Commit Graph

119070 Commits

Author SHA1 Message Date
Rusty Russell
e14c8bf863 stop_machine: fix race with return value (fixes Bug #11989)
Bug #11989: Suspend failure on NForce4-based boards due to chanes in
stop_machine

We should not access active.fnret outside the lock; in theory the next
stop_machine could overwrite it.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Tested-by: "Rafael J. Wysocki" <rjw@sisk.pl>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-11-16 15:09:52 -08:00
Al Viro
5c06fe772d Fix broken ownership of /proc/sys/ files
D'oh...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Reported-and-tested-by: Peter Palfrader <peter@palfrader.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-11-16 15:09:52 -08:00
Linus Torvalds
77fb61a04a acpi: fix oops in acpi_system_wakeup_device_seq_show
Commit 0794469da3: ("ACPI: struct device -
replace bus_id with dev_name(), dev_set_name()") introduced a bug by
testing 'dev_name(ldev)' instead of 'ldev->bus' for NULL when printing
out the bus information.

So if ldev->bus was NULL, we'd oops.

Reported-and-tested-by: Bruno Prémont <bonbons@linux-vserver.org>
Cc: Kay Sievers <kay.sievers@vrfy.org>
Cc: Len Brown <len.brown@intel.com>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-11-16 10:09:34 -08:00
Linus Torvalds
b42ccbc521 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: don't grab devices with no input
  HID: fix radio-mr800 hidquirks
  HID: fix kworld fm700 radio hidquirks
  HID: fix start/stop cycle in usbhid driver
  HID: use single threaded work queue for hid_compat
  HID: map macbook keys for "Expose" and "Dashboard"
  HID: support for new unibody macbooks
  HID: fix locking in hidraw_open()
2008-11-15 19:02:48 -08:00
Linus Torvalds
d659fc14cb Merge git://git.kernel.org/pub/scm/linux/kernel/git/brodo/pcmcia-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/brodo/pcmcia-2.6:
  pcmcia: ensure correct logging in do_io_probe
  pcmcia: add another pata/ide ID
  pcmcia: add braces in error path
  pcmcia: struct device - replace bus_id with dev_name(), dev_set_name()
  pcmcia: setup resource information for pseudo multifunction devices.
  pcmcia: fix indentation & braces disagreement - add braces
2008-11-15 18:58:37 -08:00
Linus Torvalds
9bf1a2445f Linux 2.6.28-rc5 2008-11-15 13:42:56 -08:00
Al Viro
8f7b0ba1c8 Fix inotify watch removal/umount races
Inotify watch removals suck violently.

To kick the watch out we need (in this order) inode->inotify_mutex and
ih->mutex.  That's fine if we have a hold on inode; however, for all
other cases we need to make damn sure we don't race with umount.  We can
*NOT* just grab a reference to a watch - inotify_unmount_inodes() will
happily sail past it and we'll end with reference to inode potentially
outliving its superblock.

Ideally we just want to grab an active reference to superblock if we
can; that will make sure we won't go into inotify_umount_inodes() until
we are done.  Cleanup is just deactivate_super().

However, that leaves a messy case - what if we *are* racing with
umount() and active references to superblock can't be acquired anymore?
We can bump ->s_count, grab ->s_umount, which will almost certainly wait
until the superblock is shut down and the watch in question is pining
for fjords.  That's fine, but there is a problem - we might have hit the
window between ->s_active getting to 0 / ->s_count - below S_BIAS (i.e.
the moment when superblock is past the point of no return and is heading
for shutdown) and the moment when deactivate_super() acquires
->s_umount.

We could just do drop_super() yield() and retry, but that's rather
antisocial and this stuff is luser-triggerable.  OTOH, having grabbed
->s_umount and having found that we'd got there first (i.e.  that
->s_root is non-NULL) we know that we won't race with
inotify_umount_inodes().

So we could grab a reference to watch and do the rest as above, just
with drop_super() instead of deactivate_super(), right? Wrong.  We had
to drop ih->mutex before we could grab ->s_umount.  So the watch
could've been gone already.

That still can be dealt with - we need to save watch->wd, do idr_find()
and compare its result with our pointer.  If they match, we either have
the damn thing still alive or we'd lost not one but two races at once,
the watch had been killed and a new one got created with the same ->wd
at the same address.  That couldn't have happened in inotify_destroy(),
but inotify_rm_wd() could run into that.  Still, "new one got created"
is not a problem - we have every right to kill it or leave it alone,
whatever's more convenient.

So we can use idr_find(...) == watch && watch->inode->i_sb == sb as
"grab it and kill it" check.  If it's been our original watch, we are
fine, if it's a newcomer - nevermind, just pretend that we'd won the
race and kill the fscker anyway; we are safe since we know that its
superblock won't be going away.

And yes, this is far beyond mere "not very pretty"; so's the entire
concept of inotify to start with.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Greg KH <greg@kroah.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-11-15 12:26:44 -08:00
Huang Weiyi
0d3b710097 LIS3LV02Dx: remove unused #include <version.h>
The file(s) below do not use LINUX_VERSION_CODE nor KERNEL_VERSION.
  drivers/hwmon/lis3lv02d.c

This patch removes the said #include <version.h>.

Signed-off-by: Huang Weiyi <weiyi.huang@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-11-15 12:11:27 -08:00
Linus Torvalds
537a2f889a Merge branch 'sh/for-2.6.28' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6
* 'sh/for-2.6.28' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  serial: sh-sci: Reorder the SCxTDR write after the TDxE clear.
  sh: __copy_user function can corrupt the stack in case of exception
  sh: Fixed the TMU0 reload value on resume
  sh: Don't factor in PAGE_OFFSET for valid_phys_addr_range() check.
  sh: early printk port type fix
  i2c: fix i2c-sh_mobile rx underrun
  sh: Provide a sane valid_phys_addr_range() to prevent TLB reset with PMB.
  usb: r8a66597-hcd: fix wrong data access in SuperH on-chip USB
  fix sci type for SH7723
  serial: sh-sci: fix cannot work SH7723 SCIFA
  sh: Handle fixmap TLB eviction more coherently.
2008-11-15 12:10:32 -08:00
Linus Torvalds
fab349cceb Merge branch 'doc-subdirs' of git://git.kernel.org/pub/scm/linux/kernel/git/rdunlap/linux-docs
* 'doc-subdirs' of git://git.kernel.org/pub/scm/linux/kernel/git/rdunlap/linux-docs:
  Create/use more directory structure in the Documentation/ tree.
2008-11-15 11:51:03 -08:00
Martin Schwidefsky
d091c2f58b Add 'pr_fmt()' format modifier to pr_xyz macros.
A common reason for device drivers to implement their own printk macros
is the lack of a printk prefix with the standard pr_xyz macros.
Introduce a pr_fmt() macro that is applied for every pr_xyz macro to the
format string.

The most common use of the pr_fmt macro would be to add the name of the
device driver to all pr_xyz messages in a source file.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-11-15 11:43:37 -08:00
Linus Torvalds
4d41e12166 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs:
  9p: restrict RDMA usage
2008-11-15 11:39:09 -08:00
Linus Torvalds
6ca2cb9937 Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6
* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6:
  V4L/DVB (9624): CVE-2008-5033: fix OOPS on tvaudio when controlling bass/treble
  V4L/DVB (9623): tvaudio: Improve debug msg by printing something more human
  V4L/DVB (9622): tvaudio: Improve comments and remove a unneeded prototype
  V4L/DVB (9621): Avoid writing outside shadow.bytes[] array
  V4L/DVB (9620): tvaudio: use a direct reference for chip description
  V4L/DVB (9619): tvaudio: update initial comments
  V4L/DVB (9618): tvaudio: add additional logic to avoid OOPS
  V4L/DVB (9617): tvtime: remove generic_checkmode callback
  V4L/DVB (9616): tvaudio: cleanup - group all callbacks together
  V4L/DVB (9615): tvaudio: instead of using a magic number, use ARRAY_SIZE
  V4L/DVB (9613): tvaudio: fix a memory leak
2008-11-15 11:38:41 -08:00
Linus Torvalds
011331483d Merge branch 'for-linus' of git://git390.osdl.marist.edu/pub/scm/linux-2.6
* 'for-linus' of git://git390.osdl.marist.edu/pub/scm/linux-2.6:
  [S390] fix s390x_newuname
  [S390] dasd: log sense for fatal errors
  [S390] cpu topology: fix locking
  [S390] cio: Fix refcount after moving devices.
  [S390] ftrace: fix kernel stack backchain walking
  [S390] ftrace: disable tracing on idle psw
  [S390] lockdep: fix compile bug
  [S390] kvm_s390: Fix oops in virtio device detection with "mem="
  [S390] sclp: emit error message if assign storage fails
  [S390] Fix range for add_active_range() in setup_memory()
2008-11-15 11:38:02 -08:00
Linus Torvalds
c98114db2d Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6:
  [SCSI] dpt_i2o: fix transferred data length for scsi_set_resid()
  [SCSI] scsi_error regression: Fix idempotent command handling
  [SCSI] zfcp: Fix hexdump data in s390dbf traces
  [SCSI] zfcp: fix erp timeout cleanup for port open requests
  [SCSI] zfcp: Wait for port scan to complete when setting adapter online
  [SCSI] zfcp: Fix cast warning
  [SCSI] zfcp: Fix request list handling in error path
  [SCSI] zfcp: fix mempool usage for status_read requests
  [SCSI] zfcp: fix req_list_locking.
  [SCSI] zfcp: Dont clear reference from SCSI device to unit
  [SCSI] qla2xxx: Update version number to 8.02.01-k9.
  [SCSI] qla2xxx: Return a FAILED status when abort mailbox-command fails.
  [SCSI] qla2xxx: Do not honour max_vports from firmware for 2G ISPs and below.
  [SCSI] qla2xxx: Use pci_disable_rom() to manipulate PCI config space.
  [SCSI] qla2xxx: Correct Atmel flash-part handling.
  [SCSI] megaraid: fix mega_internal_command oops
2008-11-15 11:37:40 -08:00
David Woodhouse
52168e60f7 Revert "x86: blacklist DMAR on Intel G31/G33 chipsets"
This reverts commit e51af66308, which was
wrongly hoovered up and submitted about a month after a better fix had
already been merged.

The better fix is commit cbda1ba898
("PCI/iommu: blacklist DMAR on Intel G31/G33 chipsets"), where we do
this blacklisting based on the DMI identification for the offending
motherboard, since sometimes this chipset (or at least a chipset with
the same PCI ID) apparently _does_ actually have an IOMMU.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-11-15 11:37:16 -08:00
KOSAKI Motohiro
748f1a2ed7 mm: remove unevictable's show_page_path
Hugh Dickins reported show_page_path() is buggy and unsafe because

 - lack dput() against d_find_alias()
 - don't concern vma->vm_mm->owner == NULL
 - lack lock_page()

it was only for debugging, so rather than trying to fix it, just remove
it now.

Reported-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
CC: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
CC: Rik van Riel <riel@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-11-15 11:36:07 -08:00
Geert Uytterhoeven
fb75109834 misc: C2port needs <linux/sched.h>
m68k allmodconfig:

| drivers/misc/c2port/core.c: In function 'c2port_reset':
| drivers/misc/c2port/core.c:73: error: dereferencing pointer to incomplete type
| drivers/misc/c2port/core.c: In function 'c2port_strobe_ck':
| drivers/misc/c2port/core.c:91: error: dereferencing pointer to incomplete type

Include <linux/sched.h> to fix it, as m68k's local_irq_enable() needs to know
about struct task_struct.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-11-15 11:36:06 -08:00
Geert Uytterhoeven
27123cbc26 m68k: Fix off-by-one in m68k_setup_user_interrupt()
commit 69961c3752 ("[PATCH] m68k/Atari:
Interrupt updates") added a BUG_ON() with an incorrect upper bound
comparison, which causes an early crash on VME boards, where IRQ_USER is
8, cnt is 192 and NR_IRQS is 200.

Reported-by: Stephen N Chivers <schivers@csc.com.au>
Tested-by: Kars de Jong <jongk@linux-m68k.org>
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-11-15 11:36:06 -08:00
Linus Torvalds
fa0cfc202c Merge branch 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev
* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev:
  libata: improve phantom device detection
2008-11-15 11:33:05 -08:00
Linus Torvalds
8141c7f3e7 Move "exit_robust_list" into mm_release()
We don't want to get rid of the futexes just at exit() time, we want to
drop them when doing an execve() too, since that gets rid of the
previous VM image too.

Doing it at mm_release() time means that we automatically always do it
when we disassociate a VM map from the task.

Reported-by: pageexec@freemail.hu
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Nick Piggin <npiggin@suse.de>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: Alex Efros <powerman@powerman.name>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-11-15 10:20:36 -08:00
Miquel van Smoorenburg
df81d2371a [SCSI] dpt_i2o: fix transferred data length for scsi_set_resid()
dpt_i2o.c::adpt_i2o_to_scsi() reads the value at (reply+5) which
should contain the length in bytes of the transferred data. This
would be correct if reply was a u32 *. However it is a void * here,
so we need to read the value at (reply+20) instead.

The value at (reply+5) is usually 0xff0000, which is apparently
'large enough' and didn't cause any trouble until 2.6.27 where

commit 427e59f09f
Author: James Bottomley <James.Bottomley@HansenPartnership.com>
Date:   Sat Mar 8 18:24:17 2008 -0600

    [SCSI] make use of the residue value

caused this to become visible through e.g. iostat -x .

Signed-off-by: Miquel van Smoorenburg <mikevs@xs4all.net>
Cc: Stable Tree <stable@kernel.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2008-11-15 11:10:14 -06:00
Tejun Heo
6a6b97d360 libata: improve phantom device detection
Currently libata uses four methods to detect device presence.

1. PHY status if available.
2. TF register R/W test (only promotes presence, never demotes)
3. device signature after reset
4. IDENTIFY failure detection in SFF state machine

Combination of the above works well in most cases but recently there
have been a few reports where a phantom device causes unnecessary
delay during probe.  In both cases, PHY status wasn't available.  In
one case, it passed #2 and #3 and failed IDENTIFY with ATA_ERR which
didn't qualify as #4.  The other failed #2 but as it passed #3 and #4,
it still caused failure.

In both cases, phantom device reported diagnostic failure, so these
cases can be safely worked around by considering any !ATA_DRQ IDENTIFY
failure as NODEV_HINT if diagnostic failure is set.

Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-11-14 18:51:57 -05:00
Randy Dunlap
4ff429e658 9p: restrict RDMA usage
linux-next:

Make 9p's RDMA option depend on INET since it uses Infiniband rdma_*
functions and that code depends on INET.  Otherwise 9p can try to
use symbols which don't exist.

ERROR: "rdma_destroy_id" [net/9p/9pnet_rdma.ko] undefined!
ERROR: "rdma_connect" [net/9p/9pnet_rdma.ko] undefined!
ERROR: "rdma_create_id" [net/9p/9pnet_rdma.ko] undefined!
ERROR: "rdma_create_qp" [net/9p/9pnet_rdma.ko] undefined!
ERROR: "rdma_resolve_route" [net/9p/9pnet_rdma.ko] undefined!
ERROR: "rdma_disconnect" [net/9p/9pnet_rdma.ko] undefined!
ERROR: "rdma_resolve_addr" [net/9p/9pnet_rdma.ko] undefined!

I used an if/endif block so that the menu items would remain
presented together.

Also correct an article adjective.

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
2008-11-14 16:14:27 -06:00
Randy Dunlap
31c00fc15e Create/use more directory structure in the Documentation/ tree.
Create Documentation/blockdev/ sub-directory and populate it.
Populate the Documentation/serial/ sub-directory.
Move MSI-HOWTO.txt to Documentation/PCI/.
Move ioctl-number.txt to Documentation/ioctl/.
Update all relevant 00-INDEX files.
Update all relevant Kconfig files and source files.

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
2008-11-14 17:28:53 +00:00
Martin Schwidefsky
d2f019fe40 [S390] fix s390x_newuname
The uname system call for 64 bit compares current->personality without
masking the upper 16 bits. If e.g. READ_IMPLIES_EXEC is set the result
of a uname system call will always be s390x even if the process uses
the s390 personality.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2008-11-14 18:18:55 +01:00
Stefan Haberland
a9cffb227d [S390] dasd: log sense for fatal errors
The logging of sense data for fatal errors was accidentally removed
during Hyper PAV implementation.

Signed-off-by: Stefan Haberland <stefan.haberland@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2008-11-14 18:18:54 +01:00
Heiko Carstens
74af283102 [S390] cpu topology: fix locking
cpu_coregroup_map used to grab a mutex on s390 since it was only
called from process context.
Since c7c22e4d5c "block: add support
for IO CPU affinity" this is not true anymore.
It now also gets called from softirq context.

To prevent possible deadlocks change this in architecture code and
use a spinlock instead of a mutex.

Cc: stable@kernel.org
Cc: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2008-11-14 18:18:54 +01:00
Cornelia Huck
85acc407bf [S390] cio: Fix refcount after moving devices.
In ccw_device_move_to_orphanage(), a replacing ccw_device
is searched via get_{disc,orphaned}_ccwdev_by_dev_id()
which obtain a reference on the returned ccw_device.
This reference must be given up again after the device
has been moved to its new parent.

Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2008-11-14 18:18:54 +01:00
Heiko Carstens
50bec4ce5d [S390] ftrace: fix kernel stack backchain walking
With CONFIG_IRQSOFF_TRACER the trace_hardirqs_off() function includes
a call to __builtin_return_address(1). But we calltrace_hardirqs_off()
from early entry code. There we have just a single stack frame.
So this results in a kernel stack backchain walk that would walk beyond
the kernel stack. Following the NULL terminated backchain this results
in a lowcore read access.

To fix this we simply call trace_hardirqs_off_caller() and pass the
current instruction pointer.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2008-11-14 18:18:53 +01:00
Heiko Carstens
632448f650 [S390] ftrace: disable tracing on idle psw
Disable tracing on idle psw. Otherwise it would give us huge
preempt off times for idle. Which is rather pointless.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2008-11-14 18:18:53 +01:00
Heiko Carstens
af4c68740e [S390] lockdep: fix compile bug
arch/s390/kernel/built-in.o: In function `cleanup_io_leave_insn':
mem_detect.c:(.text+0x10592): undefined reference to `lockdep_sys_exit'

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2008-11-14 18:18:53 +01:00
Christian Borntraeger
cc835f7872 [S390] kvm_s390: Fix oops in virtio device detection with "mem="
The current virtio model on s390 has the descriptor page above the main
memory. The guest virtio detection will oops if the mem= parameter is
used to reduce/change the memory size.
We have to use real_memory_size instead of max_pfn to detect the virtio
descriptor pages.

Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
2008-11-14 18:18:52 +01:00
Heiko Carstens
675be97a32 [S390] sclp: emit error message if assign storage fails
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2008-11-14 18:18:52 +01:00
Gerald Schaefer
fb2e7c5e33 [S390] Fix range for add_active_range() in setup_memory()
add_active_range() expects start_pfn + size as end_pfn value, i.e. not
the pfn of the last page frame but the one behind that.
We used the pfn of the last page frame so far, which can lead to a
BUG_ON in move_freepages(), when the kernelcore parameter is specified
(page_zone(start_page) != page_zone(end_page)).

Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2008-11-14 18:18:51 +01:00
Mauro Carvalho Chehab
01a1a3cc1e V4L/DVB (9624): CVE-2008-5033: fix OOPS on tvaudio when controlling bass/treble
This bug were supposed to be fixed by 5ba2f67afb,
where a call to NULL happens.

Not all tvaudio chips allow controlling bass/treble. So, the driver
has a table with a flag to indicate if the chip does support it.

Unfortunately, the handling of this logic were broken for a very long
time (probably since the first module version). Due to that, an OOPS
were generated for devices that don't support bass/treble.

This were the resulting OOPS message before the patch, with debug messages
enabled:

tvaudio' 1-005b: VIDIOC_S_CTRL
BUG: unable to handle kernel NULL pointer dereference at 00000000
IP: [<00000000>]
*pde = 22fda067 *pte = 00000000
Oops: 0000 [#1] SMP
Modules linked in: snd_hda_intel snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device
snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_hwdep snd soundcore tuner_simple tuner_types tea5767 tuner
tvaudio bttv bridgebnep rfcomm l2cap bluetooth it87 hwmon_vid hwmon fuse sunrpc ipt_REJECT
nf_conntrack_ipv4 iptable_filter ip_tables ip6t_REJECT xt_tcpudp nf_conntrack_ipv6 xt_state nf_conntrack
ip6table_filter ip6_tables x_tables ipv6 dm_mirrordm_multipath dm_mod configfs videodev v4l1_compat
ir_common 8139cp compat_ioctl32 v4l2_common 8139too videobuf_dma_sg videobuf_core mii btcx_risc tveeprom
i915 button snd_page_alloc serio_raw drm pcspkr i2c_algo_bit i2c_i801 i2c_core iTCO_wdt
iTCO_vendor_support sr_mod cdrom sg ata_generic pata_acpi ata_piix libata sd_mod scsi_mod ext3 jbdmbcache
uhci_hcd ohci_hcd ehci_hcd [last unloaded: soundcore]

Pid: 15413, comm: qv4l2 Not tainted (2.6.25.14-108.fc9.i686 #1)
EIP: 0060:[<00000000>] EFLAGS: 00210246 CPU: 0
EIP is at 0x0
EAX: 00008000 EBX: ebd21600 ECX: e2fd9ec4 EDX: 00200046
ESI: f8c0f0c4 EDI: f8c0f0c4 EBP: e2fd9d50 ESP: e2fd9d2c
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process qv4l2 (pid: 15413, ti=e2fd9000 task=ebe44000 task.ti=e2fd9000)
Stack: f8c0c6ae e2ff2a00 00000d00 e2fd9ec4 ebc4e000 e2fd9d5c f8c0c448 00000000
       f899c12a e2fd9d5c f899c154 e2fd9d68 e2fd9d80 c0560185 e2fd9d88 f8f3e1d8
       f8f3e1dc ebc4e034 f8f3e18c e2fd9ec4 00000000 e2fd9d90 f899c286 c008561c
Call Trace:
 [<f8c0c6ae>] ? chip_command+0x266/0x4b6 [tvaudio]
 [<f8c0c448>] ? chip_command+0x0/0x4b6 [tvaudio]
 [<f899c12a>] ? i2c_cmd+0x0/0x2f [i2c_core]
 [<f899c154>] ? i2c_cmd+0x2a/0x2f [i2c_core]
 [<c0560185>] ? device_for_each_child+0x21/0x49
 [<f899c286>] ? i2c_clients_command+0x1c/0x1e [i2c_core]
 [<f8f283d8>] ? bttv_call_i2c_clients+0x14/0x16 [bttv]
 [<f8f23601>] ? bttv_s_ctrl+0x1bc/0x313 [bttv]
 [<f8f23445>] ? bttv_s_ctrl+0x0/0x313 [bttv]
 [<f8b6096d>] ? __video_do_ioctl+0x1f84/0x3726 [videodev]
 [<c05abb4e>] ? sock_aio_write+0x100/0x10d
 [<c041b23e>] ? kmap_atomic_prot+0x1dd/0x1df
 [<c043a0c9>] ? enqueue_hrtimer+0xc2/0xcd
 [<c04f4fa4>] ? copy_from_user+0x39/0x121
 [<f8b622b9>] ? __video_ioctl2+0x1aa/0x24a [videodev]
 [<c04054fd>] ? do_notify_resume+0x768/0x795
 [<c043c0f7>] ? getnstimeofday+0x34/0xd1
 [<c0437b77>] ? autoremove_wake_function+0x0/0x33
 [<f8b62368>] ? video_ioctl2+0xf/0x13 [videodev]
 [<c048c6f0>] ? vfs_ioctl+0x50/0x69
 [<c048c942>] ? do_vfs_ioctl+0x239/0x24c
 [<c048c995>] ? sys_ioctl+0x40/0x5b
 [<c0405bf2>] ? syscall_call+0x7/0xb
 [<c0620000>] ? cpuid4_cache_sysfs_exit+0x3d/0x69
 =======================
Code:  Bad EIP value.
EIP: [<00000000>] 0x0 SS:ESP 0068:e2fd9d2c

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2008-11-14 14:39:47 -02:00
Mauro Carvalho Chehab
c6241b6c64 V4L/DVB (9623): tvaudio: Improve debug msg by printing something more human
Before the patch, the used ioctl were printed as an hexadecimal code,
hard to be understand without consulting the way _IO macros work.
Instead, use the V4L default handler for printing such errors into a way
that would be easier to understand.

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2008-11-14 14:24:45 -02:00
Mauro Carvalho Chehab
41f5230f3f V4L/DVB (9622): tvaudio: Improve comments and remove a unneeded prototype
Some comments are not clear enough. Improve it to allow a better
understanding of the driver behavior.

While there, remove an unneeded struct prototype.

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2008-11-14 14:24:45 -02:00
Mauro Carvalho Chehab
494264379d V4L/DVB (9621): Avoid writing outside shadow.bytes[] array
There were no check about the limits of shadow.bytes array. This offers
a risk of writing values outside the limits, overriding other data
areas.

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2008-11-14 14:24:45 -02:00
Mauro Carvalho Chehab
81cb5c4f7f V4L/DVB (9620): tvaudio: use a direct reference for chip description
Instead of storing the pointer for the proper entry at chip description
table, the driver were storing an indirect reference, by using an index.
Better to reference directly the data.

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2008-11-14 14:24:45 -02:00
Mauro Carvalho Chehab
b4ab114cf7 V4L/DVB (9619): tvaudio: update initial comments
A driver used on several bttv boards since 2000 is not experimental
anymore ;) Remove it from the comments.

While there, update copyrights addind a quick note about the "recent"
updates since 2005.

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2008-11-14 14:24:44 -02:00
Mauro Carvalho Chehab
099b7fcc77 V4L/DVB (9618): tvaudio: add additional logic to avoid OOPS
This patch checks for volume, bass, treble, set mode and get mode
callbacks before actually enabling the code that would use them.

Instead of aborting the driver for load, this patch will allow it to
load with a reduced number of functionatities.

This prevents OOPS if some board entry is missing a needed callback.

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2008-11-14 14:24:44 -02:00
Mauro Carvalho Chehab
dd03e970a1 V4L/DVB (9617): tvtime: remove generic_checkmode callback
generic_checkmode() were called, via a callback, for some tvaudio chips.
There's just one callback code used on all those boards. So, it makes no
sense on keeping this as a callback.

Since there were some OOPS reported on tvaudio on kerneloops.org, this
patch removes this callback, adding the code at the only place were it
is called: inside chip_tread. A flag were added to indicate the need for
a kernel thread to set stereo mode on cards that needs it.

Using this more direct approach simplifies the code, making it more
robust against human errors.

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2008-11-14 14:24:44 -02:00
Mauro Carvalho Chehab
af1a9951fc V4L/DVB (9616): tvaudio: cleanup - group all callbacks together
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2008-11-14 14:24:44 -02:00
Mauro Carvalho Chehab
04e6f99025 V4L/DVB (9615): tvaudio: instead of using a magic number, use ARRAY_SIZE
Also, the default standard is the first one. So, fix the comment at the
array.

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2008-11-14 14:24:44 -02:00
Mauro Carvalho Chehab
5c65335103 V4L/DVB (9613): tvaudio: fix a memory leak
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2008-11-14 14:24:44 -02:00
Jiri Slaby
131d3a7a00 HID: don't grab devices with no input
Some devices have no input interrupt endpoint. These won't be handled
by usbhid, but currently they are not refused and reside on hid bus.

Perform this checking earlier so that we refuse to control such
a device early enough (and not pass it to the hid bus at all).

Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2008-11-14 14:10:01 +01:00
Linus Torvalds
9c7c354645 Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6: (25 commits)
  USB: net: asix: add support for Cables-to-Go USB Ethernet adapter
  USB: gadget: cdc-acm deadlock fix
  USB: EHCI: fix divide-by-zero bug
  USB: EHCI: fix handling of dead controllers
  usb: r8a66597-hcd: fix wrong data access in SuperH on-chip USB
  ub: stub pre_reset and post_reset to fix oops
  USB: SISUSB2VGA driver: add 0x0711, 0x0903
  usb: unusual devs patch for Nokia 7610 Supernova
  USB: remove optional bus bindings in isp1760, fixing runtime warning
  + usb-serial-cp2101-add-enfora-gsm2228.patch added to -mm tree
  USB: storage: adjust comment in Kconfig
  USB: Fix PS3 USB shutdown problems
  USB: unusual_devs entry for Argosy USB mass-storage interface
  USB: cdc-acm.c: fix recursive lock in acm_start_wb error path
  USB: CP2101 Add device ID for AMB2560
  USB: mention URB_FREE_BUFFER in usb_free_urb documentation
  USB: Add YISO u893 usb modem vendor and product IDs to option driver
  usb: musb: fix BULK request on different available endpoints
  usb: musb: fix debug global variable name
  usb: musb: Removes compilation warning in gadget mode
  ...
2008-11-13 15:55:07 -08:00
Linus Torvalds
7e5b95f1ba Merge git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-2.6-dm
* git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-2.6-dm:
  dm: avoid destroying table in dm_any_congested
  dm: move pending queue wake_up end_io_acct
  dm mpath: warn if args ignored
  dm mpath: avoid attempting to activate null path
  dm stripe: fix init failure
  dm raid1: flush workqueue before destruction
2008-11-13 15:53:30 -08:00
Chandra Seetharaman
8a57dfc6f9 dm: avoid destroying table in dm_any_congested
dm_any_congested() just checks for the DMF_BLOCK_IO and has no
code to make sure that suspend waits for dm_any_congested() to
complete.  This patch adds such a check.

Without it, a race can occur with dm_table_put() attempting to
destroying the table in the wrong thread, the one running
dm_any_congested() which is meant to be quick and return
immediately.

Two examples of problems:
1. Sleeping functions called from congested code, the caller
   of which holds a spin lock.
2. An ABBA deadlock between pdflush and multipathd. The two locks
   in contention are inode lock and kernel lock.

Signed-off-by: Chandra Seetharaman <sekharan@us.ibm.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
2008-11-13 23:39:14 +00:00