Commit Graph

21095 Commits

Author SHA1 Message Date
Nathan Scott
3fb962bde4 Fix a direct I/O locking issue revealed by the new mutex code.
Affects only XFS (i.e. DIO_OWN_LOCKING case) - currently it is
not possible to get i_mutex locking correct when using DIO_OWN
direct I/O locking in a filesystem due to indeterminism in the
possible return code/lock/unlock combinations.  This can cause
a direct read to attempt a double i_mutex unlock inside XFS.

We're now ensuring __blockdev_direct_IO always exits with the
inode i_mutex (still) held for a direct reader.

Tested with the three different locking modes (via direct block
device access, ext3 and XFS) - both reading and writing; cannot
find any regressions resulting from this change, and it clearly
fixes the mutex_unlock warning originally reported here:
http://marc.theaimsgroup.com/?l=linux-kernel&m=114189068126253&w=2

Signed-off-by: Nathan Scott <nathans@sgi.com>
Acked-by: Christoph Hellwig <hch@lst.de>
2006-03-15 15:14:45 +11:00
Dave Kleikamp
a488edc914 [PATCH] JFS: Take logsync lock before testing mp->lsn
This fixes a race where lsn could be cleared before taking the lock

Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-14 14:00:48 -08:00
Linus Torvalds
0f511ea706 Merge master.kernel.org:/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6
* master.kernel.org:/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6:
  [SCSI] zfcp: fix device registration issues
  [SCSI] scsi_transport_fc: fix FC_HOST_NUM_ATTRS
  [SCSI] scsi: aha152x pcmcia driver needs spi transport
  [SCSI] zfcp: correctly set this_id for hosts
  [SCSI] Add Brownie to blacklist
2006-03-14 11:03:50 -08:00
Maneesh Soni
6796313263 [PATCH] Plug kdump shutdown race window
lapic_shutdown() re-enables interrupts which is un-desirable for panic
case, so use local_irq_save() and local_irq_restore() to keep the irqs
disabled for kexec on panic case, and close a possible race window while
kdump shutdown as shown in this stack trace

   -- BUG: spinlock lockup on CPU#1, bash/4396, c52781a0
   [<c01c1870>] _raw_spin_lock+0xb7/0xd2
   [<c029e148>] _spin_lock+0x6/0x8
   [<c011b33f>] scheduler_tick+0xe7/0x328
   [<c0128a7c>] update_process_times+0x51/0x5d
   [<c0114592>] smp_apic_timer_interrupt+0x4f/0x58
   [<c01141ff>] lapic_shutdown+0x76/0x7e
   [<c0104d7c>] apic_timer_interrupt+0x1c/0x30
   [<c01141ff>] lapic_shutdown+0x76/0x7e
   [<c0116659>] machine_crash_shutdown+0x83/0xaa
   [<c013cc36>] crash_kexec+0xc1/0xe3
   [<c029e148>] _spin_lock+0x6/0x8
   [<c013cc22>] crash_kexec+0xad/0xe3
   [<c0215280>] __handle_sysrq+0x84/0xfd
   [<c018d937>] write_sysrq_trigger+0x2c/0x35
   [<c015e47b>] vfs_write+0xa2/0x13b
   [<c015ea73>] sys_write+0x3b/0x64
   [<c0103c69>] syscall_call+0x7/0xb

Signed-off-by: Maneesh Soni <maneesh@in.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-14 08:26:44 -08:00
Linus Torvalds
cbf0ec6ee0 Revert "[PATCH] x86-64: Fix up handling of non canonical user RIPs"
This reverts commit c33d4568ac.

Andrew Clayton and Hugh Dickins report that it's broken for them and
causes strange page table and slab corruption, and spontaneous reboots.

Let's get it right next time.

Cc: Andrew Clayton <andrew@rootshell.co.uk>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-14 08:01:47 -08:00
Dave Peterson
ceb2ca9cb0 [PATCH] EDAC: disable sysfs interface
- Disable the EDAC sysfs code.  The sysfs interface that EDAC presents to
  user space needs more thought, and is likely to change substantially.
  Therefore disable it for now so users don't start depending on it in its
  current form.

- Disable the default behavior of calling panic() when an uncorrectible
  error is detected (since for now, there is no sysfs interface that allows
  the user to configure this behavior).

Signed-off-by: David S. Peterson <dsp@llnl.gov>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-14 07:57:18 -08:00
Trond Myklebust
30f4e20a0d [PATCH] NLM: Ensure we do not Oops in the case of an unlock
In theory, NLM specs assure us that the server will only reply LCK_GRANTED or
LCK_DENIED_GRACE_PERIOD to our NLM_UNLOCK request.

In practice, we should not assume this to be the case, and the code will
currently Oops if we do.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-14 07:57:18 -08:00
Trond Myklebust
e6d83d5569 [PATCH] SUNRPC: Fix potential deadlock in RPC code
In rpc_wake_up() and rpc_wake_up_status(), it is possible for the call to
__rpc_wake_up_task() to fail if another thread happens to be calling
rpc_wake_up_task() on the same rpc_task.

Problem noticed by Bruno Faccini.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-14 07:57:18 -08:00
Trond Myklebust
c12e87f465 [PATCH] NFSv4: fix mount segfault on errors returned that are < -1000
It turns out that nfs4_proc_get_root() may return raw NFSv4 errors instead of
mapping them to kernel errors.  Problem spotted by Neil Horman
<nhorman@tuxdriver.com>

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-14 07:57:18 -08:00
Adrian Bunk
712917d1c0 [PATCH] SUNRPC: fix a NULL pointer dereference in net/sunrpc/clnt.c
The Coverity checker spotted this possible NULL pointer dereference in
rpc_new_client().

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-14 07:57:17 -08:00
Trond Myklebust
143f412eb4 [PATCH] NFS: Fix a potential panic in O_DIRECT
Based on an original patch by Mike O'Connor and Greg Banks of SGI.

Mike states:

A normal user can panic an NFS client and cause a local DoS with
'judicious'(?) use of O_DIRECT.  Any O_DIRECT write to an NFS file where the
user buffer starts with a valid mapped page and contains an unmapped page,
will crash in this way.  I haven't followed the code, but O_DIRECT reads with
similar user buffers will probably also crash albeit in different ways.

Details: when nfs_get_user_pages() calls get_user_pages(), it detects and
correctly handles get_user_pages() returning an error, which happens if the
first page covered by the user buffer's address range is unmapped.  However,
if the first page is mapped but some subsequent page isn't, get_user_pages()
will return a positive number which is less than the number of pages requested
(this behaviour is sort of analagous to a short write() call and appears to be
intentional).  nfs_get_user_pages() doesn't detect this and hands off the
array of pages (whose last few elements are random rubbish from the newly
allocated array memory) to it's caller, whence they go to
nfs_direct_write_seg(), which then totally ignores the nr_pages it's given,
and calculates its own idea of how many pages are in the array from the user
buffer length.  Needless to say, when it comes to transmit those uninitialised
page* pointers, we see a crash in the network stack.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-14 07:57:17 -08:00
GOTO Masanori
f9a3879abf [PATCH] Fix sigaltstack corruption among cloned threads
This patch fixes alternate signal stack corruption among cloned threads
with CLONE_SIGHAND (and CLONE_VM) for linux-2.6.16-rc6.

The value of alternate signal stack is currently inherited after a call of
clone(...  CLONE_SIGHAND | CLONE_VM).  But if sigaltstack is set by a
parent thread, and then if multiple cloned child threads (+ parent threads)
call signal handler at the same time, some threads may be conflicted -
because they share to use the same alternative signal stack region.
Finally they get sigsegv.  It's an undesirable race condition.  Note that
child threads created from NPTL pthread_create() also hit this conflict
when the parent thread uses sigaltstack, without my patch.

To fix this problem, this patch clears the child threads' sigaltstack
information like exec().  This behavior follows the SUSv3 specification.
In SUSv3, pthread_create() says "The alternate stack shall not be inherited
(when new threads are initialized)".  It means that sigaltstack should be
cleared when sigaltstack memory space is shared by cloned threads with
CLONE_SIGHAND.

Note that I chose "if (clone_flags & CLONE_SIGHAND)" line because:
  - If clone_flags line is not existed, fork() does not inherit sigaltstack.
  - CLONE_VM is another choice, but vfork() does not inherit sigaltstack.
  - CLONE_SIGHAND implies CLONE_VM, and it looks suitable.
  - CLONE_THREAD is another candidate, and includes CLONE_SIGHAND + CLONE_VM,
    but this flag has a bit different semantics.
I decided to use CLONE_SIGHAND.

[ Changed to test for CLONE_VM && !CLONE_VFORK after discussion --Linus ]

Signed-off-by: GOTO Masanori <gotom@sanori.org>
Cc: Roland McGrath <roland@redhat.com>
Cc: Ingo Molnar <mingo@elte.hu>
Acked-by: Linus Torvalds <torvalds@osdl.org>
Cc: Ulrich Drepper <drepper@redhat.com>
Cc: Jakub Jelinek <jakub@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-14 07:57:17 -08:00
Benjamin Herrenschmidt
63e1fd41c7 [PATCH] macintosh: correct AC Power info in /proc/pmu/info
Report AC Power present in /proc/pmu/info if there is no battery.

Signed-off-by: Olaf Hering <olh@suse.de>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Cc: Paul Mackerras <paulus@samba.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-14 07:57:17 -08:00
Michael Hunold
6acaba8e22 [PATCH] Restore tuning capabilities in V4L2 MXB driver
The behaviour of the all-in-one Video4Linux tuner driver apparently
changed.  It now wants to know the tv standard, otherwise it refuses to
tune.

Restore tuning functionality in my driver for the "Multimedia eXtension
Board".  The all-in-one tuner driver apparently changed its behaviour.

Signed-off-by: Michael Hunold <hunold@linuxtv.org>
Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
Cc: Johannes Stezenbach <js@linuxtv.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-14 07:57:17 -08:00
David Brownell
3cb4f09fc2 [PATCH] mtd_dataflash, fix block vs page erase
Fix a bug in the block-erase optimization for Dataflash; it was using block
erase even for smaller segments that need page erase.

That wouldn't matter for JFFS2, which never erases less than one block
(sometimes several blocks), but for other callers it might.

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Acked-by: David Woodhouse <dwmw2@infradead.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-14 07:57:17 -08:00
Paul Mackerras
82dfdcae0d powerpc: Disallow lparcfg being a module
The lparcfg code needs several things which are pretty arcane internal
details and which we don't want to export, which means that lparcfg
doesn't work when built as a module.  This makes it a bool instead of
a tristate in the Kconfig so that users can't try to build it as a
module.

Signed-off-by: Paul Mackerras <paulus@samba.org>
2006-03-14 11:35:37 +11:00
Herbert Xu
3759fa9c55 [TCP]: Fix zero port problem in IPv6
When we link a socket into the hash table, we need to make sure that we
set the num/port fields so that it shows us with a non-zero port value
in proc/netlink and on the wire.  This code and comment is copied over
from the IPv4 stack as is.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2006-03-13 14:26:12 -08:00
Andi Kleen
c33d4568ac [PATCH] x86-64: Fix up handling of non canonical user RIPs
EM64T CPUs have somewhat weird error reporting for non canonical RIPs in
SYSRET.

We can't handle any exceptions there because the exception handler would
end up running on the user stack which is unsafe.

To avoid problems any code that might end up with a user touched pt_regs
should return using int_ret_from_syscall.  int_ret_from_syscall ends up
using IRET, which allows safe exceptions.

Cc: Ernie Petrides <petrides@redhat.com>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-12 22:56:29 -08:00
Patrick McHardy
31fe4d3317 [NETFILTER]: arp_tables: fix NULL pointer dereference
The check is wrong and lets NULL-ptrs slip through since !IS_ERR(NULL)
is true.

Coverity #190

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12 20:40:43 -08:00
Patrick McHardy
baa829d892 [IPV4/6]: Fix UFO error propagation
When ufo_append_data fails err is uninitialized, but returned back.
Strangely gcc doesn't notice it.

Coverity #901 and #902

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12 20:39:40 -08:00
Patrick McHardy
4a1ff6e2bd [TCP]: tcp_highspeed: fix AIMD table out-of-bounds access
Covertiy #547

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12 20:39:39 -08:00
Patrick McHardy
cc9a06cd8d [NETLINK]: Fix use-after-free in netlink_recvmsg
The skb given to netlink_cmsg_recv_pktinfo is already freed, move it up
a few lines.

Coverity #948

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12 20:39:38 -08:00
Patrick McHardy
f8dc01f543 [XFRM]: Fix leak in ah6_input
tmp_hdr is not freed when ipv6_clear_mutable_options fails.

Coverity #650

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12 20:39:37 -08:00
Patrick McHardy
f6e57464df [NET_SCHED]: act_api: fix skb leak in error path
The skb is allocated by the function, so it needs to be freed instead
of trimmed on overrun.

Coverity #614

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12 20:39:36 -08:00
Patrick McHardy
406dbfc9ae [NETFILTER]: nfnetlink_queue: fix possible NULL-ptr dereference
Fix NULL-ptr dereference when a config message for a non-existant
queue containing only an NFQA_CFG_PARAMS attribute is received.

Coverity #433

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12 20:39:35 -08:00
Linus Torvalds
57ddd5c180 Merge branch 'upstream-fixes' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev
* 'upstream-fixes' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev:
  [PATCH] ahci: fix NULL pointer dereference detected by Coverity
2006-03-12 16:41:27 -08:00
Linus Torvalds
7cafae5238 Merge master.kernel.org:/home/rmk/linux-2.6-arm
* master.kernel.org:/home/rmk/linux-2.6-arm:
  [ARM] iwmmxt thread state alignment
  [ARM] 3350/1: Enable 1-wire on ARM
  [ARM] 3356/1: Workaround for the ARM1136 I-cache invalidation problem
  [ARM] 3355/1: NSLU2: remove propmt depends
  [ARM] 3354/1: NAS100d: fix power led handling
  [ARM] Fix muldi3.S
2006-03-12 14:56:02 -08:00
Russell King
cdaabbd74b [ARM] iwmmxt thread state alignment
This patch removes the reliance of iwmmxt on hand coded alignments.
Since thread_info is always 8K aligned, specifying that fpstate is
8-byte aligned achieves the same effect without needing to resort
to hand coded alignments.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-03-12 22:36:06 +00:00
David S. Miller
ba244fe900 [TCP]: Fix tcp_tso_should_defer() when limit>=65536
That's >= a full sized TSO frame, so we should always
return 0 in that case.

Based upon a report and initial patch from Lachlan
Andrew, final patch suggested by Herbert Xu.

Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-11 18:51:49 -08:00
Gregor Maier
c127437641 [NETFILTER]: Fix wrong option spelling in Makefile for CONFIG_BRIDGE_EBT_ULOG
Signed-off-by: Gregor Maier <gregor@net.in.tum.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-11 18:51:25 -08:00
Brian Haley
0d27b42739 [IPV6]: fix ipv6_saddr_score struct element
The scope element in the ipv6_saddr_score struct used in 
ipv6_dev_get_saddr() is an unsigned integer, but __ipv6_addr_src_scope() 
returns a signed integer (and can return -1).

Signed-off-by: Brian Haley <brian.haley@hp.com>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-11 18:50:14 -08:00
Adrian Bunk
0ade309be7 [TG3] tg3_bus_string(): remove dead code
The Coverity checker spotted this dead code (note that (clock_ctrl == 7) 
is already handled above).

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-11 18:49:38 -08:00
Dave Jones
8f22757ee8 [TUN]: Fix leak in tun_get_user()
We're leaking an skb in a failure path in this function.

Coverity #632
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-11 18:49:13 -08:00
Jeff Garzik
ed071adc97 Merge branch 'master' 2006-03-11 19:55:26 -05:00
Tejun Heo
6971ed1fbb [PATCH] ahci: fix NULL pointer dereference detected by Coverity
Fix NULL pointer dereference detected by the Coverity checker.  Kill
dev -> pdev -> dev conversion while at it.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-03-11 19:06:02 -05:00
Linus Torvalds
535744878e Linux 2.6.16-rc6
Gaah. Delayed. But all the better for it!
2006-03-11 14:12:55 -08:00
Andrew Morton
0992a5d029 [PATCH] 3c509: bus registration fix
- Don't call eisa_driver_unregister() if eisa_driver_register() failed.

- Properly propagate error values.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-03-11 13:29:09 -05:00
Sam Ravnborg
b2cba5b577 [PATCH] de620: fix section mismatch warning
In latest -mm de620 gave following warning:
WARNING: drivers/net/de620.o - Section mismatch: reference to      \
.init.text:de620_probe from .text between 'init_module' (at offset \
0x1682) and 'cleanup_module'

init_module() call de620_probe() which is declared __init.
Fix is to declare init_module() __init too.

Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-03-11 13:29:09 -05:00
Jesper Juhl
28beaf651b [PATCH] NE2000 Kconfig help entry improvement
Improve reference to PCI NE2K support in ISA NE2K documentation.
Original 2.4 patch From: Ged Haywood <ged@jubileegroup.co.uk>

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-03-11 13:29:09 -05:00
Jon Mason
9ee09d9cd4 [PATCH] dl2k: DMA freeing error
This patch fixes an error in the dl2k driver's DMA mapping/unmapping.
The adapter uses the upper 16bits of the DMA address for the buffer
size.  However, this is not masked off when referencing the DMA
address, and can lead to errors by trying to free a DMA address out of
range.

Thanks,
Jon

Signed-off-by: Jon Mason <jdmason@us.ibm.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-03-11 13:26:51 -05:00
David S. Miller
9e927fb618 [PATCH] Wrong return value corrupts free object in e1000 driver
For some reason, E1000's ->hard_start_xmit() routine returns -EFAULT
instead of one of the NETDEV_TX_* error codes.  In fact, it frees up
the SKB before returning this.  This makes the queueing layer think
the packet should be requeued and subsequently we corrupt a freed
object.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-03-11 13:25:17 -05:00
Jeff Garzik
5ee33b7adc Merge branch 'for-jeff' of git://electric-eye.fr.zoreil.com/home/romieu/linux-2.6 2006-03-11 13:23:48 -05:00
Antonino A. Daplas
ed62178589 [PATCH] radeonfb: Fix static array overrun
radeonfb_parse_monitor_layout() will produce an array overrun if passed with a
substring of length higher than 4 (ie, "XXXXX,YYYYYY").

Coverity Bug 494

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:36 -08:00
Antonino A. Daplas
8e6509876c [PATCH] aty128fb: Fix array overrun
Fix static array overrun

Coverity Bug 556

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:36 -08:00
Antonino A. Daplas
54243cefdd [PATCH] tdfxfb: Fix buffer overrun
The pseudo_palette has room only for 16 entries, but tdfxfb_setcolreg may
attempt to write more.

Coverity Bug 557

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:36 -08:00
Antonino A. Daplas
d301524772 [PATCH] intelfb: Fix buffer overrun
The pseudo_palette has room only for 16 entries, but intelfb_setcolreg will
attempt to write more.

Coverity Bug 558

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:35 -08:00
Antonino A. Daplas
8d57f2210e [PATCH] savagefb: Fix kfree before use
par->edid is kfree'd before using in fb_edid_to_monspecs()

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:35 -08:00
Antonino A. Daplas
91bc89cf98 [PATCH] imsttfb: Fix resource leak
The struct info and device resource may not be released in the driver's error
path.  Fix.

Coverity Bug 671

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:35 -08:00
Antonino A. Daplas
98365f5eb4 [PATCH] s1d13xxxfb: Fix resource leak
struct info may not be released in the driver's error path.

Coverity Bug 672

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:35 -08:00
Antonino A. Daplas
939205b273 [PATCH] arcfb: Fix dereference before NULL check
info->par is dereferenced before info is checked for NULL. Fix.

Coverity Bug 833

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:35 -08:00