  1. Nov 22, 2010
    • Linux 2.6.27.56 · 15816687
      Greg Kroah-Hartman authored
      v2.6.27.56
    • Fix race when removing SCSI devices · 7a951eac
      Christof Schmitt authored
      commit 546ae796 upstream.
      
      Removing SCSI devices through
      echo 1 > /sys/bus/scsi/devices/ ... /delete
      
      while the FC transport class removes the SCSI target can lead to an
      oops:
      
      Unable to handle kernel pointer dereference at virtual kernel address 00000000b6815000
      Oops: 0011 [#1] PREEMPT SMP DEBUG_PAGEALLOC
      Modules linked in: sunrpc qeth_l3 binfmt_misc dm_multipath scsi_dh dm_mod ipv6 qeth ccwgroup [last unloaded: scsi_wait_scan]
      CPU: 1 Not tainted 2.6.35.5-45.x.20100924-s390xdefault #1
      Process fc_wq_0 (pid: 861, task: 00000000b7331240, ksp: 00000000b735bac0)
      Krnl PSW : 0704200180000000 00000000003ff6e4 (__scsi_remove_device+0x24/0xd0)
                 R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:2 PM:0 EA:3
      Krnl GPRS: 0000000000000001 0000000000000000 00000000b6815000 00000000bc24a8c0
                 00000000003ff7c8 000000000056dbb8 0000000000000002 0000000000835d80
                 ffffffff00000000 0000000000001000 00000000b6815000 00000000bc24a7f0
                 00000000b68151a0 00000000b6815000 00000000b735bc20 00000000b735bbf8
      Krnl Code: 00000000003ff6d6: a7840001            brc 8,3ff6d8
                 00000000003ff6da: a7fbffd8            aghi %r15,-40
                 00000000003ff6de: e3e0f0980024        stg %r14,152(%r15)
                >00000000003ff6e4: e31021200004        lg %r1,288(%r2)
                 00000000003ff6ea: a71f0000            cghi    %r1,0
                 00000000003ff6ee: a7a40011            brc 10,3ff710
                 00000000003ff6f2: a7390003            lghi    %r3,3
                 00000000003ff6f6: c0e5ffffc8b1        brasl %r14,3f8858
      Call Trace:
      ([<0000000000001000>] 0x1000)
       [<00000000003ff7d2>] scsi_remove_device+0x42/0x54
       [<00000000003ff8ba>] __scsi_remove_target+0xca/0xfc
       [<00000000003ff99a>] __remove_child+0x3a/0x48
       [<00000000003e3246>] device_for_each_child+0x72/0xbc
       [<00000000003ff93a>] scsi_remove_target+0x4e/0x74
       [<0000000000406586>] fc_rport_final_delete+0xb2/0x23c
       [<000000000015d080>] worker_thread+0x200/0x344
       [<000000000016330c>] kthread+0xa0/0xa8
       [<0000000000106c1a>] kernel_thread_starter+0x6/0xc
       [<0000000000106c14>] kernel_thread_starter+0x0/0xc
      INFO: lockdep is turned off.
      Last Breaking-Event-Address:
       [<00000000003ff7cc>] scsi_remove_device+0x3c/0x54
      
      The function __scsi_remove_target iterates through the SCSI devices on
      the host, but it drops the host_lock before calling
      scsi_remove_device. When the SCSI device is deleted from another
      thread, the pointer to the SCSI device in scsi_remove_device can
      become invalid. Fix this by getting a reference to the SCSI device
      before dropping the host_lock to keep the SCSI device alive for the
      call to scsi_remove_device.
      
      Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com>
      Signed-off-by: James Bottomley <James.Bottomley@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • gdth: integer overflow in ioctl · c47f5a57
      Dan Carpenter authored
      commit f63ae56e upstream.
      
      gdth_ioctl_alloc() takes the size variable as an int.
      copy_from_user() takes the size variable as an unsigned long.
      gen.data_len and gen.sense_len are unsigned longs.
      On x86_64 longs are 64 bit and ints are 32 bit.
      
      We could pass in a very large number and the allocation would truncate
      the size to 32 bits and allocate a small buffer.  Then when we do the
      copy_from_user(), it would result in a memory corruption.
      
      Signed-off-by: Dan Carpenter <error27@gmail.com>
      Signed-off-by: James Bottomley <James.Bottomley@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
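
The truncation described in the gdth commit message above, next to a length check made in the wide type before narrowing. This is an added example, not the upstream patch or gdth driver code; the helper names and the sample lengths are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What an allocator with an `int size` parameter effectively receives when
 * handed a 64-bit length: only the low 32 bits survive the narrowing. */
static uint32_t narrowed_size(uint64_t data_len, uint64_t sense_len)
{
    return (uint32_t)(data_len + sense_len);
}

/* Validate in the wide type first, then narrow. Returns 0 and the total in
 * *total, or -1 if the request cannot be represented as a positive int. */
static int checked_size(uint64_t data_len, uint64_t sense_len, int *total)
{
    if (data_len > INT_MAX || sense_len > INT_MAX - data_len)
        return -1;
    *total = (int)(data_len + sense_len);
    return 0;
}

/* Allocate and copy with one validated length used for both steps, so the
 * buffer size and the copy size can never disagree. Caller frees. */
static void *copy_request(const void *src, uint64_t data_len,
                          uint64_t sense_len, int *total)
{
    void *buf;

    if (checked_size(data_len, sense_len, total) != 0 || *total == 0)
        return NULL;
    buf = malloc((size_t)*total);
    if (buf != NULL)
        memcpy(buf, src, (size_t)*total);
    return buf;
}

int main(void)
{
    uint64_t huge = (1ULL << 32) + 64;   /* constructed oversized length */
    int total = 0;

    printf("requested %llu bytes, int allocator sees %u\n",
           (unsigned long long)huge, (unsigned)narrowed_size(huge, 0));
    printf("checked_size -> %d\n", checked_size(huge, 0, &total));
    return 0;
}
```
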
    • libsas: fix NCQ mixing with non-NCQ · 2415dee5
      David Milburn authored
      commit f0ad30d3 upstream.
      
      Some cards (like mvsas) have issue troubles if non-NCQ commands are
      mixed with NCQ ones.  Fix this by using the libata default NCQ check
      routine which waits until all NCQ commands are complete before issuing
      a non-NCQ one.  The impact to cards (like aic94xx) which don't need
      this logic should be minimal.
      
      Signed-off-by: James Bottomley <James.Bottomley@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • sched: Fix string comparison in /proc/sched_features · bfa24c0d
      Mathieu Desnoyers authored
      commit 7740191c upstream.
      
      Fix incorrect handling of the following case:
      
       INTERACTIVE
       INTERACTIVE_SOMETHING_ELSE
      
      The comparison only checks up to each element's length.
      
      Changelog since v1:
       - Embellish using some Rostedtisms.
        [ mingo:                 ^^ == smaller and cleaner ]
      
      Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Tony Lindgren <tony@atomide.com>
      LKML-Reference: <20100913214700.GB16118@Krystal>
      Signed-off-by: Ingo Molnar <mingo@elte.hu>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • pcmcia: synclink_cs: fix information leak to userland · 6dbb2b0e
      Vasiliy Kulikov authored
      commit 5b917a14 upstream.
      
      Structure new_line is copied to userland with some padding fields uninitialized.
      It leads to leaking of stack memory.
      
      Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
      Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
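
The padding leak described in the synclink_cs commit message above, reproduced in user space and shown beside the zero-before-fill form. This is an added example, not the upstream patch or driver code; `struct line_settings`, its field values and the 0xAA marker are constructed for illustration, and heap memory stands in for the stale stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA   /* marker standing in for old stack contents */

/* Hypothetical layout, constructed for this example: 10 bytes of fields,
 * which common ABIs pad to 12 so the struct stays 4-byte aligned. */
struct line_settings {
    uint32_t clock_rate;
    uint32_t clock_type;
    uint16_t loopback;
};
#define FIELD_BYTES (2 * sizeof(uint32_t) + sizeof(uint16_t))

/* Member-by-member fill: every field is set, the padding is not. */
static void fill_fields(struct line_settings *s)
{
    s->clock_rate = 9600;
    s->clock_type = 1;
    s->loopback = 0;
}

/* Builds the struct in dirty memory and counts the stale bytes present in
 * the image a copy_to_user(dst, s, sizeof(*s)) would hand to userland. */
static size_t leaked_bytes(int zero_first)
{
    struct line_settings *s = malloc(sizeof(*s));
    const unsigned char *img = (const unsigned char *)s;
    size_t i, n = 0;
    if (s == NULL)
        return (size_t)-1;
    memset(s, STALE, sizeof(*s));     /* simulate uninitialised storage */
    if (zero_first)
        memset(s, 0, sizeof(*s));     /* hardened: clears padding too */
    fill_fields(s);
    for (i = 0; i < sizeof(*s); i++)
        n += (img[i] == STALE);
    free(s);
    return n;
}

int main(void)
{
    printf("stale bytes copied out: fields only %zu, zeroed first %zu\n",
           leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```
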
  2. Oct 29, 2010
  3. Sep 20, 2010
  4. Aug 26, 2010