The skb allocation may fail, which can result in a NULL pointer dereference
in irlap_queue_xmit().
Coverity CID: 434.
Signed-off-by: Florin Malita <fmalita@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
skb_clone() may fail, we should check the result.
Coverity CID: 1215.
Signed-off-by: Florin Malita <fmalita@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
The /proc/sys/net/ethernet directory has been sitting empty for more than
10 years! Time to eliminate it!
Signed-off-by: Jes Sorensen <jes@sgi.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
From: Matt Mackall <mpm@selenic.com>
netconsole is being wrong here. If it wasn't enabled there's no error.
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Trimming the head of an skb by calling skb_pull can cause the packet
to become unaligned if the length pulled is odd. Since the length is
entirely arbitrary for a FIN packet carrying data, this is actually
quite common.
Unaligned data is not the end of the world, but we should avoid it if
it's easily done. In this case it is trivial. Since we're discarding
all of the head data it doesn't matter whether we move skb->data forward
or back.
However, it is still possible to have unaligned skb->data in general.
So network drivers should be prepared to handle it instead of crashing.
This patch also adds an unlikely marking on len < headlen since partial
ACKs on head data are extremely rare in the wild. As the return value
of __pskb_trim_head is no longer ever NULL that has been removed.
Signed-off-by: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
* master.kernel.org:/pub/scm/linux/kernel/git/brodo/pcmcia-fixes-2.6:
[PATCH] pcmcia: fix zeroing of cm4000_cs.c data
[PATCH] pcmcia: missing pcmcia_get_socket() result check
From: Jeff Dike <jdike@addtoit.com>
This fixes the undefined reference to strcpy seen when building modules on
i386. Tracked down by Al Viro.
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
From: Al Viro <viro@zeniv.linux.org.uk>
uml __user annotations
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
From: Al Viro <viro@zeniv.linux.org.uk>
fix uml/amd64 prctl()
put_user() there should go to (long __user *)addr, not &addr
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
From: Jeff Dike <jdike@addtoit.com>
We had a spurious semicolon somehow.
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
From: Jeff Dike <jdike@addtoit.com>
Initialize wall_to_monotonic correctly. This fixes a problem where sleeps
lasted about one secone less than they should. This also called for a bit of
code restructuring, following a patch which Blaisorblade had been keeping.
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
From: Jeff Dike <jdike@addtoit.com>
Add an empty asm/irqflags.h, which seems to satisfy the lock validator enough
that UML builds.
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
From: Andrew Morton <akpm@osdl.org>
drivers/rtc/rtc-m48t86.c: In function `m48t86_rtc_read_time':
drivers/rtc/rtc-m48t86.c:51: error: structure has no member named `ia64_mv'
drivers/rtc/rtc-m48t86.c:55: error: structure has no member named `ia64_mv'
drivers/rtc/rtc-m48t86.c:56: error: structure has no member named `ia64_mv'
drivers/rtc/rtc-m48t86.c:57: error: structure has no member named `ia64_mv'
drivers/rtc/rtc-m48t86.c:58: error: structure has no member named `ia64_mv'
drivers/rtc/rtc-m48t86.c:60: error: structure has no member named `ia64_mv'
readb() and writeb() are macros on ia64.
Cc: Alessandro Zummo <a.zummo@towertech.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
From: Stefan Richter <stefanr@s5r6.in-berlin.de>
I added a failure check in patch "sbp2: variable status FIFO address (fix
login timeout)" --- alas for a wrong error value. This is a bug since
Linux 2.6.16. Leads to NULL pointer dereference if the call failed, and
bogus failure handling if call succeeded.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: <stable@kernel.org>
Cc: Ben Collins <bcollins@debian.org>
Cc: Jody McIntyre <scjody@modernduck.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
This fixes request_irq() potentially called from atomic context.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
From: Trond Myklebust <Trond.Myklebust@netapp.com>
We're presently running lock_kernel() under fs_lock via nfs's ->permission
handler. That's a ranking bug and sometimes a sleep-in-spinlock bug. This
problem was introduced in the openat() patchset.
We should not need to hold the current->fs->lock for a codepath that doesn't
use current->fs.
[vsu@altlinux.ru: fix error path]
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Al Viro <viro@ftp.linux.org.uk>
Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
From: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
After removal of fixup_cpu_present_map() function Alpha ended up with an empty
cpu_present_map, so secondary CPUs on SMP systems are not being started.
Worse, on some platforms we route interrupts to secondary CPUs using
cpu_possible_map which is still populated properly. As a result, these
interrupts go nowhere so the machines like DP264 aren't able to boot even with
a primary CPU.
Fixed basically by s/cpu_present_mask/cpu_present_map/.
Thanks to Ernst Herzberg for reporting the bug and testing the fix.
Cc: Ernst Herzberg <list-lkml@net4u.de>
Cc: Richard Henderson <rth@twiddle.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
From: Stephen Smalley <sds@tycho.nsa.gov>
Fix unsafe nesting of sb_lock inside sb_security_lock in
selinux_complete_init. Detected by the kernel locking validator.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
From: Ralf Baechle <ralf@linux-mips.org>
<linux/mmzone.h> uses PAGE_SIZE, PAGE_SHIFT from <asm/page.h> without
including that header itself. For some sparsemem configurations this may
result in build errors like:
CC init/initramfs.o
In file included from include/linux/gfp.h:4,
from include/linux/slab.h:15,
from include/linux/percpu.h:4,
from include/linux/rcupdate.h:41,
from include/linux/dcache.h:10,
from include/linux/fs.h:226,
from init/initramfs.c:2:
include/linux/mmzone.h:498:22: warning: "PAGE_SHIFT" is not defined
In file included from include/linux/gfp.h:4,
from include/linux/slab.h:15,
from include/linux/percpu.h:4,
from include/linux/rcupdate.h:41,
from include/linux/dcache.h:10,
from include/linux/fs.h:226,
from init/initramfs.c:2:
include/linux/mmzone.h:526: error: `PAGE_SIZE' undeclared here (not in a function)
include/linux/mmzone.h: In function `__pfn_to_section':
include/linux/mmzone.h:573: error: `PAGE_SHIFT' undeclared (first use in this function)
include/linux/mmzone.h:573: error: (Each undeclared identifier is reported only once
include/linux/mmzone.h:573: error: for each function it appears in.)
include/linux/mmzone.h: In function `pfn_valid':
include/linux/mmzone.h:578: error: `PAGE_SHIFT' undeclared (first use in this function)
make[1]: *** [init/initramfs.o] Error 1
make: *** [init] Error 2
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Seems-reasonable-to: Andy Whitcroft <apw@shadowen.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
From: Peter Oberparleiter <peter.oberparleiter@de.ibm.com>
The path grouping can fail due to non-unique pathgroup-IDs. The source for
the CPU-ID part of the ID was incorrectly specified on 64 bit systems.
Additionally, the length of the ID was too large due to incorrect data packing
declaration. Fix CPU-ID lowcore address and add missing packing declaration.
Signed-off-by: Peter Oberparleiter <peter.oberparleiter@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
From: Florin Malita <fmalita@gmail.com>
The skb may be gone after netif_rx(), we can't use 'skb->len' to update the
stats. 'pkt_len' should work instead.
Coverity CID: 911.
Signed-off-by: Florin Malita <fmalita@gmail.com>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Acked-by: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Patch from Steve Yang
MACHINE_START struct doesn't have any bootargs location for the
mainstone. Result is no kernel command args get passed; no serial driver
is selected for console and results in a silent boot failure.
Signed-off-by: Steve Yang <steve.yang@windriver.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
When ipoib_stop() is called it first calls netif_stop_queue() to stop
the kernel from passing more packets to the network driver. However,
the completion handler may call netif_wake_queue() re-enabling packet
transfer.
This might result in leaks (we see AH leaks which we think can be
attributed to this bug) as new packets get posted while the interface
is going down.
Signed-off-by: Eli Cohen <eli@mellanox.co.il>
Signed-off-by: Michael Tsirkin <mst@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Replacing mistyped "buad" with "baud" where applicable.
Signed-off-by: Horst Schirmeier <horst@schirmeier.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Both csum_partial() and the csum_partial_copy*() family of routines
forget to do a final fold on the computed checksum value on sparc64.
So do the standard Sparc "add + set condition codes, add carry"
sequence, then make sure the high 32-bits of the return value are
clear.
Based upon some excellent detective work and debugging done by
Richard Braun and Samuel Thibault.
Signed-off-by: David S. Miller <davem@davemloft.net>
The driver is selectable on other than Au1200 Alchemy systems but won't
build nor work - there is no MMC hw.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
* master.kernel.org:/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6:
[SCSI] scsi_lib.c: properly count the number of pages in scsi_req_map_sg()
[SCSI] scsi_transport_sas: make write attrs writeable
[SCSI] scsi_transport_sas; fix user_scan
[SCSI] ppa: fix for machines with highmem
[SCSI] mptspi: reset handler shouldn't be called for other bus protocols
[SCSI] Blacklist entry for HP dat changer
When snd_cwnd is smaller than 38 and the connection is in
congestion avoidance phase (snd_cwnd > snd_ssthresh), the snd_cwnd
seems to stop growing.
The additive increase was confused because C array's are 0 based.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
* master.kernel.org:/home/rmk/linux-2.6-arm:
[ARM] 3540/1: ixp23xx: deal with gap in interrupt bitmasks
[ARM] 3539/1: ixp23xx: fix __arch_ixp23xx_is_coherent() for A1 stepping
* master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6:
[SPARC64]: Fix D-cache corruption in mremap
[SPARC64]: Make smp_processor_id() functional before start_kernel()
Patch from Lennert Buytenhek
On the ixp23xx, the microengine thread interrupt sources are numbered
56..119, but their mask/status bits are located in bit positions 64..127
in the various registers in the interrupt controller (bit positions
56..63 are unused.)
We don't deal with this, so currently, when asked to enable IRQ 64, we
will enable IRQ 56 instead.
The only interrupts >= 64 are the thread interrupt sources, and there
are no in-tree users of those yet, so this is fortunately not a big
problem, but this needs fixing anyway.
Signed-off-by: Lennert Buytenhek <buytenh@wantstofly.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Patch from Lennert Buytenhek
The current __ixp23xx_arch_is_coherent() check assumes that the
lower byte of IXP23XX_PRODUCT_ID is identical to the lower byte of
processor_id, but this is not the case, and because of this we were
incorrectly enabling coherency on A1 stepping CPUs.
Stepping A1 of the ixp2350, which has a PRODUCT_ID of 0x401, has '02'
in the lower byte of processor_id, while A2, with a PRODUCT_ID of
0x402, has '04' in the lower byte of processor_id.
So, to check for >= A2, we really need to check the lower byte of
processor_id against >= 4.
Signed-off-by: Lennert Buytenhek <buytenh@wantstofly.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
mm/slab.c's offlab_limit logic is totally broken.
Firstly, "offslab_limit" is a global variable while it should either be
calculated in situ or should be passed in as a parameter.
Secondly, the more serious problem with it is that the condition for
calculating it:
if (!(OFF_SLAB(sizes->cs_cachep))) {
offslab_limit = sizes->cs_size - sizeof(struct slab);
offslab_limit /= sizeof(kmem_bufctl_t);
is in total disconnect with the condition that makes use of it:
/* More than offslab_limit objects will cause problems */
if ((flags & CFLGS_OFF_SLAB) && num > offslab_limit)
break;
but due to offslab_limit being a global variable this breakage was
hidden.
Up until lockdep came along and perturbed the slab sizes sufficiently so
that the first off-slab cache would still see a (non-calculated) zero
value for offslab_limit and would panic with:
kmem_cache_create: couldn't create cache size-512.
Call Trace:
[<ffffffff8020a5b9>] show_trace+0x96/0x1c8
[<ffffffff8020a8f0>] dump_stack+0x13/0x15
[<ffffffff8022994f>] panic+0x39/0x21a
[<ffffffff80270814>] kmem_cache_create+0x5a0/0x5d0
[<ffffffff80aced62>] kmem_cache_init+0x193/0x379
[<ffffffff80abf779>] start_kernel+0x17f/0x218
[<ffffffff80abf263>] _sinittext+0x263/0x26a
Kernel panic - not syncing: kmem_cache_create(): failed to create slab `size-512'
Paolo Ornati's config on x86_64 managed to trigger it.
The fix is to move the calculation to the place that makes use of it.
This also makes slab.o 54 bytes smaller.
Btw., the check itself is quite silly. Its intention is to test whether
the number of objects per slab would be higher than the number of slab
control pointers possible. In theory it could be triggered: if someone
tried to allocate 4-byte objects cache and explicitly requested with
CFLGS_OFF_SLAB. So i kept the check.
Out of historic interest i checked how old this bug was and it's
ancient, 10 years old! It is the oldest hidden and then truly triggering
bugs i ever saw being fixed in the kernel!
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Update documentation to match reality. INPCK controls whether input
parity checking is enabled.
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
If we move a mapping from one virtual address to another,
and this changes the virtual color of the mapping to those
pages, we can see corrupt data due to D-cache aliasing.
Check for and deal with this by overriding the move_pte()
macro. Set things up so that other platforms can cleanly
override the move_pte() macro too.
Signed-off-by: David S. Miller <davem@davemloft.net>
Fix the incorrect calculation of how much to zero out in struct cm4000_dev
on device initialization.
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
The result of pcmcia_get_socket() may be NULL but ds_event() uses it
without checking.
Coverity CID: 436.
Signed-off-by: Florin Malita <fmalita@gmail.com>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Now that we select busy_rr for possible service, insert entries at the
back of that list instead of at the front.
Signed-off-by: Jens Axboe <axboe@suse.de>
The calculation of nr_pages in scsi_req_map_sg() doesn't account for
the fact that the first page could have an offset that pushes the end
of the buffer onto a new page.
Signed-off-by: Bryan Holty <lgeek@frontiernet.net>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>