git.karo-electronics.de Git - karo-tx-linux.git/log
18 years ago  [IPV6]: Fix kernel OOPs when setting sticky socket options.
YOSHIFUJI Hideaki [Wed, 6 Sep 2006 14:30:02 +0000 (16:30 +0200)]
[IPV6]: Fix kernel OOPs when setting sticky socket options.

Bug noticed by Remi Denis-Courmont <rdenis@simphalempin.com>.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  idr: fix race in idr code
Sonny Rao [Wed, 6 Sep 2006 14:23:48 +0000 (16:23 +0200)]
idr: fix race in idr code

I ran into a bug where the kernel died in the idr code:

cpu 0x1d: Vector: 300 (Data Access) at [c000000b7096f710]
    pc: c0000000001f8984: .idr_get_new_above_int+0x140/0x330
    lr: c0000000001f89b4: .idr_get_new_above_int+0x170/0x330
    sp: c000000b7096f990
   msr: 800000000000b032
   dar: 0
 dsisr: 40010000
  current = 0xc000000b70d43830
  paca    = 0xc000000000556900
    pid   = 2022, comm = hwup
1d:mon> t
[c000000b7096f990] c0000000000d2ad8 .expand_files+0x2e8/0x364 (unreliable)
[c000000b7096faa0] c0000000001f8bf8 .idr_get_new_above+0x18/0x68
[c000000b7096fb20] c00000000002a054 .init_new_context+0x5c/0xf0
[c000000b7096fbc0] c000000000049dc8 .copy_process+0x91c/0x1404
[c000000b7096fcd0] c00000000004a988 .do_fork+0xd8/0x224
[c000000b7096fdc0] c00000000000ebdc .sys_clone+0x5c/0x74
[c000000b7096fe30] c000000000008950 .ppc_clone+0x8/0xc
-- Exception: c00 (System Call) at 000000000fde887c
SP (f8b4e7a0) is in userspace

Turned out to be a race-condition and NULL ptr deref, here's my fix:

Users of the idr code are supposed to call idr_pre_get without locking, so the
idr code must serialize itself with respect to layer allocations.  However, it
fails to do so in an error path in idr_get_new_above_int().  I added the
missing locking to fix this.

Signed-off-by: Sonny Rao <sonny@burdell.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  fix misoptimization in futex unqueue_me
Christian Borntraeger [Wed, 6 Sep 2006 14:01:43 +0000 (16:01 +0200)]
fix misoptimization in futex unqueue_me

This patch adds a barrier() in futex unqueue_me to avoid aliasing of two
pointers.

On my s390x system I saw the following oops:

Unable to handle kernel pointer dereference at virtual kernel address
0000000000000000
Oops: 0004 [#1]
CPU:    0    Not tainted
Process mytool (pid: 13613, task: 000000003ecb6ac0, ksp: 00000000366bdbd8)
Krnl PSW : 0704d00180000000 00000000003c9ac2 (_spin_lock+0xe/0x30)
Krnl GPRS: 00000000ffffffff 000000003ecb6ac0 0000000000000000 0700000000000000
           0000000000000000 0000000000000000 000001fe00002028 00000000000c091f
           000001fe00002054 000001fe00002054 0000000000000000 00000000366bddc0
           00000000005ef8c0 00000000003d00e8 0000000000144f91 00000000366bdcb8
Krnl Code: ba 4e 20 00 12 44 b9 16 00 3e a7 84 00 08 e3 e0 f0 88 00 04
Call Trace:
([<0000000000144f90>] unqueue_me+0x40/0xe4)
 [<0000000000145a0c>] do_futex+0x33c/0xc40
 [<000000000014643e>] sys_futex+0x12e/0x144
 [<000000000010bb00>] sysc_noemu+0x10/0x16
 [<000002000003741c>] 0x2000003741c

The code in question is:

static int unqueue_me(struct futex_q *q)
{
        int ret = 0;
        spinlock_t *lock_ptr;

        /* In the common case we don't take the spinlock, which is nice. */
 retry:
        lock_ptr = q->lock_ptr;
        if (lock_ptr != 0) {
                spin_lock(lock_ptr);
                /*
                 * q->lock_ptr can change between reading it and
                 * spin_lock(), causing us to take the wrong lock.  This
                 * corrects the race condition.
[...]

and my compiler (gcc 4.1.0) makes the following out of it:

00000000000003c8 <unqueue_me>:
     3c8:       eb bf f0 70 00 24       stmg    %r11,%r15,112(%r15)
     3ce:       c0 d0 00 00 00 00       larl    %r13,3ce <unqueue_me+0x6>
                        3d0: R_390_PC32DBL      .rodata+0x2a
     3d4:       a7 f1 1e 00             tml     %r15,7680
     3d8:       a7 84 00 01             je      3da <unqueue_me+0x12>
     3dc:       b9 04 00 ef             lgr     %r14,%r15
     3e0:       a7 fb ff d0             aghi    %r15,-48
     3e4:       b9 04 00 b2             lgr     %r11,%r2
     3e8:       e3 e0 f0 98 00 24       stg     %r14,152(%r15)
     3ee:       e3 c0 b0 28 00 04       lg      %r12,40(%r11)
                /* write q->lock_ptr in r12 */
     3f4:       b9 02 00 cc             ltgr    %r12,%r12
     3f8:       a7 84 00 4b             je      48e <unqueue_me+0xc6>
                /* if r12 is zero then jump over the code.... */
     3fc:       e3 20 b0 28 00 04       lg      %r2,40(%r11)
                /* write q->lock_ptr in r2 */
     402:       c0 e5 00 00 00 00       brasl   %r14,402 <unqueue_me+0x3a>
                        404: R_390_PC32DBL      _spin_lock+0x2
                /* use r2 as parameter for spin_lock */

So the code becomes more or less:
if (q->lock_ptr != 0) spin_lock(q->lock_ptr)
instead of
if (lock_ptr != 0) spin_lock(lock_ptr)

Which caused the oops from above.
After adding a barrier gcc creates code without this problem:
[...] (the same)
     3ee:       e3 c0 b0 28 00 04       lg      %r12,40(%r11)
     3f4:       b9 02 00 cc             ltgr    %r12,%r12
     3f8:       b9 04 00 2c             lgr     %r2,%r12
     3fc:       a7 84 00 48             je      48c <unqueue_me+0xc4>
     400:       c0 e5 00 00 00 00       brasl   %r14,400 <unqueue_me+0x38>
                        402: R_390_PC32DBL      _spin_lock+0x2

As a general note, this code of unqueue_me seems a bit fishy. The retry logic
of unqueue_me only works if we can guarantee that the original value of
q->lock_ptr is always a spinlock (otherwise we overwrite kernel memory). We
know that q->lock_ptr can change. I don't know what happens with the original
spinlock, as I am not an expert with the futex code.

Signed-off-by: Christian Borntraeger <borntrae@de.ibm.com>
Acked-by: Ingo Molnar <mingo@redhat.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
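The pattern the message describes (snapshot q->lock_ptr into a local, take that lock, re-check the field, retry if it moved) and the compiler barrier that keeps the snapshot from being silently replaced by a second load of q->lock_ptr, as an added user-space C illustration. This is not the futex code from the patch or from the kernel: struct fake_lock, the move_to_on_lock test hook and unqueue_me_demo are constructed here to make the race window reproducible without a second CPU, and READ_ONCE()/barrier() are the usual GCC/Clang constructs written out rather than kernel headers.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Compiler-only barrier, the same construct as the kernel's barrier(): no
   instruction is emitted, but values cached in registers must be reloaded after
   it and memory accesses may not be moved across it. */
#define barrier() __asm__ __volatile__("" ::: "memory")
/* One real load of x that the compiler may neither duplicate nor drop. */
#define READ_ONCE(x) (*(volatile __typeof__(x) *)&(x))

struct fake_lock { int held; int acquire_count; };

struct futex_q {
    struct fake_lock *lock_ptr;        /* which hash-bucket lock protects this entry */
    /* Test hook, not a kernel field: if set, the "other CPU" moves the entry to
       this lock while our spin_lock() is in progress, opening the race window. */
    struct fake_lock *move_to_on_lock;
};

static void fake_spin_lock(struct futex_q *q, struct fake_lock *l)
{
    if (q->move_to_on_lock) {          /* a requeue races with our lock acquisition */
        q->lock_ptr = q->move_to_on_lock;
        q->move_to_on_lock = NULL;
    }
    l->held = 1;
    l->acquire_count++;
}

static void fake_spin_unlock(struct fake_lock *l) { l->held = 0; }

/* Dequeue q. Returns the lock that was finally held while dequeueing (the
   value of q->lock_ptr at that moment), or NULL if q was already dequeued. */
static struct fake_lock *unqueue_me_demo(struct futex_q *q, int *retries)
{
    struct fake_lock *lock_ptr;

    *retries = 0;
retry:
    lock_ptr = READ_ONCE(q->lock_ptr); /* snapshot: exactly one load */
    barrier();                         /* the fix: everything below uses the snapshot,
                                          never a fresh read of q->lock_ptr */
    if (lock_ptr != NULL) {
        fake_spin_lock(q, lock_ptr);   /* lock the snapshot, not q->lock_ptr (may be NULL now) */
        if (lock_ptr != q->lock_ptr) { /* q moved between the snapshot and the lock */
            fake_spin_unlock(lock_ptr);
            (*retries)++;
            goto retry;
        }
        q->lock_ptr = NULL;            /* dequeued under the correct lock */
        fake_spin_unlock(lock_ptr);
    }
    return lock_ptr;
}

int main(void)
{
    struct fake_lock a = {0, 0}, b = {0, 0};
    struct futex_q q = { &a, &b };     /* constructed: entry moves from a to b mid-lock */
    int retries;
    struct fake_lock *got = unqueue_me_demo(&q, &retries);
    printf("dequeued under lock %s after %d retry\n", got == &b ? "b" : "a", retries);
    return (got == &b && retries == 1 && !a.held && !b.held) ? 0 : 1;
}
```

The miscompilation in the message turned the second use of lock_ptr into a fresh load of q->lock_ptr, so a waker clearing the field between the two loads produced a spin_lock(NULL). With the snapshot taken once and the barrier in place, the stale value is what gets locked and the explicit re-check is what detects the move.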
18 years ago  [SERIAL] icom: select FW_LOADER
maximilian attems [Wed, 6 Sep 2006 13:39:02 +0000 (15:39 +0200)]
[SERIAL] icom: select FW_LOADER

The icom driver uses request_firmware()
and thus needs to select FW_LOADER.

Signed-off-by: maximilian attems <maks@sternwelten.at>
Signed-off-by: Olaf Hering <olh@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  Missing PCI id update for VIA IDE
Alan Cox [Wed, 6 Sep 2006 13:07:59 +0000 (15:07 +0200)]
Missing PCI id update for VIA IDE

Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  Fix sctp_primitive_ABORT() call in sctp_close()
Sridhar Samudrala [Tue, 5 Sep 2006 19:59:11 +0000 (21:59 +0200)]
Fix sctp_primitive_ABORT() call in sctp_close()

With the recent fix, the callers of sctp_primitive_ABORT()
need to create an ABORT chunk and pass it as an argument rather
than msghdr that was passed earlier.

Adrian Bunk:
Ported to 2.6.16.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  ALSA: RME HDSP - fixed proc interface (missing {})
Remy Bruno [Tue, 5 Sep 2006 19:40:12 +0000 (21:40 +0200)]
ALSA: RME HDSP - fixed proc interface (missing {})

Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Acked-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  ALSA: hda-intel - Fix race in remove
Takashi Iwai [Tue, 5 Sep 2006 19:39:12 +0000 (21:39 +0200)]
ALSA: hda-intel - Fix race in remove

Call iounmap after free_irq to avoid invalid accesses in the
shared irq.  The patch is taken from
        https://bugzilla.novell.com/show_bug.cgi?id=167869

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  ALSA: Fix workaround for AD1988A rev2 codec
Takashi Iwai [Tue, 5 Sep 2006 19:38:52 +0000 (21:38 +0200)]
ALSA: Fix workaround for AD1988A rev2 codec

Fix the workaround for AD1988A rev2 codec not to apply to AD1988B codec
chips.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  ALSA: Fix model for HP dc7600
Takashi Iwai [Tue, 5 Sep 2006 19:38:23 +0000 (21:38 +0200)]
ALSA: Fix model for HP dc7600

Changed the assigned model for HP dc7600 with ALC260 codec
to match better with the actual I/O assignment.
Patch taken from ALSA bug#2157.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  ALSA: Fix missing array terminators in AD1988 codec support
Takashi Iwai [Tue, 5 Sep 2006 19:37:57 +0000 (21:37 +0200)]
ALSA: Fix missing array terminators in AD1988 codec support

Fixed the missing array terminators in AD1988 codec support code.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  ALSA: Fix a deadlock in snd-rtctimer
Takashi Iwai [Tue, 5 Sep 2006 19:37:16 +0000 (21:37 +0200)]
ALSA: Fix a deadlock in snd-rtctimer

Fix an occasional deadlock occurring with the snd-rtctimer driver,
added irqsave to the lock in tasklet (ALSA bug#952).

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  ALSA: au88x0 - Fix 64bit address of MPU401 MMIO port
Takashi Iwai [Tue, 5 Sep 2006 19:34:57 +0000 (21:34 +0200)]
ALSA: au88x0 - Fix 64bit address of MPU401 MMIO port

Fix 64bit address of MPU401 MMIO port on au88x0 chip.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  ethtool: fix oops in ethtool_set_pauseparam()
Willy Tarreau [Thu, 31 Aug 2006 20:02:56 +0000 (22:02 +0200)]
ethtool: fix oops in ethtool_set_pauseparam()

The function pointers which were checked were for their get_* counterparts.
Typically a copy-paste typo.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: Jeff Garzik <jeff@garzik.org>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  ETHTOOL: Fix UFO typo
Herbert Xu [Thu, 31 Aug 2006 19:59:19 +0000 (21:59 +0200)]
ETHTOOL: Fix UFO typo

The function ethtool_get_ufo was referring to ETHTOOL_GTSO instead of
ETHTOOL_GUFO.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Matthew Wilcox <matthew@wil.cx>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  fix struct file leakage
Kirill Korotaev [Wed, 30 Aug 2006 20:55:59 +0000 (22:55 +0200)]
fix struct file leakage

2.6.16 leaks like hell. While testing, I found massive filp leakage
(reproduced in openvz) in the bowels of namei.c.

Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  Have ext3 reject file handles with bad inode numbers early
Eric Sandeen [Wed, 30 Aug 2006 16:01:00 +0000 (18:01 +0200)]
Have ext3 reject file handles with bad inode numbers early

blatantly ripped off from Neil Brown's ext2 patch.

Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
Acked-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  ext3: avoid triggering ext3_error on bad NFS file handle
Neil Brown [Wed, 30 Aug 2006 15:58:44 +0000 (17:58 +0200)]
ext3: avoid triggering ext3_error on bad NFS file handle

The inode number out of an NFS file handle gets passed eventually to
ext3_get_inode_block() without any checking.  If ext3_get_inode_block()
allows it to trigger an error, then bad filehandles can have unpleasant
effect - ext3_error() will usually cause a forced read-only remount, or a
panic if `errors=panic' was used.

So remove the call to ext3_error there and put a matching check in
ext3/namei.c where inode numbers are read off storage.

Andrew Morton fixed an off-by-one error.

Dann Frazier ported the patch to 2.6.16.

Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
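Both ext3 messages above (Eric Sandeen's early rejection and Neil Brown's removal of the ext3_error() call) come down to one check: an inode number arriving in an NFS file handle is attacker-controlled and must be range-checked before it is used to index the inode table, otherwise a crafted handle reaches ext3_error() and forces a read-only remount or a panic. The following is an added C example of that check, not the kernel's code or the patch: struct demo_super, struct demo_fh and the toy generation table are constructed stand-ins; EXT3_ROOT_INO (2) and the old-format first non-reserved inode (11) are the real ext2/ext3 values.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define EXT3_ROOT_INO            2    /* ext2/ext3 root directory inode */
#define EXT3_GOOD_OLD_FIRST_INO  11   /* first inode not reserved by the filesystem */

/* Constructed stand-in for the superblock fields the check needs. */
struct demo_super {
    uint32_t s_inodes_count;   /* total inodes on the filesystem */
    uint32_t s_first_ino;      /* EXT3_FIRST_INO(sb) */
};

/* Constructed stand-in for the part of an NFS file handle that names an inode. */
struct demo_fh {
    uint32_t ino;
    uint32_t generation;       /* 0 means "don't check" */
};

/* Early validation of an inode number taken from an untrusted file handle.
   Returns 0 if it is safe to hand to the inode lookup, -ESTALE otherwise.
   Rejecting here gives the client a clean NFS ESTALE instead of letting the
   bad number reach ext3_error() (read-only remount, or panic with errors=panic). */
static int ext3_fh_ino_valid(const struct demo_super *sb, uint32_t ino)
{
    if (ino != EXT3_ROOT_INO && ino < sb->s_first_ino)
        return -ESTALE;        /* 0 or a reserved inode (bad blocks, journal, ...) */
    if (ino > sb->s_inodes_count)
        return -ESTALE;        /* past the inode table: must never be used as an index */
    return 0;
}

/* Toy inode table: gens[ino] is the inode's current generation, 0 = unallocated. */
static int demo_fh_to_ino(const struct demo_super *sb, const uint32_t *gens,
                          const struct demo_fh *fh, uint32_t *ino_out)
{
    int rc = ext3_fh_ino_valid(sb, fh->ino);
    if (rc)
        return rc;             /* the check runs before any table access */
    if (fh->generation && gens[fh->ino] != fh->generation)
        return -ESTALE;        /* inode freed and reused since the handle was issued */
    *ino_out = fh->ino;
    return 0;
}

int main(void)
{
    struct demo_super sb = { 32, EXT3_GOOD_OLD_FIRST_INO };  /* constructed: 32 inodes */
    uint32_t gens[33] = { 0 };
    uint32_t ino;
    gens[EXT3_ROOT_INO] = 1;
    gens[12] = 7;
    struct demo_fh bad = { 0xffffffffu, 0 }, good = { 12, 7 };
    printf("ino 0xffffffff -> %d, ino 12 gen 7 -> %d\n",
           demo_fh_to_ino(&sb, gens, &bad, &ino), demo_fh_to_ino(&sb, gens, &good, &ino));
    return 0;
}
```

The ordering matters: the bounds check has to happen in the file-handle decode path, before the generic lookup, because the lookup itself treats the number as trusted once it reaches the on-disk inode-block computation.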
18 years ago  eicon: fix define conflict with ptrace
Alexey Dobriyan [Wed, 30 Aug 2006 15:31:15 +0000 (17:31 +0200)]
eicon: fix define conflict with ptrace

* MODE_MASK is unused in eicon driver.
* Conflicts with ptrace stuff on arm.

drivers/isdn/hardware/eicon/divasync.h:259:1: warning: "MODE_MASK" redefined
include2/asm/ptrace.h:48:1: warning: this is the location of the previous definition

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Acked-by: Karsten Keil <kkeil@suse.de>
Acked-by: Armin Schindler <armin@melware.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  ip_tables: fix table locking in ipt_do_table
Patrick McHardy [Wed, 30 Aug 2006 15:25:57 +0000 (17:25 +0200)]
ip_tables: fix table locking in ipt_do_table

table->private might change because of ruleset changes, don't use it without
holding the lock.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  aic79xx: use BIOS settings
Hannes Reinecke [Wed, 30 Aug 2006 15:23:16 +0000 (17:23 +0200)]
aic79xx: use BIOS settings

This patch fixes the aic79xx driver to properly respond to BIOS
settings.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  tty serialize flush_to_ldisc
Paul Fulghum [Sun, 27 Aug 2006 01:36:58 +0000 (03:36 +0200)]
tty serialize flush_to_ldisc

Serialize processing of tty buffers in flush_to_ldisc
to fix (very rare) corruption of tty buffer free list
on SMP systems.

Signed-off-by: Paul Fulghum <paulkf@microgate.com>
Acked-by: Alan Cox <alan@redhat.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  ulog: fix panic on SMP kernels
Mark Huang [Sat, 26 Aug 2006 15:35:49 +0000 (17:35 +0200)]
ulog: fix panic on SMP kernels

Fix kernel panic on various SMP machines. The culprit is a null
ub->skb in ulog_send(). If ulog_timer() has already been scheduled on
one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the
queue on another CPU by calling ulog_send() right before it exits,
there will be no skbuff when ulog_timer() acquires the lock and calls
ulog_send(). Cancelling the timer in ulog_send() doesn't help because
it has already been scheduled and is running on the first CPU.

Similar problem exists in ebt_ulog.c and nfnetlink_log.c.

Signed-off-by: Mark Huang <mlhuang@cs.princeton.edu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  Fix a potential NULL dereference in md/raid1
Neil Brown [Sat, 26 Aug 2006 15:33:27 +0000 (17:33 +0200)]
Fix a potential NULL dereference in md/raid1

At the point where this 'atomic_add' is, rdev could be NULL,
as seen by the fact that we test for this in the very next
statement.
Further, it is really the wrong place for the add.
We could add to the count of corrected errors
once we are sure it was corrected, not before
trying to correct it.

Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  SCTP: Send only 1 window update SACK per message.
Tsutomu Fujii [Sat, 26 Aug 2006 00:41:37 +0000 (02:41 +0200)]
SCTP: Send only 1 window update SACK per message.

Right now, every time we increase our rwnd by more than MTU bytes, we
trigger a SACK.  When processing large messages, this will generate a
SACK for almost every other SCTP fragment. However since we are freeing
the entire message at the same time, we might as well collapse the SACK
generation to 1.

Signed-off-by: Tsutomu Fujii <t-fujii@nb.jp.nec.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  SCTP: Reset rtt_in_progress for the chunk when processing its sack.
Vlad Yasevich [Sat, 26 Aug 2006 00:41:12 +0000 (02:41 +0200)]
SCTP: Reset rtt_in_progress for the chunk when processing its sack.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  SCTP: Limit association max_retrans setting in setsockopt.
Vlad Yasevich [Sat, 26 Aug 2006 00:40:29 +0000 (02:40 +0200)]
SCTP: Limit association max_retrans setting in setsockopt.

When using ASSOCINFO socket option, we need to limit the number of
maximum association retransmissions to be no greater than the sum
of all the path retransmissions. This is specified in Section 7.1.2
of the SCTP socket API draft.
However, we only do this if the association has multiple paths. If
there is only one path, the protocol stack will use the
assoc_max_retrans setting when trying to retransmit packets.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  SCTP: Fix persistent slowdown in sctp when a gap ack consumes rx buffer.
Neil Horman [Sat, 26 Aug 2006 00:39:48 +0000 (02:39 +0200)]
SCTP: Fix persistent slowdown in sctp when a gap ack consumes rx buffer.

In the event that our entire receive buffer is full with a series of
chunks that represent a single gap-ack, and then we accept a chunk
(or chunks) that fill in the gap between the ctsn and the first gap,
we renege chunks from the end of the buffer, which effectively does
nothing but move our gap to the end of our received tsn stream. This
does little but move our missing tsns down stream a little, and, if the
sender is sending sufficiently large retransmit frames, the result is a
perpetual slowdown which can never be recovered from, since the only
chunk that can be accepted to allow progress in the tsn stream necessitates
that a new gap be created to make room for it. This leads to a constant
need for retransmits, and subsequent receiver stalls. The fix I've come up
with is to deliver the frame without reneging if we have a full receive
buffer and the receiving socket's sk_receive_queue is empty (indicating that
the receive buffer is being blocked by a missing tsn).

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  SCTP: Reject sctp packets with broadcast addresses.
Vlad Yasevich [Sat, 26 Aug 2006 00:39:03 +0000 (02:39 +0200)]
SCTP: Reject sctp packets with broadcast addresses.

Make SCTP handle broadcast properly

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  Linux 2.6.16.28  (tag: v2.6.16.28)
Adrian Bunk [Fri, 25 Aug 2006 20:51:14 +0000 (22:51 +0200)]
Linux 2.6.16.28

18 years ago  Linux 2.6.16.28-rc3  (tag: v2.6.16.28-rc3)
Adrian Bunk [Wed, 23 Aug 2006 17:29:05 +0000 (19:29 +0200)]
Linux 2.6.16.28-rc3

18 years ago  1394: fix for recently added firewire patch that breaks things on ppc
Danny Tholen [Wed, 23 Aug 2006 17:28:41 +0000 (19:28 +0200)]
1394: fix for recently added firewire patch that breaks things on ppc

Recently a patch was added for preliminary suspend/resume handling on
!PPC_PMAC.  However, this broke both suspend and firewire on powerpc
because it saves the pci state after the device has already been disabled.

This moves the save state to before the pmac specific code.

Signed-off-by: Danny Tholen <obiwan@mailmij.org>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  Fix sctp privilege elevation (CVE-2006-3745)
Sridhar Samudrala [Wed, 23 Aug 2006 16:01:55 +0000 (18:01 +0200)]
Fix sctp privilege elevation (CVE-2006-3745)

sctp_make_abort_user() now takes the msg_len along with the msg
so that we don't have to recalculate the bytes in iovec.
It also uses memcpy_fromiovec() so that we don't go beyond the
length allocated.

It is good to have this fix even if verify_iovec() is fixed to
return error on overflow.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
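The two halves of the fix described above, as an added C example that is not the SCTP code from the patch or from the kernel: a total iovec length computed once with overflow detection (what verify_iovec() has to guarantee), and a copy that is bounded by the caller-supplied msg_len rather than by whatever the iovec claims (what switching to memcpy_fromiovec() with an explicit length buys). The iovec chains, the abort_chunk stand-in and its 64-byte payload cap are constructed for the demonstration; struct iovec itself is the standard one from <sys/uio.h>.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>           /* struct iovec { void *iov_base; size_t iov_len; } */

/* Total length of an iovec chain, computed once and validated: the sum must fit
   an int, as verify_iovec() has to guarantee. A sum that wraps to a small value
   is exactly what lets a later copy of the real data overrun a small allocation.
   Returns the total, or -EINVAL on overflow. */
static long iov_total_len(const struct iovec *iov, size_t iovlen)
{
    size_t total = 0;
    for (size_t i = 0; i < iovlen; i++) {
        if (iov[i].iov_len > (size_t)INT_MAX - total)
            return -EINVAL;    /* total + iov_len would exceed INT_MAX */
        total += iov[i].iov_len;
    }
    return (long)total;
}

/* memcpy_fromiovec-style copy: moves exactly len bytes from the chain into dst.
   len is the size of dst, supplied by the caller, so the copy can never run past
   the buffer no matter what the iovec claims. Returns -EFAULT if the chain is short. */
static int copy_from_iovec_bounded(void *dst, size_t len,
                                   const struct iovec *iov, size_t iovlen)
{
    unsigned char *out = dst;
    for (size_t i = 0; i < iovlen && len > 0; i++) {
        size_t n = iov[i].iov_len < len ? iov[i].iov_len : len;
        memcpy(out, iov[i].iov_base, n);
        out += n;
        len -= n;
    }
    return len ? -EFAULT : 0;
}

/* Model of the fixed call shape: the already-validated msg_len is passed in and
   used for both the buffer size and the copy, not recomputed from the iovec. */
struct abort_chunk {
    size_t        payload_len;
    unsigned char payload[64];  /* constructed fixed-size stand-in for the chunk buffer */
};

static int make_abort_user(struct abort_chunk *c, const struct iovec *iov,
                           size_t iovlen, size_t msg_len)
{
    if (msg_len > sizeof c->payload)
        return -EMSGSIZE;      /* demo cap; a real allocator would size to msg_len */
    c->payload_len = msg_len;
    return copy_from_iovec_bounded(c->payload, msg_len, iov, iovlen);
}

int main(void)
{
    struct iovec iov[2] = { { "hello", 5 }, { "world", 5 } };      /* constructed input */
    struct iovec huge[2] = { { "x", (size_t)INT_MAX }, { "y", 1 } }; /* sum overflows int */
    struct abort_chunk c;
    long total = iov_total_len(iov, 2);
    printf("total %ld, overflow check -> %ld, build -> %d\n",
           total, iov_total_len(huge, 2), make_abort_user(&c, iov, 2, (size_t)total));
    return 0;
}
```

The message's point that the fix "is good to have even if verify_iovec() is fixed" is the defence-in-depth split shown here: the length validation and the bounded copy are independent, and either alone stops the overrun.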
18 years ago  Fix possible UDF deadlock and memory corruption (CVE-2006-4145)
Jan Kara [Wed, 23 Aug 2006 16:00:30 +0000 (18:00 +0200)]
Fix possible UDF deadlock and memory corruption (CVE-2006-4145)

UDF code is not really ready to handle extents larger that 1GB. This is
the easy way to forbid creating those.

Also the truncation code did not account for the case when there are no
extents in the file and we are extending the file.

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  Linux 2.6.16.28-rc2  (tag: v2.6.16.28-rc2)
Adrian Bunk [Tue, 22 Aug 2006 15:48:30 +0000 (17:48 +0200)]
Linux 2.6.16.28-rc2

18 years ago  powerpc: Clear HID0 attention enable on PPC970 at boot time (CVE-2006-4093)
Olof Johansson [Fri, 18 Aug 2006 19:44:57 +0000 (21:44 +0200)]
powerpc: Clear HID0 attention enable on PPC970 at boot time (CVE-2006-4093)

Clear HID0[en_attn] at CPU init time on PPC970.  Closes CVE-2006-4093.

Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  cdrom: fix bad cgc.buflen assignment (CVE-2006-2935)
Jens Axboe [Fri, 18 Aug 2006 19:42:43 +0000 (21:42 +0200)]
cdrom: fix bad cgc.buflen assignment (CVE-2006-2935)

The code really means to mask off the high bits, not assign 0xff.

Reported by Marcus Meissner <meissner@suse.de>.

Signed-off-by: Jens Axboe <axboe@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  ide-io: increase timeout value to allow for slave wakeup
Al Boldi [Fri, 18 Aug 2006 19:30:53 +0000 (21:30 +0200)]
ide-io: increase timeout value to allow for slave wakeup

During an STR resume cycle, the ide master disk times-out when there is
also a slave present (especially CD).  Increasing the timeout in ide-io
from 10,000 to 100,000 fixes this problem.

Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  SPARC64: Fix quad-float multiply emulation.
David S. Miller [Fri, 18 Aug 2006 19:28:03 +0000 (21:28 +0200)]
SPARC64: Fix quad-float multiply emulation.

Something is wrong with the 3-multiply (vs. 4-multiply) optimized
version of _FP_MUL_MEAT_2_*(), so just use the slower version
which actually computes correct values.

Noticed by Rene Rebe

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  SPARC32: Fix iommu_flush_iotlb end address
Bob Breuer [Fri, 18 Aug 2006 19:26:56 +0000 (21:26 +0200)]
SPARC32: Fix iommu_flush_iotlb end address

Fix the calculation of the end address when flushing iotlb entries to
ram.  This bug has been a cause of esp dma errors, and it affects
HyperSPARC systems much worse than SuperSPARC systems.

Signed-off-by: Bob Breuer <breuerr@mc.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: William Lee Irwin III <wli@holomorphy.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  Linux 2.6.16.28-rc1  (tag: v2.6.16.28-rc1)
Adrian Bunk [Sat, 12 Aug 2006 17:00:06 +0000 (19:00 +0200)]
Linux 2.6.16.28-rc1

18 years ago  update the i386 defconfig
Adrian Bunk [Sat, 12 Aug 2006 16:59:17 +0000 (18:59 +0200)]
update the i386 defconfig

The i386 defconfig wasn't updated for ages.

Instead of running "make oldconfig" on the old defconfig and trying to
give reasonable answers to all new options, this patch replaces it with
the one I'm using in 2.6.16-rc1.

This way, it's a .config that is confirmed to work on at least one
computer in the world.  ;-)

Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  ieee1394: sbp2: enable auto spin-up for Maxtor disks
Stefan Richter [Fri, 11 Aug 2006 21:42:30 +0000 (23:42 +0200)]
ieee1394: sbp2: enable auto spin-up for Maxtor disks

At least Maxtor OneTouch III require a "start stop unit" command after
auto spin-down before the next access can proceed.  This patch activates
the responsible code in scsi_mod for all Maxtor SBP-2 disks.
https://bugzilla.novell.com/show_bug.cgi?id=183011

Maybe that should be done for all SBP-2 disks, but better be cautious.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  Fix broken suspend/resume in ohci1394
Robert Hancock [Fri, 11 Aug 2006 21:41:52 +0000 (23:41 +0200)]
Fix broken suspend/resume in ohci1394

I've been experimenting to track down the cause of suspend/resume problems
on my Compaq Presario X1050 laptop:

http://bugzilla.kernel.org/show_bug.cgi?id=6075

Essentially the ACPI Embedded Controller and keyboard controller would
get into a bizarre, confused state after resume.

I found that unloading the ohci1394 module before suspend and reloading it
after resume made the problem go away.  Diffing the dmesg output from
resume, with and without the module loaded, I found that with the module
loaded I was missing these:

PM: Writing back config space on device 0000:02:00.0 at offset 1. (Was 2100080, writing 2100007)
PM: Writing back config space on device 0000:02:00.0 at offset 3. (Was 0, writing 8008)
PM: Writing back config space on device 0000:02:00.0 at offset 4. (Was 0, writing 90200000)
PM: Writing back config space on device 0000:02:00.0 at offset 5. (Was 1, writing 2401)
PM: Writing back config space on device 0000:02:00.0 at offset f. (Was 20000100, writing 2000010a)

The default PCI driver performs the pci_restore_state when no driver is
loaded for the device.  When the ohci1394 driver is loaded, it is supposed
to do this, however it appears not to do so.

I created the patch below and tested it, and it appears to resolve the
suspend problems I was having with the module loaded.  I only added in the
pci_save_state and pci_restore_state - however, though I know little of
this hardware, surely the driver should really be doing more than this when
suspending and resuming?  Currently it does almost nothing, what if there
are commands in progress, etc?

Signed-off-by: Robert Hancock <hancockr@shaw.ca>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  fix debugfs inode leak
Jens Axboe [Fri, 11 Aug 2006 20:43:42 +0000 (22:43 +0200)]
fix debugfs inode leak

Looking at the reiser4 crash, I found a leak in debugfs. In
debugfs_mknod(), we create the inode before checking if the dentry
already has one attached. We don't free it if that is the case.

Signed-off-by: Jens Axboe <axboe@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  Fix missing ret assignment in __bio_map_user() error path
Jens Axboe [Fri, 11 Aug 2006 20:29:11 +0000 (22:29 +0200)]
Fix missing ret assignment in __bio_map_user() error path

If get_user_pages() returns less pages than what we asked for, we
jump to out_unmap which will return ERR_PTR(ret). But ret can contain
a positive number just smaller than local_nr_pages, so be sure to set
it to -EFAULT always.

Problem found and diagnosed by Damien Le Moal <damien@sdl.hitachi.co.jp>

Signed-off-by: Jens Axboe <axboe@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  [AGPGART] Fix Nforce3 suspend on amd64.
Dave Jones [Wed, 9 Aug 2006 22:03:27 +0000 (00:03 +0200)]
[AGPGART] Fix Nforce3 suspend on amd64.

kernel.org bugzilla #6206

Based on patch from Serge Belyshev <belyshev@depni.sinp.msu.ru>

Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  SOUND_SSCAPE shouldn't depend on OBSOLETE_OSS_DRIVER
Adrian Bunk [Wed, 9 Aug 2006 21:26:03 +0000 (23:26 +0200)]
SOUND_SSCAPE shouldn't depend on OBSOLETE_OSS_DRIVER

Due to a regression in the corresponding ALSA driver (ALSA #2234), the
OSS driver should stay until it's fixed.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  ieee80211: TKIP requires CRC32
Chuck Ebbert [Tue, 8 Aug 2006 21:23:12 +0000 (23:23 +0200)]
ieee80211: TKIP requires CRC32

ieee80211_crypt_tkip will not work without CRC32.

  LD      .tmp_vmlinux1
net/built-in.o: In function `ieee80211_tkip_encrypt':
net/ieee80211/ieee80211_crypt_tkip.c:349: undefined reference to `crc32_le'

Reported by Toralf Foerster <toralf.foerster@gmx.de>

Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  memory hotplug: solve config broken: undefined reference to `online_page'
Yasunori Goto [Tue, 8 Aug 2006 15:35:33 +0000 (17:35 +0200)]
memory hotplug: solve config broken: undefined reference to `online_page'

The memory hotplug code of i386 adds memory only to highmem.  So, if
CONFIG_HIGHMEM is not set, CONFIG_MEMORY_HOTPLUG shouldn't be set.
Otherwise, it causes a compile error.

In addition, many architectures can't use the memory hotplug feature yet.  So, I
introduce CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG.

Signed-off-by: Yasunori Goto <y-goto@jp.fujitsu.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  pdflush: handle resume wakeups
Pavel Machek [Tue, 8 Aug 2006 09:58:01 +0000 (11:58 +0200)]
pdflush: handle resume wakeups

2.6.16 needs this. It was merged into 2.6.18-rc1.

pdflush is carefully designed to ensure that all wakeups have some
corresponding work to do - if a woken-up pdflush thread discovers that
it hasn't been given any work to do then this is considered an error.

That all broke when swsusp came along - because a timer-delivered
wakeup to a frozen pdflush thread will just get lost.  This causes the
pdflush thread to get lost as well: the writeback timer is supposed to
be re-armed by pdflush in process context, but pdflush doesn't execute
the callout which does this.

Fix that up by ignoring the return value from try_to_freeze(): just
proceed, see if we have any work pending and only go back to sleep if
that is not the case.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Pavel Machek <pavel@suse.cz>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  BLOCK: Fix bounce limit address check
Andi Kleen [Mon, 7 Aug 2006 19:26:18 +0000 (21:26 +0200)]
BLOCK: Fix bounce limit address check

This fixes some OOMs on 64bit systems with <4GB of RAM when accessing
the cdrom.

Do a safer check for when to enable DMA. Currently we enable ISA DMA
for cases that do not need it, resulting in OOM conditions when ZONE_DMA
runs out of space.

Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Jens Axboe <axboe@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  IB/mthca: restore missing PCI registers after reset
Michael S. Tsirkin [Mon, 7 Aug 2006 17:04:22 +0000 (19:04 +0200)]
IB/mthca: restore missing PCI registers after reset

mthca does not restore the following PCI-X/PCI Express registers after reset:
  PCI-X device: PCI-X command register
  PCI-X bridge: upstream and downstream split transaction registers
  PCI Express : PCI Express device control and link control registers

This causes instability and/or bad performance on systems where one of
these registers is set to a non-default value by BIOS.

Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  fix the SND_FM801_TEA575X dependencies
Adrian Bunk [Thu, 3 Aug 2006 19:58:11 +0000 (21:58 +0200)]
fix the SND_FM801_TEA575X dependencies

CONFIG_SND_FM801=y, CONFIG_SND_FM801_TEA575X=m resulted in the following
compile error:

<--  snip  -->

...
  LD      vmlinux
sound/built-in.o: In function 'snd_fm801_free':
fm801.c:(.text+0x3c15b): undefined reference to 'snd_tea575x_exit'
sound/built-in.o: In function 'snd_card_fm801_probe':
fm801.c:(.text+0x3cfde): undefined reference to 'snd_tea575x_init'
make: *** [vmlinux] Error 1

<--  snip  -->

This patch fixes kernel Bugzilla #6458.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  remove obsolete swsusp_encrypt
Pavel Machek [Thu, 3 Aug 2006 19:56:53 +0000 (21:56 +0200)]
remove obsolete swsusp_encrypt

Remove SWSUSP_ENCRYPT config option; it is no longer implemented.

Signed-off-by: Pavel Machek <pavel@suse.cz>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
18 years ago  Linux 2.6.16.27 v2.6.16.27
Greg Kroah-Hartman [Mon, 17 Jul 2006 13:58:58 +0000 (06:58 -0700)]
Linux 2.6.16.27

18 years ago  [PATCH] USB serial ftdi_sio: Prevent userspace DoS (CVE-2006-2936)
Ian Abbott [Mon, 26 Jun 2006 11:59:17 +0000 (12:59 +0100)]
[PATCH] USB serial ftdi_sio: Prevent userspace DoS (CVE-2006-2936)

This patch limits the amount of outstanding 'write' data that can be
queued up for the ftdi_sio driver, to prevent userspace DoS attacks (or
simple accidents) that use up all the system memory by writing lots of
data to the serial port.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] IPV6 ADDRCONF: Fix default source address selection without CONFIG_IPV6_PRIVACY
YOSHIFUJI Hideaki [Thu, 22 Jun 2006 08:42:13 +0000 (01:42 -0700)]
[PATCH] IPV6 ADDRCONF: Fix default source address selection without CONFIG_IPV6_PRIVACY

We need to update hiscore.rule even if we don't enable CONFIG_IPV6_PRIVACY,
because we have one more, less significant rule: longest match.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] IPV6: Fix source address selection.
Łukasz Stelmach [Thu, 22 Jun 2006 08:39:05 +0000 (01:39 -0700)]
[PATCH] IPV6: Fix source address selection.

Two additional labels (RFC 3484, sec. 10.3) for IPv6 addresses
are defined to make a distinction between global unicast
addresses and Unique Local Addresses (fc00::/7, RFC 4193) and
Teredo (2001::/32, RFC 4380). It is necessary to avoid attempts
of connection that would either fail (eg. fec0:: to 2001:feed::)
or be sub-optimal (2001:0:: to 2001:feed::).

Signed-off-by: Łukasz Stelmach <stlman@poczta.fm>
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  Linux 2.6.16.25 v2.6.16.26
Greg Kroah-Hartman [Sat, 15 Jul 2006 19:45:58 +0000 (12:45 -0700)]
Linux 2.6.16.25

18 years ago  [PATCH] Relax /proc fix a bit
Linus Torvalds [Sat, 15 Jul 2006 05:59:19 +0000 (05:59 +0000)]
[PATCH] Relax /proc fix a bit

Relax /proc fix a bit

Clearing all of i_mode was a bit draconian. We only really care about
S_ISUID/ISGID, after all.

Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  Linux 2.6.16.25 v2.6.16.25
Greg Kroah-Hartman [Sat, 15 Jul 2006 02:33:41 +0000 (19:33 -0700)]
Linux 2.6.16.25

18 years ago  [PATCH] Fix nasty /proc vulnerability (CVE-2006-3626)
Linus Torvalds [Fri, 14 Jul 2006 23:59:02 +0000 (23:59 +0000)]
[PATCH] Fix nasty /proc vulnerability (CVE-2006-3626)

Fix nasty /proc vulnerability

We have a bad interaction with both the kernel and user space being able
to change some of the /proc file status.  This fixes the most obvious
part of it, but I expect we'll also make it harder for users to modify
even their "own" files in /proc.

Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  Linux 2.6.16.24 v2.6.16.24
Greg Kroah-Hartman [Thu, 6 Jul 2006 20:06:01 +0000 (13:06 -0700)]
Linux 2.6.16.24

18 years ago  fix prctl privilege escalation and suid_dumpable (CVE-2006-2451)
Greg Kroah-Hartman [Thu, 6 Jul 2006 20:05:42 +0000 (13:05 -0700)]
fix prctl privilege escalation and suid_dumpable (CVE-2006-2451)

Based on a patch from Ernie Petrides

During security research, Red Hat discovered a behavioral flaw in core
dump handling. A local user could create a program that would cause a
core file to be dumped into a directory they would not normally have
permissions to write to. This could lead to a denial of service (disk
consumption), or allow the local user to gain root privileges.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  Linux 2.6.16.23 v2.6.16.23
Greg Kroah-Hartman [Fri, 30 Jun 2006 21:17:30 +0000 (14:17 -0700)]
Linux 2.6.16.23

18 years ago  [PATCH] revert PARPORT_SERIAL should depend on SERIAL_8250_PCI patch
Chris Wright [Fri, 30 Jun 2006 21:06:52 +0000 (14:06 -0700)]
[PATCH] revert PARPORT_SERIAL should depend on SERIAL_8250_PCI patch

Should have not been applied to 2.6.16

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] NETFILTER: SCTP conntrack: fix crash triggered by packet without chunks ...
Patrick McHardy [Fri, 30 Jun 2006 03:33:12 +0000 (05:33 +0200)]
[PATCH] NETFILTER: SCTP conntrack: fix crash triggered by packet without chunks [CVE-2006-2934]

When a packet without any chunks is received, the newconntrack variable
in sctp_packet contains an out of bounds value that is used to look up a
pointer from the array of timeouts, which is then dereferenced, resulting
in a crash. Make sure at least a single chunk is present.

Problem noticed by George A. Theall <theall@tenablesecurity.com>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  Linux 2.6.16.22 v2.6.16.22
Chris Wright [Thu, 22 Jun 2006 19:16:21 +0000 (12:16 -0700)]
Linux 2.6.16.22

18 years ago  [PATCH] NTFS: Critical bug fix (affects MIPS and possibly others)
Anton Altaparmakov [Tue, 20 Jun 2006 07:29:41 +0000 (00:29 -0700)]
[PATCH] NTFS: Critical bug fix (affects MIPS and possibly others)

It fixes a crash in NTFS on architectures where flush_dcache_page()
is a real function.  I never noticed this as all my testing is done on
i386 where flush_dcache_page() is NULL.

http://bugzilla.kernel.org/show_bug.cgi?id=6700

Many thanks to Pauline Ng for the detailed bug report and analysis!

Signed-off-by: Anton Altaparmakov <aia21@cantab.net>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
18 years ago  [PATCH] powernow-k8 crash workaround
Andrew Morton [Sat, 10 Jun 2006 18:59:23 +0000 (18:59 +0000)]
[PATCH] powernow-k8 crash workaround

Work around the oops reported in
http://bugzilla.kernel.org/show_bug.cgi?id=6478.

Thanks to Ralf Hildebrandt <ralf.hildebrandt@charite.de> for testing and
reporting.

Acked-by: Dave Jones <davej@codemonkey.org.uk>
Cc: "Brown, Len" <len.brown@intel.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] I2O: Bugfixes to get I2O working again
Markus Lidel [Sat, 10 Jun 2006 16:54:14 +0000 (09:54 -0700)]
[PATCH] I2O: Bugfixes to get I2O working again

- Fixed locking of struct i2o_exec_wait in Executive-OSM

- Removed LCT Notify in i2o_exec_probe() which caused freeing memory and
  accessing freed memory during first enumeration of I2O devices

- Added missing locking in i2o_exec_lct_notify()

- removed put_device() of I2O controller in i2o_iop_remove() which caused
  the controller structure to get freed too early

- Fixed size of mempool in i2o_iop_alloc()

- Fixed access to freed memory in i2o_msg_get()

See http://bugzilla.kernel.org/show_bug.cgi?id=6561

Signed-off-by: Markus Lidel <Markus.Lidel@shadowconnect.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] scsi_lib.c: properly count the number of pages in scsi_req_map_sg()
James Bottomley [Thu, 8 Jun 2006 04:03:28 +0000 (00:03 -0400)]
[PATCH] scsi_lib.c: properly count the number of pages in scsi_req_map_sg()

The calculation of nr_pages in scsi_req_map_sg() doesn't account for
the fact that the first page could have an offset that pushes the end
of the buffer onto a new page.

Signed-off-by: Bryan Holty <lgeek@frontiernet.net>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] JFS: Fix multiple errors in metapage_releasepage
Dave Kleikamp [Wed, 7 Jun 2006 02:54:44 +0000 (22:54 -0400)]
[PATCH] JFS: Fix multiple errors in metapage_releasepage

It looks like metapage_releasepage was making an invalid assumption that
the releasepage method would not be called on a dirty page.  Instead of
issuing a warning and releasing the metapage, it should return 0, indicating
that the private data for the page cannot be released.

I also realized that metapage_releasepage had the return code all wrong.  If
it is successful in releasing the private data, it should return 1, otherwise
it needs to return 0.

Lastly, there is no need to call wait_on_page_writeback, since
try_to_release_page will not call us with a page in writeback state.

Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] fs/namei.c: Call to file_permission() under a spinlock in do_lookup_path()
Trond Myklebust [Tue, 6 Jun 2006 15:19:35 +0000 (11:19 -0400)]
[PATCH] fs/namei.c: Call to file_permission() under a spinlock in do_lookup_path()

We're presently running lock_kernel() under fs_lock via nfs's ->permission
handler.  That's a ranking bug and sometimes a sleep-in-spinlock bug.  This
problem was introduced in the openat() patchset.

We should not need to hold the current->fs->lock for a codepath that doesn't
use current->fs.

[vsu@altlinux.ru: fix error path]
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Al Viro <viro@ftp.linux.org.uk>
Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] tmpfs: time granularity fix for [acm]time going backwards
Robin H. Johnson [Tue, 13 Jun 2006 17:06:11 +0000 (18:06 +0100)]
[PATCH] tmpfs: time granularity fix for [acm]time going backwards

I noticed a strange behavior in a tmpfs file system the other day, while
building packages - occasionally, and seemingly at random, make decided to
rebuild a target. However, only on tmpfs.

A file would be created, and if checked, it had a sub-second timestamp.
However, after an utimes related call where sub-seconds should be set, they
were zeroed instead. In the case that a file was created, and utimes(...,NULL)
was used on it in the same second, the timestamp on the file moved backwards.

After some digging, I found that this was being caused by tmpfs not having a
time granularity set, thus inheriting the default 1 second granularity.

Hugh adds: yes, we missed tmpfs when the s_time_gran mods went into 2.6.11.
Unfortunately, the granularity of CURRENT_TIME, often used in filesystems,
does not match the default granularity set by alloc_super.  A few more such
discrepancies have been found, but this is the most important to fix now.

Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
Acked-by: Andi Kleen <ak@suse.de>
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] Missed error checking for intent's filp in open_namei().
Oleg Drokin [Sat, 25 Mar 2006 11:06:54 +0000 (03:06 -0800)]
[PATCH] Missed error checking for intent's filp in open_namei().

It seems there is an error check missing in open_namei for errors returned
through intent.open.file (from lookup_instantiate_filp).

If a plain open is performed, then such a check is done inside
__path_lookup_intent_open called from path_lookup_open(), but when the open
is performed with the O_CREAT flag set, then __path_lookup_intent_open is only
called with LOOKUP_PARENT set, where no file opening can occur yet.

Later on lookup_hash is called where the actual opening might take place and
intent.open.file may be filled.  If it is filled with an error value of some
sort, then we get the kernel attempting to dereference this error value as an
address (and a corresponding oops) in nameidata_to_filp() called from
filp_open().

While this is relatively simple to workaround in ->lookup() method by just
checking lookup_instantiate_filp() return value and returning error as
needed, this is not so easy in ->d_revalidate(), where we can only return
"yes, dentry is valid" or "no, dentry is invalid, perform full lookup
again", and just returning 0 on error would cause extra lookup (with
potential extra costly RPCs).

So in short, I believe that there should be no difference in error handling
for opening a file and creating a file in open_namei() and propose this
simple patch as a solution.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] SPARC64: Fix missing fold at end of checksums.
David Miller [Mon, 5 Jun 2006 18:27:10 +0000 (11:27 -0700)]
[PATCH] SPARC64: Fix missing fold at end of checksums.

Both csum_partial() and the csum_partial_copy*() family of routines
forget to do a final fold on the computed checksum value on sparc64.
So do the standard Sparc "add + set condition codes, add carry"
sequence, then make sure the high 32-bits of the return value are
clear.

Based upon some excellent detective work and debugging done by
Richard Braun and Samuel Thibault.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] SPARC64: Respect gfp_t argument to dma_alloc_coherent().
David Miller [Mon, 5 Jun 2006 03:41:00 +0000 (20:41 -0700)]
[PATCH] SPARC64: Respect gfp_t argument to dma_alloc_coherent().

Using asm-generic/dma-mapping.h does not work because pushing
the call down to pci_alloc_coherent() causes the gfp_t argument
of dma_alloc_coherent() to be ignored.

Fix this by implementing things directly, and adding a gfp_t
argument we can use in the internal call down to the PCI DMA
implementation of pci_alloc_coherent().

This fixes massive memory corruption when using the sound driver
layer, which passes things like __GFP_COMP down into these
routines and (correctly) expects that to work.

This is a disk eater when sound is used, so it's pretty critical.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] SPARC64: Fix D-cache corruption in mremap
David Miller [Sat, 3 Jun 2006 01:30:58 +0000 (18:30 -0700)]
[PATCH] SPARC64: Fix D-cache corruption in mremap

If we move a mapping from one virtual address to another,
and this changes the virtual color of the mapping to those
pages, we can see corrupt data due to D-cache aliasing.

Check for and deal with this by overriding the move_pte()
macro.  Set things up so that other platforms can cleanly
override the move_pte() macro too.

This long standing bug corrupts user memory, and in particular
has been notorious for corrupting Debian package database
files on sparc64 boxes.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] USB: Whiteheat: fix firmware spurious errors
Stuart MacDonald [Wed, 31 May 2006 17:28:40 +0000 (13:28 -0400)]
[PATCH] USB: Whiteheat: fix firmware spurious errors

Attached patch fixes spurious errors during firmware load.

Signed-off-by: Stuart MacDonald <stuartm@connecttech.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
18 years ago  Linux 2.6.16.21 v2.6.16.21
Chris Wright [Tue, 20 Jun 2006 08:55:00 +0000 (01:55 -0700)]
Linux 2.6.16.21

18 years ago  [PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)
Patrick McHardy [Mon, 19 Jun 2006 17:14:21 +0000 (19:14 +0200)]
[PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)

Fix endless loop in the SCTP match similar to those already fixed in the
SCTP conntrack helper (was CVE-2006-1527).

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
18 years ago  [PATCH] run_posix_cpu_timers: remove a bogus BUG_ON() (CVE-2006-2445)
Oleg Nesterov [Thu, 15 Jun 2006 16:11:43 +0000 (20:11 +0400)]
[PATCH] run_posix_cpu_timers: remove a bogus BUG_ON() (CVE-2006-2445)

do_exit() clears ->it_##clock##_expires, but nothing prevents
another cpu from attaching the timer to the exiting process after that.
arm_timer() tries to protect against this race, but the check
is racy.

After exit_notify() does 'write_unlock_irq(&tasklist_lock)' and
before do_exit() calls schedule(), a local timer interrupt can find
tsk->exit_state != 0. If that state was EXIT_DEAD (or another cpu
does sys_wait4) the interrupted task has ->signal == NULL.

At this moment the exiting task has no pending cpu timers; they were
cleaned up in __exit_signal()->posix_cpu_timers_exit{,_group}(),
so we can just return from irq.

John Stultz recently confirmed this bug, see

http://marc.theaimsgroup.com/?l=linux-kernel&m=115015841413687

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
18 years ago  [PATCH] check_process_timers: fix possible lockup
Oleg Nesterov [Thu, 15 Jun 2006 16:11:15 +0000 (20:11 +0400)]
[PATCH] check_process_timers: fix possible lockup

If the local timer interrupt happens just after do_exit() sets PF_EXITING
(and before it clears ->it_xxx_expires) run_posix_cpu_timers() will call
check_process_timers() with tasklist_lock + ->siglock held and

check_process_timers:

    t = tsk;
    do {
        ....

        do {
            t = next_thread(t);
        } while (unlikely(t->flags & PF_EXITING));
    } while (t != tsk);

the outer loop will never stop.

Actually, the window is bigger.  Another process can attach the timer
after ->it_xxx_expires was cleared (see the next commit) and the 'if
(PF_EXITING)' check in arm_timer() is racy (see the one after that).

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
18 years ago  [PATCH] powerpc: Fix machine check problem on 32-bit kernels (CVE-2006-2448)
Paul Mackerras [Fri, 9 Jun 2006 03:02:59 +0000 (13:02 +1000)]
[PATCH] powerpc: Fix machine check problem on 32-bit kernels (CVE-2006-2448)

This fixes a bug found by Dave Jones that means that it is possible
for userspace to provoke a machine check on 32-bit kernels.  This
also fixes a couple of other places where I found similar problems
by inspection.

Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
18 years ago  Linux 2.6.16.20 v2.6.16.20
Chris Wright [Mon, 5 Jun 2006 17:18:23 +0000 (10:18 -0700)]
Linux 2.6.16.20

18 years ago  [PATCH] sbp2: fix check of return value of hpsb_allocate_and_register_addrspace
Stefan Richter [Sat, 3 Jun 2006 00:00:33 +0000 (02:00 +0200)]
[PATCH] sbp2: fix check of return value of hpsb_allocate_and_register_addrspace

I added a failure check in patch "sbp2: variable status FIFO address
(fix login timeout)" --- alas for a wrong error value.  This is a bug
since Linux 2.6.16.  Leads to NULL pointer dereference if the call
failed, and bogus failure handling if call succeeded.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
18 years ago  [PATCH] sbp2: backport read_capacity workaround for iPod
Stefan Richter [Fri, 2 Jun 2006 17:34:30 +0000 (19:34 +0200)]
[PATCH] sbp2: backport read_capacity workaround for iPod

There is a firmware bug in several Apple iPods which prevents access to
these iPods under certain conditions. The disk size reported by the iPod
is one sector too big. Once access to the end of the disk is attempted,
the iPod becomes inaccessible. This problem has been known for USB iPods
for some time and has recently been discovered to exist with
FireWire/USB combo iPods too.

This patch is derived from the fix in Linux 2.6.17, commit
e9a1c52c7b19d10342226c12f170d7ab644427e2, to be applicable to 2.6.16.x
without prerequisite patches. It hard-wires a workaround for three known
affected model numbers (those of 4th generation iPod, iPod Photo, iPod
mini).

Note: This patch lacks Linux 2.6.17's ability to enable and disable the
workaround via a module parameter.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] x86_64: Don't do syscall exit tracing twice
Andi Kleen [Thu, 1 Jun 2006 01:26:58 +0000 (03:26 +0200)]
[PATCH] x86_64: Don't do syscall exit tracing twice

This fixes a regression from the earlier DOS fix for non canonical
IRET addresses. It broke UML.

int_ret_from_syscall already does syscall exit tracing, so
no need to do it again in the caller.

This caused problems for UML and some other special programs doing
syscall interception.

Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] x86_64: x86_64 add crashdump trigger points
Vivek Goyal [Tue, 18 Apr 2006 10:35:13 +0000 (12:35 +0200)]
[PATCH] x86_64: x86_64 add crashdump trigger points

o Start booting into the capture kernel after an Oops if the system is in an
  unrecoverable state. The system will boot into the capture kernel, if one is
  pre-loaded by the user, and capture the kernel core dump.

o One of the following conditions should be true to trigger the booting of
  capture kernel.
        - panic_on_oops is set.
        - pid of current thread is 0
        - pid of current thread is 1
        - Oops happened inside interrupt context.

Signed-off-by: Vivek Goyal <vgoyal@in.ibm.com>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
18 years ago  [PATCH] ipw2200: Filter unsupported channels out in ad-hoc mode
Zhu Yi [Wed, 1 Mar 2006 21:55:51 +0000 (05:55 +0800)]
[PATCH] ipw2200: Filter unsupported channels out in ad-hoc mode

Currently iwlist ethX freq[uency]/channel lists all the channels the card
supports for the current region, which includes some channels that can only
be used in infrastructure mode. This patch filters these channels out if
the card is currently in ad-hoc mode.

Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
18 years ago  [PATCH] the latest consensus libata resume fix
Mark Lord [Sun, 28 May 2006 15:28:00 +0000 (11:28 -0400)]
[PATCH] the latest consensus libata resume fix

Okay, just to sum things up.

This forces libata to wait for up to 2 seconds for BUSY|DRQ to clear
on resume before continuing.

[jgarzik adds...]  During testing we never saw DRQ asserted, but
nonetheless (a) this works and (b) testing for DRQ won't hurt.

Signed-off-by: Mark Lord <liml@rtr.ca>
Acked-by: Jens Axboe <axboe@suse.de>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] ohci1394, sbp2: fix "scsi_add_device failed" with PL-3507 based devices
Stefan Richter [Sat, 27 May 2006 12:11:18 +0000 (14:11 +0200)]
[PATCH] ohci1394, sbp2: fix "scsi_add_device failed" with PL-3507 based devices

Re-enable posted writes for status FIFO.
Besides bringing back a very minor bandwidth tweak from Linux 2.6.15.x
and older, this also fixes an interoperability regression since 2.6.16:
http://bugzilla.kernel.org/show_bug.cgi?id=6356
(sbp2: scsi_add_device failed. IEEE1394 HD is not working anymore.)

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Tested-by: Vanei Heidemann <linux@javanei.com.br>
Tested-by: Martin Putzlocher <mputzi@gmx.de> (chip type unconfirmed)
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] Input: psmouse - fix new device detection logic
Dmitry Torokhov [Sat, 29 Apr 2006 09:12:44 +0000 (05:12 -0400)]
[PATCH] Input: psmouse - fix new device detection logic

Input: psmouse - fix new device detection logic

Reported to fix http://bugs.gentoo.org/130846

Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Cc: Daniel Drake <dsd@gentoo.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] PowerMac: force only suspend-to-disk to be valid
Johannes Berg [Fri, 26 May 2006 01:44:24 +0000 (18:44 -0700)]
[PATCH] PowerMac: force only suspend-to-disk to be valid

For a very long time, echoing 'standby' or 'mem' into /sys/power/state has
killed the machine on powerpc.  This patch fixes that.

This patch adds the .valid callback to pm_ops on PowerMac so that only the
suspend to disk state can be entered.  Note that just returning 0 would
suffice since the upper layers don't pass PM_SUSPEND_DISK down, but we
handle it there regardless just in case that changes.

Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] Cpuset: might sleep checking zones allowed fix
Paul Jackson [Tue, 23 May 2006 00:56:07 +0000 (17:56 -0700)]
[PATCH] Cpuset: might sleep checking zones allowed fix

Fix an infrequently encountered 'sleeping function called
from invalid context' in the cpuset hooks in __alloc_pages.
Could sleep while interrupts disabled.

The routine cpuset_zone_allowed() is called by code in
mm/page_alloc.c __alloc_pages() to determine if a zone is
allowed in the current task's cpuset.  This routine can sleep,
for certain GFP_KERNEL allocations, if the zone is on a memory
node not allowed in the current cpuset, but might be allowed
in a parent cpuset.

But we can't sleep in __alloc_pages() if in interrupt, nor
if called for a GFP_ATOMIC request (__GFP_WAIT not set in
gfp_flags).

The rule was intended to be:
  Don't call cpuset_zone_allowed() if you can't sleep, unless you
  pass in the __GFP_HARDWALL flag set in gfp_flag, which disables
  the code that might scan up ancestor cpusets and sleep.

This rule was being violated due to a bogus change made (by myself,
pj) to __alloc_pages() as part of the November 2005 effort to
cleanup its logic.

The bogus change can be seen at:
  http://linux.derkeiler.com/Mailing-Lists/Kernel/2005-11/4691.html
  [PATCH 01/05] mm fix __alloc_pages cpuset ALLOC_* flags

This was first noticed on a tight memory system, in code that
was disabling interrupts and doing allocation requests with
__GFP_WAIT not set, which resulted in __might_sleep() writing
complaints to the log "Debug: sleeping function called ...",
when the code in cpuset_zone_allowed() tried to take the
callback_sem cpuset semaphore.

Special thanks to Dave Chinner, for figuring this out,
and a tip of the hat to Nick Piggin who warned me of this
back in Nov 2005, before I was ready to listen.

Signed-off-by: Paul Jackson <pj@sgi.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 years ago  [PATCH] Altix: correct ioc3 port order
Pat Gefre [Mon, 1 May 2006 19:16:08 +0000 (12:16 -0700)]
[PATCH] Altix: correct ioc3 port order

Currently loading the ioc3 as a module will cause the ports to be numbered
in reverse order.  This mod maintains the proper order of cards for port
numbering.

Signed-off-by: Patrick Gefre <pfg@sgi.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
18 years ago  [PATCH] Altix: correct ioc4 port order
Brent Casavant [Thu, 4 May 2006 02:55:10 +0000 (19:55 -0700)]
[PATCH] Altix: correct ioc4 port order

Currently loading the ioc4 as a module will cause the ports to be numbered
in reverse order.  This mod maintains the proper order of cards for port
numbering.

Signed-off-by: Brent Casavant <bcasavan@sgi.com>
Cc: Pat Gefre <pfg@sgi.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
18 years ago  Linux 2.6.16.19 v2.6.16.19
Chris Wright [Wed, 31 May 2006 00:31:44 +0000 (17:31 -0700)]
Linux 2.6.16.19