Steve French [Wed, 17 Oct 2007 18:01:11 +0000 (18:01 +0000)]
[CIFS] fix bad handling of EAGAIN error on kernel_recvmsg in cifs_demultiplex_thread
When kernel_recvmsg returns -EAGAIN or -ERESTARTSYS, then
cifs_demultiplex_thread sleeps for a bit and then tries the read again.
When it does this, it's not zeroing out the length and that throws off
the value of total_read. Fix it to zero out the length.
Can cause memory corruption:
If kernel_recvmsg returns an error and total_read is a large enough
value, then we'll end up going through the loop again. total_read will
be a bogus value, as will (pdu_length-total_read). When this happens we
end up calling kernel_recvmsg with a bogus value (possibly larger than
the current iov_len).
At that point, memcpy_toiovec can overrun iov. It will start walking
up the stack, casting other things that are there to struct iovecs
(since it assumes that it's been passed an array of them). Any pointer
on the stack at an address above the kvec is a candidate for corruption
here.
Many thanks to Ulrich Obergfell for pointing this out.
Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Jeff Layton [Tue, 16 Oct 2007 16:50:25 +0000 (16:50 +0000)]
[CIFS]
[CIFS] fix error message about packet signing
When packet signing is disabled and the server requires it, cifs prints
an error message. The current message refers to a file in /proc that no
longer exists. Fix it to refer to the correct file.
Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Steve French [Thu, 4 Oct 2007 20:05:09 +0000 (20:05 +0000)]
[CIFS] Fix cifsd so shuts down when signing fails during mount
Fixes two problems:
1) we dropped down to negotiating lanman if we did not recognize the
mechanism (krb5 e.g.)
2) we did not stop cifsd (thus will fail when doing rmod cifs with
slab free errors) when we fail tcon but have a bad session (which is
the case in which signing is required but we don't allow signing on
the client)
It also turns on extended security flag in the header when passing
"sec=krb5" on mount command (although kerberos support is not done of
course)
Acked-by: Jeff Layton <jlayton@redhat.com> CC: Shaggy <shaggy@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
This patch does kmalloc + memset conversion to kzalloc and removes some
redundant argument checks.
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Steve French <sfrench@us.ibm.com>
Steve French [Tue, 2 Oct 2007 01:11:08 +0000 (01:11 +0000)]
[CIFS] Reduce chance of list corruption in find_writable_file
When find_writable_file is racing with close and the session
to the server goes down, Shaggy noticed that there was a
chance that an open file in the list of files off the inode
could have been freed by close since cifs_reconnect can
block (the spinlock thus not held). This means that
we have to start over at the beginning of the list in some
cases.
There is a 2nd change that needs to be made later
(pointed out by Jeremy Allison and Shaggy) in order to
prevent cifs_close ever freeing the cifs per file info
when a write is pending. Although we delay close from
freeing this memory for sufficiently long for all known
cases, ultimately on a very, very slow write
overlapping a close pending we need to allow close to return
(without freeing the cifs file info) and defer freeing the
memory to be the responsibility of the (sloooow) write
thread (presumably have to look at every place wrtPending
is decremented - and add a flag for deferred free for
after wrtPending goes to zero).
Acked-by: Shaggy <shaggy@us.ibm.com> Acked-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Steve French [Fri, 28 Sep 2007 22:28:55 +0000 (22:28 +0000)]
[CIFS] CIFS support for named pipes (part 1)
This allows cifs to mount to ipc shares (IPC$)
which will allow user space applications to
layer over authenticated cifs connections
(useful for Wine and others that would want
to put DCE/RPC over CIFS or run CIFS named
pipes)
Acked-by: Rob Shearman <rob@codeweavers.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Steve French [Thu, 20 Sep 2007 15:16:24 +0000 (15:16 +0000)]
[CIFS] Add warning message when broken server fails SetFSInfo call
A reasonably common NAS server returns an error on the SetFSInfo of
the Unix capabilities. Log a message for this alerting the user
that the server may have problems with the Unix extensions,
and telling them what they can do to workaround it.
Unfortunately the server does not return other clues
that we could easily use to turn the Unix Extension support
off automatically in this case (since they claim to support it).
Steve French [Sun, 16 Sep 2007 23:12:47 +0000 (23:12 +0000)]
[CIFS] fix small memory leak in an error path in new posix mkdir
There is a small memory leak in fs/cifs/inode.c::cifs_mkdir().
Storage for 'pInfo' is allocated with kzalloc(), but if the call
to CIFSPOSIXCreate(...) happens to return 0 and pInfo->Type == -1,
then we'll jump to the 'mkdir_get_info' label without freeing the
storage allocated for 'pInfo'.
This patch adds a kfree() call to free the storage just before
jumping to the label, thus getting rid of the leak.
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Jeff [Thu, 13 Sep 2007 18:38:50 +0000 (18:38 +0000)]
[CIFS] Respect umask when using POSIX mkdir
When making a directory with POSIX mkdir calls, cifs_mkdir does not
respect the umask. This patch causes the new POSIX mkdir to create with
the right mode
Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Steve French [Fri, 7 Sep 2007 22:23:48 +0000 (22:23 +0000)]
[CIFS] Fix oops in find_writable_file
There was a case in which find_writable_file was not waiting long enough
under heavy stress when writepages was racing with close of the file
handle being used by the write.
Steve French [Thu, 30 Aug 2007 21:13:31 +0000 (21:13 +0000)]
[CIFS] fix for incorrect session reconnects
cifs reconnect could end up happening incorrectly due to
the small initial tcp recvmsg response. When the socket
was within three bytes of being full and the recvmsg
returned only 1 to 3 bytes of the initial 4 byte
read of the RFC1001 length field. Fortunately this
seems to be less common on more current kernels, but
this fixes it so cifs tries to retrieve all 4 bytes
of the initial tcp read.
Signed-off-by: Shirish Pargoankar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Jeff Layton [Fri, 24 Aug 2007 03:16:51 +0000 (03:16 +0000)]
[CIFS] Byte range unlock request to non-Unix server can unlock too much
On a mount without posix extensions enabled, when an unlock request is
made, the client can release more than is intended. To reproduce, on a
CIFS mount without posix extensions enabled:
1) open file
2) do fcntl lock: start=0 len=1
3) do fcntl lock: start=2 len=1
4) do fcntl unlock: start=0 len=1
...on the unlock call the client sends an unlock request to the server
for both locks. The problem is a bad test in cifs_lock.
Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Robin Getz [Wed, 22 Aug 2007 03:14:58 +0000 (23:14 -0400)]
fix - ensure we don't use bootconsoles after init has been released
Gerd Hoffmann pointed out that my patch from yesterday can lead
to a null pointer dereference if the kernel is booted with no
console, and no earlyprintk defined. This fixes that issue.
Signed-off-by: Robin Getz <rgetz@blackfin.uclinux.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Kumar Gala [Wed, 22 Aug 2007 00:15:31 +0000 (19:15 -0500)]
[POWERPC] Fix PCI Device ID for MPC8544/8533 processors
The initial user manuals for MPC8544/8533 had some issues with properly
documenting the device IDs for MPC8544/8533. These processors are almost
identical and both show up on the reference boards.
Fix up the quirks for PCIe support to handle MPC8533/E.
Signed-off-by: Kumar Gala <galak@kernel.crashing.org>
There are special PHY settings available on Yukon EC-U chip that
should not get cleared. This should solve mysterious errors on some
motherboards (like Gigabyte DS-3).
Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Martin Bachem [Tue, 21 Aug 2007 12:26:21 +0000 (14:26 +0200)]
hisax: update hfc_usb driver
This fixes handling of USB ISO completion error -EXDEV and includes
several other changes to current CVS version at isdn4linux.de (changes
in debug flags, style of code remarks, etc)
Linus Torvalds [Tue, 21 Aug 2007 06:38:44 +0000 (23:38 -0700)]
Revert "USB: EHCI cpufreq fix"
This reverts commit 196705c9bbc03540429b0f7cf9ee35c2f928a534. It was
reported to cause a regression by Daniel Exner, and Arjan van de Ven
points out that we actually already have infrastructure in place for
setting limits on acceptable DMA latency that would be the much more
correct fix for the problem with some Broadcom EHCI controllers.
Fixed up trivial conflicts due to the changes to support big-endian host
controller descriptors in drivers/usb/host/{ehci-sched.c,ehci.h}.
Zach Brown [Tue, 21 Aug 2007 00:12:01 +0000 (17:12 -0700)]
dio: zero struct dio with kzalloc instead of manually
This patch uses kzalloc to zero all of struct dio rather than manually
trying to track which fields we rely on being zero. It passed aio+dio
stress testing and some bug regression testing on ext3.
This patch was introduced by Linus in the conversation that lead up to
Badari's minimal fix to manually zero .map_bh.b_state in commit:
I was unable to measure a stable difference in the number of cpu cycles
spent in blockdev_direct_IO() when pushing aio+dio 256K reads at
~340MB/s.
So the resulting intent of the patch isn't a performance gain but to
avoid exposing ourselves to the risk of finding another field like
.map_bh.b_state where we rely on zeroing but don't enforce it in the
code.
Signed-off-by: Zach Brown <zach.brown@oracle.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Tue, 21 Aug 2007 05:48:24 +0000 (22:48 -0700)]
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/v4l-dvb
* 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/v4l-dvb:
V4L/DVB (6028): Turn an unnecessary mdelay() into msleep().
V4L/DVB (6027): Get rid of an ill-behaved msleep in i2c write
V4L/DVB (6026): Avoid powering up the camera on resume
V4L/DVB (6016): get_dvb_firmware: update script for new location of tda10046 firmware
V4L/DVB (5991): dvb-pll: Set minimum and maximum frequency properly
V4L/DVB (5969): ivtv: report ivtv version in status log
V4L/DVB (5967): ivtv: fix VIDIOC_S_FBUF:new OSD values where never set
V4L/DVB (5968): videodev2.h: remove superfluous FBUF GLOBAL_INV_ALPHA support
David Woodhouse [Mon, 20 Aug 2007 10:05:29 +0000 (11:05 +0100)]
JFFS2 locking regression fix.
Commit a491486a2087ac3dfc00efb4f838c8d684afaf54 introduced a locking
problem in JFFS2 -- we up() the alloc_sem when we weren't previously
holding it. This leads to all kinds of fun behaviour later.
There was a _reason_ for the
if (1 /* alternative path needs testing */ ||
which the above-mentioned commit removed :)
Discovered and debugged by Giulio Fedel <giulio.fedel@andorsystems.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This ensures that a bootconsole is unregistered if it is not replaced.
The current implementation spews garbage out the bootconsole in this case,
since the bootconsole structure is normally in the init section, and is
freed, but still used.
Signed-off-by: Robin Getz <rgetz@blackfin.uclinux.org> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Paul Mundt <lethal@linux-sh.org> Cc: Mike Frysinger <vapier.adi@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
ide-disk: workaround for buggy HPA support on ST340823A (take 3)
This disk reports total number of sectors instead of maximum sector address
in response to READ_NATIVE_MAX_ADDRESS command and also happily accepts
SET_MAX_ADDRESS command with the bogus value. This results in +1 sector
capacity being used and errors on attempts to use the last sector.
Programming DMA mode may destroy current PIO mode setting so if
CONFIG_HPT34X_AUTODMA=n (the default case) make ide_tune_dma() fail
early by disabling all host DMA masks and re-tune PIO mode.
This fix doesn't help with the driver being broken but is needed
for some other changes.
ide: add cable detection for early UDMA66 devices (take 3)
* Move ide_in_drive_list() from ide-dma.c to ide-iops.c.
* Add ivb_list[] table for listening early UDMA66 devices which don't conform
to ATA4 standard wrt cable detection (bit14 is zero, only bit13 is valid)
and use only device side cable detection for them since host side cable
detection may be unreliable.
* Add model "QUANTUM FIREBALLlct10 05" with firwmare "A03.0900" to the list
(from Craig's bugreport).
v2:
* Improve kernel message basing on suggestion from Sergei.
v3:
* Don't print kernel message when no device side cable detection is done,
plus some minor fixes. (Noticed by Sergei)
* Add DMA blacklist checking (->ide_dma_on check probably can go now).
* Add ->atapi_dma flag checking and remove no longer needed
ns87415_ide_dma_check() from ns87415 host driver.
* Remove now needless __ide_dma_check() wrapper and symbol export.
* Check drive->autodma instead of hwif->autodma (there should be no changes in
behavior as all users of config_drive_for_dma() set both ->autodma flags).
ide: fix hidden dependencies on CONFIG_IDE_GENERIC
Some host drivers depend on CONFIG_IDE_GENERIC to do the probing but their
config options lack explicit dependencies on IDE_GENERIC. In the long-term
these host drivers should be fixed to do the probing themselves but for now
fix them by making their config options select CONFIG_IDE_GENERIC.
Tejun Heo [Mon, 20 Aug 2007 20:42:53 +0000 (22:42 +0200)]
ide: make CONFIG_IDE_GENERIC default to N
These days, CONFIG_IDE_GENERIC causes more confusion and
misconfiguration than it helps. Especially so because libata is
linked after the generic driver. Default to N.
Jonathan Corbet [Fri, 17 Aug 2007 04:02:33 +0000 (01:02 -0300)]
V4L/DVB (6027): Get rid of an ill-behaved msleep in i2c write
Configuring the OLPC camera requires something over 150 register
writes. Unfortunately, querying the CAFE i2c controller too
soon after a write causes the hardware to flake. The problem had
been "solved" with an msleep() call, but, between the number of
registers and how msleep() behaves, that resulted in a 3-second
delay on camera initialization. Instead, we hand-code a wait for
the completion interrupt which avoids reading the status registers.
Signed-off-by: Jonathan Corbet <corbet@lwn.net> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Al Viro [Sun, 19 Aug 2007 03:51:26 +0000 (04:51 +0100)]
missing return in bridge sysfs code
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Avi Kivity [Sun, 19 Aug 2007 12:57:26 +0000 (15:57 +0300)]
KVM: Avoid calling smp_call_function_single() with interrupts disabled
When taking a cpu down, we need to hardware_disable() it.
Unfortunately, the CPU_DYING notifier is called with interrupts
disabled, which means we can't use smp_call_function_single().
Fortunately, the CPU_DYING notifier is always called on the dying cpu,
so we don't need to use the function at all and can simply call
hardware_disable() directly.
Tested-by: Paolo Ornati <ornati@fastwebnet.it> Signed-off-by: Avi Kivity <avi@qumranet.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Christian Heim [Sun, 19 Aug 2007 11:07:59 +0000 (13:07 +0200)]
Remove double inclusion of linux/capability.h
Remove the second inclusion of linux/capability.h, which has been
introduced with "[PATCH] move capable() to capability.h" (commit c59ede7b78db329949d9cdcd7064e22d357560ef)
Signed-off-by: Christian Heim <phreak@gentoo.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Chris Wright [Sat, 18 Aug 2007 21:31:41 +0000 (14:31 -0700)]
x86: properly initialize temp insn buffer for paravirt patching
With commit ab144f5ec64c42218a555ec1dbde6b60cf2982d6 the patching code
now collects the complete new instruction stream into a temp buffer
before finally patching in the new insns. In some cases the paravirt
patchers will choose to leave the patch site unpatched (length mismatch,
clobbers mismatch, etc).
This causes the new patching code to copy an uninitialized temp buffer,
i.e. garbage, to the callsite. Simply make sure to always initialize
the buffer with the original instruction stream. A better fix is to
audit all the patchers and return proper length so that apply_paravirt()
can skip copies when we leave the patch site untouched.
Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Andi Kleen [Wed, 15 Aug 2007 00:40:36 +0000 (02:40 +0200)]
x86_64: Change PMDS invocation to single macro
Very old binutils (2.12.90...) seem to have trouble with newlines
in assembler macro invocation. They put them into the resulting
argument expansion. In this case this lead to a parse error because
a .rept expression ended up spread over multiple lines. Change the PMDS()
invocation to a single line.
Daniel Gollub [Wed, 15 Aug 2007 00:40:35 +0000 (02:40 +0200)]
x86_64: Fix to keep watchdog disabled by default for i386/x86_64
Fixed wrong expression which enabled watchdogs even if nmi_watchdog kernel
parameter wasn't set. This regression got slightly introduced with commit b7471c6da94d30d3deadc55986cc38d1ff57f9ca.
Introduced NMI_DISABLED (-1) which allows to switch the value of NMI_DEFAULT
without breaking the APIC NMI watchdog code (again).
Fixes:
https://bugzilla.novell.com/show_bug.cgi?id=298084
http://bugzilla.kernel.org/show_bug.cgi?id=7839
And likely some more nmi_watchdog=0 related issues.
Andi Kleen [Wed, 15 Aug 2007 00:40:34 +0000 (02:40 +0200)]
x86_64: Fail dma_alloc_coherent on dma less devices
This should fix an oops with PCMCIA PATA devices
http://bugzilla.kernel.org/show_bug.cgi?id=8424
This is not a full fix for the problem, but probably
still the right thing to do.
[ I'm almost certain it's *not* the right thing to do, but it avoids an
oops, and I want comments from others on what the right thing would
actually be.. I suspect we should just remove the use of dma_mask
entirely in this function, and just use coherent_dma_mask. - Linus ]
Timo Jantunen [Tue, 14 Aug 2007 18:56:57 +0000 (21:56 +0300)]
fix random hang in forcedeth driver when using netconsole
If the forcedeth driver receives too much work in an interrupt, it
assumes it has a broken hardware with stuck IRQ. It works around the
problem by disabling interrupts on the nic but makes a printk while
holding device spinlog - which isn't smart thing to do if you have
netconsole on the same nic.
This patch moves the printk's out of the spinlock protected area.
Without this patch the machine hangs hard. With this patch everything
still works even when there is significant increase on CPU usage while
using the nic.
Signed-off-by: Timo Jantunen <jeti@iki.fi> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Satyam Sharma [Thu, 16 Aug 2007 00:39:25 +0000 (06:09 +0530)]
i386: Fix a couple busy loops in mach_wakecpu.h:wait_for_init_deassert()
Use cpu_relax() in the busy loops, as atomic_read() doesn't automatically
imply volatility for i386 and x86_64. x86_64 doesn't have this issue because
it open-codes the while loop in smpboot.c:smp_callin() itself that already
uses cpu_relax().
For i386, however, smpboot.c:smp_callin() calls wait_for_init_deassert()
which is buggy for mach-default and mach-es7000 cases.
[ I test-built a kernel -- smp_callin() itself got inlined in its only
callsite, smpboot.c:start_secondary() -- and the relevant piece of
code disassembles to the following:
0xc1019704 <start_secondary+12>: mov 0xc144c4c8,%eax
0xc1019709 <start_secondary+17>: test %eax,%eax
0xc101970b <start_secondary+19>: je 0xc1019709 <start_secondary+17>
init_deasserted (at 0xc144c4c8) gets fetched into %eax only once and
then we loop over the test of the stale value in the register only,
so these look like real bugs to me. With the fix below, this becomes: