Commits on Jun 20, 2006
  1. Linux 2.6.16.21

    chriswright committed Jun 20, 2006
  2. [PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)

    Fix endless loop in the SCTP match similar to those already fixed in the
    SCTP conntrack helper (was CVE-2006-1527).
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    kaber committed with chriswright Jun 19, 2006
  3. [PATCH] run_posix_cpu_timers: remove a bogus BUG_ON() (CVE-2006-2445)

    do_exit() clears ->it_##clock##_expires, but nothing prevents
    another cpu from attaching the timer to the exiting process after that.
    arm_timer() tries to protect against this race, but the check
    is racy.
    
    After exit_notify() does 'write_unlock_irq(&tasklist_lock)' and
    before do_exit() calls 'schedule()', a local timer interrupt can find
    tsk->exit_state != 0. If that state was EXIT_DEAD (or another cpu
    does sys_wait4), the interrupted task has ->signal == NULL.
    
    At this moment the exiting task has no pending cpu timers, they were
    cleaned up in __exit_signal()->posix_cpu_timers_exit{,_group}(),
    so we can just return from irq.
    
    John Stultz recently confirmed this bug, see
    
    	http://marc.theaimsgroup.com/?l=linux-kernel&m=115015841413687
    
    Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Oleg Nesterov committed with chriswright Jun 15, 2006
  4. [PATCH] check_process_timers: fix possible lockup

    If the local timer interrupt happens just after do_exit() sets PF_EXITING
    (and before it clears ->it_xxx_expires) run_posix_cpu_timers() will call
    check_process_timers() with tasklist_lock + ->siglock held and
    
    	check_process_timers:
    
    		t = tsk;
    		do {
    			....
    
    			do {
    				t = next_thread(t);
    			} while (unlikely(t->flags & PF_EXITING));
    		} while (t != tsk);
    
    the outer loop will never stop.
    
    Actually, the window is bigger.  Another process can attach the timer
    after ->it_xxx_expires was cleared (see the next commit) and the 'if
    (PF_EXITING)' check in arm_timer() is racy (see the one after that).
    
    Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Oleg Nesterov committed with chriswright Jun 15, 2006
  5. [PATCH] powerpc: Fix machine check problem on 32-bit kernels (CVE-2006-2448)

    This fixes a bug found by Dave Jones that means that it is possible
    for userspace to provoke a machine check on 32-bit kernels.  This
    also fixes a couple of other places where I found similar problems
    by inspection.
    
    Signed-off-by: Paul Mackerras <paulus@samba.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    paulusmack committed with chriswright Jun 9, 2006
Commits on Jun 5, 2006
  1. Linux 2.6.16.20

    chriswright committed Jun 5, 2006
  2. [PATCH] sbp2: fix check of return value of hpsb_allocate_and_register_addrspace

    I added a failure check in patch "sbp2: variable status FIFO address
    (fix login timeout)" --- alas for a wrong error value.  This is a bug
    since Linux 2.6.16.  Leads to NULL pointer dereference if the call
    failed, and bogus failure handling if call succeeded.
    
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Stefan Richter committed with chriswright Jun 3, 2006
  3. [PATCH] sbp2: backport read_capacity workaround for iPod

    There is a firmware bug in several Apple iPods which prevents access to
    these iPods under certain conditions. The disk size reported by the iPod
    is one sector too big. Once access to the end of the disk is attempted,
    the iPod becomes inaccessible. This problem has been known for USB iPods
    for some time and has recently been discovered to exist with
    FireWire/USB combo iPods too.
    
    This patch is derived from the fix in Linux 2.6.17, commit
    e9a1c52, to be applicable to 2.6.16.x
    without prerequisite patches. It hard-wires a workaround for three known
    affected model numbers (those of 4th generation iPod, iPod Photo, iPod
    mini).
    
    Note: This patch lacks Linux 2.6.17's ability to enable and disable the
    workaround via a module parameter.
    
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Stefan Richter committed with chriswright Jun 2, 2006
  4. [PATCH] x86_64: Don't do syscall exit tracing twice

    This fixes a regression from the earlier DOS fix for non canonical
    IRET addresses. It broke UML.
    
    int_ret_from_syscall already does syscall exit tracing, so
    no need to do it again in the caller.
    
    This caused problems for UML and some other special programs doing
    syscall interception.
    
    Signed-off-by: Andi Kleen <ak@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Andi Kleen committed with chriswright Jun 1, 2006
  5. [PATCH] x86_64: x86_64 add crashdump trigger points

    o Start booting into the capture kernel after an Oops if the system is in an
      unrecoverable state. The system will boot into the capture kernel, if one is
      pre-loaded by the user, and capture the kernel core dump.
    
    o One of the following conditions should be true to trigger the booting of
      capture kernel.
            - panic_on_oops is set.
            - pid of current thread is 0
            - pid of current thread is 1
            - Oops happened inside interrupt context.
    
    Signed-off-by: Vivek Goyal <vgoyal@in.ibm.com>
    Signed-off-by: Andi Kleen <ak@suse.de>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Vivek Goyal committed with chriswright Apr 18, 2006
  6. [PATCH] ipw2200: Filter unsupported channels out in ad-hoc mode

    Currently iwlist ethX freq[uency]/channel lists all the channels the card
    supports for the current region, which includes some channels that can only
    be used in infrastructure mode. This patch filters these channels out if
    the card is currently in ad-hoc mode.
    
    Signed-off-by: Zhu Yi <yi.zhu@intel.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Zhu Yi committed with chriswright Mar 1, 2006
  7. [PATCH] the latest consensus libata resume fix

    Okay, just to sum things up.
    
    This forces libata to wait for up to 2 seconds for BUSY|DRQ to clear
    on resume before continuing.
    
    [jgarzik adds...]  During testing we never saw DRQ asserted, but
    nonetheless (a) this works and (b) testing for DRQ won't hurt.
    
    Signed-off-by: Mark Lord <liml@rtr.ca>
    Acked-by: Jens Axboe <axboe@suse.de>
    Signed-off-by: Jeff Garzik <jeff@garzik.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Mark Lord committed with chriswright May 28, 2006
  8. [PATCH] ohci1394, sbp2: fix "scsi_add_device failed" with PL-3507 based devices

    Re-enable posted writes for status FIFO.
    Besides bringing back a very minor bandwidth tweak from Linux 2.6.15.x
    and older, this also fixes an interoperability regression since 2.6.16:
    http://bugzilla.kernel.org/show_bug.cgi?id=6356
    (sbp2: scsi_add_device failed. IEEE1394 HD is not working anymore.)
    
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
    Tested-by: Vanei Heidemann <linux@javanei.com.br>
    Tested-by: Martin Putzlocher <mputzi@gmx.de> (chip type unconfirmed)
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Stefan Richter committed with chriswright May 27, 2006
  9. [PATCH] Input: psmouse - fix new device detection logic

    Input: psmouse - fix new device detection logic
    
    Reported to fix http://bugs.gentoo.org/130846
    
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
    Cc: Daniel Drake <dsd@gentoo.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Dmitry Torokhov committed with chriswright Apr 29, 2006
  10. [PATCH] PowerMac: force only suspend-to-disk to be valid

    For a very long time, echoing 'standby' or 'mem' into /sys/power/state has
    killed the machine on powerpc.  This patch fixes that.
    
    This patch adds the .valid callback to pm_ops on PowerMac so that only the
    suspend to disk state can be entered.  Note that just returning 0 would
    suffice since the upper layers don't pass PM_SUSPEND_DISK down, but we
    handle it there regardless just in case that changes.
    
    Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    jmberg committed with chriswright May 26, 2006
  11. [PATCH] Cpuset: might sleep checking zones allowed fix

    Fix an infrequently encountered 'sleeping function called
    from invalid context' in the cpuset hooks in __alloc_pages.
    Could sleep while interrupts disabled.
    
    The routine cpuset_zone_allowed() is called by code in
    mm/page_alloc.c __alloc_pages() to determine if a zone is
    allowed in the current task's cpuset.  This routine can sleep,
    for certain GFP_KERNEL allocations, if the zone is on a memory
    node not allowed in the current cpuset, but might be allowed
    in a parent cpuset.
    
    But we can't sleep in __alloc_pages() if in interrupt, nor
    if called for a GFP_ATOMIC request (__GFP_WAIT not set in
    gfp_flags).
    
    The rule was intended to be:
      Don't call cpuset_zone_allowed() if you can't sleep, unless you
      pass in the __GFP_HARDWALL flag set in gfp_flag, which disables
      the code that might scan up ancestor cpusets and sleep.
    
    This rule was being violated due to a bogus change made (by myself,
    pj) to __alloc_pages() as part of the November 2005 effort to
    cleanup its logic.
    
    The bogus change can be seen at:
      http://linux.derkeiler.com/Mailing-Lists/Kernel/2005-11/4691.html
      [PATCH 01/05] mm fix __alloc_pages cpuset ALLOC_* flags
    
    This was first noticed on a tight memory system, in code that
    was disabling interrupts and doing allocation requests with
    __GFP_WAIT not set, which resulted in __might_sleep() writing
    complaints to the log "Debug: sleeping function called ...",
    when the code in cpuset_zone_allowed() tried to take the
    callback_sem cpuset semaphore.
    
    Special thanks to Dave Chinner, for figuring this out,
    and a tip of the hat to Nick Piggin who warned me of this
    back in Nov 2005, before I was ready to listen.
    
    Signed-off-by: Paul Jackson <pj@sgi.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Paul Jackson committed with chriswright May 23, 2006
  12. [PATCH] Altix: correct ioc3 port order

    Currently loading the ioc3 as a module will cause the ports to be numbered
    in reverse order.  This mod maintains the proper order of cards for port
    numbering.
    
    Signed-off-by: Patrick Gefre <pfg@sgi.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Pat Gefre committed with chriswright May 1, 2006
  13. [PATCH] Altix: correct ioc4 port order

    Currently loading the ioc4 as a module will cause the ports to be numbered
    in reverse order.  This mod maintains the proper order of cards for port
    numbering.
    
    Signed-off-by: Brent Casavant <bcasavan@sgi.com>
    Cc: Pat Gefre <pfg@sgi.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Brent Casavant committed with chriswright May 4, 2006
Commits on May 31, 2006
  1. Linux 2.6.16.19

    chriswright committed May 31, 2006
  2. [PATCH] NETFILTER: Fix small information leak in SO_ORIGINAL_DST (CVE-2006-1343)

    It appears that sockaddr_in.sin_zero is not zeroed during
    getsockopt(...SO_ORIGINAL_DST...) operation. This can lead
    to an information leak (CVE-2006-1343).
    
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    holtmann committed with chriswright May 26, 2006
Commits on May 22, 2006
  1. Linux 2.6.16.18

    chriswright committed May 22, 2006
  2. [PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444)

    CVE-2006-2444 - Potential remote DoS in SNMP NAT helper.
    
    Fix memory corruption caused by snmp_trap_decode:
    
    - When snmp_trap_decode fails before the id and address are allocated,
      the pointers contain random memory, but are freed by the caller
      (snmp_parse_mangle).
    
    - When snmp_trap_decode fails after allocating just the ID, it tries
      to free both address and ID, but the address pointer still contains
      random memory. The caller frees both ID and random memory again.
    
    - When snmp_trap_decode fails after allocating both, it frees both,
      and the callers frees both again.
    
    The corruption can be triggered remotely when the ip_nat_snmp_basic
    module is loaded and traffic on port 161 or 162 is NATed.
    
    Found by multiple testcases of the trap-app and trap-enc groups of the
    PROTOS c06-snmpv1 testsuite.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    kaber committed with chriswright May 20, 2006
Commits on May 20, 2006
  1. Linux 2.6.16.17

    chriswright committed May 20, 2006
  2. [PATCH] SCTP: Validate the parameter length in HB-ACK chunk (CVE-2006-1857)

    If SCTP receives a badly formatted HB-ACK chunk, it is possible
    that we may access invalid memory and potentially have a buffer
    overflow.  We should really make sure that the chunk format is
    what we expect, before attempting to touch the data.
    
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Vladislav Yasevich committed with chriswright May 19, 2006
  3. [PATCH] SCTP: Respect the real chunk length when walking parameters (CVE-2006-1858)

    When performing bound checks during the parameter processing, we
    want to use the real chunk and parameter lengths for bounds instead
    of the rounded ones.  This prevents us from potentially walking off
    the end if the chunk length was miscalculated.  We still use rounded
    lengths when advancing the pointer. This was found during a
    conformance test that changed the chunk length without modifying
    parameters.
    
    (Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem
    is parameter dependent).
    
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Vladislav Yasevich committed with chriswright May 19, 2006
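Added example, not code from the kernel tree or from the patches listed here: a user-space C walker over SCTP chunks and their TLV parameters that applies the three checks the xt_sctp fix (CVE-2006-3085) and the two SCTP parameter fixes above describe, namely rejecting a chunk or parameter length below its 4-byte header (a length of 0 would never advance the cursor), bounding every access by the real chunk length, and advancing by the length rounded up to a multiple of 4. It assumes HEARTBEAT and HEARTBEAT ACK chunk types 4 and 5 as in RFC 4960, parses parameters only for those, and uses constructed byte sequences rather than captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CHUNK_HDR 4                 /* type(1) flags(1) length(2) */
#define PARAM_HDR 4                 /* type(2) length(2) */
enum { CID_HEARTBEAT = 4, CID_HEARTBEAT_ACK = 5 };   /* RFC 4960 chunk ids */
enum { WALK_OK = 0, WALK_BAD_LENGTH = 1, WALK_TRUNCATED = 2 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static size_t pad4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Parameters of one chunk: bounds use the real chunk length, the cursor advances by the padded one. */
static int walk_params(const uint8_t *chunk, size_t chunk_len, int *nparams)
{
    size_t off = CHUNK_HDR;
    while (off < chunk_len) {
        if (chunk_len - off < PARAM_HDR)
            return WALK_TRUNCATED;          /* parameter header does not fit */
        size_t plen = be16(chunk + off + 2);
        if (plen < PARAM_HDR)
            return WALK_BAD_LENGTH;         /* zero/short length: no progress */
        if (plen > chunk_len - off)
            return WALK_TRUNCATED;          /* checked against the real length */
        (*nparams)++;
        off += pad4(plen);
    }
    return WALK_OK;
}

/* Every chunk after the 12-byte SCTP common header; only HEARTBEAT/HEARTBEAT ACK get their parameters parsed. */
int walk_chunks(const uint8_t *buf, size_t len, int *nchunks, int *nparams)
{
    size_t off = 0;
    *nchunks = 0; *nparams = 0;
    while (off < len) {
        if (len - off < CHUNK_HDR)
            return WALK_TRUNCATED;
        uint8_t type = buf[off];
        size_t clen = be16(buf + off + 2);
        if (clen < CHUNK_HDR)
            return WALK_BAD_LENGTH;         /* length 0 would never advance 'off' */
        if (clen > len - off)
            return WALK_TRUNCATED;
        if (type == CID_HEARTBEAT || type == CID_HEARTBEAT_ACK) {
            int rc = walk_params(buf + off, clen, nparams);
            if (rc != WALK_OK)
                return rc;
        }
        (*nchunks)++;
        off += pad4(clen);
    }
    return WALK_OK;
}

/* Number of parameters seen, or -1 on a malformed payload. */
int count_params(const uint8_t *buf, size_t len)
{
    int chunks, params;
    return walk_chunks(buf, len, &chunks, &params) == WALK_OK ? params : -1;
}

/* Constructed sample payloads, not captured traffic. */
static const uint8_t PKT_OK[]       = {5,0,0,12, 0,1,0,8, 0xde,0xad,0xbe,0xef};
static const uint8_t PKT_ZERO_LEN[] = {5,0,0,0,  0,1,0,8, 0xde,0xad,0xbe,0xef};
/* Real chunk length 13, parameter claims 10: fits the padded 16, not the real 13. */
static const uint8_t PKT_OVERRUN[]  = {5,0,0,13, 0,1,0,10, 1,2,3,4,5};

int main(void)
{
    printf("ok=%d zero_len=%d overrun=%d\n", count_params(PKT_OK, sizeof PKT_OK),
           count_params(PKT_ZERO_LEN, sizeof PKT_ZERO_LEN),
           count_params(PKT_OVERRUN, sizeof PKT_OVERRUN));
    return 0;
}
```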
  4. [PATCH] ptrace_attach: fix possible deadlock scenario with irqs

    Eric Biederman points out that we can't take the task_lock while holding
    tasklist_lock for writing, because another CPU that holds the task lock
    might take an interrupt that then tries to take tasklist_lock for writing.
    
    Which would be a nasty deadlock, with one CPU spinning forever in an
    interrupt handler (although admittedly you need to really work at
    triggering it ;)
    
    Since the ptrace_attach() code is special and very unusual, just make it
    be extra careful, and use trylock+repeat to avoid the possible deadlock.
    
    Cc: Oleg Nesterov <oleg@tv-sign.ru>
    Cc: Eric W. Biederman <ebiederm@xmission.com>
    Cc: Roland McGrath <roland@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Linus Torvalds committed with chriswright May 11, 2006
  5. [PATCH] Fix ptrace_attach()/ptrace_traceme()/de_thread() race

    This holds the task lock (and, for ptrace_attach, the tasklist_lock)
    over the actual attach event, which closes a race between attaching to a
    thread that is either doing a PTRACE_TRACEME or getting de-threaded.
    
    Thanks to Oleg Nesterov for reminding me about this, and Chris Wright
    for noticing a lost return value in my first version.
    
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Linus Torvalds committed with chriswright May 7, 2006
  6. [PATCH] page migration: Fix fallback behavior for dirty pages

    Currently we check PageDirty() in order to make the decision to swap out
    the page.  However, the dirty information may be only be contained in the
    ptes pointing to the page.  We need to first unmap the ptes before checking
    for PageDirty().  If unmap is successful then the page count of the page
    will also be decreased so that pageout() works properly.
    
    This is a fix necessary for 2.6.17.  Without this fix we may migrate dirty
    pages for filesystems without migration functions.  Filesystems may keep
    pointers to dirty pages.  Migration of dirty pages can result in the
    filesystem keeping pointers to freed pages.
    
    Unmapping is currently not separated out from removing all the
    references to a page and moving the mapping.  Therefore try_to_unmap will
    be called again in migrate_page() if the writeout is successful.  However,
    it won't do anything since the ptes are already removed.
    
    The coming updates to the page migration code will restructure the code
    so that this is no longer necessary.
    
    Signed-off-by: Christoph Lameter <clameter@sgi.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Christoph Lameter committed with chriswright May 1, 2006
  7. [PATCH] add migratepage address space op to shmem

    Basic problem: pages of a shared memory segment can only be migrated once.
    
    In 2.6.16 through 2.6.17-rc1, shared memory mappings do not have a
    migratepage address space op.  Therefore, migrate_pages() falls back to
    default processing.  In this path, it will try to pageout() dirty pages.
    Once a shared memory page has been migrated it becomes dirty, so
    migrate_pages() will try to page it out.  However, because the page count
    is 3 [cache + current + pte], pageout() will return PAGE_KEEP because
    is_page_cache_freeable() returns false.  This will abort all subsequent
    migrations.
    
    This patch adds a migratepage address space op to shared memory segments to
    avoid taking the default path.  We use the "migrate_page()" function
    because it knows how to migrate dirty pages.  This allows shared memory
    segment pages to migrate, subject to other conditions such as # pte's
    referencing the page [page_mapcount(page)], when requested.
    
    I think this is safe.  If we're migrating a shared memory page, then we
    found the page via a page table, so it must be in memory.
    
    Can be verified with memtoy and the shmem-mbind-test script, both
    available at:  http://free.linux.hp.com/~lts/Tools/
    
    Signed-off-by: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Acked-by: Christoph Lameter <clameter@sgi.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Lee Schermerhorn committed with chriswright Apr 22, 2006
  8. [PATCH] Remove cond_resched in gather_stats()

    gather_stats() is called with a spinlock held from check_pte_range.  We
    cannot reschedule with a lock held.
    
    Signed-off-by: Christoph Lameter <clameter@sgi.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Christoph Lameter committed with chriswright Apr 20, 2006
  9. [PATCH] VIA quirk fixup, additional PCI IDs

    An earlier commit (75cf745) changed an
    overly-zealous PCI quirk to only poke those VIA devices that need it.
    However, some PCI devices were not included in what I hope is now the full
    list.  Consequently we're failing to run the quirk on all machines which need
    it, causing IRQ routing failures.
    
    This should I hope correct this.
    
    Thanks to Masoud Sharbiani <masouds@masoud.ir> for pointing this out
    and testing the fix.
    
    Signed-off-by: Chris Wedgwood <cw@f00f.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    cwedgwood committed with chriswright May 15, 2006
  10. [PATCH] PCI quirk: VIA IRQ fixup should only run for VIA southbridges

    Alan Cox pointed out that the VIA 'IRQ fixup' was erroneously running
    on my system which has no VIA southbridge (but I do have a VIA IEEE
    1394 device).
    
    This should address that.  I also changed "Via IRQ" to "VIA IRQ"
    (initially I read Via as a capitalized via (by way/means of)).
    
    Signed-off-by: Chris Wedgwood <cw@f00f.org>
    Acked-by: Jeff Garzik <jeff@garzik.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    cwedgwood committed with chriswright Apr 19, 2006
  11. [PATCH] Fix udev device creation

    This patch corrects the order of the calls to register_chrdev() and
    pcmcia_register_driver().  Now udev correctly creates userspace device
    files /dev/cmmN and /dev/cmxN respectively.
    
    Based on an earlier patch by Jan Niehusmann <jan@gondor.com>.
    
    Signed-off-by: Harald Welte <laforge@netfilter.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    laf0rge committed with chriswright May 10, 2006
  12. [PATCH] limit request_fn recursion

    Don't recurse back into the driver even if the unplug threshold is met,
    when the driver asks for a requeue. This is both silly from a logical
    point of view (requeues typically happen due to driver/hardware
    shortage), and also dangerous since we could hit an endless request_fn
    -> requeue -> unplug -> request_fn loop and crash on stack overrun.
    
    Also limit blk_run_queue() to one level of recursion, similar to how
    blk_start_queue() works.
    
    This patch fixed a real problem with SLES10 and lpfc, and it could hit
    any SCSI lld that returns non-zero from its ->queuecommand() handler.
    
    Signed-off-by: Jens Axboe <axboe@suse.de>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Jens Axboe committed with chriswright May 11, 2006
  13. [PATCH] PCI: correctly allocate return buffers for osc calls

    The OSC set and query functions do not allocate enough space for return values,
    and set the output buffer length to a false, too large value.  This causes the
    acpi-ca code to assume that the output buffer is larger than it actually is,
    and overwrite memory when copying acpi return buffers into this caller provided
    buffer.  In some cases this can cause kernel oops if the memory that is
    overwritten is a pointer.  This patch will change these calls to use a
    dynamically allocated output buffer, thus allowing the acpi-ca code to decide
    how much space is needed.
    
    Signed-off-by: Kristen Carlson Accardi <kristen.c.accardi@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    kaccardi committed with chriswright May 17, 2006