]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
18 years ago[PATCH] x86_64: Pass -32 to the assembler when compiling the 32bit vsyscall pages
Andi Kleen [Fri, 21 Apr 2006 07:43:22 +0000 (09:43 +0200)]
[PATCH] x86_64: Pass -32 to the assembler when compiling the 32bit vsyscall pages

This quietens warnings and actually fixes a bug. The unwind tables would
come out wrong without -32, causing pthread cancellation during them
to crash in the gcc runtime.

The problem seems to only happen with newer binutils
(it doesn't happen with 2.16.91.0.2 but happens wit 2.16.91.0.5)

Thanks to Brian Baker @ HP for test case and initial analysis.

Cc: brian.b@hp.com
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] make vm86 call audit_syscall_exit
Jason Baron [Tue, 31 Jan 2006 21:56:28 +0000 (16:56 -0500)]
[PATCH] make vm86 call audit_syscall_exit

hi,

The motivation behind the patch below was to address messages in
/var/log/messages such as:

Jan 31 10:54:15 mets kernel: audit(:0): major=252 name_count=0: freeing
multiple contexts (1)
Jan 31 10:54:15 mets kernel: audit(:0): major=113 name_count=0: freeing
multiple contexts (2)

I can reproduce by running 'get-edid' from:
http://john.fremlin.de/programs/linux/read-edid/.

These messages come about in the log b/c the vm86 calls do not exit via
the normal system call exit paths and thus do not call
'audit_syscall_exit'. The next system call will then free the context for
itself and for the vm86 context, thus generating the above messages. This
patch addresses the issue by simply adding a call to 'audit_syscall_exit'
from the vm86 code.

Besides fixing the above error messages the patch also now allows vm86
system calls to become auditable. This is useful since strace does not
appear to properly record the return values from sys_vm86.

I think this patch is also a step in the right direction in terms of
cleaning up some core auditing code. If we can correct any other paths
that do not properly call the audit exit and entries points, then we can
also eliminate the notion of context chaining.

I've tested this patch by verifying that the log messages no longer
appear, and that the audit records for sys_vm86 appear to be correct.
Also, 'read_edid' produces itentical output.

thanks,

-Jason

Signed-off-by: Jason Baron <jbaron@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] cs5535_gpio.c: call cdev_del() during module_exit to unmap kobject references...
Thayumanavar Sachithanantham [Thu, 20 Apr 2006 16:00:56 +0000 (16:00 +0000)]
[PATCH] cs5535_gpio.c: call cdev_del() during module_exit to unmap kobject references and other cleanups

During module unloading, cdev_del() must be called to unmap cdev related
kobject references and other cleanups(such as inode->i_cdev being set to
NULL) which prevents the OOPS upon subsequent loading, usage and unloading
of modules(as seen in the mail thread
http://marc.theaimsgroup.com/?l=linux-kernel&m=114533640609018&w=2).

Also, remove unneeded test of gpio_base.

Signed-off-by: Thayumanavar Sachithanantham <thayumk@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] sonypi: correct detection of new ICH7-based laptops
Arnaud MAZIN [Thu, 20 Apr 2006 16:01:02 +0000 (16:01 +0000)]
[PATCH] sonypi: correct detection of new ICH7-based laptops

Add a test to detect the ICH7 based Core Duo SONY laptops (such as the SZ1)
as type3 models.

Signed-off-by: Arnaud MAZIN <arnaud.mazin@gmail.com>
Acked-by: Stelian Pop <stelian@poppies.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years agoLinux 2.6.16.11 v2.6.16.11
Greg Kroah-Hartman [Mon, 24 Apr 2006 20:20:24 +0000 (13:20 -0700)]
Linux 2.6.16.11

18 years ago[PATCH] Don't allow a backslash in a path component (CVE-2006-1863)
Steve French [Fri, 21 Apr 2006 18:18:37 +0000 (18:18 +0000)]
[PATCH] Don't allow a backslash in a path component (CVE-2006-1863)

Unless Posix paths have been negotiated, the backslash, "\", is not a valid
character in a path component.

Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years agoLinux 2.6.16.10 v2.6.16.10
Greg Kroah-Hartman [Mon, 24 Apr 2006 17:07:37 +0000 (10:07 -0700)]
Linux 2.6.16.10

18 years ago[PATCH] IPC: access to unmapped vmalloc area in grow_ary()
Alexey Kuznetsov [Tue, 18 Apr 2006 03:04:00 +0000 (03:04 +0000)]
[PATCH] IPC: access to unmapped vmalloc area in grow_ary()

grow_ary() should not copy struct ipc_id_ary (it copies new->p, not
new). Due to this, memcpy() src pointer could hit unmapped vmalloc page
when near page boundary.

Found during OpenVZ stress testing

Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] Add more prevent_tail_call()
OGAWA Hirofumi [Wed, 19 Apr 2006 23:59:40 +0000 (23:59 +0000)]
[PATCH] Add more prevent_tail_call()

Those also break userland regs like following.

   00000000 <sys_chown16>:
      0: 0f b7 44 24 0c        movzwl 0xc(%esp),%eax
      5: 83 ca ff              or     $0xffffffff,%edx
      8: 0f b7 4c 24 08        movzwl 0x8(%esp),%ecx
      d: 66 83 f8 ff           cmp    $0xffffffff,%ax
     11: 0f 44 c2              cmove  %edx,%eax
     14: 66 83 f9 ff           cmp    $0xffffffff,%cx
     18: 0f 45 d1              cmovne %ecx,%edx
     1b: 89 44 24 0c           mov    %eax,0xc(%esp)
     1f: 89 54 24 08           mov    %edx,0x8(%esp)
     23: e9 fc ff ff ff        jmp    24 <sys_chown16+0x24>

where the tailcall at the end overwrites the incoming stack-frame.

Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] alim15x3: ULI M-1573 south Bridge support
KAI.HSU [Wed, 19 Apr 2006 17:01:17 +0000 (17:01 +0000)]
[PATCH] alim15x3: ULI M-1573 south Bridge support

>From http://bugzilla.kernel.org/show_bug.cgi?id=6358

The alim15x3.c havn't been update for 3 years.  Recently when we use this
"ULI M1573" south bridge chip found that can't mount CDROM(VCD) smoothly,
must waiting for a long time.  After I check the "ULI M1573" south bridge
datasheet, I found the reason.  The reason is the "ULI M1573" version in
the Linux is "0xC7" not "0xC4" anymore So I was modified the source than it
was successed.

Cc: Bartlomiej Zolnierkiewicz <B.Zolnierkiewicz@elka.pw.edu.pl>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] apm: fix Armada laptops again
Samuel Thibault [Wed, 19 Apr 2006 17:00:54 +0000 (17:00 +0000)]
[PATCH] apm: fix Armada laptops again

Fix the "apm: set display: Interface not engaged" error on Armada laptops
again.

Jordan said:

  I think this is fine.  It seems to me that this may be the fault of one or
  both of the APM solutions handling this situation in a non-standard way, but
  since APM is used very little on the Geode, and I have direct access to our
  BIOS folks, if this problem comes up with a customer again, we'll solve it
  from the firmware.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Cc: "Jordan Crouse" <jordan.crouse@amd.com>
Cc: Zachary Amsden <zach@vmware.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] fbdev: Fix return error of fb_write
Antonino A. Daplas [Wed, 19 Apr 2006 17:01:21 +0000 (17:01 +0000)]
[PATCH] fbdev: Fix return error of fb_write

Fix return code of fb_write():

If at least 1 byte was transferred to the device, return number of bytes,
otherwise:

    - return -EFBIG - if file offset is past the maximum allowable offset or
      size is greater than framebuffer length
    - return -ENOSPC - if size is greater than framebuffer length - offset

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] Fix file lookup without ref
Dipankar Sarma [Wed, 19 Apr 2006 17:00:12 +0000 (17:00 +0000)]
[PATCH] Fix file lookup without ref

There are places in the kernel where we look up files in fd tables and
access the file structure without holding refereces to the file.  So, we
need special care to avoid the race between looking up files in the fd
table and tearing down of the file in another CPU.  Otherwise, one might
see a NULL f_dentry or such torn down version of the file.  This patch
fixes those special places where such a race may happen.

Signed-off-by: Dipankar Sarma <dipankar@in.ibm.com>
Acked-by: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] m41t00: fix bitmasks when writing to chip
David Barksdale [Wed, 19 Apr 2006 16:59:54 +0000 (16:59 +0000)]
[PATCH] m41t00: fix bitmasks when writing to chip

Fix the bitmasks used when writing to the M41T00 registers.

The original code used a mask of 0x7f when writing to each register,
this is incorrect and probably the result of a copy-paste error.  As a
result years from 1980 to 1999 will be read back as 2000 to 2019.

Signed-off-by: David Barksdale <amatus@ocgnet.org>
Acked-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] Open IPMI BT overflow
Heikki Orsila [Wed, 19 Apr 2006 17:01:01 +0000 (17:01 +0000)]
[PATCH] Open IPMI BT overflow

I was looking into random driver code and found a suspicious looking
memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:

if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
return -1;
...
memcpy(bt->write_data + 3, data + 1, size - 1);

where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH.  It looks like the
memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH.  A patch
attached to limit size to (IPMI_MAX_LENGTH - 2).

Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] x86: be careful about tailcall breakage for sys_open[at] too
Linus Torvalds [Tue, 18 Apr 2006 20:59:27 +0000 (20:59 +0000)]
[PATCH] x86: be careful about tailcall breakage for sys_open[at] too

x86: be careful about tailcall breakage for sys_open[at] too

Came up through a quick grep for other cases similar to the ftruncate()
one in commit 0a489cb3b6a7b277030cdbc97c2c65905db94536.

Also, add a comment, so that people who read the code understand why we
do what looks like a no-op.

(Again, this won't actually matter to any sane user, since libc will
save and restore the register gcc stomps on, but it's still wrong to
stomp on it)

Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] x86: don't allow tail-calls in sys_ftruncate[64]()
Linus Torvalds [Tue, 18 Apr 2006 20:59:26 +0000 (20:59 +0000)]
[PATCH] x86: don't allow tail-calls in sys_ftruncate[64]()

x86: don't allow tail-calls in sys_ftruncate[64]()

Gcc thinks it owns the incoming argument stack, but that's not true for
"asmlinkage" functions, and it corrupts the caller-set-up argument stack
when it pushes the third argument onto the stack.  Which can result in
%ebx getting corrupted in user space.

Now, normally nobody sane would ever notice, since libc will save and
restore %ebx anyway over the system call, but it's still wrong.

I'd much rather have "asmlinkage" tell gcc directly that it doesn't own
the stack, but no such attribute exists, so we're stuck with our hacky
manual "prevent_tail_call()" macro once more (we've had the same issue
before with sys_waitpid() and sys_wait4()).

Thanks to Hans-Werner Hilse <hilse@sub.uni-goettingen.de> for reporting
the issue and testing the fix.

Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] IPV6: XFRM: Fix decoding session with preceding extension header(s).
YOSHIFUJI Hideaki / \e$B5HF#1QL@\e(B [Wed, 19 Apr 2006 02:14:23 +0000 (11:14 +0900)]
[PATCH] IPV6: XFRM: Fix decoding session with preceding extension header(s).

[IPV6] XFRM: Fix decoding session with preceding extension header(s).

We did not correctly decode session with preceding extension
header(s).  This was because we had already pulled preceding
headers, skb->nh.raw + 40 + 1 - skb->data was minus, and
pskb_may_pull() failed.

We now have IP6CB(skb)->nhoff and skb->h.raw, and we can
start parsing / decoding upper layer protocol from current
position.

Tracked down by Noriaki TAKAMIYA <takamiya@po.ntts.co.jp>
and tested by Kazunori Miyazawa <kazunori@miyazawa.org>.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] IPV6: XFRM: Don't use old copy of pointer after pskb_may_pull().
YOSHIFUJI Hideaki / \e$B5HF#1QL@\e(B [Wed, 19 Apr 2006 02:14:07 +0000 (11:14 +0900)]
[PATCH] IPV6: XFRM: Don't use old copy of pointer after pskb_may_pull().

[IPV6] XFRM: Don't use old copy of pointer after pskb_may_pull().

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] IPV6: Ensure to have hop-by-hop options in our header of &sk_buff.
YOSHIFUJI Hideaki / \e$B5HF#1QL@\e(B [Wed, 19 Apr 2006 02:13:58 +0000 (11:13 +0900)]
[PATCH] IPV6: Ensure to have hop-by-hop options in our header of &sk_buff.

[IPV6]: Ensure to have hop-by-hop options in our header of &sk_buff.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] selinux: Fix MLS compatibility off-by-one bug
Ron Yorston [Wed, 19 Apr 2006 05:21:04 +0000 (22:21 -0700)]
[PATCH] selinux: Fix MLS compatibility off-by-one bug

Fix an off-by-one error in the MLS compatibility code that was causing
contexts with a MLS suffix to be rejected, preventing sharing partitions
between FC4 and FC5.  Bug reported in
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188068

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] PPC: fix oops in alsa powermac driver
Guido Guenther [Thu, 20 Apr 2006 18:59:10 +0000 (20:59 +0200)]
[PATCH] PPC: fix oops in alsa powermac driver

this fixes an oops in 2.6.16.X when loading the snd_powermac module. The
name of the requested module changed during the 2.6.16 development cycle
from i2c-keylargo to i2c-powermac:

Signed-off-by: Guido Guenther <agx@sigxcpu.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] MTD_NAND_SHARPSL and MTD_NAND_NANDSIM should be tristate's
Adrian Bunk [Tue, 18 Apr 2006 23:49:31 +0000 (01:49 +0200)]
[PATCH] MTD_NAND_SHARPSL and MTD_NAND_NANDSIM should be tristate's

MTD_NAND=m and MTD_NAND_SHARPSL=y or MTD_NAND_NANDSIM=y are illegal
combinations that mustn't be allowed.

This patch fixes this bug by making MTD_NAND_SHARPSL and MTD_NAND_NANDSIM
tristate's.

Additionally, it fixes some whitespace damage at these options.

This patch was already included in Linus' tree.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] i2c-i801: Fix resume when PEC is used
Jean Delvare [Tue, 18 Apr 2006 12:15:59 +0000 (14:15 +0200)]
[PATCH] i2c-i801: Fix resume when PEC is used

Fix for bug #6395:
Fail to resume on Tecra M2 with ADM1032 and Intel 82801DBM

The BIOS of the Tecra M2 doesn't like it when it has to reboot or
resume after the i2c-i801 driver has left the SMBus in PEC mode.
I have a more complete fix for 2.6.17 but the simple approach of
leaving the SMBus in non-PEC mode after every transaction should do
for -stable. That's what the i2c-i801 driver was doing up to 2.6.15
(inclusive).

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] Fix hotplug race during device registration
Thomas de Grenier de Latour [Wed, 19 Apr 2006 04:22:39 +0000 (10:22 +0600)]
[PATCH] Fix hotplug race during device registration

On Sun, 9 Apr 2006 21:56:59 +0400,
Sergey Vlasov <vsu@altlinux.ru> wrote:
> However, show_address() does not output anything unless
> dev->reg_state == NETREG_REGISTERED - and this state is set by
> netdev_run_todo() only after netdev_register_sysfs() returns, so in
> the meantime (while netdev_register_sysfs() is busy adding the
> "statistics" attribute group) some process may see an empty "address"
> attribute.

I've tried the attached patch, suggested by Sergey Vlasov on
hotplug-devel@, and as far as i can test it works just fine.

Signed-off-by: Alexander Patrakov <patrakov@ums.usu.ru>
Signed-off-by: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] Fix truesize underflow
Herbert Xu [Wed, 19 Apr 2006 04:43:31 +0000 (21:43 -0700)]
[PATCH] Fix truesize underflow

[TCP]: Fix truesize underflow

There is a problem with the TSO packet trimming code.  The cause of
this lies in the tcp_fragment() function.

When we allocate a fragment for a completely non-linear packet the
truesize is calculated for a payload length of zero.  This means that
truesize could in fact be less than the real payload length.

When that happens the TSO packet trimming can cause truesize to become
negative.  This in turn can cause sk_forward_alloc to be -n * PAGE_SIZE
which would trigger the warning.

I've copied the code DaveM used in tso_fragment which should work here.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] efficeon-agp: Add missing memory mask
H. Peter Anvin [Sat, 15 Apr 2006 00:30:24 +0000 (17:30 -0700)]
[PATCH] efficeon-agp: Add missing memory mask

Original patch by Benjamin Herrenschmidt after debugging by Brian Hinz.

Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Brian Hinz <bphinz@hotmail.com>
Signed-off-by: H Peter Anvin <hpa@zytor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] 3ware 9000 disable local irqs during kmap_atomic
adam radford [Tue, 11 Apr 2006 18:25:09 +0000 (11:25 -0700)]
[PATCH] 3ware 9000 disable local irqs during kmap_atomic

The attached patch for 2.6.17-rc2 updates the 3ware 9000 driver:

- Disable local interrupts during kmap/unmap_atomic().

Signed-off-by: Adam Radford <linuxraid@amcc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] 3ware: kmap_atomic() fix
Andrew Morton [Fri, 14 Apr 2006 21:52:14 +0000 (14:52 -0700)]
[PATCH] 3ware: kmap_atomic() fix

We must disable local IRQs while holding KM_IRQ0 or KM_IRQ1.  Otherwise, an
IRQ handler could use those kmap slots while this code is using them,
resulting in memory corruption.

Thanks to Nick Orlov <bugfixer@list.ru> for reporting.

Cc: <linuxraid@amcc.com>
Cc: James Bottomley <James.Bottomley@SteelEye.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years agoLinux 2.6.16.9 v2.6.16.9
Greg Kroah-Hartman [Wed, 19 Apr 2006 06:10:14 +0000 (23:10 -0700)]
Linux 2.6.16.9

18 years ago[PATCH] i386/x86-64: Fix x87 information leak between processes (CVE-2006-1056)
Andi Kleen [Wed, 19 Apr 2006 05:17:31 +0000 (07:17 +0200)]
[PATCH] i386/x86-64: Fix x87 information leak between processes (CVE-2006-1056)

AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in FXSAVE
when an exception is pending.  This means the value leak through context
switches and allow processes to observe some x87 instruction state of
other processes.

This was actually documented by AMD, but nobody recognized it as being
different from Intel before.

The fix first adds an optimization: instead of unconditionally calling
FNCLEX after each FXSAVE test if ES is pending and skip it when not
needed. Then do a x87 load from a kernel variable to clear FOP/FIP/FDP.

This means other processes always will only see a constant value defined
by the kernel in their FP state.

I took some pain to make sure to chose a variable that's already in L1
during context switch to make the overhead of this low.

Also alternative() is used to patch away the new code on CPUs who don't
need it.

Patch for both i386/x86-64.

The problem was discovered originally by Jan Beulich. Richard Brunner
provided the basic code for the workarounds, with contribution from Jan.

This is CVE-2006-1056

Cc: richard.brunner@amd.com
Cc: jbeulich@novell.com
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years agoLinux 2.6.16.8 v2.6.16.8
Greg Kroah-Hartman [Tue, 18 Apr 2006 21:32:07 +0000 (14:32 -0700)]
Linux 2.6.16.8

18 years ago[PATCH] ip_route_input panic fix (CVE-2006-1525)
Stephen Hemminger [Tue, 18 Apr 2006 00:27:11 +0000 (17:27 -0700)]
[PATCH] ip_route_input panic fix (CVE-2006-1525)

This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388
The bug is caused by ip_route_input dereferencing skb->nh.protocol of
the dummy skb passed dow from inet_rtm_getroute (Thanks Thomas for seeing
it). It only happens if the route requested is for a multicast IP
address.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years agoLinux 2.6.16.7 v2.6.16.7
Greg Kroah-Hartman [Mon, 17 Apr 2006 21:53:25 +0000 (14:53 -0700)]
Linux 2.6.16.7

18 years ago[PATCH] fix MADV_REMOVE vulnerability (CVE-2006-1524 for real this time)
Hugh Dickins [Mon, 17 Apr 2006 21:46:32 +0000 (22:46 +0100)]
[PATCH] fix MADV_REMOVE vulnerability (CVE-2006-1524 for real this time)

madvise_remove needs to respect file and mmap protections.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years agoLinux 2.6.16.6 v2.6.16.6
Greg Kroah-Hartman [Mon, 17 Apr 2006 20:36:51 +0000 (13:36 -0700)]
Linux 2.6.16.6

18 years ago[PATCH] shmat: stop mprotect from giving write permission to a readonly attachment...
Hugh Dickins [Wed, 12 Apr 2006 21:34:27 +0000 (14:34 -0700)]
[PATCH] shmat: stop mprotect from giving write permission to a readonly attachment (CVE-2006-1524)

I found that all of 2.4 and 2.6 have been letting mprotect give write
permission to a readonly attachment of shared memory, whether or not IPC
would give the caller that permission.

SUS says "The behaviour of this function [mprotect] is unspecified if the
mapping was not established by a call to mmap", but I don't think we can
interpret that as allowing it to subvert IPC permissions.

I haven't tried 2.2, but the 2.2.26 source looks like it gets it right; and
the patch below reproduces that behaviour - mprotect cannot be used to add
write permission to a shared memory segment attached readonly.

This patch is simple, and I'm sure it's what we should have done in 2.4.0:
if you want to go on to switch write permission on and off with mprotect,
just don't attach the segment readonly in the first place.

However, we could have accumulated apps which attach readonly (even though
they would be permitted to attach read/write), and which subsequently use
mprotect to switch write permission on and off: it's not unreasonable.

I was going to add a second ipcperms check in do_shmat, to check for
writable when readonly, and if not writable find_vma and clear VM_MAYWRITE.
 But security_ipc_permission might do auditing, and it seems wrong to
report an attempt for write permission when there has been none.  Or we
could flag the vma as SHM, note the shmid or shp in vm_private_data, and
then get mprotect to check.

But the patch below is a lot simpler: I'd rather stick with it, if we can
convince ourselves somehow that it'll be safe.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] atm: clip causes unregister hang
Stephen Hemminger [Wed, 12 Apr 2006 21:52:54 +0000 (14:52 -0700)]
[PATCH] atm: clip causes unregister hang

If Classical IP over ATM module is loaded, its neighbor table gets
populated when permanent neighbor entries are created; but these entries
are not flushed when the device is removed. Since the entry never gets
flushed the unregister of the network device never completes.

This version of the patch also adds locking around the reference to
the atm arp daemon to avoid races with events and daemon state changes.
(Note: barrier() was never really safe)

Bug-reference: http://bugzilla.kernel.org/show_bug.cgi?id=6295

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] fix non-leader exec under ptrace
Roland McGrath [Wed, 12 Apr 2006 23:30:20 +0000 (16:30 -0700)]
[PATCH] fix non-leader exec under ptrace

This reverts most of commit 30e0fca6c1d7d26f3f2daa4dd2b12c51dadc778a.
It broke the case of non-leader MT exec when ptraced.
I think the bug it was intended to fix was already addressed by commit
788e05a67c343fa22f2ae1d3ca264e7f15c25eaf.

Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] USB: remove __init from usb_console_setup
Paul Fulghum [Wed, 12 Apr 2006 21:41:59 +0000 (23:41 +0200)]
[PATCH] USB: remove __init from usb_console_setup

This prevents an Oops if booted with "console=ttyUSB0" but without a
USB-serial dongle, and plugged one in afterwards.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] Fix suspend with traced tasks
Pavel Machek [Fri, 31 Mar 2006 10:30:06 +0000 (02:30 -0800)]
[PATCH] Fix suspend with traced tasks

strace /bin/bash misbehaves after resume; this fixes it.

(akpm: it's scary calling refrigerator() in state TASK_TRACED, but it seems to
do the right thing).

Signed-off-by: Pavel Machek <pavel@suse.cz>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] Incorrect signature sent on SMB Read
Steve French [Fri, 31 Mar 2006 21:22:00 +0000 (21:22 +0000)]
[PATCH] Incorrect signature sent on SMB Read

Fixes Samba bug 3621 and kernel.org bug 6147

For servers which require SMB/CIFS packet signing, we were sending the
wrong signature (all zeros) on SMB Read request.  The new cifs routine
to do signatures across an iovec was not complete - and SMB Read, unlike
the new SMBWrite2, did not fall back to the older routine (ie use
SendReceive vs. the more efficient SendReceive2 ie used the older
cifs_sign_smb vs. the disabled  cifs_sign_smb2) for calculating signatures.

This finishes up cifs_sign_smb2/cifs_calc_signature2 so that the callers
of SendReceive2 can get SMB/CIFS packet signatures.

Now that cifs_sign_smb2 is supported, we could start using it in
the write path but this smaller fix does not include the change
to use SMBWrite2 when signatures are required (which when enabled
will make more Writes more efficient and alloc less memory).
Currently Write2 is only used when signatures are not
required at the moment but after more testing we will enable
that as well).

Thanks to James Slepicka and Sam Flory for initial investigation.

Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] RLIMIT_CPU: fix handling of a zero limit
Andrew Morton [Fri, 24 Mar 2006 11:18:35 +0000 (03:18 -0800)]
[PATCH] RLIMIT_CPU: fix handling of a zero limit

At present the kernel doesn't honour an attempt to set RLIMIT_CPU to zero
seconds.  But the spec says it should, and that's what 2.4.x does.

Fixing this for real would involve some complexity (such as adding a new
it-has-been-set flag to the task_struct, and testing that everwhere, instead
of overloading the value of it_prof_expires).

Given that a 2.4 kernel won't actually send the signal until one second has
expired anyway, let's just handle this case by treating the caller's
zero-seconds as one second.

Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Ulrich Weigand <uweigand@de.ibm.com>
Cc: Cliff Wickman <cpw@sgi.com>
Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
18 years ago[PATCH] Fix utime(2) in the case that no times parameter was passed in.
Nathan Scott [Tue, 11 Apr 2006 05:12:45 +0000 (15:12 +1000)]
[PATCH] Fix utime(2) in the case that no times parameter was passed in.

SGI-PV: 949858
SGI-Modid: xfs-linux-melb:xfs-kern:25717a

Signed-off-by: Jes Sorensen <jes@sgi.com>
Signed-off-by: Nathan Scott <nathans@sgi.com>
18 years ago[PATCH] alpha: SMP boot fixes
Brian Uhrain says [Tue, 11 Apr 2006 05:53:16 +0000 (22:53 -0700)]
[PATCH] alpha: SMP boot fixes

I've encountered two problems with 2.6.16 and newer kernels on my API CS20
(dual 833MHz Alpha 21264b processors).  The first is the kernel OOPSing
because of a NULL pointer dereference while trying to populate SysFS with the
CPU information.  The other is that only one processor was being brought up.
I've included a small Alpha-specific patch that fixes both problems.

The first problem was caused by the CPUs never being properly registered using
register_cpu(), the way it's done on other architectures.

The second problem has to do with the removal of hwrpb_cpu_present_mask in
arch/alpha/kernel/smp.c.  In setup_smp() in the 2.6.15 kernel sources,
hwrpb_cpu_present_mask has a bit set for each processor that is probed, and
afterwards cpu_present_mask is set to the cpumask for the boot CPU.  In the
same function of the same file in the 2.6.16 sources, instead of
hwrpb_cpu_present_mask being set, cpu_possible_map is updated for each probed
CPU.  cpu_present_mask is still set to the cpumask of the boot CPU afterwards.
 The problem lies in include/asm-alpha/smp.h, where cpu_possible_map is
#define'd to be cpu_present_mask.

Cleanups from: Ivan Kokshaysky <ink@jurassic.park.msu.ru>

 - cpu_present_mask and cpu_possible_map are essentially the same thing
   on alpha, as it doesn't support CPU hotplug;
 - allocate "struct cpu" only for present CPUs, like sparc64 does.
   Static array of "struct cpu" is just a waste of memory.

Signed-off-by: Brian Uhrain <buhrain@rosettastone.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] cciss: bug fix for crash when running hpacucli
Mike Miller [Mon, 10 Apr 2006 22:38:07 +0000 (15:38 -0700)]
[PATCH] cciss: bug fix for crash when running hpacucli

Fix a crash when running hpacucli with multiple logical volumes on a cciss
controller.  We were not properly initializing the disk->queue and causing
a fault.

Thanks to Hasso Tepper for reporting the problem.  Thanks to Steve Cameron
for root causing the problem.  Most of the patch just moves things around.
The fix is a one-liner.

Signed-off-by: Mike Miller <mike.miller@hp.com>
Signed-off-by: Stephen Cameron <steve.cameron@hp.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] edac_752x needs CONFIG_HOTPLUG
Randy Dunlap [Mon, 10 Apr 2006 18:54:24 +0000 (20:54 +0200)]
[PATCH] edac_752x needs CONFIG_HOTPLUG

EDAC_752X uses pci_scan_single_device(), which is only available
if CONFIG_HOTPLUG is enabled, so limit this driver with HOTPLUG.

This patch was already included in Linus' tree.

Adrian Bunk:
Rediffed for 2.6.16.x due to unrelated context changes.

Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: David S. Peterson <dsp@llnl.gov>
18 years ago[PATCH] ext3: Fix missed mutex unlock
Ananiev, Leonid I [Tue, 11 Apr 2006 05:54:38 +0000 (22:54 -0700)]
[PATCH] ext3: Fix missed mutex unlock

Missed unlock_super()call is added in error condition code path.

Signed-off-by: Leonid Ananiev <leonid.i.ananiev@intel.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] Fix block device symlink name
Stephen Rothwell [Mon, 10 Apr 2006 07:17:20 +0000 (00:17 -0700)]
[PATCH] Fix block device symlink name

As noted further on the this file, some block devices have a / in their
name, so fix the "block:..." symlink name the same as the /sys/block name.

Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] Fix buddy list race that could lead to page lru list corruptions
Nick Piggin [Mon, 10 Apr 2006 23:54:00 +0000 (16:54 -0700)]
[PATCH] Fix buddy list race that could lead to page lru list corruptions

Rohit found an obscure bug causing buddy list corruption.

page_is_buddy is using a non-atomic test (PagePrivate && page_count == 0)
to determine whether or not a free page's buddy is itself free and in the
buddy lists.

Each of the conjuncts may be true at different times due to unrelated
conditions, so the non-atomic page_is_buddy test may find each conjunct to
be true even if they were not both true at the same time (ie. the page was
not on the buddy lists).

Signed-off-by: Martin Bligh <mbligh@google.com>
Signed-off-by: Rohit Seth <rohitseth@google.com>
Signed-off-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] fuse: fix oops in fuse_send_readpages()
Miklos Szeredi [Tue, 11 Apr 2006 16:37:57 +0000 (18:37 +0200)]
[PATCH] fuse: fix oops in fuse_send_readpages()

During heavy parallel filesystem activity it was possible to Oops the
kernel.  The reason is that read_cache_pages() could skip pages which
have already been inserted into the cache by another task.
Occasionally this may result in zero pages actually being sent, while
fuse_send_readpages() relies on at least one page being in the
request.

So check this corner case and just free the request instead of trying
to send it.

Reported and tested by Konstantin Isakov.

Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] m32r: Fix cpu_possible_map and cpu_present_map initialization for SMP kernel
Hirokazu Takata [Tue, 11 Apr 2006 05:53:18 +0000 (22:53 -0700)]
[PATCH] m32r: Fix cpu_possible_map and cpu_present_map initialization for SMP kernel

This patch fixes a boot problem of the m32r SMP kernel 2.6.16-rc1-mm3 or
later.

In this patch, cpu_possible_map is statically initialized, and cpu_present_map
is also copied from cpu_possible_map in smp_prepare_cpus(), because the m32r
architecture has not supported CPU hotplug yet.

Signed-off-by: Hayato Fujiwara <fujiwara.hayato@renesas.com>
Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] m32r: security fix of {get, put}_user macros
Hirokazu Takata [Tue, 11 Apr 2006 05:53:20 +0000 (22:53 -0700)]
[PATCH] m32r: security fix of {get, put}_user macros

Update {get,put}_user macros for m32r kernel.
- Modify get_user to use __get_user_asm macro, instead of __get_user_x macro.
- Remove arch/m32r/lib/{get,put}user.S.
- Some cosmetic updates.

I would like to thank NIIBE Yutaka for his reporting about the m32r kernel's
security problem in {get,put}_user macros.

There were no address checking for user space access in {get,put}_user macros.
 ;-)

Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>
Cc: NIIBE Yutaka <gniibe@fsij.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] NETFILTER: Fix fragmentation issues with bridge netfilter
Patrick McHardy [Thu, 6 Apr 2006 16:51:38 +0000 (18:51 +0200)]
[PATCH] NETFILTER: Fix fragmentation issues with bridge netfilter

[NETFILTER]: Fix fragmentation issues with bridge netfilter

The conntrack code doesn't do re-fragmentation of defragmented packets
anymore but relies on fragmentation in the IP layer. Purely bridged
packets don't pass through the IP layer, so the bridge netfilter code
needs to take care of fragmentation itself.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] sky2: bad memory reference on dual port cards
Stephen Hemminger [Thu, 6 Apr 2006 00:47:15 +0000 (17:47 -0700)]
[PATCH] sky2: bad memory reference on dual port cards

Sky2 driver will oops referencing bad memory if used on
a dual port card.  The problem is accessing past end of
MIB counter space.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] isd200: limit to BLK_DEV_IDE
Randy Dunlap [Wed, 5 Apr 2006 19:03:45 +0000 (12:03 -0700)]
[PATCH] isd200: limit to BLK_DEV_IDE

Limit USB_STORAGE_ISD200 to whatever BLK_DEV_IDE and USB_STORAGE
are set to (y, m) since isd200 calls ide_fix_driveid() in the
BLK_DEV_IDE code.

Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] MPBL0010 driver sysfs permissions wide open
Mark Bellon [Wed, 5 Apr 2006 08:06:06 +0000 (01:06 -0700)]
[PATCH] MPBL0010 driver sysfs permissions wide open

The MPBL0010 Telco clock driver (drivers/char/tlclk.c) uses 0222 (anyone
can write) permissions on its writable sysfs entries.  Alter the
permissions to 0220 (owner and group can write).

The use case for this driver is to configure the fail over behavior of the
clock hardware.  That should be done by the more privileged users.

Signed-off-by: Mark Bellon <mbellon@mvista.com>
Acked-by: Gross Mark <mark.gross@intel.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] powerpc: fix incorrect SA_ONSTACK behaviour for 64-bit processes
Laurent MEYER [Wed, 5 Apr 2006 22:45:19 +0000 (08:45 +1000)]
[PATCH] powerpc: fix incorrect SA_ONSTACK behaviour for 64-bit processes

*) When setting a sighandler using sigaction() call, if the flag
SA_ONSTACK is set and no alternate stack is provided via sigaltstack(),
the kernel still try to install the alternate stack. This behavior is
the opposite of the one which is documented in Single Unix
Specifications V3.

*) Also when setting an alternate stack using sigaltstack() with the
flag SS_DISABLE, the kernel try to install the alternate stack on
signal delivery.

These two use cases makes the process crash at signal delivery.

This fixes it.

Signed-off-by: Laurent Meyer <meyerlau@fr.ibm.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] powerpc: iSeries needs slb_initialize to be called
Stephen Rothwell [Wed, 5 Apr 2006 00:41:21 +0000 (10:41 +1000)]
[PATCH] powerpc: iSeries needs slb_initialize to be called

Since the powerpc 64k pages patch went in, systems that have SLBs
(like Power4 iSeries) needed to have slb_initialize called to set up
some variables for the SLB miss handler.  This was not being called
on the boot processor on iSeries, so on single cpu iSeries machines,
we would get apparent memory curruption as soon as we entered user mode.

This patch fixes that by calling slb_initialize on the boot cpu if the
processor has an SLB.

Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years agoLinux 2.6.16.5 v2.6.16.5
Greg Kroah-Hartman [Wed, 12 Apr 2006 20:27:57 +0000 (13:27 -0700)]
Linux 2.6.16.5

18 years ago[PATCH] x86_64: When user could have changed RIP always force IRET (CVE-2006-0744)
Andi Kleen [Wed, 12 Apr 2006 06:19:29 +0000 (08:19 +0200)]
[PATCH] x86_64: When user could have changed RIP always force IRET (CVE-2006-0744)

Intel EM64T CPUs handle uncanonical return addresses differently from
AMD CPUs.

The exception is reported in the SYSRET, not the next instruction.
Thgis leads to the kernel exception handler running on the user stack
with the wrong GS because the kernel didn't expect exceptions on this
instruction.

This version of the patch has the teething problems that plagued an
earlier version fixed.

This is CVE-2006-0744

Thanks to Ernie Petrides and Asit B. Mallick for analysis and initial
patches.

Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] x86_64: Clean up execve
Andi Kleen [Wed, 12 Apr 2006 06:18:46 +0000 (08:18 +0200)]
[PATCH] x86_64: Clean up execve

Just call IRET always, no need for any special cases.

Needed for the next bug fix.

Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years agoLinux 2.6.16.4 v2.6.16.4
Greg Kroah-Hartman [Tue, 11 Apr 2006 17:19:28 +0000 (10:19 -0700)]
Linux 2.6.16.4

18 years ago[PATCH] RCU signal handling
Oleg Nesterov [Tue, 11 Apr 2006 18:18:58 +0000 (22:18 +0400)]
[PATCH] RCU signal handling

made this BUG_ON() unsafe. This code runs under ->siglock,
while switch_exec_pids() takes tasklist_lock.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years agoLinux 2.6.16.3 v2.6.16.3
Greg Kroah-Hartman [Tue, 11 Apr 2006 05:27:44 +0000 (22:27 -0700)]
Linux 2.6.16.3

18 years ago[PATCH] Keys: Fix oops when adding key to non-keyring [CVE-2006-1522]
David Howells [Mon, 10 Apr 2006 17:01:40 +0000 (17:01 +0000)]
[PATCH] Keys: Fix oops when adding key to non-keyring [CVE-2006-1522]

This fixes the problem of an oops occuring when a user attempts to add a
key to a non-keyring key [CVE-2006-1522].

The problem is that __keyring_search_one() doesn't check that the
keyring it's been given is actually a keyring.

I've fixed this problem by:

 (1) declaring that caller of __keyring_search_one() must guarantee that
     the keyring is a keyring; and

 (2) making key_create_or_update() check that the keyring is a keyring,
     and return -ENOTDIR if it isn't.

This can be tested by:

keyctl add user b b `keyctl add user a a @s`

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years agoLinux 2.6.16.2 v2.6.16.2
Greg Kroah-Hartman [Fri, 7 Apr 2006 16:56:47 +0000 (09:56 -0700)]
Linux 2.6.16.2

18 years ago[PATCH] kdump proc vmcore size oveflow fix
Vivek Goyal [Mon, 3 Apr 2006 23:38:11 +0000 (16:38 -0700)]
[PATCH] kdump proc vmcore size oveflow fix

A couple of /proc/vmcore data structures overflow with 32bit systems having
memory more than 4G.  This patch fixes those.

Signed-off-by: Ken'ichi Ohmichi <oomichi@mxs.nes.nec.co.jp>
Signed-off-by: Vivek Goyal <vgoyal@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] knfsd: Correct reserved reply space for read requests.
NeilBrown [Thu, 30 Mar 2006 06:01:15 +0000 (22:01 -0800)]
[PATCH] knfsd: Correct reserved reply space for read requests.

NFSd makes sure there is enough space to hold the maximum possible reply
before accepting a request.  The units for this maximum is (4byte) words.
However in three places, particularly for read request, the number given is
a number of bytes.

This means too much space is reserved which is slightly wasteful.

This is the sort of patch that could uncover a deeper bug, and it is not
critical, so it would be best for it to spend a while in -mm before going
in to mainline.

(akpm: target 2.6.17-rc2, 2.6.16.3 (approx))

Discovered-by: "Eivind Sarto" <ivan@kasenna.com>
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] hostap: Fix EAPOL frame encryption
Jouni Malinen [Sat, 25 Mar 2006 05:24:55 +0000 (21:24 -0800)]
[PATCH] hostap: Fix EAPOL frame encryption

Fixed encrypted of EAPOL frames from wlan#ap interface (hostapd). This
was broken when moving to use new frame control field defines in
net/ieee80211.h. hostapd uses Protected flag, not protocol version
(which was cleared in this function anyway). This fixes WPA group key
handshake and re-authentication.
http://hostap.epitest.fi/bugz/show_bug.cgi?id=126

Signed-off-by: Jouni Malinen <jkmaline@cc.hut.fi>
18 years ago[PATCH] Add default entry for CTL Travel Master U553W
Takashi Iwai [Sat, 25 Mar 2006 21:07:28 +0000 (22:07 +0100)]
[PATCH] Add default entry for CTL Travel Master U553W

Added the default entry of ALC880 configuration table for
CTL Travel Master U553W.

This patch was already included in Linus' tree.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] AIRO{,_CS} <-> CRYPTO fixes
Adrian Bunk [Sat, 25 Mar 2006 18:22:27 +0000 (19:22 +0100)]
[PATCH] AIRO{,_CS} <-> CRYPTO fixes

CRYPTO is a helper variable, and to make it easier for users, it should
therefore select'ed and not be listed in the dependencies.

drivers/net/wireless/airo.c requires CONFIG_CRYPTO for compilations.

Therefore, AIRO_CS also has to select CRYPTO.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] Fix NULL pointer dereference in node_read_numastat()
Christoph Lameter [Mon, 3 Apr 2006 10:11:57 +0000 (20:11 +1000)]
[PATCH] Fix NULL pointer dereference in node_read_numastat()

Fix NULL pointer dereference in node_read_numastat()

zone_pcp() only returns valid values if the processor is online.

Change node_read_numastat() to only scan online processors.

Signed-off-by: Christoph Lameter <clameter@sgi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] drivers/net/wireless/ipw2200.c: fix an array overun
Adrian Bunk [Sat, 25 Mar 2006 21:07:32 +0000 (22:07 +0100)]
[PATCH] drivers/net/wireless/ipw2200.c: fix an array overun

This patch fixes a big array overun found by the Coverity checker.

This was already fixed in Linus' tree.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] fbcon: Fix big-endian bogosity in slow_imageblit()
Antonino A. Daplas [Mon, 27 Mar 2006 13:11:44 +0000 (21:11 +0800)]
[PATCH] fbcon: Fix big-endian bogosity in slow_imageblit()

The monochrome->color expansion routine that handles bitmaps which have
(widths % 8) != 0 (slow_imageblit) produces corrupt characters in big-endian.
This is caused by a bogus bit test in slow_imageblit().

Fix.

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Acked-by: Herbert Poetzl <herbert@13thfloor.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] fib_trie.c node freeing fix
David S. Miller [Tue, 4 Apr 2006 20:26:50 +0000 (13:26 -0700)]
[PATCH] fib_trie.c node freeing fix

Please apply to 2.6.{14,15,16} -stable, thanks a lot.

From: Robert Olsson <robert.olsson@its.uu.se>

[FIB_TRIE]: Fix leaf freeing.

Seems like leaf (end-nodes) has been freed by __tnode_free_rcu and not
by __leaf_free_rcu. This fixes the problem. Only tnode_free is now
used which checks for appropriate node type. free_leaf can be removed.

Signed-off-by: Robert Olsson <robert.olsson@its.uu.se>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] Fix module refcount leak in __set_personality()
Sergey Vlasov [Sat, 25 Mar 2006 17:36:37 +0000 (18:36 +0100)]
[PATCH] Fix module refcount leak in __set_personality()

If the change of personality does not lead to change of exec domain,
__set_personality() returned without releasing the module reference
acquired by lookup_exec_domain().

This patch was already included in Linus' tree.

Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] Fix the p4-clockmod N60 errata workaround.
Venkatesh Pallipadi [Sat, 25 Mar 2006 17:20:41 +0000 (17:20 +0000)]
[PATCH] Fix the p4-clockmod N60 errata workaround.

[CPUFREQ] Fix the p4-clockmod N60 errata workaround.

Fix the code to disable freqs less than 2GHz in N60 errata.

Signed-off-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] wrong error path in dup_fd() leading to oopses in RCU
Kirill Korotaev [Sun, 2 Apr 2006 00:06:50 +0000 (16:06 -0800)]
[PATCH] wrong error path in dup_fd() leading to oopses in RCU

Wrong error path in dup_fd() - it should return NULL on error,
not an address of already freed memory :/

Triggered by OpenVZ stress test suite.

What is interesting is that it was causing different oopses in RCU like
below:
Call Trace:
   [<c013492c>] rcu_do_batch+0x2c/0x80
   [<c0134bdd>] rcu_process_callbacks+0x3d/0x70
   [<c0126cf3>] tasklet_action+0x73/0xe0
   [<c01269aa>] __do_softirq+0x10a/0x130
   [<c01058ff>] do_softirq+0x4f/0x60
   =======================
   [<c0113817>] smp_apic_timer_interrupt+0x77/0x110
   [<c0103b54>] apic_timer_interrupt+0x1c/0x24
  Code:  Bad EIP value.
   <0>Kernel panic - not syncing: Fatal exception in interrupt

Signed-Off-By: Pavel Emelianov <xemul@sw.ru>
Signed-Off-By: Dmitry Mishin <dim@openvz.org>
Signed-Off-By: Kirill Korotaev <dev@openvz.org>
Signed-Off-By: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] {ip, nf}_conntrack_netlink: fix expectation notifier unregistration
Martin Josefsson [Mon, 3 Apr 2006 08:47:48 +0000 (10:47 +0200)]
[PATCH] {ip, nf}_conntrack_netlink: fix expectation notifier unregistration

[NETFILTER]: {ip,nf}_conntrack_netlink: fix expectation notifier unregistration

This patch fixes expectation notifier unregistration on module unload to
use ip_conntrack_expect_unregister_notifier(). This bug causes a soft
lockup at the first expectation created after a rmmod ; insmod of this
module.

Should go into -stable as well.

Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] isicom must select FW_LOADER
maximilian attems [Fri, 31 Mar 2006 21:09:03 +0000 (23:09 +0200)]
[PATCH] isicom must select FW_LOADER

The isicom driver uses request_firmware()
and thus needs to select FW_LOADER.

This patch was already included in Linus' tree.

Signed-off-by: maximilian attems <maks@sternwelten.at>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] Mark longhaul driver as broken.
Dave Jones [Sat, 25 Mar 2006 17:20:42 +0000 (17:20 +0000)]
[PATCH] Mark longhaul driver as broken.

[CPUFREQ] Mark longhaul driver as broken.
This seems to work for a short period of time, but when
used in conjunction with a userspace governor that changes
the frequency regularly, it's only a matter of time before
everything just locks up.

Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] opti9x - Fix compile without CONFIG_PNP
Takashi Iwai [Sat, 25 Mar 2006 18:49:42 +0000 (19:49 +0100)]
[PATCH] opti9x - Fix compile without CONFIG_PNP

Modules: Opti9xx drivers

Fix compile errors without CONFIG_PNP.

This patch was already included in Linus' tree.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] pcmcia: permit single-character-identifiers
Janos Farkas [Tue, 4 Apr 2006 08:12:43 +0000 (10:12 +0200)]
[PATCH] pcmcia: permit single-character-identifiers

For some time, the core pcmcia drivers seem not to think single
character prod_ids are valid, thus preventing the "cleverly" named

  "D" "Link DWL-650 11Mbps WLAN Card"

Before (as in 2.6.16):
PRODID_1=""
PRODID_2="Link DWL-650 11Mbps WLAN Card"
PRODID_3="Version 01.02"
PRODID_4=""
MANFID=0156,0002
FUNCID=6

After (with the patch)
PRODID_1="D"
PRODID_2="Link DWL-650 11Mbps WLAN Card"
PRODID_3="Version 01.02"
PRODID_4=""
MANFID=0156,0002
FUNCID=6

Signed-off-by: Janos Farkas <chexum@gmail.com>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] PCMCIA_SPECTRUM must select FW_LOADER
Adrian Bunk [Fri, 31 Mar 2006 16:33:45 +0000 (18:33 +0200)]
[PATCH] PCMCIA_SPECTRUM must select FW_LOADER

PCMCIA_SPECTRUM must select FW_LOADER.

Reported by "Alexander E. Patrakov" <patrakov@ums.usu.ru>.

This patch was already included in Linus' tree.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] powerpc: make ISA floppies work again
Stephen Rothwell [Mon, 3 Apr 2006 12:23:15 +0000 (22:23 +1000)]
[PATCH] powerpc: make ISA floppies work again

We used to assume that a DMA mapping request with a NULL dev was for
ISA DMA.  This assumption was broken at some point.  Now we explicitly
pass the detected ISA PCI device in the floppy setup.

Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] sbp2: fix spinlock recursion
Stefan Richter [Sat, 1 Apr 2006 19:11:41 +0000 (21:11 +0200)]
[PATCH] sbp2: fix spinlock recursion

sbp2util_mark_command_completed takes a lock which was already taken by
sbp2scsi_complete_all_commands.  This is a regression in Linux 2.6.15.
Reported by Kristian Harms at
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187394

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] USB: usbcore: usb_set_configuration oops (NULL ptr dereference)
Horst Schirmeier [Sat, 25 Mar 2006 18:13:13 +0000 (19:13 +0100)]
[PATCH] USB: usbcore: usb_set_configuration oops (NULL ptr dereference)

When trying to deconfigure a device via usb_set_configuration(dev, 0),
2.6.16-rc kernels after 55c527187c9d78f840b284d596a0b298bc1493af oops
with "Unable to handle NULL pointer dereference at...". This is due to
an unchecked dereference of cp in the power budget part.

This patch was already included in Linus' tree.

Signed-off-by: Horst Schirmeier <horst@schirmeier.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago[PATCH] USB: EHCI full speed ISO bugfixes
Clemens Ladisch [Fri, 20 Jan 2006 21:49:10 +0000 (13:49 -0800)]
[PATCH] USB: EHCI full speed ISO bugfixes

This patch replaces the split ISO raw_mask calculation code in the
iso_stream_init() function that computed incorrect numbers of high
speed transactions for both input and output transfers.

In the output case, it added a superfluous start-split transaction for
all maxmimum packet sizes that are a multiple of 188.

In the input case, it forgot to add complete-split transactions for all
microframes covered by the full speed transaction, and the additional
complete-split transaction needed for the case when full speed data
starts arriving near the end of a microframe.

These changes don't affect the lack of full speed bandwidth, but at
least it removes the MMF errors that the HC raised with some input
streams.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] sysfs: zero terminate sysfs write buffers (CVE-2006-1055)
Greg Kroah-Hartman [Fri, 31 Mar 2006 23:37:06 +0000 (15:37 -0800)]
[PATCH] sysfs: zero terminate sysfs write buffers (CVE-2006-1055)

No one should be writing a PAGE_SIZE worth of data to a normal sysfs
file, so properly terminate the buffer.

Thanks to Al Viro for pointing out my stupidity here.

CVE-2006-1055 has been assigned for this.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] USB: Fix irda-usb use after use
Eugene Teo [Wed, 15 Mar 2006 22:57:19 +0000 (14:57 -0800)]
[PATCH] USB: Fix irda-usb use after use

Don't read from free'd memory after calling netif_rx().  docopy is used as
a boolean (0 and 1) so unsigned int is sufficient.

Coverity bug #928

Signed-off-by: Eugene Teo <eugene.teo@eugeneteo.net>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] tlclk: fix handling of device major
Andrew Morton [Sat, 25 Mar 2006 05:29:13 +0000 (21:29 -0800)]
[PATCH] tlclk: fix handling of device major

tlclk calls register_chrdev() and permits register_chrdev() to allocate the
major, but it promptly forgets what that major was.  So if there's no hardware
present you still get "telco_clock" appearing in /proc/devices and, I assume,
an oops reading /proc/devices if tlclk was a module.

Fix.

Mark, I'd suggest that that we not call register_chrdev() until _after_ we've
established that the hardware is present.

Cc: Mark Gross <mgross@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years agoLinux 2.6.16.1 v2.6.16.1
Greg Kroah-Hartman [Tue, 28 Mar 2006 06:49:02 +0000 (22:49 -0800)]
Linux 2.6.16.1

18 years ago[PATCH] Fix speedstep-smi assembly bug in speedstep_smi_ownership
Andrew Morton [Sat, 25 Mar 2006 03:40:37 +0000 (19:40 -0800)]
[PATCH] Fix speedstep-smi assembly bug in speedstep_smi_ownership

Fix bug identified by Linus Torvalds <torvalds@osdl.org>: the `out'
instruction depends upon the state of memory_data[], so we need to tell gcc
that before executing it. (The opcode, not gcc).

Fixes http://bugzilla.kernel.org/show_bug.cgi?id=5553

Thanks to Antonio Ospite <ospite@studenti.unina.it> for testing.

Cc: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] DMI: fix DMI onboard device discovery
Andrey Panin [Fri, 24 Mar 2006 21:18:52 +0000 (13:18 -0800)]
[PATCH] DMI: fix DMI onboard device discovery

Attached patch fixes invalid pointer arithmetic in DMI code to make onboard
device discovery working again.

akpm: bug has been present since dmi_find_device() was added in 2.6.14.
Affects ipmi only (I think) - the symptoms weren't described.

akpm: changed to use pointer arithmetic rather than open-coded sizeof.

Signed-off-by: Andrey Panin <pazke@donpac.ru>
Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] cciss: fix use-after-free in cciss_init_one
Patrick McHardy [Thu, 23 Mar 2006 10:59:24 +0000 (02:59 -0800)]
[PATCH] cciss: fix use-after-free in cciss_init_one

free_hba() sets hba[i] to NULL, the dereference afterwards results in this
crash.  Setting busy_initializing to 0 actually looks unnecessary, but I'm
not entirely sure, which is why I left it in.

cciss: controller appears to be disabled
Unable to handle kernel NULL pointer dereference at virtual address 00000370
 printing eip:
c1114d53
*pde = 00000000
Oops: 0002 [#1]
Modules linked in:
CPU:    0
EIP:    0060:[<c1114d53>]    Not tainted VLI
EFLAGS: 00010286   (2.6.16 #1)
EIP is at cciss_init_one+0x4e9/0x4fe
eax: 00000000   ebx: c132cd60   ecx: c13154e4   edx: c27d3c00
esi: 00000000   edi: c2748800   ebp: c2536ee4   esp: c2536eb8
ds: 007b   es: 007b   ss: 0068
Process swapper (pid: 1, threadinfo=c2536000 task=c2535a30)
Stack: <0>00000000 00000000 00000000 c13fdba0 c2536ee8 c13159c0 c2536f38
f7c74740
       c132cd60 c132cd60 ffffffed c2536ef0 c10c1d51 c2748800 c2536f04
c10c1d85
       c132cd60 c2748800 c132cd8c c2536f14 c10c1db8 c2748848 00000000
c2536f28
Call Trace:
 [<c10031d5>] show_stack_log_lvl+0xa8/0xb0
 [<c1003305>] show_registers+0x102/0x16a
 [<c10034a2>] die+0xc1/0x13c
 [<c1288160>] do_page_fault+0x38a/0x525
 [<c1002e9b>] error_code+0x4f/0x54
 [<c10c1d51>] pci_call_probe+0xd/0x10
 [<c10c1d85>] __pci_device_probe+0x31/0x43
 [<c10c1db8>] pci_device_probe+0x21/0x34
 [<c110a654>] driver_probe_device+0x44/0x99
 [<c110a73f>] __driver_attach+0x39/0x5d
 [<c1109e1c>] bus_for_each_dev+0x35/0x5a
 [<c110a777>] driver_attach+0x14/0x16
 [<c110a220>] bus_add_driver+0x5c/0x8f
 [<c110ab22>] driver_register+0x73/0x78
 [<c10c1f6d>] __pci_register_driver+0x5f/0x71
 [<c13bf935>] cciss_init+0x1a/0x1c
 [<c13aa718>] do_initcalls+0x4c/0x96
 [<c13aa77e>] do_basic_setup+0x1c/0x1e
 [<c10002b1>] init+0x35/0x118
 [<c1000cf5>] kernel_thread_helper+0x5/0xb
Code: 04 b5 e0 de 40 c1 8d 50 04 8b 40 34 e8 3f b7 f9 ff 8b 04 b5 e0 de
40 c1 e8 aa f3 ff ff 89 f0 e8 e8 fa ff ff 8b 04 b5 e0 de 40 c1 <c7> 80
70 03 00 00 00 00 00 00 83 c8 ff 8d 65 f4 5b 5e 5f 5d c3
 <0>Kernel panic - not syncing: Attempted to kill init!

Signed-off-by: Patrick McHardy <kaber@trash.net>
Cc: <mike.miller@hp.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] DM: Fix bug: BIO_RW_BARRIER requests to md/raid1 hang.
Neil Brown [Thu, 23 Mar 2006 10:59:22 +0000 (02:59 -0800)]
[PATCH] DM: Fix bug: BIO_RW_BARRIER requests to md/raid1 hang.

Both R1BIO_Barrier and R1BIO_Returned are 4 !!!!

This means that barrier requests don't get returned (i.e.  b_endio called)
because it looks like they already have been.

Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] fix scheduler deadlock
Anton Blanchard [Thu, 23 Mar 2006 10:59:20 +0000 (02:59 -0800)]
[PATCH] fix scheduler deadlock

We have noticed lockups during boot when stress testing kexec on ppc64.
Two cpus would deadlock in scheduler code trying to grab already taken
spinlocks.

The double_rq_lock code uses the address of the runqueue to order the
taking of multiple locks.  This address is a per cpu variable:

if (rq1 < rq2) {
spin_lock(&rq1->lock);
spin_lock(&rq2->lock);
} else {
spin_lock(&rq2->lock);
spin_lock(&rq1->lock);
}

On the other hand, the code in wake_sleeping_dependent uses the cpu id
order to grab locks:

for_each_cpu_mask(i, sibling_map)
spin_lock(&cpu_rq(i)->lock);

This means we rely on the address of per cpu data increasing as cpu ids
increase.  While this will be true for the generic percpu implementation it
may not be true for arch specific implementations.

One way to solve this is to always take runqueues in cpu id order. To do
this we add a cpu variable to the runqueue and check it in the
double runqueue locking functions.

Signed-off-by: Anton Blanchard <anton@samba.org>
Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] proc: fix duplicate line in /proc/devices
Neil Horman [Thu, 23 Mar 2006 10:59:19 +0000 (02:59 -0800)]
[PATCH] proc: fix duplicate line in /proc/devices

Fix a duplicate block device line printed after the "Block device" header
in /proc/devices.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago[PATCH] rtc.h broke strace(1) builds
Joe Korty [Wed, 22 Mar 2006 08:07:43 +0000 (00:07 -0800)]
[PATCH] rtc.h broke strace(1) builds

Git patch 52dfa9a64cfb3dd01fa1ee1150d589481e54e28e

[PATCH] move rtc_interrupt() prototype to rtc.h

broke strace(1) builds.  The below moves the kernel-only additions lower,
under the already provided #ifdef __KERNEL__ statement.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>