description extracted from a larger work written
and signed-off-by Alan Cox]

Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 17:47:28 -05:00
Alan
032af1ce16 libata-core: Fix simplex handling
The initial simplex handling code is fooled if you suspend and resume.
This also causes problems with some single channel controllers which
claim to be simplex.

The fix is fairly simple, instead of keeping a flag to remember if we
gave away the simplex channel we remember the actual owner. As the owner
is always part of the host_set we don't even need a refcount.

Knowing the owner also means we can reassign simplex DMA channels in
future hotplug code etc if we need to

Signed-off-by: Alan Cox <alan@redhat.com>
(and a signed-off for the patch I sent before while I remember)
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-02 17:42:48 -05:00
Linus Torvalds
562aa1d4c6 Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev:
  ahci: improve spurious SDB FIS handling
  ahci/pata_jmicron: match class not function number
  jmicron ATA: reimplement jmicron ATA quirk
  pata_jmicron: drop unnecessary device programming in [re]init
  libata: blacklist FUJITSU MHT2060BH for NCQ
  sata_sil24: kill unused local variable idx in sil24_fill_sg()
  libata: clear drvdata in ata_host_release(), take#2
2007-03-01 19:48:21 -08:00
Linus Torvalds
b4350861dd Merge branch 'for-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jikos/hid
* 'for-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jikos/hid:
  HID: fix Logitech DiNovo Edge touchwheel and Logic3 /SpectraVideo middle button
  HID: add git tree information to MAINTAINERS
  HID: fix broken Logitech S510 keyboard report descriptor; make extra keys work
  HID: fix possible double-free on error path in hid parser
  HID: hid-debug.c should #include <linux/hid-debug.h>
  HID: fix bug in zeroing the last field byte in output reports
  USB HID: use CONFIG_HID_DEBUG for outputting report descriptor
  USB HID: Fix USB vendor and product IDs endianness for USB HID devices
2007-03-01 17:30:51 -08:00
Linus Torvalds
132a69c6cc Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6
* master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6:
  [SPARC64]: Fix parport_pc build.
  [SPARC64]: Update defconfig.
2007-03-01 17:28:31 -08:00
Linus Torvalds
fb7d404566 Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
  [TCP]: Fix minisock tcp_create_openreq_child() typo.
  [TCP]: Document several sysctls.
  [NET]: Fix kfree(skb)
  [NET]: Handle disabled preemption in gfp_any()
  [BRIDGE]: Fix locking of set path cost.
  [IPV6]: /proc/net/anycast6 unbalanced inet6_dev refcnt
  [IPX]: Remove ancient changelog
  [IPX]: Remove outdated information from Kconfig
  [NET]: Revert socket.h/stat.h ifdef hacks.
  [IPV6]: anycast refcnt fix
  [XFRM] xfrm_user: Fix return values of xfrm_add_sa_expire.
2007-03-01 17:27:01 -08:00
Linus Torvalds
100b425480 Merge master.kernel.org:/pub/scm/linux/kernel/git/mchehab/v4l-dvb
* master.kernel.org:/pub/scm/linux/kernel/git/mchehab/v4l-dvb:
  V4L/DVB (5305): Mark VIDIOC_DBG_S/G_REGISTER as experimental
  V4L/DVB (5271): Add VIDIOC_TRY_ENCODER_CMD and VIDIOC_ENCODER_CMD ioctls.
  V4L/DVB (5270): Add VIDIOC_G_ENC_INDEX ioctl
  V4L/DVB (5276): Cxusb: fix firmware patch for big endian systems
  V4L/DVB (5258): Cafe_ccic: fix compiler warning
  V4L/DVB (5295): Digitv: open nxt6000 i2c_gate for TDED4 tuner handling
  V4L/DVB (5304): Improve chip matching in v4l2_register
  V4L/DVB (5255): Fix cx25840 firmware loading.
2007-03-01 17:25:23 -08:00
Ralf Baechle
d701d8a3bc [PATCH] Fix sysfs build breakage if !CONFIG_SYSFS
B0rkage introduced by dfa87c824a.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-03-01 17:22:04 -08:00
Tejun Heo
afb2d552bc ahci: improve spurious SDB FIS handling
Spurious SDB FIS during NCQ might not contain spurious completions.
It could be spurious TF update or invalid async notification.  Treat
as HSM violation iff a spurious SDB FIS contains spurious completions;
otherwise, just whine once about it.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-01 20:19:45 -05:00
Tejun Heo
e34bb370de ahci/pata_jmicron: match class not function number
Make jmiron_ata quirk update pdev->class after programming the device
and update ahci and pata_jmicron such that they match class code
instead of checking function number manually.  For ahci, it matches
for vendor and class.  For pata_jmicron, it matches vendor, device and
class as IDE class isn't as well defined as AHCI class.

This makes jmicron device matching more conventional and script
friendly.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-01 20:19:45 -05:00
Tejun Heo
5ee2ae7fb2 jmicron ATA: reimplement jmicron ATA quirk
Reimplement jmicron ATA quirk.

* renamed to quirk_jmicron_ata()
* quirk is invoked only for the affected controllers
* programming is stricter.  e.g. conf5 bit24 is cleared if
  unnecessary.
* code factored for readability
* JMB360 and JMB368 are programmed into proper mode

Verified on JMB360, 363 and 368.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-01 20:19:45 -05:00
Tejun Heo
960627b7ad pata_jmicron: drop unnecessary device programming in [re]init
Channel redirect and AHCI mode enable programmings are done via PCI
quirk for both probe and resume paths.  Drop duplicate and possibly
unsafe device programming from pata_jmicron().

Signed-off-by: Tejun Heo <htejun@gmail.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-01 20:19:45 -05:00
Adam Litke
516dffdcd8 [PATCH] Fix get_unmapped_area and fsync for hugetlb shm segments
This patch provides the following hugetlb-related fixes to the recent stacked
shm files changes:
 - Update is_file_hugepages() so it will reconize hugetlb shm segments.
 - get_unmapped_area must be called with the nested file struct to handle
   the sfd->file->f_ops->get_unmapped_area == NULL case.
 - The fsync f_op must be wrapped since it is specified in the hugetlbfs
   f_ops.

This is based on proposed fixes from Eric Biederman that were debugged and
tested by me.  Without it, attempting to use hugetlb shared memory segments
on powerpc (and likely ia64) will kill your box.

Signed-off-by: Adam Litke <agl@us.ibm.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Acked-by: William Irwin <bill.irwin@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-03-01 17:18:39 -08:00
Tejun Heo
09125ea617 libata: blacklist FUJITSU MHT2060BH for NCQ
Blacklist FUJITSU MHT2060BH for NCQ.  On this drive, NCQ works iff
queue depth is equal to or less than 4.  Just turn it off.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Mike Accetta <maccetta@laurelnetworks.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-01 20:16:29 -05:00
Tejun Heo
4fc00cb4d5 sata_sil24: kill unused local variable idx in sil24_fill_sg()
Kill unused local variable idx in sil24_fill_sg().

Spotted by Jeff Garzik.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-01 20:16:29 -05:00
Tejun Heo
1aa56cca5b libata: clear drvdata in ata_host_release(), take#2
Clearing drvdata in ->remove_one causes NULL pointer deference.  Clear
drvdata only in ata_host_release() after all resources are freed.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-03-01 20:16:28 -05:00
Trond Myklebust
7b965e0884 [PATCH] VM: invalidate_inode_pages2_range() should not exit early
Fix invalidate_inode_pages2_range() so that it does not immediately exit
just because a single page in the specified range could not be removed.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-03-01 14:53:39 -08:00
Aristeu Sergio Rozanski Filho
5a39e8c6d6 [PATCH] tty_io: fix race in master pty close/slave pty close path
This patch fixes a possible race that leads to double freeing an idr index.
 When the master begin to close, release_dev() is called and then
pty_close() is called:

        if (tty->driver->close)
                tty->driver->close(tty, filp);

This is done without helding any locks other than BKL.  Inside pty_close(),
being a master close, the devpts entry will be removed:

#ifdef CONFIG_UNIX98_PTYS
                if (tty->driver == ptm_driver)
                        devpts_pty_kill(tty->index);
#endif

But devpts_pty_kill() will call get_node() that may sleep while waiting for
&devpts_root->d_inode->i_sem.  When this happens and the slave is being
opened, tty_open() just found the driver and index:

        driver = get_tty_driver(device, &index);
        if (!driver) {
                mutex_unlock(&tty_mutex);
                return -ENODEV;
        }

This part of the code is already protected under tty_mute.  The problem is
that the slave close already got an index.  Then init_dev() is called and
blocks waiting for the same &devpts_root->d_inode->i_sem.

When the master close resumes, it removes the devpts entry, and the
relation between idr index and the tty is gone.  The master then sleeps
waiting for the tty_mutex on release_dev().

Slave open resumes and found no tty for that index.  As result, a NULL tty
is returned and init_dev() doesn't flow to fast_track:

        /* check whether we're reopening an existing tty */
        if (driver->flags & TTY_DRIVER_DEVPTS_MEM) {
                tty = devpts_get_tty(idx);
                if (tty && driver->subtype == PTY_TYPE_MASTER)
                        tty = tty->link;
        } else {
                tty = driver->ttys[idx];
        }
        if (tty) goto fast_track;

The result of this, is that a new tty will be created and init_dev() returns
sucessfull. After returning, tty_mutex is dropped and master close may resume.

Master close finds it's the only use and both sides are closing, then releases
the tty and the index. At this point, the idr index is free, but slave still
has it.

Slave open then calls pty_open() and finds that tty->link->count is 0,
because there's no master and returns error.  Then tty_open() calls
release_dev() which executes without any warning, as it was a case of last
slave close when the master is already closed (master->count == 0,
slave->count == 1).  The tty is then released with the already released idr
index.

This normally would only issue a warning on idr_remove() but in case of a
customer's critical application, it's never too simple:

thread1: opens master, gets index X
thread1: begin closing master
thread2: begin opening slave with index X
thread1: finishes closing master, index X released
thread3: opens master, gets index X, just released
thread2: fails opening slave, releases index X         <----
thread4: opens master, gets index X, init_dev() then find an already in use
	 and healthy tty and fails

If no more indexes are released, ptmx_open() will keep failing, as the
first free index available is X, and it will make init_dev() fail because
you're trying to "reopen a master" which isn't valid.

The patch notices when this race happens and make init_dev() fail
imediately.  The init_dev() function is called with tty_mutex held, so it's
safe to continue with tty till the end of function because release_dev()
won't make any further changes without grabbing the tty_mutex.

Without the patch, on some machines it's possible get easily idr warnings
like this one:

idr_remove called for id=15 which is not allocated.
 [<c02555b9>] idr_remove+0x139/0x170
 [<c02a1b62>] release_mem+0x182/0x230
 [<c02a28e7>] release_dev+0x4b7/0x700
 [<c02a0ea7>] tty_ldisc_enable+0x27/0x30
 [<c02a1e64>] init_dev+0x254/0x580
 [<c02a0d64>] check_tty_count+0x14/0xb0
 [<c02a4f05>] tty_open+0x1c5/0x340
 [<c02a4d40>] tty_open+0x0/0x340
 [<c017388f>] chrdev_open+0xaf/0x180
 [<c017c2ac>] open_namei+0x8c/0x760
 [<c01737e0>] chrdev_open+0x0/0x180
 [<c0167bc9>] __dentry_open+0xc9/0x210
 [<c0167e2c>] do_filp_open+0x5c/0x70
 [<c0167a91>] get_unused_fd+0x61/0xd0
 [<c0167e93>] do_sys_open+0x53/0x100
 [<c0167f97>] sys_open+0x27/0x30
 [<c010303b>] syscall_call+0x7/0xb

using this test application available on:
 http://www.ruivo.org/~aris/pty_sodomizer.c

Signed-off-by: Aristeu Sergio Rozanski Filho <aris@ruivo.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-03-01 14:53:39 -08:00
Yoichi Yuasa
3a0ee2ce8c [PATCH] fix memory leak in dma_declare_coherent_memory()
When it goes to free1_out, dev->dma_mem has not been freed.

Signed-off-by: Yoichi Yuasa <yoichi_yuasa@tripeaks.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-03-01 14:53:39 -08:00
Karsten Keil
17f0cd2f35 [PATCH] Fix buffer overflow and races in capi debug functions
The CAPI trace debug functions were using a fixed size buffer, which can be
overflowed if wrong formatted CAPI messages were sent to the kernel capi
layer.  The code was also not protected against multiple callers.  This fix
bug 8028.

Additionally the patch make the CAPI trace functions optional.

Signed-off-by: Karsten Keil <kkeil@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-03-01 14:53:39 -08:00
Oleg Nesterov
34bbd70405 [PATCH] adapt page_lock_anon_vma() to PREEMPT_RCU
page_lock_anon_vma() uses spin_lock() to block RCU.  This doesn't work with
PREEMPT_RCU, we have to do rcu_read_lock() explicitely.  Otherwise, it is
theoretically possible that slab returns anon_vma's memory to the system
before we do spin_unlock(&anon_vma->lock).

[ Hugh points out that this only matters for PREEMPT_RCU, which isn't merged
  yet, and may never be.  Regardless, this patch is conceptually the
  right thing to do, even if it doesn't matter at this point.  - Linus ]

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
Cc: Nick Piggin <nickpiggin@yahoo.com.au>
Cc: Christoph Lameter <clameter@engr.sgi.com>
Acked-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-03-01 14:53:39 -08:00