This fixes not one, but _two_, silly (but admittedly hard to hit) bugs
in the ext2 filesystem "readdir()" function. It also cleans up the code
to avoid the unnecessary goto mess.
The bugs were related to re-validating the f_pos value after somebody had
either done an "lseek()" on the directory to an invalid offset, or when
the offset had become invalid due to a file being unlinked in the
directory. The code would not only set the f_version too eagerly, it
would also not update f_pos appropriately for when the offset fixup took
place.
When that happened, we'd occasionally subsequently fail the readdir()
even when we shouldn't (no real harm done, but an ugly printk, and
obviously you would end up not necessarily seeing all entries).
Thanks to Masoud Sharbiani <masouds@google.com> who noticed the problem
and had a test-case for it, and also fixed up a thinko in the first
version of this patch.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Masoud Sharbiani <masouds@google.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
David S. Miller [Fri, 24 Mar 2006 06:54:18 +0000 (22:54 -0800)]
[PATCH] NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated.
The user can pass us arbitrary garbage so we should ensure the
string they give us is null terminated before we pass it on
to dev_get_by_index() et al.
Found by Solar Designer.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Right now I think the code is a nonsense. Most likely, I copied it from
old ip_build_xmit(), where it was really special, we had to decide
whether to generate unique ID when generating the first (well, the last)
fragment.
In ip_push_pending_frames() it does not make sense, it should use plain
ip_select_ident() instead.
Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dave Johnson [Mon, 6 Mar 2006 23:42:36 +0000 (15:42 -0800)]
[PATCH] cramfs mounts provide corrupted content since 2.6.15
Fix handling of cramfs images created by util-linux containing empty
regular files. Images created by cramfstools 1.x were ok.
Fill out inode contents in cramfs_iget5_set() instead of get_cramfs_inode()
to prevent issues if cramfs_iget5_test() is called with I_LOCK|I_NEW still
set.
Signed-off-by: Dave Johnson <djohnson+linux-kernel@sw.starentnetworks.com>
Cc: Olaf Hering <olh@suse.de>
Cc: Chris Mason <mason@suse.com>
Cc: Andreas Gruenbacher <agruen@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Randy Dunlap [Thu, 9 Mar 2006 01:43:17 +0000 (17:43 -0800)]
[PATCH] compat ifconf: fix limits
A recent change to compat. dev_ifconf() in fs/compat_ioctl.c
causes ifconf data to be truncated 1 entry too early when copying it
to userspace. The correct amount of data (length) is returned,
but the final entry is empty (zero, not filled in).
The for-loop 'i' check should use <= to allow the final struct
ifreq32 to be copied. I also used the ifconf-corruption program
in kernel bugzilla #4746 to make sure that this change does not
re-introduce the corruption.
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The size of the skb carrying the netlink message is not
equivalent to the length of the actual netlink message
due to padding. ip_queue matches the length of the payload
against the original packet size to determine if packet
mangling is desired, due to the above wrong assumption
arbitrary packets may not be mangled depending on their
original size.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Roland Dreier [Tue, 7 Mar 2006 04:23:33 +0000 (20:23 -0800)]
[PATCH] IB/srp: Don't send task management commands after target removal
Just fail abort and reset requests that come in after we've already
decided to remove a target. This fixes a nasty crash if a storage
target goes away.
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dave Jones [Thu, 2 Mar 2006 04:10:31 +0000 (23:10 -0500)]
[PATCH] mempolicy.c compile fix, make sure BITS_PER_BYTE is defined
Gar..
mm/mempolicy.c: In function 'get_nodes':
mm/mempolicy.c:527: error: 'BITS_PER_BYTE' undeclared (first use in this function)
mm/mempolicy.c:527: error: (Each undeclared identifier is reported only once
mm/mempolicy.c:527: error: for each function it appears in.)
About to retry a build with the below patch which should do the trick.
(How did this *ever* build?)
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Chris Wright [Thu, 2 Mar 2006 07:19:25 +0000 (23:19 -0800)]
[PATCH] fs/nfs/direct.c compile fix
Compile fix:
fs/nfs/direct.c: In function 'nfs_get_user_pages':
fs/nfs/direct.c:110: warning: implicit declaration of function 'nfs_free_user_pages'
fs/nfs/direct.c: At top level:
fs/nfs/direct.c:127: warning: conflicting types for 'nfs_free_user_pages'
fs/nfs/direct.c:127: error: static declaration of 'nfs_free_user_pages' follows non-static declaration
fs/nfs/direct.c:110: error: previous implicit declaration of 'nfs_free_user_pages' was here
This should now be the same as fix that's going upstream.
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Trond Myklebust <trond.myklebust@fys.uio.no>
Tony Luck [Tue, 28 Feb 2006 00:18:58 +0000 (16:18 -0800)]
[PATCH] die_if_kernel() can return (CVE-2006-0742)
arch/ia64/kernel/unaligned.c erroneously marked die_if_kernel()
with a "noreturn" attribute ... which is silly (it returns whenever
the argument regs say that the fault happened in user mode, as one
might expect given the "if_kernel" part of its name!). Thanks to
Alan and Gareth for pointing this out.
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
[PATCH] Don't reset rskq_defer_accept in reqsk_queue_alloc
In 295f7324ff8d9ea58b4d3ec93b1aaa1d80e048a9 I moved defer_accept from
tcp_sock to request_queue and mistakenly reset it at reqsk_queue_alloc, causing
calls to setsockopt(TCP_DEFER_ACCEPT ) to be lost after bind, the fix is to
remove the zeroing of rskq_defer_accept from reqsk_queue_alloc.
Thanks to Alexandra N. Kossovsky <Alexandra.Kossovsky@oktetlabs.ru> for
reporting and testing the suggested fix.
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Jack Morgenstein [Mon, 27 Feb 2006 21:44:40 +0000 (13:44 -0800)]
[PATCH] IB/mthca: max_inline_data handling tweaks
Fix a case where copying max_inline_data from a successful create_qp
capabilities output to create_qp input could cause EINVAL error:
mthca_set_qp_size must check max_inline_data directly against
max_desc_sz; checking qp->sq.max_gs is wrong since max_inline_data
depends on the qp type and does not involve max_sg.
Signed-off-by: Jack Morgenstein <jackm@mellanox.co.il>
Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Mike O'Connor [Wed, 15 Feb 2006 05:17:24 +0000 (00:17 -0500)]
[PATCH] XFS ftruncate() bug could expose stale data (CVE-2006-0554)
This is CVE-2006-0554 and SGI bug 942658. With certain types of
ftruncate() activity on 2.6 kernels, XFS can end up exposing stale
data off disk to a user, putting extents where holes should be.
Stefan Richter [Sun, 26 Feb 2006 23:52:53 +0000 (00:52 +0100)]
[PATCH] sbp2: fix another deadlock after disconnection
sbp2: fix another deadlock after disconnection
If there were commands enqueued but not completed before an SBP-2 unit
was unplugged (or an attempt to reconnect failed), knodemgrd or any
process which tried to remove the device would sleep uninterruptibly
in blk_execute_rq(). Therefore make sure that all commands are
completed when sbp2 retreats.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Stefan Richter [Sun, 26 Feb 2006 23:16:10 +0000 (00:16 +0100)]
[PATCH] sd: fix memory corruption with broken mode page headers
sd: fix memory corruption with broken mode page headers
There's a problem in sd where we blindly believe the length of the
headers and block descriptors. Some devices return insane values for
these and cause our length to end up greater than the actual buffer
size, so check to make sure.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Also removed the buffer size magic number (512) and added DPOFUA of
zero to the defaults
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
rediff for 2.6.15.x without DPOFUA bit, taken from commit 489708007785389941a89fa06aedc5ec53303c96
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Alexey Kuznetsov [Mon, 27 Feb 2006 08:28:32 +0000 (00:28 -0800)]
[PATCH] Fix a severe bug
netlink overrun was broken during the improvement of netlink.
Destination socket is used in the place where it was meant to be source socket,
so that now overrun is never sent to user netlink sockets, when it should be,
and it even can be set on kernel socket, which results in complete deadlock
of rtnetlink.
Suggested fix is to restore status quo passing source socket as additional
argument to netlink_attachskb().
A little explanation: overrun is set on a socket when it failed
to receive some message and the sender of this message does not, or even
has no way to, handle this error. This happens in two cases:
1. when kernel sends something. Kernel never retransmits and cannot
wait for buffer space.
2. when user sends a broadcast and the message was not delivered
to some recipients.
Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Fix a race in the receive NAPI, irq handling. The interrupt clear and the
start need to be separated. Otherwise there is a window between the last
frame received and the NAPI done level handling.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
This is a clone of John Linville's fix for speed setting on the sky2 driver.
The skge driver has the same code (and bug). It would not allow manually forcing
100 and 10 mbit.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Kaj-Michael Lang [Fri, 24 Feb 2006 21:04:15 +0000 (13:04 -0800)]
[PATCH] gbefb: IP32 gbefb depth change fix
The gbefb driver does not update the framebuffer layers visual setting when
depth is changed with fbset, resulting in strange colors (very dark blue in
16-bit, almost black in 24-bit).
Signed-off-by: Kaj-Michael Lang <milang@tal.org>
Signed-off-by: Martin Michlmayr <tbm@cyrius.com>
Signed-off-by: Antonino Daplas <adaplas@pol.net>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Martin Michlmayr [Fri, 24 Feb 2006 21:04:16 +0000 (13:04 -0800)]
[PATCH] gbefb: Set default of FB_GBE_MEM to 4 MB
Allocating more than 4 MB memory for the GBE (SGI O2) framebuffer completely
breaks gbefb support at the moment. According to comments on #mipslinux,
more than 4 MB has never worked correctly in Linux. Therefore, the default
should be 4 MB.
Signed-off-by: Martin Michlmayr <tbm@cyrius.com>
Signed-off-by: Antonino Daplas <adaplas@pol.net>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Simon Vogl [Fri, 24 Feb 2006 21:04:09 +0000 (13:04 -0800)]
[PATCH] cfi: init wait queue in chip struct
Fix a kernel oops for Intel P30 flashes, where the wait queue head was not
initialized for the flchip struct, which in turn caused a crash at the
first read operation.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
[PATCH] Fix snd-usb-audio in 32-bit compat environment
I'm getting oopses with snd-usb-audio in 32-bit compat environments:
control_compat.c:get_ctl_type() doesn't initialize 'info', so
'itemlist[uinfo->value.enumerated.item]' in
usbmixer.c:mixer_ctl_selector_info() might access random memory (The 'if
((int)uinfo->value.enumerated.item >= cval->max)' doesn't fix all problems
because of the unsigned -> signed conversion.)
Signed-off-by: Juergen Kreileder <jk@blackdown.de>
Cc: Jaroslav Kysela <perex@suse.cz>
Acked-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jean Delvare [Sun, 19 Feb 2006 14:34:03 +0000 (15:34 +0100)]
[PATCH] hwmon it87: Probe i2c 0x2d only
Only scan I2C address 0x2d. This is the default address and no IT87xxF
chip was ever seen on I2C at a different address. These chips are
better accessed through their ISA interface anyway.
This fixes bug #5889, although it doesn't address the whole class
of problems. We'd need the ability to blacklist arbitrary I2C addresses
on systems known to contain I2C devices which behave badly when probed.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Peter Staubach [Fri, 17 Feb 2006 21:52:36 +0000 (13:52 -0800)]
[PATCH] fix deadlock in ext2
Fix a deadlock possible in the ext2 file system implementation. This
deadlock occurs when a file is removed from an ext2 file system which was
mounted with the "sync" mount option.
The problem is that ext2_xattr_delete_inode() was invoking the routine,
sync_dirty_buffer(), using a buffer head which was previously locked via
lock_buffer(). The first thing that sync_dirty_buffer() does is to lock
the buffer head that it was passed. It does this via lock_buffer(). Oops.
The solution is to unlock the buffer head in ext2_xattr_delete_inode()
before invoking sync_dirty_buffer(). This makes the code in
ext2_xattr_delete_inode() obey the same locking rules as all other callers
of sync_dirty_buffer() in the ext2 file system implementation.
Signed-off-by: Peter Staubach <staubach@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Looks like somebody forgot to use the _bh spin_lock variant. We ran into a
deadlock where br->hello_timer expired while br_stp_disable_br() walked
br->port_list.
Signed-off-by: Adrian Drzewiecki <z@drze.net>
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dave Jones [Fri, 10 Feb 2006 21:27:11 +0000 (16:27 -0500)]
[PATCH] Fix s390 build failure.
arch/s390/kernel/compat_signal.c:199: error: conflicting types for 'do_sigaction'
include/linux/sched.h:1115: error: previous declaration of 'do_sigaction' was here
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Kristian Slavov [Wed, 15 Feb 2006 22:42:14 +0000 (23:42 +0100)]
[PATCH] Address autoconfiguration does not work after device down/up cycle
If you set network interface down and up again, the IPv6 address
autoconfiguration does not work. 'ip addr' shows that the link-local
address is in tentative state. We don't even react to periodic router
advertisements.
During NETDEV_DOWN we clear IF_READY, and we don't set it back in
NETDEV_UP. While starting to perform DAD on the link-local address, we
notice that the device is not in IF_READY, and we abort autoconfiguration
process (which would eventually send router solicitations).
Acked-by: Juha-Matti Tapio <jmtapio@verkkotelakka.net>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jeff Mahoney [Mon, 13 Feb 2006 06:34:55 +0000 (22:34 -0800)]
[PATCH] reiserfs: disable automatic enabling of reiserfs inode attributes
Unfortunately, the reiserfs_attrs_cleared bit in the superblock flag can
lie. File systems have been observed with the bit set, yet still contain
garbage in the stat data field, causing unpredictable results.
This patch backs out the enable-by-default behavior.
Hugh Dickins [Sun, 12 Feb 2006 19:26:05 +0000 (19:26 +0000)]
[PATCH] hugetlbfs mmap ENOMEM failure
2.6.15's hugepage faulting introduced huge_pages_needed accounting into
hugetlbfs: to count how many pages are already in cache, for spot check
on how far a new mapping may be allowed to extend the file. But it's
muddled: each hugepage found covers HPAGE_SIZE, not PAGE_SIZE. Once
pages were already in cache, it would overshoot, wrap its hugepages
count backwards, and so fail a harmless repeat mapping with -ENOMEM.
Fixes the problem found by Don Dupuis.
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Acked-By: Adam Litke <agl@us.ibm.com>
Acked-by: William Irwin <wli@us.ibm.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Andi Kleen [Mon, 13 Feb 2006 09:34:30 +0000 (10:34 +0100)]
[PATCH] i386: Move phys_proc_id/early intel workaround to correct function
early_cpu_detect only runs on the BP, but this code needs to run
on all CPUs. This will fix problems with the powernow-k8 driver
on dual core systems and general misdetection of AMD dual core.
Looks like a mismerge somewhere. Also add a warning comment.
Horms [Mon, 13 Feb 2006 02:14:57 +0000 (11:14 +0900)]
[PATCH] netfilter missing symbol has_bridge_parent
5dce971acf2ae20c80d5e9d1f6bbf17376870911 in Linus' tree,
otherwise known as bridge-netfilter-races-on-device-removal.patch in
2.5.15.4 removed has_bridge_parent, however this symbol is still
called when NETFILTER_DEBUG is enabled.
This patch uses the already seeded realoutdev value to detect if a parent
exists, and if so, the value of the parent.
Signed-Off-By: Horms <horms@verge.net.au>
Acked-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The addition of the .text section definition in the definition of
_GLOBAL overrides the .relocate_code section definition. As a result,
these two functions don't end up in .relocate_code, so they don't get
relocated correctly, and the boot fails.
There's another suspicious-looking usage at kernel/swsusp.S:37 that
someone should look into. I did not exhaustively search the source
tree, though.
The following is the minimal patch that fixes the immediate problem.
I could easily be convinced that the _GLOBAL definition should be
modified to remove the ".text;" line either instead of, or in addition
to, this fix.
Signed-off-by: Paul Janzen <pcj@linux.sez.to>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Neil Brown [Thu, 12 Jan 2006 09:05:23 +0000 (01:05 -0800)]
[PATCH] md: remove slashes from disk names when creation dev names in sysfs
e.g. The sx8 driver uses names like sx8/0.
This would make a md component dev name like
/sys/block/md0/md/dev-sx8/0
which is not allowed. So we change the '/' to '!' just like
fs/partitions/check.c(register_disk) does.
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Steve Langasek [Wed, 8 Feb 2006 06:24:17 +0000 (07:24 +0100)]
[PATCH] __cmpxchg() must really always be inlined
With the latest 2.6.15 kernel builds for alpha on Debian, we ran into a
problem with undefined references to __cmpxchg_called_with_bad_pointer() in
a couple of kernel modules (xfs.ko and drm.ko; see
http://bugs.debian.org/347556).
It looks like people have been trying to out-clever each other wrt the
definition of "inline" on this architecture :), with the result that
__cmpxchg(), which must be inlined so the compiler can see its argument is
const, is not guaranteed to be inlined. Indeed, it was not being inlined
when building with -Os.
The attached patch fixes the issue by adding an
__attribute__((always_inline)) explicitly to the definition of __cmpxchg()
instead of relying on redefines of "inline" elsewhere to make this happen.
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ashok Raj [Tue, 7 Feb 2006 11:37:09 +0000 (11:37 +0000)]
[PATCH] x86_64: Don't record local apic ids when they are disabled in MADT
Some broken BIOS's had processors disabled, but
same apic id as a valid processor. This causes
acpi_processor_start() to think this disabled
cpu is ok, and croak. So we don't record bad
apicids anymore.
Andi Kleen [Mon, 6 Feb 2006 23:18:55 +0000 (00:18 +0100)]
[PATCH] x86_64: Let impossible CPUs point to reference per cpu data
Don't mark the reference per cpu data init data (so it stays
around after boot) and point all impossible CPUs to it. This way
they reference some valid - although shared memory. Usually
this is only initialization like INIT_LIST_HEADs and there
won't be races because these CPUs never run. Still somewhat hackish.
Herbert Xu [Mon, 6 Feb 2006 04:27:05 +0000 (20:27 -0800)]
[PATCH] Fixed hardware RX checksum handling
When we pull the PPP protocol off the skb, we forgot to update the
hardware RX checksum. This may lead to messages such as
dsl0: hw csum failure.
Similarly, we need to clear the hardware checksum flag when we use
the existing packet to store the decompressed result.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stephen Smalley [Sat, 4 Feb 2006 03:57:49 +0000 (19:57 -0800)]
[PATCH] SELinux: fix size-128 slab leak
Remove private inode tests from security_inode_alloc and security_inode_free,
as we otherwise end up leaking inode security structures for private inodes.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Kimball Murray [Thu, 2 Feb 2006 05:08:59 +0000 (00:08 -0500)]
[PATCH] Input: mousedev - fix memory leak
Input: mousedev - fix memory leak
Apparently, "while true; do cat </dev/null >/dev/input/mice; done" causes
an OOM in a short amount of time. Funny that nobody noticed, it actually
is very easy to trigger just by switching between VT1 and VT7...
Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Oleg Drokin [Tue, 10 Jan 2006 17:28:45 +0000 (09:28 -0800)]
[PATCH] d_instantiate_unique / NFS inode leakage
If we have found an aliased dentry that we return, the inode reference is not
dropped and the inode is not attached anywhere, so it seems the reference to
the inode is leaked in that case.
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
Cc: <viro@parcelfarce.linux.theplanet.co.uk>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Herbert Xu [Sat, 4 Feb 2006 10:29:45 +0000 (02:29 -0800)]
[PATCH] Fix extra dst release when ip_options_echo fails
When two ip_route_output_key lookups in icmp_send were combined I
forgot to change the error path for ip_options_echo to not drop the
dst reference since it now sits before the dst lookup. To fix it we
simply jump past the ip_rt_put call.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
David S. Miller [Fri, 20 Jan 2006 12:31:34 +0000 (04:31 -0800)]
[PATCH] Make second arg to skb_reserved() signed.
Some subsystems, such as PPP, can send negative values
here. It just happened to work correctly on 32-bit with
an unsigned value, but on 64-bit this explodes.
Figured out by Paul Mackerras based upon several PPP crash
reports.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ensure a consistent value is read from the STICK register by ensuring
that both high and low are read without high changing due to a roll
over of the low register.
Various Debian/SPARC users (myself included) have noticed problems with
Hummingbird based systems. The symptoms are that the system time is
seen to jump forward 3 days, 6 hours, 11 minutes give or take a few
seconds. In many cases the system then hangs some time afterwards.
I've spotted a race condition in the code to read the STICK register.
I could not work out why 3d, 6h, 11m is important but guess that it is
due to the 2^32 jump of STICK (forwards on one read and then the next
read will seem to be backwards) during a timer interrupt. I'm guessing
that a change of -2^32 will get converted to a large unsigned
increment after the arithmetic manipulation between STICK,
nanoseconds, jiffies etc.
I did a test where I modified __hbird_read_stick to artificially
inject rollover faults forcefully every few seconds. With this I saw
the clock jump over 6 times in 12 hours compared to once every month
or so.
Signed-off-by: Richard Mortimer <richm@oldelvet.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
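The race described in this commit (a 64-bit counter read as two 32-bit halves, with the low half rolling over between the reads) is easy to reproduce in a simulation. The following C program is an added example, not the kernel's STICK code or any code from the commit: it models the counter as a constructed `struct stick_sim` whose value advances on every register access, and contrasts a plain high-then-low read with the read-high, read-low, re-read-high loop that only accepts a pair when the high word did not change.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a free-running 64-bit counter exposed as two 32-bit
 * halves that must be read separately. Every register access advances the
 * counter by 'step' so that time passes between reads. This is a simulation
 * for illustration, not the real hardware access path. */
struct stick_sim {
    uint64_t counter;
    uint64_t step;
};

static uint32_t sim_read_high(struct stick_sim *s)
{
    uint32_t v = (uint32_t)(s->counter >> 32);
    s->counter += s->step;
    return v;
}

static uint32_t sim_read_low(struct stick_sim *s)
{
    uint32_t v = (uint32_t)(s->counter & 0xFFFFFFFFu);
    s->counter += s->step;
    return v;
}

/* Racy read: high then low. If the low word wraps to 0 between the two
 * reads, the result pairs the old high word with the new low word and is
 * 2^32 ticks too small; the next read then appears to jump forward. */
uint64_t stick_read_naive(struct stick_sim *s)
{
    uint32_t hi = sim_read_high(s);
    uint32_t lo = sim_read_low(s);
    return ((uint64_t)hi << 32) | lo;
}

/* Consistent read: re-read the high word after the low word and retry until
 * it is unchanged, so the low word is known to belong to that high word. */
uint64_t stick_read_consistent(struct stick_sim *s)
{
    uint32_t hi1, lo, hi2;
    do {
        hi1 = sim_read_high(s);
        lo  = sim_read_low(s);
        hi2 = sim_read_high(s);
    } while (hi1 != hi2);
    return ((uint64_t)hi1 << 32) | lo;
}

/* Start one tick below a low-word rollover and read once with either method. */
uint64_t demo_rollover(int consistent)
{
    struct stick_sim s = { 0xFFFFFFFFull, 1 };
    return consistent ? stick_read_consistent(&s) : stick_read_naive(&s);
}

/* Far from a rollover both methods agree. */
uint64_t demo_quiet(int consistent)
{
    struct stick_sim s = { 0x10ull, 1 };
    return consistent ? stick_read_consistent(&s) : stick_read_naive(&s);
}

int main(void)
{
    printf("rollover: naive=0x%llx consistent=0x%llx\n",
           (unsigned long long)demo_rollover(0),
           (unsigned long long)demo_rollover(1));
    printf("quiet:    naive=0x%llx consistent=0x%llx\n",
           (unsigned long long)demo_quiet(0),
           (unsigned long long)demo_quiet(1));
    return 0;
}
```

With the counter starting at 0xFFFFFFFF the naive read returns 0, a full 2^32 behind the counter at the moment the low word was sampled, while the consistent read retries once and returns a value inside the window of the three accesses. Away from a rollover both return the same value, which is why the bug only shows up rarely on real hardware.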
Evgeniy [Fri, 13 Jan 2006 15:12:15 +0000 (18:12 +0300)]
[PATCH] Fix oops in ufs_fill_super at mount time
There's a lack of parenthesis in fs/ufs/utils.h, so instead of the 512th
byte of buffer, the usb2 pointer will point to the nth structure of type
ufs_super_block_second.
This can cause a mount-time oops if you're unlucky (especially with
DEBUG_PAGEALLOC, which is how Alexey Dobriyan saw this problem)
Alexander Viro [Sat, 14 Jan 2006 20:29:55 +0000 (15:29 -0500)]
[PATCH] Fix double decrement of mqueue_mnt->mnt_count in sys_mq_open (CVE-2005-3356)
Fixed the refcounting on failure exits in sys_mq_open() and
cleaned the logic up. Rules are actually pretty simple - dentry_open()
expects vfsmount and dentry to be pinned down and it either transfers
them into created struct file or drops them. Old code had been very
confused in that area - if dentry_open() had failed either in do_open()
or do_create(), we ended up with dentry and mqueue_mnt dropped twice, once
by dentry_open() cleanup and then by sys_mq_open().
Fix consists of making the rules for do_create() and do_open()
same as for dentry_open() and updating the sys_mq_open() accordingly;
that actually leads to more straightforward code and less work on
normal path.
Signed-off-by: Al Viro <aviro@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jens Axboe [Mon, 9 Jan 2006 19:15:33 +0000 (11:15 -0800)]
[PATCH] Kill blk_attempt_remerge()
[BLOCK] Kill blk_attempt_remerge()
It's a broken interface, it's done way too late. And apparently it triggers
slab problems in recent kernels as well (most likely after the generic dispatch
code was merged). So kill it, ide-cd is the only user of it.
Signed-off-by: Jens Axboe <axboe@suse.de>
chrisw: backport to 2.6.15 tree
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Clemens Ladisch [Thu, 12 Jan 2006 08:44:29 +0000 (09:44 +0100)]
[PATCH] usb-audio: don't use empty packets at start of playback
Some widespread USB interface chips with adaptive iso endpoints hang
after receiving a series of empty packets when they expect data. This
completely disables audio playback on those devices. To avoid this, we
have to send packets containing silence (zero samples) instead.
Martin Murray [Wed, 11 Jan 2006 05:02:29 +0000 (21:02 -0800)]
[PATCH] Fix DoS in netlink_rcv_skb() (CVE-2006-0035)
Sanity check nlmsg_len during netlink_rcv_skb. An nlmsg_len == 0 can
cause infinite loop in kernel, effectively DoSing machine. Noted by
Martin Murray.
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
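The nlmsg_len sanity check this commit describes, as an added C illustration that is not the kernel's netlink_rcv_skb() and not code from the commit. It uses a constructed 16-byte header layout named `nlmsg_hdr` (same field order as the real struct nlmsghdr) and builds a few message buffers inline: a well-formed pair, one whose second header claims nlmsg_len == 0, and one that claims more bytes than the buffer holds. The unchecked walker is bounded by an iteration cap purely so the spin can be observed without hanging.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for struct nlmsghdr (same 16-byte layout). */
struct nlmsg_hdr {
    uint32_t nlmsg_len;    /* header plus payload length, supplied by the sender */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};

#define NLMSG_ALIGNTO    4u
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1u) & ~(NLMSG_ALIGNTO - 1u))
#define NLMSG_HDRLEN     ((uint32_t)NLMSG_ALIGN(sizeof(struct nlmsg_hdr)))

/* Walk a receive buffer one message at a time. Returns the number of messages
 * accepted, or -1 when a header fails validation. A header claiming less than
 * one header's worth of bytes (nlmsg_len == 0 included) or more than remains
 * is rejected before its length is used to advance the cursor. */
int walk_messages(const unsigned char *buf, size_t len)
{
    int count = 0;
    while (len >= NLMSG_HDRLEN) {
        uint32_t mlen;
        memcpy(&mlen, buf, sizeof mlen);           /* nlmsg_len is the first field */
        if (mlen < NLMSG_HDRLEN || mlen > len)
            return -1;                              /* would spin or read past the end */
        count++;                                    /* the message would be dispatched here */
        size_t skip = NLMSG_ALIGN(mlen);
        if (skip > len)
            skip = len;                             /* last message may lack padding */
        buf += skip;
        len -= skip;
    }
    return count;
}

/* The same loop without the check, capped at max_iter so it terminates for
 * demonstration: with nlmsg_len == 0 the cursor never moves. Returns -2 when
 * the cap is hit. */
int walk_messages_unchecked(const unsigned char *buf, size_t len, int max_iter)
{
    int count = 0;
    while (len >= NLMSG_HDRLEN) {
        uint32_t mlen;
        memcpy(&mlen, buf, sizeof mlen);
        if (max_iter-- <= 0)
            return -2;
        count++;
        size_t skip = NLMSG_ALIGN(mlen);
        if (skip > len)
            skip = len;
        buf += skip;
        len -= skip;
    }
    return count;
}

static void put_hdr(unsigned char *p, uint32_t claimed_len)
{
    struct nlmsg_hdr h = {0};
    h.nlmsg_len = claimed_len;
    h.nlmsg_type = 1;
    memcpy(p, &h, sizeof h);
}

/* Two well-formed messages: 16-byte header plus 4 payload bytes each. */
int scenario_two_good(void)
{
    unsigned char buf[40] = {0};
    put_hdr(buf, 20);
    put_hdr(buf + 20, 20);
    return walk_messages(buf, sizeof buf);
}

/* Second header claims nlmsg_len == 0, the case the fix rejects. */
int scenario_zero_len(int checked)
{
    unsigned char buf[36] = {0};
    put_hdr(buf, 20);
    put_hdr(buf + 20, 0);
    return checked ? walk_messages(buf, sizeof buf)
                   : walk_messages_unchecked(buf, sizeof buf, 1000);
}

/* Header claims far more bytes than the buffer actually holds. */
int scenario_overlong(void)
{
    unsigned char buf[16] = {0};
    put_hdr(buf, 1000);
    return walk_messages(buf, sizeof buf);
}

int main(void)
{
    printf("two good:  %d\n", scenario_two_good());
    printf("zero len:  checked=%d unchecked=%d\n",
           scenario_zero_len(1), scenario_zero_len(0));
    printf("overlong:  %d\n", scenario_overlong());
    return 0;
}
```

The checked walker accepts the well-formed pair, stops at the zero-length header, and refuses the overlong claim; the unchecked walker hits its iteration cap on the zero-length case, which is the spin the commit fixes.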
Problem narrowed down by Luis F. Ortiz and Richard Mortimer.
I tried using %l2 as suggested by Luis and that works for me.
Looking at the code I wonder if it makes sense to simplify the code
a little bit. The following works for me but I'm not sure how to
exercise the "NOERROR" codepath.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Bart De Schuymer [Tue, 10 Jan 2006 21:13:45 +0000 (13:13 -0800)]
[PATCH] Don't match tcp/udp source/destination port for IP fragments
Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>