Commit Graph

234170 Commits

Author SHA1 Message Date
Axel Lin
2ec38a0359 drivers/rtc/rtc-s3c.c: fix prototype for s3c_rtc_setaie()
Fix s3c_rtc_setaie() prototype to eliminate the following compile
warning:

  drivers/rtc/rtc-s3c.c:383: warning: initialization from incompatible pointer type

(akpm: the rtc_class_ops.alarm_irq_enable() handler is being passed two
arguments where it expects just one, presumably with undesired effects)

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: Ben Dooks <ben-linux@fluff.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-03-04 17:53:38 -08:00
Linus Torvalds
212e3499b2 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/vapier/blackfin
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/vapier/blackfin:
  Blackfin: iflush: update anomaly 05000491 workaround
  Blackfin: outs[lwb]: make sure count is greater than 0
2011-03-04 17:31:43 -08:00
Linus Torvalds
971a967bce Merge branch 'rmobile-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6
* 'rmobile-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  ARM: mach-shmobile: mackerel: modify LCDC clock divider value
  ARM: mach-shmobile: ap4evb: modify LCDC clock divider value
  ARM: mach-shmobile: mackerel: fixup memory initialize for zboot
  ARM: mach-shmobile: ap4evb: fixup memory initialize for zboot
  ARM: mach-shmobile: Add sh73a0 MIPI-CSI and CEU clocks
  ARM: mach-shmobile: AG5EVM MIPI-DSI LCD reset delay fix
2011-03-04 17:31:19 -08:00
Linus Torvalds
f0678f3237 Merge branch 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6
* 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  sh: Change __nosave_XXX symbols to long
  sh: Flush executable pages in copy_user_highpage
  sh: Ensure ST40-300 BogoMIPS value is consistent
  sh: sh7750: Fix incompatible pointer type
  sh: sh7750: move machtypes.h to include/generated
2011-03-04 17:31:01 -08:00
Linus Torvalds
be91bfebf2 Merge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6
* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/nouveau: allocate kernel's notifier object at end of block
2011-03-04 17:30:32 -08:00
Neil Horman
e9e3d724e2 nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab (v3)
The "bad_page()" page allocator sanity check was reported recently (call
chain as follows):

  bad_page+0x69/0x91
  free_hot_cold_page+0x81/0x144
  skb_release_data+0x5f/0x98
  __kfree_skb+0x11/0x1a
  tcp_ack+0x6a3/0x1868
  tcp_rcv_established+0x7a6/0x8b9
  tcp_v4_do_rcv+0x2a/0x2fa
  tcp_v4_rcv+0x9a2/0x9f6
  do_timer+0x2df/0x52c
  ip_local_deliver+0x19d/0x263
  ip_rcv+0x539/0x57c
  netif_receive_skb+0x470/0x49f
  :virtio_net:virtnet_poll+0x46b/0x5c5
  net_rx_action+0xac/0x1b3
  __do_softirq+0x89/0x133
  call_softirq+0x1c/0x28
  do_softirq+0x2c/0x7d
  do_IRQ+0xec/0xf5
  default_idle+0x0/0x50
  ret_from_intr+0x0/0xa
  default_idle+0x29/0x50
  cpu_idle+0x95/0xb8
  start_kernel+0x220/0x225
  _sinittext+0x22f/0x236

It occurs because an skb with a fraglist was freed from the tcp
retransmit queue when it was acked, but a page on that fraglist had
PG_Slab set (indicating it was allocated from the Slab allocator (which
means the free path above can't safely free it via put_page.

We tracked this back to an nfsv4 setacl operation, in which the nfs code
attempted to fill convert the passed in buffer to an array of pages in
__nfs4_proc_set_acl, which gets used by the skb->frags list in
xs_sendpages.  __nfs4_proc_set_acl just converts each page in the buffer
to a page struct via virt_to_page, but the vfs allocates the buffer via
kmalloc, meaning the PG_slab bit is set.  We can't create a buffer with
kmalloc and free it later in the tcp ack path with put_page, so we need
to either:

1) ensure that when we create the list of pages, no page struct has
   PG_Slab set

 or

2) not use a page list to send this data

Given that these buffers can be multiple pages and arbitrarily sized, I
think (1) is the right way to go.  I've written the below patch to
allocate a page from the buddy allocator directly and copy the data over
to it.  This ensures that we have a put_page free-able page for every
entry that winds up on an skb frag list, so it can be safely freed when
the frame is acked.  We do a put page on each entry after the
rpc_call_sync call so as to drop our own reference count to the page,
leaving only the ref count taken by tcp_sendpages.  This way the data
will be properly freed when the ack comes in

Successfully tested by myself to solve the above oops.

Note, as this is the result of a setacl operation that exceeded a page
of data, I think this amounts to a local DOS triggerable by an
uprivlidged user, so I'm CCing security on this as well.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Trond Myklebust <Trond.Myklebust@netapp.com>
CC: security@kernel.org
CC: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-03-04 17:28:52 -08:00
Sage Weil
455cec0abf ceph: no .snap inside of snapped namespace
Otherwise you can do things like

# mkdir .snap/foo
# cd .snap/foo/.snap
# ls
<badness>

Signed-off-by: Sage Weil <sage@newdream.net>
2011-03-04 12:25:09 -08:00
Sage Weil
e00de341fd libceph: fix msgr standby handling
The standby logic used to be pretty dependent on the work requeueing
behavior that changed when we switched to WQ_NON_REENTRANT.  It was also
very fragile.

Restructure things so that:
 - We clear WRITE_PENDING when we set STANDBY.  This ensures we will
   requeue work when we wake up later.
 - con_work backs off if STANDBY is set.  There is nothing to do if we are
   in standby.
 - clear_standby() helper is called by both con_send() and con_keepalive(),
   the two actions that can wake us up again.  Move the connect_seq++
   logic here.

Signed-off-by: Sage Weil <sage@newdream.net>
2011-03-04 12:25:05 -08:00
Sage Weil
e76661d0a5 libceph: fix msgr keepalive flag
There was some broken keepalive code using a dead variable.  Shift to using
the proper bit flag.

Signed-off-by: Sage Weil <sage@newdream.net>
2011-03-04 12:24:31 -08:00
Sage Weil
60bf8bf881 libceph: fix msgr backoff
With commit f363e45f we replaced a bunch of hacky workqueue mutual
exclusion logic with the WQ_NON_REENTRANT flag.  One pieces of fallout is
that the exponential backoff breaks in certain cases:

 * con_work attempts to connect.
 * we get an immediate failure, and the socket state change handler queues
   immediate work.
 * con_work calls con_fault, we decide to back off, but can't queue delayed
   work.

In this case, we add a BACKOFF bit to make con_work reschedule delayed work
next time it runs (which should be immediately).

Signed-off-by: Sage Weil <sage@newdream.net>
2011-03-04 12:24:28 -08:00
Dave Kleikamp
3256f80fbb MAINTAINERS: Update shaggy's email address
Signed-off-by: Dave Kleikamp <shaggy@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-03-04 10:44:06 -08:00
Al Viro
1858efd471 minimal fix for do_filp_open() race
failure exits on the no-O_CREAT side of do_filp_open() merge with
those of O_CREAT one; unfortunately, if do_path_lookup() returns
-ESTALE, we'll get out_filp:, notice that we are about to return
-ESTALE without having trying to create the sucker with LOOKUP_REVAL
and jump right into the O_CREAT side of code.  And proceed to try
and create a file.  Usually that'll fail with -ESTALE again, but
we can race and get that attempt of pathname resolution to succeed.

open() without O_CREAT really shouldn't end up creating files, races
or not.  The real fix is to rearchitect the whole do_filp_open(),
but for now splitting the failure exits will do.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-03-04 13:14:21 -05:00
Linus Torvalds
e3e89cc535 Mark ptrace_{traceme,attach,detach} static
They are only used inside kernel/ptrace.c, and have been for a long
time.  We don't want to go back to the bad-old-days when architectures
did things on their own, so make them static and private.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-03-04 09:23:30 -08:00
Yinghai Lu
3b28cf32cc x86, numa: Fix numa_emulation code with memory-less node0
This crash happens on a system that does not have RAM on node0.

When numa_emulation is compiled in, and:

 1. we boot the system without numa=fake...
 2. or we boot the system with numa=fake=128 to make emulation fail

we will get:

[    0.076025] ------------[ cut here ]------------
[    0.080004] kernel BUG at arch/x86/mm/numa_64.c:788!
[    0.080004] invalid opcode: 0000 [#1] SMP
[...]

need to use early_cpu_to_node() directly, because cpu_to_apicid
and apicid_to_node will return node0 that is not onlined.

Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Acked-by: Tejun Heo <tj@kernel.org>
Cc: David Rientjes <rientjes@google.com>
LKML-Reference: <4D6ECF72.5010308@kernel.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2011-03-04 15:20:19 +01:00
Balbir Singh
0c3b916801 sched: Fix sched rt group scheduling when hierachy is enabled
The current sched rt code is broken when it comes to hierarchical
scheduling, this patch fixes two problems

1. It adds redundant enqueuing (harmless) when it finds a queue
   has tasks enqueued, but it has no run time and it is not
   throttled.

2. The most important change is in sched_rt_rq_enqueue/dequeue.
   The code just picks the rt_rq belonging to the current cpu
   on which the period timer runs, the patch fixes it, so that
   the correct rt_se is enqueued/dequeued.

Tested with a simple hierarchy

/c/d, c and d assigned similar runtimes of 50,000 and a while
1 loop runs within "d". Both c and d get throttled, without
the patch, the task just stops running and never runs (depends
on where the sched_rt b/w timer runs). With the patch, the
task is throttled and runs as expected.

[ bharata, suggestions on how to pick the rt_se belong to the
  rt_rq and correct cpu ]

Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: stable@kernel.org
LKML-Reference: <20110303113435.GA2868@balbir.in.ibm.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2011-03-04 11:03:18 +01:00
Mark Brown
18b52ca5d0 ARM: S3C64XX: Update regulator names for debugfs compatiblity on SMDK6410
The debugfs support added to the regulator API (which has been merged
in during this merge window) creates directories for regulators named
after the display names for the regulators so replace / as a separator
for multiple supplies with + in the SMDK6410 machine.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
2011-03-04 15:46:27 +09:00
Mark Brown
628e7eb5a7 ARM: S3C64XX: Fix build with WM1190 disabled and WM1192 enabled on SMDK6410
Avoid relying on implicit inclusion of machine.h

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
2011-03-04 15:46:27 +09:00
Ben Dooks
0025283032 ARM: S3C64XX: Reduce output of s3c64xx_dma_init1()
Reduce the logging output of s3c64xx_dma_init1() as it is not useful
for normal bootup (and we get an overall indication of the registration
of the PL180 DMA block).

This removes the following output from the log:

s3c64xx_dma_init1: registering DMA 0 (e0808100)
s3c64xx_dma_init1: registering DMA 1 (e0808120)
s3c64xx_dma_init1: registering DMA 2 (e0808140)
s3c64xx_dma_init1: registering DMA 3 (e0808160)
s3c64xx_dma_init1: registering DMA 4 (e0808180)
s3c64xx_dma_init1: registering DMA 5 (e08081a0)
s3c64xx_dma_init1: registering DMA 6 (e08081c0)
s3c64xx_dma_init1: registering DMA 7 (e08081e0)

Signed-off-by: Ben Dooks <ben-linux@fluff.org>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
2011-03-04 15:46:27 +09:00
Mark Brown
ac1e10bed1 ARM: S3C64XX: Tone down SDHCI debugging
The MMC core calls s3c6400_setup_sdhcp_cfg_card() very frequently, causing
the log message in there at KERN_INFO to be displayed a lot which is slow
and overly chatty. Convert the message into a pr_debug() to tone this down.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
2011-03-04 15:46:27 +09:00
Ben Dooks
400b11a784 ARM: S3C64XX: Add clock for i2c1
The clock for i2c1 has been missing for a while, add it to the list of
clocks for the system and ensure it is initialised at startup.

Signed-off-by: Ben Dooks <ben-linux@fluff.org>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
2011-03-04 15:46:26 +09:00
Mark Brown
82e985eb69 ARM: S3C64XX: Staticise non-exported GPIO to interrupt functions
No need to put these in the global namespace and sparse gets upset.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
2011-03-04 15:46:26 +09:00
Mark Brown
13c608d244 ARM: SAMSUNG: Include devs.h in dev-uart.c to prototype devices
Ensures that the declaration agrees with the definition and makes sparse
happy.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
2011-03-04 15:46:26 +09:00
Ben Dooks
b3f639c4fe ARM: S3C64XX: Fix keypad setup to configure correct number of rows
The call to s3c_gpio_cfgrange_nopull() takes a size and base
but this looks like it is trying to do base and end. This means
it is configuring too many GPIOs and on the case of the Cragganmore
means we're seeing an overflow of the ROW pins causing problems
with the keyboard driver.

Signed-off-by: Ben Dooks <ben-linux@fluff.org>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
2011-03-04 15:46:26 +09:00
Lars-Peter Clausen
6a53048dde ARM: S3C2440: Fix usage gpio bank j pin definitions on GTA02
The gta02 header file still uses the old S3C2410_GPJx defines instead of the
S3C2410_GPJ(x) macro. Since the S3C2410_GPJx defines have already been removed
this causes the following build failure:

	sound/soc/samsung/neo1973_wm8753.c: In function 'lm4853_set_spk':
	sound/soc/samsung/neo1973_wm8753.c:259: error: 'S3C2440_GPJ2' undeclared (first use in this function)
	sound/soc/samsung/neo1973_wm8753.c:259: error: (Each undeclared identifier is reported only once
	sound/soc/samsung/neo1973_wm8753.c:259: error: for each function it appears in.)
	sound/soc/samsung/neo1973_wm8753.c: In function 'lm4853_get_spk':
	sound/soc/samsung/neo1973_wm8753.c:267: error: 'S3C2440_GPJ2' undeclared (first use in this function)
	sound/soc/samsung/neo1973_wm8753.c: In function 'lm4853_event':
	sound/soc/samsung/neo1973_wm8753.c:276: error: 'S3C2440_GPJ1' undeclared (first use in this function)
	sound/soc/samsung/neo1973_wm8753.c: At top level:
	sound/soc/samsung/neo1973_wm8753.c:439: error: 'S3C2440_GPJ2' undeclared here (not in a function)
	sound/soc/samsung/neo1973_wm8753.c:440: error: 'S3C2440_GPJ1' undeclared here (not in a function)

This patches fixes the issue by doing a s,S3C2410_GPJ([\d]+),S3C2410_GPJ(\1),g
on the file.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
2011-03-04 15:46:26 +09:00
Banajit Goswami
f33f314961 ARM: S5P64X0: Fix number of GPIO lines in Bank F
This patch modifies the number of total GPIO lines for Bank F
for Samsung S5P6440 and S5P6450 SoCs from 2 to 16.
This is necessary as the GPIO lines from 0 to 13 are reserved
and only lines 14 and 15 are used. As during initialization,
the line number starts at 0, putting 2 does not solve the
intended purpose.

Signed-off-by: Banajit Goswami <banajit.g@samsung.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
2011-03-04 15:46:26 +09:00
Lars-Peter Clausen
8c00ae98d1 ARM: S3C2440: Select missing S3C_DEV_USB_HOST on GTA02
The gta02 mach file references the ohci device.
So we need to select S3C_DEV_USB_HOST to have the device available.

This fixes the following linker errors:
	arch/arm/mach-s3c2440/built-in.o: In function 'gta02_machine_init':
	mach-gta02.c:(.init.text+0x370): undefined reference to 's3c_ohci_set_platdata'
	arch/arm/mach-s3c2440/built-in.o:(.init.data+0xac): undefined reference to 's3c_device_ohci'

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
2011-03-04 15:46:26 +09:00
Mike Frysinger
be1229b4c5 Blackfin: iflush: update anomaly 05000491 workaround
Recent feedback from design says we need three NOPs in the hardware loop.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2011-03-04 01:27:01 -05:00
Mike Frysinger
bb7b11290a Blackfin: outs[lwb]: make sure count is greater than 0
Some devices will use the outs* funcs with a length of zero, so make sure
we do not write any data in that case.

Reported-by: Gilbert Inho <gneny@edevice.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2011-03-04 01:26:55 -05:00
Kuninori Morimoto
2c34e939f9 ARM: mach-shmobile: mackerel: modify LCDC clock divider value
mackerel WVGA LCDC panel expect 33.3MHz for dot-clock,
but current dot-clock was 50.0MHz.
This patch modify clock divider value.

Signed-off-by: Makoto Ueda <makoto.ueda.ub@renesas.com>
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
2011-03-04 15:01:29 +09:00
Kuninori Morimoto
f60cb470ea ARM: mach-shmobile: ap4evb: modify LCDC clock divider value
ap4evb WVGA LCDC panel expect 33.3MHz for dot-clock,
but current dot-clock was 50.0MHz.
This patch modify clock divider value.

Signed-off-by: Makoto Ueda <makoto.ueda.ub@renesas.com>
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
2011-03-04 15:01:13 +09:00
Ben Skeggs
73412c3854 drm/nouveau: allocate kernel's notifier object at end of block
The nv30/nv40 3d driver is about to start using DMA_FENCE from the 3D
object which, it turns out, doesn't like its DMA object to not be
aligned to a 4KiB boundary.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2011-03-04 11:07:19 +10:00
Linus Torvalds
b65a0e0c84 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
  DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
2011-03-03 15:48:01 -08:00
Linus Torvalds
4438a02fc4 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (42 commits)
  MAINTAINERS: Add Andy Gospodarek as co-maintainer.
  r8169: disable ASPM
  RxRPC: Fix v1 keys
  AF_RXRPC: Handle receiving ACKALL packets
  cnic: Fix lost interrupt on bnx2x
  cnic: Prevent status block race conditions with hardware
  net: dcbnl: check correct ops in dcbnl_ieee_set()
  e1000e: disable broken PHY wakeup for ICH10 LOMs, use MAC wakeup instead
  igb: fix sparse warning
  e1000: fix sparse warning
  netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values
  dccp: fix oops on Reset after close
  ipvs: fix dst_lock locking on dest update
  davinci_emac: Add Carrier Link OK check in Davinci RX Handler
  bnx2x: update driver version to 1.62.00-6
  bnx2x: properly calculate lro_mss
  bnx2x: perform statistics "action" before state transition.
  bnx2x: properly configure coefficients for MinBW algorithm (NPAR mode).
  bnx2x: Fix ethtool -t link test for MF (non-pmf) devices.
  bnx2x: Fix nvram test for single port devices.
  ...
2011-03-03 15:43:15 -08:00
Linus Torvalds
fb4b10ab5f Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block
* 'for-linus' of git://git.kernel.dk/linux-2.6-block:
  block: kill loop_mutex
  blktrace: Remove blk_fill_rwbs_rq.
  block: blk-flush shouldn't call directly into q->request_fn() __blk_run_queue()
  block: add @force_kblockd to __blk_run_queue()
  block: fix kernel-doc format for blkdev_issue_zeroout
  blk-throttle: Do not use kblockd workqueue for throtl work
2011-03-03 15:42:35 -08:00
Linus Torvalds
8336026942 Merge branch 'i_nlink' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6
* 'i_nlink' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
  hfs: fix rename() over non-empty directory
  udf: fix i_nlink limit
  fix reiserfs mkdir() breakage
  exofs: i_nlink races in rename()
  nilfs2: i_nlink races in rename()
  minix: i_nlink races in rename()
  ufs: i_nlink races in rename()
  sysv: i_nlink races in rename()
2011-03-03 15:37:59 -08:00
David Howells
1362fa078d DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
When a DNS resolver key is instantiated with an error indication, attempts to
read that key will result in an oops because user_read() is expecting there to
be a payload - and there isn't one [CVE-2011-1076].

Give the DNS resolver key its own read handler that returns the error cached in
key->type_data.x[0] as an error rather than crashing.

Also make the kenter() at the beginning of dns_resolver_instantiate() limit the
amount of data it prints, since the data is not necessarily NUL-terminated.

The buggy code was added in:

	commit 4a2d789267
	Author: Wang Lei <wang840925@gmail.com>
	Date:   Wed Aug 11 09:37:58 2010 +0100
	Subject: DNS: If the DNS server returns an error, allow that to be cached [ver #2]

This can trivially be reproduced by any user with the following program
compiled with -lkeyutils:

	#include <stdlib.h>
	#include <keyutils.h>
	#include <err.h>
	static char payload[] = "#dnserror=6";
	int main()
	{
		key_serial_t key;
		key = add_key("dns_resolver", "a", payload, sizeof(payload),
			      KEY_SPEC_SESSION_KEYRING);
		if (key == -1)
			err(1, "add_key");
		if (keyctl_read(key, NULL, 0) == -1)
			err(1, "read_key");
		return 0;
	}

What should happen is that keyctl_read() reports error 6 (ENXIO) to the user:

	dns-break: read_key: No such device or address

but instead the kernel oopses.

This cannot be reproduced with the 'keyutils add' or 'keyutils padd' commands
as both of those cut the data down below the NUL termination that must be
included in the data.  Without this dns_resolver_instantiate() will return
-EINVAL and the key will not be instantiated such that it can be read.

The oops looks like:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff811b99f7>] user_read+0x4f/0x8f
PGD 3bdf8067 PUD 385b9067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq
CPU 0
Modules linked in:

Pid: 2150, comm: dns-break Not tainted 2.6.38-rc7-cachefs+ #468                  /DG965RY
RIP: 0010:[<ffffffff811b99f7>]  [<ffffffff811b99f7>] user_read+0x4f/0x8f
RSP: 0018:ffff88003bf47f08  EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff88003b5ea378 RCX: ffffffff81972368
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003b5ea378
RBP: ffff88003bf47f28 R08: ffff88003be56620 R09: 0000000000000000
R10: 0000000000000395 R11: 0000000000000002 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffffffffa1
FS:  00007feab5751700(0000) GS:ffff88003e000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 000000003de40000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process dns-break (pid: 2150, threadinfo ffff88003bf46000, task ffff88003be56090)
Stack:
 ffff88003b5ea378 ffff88003b5ea3a0 0000000000000000 0000000000000000
 ffff88003bf47f68 ffffffff811b708e ffff88003c442bc8 0000000000000000
 00000000004005a0 00007fffba368060 0000000000000000 0000000000000000
Call Trace:
 [<ffffffff811b708e>] keyctl_read_key+0xac/0xcf
 [<ffffffff811b7c07>] sys_keyctl+0x75/0xb6
 [<ffffffff81001f7b>] system_call_fastpath+0x16/0x1b
Code: 75 1f 48 83 7b 28 00 75 18 c6 05 58 2b fb 00 01 be bb 00 00 00 48 c7 c7 76 1c 75 81 e8 13 c2 e9 ff 4c 8b b3 e0 00 00 00 4d 85 ed <41> 0f b7 5e 10 74 2d 4d 85 e4 74 28 e8 98 79 ee ff 49 39 dd 48
RIP  [<ffffffff811b99f7>] user_read+0x4f/0x8f
 RSP <ffff88003bf47f08>
CR2: 0000000000000010

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
cc: Wang Lei <wang840925@gmail.com>
Signed-off-by: James Morris <jmorris@namei.org>
2011-03-04 09:56:19 +11:00
Sage Weil
692d20f576 libceph: retry after authorization failure
If we mark the connection CLOSED we will give up trying to reconnect to
this server instance.  That is appropriate for things like a protocol
version mismatch that won't change until the server is restarted, at which
point we'll get a new addr and reconnect.  An authorization failure like
this is probably due to the server not properly rotating it's secret keys,
however, and should be treated as transient so that the normal backoff and
retry behavior kicks in.

Signed-off-by: Sage Weil <sage@newdream.net>
2011-03-03 13:47:40 -08:00
Sage Weil
38815b7802 libceph: fix handling of short returns from get_user_pages
get_user_pages() can return fewer pages than we ask for.  We were returning
a bogus pointer/error code in that case.  Instead, loop until we get all
the pages we want or get an error we can return to the caller.

Signed-off-by: Sage Weil <sage@newdream.net>
2011-03-03 13:47:39 -08:00
Jay Vosburgh
4cd72c6e72 MAINTAINERS: Add Andy Gospodarek as co-maintainer.
Acked-by: Andy Gospodarek <andy@greyhouse.net>

Signed-off-by: David S. Miller <davem@davemloft.net>
2011-03-03 13:29:23 -08:00
Linus Torvalds
4c7fd114c6 Merge branch 'for-linus' of git://oss.sgi.com/xfs/xfs
* 'for-linus' of git://oss.sgi.com/xfs/xfs:
  xfs: zero proper structure size for geometry calls
2011-03-03 12:44:22 -08:00
Linus Torvalds
c640e13f8e Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ryusuke/nilfs2
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ryusuke/nilfs2:
  nilfs2: fix regression that i-flag is not set on changeless checkpoints
2011-03-03 12:42:48 -08:00
Stanislaw Gruszka
ba04c7c93b r8169: disable ASPM
For some time is known that ASPM is causing troubles on r8169, i.e. make
device randomly stop working without any errors in dmesg.

Currently Tomi Leppikangas reports that system with r8169 device hangs
with MCE errors when ASPM is enabled:
https://bugzilla.redhat.com/show_bug.cgi?id=642861#c4

Lets disable ASPM for r8169 devices at all, to avoid problems with
r8169 PCIe devices at least for some users.

Reported-by: Tomi Leppikangas <tomi.leppikangas@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-03-03 11:55:43 -08:00
Tony Lindgren
077f8ec889 Merge branch 'for_2.6.38/pm-fixes' of ssh://master.kernel.org/pub/scm/linux/kernel/git/khilman/linux-omap-pm into devel-fixes 2011-03-03 10:25:18 -08:00
Hari Kanigeri
525a11381b omap: mailbox: resolve hang issue
omap4 interrupt disable bits is different. On rx kfifo full, the mbox rx
interrupts wasn't getting disabled, and this is causing the rcm stress tests
to hang.

Signed-off-by: Hari Kanigeri <h-kanigeri2@ti.com>
Signed-off-by: Armando Uribe <x0095078@ti.com>
Signed-off-by: Fernando Guzman Lugo <fernando.lugo@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
2011-03-03 10:24:19 -08:00
Sage Weil
16a8b70a5a ceph: do not clear I_COMPLETE from d_release
First, this was racy anyway: d_release isn't called until well after the
dentry is unhashed.  Second, this runs afoul of the recent dcache change
that clears d_parent prior to calling d_release (949854d0), causing a NULL
pointer dereference.

Signed-off-by: Sage Weil <sage@newdream.net>
2011-03-03 10:09:52 -08:00
Sage Weil
b545cc1505 ceph: do not set I_COMPLETE
Do not set the I_COMPLETE flag on directories until we resolve races with
dcache pruning.

Signed-off-by: Sage Weil <sage@newdream.net>
2011-03-03 10:09:51 -08:00
Sage Weil
9bde178d05 Revert "ceph: keep reference to parent inode on ceph_dentry"
This reverts commit 97d79b403e.

This fails to account for d_parent changes due to rename or disconnected
dentries due to submounts or NFS reexports.

Signed-off-by: Sage Weil <sage@newdream.net>
2011-03-03 10:09:50 -08:00
Martin Schwidefsky
0c2bd9b24e [S390] tape: deadlock on system work queue
The 34xx and 3590 tape driver uses the system work queue to defer work
from the interrupt function to process context, e.g. a medium sense
after an unsolicited interrupt. The tape commands started by the work
handler need to be asynchronous, otherwise a deadlock on the system
work queue can occur.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2011-03-03 17:56:14 +01:00
Dan Carpenter
b652277b09 [S390] keyboard: integer underflow bug
The "ct" variable should be an unsigned int.  Both struct kbdiacrs
->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints.

Making it signed causes a problem in KBDIACRUC because the user could
set the signed bit and cause a buffer overflow.

Cc: <stable@kernel.org>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2011-03-03 17:56:14 +01:00
Martin Schwidefsky
0c0db0355b [S390] xpram: remove __initdata attribute from module parameters
The module parameter 'devs' and 'sizes' are marked as __initdata. The
memory for the parameters are freed after module_init completed. This
can lead to kernel crashes in param_free_charp. Remove the __initdata
attribute to fix the problem.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2011-03-03 17:56:14 +01:00