Proposed fix for ptep_get_and_clear_full PAE bug. Pte_clear had the same bug,
so use the same fix for both. Turns out pmd_clear had it as well, but pgds
are not affected.

The problem is rather intricate. Page table entries in PAE mode are 64 bits
wide, but the only atomic 8-byte write operation available in 32-bit mode is
cmpxchg8b, which is expensive (at least on P4), and thus avoided. But it can
happen that the processor may prefetch entries into the TLB in the middle of an
operation which clears a page table entry. So one must always clear the P-bit
in the low word of the page table entry first when clearing it.

Since the sequence *ptep = __pte(0) leaves the order of the write dependent on
the compiler, it must be coded explicitly as a clear of the low word followed
by a clear of the high word. Further, there must be a write memory barrier
here to enforce proper ordering by the compiler (and, in the future, by the
processor as well).

On > 4GB memory machines, the implementation of pte_clear for PAE was clearly
deficient, as it could leave virtual mappings of physical memory above 4GB
aliased to memory below 4GB in the TLB. The implementation of
ptep_get_and_clear_full has a similar bug, although not nearly as likely to
occur, since the mappings being cleared are in the process of being destroyed,
and should never be dereferenced again.

But, as luck would have it, it is possible to trigger bugs even without ever
dereferencing these bogus TLB mappings, even if the clear is followed fairly
soon after with a TLB flush or invalidation. The problem is that memory above
4GB may now be aliased into the first 4GB of memory, and in fact, may hit a
region of memory with non-memory semantics. These regions include AGP and PCI
space. As such, these memory regions are not cached by the processor. This
introduces the bug.

The processor can speculate memory operations, including memory writes, as long
as they are committed with the proper ordering. Speculating a memory write to
a linear address that has a bogus TLB mapping is possible. Normally, the
speculation is harmless. But for cached memory, it does leave the falsely
speculated cacheline unmodified, but in a dirty state. This cache line will be
eventually written back. If this cacheline happens to intersect a region of
memory that is not protected by the cache coherency protocol, it can corrupt
data in I/O memory, which is generally a very bad thing to do, and can cause
total system failure or just plain undefined behavior.

These bugs are extremely unlikely, but the severity is of such magnitude, and
the fix so simple that I think fixing them immediately is justified. Also,
they are nearly impossible to debug.

Signed-off-by: Zachary Amsden <zach@vmware.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

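The store-ordering rule from the commit message above, as an added user-space C model (not the kernel's code and not part of the patch). The struct layout, the names and the mid-update snapshot are assumptions made for illustration; the sample entry is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT 0x1u   /* P-bit, held in the low word */
/* Assumed model of a PAE entry that is updated with two 32-bit stores. */
struct pae_pte { uint32_t low, high; };

/* Compiler-only barrier standing in for the write barrier in the message. */
#define wmb_model() __asm__ __volatile__("" ::: "memory")

/* Frame address a page walker would derive (NX/reserved bits ignored here). */
static uint64_t phys_of(struct pae_pte s)
{
    return ((uint64_t)s.high << 32) | (s.low & ~0xfffu);
}

/* Fixed order: low word (P-bit) first; returns the entry between the stores. */
static struct pae_pte clear_low_first(struct pae_pte *p)
{
    p->low = 0;
    wmb_model();
    struct pae_pte mid = *p;
    p->high = 0;
    return mid;
}

/* Order a compiler is free to pick for *ptep = __pte(0): high word first. */
static struct pae_pte clear_high_first(struct pae_pte *p)
{
    p->high = 0;
    wmb_model();
    struct pae_pte mid = *p;
    p->low = 0;
    return mid;
}

/* A torn entry is hazardous if still present but pointing at another frame. */
static int torn_alias(struct pae_pte mid, uint64_t orig_phys)
{
    return (mid.low & PTE_PRESENT) && phys_of(mid) != orig_phys;
}

int main(void)
{
    struct pae_pte a = { 0x12345067u, 0x1u }, b = a;  /* constructed: frame above 4GB */
    uint64_t orig = phys_of(a);
    printf("low first:  alias=%d\n", torn_alias(clear_low_first(&a), orig));
    printf("high first: alias=%d\n", torn_alias(clear_high_first(&b), orig));
    return 0;
}
```

With the high word cleared first, the intermediate entry is still present and resolves to the same frame number below 4GB, which is the aliasing the message describes.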
This patch adds support for an ASK RDR 400 series contactless card
reader <http://www.ask.fr/uk/products_and_services/terminals.html> to
the ftdi_sio driver's device ID table. The product ID was supplied by
Adriano Couto on the ftdi-usb-sio-devel list.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Adds support in ftdi_sio usbserial driver for USB modems sold by
Plus GSM Company in Poland.
Signed-off-by: Luiz Fernando Capitulino <lcapitulino@mandriva.com.br>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

This patch adds recognition of the RR-CirKits LocoBuffer USB
to the existing FTDI driver. http://www.rr-cirkits.com
Signed-off-by: Nathan Bronson <ngb@sns-usa.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

We could use the recently added PCI_CLASS_SERIAL_USB_UHCI,
PCI_CLASS_SERIAL_USB_OHCI and PCI_CLASS_SERIAL_USB_EHCI defines in
more places, for slightly shorter and clearer code.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

This patch (as671) fixes a bug in the error pathway for the net2280
probe routine. A failure during probe will cause the driver to call
pci_get_drvdata before the corresponding pci_set_drvdata has been set.
The patch also does a kzalloc conversion.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

This patch (as670) adds a check for whether a shared IRQ was actually
generated by the net2280 device.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

This patch (as669) fixes a bug in the net2280 driver. Now it will
properly send zero-length packets on ep0 until the control status stage
occurs.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

This patch (as668) fixes a typo in net2280. The handler for 0-length
control-IN requests should check that the endpoint _isn't_ halted before
sending a 0-length packet.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Originally submitted by Olivier Blondeau <zeitoun@gmail.com>, with re-diffing
by me. Adds a new atmel unusual_dev entry.
Signed-off-by: Phil Dibowitz <phil@ipom.com>

This patch removes the Protocol portion of the Iomega Click! device as it's not
needed. Not-needed message reported by Kenneth Crudup <kenny@panix.com>
Signed-off-by: Phil Dibowitz <phil@ipom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Add new iTegno usb CDMA 1x card (usbid '0eba:2080') support to pl2303 driver
Signed-off-by: Wang Jun <wangjun1974@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

We may return from drivers/usb/serial/whiteheat.c::whiteheat_attach()
without freeing `result' if we leave via the no_firmware: label.
Spotted by the coverity checker as #670
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

In the branch emulation for floating-point exceptions, __compute_return_epc
must determine for bc1f et al which condition code bit to test. This is
based on bits <4:2> of the rt field. The switch statement to distinguish
bc1f et al needs to use only the two low bits of rt, but the old code tests
on the whole rt field. This patch masks off the proper bits.
Signed-off-by: Win Treese <treese@acm.org>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

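The rt-field decode described in the commit message above, as an added C model (not the kernel's __compute_return_epc and not part of the patch). All function and type names are hypothetical; the field positions follow the MIPS COP1 branch encoding and the FCSR condition-code layout, and the instruction word is constructed.

```c
#include <stdint.h>

/* Names below are hypothetical; rt = cc<<2 | nd<<1 | tf for bc1f/bc1t/bc1fl/bc1tl. */
enum bc1_kind { BC1F = 0, BC1T = 1, BC1FL = 2, BC1TL = 3, BC1_NONE = -1 };
struct bc1 { enum bc1_kind kind; unsigned cc; };

/* Build a constructed bc1* instruction word (COP1 opcode 0x11, BC sub-op 0x08). */
static uint32_t mk_bc1(unsigned cc, unsigned nd, unsigned tf, uint16_t off)
{
    return (0x11u << 26) | (0x08u << 21) | ((cc << 2 | nd << 1 | tf) << 16) | off;
}

static unsigned rt_field(uint32_t insn) { return (insn >> 16) & 0x1f; }
/* Decode as the patch describes: low two bits pick the variant, <4:2> the cc. */
static struct bc1 decode_masked(uint32_t insn)
{
    unsigned rt = rt_field(insn);
    struct bc1 d = { (enum bc1_kind)(rt & 3), rt >> 2 };
    return d;
}

/* Model of the old behaviour: the variant test sees the whole rt field. */
static struct bc1 decode_whole_rt(uint32_t insn)
{
    unsigned rt = rt_field(insn);
    struct bc1 d = { BC1_NONE, rt >> 2 };
    if (rt <= 3)
        d.kind = (enum bc1_kind)rt;
    return d;
}

/* FCSR bit holding condition code cc: FCC0 is bit 23, FCC1..7 are bits 25..31. */
static unsigned fcc_bit(unsigned cc) { return 23 + cc + (cc != 0); }
/* 1 if the branch is taken, 0 if not, -1 if the variant was not recognised. */
static int bc1_taken(struct bc1 d, uint32_t fcsr)
{
    int set = (fcsr >> fcc_bit(d.cc)) & 1;
    switch (d.kind) {
    case BC1F: case BC1FL: return !set;
    case BC1T: case BC1TL: return set;
    default: return -1;
    }
}

int main(void)
{
    uint32_t insn = mk_bc1(2, 0, 1, 4);   /* constructed: bc1t on condition code 2 */
    return bc1_taken(decode_masked(insn), 1u << 26) == 1 ? 0 : 1;
}
```

Both decoders agree while the condition code is 0; they diverge as soon as bits <4:2> of rt are non-zero, which is the case the patch addresses.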
imajor()/iminor() should be used instead of accessing r_dev directly.
Based on patch from Eric Sesterhenn (snakebyte@gmx.de).
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

It's been a horrible source of confusion and led users to shoot themselves
into both feet with uzis to no end.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

This commit breaks sparse for 64bit kernel. The -m64 option is
required. Also, some macro values (such as _MIPS_TUNE, etc.) contain
double-quote characters so it would be better quoting arguments by
single-quote characters.
Signed-off-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

With recent rewrite for generic bitops, ffs() is defined the same way
as the libc and compiler built-in routines (returns int instead of
unsigned long). Use __ffs() for 64bit value.
Signed-off-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

With recent rewrite for generic bitops, fls() for 32bit kernel with
MIPS64_CPU is broken. Also, ffs(), fls() should be defined the same
way as the libc and compiler built-in routines (returns int instead of
unsigned long).
Signed-off-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

Use the new find_get_pages_contig() to potentially look up the entire
splice range in one single call. This speeds up generic_file_splice_read()
quite a bit.
Signed-off-by: Jens Axboe <axboe@suse.de>

find_get_pages_contig() will break out if we hit a hole in the page cache.
From Andrew Morton, small modifications and documentation by me.
Signed-off-by: Jens Axboe <axboe@suse.de>

There was a whole load of crap exposed which should have been inside the
existing #ifdef __KERNEL__ part. Also hide struct sched_param for now,
since glibc has its own and doesn't like being given ours (yet).
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Don't include <linux/sched.h> outside __KERNEL__, and split the EM_xxx
definitions out of elf.h into elf-em.h so that audit.h can include just
that and not pollute the namespace any further than it needs to.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

* master.kernel.org:/home/rmk/linux-2.6-arm:
  [ARM] nommu: trivial fixups for head-nommu.S and the Makefile
  [ARM] vfp: fix leak of VFP_NAN_FLAG into FPSCR
  [ARM] 3484/1: Correct AEABI CFLAGS for correct enum handling

A few of the notifier_chain_register() callers use __init in the definition
of notifier_call. It is incorrect as the function definition should be
available after the initializations (they do not unregister them during
initializations).

This patch fixes all such usages to _not_ have the notifier_call __init
section.
Signed-off-by: Chandra Seetharaman <sekharan@us.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

A few of the notifier_chain_register() callers use __devinitdata in the
definition of notifier_block data structure. It is incorrect as the
data structure should be available after the initializations (they do
not unregister them during initializations).

This was leading to an oops when notifier_chain_register() call is
invoked for those callback chains after initialization.

This patch fixes all such usages to _not_ have the notifier_block data
structure in the init data section.
Signed-off-by: Chandra Seetharaman <sekharan@us.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

This patch addresses a flaw in LSM, where there is no mediation of readv()
and writev() for 32-bit compatible apps using a 64-bit kernel.

This bug was discovered and fixed initially in the native readv/writev
code [1], but was not fixed in the compat code. Thanks to Al for spotting
this one.

[1] http://lwn.net/Articles/154282/
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

All modifications of ->i_flags in inodes that might be visible to
somebody else must be under ->i_mutex. That patch fixes ext3 ioctl()
setting S_APPEND and friends.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

Switched to use of sys_pread64()/sys_pwrite64() rather than keep duplicating
their guts; among the little things that had been missing there were such as

	ret = security_file_permission (file, MAY_READ);

Gotta love the LSM robustness, right?
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

sbi->s_group_desc is an array of pointers to buffer_head. memcpy() of
buffer size from address of buffer_head is a bad idea - it will generate
junk in any case, may oops if buffer_head is close to the end of slab
page and next page is not mapped and isn't what was intended there.
IOW, ->b_data is missing in that call. Fortunately, result doesn't go
into the primary on-disk data structures, so only backup ones get crap
written to them; that had allowed this bug to remain unnoticed until
now.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6:
  [PATCH] forcedeth: fix initialization
  [PATCH] sky2: version 1.2
  [PATCH] sky2: reset function can be devinit
  [PATCH] sky2: use ALIGN() macro
  [PATCH] sky2: add fake idle irq timer
  [PATCH] sky2: reschedule if irq still pending
  [PATCH] bcm43xx: make PIO mode usable
  [PATCH] bcm43xx: add to MAINTAINERS
  [PATCH] softmac: fix SIOCSIWAP
  [PATCH] Fix crash on big-endian systems during scan
  e1000: Update truesize with the length of the packet for packet split
  [PATCH] Fix locking in gianfar