From 110712828365ccafcc61a7f4db44c31ed4cf8793 Mon Sep 17 00:00:00 2001 From: Borislav Petkov Date: Mon, 5 Jul 2010 21:23:52 -0700 Subject: ide-cd: Do not access completed requests in the irq handler ide_cd_error_cmd() can complete an erroneous request with leftover buffers. Signal this with its return value so that the request is not accessed after its completion in the irq handler and we oops. Cc: # 32.x 33.x 34.x Signed-off-by: Borislav Petkov Signed-off-by: David S. Miller --- drivers/ide/ide-cd.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c index 64207df8da8..2de76cc08f6 100644 --- a/drivers/ide/ide-cd.c +++ b/drivers/ide/ide-cd.c @@ -506,15 +506,22 @@ int ide_cd_queue_pc(ide_drive_t *drive, const unsigned char *cmd, return (flags & REQ_FAILED) ? -EIO : 0; } -static void ide_cd_error_cmd(ide_drive_t *drive, struct ide_cmd *cmd) +/* + * returns true if rq has been completed + */ +static bool ide_cd_error_cmd(ide_drive_t *drive, struct ide_cmd *cmd) { unsigned int nr_bytes = cmd->nbytes - cmd->nleft; if (cmd->tf_flags & IDE_TFLAG_WRITE) nr_bytes -= cmd->last_xfer_len; - if (nr_bytes > 0) + if (nr_bytes > 0) { ide_complete_rq(drive, 0, nr_bytes); + return true; + } + + return false; } static ide_startstop_t cdrom_newpc_intr(ide_drive_t *drive) @@ -679,7 +686,8 @@ out_end: } if (uptodate == 0 && rq->bio) - ide_cd_error_cmd(drive, cmd); + if (ide_cd_error_cmd(drive, cmd)) + return ide_stopped; /* make sure it's fully ended */ if (blk_fs_request(rq) == 0) { -- cgit v1.2.3-18-g5258 From 2a800b7bd926c739c07c1690579f03bbd6f1b5a3 Mon Sep 17 00:00:00 2001 From: Yann Dirson Date: Sun, 18 Jul 2010 16:11:06 -0700 Subject: via82cxxx: fix typo for VT6415 PCIE PATA IDE Host Controller support. Without this fix, init of the via82cxxx driver causes a oops with a stack resembling the one below, and the boot blocks between init of USB devices and launch of init (was easy to bisect by booting with init=/bin/sh). Pid: 279, comm: work_for_cpu Not tainted 2.6.34.1-00003-ga42ea77 #2 Call Trace: [] ? warn_slowpath_common+0x76/0x8c [] ? warn_slowpath_fmt+0x40/0x45 [] ? printk+0x40/0x47 [] ? enable_irq+0x3e/0x64 [] ? ide_probe_port+0x55c/0x589 [ide_core] [] ? ide_host_register+0x273/0x628 [ide_core] [] ? ide_pci_init_two+0x4da/0x5c5 [ide_core] [] ? up+0xe/0x36 [] ? release_console_sem+0x17e/0x1ae [] ? klist_iter_exit+0x14/0x1e [] ? bus_find_device+0x75/0x83 [] ? via_init_one+0x269/0x28a [via82cxxx] [] ? init_chipset_via82cxxx+0x0/0x1ea [via82cxxx] [] ? do_work_for_cpu+0x0/0x1b [] ? local_pci_probe+0x12/0x16 [] ? do_work_for_cpu+0xb/0x1b [] ? kthread+0x75/0x7d [] ? kernel_thread_helper+0x4/0x10 [] ? kthread+0x0/0x7d [] ? kernel_thread_helper+0x0/0x10 ---[ end trace 89c8cb70379b5bda ]--- The typo was introduced in a354ae8747d0687093ce244e76b15b6174d2f098, and affects 2.6.33-rc4 and later. Signed-off-by: Yann Dirson Signed-off-by: David S. Miller --- drivers/ide/via82cxxx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ide/via82cxxx.c b/drivers/ide/via82cxxx.c index 101f4002238..d2a0997b78f 100644 --- a/drivers/ide/via82cxxx.c +++ b/drivers/ide/via82cxxx.c @@ -79,7 +79,7 @@ static struct via_isa_bridge { { "vt8261", PCI_DEVICE_ID_VIA_8261, 0x00, 0x2f, ATA_UDMA6, VIA_BAD_AST }, { "vt8237s", PCI_DEVICE_ID_VIA_8237S, 0x00, 0x2f, ATA_UDMA6, VIA_BAD_AST }, { "vt6410", PCI_DEVICE_ID_VIA_6410, 0x00, 0x2f, ATA_UDMA6, VIA_BAD_AST }, - { "vt6415", PCI_DEVICE_ID_VIA_6410, 0x00, 0xff, ATA_UDMA6, VIA_BAD_AST }, + { "vt6415", PCI_DEVICE_ID_VIA_6415, 0x00, 0xff, ATA_UDMA6, VIA_BAD_AST }, { "vt8251", PCI_DEVICE_ID_VIA_8251, 0x00, 0x2f, ATA_UDMA6, VIA_BAD_AST }, { "vt8237", PCI_DEVICE_ID_VIA_8237, 0x00, 0x2f, ATA_UDMA6, VIA_BAD_AST }, { "vt8237a", PCI_DEVICE_ID_VIA_8237A, 0x00, 0x2f, ATA_UDMA6, VIA_BAD_AST }, -- cgit v1.2.3-18-g5258 From 7d543d8468348c44010c7b4e6fdd23a398779668 Mon Sep 17 00:00:00 2001 From: Julia Lawall Date: Fri, 4 Jun 2010 16:11:17 -0700 Subject: drivers/ide: Use memdup_user Use memdup_user when user data is immediately copied into the allocated region. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // @@ expression from,to,size,flag; position p; identifier l1,l2; @@ - to = \(kmalloc@p\|kzalloc@p\)(size,flag); + to = memdup_user(from,size); if ( - to==NULL + IS_ERR(to) || ...) { <+... when != goto l1; - -ENOMEM + PTR_ERR(to) ...+> } - if (copy_from_user(to, from, size) != 0) { - <+... when != goto l2; - -EFAULT - ...+> - } // Signed-off-by: Julia Lawall Signed-off-by: David S. Miller --- drivers/ide/ide-taskfile.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/drivers/ide/ide-taskfile.c b/drivers/ide/ide-taskfile.c index 67fb73559fd..34b9872f35d 100644 --- a/drivers/ide/ide-taskfile.c +++ b/drivers/ide/ide-taskfile.c @@ -480,13 +480,9 @@ int ide_taskfile_ioctl(ide_drive_t *drive, unsigned long arg) u16 nsect = 0; char __user *buf = (char __user *)arg; - req_task = kzalloc(tasksize, GFP_KERNEL); - if (req_task == NULL) - return -ENOMEM; - if (copy_from_user(req_task, buf, tasksize)) { - kfree(req_task); - return -EFAULT; - } + req_task = memdup_user(buf, tasksize); + if (IS_ERR(req_task)) + return PTR_ERR(req_task); taskout = req_task->out_size; taskin = req_task->in_size; -- cgit v1.2.3-18-g5258 From cd078af65d5c2f19c0f378062b07a0a79b000723 Mon Sep 17 00:00:00 2001 From: Atsushi Nemoto Date: Fri, 4 Jun 2010 16:19:23 -0700 Subject: tx493xide: use min_t() macro instead of min() This fixes a warning ("comparison of distinct pointer types lacks a cast") introduced by the commit 040f6b4f14adb2ca5babb84e9fb2ebc6661e0be2 ("tx493xide: use ->pio_mode value to determine pair device speed"). Signed-off-by: Atsushi Nemoto Signed-off-by: David S. Miller --- drivers/ide/tx4938ide.c | 2 +- drivers/ide/tx4939ide.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/ide/tx4938ide.c b/drivers/ide/tx4938ide.c index 1d80f1fdbc9..7002765b593 100644 --- a/drivers/ide/tx4938ide.c +++ b/drivers/ide/tx4938ide.c @@ -64,7 +64,7 @@ static void tx4938ide_set_pio_mode(ide_hwif_t *hwif, ide_drive_t *drive) pair = ide_get_pair_dev(drive); if (pair) - safe = min(safe, pair->pio_mode - XFER_PIO_0); + safe = min_t(u8, safe, pair->pio_mode - XFER_PIO_0); tx4938ide_tune_ebusc(pdata->ebus_ch, pdata->gbus_clock, safe); } diff --git a/drivers/ide/tx4939ide.c b/drivers/ide/tx4939ide.c index 3c736775187..bed3e39aac9 100644 --- a/drivers/ide/tx4939ide.c +++ b/drivers/ide/tx4939ide.c @@ -114,7 +114,7 @@ static void tx4939ide_set_pio_mode(ide_hwif_t *hwif, ide_drive_t *drive) pair = ide_get_pair_dev(drive); if (pair) - safe = min(safe, pair->pio_mode - XFER_PIO_0); + safe = min_t(u8, safe, pair->pio_mode - XFER_PIO_0); /* * Update Command Transfer Mode for master/slave and Data * Transfer Mode for this drive. -- cgit v1.2.3-18-g5258