- 29 Nov, 2006 2 commits
-
-
Chris Wright authored
-
Chris Wright authored
Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751). Signed-off-by:
Chris Wright <chrisw@sous-sol.org> Acked-by:
Eugene Teo <eteo@redhat.com> Acked-by:
Marcel Holtmann <marcel@holtmann.org> Signed-off-by:
Linus Torvalds <torvalds@osdl.org>
-
- 19 Nov, 2006 29 commits
-
-
Chris Wright authored
-
Steve French authored
unlock in case where server does not support POSIX locks and nobrl is not specified. Signed-off-by:
Steve French <sfrench@us.ibm.com> Signed-off-by:
-
Steve French authored
Fixes Samba bugzilla bug # 4182 Rename by handle failures (retry after rename by path) were not being returned back. Signed-off-by:
-
Jens Axboe authored
cciss needs to call disk_stat_add() for iostat to work. Signed-off-by:
Jens Axboe <jens.axboe@oracle.com> Signed-off-by:
-
Jens Axboe authored
cpqarray needs to call disk_stat_add() for iostat to work. Signed-off-by:
-
Jiri Slaby authored
port is dereferenced even if it is NULL. Dereference it _after_ the check if (!port)... Thanks Eric <ef87@yahoo.com> for reporting this. This fixes http://bugzilla.kernel.org/show_bug.cgi?id=7527 Signed-off-by:
Jiri Slaby <jirislaby@gmail.com> Signed-off-by:
-
Jens Axboe authored
Contrary to what the name misleads you to believe, SG_DXFER_TO_FROM_DEV is really just a normal read seen from the device side. This patch fixes http://lkml.org/lkml/2006/10/13/100 Signed-off-by:
-
David Miller authored
The PCI sysfs attributes are created after the initial PCI bus scan. With the addition of more return value checking and assertions in the device and sysfs layers we now can get dumps like this on sparc64: [ 20.135032] Call Trace: [ 20.135042] [0000000000537f88] pci_remove_bus_device+0x30/0xc0 [ 20.135076] [000000000078f890] pci_fill_in_pbm_cookies+0x98/0x440 [ 20.135109] [000000000042e828] sabre_scan_bus+0x230/0x400 [ 20.135139] [000000000078c710] pcibios_init+0x58/0xa0 [ 20.135159] [0000000000416f14] init+0x9c/0x2e0 [ 20.135190] [0000000000417a50] kernel_thread+0x38/0x60 [ 20.135211] [0000000000417170] rest_init+0x18/0x40 [ 20.135514] PCI0(PBMB): Bus running at 33MHz It's triggering because removal of the "config" PCI sysfs file for the device fails. On sparc64, after probing the device, we'll delete the PCI device via pci_remove_bus_device() if we cannot find the firmware device tree node corresponding to it. This is fine, but at this point the sysfs files for the PCI device won't be setup yet. So we should not try to do anything in pci_remove_sysfs_dev_files() if pci_sysfs_init() has not run yet. Signed-off-by:
David S. Miller <davem@davemloft.net> Acked-by:
Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by:
Andrew Morton <akpm@osdl.org> Signed-off-by:
-
Wink Saville authored
The following patch resolves the divide by zero error I encountered on my system: http://marc.10east.com/?l=linux-fbdev-devel&m=116058257024413&w=2 I accomplished this by merging what I thought was appropriate from: http://webcvs.freedesktop.org/xorg/driver/xf86-video-nv/src/ Signed-off-by:
-
Dave Jones authored
This caused suspend/resume regressions. Signed-off-by:
Dave Jones <davej@redhat.com> Signed-off-by:
-
Adrian Bunk authored
initlvl=2 in seclvl gives the guarantee "Cannot decrement the system time". But it was possible to set the time to the maximum unixtime value (19 Jan 2038) resulting in a wrap to the minimum value. This patch fixes this by disallowing setting the time to any date after 2030 with initlvl=2. This patch does not apply to kernel 2.6.19 since the seclvl module was already removed in this kernel. Signed-off-by:
Adrian Bunk <bunk@stusta.de> Signed-off-by:
-
Daniel Ritz authored
Fix interrupt routing for via 586 bridges. pirq can be 5 which needs to be mapped to INTD. But currently the access functions can handle only pirq 1-4. this is similar to the other via chipsets where pirq 4 and 5 are both mapped to INTD. Fixes bugzilla #7490 Cc: Daniel Paschka <monkey20181@gmx.net> Cc: Adrian Bunk <bunk@susta.de> Signed-off-by:
Daniel Ritz <daniel.ritz@gmx.ch> Cc: <stable@kernel.org> Signed-off-by:
-
Herbert Xu authored
Since pskb_copy tacks on the non-linear bits from the original skb, it needs to count them in the truesize field of the new skb. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
-
John Heffner authored
This patch removes consideration of high memory when determining TCP hash table sizes. Taking into account high memory results in tcp_mem values that are too large. Signed-off-by:
John Heffner <jheffner@psc.edu> Signed-off-by:
-
Olaf Hering authored
similar to the version in adbhid_input_register(): The '<>' key and the '^°' key on a german keyboard is swapped. Provide correct keys to userland, external USB keyboards will not work correctly when the 'badmap'/'goodmap' workarounds from xkeyboard-config are used. It is expected that distributions drop the badmap/goodmap part from keycodes/macintosh in the xkeyboard-config package. This is probably 2.6.18.x material, if major distros settle on 2.6.18. Signed-off-by:
Olaf Hering <olh@suse.de> Cc: Greg KH <greg@kroah.com> Cc: Dmitry Torokhov <dtor@mail.ru> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: <stable@kernel.org> Signed-off-by:
-
Andi Kleen authored
This reverts an earlier patch that was found to cause FPU state corruption. I think the corruption happens because unlazy_fpu() can cause FPU exceptions and when it happens after the current switch some processing would affect the state in the wrong process. Thanks to Douglas Crosher and Tom Hughes for testing. Cc: jbeulich@novell.com Signed-off-by:
Andi Kleen <ak@suse.de> Signed-off-by:
-
Sergey Vlasov authored
psmouse_show_int_attr() and psmouse_set_int_attr() were accessing unsigned int fields as unsigned long, which gave garbage on x86_64. Signed-off-by:
Sergey Vlasov <vsu@altlinux.ru> Signed-off-by:
-
David Miller authored
We have seen a couple of __alloc_pages() failures due to fragmentation, there is plenty of free memory but no large order pages available. I think the problem is in sock_alloc_send_pskb(), the gfp_mask includes __GFP_REPEAT but its never used/passed to the page allocator. Shouldnt the gfp_mask be passed to alloc_skb() ? Signed-off-by:
Larry Woodman <lwoodman@redhat.com> Signed-off-by:
-
Auke Kok authored
e1000: Fix suspend/resume powerup and irq allocation From: Auke Kok <auke-jan.h.kok@intel.com> After 7.0.33/2.6.16, e1000 suspend/resume left the user with an enabled device showing garbled statistics and undetermined irq allocation state, where `ifconfig eth0 down` would display `trying to free already freed irq`. Explicitly free and allocate irq as well as powerup the PHY during resume fixes when needed. Signed-off-by:
Auke Kok <auke-jan.h.kok@intel.com> [chrisw: trivial 2.6.18 backport s/err/ret_val/] Signed-off-by:
-
Daniel Ritz authored
use the endpoint address from the endpoint descriptor instead of the hardcoding it to 0x81. at least some ITM based screen use a different address and don't work without this. Signed-off-by:
-
Oliver Neukum authored
USB: failure in usblp's error path if urb submission fails due to a transient error here eg. ENOMEM , the driver is dead. This fixes it. Regards Oliver Signed-off-by:
Oliver Neukum <oliver@neukum.name> Signed-off-by:
-
Daniel Yeisley authored
It looks like there is a bug in init_reap_node() in slab.c that can cause multiple oops's on certain ES7000 configurations. The variable reap_node is defined per cpu, but only initialized on a single CPU. This causes an oops in next_reap_node() when __get_cpu_var(reap_node) returns the wrong value. Fix is below. Signed-off-by:
Dan Yeisley <dan.yeisley@unisys.com> Cc: Andi Kleen <ak@suse.de> Acked-by:
Christoph Lameter <clameter@engr.sgi.com> Cc: Pekka Enberg <penberg@cs.helsinki.fi> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: <stable@kernel.org> Signed-off-by:
-
Yvan Seth authored
Taken from http://bugzilla.kernel.org/show_bug.cgi?id=7439 It looks like device registration in drivers/char/ipmi/ipmi_si_intf.c was cleaned up and a small error was made when setting the class_mask. The fix is simple as the correct mask value is defined in the code but is not used. Acked-by:
Corey Minyard <minyard@acm.org> Cc: <stable@kernel.org> Signed-off-by:
-
Eric Sandeen authored
ufs2 fails to mount on x86_64, claiming bad magic. This is because ufs_super_block_third's fs_un1 member is padded out by 4 bytes for 8-byte alignment, pushing down the rest of the struct. Forcing this to be packed solves it. I took a quick look over other on-disk structures and didn't immediately find other problems. I was able to mount & ls a populated ufs2 filesystem w/ this change. Signed-off-by:
Eric Sandeen <sandeen@redhat.com> Cc: Evgeniy Dushistov <dushistov@mail.ru> Cc: <stable@kernel.org> Signed-off-by:
-
David Miller authored
When I added the robust futex syscall entries I forgot to bump NR_SYSCALLS. This is an easy mistake to make because NR_SYSCALLS lived in entry.S which is nowhere near unistd.h or syscalls.S, so while we're here move it's definition into unistd.h so this is unlikely to ever happen again. Signed-off-by:
-
Stephen Rothwell authored
sys_move_pages() uses vmalloc() to allocate an array of structures that is fills with information passed from user mode and then passes to do_stat_pages() (in the case the node list is NULL). do_stat_pages() depends on a marker in the node field of the structure to decide how large the array is and this marker is correctly inserted into the last element of the array. However, vmalloc() doesn't zero the memory it allocates and if the user passes NULL for the node list, then the node fields are not filled in (except for the end marker). If the memory the vmalloc() returned happend to have a word with the marker value in it in just the right place, do_pages_stat will fail to fill the status field of part of the array and we will return (random) kernel data to user mode. Signed-off-by:
Stephen Rothwell <sfr@canb.auug.org.au> Acked-by:
Christoph Lameter <clameter@sgi.com> Signed-off-by:
-
David Miller authored
I copied the logic from ll/sc arch implementations, but that was wrong and makes no sense at all. Just do a straight compare-exchange instruction, just like x86. Based upon bug reports from Dennis Gilmore and Fabio Massimo. Signed-off-by:
-
Benjamin Herrenschmidt authored
The alignment exception used to only check the exception table for -EFAULT, not for other errors. That opens an oops window if we can coerce the kernel into getting an alignment exception for other reasons in what would normally be a user-protected accessor, which can be done via some of the futex ops. This fixes it by always checking the exception tables. Signed-off-by:
Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by:
Paul Mackerras <paulus@samba.org> Signed-off-by:
-
Martin Schwidefsky authored
The previous patch to correct the copy_from_user padding is quite broken. The execute instruction needs to be done via the register %r4, not via %r2 and 31 bit doesn't know the instructions lgr and ahji. Signed-off-by:
Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by:
-
- 04 Nov, 2006 9 commits
-
-
Chris Wright authored
-
Alan Stern authored
The usbfs code doesn't provide sufficient mutual exclusion among open, release, and remove. Release vs. remove is okay because they both acquire the device lock, but open is not exclusive with either one. All three routines modify the udev->filelist linked list, so they must not run concurrently. Apparently someone gave this a minimum amount of thought in the past by explicitly acquiring the BKL at the start of the usbdev_open routine. Oddly enough, there's a comment pointing out that locking is unnecessary because chrdev_open already has acquired the BKL. But this ignores the point that the files in /proc/bus/usb/* are not char device files; they are regular files and so they don't get any special locking. Furthermore it's necessary to acquire the same lock in the release and remove routines, which the code does not do. Yet another problem arises because the same file_operations structure is accessible through both the /proc/bus/usb/* and /...
-
NeilBrown authored
Partitions are not limited to live within a device. So we should range check after partition mapping. Note that 'maxsector' was being used for two different things. I have split off the second usage into 'old_sector' so that maxsector can be still be used for it's primary usage later in the function. Cc: Jens Axboe <jens.axboe@oracle.com> Signed-off-by:
Neil Brown <neilb@suse.de> Signed-off-by:
-
James Morris authored
There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where, after finding a flowlabel, the code will loop forever not finding any further flowlabels, first traversing the rest of the hash bucket then just looping. This patch fixes the problem by breaking after the hash bucket has been traversed. Note that this bug can cause lockups and oopses, and is trivially invoked by an unpriveleged user. Signed-off-by:
James Morris <jmorris@namei.org> Signed-off-by:
-
Stephen Hemminger authored
Doug Leith observed a discrepancy between the version of CUBIC described in the papers and the version in 2.6.18. A math error related to scaling causes Cubic to grow too slowly. Patch is from "Sangtae Ha" <sha2@ncsu.edu>. I validated that it does fix the problems. See the following to show behavior over 500ms 100 Mbit link. Sender (2.6.19-rc3) --- Bridge (2.6.18-rt7) ------- Receiver (2.6.19-rc3) 1G [netem] 100M http://developer.osdl.org/shemminger/tcp/2.6.19-rc3/cubic-orig.png http://developer.osdl.org/shemminger/tcp/2.6.19-rc3/cubic-fix.png Signed-off-by:Stephen Hemminger <shemminger@osdl.org> Signed-off-by:
-
Alan Cox authored
The Jmicron JMB368 is PATA only so has the PATA on function zero. Don't therefore skip function zero on this device when probing Signed-off-by:
Alan Cox <alan@redhat.com> Cc: <stable@kernel.org> Signed-off-by:
-
Oleg Nesterov authored
1. fill_tgid() forgets to do put_task_struct(first). 2. release_task(first) can happen after fill_tgid() drops tasklist_lock, it is unsafe to dereference first->signal. This is a temporary fix, imho the locking should be reworked. Signed-off-by:
Oleg Nesterov <oleg@tv-sign.ru> Cc: Shailabh Nagar <nagar@watson.ibm.com> Cc: Balbir Singh <balbir@in.ibm.com> Cc: Jay Lan <jlan@sgi.com> Cc: <stable@kernel.org> Signed-off-by:
-
Martin Bligh authored
If try_to_free_pages / balance_pgdat are called with a gfp_mask specifying GFP_IO and/or GFP_FS, they will reclaim the requisite number of pages, and the reset prev_priority to DEF_PRIORITY (or to some other high (ie: unurgent) value). However, another reclaimer without those gfp_mask flags set (say, GFP_NOIO) may still be struggling to reclaim pages. The concurrent overwrite of zone->prev_priority will cause this GFP_NOIO thread to unexpectedly cease deactivating mapped pages, thus causing reclaim difficulties. Fix this is to key the distress calculation not off zone->prev_priority, but also take into account the local caller's priority by using min(zone->prev_priority, sc->priority) Signed-off-by:
Martin J. Bligh <mbligh@google.com> Cc: Nick Piggin <nickpiggin@yahoo.com.au> Cc: <stable@kernel.org> Signed-off-by:
-
Martin Bligh authored
The temp_priority field in zone is racy, as we can walk through a reclaim path, and just before we copy it into prev_priority, it can be overwritten (say with DEF_PRIORITY) by another reclaimer. The same bug is contained in both try_to_free_pages and balance_pgdat, but it is fixed slightly differently. In balance_pgdat, we keep a separate priority record per zone in a local array. In try_to_free_pages there is no need to do this, as the priority level is the same for all zones that we reclaim from. Impact of this bug is that temp_priority is copied into prev_priority, and setting this artificially high causes reclaimers to set distress artificially low. They then fail to reclaim mapped pages, when they are, in fact, under severe memory pressure (their priority may be as low as 0). This causes the OOM killer to fire incorrectly. From: Andrew Morton <akpm@osdl.org> __zone_reclaim() isn't modifying zone->prev_priority. But zone->prev_priority is used in the deci...
-
