- 01 Mar, 2006 37 commits
-
-
Trond Myklebust authored
This is CVE-2006-0555 and SGI bug 946529. A normal user can panic an NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT. Signed-off-by:Chris Wright <chrisw@sous-sol.org>
-
Mike O'Connor authored
This is CVE-2006-0554 and SGI bug 942658. With certain types of ftruncate() activity on 2.6 kernels, XFS can end up exposing stale data off disk to a user, putting extents where holes should be. Signed-off-by: -
Stefan Richter authored
sbp2: fix another deadlock after disconnection If there were commands enqueued but not completed before an SBP-2 unit was unplugged (or an attempt to reconnect failed), knodemgrd or any process which tried to remove the device would sleep uninterruptibly in blk_execute_rq(). Therefore make sure that all commands are completed when sbp2 retreats. Signed-off-by:
Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by:
-
Stefan Richter authored
sd: fix memory corruption with broken mode page headers There's a problem in sd where we blindly believe the length of the headers and block descriptors. Some devices return insane values for these and cause our length to end up greater than the actual buffer size, so check to make sure. Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk> Also removed the buffer size magic number (512) and added DPOFUA of zero to the defaults Signed-off-by:
James Bottomley <James.Bottomley@SteelEye.com> Signed-off-by:
Linus Torvalds <torvalds@osdl.org> rediff for 2.6.15.x without DPOFUA bit, taken from commit 48970800Signed-off-by:
-
Alexey Kuznetsov authored
netlink overrun was broken while improvement of netlink. Destination socket is used in the place where it was meant to be source socket, so that now overrun is never sent to user netlink sockets, when it should be, and it even can be set on kernel socket, which results in complete deadlock of rtnetlink. Suggested fix is to restore status quo passing source socket as additional argument to netlink_attachskb(). A little explanation: overrun is set on a socket, when it failed to receive some message and sender of this messages does not or even have no way to handle this error. This happens in two cases: 1. when kernel sends something. Kernel never retransmits and cannot wait for buffer space. 2. when user sends a broadcast and the message was not delivered to some recipients. Signed-off-by:
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Suresh Siddha authored
Fixes a local DOS on Intel systems that lead to an endless recursive fault. AMD machines don't seem to be affected. Signed-off-by:
Suresh Siddha <suresh.b.siddha@intel.com> Signed-off-by:
Andi Kleen <ak@suse.de> Signed-off-by:
-
Stephen Hemminger authored
If skge is attached to a bad cable, that goes up/down. It exposes an SMP race with the management of IRQ mask Signed-off-by:
Stephen Hemminger <shemminger@osdl.org> Signed-off-by:
-
Stephen Hemminger authored
The SysKonnect Genesis based board would fail on initialization with phy_read errors caused by not waiting for last phy write. Signed-off-by:
-
Stephen Hemminger authored
Fix a race in the receive NAPI, irq handling. The interrupt clear and the start need to be separated. Otherwise there is a window between the last frame received and the NAPI done level handling. Signed-off-by:
-
Stephen Hemminger authored
This is a clone of John Linville's fixed for speed setting on sky2 driver. The skge driver has the same code (and bug). It would not allow manually forcing 100 and 10 mbit. Signed-off-by:
-
Kaj-Michael Lang authored
The gbefb driver does not update the framebuffer layers visual setting when depth is changed with fbset, resulting in strange colors (very dark blue in 16-bit, almost black in 24-bit). Signed-off-by:
Kaj-Michael Lang <milang@tal.org> Signed-off-by:
Martin Michlmayr <tbm@cyrius.com> Signed-off-by:
Antonino Daplas <adaplas@pol.net> Cc: <stable@kernel.org> Signed-off-by:
Andrew Morton <akpm@osdl.org> Signed-off-by:
-
Andrew Morton authored
Phil Marek <philipp.marek@bmlv.gv.at> points out that ramfs forgets to update a directory's mtime and ctime when it is modified. Cc: <stable@kernel.org> Signed-off-by:
-
Jun'ichi Nomura authored
Minor number should be freed after del_gendisk(). Otherwise, there could be a window where 2 registered gendisk has same minor number. Signed-off-by:
Jun'ichi Nomura <j-nomura@ce.jp.nec.com> Acked-by:
Alasdair G Kergon <agk@redhat.com> Cc: <stable@kernel.org> Signed-off-by:
-
Jun'ichi Nomura authored
Need to unfreeze and release bdev otherwise the bdev inode with inconsistent state is reused later and cause problem. Signed-off-by:
-
Martin Michlmayr authored
Allocating more than 4 MB memory for the GBE (SGI O2) framebuffer completely breakfs gbefb support at the moment. According to comments on #mipslinux, more than 4 MB has never worked correctly in Linux. Therefore, the default should be 4 MB. Signed-off-by:
-
Simon Vogl authored
Fix a kernel oops for Intel P30 flashes, where the wait queue head was not initialized for the flchip struct, which in turn caused a crash at the first read operation. Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Cc: <stable@kernel.org> Signed-off-by:
-
Takashi Iwai authored
Remove snd_device_free() for an opl3-oss instance which should have been released. Signed-off-by:
Takashi Iwai <tiwai@suse.de> Cc: Jaroslav Kysela <perex@suse.cz> Cc: <stable@kernel.org> Signed-off-by:
-
Juergen Kreileder authored
I'm getting oopses with snd-usb-audio in 32-bit compat environments: control_compat.c:get_ctl_type() doesn't initialize 'info', so 'itemlist[uinfo->value.enumerated.item]' in usbmixer.c:mixer_ctl_selector_info() might access random memory (The 'if ((int)uinfo->value.enumerated.item >= cval->max)' doesn't fix all problems because of the unsigned -> signed conversion.) Signed-off-by:
Juergen Kreileder <jk@blackdown.de> Cc: Jaroslav Kysela <perex@suse.cz> Acked-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Jean Delvare authored
Only scan I2C address 0x2d. This is the default address and no IT87xxF chip was ever seen on I2C at a different address. These chips are better accessed through their ISA interface anyway. This fixes bug #5889, although it doesn't address the whole class of problems. We'd need the ability to blacklist arbitrary I2C addresses on systems known to contain I2C devices which behave badly when probed. Signed-off-by:
Jean Delvare <khali@linux-fr.org> Signed-off-by:
-
Jean Delvare authored
Fix an oops on it87 module removal when no supported hardware was found. Signed-off-by:
-
Chris Wright authored
Make sure maxnodes is safe size before calculating nlongs in get_nodes(). Signed-off-by:
-
Peter Staubach authored
Fix a deadlock possible in the ext2 file system implementation. This deadlock occurs when a file is removed from an ext2 file system which was mounted with the "sync" mount option. The problem is that ext2_xattr_delete_inode() was invoking the routine, sync_dirty_buffer(), using a buffer head which was previously locked via lock_buffer(). The first thing that sync_dirty_buffer() does is to lock the buffer head that it was passed. It does this via lock_buffer(). Oops. The solution is to unlock the buffer head in ext2_xattr_delete_inode() before invoking sync_dirty_buffer(). This makes the code in ext2_xattr_delete_inode() obey the same locking rules as all other callers of sync_dirty_buffer() in the ext2 file system implementation. Signed-off-by:
Peter Staubach <staubach@redhat.com> Signed-off-by:
-
Oleg Nesterov authored
1. The tracee can go from ptrace_stop() to do_signal_stop() after __ptrace_unlink(p). 2. It is unsafe to __ptrace_unlink(p) while p->parent may wait for tasklist_lock in ptrace_detach(). Signed-off-by:
Oleg Nesterov <oleg@tv-sign.ru> Cc: Roland McGrath <roland@redhat.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: Christoph Hellwig <hch@lst.de> Cc: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by:
-
Adrian Drzewiecki authored
Looks like somebody forgot to use the _bh spin_lock variant. We ran into a deadlock where br->hello_timer expired while br_stp_disable_br() walked br->port_list. Signed-off-by:
Adrian Drzewiecki <z@drze.net> Signed-off-by:
-
Dave Jones authored
arch/s390/kernel/compat_signal.c:199: error: conflicting types for 'do_sigaction' include/linux/sched.h:1115: error: previous declaration of 'do_sigaction' was here Signed-off-by:
Dave Jones <davej@redhat.com> Signed-off-by:
-
Tony Luck authored
Pointed out by Oleg Nesterov <oleg@tv-sign.ru>, who in turn got the hint from Linus. Signed-off-by:
Tony Luck <tony.luck@intel.com> Signed-off-by:
-
Oleg Nesterov authored
Clear unblockable signals beforehand. Signed-off-by:
-
Oleg Nesterov authored
Pointed out by Linus Torvalds. sys_signal() forgets to initialize ->sa_mask. ( I suspect arch/ia64/ia32/ia32_signal.c:sys32_signal() also needs this fix ) Signed-off-by:
-
Kristian Slavov authored
If you set network interface down and up again, the IPv6 address autoconfiguration does not work. 'ip addr' shows that the link-local address is in tentative state. We don't even react to periodical router advertisements. During NETDEV_DOWN we clear IF_READY, and we don't set it back in NETDEV_UP. While starting to perform DAD on the link-local address, we notice that the device is not in IF_READY, and we abort autoconfiguration process (which would eventually send router solicitations). Acked-by:
Juha-Matti Tapio <jmtapio@verkkotelakka.net> Acked-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by:
-
David S. Miller authored
Revert the following changeset: bc8dfcb9 Recursive SKB frag lists are really possible and disallowing them breaks things. Noticed by: Jesse Brandeburg <jesse.brandeburg@intel.com> Signed-off-by:
-
Jeff Mahoney authored
Unfortunately, the reiserfs_attrs_cleared bit in the superblock flag can lie. File systems have been observed with the bit set, yet still contain garbage in the stat data field, causing unpredictable results. This patch backs out the enable-by-default behavior. It eliminates the changes from: d50a5cd860ce721dbeac6a4f3c6e42abcde68cd8, and ef5e5414e7a83eb9b4295bbaba5464410b11e030. Signed-off-by:
Jeff Mahoney <jeffm@suse.com> Signed-off-by:
-
Hugh Dickins authored
2.6.15's hugepage faulting introduced huge_pages_needed accounting into hugetlbfs: to count how many pages are already in cache, for spot check on how far a new mapping may be allowed to extend the file. But it's muddled: each hugepage found covers HPAGE_SIZE, not PAGE_SIZE. Once pages were already in cache, it would overshoot, wrap its hugepages count backwards, and so fail a harmless repeat mapping with -ENOMEM. Fixes the problem found by Don Dupuis. Signed-off-by:
Hugh Dickins <hugh@veritas.com> Acked-By:
Adam Litke <agl@us.ibm.com> Acked-by:
William Irwin <wli@us.ibm.com> Signed-off-by:
-
Andi Kleen authored
early_cpu_detect only runs on the BP, but this code needs to run on all CPUs. This will fix problems with the powernow-k8 driver on dual core systems and general misdetection of AMD dual core. Looks like a mismerge somewhere. Also add a warning comment. Signed-off-by:
-
Horms authored
5dce971a in Linus' tree, otherwise known as bridge-netfilter-races-on-device-removal.patch in 2.5.15.4 removed has_bridge_parent, however this symbol is still called with NETFILTER_DEBUG is enabled. This patch uses the already seeded realoutdev value to detect if a parent exists, and if so, the value of the parent. Signed-Off-By:
Horms <horms@verge.net.au> Acked-by:
-
KAMEZAWA Hiroyuki authored
sys_shmdt() can manage shm segments which are covered by multiple vmas. (This can happen when a user uses mprotect() after shmat().) This works well if shm is aligned to PAGE_SIZE, but if not, the last segment cannot be detached. It is because a comparison in sys_shmdt() (vma->vm_end - addr) < size addr == return address of shmat() size == shmsize, argments to shmget() size should be aligned to PAGE_SIZE before being compared with vma->vm_end, which is aligned. Signed-off-by:
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: Hugh Dickins <hugh@veritas.com> Cc: <stable@kernel.org> Signed-off-by:
-
Heiko Carstens authored
Based on a patch from Maximilian Attems <maks@sternwelten.at> . Nothing in asm-s390/setup.h is of interest for user space. Signed-off-by:
Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by:
-
Tom Rini authored
In 2.6.14, we had the following definition of _GLOBAL() in include/asm-ppc/processor.h: #define _GLOBAL(n)\ .stabs __stringify(n:F-1),N_FUN,0,0,n;\ .globl n;\ n: In 2.6.15, as part of the great powerpc merge, we moved this definition to include/asm-powerpc/ppc_asm.h, where it appears (to 32-bit code) as: #define _GLOBAL(n) \ .text; \ .stabs __stringify(n:F-1),N_FUN,0,0,n;\ .globl n; \ n: Mostly, this is fine. However, we also have the following, in arch/ppc/boot/common/util.S: .section ".relocate_code","xa" [...] _GLOBAL(flush_instruction_cache) [...] _GLOBAL(flush_data_cache) [...] The addition of the .text section definition in the definition of _GLOBAL overrides the .relocate_code section definition. As a result, these two functions don't end up in .relocate_code, so they don't get relocated correctly, and the boot fails. There's another suspicious-looking usage at kernel/swsusp.S:37 that someone should look into. I did not exhaustively search the source tree, though. The following is the minimal patch that fixes the immediate problem. I could easily be convinced that the _GLOBAL definition should be modified to remove the ".text;" line either instead of, or in addition to, this fix. Signed-off-by:Paul Janzen <pcj@linux.sez.to> Signed-off-by:
Paul Mackerras <paulus@samba.org> Signed-off-by:
-
- 10 Feb, 2006 3 commits
-
-
Chris Wright authored
-
Neil Brown authored
e.g. The sx8 driver uses names like sx8/0. This would make a md component dev name like /sys/block/md0/md/dev-sx8/0 which is not allowed. So we change the '/' to '!' just like fs/partitions/check.c(register_disk) does. Signed-off-by:
Neil Brown <neilb@suse.de> Signed-off-by:
-
Steve Langasek authored
With the latest 2.6.15 kernel builds for alpha on Debian, we ran into a problem with undefined references to __cmpxchg_called_with_bad_pointer() in a couple of kernel modules (xfs.ko and drm.ko; see http://bugs.debian.org/347556). It looks like people have been trying to out-clever each other wrt the definition of "inline" on this architecture :), with the result that __cmpxchg(), which must be inlined so the compiler can see its argument is const, is not guaranteed to be inlined. Indeed, it was not being inlined when building with -Os. The attached patch fixes the issue by adding an __attribute__((always_inline)) explicitly to the definition of __cmpxchg() instead of relying on redefines of "inline" elsewhere to make this happen. Cc: Richard Henderson <rth@twiddle.net> Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru> Signed-off-by:
-
