From 5d0726473a6c77d090f6075474e4f4f6699ddf02 Mon Sep 17 00:00:00 2001 From: Marc Fiuczynski Date: Mon, 8 Aug 2005 20:57:39 +0000 Subject: [PATCH] kernel.org 2.6.11.11 --- MAINTAINERS | 5 ++ Makefile | 4 +- REPORTING-BUGS | 4 ++ arch/ppc64/kernel/pSeries_iommu.c | 55 +++++++++++++++++++++- arch/sparc/kernel/ptrace.c | 12 ----- arch/sparc64/kernel/ptrace.c | 19 -------- arch/sparc64/kernel/signal32.c | 5 +- arch/sparc64/kernel/systbls.S | 2 +- arch/um/include/sysdep-i386/syscalls.h | 12 ++--- arch/um/include/sysdep-x86_64/syscalls.h | 5 -- arch/um/kernel/sys_call_table.c | 11 ++--- arch/x86_64/kernel/ptrace.c | 13 ++++-- arch/x86_64/mm/fault.c | 11 ++++- arch/x86_64/mm/ioremap.c | 2 +- drivers/block/ioctl.c | 2 + drivers/block/pktcdvd.c | 4 +- drivers/char/raw.c | 2 +- drivers/i2c/chips/it87.c | 2 +- drivers/i2c/chips/via686a.c | 2 +- drivers/ide/ide-disk.c | 4 +- drivers/media/video/bttv-cards.c | 2 - drivers/net/3c59x.c | 9 ++-- drivers/usb/serial/visor.c | 38 ++++++++++----- drivers/video/matrox/matroxfb_accel.c | 14 ++++-- drivers/video/matrox/matroxfb_base.h | 4 +- fs/binfmt_elf.c | 4 +- fs/ext3/balloc.c | 3 +- include/asm-x86_64/processor.h | 4 +- include/linux/err.h | 4 +- kernel/exit.c | 2 - mm/mmap.c | 59 +++++++++++++----------- net/bridge/netfilter/ebtables.c | 3 +- net/rose/rose_route.c | 3 +- security/keys/key.c | 3 +- sound/usb/usbaudio.c | 2 +- sound/usb/usx2y/usbusx2y.c | 11 +++-- 36 files changed, 209 insertions(+), 132 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 7cd2c7ad3..0b53772aa 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1966,6 +1966,11 @@ M: christer@weinigel.se W: http://www.weinigel.se S: Supported +SECURITY CONTACT +P: Security Officers +M: security@kernel.org +S: Supported + SELINUX SECURITY MODULE P: Stephen Smalley M: sds@epoch.ncsc.mil diff --git a/Makefile b/Makefile index 40e308502..19c1b8786 100644 --- a/Makefile +++ b/Makefile 
@@ -1,8 +1,8 @@ VERSION = 2 PATCHLEVEL = 6 SUBLEVEL = 11 -EXTRAVERSION = .7 -NAME=Woozy Numbat +EXTRAVERSION = .11 +NAME=Woozy Beaver # *DOCUMENTATION* # To see a list of typical targets execute "make help" diff --git a/REPORTING-BUGS b/REPORTING-BUGS index 4160d1a4f..2045eaea2 100644 --- a/REPORTING-BUGS +++ b/REPORTING-BUGS @@ -16,6 +16,10 @@ code relevant to what you were doing. If it occurs repeatably try and describe how to recreate it. That is worth even more than the oops itself. The list of maintainers is in the MAINTAINERS file in this directory. + If it is a security bug, please copy the Security Contact listed +in the MAINTAINERS file. They can help coordinate bugfix and disclosure. +See Documentation/SecurityBugs for more infomation. + If you are totally stumped as to whom to send the report, send it to linux-kernel@vger.kernel.org. (For more information on the linux-kernel mailing list see http://www.tux.org/lkml/). diff --git a/arch/ppc64/kernel/pSeries_iommu.c b/arch/ppc64/kernel/pSeries_iommu.c index 5543aaa56..5f05d6007 100644 --- a/arch/ppc64/kernel/pSeries_iommu.c +++ b/arch/ppc64/kernel/pSeries_iommu.c @@ -401,6 +401,8 @@ static void iommu_bus_setup_pSeriesLP(struct pci_bus *bus) struct device_node *dn, *pdn; unsigned int *dma_window = NULL; + DBG("iommu_bus_setup_pSeriesLP, bus %p, bus->self %p\n", bus, bus->self); + dn = pci_bus_to_OF_node(bus); /* Find nearest ibm,dma-window, walking up the device tree */ 
@@ -455,6 +457,56 @@ static void iommu_dev_setup_pSeries(struct pci_dev *dev) } } +static void iommu_dev_setup_pSeriesLP(struct pci_dev *dev) +{ + struct device_node *pdn, *dn; + struct iommu_table *tbl; + int *dma_window = NULL; + + DBG("iommu_dev_setup_pSeriesLP, dev %p (%s)\n", dev, dev->pretty_name); + + /* dev setup for LPAR is a little tricky, since the device tree might + * contain the dma-window properties per-device and not neccesarily + * for the bus. So we need to search upwards in the tree until we + * either hit a dma-window property, OR find a parent with a table + * already allocated. + */ + dn = pci_device_to_OF_node(dev); + + for (pdn = dn; pdn && !pdn->iommu_table; pdn = pdn->parent) { + dma_window = (unsigned int *)get_property(pdn, "ibm,dma-window", NULL); + if (dma_window) + break; + } + + /* Check for parent == NULL so we don't try to setup the empty EADS + * slots on POWER4 machines. + */ + if (dma_window == NULL || pdn->parent == NULL) { + /* Fall back to regular (non-LPAR) dev setup */ + DBG("No dma window for device, falling back to regular setup\n"); + iommu_dev_setup_pSeries(dev); + return; + } else { + DBG("Found DMA window, allocating table\n"); + } + + if (!pdn->iommu_table) { + /* iommu_table_setparms_lpar needs bussubno. */ + pdn->bussubno = pdn->phb->bus->number; + + tbl = (struct iommu_table *)kmalloc(sizeof(struct iommu_table), + GFP_KERNEL); + + iommu_table_setparms_lpar(pdn->phb, pdn, tbl, dma_window); + + pdn->iommu_table = iommu_init_table(tbl); + } + + if (pdn != dn) + dn->iommu_table = pdn->iommu_table; +} + static void iommu_bus_setup_null(struct pci_bus *b) { } static void iommu_dev_setup_null(struct pci_dev *d) { } 
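Review bot: In `iommu_dev_setup_pSeriesLP` the `kmalloc()` result is passed to `iommu_table_setparms_lpar()` without a NULL check, so an allocation failure during device setup would presumably become a NULL dereference in the kernel. A guard such as `if (!tbl) return;` before that call would close this; the exact failure handling is the platform maintainers' choice. Separately, `dma_window` is declared `int *` but assigned through an `(unsigned int *)` cast. Declaring it `unsigned int *`, as `iommu_bus_setup_pSeriesLP` does, keeps the two functions consistent.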
@@ -479,13 +531,14 @@ void iommu_init_early_pSeries(void) ppc_md.tce_free = tce_free_pSeriesLP; } ppc_md.iommu_bus_setup = iommu_bus_setup_pSeriesLP; + ppc_md.iommu_dev_setup = iommu_dev_setup_pSeriesLP; } else { ppc_md.tce_build = tce_build_pSeries; ppc_md.tce_free = tce_free_pSeries; ppc_md.iommu_bus_setup = iommu_bus_setup_pSeries; + ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries; } - ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries; pci_iommu_init(); } diff --git a/arch/sparc/kernel/ptrace.c b/arch/sparc/kernel/ptrace.c index 9cd81b47f..08c549120 100644 --- a/arch/sparc/kernel/ptrace.c +++ b/arch/sparc/kernel/ptrace.c @@ -531,18 +531,6 @@ asmlinkage void do_ptrace(struct pt_regs *regs) pt_error_return(regs, EIO); goto out_tsk; } - if (addr != 1) { - if (addr & 3) { - pt_error_return(regs, EINVAL); - goto out_tsk; - } -#ifdef DEBUG_PTRACE - printk ("Original: %08lx %08lx\n", child->thread.kregs->pc, child->thread.kregs->npc); - printk ("Continuing with %08lx %08lx\n", addr, addr+4); -#endif - child->thread.kregs->pc = addr; - child->thread.kregs->npc = addr + 4; - } if (request == PTRACE_SYSCALL) set_tsk_thread_flag(child, TIF_SYSCALL_TRACE); diff --git a/arch/sparc64/kernel/ptrace.c b/arch/sparc64/kernel/ptrace.c index 1722dc51b..08bac5372 100644 --- a/arch/sparc64/kernel/ptrace.c +++ b/arch/sparc64/kernel/ptrace.c 
@@ -514,25 +514,6 @@ asmlinkage void do_ptrace(struct pt_regs *regs) pt_error_return(regs, EIO); goto out_tsk; } - if (addr != 1) { - unsigned long pc_mask = ~0UL; - - if ((child->thread_info->flags & _TIF_32BIT) != 0) - pc_mask = 0xffffffff; - - if (addr & 3) { - pt_error_return(regs, EINVAL); - goto out_tsk; - } -#ifdef DEBUG_PTRACE - printk ("Original: %016lx %016lx\n", - child->thread_info->kregs->tpc, - child->thread_info->kregs->tnpc); - printk ("Continuing with %016lx %016lx\n", addr, addr+4); -#endif - child->thread_info->kregs->tpc = (addr & pc_mask); - child->thread_info->kregs->tnpc = ((addr + 4) & pc_mask); - } if (request == PTRACE_SYSCALL) { set_tsk_thread_flag(child, TIF_SYSCALL_TRACE); diff --git a/arch/sparc64/kernel/signal32.c b/arch/sparc64/kernel/signal32.c index 4b060cacf..7f8853213 100644 --- a/arch/sparc64/kernel/signal32.c +++ b/arch/sparc64/kernel/signal32.c @@ -192,10 +192,13 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) err |= __put_user(from->si_uid, &to->si_uid); break; case __SI_FAULT >> 16: - case __SI_POLL >> 16: err |= __put_user(from->si_trapno, &to->si_trapno); err |= __put_user((unsigned long)from->si_addr, &to->si_addr); break; + case __SI_POLL >> 16: + err |= __put_user(from->si_band, &to->si_band); + err |= __put_user(from->si_fd, &to->si_fd); + break; case __SI_RT >> 16: /* This is not generated by the kernel as of now. */ case __SI_MESGQ >> 16: err |= __put_user(from->si_pid, &to->si_pid); diff --git a/arch/sparc64/kernel/systbls.S b/arch/sparc64/kernel/systbls.S index 48170f77f..a4ccb65ae 100644 --- a/arch/sparc64/kernel/systbls.S +++ b/arch/sparc64/kernel/systbls.S 
@@ -75,7 +75,7 @@ sys_call_table32: /*260*/ .word compat_sys_sched_getaffinity, compat_sys_sched_setaffinity, sys32_timer_settime, compat_sys_timer_gettime, sys_timer_getoverrun .word sys_timer_delete, sys32_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy /*270*/ .word sys32_io_submit, sys_io_cancel, compat_sys_io_getevents, sys32_mq_open, sys_mq_unlink - .word sys_mq_timedsend, sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid + .word compat_sys_mq_timedsend, compat_sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid /*280*/ .word sys_ni_syscall, sys_add_key, sys_request_key, sys_keyctl #endif /* CONFIG_COMPAT */ diff --git a/arch/um/include/sysdep-i386/syscalls.h b/arch/um/include/sysdep-i386/syscalls.h index 36d9beec4..56fc23fc2 100644 --- a/arch/um/include/sysdep-i386/syscalls.h +++ b/arch/um/include/sysdep-i386/syscalls.h @@ -23,6 +23,9 @@ extern long sys_mmap2(unsigned long addr, unsigned long len, unsigned long prot, unsigned long flags, unsigned long fd, unsigned long pgoff); +/* On i386 they choose a meaningless naming.*/ +#define __NR_kexec_load __NR_sys_kexec_load + #define ARCH_SYSCALLS \ [ __NR_waitpid ] = (syscall_handler_t *) sys_waitpid, \ [ __NR_break ] = (syscall_handler_t *) sys_ni_syscall, \ 
@@ -101,15 +104,12 @@ extern long sys_mmap2(unsigned long addr, unsigned long len, [ 223 ] = (syscall_handler_t *) sys_ni_syscall, \ [ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \ [ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \ - [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \ [ 251 ] = (syscall_handler_t *) sys_ni_syscall, \ - [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \ - [ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \ - [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, - + [ 285 ] = (syscall_handler_t *) sys_ni_syscall, + /* 222 doesn't yet have a name in include/asm-i386/unistd.h */ -#define LAST_ARCH_SYSCALL __NR_vserver +#define LAST_ARCH_SYSCALL 285 /* * Overrides for Emacs so that we follow Linus's tabbing style. diff --git a/arch/um/include/sysdep-x86_64/syscalls.h b/arch/um/include/sysdep-x86_64/syscalls.h index 65fd49442..b187a4157 100644 --- a/arch/um/include/sysdep-x86_64/syscalls.h +++ b/arch/um/include/sysdep-x86_64/syscalls.h @@ -71,12 +71,7 @@ extern syscall_handler_t sys_arch_prctl; [ __NR_iopl ] = (syscall_handler_t *) sys_ni_syscall, \ [ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \ [ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \ - [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \ [ __NR_semtimedop ] = (syscall_handler_t *) sys_semtimedop, \ - [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \ - [ 223 ] = (syscall_handler_t *) sys_ni_syscall, \ - [ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \ - [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, \ [ 251 ] = (syscall_handler_t *) sys_ni_syscall, #define LAST_ARCH_SYSCALL 251 diff --git a/arch/um/kernel/sys_call_table.c b/arch/um/kernel/sys_call_table.c index eda45b820..f4890d6f9 100644 --- a/arch/um/kernel/sys_call_table.c +++ b/arch/um/kernel/sys_call_table.c 
@@ -48,7 +48,6 @@ extern syscall_handler_t sys_vfork; extern syscall_handler_t old_select; extern syscall_handler_t sys_modify_ldt; extern syscall_handler_t sys_rt_sigsuspend; -extern syscall_handler_t sys_vserver; extern syscall_handler_t sys_mbind; extern syscall_handler_t sys_get_mempolicy; extern syscall_handler_t sys_set_mempolicy; @@ -242,6 +241,7 @@ syscall_handler_t *sys_call_table[] = { [ __NR_epoll_create ] = (syscall_handler_t *) sys_epoll_create, [ __NR_epoll_ctl ] = (syscall_handler_t *) sys_epoll_ctl, [ __NR_epoll_wait ] = (syscall_handler_t *) sys_epoll_wait, + [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, [ __NR_set_tid_address ] = (syscall_handler_t *) sys_set_tid_address, [ __NR_timer_create ] = (syscall_handler_t *) sys_timer_create, [ __NR_timer_settime ] = (syscall_handler_t *) sys_timer_settime, @@ -252,12 +252,10 @@ syscall_handler_t *sys_call_table[] = { [ __NR_clock_gettime ] = (syscall_handler_t *) sys_clock_gettime, [ __NR_clock_getres ] = (syscall_handler_t *) sys_clock_getres, [ __NR_clock_nanosleep ] = (syscall_handler_t *) sys_clock_nanosleep, - [ __NR_statfs64 ] = (syscall_handler_t *) sys_statfs64, - [ __NR_fstatfs64 ] = (syscall_handler_t *) sys_fstatfs64, [ __NR_tgkill ] = (syscall_handler_t *) sys_tgkill, [ __NR_utimes ] = (syscall_handler_t *) sys_utimes, - [ __NR_fadvise64_64 ] = (syscall_handler_t *) sys_fadvise64_64, - [ __NR_vserver ] = (syscall_handler_t *) sys_vserver, + [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, + [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, [ __NR_mbind ] = (syscall_handler_t *) sys_mbind, [ __NR_get_mempolicy ] = (syscall_handler_t *) sys_get_mempolicy, [ __NR_set_mempolicy ] = (syscall_handler_t *) sys_set_mempolicy, 
@@ -267,9 +265,8 @@ syscall_handler_t *sys_call_table[] = { [ __NR_mq_timedreceive ] = (syscall_handler_t *) sys_mq_timedreceive, [ __NR_mq_notify ] = (syscall_handler_t *) sys_mq_notify, [ __NR_mq_getsetattr ] = (syscall_handler_t *) sys_mq_getsetattr, - [ __NR_sys_kexec_load ] = (syscall_handler_t *) sys_ni_syscall, + [ __NR_kexec_load ] = (syscall_handler_t *) sys_ni_syscall, [ __NR_waitid ] = (syscall_handler_t *) sys_waitid, - [ 285 ] = (syscall_handler_t *) sys_ni_syscall, [ __NR_add_key ] = (syscall_handler_t *) sys_add_key, [ __NR_request_key ] = (syscall_handler_t *) sys_request_key, [ __NR_keyctl ] = (syscall_handler_t *) sys_keyctl, diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c index eaa725015..cddc37a54 100644 --- a/arch/x86_64/kernel/ptrace.c +++ b/arch/x86_64/kernel/ptrace.c @@ -129,13 +129,13 @@ static int putreg(struct task_struct *child, value &= 0xffff; return 0; case offsetof(struct user_regs_struct,fs_base): - if (!((value >> 48) == 0 || (value >> 48) == 0xffff)) - return -EIO; + if (value >= TASK_SIZE) + return -EIO; child->thread.fs = value; return 0; case offsetof(struct user_regs_struct,gs_base): - if (!((value >> 48) == 0 || (value >> 48) == 0xffff)) - return -EIO; + if (value >= TASK_SIZE) + return -EIO; child->thread.gs = value; return 0; case offsetof(struct user_regs_struct, eflags): @@ -149,6 +149,11 @@ static int putreg(struct task_struct *child, return -EIO; value &= 0xffff; break; + case offsetof(struct user_regs_struct, rip): + /* Check if the new RIP address is canonical */ + if (value >= TASK_SIZE) + return -EIO; + break; } put_stack_long(child, regno - sizeof(struct pt_regs), value); return 0; diff --git a/arch/x86_64/mm/fault.c b/arch/x86_64/mm/fault.c index 572437047..ca1b239c0 100644 --- a/arch/x86_64/mm/fault.c +++ b/arch/x86_64/mm/fault.c 
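Review bot: The comment added on the `rip` case in `putreg` says the check is for a canonical address, but `value >= TASK_SIZE` is stricter: it rejects every address at or above the user-space limit, canonical or not. The same bound now guards `fs_base` and `gs_base` in the preceding hunk with no comment at all. Because this bound is what keeps tracer-supplied register values inside user space, the comment should state the real rule on all three cases, e.g. `/* Must be a user address below TASK_SIZE (which also makes it canonical) */`. `putreg` begins and ends outside these hunks.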
@@ -236,6 +236,8 @@ static noinline void pgtable_bad(unsigned long address, struct pt_regs *regs, /* * Handle a fault on the vmalloc or module mapping area + * + * This assumes no large pages in there. */ static int vmalloc_fault(unsigned long address) { @@ -274,7 +276,10 @@ static int vmalloc_fault(unsigned long address) if (!pte_present(*pte_ref)) return -1; pte = pte_offset_kernel(pmd, address); - if (!pte_present(*pte) || pte_page(*pte) != pte_page(*pte_ref)) + /* Don't use pte_page here, because the mappings can point + outside mem_map, and the NUMA hash lookup cannot handle + that. */ + if (!pte_present(*pte) || pte_pfn(*pte) != pte_pfn(*pte_ref)) BUG(); __flush_tlb_all(); return 0; @@ -348,7 +353,9 @@ asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long error_code) * protection error (error_code & 1) == 0. */ if (unlikely(address >= TASK_SIZE)) { - if (!(error_code & 5)) { + if (!(error_code & 5) && + ((address >= VMALLOC_START && address < VMALLOC_END) || + (address >= MODULES_VADDR && address < MODULES_END))) { if (vmalloc_fault(address) < 0) goto bad_area_nosemaphore; return; diff --git a/arch/x86_64/mm/ioremap.c b/arch/x86_64/mm/ioremap.c index 911262d8c..bae79b818 100644 --- a/arch/x86_64/mm/ioremap.c +++ b/arch/x86_64/mm/ioremap.c @@ -266,7 +266,7 @@ void iounmap(volatile void __iomem *addr) if ((p->flags >> 20) && p->phys_addr + p->size - 1 < virt_to_phys(high_memory)) { /* p->size includes the guard page, but cpa doesn't like that */ - change_page_attr(virt_to_page(__va(p->phys_addr)), + change_page_attr_addr((unsigned long)(__va(p->phys_addr)), (p->size - PAGE_SIZE) >> PAGE_SHIFT, PAGE_KERNEL); global_flush_tlb(); diff --git a/drivers/block/ioctl.c b/drivers/block/ioctl.c index 5e03f5157..6d7bcc9da 100644 --- a/drivers/block/ioctl.c +++ b/drivers/block/ioctl.c @@ -237,3 +237,5 @@ long compat_blkdev_ioctl(struct file *file, unsigned cmd, unsigned long arg) } return ret; } + +EXPORT_SYMBOL_GPL(blkdev_ioctl); 
diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c index 7590000b9..043cd274c 100644 --- a/drivers/block/pktcdvd.c +++ b/drivers/block/pktcdvd.c @@ -2400,7 +2400,7 @@ static int pkt_ioctl(struct inode *inode, struct file *file, unsigned int cmd, u case CDROM_LAST_WRITTEN: case CDROM_SEND_PACKET: case SCSI_IOCTL_SEND_COMMAND: - return ioctl_by_bdev(pd->bdev, cmd, arg); + return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg); case CDROMEJECT: /* @@ -2408,7 +2408,7 @@ static int pkt_ioctl(struct inode *inode, struct file *file, unsigned int cmd, u * have to unlock it or else the eject command fails. */ pkt_lock_door(pd, 0); - return ioctl_by_bdev(pd->bdev, cmd, arg); + return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg); default: printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd); diff --git a/drivers/char/raw.c b/drivers/char/raw.c index a2e33ec79..131465e8d 100644 --- a/drivers/char/raw.c +++ b/drivers/char/raw.c @@ -122,7 +122,7 @@ raw_ioctl(struct inode *inode, struct file *filp, { struct block_device *bdev = filp->private_data; - return ioctl_by_bdev(bdev, command, arg); + return blkdev_ioctl(bdev->bd_inode, filp, command, arg); } static void bind_device(struct raw_config_request *rq) diff --git a/drivers/i2c/chips/it87.c b/drivers/i2c/chips/it87.c index 8988f4fa9..bf91307a0 100644 --- a/drivers/i2c/chips/it87.c +++ b/drivers/i2c/chips/it87.c @@ -631,7 +631,7 @@ static ssize_t show_alarms(struct device *dev, char *buf) struct it87_data *data = it87_update_device(dev); return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms)); } -static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL); +static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL); static ssize_t show_vrm_reg(struct device *dev, char *buf) diff --git a/drivers/i2c/chips/via686a.c b/drivers/i2c/chips/via686a.c index cacc2578f..a49dc222b 100644 --- a/drivers/i2c/chips/via686a.c +++ b/drivers/i2c/chips/via686a.c 
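Review bot: Neither `blkdev_ioctl()` call site in `pkt_ioctl` has a comment saying why `ioctl_by_bdev()` must not be used, so a later cleanup could revert this. As far as I know, `ioctl_by_bdev()` is intended for in-kernel callers and treats `arg` as a kernel pointer, which is wrong for an `arg` that comes straight from user space. A line such as `/* arg is a user pointer: do not route this through ioctl_by_bdev() */` at each site would record that. Please also confirm that any mode or permission checks `blkdev_ioctl()` makes on `file` still mean what they should, since `file` was opened on the packet device rather than on `pd->bdev`. The same two remarks apply to `raw_ioctl` in drivers/char/raw.c further down.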
@@ -554,7 +554,7 @@ static ssize_t show_alarms(struct device *dev, char *buf) { struct via686a_data *data = via686a_update_device(dev); return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms)); } -static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL); +static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL); /* The driver. I choose to use type i2c_driver, as at is identical to both smbus_driver and isa_driver, and clients could be of either kind */ diff --git a/drivers/ide/ide-disk.c b/drivers/ide/ide-disk.c index db55f241f..e41f7c3b9 100644 --- a/drivers/ide/ide-disk.c +++ b/drivers/ide/ide-disk.c @@ -133,6 +133,8 @@ static ide_startstop_t __ide_do_rw_disk(ide_drive_t *drive, struct request *rq, if (hwif->no_lba48_dma && lba48 && dma) { if (block + rq->nr_sectors > 1ULL << 28) dma = 0; + else + lba48 = 0; } if (!dma) { @@ -146,7 +148,7 @@ static ide_startstop_t __ide_do_rw_disk(ide_drive_t *drive, struct request *rq, /* FIXME: SELECT_MASK(drive, 0) ? */ if (drive->select.b.lba) { - if (drive->addressing == 1) { + if (lba48) { task_ioreg_t tasklets[10]; pr_debug("%s: LBA=0x%012llx\n", drive->name, block); diff --git a/drivers/media/video/bttv-cards.c b/drivers/media/video/bttv-cards.c index 4ee9026fc..8127a34ce 100644 --- a/drivers/media/video/bttv-cards.c +++ b/drivers/media/video/bttv-cards.c @@ -2718,8 +2718,6 @@ void __devinit bttv_init_card2(struct bttv *btv) } btv->pll.pll_current = -1; - bttv_reset_audio(btv); - /* tuner configuration (from card list / autodetect / insmod option) */ if (UNSET != bttv_tvcards[btv->c.type].tuner_type) if(UNSET == btv->tuner_type) diff --git a/drivers/net/3c59x.c b/drivers/net/3c59x.c index b22ed5781..4078ce33e 100644 --- a/drivers/net/3c59x.c +++ b/drivers/net/3c59x.c 
@@ -1581,7 +1581,8 @@ vortex_up(struct net_device *dev) if (VORTEX_PCI(vp)) { pci_set_power_state(VORTEX_PCI(vp), PCI_D0); /* Go active */ - pci_restore_state(VORTEX_PCI(vp)); + if (vp->pm_state_valid) + pci_restore_state(VORTEX_PCI(vp)); pci_enable_device(VORTEX_PCI(vp)); } @@ -2741,6 +2742,7 @@ vortex_down(struct net_device *dev, int final_down) outl(0, ioaddr + DownListPtr); if (final_down && VORTEX_PCI(vp)) { + vp->pm_state_valid = 1; pci_save_state(VORTEX_PCI(vp)); acpi_set_WOL(dev); } @@ -3243,9 +3245,10 @@ static void acpi_set_WOL(struct net_device *dev) outw(RxEnable, ioaddr + EL3_CMD); pci_enable_wake(VORTEX_PCI(vp), 0, 1); + + /* Change the power state to D3; RxEnable doesn't take effect. */ + pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot); } - /* Change the power state to D3; RxEnable doesn't take effect. */ - pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot); } diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c index 6c0d51638..0bb6262ad 100644 --- a/drivers/usb/serial/visor.c +++ b/drivers/usb/serial/visor.c @@ -386,6 +386,7 @@ struct visor_private { int bytes_in; int bytes_out; int outstanding_urbs; + int throttled; }; /* number of outstanding urbs to prevent userspace DoS from happening */ @@ -415,6 +416,7 @@ static int visor_open (struct usb_serial_port *port, struct file *filp) priv->bytes_in = 0; priv->bytes_out = 0; priv->outstanding_urbs = 0; + priv->throttled = 0; spin_unlock_irqrestore(&priv->lock, flags); /* @@ -602,6 +604,7 @@ static void visor_read_bulk_callback (struct urb *urb, struct pt_regs *regs) struct tty_struct *tty; unsigned long flags; int i; + int throttled; int result; dbg("%s - port %d", __FUNCTION__, port->number); 
@@ -627,18 +630,21 @@ static void visor_read_bulk_callback (struct urb *urb, struct pt_regs *regs) } spin_lock_irqsave(&priv->lock, flags); priv->bytes_in += urb->actual_length; + throttled = priv->throttled; spin_unlock_irqrestore(&priv->lock, flags); - /* Continue trying to always read */ - usb_fill_bulk_urb (port->read_urb, port->serial->dev, - usb_rcvbulkpipe(port->serial->dev, - port->bulk_in_endpointAddress), - port->read_urb->transfer_buffer, - port->read_urb->transfer_buffer_length, - visor_read_bulk_callback, port); - result = usb_submit_urb(port->read_urb, GFP_ATOMIC); - if (result) - dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result); + /* Continue trying to always read if we should */ + if (!throttled) { + usb_fill_bulk_urb (port->read_urb, port->serial->dev, + usb_rcvbulkpipe(port->serial->dev, + port->bulk_in_endpointAddress), + port->read_urb->transfer_buffer, + port->read_urb->transfer_buffer_length, + visor_read_bulk_callback, port); + result = usb_submit_urb(port->read_urb, GFP_ATOMIC); + if (result) + dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result); + } return; } @@ -683,16 +689,26 @@ exit: static void visor_throttle (struct usb_serial_port *port) { + struct visor_private *priv = usb_get_serial_port_data(port); + unsigned long flags; + dbg("%s - port %d", __FUNCTION__, port->number); - usb_kill_urb(port->read_urb); + spin_lock_irqsave(&priv->lock, flags); + priv->throttled = 1; + spin_unlock_irqrestore(&priv->lock, flags); } static void visor_unthrottle (struct usb_serial_port *port) { + struct visor_private *priv = usb_get_serial_port_data(port); + unsigned long flags; int result; dbg("%s - port %d", __FUNCTION__, port->number); + spin_lock_irqsave(&priv->lock, flags); + priv->throttled = 0; + spin_unlock_irqrestore(&priv->lock, flags); port->read_urb->dev = port->serial->dev; result = usb_submit_urb(port->read_urb, GFP_ATOMIC); 
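Review bot: `visor_unthrottle` clears `priv->throttled` and then submits `port->read_urb` unconditionally, but `visor_throttle` no longer kills that URB. A throttle followed quickly by an unthrottle can therefore reach `usb_submit_urb()` while the read URB is still in flight, before `visor_read_bulk_callback` has seen the flag. I would have the callback record that it really skipped the resubmit and let unthrottle restart the read only in that case. The sketch below uses a new `read_stalled` field in `struct visor_private` (cleared in `visor_open`) and a new local `restart`. Both functions continue outside the hunks shown.

```c
	/* visor_read_bulk_callback(): note that the resubmit is being skipped */
	spin_lock_irqsave(&priv->lock, flags);
	priv->bytes_in += urb->actual_length;
	throttled = priv->throttled;
	if (throttled)
		priv->read_stalled = 1;
	spin_unlock_irqrestore(&priv->lock, flags);
	/* ... unchanged: refill and resubmit read_urb when !throttled ... */

	/* visor_unthrottle(): restart only a read that was actually stopped */
	spin_lock_irqsave(&priv->lock, flags);
	priv->throttled = 0;
	restart = priv->read_stalled;
	priv->read_stalled = 0;
	spin_unlock_irqrestore(&priv->lock, flags);
	if (!restart)
		return;
	/* ... unchanged: set read_urb->dev and submit port->read_urb ... */
```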
diff --git a/drivers/video/matrox/matroxfb_accel.c b/drivers/video/matrox/matroxfb_accel.c index 8f14c9b30..c7f3e1321 100644 --- a/drivers/video/matrox/matroxfb_accel.c +++ b/drivers/video/matrox/matroxfb_accel.c @@ -438,13 +438,21 @@ static void matroxfb_1bpp_imageblit(WPMINFO u_int32_t fgx, u_int32_t bgx, } else if (step == 1) { /* Special case for 1..8bit widths */ while (height--) { - mga_writel(mmio, 0, *chardata); +#if defined(__BIG_ENDIAN) + fb_writel((*chardata) << 24, mmio.vaddr); +#else + fb_writel(*chardata, mmio.vaddr); +#endif chardata++; } } else if (step == 2) { /* Special case for 9..15bit widths */ while (height--) { - mga_writel(mmio, 0, *(u_int16_t*)chardata); +#if defined(__BIG_ENDIAN) + fb_writel((*(u_int16_t*)chardata) << 16, mmio.vaddr); +#else + fb_writel(*(u_int16_t*)chardata, mmio.vaddr); +#endif chardata += 2; } } else { @@ -454,7 +462,7 @@ static void matroxfb_1bpp_imageblit(WPMINFO u_int32_t fgx, u_int32_t bgx, for (i = 0; i < step; i += 4) { /* Hope that there are at least three readable bytes beyond the end of bitmap */ - mga_writel(mmio, 0, get_unaligned((u_int32_t*)(chardata + i))); + fb_writel(get_unaligned((u_int32_t*)(chardata + i)),mmio.vaddr); } chardata += step; } diff --git a/drivers/video/matrox/matroxfb_base.h b/drivers/video/matrox/matroxfb_base.h index a98de7952..1021f3cf5 100644 --- a/drivers/video/matrox/matroxfb_base.h +++ b/drivers/video/matrox/matroxfb_base.h @@ -170,14 +170,14 @@ static inline void mga_memcpy_toio(vaddr_t va, const void* src, int len) { if ((unsigned long)src & 3) { while (len >= 4) { - writel(get_unaligned((u32 *)src), addr); + fb_writel(get_unaligned((u32 *)src), addr); addr++; len -= 4; src += 4; } } else { while (len >= 4) { - writel(*(u32 *)src, addr); + fb_writel(*(u32 *)src, addr); addr++; len -= 4; src += 4; diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index bfb616790..24f6ea075 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c 
@@ -257,7 +257,7 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr * exec, } /* Populate argv and envp */ - p = current->mm->arg_start; + p = current->mm->arg_end = current->mm->arg_start; while (argc-- > 0) { size_t len; __put_user((elf_addr_t)p, argv++); @@ -1279,7 +1279,7 @@ static void fill_prstatus(struct elf_prstatus *prstatus, static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p, struct mm_struct *mm) { - int i, len; + unsigned int i, len; /* first copy the parameters from user space */ memset(psinfo, 0, sizeof(struct elf_prpsinfo)); diff --git a/fs/ext3/balloc.c b/fs/ext3/balloc.c index 03cd803e0..4f7e0c052 100644 --- a/fs/ext3/balloc.c +++ b/fs/ext3/balloc.c @@ -268,7 +268,8 @@ void ext3_discard_reservation(struct inode *inode) if (!rsv_is_empty(&rsv->rsv_window)) { spin_lock(rsv_lock); - rsv_window_remove(inode->i_sb, rsv); + if (!rsv_is_empty(&rsv->rsv_window)) + rsv_window_remove(inode->i_sb, rsv); spin_unlock(rsv_lock); } } diff --git a/include/asm-x86_64/processor.h b/include/asm-x86_64/processor.h index 6dadc6400..31e8d82ce 100644 --- a/include/asm-x86_64/processor.h +++ b/include/asm-x86_64/processor.h @@ -160,9 +160,9 @@ static inline void clear_in_cr4 (unsigned long mask) /* - * User space process size. 47bits. + * User space process size. 47bits minus one guard page. */ -#define TASK_SIZE (0x800000000000UL) +#define TASK_SIZE (0x800000000000UL - 4096) /* This decides where the kernel will search for a free chunk of vm * space during mmap's. diff --git a/include/linux/err.h b/include/linux/err.h index 17c55df13..ff71d2af5 100644 --- a/include/linux/err.h +++ b/include/linux/err.h @@ -13,6 +13,8 @@ * This should be a per-architecture thing, to allow different * error and pointer decisions. */ +#define IS_ERR_VALUE(x) unlikely((x) > (unsigned long)-1000L) + static inline void *ERR_PTR(long error) { return (void *) error; 
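Review bot: The change of `i, len` to `unsigned int` in `fill_psinfo` has no comment, although signedness appears to be the whole point of the change. `len` is presumably computed from `mm->arg_end - mm->arg_start` and bounded before a copy from user space (that code is outside the hunk). With a signed `len`, a negative difference would pass an upper-bound test. I would add `/* unsigned: arg_end < arg_start must not slip under the size clamp */` on the declaration. The `arg_end = arg_start` initialisation in the `create_elf_tables` hunk above looks like the matching half and could carry a similar remark.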
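Review bot: `TASK_SIZE` now subtracts a literal `4096`, and the updated comment does not say what the guard page is for. If `PAGE_SIZE` is usable at this point in the header (the include order is not visible here), `(0x800000000000UL - PAGE_SIZE)` states the intent. Otherwise keep the literal and say in the comment that it is one page. Other checks compare user-supplied values against `TASK_SIZE`, so the comment should give the reason, e.g. `/* top user page is never mapped, so no user access or instruction can run up to the canonical boundary */`. That reason is my reading of the change and should be confirmed by the author.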
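Review bot: `IS_ERR_VALUE(x)` compares its argument without a cast, so its behaviour depends on the caller's type. A pointer argument will not compile cleanly, and a 32-bit unsigned value holding an error code is zero-extended on 64-bit and never matches. Casting inside the macro, `#define IS_ERR_VALUE(x) unlikely((unsigned long)(x) > (unsigned long)-1000L)`, handles the pointer case and makes the intended width explicit. A one-line comment that the argument must be a full-width `unsigned long` address-or-errno value would cover the rest.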
@@ -25,7 +27,7 @@ static inline long PTR_ERR(const void *ptr) static inline long IS_ERR(const void *ptr) { - return unlikely((unsigned long)ptr > (unsigned long)-1000L); + return IS_ERR_VALUE((unsigned long)ptr); } #endif /* _LINUX_ERR_H */ diff --git a/kernel/exit.c b/kernel/exit.c index f40a50f69..d462a1f7c 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -516,8 +516,6 @@ static inline void choose_new_parent(task_t *p, task_t *reaper, task_t *child_re */ BUG_ON(p == reaper || reaper->exit_state >= EXIT_ZOMBIE); p->real_parent = reaper; - if (p->parent == p->real_parent) - BUG(); } static inline void reparent_thread(task_t *p, task_t *father, int traced) diff --git a/mm/mmap.c b/mm/mmap.c index b8af0c8db..136db2d1f 100644 --- a/mm/mmap.c +++ b/mm/mmap.c 
@@ -1315,37 +1315,40 @@ unsigned long get_unmapped_area(struct file *file, unsigned long addr, unsigned long len, unsigned long pgoff, unsigned long flags) { - if (flags & MAP_FIXED) { - unsigned long ret; + unsigned long ret; - if (addr > TASK_SIZE - len) - return -ENOMEM; - if (addr & ~PAGE_MASK) - return -EINVAL; - if (file && is_file_hugepages(file)) { - /* - * Check if the given range is hugepage aligned, and - * can be made suitable for hugepages. - */ - ret = prepare_hugepage_range(addr, len); - } else { - /* - * Ensure that a normal request is not falling in a - * reserved hugepage range. For some archs like IA-64, - * there is a separate region for hugepages. - */ - ret = is_hugepage_only_range(addr, len); - } - if (ret) - return -EINVAL; - return addr; - } + if (!(flags & MAP_FIXED)) { + unsigned long (*get_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long); - if (file && file->f_op && file->f_op->get_unmapped_area) - return file->f_op->get_unmapped_area(file, addr, len, - pgoff, flags); + get_area = current->mm->get_unmapped_area; + if (file && file->f_op && file->f_op->get_unmapped_area) + get_area = file->f_op->get_unmapped_area; + addr = get_area(file, addr, len, pgoff, flags); + if (IS_ERR_VALUE(addr)) + return addr; + } - return current->mm->get_unmapped_area(file, addr, len, pgoff, flags); + if (addr > TASK_SIZE - len) + return -ENOMEM; + if (addr & ~PAGE_MASK) + return -EINVAL; + if (file && is_file_hugepages(file)) { + /* + * Check if the given range is hugepage aligned, and + * can be made suitable for hugepages. + */ + ret = prepare_hugepage_range(addr, len); + } else { + /* + * Ensure that a normal request is not falling in a + * reserved hugepage range. For some archs like IA-64, + * there is a separate region for hugepages. + */ + ret = is_hugepage_only_range(addr, len); + } + if (ret) + return -EINVAL; + return addr; } EXPORT_SYMBOL(get_unmapped_area); 
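Review bot: `addr > TASK_SIZE - len` now runs on every path, including addresses returned by `get_area()`, but the unsigned subtraction wraps when `len` exceeds `TASK_SIZE`. The bound then becomes huge and the test passes. Callers may already reject such lengths (not visible here), but the function is exported, so a local check is cheap: `if (len > TASK_SIZE || addr > TASK_SIZE - len) return -ENOMEM;`. The first line of the function signature lies above the hunk.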
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 33dde2be3..771105c92 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -179,9 +179,10 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb, struct ebt_chainstack *cs; struct ebt_entries *chaininfo; char *base; - struct ebt_table_info *private = table->private; + struct ebt_table_info *private; read_lock_bh(&table->lock); + private = table->private; cb_base = COUNTER_BASE(private->counters, private->nentries, smp_processor_id()); if (private->chainstack) diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c index 92674a1cc..d19d931a1 100644 --- a/net/rose/rose_route.c +++ b/net/rose/rose_route.c @@ -727,7 +727,8 @@ int rose_rt_ioctl(unsigned int cmd, void __user *arg) } if (rose_route.mask > 10) /* Mask can't be more than 10 digits */ return -EINVAL; - + if (rose_route.ndigis > 8) /* No more than 8 digipeats */ + return -EINVAL; err = rose_add_node(&rose_route, dev); dev_put(dev); return err; diff --git a/security/keys/key.c b/security/keys/key.c index e3d0359f5..59402c843 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -57,9 +57,10 @@ struct key_user *key_user_lookup(uid_t uid) { struct key_user *candidate = NULL, *user; struct rb_node *parent = NULL; - struct rb_node **p = &key_user_tree.rb_node; + struct rb_node **p; try_again: + p = &key_user_tree.rb_node; spin_lock(&key_user_lock); /* search the tree for a user record with a matching UID */ diff --git a/sound/usb/usbaudio.c b/sound/usb/usbaudio.c index e7520f990..5ea025155 100644 --- a/sound/usb/usbaudio.c +++ b/sound/usb/usbaudio.c @@ -3276,7 +3276,7 @@ static void snd_usb_audio_disconnect(struct usb_device *dev, void *ptr) } usb_chip[chip->index] = NULL; up(®ister_mutex); - snd_card_free_in_thread(card); + snd_card_free(card); } else { up(®ister_mutex); } 
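Review bot: The new `ndigis > 8` check in `rose_rt_ioctl` returns `-EINVAL` directly, while the success path just below calls `dev_put(dev)`. If `dev` holds a reference taken earlier in the function (outside the hunk), a rejected request leaks it. The existing `mask > 10` check has the same shape. Releasing the reference before returning fixes both: `if (rose_route.ndigis > 8) { dev_put(dev); return -EINVAL; }`. If a named constant for the digipeater array size exists, it would read better than the bare `8`.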
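Review bot: In `key_user_lookup`, `p` is now re-initialised after `try_again:`, but `parent` is still set to NULL only at its declaration. On a retry it keeps whatever node the previous search ended on. If the tree walk below the label (outside the hunk) finds an empty tree on the second pass, that stale `parent` would presumably be used when linking the new node. Adding `parent = NULL;` next to `p = &key_user_tree.rb_node;` makes each pass start clean.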
diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c index b06a267e5..89ee8b732 100644 --- a/sound/usb/usx2y/usbusx2y.c +++ b/sound/usb/usx2y/usbusx2y.c @@ -1,6 +1,11 @@ /* * usbusy2y.c - ALSA USB US-428 Driver * +2005-04-14 Karsten Wiese + Version 0.8.7.2: + Call snd_card_free() instead of snd_card_free_in_thread() to prevent oops with dead keyboard symptom. + Tested ok with kernel 2.6.12-rc2. + 2004-12-14 Karsten Wiese Version 0.8.7.1: snd_pcm_open for rawusb pcm-devices now returns -EBUSY if called without rawusb's hwdep device being open. @@ -143,7 +148,7 @@ MODULE_AUTHOR("Karsten Wiese "); -MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.1"); +MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.2"); MODULE_LICENSE("GPL"); MODULE_SUPPORTED_DEVICE("{{TASCAM(0x1604), "NAME_ALLCAPS"(0x8001)(0x8005)(0x8007) }}"); @@ -430,8 +435,6 @@ static void usX2Y_usb_disconnect(struct usb_device* device, void* ptr) if (ptr) { usX2Ydev_t* usX2Y = usX2Y((snd_card_t*)ptr); struct list_head* p; - if (usX2Y->chip_status == USX2Y_STAT_CHIP_HUP) // on 2.6.1 kernel snd_usbmidi_disconnect() - return; // calls us back. better leave :-) . usX2Y->chip.shutdown = 1; usX2Y->chip_status = USX2Y_STAT_CHIP_HUP; usX2Y_unlinkSeq(&usX2Y->AS04); @@ -443,7 +446,7 @@ static void usX2Y_usb_disconnect(struct usb_device* device, void* ptr) } if (usX2Y->us428ctls_sharedmem) wake_up(&usX2Y->us428ctls_wait_queue_head); - snd_card_free_in_thread((snd_card_t*)ptr); + snd_card_free((snd_card_t*)ptr); } } -- 2.47.0