- 17 Oct, 2007 20 commits
-
-
Arnd Bergmann authored
commit 179c85ea in mainline. The futex list traversal on the compat side appears to have a bug. It's loop termination condition compares: while (compat_ptr(uentry) != &head->list) But that can't be right because "uentry" has the special "pi" indicator bit still potentially set at bit 0. This is cleared by fetch_robust_entry() into the "entry" return value. What this seems to mean is that the list won't terminate when list iteration gets back to the the head. And we'll also process the list head like a normal entry, which could cause all kinds of problems. So we should check for equality with "entry". That pointer is of the non-compat type so we have to do a little casting to keep the compiler and sparse happy. The same problem can in theory occur with the 'pending' variable, although that has not been reported from users so far. Based on the original patch from David Miller. Acked-by:
Ingo Molnar <mingo@elte.hu> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: David Miller <davem@davemloft.net> Signed-off-by:
Arnd Bergmann <arnd@arndb.de> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Steven Toth authored
(cherry picked from commit 48200bae) [PATCH] V4L: cx88: Avoid a NULL pointer dereference during mpeg_open() Bug: With a hardware encoder board installed as cx88[1] and a non-encoder boards installed as cx88[0], an OOPS is generated during cx8802_get_device() called from mpeg_open(). Signed-off-by:
Steven Toth <stoth@hauppauge.com> Signed-off-by:
Mauro Carvalho Chehab <mchehab@infradead.org> Signed-off-by:
Michael Krufky <mkrufky@linuxtv.org> Signed-off-by:
-
Adam Radford authored
[SCSI] 3w-9xxx: Fix dma mask setting Extracted from commit 0e78d158 The attached patch updates the 3ware 9000 driver: - Fix dma mask setting to fallback to 32-bit if 64-bit fails. Signed-off-by:
Adam Radford <linuxraid@amcc.com> Signed-off-by:
James Bottomley <James.Bottomley@SteelEye.com> Signed-off-by:
Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
-
Kumar Gala authored
commit 0ee6c15e in mainline. When we flush register state for FP, Altivec, or SPE in flush_*_to_thread we need to respect the task_struct that the caller has passed to us. Most cases we are called with current, however sometimes (ptrace) we may be passed a different task_struct. This showed up when using gdbserver debugging a simple program that used floating point. When gdb tried to show the FP regs they all showed up as 0, because the child's FP registers were never properly flushed to memory. Signed-off-by:
Kumar Gala <galak@kernel.crashing.org> Signed-off-by:
-
Nathael Pajani authored
commit e5dd0115 in mainline. This patch fixes the order of list_add_tail() arguments in usb_store_new_id() so the list can have more than one single element. Signed-off-by:
Nathael Pajani <nathael.pajani@cpe.fr> Signed-off-by:
-
Oleg Nesterov authored
commit 60187d27 in mainline. Spotted by taoyue <yue.tao@windriver.com> and Jeremy Katz <jeremy.katz@windriver.com>. collect_signal: sigqueue_free: list_del_init(&first->list); if (!list_empty(&q->list)) { // not taken } q->flags &= ~SIGQUEUE_PREALLOC; __sigqueue_free(first); __sigqueue_free(q); Now, __sigqueue_free() is called twice on the same "struct sigqueue" with the obviously bad implications. In particular, this double free breaks the array_cache->avail logic, so the same sigqueue could be "allocated" twice, and the bug can manifest itself via the "impossible" BUG_ON(!SIGQUEUE_PREALLOC) in sigqueue_free/send_sigqueue. Hopefully this can explain these mysterious bug-reports, see http://marc.info/?t=118766926500003 http://marc.info/?t=118466273000005 Alexey Dobriyan reports this patch makes the difference for the testcase, but nobody has an access to the application which opened the problems originally. Also, this patch removes tasklist lock/unlock, ->siglock is enough. Signed-off-by:
Oleg Nesterov <oleg@tv-sign.ru> Cc: taoyue <yue.tao@windriver.com> Cc: Jeremy Katz <jeremy.katz@windriver.com> Cc: Sukadev Bhattiprolu <sukadev@us.ibm.com> Cc: Alexey Dobriyan <adobriyan@sw.ru> Cc: Ingo Molnar <mingo@elte.hu> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Roland McGrath <roland@redhat.com> Signed-off-by:
-
Oleg Nesterov authored
commit b07e35f9 in mainline tree Spotted by Marcin Kowalczyk <qrczak@knm.org.pl>. sys_setpgid(child) fails if the child was forked by sub-thread. Fix the "is it our child" check. The previous commit ee0acf90 was not complete. (this patch asks for the new same_thread_group() helper, but mainline doesn't have it yet). Signed-off-by:
Roland McGrath <roland@redhat.com> Tested-by:
"Marcin 'Qrczak' Kowalczyk" <qrczak@knm.org.pl> Signed-off-by:
-
Takashi Iwai authored
Use seq_file for the proc file read/write of snd-page-alloc module. This automatically fixes bugs in the old proc code. Signed-off-by:
Takashi Iwai <tiwai@suse.de> Signed-off-by:
-
Oliver Neukum authored
the pwc driver has a disconnect method that waits for user space to close the device. This opens up an opportunity for a DoS attack, blocking the USB subsystem and making khubd's task busy wait in kernel space. This patch shifts freeing resources to close if an opened device is disconnected. Signed-off-by:
Oliver Neukum <oneukum@suse.de> Signed-off-by:
-
Alan Stern authored
This patch (as964) was suggested by Steffen Koepf. It makes usb_get_descriptor() retry on all errors other than ETIMEDOUT, instead of only on EPIPE. This helps with some devices. Signed-off-by:
Alan Stern <stern@rowland.harvard.edu> Signed-off-by:
-
David Miller authored
[TCP]: Invoke tcp_sendmsg() directly, do not use inet_sendmsg(). As discovered by Evegniy Polyakov, if we try to sendmsg after a connection reset, we can do incredibly stupid things. The core issue is that inet_sendmsg() tries to autobind the socket, but we should never do that for TCP. Instead we should just go straight into TCP's sendmsg() code which will do all of the necessary state and pending socket error checks. TCP's sendpage already directly vectors to tcp_sendpage(), so this merely brings sendmsg() in line with that. Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
David Miller authored
It didn't handle that case at all, and now dump_stack() can be implemented directly as show_stack(current, NULL) Signed-off-by:
-
Herbert Xu authored
[NET]: Fix unbalanced rcu_read_unlock in __sock_create The recent RCU work created an unbalanced rcu_read_unlock in __sock_create. This patch fixes that. Reported by oleg 123. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
-
Herbert Xu authored
The snap_rcv code reads 5 bytes so we should make sure that we have 5 bytes in the head before proceeding. Based on diagnosis and fix by Evgeniy Polyakov, reported by Alan J. Wylie. Patch also kills the skb->sk assignment before kfree_skb since it's redundant. Signed-off-by:
-
Chuck Ebbert authored
Author: Chuck Ebbert <cebbert@redhat.com> Add xt_statistic.h to the list of headers to install. Apparently needed to build newer versions of iptables. Signed-off-by:
-
Gerrit Renker authored
This fixes the following bug reported in syslog: [ 4039.051658] BUG: sleeping function called from invalid context at /usr/src/davem-2.6/mm/slab.c:3032 [ 4039.051668] in_atomic():1, irqs_disabled():0 [ 4039.051670] INFO: lockdep is turned off. [ 4039.051674] [<c0104c0f>] show_trace_log_lvl+0x1a/0x30 [ 4039.051687] [<c0104d4d>] show_trace+0x12/0x14 [ 4039.051691] [<c0104d65>] dump_stack+0x16/0x18 [ 4039.051695] [<c011371e>] __might_sleep+0xaf/0xbe [ 4039.051700] [<c0157b66>] __kmalloc+0xb1/0xd0 [ 4039.051706] [<f090416f>] ccid2_hc_tx_alloc_seq+0x35/0xc3 [dccp_ccid2] [ 4039.051717] [<f09048d6>] ccid2_hc_tx_packet_sent+0x27f/0x2d9 [dccp_ccid2] [ 4039.051723] [<f085486b>] dccp_write_xmit+0x1eb/0x338 [dccp] [ 4039.051741] [<f085603d>] dccp_sendmsg+0x113/0x18f [dccp] [ 4039.051750] [<c03907fc>] inet_sendmsg+0x2e/0x4c [ 4039.051758] [<c033a47d>] sock_aio_write+0xd5/0x107 [ 4039.051766] [<c015abc1>] do_sync_write+0xcd/0x11c [ 4039.051772] [<c015b296>] vfs_write+0x118/0x11f [ 4039.051840] [<c015b932>] sys_write+0x3d/0x64 [ 4039.051845] [<c0103e7c>] syscall_call+0x7/0xb [ 4039.051848] ======================= The problem was that GFP_KERNEL was used; fixed by using gfp_any(). Signed-off-by:
Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by:
Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by:
-
Jan Beulich authored
Signed-off-by:
Jan Beulich <jbeulich@novell.com> Signed-off-by:
Andi Kleen <ak@suse.de> Signed-off-by:
-
Francois Romieu authored
Theory : though needless, it should not have hurt. Practice: it does not play nice with DEBUG_SHIRQ + LOCKDEP + UP (see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=3D242572). The patch makes sense in itself but I should dig why it has an effect on #242572 (assuming that NAPI do not change in a near future). Patch in mainline as 313b0305. Backported to 2.6.22-stable by Thomas M=FCller. Signed-off-by:
Thomas M=FCller <thomas@mathtm.de> Signed-off-by:
Francois Romieu <romieu@fr.zoreil.com> Signed-off-by:
-
Haavard Skinnemoen authored
These functions depend on "result" being initalized to 0, but "result" is not included as an input constraint to the inline assembly block following its initialization, only as an output constraint. Thus gcc thinks it doesn't need to initialize it, so result ends up undefined if the "unless" condition is true. This fixes an oops in sunrpc where the faulty atomics caused rpciod_up() to not start the workqueue as it should. Signed-off-by:
Haavard Skinnemoen <hskinnemoen@atmel.com> Signed-off-by:
-
Bob Moore authored
ACPICA: Fixed possible corruption of global GPE list Fixed a problem in acpi_ev_delete_gpe_xrupt where the global interrupt list could be corrupted if the interrupt being removed was at the head of the list. Reported by Linn Crosetto. Signed-off-by:
Bob Moore <robert.moore@intel.com> Signed-off-by:
Len Brown <len.brown@intel.com> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
-
- 23 Sep, 2007 3 commits
-
-
Willy Tarreau authored
-
Tom Alsberg authored
CPU time limit patch / setrlimit(RLIMIT_CPU, 0) cheat fix As discovered here today, the change in Kernel 2.6.17 intended to inhibit users from setting RLIMIT_CPU to 0 (as that is equivalent to unlimited) by "cheating" and setting it to 1 in such a case, does not make a difference, as the check is done in the wrong place (too late), and only applies to the profiling code. On all systems I checked running kernels above 2.6.17, no matter what the hard and soft CPU time limits were before, a user could escape them by issuing in the shell (sh/bash/zsh) "ulimit -t 0", and then the user's process was not ever killed. Attached is a trivial patch to fix that. Simply moving the check to a slightly earlier location (specifically, before the line that actually assigns the limit - *old_rlim = new_rlim), does the trick. Do note that at least the zsh (but not ash, dash, or bash) shell has the problem of "caching" the limits set by the ulimit command, so when running zsh the fix will not immediately be evident - after entering "ulimit -t 0", "ulimit -a" will show "-t: cpu time (seconds) 0", even though the actual limit as returned by getrlimit(...) will be 1. It can be verified by opening a subshell (which will not have the values of the parent shell in cache) and checking in it, or just by running a CPU intensive command like "echo '65536^1048576' | bc" and verifying that it dumps core after one second. Regardless of whether that is a misfeature in the shell, perhaps it would be better to return -EINVAL from setrlimit in such a case instead of cheating and setting to 1, as that does not really reflect the actual state of the process anymore. I do not however know what the ground for that decision was in the original 2.6.17 change, and whether there would be any "backward" compatibility issues, so I preferred not to touch that right now. Signed-off-by:
-
Andi Kleen authored
Strictly it's only needed for eax. It actually does a little more than strictly needed -- the other registers are already zero extended. Also remove the now unnecessary and non functional compat task check in ptrace. This is CVE-2007-4573 Found by Wojciech Purczynski Signed-off-by:
Chris Wright <chrisw@sous-sol.org>
-
- 08 Sep, 2007 2 commits
-
-
Willy Tarreau authored
-
YOSHIFUJI Hideaki authored
Because skb->dst is assigned in ip6_route_input(), it is really bad to use it in hop-by-hop option handler(s). Closes: Bug #8450 (Eric Sesterhenn <snakebyte@gmx.de>) Signed-off-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by:
Willy Tarreau <w@1wt.eu>
-
- 28 Aug, 2007 4 commits
-
-
Willy Tarreau authored
-
Patrick McHardy authored
secmark doesn't depend on CONFIG_NET_SCHED. Signed-off-by:
Patrick McHardy <kaber@trash.net> Acked-by:
James Morris <jmorris@namei.org> Signed-off-by:
-
Willy Tarreau authored
That update broke build of pata_atiixp as it requires some PCI IDs and other updates which have not been merged. Better remove it from 2.6.20. This reverts commit f327bcd1. Signed-off-by:
-
Willy Tarreau authored
Randy Dunlap and Boris B. Zhmurov reported build failure of rfcomm/tty.c since 2.6.20.17. Marcel Holtmann confirmed that the following patch was inappropriate for this kernel. Remove it. This reverts commit 8c25e9c9. Cc: Marcel Holtmann <marcel@holtmann.org> Signed-off-by:
-
- 25 Aug, 2007 11 commits
-
-
Willy Tarreau authored
-
Marcel Holtmann authored
This fixes a vulnerability in the "parent process death signal" implementation discoverd by Wojciech Purczynski of COSEINC PTE Ltd. and iSEC Security Research. http://marc.info/?l=bugtraq&m=118711306802632&w=2Signed-off-by:
Marcel Holtmann <marcel@holtmann.org> Signed-off-by:
-
Venki Pallipadi authored
Due to rounding and inexact jiffy accounting, idle_ticks can sometimes be higher than total_ticks. Make sure those cases are handled as zero load case. Signed-off-by:
Venkatesh Pallipadi <venkatesh.pallipadi@intel.com> Signed-off-by:
Dave Jones <davej@redhat.com> Signed-off-by:
-
Venki Pallipadi authored
With tickless kernel and software coordination os P-states, ondemand can look at wrong idle statistics. This can happen when ondemand sampling is happening on CPU 0 and due to software coordination sampling also looks at utilization of CPU 1. If CPU 1 is in tickless state at that moment, its idle statistics will not be uptodate and CPU 0 thinks CPU 1 is idle for less amount of time than it actually is. This can be resolved by looking at all the busy times of CPUs, which is accurate, even with tickless, and use that to determine idle time in a round about way (total time - busy time). Thanks to Arjan for originally reporting the ondemand bug on Lenovo T61. Signed-off-by:
-
Jeff Garzik authored
[libata] pata_atiixp: add SB700 PCI ID From AMD. Signed-off-by:
Jeff Garzik <jeff@garzik.org> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
-
Helge Deller authored
Visualize-EG, Graffiti and A4450A graphics cards on PARISC can be configured in double-buffer and standard mode, but the stifb driver supports standard mode only. This patch detects double-buffered cards more reliable. It is a real bugfix for a very nasty problem for all parisc users which have wrongly configured their graphic card. The problem: The stifb graphics driver will not detect that the card is wrongly configured and then nevertheless just enables the graphics mode, which it shouldn't. In the end, the user will see no further updates / boot messages on the screen. We had documented this problem already on our FAQ (http://parisc-linux.org/faq/index.html#viseg "Why do I get corrupted graphics with my Vis-EG/Graffiti/A4450A card?") but people still run into this problem. So having this fix in as early as possible can help us. Signed-off-by:
Helge Deller <deller@gmx.de> Signed-off-by:
Antonino Daplas <adaplas@gmail.com> Cc: Kyle McMartin <kyle@mcmartin.ca> Signed-off-by:
-
Badari Pulavarty authored
Need to initialize map_bh.b_state to zero. Otherwise, in case of a faulty user-buffer its possible to go into dio_zero_block() and submit a page by mistake - since it checks for buffer_new(). http://marc.info/?l=linux-kernel&m=118551339032528&w=2 akpm: Linus had a (better) patch to just do a kzalloc() in there, but it got lost. Probably this version is better for -stable anwyay. Signed-off-by:
Badari Pulavarty <pbadari@us.ibm.com> Acked-by:
Joe Jin <joe.jin@oracle.com> Acked-by:
Zach Brown <zach.brown@oracle.com> Cc: gurudas pai <gurudas.pai@oracle.com> Signed-off-by:
-
Tejun Heo authored
Fix map entry 10b for ich8. It's [P0 P2 IDE IDE] like ich6 / ich6m. Signed-off-by:
Tejun Heo <htejun@gmail.com> Acked-by:
Kristen Carlson Accardi <kristen.c.accardi@intel.com> Cc: Jeff Garzik <jeff@garzik.org> Signed-off-by:
-
Michael Buesch authored
The essid wireless extension does deadlock against the assoc mutex, as we don't unlock the assoc mutex when flushing the workqueue, which also holds the lock. Signed-off-by:
Michael Buesch <mb@bu3sch.de> Signed-off-by:
-
Matt Mackall authored
If root raised the default wakeup threshold over the size of the output pool, the pool transfer function could overflow the stack with RNG bytes, causing a DoS or potential privilege escalation. (Bug reported by the PaX Team <pageexec@freemail.hu>) Cc: Theodore Tso <tytso@mit.edu> Cc: Willy Tarreau <w@1wt.eu> Signed-off-by:
Matt Mackall <mpm@selenic.com> Signed-off-by:
-
Jeff Dike authored
Add some exports for hostfs that are required after Alberto Bertogli's fixes for accessing unlinked host files. Also did some style cleanups while I was here. Signed-off-by:
Jeff Dike <jdike@linux.intel.com> Signed-off-by:
-
