1. 19 Apr, 2004 10 commits
    • [PATCH] e1000: fix probable security hole · bf31652c
      Chris Wright authored
      * Ken Ashcraft (ken@coverity.com) wrote:
      > [BUG]
      > /home/kash/linux/linux-2.6.5/drivers/net/e1000/e1000_ethtool.c:1494:e1000_ethtool_ioctl: ERROR:TAINT: 1487:1494:Passing unbounded user value "(regs).len" as arg 2 to function "copy_to_user", which uses it unsafely in model [SOURCE_MODEL=(lib,copy_from_user,user,taintscalar)] [SINK_MODEL=(lib,copy_to_user,user,trustingsink)]    [PATH=]
      > 	}
      > 	case ETHTOOL_GREGS: {
      > 		struct ethtool_regs regs = {ETHTOOL_GREGS};
      > 		uint32_t regs_buff[E1000_REGS_LEN];
      >
      > Start --->
      > 		if(copy_from_user(&regs, addr, sizeof(regs)))
      > 			return -EFAULT;
      > 		e1000_ethtool_gregs(adapter, &regs, regs_buff);
      > 		if(copy_to_user(addr, &regs, sizeof(regs)))
      > 			return -EFAULT;
      >
      > 		addr += offsetof(struct ethtool_regs, data);
      > Error --->
      > 		if(copy_to_user(addr, regs_buff, regs.len))
      > 			return -EFAULT;
      >
      > 		return 0;
      
      Looks like a bug.  Possible patch below zeros the buffer (since it's not
      filled completely by e1000_ethtool_gregs()), and truncates len.
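
A user-space model of the ETHTOOL_GREGS case reported above, written for this page as an added example (it is not the e1000 driver code or the patch itself). `REGS_LEN`, `FILLED`, the frame layout and the register values are assumptions; it counts how many stale bytes reach the caller with and without the two steps the message names, zeroing the buffer and truncating len.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REGS_LEN 32    /* stand-in for E1000_REGS_LEN (value assumed) */
#define FILLED   24    /* words the dump routine writes (assumed) */
#define STALE    0xAA  /* marks bytes left over from earlier stack use */

/* Model of the ioctl's stack frame: the register buffer and what follows it. */
struct frame {
    uint32_t regs_buff[REGS_LEN];
    uint8_t  other_stack[64];
};

static uint8_t user_buf[sizeof(struct frame)];  /* the caller's buffer */

/* Like the dump routine in the report: fills only part of regs_buff. */
static void fill_regs(uint32_t *buf)
{
    for (uint32_t i = 0; i < FILLED; i++)
        buf[i] = i + 1;            /* constructed register values */
}

/* Serve one request; return how many stale bytes reached user_buf. */
static size_t gregs(uint32_t user_len, int patched)
{
    struct frame f;
    size_t len = user_len, leaked = 0;

    memset(&f, STALE, sizeof(f));              /* earlier stack contents */
    if (patched) {
        memset(f.regs_buff, 0, sizeof(f.regs_buff));  /* zero the buffer */
        if (len > sizeof(f.regs_buff))                /* truncate len */
            len = sizeof(f.regs_buff);
    }
    fill_regs(f.regs_buff);

    if (len > sizeof(f))           /* keep the model itself in bounds; */
        len = sizeof(f);           /* the unpatched driver had no limit */
    memcpy(user_buf, &f, len);     /* stands in for copy_to_user() */

    for (size_t i = 0; i < len; i++)
        leaked += (user_buf[i] == STALE);
    return leaked;
}

int main(void)
{
    printf("unpatched, len=192: %zu stale bytes\n", gregs(192, 0));
    printf("patched,   len=192: %zu stale bytes\n", gregs(192, 1));
    return 0;
}
```
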
    • [PATCH] fix warning in drivers/net/tulip/timer.c · 27de7466
      Adrian Bunk authored
      I get the following warning in 2.6.5-mm6 and 2.6.6-rc1:
      
      <--  snip  -->
      
      ...
        CC      drivers/net/tulip/timer.o
      drivers/net/tulip/timer.c: In function `comet_timer':
      drivers/net/tulip/timer.c:156: warning: unused variable `ioaddr'
      ...
      
      <--  snip  -->
      
      
      Since the
         [netdrvr tulip] add MII support for Comet chips
      patch has removed the only use of this variable, the fix is simple:
    • [netdrvr r8169] remove driver-local DMA_xxBIT_MASK definitions · 35fd5c4b
      Jeff Garzik authored
      They are now upstream, we don't need driver-local ones anymore.
    • Jeff Garzik's avatar
      96f2c4a4
    • [hamradio baycom] Remove bogus check in interrupt handler · 62424348
      Jeff Garzik authored
      Tangentially noticed by Stanford checker.
    • [PATCH] remove redundant check in de2104x ->get_regs() · 395ac660
      Chris Wright authored
      Trivial patchlet...ethtool core already caps regs.len at a max of
      ->get_regs_len():
      
      	reglen = ops->get_regs_len(dev);
      	if (regs.len > reglen)
      		regs.len = reglen;
      
      So doing the same in the de2104x driver ->get_regs() is redundant.
      Patch below simply removes it to clarify the guarantee of the API.
    • [PATCH] wan sdla: fix probable security hole · 98cd917c
      Chris Wright authored
      > [BUG] minor
      > /home/kash/linux/linux-2.6.5/drivers/net/wan/sdla.c:1206:sdla_xfer:
      > ERROR:TAINT: 1201:1206:Passing unbounded user value "(mem).len" as arg 0
      > to function "kmalloc", which uses it unsafely in model
      > [SOURCE_MODEL=(lib,copy_from_user,user,taintscalar)]
      > [SINK_MODEL=(lib,kmalloc,user,trustingsink)]  [MINOR]  [PATH=] [Also
      > used at, line 1219 in argument 0 to function "kmalloc"]
      > static int sdla_xfer(struct net_device *dev, struct sdla_mem *info, int
      > read)
      > {
      > 	struct sdla_mem mem;
      > 	char	*temp;
      >
      > Start --->
      > 	if(copy_from_user(&mem, info, sizeof(mem)))
      > 		return -EFAULT;
      >
      > 	if (read)
      > 	{
      > Error --->
      > 		temp = kmalloc(mem.len, GFP_KERNEL);
      > 		if (!temp)
      > 			return(-ENOMEM);
      > 		sdla_read(dev, mem.addr, temp, mem.len);
      
      Hrm, I believe you could use this to read 128k of kernel memory.
      sdla_read() takes len as a short, whereas mem.len is an int.  So,
      if mem.len == 0x20000, the allocation could still succeed.  When cast
      to short, len will be 0x0, causing the read loop to copy nothing into
      the buffer.  At least it's protected by a capable() check.  I don't
      know what proper upper bound is for this hardware, or how much it's
      used/cared about.  Simple memset() is trivial fix.
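
A user-space model of the int-to-short narrowing described in the message above, written for this page as an added example (it is not the sdla driver code or the patch itself). `stale_alloc`, `card_read` and `xfer_read` are hypothetical stand-ins, and the final loop assumes the buffer goes back to the caller at the full mem.len, as the message's "read 128k of kernel memory" implies; the narrowing wraps modulo 2^16 as it does on the usual compilers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0x5A   /* marks bytes left over from an earlier allocation */

/* Stand-in for kmalloc(): the memory comes back with old contents. */
static uint8_t *stale_alloc(size_t n)
{
    uint8_t *p = malloc(n);
    if (p)
        memset(p, STALE, n);
    return p;
}

/* Stand-in for sdla_read(): the length parameter is a short. */
static void card_read(uint8_t *dst, short len)
{
    for (int i = 0; i < len; i++)
        dst[i] = 0x11;           /* constructed "card memory" byte */
}

/* One read transfer; returns the stale bytes left in the returned buffer. */
static long xfer_read(int user_len, int patched)
{
    long stale = 0;
    uint8_t *temp;

    if (user_len <= 0)           /* keeps the model defined; not in the driver */
        return -1;
    temp = stale_alloc((size_t)user_len);
    if (!temp)
        return -1;
    if (patched)
        memset(temp, 0, (size_t)user_len);   /* the memset() fix */

    card_read(temp, (short)user_len);        /* int narrowed to short */

    for (int i = 0; i < user_len; i++)       /* assumed copy-out of mem.len bytes */
        stale += (temp[i] == STALE);
    free(temp);
    return stale;
}

int main(void)
{
    printf("len=0x20000 unpatched: %ld stale bytes\n", xfer_read(0x20000, 0));
    printf("len=0x20000 patched:   %ld stale bytes\n", xfer_read(0x20000, 1));
    return 0;
}
```
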
    • [wireless orinoco] Remove bogus !dev check · 3ce12aab
      Jeff Garzik authored
      Caught by Stanford checker.
    • [PATCH] 3c509 oops fix · e059aa85
      Andrew Morton authored
      If __ISAPNP__ and CONFIG_X86_PC9800 are not set, we forget to link the device
      into the global chain and el3_init_module dereferences NULL.
    • [PATCH] mace register_netdev printk · 0847467e
      Olaf Hering authored
      small cosmetic fix for powermac mace network driver.
      
      eth%d: MACE at 00:05:02:f4:1b:1d, chip revision 25.64
      vs.
      eth0: MACE at 00:05:02:f4:1b:1d, chip revision 25.64
  2. 18 Apr, 2004 21 commits
    • Merge bk://bk.arm.linux.org.uk/linux-2.6-rmk · d5b1f484
      Linus Torvalds authored
      into ppc970.osdl.org:/home/torvalds/v2.6/linux
    • [ARM] Clean up ARM includes · 53bfadf7
      Russell King authored
      This removes a number of unnecessary includes from the ARM specific
      files throughout the kernel.  Most notably asm/pgalloc.h is
      needlessly included in several places.  There were some places
      including it as a means to get at the cache flushing functions,
      so this has been corrected.
    • [PATCH] Fix typo in previous patch · a5d43dcf
      Benjamin Herrenschmidt authored
      This is my brown paper bag day, I sent you the wrong patch for
      fixing the deadlock in rtas.c, here's one to apply on top of current
      bk that fixes build.
    • Linus Torvalds's avatar
      3fd2eaad
    • [PATCH] Amiga Zorro8390 Ethernet KERN_* · 29f9b4d8
      Geert Uytterhoeven authored
      Amiga Zorro8390 Ethernet: Add KERN_* prefixes to printk() messages
    • [PATCH] Amiga Hydra Ethernet KERN_* · 0243dbb6
      Geert Uytterhoeven authored
      Amiga Hydra Ethernet: Add KERN_* prefixes to printk() messages
    • [PATCH] Amiga Ariadne Ethernet KERN_* · d79459da
      Geert Uytterhoeven authored
      Amiga Ariadne Ethernet: Add KERN_* prefixes to printk() messages
    • [PATCH] Amiga A2065 Ethernet debug · c934f504
      Geert Uytterhoeven authored
      Amiga A2065 Ethernet: Add missing variable in debug code
    • [PATCH] fix visws build · 2b2f6d9a
      Andrew Morton authored
      From: Andrey Panin <pazke@donpac.ru>
      
      this small patch fixes visws build error in 2.6.5.
    • [PATCH] Fix laptop mode writeback triggered by hdparm -y. · 247aea28
      Andrew Morton authored
      From: Bart Samwel <bart@samwel.tk>
      
      Currently, an `hdparm -Y' can trigger a sync in laptop mode.  We should
      only count fs-originated requests as being "disk activity".
    • [PATCH] set_anon_super locking fix · 4e79ee42
      Andrew Morton authored
      Take the idr's lock while removing an element on the error path.  Spotted by
      Nathan Lynch <nathanl@austin.ibm.com>.
    • [PATCH] Print warning for common symbols in modules · 8eeff89b
      Andrew Morton authored
      From: Rusty Russell <rusty@rustcorp.com.au>
      
      People still build modules wrong, particularly without -fno-common.  The
      resulting modules don't load, but we should at least warn about it.
    • [PATCH] jbd: journal_dirty_metadata locking speedup · 2c941f77
      Andrew Morton authored
      Reduce the locking coverage of the oft-used j_list_lock: the per-bh
      jbd_lock_bh_state() gives us sufficient locking of buffer_head and
      journal_head internals.
    • [PATCH] rmap: nonlinear truncation · dd9fd0e0
      Andrew Morton authored
      From: Hugh Dickins <hugh@veritas.com>
      
      The earlier changes introducing PageAnon left truncated pages mapped into
      nonlinear vmas unswappable.  Once we go to object-based rmap, it's
      impossible to find where file page is mapped once page->mapping cleared:
      switching them to anonymous is odd, and breaks strict commit accounting.
      
      So now handle truncation of nonlinear vmas correctly.  And factor in
      Daniel's cluster filesystem needs while we're there: when invalidating
      local cache, we do want to unmap shared pages from all mms, but we do not
      want to discard private COWed modifications of those pages (which
      truncation discards to satisfy the SIGBUS semantics demanded by specs).
      
      Drew from Daniel's patch (LKML 2 Mar 04), but didn't always follow it;
      fewer name changes, but still some - "unmap" rather than "invalidate".
      zap_page_range is not exported, safe to give it and all the too-many layers
      an extra zap_details arg, in normal cases just NULL.
      
      Given details, zap_pte_range checks page mapping or index to skip anon or
      untruncated pages.  I didn't realize before implementing, that in nonlinear
      case, it should set a file pte when truncating - otherwise linear pages
      might appear in place of SIGBUS.  I suspect this implies that ->populate
      functions ought to set file ptes beyond EOF instead of failing, but haven't
      changed them as yet.
      
      To avoid making yet another copy of that ugly linear pgidx test, added
      inline function linear_page_index (to pagemap.h to get PAGE_CACHE_SIZE,
      though as usual things don't really work if it differs from PAGE_SIZE). 
      Ooh, I thought I'd removed ___add_to_page_cache last time, do so now.
      
      unmap_page_range static, shift its hugepage check up into sole caller
      unmap_vmas.  Killed "killme" debug from unmap_vmas, not seen it trigger.
      unmap_mapping_range is exported without restriction: I'm one of those who
      believe it should be generally available.  But I'm wrongly placed to decide
      that, probably just sob quietly to myself if _GPL added later.
    • [PATCH] rmap: swap_unplug page · 3df9aaf3
      Andrew Morton authored
      From: Hugh Dickins <hugh@veritas.com>
      
      Good example of "swapper_space considered harmful": swap_unplug_io_fn was
      originally designed for calling via swapper_space.backing_dev_info; but
      that way it loses track of which device is to be unplugged, so had to
      unplug all swap devices.  But now sync_page tests SwapCache anyway, can
      call swap_unplug_io_fn with page, which leads direct to the device.
      
      Reverted -mc4's CONFIG_SWAP=n fix, just add another NOTHING for it.
      Reverted -mc3's editorial adjustments to swap_backing_dev_info and
      swapper_space initializations: they document the few fields which are
      actually used now, as comment above them says (sound of slapped wrist).
    • [PATCH] rmap: flush_dcache revisited · c4d92e6b
      Andrew Morton authored
      From: Hugh Dickins <hugh@veritas.com>
      
      One of the callers of flush_dcache_page is do_generic_mapping_read, where
      file is read without i_sem and without page lock: concurrent truncation may
      at any moment remove page from cache, NULLing ->mapping, making
      flush_dcache_page liable to oops.  Put result of page_mapping in a local
      variable and apply mapping_mapped to that (if we were to check for NULL
      within mapping_mapped, it's unclear whether to say yes or no).
      
      parisc and arm do have other locking unsafety in their i_mmap(_shared)
      searching, but that's a larger issue to be dealt with down the line.
    • [PATCH] Oprofilefs can't handle > 99 cpus · 1896ae13
      Andrew Morton authored
      From: Anton Blanchard <anton@samba.org>
      
      Oprofilefs can't handle > 99 cpus. This should fix it.
    • [PATCH] Fix unix module · 17ee20ae
      Andrew Morton authored
      From: Rusty Russell <rusty@rustcorp.com.au>
      
      # lsmod
      Module                  Size  Used by
      1                      26060  6
      #
      
      The compiler #define's unix to 1: we use -DKBUILD_MODNAME=unix.  We used to
      #undef unix at the top of af_unix.c, but now the name is inserted by
      modpost, that doesn't help.
      
      #undef unix in modpost.c's generated C file.
    • [PATCH] ppc64: Fix CPU hot unplug deadlock · 26214e32
      Andrew Morton authored
      From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      
      My RTAS locking fixes incorrectly added a spinlock around the function used
      to stop a CPU, that function never returns, thus the lock becomes stale.
      The correct fix is to disable interrupts instead (the RTAS params being
      per-CPU, this should be safe enough)
    • Allow non-LFS sendfile to work on LFS files. · f5e277c5
      Linus Torvalds authored
      But obviously only if we're not passing in any offset pointer.
      
      This is how 2.4.x worked, and vsftpd relies on it.
      
      Bug reported by Chris <chris@scary.beasts.org>
    • Merge master.kernel.org:/home/davem/BK/net-2.6 · a9eb9eb7
      Linus Torvalds authored
      into ppc970.osdl.org:/home/torvalds/v2.6/linux
  3. 17 Apr, 2004 9 commits
    • [ARM] Add detailed documentation concerning ARM page tables · f6e8a90d
      Russell King authored
      This adds detailed documentation concerning how we map the Linux
      page table structure onto the hardware tables on ARM.  In addition,
      it also adds documentation describing how we emulate the "dirty"
      and "young" or "accessed" page table bits.
      
      This should be of interest to Linux MM developers.
    • [PATCH] Fix vma corruption · e4cf8264
      Hugh Dickins authored
      It occurred to me that if vma and new_vma are one and the same, then
      vma_relink_file will not do a good job of linking it after itself - in
      that pretty unlikely case when move_page_tables fails.
      
      And more generally, whenever copy_vma's vma_merge succeeds, we have no
      guarantee that old vma comes before new_vma in the i_mmap lists, as we
      need to satisfy Rajesh's point: that ordering is only guaranteed in the
      newly allocated case.
      
      We have to abandon the ordering method when/if we move from lists to
      prio_trees, so this patch switches to the less glamorous use of
      i_shared_sem exclusion, as in my prio_tree mremap.
    • [PATCH] Remove unused 'kobject' from superblock · 3ba9ac07
      Alexander Viro authored
      The field in question is
        a) unused
        b) damn next to impossible to use correctly, due to struct super_block
           lifetime and locking rules.
    • Merge bk://bk.arm.linux.org.uk/linux-2.6-pcmcia · f8f9945f
      Linus Torvalds authored
      into ppc970.osdl.org:/home/torvalds/v2.6/linux
    • Merge bk://bk.arm.linux.org.uk/linux-2.6-serial · 1ea0721d
      Linus Torvalds authored
      into ppc970.osdl.org:/home/torvalds/v2.6/linux
    • [SERIAL] Use module_param/module_param_array · 2dff0579
      Russell King authored
      Update serial to use new module parameters rather than
      MODULE_PARM.
    • [SERIAL] Remove check_region() · ae1b4721
      Russell King authored
    • Merge bk://bk.arm.linux.org.uk/linux-2.6-rmk · c7a7273c
      Linus Torvalds authored
      into ppc970.osdl.org:/home/torvalds/v2.6/linux
    • [PCMCIA] Conversion to module_param · 32ee9eec
      Pavel Roskin authored
      Patch from: Pavel Roskin
      
      As it turns out, mixing MODULE_PARM and module_param in one module is
      wrong.  The parameters specified in module_param are ignored.  I've just
      posted a patch to LKML that will detect this condition and warn about it.
      
      The new debugging code used the new-style module_param, which means that
      all instances of MODULE_PARM should be converted.  The attached patch does
      that.
      
      An additional bonus is that module_param_array provides the number of
      array elements.  This allowed me to change tcic.c and i82365.c to use
      this number for IRQ list.  This change was tested with i82365.  If
      "irq_list" is not specified, irq_list_count is 0.
      
      I set all permissions to 0444 to be safe.  I think we have no secrets
      from the users regarding those parameters.  If some parameters can be
      changed safely at the runtime, the permissions could be changed to 0644.
      I didn't examine how safe (and how useful) it would be, so it's 0444 for
      now.