- 28 Mar, 2006 9 commits
-
-
Greg Kroah-Hartman authored
-
Al Viro authored
This fixes not one, but _two_, silly (but admittedly hard to hit) bugs in the ext2 filesystem "readdir()" function. It also cleans up the code to avoid the unnecessary goto mess. The bugs were related to re-valiating the f_pos value after somebody had either done an "lseek()" on the directory to an invalid offset, or when the offset had become invalid due to a file being unlinked in the directory. The code would not only set the f_version too eagerly, it would also not update f_pos appropriately for when the offset fixup took place. When that happened, we'd occasionally subsequently fail the readdir() even when we shouldn't (no real harm done, but an ugly printk, and obviously you would end up not necessarily seeing all entries). Thanks to Masoud Sharbiani <masouds@google.com> who noticed the problem and had a test-case for it, and also fixed up a thinko in the first version of this patch. Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk> Acked-by:
Masoud Sharbiani <masouds@google.com> Signed-off-by:
Linus Torvalds <torvalds@osdl.org> Signed-off-by:
Chris Wright <chrisw@sous-sol.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
David S. Miller authored
The user can pass us arbitrary garbage so we should ensure the string they give us is null terminated before we pass it on to dev_get_by_index() et al. Found by Solar Designer. Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Alexey Kuznetsov authored
The problem is in ip_push_pending_frames(), which uses: if (!df) { __ip_select_ident(iph, &rt->u.dst, 0); } else { iph->id = htons(inet->id++); } instead of ip_select_ident(). Right now I think the code is a nonsense. Most likely, I copied it from old ip_build_xmit(), where it was really special, we had to decide whether to generate unique ID when generating the first (well, the last) fragment. In ip_push_pending_frames() it does not make sense, it should use plain ip_select_ident() instead. Signed-off-by:Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by:
-
Michael Krufky authored
The cx25840 module requires external firmware in order to function, so it must select FW_LOADER, but saa7115 and saa7129 do not require it. Signed-off-by:
Michael Krufky <mkrufky@linuxtv.org> Cc: Mauro Carvalho Chehab <mchehab@infradead.org> Signed-off-by:
-
Dave Johnson authored
Fix handling of cramfs images created by util-linux containing empty regular files. Images created by cramfstools 1.x were ok. Fill out inode contents in cramfs_iget5_set() instead of get_cramfs_inode() to prevent issues if cramfs_iget5_test() is called with I_LOCK|I_NEW still set. Signed-off-by:
Dave Johnson <djohnson+linux-kernel@sw.starentnetworks.com> Cc: Olaf Hering <olh@suse.de> Cc: Chris Mason <mason@suse.com> Cc: Andreas Gruenbacher <agruen@suse.de> Signed-off-by:
Andrew Morton <akpm@osdl.org> Signed-off-by:
-
Randy Dunlap authored
A recent change to compat. dev_ifconf() in fs/compat_ioctl.c causes ifconf data to be truncated 1 entry too early when copying it to userspace. The correct amount of data (length) is returned, but the final entry is empty (zero, not filled in). The for-loop 'i' check should use <= to allow the final struct ifreq32 to be copied. I also used the ifconf-corruption program in kernel bugzilla #4746 to make sure that this change does not re-introduce the corruption. Signed-off-by:
Randy Dunlap <rdunlap@xenotime.net> Signed-off-by:
-
David S. Miller authored
The size of the skb carrying the netlink message is not equivalent to the length of the actual netlink message due to padding. ip_queue matches the length of the payload against the original packet size to determine if packet mangling is desired, due to the above wrong assumption arbitary packets may not be mangled depening on their original size. Signed-off-by:
Thomas Graf <tgraf@suug.ch> Signed-off-by:
-
Roland Dreier authored
Just fail abort and reset requests that come in after we've already decided to remove a target. This fixes a nasty crash if a storage target goes away. Signed-off-by:
Roland Dreier <rolandd@cisco.com> Signed-off-by:
-
- 05 Mar, 2006 5 commits
-
-
Chris Wright authored
-
Dave Jones authored
Gar.. mm/mempolicy.c: In function 'get_nodes': mm/mempolicy.c:527: error: 'BITS_PER_BYTE' undeclared (first use in this function) mm/mempolicy.c:527: error: (Each undeclared identifier is reported only once mm/mempolicy.c:527: error: for each function it appears in.) About to retry a build with the below patch which should do the trick. (How did this *ever* build?) Signed-off-by:
Dave Jones <davej@redhat.com> Signed-off-by:
-
Chris Wright authored
Compile fix: fs/nfs/direct.c: In function 'nfs_get_user_pages': fs/nfs/direct.c:110: warning: implicit declaration of function 'nfs_free_user_pages' fs/nfs/direct.c: At top level: fs/nfs/direct.c:127: warning: conflicting types for 'nfs_free_user_pages' fs/nfs/direct.c:127: error: static declaration of 'nfs_free_user_pages' follows non-static declaration fs/nfs/direct.c:110: error: previous implicit declaration of 'nfs_free_user_pages' was here This should now be the same as fix that's going upstream. Signed-off-by:
Trond Myklebust <trond.myklebust@fys.uio.no>
-
Tony Luck authored
arch/ia64/kernel/unaligned.c erroneously marked die_if_kernel() with a "noreturn" attribute ... which is silly (it returns whenever the argument regs say that the fault happened in user mode, as one might expect given the "if_kernel" part of its name!). Thanks to Alan and Gareth for pointing this out. Signed-off-by:
Tony Luck <tony.luck@intel.com> Signed-off-by:
-
Arnaldo Carvalho de Melo authored
In 295f7324 I moved defer_accept from tcp_sock to request_queue and mistakingly reset it at reqsl_queue_alloc, causing calls to setsockopt(TCP_DEFER_ACCEPT ) to be lost after bind, the fix is to remove the zeroing of rskq_defer_accept from reqsl_queue_alloc. Thanks to Alexandra N. Kossovsky <Alexandra.Kossovsky@oktetlabs.ru> for reporting and testing the suggested fix. Signed-off-by:
Arnaldo Carvalho de Melo <acme@mandriva.com> Signed-off-by:
-
- 01 Mar, 2006 26 commits
-
-
Chris Wright authored
-
Jack Morgenstein authored
Fix a case where copying max_inline_data from a successful create_qp capabilities output to create_qp input could cause EINVAL error: mthca_set_qp_size must check max_inline_data directly against max_desc_sz; checking qp->sq.max_gs is wrong since max_inline_data depends on the qp type and does not involve max_sg. Signed-off-by:
Jack Morgenstein <jackm@mellanox.co.il> Signed-off-by:
Michael S. Tsirkin <mst@mellanox.co.il> Signed-off-by:
-
Trond Myklebust authored
This is CVE-2006-0555 and SGI bug 946529. A normal user can panic an NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT. Signed-off-by: -
Mike O'Connor authored
This is CVE-2006-0554 and SGI bug 942658. With certain types of ftruncate() activity on 2.6 kernels, XFS can end up exposing stale data off disk to a user, putting extents where holes should be. Signed-off-by: -
Stefan Richter authored
sbp2: fix another deadlock after disconnection If there were commands enqueued but not completed before an SBP-2 unit was unplugged (or an attempt to reconnect failed), knodemgrd or any process which tried to remove the device would sleep uninterruptibly in blk_execute_rq(). Therefore make sure that all commands are completed when sbp2 retreats. Signed-off-by:
Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by:
-
Stefan Richter authored
sd: fix memory corruption with broken mode page headers There's a problem in sd where we blindly believe the length of the headers and block descriptors. Some devices return insane values for these and cause our length to end up greater than the actual buffer size, so check to make sure. Signed-off-by:
James Bottomley <James.Bottomley@SteelEye.com> Signed-off-by:
-
Alexey Kuznetsov authored
netlink overrun was broken while improvement of netlink. Destination socket is used in the place where it was meant to be source socket, so that now overrun is never sent to user netlink sockets, when it should be, and it even can be set on kernel socket, which results in complete deadlock of rtnetlink. Suggested fix is to restore status quo passing source socket as additional argument to netlink_attachskb(). A little explanation: overrun is set on a socket, when it failed to receive some message and sender of this messages does not or even have no way to handle this error. This happens in two cases: 1. when kernel sends something. Kernel never retransmits and cannot wait for buffer space. 2. when user sends a broadcast and the message was not delivered to some recipients. Signed-off-by:
-
Suresh Siddha authored
Fixes a local DOS on Intel systems that lead to an endless recursive fault. AMD machines don't seem to be affected. Signed-off-by:
Suresh Siddha <suresh.b.siddha@intel.com> Signed-off-by:
Andi Kleen <ak@suse.de> Signed-off-by:
-
Stephen Hemminger authored
If skge is attached to a bad cable, that goes up/down. It exposes an SMP race with the management of IRQ mask Signed-off-by:
Stephen Hemminger <shemminger@osdl.org> Signed-off-by:
-
Stephen Hemminger authored
The SysKonnect Genesis based board would fail on initialization with phy_read errors caused by not waiting for last phy write. Signed-off-by:
-
Stephen Hemminger authored
Fix a race in the receive NAPI, irq handling. The interrupt clear and the start need to be separated. Otherwise there is a window between the last frame received and the NAPI done level handling. Signed-off-by:
-
Stephen Hemminger authored
This is a clone of John Linville's fixed for speed setting on sky2 driver. The skge driver has the same code (and bug). It would not allow manually forcing 100 and 10 mbit. Signed-off-by:
-
Kaj-Michael Lang authored
The gbefb driver does not update the framebuffer layers visual setting when depth is changed with fbset, resulting in strange colors (very dark blue in 16-bit, almost black in 24-bit). Signed-off-by:
Kaj-Michael Lang <milang@tal.org> Signed-off-by:
Martin Michlmayr <tbm@cyrius.com> Signed-off-by:
Antonino Daplas <adaplas@pol.net> Cc: <stable@kernel.org> Signed-off-by:
-
Andrew Morton authored
Phil Marek <philipp.marek@bmlv.gv.at> points out that ramfs forgets to update a directory's mtime and ctime when it is modified. Cc: <stable@kernel.org> Signed-off-by:
-
Jun'ichi Nomura authored
Minor number should be freed after del_gendisk(). Otherwise, there could be a window where 2 registered gendisk has same minor number. Signed-off-by:
Jun'ichi Nomura <j-nomura@ce.jp.nec.com> Acked-by:
Alasdair G Kergon <agk@redhat.com> Cc: <stable@kernel.org> Signed-off-by:
-
Jun'ichi Nomura authored
Need to unfreeze and release bdev otherwise the bdev inode with inconsistent state is reused later and cause problem. Signed-off-by:
-
Martin Michlmayr authored
Allocating more than 4 MB memory for the GBE (SGI O2) framebuffer completely breakfs gbefb support at the moment. According to comments on #mipslinux, more than 4 MB has never worked correctly in Linux. Therefore, the default should be 4 MB. Signed-off-by:
-
Simon Vogl authored
Fix a kernel oops for Intel P30 flashes, where the wait queue head was not initialized for the flchip struct, which in turn caused a crash at the first read operation. Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Cc: <stable@kernel.org> Signed-off-by:
-
Takashi Iwai authored
Remove snd_device_free() for an opl3-oss instance which should have been released. Signed-off-by:
Takashi Iwai <tiwai@suse.de> Cc: Jaroslav Kysela <perex@suse.cz> Cc: <stable@kernel.org> Signed-off-by:
-
Juergen Kreileder authored
I'm getting oopses with snd-usb-audio in 32-bit compat environments: control_compat.c:get_ctl_type() doesn't initialize 'info', so 'itemlist[uinfo->value.enumerated.item]' in usbmixer.c:mixer_ctl_selector_info() might access random memory (The 'if ((int)uinfo->value.enumerated.item >= cval->max)' doesn't fix all problems because of the unsigned -> signed conversion.) Signed-off-by:
Juergen Kreileder <jk@blackdown.de> Cc: Jaroslav Kysela <perex@suse.cz> Acked-by:
-
Jean Delvare authored
Only scan I2C address 0x2d. This is the default address and no IT87xxF chip was ever seen on I2C at a different address. These chips are better accessed through their ISA interface anyway. This fixes bug #5889, although it doesn't address the whole class of problems. We'd need the ability to blacklist arbitrary I2C addresses on systems known to contain I2C devices which behave badly when probed. Signed-off-by:
Jean Delvare <khali@linux-fr.org> Signed-off-by:
-
Jean Delvare authored
Fix an oops on it87 module removal when no supported hardware was found. Signed-off-by:
-
Chris Wright authored
Make sure maxnodes is safe size before calculating nlongs in get_nodes(). Signed-off-by:
-
Peter Staubach authored
Fix a deadlock possible in the ext2 file system implementation. This deadlock occurs when a file is removed from an ext2 file system which was mounted with the "sync" mount option. The problem is that ext2_xattr_delete_inode() was invoking the routine, sync_dirty_buffer(), using a buffer head which was previously locked via lock_buffer(). The first thing that sync_dirty_buffer() does is to lock the buffer head that it was passed. It does this via lock_buffer(). Oops. The solution is to unlock the buffer head in ext2_xattr_delete_inode() before invoking sync_dirty_buffer(). This makes the code in ext2_xattr_delete_inode() obey the same locking rules as all other callers of sync_dirty_buffer() in the ext2 file system implementation. Signed-off-by:
Peter Staubach <staubach@redhat.com> Signed-off-by:
-
Oleg Nesterov authored
1. The tracee can go from ptrace_stop() to do_signal_stop() after __ptrace_unlink(p). 2. It is unsafe to __ptrace_unlink(p) while p->parent may wait for tasklist_lock in ptrace_detach(). Signed-off-by:
Oleg Nesterov <oleg@tv-sign.ru> Cc: Roland McGrath <roland@redhat.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: Christoph Hellwig <hch@lst.de> Cc: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by:
-
Adrian Drzewiecki authored
Looks like somebody forgot to use the _bh spin_lock variant. We ran into a deadlock where br->hello_timer expired while br_stp_disable_br() walked br->port_list. Signed-off-by:
Adrian Drzewiecki <z@drze.net> Signed-off-by:
-
