ide: make legacy IDE VLB modules check for the "probe" kernel params (v2)
Legacy IDE VLB host drivers didn't check for "probe" options when compiled
as modules, which was obviously wrong as we don't want module to poke at
random I/O ports by simply loading it. Fix it by adding "probe" module param
to legacy IDE VLB host drivers.
v2:
* don't obsolete old "ide0=dtc2278/ht6560b/qd65xx/ali14xx/umc8672"
IDE driver options yet (per Alan Cox's request) and enhance documentation
Akira Iguchi [Sat, 3 Mar 2007 16:48:55 +0000 (17:48 +0100)]
scc_pata: bugfix for checking DMA IRQ status
On Tuesday 27 February 2007, Akira Iguchi wrote:
>
> But since I sent the first patch, I found a bug for checking DMA IRQ status.
> (http://www.spinics.net/lists/linux-ide/msg06903.html)
> Then I sent the fixed patch for libata only. So my drivers/ide patch
> still has same bug and I want to fix it, too.
>
> The following patch fixes this bug. Please apply this patch.
Jan Beulich [Sat, 3 Mar 2007 16:48:54 +0000 (17:48 +0100)]
adjust legacy IDE resource setting (v2)
The change to force legacy mode IDE channels' resources to fixed non-zero
values confuses (at least some versions of) X, because the values reported
by the kernel and those readable from PCI config space aren't consistent
anymore. Therefore, this patch arranges for the respective BARs to also
get updated if possible.
Signed-off-by: Jan Beulich <jbeulich@novell.com> Acked-by: Alan Cox <alan@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Andrew Morton [Sat, 3 Mar 2007 16:48:54 +0000 (17:48 +0100)]
ide: fix pmac breakage
Fix breakage added in the IDE devel tree.
Add header, then fix
drivers/ide/ppc/pmac.c: In function `pmac_ide_setup_dma':
drivers/ide/ppc/pmac.c:2044: warning: assignment from incompatible pointer type
drivers/ide/ppc/pmac.c: In function `pmac_ide_dma_host_on':
drivers/ide/ppc/pmac.c:1989: warning: control reaches end of non-void function
include/linux/pci.h: In function `pmac_ide_init':
drivers/ide/ppc/pmac.c:1563: warning: ignoring return value of `pci_register_driver', declared with attribute warn_unused_result
Then add some apparently-long-missing error handling.
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Paul Mackerras <paulus@samba.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
The function ide_get_best_pio_mode() fails to return the correct IORDY setting
for the explicitly specified modes -- fix this along with the heading comment,
and also remove the long commented out code.
Also, while at it, correct the misleading comment about the PIO cycle time in
<linux/ide.h> -- it actually consists of only the active and recovery periods,
with only some chips also including the address setup time into equation...
[ bart: sl82c105 seems to be currently the only driver affected by this fix ]
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Sergei Shtylyov [Sat, 3 Mar 2007 16:48:53 +0000 (17:48 +0100)]
piix/slc90e66: more tuneproc() fixing (take 2)
The tuneproc() method in both these drivers failed to set the drive's own speed.
Fix this by renaming the function and "wrapping around it" the new tuneproc()
method. Switch back to calling tuneproc() in the PIO fallback code.
While at it, also convert the rest of the PIO timing code into proper C. :-)
Has been kind of tested on SLC90E66. I'm too lazy to reboot my box and test
on ICH4... :-)
[ bart: I quickly tested it on ICH4. ]
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Tejun Heo [Sat, 3 Mar 2007 16:48:53 +0000 (17:48 +0100)]
ide: fix drive side 80c cable check, take 2
eighty_ninty_three() had word 93 validity check but not the 80c bit
test itself (bit 13). This increases the chance of incorrect wire
detection especially because host side cable detection is often
unreliable and we sometimes solely depend on drive side cable
detection. Fix it.
[ bart: fix off-by-1 bit name in the patch description ]
Sergei Shtylyov [Sat, 3 Mar 2007 16:48:53 +0000 (17:48 +0100)]
cmd64x: fix PIO mode setup (take 3)
The driver's tuneproc() method fails to set the drive's own speed -- fix this
by renaming the function to cmd64x_tune_pio(), making it return the mode set,
and "wrapping" the new tuneproc() method around it; while at it, also get rid
of the non-working prefetch control code (filtering out related argument values
in the "wrapper"), remove redundant PIO5 mode limitation, make cmdprintk() give
more sensible mode info, and remove mention about the obsolete /proc/ interface.
Get rid of the broken config_chipset_for_pio() which always tried to set PIO4,
switch to always auto-tuning PIO instead.
Oh, and add the missing PIO5 support to the speedproc() method while at it. :-)
Warning: compile tested only -- getting to the real hardware isn't that easy...
On Tuesday 06 February 2007 22:11, Mikael Pettersson <mikpe@it.uu.se> wrote:
>
> Worked fine on my SPARC Ultra5 with a CMD646 IDE controller.
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Sergei Shtylyov [Sat, 3 Mar 2007 16:48:52 +0000 (17:48 +0100)]
alim15x3: fix PIO mode setup
The driver's tuneproc() method fails to set the drive's own speed -- fix this
by renaming the function to ali15x3_tune_pio() and "wrapping" the new tuneproc()
method around it and making it return the mode set, update the heading comment.
Also, setting PIO mode via the speedproc() method does not work due to passing
to the tuneproc() method's a mode number not biased by XFER_PIO_0 -- fix this
along with a typo in the heading comment...
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Michael Krufky [Sat, 3 Mar 2007 12:10:43 +0000 (10:10 -0200)]
V4L/DVB (5260): Cx88-blackbird: allow usage of both 376836 and 262144 sized firmware images
This updates the cx88-blackbird driver to be able to use the new cx23416
firmware image released by Hauppauge Computer Works, while retaining
compatibility with the older firmware images.
cx2341x firmware can be downloaded at: http://dl.ivtvdriver.org/ivtv/firmware/
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Russell King [Sat, 3 Mar 2007 11:54:19 +0000 (11:54 +0000)]
[ARM] EBSA110: Work around build errors
Work around EBSA110 build errors by selecting NO_IOPORT. EBSA110
can't support an IO port to MMIO mapping mechanism because the
MMIO and IO port spaces have quite different and complex addressing
requirements.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Dan Aloni [Sat, 3 Mar 2007 04:44:51 +0000 (20:44 -0800)]
[VLAN]: Avoid a 4-order allocation.
This patch splits the vlan_group struct into a multi-allocated struct. On
x86_64, the size of the original struct is a little more than 32KB, causing
a 4-order allocation, which is prone to problems caused by buddy-system
external fragmentation conditions.
I couldn't just use vmalloc() because vfree() cannot be called in the
softirq context of the RCU callback.
Signed-off-by: Dan Aloni <da-x@monatomic.org> Acked-by: Jeff Garzik <jeff@garzik.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Paul Moore [Fri, 2 Mar 2007 21:19:02 +0000 (13:19 -0800)]
[NetLabel]: Verify sensitivity level has a valid CIPSO mapping
The current CIPSO engine has a problem where it does not verify that
the given sensitivity level has a valid CIPSO mapping when the "std"
CIPSO DOI type is used. The end result is that bad packets are sent
on the wire which should have never been sent in the first place.
This patch corrects this problem by verifying the sensitivity level
mapping similar to what is done with the category mapping. This patch
also changes the returned error code in this case to -EPERM to better
match what the category mapping verification code returns.
Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
[PPPOE]: Key connections properly on local device.
It is based on the assumption that an interface's ifindex is basically
an alias for a local MAC address, so incoming packets now are matched
to sockets based on remote MAC, session id, and ifindex of the
interface the packet came in on/the socket was bound to by connect().
For relayed packets, the socket that's used for relaying is selected
based on destination MAC, session ID and the interface index of the
interface whose name currently matches the name requested by userspace
as the relaying source interface.
Signed-off-by: David S. Miller <davem@davemloft.net>
Wei Dong [Fri, 2 Mar 2007 20:37:26 +0000 (12:37 -0800)]
[NET]: Fix bugs in "Whether sock accept queue is full" checking
when I use linux TCP socket, and find there is a bug in function
sk_acceptq_is_full().
When a new SYN comes, TCP module first checks its validation. If valid,
send SYN,ACK to the client and add the sock to the syn hash table. Next
time if received the valid ACK for SYN,ACK from the client, the server will
accept this connection and increase the sk->sk_ack_backlog -- which is
done in function tcp_check_req(). We check whether acceptq is full in
function tcp_v4_syn_recv_sock().
Consider an example:
After listen(sockfd, 1) system call, sk->sk_max_ack_backlog is set to
1. As we know, sk->sk_ack_backlog is initialized to 0. Assuming accept()
system call is not invoked now.
1. 1st connection comes. invoke sk_acceptq_is_full().
sk->sk_ack_backlog=0 sk->sk_max_ack_backlog=1, function return 0 accept
this connection. Increase the sk->sk_ack_backlog
2. 2nd connection comes. invoke sk_acceptq_is_full().
sk->sk_ack_backlog=1 sk->sk_max_ack_backlog=1, function return 0 accept
this connection. Increase the sk->sk_ack_backlog
3. 3rd connection comes. invoke sk_acceptq_is_full().
sk->sk_ack_backlog=2 sk->sk_max_ack_backlog=1, function return 1. Refuse
this connection.
I think it has bugs. after listen system call. sk->sk_max_ack_backlog=1
but now it can accept 2 connections.
Signed-off-by: Wei Dong <weid@np.css.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
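The accept-queue walk-through in the commit message above, as an added example (not code from the kernel tree or from the patch). The struct and function names are hypothetical stand-ins; the first check is inferred from the return values the message lists, and the stricter `>=` comparison is an assumption shown only for contrast.

```c
#include <stdio.h>

/* Hypothetical stand-in for the two struct sock fields named in the message. */
struct acceptq {
    unsigned int ack_backlog;     /* models sk->sk_ack_backlog     */
    unsigned int max_ack_backlog; /* models sk->sk_max_ack_backlog */
};

typedef int (*full_fn)(const struct acceptq *);

/* Behaviour listed in the message: 0 at backlog 0 and 1, 1 at backlog 2
 * (with max = 1), i.e. "full" only once the count exceeds the limit. */
static int acceptq_is_full_described(const struct acceptq *q)
{
    return q->ack_backlog > q->max_ack_backlog;
}

/* Assumed stricter comparison: "full" as soon as the limit is reached. */
static int acceptq_is_full_strict(const struct acceptq *q)
{
    return q->ack_backlog >= q->max_ack_backlog;
}

/* Model `attempts` completed handshakes arriving after listen(fd, backlog)
 * while the application never calls accept(). Returns how many connections
 * end up queued, which is the memory the listener holds on the peers' behalf. */
static unsigned int admitted_without_accept(unsigned int backlog,
                                            unsigned int attempts,
                                            full_fn is_full)
{
    struct acceptq q = { 0, backlog };
    unsigned int admitted = 0;

    for (unsigned int i = 0; i < attempts; i++) {
        if (is_full(&q))
            continue;          /* connection refused, counter unchanged */
        q.ack_backlog++;       /* connection queued for accept()        */
        admitted++;
    }
    return admitted;
}

int main(void)
{
    /* The message's scenario: listen(sockfd, 1), three connections. */
    printf("described check: %u queued\n",
           admitted_without_accept(1, 3, acceptq_is_full_described));
    printf("strict check:    %u queued\n",
           admitted_without_accept(1, 3, acceptq_is_full_strict));
    return 0;
}
```

With the check as described, a listener always queues one connection more than the backlog it asked for, so capacity planning for an unaccepted-connection flood has to assume backlog + 1 entries per listening socket.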
The information contained within platform_data should be self-contained.
Replace the pointer to a MAC address with the actual MAC address in
struct mv643xx_eth_platform_data.
Signed-off-by: Dale Farnsworth <dale@farnsworth.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
Ralf Baechle [Tue, 27 Feb 2007 18:15:01 +0000 (18:15 +0000)]
jmr3927: do not call tc35815_killall().
No need to stop tc35815 before resetting the board. This fixes the
build of tc35815 as a module. This also means there is no caller of
tc35815_killall left, so remove that function also.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
David S. Miller [Fri, 2 Mar 2007 02:29:14 +0000 (18:29 -0800)]
[RADEON]: Fix blanking return value.
If you'll recall, over a year ago, I pointed out that the current
Radeon driver erroneously returns -EINVAL for valid blanking codes,
here is a link to that thread:
http://lkml.org/lkml/2006/1/28/6
No other driver does this, and it confuses the X server into thinking
that the device does not support blanking properly.
I looked again and there is simply no reason for the Radeon driver to
return -EINVAL for FB_BLANK_NORMAL. It claims it wants to do this in
order to convince fbcon to blank in software, right here:
    if (fb_blank(info, blank))
        fbcon_generic_blank(vc, info, blank);
to software blank the screen. But it only causes that to happen
in the FB_BLANK_NORMAL case.
That makes no sense because the Radeon code does this:
val |= CRTC_DISPLAY_DIS;
in the FB_BLANK_NORMAL case so should be blanking the hardware, and
there is therefore no reason to SW blank by returning -EINVAL.
Signed-off-by: David S. Miller <davem@davemloft.net> Acked-by: Antonino Daplas <adaplas@gmail.com>
Alan Cox noticed several hooks in pata_* drivers were missing, when
he authored his ->cable_detect hook patches. This patch extracts
just those fixes from Alan's patches, adding the necessary hooks
(usually ->freeze, ->thaw, and ->post_internal_cmd) to the drivers.
Jeff Garzik [Fri, 2 Mar 2007 22:47:28 +0000 (17:47 -0500)]
[libata] change master/slave IDENTIFY order
2.6.21-rc has horrible problems with libata and PATA cable types (and
thus speeds). This occurs because Tejun fixed a pile of other bugs and
we now do cable detect enforcement for drive side detection properly.
Unfortunately we don't do the process around cable detection right. Tejun
identified the problem and pointed to the right Annex in the spec, this patch
implements the needed changes.
The basic requirement is that we have to identify the slave before the
master.
The patch switches the identify order so that we can do the drive side
detection correctly.
[NOTE: patch and description extracted from a larger work written
and signed-off-by Alan Cox]
Alan [Thu, 1 Mar 2007 17:36:46 +0000 (17:36 +0000)]
libata-core: Fix simplex handling
The initial simplex handling code is fooled if you suspend and resume.
This also causes problems with some single channel controllers which
claim to be simplex.
The fix is fairly simple, instead of keeping a flag to remember if we
gave away the simplex channel we remember the actual owner. As the owner
is always part of the host_set we don't even need a refcount.
Knowing the owner also means we can reassign simplex DMA channels in
future hotplug code etc if we need to
Signed-off-by: Alan Cox <alan@redhat.com>
(and a signed-off for the patch I sent before while I remember) Signed-off-by: Jeff Garzik <jeff@garzik.org>
Catalin Marinas [Wed, 28 Feb 2007 11:30:38 +0000 (12:30 +0100)]
[ARM] 4241/1: Define mb() as compiler barrier on a uniprocessor system
Currently, the mb() is defined as a DMB operation on ARMv6, even for
UP systems. This patch defines mb() as a compiler barrier only. For
the SMP case, the smp_* variants should be used anyway and the patch
defines them as DMB.
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Ben Dooks [Tue, 27 Feb 2007 23:16:26 +0000 (00:16 +0100)]
[ARM] 4238/1: S3C24XX: docs: update suspend and resume
Remove some of the explicit use of S3C2410 where
it is generic to all the S3C24XX series. Add more
info on the CRC code, and add an example of using
IRQ_EINT0 to resume from suspend
Signed-off-by: Ben Dooks <ben-linux@fluff.org> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Matthew Percival [Fri, 26 Jan 2007 00:24:29 +0000 (16:24 -0800)]
ARM: OMAP: dmtimer.c omap1 register fix
When I went to use dmtimer7 it did not seem to work. I noticed that
the base addresses for dmtimers 7 and 8 were set wrong. A simple patch
to correct a small error. Confirmed to fix the problem on an OSK.
Signed-off-by: Matthew Percival <matthew@capgo.com> Signed-off-by: Tony Lindgren <tony@atomide.com>
Arnaud Patard [Thu, 7 Dec 2006 01:14:06 +0000 (17:14 -0800)]
ARM: OMAP: board-nokia770: correct lcd name
Some time ago, the 'lcd_lph8923' device was renamed to 'lcd_mipid' but
the board-nokia770.c file was not updated accordingly, leading to not
working lcd.
This one-liner fixes the trouble.
Signed-off-by: Arnaud Patard <arnaud.patard@rtp-net.org> Signed-off-by: Tony Lindgren <tony@atomide.com>
Dirk Behme [Thu, 7 Dec 2006 01:14:04 +0000 (17:14 -0800)]
ARM: OMAP: Fix warning in mach-omap1
Fix warning
arch/arm/mach-omap1/pm.c: In function 'omap_pm_init':
arch/arm/mach-omap1/pm.c:765: warning: ignoring return value
of 'subsys_create_file', declared with attribute
warn_unused_result
Signed-off-by: Dirk Behme <dirk.behme_at_gmail.com> Signed-off-by: Tony Lindgren <tony@atomide.com>
Dirk Behme [Thu, 7 Dec 2006 01:14:00 +0000 (17:14 -0800)]
ARM: OMAP: Fix warning in mach-omap2
Fix warning
arch/arm/mach-omap2/timer-gp.c: In function
'omap2_gp_timer_init':
arch/arm/mach-omap2/timer-gp.c:70: warning: implicit
declaration of function 'setup_irq'
Signed-off-by: Dirk Behme <dirk.behme_at_gmail.com> Signed-off-by: Tony Lindgren <tony@atomide.com>
Dirk Behme [Thu, 7 Dec 2006 01:14:00 +0000 (17:14 -0800)]
ARM: OMAP: Fix warnings in plat-omap
Fix warnings
arch/arm/plat-omap/dmtimer.c: In function
'omap_dm_timer_modify_idlect_mask':
arch/arm/plat-omap/dmtimer.c:317: warning: no return
statement in function returning non-void
arch/arm/plat-omap/mailbox.c: In function 'omap_mbox_init':
arch/arm/plat-omap/mailbox.c:231: warning: ignoring return
value of 'class_device_create_file', declared with attribute
warn_unused_result
Signed-off-by: Dirk Behme <dirk.behme_at_gmail.com> Signed-off-by: Tony Lindgren <tony@atomide.com>
Timo Teras [Thu, 7 Dec 2006 01:13:52 +0000 (17:13 -0800)]
ARM: OMAP: Proper handling of DMA4_IRQSTATUS_L0
The register bits are reset by writing one. Remove the unneeded reads and
fix writes to not clear too many bits.
Signed-off-by: Timo Teras <timo.teras@solidboot.com> Signed-off-by: Juha Yrjola <juha.yrjola@solidboot.com> Signed-off-by: Tony Lindgren <tony@atomide.com>
Dirk Behme [Thu, 7 Dec 2006 01:13:51 +0000 (17:13 -0800)]
ARM: OMAP: Fix warning in clock.c
Fix warning:
arch/arm/mach-omap1/clock.c: In function
'omap1_clk_enable_generic':
arch/arm/mach-omap1/clock.c:499: warning: 'return' with no
value, in function returning non-void
Signed-off-by: Dirk Behme <dirk.behme_at_gmail.com> Signed-off-by: Tony Lindgren <tony@atomide.com>
ARM: OMAP: correct misc 15xx and non-15xx platform code
Disable accesses to SOFT_REQ_REG2 and ULPD_SOFT_DISABLE_REQ_REG
registers for 15xx processors that don't have these registers. Enable
level 2 interrupt handler for processors that identify as OMAP 15xx
(e.g 310) and not 1510 specifically. Also fix the following compiler
warning (only visible with CONFIG_OMAP_RESET_CLOCKS):
arch/arm/mach-omap1/clock.c: In function 'omap1_clk_disable_unused':
arch/arm/mach-omap1/clock.c:634: warning: 'return' with a value, in
function returning void
Signed-off-by: Andrzej Zaborowski <balrog@zabor.org> Signed-off-by: Tony Lindgren <tony@atomide.com>
Linus Torvalds [Fri, 2 Mar 2007 03:48:21 +0000 (19:48 -0800)]
Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev:
ahci: improve spurious SDB FIS handling
ahci/pata_jmicron: match class not function number
jmicron ATA: reimplement jmicron ATA quirk
pata_jmicron: drop unnecessary device programming in [re]init
libata: blacklist FUJITSU MHT2060BH for NCQ
sata_sil24: kill unused local variable idx in sil24_fill_sg()
libata: clear drvdata in ata_host_release(), take#2
Linus Torvalds [Fri, 2 Mar 2007 01:30:51 +0000 (17:30 -0800)]
Merge branch 'for-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jikos/hid
* 'for-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jikos/hid:
HID: fix Logitech DiNovo Edge touchwheel and Logic3 /SpectraVideo middle button
HID: add git tree information to MAINTAINERS
HID: fix broken Logitech S510 keyboard report descriptor; make extra keys work
HID: fix possible double-free on error path in hid parser
HID: hid-debug.c should #include <linux/hid-debug.h>
HID: fix bug in zeroing the last field byte in output reports
USB HID: use CONFIG_HID_DEBUG for outputting report descriptor
USB HID: Fix USB vendor and product IDs endianness for USB HID devices
Tejun Heo [Tue, 27 Feb 2007 04:24:19 +0000 (13:24 +0900)]
ahci: improve spurious SDB FIS handling
Spurious SDB FIS during NCQ might not contain spurious completions.
It could be spurious TF update or invalid async notification. Treat
as HSM violation iff a spurious SDB FIS contains spurious completions;
otherwise, just whine once about it.
Signed-off-by: Tejun Heo <htejun@gmail.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
Tejun Heo [Mon, 26 Feb 2007 11:24:03 +0000 (20:24 +0900)]
ahci/pata_jmicron: match class not function number
Make jmiron_ata quirk update pdev->class after programming the device
and update ahci and pata_jmicron such that they match class code
instead of checking function number manually. For ahci, it matches
for vendor and class. For pata_jmicron, it matches vendor, device and
class as IDE class isn't as well defined as AHCI class.
This makes jmicron device matching more conventional and script
friendly.
Signed-off-by: Tejun Heo <htejun@gmail.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
Tejun Heo [Mon, 26 Feb 2007 11:16:13 +0000 (20:16 +0900)]
jmicron ATA: reimplement jmicron ATA quirk
Reimplement jmicron ATA quirk.
* renamed to quirk_jmicron_ata()
* quirk is invoked only for the affected controllers
* programming is stricter. e.g. conf5 bit24 is cleared if
unnecessary.
* code factored for readability
* JMB360 and JMB368 are programmed into proper mode
Verified on JMB360, 363 and 368.
Signed-off-by: Tejun Heo <htejun@gmail.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
Tejun Heo [Mon, 26 Feb 2007 11:09:02 +0000 (20:09 +0900)]
pata_jmicron: drop unnecessary device programming in [re]init
Channel redirect and AHCI mode enable programmings are done via PCI
quirk for both probe and resume paths. Drop duplicate and possibly
unsafe device programming from pata_jmicron().
Signed-off-by: Tejun Heo <htejun@gmail.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
Adam Litke [Thu, 1 Mar 2007 23:46:08 +0000 (15:46 -0800)]
[PATCH] Fix get_unmapped_area and fsync for hugetlb shm segments
This patch provides the following hugetlb-related fixes to the recent stacked
shm files changes:
- Update is_file_hugepages() so it will recognize hugetlb shm segments.
- get_unmapped_area must be called with the nested file struct to handle
the sfd->file->f_ops->get_unmapped_area == NULL case.
- The fsync f_op must be wrapped since it is specified in the hugetlbfs
f_ops.
This is based on proposed fixes from Eric Biederman that were debugged and
tested by me. Without it, attempting to use hugetlb shared memory segments
on powerpc (and likely ia64) will kill your box.
Signed-off-by: Adam Litke <agl@us.ibm.com> Cc: Eric Biederman <ebiederm@xmission.com> Cc: Andrew Morton <akpm@linux-foundation.org> Acked-by: William Irwin <bill.irwin@oracle.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[PATCH] tty_io: fix race in master pty close/slave pty close path
This patch fixes a possible race that leads to double freeing an idr index.
When the master begin to close, release_dev() is called and then
pty_close() is called:
    if (tty->driver->close)
        tty->driver->close(tty, filp);
This is done without holding any locks other than BKL. Inside pty_close(),
being a master close, the devpts entry will be removed:
    #ifdef CONFIG_UNIX98_PTYS
    if (tty->driver == ptm_driver)
        devpts_pty_kill(tty->index);
    #endif
But devpts_pty_kill() will call get_node() that may sleep while waiting for
&devpts_root->d_inode->i_sem. When this happens and the slave is being
opened, tty_open() just found the driver and index:
This part of the code is already protected under tty_mutex. The problem is
that the slave close already got an index. Then init_dev() is called and
blocks waiting for the same &devpts_root->d_inode->i_sem.
When the master close resumes, it removes the devpts entry, and the
relation between idr index and the tty is gone. The master then sleeps
waiting for the tty_mutex on release_dev().
Slave open resumes and found no tty for that index. As result, a NULL tty
is returned and init_dev() doesn't flow to fast_track:
    /* check whether we're reopening an existing tty */
    if (driver->flags & TTY_DRIVER_DEVPTS_MEM) {
        tty = devpts_get_tty(idx);
        if (tty && driver->subtype == PTY_TYPE_MASTER)
            tty = tty->link;
    } else {
        tty = driver->ttys[idx];
    }
    if (tty) goto fast_track;
The result of this is that a new tty will be created and init_dev() returns
successfully. After returning, tty_mutex is dropped and master close may resume.
Master close finds it's the only use and both sides are closing, then releases
the tty and the index. At this point, the idr index is free, but slave still
has it.
Slave open then calls pty_open() and finds that tty->link->count is 0,
because there's no master and returns error. Then tty_open() calls
release_dev() which executes without any warning, as it was a case of last
slave close when the master is already closed (master->count == 0,
slave->count == 1). The tty is then released with the already released idr
index.
This normally would only issue a warning on idr_remove() but in case of a
customer's critical application, it's never too simple:
thread1: opens master, gets index X
thread1: begin closing master
thread2: begin opening slave with index X
thread1: finishes closing master, index X released
thread3: opens master, gets index X, just released
thread2: fails opening slave, releases index X <----
thread4: opens master, gets index X, init_dev() then find an already in use
and healthy tty and fails
If no more indexes are released, ptmx_open() will keep failing, as the
first free index available is X, and it will make init_dev() fail because
you're trying to "reopen a master" which isn't valid.
The patch notices when this race happens and makes init_dev() fail
immediately. The init_dev() function is called with tty_mutex held, so it's
safe to continue with tty till the end of function because release_dev()
won't make any further changes without grabbing the tty_mutex.
Without the patch, on some machines it's possible to easily get idr warnings
like this one:
idr_remove called for id=15 which is not allocated.
[<c02555b9>] idr_remove+0x139/0x170
[<c02a1b62>] release_mem+0x182/0x230
[<c02a28e7>] release_dev+0x4b7/0x700
[<c02a0ea7>] tty_ldisc_enable+0x27/0x30
[<c02a1e64>] init_dev+0x254/0x580
[<c02a0d64>] check_tty_count+0x14/0xb0
[<c02a4f05>] tty_open+0x1c5/0x340
[<c02a4d40>] tty_open+0x0/0x340
[<c017388f>] chrdev_open+0xaf/0x180
[<c017c2ac>] open_namei+0x8c/0x760
[<c01737e0>] chrdev_open+0x0/0x180
[<c0167bc9>] __dentry_open+0xc9/0x210
[<c0167e2c>] do_filp_open+0x5c/0x70
[<c0167a91>] get_unused_fd+0x61/0xd0
[<c0167e93>] do_sys_open+0x53/0x100
[<c0167f97>] sys_open+0x27/0x30
[<c010303b>] syscall_call+0x7/0xb
using this test application available on:
http://www.ruivo.org/~aris/pty_sodomizer.c
Signed-off-by: Aristeu Sergio Rozanski Filho <aris@ruivo.org> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Karsten Keil [Thu, 1 Mar 2007 04:13:50 +0000 (20:13 -0800)]
[PATCH] Fix buffer overflow and races in capi debug functions
The CAPI trace debug functions were using a fixed size buffer, which can be
overflowed if wrongly formatted CAPI messages were sent to the kernel capi
layer. The code was also not protected against multiple callers. This fixes
bug 8028.
Additionally the patch makes the CAPI trace functions optional.