[PATCH] setting ACLs on readonly mounted NFS filesystems (CVE-2005-3623)
We must check for MAY_SATTR before setting acls, which includes
checking for read-only exports: the lower-level setxattr operation
that eventually sets the acl cannot check export-level restrictions.
Bug reported by Martin Walter <mawa@uni-freiburg.de>.
Signed-off-by: Andreas Gruenbacher <agruen@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stefan Richter [Wed, 14 Dec 2005 22:34:11 +0000 (23:34 +0100)]
[PATCH] SCSI: fix transfer direction in scsi_lib and st
SCSI: fix transfer direction in scsi_lib and st
scsi_prep_fn and st_init_command could issue WRITE requests with zero
buffer length. This may lead to kernel panic or oops with some SCSI
low-level drivers.
Derived from -rc patches from Jens Axboe and James Bottomley.
Patch is reassembled for -stable from patches:
[SCSI] fix panic when ejecting ieee1394 ipod
[SCSI] Consolidate REQ_BLOCK_PC handling path (fix ipod panic)
Depends on patch "SCSI: fix transfer direction in sd (kernel panic when
ejecting iPod)". Also modifies the already correct sr_init_command to
fully match the corresponding -rc patch.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stefan Richter [Wed, 14 Dec 2005 22:32:33 +0000 (23:32 +0100)]
[PATCH] SCSI: fix transfer direction in sd (kernel panic when ejecting iPod)
SCSI: fix transfer direction in sd (kernel panic when ejecting iPod)
sd_init_command could issue WRITE requests with zero buffer length.
This may lead to kernel panic or oops with some SCSI low-level drivers.
Seen with the command "eject /dev/sdX" when disconnecting an iPod:
http://marc.theaimsgroup.com/?l=linux1394-devel&m=113399994920181
http://marc.theaimsgroup.com/?l=linux1394-user&m=112152701817435
Derived from -rc patches from Jens Axboe and James Bottomley.
Patch is reassembled for -stable from patches:
[SCSI] fix panic when ejecting ieee1394 ipod
[SCSI] Consolidate REQ_BLOCK_PC handling path (fix ipod panic)
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jason Wessel [Tue, 20 Dec 2005 22:41:02 +0000 (23:41 +0100)]
[PATCH] kernel/params.c: fix sysfs access with CONFIG_MODULES=n
All the work was done to setup the file and maintain the file handles but
the access functions were zeroed out due to the #ifdef. Removing the
#ifdef allows full access to all the parameters when CONFIG_MODULES=n.
akpm: put it back again, but use CONFIG_SYSFS instead.
This patch has already been included in Linus' tree.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
David S. Miller [Tue, 20 Dec 2005 01:03:02 +0000 (17:03 -0800)]
[PATCH] Perform SA switchover immediately.
When we insert a new xfrm_state which potentially
subsumes an existing one, make sure all cached
bundles are flushed so that the new SA is used
immediately.
Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The route expiration time is stored in rt6i_expires in jiffies.
The argument of rt6_route_add() for adding a route is not the
expiration time in jiffies nor in clock_t, but the lifetime
(or time left before expiration) in clock_t.
Because of the confusion, we sometimes saw several strange errors
(FAILs) in TAHI IPv6 Ready Logo Phase-2 Self Test.
The symptoms were analyzed by Mitsuru Chinen <CHINEN@jp.ibm.com>.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Bart De Schuymer [Tue, 20 Dec 2005 01:00:13 +0000 (17:00 -0800)]
[PATCH] Fix bridge-nf ipv6 length check
A typo caused some bridged IPv6 packets to get dropped randomly,
as reported by Sebastien Chaumontet. The patch below fixes this
(using skb->nh.raw instead of raw) and also makes the jumbo packet
length checking up-to-date with the code in
net/ipv6/exthdrs.c::ipv6_hop_jumbo.
Signed-off-by: Bart De Schuymer <bdschuym@pandora.be> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Kristian Slavov [Tue, 20 Dec 2005 00:59:18 +0000 (16:59 -0800)]
[PATCH] Fix RTNLGRP definitions in rtnetlink.h
I reported a problem and gave hints to the solution, but nobody seemed
to react. So I prepared a patch against 2.6.14.4.
Tested on 2.6.14.4 with "ip monitor addr" and with the program
attached, while adding and removing IPv6 address. Both programs didn't
receive any messages. Tested 2.6.14.4 + this patch, and both programs
received add and remove messages.
Signed-off-by: Kristian Slavov <kristian.slavov@nomadiclab.com> Acked-by: Jamal Hadi salim <hadi@cyberus.ca> ACKed-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Patrick McHardy [Tue, 20 Dec 2005 00:58:12 +0000 (16:58 -0800)]
[PATCH] Fix incorrect dependency for IP6_NF_TARGET_NFQUEUE
IP6_NF_TARGET_NFQUEUE depends on IP6_NF_IPTABLES, not IP_NF_IPTABLES.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Patrick McHardy [Tue, 20 Dec 2005 00:57:21 +0000 (16:57 -0800)]
[PATCH] Fix NAT init order
As noticed by Phil Oester, the GRE NAT protocol helper is initialized
before the NAT core, which makes registration fail.
Change the linking order to make NAT be initialized first.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Receiving VLAN packets over a device (without VLAN assist) that is
doing hardware checksumming (CHECKSUM_HW), causes errors because the
VLAN code forgets to adjust the hardware checksum.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Herbert Xu [Wed, 14 Dec 2005 21:02:35 +0000 (13:02 -0800)]
[PATCH] Fix hardware checksum modification
The skb_postpull_rcsum introduced a bug to the checksum modification.
Although the length pulled is offset bytes, the origin of the pulling
is the GRE header, not the IP header.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Salyzyn, Mark [Sun, 18 Dec 2005 03:26:30 +0000 (19:26 -0800)]
[PATCH] dpt_i2o fix for deadlock condition
Miquel van Smoorenburg <miquels@cistron.nl> forwarded me this fix to
resolve a deadlock condition that occurs due to the API change in 2.6.13+
kernels dropping the host locking when entering the error handling. They
all end up calling adpt_i2o_post_wait(), which if you call it unlocked,
might return with host_lock locked anyway and that causes a deadlock.
Signed-off-by: Mark Salyzyn <aacraid@adaptec.com> Cc: James Bottomley <James.Bottomley@steeleye.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Chris Wright <chrisw@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Patrick McHardy [Tue, 13 Dec 2005 11:26:07 +0000 (12:26 +0100)]
[PATCH] Fix unbalanced read_unlock_bh in ctnetlink
NFA_NEST calls NFA_PUT which jumps to nfattr_failure if the skb has no
room left. We call read_unlock_bh at nfattr_failure for the NFA_PUT
inside the locked section, so move NFA_NEST inside the locked section
too.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jens Axboe [Fri, 18 Nov 2005 22:02:54 +0000 (14:02 -0800)]
[PATCH] cciss: bug fix for BIG_PASS_THRU
Applications using CCISS_BIG_PASSTHRU complained that the data written
was zeros. The problem is that the buffer is being cleared after the
user copy, unless the user copy has failed... Correct that logic.
Signed-off-by: Mike Miller <mike.miller@hp.com> Signed-off-by: Jens Axboe <axboe@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch fixes a bug that breaks hpacucli, a command line interface
for the HP Array Config Utility. Without this fix the utility will
not detect any controllers in the system. I thought I had already fixed
this, but I guess not.
Thanks to all who reported the issue. Please consider this this inclusion.
Signed-off-by: Mike Miller <mikem@beardog.cca.cpqcorp.net> Signed-off-by: Jens Axboe <axboe@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ondrej Zary [Thu, 10 Nov 2005 05:02:07 +0000 (21:02 -0800)]
[PATCH] ide-floppy: software eject not working with LS-120 drive
The problem (eject not working on ATAPI LS-120 drive) is caused by
idefloppy_ioctl() function which *first* tries generic_ide_ioctl()
and *only* if it fails with -EINVAL, proceeds with the specific ioctls.
The generic eject command fails with something other than -EINVAL
and the specific one is never executed.
This patch fixes it by first going through the internal ioctls
and only trying generic_ide_ioctl() if none of them matches.
Jeff Garzik [Mon, 31 Oct 2005 17:05:36 +0000 (09:05 -0800)]
[PATCH] libata: locking rewrite (== fix)
[libata] locking rewrite (== fix)
A lot of power packed into a little patch.
This change eliminates the sharing between our controller-wide spinlock
and the SCSI core's Scsi_Host lock. As the locking in libata was
already highly compartmentalized, always referencing our own lock, and
never scsi_host::host_lock.
As a side effect, this change eliminates a deadlock from calling
scsi_finish_command() while inside our spinlock.
Olaf Rempel [Thu, 24 Nov 2005 08:00:03 +0000 (00:00 -0800)]
[PATCH] BRIDGE: recompute features when adding a new device
[BRIDGE]: recompute features when adding a new device
We must recompute bridge features everytime the list of underlying
devices changes, or we might end up with features that are not supported
by all devices (eg. NETIF_F_TSO)
This patch adds the missing recompute when adding a device to the bridge.
Signed-off-by: Olaf Rempel <razzor@kopf-tisch.de> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jay Vosburgh [Wed, 9 Nov 2005 18:02:38 +0000 (10:02 -0800)]
[PATCH] bonding: fix feature consolidation
This should resolve http://bugzilla.kernel.org/show_bug.cgi?id=5519
The current feature computation loses bits that it doesn't know about,
resulting in an inability to add VLANs and possibly other havoc.
Rewrote function to preserve bits it doesn't know about, remove an
unneeded state variable, and simplify the code.
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Igor Popik [Wed, 7 Dec 2005 07:46:33 +0000 (08:46 +0100)]
[PATCH] i82365: release all resources if no devices are found
The i82365 driver does not release all the resources when the device is not
found. This can cause an oops when reading /proc/ioports after module
unload (e.g. bug #5657).
[PATCH] ALSA: nm256: reset workaround for Latitude CSx
Modules: NM256 driver
The current snd-nm256 driver can cause Dell Latitude CSx laptops to
lock-up during module (un)load. I have isolated this to the writes to
the control port register at offset 0x6cc which were not already
protected by the existing reset_workaround.
I tried grouping these writes with the existing reset_workaround
clause, but that caused the driver to have (un)load problems on the
Dell Latitude LS laptops. So, I have implemented a reset_workaround_2
clause (please feel free to suggest a better name!) to cover this
situation and added a quirk entry for the CSx laptops.
Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Michael Krufky [Fri, 9 Dec 2005 06:03:32 +0000 (01:03 -0500)]
[PATCH] V4L/DVB: Fix analog NTSC for Thomson DTT 761X hybrid tuner
- Enable tda9887 on the following cx88 boards:
pcHDTV 3000
FusionHDTV3 Gold-T
- This ensures that analog NTSC video will function properly, without
this patch, the tuner may appear to be broken.
Signed-off-by: Thomas Renninger <trenn@suse.de> Cc: Rajesh Shah <rajesh.shah@intel.com> Signed-off-by: Len Brown <len.brown@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Gentoo users with kernels with selinux compiled in, and coreutils compiled
with acl support, noticed that they could not copy files on tmpfs using
'cp'.
cp (compiled with acl support) copies the file, lists the extended
attributes on the old file, copies them all to the new file, and then
exits. However the listxattr() calls were failing with this odd behaviour:
llistxattr("a.out", (nil), 0) = 17
llistxattr("a.out", 0x7fffff8c6cb0, 17) = -1 ERANGE (Numerical result out of
range)
I believe this is a simple problem in the logic used to check the buffer
sizes; if the user sends a buffer the exact size of the data, then its ok
:)
This change solves the problem.
More info can be found at http://bugs.gentoo.org/113138
Signed-off-by: Daniel Drake <dsd@gentoo.org> Acked-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Thomas Graf [Thu, 1 Dec 2005 22:05:12 +0000 (23:05 +0100)]
[PATCH] NETLINK: Fix processing of fib_lookup netlink messages
The receive path for fib_lookup netlink messages is lacking sanity
checks for header and payload and is thus vulnerable to malformed
netlink messages causing illegal memory references.
Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
David Gibson [Wed, 30 Nov 2005 03:46:37 +0000 (19:46 -0800)]
[PATCH] Fix crash when ptrace poking hugepage areas
set_page_dirty() will not cope with being handed a page * which is part of
a compound page, but not the master page in that compound page. This case
can occur via access_process_vm() if you attemp to write to another
process's hugepage memory area using ptrace() (causing an oops or hang).
This patch fixes the bug by only calling set_page_dirty() from
access_process_vm() if the page is not a compound page. We already use a
similar fix in bio_set_pages_dirty() for the case of direct io to
hugepages.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Acked-by: William Irwin <wli@holomorphy.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jean Delvare [Mon, 21 Nov 2005 18:22:16 +0000 (19:22 +0100)]
[PATCH] hwmon: Fix missing it87 fan div init
Fix a bug where setting the low fan speed limits will not work if no
data was ever read through the sysfs interface and the fan clock
dividers have not been explicitely set yet either. The reason is that
data->fan_div[nr] may currently be used before it is initialized from
the chip register values. The fix is to explicitely initialize
data->fan_div[nr] before using it.
Bug reported, and fix tested, by Nicolas Mailhot.
Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@osdl.org>
Jean Delvare [Mon, 14 Nov 2005 22:11:45 +0000 (23:11 +0100)]
[PATCH] hwmon: Fix lm78 VID conversion
Fix the lm78 VID reading, which I accidentally broke while making
this driver use the common vid_from_reg function rather than
reimplementing its own in 2.6.14-rc1.
I'm not proud of it, trust me.
Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@osdl.org>
Andi Kleen [Sun, 30 Oct 2005 06:49:38 +0000 (01:49 -0500)]
[PATCH] x86_64/i386: Compute correct MTRR mask on early Noconas
Force correct address space size for MTRR on some 64bit Intel Xeons
They report 40bit, but only have 36bits of physical address space.
This caused problems with setting up the correct masks for MTRR,
resulting in incorrect MTRRs.
CPUID workaround for steppings 0F33h(supporting x86) and 0F34h(supporting x86
and EM64T). Detail info can be found at:
http://download.intel.com/design/Xeon/specupdt/30240216.pdf
http://download.intel.com/design/Pentium4/specupdt/30235221.pdf
Harald Welte [Tue, 15 Nov 2005 12:32:36 +0000 (13:32 +0100)]
[PATCH] ip_conntrack: fix ftp/irc/tftp helpers on ports >= 32768
Since we've converted the ftp/irc/tftp helpers to use the new
module_parm_array() some time ago, we ware accidentially using signed data
types - thus preventing those modules from being used on ports >= 32768.
This patch fixes it by using 'ushort' module parameters.
Thanks to Jan Nijs for reporting this bug.
Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[PATCH] ctnetlink: Fix oops when no ICMP ID info in message
This patch fixes an userspace triggered oops. If there is no ICMP_ID
info the reference to attr will be NULL.
Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Chris Wright <chrisw@osdl.org>
Philip Craig [Tue, 15 Nov 2005 12:32:36 +0000 (13:32 +0100)]
[PATCH] PPTP helper: fix PNS-PAC expectation call id
The reply tuple of the PNS->PAC expectation was using the wrong call id.
So we had the following situation:
- PNS behind NAT firewall
- PNS call id requires NATing
- PNS->PAC gre packet arrives first
then the PNS->PAC expectation is matched, and the other expectation
is deleted, but the PAC->PNS gre packets do not match the gre conntrack
because the call id is wrong.
We also cannot use ip_nat_follow_master().
Signed-off-by: Philip Craig <philipc@snapgear.com> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Harald Welte [Tue, 15 Nov 2005 12:32:36 +0000 (13:32 +0100)]
[PATCH] ctnetlink: check if protoinfo is present
This fixes an oops triggered from userspace. If we don't pass information
about the private protocol info, the reference to attr will be NULL. This is
likely to happen in update messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Harald Welte [Tue, 15 Nov 2005 12:32:36 +0000 (13:32 +0100)]
[PATCH] nf_queue: Fix Ooops when no queue handler registered
With the new nf_queue generalization in 2.6.14, we've introduced a bug
that causes an oops as soon as a packet is queued but no queue handler
registered. This patch fixes it.
Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Rusty Rusty [Tue, 15 Nov 2005 12:32:36 +0000 (13:32 +0100)]
[PATCH] NAT: Fix module refcount dropping too far
The unknown protocol is used as a fallback when a protocol isn't known.
Hence we cannot handle it failing, so don't set ".me". It's OK, since we
only grab a reference from within the same module (iptable_nat.ko), so we
never take the module refcount from 0 to 1.
Also, remove the "protocol is NULL" test: it's never NULL.
Signed-off-by: Rusty Rusty <rusty@rustcorp.com.au> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Krzysztof Halasa [Fri, 11 Nov 2005 00:54:14 +0000 (01:54 +0100)]
[PATCH] Generic HDLC WAN drivers - disable netif_carrier_off()
As we are currently unable to fix the problem with carrier and protocol
state signaling in net core I've to disable netif_carrier_off() calls
used by WAN protocol drivers. The attached patch should make them
working again.
The remaining netif_carrier_*() calls in hdlc_fr.c are fine as they
don't touch the physical device.
Signed-off-by: Krzysztof Halasa <khc@pm.waw.pl> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
J. Bruce Fields [Fri, 11 Nov 2005 00:08:00 +0000 (19:08 -0500)]
[PATCH] VFS: Fix memory leak with file leases
The patch
http://linux.bkbits.net:8080/linux-2.6/diffs/fs/locks.c@1.70??nav=index.html
introduced a pretty nasty memory leak in the lease code. When freeing
the lease, the code in locks_delete_lock() will correctly clean up
the fasync queue, but when we return to fcntl_setlease(), the freed
fasync entry will be reinstated.
This patch ensures that we skip the call to fasync_helper() when we're
freeing up the lease.
Signed-off-by: J. Bruce Fields <bfields@fieldses.org> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Peter Osterlund [Mon, 14 Nov 2005 00:06:36 +0000 (16:06 -0800)]
[PATCH] packet writing oops fix
There is an old bug in the pkt_count_states() function that causes stack
corruption. When compiling with gcc 3.x or 2.x it is harmless, but gcc 4
allocates local variables differently, which makes the bug visible.
Signed-off-by: Peter Osterlund <petero2@telia.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Linus Torvalds [Wed, 9 Nov 2005 19:37:57 +0000 (11:37 -0800)]
[PATCH] Fix ptrace self-attach rule
Before we did CLONE_THREAD, the way to check whether we were attaching
to ourselves was to just check "current == task", but with CLONE_THREAD
we should check that the thread group ID matches instead.
[PATCH] ipvs: fix connection leak if expire_nodest_conn=1
There was a fix in 2.6.13 that changed the behaviour of
ip_vs_conn_expire_now function not to put reference to connection, its
callers should hold write lock or connection refcnt. But we forgot to
convert one caller, when the real server for connection is unavailable
caller should put the connection reference. It happens only when sysctl
var expire_nodest_conn is set to 1 and such connections never expire.
Thanks to Roberto Nibali who found the problem and tested a 2.4.32-rc2
patch, which is equal to this 2.6 version.
Oleg Nesterov [Wed, 9 Nov 2005 18:22:14 +0000 (10:22 -0800)]
[PATCH] fix de_thread() vs send_group_sigqueue() race
When non-leader thread does exec, de_thread calls release_task(leader) before
calling exit_itimers(). If local timer interrupt happens in between, it can
oops in send_group_sigqueue() while taking ->sighand->siglock == NULL.
However, we can't change send_group_sigqueue() to check p->signal != NULL,
because sys_timer_create() does get_task_struct() only in SIGEV_THREAD_ID
case. So it is possible that this task_struct was already freed and we can't
trust p->signal.
This patch changes de_thread() so that leader released after exit_itimers()
call.
Adrian Bunk [Wed, 9 Nov 2005 18:22:11 +0000 (10:22 -0800)]
[PATCH] airo.c/airo_cs.c: correct prototypes
This patch creates a file airo.h containing prototypes of the global
functions in airo.c used by airo_cs.c .
If you got strange problems with either airo_cs devices or in any other
completely unrelated part of the kernel shortly or long after a airo_cs
device was detected by the kernel, this might have been caused by the
fact that caller and callee disagreed regarding the size of the first
argument to init_airo_card()...
Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The max growth of BIC TCP is too large. Original code was based on
BIC 1.0 and the default there was 32. Later code (2.6.13) included
compensation for delayed acks, and should have reduced the default
value to 16; since normally TCP gets one ack for every two packets sent.
The current value of 32 makes BIC too aggressive and unfair to other
flows.
[PATCH] USB: always export interface information for modalias
This fixes a problem with some cdc acm devices that were not getting
automatically loaded as the module alias was not being reported
properly.
This check was for back in the days when we only reported hotplug events
for the main usb device, not the interfaces. We should always give the
interface information for MODALIAS/modalias as it can be needed.
Dimitri Puzin [Wed, 9 Nov 2005 18:22:07 +0000 (10:22 -0800)]
[PATCH] fix XFS_QUOTA for modular XFS
This patch by Dimitri Puzin submitted through kernel Bugzilla #5514
fixes the following issue:
Cannot build XFS filesystem support as module with quota support. It
works only when the XFS filesystem support is compiled into the kernel.
Menuconfig prevents from setting CONFIG_XFS_FS=m and CONFIG_XFS_QUOTA=y.
How to reproduce: configure the XFS filesystem with quota support as
module. The resulting kernel won't have quota support compiled into
xfs.ko.
Fix: Changing the fs/xfs/Kconfig file from tristate to bool lets you
configure the quota support to be compiled into the XFS module. The
Makefile-linux-2.6 checks only for CONFIG_XFS_QUOTA=y.
Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Nathan Scott <nathans@sgi.com> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Roger While [Wed, 9 Nov 2005 18:22:06 +0000 (10:22 -0800)]
[PATCH] prism54 : Fix frame length
prism54 is leaking information when passing transmits to the firmware.
There is no requirement to adjust the length to >= ETH_ZLEN.
Just pass the skb length (after possible adjustment).
Signed-off-by: Roger While <simrw@sim-basis.de> Acked-by: Jeff Garzik <jgarzik@pobox.com> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Al Viro [Tue, 8 Nov 2005 15:03:46 +0000 (15:03 +0000)]
[PATCH] CVE-2005-2709 sysctl unregistration oops
You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
wait for interface to go away, try to grab as much memory as possible in
hope to hit the (kfreed) ctl_table. Then fill it with pointers to your
function. Then do read from file you've opened and if you are lucky,
you'll get it called as ->proc_handler() in kernel mode.
So this is at least an Oops and possibly more. It does depend on an
interface going away though, so less of a security risk than it would
otherwise be.
Herbert Xu [Thu, 27 Oct 2005 08:47:46 +0000 (18:47 +1000)]
[TCP]: Clear stale pred_flags when snd_wnd changes
This bug is responsible for causing the infamous "Treason uncloaked"
messages that's been popping up everywhere since the printk was added.
It has usually been blamed on foreign operating systems. However,
some of those reports implicate Linux as both systems are running
Linux or the TCP connection is going across the loopback interface.
In fact, there really is a bug in the Linux TCP header prediction code
that's been there since at least 2.1.8. This bug was tracked down with
help from Dale Blount.
The effect of this bug ranges from harmless "Treason uncloaked"
messages to hung/aborted TCP connections. The details of the bug
and fix is as follows.
When snd_wnd is updated, we only update pred_flags if
tcp_fast_path_check succeeds. When it fails (for example,
when our rcvbuf is used up), we will leave pred_flags with
an out-of-date snd_wnd value.
When the out-of-date pred_flags happens to match the next incoming
packet we will again hit the fast path and use the current snd_wnd
which will be wrong.
In the case of the treason messages, it just happens that the snd_wnd
cached in pred_flags is zero while tp->snd_wnd is non-zero. Therefore
when a zero-window packet comes in we incorrectly conclude that the
window is non-zero.
In fact if the peer continues to send us zero-window pure ACKs we
will continue making the same mistake. It's only when the peer
transmits a zero-window packet with data attached that we get a
chance to snap out of it. This is what triggers the treason
message at the next retransmit timeout.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
Oleg Nesterov [Wed, 26 Oct 2005 16:26:53 +0000 (20:26 +0400)]
[PATCH] Fix cpu timers expiration time
There's a silly off-by-one error in the code that updates the expiration
of posix CPU timers, causing them to not be properly updated when they
hit exactly on their expiration time (which should be the normal case).
This causes them to then fire immediately again, and only _then_ get
properly updated.
Peter Wainwright [Wed, 26 Oct 2005 08:59:02 +0000 (01:59 -0700)]
[PATCH] Fix HFS+ to free up the space when a file is deleted.
fsck_hfs reveals lots of temporary files accumulating in the hidden
directory "\000\000\000HFS+ Private Data". According to the HFS+
documentation these are files which are unlinked while in use. However,
there may be a bug in the Linux hfsplus implementation which causes this to
happen even when the files are not in use. It looks like the "opencnt"
field is never initialized as (I think) it should be in hfsplus_read_inode.
This means that a file can appear to be still in use when in fact it has
been closed. This patch seems to fix it for me.
Signed-off-by: Anton Altaparmakov <aia21@cantab.net> Cc: Roman Zippel <zippel@linux-m68k.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Jeff Garzik [Wed, 26 Oct 2005 08:59:01 +0000 (01:59 -0700)]
[PATCH] kill massive wireless-related log spam
Although this message is having the intended effect of causing wireless
driver maintainers to upgrade their code, I never should have merged this
patch in its present form. Leading to tons of bug reports and unhappy
users.
Some wireless apps poll for statistics regularly, which leads to a printk()
every single time they ask for stats. That's a little bit _too_ much of a
reminder that the driver is using an old API.
Change this to printing out the message once, per kernel boot.
Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
[PATCH] ppc64: Fix wrong register mapping in mpic driver
The mpic interrupt controller driver (used on G5 and early pSeries among
others) has a bug where it doesn't get the right virtual address for the
timer registers. It causes the driver to poke at the MMIO space of
whatever has been mapped just next to it (ouch !) when initializing and
causes boot failures on some IBM machines.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Magnus Damm [Wed, 26 Oct 2005 08:58:59 +0000 (01:58 -0700)]
[PATCH] NUMA: broken per cpu pageset counters
The NUMA counters in struct per_cpu_pageset (linux/mmzone.h) are never
cleared today. This works ok for CPU 0 on NUMA machines because
boot_pageset[] is already zero, but for other CPU:s this results in
uninitialized counters.
Signed-off-by: Magnus Damm <magnus@valinux.co.jp> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
NeilBrown [Wed, 26 Oct 2005 08:58:58 +0000 (01:58 -0700)]
[PATCH] md: make sure mdthreads will always respond to kthread_stop
There are still a couple of cases where md threads (the resync/recovery
thread) is not interruptible since the change to use kthreads. All places
there it tests "signal_pending", it should also test kthread_should_stop,
as with this patch.
Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
projects / karo-tx-linux.git / log