1. 20 May, 2006 12 commits
    • Kristen Accardi's avatar
      [PATCH] PCI: correctly allocate return buffers for osc calls · 0cf72aa6
      Kristen Accardi authored
      The OSC set and query functions do not allocate enough space for return values,
      and set the output buffer length to a false, too large value.  This causes the
      acpi-ca code to assume that the output buffer is larger than it actually is,
      and overwrite memory when copying acpi return buffers into this caller provided
      buffer.  In some cases this can cause kernel oops if the memory that is
      overwritten is a pointer.  This patch will change these calls to use a
      dynamically allocated output buffer, thus allowing the acpi-ca code to decide
      how much space is needed.
      Signed-off-by: default avatarKristen Carlson Accardi <kristen.c.accardi@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      0cf72aa6
    • Serge E. Hallyn's avatar
      [PATCH] selinux: check for failed kmalloc in security_sid_to_context() · 3220ee4a
      Serge E. Hallyn authored
      Check for NULL kmalloc return value before writing to it.
      Signed-off-by: default avatarSerge E. Hallyn <serue@us.ibm.com>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      3220ee4a
    • Karsten Keil's avatar
      [PATCH] TG3: ethtool always report port is TP. · 39970bdd
      Karsten Keil authored
      Even with fiber cards ethtool reports that the connected port is TP,
      the patch fix this.
      Signed-off-by: default avatarKarsten Keil <kkeil@suse.de>
      Acked-by: default avatarMichael Chan <mchan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      39970bdd
    • Chris Wright's avatar
      [PATCH] Netfilter: do_add_counters race, possible oops or info leak (CVE-2006-0039) · 893acf3c
      Chris Wright authored
      Solar Designer found a race condition in do_add_counters(). The beginning
      of paddc is supposed to be the same as tmp which was sanity-checked
      above, but it might not be the same in reality. In case the integer
      overflow and/or the race condition are triggered, paddc->num_counters
      might not match the allocation size for paddc. If the check below
      (t->private->number != paddc->num_counters) nevertheless passes (perhaps
      this requires the race condition to be triggered), IPT_ENTRY_ITERATE()
      would read kernel memory beyond the allocation size, potentially causing
      an oops or leaking sensitive data (e.g., passwords from host system or
      from another VPS) via counter increments.  This requires CAP_NET_ADMIN.
      
      https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191698
      
      Cc: Solar Designer <solar@openwall.com>
      Cc: Kirill Korotaev <dev@sw.ru>
      Cc: Patrick McHardy <kaber@trash.net>
      (chrisw: rebase of Kirill's patch to 2.6.16.16)
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      893acf3c
    • Jean Delvare's avatar
      [PATCH] scx200_acb: Fix resource name use after free · 9a4a3539
      Jean Delvare authored
      We can't pass a string on the stack to request_region. As soon as we
      leave the function that stack is gone and the string is lost. Let's
      use the same string we identify the i2c_adapter with instead, it's
      more simple, more consistent, and just works.
      
      This is the second half of fix to bug #6445.
      Signed-off-by: default avatarJean Delvare <khali@linux-fr.org>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      9a4a3539
    • Carl-Daniel Hailfinger's avatar
      [PATCH] smbus unhiding kills thermal management · a9cacd68
      Carl-Daniel Hailfinger authored
      Do not enable the SMBus device on Asus boards if suspend is used.  We do
      not reenable the device on resume, leading to all sorts of undesirable
      effects, the worst being a total fan failure after resume on Samsung P35
      laptop.
      
      This fixes bug #6449 at bugzilla.kernel.org.
      Signed-off-by: default avatarCarl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net>
      Signed-off-by: default avatarPavel Machek <pavel@suse.cz>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarJean Delvare <khali@linux-fr.org>
      a9cacd68
    • Alexey Dobriyan's avatar
      [PATCH] fs/compat.c: fix 'if (a |= b )' typo · 41c83627
      Alexey Dobriyan authored
      Mentioned by Mark Armbrust somewhere on Usenet.
      Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
      Cc: Ulrich Drepper <drepper@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      41c83627
    • Jan Niehusmann's avatar
      [PATCH] smbfs: Fix slab corruption in samba error path · 0ce77590
      Jan Niehusmann authored
      Yesterday, I got the following error with 2.6.16.13 during a file copy from
      a smb filesystem over a wireless link.  I guess there was some error on the
      wireless link, which in turn caused an error condition for the smb
      filesystem.
      
      In the log, smb_file_read reports error=4294966784 (0xfffffe00), which also
      shows up in the slab dumps, and also is -ERESTARTSYS.  Error code 27499
      corresponds to 0x6b6b, so the rq_errno field seems to be the only one being
      set after freeing the slab.
      
      In smb_add_request (which is the only place in smbfs where I found
      ERESTARTSYS), I found the following:
      
              if (!timeleft || signal_pending(current)) {
                      /*
                       * On timeout or on interrupt we want to try and remove the
                       * request from the recvq/xmitq.
                       */
                      smb_lock_server(server);
                      if (!(req->rq_flags & SMB_REQ_RECEIVED)) {
                              list_del_init(&req->rq_queue);
                              smb_rput(req);
                      }
                      smb_unlock_server(server);
              }
      	[...]
              if (signal_pending(current))
                      req->rq_errno = -ERESTARTSYS;
      
      I guess that some codepath like smbiod_flush() caused the request to be
      removed from the queue, and smb_rput(req) be called, without
      SMB_REQ_RECEIVED being set.  This violates an asumption made by the quoted
      code.
      
      Then, the above code calls smb_rput(req) again, the req gets freed, and
      req->rq_errno = -ERESTARTSYS writes into the already freed slab.  As
      list_del_init doesn't cause an error if called multiple times, that does
      cause the observed behaviour (freed slab with rq_errno=-ERESTARTSYS).
      
      If this observation is correct, the following patch should fix it.
      
      I wonder why the smb code uses list_del_init everywhere - using list_del
      instead would catch such situations by poisoning the next and prev
      pointers.
      
      May  4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Firmware error detected.  Restarting.
      May  4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Sysfs 'error' log captured.
      May  4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Firmware error detected.  Restarting.
      May  4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Sysfs 'error' log already exists.
      May  4 23:33:02 knautsch kernel: [17180306.968000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:34:18 knautsch kernel: [17180383.256000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:34:18 knautsch kernel: [17180383.284000] SMB connection re-established (-5)
      May  4 23:37:19 knautsch kernel: [17180563.956000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:40:09 knautsch kernel: [17180733.636000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:40:26 knautsch kernel: [17180750.700000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:43:02 knautsch kernel: [17180907.304000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:43:08 knautsch kernel: [17180912.324000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:43:34 knautsch kernel: [17180938.416000] smb_errno: class Unknown, code 27499 from command 0x6b
      May  4 23:43:34 knautsch kernel: [17180938.416000] Slab corruption: start=c4ebe09c, len=244
      May  4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
      May  4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
      May  4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
      May  4 23:43:34 knautsch kernel: [17180938.416000] 0f0: 00 fe ff ff
      May  4 23:43:34 knautsch kernel: [17180938.416000] Next obj: start=c4ebe19c, len=244
      May  4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
      May  4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
      May  4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
      May  4 23:43:34 knautsch kernel: [17180938.416000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
      May  4 23:43:34 knautsch kernel: [17180938.460000] SMB connection re-established (-5)
      May  4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Firmware error detected.  Restarting.
      May  4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Sysfs 'error' log already exists.
      May  4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Firmware error detected.  Restarting.
      May  4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Sysfs 'error' log already exists.
      May  4 23:45:05 knautsch kernel: [17181029.868000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:45:36 knautsch kernel: [17181060.984000] smb_errno: class Unknown, code 27499 from command 0x6b
      May  4 23:45:36 knautsch kernel: [17181060.984000] Slab corruption: start=c4ebe09c, len=244
      May  4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
      May  4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
      May  4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
      May  4 23:45:36 knautsch kernel: [17181060.984000] 0f0: 00 fe ff ff
      May  4 23:45:36 knautsch kernel: [17181060.984000] Next obj: start=c4ebe19c, len=244
      May  4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
      May  4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
      May  4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
      May  4 23:45:36 knautsch kernel: [17181060.984000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
      May  4 23:45:36 knautsch kernel: [17181061.024000] SMB connection re-established (-5)
      May  4 23:46:17 knautsch kernel: [17181102.132000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:47:46 knautsch kernel: [17181190.468000] smb_errno: class Unknown, code 27499 from command 0x6b
      May  4 23:47:46 knautsch kernel: [17181190.468000] Slab corruption: start=c4ebe09c, len=244
      May  4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
      May  4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
      May  4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
      May  4 23:47:46 knautsch kernel: [17181190.468000] 0f0: 00 fe ff ff
      May  4 23:47:46 knautsch kernel: [17181190.468000] Next obj: start=c4ebe19c, len=244
      May  4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
      May  4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
      May  4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
      May  4 23:47:46 knautsch kernel: [17181190.468000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
      May  4 23:47:46 knautsch kernel: [17181190.492000] SMB connection re-established (-5)
      May  4 23:49:20 knautsch kernel: [17181284.828000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:49:39 knautsch kernel: [17181303.896000] smb_file_read: //some_file validation failed, error=4294966784
      Signed-off-by: default avatarJan Niehusmann <jan@gondor.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      0ce77590
    • Trond Myklebust's avatar
      [PATCH] fs/locks.c: Fix sys_flock() race · cad6178c
      Trond Myklebust authored
      sys_flock() currently has a race which can result in a double free in the
      multi-thread case.
      
      Thread 1			Thread 2
      
      sys_flock(file, LOCK_EX)
      				sys_flock(file, LOCK_UN)
      
      If Thread 2 removes the lock from inode->i_lock before Thread 1 tests for
      list_empty(&lock->fl_link) at the end of sys_flock, then both threads will
      end up calling locks_free_lock for the same lock.
      
      Fix is to make flock_lock_file() do the same as posix_lock_file(), namely
      to make a copy of the request, so that the caller can always free the lock.
      
      This also has the side-effect of fixing up a reference problem in the
      lockd handling of flock.
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      cad6178c
    • Pete Zaitcev's avatar
      [PATCH] USB: ub oops in block_uevent · 572ae685
      Pete Zaitcev authored
      In kernel 2.6.16, if a mounted storage device is removed, an oops happens
      because ub supplies an interface device (and kobject) to the block layer,
      but neglects to pin it. And apparently, the block layer expects its users
      to pin device structures.
      
      The code in ub was broken this way for years. But the bug was exposed only
      by 2.6.16 when it started to call block_uevent on close, which traverses
      device structures (kobjects actually).
      Signed-off-by: default avatarPete Zaitcev <zaitcev@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      572ae685
    • Craig Brind's avatar
      [PATCH] via-rhine: zero pad short packets on Rhine I ethernet cards · 3aa2b052
      Craig Brind authored
      Fixes Rhine I cards disclosing fragments of previously transmitted frames
      in new transmissions.
      
      Before transmission, any socket buffer (skb) shorter than the ethernet
      minimum length of 60 bytes was zero-padded.  On Rhine I cards the data can
      later be copied into an aligned transmission buffer without copying this
      padding.  This resulted in the transmission of the frame with the extra
      bytes beyond the provided content leaking the previous contents of this
      buffer on to the network.
      
      Now zero-padding is repeated in the local aligned buffer if one is used.
      
      Following a suggestion from the via-rhine maintainer, no attempt is made
      here to avoid the duplicated effort of padding the skb if it is known that
      an aligned buffer will definitely be used.  This is to make the change
      "obviously correct" and allow it to be applied to a stable kernel if
      necessary.  There is no change to the flow of control and the changes are
      only to the Rhine I code path.
      
      The patch has run on an in-service Rhine-I host without incident.  Frames
      shorter than 60 bytes are now correctly zero-padded when captured on a
      separate host.  I see no unusual stats reported by ifconfig, and no unusual
      log messages.
      Signed-off-by: default avatarCraig Brind <craigbrind@gmail.com>
      Signed-off-by: default avatarRoger Luethi <rl@hellgate.ch>
      Cc: Jeff Garzik <jeff@garzik.org>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarJeff Garzik <jeff@garzik.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      3aa2b052
    • NeilBrown's avatar
      [PATCH] md: Avoid oops when attempting to fix read errors on raid10 · 37f94ce7
      NeilBrown authored
      We should add to the counter for the rdev *after* checking if the rdev is
      NULL!!!
      Signed-off-by: default avatarNeil Brown <neilb@suse.de>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      37f94ce7
  2. 11 May, 2006 2 commits
  3. 09 May, 2006 5 commits
  4. 05 May, 2006 2 commits
  5. 02 May, 2006 2 commits
  6. 01 May, 2006 17 commits