Check that the result of kmalloc is not NULL before passing it to other
functions.
The semantic match that finds this problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)
// <smpl>
@@
expression *x;
identifier f;
constant char *C;
@@
x = \(kmalloc\|kcalloc\|kzalloc\)(...);
... when != x == NULL
when != x != NULL
when != (x || ...)
(
kfree(x)
f(...,C,...,x,...)
|
*f(...,x,...)
|
*x->f
)
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Richard Henderson <rth@twiddle.net>
Signed-off-by: Matt Turner <mattst88@gmail.com>
The kernel.h macro DIV_ROUND_CLOSEST performs the computation (x + d/2)/d
but is perhaps more readable.
The semantic patch that makes this change is as follows:
(http://www.emn.fr/x-info/coccinelle/)
// <smpl>
@haskernel@
@@
@depends on haskernel@
expression x,__divisor;
@@
- (((x) + ((__divisor) / 2)) / (__divisor))
+ DIV_ROUND_CLOSEST(x,__divisor)
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Richard Henderson <rth@twiddle.net>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Fix mutex function usage, which was overlooked in a previous patch.
Signed-off-by: Pete Eberlein <pete@sensoray.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
As pointed by Stefan Lippers-Hollmann <s.L-H@gmx.de>,
Commit: fd9a40da1d broke s2250
compilation.
This patch re-adds the missing s2250-loader.h
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Lennert Buytenhek noticed that delBA handling in mac80211
was broken and has remotely triggerable problems, some of
which are due to some code shuffling I did that ended up
changing the order in which things were done -- this was
commit d75636ef9c
Author: Johannes Berg <johannes@sipsolutions.net>
Date: Tue Feb 10 21:25:53 2009 +0100
mac80211: RX aggregation: clean up stop session
and other parts were already present in the original
commit d92684e660
Author: Ron Rindjunsky <ron.rindjunsky@intel.com>
Date: Mon Jan 28 14:07:22 2008 +0200
mac80211: A-MPDU Tx add delBA from recipient support
The first problem is that I moved a BUG_ON before various
checks -- thereby making it possible to hit. As the comment
indicates, the BUG_ON can be removed since the ampdu_action
callback must already exist when the state is != IDLE.
The second problem isn't easily exploitable but there's a
race condition due to unconditionally setting the state to
OPERATIONAL when a delBA frame is received, even when no
aggregation session was ever initiated. All the drivers
accept stopping the session even then, but that opens a
race window where crashes could happen before the driver
accepts it. Right now, a WARN_ON may happen with non-HT
drivers, while the race opens only for HT drivers.
For this case, there are two things necessary to fix it:
1) don't process spurious delBA frames, and be more careful
about the session state; don't drop the lock
2) HT drivers need to be prepared to handle a session stop
even before the session was really started -- this is
true for all drivers (that support aggregation) but
iwlwifi which can be fixed easily. The other HT drivers
(ath9k and ar9170) are behaving properly already.
Reported-by: Lennert Buytenhek <buytenh@marvell.com>
Cc: stable@kernel.org
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Lennert Buytenhek noticed a remotely triggerable problem
in mac80211, which is due to some code shuffling I did
that ended up changing the order in which things were
done -- this was in
commit d75636ef9c
Author: Johannes Berg <johannes@sipsolutions.net>
Date: Tue Feb 10 21:25:53 2009 +0100
mac80211: RX aggregation: clean up stop session
The problem is that the BUG_ON moved before the various
checks, and as such can be triggered.
As the comment indicates, the BUG_ON can be removed since
the ampdu_action callback must already exist when the
state is OPERATIONAL.
A similar code path leads to a WARN_ON in
ieee80211_stop_tx_ba_session, which can also be removed.
Cc: stable@kernel.org [2.6.29+]
Cc: Lennert Buytenhek <buytenh@marvell.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
We can have bzip2 compressed images nowadays.
Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
kernel unwinding is broken with gcc >= 4.x. Part of the problem is that
binutils seems very sensitive to where the unwind information is stored.
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Kyle McMartin <kyle@mcmartin.ca>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
pcm->r[1].slots is the double rate slot information, not the
capture information. For capture, 'pcm' will already be the
capture ac97 pcm structure.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Fixes kernel bugzilla #14691
Due to the way netpoll works, it is perfectly legal to see
NAPI already scheduled when new device events are pending
in b44_interrupt().
So logging a message about it is wrong and in fact harmful.
Based upon a patch by Andreas Mohr.
Signed-off-by: David S. Miller <davem@davemloft.net>
The other paths all drop chan->wsem. This was found by a static
checker (smatch).
Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
If we happen to have registered the driver without passing
a MAC address, we will print a zero MAC address and register
the interface with this invalid address, this is confusin. This
patch moves the checking of a valid ethernet address and the
generation of a random one down from the open function to
the probe function.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
Acked-by: Lennert Buytenhek <buytenh@wantstofly.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
smc91x.h defines SMC_IRQ_FLAGS to be -1 when it wants the interrupt
flags to be taken from the resource structure. However, d280ead
changed this to checking for non-zero resource flags.
Unfortunately, this means that on some platforms, we end up passing
'-1' to request_irq rather than the desired result. Combine the two
conditions into one so that the IRQ flags are taken from the resource
if either SMC_IRQ_FLAGS is -1 or the resource flags specify an
interrupt trigger.
This restores network on at least the Versatile platform.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Eric Miao <eric.y.miao@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch fixes a null pointer dereference BUG() if ethtool is used on
an smsc9420 interface while it is down, because the phy_dev is only
allocated while the interface is up.
Signed-off-by: Steve Glendinning <steve.glendinning@smsc.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The newer chipsets (all PCI-E) are known that they need full power cycle
(AC or battery removal) to reset MAC address to a hardwired one. Previous
patch to address this problem loads the original MAC address from EEPROM.
But it brought other problem for which it is necessary to introduce a new
module parameter.
However, it might suffice to restore the initial MAC address before
shutdown/reboot/kexec and when removing the module.
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
ipv4 ip_frag_reasm(), fully replace 'dev_net(dev)' with 'net', defined
previously patched into 2.6.29.
Between 2.6.28.10 and 2.6.29, net/ipv4/ip_fragment.c was patched,
changing from dev_net(dev) to container_of(...). Unfortunately the goto
section (out_fail) on oversized packets inside ip_frag_reasm() didn't
get touched up as well. Oversized IP packets cause a NULL pointer
dereference and immediate hang.
I discovered this running openvasd and my previous email on this is
titled: NULL pointer dereference at 2.6.32-rc8:net/ipv4/ip_fragment.c:566
Signed-off-by: David Ford <david@blue-labs.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
pci_alloc_consistent uses GFP_ATOMIC allocation that may fail on some systems
with limited memory (Bug #14265). pci_pool_alloc allows waiting with
GFP_KERNEL.
Tested-by: Karol Lewandowski <karol.k.lewandowski@gmail.com>
Signed-off-by: Roger Oksanen <roger.oksanen@cs.helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch (as1305) fixes a bug in the irq-enable settings and removes
some related overhead in the runtime PM code.
In __pm_runtime_resume(), within the scope of the original
spin_lock_irq(), we know that irqs are disabled. There's no
reason to go through a pair of enable/disable cycles when
acquiring and releasing the parent's lock.
In __pm_runtime_set_status(), irqs are already disabled when
the parent's lock is acquired, and they must remain disabled
when it is released.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
When retransmitting due to T3 timeout, retransmit all the
in-flight chunks for the corresponding transport/path, including
chunks sent less then 1 rto ago.
This is the correct behaviour according to rfc4960 section 6.3.3
E3 and
"Note: Any DATA chunks that were sent to the address for which the
T3-rtx timer expired but did not fit in one MTU (rule E3 above)
should be marked for retransmission and sent as soon as cwnd
allows (normally, when a SACK arrives). ".
This fixes problems when more then one path is present and the T3
retransmission of the first chunk that timeouts stops the T3 timer
for the initial active path, leaving all the other in-flight
chunks waiting forever or until a new chunk is transmitted on the
same path and timeouts (and this will happen only if the cwnd
allows sending new chunks, but since cwnd was dropped to MTU by
the timeout => it will wait until the first heartbeat).
Example: 10 packets in flight, sent at 0.1 s intervals on the
primary path. The primary path is down and the first packet
timeouts. The first packet is retransmitted on another path, the
T3 timer for the primary path is stopped and cwnd is set to MTU.
All the other 9 in-flight packets will not be retransmitted
(unless more new packets are sent on the primary path which depend
on cwnd allowing it, and even in this case the 9 packets will be
retransmitted only after a new packet timeouts which even in the
best case would be more then RTO).
This commit reverts d0ce92910b and
also removes the now unused transport->last_rto, introduced in
b6157d8e03.
p.s The problem is not only when multiple paths are there. It
can happen in a single homed environment. If the application
stops sending data, it possible to have a hung association.
Signed-off-by: Andrei Pelinescu-Onciul <andrei@iptel.org>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Most of the irq_req_t typedef'd struct can be re-worked quite
easily:
(1) IRQInfo2 was unused in any case, so drop it.
(2) IRQInfo1 was used write-only, so drop it.
(3) Instance (private data to be passed to the IRQ handler):
Most PCMCIA drivers using pcmcia_request_irq() to actually
register an IRQ handler set the "dev_id" to the same pointer
as the "priv" pointer in struct pcmcia_device. Modify the two
exceptions (ipwireless, ibmtr_cs) to also work this waym and
set the IRQ handler's "dev_id" to p_dev->priv unconditionally.
(4) Handler is to be of type irq_handler_t.
(5) Handler != NULL already tells whether an IRQ handler is present.
Therefore, we do not need the IRQ_HANDLER_PRESENT flag in
irq_req_t.Attributes.
CC: netdev@vger.kernel.org
CC: linux-bluetooth@vger.kernel.org
CC: linux-ide@vger.kernel.org
CC: linux-wireless@vger.kernel.org
CC: linux-scsi@vger.kernel.org
CC: alsa-devel@alsa-project.org
CC: Jaroslav Kysela <perex@perex.cz>
CC: Jiri Kosina <jkosina@suse.cz>
CC: Karsten Keil <isdn@linux-pingi.de>
for the Bluetooth parts: Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
pcmcia_request_window() only needs a pointer to struct pcmcia_device, not
a pointer to a pointer.
CC: netdev@vger.kernel.org
CC: linux-wireless@vger.kernel.org
CC: linux-scsi@vger.kernel.org
CC: Jiri Kosina <jkosina@suse.cz>
Acked-by: Karsten Keil <keil@b1-systems.de> (for ISDN)
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
pcmcia_get_window() and pcmcia_get_mem_page() were only called from
pcmcia_ioctl.c. Therefore, move these functions to that file, and
remove the useless EXPORTs.
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Logic changes based on top of the other patches:
This set of patches changed window_handle_t from being a pointer to an
unsigned long. The unsigned long is now a simple index into socket->win[].
Going from a pointer to unsigned long should leave the user space interface
unchanged unless I'm mistaken.
This change results in code that is less error prone and a user space
interface which is much cleaner and safer. A nice side effect is that we
are also are able to remove all members except one from window_t.
[ linux@dominikbrodowski.net:
Update to 2.6.31. Also, a plain "index" to socket->win[] does not
work, as several codepaths rely on "window_handle_t" being
non-zero if used. Therefore, set the window_handle_t to the
socket->win[] index + 1. ]
CC: netdev@vger.kernel.org
Signed-off-by: Magnus Damm <damm@opensource.se>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
No logic changes, just pass struct pcmcia_socket to pcmcia_get_mem_page()
[linux@dominikbrodowski.net: update to 2.6.31]
Signed-off-by: Magnus Damm <damm@opensource.se>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Edwin Török found the following:
In function ‘memset’,
inlined from ‘ir_input_init’ at drivers/media/common/ir-functions.c:67:
/home/edwin/builds/linux-2.6/arch/x86/include/asm/string_64.h:61:
warning: call to ‘__warn_memset_zero_len’ declared with attribute
warning: memset used with constant zero length parameter; this could be
due to transposed parameters
memset(ir->ir_codes, sizeof(ir->ir_codes), 0);
In actual practice the only caller I can find happens to already have cleared
the buffer before calling ir_input_init.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Trivial fix for this compile warning:
v4l/sh_mobile_ceu_camera.c:1789: warning: label 'exit_free_irq' defined but not used
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Address yet another regression introduced by the introduction of the zl10353
disable_i2c_gate field.
djh - I unmangled the patch which apparently got screwed up in the user's
email client.
Signed-off-by: Robert Lowery <rglowery@exemail.com.au>
Signed-off-by: Devin Heitmueller <dheitmueller@kernellabs.com>
CC: stable@kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
When building for Sun 3:
drivers/built-in.o: In function `smscore_unregister_device':
drivers/media/dvb/siano/smscoreapi.c:723: undefined reference to `dma_free_coherent'
drivers/built-in.o: In function `smscore_register_device':
drivers/media/dvb/siano/smscoreapi.c:365: undefined reference to `dma_alloc_coherent'
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
This patch fixes two issues:
a) Infinite loop in resume function
b) Writes to non-existing registers in resume function
Cc: stable@kernel.org
Signed-off-by: Anuj Aggarwal <anuj.aggarwal@ti.com>
Acked-by: Liam Girdwood <lrg@slimlogic.co.uk>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
The comment in fuse_open about O_DIRECT:
"VFS checks this, but only _after_ ->open()"
also holds for fuse_create, however, the same kind of check was missing there.
As an impact of this bug, open(newfile, O_RDWR|O_CREAT|O_DIRECT) fails, but a
stub newfile will remain if the fuse server handled the implied FUSE_CREATE
request appropriately.
Other impact: in the above situation ima_file_free() will complain to open/free
imbalance if CONFIG_IMA is set.
Signed-off-by: Csaba Henk <csaba@gluster.com>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Harshavardhana <harsha@gluster.com>
Cc: stable@kernel.org
The data that was stored in this table is now available in
dev->archdata.iommu. So this table is not longer necessary.
This patch removes the remaining uses of that variable and
removes it from the code.
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
This patch removes the ugly contruct where the
iommu->lock must be released while before calling the
reset_iommu_command_buffer function.
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
This patch cleans up the code to flush device table entries
in the IOMMU. With this chance the driver can get rid of the
iommu_queue_inv_dev_entry() function.
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
This patch adds a function to flush a DTE entry for a given
struct device and replaces iommu_queue_inv_dev_entry calls
with this function where appropriate.
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
This patch cleans up the attach_device and detach_device
paths and fixes reference counting while at it.
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
This patch introduces a list to each protection domain which
keeps all devices associated with the domain. This can be
used later to optimize certain functions and to completly
remove the amd_iommu_pd_table.
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
This patch adds a reference count to each device to count
how often the device was bound to that domain. This is
important for single devices that act as an alias for a
number of others. These devices must stay bound to their
domains until all devices that alias to it are unbound from
the same domain.
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
This patch changes IOMMU code to use dev->archdata->iommu to
store information about the alias device and the domain the
device is attached to.
This allows the driver to get rid of the amd_iommu_pd_table
in the future.
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
This patch makes device isolation mandatory and removes
support for the amd_iommu=share option. This simplifies the
code in several places.
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
This patch rearranges two dma_ops related functions so that
their forward declarations are not longer necessary.
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
This patch moves alloc_pte() and fetch_pte() into the page
table handling code section so that the forward declarations
for them could be removed.
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
The logic of these two functions is reimplemented (at least
in parts) in places in the code. This patch removes these
code duplications and uses the functions instead. As a side
effect it moves check_device() to the helper function code
section.
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>