Commits on Mar 28, 2006
  1. @gregkh

    Linux 2.6.15.7

    gregkh committed
  2. @gregkh

    [PATCH] Fix ext2 readdir f_pos re-validation logic

    Al Viro committed with gregkh
    This fixes not one, but _two_, silly (but admittedly hard to hit) bugs
    in the ext2 filesystem "readdir()" function.  It also cleans up the code
    to avoid the unnecessary goto mess.
    
    The bugs were related to re-validating the f_pos value after somebody had
    either done an "lseek()" on the directory to an invalid offset, or when
    the offset had become invalid due to a file being unlinked in the
    directory.  The code would not only set the f_version too eagerly, it
    would also not update f_pos appropriately for when the offset fixup took
    place.
    
    When that happened, we'd occasionally subsequently fail the readdir()
    even when we shouldn't (no real harm done, but an ugly printk, and
    obviously you would end up not necessarily seeing all entries).
    
    Thanks to Masoud Sharbiani <masouds@google.com> who noticed the problem
    and had a test-case for it, and also fixed up a thinko in the first
    version of this patch.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Acked-by: Masoud Sharbiani <masouds@google.com>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  3. @davem330 @gregkh

    [PATCH] NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated.

    davem330 committed with gregkh
    
    The user can pass us arbitrary garbage so we should ensure the
    string they give us is null terminated before we pass it on
    to dev_get_by_index() et al.
    
    Found by Solar Designer.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  4. @gregkh

    [PATCH] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242)

    Alexey Kuznetsov committed with gregkh
    
    The problem is in ip_push_pending_frames(), which uses:
    
            if (!df) {
                    __ip_select_ident(iph, &rt->u.dst, 0);
            } else {
                    iph->id = htons(inet->id++);
            }
    
    instead of ip_select_ident().
    
    Right now I think the code is a nonsense. Most likely, I copied it from
    old ip_build_xmit(), where it was really special, we had to decide
    whether to generate unique ID when generating the first (well, the last)
    fragment.
    
    In ip_push_pending_frames() it does not make sense, it should use plain
    ip_select_ident() instead.
    
    Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  5. @mkrufky @gregkh

    [PATCH] Kconfig: VIDEO_DECODER must select FW_LOADER

    mkrufky committed with gregkh
    The cx25840 module requires external firmware in order to function,
    so it must select FW_LOADER, but saa7115 and saa7129 do not require it.
    
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
    Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  6. @gregkh

    [PATCH] cramfs mounts provide corrupted content since 2.6.15

    Dave Johnson committed with gregkh
    Fix handling of cramfs images created by util-linux containing empty
    regular files.  Images created by cramfstools 1.x were ok.
    
    Fill out inode contents in cramfs_iget5_set() instead of get_cramfs_inode()
    to prevent issues if cramfs_iget5_test() is called with I_LOCK|I_NEW still
    set.
    
    Signed-off-by: Dave Johnson <djohnson+linux-kernel@sw.starentnetworks.com>
    Cc: Olaf Hering <olh@suse.de>
    Cc: Chris Mason <mason@suse.com>
    Cc: Andreas Gruenbacher <agruen@suse.de>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  7. @gregkh

    [PATCH] compat ifconf: fix limits

    Randy Dunlap committed with gregkh
    A recent change to compat. dev_ifconf() in fs/compat_ioctl.c
    causes ifconf data to be truncated 1 entry too early when copying it
    to userspace.  The correct amount of data (length) is returned,
    but the final entry is empty (zero, not filled in).
    The for-loop 'i' check should use <= to allow the final struct
    ifreq32 to be copied.  I also used the ifconf-corruption program
    in kernel bugzilla #4746 to make sure that this change does not
    re-introduce the corruption.
    
    Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  8. @davem330 @gregkh

    [PATCH] Netfilter ip_queue: Fix wrong skb->len == nlmsg_len assumption

    davem330 committed with gregkh
    The size of the skb carrying the netlink message is not
    equivalent to the length of the actual netlink message
    due to padding. ip_queue matches the length of the payload
    against the original packet size to determine if packet
    mangling is desired, due to the above wrong assumption
    arbitrary packets may not be mangled depending on their
    original size.
    
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  9. @gregkh

    [PATCH] IB/srp: Don't send task management commands after target removal

    Roland Dreier committed with gregkh
    Just fail abort and reset requests that come in after we've already
    decided to remove a target.  This fixes a nasty crash if a storage
    target goes away.
    
    Signed-off-by: Roland Dreier <rolandd@cisco.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commits on Mar 5, 2006
  1. @chriswright

    Linux 2.6.15.6

    chriswright committed
  2. @kernelslacker @chriswright

    [PATCH] mempolicy.c compile fix, make sure BITS_PER_BYTE is defined

    kernelslacker committed with chriswright
    Gar..
    
    mm/mempolicy.c: In function 'get_nodes':
    mm/mempolicy.c:527: error: 'BITS_PER_BYTE' undeclared (first use in this function)
    mm/mempolicy.c:527: error: (Each undeclared identifier is reported only once
    mm/mempolicy.c:527: error: for each function it appears in.)
    
    About to retry a build with the below patch which should do the trick.
    (How did this *ever* build?)
    
    Signed-off-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  3. @chriswright

    [PATCH] fs/nfs/direct.c compile fix

    chriswright committed
    Compile fix:
    
    fs/nfs/direct.c: In function 'nfs_get_user_pages':
    fs/nfs/direct.c:110: warning: implicit declaration of function 'nfs_free_user_pages'
    fs/nfs/direct.c: At top level:
    fs/nfs/direct.c:127: warning: conflicting types for 'nfs_free_user_pages'
    fs/nfs/direct.c:127: error: static declaration of 'nfs_free_user_pages' follows non-static declaration
    fs/nfs/direct.c:110: error: previous implicit declaration of 'nfs_free_user_pages' was here
    
    This should now be the same as fix that's going upstream.
    
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Acked-by: Trond Myklebust <trond.myklebust@fys.uio.no>
  4. @chriswright

    [PATCH] die_if_kernel() can return (CVE-2006-0742)

    Tony Luck committed with chriswright
    arch/ia64/kernel/unaligned.c erroneously marked die_if_kernel()
    with a "noreturn" attribute ... which is silly (it returns whenever
    the argument regs say that the fault happened in user mode, as one
    might expect given the "if_kernel" part of its name!).  Thanks to
    Alan and Gareth for pointing this out.
    
    Signed-off-by: Tony Luck <tony.luck@intel.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  5. @chriswright

    [PATCH] Don't reset rskq_defer_accept in reqsk_queue_alloc

    Arnaldo Carvalho de Melo committed with chriswright
    In 295f732 I moved defer_accept from
    tcp_sock to request_queue and mistakenly reset it at reqsk_queue_alloc, causing
    calls to setsockopt(TCP_DEFER_ACCEPT) to be lost after bind, the fix is to
    remove the zeroing of rskq_defer_accept from reqsk_queue_alloc.
    
    Thanks to Alexandra N. Kossovsky <Alexandra.Kossovsky@oktetlabs.ru> for
    reporting and testing the suggested fix.
    
    Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Commits on Mar 1, 2006
  1. @chriswright

    Linux 2.6.15.5

    chriswright committed
  2. @chriswright

    [PATCH] IB/mthca: max_inline_data handling tweaks

    Jack Morgenstein committed with chriswright
    Fix a case where copying max_inline_data from a successful create_qp
    capabilities output to create_qp input could cause EINVAL error:
    
    mthca_set_qp_size must check max_inline_data directly against
    max_desc_sz; checking qp->sq.max_gs is wrong since max_inline_data
    depends on the qp type and does not involve max_sg.
    
    Signed-off-by: Jack Morgenstein <jackm@mellanox.co.il>
    Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
    Signed-off-by: Roland Dreier <rolandd@cisco.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  3. @chriswright

    [PATCH] Normal user can panic NFS client with direct I/O (CVE-2006-0555)

    Trond Myklebust committed with chriswright
    This is CVE-2006-0555 and SGI bug 946529.  A normal user can panic an
    NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT.
    
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  4. @chriswright

    [PATCH] XFS ftruncate() bug could expose stale data (CVE-2006-0554)

    Mike O'Connor committed with chriswright
    This is CVE-2006-0554 and SGI bug 942658.  With certain types of
    ftruncate() activity on 2.6 kernels, XFS can end up exposing stale
    data off disk to a user, putting extents where holes should be.
    
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  5. @chriswright

    [PATCH] sbp2: fix another deadlock after disconnection

    Stefan Richter committed with chriswright
    sbp2: fix another deadlock after disconnection
    
    If there were commands enqueued but not completed before an SBP-2 unit
    was unplugged (or an attempt to reconnect failed), knodemgrd or any
    process which tried to remove the device would sleep uninterruptibly
    in blk_execute_rq().  Therefore make sure that all commands are
    completed when sbp2 retreats.
    
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  6. @chriswright

    [PATCH] sd: fix memory corruption with broken mode page headers

    Stefan Richter committed with chriswright
    sd: fix memory corruption with broken mode page headers
    
    There's a problem in sd where we blindly believe the length of the
    headers and block descriptors.  Some devices return insane values for
    these and cause our length to end up greater than the actual buffer
    size, so check to make sure.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Also removed the buffer size magic number (512) and added DPOFUA of
    zero to the defaults
    
    Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    
    rediff for 2.6.15.x without DPOFUA bit, taken from commit
    4897080
    
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  7. @chriswright

    [PATCH] Fix a severe bug

    Alexey Kuznetsov committed with chriswright
    netlink overrun was broken while improvement of netlink.
    Destination socket is used in the place where it was meant to be source socket,
    so that now overrun is never sent to user netlink sockets, when it should be,
    and it even can be set on kernel socket, which results in complete deadlock
    of rtnetlink.
    
    Suggested fix is to restore status quo passing source socket as additional
    argument to netlink_attachskb().
    
    A little explanation: overrun is set on a socket, when it failed
    to receive some message and sender of this messages does not or even
    have no way to handle this error. This happens in two cases:
    1. when kernel sends something. Kernel never retransmits and cannot
       wait for buffer space.
    2. when user sends a broadcast and the message was not delivered
       to some recipients.
    
    Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  8. @chriswright

    [PATCH] x86_64: Check for bad elf entry address (CVE-2006-0741)

    Suresh Siddha committed with chriswright
    Fixes a local DOS on Intel systems that lead to an endless
    recursive fault.  AMD machines don't seem to be affected.
    
    Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
    Signed-off-by: Andi Kleen <ak@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  9. @chriswright

    [PATCH] skge: fix SMP race

    Stephen Hemminger committed with chriswright
    If skge is attached to a bad cable, that goes up/down.
    It exposes an SMP race with the management of IRQ mask
    
    Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  10. @chriswright

    [PATCH] skge: genesis phy initialization fix

    Stephen Hemminger committed with chriswright
    The SysKonnect Genesis based board would fail on initialization
    with phy_read errors caused by not waiting for last phy write.
    
    Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  11. @chriswright

    [PATCH] skge: fix NAPI/irq race

    Stephen Hemminger committed with chriswright
    Fix a race in the receive NAPI, irq handling. The interrupt clear and the
    start need to be separated.  Otherwise there is a window between the last
    frame received and the NAPI done level handling.
    
    Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  12. @chriswright

    [PATCH] skge: speed setting

    Stephen Hemminger committed with chriswright
    This is a clone of John Linville's fix for speed setting on sky2 driver.
    The skge driver has the same code (and bug). It would not allow manually forcing
    100 and 10 mbit.
    
    Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  13. @oniongarlic @chriswright

    [PATCH] gbefb: IP32 gbefb depth change fix

    oniongarlic committed with chriswright
    The gbefb driver does not update the framebuffer layers visual setting when
    depth is changed with fbset, resulting in strange colors (very dark blue in
    16-bit, almost black in 24-bit).
    
    Signed-off-by: Kaj-Michael Lang <milang@tal.org>
    Signed-off-by: Martin Michlmayr <tbm@cyrius.com>
    Signed-off-by: Antonino Daplas <adaplas@pol.net>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  14. @chriswright

    [PATCH] ramfs: update dir mtime and ctime

    Andrew Morton committed with chriswright
    Phil Marek <philipp.marek@bmlv.gv.at> points out that ramfs forgets to update
    a directory's mtime and ctime when it is modified.
    
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  15. @chriswright

    [PATCH] dm: free minor after unlink gendisk

    Jun'ichi Nomura committed with chriswright
    Minor number should be freed after del_gendisk().  Otherwise, there could
    be a window where 2 registered gendisk has same minor number.
    
    Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
    Acked-by: Alasdair G Kergon <agk@redhat.com>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    [chrisw: backport to 2.6.15]
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  16. @chriswright

    [PATCH] dm: missing bdput/thaw_bdev at removal

    Jun'ichi Nomura committed with chriswright
    Need to unfreeze and release bdev otherwise the bdev inode with
    inconsistent state is reused later and cause problem.
    
    Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
    Acked-by: Alasdair G Kergon <agk@redhat.com>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    [chrisw: backport to 2.6.15]
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  17. @tbm @chriswright

    [PATCH] gbefb: Set default of FB_GBE_MEM to 4 MB

    tbm committed with chriswright
    Allocating more than 4 MB memory for the GBE (SGI O2) framebuffer completely
    breaks gbefb support at the moment.  According to comments on #mipslinux,
    more than 4 MB has never worked correctly in Linux.  Therefore, the default
    should be 4 MB.
    
    Signed-off-by: Martin Michlmayr <tbm@cyrius.com>
    Signed-off-by: Antonino Daplas <adaplas@pol.net>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  18. @chriswright

    [PATCH] cfi: init wait queue in chip struct

    Simon Vogl committed with chriswright
    Fix a kernel oops for Intel P30 flashes, where the wait queue head was not
    initialized for the flchip struct, which in turn caused a crash at the
    first read operation.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  19. @tiwai @chriswright

    [PATCH] alsa: fix bogus snd_device_free() in opl3-oss.c

    tiwai committed with chriswright
    Remove snd_device_free() for an opl3-oss instance which should have been
    released.
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Cc: Jaroslav Kysela <perex@suse.cz>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  20. @jkreileder @chriswright

    [PATCH] Fix snd-usb-audio in 32-bit compat environment

    jkreileder committed with chriswright
    I'm getting oopses with snd-usb-audio in 32-bit compat environments:
    control_compat.c:get_ctl_type() doesn't initialize 'info', so
    'itemlist[uinfo->value.enumerated.item]' in
    usbmixer.c:mixer_ctl_selector_info() might access random memory (The 'if
    ((int)uinfo->value.enumerated.item >= cval->max)' doesn't fix all problems
    because of the unsigned -> signed conversion.)
    
    Signed-off-by: Juergen Kreileder <jk@blackdown.de>
    Cc: Jaroslav Kysela <perex@suse.cz>
    Acked-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  21. @chriswright

    [PATCH] hwmon it87: Probe i2c 0x2d only

    Jean Delvare committed with chriswright
    Only scan I2C address 0x2d. This is the default address and no IT87xxF
    chip was ever seen on I2C at a different address. These chips are
    better accessed through their ISA interface anyway.
    
    This fixes bug #5889, although it doesn't address the whole class
    of problems. We'd need the ability to blacklist arbitrary I2C addresses
    on systems known to contain I2C devices which behave badly when probed.
    
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>