Age | Commit message (Collapse) | Author |
|
for consistency with other Open Firmware interfaces (and Sparc).
This is just a straight replacement.
This leaves the compatibility define in place.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
These are all the remaining instances of get_property. Simple rename of
get_property to of_get_property.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc
* 'for-2.6.22' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc: (255 commits)
[POWERPC] Remove dev_dbg redefinition in drivers/ps3/vuart.c
[POWERPC] remove kernel module option for booke wdt
[POWERPC] Avoid putting cpu node twice
[POWERPC] Spinlock initializer cleanup
[POWERPC] ppc4xx_sgdma needs dma-mapping.h
[POWERPC] arch/powerpc/sysdev/timer.c build fix
[POWERPC] get_property cleanups
[POWERPC] Remove the unused HTDMSOUND driver
[POWERPC] cell: cbe_cpufreq cleanup and crash fix
[POWERPC] Declare enable_kernel_spe in a header
[POWERPC] Add dt_xlate_addr() to bootwrapper
[POWERPC] bootwrapper: CONFIG_ -> CONFIG_DEVICE_TREE
[POWERPC] Don't define a custom bd_t for Xilixn Virtex based boards.
[POWERPC] Add sane defaults for Xilinx EDK generated xparameters files
[POWERPC] Add uartlite boot console driver for the zImage wrapper
[POWERPC] Stop using ppc_sys for Xilinx Virtex boards
[POWERPC] New registration for common Xilinx Virtex ppc405 platform devices
[POWERPC] Merge common virtex header files
[POWERPC] Rework Kconfig dependancies for Xilinx Virtex ppc405 platform
[POWERPC] Clean up cpufreq Kconfig dependencies
...
|
|
|
|
Remove option of making booke_wdt into a kernel module. This watchdog
cannot be disabled. No point being a kernel module.
Signed-off-by: Dave Jiang <djiang@mvista.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6: (105 commits)
sonypi: use mutex instead of semaphore
sony-laptop: remove user visible camera controls as platform attributes
meye: make meye use sony-laptop instead of sonypi
sony-laptop: add a meye-usable include file for camera ops
sony-laptop: complete the motion eye camera support in sony-laptop
sonypi: try to detect if sony-laptop has already taken one of the known ioports
sonypi: suggest sonypi users to try sony-laptop instead
sony-laptop: add edge modem support (also called WWAN)
sony-laptop: add locking on accesses to the ioport and global vars
sony-laptop: add camera enable/disable parameter, better handle possible infinite loop
thinkpad-acpi: make drivers/misc/thinkpad_acpi:fan_mutex static
ACPI: thinkpad-acpi: add sysfs support to wan and bluetooth subdrivers
ACPI: thinkpad-acpi: add sysfs support to hotkey subdriver
ACPI: thinkpad-acpi: improve dock subdriver initialization
ACPI: thinkpad-acpi: improve debugging for acpi helpers
ACPI: thinkpad-acpi: improve fan control documentation
ACPI: thinkpad-acpi: map ENXIO to EINVAL for fan sysfs
ACPI: thinkpad-acpi: fix a fan watchdog invocation
ACPI: thinkpad-acpi: do not arm fan watchdog if it would not work
ACPI: thinkpad-acpi: add a fan-control feature master toggle
...
|
|
|
|
the Sony Programmable I/O Control driver uses a semaphore as
mutex. use the mutex API instead of the (binary) semaphore
Signed-off-by: Matthias Kaehlcke <matthias.kaehlcke@gmail.com>
Acked-by: Mattia Dongili <malattia@linux.it>
Signed-off-by: Len Brown <len.brown@intel.com>
|
|
Get the IO resources list in sony-laptop in the same order as listed
in sonypi and make sonypi check if one of those is already busy.
The sonypi check can be disabled by a module parameter in case the user
thinks we are plainly wrong (check_ioport=0).
Signed-off-by: Mattia Dongili <malattia@linux.it>
Signed-off-by: Len Brown <len.brown@intel.com>
|
|
Try to migrate sonypi users to sony-laptop gracefully.
Signed-off-by: Mattia Dongili <malattia@linux.it>
Signed-off-by: Len Brown <len.brown@intel.com>
|
|
This does drivers/machintosh and the hvc code.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
This reverts commit d05c7a80cf39ae7d0f8d0c3e47c93d51fcd393d3,
which included changes which should go via other subsystem
maintainers.
|
|
In order to get more randomness for secure_tcpv6_sequence_number(),
secure_tcp_sequence_number(), secure_dccp_sequence_number() functions,
we can use the high resolution time services, providing nanosec
resolution.
I've also done two kmalloc()/kzalloc() conversions.
Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
To clearly state the intent of copying from linear sk_buffs, _offset being a
overly long variant but interesting for the sake of saving some bytes.
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
|
|
This patch removes the following not or no longer used exports:
- drivers/char/random.c: secure_tcp_sequence_number
- net/dccp/options.c: sysctl_dccp_feat_sequence_window
- net/netlink/af_netlink.c: netlink_set_err
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
There was schedule() missing in the TIOCMIWAIT ioctl. Solve it by moving
the code to the wait_event_interruptible.
Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Cc: Jan Yenya Kasprzak <kas@fi.muni.cz>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
There was schedule() missing in the TIOCMIWAIT ioctl. Solve it by moving
the code to the wait_event_interruptible.
Cc: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Signed-off-by: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
Acked-by: Jiri Slaby <jirislaby@gmail.com>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Replaced by of_find_node_by_path.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
Fix a handful of comment typos for hvc_console.
Signed-off-by: Will Schmidt <will_schmidt@vnet.ibm.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
Add a back-off mechanism to hvc_console's polling logic. This change
drops the timers/second ratio from ~90 to ~1/2 while the console is
idle.
This change is most noticeable when watching /proc/timer_stats output.
This only affects when the hvc_console is running in poll mode, i.e.
power4 and cell systems.
I've tested on Power4, Michael Ellerman has both contributed to the
patch and tested on cell.
Signed-off-by: Will Schmidt <will_schmidt@vnet.ibm.com>
Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
Acked-by: Linas Vepstas <linas@austin.ibm.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
While digging through my MAP_FIXED changes, I found that rather obvious
bug in /dev/mem mmap implementation for nommu archs. get_unmapped_area()
is expected to return an address, not a pfn.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Acked-By: David Howells <dhowells@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
This is more consistent and gets us closer to the Sparc code.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
This is more consistent and gets us closer to the Sparc code.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
master.kernel.org:/pub/scm/linux/kernel/git/davej/agpgart
* 'for-2.6.21' of master.kernel.org:/pub/scm/linux/kernel/git/davej/agpgart:
[AGPGART] intel_agp: fix G965 GTT size detect
|
|
On G965, I810_PGETBL_CTL is a mmio offset, but we wrongly take it
as pci config space offset in detecting GTT size. This one line patch
fixs this.
Signed-off-by: Wang Zhenyu <zhenyu.z.wang@intel.com>
Signed-off-by: Dave Jones <davej@redhat.com>
|
|
master.kernel.org:/pub/scm/linux/kernel/git/davej/agpgart
* 'for-2.6.21' of master.kernel.org:/pub/scm/linux/kernel/git/davej/agpgart:
[AGPGART] intel_agp: PCI id update for Intel 965GM
|
|
Update PCI id info for Intel 965GM chipset.
Signed-off-by: Wang Zhenyu <zhenyu.z.wang@intel.com>
Signed-off-by: Dave Jones <davej@redhat.com>
|
|
On a multiprocessor machine the VT_WAITACTIVE ioctl call may return 0 if
fg_console has already been updated in redraw_screen() but the console
switch itself hasn't been completed. Fix this by checking fg_console in
vt_waitactive() with the console sem held.
Signed-off-by: Michal Januszewski <spock@gentoo.org>
Acked-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
* master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6:
[VIDEO]: Fix section mismatch in cg3.c
[SPARC]: sparc64 gcc-4.2.0 20070317 -Werror failure
[VIDEO] ffb: Fix two DAC handling bugs.
[SPARC32]: Fix SMP build regression
[DRM]: Delete sparc64 FFB driver code that never gets built.
|
|
Commit d720bc4b8fc5d6d179ef094908d4fbb5e436ffad partially removed a
private implementation of baud speed decoding. However it doesn't seem
to be complete: after the speed is decoded, it is still being used as an
index to a local speed table (array overrun, no doubt).
This was found by Graham Murray who noticed it caused a 2.6.19 regression
with the SX driver: https://bugs.gentoo.org/170554
Signed-off-by: Daniel Drake <dsd@gentoo.org>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Russell King <rmk@arm.linux.org.uk>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
The Kconfig bits were removed long ago, so we should kill off the
driver too.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
These leaks were reported by: Catalin Marinas <catalin.marians@gmail.com>
and I have been able to very by inspection they are possible.
When converting tty_io.c to store pids as struct pid pointers instead
of pid_t values it appears I overlooked two places where we stop using
the pid value. The very obvious one is in do_tty_hangup, and the one
the less obvious one in __proc_set_tty.
When looking into the code __proc_set_tty only has pids that need to
be put because of failures of other parts of the code to properly
perform hangup processing. Fixing the leak here in __proc_set_tty
is easy and obviously correct so I am doing that first.
Fixing the places that should be performing hangup processing is much
less obviously correct. So those I'm aiming those patches at -mm.
for now, so the can age a while before they are merged.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
drivers/char/watchdog/machzwd.c: In function 'zf_ioctl':
drivers/char/watchdog/machzwd.c:327: warning: passing argument 1 of 'zf_ping' makes integer from pointer without a cast
Also some coding-style repairs.
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Al Viro <viro@ftp.linux.org.uk>
Acked-by: Wim Van Sebroeck <wim@iguana.be>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus:
[MIPS] Kconfig: Move missplaced NR_CPUS default from SMTC to VSMP.
[MIPS] Lockdep: Fix recursion bug.
[MIPS] RTLX: Handle copy_*_user return values.
[MIPS] RTLX: Protect rtlx_{read,write} with mutex.
[MIPS] RTLX: Harden against compiler reordering and optimization.
[MIPS] RTLX: Don't use volatile; it's fragile.
[MIPS] Lasat: Downgrade 64-bit kernel from experimental to broken.
[MIPS] Compat: Fix build if CONFIG_SYSVIPC is disabled.
[CHAR] lcd: Fix two warnings.
[MIPS] FPU ownership management & preemption fixes
[MIPS] Check FCSR for pending interrupts, alternative version
[MIPS] IP27, IP35: Fix warnings.
|
|
Initialise the SAK member of the vc_cons variable on all virtual terminals,
not only the first one. This prevents an oops when trying Sysrq-C on e.g.
the second virtual terminal:
kernel BUG at kernel/workqueue.c:212!
invalid opcode: 0000 [1] SMP
CPU 0
Modules linked in: i915 drm deflate zlib_deflate twofish twofish_common serpent blowfish des ce
Pid: 0, comm: swapper Not tainted 2.6.21-rc3-default #15
RIP: 0010:[<ffffffff8028c955>] [<ffffffff8028c955>] queue_work+0x32/0x51
RSP: 0018:ffffffff805fada8 EFLAGS: 00010013
RAX: ffffffff80683f38 RBX: ffffffff804ae700 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff80683f30 RDI: ffff81000134a840
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000002
R10: ffffffff805990e0 R11: ffff810037f4c0f0 R12: 000000000000006b
R13: ffff81007aa23000 R14: 0000000000000001 R15: 0000000000000096
FS: 0000000000000000(0000) GS:ffffffff804d8000(0000) knlGS:0000000000000000
CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 00002b72026e9000 CR3: 0000000079175000 CR4: 00000000000006e0
Process swapper (pid: 0, threadinfo ffffffff8059e000, task ffffffff80490840)
Stack: 0000000000000096 ffffffff803635db ffffffff805fadf8 0000000000000001
ffff8100013c2e40 0000000000000025 ffff81007c931c00 ffff81007aa23000
0000000000000001 ffffffff8035e3ee 0000000000000092 ffff810037cc8000
Call Trace:
<IRQ> [<ffffffff803635db>] __handle_sysrq+0x98/0x129
[<ffffffff8035e3ee>] kbd_event+0x32e/0x56a
[<ffffffff8037d502>] input_event+0x422/0x44a
[<ffffffff80381d71>] atkbd_interrupt+0x449/0x503
[<ffffffff8037a42d>] serio_interrupt+0x37/0x6f
[<ffffffff8037affb>] i8042_interrupt+0x1f4/0x20a
[<ffffffff8026bd20>] smp_send_timer_broadcast_ipi+0x2d/0x4e
[<ffffffff8020eee5>] handle_IRQ_event+0x25/0x53
[<ffffffff802a924c>] handle_edge_irq+0xe4/0x128
[<ffffffff802562ac>] call_softirq+0x1c/0x28
[<ffffffff802632eb>] do_IRQ+0x6c/0xd3
[<ffffffff8024f4e7>] mwait_idle+0x0/0x45
[<ffffffff80255631>] ret_from_intr+0x0/0xa
<EOI> [<ffffffff80248a4d>] datagram_poll+0x0/0xc8
[<ffffffff8024f529>] mwait_idle+0x42/0x45
[<ffffffff80242c05>] cpu_idle+0x8b/0xae
[<ffffffff805a8779>] start_kernel+0x2b9/0x2c5
[<ffffffff805a815e>] _sinittext+0x15e/0x162
Code: 0f 0b eb fe 48 8b 07 48 63 d2 48 f7 d0 48 8b 3c d0 e8 13 ff
RIP [<ffffffff8028c955>] queue_work+0x32/0x51
RSP <ffffffff805fada8>
Kernel panic - not syncing: Aiee, killing interrupt handler!
Signed-off-by: Bernhard Walle <bwalle@suse.de>
Acked-by: Eric Biederman <ebiederm@xmission.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
When the console is in VT_AUTO+KD_GRAPHICS mode, switching to the
SUSPEND_CONSOLE fails, resulting in vt_waitactive() waiting indefinitely or
until the task is interrupted. This patch tests if a console switch can
occur in set_console() and returns early if a console switch is not
possible.
[akpm@linux-foundation.org: cleanup]
Signed-off-by: Andrew Johnson <ajohnson@intrinsyc.com>
Acked-by: Pavel Machek <pavel@ucw.cz>
Cc: "Antonino A. Daplas" <adaplas@pol.net>
Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
In file included from drivers/char/lcd.c:23:
include/linux/mc146818rtc.h:104:1: warning: "RTC_IO_EXTENT" redefined
drivers/char/lcd.c:15:1: warning: this is the location of the previous definition
drivers/char/lcd.c:35: warning: 'lcd_lock' defined but not used
c316eb1eee2c803c33b1f826fe744c922d2e354f deleted the last code using
lcd_lock, so delete definition of lcd_lock.
The definition of RTC_IO_EXTENT is unused and probably always was only
debree copied from drivers/char/rtc.c.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
|
|
* master.kernel.org:/pub/scm/linux/kernel/git/wim/linux-2.6-watchdog:
[WATCHDOG] i8xx TCO driver - mark for removal
|
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Mark the i8xx TCO driver for removal.
Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
|
|
o Fix use of uninitialized variable sec.
o Make the RTC_ALM_SET ioctl return -EINVAL for non-zero seconds - the
DS1286 has no second field for the alarm time.
o Replace the obscure BIN_TO_BCD macro with BIN2BCD.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
|
|
The tlclk driver is going on the MPCBL005 so I need to make the Kconfig
more more generic. Just some text changes.
Signed-off-by: Mark Gross <mark.gross@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Based on a patch from Don Howard <dhoward@redhat.com>
When calling write() with a buffer larger than 512 bytes, the
driver's write buffer overflows, allowing to overwrite the EIP and
execute arbitrary code with kernel privileges.
In read(), there exists a similar problem, but coming from the device.
A malicous or buggy device sending more than 512 bytes can overflow
of the driver's read buffer, with the same effects as above.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Harald Welte <laforge@gnumonks.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
"drivers/char/epca.c:2741: warning: 'get_termio' defined but not used"
Signed-off-by: Michal Piotrowski <michal.k.k.piotrowski@gmail.com>
Acked-by: Alan Cox <alan@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
ipmi_si_intf tries to access default ports, if no device could be found
elsewhere. On PPC we have a function to check, if these legacy IO ports
are accessible. This patch adds a check for these ports on PPC. This
patch fixes a breakage of IPMI module on PPC machines without a BMC.
Signed-off-by: Christian Krafft <krafft@de.ibm.com>
Acked-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Corey Minyard <minyard@acm.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
In http://bugzilla.kernel.org/show_bug.cgi?id=8065, Shen points out that the
cyclades driver forget to return closing_wait to userspace.
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Russell King <rmk@arm.linux.org.uk>
Cc: Shen <shanlu@cs.uiuc.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
This patch fixes a possible race that leads to double freeing an idr index.
When the master begin to close, release_dev() is called and then
pty_close() is called:
if (tty->driver->close)
tty->driver->close(tty, filp);
This is done without helding any locks other than BKL. Inside pty_close(),
being a master close, the devpts entry will be removed:
#ifdef CONFIG_UNIX98_PTYS
if (tty->driver == ptm_driver)
devpts_pty_kill(tty->index);
#endif
But devpts_pty_kill() will call get_node() that may sleep while waiting for
&devpts_root->d_inode->i_sem. When this happens and the slave is being
opened, tty_open() just found the driver and index:
driver = get_tty_driver(device, &index);
if (!driver) {
mutex_unlock(&tty_mutex);
return -ENODEV;
}
This part of the code is already protected under tty_mute. The problem is
that the slave close already got an index. Then init_dev() is called and
blocks waiting for the same &devpts_root->d_inode->i_sem.
When the master close resumes, it removes the devpts entry, and the
relation between idr index and the tty is gone. The master then sleeps
waiting for the tty_mutex on release_dev().
Slave open resumes and found no tty for that index. As result, a NULL tty
is returned and init_dev() doesn't flow to fast_track:
/* check whether we're reopening an existing tty */
if (driver->flags & TTY_DRIVER_DEVPTS_MEM) {
tty = devpts_get_tty(idx);
if (tty && driver->subtype == PTY_TYPE_MASTER)
tty = tty->link;
} else {
tty = driver->ttys[idx];
}
if (tty) goto fast_track;
The result of this, is that a new tty will be created and init_dev() returns
sucessfull. After returning, tty_mutex is dropped and master close may resume.
Master close finds it's the only use and both sides are closing, then releases
the tty and the index. At this point, the idr index is free, but slave still
has it.
Slave open then calls pty_open() and finds that tty->link->count is 0,
because there's no master and returns error. Then tty_open() calls
release_dev() which executes without any warning, as it was a case of last
slave close when the master is already closed (master->count == 0,
slave->count == 1). The tty is then released with the already released idr
index.
This normally would only issue a warning on idr_remove() but in case of a
customer's critical application, it's never too simple:
thread1: opens master, gets index X
thread1: begin closing master
thread2: begin opening slave with index X
thread1: finishes closing master, index X released
thread3: opens master, gets index X, just released
thread2: fails opening slave, releases index X <----
thread4: opens master, gets index X, init_dev() then find an already in use
and healthy tty and fails
If no more indexes are released, ptmx_open() will keep failing, as the
first free index available is X, and it will make init_dev() fail because
you're trying to "reopen a master" which isn't valid.
The patch notices when this race happens and make init_dev() fail
imediately. The init_dev() function is called with tty_mutex held, so it's
safe to continue with tty till the end of function because release_dev()
won't make any further changes without grabbing the tty_mutex.
Without the patch, on some machines it's possible get easily idr warnings
like this one:
idr_remove called for id=15 which is not allocated.
[<c02555b9>] idr_remove+0x139/0x170
[<c02a1b62>] release_mem+0x182/0x230
[<c02a28e7>] release_dev+0x4b7/0x700
[<c02a0ea7>] tty_ldisc_enable+0x27/0x30
[<c02a1e64>] init_dev+0x254/0x580
[<c02a0d64>] check_tty_count+0x14/0xb0
[<c02a4f05>] tty_open+0x1c5/0x340
[<c02a4d40>] tty_open+0x0/0x340
[<c017388f>] chrdev_open+0xaf/0x180
[<c017c2ac>] open_namei+0x8c/0x760
[<c01737e0>] chrdev_open+0x0/0x180
[<c0167bc9>] __dentry_open+0xc9/0x210
[<c0167e2c>] do_filp_open+0x5c/0x70
[<c0167a91>] get_unused_fd+0x61/0xd0
[<c0167e93>] do_sys_open+0x53/0x100
[<c0167f97>] sys_open+0x27/0x30
[<c010303b>] syscall_call+0x7/0xb
using this test application available on:
http://www.ruivo.org/~aris/pty_sodomizer.c
Signed-off-by: Aristeu Sergio Rozanski Filho <aris@ruivo.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|