Marcelo Tosatti [Thu, 5 Jun 2008 03:08:11 +0000 (00:08 -0300)]
KVM: IOAPIC: only set remote_irr if interrupt was injected
There's a bug in the IOAPIC code for level-triggered interrupts. Its
relatively easy to trigger by sharing (virtio-blk + usbtablet was the
testcase, initially reported by Gerd von Egidy).
The "remote_irr" variable is used to indicate accepted but not yet acked
interrupts. Its cleared from the EOI handler.
Problem is that the EOI handler clears remote_irr unconditionally, even
if it reinjected another pending interrupt.
In that case, kvm_ioapic_set_irq() proceeds to ioapic_service() which
sets remote_irr even if it failed to inject (since the IRR was high due
to EOI reinjection).
Since the TMR bit has been cleared by the first EOI, the second one
fails to clear remote_irr.
End result is interrupt line dead.
Fix it by setting remote_irr only if a new pending interrupt has been
generated (and the TMR bit for vector in question set).
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com> Signed-off-by: Avi Kivity <avi@qumranet.com>
Eli Collins [Mon, 2 Jun 2008 03:24:40 +0000 (20:24 -0700)]
KVM: VMX: Clear CR4.VMXE in hardware_disable
Clear CR4.VMXE in hardware_disable. There's no reason to leave it set
after doing a VMXOFF.
VMware Workstation 6.5 checks CR4.VMXE as a proxy for whether the CPU is
in VMX mode, so leaving VMXE set means we'll refuse to power on. With this
change the user can power on after unloading the kvm-intel module. I
tested on kvm-67 and kvm-69.
Signed-off-by: Eli Collins <ecollins@vmware.com> Signed-off-by: Avi Kivity <avi@qumranet.com>
Marcelo Tosatti [Tue, 27 May 2008 15:10:20 +0000 (12:10 -0300)]
KVM: migrate PIT timer
Migrate the PIT timer to the physical CPU which vcpu0 is scheduled on,
similarly to what is done for the LAPIC timers, otherwise PIT interrupts
will be delayed until an unrelated event causes an exit.
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com> Signed-off-by: Avi Kivity <avi@qumranet.com>
Hollis Blanchard [Wed, 21 May 2008 23:22:53 +0000 (18:22 -0500)]
KVM: ppc: Remove unmatched kunmap() call
We're not calling kmap() now, so we shouldn't call kunmap() either. This has no
practical effect in the non-highmem case, which is why it hasn't caused more
obvious problems.
Pointed out by Anthony Liguori.
Signed-off-by: Hollis Blanchard <hollisb@us.ibm.com> Signed-off-by: Avi Kivity <avi@qumranet.com>
Carsten Otte [Wed, 21 May 2008 11:37:44 +0000 (13:37 +0200)]
KVM: s390: Fix race condition in kvm_s390_handle_wait
The call to add_timer was issued before local_int.lock was taken and before
timer_due was set to 0. If the timer expires before the lock is being taken,
the timer function will set timer_due to 1 and exit before the vcpu falls
asleep. Depending on other external events, the vcpu might sleep forever.
This fix pulls setting timer_due to the beginning of the function before
add_timer, which ensures correct behavior.
Signed-off-by: Carsten Otte <cotte@de.ibm.com> Signed-off-by: Avi Kivity <avi@qumranet.com>
Carsten Otte [Wed, 21 May 2008 11:37:40 +0000 (13:37 +0200)]
KVM: s390: Send program check on access error
If the guest accesses non-existing memory, the sie64a function returns
-EFAULT. We must check the return value and send a program check to the
guest if the sie instruction faulted, otherwise the guest will loop at
the faulting code.
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Carsten Otte <cotte@de.ibm.com> Signed-off-by: Avi Kivity <avi@qumranet.com>
Carsten Otte [Wed, 21 May 2008 11:37:37 +0000 (13:37 +0200)]
KVM: s390: fix interrupt delivery
The current code delivers pending interrupts before it checks for
need_resched. On a busy host, this can lead to a longer interrupt
latency if the interrupt is injected while the process is scheduled
away. This patch moves delivering the interrupt _after_ schedule(),
which makes more sense.
Signed-off-by: Carsten Otte <cotte@de.ibm.com> Signed-off-by: Avi Kivity <avi@qumranet.com>
KVM: s390: handle machine checks when guest is running
The low-level interrupt handler on s390 checks for _TIF_WORK_INT and
exits the guest context, if work is pending.
TIF_WORK_INT is defined as_TIF_SIGPENDING | _TIF_NEED_RESCHED |
_TIF_MCCK_PENDING. Currently the sie loop checks for signals and
reschedule, but it does not check for machine checks. That means that
we exit the guest context if a machine check is pending, but we do not
handle the machine check.
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> CC: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Carsten Otte <cotte@de.ibm.com> Signed-off-by: Avi Kivity <avi@qumranet.com>
KVM: s390: fix locking order problem in enable_sie
There are potential locking problem in enable_sie. We take the task_lock
and the mmap_sem. As exit_mm uses the same locks vice versa, this triggers
a lockdep warning.
The second problem is that dup_mm and mmput might sleep, so we must not
hold the task_lock at that moment.
The solution is to dup the mm unconditional and use the task_lock before and
afterwards to check if we can use the new mm. dup_mm and mmput are called
outside the task_lock, but we run update_mm while holding the task_lock,
protection us against ptrace.
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Carsten Otte <cotte@de.ibm.com> Acked-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Avi Kivity <avi@qumranet.com>
KVM: s390: use yield instead of schedule to implement diag 0x44
diag 0x44 is the common way on s390 to yield the cpu to the hypervisor.
It is called by the guest in cpu_relax and in the spinlock code to
yield to other guest cpus.
This semantic is similar to yield. Lets replace the call to schedule with
yield to make sure that current is really yielding.
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Carsten Otte <cotte@de.ibm.com> Signed-off-by: Avi Kivity <avi@qumranet.com>
Avi Kivity [Wed, 21 May 2008 12:34:25 +0000 (15:34 +0300)]
KVM: x86 emulator: fix hypercall return value on AMD
The hypercall instructions on Intel and AMD are different. KVM allows the
guest to choose one or the other (the default is Intel), and if the guest
chooses incorrectly, KVM will patch it at runtime to select the correct
instruction. This allows live migration between Intel and AMD machines.
This patching occurs in the x86 emulator. The current code also executes
the hypercall. Unfortunately, the tail end of the x86 emulator code also
executes, overwriting the return value of the hypercall with the original
contents of rax (which happens to be the hypercall number).
Fix not by executing the hypercall in the emulator context; instead let the
guest reissue the patched instruction and execute the hypercall via the
normal path.
Jes Sorensen [Tue, 20 May 2008 11:13:50 +0000 (13:13 +0200)]
KVM: ia64: fix zero extending for mmio ld1/2/4 emulation in KVM
Only copy in the data actually requested by the instruction emulation
and zero pad the destination register first. This avoids the problem
where emulated mmio access got garbled data from ld2.acq instructions
in the vga console driver.
Ben Collins [Thu, 5 Jun 2008 23:10:21 +0000 (19:10 -0400)]
mmc: Fix crash in mmc_block on 64-bit
Fairly simple. "dev_use" was being allocated as a zero length array
because of bad math on 64-bit systems, causing a crash in
find_first_zero_bit(). One-liner follows:
Signed-off-by: Ben Collins <ben.collins@canonical.com> Acked-by: Pierre Ossman <drzeus@drzeus.cx> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Thu, 5 Jun 2008 21:29:53 +0000 (14:29 -0700)]
Merge branch 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus
* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus:
Fix divide by zero error in build_clear_page() and build_copy_page()
[MIPS] Fix typo in header guard
[MIPS] Fix build error - Delete debugging crap that crept in with CMP
[MIPS] Add accessors for random register.
[MIPS] IP27: misc fixes
[MIPS] IP27: Fix clockevent setup
[MIPS] IP27: Fix bootmem memory setup
[MIPS] remove CONFIG_CPU_R4000 line from Makefile
[MIPS] Fix check for valid stack pointer during backtrace
[MIPS] Add missing braces to pte_mkyoung
[MIPS] R4700: Fix build_tlb_probe_entry
[MIPS] Alchemy: dbdma: add API to delete custom DDMA device ids.
[MIPS] Alchemy: export get_au1x00_speed for modules
Chris Wright [Wed, 4 Jun 2008 16:16:33 +0000 (09:16 -0700)]
asn1: additional sanity checking during BER decoding
- Don't trust a length which is greater than the working buffer.
An invalid length could cause overflow when calculating buffer size
for decoding oid.
- An oid length of zero is invalid and allows for an off-by-one error when
decoding oid because the first subid actually encodes first 2 subids.
- A primitive encoding may not have an indefinite length.
Thanks to Wei Wang from McAfee for report.
Cc: Steven French <sfrench@us.ibm.com> Cc: stable@kernel.org Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
David Howells [Thu, 5 Jun 2008 16:07:35 +0000 (17:07 +0100)]
FRV: ip_fast_csum() requires a memory clobber on its inline asm
ip_fast_csum() requires a memory clobber on its inline asm as it accesses
memory in a fashion that gcc can't predict.
The GCC manual says:
If your assembler instructions access memory in an unpredictable
fashion, add `memory' to the list of clobbered registers. This will
cause GCC to not keep memory values cached in registers across the
assembler instruction and not optimize stores or loads to that memory.
The bug hasn't been noticed in FRV, but it has been seen in PA-RISC.
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Changes in the generic bootmem code broke memory setup for IP27. This
patch fixes this by replacing lots of special IP27 code with generic
bootmon code. This has been tested only on a single node.
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de> Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[MIPS] Fix check for valid stack pointer during backtrace
The newly added check for valid stack pointer address breaks at least for
64bit kernels. Use __get_user() for accessing stack content to avoid crashes,
when doing the backtrace.
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de> Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Ilpo Järvinen [Fri, 2 May 2008 11:08:20 +0000 (14:08 +0300)]
[MIPS] Add missing braces to pte_mkyoung
Only the version pte_mkyoung for 36-bit pagetables on 32-bit hw was
affected and with this bug being around since November 29, 2004 there
is evidence to suport the assumption it was benign ;-)
Hugh Dickins [Thu, 5 Jun 2008 13:44:39 +0000 (14:44 +0100)]
libata: fix G5 SATA broken on -rc5
Fix G5 SATA irq 18: nobody cared, reported on -rc5 by Olaf Hering:
fixlet to a57c1bade5a0ee5cd8b74502db9cbebb7f5780b2 libata-sff:
Fix oops reported in kerneloops.org for pnp devices with no ctl
Signed-off-by: Hugh Dickins <hugh@veritas.com> Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk> Tested-by: Olaf Hering <olaf@aepfle.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Michael Krufky [Sat, 31 May 2008 21:18:55 +0000 (18:18 -0300)]
V4L/DVB (7983): tda18271_calc_rf_cal must return the return value of tda18271_lookup_map
On the TDA18271HD/C1, we perform RF tracking filter correction for VHF low
band, only. If supplied a frequency out of range, the error must be returned
to the caller (tda18271c1_rf_tracking_filter_calibration) so that it can
decide whether or not to write to register EB14, RFC_CPROG[7:0]
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
LD .tmp_vmlinux1
drivers/built-in.o: In function `generic_set_freq':
tuner-xc2028.c:(.text+0xbd896): undefined reference to `request_firmware'
tuner-xc2028.c:(.text+0xbdd7a): undefined reference to `release_firmware'
drivers/built-in.o: In function `xc_load_fw_and_init_tuner':
xc5000.c:(.text+0xc68e6): undefined reference to `request_firmware'
xc5000.c:(.text+0xc6abe): undefined reference to `release_firmware'
the reason is another kconfig tool bug that has to be worked around in
the driver's Kconfig file: if FW_LOADER is selected in a second
dependency, that is not properly propagated up the dependencies.
in this case, FW_LOADER is selected from MEDIA_TUNER_XC2028:
config MEDIA_TUNER_XC2028
tristate "XCeive xc2028/xc3028 tuners"
depends on VIDEO_MEDIA && I2C
depends on HOTPLUG
select FW_LOADER
which got selected by MEDIA_TUNER:
config MEDIA_TUNER
tristate
default VIDEO_MEDIA && I2C
depends on VIDEO_MEDIA && I2C
select FW_LOADER if !MEDIA_TUNER_CUSTOMIZE && HOTPLUG
but the kconfig tool did not pick up this second-order dependency and
allowed CONFIG_FW_LOADER=m to be selected - in which case the build
fails.
the workaround i found was to move the select of FW_LOADER one level up,
so that the buggy kconfig tool can notice it and can act appropriately.
This problem can probably be worked around in other ways as well, i went
for the minimal fix.
Obviously, the kconfig tool should be fixed, it is not reasonable to
expect driver authors to do manual dependency resolution (that kconfig
itself already does) and uglify the Kconfig files. The kconfig tool did
nothing to warn about this situation and did not prevent this faulty
.config from being constructed.
But there was no warning in Documentation/feature-removal-schedule.txt
and I'm receiving reports that it's breaking userspace apps (the
gstreamer-v4l2 plugin breaks in Fedora rawhide). You can't just pull
things from the published userspace API like that.
Please can we revert the addition of _DEPRECATED to these ioctl
definitions. Perhaps we can add a runtime warning if they actually get
used? Or a compile-time warning if we can manage that?
Signed-off-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Create a macro to report the number of instances of the tuner driver
currently in use. This will allow drivers to perform specific cleanups
before destroying the last instance of a tuner.
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Hans Verkuil [Sun, 25 May 2008 14:21:27 +0000 (11:21 -0300)]
V4L/DVB (7931): cx18: allow for simultaneous digital and analog capture
The HVR-1600 can do both analog and digital capture at the same time.
Due to a driver bug -EBUSY would be returned when attempting to setup an
analog capture while a digital capture was already in progress.
Separate the two internally.
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Andy Walls [Mon, 26 May 2008 04:31:17 +0000 (01:31 -0300)]
V4L/DVB (7922): tuner-simple: fix tuner_warn() induced kernel oops in simple_tuner_attach()
The tuner_warn() macro relies on the local variable "priv" to be a valid
pointer. There was a case in simple_tuner_attach() where this cannot be the
case yet, so tuner_warn() would dereference a NULL "priv" pointer. Changed
the tuner_warn() to a printk() with the originally intended output format.
Signed-off-by: Andy Walls <awalls@radix.net> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Michael Krufky [Sun, 25 May 2008 02:48:16 +0000 (23:48 -0300)]
V4L/DVB (7918): au0828: remove irrelevent analog tuner standby code
This code is irrelevant to this driver and should be removed. This was
copied from a hack in cx88-dvb.c, which prevents noise coming from the
analog tuner (via an audio patch cable from the pci card to the sound
hardware) when in digital mode by muting the tda988x. This issue does
not apply to this USB hybrid chip design, where a single piece of
silicon handles both analog and digital demodulation.
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Adrian Bunk [Mon, 26 May 2008 17:23:49 +0000 (14:23 -0300)]
V4L/DVB (7908): always enter drivers/media/video/
After commit 039d40019f3c5e26ea50ec5af4270189f63365e1
(V4L/DVB (7898): Fix VIDEO_MEDIA Kconfig logic)
VIDEO_MEDIA is no longer usable in Makefile's for deciding
which directories we enter, resulting in compile errors like the
following with CONFIG_VIDEO_DEV=y, CONFIG_DVB_CORE=m:
Andrew Morton [Thu, 15 May 2008 02:14:04 +0000 (23:14 -0300)]
V4L/DVB (7901): zoran: use correct type for CPU flags
locking-add-typecheck-on-irqsave-and-friends-for-correct-flags.patch will cause
drivers/media/video/zoran_driver.c: In function 'zoran_close_end_session':
drivers/media/video/zoran_driver.c:1172: warning: comparison of distinct pointer types lacks a cast
Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (56 commits)
l2tp: Fix possible oops if transmitting or receiving when tunnel goes down
tcp: Fix for race due to temporary drop of the socket lock in skb_splice_bits.
tcp: Increment OUTRSTS in tcp_send_active_reset()
raw: Raw socket leak.
lt2p: Fix possible WARN_ON from socket code when UDP socket is closed
USB ID for Philips CPWUA054/00 Wireless USB Adapter 11g
ssb: Fix context assertion in ssb_pcicore_dev_irqvecs_enable
libertas: fix command size for CMD_802_11_SUBSCRIBE_EVENT
ipw2200: expire and use oldest BSS on adhoc create
airo warning fix
b43legacy: Fix controller restart crash
sctp: Fix ECN markings for IPv6
sctp: Flush the queue only once during fast retransmit.
sctp: Start T3-RTX timer when fast retransmitting lowest TSN
sctp: Correctly implement Fast Recovery cwnd manipulations.
sctp: Move sctp_v4_dst_saddr out of loop
sctp: retran_path update bug fix
tcp: fix skb vs fack_count out-of-sync condition
sunhme: Cleanup use of deprecated calls to save_and_cli and restore_flags.
xfrm: xfrm_algo: correct usage of RIPEMD-160
...
James Chapman [Wed, 4 Jun 2008 22:54:07 +0000 (15:54 -0700)]
l2tp: Fix possible oops if transmitting or receiving when tunnel goes down
Some problems have been experienced in the field which cause an oops
in the pppol2tp driver if L2TP tunnels fail while passing data.
The pppol2tp driver uses private data that is referenced via the
sk->sk_user_data of its UDP and PPPoL2TP sockets. This patch makes
sure that the driver uses sock_hold() when it holds a reference to the
sk pointer. This affects its sendmsg(), recvmsg(), getname(),
[gs]etsockopt() and ioctl() handlers.
Tested by ISP where problem was seen. System has been up 10 days with
no oops since running this patch. Without the patch, an oops would
occur every 1-2 days.
Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
tcp: Fix for race due to temporary drop of the socket lock in skb_splice_bits.
skb_splice_bits temporary drops the socket lock while iterating over
the socket queue in order to break a reverse locking condition which
happens with sendfile. This, however, opens a window of opportunity
for tcp_collapse() to aggregate skbs and thus potentially free the
current skb used in skb_splice_bits and tcp_read_sock.
This patch fixes the problem by (re-)getting the same "logical skb"
after the lock has been temporary dropped.
Based on idea and initial patch from Evgeniy Polyakov.
Signed-off-by: Octavian Purdila <opurdila@ixiacom.com> Acked-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
Corked packet is allocated via sock_wmalloc which holds the owner socket,
so one should uncork it and flush all pending data on close. Do this in the
same way as in UDP.
Signed-off-by: Denis V. Lunev <den@openvz.org> Acked-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
James Chapman [Wed, 4 Jun 2008 22:07:32 +0000 (15:07 -0700)]
lt2p: Fix possible WARN_ON from socket code when UDP socket is closed
If an L2TP daemon closes a tunnel socket while packets are queued in
the tunnel's reorder queue, a kernel warning is logged because the
socket is closed while skbs are still referencing it. The fix is to
purge the queue in the socket's release handler.