Commit Graph

21265 Commits

Author SHA1 Message Date
Patrick McHardy
cc9a06cd8d [NETLINK]: Fix use-after-free in netlink_recvmsg
The skb given to netlink_cmsg_recv_pktinfo is already freed, move it up
a few lines.

Coverity #948

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12 20:39:38 -08:00
Patrick McHardy
f8dc01f543 [XFRM]: Fix leak in ah6_input
tmp_hdr is not freed when ipv6_clear_mutable_options fails.

Coverity #650

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12 20:39:37 -08:00
Patrick McHardy
f6e57464df [NET_SCHED]: act_api: fix skb leak in error path
The skb is allocated by the function, so it needs to be freed instead
of trimmed on overrun.

Coverity #614

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12 20:39:36 -08:00
Patrick McHardy
406dbfc9ae [NETFILTER]: nfnetlink_queue: fix possible NULL-ptr dereference
Fix NULL-ptr dereference when a config message for a non-existant
queue containing only an NFQA_CFG_PARAMS attribute is received.

Coverity #433

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12 20:39:35 -08:00
Linus Torvalds
57ddd5c180 Merge branch 'upstream-fixes' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev
* 'upstream-fixes' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev:
  [PATCH] ahci: fix NULL pointer dereference detected by Coverity
2006-03-12 16:41:27 -08:00
Linus Torvalds
7cafae5238 Merge master.kernel.org:/home/rmk/linux-2.6-arm
* master.kernel.org:/home/rmk/linux-2.6-arm:
  [ARM] iwmmxt thread state alignment
  [ARM] 3350/1: Enable 1-wire on ARM
  [ARM] 3356/1: Workaround for the ARM1136 I-cache invalidation problem
  [ARM] 3355/1: NSLU2: remove propmt depends
  [ARM] 3354/1: NAS100d: fix power led handling
  [ARM] Fix muldi3.S
2006-03-12 14:56:02 -08:00
Russell King
cdaabbd74b [ARM] iwmmxt thread state alignment
This patch removes the reliance of iwmmxt on hand coded alignments.
Since thread_info is always 8K aligned, specifying that fpstate is
8-byte aligned achieves the same effect without needing to resort
to hand coded alignments.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-03-12 22:36:06 +00:00
David S. Miller
ba244fe900 [TCP]: Fix tcp_tso_should_defer() when limit>=65536
That's >= a full sized TSO frame, so we should always
return 0 in that case.

Based upon a report and initial patch from Lachlan
Andrew, final patch suggested by Herbert Xu.

Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-11 18:51:49 -08:00
Gregor Maier
c127437641 [NETFILTER]: Fix wrong option spelling in Makefile for CONFIG_BRIDGE_EBT_ULOG
Signed-off-by: Gregor Maier <gregor@net.in.tum.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-11 18:51:25 -08:00
Brian Haley
0d27b42739 [IPV6]: fix ipv6_saddr_score struct element
The scope element in the ipv6_saddr_score struct used in 
ipv6_dev_get_saddr() is an unsigned integer, but __ipv6_addr_src_scope() 
returns a signed integer (and can return -1).

Signed-off-by: Brian Haley <brian.haley@hp.com>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-11 18:50:14 -08:00
Adrian Bunk
0ade309be7 [TG3] tg3_bus_string(): remove dead code
The Coverity checker spotted this dead code (note that (clock_ctrl == 7) 
is already handled above).

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-11 18:49:38 -08:00
Dave Jones
8f22757ee8 [TUN]: Fix leak in tun_get_user()
We're leaking an skb in a failure path in this function.

Coverity #632
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-11 18:49:13 -08:00
Jeff Garzik
ed071adc97 Merge branch 'master' 2006-03-11 19:55:26 -05:00
Tejun Heo
6971ed1fbb [PATCH] ahci: fix NULL pointer dereference detected by Coverity
Fix NULL pointer dereference detected by the Coverity checker.  Kill
dev -> pdev -> dev conversion while at it.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-03-11 19:06:02 -05:00
Linus Torvalds
535744878e Linux 2.6.16-rc6
Gaah. Delayed. But all the better for it!
2006-03-11 14:12:55 -08:00
Andrew Morton
0992a5d029 [PATCH] 3c509: bus registration fix
- Don't call eisa_driver_unregister() if eisa_driver_register() failed.

- Properly propagate error values.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-03-11 13:29:09 -05:00
Sam Ravnborg
b2cba5b577 [PATCH] de620: fix section mismatch warning
In latest -mm de620 gave following warning:
WARNING: drivers/net/de620.o - Section mismatch: reference to      \
.init.text:de620_probe from .text between 'init_module' (at offset \
0x1682) and 'cleanup_module'

init_module() call de620_probe() which is declared __init.
Fix is to declare init_module() __init too.

Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-03-11 13:29:09 -05:00
Jesper Juhl
28beaf651b [PATCH] NE2000 Kconfig help entry improvement
Improve reference to PCI NE2K support in ISA NE2K documentation.
Original 2.4 patch From: Ged Haywood <ged@jubileegroup.co.uk>

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-03-11 13:29:09 -05:00
Jon Mason
9ee09d9cd4 [PATCH] dl2k: DMA freeing error
This patch fixes an error in the dl2k driver's DMA mapping/unmapping.
The adapter uses the upper 16bits of the DMA address for the buffer
size.  However, this is not masked off when referencing the DMA
address, and can lead to errors by trying to free a DMA address out of
range.

Thanks,
Jon

Signed-off-by: Jon Mason <jdmason@us.ibm.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-03-11 13:26:51 -05:00
David S. Miller
9e927fb618 [PATCH] Wrong return value corrupts free object in e1000 driver
For some reason, E1000's ->hard_start_xmit() routine returns -EFAULT
instead of one of the NETDEV_TX_* error codes.  In fact, it frees up
the SKB before returning this.  This makes the queueing layer think
the packet should be requeued and subsequently we corrupt a freed
object.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-03-11 13:25:17 -05:00
Jeff Garzik
5ee33b7adc Merge branch 'for-jeff' of git://electric-eye.fr.zoreil.com/home/romieu/linux-2.6 2006-03-11 13:23:48 -05:00
Antonino A. Daplas
ed62178589 [PATCH] radeonfb: Fix static array overrun
radeonfb_parse_monitor_layout() will produce an array overrun if passed with a
substring of length higher than 4 (ie, "XXXXX,YYYYYY").

Coverity Bug 494

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:36 -08:00
Antonino A. Daplas
8e6509876c [PATCH] aty128fb: Fix array overrun
Fix static array overrun

Coverity Bug 556

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:36 -08:00
Antonino A. Daplas
54243cefdd [PATCH] tdfxfb: Fix buffer overrun
The pseudo_palette has room only for 16 entries, but tdfxfb_setcolreg may
attempt to write more.

Coverity Bug 557

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:36 -08:00
Antonino A. Daplas
d301524772 [PATCH] intelfb: Fix buffer overrun
The pseudo_palette has room only for 16 entries, but intelfb_setcolreg will
attempt to write more.

Coverity Bug 558

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:35 -08:00
Antonino A. Daplas
8d57f2210e [PATCH] savagefb: Fix kfree before use
par->edid is kfree'd before using in fb_edid_to_monspecs()

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:35 -08:00
Antonino A. Daplas
91bc89cf98 [PATCH] imsttfb: Fix resource leak
The struct info and device resource may not be released in the driver's error
path.  Fix.

Coverity Bug 671

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:35 -08:00
Antonino A. Daplas
98365f5eb4 [PATCH] s1d13xxxfb: Fix resource leak
struct info may not be released in the driver's error path.

Coverity Bug 672

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:35 -08:00
Antonino A. Daplas
939205b273 [PATCH] arcfb: Fix dereference before NULL check
info->par is dereferenced before info is checked for NULL. Fix.

Coverity Bug 833

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:35 -08:00
Antonino A. Daplas
16afe814a8 [PATCH] kyrofb: Fix uninitialized value
Initialize Variable 'count' in DisableVGA to zero.

Coverity Bug 874

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:35 -08:00
Antonino A. Daplas
604cc999fd [PATCH] arcfb: Fix uninitialized value
Remove insignificant and uninitialized variable "count" from
arcfb_lcd_update_page.

Coverity Bug 894

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:35 -08:00
Antonino A. Daplas
6af7ffc414 [PATCH] neofb: Fix uninitialized value
Remove insignificant and unitialized variable "waitcycles" from neo2200_sync.

Coverity Bug 895

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:35 -08:00
Chris Wright
1a4520bea6 [PATCH] LSM mail list has moved
LSM mail list has moved.

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:34 -08:00
Chris Wright
692a2061f6 [PATCH] update email address
Update email address.

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:34 -08:00
Christoph Hellwig
7cd9013be6 [PATCH] remove __put_task_struct_cb export again
The patch '[PATCH] RCU signal handling' [1] added an export for
__put_task_struct_cb, a put_task_struct helper newly introduced in that
patch.  But the put_task_struct couldn't be used modular previously as
__put_task_struct wasn't exported.  There are not callers of it in modular
code, and it shouldn't be exported because we don't want drivers to hold
references to task_structs.

This patch removes the export and folds __put_task_struct into
__put_task_struct_cb as there's no other caller.

[1] http://www2.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e56d090310d7625ecb43a1eeebd479f04affb48b

Signed-off-by: Christoph Hellwig <hch@lst.de>
Acked-by: Paul E. McKenney <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:34 -08:00
Pat Gefre
27d162e26a [PATCH] Altix: small ioc4 oversight
Get rid of the local 'flip' variable and no need to 'trim' the buffer.

Signed-off-by: Patrick Gefre <pfg@sgi.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:34 -08:00
Stephen Smalley
341c2d806b [PATCH] selinux: tracer SID fix
Fix SELinux to not reset the tracer SID when the child is already being
traced, since selinux_ptrace is also called by proc for access checking
outside of the context of a ptrace attach.

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:34 -08:00
Arjan van de Ven
4136cabff3 [PATCH] edac: disable a few sysfs files to avoid them becoming an ABI
Disable (via ugly #if 0's) the 3 sysfs files that I think by now we all
agree are very much wrong.  These files shouldn't become part of the ABI by
the 2.6.16 release, so I rather have this minimal patch merged to disable
them for now, the real fix can then come during the 2.6.17 devel window.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:34 -08:00
Badari Pulavarty
cd6ef84e6a [PATCH] ext3: fix nobh mode for chattr +j inodes
One can do "chattr +j" on a file to change its journalling mode.  Fix
writeback mode with "nobh" handling for it.

Even though, we mount ext3 filesystem in writeback mode with "nobh" option,
some one can do "chattr +j" on a single file to force it to do journalled
mode.  In order to do journaling, ext3_block_truncate_page() need to
fallback to default case of creating buffers and adding them to transaction
etc.

Signed-off-by: Badari Pulavarty <pbadari@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:34 -08:00
Kirill Korotaev
0adb25d2e7 [PATCH] ext3: ext3_symlink should use GFP_NOFS allocations inside
This patch fixes illegal __GFP_FS allocation inside ext3 transaction in
ext3_symlink().  Such allocation may re-enter ext3 code from
try_to_free_pages.  But JBD/ext3 code keeps a pointer to current journal
handle in task_struct and, hence, is not reentrable.

This bug led to "Assertion failure in journal_dirty_metadata()" messages.

http://bugzilla.openvz.org/show_bug.cgi?id=115

Signed-off-by: Andrey Savochkin <saw@saw.sw.com.sg>
Signed-off-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-11 09:19:34 -08:00
Dmitry Torokhov
8bd0ee93fe [PATCH] Input: psmouse - disable autoresync
Automatic resynchronization in psmouse driver causes problems on some
hardware so disable it by default for now. People with KVM switches
that require resync can still enable it via module parameter or sysfs
attribute.

Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-10 22:09:33 -08:00
Linus Torvalds
35ab0e88c6 Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6:
  [IA64] Fix race in the accessed/dirty bit handlers
2006-03-10 16:39:03 -08:00
Jan Beulich
44f329ab69 [PATCH] kbuild: version.h should depend on .kernelrelease
Rebuilding a previously built tree while using make's -j option from
time to time results in the version.h check running at the same time as
the updating of .kernelrelease, resulting in UTS_RELEASE remaining an
empty string (and as a side effect causing the entire kernel to be
rebuilt).

Signed-Off-By: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-10 15:59:34 -08:00
Alessandro Zummo
04916c0ef4 [ARM] 3350/1: Enable 1-wire on ARM
Patch from Alessandro Zummo

This patches add the 1-wire drivers
to the ARM Kconfig.

Signed-off-by: Alessandro Zummo <a.zummo@towertech.it>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-03-10 22:30:01 +00:00
Catalin Marinas
141fa40cff [ARM] 3356/1: Workaround for the ARM1136 I-cache invalidation problem
Patch from Catalin Marinas

ARM1136 erratum 371025 (category 2) specifies that, under rare
conditions, an invalidate I-cache by MVA (line or range) operation can
fail to invalidate a cache line. The recommended workaround is to
either invalidate the entire I-cache or invalidate the range by
set/way rather than MVA.

Note that for a 16K cache size, invalidating a 4K page by set/way is
equivalent to invalidating the entire I-cache.

Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-03-10 22:26:47 +00:00
Hugh Dickins
4ceadbf519 [PATCH] fix pcmcia_device_probe oops
Fix pcmcia_device_probe NULL pointer dereference at startup.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-10 13:40:26 -08:00
Christoph Lameter
8fce4d8e3b [PATCH] slab: Node rotor for freeing alien caches and remote per cpu pages.
The cache reaper currently tries to free all alien caches and all remote
per cpu pages in each pass of cache_reap.  For a machines with large number
of nodes (such as Altix) this may lead to sporadic delays of around ~10ms.
Interrupts are disabled while reclaiming creating unacceptable delays.

This patch changes that behavior by adding a per cpu reap_node variable.
Instead of attempting to free all caches, we free only one alien cache and
the per cpu pages from one remote node.  That reduces the time spend in
cache_reap.  However, doing so will lengthen the time it takes to
completely drain all remote per cpu pagesets and all alien caches.  The
time needed will grow with the number of nodes in the system.  All caches
are drained when they overflow their respective capacity.  So the drawback
here is only that a bit of memory may be wasted for awhile longer.

Details:

1. Rename drain_remote_pages to drain_node_pages to allow the specification
   of the node to drain of pcp pages.

2. Add additional functions init_reap_node, next_reap_node for NUMA
   that manage a per cpu reap_node counter.

3. Add a reap_alien function that reaps only from the current reap_node.

For us this seems to be a critical issue.  Holdoffs of an average of ~7ms
cause some HPC benchmarks to slow down significantly.  F.e.  NAS parallel
slows down dramatically.  NAS parallel has a 12-16 seconds runtime w/o rotor
compared to 5.8 secs with the rotor patches.  It gets down to 5.05 secs with
the additional interrupt holdoff reductions.

Signed-off-by: Christoph Lameter <clameter@sgi.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-09 19:47:38 -08:00
Roman Zippel
7b61fcda8a [PATCH] m68k: fix cmpxchg compile errors if CONFIG_RMW_INSNS=n
We require that all archs implement atomic_cmpxchg(), for the generic
version of atomic_add_unless().

Signed-off-by: Roman Zippel <zippel@linux-m68k.org>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-09 19:47:38 -08:00
Horst Hummel
b707dbe6c5 [PATCH] s390: dasd proc interface typo
This fixes a typo introduced with 90f0094dc6.

Signed-off-by: Horst Hummel <horst.hummel@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-09 19:47:38 -08:00
Yasunori Goto
f2937be589 [PATCH] memory hotadd: pgdat->node_present_pages fix
When pages are onlined, not only zone->present_pages but also
pgdat->node_present_pages should be refreshed.

This parameter is used to show information at
/sys/device/system/node/nodeX/meminfo via si_meminfo_node().

So, it shows strange value for MemUsed which is calculated
(node_present_pages - all zones free pages).

Signed-off-by: Yasunori Goto <y-goto@jp.fujitsu.com>
Cc: Dave Hansen <haveblue@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-09 19:47:38 -08:00