1. 26 Mar, 2015 2 commits
  2. 06 Mar, 2015 4 commits
  3. 14 Nov, 2014 1 commit
  4. 17 Sep, 2014 2 commits
  5. 01 Jul, 2014 1 commit
  6. 07 Jun, 2014 3 commits
  7. 27 Apr, 2014 1 commit
  8. 22 Feb, 2014 1 commit
    • Paul Bolle's avatar
      raw: test against runtime value of max_raw_minors · 5f32e463
      Paul Bolle authored
      commit 5bbb2ae3d6f896f8d2082d1eceb6131c2420b7cf upstream.
      
      bind_get() checks the device number it is called with. It uses
      MAX_RAW_MINORS for the upper bound. But MAX_RAW_MINORS is set at compile
      time while the actual number of raw devices can be set at runtime. This
      means the test can either be too strict or too lenient. And if the test
      ends up being too lenient bind_get() might try to access memory beyond
      what was allocated for "raw_devices".
      
      So check against the runtime value (max_raw_minors) in this function.
      Signed-off-by: default avatarPaul Bolle <pebolle@tiscali.nl>
      Acked-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5f32e463
  9. 06 Feb, 2014 2 commits
    • Peter Huewe's avatar
      tpm/tpm_ppi: Do not compare strcmp(a,b) == -1 · 2e59688b
      Peter Huewe authored
      commit 747d35bd9bb4ae6bd74b19baa5bbe32f3e0cee11 upstream.
      
      Depending on the implementation strcmp might return the difference between
      two strings not only -1,0,1 consequently
       if (strcmp (a,b) == -1)
      might lead to taking the wrong branch
      
      -> compare with < 0  instead,
      which in any case is more canonical.
      Signed-off-by: default avatarPeter Huewe <peterhuewe@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2e59688b
    • Peter Huewe's avatar
      tpm/tpm_i2c_stm_st33: Check return code of get_burstcount · 9bf4d6c3
      Peter Huewe authored
      commit 85c5e0d451125c6ddb78663972e40af810b83644 upstream.
      
      The 'get_burstcount' function can in some circumstances 'return -EBUSY' which
      in tpm_stm_i2c_send is stored in an 'u32 burstcnt'
      thus converting the signed value into an unsigned value, resulting
      in 'burstcnt' being huge.
      Changing the type to u32 only does not solve the problem as the signed
      value is converted to an unsigned in I2C_WRITE_DATA, resulting in the
      same effect.
      
      Thus
      -> Change type of burstcnt to u32 (the return type of get_burstcount)
      -> Add a check for the return value of 'get_burstcount' and propagate a
      potential error.
      
      This makes also sense in the 'I2C_READ_DATA' case, where the there is no
      signed/unsigned conversion.
      
      found by coverity
      Signed-off-by: default avatarPeter Huewe <peterhuewe@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9bf4d6c3
  10. 15 Jan, 2014 1 commit
  11. 12 Dec, 2013 1 commit
  12. 18 Oct, 2013 1 commit
  13. 15 Aug, 2013 7 commits
    • Amit Shah's avatar
      virtio: console: return -ENODEV on all read operations after unplug · 61ffac73
      Amit Shah authored
      commit 96f97a83910cdb9d89d127c5ee523f8fc040a804 upstream.
      
      If a port gets unplugged while a user is blocked on read(), -ENODEV is
      returned.  However, subsequent read()s returned 0, indicating there's no
      host-side connection (but not indicating the device went away).
      
      This also happened when a port was unplugged and the user didn't have
      any blocking operation pending.  If the user didn't monitor the SIGIO
      signal, they won't have a chance to find out if the port went away.
      
      Fix by returning -ENODEV on all read()s after the port gets unplugged.
      write() already behaves this way.
      Signed-off-by: default avatarAmit Shah <amit.shah@redhat.com>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      61ffac73
    • Amit Shah's avatar
      virtio: console: fix raising SIGIO after port unplug · 2817b99f
      Amit Shah authored
      commit 92d3453815fbe74d539c86b60dab39ecdf01bb99 upstream.
      
      SIGIO should be sent when a port gets unplugged.  It should only be sent
      to prcesses that have the port opened, and have asked for SIGIO to be
      delivered.  We were clearing out guest_connected before calling
      send_sigio_to_port(), resulting in a sigio not getting sent to
      processes.
      
      Fix by setting guest_connected to false after invoking the sigio
      function.
      Signed-off-by: default avatarAmit Shah <amit.shah@redhat.com>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2817b99f
    • Amit Shah's avatar
      virtio: console: clean up port data immediately at time of unplug · 707ea94e
      Amit Shah authored
      commit ea3768b4386a8d1790f4cc9a35de4f55b92d6442 upstream.
      
      We used to keep the port's char device structs and the /sys entries
      around till the last reference to the port was dropped.  This is
      actually unnecessary, and resulted in buggy behaviour:
      
      1. Open port in guest
      2. Hot-unplug port
      3. Hot-plug a port with the same 'name' property as the unplugged one
      
      This resulted in hot-plug being unsuccessful, as a port with the same
      name already exists (even though it was unplugged).
      
      This behaviour resulted in a warning message like this one:
      
      -------------------8<---------------------------------------
      WARNING: at fs/sysfs/dir.c:512 sysfs_add_one+0xc9/0x130() (Not tainted)
      Hardware name: KVM
      sysfs: cannot create duplicate filename
      '/devices/pci0000:00/0000:00:04.0/virtio0/virtio-ports/vport0p1'
      
      Call Trace:
       [<ffffffff8106b607>] ? warn_slowpath_common+0x87/0xc0
       [<ffffffff8106b6f6>] ? warn_slowpath_fmt+0x46/0x50
       [<ffffffff811f2319>] ? sysfs_add_one+0xc9/0x130
       [<ffffffff811f23e8>] ? create_dir+0x68/0xb0
       [<ffffffff811f2469>] ? sysfs_create_dir+0x39/0x50
       [<ffffffff81273129>] ? kobject_add_internal+0xb9/0x260
       [<ffffffff812733d8>] ? kobject_add_varg+0x38/0x60
       [<ffffffff812734b4>] ? kobject_add+0x44/0x70
       [<ffffffff81349de4>] ? get_device_parent+0xf4/0x1d0
       [<ffffffff8134b389>] ? device_add+0xc9/0x650
      
      -------------------8<---------------------------------------
      
      Instead of relying on guest applications to release all references to
      the ports, we should go ahead and unregister the port from all the core
      layers.  Any open/read calls on the port will then just return errors,
      and an unplug/plug operation on the host will succeed as expected.
      
      This also caused buggy behaviour in case of the device removal (not just
      a port): when the device was removed (which means all ports on that
      device are removed automatically as well), the ports with active
      users would clean up only when the last references were dropped -- and
      it would be too late then to be referencing char device pointers,
      resulting in oopses:
      
      -------------------8<---------------------------------------
      PID: 6162   TASK: ffff8801147ad500  CPU: 0   COMMAND: "cat"
       #0 [ffff88011b9d5a90] machine_kexec at ffffffff8103232b
       #1 [ffff88011b9d5af0] crash_kexec at ffffffff810b9322
       #2 [ffff88011b9d5bc0] oops_end at ffffffff814f4a50
       #3 [ffff88011b9d5bf0] die at ffffffff8100f26b
       #4 [ffff88011b9d5c20] do_general_protection at ffffffff814f45e2
       #5 [ffff88011b9d5c50] general_protection at ffffffff814f3db5
          [exception RIP: strlen+2]
          RIP: ffffffff81272ae2  RSP: ffff88011b9d5d00  RFLAGS: 00010246
          RAX: 0000000000000000  RBX: ffff880118901c18  RCX: 0000000000000000
          RDX: ffff88011799982c  RSI: 00000000000000d0  RDI: 3a303030302f3030
          RBP: ffff88011b9d5d38   R8: 0000000000000006   R9: ffffffffa0134500
          R10: 0000000000001000  R11: 0000000000001000  R12: ffff880117a1cc10
          R13: 00000000000000d0  R14: 0000000000000017  R15: ffffffff81aff700
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
       #6 [ffff88011b9d5d00] kobject_get_path at ffffffff8126dc5d
       #7 [ffff88011b9d5d40] kobject_uevent_env at ffffffff8126e551
       #8 [ffff88011b9d5dd0] kobject_uevent at ffffffff8126e9eb
       #9 [ffff88011b9d5de0] device_del at ffffffff813440c7
      
      -------------------8<---------------------------------------
      
      So clean up when we have all the context, and all that's left to do when
      the references to the port have dropped is to free up the port struct
      itself.
      Reported-by: default avatarchayang <chayang@redhat.com>
      Reported-by: default avatarYOGANANTH SUBRAMANIAN <anantyog@in.ibm.com>
      Reported-by: default avatarFuXiangChun <xfu@redhat.com>
      Reported-by: default avatarQunfang Zhang <qzhang@redhat.com>
      Reported-by: default avatarSibiao Luo <sluo@redhat.com>
      Signed-off-by: default avatarAmit Shah <amit.shah@redhat.com>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      707ea94e
    • Amit Shah's avatar
      virtio: console: fix race in port_fops_open() and port unplug · 60391483
      Amit Shah authored
      commit 671bdea2b9f210566610603ecbb6584c8a201c8c upstream.
      
      Between open() being called and processed, the port can be unplugged.
      Check if this happened, and bail out.
      
      A simple test script to reproduce this is:
      
      while true; do for i in $(seq 1 100); do echo $i > /dev/vport0p3; done; done;
      
      This opens and closes the port a lot of times; unplugging the port while
      this is happening triggers the bug.
      Signed-off-by: default avatarAmit Shah <amit.shah@redhat.com>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      60391483
    • Amit Shah's avatar
      virtio: console: fix race with port unplug and open/close · 7b9f0c23
      Amit Shah authored
      commit 057b82be3ca3d066478e43b162fc082930a746c9 upstream.
      
      There's a window between find_port_by_devt() returning a port and us
      taking a kref on the port, where the port could get unplugged.  Fix it
      by taking the reference in find_port_by_devt() itself.
      
      Problem reported and analyzed by Mateusz Guzik.
      Reported-by: default avatarMateusz Guzik <mguzik@redhat.com>
      Signed-off-by: default avatarAmit Shah <amit.shah@redhat.com>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7b9f0c23
    • Yoshihiro YUNOMAE's avatar
      virtio/console: Add pipe_lock/unlock for splice_write · 98c9710e
      Yoshihiro YUNOMAE authored
      commit 2b4fbf029dff5a28d9bf646346dea891ec43398a upstream.
      
      Add pipe_lock/unlock for splice_write to avoid oops by following competition:
      
      (1) An application gets fds of a trace buffer, virtio-serial, pipe.
      (2) The application does fork()
      (3) The processes execute splice_read(trace buffer) and
          splice_write(virtio-serial) via same pipe.
      
              <parent>                   <child>
        get fds of a trace buffer,
               virtio-serial, pipe
                |
              fork()----------create--------+
                |                           |
            splice(read)                    |           ---+
            splice(write)                   |              +-- no competition
                |                       splice(read)       |
                |                       splice(write)   ---+
                |                           |
            splice(read)                    |
            splice(write)               splice(read)    ------ competition
                |                       splice(write)
      
      Two processes share a pipe_inode_info structure. If the child execute
      splice(read) when the parent tries to execute splice(write), the
      structure can be broken. Existing virtio-serial driver does not get
      lock for the structure in splice_write, so this competition will induce
      oops.
      
      <oops messages>
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
       IP: [<ffffffff811a6b5f>] splice_from_pipe_feed+0x6f/0x130
       PGD 7223e067 PUD 72391067 PMD 0
       Oops: 0000 [#1] SMP
       Modules linked in: lockd bnep bluetooth rfkill sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_timer snd soundcore pcspkr virtio_net virtio_balloon i2c_piix4 i2c_core microcode uinput floppy
       CPU: 0 PID: 1072 Comm: compete-test Not tainted 3.10.0ws+ #55
       Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
       task: ffff880071b98000 ti: ffff88007b55e000 task.ti: ffff88007b55e000
       RIP: 0010:[<ffffffff811a6b5f>]  [<ffffffff811a6b5f>] splice_from_pipe_feed+0x6f/0x130
       RSP: 0018:ffff88007b55fd78  EFLAGS: 00010287
       RAX: 0000000000000000 RBX: ffff88007b55fe20 RCX: 0000000000000000
       RDX: 0000000000001000 RSI: ffff88007a95ba30 RDI: ffff880036f9e6c0
       RBP: ffff88007b55fda8 R08: 00000000000006ec R09: ffff880077626708
       R10: 0000000000000003 R11: ffffffff8139ca59 R12: ffff88007a95ba30
       R13: 0000000000000000 R14: ffffffff8139dd00 R15: ffff880036f9e6c0
       FS:  00007f2e2e3a0740(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
       CR2: 0000000000000018 CR3: 0000000071bd1000 CR4: 00000000000006f0
       DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
       Stack:
        ffffffff8139ca59 ffff88007b55fe20 ffff880036f9e6c0 ffffffff8139dd00
        ffff8800776266c0 ffff880077626708 ffff88007b55fde8 ffffffff811a6e8e
        ffff88007b55fde8 ffffffff8139ca59 ffff880036f9e6c0 ffff88007b55fe20
       Call Trace:
        [<ffffffff8139ca59>] ? alloc_buf.isra.13+0x39/0xb0
        [<ffffffff8139dd00>] ? virtcons_restore+0x100/0x100
        [<ffffffff811a6e8e>] __splice_from_pipe+0x7e/0x90
        [<ffffffff8139ca59>] ? alloc_buf.isra.13+0x39/0xb0
        [<ffffffff8139d739>] port_fops_splice_write+0xe9/0x140
        [<ffffffff8127a3f4>] ? selinux_file_permission+0xc4/0x120
        [<ffffffff8139d650>] ? wait_port_writable+0x1b0/0x1b0
        [<ffffffff811a6fe0>] do_splice_from+0xa0/0x110
        [<ffffffff811a951f>] SyS_splice+0x5ff/0x6b0
        [<ffffffff8161facf>] tracesys+0xdd/0xe2
       Code: 49 8b 87 80 00 00 00 4c 8d 24 d0 8b 53 04 41 8b 44 24 0c 4d 8b 6c 24 10 39 d0 89 03 76 02 89 13 49 8b 44 24 10 4c 89 e6 4c 89 ff <ff> 50 18 85 c0 0f 85 aa 00 00 00 48 89 da 4c 89 e6 4c 89 ff 41
       RIP  [<ffffffff811a6b5f>] splice_from_pipe_feed+0x6f/0x130
        RSP <ffff88007b55fd78>
       CR2: 0000000000000018
       ---[ end trace 24572beb7764de59 ]---
      
      V2: Fix a locking problem for error
      V3: Add Reviewed-by lines and stable@ line in sign-off area
      Signed-off-by: default avatarYoshihiro YUNOMAE <yoshihiro.yunomae.ez@hitachi.com>
      Reviewed-by: default avatarAmit Shah <amit.shah@redhat.com>
      Reviewed-by: default avatarMasami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
      Cc: Amit Shah <amit.shah@redhat.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      98c9710e
    • Yoshihiro YUNOMAE's avatar
      virtio/console: Quit from splice_write if pipe->nrbufs is 0 · 81b80fb8
      Yoshihiro YUNOMAE authored
      commit 68c034fefe20eaf7d5569aae84584b07987ce50a upstream.
      
      Quit from splice_write if pipe->nrbufs is 0 for avoiding oops in virtio-serial.
      
      When an application was doing splice from a kernel buffer to virtio-serial on
      a guest, the application received signal(SIGINT). This situation will normally
      happen, but the kernel executed a kernel panic by oops as follows:
      
       BUG: unable to handle kernel paging request at ffff882071c8ef28
       IP: [<ffffffff812de48f>] sg_init_table+0x2f/0x50
       PGD 1fac067 PUD 0
       Oops: 0000 [#1] SMP
       Modules linked in: lockd sunrpc bnep bluetooth rfkill ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_timer snd microcode virtio_balloon virtio_net pcspkr soundcore i2c_piix4 i2c_core uinput floppy
       CPU: 1 PID: 908 Comm: trace-cmd Not tainted 3.10.0+ #49
       Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
       task: ffff880071c64650 ti: ffff88007bf24000 task.ti: ffff88007bf24000
       RIP: 0010:[<ffffffff812de48f>]  [<ffffffff812de48f>] sg_init_table+0x2f/0x50
       RSP: 0018:ffff88007bf25dd8  EFLAGS: 00010286
       RAX: 0000001fffffffe0 RBX: ffff882071c8ef28 RCX: 0000000000000000
       RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880071c8ef48
       RBP: ffff88007bf25de8 R08: ffff88007fd15d40 R09: ffff880071c8ef48
       R10: ffffea0001c71040 R11: ffffffff8139c555 R12: 0000000000000000
       R13: ffff88007506a3c0 R14: ffff88007c862500 R15: ffff880071c8ef00
       FS:  00007f0a3646c740(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: ffff882071c8ef28 CR3: 000000007acbb000 CR4: 00000000000006e0
       DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
       Stack:
        ffff880071c8ef48 ffff88007bf25e20 ffff88007bf25e88 ffffffff8139d6fa
        ffff88007bf25e28 ffffffff8127a3f4 0000000000000000 0000000000000000
        ffff880071c8ef48 0000100000000000 0000000000000003 ffff88007bf25e08
       Call Trace:
        [<ffffffff8139d6fa>] port_fops_splice_write+0xaa/0x130
        [<ffffffff8127a3f4>] ? selinux_file_permission+0xc4/0x120
        [<ffffffff8139d650>] ? wait_port_writable+0x1b0/0x1b0
        [<ffffffff811a6fe0>] do_splice_from+0xa0/0x110
        [<ffffffff811a951f>] SyS_splice+0x5ff/0x6b0
        [<ffffffff8161f8c2>] system_call_fastpath+0x16/0x1b
       Code: c1 e2 05 48 89 e5 48 83 ec 10 4c 89 65 f8 41 89 f4 31 f6 48 89 5d f0 48 89 fb e8 8d ce ff ff 41 8d 44 24 ff 48 c1 e0 05 48 01 c3 <48> 8b 03 48 83 e0 fe 48 83 c8 02 48 89 03 48 8b 5d f0 4c 8b 65
       RIP  [<ffffffff812de48f>] sg_init_table+0x2f/0x50
        RSP <ffff88007bf25dd8>
       CR2: ffff882071c8ef28
       ---[ end trace 86323505eb42ea8f ]---
      
      It seems to induce pagefault in sg_init_tabel() when pipe->nrbufs is equal to
      zero. This may happen in a following situation:
      
      (1) The application normally does splice(read) from a kernel buffer, then does
          splice(write) to virtio-serial.
      (2) The application receives SIGINT when is doing splice(read), so splice(read)
          is failed by EINTR. However, the application does not finish the operation.
      (3) The application tries to do splice(write) without pipe->nrbufs.
      (4) The virtio-console driver tries to touch scatterlist structure sgl in
          sg_init_table(), but the region is out of bound.
      
      To avoid the case, a kernel should check whether pipe->nrbufs is empty or not
      when splice_write is executed in the virtio-console driver.
      
      V3: Add Reviewed-by lines and stable@ line in sign-off area.
      Signed-off-by: default avatarYoshihiro YUNOMAE <yoshihiro.yunomae.ez@hitachi.com>
      Reviewed-by: default avatarAmit Shah <amit.shah@redhat.com>
      Reviewed-by: default avatarMasami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
      Cc: Amit Shah <amit.shah@redhat.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      81b80fb8
  14. 12 Aug, 2013 2 commits
    • Arnd Bergmann's avatar
      hwrng: bcm2835: fix MODULE_LICENSE tag · d35fdd8c
      Arnd Bergmann authored
      commit 22e8099f4f6621b8d165e238cdef2a1cf655e159 upstream.
      
      The MODULE_LICENSE macro invocation must use either "GPL" or "GPL v2",
      but not "GPLv2" in order to be detected by the module loader.
      
      This fixes the allmodconfig build error:
      
      FATAL: modpost: GPL-incompatible module bcm2835-rng.ko uses GPL-only symbol 'platform_driver_unregister'
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarLubomir Rintel <lkundrak@v3.sk>
      Cc: Dom Cobley <popcornmix@gmail.com>
      Cc: Stephen Warren <swarren@wwwdotorg.org>
      Cc: Matt Mackall <mpm@selenic.com>
      Cc: linux-rpi-kernel@lists.infradead.org
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d35fdd8c
    • Alex Ivanov's avatar
      parisc: agp/parisc-agp: allow binding of user memory to the AGP GART · 6a3f7e9e
      Alex Ivanov authored
      commit 06f0cce43a32bd2357cea1d8733bba48693d556b upstream.
      
      Allow binding of user memory to the AGP GART on systems with HP
      Quicksilver AGP bus. This resolves 'bind memory failed' error seen in
      dmesg:
      
       [29.365973] [TTM] AGP Bind memory failed.
       …
       [29.367030] [drm] Forcing AGP to PCI mode
      
      The system doesn't more fail to bind the memory, and hence not falling
      back to the PCI mode (if other failures aren't detected).
      
      This is just a simple write down from the following patches:
      agp/amd-k7: Allow binding user memory to the AGP GART
      agp/hp-agp: Allow binding user memory to the AGP GART
      Signed-off-by: default avatarAlex Ivanov <gnidorah@p0n4ik.tk>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6a3f7e9e
  15. 24 May, 2013 2 commits
    • Jiri Kosina's avatar
      random: fix accounting race condition with lockless irq entropy_count update · 10b3a32d
      Jiri Kosina authored
      Commit 902c098a ("random: use lockless techniques in the interrupt
      path") turned IRQ path from being spinlock protected into lockless
      cmpxchg-retry update.
      
      That commit removed r->lock serialization between crediting entropy bits
      from IRQ context and accounting when extracting entropy on userspace
      read path, but didn't turn the r->entropy_count reads/updates in
      account() to use cmpxchg as well.
      
      It has been observed, that under certain circumstances this leads to
      read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets
      corrupted and becomes negative, which in turn results in propagating 0
      all the way from account() to the actual read() call.
      
      Convert the accounting code to be the proper lockless counterpart of
      what has been partially done by 902c098a.
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Greg KH <greg@kroah.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      10b3a32d
    • Jarod Wilson's avatar
      drivers/char/random.c: fix priming of last_data · 1e7e2e05
      Jarod Wilson authored
      Commit ec8f02da ("random: prime last_data value per fips
      requirements") added priming of last_data per fips requirements.
      
      Unfortuantely, it did so in a way that can lead to multiple threads all
      incrementing nbytes, but only one actually doing anything with the extra
      data, which leads to some fun random corruption and panics.
      
      The fix is to simply do everything needed to prime last_data in a single
      shot, so there's no window for multiple cpus to increment nbytes -- in
      fact, we won't even increment or decrement nbytes anymore, we'll just
      extract the needed EXTRACT_SIZE one time per pool and then carry on with
      the normal routine.
      
      All these changes have been tested across multiple hosts and
      architectures where panics were previously encoutered.  The code changes
      are are strictly limited to areas only touched when when booted in fips
      mode.
      
      This change should also go into 3.8-stable, to make the myriads of fips
      users on 3.8.x happy.
      Signed-off-by: default avatarJarod Wilson <jarod@redhat.com>
      Tested-by: default avatarJan Stancek <jstancek@redhat.com>
      Tested-by: default avatarJan Stodola <jstodola@redhat.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Matt Mackall <mpm@selenic.com>
      Cc: "Theodore Ts'o" <tytso@mit.edu>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1e7e2e05
  16. 21 May, 2013 1 commit
  17. 17 May, 2013 1 commit
    • salina@us.ibm.com's avatar
      Char: lp, protect LPGETSTATUS with port_mutex · 221ba151
      salina@us.ibm.com authored
      The patch fixes a problem in the lp driver that can cause oopses as
      follows:
      process A:	calls lp_write, which in turn calls
      		parport_ieee1284_write_compat, and that invokes
      		parport_wait_peripheral
      process B:	meanwhile does an ioctl(LPGETSTATUS), which call
      		lp_release_parport when done. This function will set
      		physport->cad = NULL.
      process A:	parport_wait_peripheral tries to dereference
      		physport->cad and dies
      
      So, protect that code with the port_mutex in order to protect against
      simultaneous calls to lp_read/lp_write.
      
      Similar protection is probably required for ioctl(LPRESET)...
      
      This patch was done by IBM a while back and we (at suse) have that
      since at least 2004 in our repos. Let's make it upstream.
      
      Signed-off-by: okir@suse.de
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      221ba151
  18. 16 May, 2013 4 commits
  19. 12 May, 2013 1 commit
  20. 08 May, 2013 2 commits