]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
16 years ago[NETFILTER]: Fix warnings in ip_nat_snmp_basic.c
David S. Miller [Mon, 14 Jul 2008 18:09:23 +0000 (21:09 +0300)]
[NETFILTER]: Fix warnings in ip_nat_snmp_basic.c

net/ipv4/netfilter/ip_nat_snmp_basic.c: In function 'asn1_header_decode':
net/ipv4/netfilter/ip_nat_snmp_basic.c:248: warning: 'len' may be used unini
net/ipv4/netfilter/ip_nat_snmp_basic.c:248: warning: 'def' may be used unini
net/ipv4/netfilter/ip_nat_snmp_basic.c: In function 'snmp_translate':
net/ipv4/netfilter/ip_nat_snmp_basic.c:672: warning: 'l' may be used uniniti
net/ipv4/netfilter/ip_nat_snmp_basic.c:668: warning: 'type' may be used unin

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agoasn1: additional sanity checking during BER decoding (CVE-2008-1673)
Chris Wright [Mon, 14 Jul 2008 18:09:23 +0000 (21:09 +0300)]
asn1: additional sanity checking during BER decoding (CVE-2008-1673)

- Don't trust a length which is greater than the working buffer.
  An invalid length could cause overflow when calculating buffer size
  for decoding oid.

- An oid length of zero is invalid and allows for an off-by-one error when
  decoding oid because the first subid actually encodes first 2 subids.

- A primitive encoding may not have an indefinite length.

Thanks to Wei Wang from McAfee for report.

Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agoTCP: Fix shrinking windows with window scaling
Patrick McHardy [Mon, 14 Jul 2008 18:09:22 +0000 (21:09 +0300)]
TCP: Fix shrinking windows with window scaling

Upstream commit: 607bfbf2d55dd1cfe5368b41c2a81a8c9ccf4723

When selecting a new window, tcp_select_window() tries not to shrink
the offered window by using the maximum of the remaining offered window
size and the newly calculated window size. The newly calculated window
size is always a multiple of the window scaling factor, the remaining
window size however might not be since it depends on rcv_wup/rcv_nxt.
This means we're effectively shrinking the window when scaling it down.

The dump below shows the problem (scaling factor 2^7):

- Window size of 557 (71296) is advertised, up to 3111907257:

IP 172.2.2.3.33000 > 172.2.2.2.33000: . ack 3111835961 win 557 <...>

- New window size of 514 (65792) is advertised, up to 3111907217, 40 bytes
  below the last end:

IP 172.2.2.3.33000 > 172.2.2.2.33000: . 3113575668:3113577116(1448) ack 3111841425 win 514 <...>

The number 40 results from downscaling the remaining window:

3111907257 - 3111841425 = 65832
65832 / 2^7 = 514
65832 % 2^7 = 40

If the sender uses up the entire window before it is shrunk, this can have
chaotic effects on the connection. When sending ACKs, tcp_acceptable_seq()
will notice that the window has been shrunk since tcp_wnd_end() is before
tp->snd_nxt, which makes it choose tcp_wnd_end() as sequence number.
This will fail the receivers checks in tcp_sequence() however since it
is before it's tp->rcv_wup, making it respond with a dupack.

If both sides are in this condition, this leads to a constant flood of
ACKs until the connection times out.

Make sure the window is never shrunk by aligning the remaining window to
the window scaling factor.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agox86: Replace NSC/Cyrix specific chipset access macros by inlined functions.
Juergen Beisert [Sun, 6 Jul 2008 15:17:23 +0000 (18:17 +0300)]
x86: Replace NSC/Cyrix specific chipset access macros by inlined functions.

Due to index register access ordering problems, when using macros a line
like this fails (and does nothing):

    setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88);

With inlined functions this line will work as expected.

Note about a side effect: Seems on Geode GX1 based systems the
"suspend on halt power saving feature" was never enabled due to this
wrong macro expansion. With inlined functions it will be enabled, but
this will stop the TSC when the CPU runs into a HLT instruction.
Kernel output something like this:
    Clocksource tsc unstable (delta = -472746897 ns)

This is the 3rd version of this patch.

 - Adding missed arch/i386/kernel/cpu/mtrr/state.c
    Thanks to Andres Salomon
 - Adding some big fat comments into the new header file
    Suggested by Andi Kleen

AK: fixed x86-64 compilation

Adrian Bunk:
Added workaround for x86_64 compilation.

Signed-off-by: Juergen Beisert <juergen@kreuzholzen.de>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agoDisable DETECT_SOFTLOCKUP for s390
Heiko Carstens [Thu, 10 Apr 2008 21:33:23 +0000 (00:33 +0300)]
Disable DETECT_SOFTLOCKUP for s390

From: Heiko Carstens <heiko.carstens@de.ibm.com>

We got several false bug reports because of enabled
CONFIG_DETECT_SOFTLOCKUP.  Disable soft lockup detection on s390, since it
doesn't work on a virtualized architecture.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[DECNet] fib: Fix out of bound access of dn_fib_props[]
Thomas Graf [Wed, 19 Mar 2008 21:14:34 +0000 (23:14 +0200)]
[DECNet] fib: Fix out of bound access of dn_fib_props[]

Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agoUSB: race on disconnect in mdc800
Oliver Neukum [Wed, 19 Mar 2008 20:43:12 +0000 (22:43 +0200)]
USB: race on disconnect in mdc800

I overlooked one. Setting the flag and killing the URBs must be under the lo
so that no URB is submitted after usb_kill_urb()

Adrian Bunk:
Backported to 2.6.16.

Signed-off-by: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agogcc >= 4.3 is not supported
Adrian Bunk [Fri, 14 Mar 2008 20:05:58 +0000 (22:05 +0200)]
gcc >= 4.3 is not supported

Building kernel 2.6.16 with gcc 4.3 is completely untested, and
you might run into both kernel and gcc problems (as always with
new gcc versions).

For making this obvious the kernel build now #error's when trying
to build with gcc >= 4.3.

The kernel might work fine when compiled with gcc 4.3 and it's
therefore possible to remove the #error, but if someone really
longs for regressions he can as well try a more recent kernel
instead.

Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agoLinux 2.6.16.60 v2.6.16.60
Adrian Bunk [Sun, 27 Jan 2008 16:58:41 +0000 (18:58 +0200)]
Linux 2.6.16.60

16 years agoLinux 2.6.16.60-rc1 v2.6.16.60-rc1
Adrian Bunk [Mon, 21 Jan 2008 19:06:04 +0000 (21:06 +0200)]
Linux 2.6.16.60-rc1

16 years agoNFS: call nfs_wb_all() only on regular files
Trond Myklebust [Mon, 21 Jan 2008 19:04:16 +0000 (21:04 +0200)]
NFS: call nfs_wb_all() only on regular files

It looks like nfs_setattr() and nfs_rename() also need to test whether the
target is a regular file before calling nfs_wb_all()...

It isn't technically needed since the version of nfs_wb_all() that exists
on 2.6.16 should be safe to call on non-regular files (it will be a no-op).
However it is a useful optimisation.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agoNFS: writes should not clobber utimes() calls
Trond Myklebust [Mon, 21 Jan 2008 19:02:11 +0000 (21:02 +0200)]
NFS: writes should not clobber utimes() calls

Ensure that we flush out writes in the case when someone calls utimes() in
order to set the file times.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agovfs: coredumping fix (CVE-2007-6206)
Ingo Molnar [Mon, 21 Jan 2008 00:20:19 +0000 (02:20 +0200)]
vfs: coredumping fix (CVE-2007-6206)

fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043

only allow coredumping to the same uid that the coredumping
task runs under.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agoI4L: fix isdn_ioctl memory overrun vulnerability (CVE-2007-6151)
Karsten Keil [Sun, 20 Jan 2008 22:10:25 +0000 (00:10 +0200)]
I4L: fix isdn_ioctl memory overrun vulnerability (CVE-2007-6151)

Fix possible memory overrun issue in the isdn ioctl code.

Found by ADLAB <adlab@venustech.com.cn>

Signed-off-by: Karsten Keil <kkeil@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agoisdn: avoid copying overly-long strings (CVE-2007-6063)
Karsten Keil [Sun, 20 Jan 2008 22:11:35 +0000 (00:11 +0200)]
isdn: avoid copying overly-long strings (CVE-2007-6063)

Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9416

Signed-off-by: Karsten Keil <kkeil@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[NET]: Generic checksum annotations and cleanups.
Al Viro [Sun, 20 Jan 2008 18:41:26 +0000 (20:41 +0200)]
[NET]: Generic checksum annotations and cleanups.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agodrivers/scsi/BusLogic.c: #ifdef MODULE BusLogic_pci_tbl[]
Adrian Bunk [Sun, 20 Jan 2008 18:29:06 +0000 (20:29 +0200)]
drivers/scsi/BusLogic.c: #ifdef MODULE BusLogic_pci_tbl[]

Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[BusLogic] Add pci dev table for auto module loading.
Ben Collins [Sun, 20 Jan 2008 17:50:13 +0000 (19:50 +0200)]
[BusLogic] Add pci dev table for auto module loading.

Signed-off-by: Ben Collins <bcollins@ubuntu.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[ATM]: Check IP header validity in mpc_send_packet
Herbert Xu [Mon, 21 Jan 2008 00:14:02 +0000 (02:14 +0200)]
[ATM]: Check IP header validity in mpc_send_packet

[ Upstream commit: 1c9b7aa1eb40ab708ef3242f74b9a61487623168 ]

Al went through the ip_fast_csum callers and found this piece of code
that did not validate the IP header.  While root crashing the machine
by sending bogus packets through raw or AF_PACKET sockets isn't that
serious, it is still nice to react gracefully.

This patch ensures that the skb has enough data for an IP header and
that the header length field is valid.

Adrian Bunk:
Backported to 2.6.16 following instructions by David Miller.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[IPV4] ROUTE: ip_rt_dump() is unecessary slow
Eric Dumazet [Sun, 20 Jan 2008 20:12:16 +0000 (22:12 +0200)]
[IPV4] ROUTE: ip_rt_dump() is unecessary slow

[ Upstream commit: d8c9283089287341c85a0a69de32c2287a990e71 ]

I noticed "ip route list cache x.y.z.t" can be *very* slow.

While strace-ing -T it I also noticed that first part of route cache
is fetched quite fast :

recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
+msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202
GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) =
+3772 <0.000047>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
+msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\
202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0)
+= 3736 <0.000042>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
+msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\
202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0)
+= 3740 <0.000055>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
+msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\
202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0)
+= 3712 <0.000043>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
+msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\
202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0)
+= 3732 <0.000053>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
+msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202
GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) =
+3708 <0.000052>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
+msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202
GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) =
+3680 <0.000041>

while the part at the end of the table is more expensive:

recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
+msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"...,
+16384}], msg_controllen=0, msg_flags=0}, 0) = 3656 <0.003857>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
+msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"...,
+16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.003891>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
+msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"...,
+16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.003765>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
+msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"...,
+16384}], msg_controllen=0, msg_flags=0}, 0) = 3700 <0.003879>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
+msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"...,
+16384}], msg_controllen=0, msg_flags=0}, 0) = 3676 <0.003797>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
+msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"...,
+16384}], msg_controllen=0, msg_flags=0}, 0) = 3724 <0.003856>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
+msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"...,
+16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.003848>

The following patch corrects this performance/latency problem,
removing quadratic behavior.

Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[NET]: Introduce types for checksums.
Al Viro [Sun, 20 Jan 2008 20:05:18 +0000 (22:05 +0200)]
[NET]: Introduce types for checksums.

New types - for 16bit checksums and "unfolded" 32bit variant.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[CASSINI]: Set skb->truesize properly on receive packets.
David S. Miller [Sun, 20 Jan 2008 20:02:20 +0000 (22:02 +0200)]
[CASSINI]: Set skb->truesize properly on receive packets.

[ Upstream commit: d011a231675b240157a3c335dd53e9b849d7d30d ]

skb->truesize was not being incremented at all to
reflect the page based data added to RX SKBs.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[CASSINI]: Fix endianness bug.
Al Viro [Sun, 20 Jan 2008 20:00:26 +0000 (22:00 +0200)]
[CASSINI]: Fix endianness bug.

[ Upstream commit: e5e025401f6e926c1d9dc3f3f2813cf98a2d8708 ]

Here's proposed fix for RX checksum handling in cassini; it affects
little-endian working with half-duplex gigabit, but obviously needs
testing on big-endian too.

The problem is, we need to convert checksum to fixed-endian *before*
correcting for (unstripped) FCS.  On big-endian it won't matter
(conversion is no-op), on little-endian it will, but only if FCS is
not stripped by hardware; i.e. in half-duplex gigabit mode when
->crc_size is set.

cassini.c part is that fix, cassini.h one consists of trivial
endianness annotations.  With that applied the sucker is endian-clean,
according to sparse.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[ATM]: [nicstar] delay irq setup until card is configured
Chas Williams [Sun, 20 Jan 2008 19:43:46 +0000 (21:43 +0200)]
[ATM]: [nicstar] delay irq setup until card is configured

[ Upstream commit: 52961955aa180959158faeb9fd6b4f8a591450f5 ]

Adrian Bunk:
Backported to 2.6.16.

Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agoraw: don't allow the creation of a raw device with minor number 0
Jeff Moyer [Sun, 20 Jan 2008 19:31:32 +0000 (21:31 +0200)]
raw: don't allow the creation of a raw device with minor number 0

Minor number 0 (under the raw major) is reserved for the rawctl device
file, which is used to query, set, and unset raw device bindings.  However,
the ioctl interface does not protect the user from specifying a raw device
with minor number 0:

$ sudo ./raw /dev/raw/raw0 /dev/VolGroup00/swap
/dev/raw/raw0:  bound to major 253, minor 2
$ ls -l /dev/rawctl
ls: /dev/rawctl: No such file or directory
$ ls -l /dev/raw/raw0
crw------- 1 root root 162, 0 Jan 12 10:51 /dev/raw/raw0
$ sudo ./raw -qa
Cannot open master raw device '/dev/rawctl' (No such file or directory)

As you can see, this prevents any further raw operations from
succeeding.  The fix (from Steve Fernandez) is quite simple - do not
allow the allocation of minor number 0.

Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agoLinux 2.6.16.59 v2.6.16.59
Adrian Bunk [Sat, 19 Jan 2008 11:40:09 +0000 (13:40 +0200)]
Linux 2.6.16.59

16 years agoLinux 2.6.16.59-rc1 v2.6.16.59-rc1
Adrian Bunk [Wed, 16 Jan 2008 21:45:59 +0000 (23:45 +0200)]
Linux 2.6.16.59-rc1

16 years agowait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)
Roland McGrath [Wed, 16 Jan 2008 21:41:47 +0000 (23:41 +0200)]
wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)

patch a3474224e6a01924be40a8255636ea5522c1023a in mainline

The original meaning of the old test (p->state > TASK_STOPPED) was
"not dead", since it was before TASK_TRACED existed and before the
state/exit_state split.  It was a wrong correction in commit
14bf01bb0599c89fc7f426d20353b76e12555308 to make this test for
TASK_TRACED instead.  It should have been changed when TASK_TRACED
was introducted and again when exit_state was introduced.

Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agolimit minixfs printks on corrupted dir i_size (CVE-2006-6058)
Eric Sandeen [Wed, 16 Jan 2008 21:36:44 +0000 (23:36 +0200)]
limit minixfs printks on corrupted dir i_size (CVE-2006-6058)

First reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html

Essentially a corrupted minix dir inode reporting a very large
i_size will loop for a very long time in minix_readdir, minix_find_entry,
etc, because on EIO they just move on to try the next page.  This is
under the BKL, printk-storming as well.  This can lock up the machine
for a very long time.  Simply ratelimiting the printks gets things back
under control.  Make the message a bit more informative while we're here.

Adrian Bunk:
Backported to 2.6.16.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agofix messages in fs/minix
Denis Vlasenko [Wed, 16 Jan 2008 21:25:08 +0000 (23:25 +0200)]
fix messages in fs/minix

Believe it or not, but in fs/minix/*, the oldest filesystem in the kernel,
something still can be fixed:

    printk("new_inode: bit already set");

"\n" is missing!

While at it, I also removed periods from the end of error messages and made
capitalization uniform.  Also s/i-node/inode/, s/printk (/printk(/

Signed-off-by: Denis Vlasenko <vda@ilport.com.ua>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agoUse access mode instead of open flags to determine needed permissions (CVE-2008-0001)
Linus Torvalds [Tue, 15 Jan 2008 21:39:01 +0000 (23:39 +0200)]
Use access mode instead of open flags to determine needed permissions (CVE-2008-0001)

patch 974a9f0b47da74e28f68b9c8645c3786aa5ace1a in mainline

Way back when (in commit 834f2a4a1554dc5b2598038b3fe8703defcbe467, aka
"VFS: Allow the filesystem to return a full file pointer on open intent"
to be exact), Trond changed the open logic to keep track of the original
flags to a file open, in order to pass down the the intent of a dentry
lookup to the low-level filesystem.

However, when doing that reorganization, it changed the meaning of
namei_flags, and thus inadvertently changed the test of access mode for
directories (and RO filesystem) to use the wrong flag.  So fix those
test back to use access mode ("acc_mode") rather than the open flag
("flag").

Issue noticed by Bill Roman at Datalight.

Reported-and-tested-by: Bill Roman <bill.roman@datalight.com>
Acked-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[IPSEC]: Avoid undefined shift operation when testing algorithm ID
Herbert Xu [Tue, 15 Jan 2008 21:29:47 +0000 (23:29 +0200)]
[IPSEC]: Avoid undefined shift operation when testing algorithm ID

[ Upstream commit: f398035f2dec0a6150833b0bc105057953594edb ]

The aalgos/ealgos fields are only 32 bits wide.  However, af_key tries
to test them with the expression 1 << id where id can be as large as
253.  This produces different behaviour on different architectures.

The following patch explicitly checks whether ID is greater than 31
and fails the check if that's the case.

We cannot easily extend the mask to be longer than 32 bits due to
exposure to user-space.  Besides, this whole interface is obsolete
anyway in favour of the xfrm_user interface which doesn't use this
bit mask in templates (well not within the kernel anyway).

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[IRDA]: irda_create() nuke user triggable printk
Maximilian Attems [Tue, 15 Jan 2008 21:26:52 +0000 (23:26 +0200)]
[IRDA]: irda_create() nuke user triggable printk

[ Upstream commit: 9e8d6f8959c356d8294d45f11231331c3e1bcae6 ]

easy to trigger as user with sfuzz.

irda_create() is quiet on unknown sock->type,
match this behaviour for SOCK_DGRAM unknown protocol

Signed-off-by: Maximilian Attems <max@stro.at>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[INET]: Fix netdev renaming and inet address labels
Mark McLoughlin [Tue, 15 Jan 2008 21:25:01 +0000 (23:25 +0200)]
[INET]: Fix netdev renaming and inet address labels

[ Upstream commit: 44344b2a85f03326c7047a8c861b0c625c674839 ]

When re-naming an interface, the previous secondary address
labels get lost e.g.

  $> brctl addbr foo
  $> ip addr add 192.168.0.1 dev foo
  $> ip addr add 192.168.0.2 dev foo label foo:00
  $> ip addr show dev foo | grep inet
    inet 192.168.0.1/32 scope global foo
    inet 192.168.0.2/32 scope global foo:00
  $> ip link set foo name bar
  $> ip addr show dev bar | grep inet
    inet 192.168.0.1/32 scope global bar
    inet 192.168.0.2/32 scope global bar:2

Turns out to be a simple thinko in inetdev_changename() - clearly we
want to look at the address label, rather than the device name, for
a suffix to retain.

Signed-off-by: Mark McLoughlin <markmc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[IPV4] raw: Strengthen check on validity of iph->ihl
Herbert Xu [Tue, 15 Jan 2008 23:21:00 +0000 (01:21 +0200)]
[IPV4] raw: Strengthen check on validity of iph->ihl

[ Upstream commit: f844c74fe07321953e2dd227fe35280075f18f60 ]

We currently check that iph->ihl is bounded by the real length and that
the real length is greater than the minimum IP header length.  However,
we did not check the caes where iph->ihl is less than the minimum IP
header length.

This breaks because some ip_fast_csum implementations assume that which
is quite reasonable.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agoCONNECTOR: don't touch queue dev after decrement of ref count
Li Zefan [Tue, 15 Jan 2008 23:18:12 +0000 (01:18 +0200)]
CONNECTOR: don't touch queue dev after decrement of ref count

cn_queue_free_callback() will touch 'dev'(i.e. cbq->pdev),
so it should be called before atomic_dec(&dev->refcnt).

Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[NET] kaweth was forgotten in msec switchover of usb_start_wait_urb
Russ Dill [Tue, 15 Jan 2008 23:13:56 +0000 (01:13 +0200)]
[NET] kaweth was forgotten in msec switchover of usb_start_wait_urb

Back in 2.6.12-pre, usb_start_wait_urb was switched over to take
milliseconds instead of jiffies. kaweth.c was never updated to match.

Signed-off-by: Russ Dill <Russ.Dill@asu.edu>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[SPARC64]: Fix endless loop in cheetah_xcall_deliver().
David S. Miller [Tue, 15 Jan 2008 21:09:59 +0000 (23:09 +0200)]
[SPARC64]: Fix endless loop in cheetah_xcall_deliver().

[ Upsteam commit: 0de56d1ab83323d604d95ca193dcbd28388dbabb ]

We need to mask out the proper bits when testing the dispatch status
register else we can see unrelated NACK bits from previous cross call
sends.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[IPV6]: Restore IPv6 when MTU is big enough
Evgeniy Polyakov [Tue, 15 Jan 2008 23:02:02 +0000 (01:02 +0200)]
[IPV6]: Restore IPv6 when MTU is big enough

[ Upstream commit: d31c7b8fa303eb81311f27b80595b8d2cbeef950 ]

Avaid provided test application, so bug got fixed.

IPv6 addrconf removes ipv6 inner device from netdev each time cmu
changes and new value is less than IPV6_MIN_MTU (1280 bytes).
When mtu is changed and new value is greater than IPV6_MIN_MTU,
it does not add ipv6 addresses and inner device bac.

This patch fixes that.

Tested with Avaid's application, which works ok now.

Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agostruct input_device_id mustn't be userspace visible
Adrian Bunk [Tue, 15 Jan 2008 22:44:33 +0000 (00:44 +0200)]
struct input_device_id mustn't be userspace visible

struct input_device_id mustn't be userspace visible since
it uses kernel_ulong_t.

Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agomissing dma_sync_single_range_for_{cpu,device} on alpha
Al Viro [Sun, 6 Jan 2008 18:38:18 +0000 (20:38 +0200)]
missing dma_sync_single_range_for_{cpu,device} on alpha

no-op as all dma_sync_... there.

Adrian Bunk:
Backported to 2.6.16.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agoinclude/asm-alpha/io_trivial.h build fixes
Ivan Kokshaysky [Sun, 6 Jan 2008 18:27:32 +0000 (20:27 +0200)]
include/asm-alpha/io_trivial.h build fixes

This patch cherry picks the following from
commit 9548b209a37397f3036aa5bd3d5b4d3b725aa1:

fix build failure with gcc-4.2.x: fix up casts in cia_io* routines to avoid
warnings ('discards qualifiers from pointer target type'), which are
failures, thanks to -Werror;

Signed-off-by: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agoLinux 2.6.16.58 v2.6.16.58
Adrian Bunk [Sun, 6 Jan 2008 15:54:15 +0000 (17:54 +0200)]
Linux 2.6.16.58

16 years agoLinux 2.6.16.58-rc1 v2.6.16.58-rc1
Adrian Bunk [Sun, 6 Jan 2008 00:10:24 +0000 (02:10 +0200)]
Linux 2.6.16.58-rc1

16 years ago[SCSI] aacraid: fix security weakness
Alan Cox [Sun, 9 Dec 2007 18:07:00 +0000 (19:07 +0100)]
[SCSI] aacraid: fix security weakness

Actually there are several but one is trivially fixed

1.  FSACTL_GET_NEXT_ADAPTER_FIB ioctl does not lock dev->fib_list
but needs to
2.  Ditto for FSACTL_CLOSE_GET_ADAPTER_FIB
3.  It is possible to construct an attack via the SRB ioctls where
the user obtains assorted elevated privileges. Various approaches are
possible, the trivial ones being things like writing to the raw media
via scsi commands and the swap image of other executing programs with
higher privileges.

So the ioctls should be CAP_SYS_RAWIO - at least all the FIB manipulating
ones. This is a bandaid fix for #3 but probably the ioctls should grow
their own capable checks. The other two bugs need someone competent in that
driver to fix them.

Signed-off-by: Alan Cox <alan@redhat.com>
Acked-by: Mark Salyzyn <mark_salyzyn@adaptec.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agohwmon/lm87: Fix a division by zero
Jean Delvare [Sun, 9 Dec 2007 17:58:59 +0000 (18:58 +0100)]
hwmon/lm87: Fix a division by zero

Missing parentheses in the definition of FAN_FROM_REG cause a
division by zero for a specific register value.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Hans de Goede <j.w.r.degoede@hhs.nl>
Signed-off-by: Mark M. Hoffman <mhoffman@lightlink.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agohwmon/lm87: Disable VID when it should be
Jean Delvare [Sun, 9 Dec 2007 17:57:37 +0000 (18:57 +0100)]
hwmon/lm87: Disable VID when it should be

A stupid bit shifting bug caused the VID value to be always exported
even when the hardware is configured for something different.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Mark M. Hoffman <mhoffman@lightlink.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[PFKEY]: Sending an SADB_GET responds with an SADB_GET
Charles Hardin [Sun, 9 Dec 2007 17:41:07 +0000 (18:41 +0100)]
[PFKEY]: Sending an SADB_GET responds with an SADB_GET

[ Upstream commit: 435000bebd94aae3a7a50078d142d11683d3b193 ]

Kernel needs to respond to an SADB_GET with the same message type to
conform to the RFC 2367 Section 3.1.5

Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years ago[ATM]: [he] initialize lock and tasklet earlier
Chas Williams [Sun, 9 Dec 2007 17:38:22 +0000 (18:38 +0100)]
[ATM]: [he] initialize lock and tasklet earlier

[ Upstream commit: 8a8037ac9dbe4eb20ce50aa20244faf77444f4a3 ]

if you are lucky (unlucky?) enough to have shared interrupts, the
interrupt handler can be called before the tasklet and lock are ready
for use.

Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agotmpfs: restore missing clear_highpage (CVE-2007-6417)
Hugh Dickins [Sun, 6 Jan 2008 02:18:21 +0000 (04:18 +0200)]
tmpfs: restore missing clear_highpage (CVE-2007-6417)

tmpfs was misconverted to __GFP_ZERO in 2.6.11.  There's an unusual case in
which shmem_getpage receives the page from its caller instead of allocating.
We must cover this case by clear_highpage before SetPageUptodate, as before.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
16 years agoipv4/arp.c:arp_process(): remove bogus #ifdef mess
Adrian Bunk [Sun, 9 Dec 2007 19:33:23 +0000 (20:33 +0100)]
ipv4/arp.c:arp_process(): remove bogus #ifdef mess

The #ifdef's in arp_process() were not only a mess, they were also wrong
in the CONFIG_NET_ETHERNET=n and (CONFIG_NETDEV_1000=y or
CONFIG_NETDEV_10000=y) cases.

Since they are not required this patch removes them.

Also removed are some #ifdef's around #include's that caused compile
errors after this change.

Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[NETLINK]: Fix unicast timeouts
Patrick McHardy [Tue, 13 Nov 2007 11:23:22 +0000 (12:23 +0100)]
[NETLINK]: Fix unicast timeouts

[ Upstream commit: c3d8d1e30cace31fed6186a4b8c6b1401836d89c ]

Commit ed6dcf4a in the history.git tree broke netlink_unicast timeouts
by moving the schedule_timeout() call to a new function that doesn't
propagate the remaining timeout back to the caller. This means on each
retry we start with the full timeout again.

ipc/mqueue.c seems to actually want to wait indefinitely so this
behaviour is retained.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agoPPPOE: fix memory leak (local DoS) (CVE-2007-2525)
Florian Zumbiehl [Tue, 13 Nov 2007 10:12:46 +0000 (11:12 +0100)]
PPPOE: fix memory leak (local DoS) (CVE-2007-2525)

This patch fixes a memory leak when a PPPoE socket is release()d after
it has been connect()ed, but before the PPPIOCGCHAN ioctl ever has been
called on it.

This is somewhat of a security problem, too, since PPPoE sockets can be
created by any user, so any user can easily allocate all the machine's
RAM to non-swappable address space and thus DoS the system.

Is there any specific reason for PPPoE sockets being available to any
unprivileged process, BTW? After all, you need a packet socket for the
discovery stage anyway, so it's unlikely that any unprivileged process
will ever need to create a PPPoE socket, no? Allocating all session IDs
for a known AC is a kind of DoS, too, after all - with Juniper ERXes,
this is really easy, actually, since they don't ever assign session ids
above 8000 ...

Signed-off-by: Florian Zumbiehl <florz@florz.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[PKT_SCHED] CLS_U32: Fix endianness problem with u32 classifier hash masks.
Radu Rendec [Tue, 13 Nov 2007 08:30:35 +0000 (09:30 +0100)]
[PKT_SCHED] CLS_U32: Fix endianness problem with u32 classifier hash masks.

While trying to implement u32 hashes in my shaping machine I ran into
a possible bug in the u32 hash/bucket computing algorithm
(net/sched/cls_u32.c).

The problem occurs only with hash masks that extend over the octet
boundary, on little endian machines (where htonl() actually does
something).

Let's say that I would like to use 0x3fc0 as the hash mask. This means
8 contiguous "1" bits starting at b6. With such a mask, the expected
(and logical) behavior is to hash any address in, for instance,
192.168.0.0/26 in bucket 0, then any address in 192.168.0.64/26 in
bucket 1, then 192.168.0.128/26 in bucket 2 and so on.

This is exactly what would happen on a big endian machine, but on
little endian machines, what would actually happen with current
implementation is 0x3fc0 being reversed (into 0xc03f0000) by htonl()
in the userspace tool and then applied to 192.168.x.x in the u32
classifier. When shifting right by 16 bits (rank of first "1" bit in
the reversed mask) and applying the divisor mask (0xff for divisor
256), what would actually remain is 0x3f applied on the "168" octet of
the address.

One could say is this can be easily worked around by taking endianness
into account in userspace and supplying an appropriate mask (0xfc03)
that would be turned into contiguous "1" bits when reversed
(0x03fc0000). But the actual problem is the network address (inside
the packet) not being converted to host order, but used as a
host-order value when computing the bucket.

Let's say the network address is written as n31 n30 ... n0, with n0
being the least significant bit. When used directly (without any
conversion) on a little endian machine, it becomes n7 ... n0 n8 ..n15
etc in the machine's registers. Thus bits n7 and n8 would no longer be
adjacent and 192.168.64.0/26 and 192.168.128.0/26 would no longer be
consecutive.

The fix is to apply ntohl() on the hmask before computing fshift,
and in u32_hash_fold() convert the packet data to host order before
shifting down by fshift.

With helpful feedback from Jamal Hadi Salim and Jarek Poplawski.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[PKT_SCHED]: Fix OOPS when removing devices from a teql queuing discipline
Evgeniy Polyakov [Tue, 13 Nov 2007 08:27:27 +0000 (09:27 +0100)]
[PKT_SCHED]: Fix OOPS when removing devices from a teql queuing discipline

[ Upstream commit: 4f9f8311a08c0d95c70261264a2b47f2ae99683a ]

tecl_reset() is called from deactivate and qdisc is set to noop already,
but subsequent teql_xmit does not know about it and dereference private
data as teql qdisc and thus oopses.
not catch it first :)

Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agoi386: fixup TRACE_IRQ breakage
Peter Zijlstra [Tue, 13 Nov 2007 07:46:02 +0000 (08:46 +0100)]
i386: fixup TRACE_IRQ breakage

The TRACE_IRQS_ON function in iret_exc: calls a C function without
ensuring that the segments are set properly. Move the trace function and
the enabling of interrupt into the C stub.

Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agoHandle bogus %cs selector in single-step instruction decoding (CVE-2007-3731)
Roland McGrath [Tue, 13 Nov 2007 07:43:25 +0000 (08:43 +0100)]
Handle bogus %cs selector in single-step instruction decoding (CVE-2007-3731)

The code for LDT segment selectors was not robust in the face of a bogus
selector set in %cs via ptrace before the single-step was done.

Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[ATM]: Add CPPFLAGS to byteorder.h check
Ben Collins [Tue, 13 Nov 2007 06:50:09 +0000 (07:50 +0100)]
[ATM]: Add CPPFLAGS to byteorder.h check

O= builds produced errors in the shell command because of unfound headers.

Signed-off-by: Ben Collins <bcollins@ubuntu.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[PPP_MPPE]: Don't put InterimKey on the stack
Michal Schmidt [Tue, 13 Nov 2007 06:48:46 +0000 (07:48 +0100)]
[PPP_MPPE]: Don't put InterimKey on the stack

ppp_mppe puts a crypto key on the kernel stack, then passes the
address of that into the crypto layer.  That doesn't work because the
crypto layer needs to be able to do virt_to_*() on the address which
does not universally work for the kernel stack on all platforms.

Adrian Bunk:
Backported to 2.6.16.

Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[INET_DIAG]: Fix oops in netlink_rcv_skb
Patrick McHardy [Mon, 12 Nov 2007 12:04:20 +0000 (13:04 +0100)]
[INET_DIAG]: Fix oops in netlink_rcv_skb

netlink_run_queue() doesn't handle multiple processes processing the
queue concurrently. Serialize queue processing in inet_diag to fix
a oops in netlink_rcv_skb caused by netlink_run_queue passing a
NULL for the skb.

BUG: unable to handle kernel NULL pointer dereference at virtual address 00000054
[349587.500454]  printing eip:
[349587.500457] c03318ae
[349587.500459] *pde = 00000000
[349587.500464] Oops: 0000 [#1]
[349587.500466] PREEMPT SMP
[349587.500474] Modules linked in: w83627hf hwmon_vid i2c_isa
[349587.500483] CPU:    0
[349587.500485] EIP:    0060:[<c03318ae>]    Not tainted VLI
[349587.500487] EFLAGS: 00010246   (2.6.22.3 #1)
[349587.500499] EIP is at netlink_rcv_skb+0xa/0x7e
[349587.500506] eax: 00000000   ebx: 00000000   ecx: c148d2a0   edx: c0398819
[349587.500510] esi: 00000000   edi: c0398819   ebp: c7a21c8c   esp: c7a21c80
[349587.500517] ds: 007b   es: 007b   fs: 00d8  gs: 0033  ss: 0068
[349587.500521] Process oidentd (pid: 17943, ti=c7a20000 task=cee231c0 task.ti=c7a20000)
[349587.500527] Stack: 00000000 c7a21cac f7c8ba78 c7a21ca4 c0331962 c0398819 f7c8ba00 0000004c
[349587.500542]        f736f000 c7a21cb4 c03988e3 00000001 f7c8ba00 c7a21cc4 c03312a5 0000004c
[349587.500558]        f7c8ba00 c7a21cd4 c0330681 f7c8ba00 e4695280 c7a21d00 c03307c6 7fffffff
[349587.500578] Call Trace:
[349587.500581]  [<c010361a>] show_trace_log_lvl+0x1c/0x33
[349587.500591]  [<c01036d4>] show_stack_log_lvl+0x8d/0xaa
[349587.500595]  [<c010390e>] show_registers+0x1cb/0x321
[349587.500604]  [<c0103bff>] die+0x112/0x1e1
[349587.500607]  [<c01132d2>] do_page_fault+0x229/0x565
[349587.500618]  [<c03c8d3a>] error_code+0x72/0x78
[349587.500625]  [<c0331962>] netlink_run_queue+0x40/0x76
[349587.500632]  [<c03988e3>] inet_diag_rcv+0x1f/0x2c
[349587.500639]  [<c03312a5>] netlink_data_ready+0x57/0x59
[349587.500643]  [<c0330681>] netlink_sendskb+0x24/0x45
[349587.500651]  [<c03307c6>] netlink_unicast+0x100/0x116
[349587.500656]  [<c0330f83>] netlink_sendmsg+0x1c2/0x280
[349587.500664]  [<c02fcce9>] sock_sendmsg+0xba/0xd5
[349587.500671]  [<c02fe4d1>] sys_sendmsg+0x17b/0x1e8
[349587.500676]  [<c02fe92d>] sys_socketcall+0x230/0x24d
[349587.500684]  [<c01028d2>] syscall_call+0x7/0xb
[349587.500691]  =======================
[349587.500693] Code: f0 ff 4e 18 0f 94 c0 84 c0 0f 84 66 ff ff ff 89 f0 e8 86 e2 fc ff e9 5a ff ff ff f0 ff 40 10 eb be 55 89 e5 57 89 d7 56 89 c6 53 <8b> 50 54 83 fa 10 72 55 8b 9e 9c 00 00 00 31 c9 8b 03 83 f8 0f

Reported by Athanasius <link@miggy.org>

Adrian Bunk:
Backported to 2.6.16 based on a suggestion by David S. Miller.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[IPV6]: Fix unbalanced socket reference with MSG_CONFIRM.
YOSHIFUJI Hideaki [Mon, 12 Nov 2007 12:00:22 +0000 (13:00 +0100)]
[IPV6]: Fix unbalanced socket reference with MSG_CONFIRM.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agoLinux 2.6.16.57 v2.6.16.57
Adrian Bunk [Mon, 5 Nov 2007 20:27:33 +0000 (21:27 +0100)]
Linux 2.6.16.57

17 years agoLinux 2.6.16.57-rc1 v2.6.16.57-rc1
Adrian Bunk [Fri, 2 Nov 2007 22:11:56 +0000 (23:11 +0100)]
Linux 2.6.16.57-rc1

17 years agoknfsd: allow nfsd READDIR to return 64bit cookies
Neil Brown [Fri, 2 Nov 2007 22:08:36 +0000 (23:08 +0100)]
knfsd: allow nfsd READDIR to return 64bit cookies

->readdir passes lofft_t offsets (used as nfs cookies) to
nfs3svc_encode_entry{,_plus}, but when they pass it on to encode_entry it
becomes an 'off_t', which isn't good.

So filesystems that returned 64bit offsets would lose.

Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agobuffer: memorder fix
Nick Piggin [Fri, 2 Nov 2007 22:07:14 +0000 (23:07 +0100)]
buffer: memorder fix

unlock_buffer(), like unlock_page(), must not clear the lock without
ensuring that the critical section is closed.

Mingming later sent the same patch, saying:

We are running SDET benchmark and saw double free issue for ext3 extended
attributes block, which complains the same xattr block already being freed (in
ext3_xattr_release_block()).  The problem could also been triggered by
multiple threads loop untar/rm a kernel tree.

The race is caused by missing a memory barrier at unlock_buffer() before the
lock bit being cleared, resulting in possible concurrent h_refcounter update.
That causes a reference counter leak, then later leads to the double free that
we have seen.

Inside unlock_buffer(), there is a memory barrier is placed *after* the lock
bit is being cleared, however, there is no memory barrier *before* the bit is
cleared.  On some arch the h_refcount update instruction and the clear bit
instruction could be reordered, thus leave the critical section re-entered.

The race is like this: For example, if the h_refcount is initialized as 1,

cpu 0:                                   cpu1
--------------------------------------   -----------------------------------
lock_buffer() /* test_and_set_bit */
clear_buffer_locked(bh);
                                        lock_buffer() /* test_and_set_bit */
h_refcount = h_refcount+1; /* = 2*/     h_refcount = h_refcount + 1; /*= 2 */
                                        clear_buffer_locked(bh);
....                                    ......

We lost a h_refcount here.  We need a memory barrier before the buffer head
lock bit being cleared to force the order of the two writes.  Please apply.

Signed-off-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[PKTGEN]: srcmac fix
Adit Ranadive [Fri, 2 Nov 2007 22:05:27 +0000 (23:05 +0100)]
[PKTGEN]: srcmac fix

Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[SPARC64]: Fix show_stack() when stack argument is NULL.
David S. Miller [Fri, 2 Nov 2007 21:56:18 +0000 (22:56 +0100)]
[SPARC64]: Fix show_stack() when stack argument is NULL.

It didn't handle that case at all, and now dump_stack()
can be implemented directly as show_stack(current, NULL)

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[SNAP]: Check packet length before reading
Herbert Xu [Fri, 2 Nov 2007 21:53:44 +0000 (22:53 +0100)]
[SNAP]: Check packet length before reading

The snap_rcv code reads 5 bytes so we should make sure that
we have 5 bytes in the head before proceeding.

Based on diagnosis and fix by Evgeniy Polyakov, reported by
Alan J. Wylie.

Patch also kills the skb->sk assignment before kfree_skb
since it's redundant.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[NET]: gen_estimator deadlock fix
Ranko Zivojnovic [Fri, 2 Nov 2007 21:51:48 +0000 (22:51 +0100)]
[NET]: gen_estimator deadlock fix

-Fixes ABBA deadlock noted by Patrick McHardy <kaber@trash.net>:

> There is at least one ABBA deadlock, est_timer() does:
> read_lock(&est_lock)
> spin_lock(e->stats_lock) (which is dev->queue_lock)
>
> and qdisc_destroy calls htb_destroy under dev->queue_lock, which
> calls htb_destroy_class, then gen_kill_estimator and this
> write_locks est_lock.

To fix the ABBA deadlock the rate estimators are now kept on an rcu list.

-The est_lock changes the use from protecting the list to protecting
the update to the 'bstat' pointer in order to avoid NULL dereferencing.

-The 'interval' member of the gen_estimator structure removed as it is
not needed.

Signed-off-by: Ranko Zivojnovic <ranko@spidernet.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[ICMP]: Fix icmp_errors_use_inbound_ifaddr sysctl
Patrick McHardy [Fri, 2 Nov 2007 21:42:48 +0000 (22:42 +0100)]
[ICMP]: Fix icmp_errors_use_inbound_ifaddr sysctl

Currently when icmp_errors_use_inbound_ifaddr is set and an ICMP error is
sent after the packet passed through ip_output(), an address from the
outgoing interface is chosen as ICMP source address since skb->dev doesn't
point to the incoming interface anymore.

Fix this by doing an interface lookup on rt->dst.iif and using that device.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[Bluetooth] Fix NULL pointer dereference in HCI line discipline
Ohad Ben-Cohen [Fri, 2 Nov 2007 03:41:26 +0000 (04:41 +0100)]
[Bluetooth] Fix NULL pointer dereference in HCI line discipline

Normally a serial Bluetooth device is opened, TIOSETD'ed to N_HCI line
discipline, HCIUARTSETPROTO'ed and finally closed. In case the device
fails to HCIUARTSETPROTO, closing it produces a NULL pointer dereference.

Signed-off-by: Ohad Ben-Cohen <ohad@bencohen.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[Bluetooth] Fix unintentional fall-through in HCI line discipline
Ohad Ben-Cohen [Fri, 2 Nov 2007 03:39:41 +0000 (04:39 +0100)]
[Bluetooth] Fix unintentional fall-through in HCI line discipline

A trivial fix to (what looks like) an unintentional fall-through in the
HCI line discipline.

Signed-off-by: Ohad Ben-Cohen <ohad@bencohen.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agoide: add "optical" to sysfs "media" attribute
Danny Kukawka [Fri, 2 Nov 2007 03:19:29 +0000 (04:19 +0100)]
ide: add "optical" to sysfs "media" attribute

Add "optical" to sysfs "media" attribute as already in /proc

Signed-off-by: Danny Kukawka <dkukawka@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agooptical /proc/ide/*/media
Alexey Dobriyan [Fri, 2 Nov 2007 03:17:40 +0000 (04:17 +0100)]
optical /proc/ide/*/media

Sergey Vlasov reported that his "FUJITSU MCC3064AP, ATAPI OPTICAL drive"
pops up as UNKNOWN in /proc/ide/*/media .

Closes kernel Bugzilla #4145.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agoaacraid: fix security hole (CVE-2007-4308)
Alan Cox [Fri, 2 Nov 2007 02:41:27 +0000 (03:41 +0100)]
aacraid: fix security hole (CVE-2007-4308)

On the SCSI layer ioctl path there is no implicit permissions check for
ioctls (and indeed other drivers implement unprivileged ioctls). aacraid
however allows all sorts of very admin only things to be done so should
check.

Signed-off-by: Alan Cox <alan@redhat.com>
Acked-by: Mark Salyzyn <mark_salyzyn@adaptec.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agoCIFS should honour umask (CVE-2007-3740)
Steve French [Fri, 2 Nov 2007 02:30:35 +0000 (03:30 +0100)]
CIFS should honour umask (CVE-2007-3740)

This patch makes CIFS honour a process' umask like other filesystems.
Of course the server is still free to munge the permissions if it wants
to; but the client will send the "right" permissions to begin with.

A few caveats:

1) It only applies to filesystems that have CAP_UNIX (aka support unix
extensions)
2) It applies the correct mode to the follow up CIFSSMBUnixSetPerms()
after remote creation

When mode to CIFS/NTFS ACL mapping is complete we can do the
same thing for that case for servers which do not
support the Unix Extensions.

Signed-off-by: Matt Keenen <matt@opcode-solutions.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
John W. Linville [Fri, 2 Nov 2007 02:13:03 +0000 (03:13 +0100)]
[IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)

Reported by Chris Evans <scarybeasts@gmail.com>:

> The summary is that an evil 80211 frame can crash out a victim's
> machine. It only applies to drivers using the 80211 wireless code, and
> only then to certain drivers (and even then depends on a card's
> firmware not dropping a dubious packet). I must confess I'm not
> keeping track of Linux wireless support, and the different protocol
> stacks etc.
>
> Details are as follows:
>
> ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
> There are other skb->len checks, but not enough to prevent a subtle
> off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag
> set.
>
> This leads to integer underflow and crash here:
>
> if (frag != 0)
>    flen -= hdrlen;
>
> (flen is subsequently used as a memcpy length parameter).

How about this?

Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agoFix oops in pwc v4l driver
Oliver Neukum [Thu, 1 Nov 2007 03:30:09 +0000 (04:30 +0100)]
Fix oops in pwc v4l driver

The pwc driver is defficient in locking, which can trigger an oops
when disconnecting.

Adrian Bunk:
Backported to 2.6.16.

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agoUSB: fix DoS in pwc USB video driver (CVE-2007-5093)
Oliver Neukum [Sat, 27 Oct 2007 21:36:46 +0000 (23:36 +0200)]
USB: fix DoS in pwc USB video driver (CVE-2007-5093)

The pwc driver has a disconnect method that waits for user space to
close the device. This opens up an opportunity for a DoS attack,
blocking the USB subsystem and making khubd's task busy wait in
kernel space. This patch shifts freeing resources to close if an opened
device is disconnected.

Adrian Bunk:
Backported to 2.6.16.

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[SPARC64] pass correct addr in get_fb_unmapped_area(MAP_FIXED)
Chris Wright [Wed, 24 Oct 2007 19:54:41 +0000 (21:54 +0200)]
[SPARC64] pass correct addr in get_fb_unmapped_area(MAP_FIXED)

Looks like the MAP_FIXED case is using the wrong address hint.  I'd
expect the comment "don't mess with it" means pass the request
straight on through, not change the address requested to -ENOMEM.

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agoLinux 2.6.16.56 v2.6.16.56
Adrian Bunk [Thu, 1 Nov 2007 02:23:29 +0000 (03:23 +0100)]
Linux 2.6.16.56

17 years agoLinux 2.6.16.56-rc2 v2.6.16.56-rc2
Adrian Bunk [Sun, 28 Oct 2007 21:33:36 +0000 (22:33 +0100)]
Linux 2.6.16.56-rc2

17 years agohugetlb: fix size=4G parsing
Hugh Dickins [Sun, 28 Oct 2007 21:32:04 +0000 (22:32 +0100)]
hugetlb: fix size=4G parsing

On 32-bit machines, mount -t hugetlbfs -o size=4G gave a 0GB filesystem,
size=5G gave a 1GB filesystem etc: there's no point in masking size with
HPAGE_MASK just before shifting its lower bits away, and since HPAGE_MASK is a
UL, that removed all the higher bits of the unsigned long long size.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agohugetlb: fix error return for brk() entering a hugepage region
Hugh Dickins [Sun, 28 Oct 2007 21:22:25 +0000 (22:22 +0100)]
hugetlb: fix error return for brk() entering a hugepage region

The lats commit causes the wrong return value.
is_hugepage_only_range() is a boolean, so we should return
-EINVAL rather than 1.

Also - we can use "mm" instead of looking up "current->mm" again.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agohugetlb: check for brk() entering a hugepage region
David Gibson [Sun, 28 Oct 2007 21:20:34 +0000 (22:20 +0100)]
hugetlb: check for brk() entering a hugepage region

Unlike mmap(), the codepath for brk() creates a vma without first checking
that it doesn't touch a region exclusively reserved for hugepages.  On
powerpc, this can allow it to create a normal page vma in a hugepage
region, causing oopses and other badness.

Add a test to prevent this.  With this patch, brk() will simply fail if it
attempts to move the break into a hugepage reserved region.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[IA64] fix ia64 is_hugepage_only_range
Ken Chen [Sun, 28 Oct 2007 20:40:41 +0000 (21:40 +0100)]
[IA64] fix ia64 is_hugepage_only_range

fix is_hugepage_only_range() definition to be "overlaps"
instead of "within architectural restricted hugetlb address
range".  Simplify the ia64 specific code that used to use
is_hugepage_only_range() to just check which region the
address is in.

Signed-off-by: Ken Chen <kenneth.w.chen@intel.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agoLinux 2.6.16.56-rc1 v2.6.16.56-rc1
Adrian Bunk [Fri, 19 Oct 2007 17:15:19 +0000 (19:15 +0200)]
Linux 2.6.16.56-rc1

17 years agoDon't allow the stack to grow into hugetlb reserved regions (CVE-2007-3739)
Adam Litke [Fri, 19 Oct 2007 17:05:10 +0000 (19:05 +0200)]
Don't allow the stack to grow into hugetlb reserved regions (CVE-2007-3739)

When expanding the stack, we don't currently check if the VMA will cross
into an area of the address space that is reserved for hugetlb pages.
Subsequent faults on the expanded portion of such a VMA will confuse the
low-level MMU code, resulting in an OOPS.  Check for this.

Signed-off-by: Adam Litke <agl@us.ibm.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agodrivers/video/macmodes.c:mac_find_mode() mustn't be __init
Adrian Bunk [Fri, 19 Oct 2007 16:51:07 +0000 (18:51 +0200)]
drivers/video/macmodes.c:mac_find_mode() mustn't be __init

If it's EXPORT_SYMBOL'ed it can't be __devinit.

Reported by Mikael Pettersson.

Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agohugetlb: fix prio_tree unit (CVE-2007-4133)
Hugh Dickins [Fri, 19 Oct 2007 12:30:18 +0000 (14:30 +0200)]
hugetlb: fix prio_tree unit (CVE-2007-4133)

hugetlb_vmtruncate_list was misconverted to prio_tree: its prio_tree is in
units of PAGE_SIZE (PAGE_CACHE_SIZE) like any other, not HPAGE_SIZE (whereas
its radix_tree is kept in units of HPAGE_SIZE, otherwise slots would be
absurdly sparse).

At first I thought the error benign, just calling __unmap_hugepage_range on
more vmas than necessary; but on 32-bit machines, when the prio_tree is
searched correctly, it happens to ensure the v_offset calculation won't
overflow.  As it stood, when truncating at or beyond 4GB, it was liable to
discard pages COWed from lower offsets; or even to clear pmd entries of
preceding vmas, triggering exit_mmap's BUG_ON(nr_ptes).

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agohugetlbfs: add Kconfig help text
Arthur Othieno [Fri, 19 Oct 2007 00:04:58 +0000 (02:04 +0200)]
hugetlbfs: add Kconfig help text

In kernel bugzilla #6248 (http://bugzilla.kernel.org/show_bug.cgi?id=6248),
Adrian Bunk <bunk@stusta.de> notes that CONFIG_HUGETLBFS is missing Kconfig
help text.

Signed-off-by: Arthur Othieno <apgo@patchbomb.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agohugetlbfs doc. update
Randy Dunlap [Fri, 19 Oct 2007 00:03:58 +0000 (02:03 +0200)]
hugetlbfs doc. update

Fix typos, spelling, etc., in Doc/vm/hugetlbpage.txt.

Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agox86: HUGETLBFS and DEBUG_PAGEALLOC are incompatible
Ken Chen [Thu, 18 Oct 2007 23:59:17 +0000 (01:59 +0200)]
x86: HUGETLBFS and DEBUG_PAGEALLOC are incompatible

DEBUG_PAGEALLOC is not compatible with hugetlb page support.  That debug
option turns off PSE.  Once it is turned off in CR4, the cpu will ignore
pse bit in the pmd and causing infinite page-not- present faults.

So disable DEBUG_PAGEALLOC if the user selected hugetlbfs.

Signed-off-by: Ken Chen <kenneth.w.chen@intel.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years ago[IA64] lazy_mmu_prot_update needs to be aware of huge pages
Zhang Yanmin [Thu, 18 Oct 2007 23:52:21 +0000 (01:52 +0200)]
[IA64] lazy_mmu_prot_update needs to be aware of huge pages

Function lazy_mmu_prot_update is also used on huge pages when it is called
by set_huge_ptep_writable, but it isn't aware of huge pages.

Signed-off-by: Zhang Yanmin <yanmin.zhang@intel.com>
Acked-by: Ken Chen <kenneth.w.chen@intel.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agoSELinux: clear parent death signal on SID transitions
Stephen Smalley [Thu, 18 Oct 2007 23:27:51 +0000 (01:27 +0200)]
SELinux: clear parent death signal on SID transitions

Clear parent death signal on SID transitions to prevent unauthorized
signaling between SIDs.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@parisplace.org>
Signed-off-by: James Morris <jmorris@localhost.localdomain>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agomake UML compile (FC6/x86-64)
Ulrich Drepper [Thu, 18 Oct 2007 21:46:58 +0000 (23:46 +0200)]
make UML compile (FC6/x86-64)

I need this patch to get a UML kernel to compile.  This is with the
kernel headers in FC6 which are automatically generated from the kernel
tree.  Some headers are missing but those files don't need them.  At
least it appears so since the resuling kernel works fine.

Tested on x86-64.

Signed-off-by: Ulrich Drepper <drepper@redhat.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agoDVB: get_dvb_firmware: update script for new location of tda10046 firmware
Andreas Arens [Thu, 18 Oct 2007 20:44:28 +0000 (22:44 +0200)]
DVB: get_dvb_firmware: update script for new location of tda10046 firmware

cherry picked from commit c545d6adbcacd296f7457bd992556feb055379de

Update get_dvb_firmware script for the new location of the
tda10046 firmware.

The old location doesn't work anymore.

Signed-off-by: Andreas Arens <ari@goron.de>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agoDVB: get_dvb_firmware: update script for new location of sp8870 firmware
Michael Krufky [Thu, 18 Oct 2007 20:43:30 +0000 (22:43 +0200)]
DVB: get_dvb_firmware: update script for new location of sp8870 firmware

cherry picked from commit 302170a4b47e869372974abd885dd11d5536b64a

get_dvb_firmware: update script for new location of sp8870 firmware

This url is no longer valid:
http://www.technotrend.de/new/217g/tt_Premium_217g.zip

Replace with:
http://www.softwarepatch.pl/9999ccd06a4813cb827dbb0005071c71/tt_Premium_217g.zip

Thanks-to: Tobias Stoeber <tobi@to-st.de>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agoalpha: fix epoll syscall enumerations
Mike Frysinger [Thu, 18 Oct 2007 19:30:46 +0000 (21:30 +0200)]
alpha: fix epoll syscall enumerations

We went and named them __NR_sys_foo instead of __NR_foo.

It may be too late to change this, but we can at least add the proper names
now.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
17 years agom68knommu: ptrace.h typo fix
Jan Altenberg [Thu, 18 Oct 2007 17:21:38 +0000 (19:21 +0200)]
m68knommu: ptrace.h typo fix

Signed-off-by: Jan Altenberg <tb10alj@tglx.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>