Alan Cox [Wed, 4 Apr 2007 19:34:22 +0000 (21:34 +0200)]
ide-floppy: Fix unformatted media crash
A ZIP or similar with unformatted media will cause crashes when attempts
are made to read/write it in some cases. This is because bs_factor is
zero and we divide by it causing an oops.
As the size of a non-accessible/non-existant media is really a bit of a
zen question it doesn't matter if non-existant media is 512 bytes per
sector or zero. Setting it to 1 causes us to generate 512 bytes/sector
accesses and error properly.
Based on a fix found lurking in an ancient bugzilla entry since about 2004 (ugghhh)
Signed-off-by: Alan Cox <alan@redhat.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Patrick McHardy [Tue, 3 Apr 2007 02:03:55 +0000 (04:03 +0200)]
[IFB]: Fix crash on input device removal
The input_device pointer is not refcounted, which means the device may
disappear while packets are queued, causing a crash when ifb passes packets
with a stale skb->dev pointer to netif_rx().
Fix by storing the interface index instead and do a lookup where neccessary.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
David S. Miller [Mon, 2 Apr 2007 23:50:31 +0000 (01:50 +0200)]
[VIDEO] ffb: Fix two DAC handling bugs.
The determination of whether the DAC has inverted cursor logic is
broken, import the version checks the X.org driver uses to fix this.
Next, when we change the timing generator, borrow code from X.org that
does 10 NOP reads of the timing generator register afterwards to make
sure the video-enable transition occurs cleanly.
Finally, use macros for the DAC registers and fields in order to
provide documentation for the next person who reads this code.
Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Eric Sesterhenn [Wed, 28 Mar 2007 20:35:52 +0000 (22:35 +0200)]
[ALSA] fix NULL pointer dereference in sound/synth/emux/soundfont.c
this is about coverity id #100.
It seems the if statement is negated, since the else branch calls
remove_info() with sflist->currsf as a parameter where it gets
dereferenced.
Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Takashi Iwai [Wed, 28 Mar 2007 20:29:24 +0000 (22:29 +0200)]
[ALSA] hda-intel - Don't try to probe invalid codecs
Fix the max number of codecs detected by HD-intel (and compatible)
controllers.
ATI controllers may have up to 4 codecs while ICH up to 3.
Now max codecs is defined according to the driver type, either 3 or 4.
Currently 4 is set only to ATI chips. Other might need the same
change, too.
Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Takashi Iwai [Wed, 28 Mar 2007 20:28:59 +0000 (22:28 +0200)]
[ALSA] hda-codec - Don't return error at initialization of modem codec
Some modem codec seem to fail in the initialization, and this
stopped loading of the whole module although the audio is OK.
Since it's usually a non-fatal issue, the driver tries to proceed
to initialize now.
Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
[IPV6] HASHTABLES: Use appropriate seed for caluculating ehash index.
Tetsuo Handa <handat@pm.nttdata.co.jp> told me that connect(2) with TCPv6
socket almost always took a few minutes to return when we did not have any
ports available in the range of net.ipv4.ip_local_port_range.
The reason was that we used incorrect seed for calculating index of
hash when we check established sockets in __inet6_check_established().
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Patrick McHardy [Wed, 28 Mar 2007 19:58:20 +0000 (21:58 +0200)]
[NET_SCHED]: Fix ingress locking
Ingress queueing uses a seperate lock for serializing enqueue operations,
but fails to properly protect itself against concurrent changes to the
qdisc tree. Use queue_lock for now since the real fix it quite intrusive.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
cls_basic doesn't allocate tp->root before it is linked into the
active classifier list, resulting in a NULL pointer dereference
when packets hit the classifier before its ->change function is
called.
Reported by Chris Madden <chris@reflexsecurity.com>
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Marcelo Ricardo Leitner <mrl@mandriva.com> Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Patrick McHardy [Wed, 28 Mar 2007 19:31:36 +0000 (21:31 +0200)]
[NET_SCHED]: Fix endless loops caused by inaccurate qlen counters
There are multiple problems related to qlen adjustment that can lead
to an upper qdisc getting out of sync with the real number of packets
queued, leading to endless dequeueing attempts by the upper layer code.
All qdiscs must maintain an accurate q.qlen counter. There are basically
two groups of operations affecting the qlen: operations that propagate
down the tree (enqueue, dequeue, requeue, drop, reset) beginning at the
root qdisc and operations only affecting a subtree or single qdisc
(change, graft, delete class). Since qlen changes during operations from
the second group don't propagate to ancestor qdiscs, their qlen values
become desynchronized.
This patch adds a function to propagate qlen changes up the qdisc tree,
optionally calling a callback function to perform qdisc-internal
maintenance when the child qdisc is deactivated, and converts all
qdiscs to use this where necessary.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Russell King [Wed, 28 Mar 2007 19:28:32 +0000 (21:28 +0200)]
[SERIAL] Fix oops when removing suspended serial port
A serial card might have been removed when the system is resumed.
This results in a suspended port being shut down, which results in
the ports shutdown method being called twice in a row. This causes
BUGs. Avoid this by tracking the suspended state separately from
the initialised state.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Neil Brown [Mon, 26 Mar 2007 21:40:42 +0000 (23:40 +0200)]
MD: Fix problem where hot-added drives are not resynced.
If a drive is added with HOT_ADD_DISK rather than ADD_NEW_DISK,
saved_raid_disk isn't initialised properly, and the drive can be
included in the array without a resync.
Pete Zaitcev [Sun, 25 Mar 2007 01:24:11 +0000 (03:24 +0200)]
USB: unusual_devs.h for 0x046b:ff40
American Megatrends did something wrong in their floppy emulator. It breaks
with both kinds of MODE SENSE which our stack sends. Alan and I tried a few
tweaks, and got LUNs sensed right, but US_FL_NO_WP_DETECT is still needed.
I set the firmware bracket to 1.00 exactly, in case AMI or Sun fix it with a
firmware update. Hey, you never know.
Signed-off-by: Pete Zaitcev <zaitcev@redhat.com> Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Phil Dibowitz [Sun, 25 Mar 2007 01:23:20 +0000 (03:23 +0200)]
USB: Fix UCR-61S2B unusual_dev entry
Recently this entry's bcd scope was narrowed so as not to falsly apply
to bcd's other than 0x0110. But while it breaks those of a larger bcd,
it is still needed for those of a smaller bcd - so this changes the
lower bcd limit to 0x0000.
Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Alan Stern [Sun, 25 Mar 2007 01:22:24 +0000 (03:22 +0200)]
unusual_devs update for UCR-61S2B
The existing unusual_devs entry for the UCR-61S2B appears to have too
wide a revision range. It matches at least one device that doesn't
respond to the initialization sequence. Perhaps the sequence needs to
be updated, or perhaps something else can be done. For now, this patch
(as764) restricts the range to include only the revision mentioned in
the original comment.
This resolves (for now!) Bugzilla entry #6950.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Jaco Kroon [Sun, 25 Mar 2007 01:14:22 +0000 (03:14 +0200)]
USB: add Digitech USB-Storage to unusual_devs.h
The mass storage device from Digitech designed for Flash Cards, as found
on (for example) the GNX4 device has issues with residue, similar to the
bug report at http://kerneltrap.org/node/6297. This patch adds the
faulty storage device to unusual_devs.h, this not only reduces the noise
in dmesg but also increases the transfer speeds by a factor of 7x for me
(89kB/s -> 637kB/s).
Phil Dibowitz [Sun, 25 Mar 2007 01:10:17 +0000 (03:10 +0200)]
USB: usb-storage: Unusual_dev update
The protocol in this entry is needed for some versions of the device but
not others. This adds the NEED_OVERRIDE flag to prevent it complaining
to users who don't need it.
Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Alan Stern [Sun, 25 Mar 2007 01:02:24 +0000 (03:02 +0200)]
USB: unusual_devs entry for Lacie DVD+-RW
This patch (as781) adds an entry to unusual_devs.h for the Lacie DVD+-RW
drive. Apparently its USB interface has requirements similar to the
Genesys Logic interface; it doesn't like data to be sent too soon after
a command.
This fixes Bugzilla #6817.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Alan Stern [Sun, 25 Mar 2007 00:55:30 +0000 (01:55 +0100)]
USB: unusual_devs entry for Nokia N91
This patch (as745) adds an unusual_devs entry for the Nokia N91, just like
the entry for the N80 added a couple of weeks ago. Apparently Nokia isn't
using very good firmware these days...
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Phil Dibowitz [Sun, 25 Mar 2007 00:54:59 +0000 (01:54 +0100)]
USB Storage: US_FL_MAX_SECTORS_64 flag
This patch adds a US_FL_MAX_SECTORS_64 and removes the Genesys special-cases
for this that were in scsiglue.c. It also adds the flag to other devices
reported to need it.
Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Matthew Dharm <mdharm-usb@one-eyed-alien.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Alan Stern [Sun, 25 Mar 2007 00:52:12 +0000 (01:52 +0100)]
usb-storage: unusual_devs entry for Nikon DSC D70s
This patch (as704) adds an unusual_devs entry for the Nikon DSC D70s,
which uses a different Product ID from the D70. It also moves the entry
for the DSC E2000 up in the list, to preserve the numerical ordering.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Phil Dibowitz [Sun, 25 Mar 2007 00:50:55 +0000 (01:50 +0100)]
USB: Storage: unusual devs update
This patch removes the Protocol portion of the Iomega Click! device as it's not
needed. Not-needed message reported by Kenneth Crudup <kenny@panix.com>
Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Phil Dibowitz [Sun, 25 Mar 2007 00:48:23 +0000 (01:48 +0100)]
USB: storage: sandisk unusual_devices entry
The following adds an unusual_devs entry for the SanDisk ImageMate CompactFlash
USB drive, for the US_FL_FIX_CAPACITY flag. Additionally, it removes trailing
whitespace from the previous entry. It's based on the patch sent by Roman Hodek
<roman@hodek.net>.
Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Patrick McHardy [Sat, 24 Mar 2007 20:30:53 +0000 (21:30 +0100)]
[NETFILTER]: nfnetlink_log: fix crash on bridged packet
physoutdev is only set on purely bridged packet, when nfnetlink_log is used
in the OUTPUT/FORWARD/POSTROUTING hooks on packets forwarded from or to a
bridge it crashes when trying to dereference skb->nf_bridge->physoutdev.
Reported by Holger Eitzenberger <heitzenberger@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Patrick McHardy [Sat, 24 Mar 2007 20:30:06 +0000 (21:30 +0100)]
[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
The individual fragments of a packet reassembled by conntrack have the
conntrack reference from the reassembled packet attached, but nfctinfo
is not copied. This leaves it initialized to 0, which unfortunately is
the value of IP_CT_ESTABLISHED.
The result is that all IPv6 fragments are tracked as ESTABLISHED,
allowing them to bypass a usual ruleset which accepts ESTABLISHED
packets early.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Patrick McHardy [Sat, 24 Mar 2007 20:26:20 +0000 (21:26 +0100)]
NETFILTER: xt_connbytes: fix division by zero
When the packet counter of a connection is zero a division by zero
occurs in div64_64(). Fix that by using zero as average value, which
is correct as long as the packet counter didn't overflow, at which
point we have lost anyway.
Based on patch from Jonas Berlin <xkr47@outerspace.dyndns.org>,
with suggestions from KOVACS Krisztian <hidden@balabit.hu>.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Patrick McHardy [Sat, 24 Mar 2007 20:22:33 +0000 (21:22 +0100)]
NETFILTER: nf_conntrack_ipv6: fix crash when handling fragments
When IPv6 connection tracking splits up a defragmented packet into
its original fragments, the packets are taken from a list and are
passed to the network stack with skb->next still set. This causes
dev_hard_start_xmit to treat them as GSO fragments, resulting in
a use after free when connection tracking handles the next fragment.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Patrick McHardy [Sat, 24 Mar 2007 20:22:09 +0000 (21:22 +0100)]
NETFILTER: Fix iptables ABI breakage on (at least) CRIS
With the introduction of x_tables we accidentally broke compatibility
by defining IPT_TABLE_MAXNAMELEN to XT_FUNCTION_MAXNAMELEN instead of
XT_TABLE_MAXNAMELEN, which is two bytes larger.
On most architectures it doesn't really matter since we don't have
any tables with names that long in the kernel and the structure
layout didn't change because of alignment requirements of following
members. On CRIS however (and other architectures that don't align
data) this changed the structure layout and thus broke compatibility
with old iptables binaries.
Changing it back will break compatibility with binaries compiled
against recent kernels again, but since the breakage has only been
there for three releases this seems like the better choice.
Spotted by Jonas Berlin <xkr47@outerspace.dyndns.org>.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Patrick McHardy [Sat, 24 Mar 2007 20:18:01 +0000 (21:18 +0100)]
NETFILTER: Kconfig: fix xt_physdev dependencies
xt_physdev depends on bridge netfilter, which is a boolean, but can still
be built modular because of special handling in the bridge makefile. Add
a dependency on BRIDGE to prevent XT_MATCH_PHYSDEV=y, BRIDGE=m.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Ed Swierk [Tue, 20 Mar 2007 23:28:30 +0000 (00:28 +0100)]
load_module: no BUG if module_subsys uninitialized
Invoking load_module() before param_sysfs_init() is called crashes in
mod_sysfs_setup(), since the kset in module_subsys is not initialized yet.
In my case, net-pf-1 is getting modprobed as a result of hotplug trying to
create a UNIX socket. Calls to hotplug begin after the topology_init
initcall.
Another patch for the same symptom (module_subsys-initialize-earlier.patch)
moves param_sysfs_init() to the subsys initcalls, but this is still not
early enough in the boot process in some cases. In particular,
topology_init() causes /sbin/hotplug to run, which requests net-pf-1 (the
UNIX socket protocol) which can be compiled as a module. Moving
param_sysfs_init() to the postcore initcalls fixes this particular race,
but there might well be other cases where a usermodehelper causes a module
to load earlier still.
The patch makes load_module() return an error rather than crashing the
kernel if invoked before module_subsys is initialized.
Keith Mannthey [Tue, 20 Mar 2007 23:21:48 +0000 (00:21 +0100)]
i386 bootioremap / kexec fix
With CONFIG_PHYSICAL_START set to a non default values the i386
boot_ioremap code calculated its pte index wrong and users of boot_ioremap
have their areas incorrectly mapped (for me SRAT table not mapped during
early boot). This patch removes the addr < BOOT_PTE_PTRS constraint.
Signed-off-by: Keith Mannthey <kmannth@us.ibm.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
The ipv6_fl_socklist from listening socket is inadvertently shared
with new socket created for connection. This leads to a variety of
interesting, but fatal, bugs. For example, removing one of the
sockets may lead to the other socket's encountering a page fault
when the now freed list is referenced.
The fix is to not share the flow label list with the new socket.
Signed-off-by: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Robert Olsson [Tue, 20 Mar 2007 22:21:39 +0000 (23:21 +0100)]
[IPV4]: Do not disable preemption in trie_leaf_remove().
Hello, Just discussed this Patrick...
We have two users of trie_leaf_remove, fn_trie_flush and fn_trie_delete
both are holding RTNL. So there shouldn't be need for this preempt stuff.
This is assumed to a leftover from an older RCU-take.
> Mhh .. I think I just remembered something - me incorrectly suggesting
> to add it there while we were talking about this at OLS :) IIRC the
> idea was to make sure tnode_free (which at that time didn't use
> call_rcu) wouldn't free memory while still in use in a rcu read-side
> critical section. It should have been synchronize_rcu of course,
> but with tnode_free using call_rcu it seems to be completely
> unnecessary. So I guess we can simply remove it.
Signed-off-by: Robert Olsson <robert.olsson@its.uu.se> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Joy Latten [Tue, 20 Mar 2007 22:19:34 +0000 (23:19 +0100)]
[XFRM]: Fix missing protocol comparison of larval SAs.
I noticed that in xfrm_state_add we look for the larval SA in a few
places without checking for protocol match. So when using both
AH and ESP, whichever one gets added first, deletes the larval SA.
It seems AH always gets added first and ESP is always the larval
SA's protocol since the xfrm->tmpl has it first. Thus causing the
additional km_query()
Adding the check eliminates accidental double SA creation.
Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Marcel Holtmann [Sun, 11 Mar 2007 06:39:14 +0000 (07:39 +0100)]
Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005)
Based on a patch from Don Howard <dhoward@redhat.com>
When calling write() with a buffer larger than 512 bytes, the
driver's write buffer overflows, allowing to overwrite the EIP and
execute arbitrary code with kernel privileges.
In read(), there exists a similar problem, but coming from the device.
A malicous or buggy device sending more than 512 bytes can overflow
of the driver's read buffer, with the same effects as above.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
IB/mthca: Fix off-by-one in FMR handling on memfree
From: Michael S. Tsirkin <mst@mellanox.co.il>
mthca_table_find() will return the wrong address when the table entry
being searched for is exactly at the beginning of a sglist entry
(other than the first), because it uses >= when it should use >.
Example: assume we have 2 entries in scatterlist, 4K each, offset is 4K.
The current code will return first entry + 4K when we really want
the second entry.
In particular this means mapping an FMR on a memfree HCA may end up
writing the page table into the wrong place, leading to memory
corruption and also causing the HCA to use an incorrect address
translation table.
Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
projects / karo-tx-linux.git / log