Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Commits on Jan 18, 2007
  1. @AdrianBunk


    AdrianBunk authored
  2. @AdrianBunk

    [IPV6] Fix joining all-node multicast group.

    YOSHIFUJI Hideaki authored AdrianBunk committed
    Signed-off-by: Adrian Bunk <>
Commits on Jan 14, 2007
  1. @AdrianBunk

    UML: fix the MODE_TT compilation

    Paolo 'Blaisorblade' Giarrusso authored AdrianBunk committed
    Signed-off-by: Paolo 'Blaisorblade' Giarrusso <>
    Signed-off-by: Adrian Bunk <>
Commits on Jan 9, 2007
  1. @AdrianBunk


    AdrianBunk authored
  2. @AdrianBunk

    x86_64: re-add a newline to RESTORE_CONTEXT

    AdrianBunk authored
    RESTORE_CONTEXT lost a newline:
    Reported by Steven M. Christey.
    Signed-off-by: Adrian Bunk <>
  3. @cladisch @AdrianBunk

    ALSA: snd_rtctimer: handle RTC interrupts with a tasklet

    cladisch authored AdrianBunk committed
    The calls to rtc_control() from inside the interrupt handler can
    deadlock the RTC code, so move our interrupt handling code to a tasklet.
    Signed-off-by: Clemens Ladisch <>
    Acked-By: Takashi Iwai <>
    Signed-off-by: Adrian Bunk <>
  4. @thertp @AdrianBunk

    ALSA: emu10k1: Fix outl() in snd_emu10k1_resume_regs()

    thertp authored AdrianBunk committed
    The emu10k1 driver saves the A_IOCFG and HCFG register on suspend and restores
    it on resumes. Unfortunately, this doesn't work as the arguments to outl() are
    Signed-off-by: Arnaud Patard <>
    Signed-off-by: Takashi Iwai <>
    Signed-off-by: Adrian Bunk <>
  5. @tiwai @AdrianBunk

    ALSA: Fix initiailization of user-space controls

    tiwai authored AdrianBunk committed
    Fix an assertion when accessing a user-defined control due to lack of
    initialization (appears only when CONFIG_SND_DEBUg is enabled).
      ALSA sound/core/control.c:660: BUG? (info->access == 0)
    Signed-off-by: Takashi Iwai <>
    Signed-off-by: Adrian Bunk <>
  6. @AdrianBunk

    skip data conversion in compat_sys_mount when data_page is NULL

    Andrey Mirkin authored AdrianBunk committed
    OpenVZ Linux kernel team has found a problem with mounting in compat mode.
    Simple command "mount -t smbfs ..." on Fedora Core 5 distro in 32-bit mode
    leads to oops:
    Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP:
    [<ffffffff802bc7c6>] compat_sys_mount+0xd6/0x290
    PGD 34d48067 PUD 34d03067 PMD 0
    Oops: 0000 [1] SMP
    CPU: 0
    Modules linked in: iptable_nat simfs smbfs ip_nat ip_conntrack vzdquota
    parport_pc lp parport 8021q bridge llc vznetdev vzmon nfs lockd sunrpc vzdev
    iptable_filter af_packet xt_length ipt_ttl xt_tcpmss ipt_TCPMSS
    iptable_mangle xt_limit ipt_tos ipt_REJECT ip_tables x_tables thermal
    processor fan button battery asus_acpi ac uhci_hcd ehci_hcd usbcore i2c_i801
    i2c_core e100 mii floppy ide_cd cdrom
    Pid: 14656, comm: mount
    RIP: 0060:[<ffffffff802bc7c6>]  [<ffffffff802bc7c6>]
    RSP: 0000:ffff810034d31f38  EFLAGS: 00010292
    RAX: 000000000000002c RBX: 0000000000000000 RCX: 0000000000000000
    RDX: ffff810034c86bc0 RSI: 0000000000000096 RDI: ffffffff8061fc90
    RBP: ffff810034d31f78 R08: 0000000000000000 R09: 000000000000000d
    R10: ffff810034d31e58 R11: 0000000000000001 R12: ffff810039dc3000
    R13: 000000000805ea48 R14: 0000000000000000 R15: 00000000c0ed0000
    FS:  0000000000000000(0000) GS:ffffffff80749000(0033) knlGS:00000000b7d556b0
    CS:  0060 DS: 007b ES: 007b CR0: 000000008005003b
    CR2: 0000000000000000 CR3: 0000000034d43000 CR4: 00000000000006e0
    Process mount (pid: 14656, veid=300, threadinfo ffff810034d30000, task
    Stack:  0000000000000000 ffff810034dd0000 ffff810034e4a000 000000000805ea48
     0000000000000000 0000000000000000 0000000000000000 0000000000000000
     000000000805ea48 ffffffff8021e64e 0000000000000000 0000000000000000
    Call Trace:
     [<ffffffff8021e64e>] ia32_sysret+0x0/0xa
    Code: 83 3b 06 0f 85 41 01 00 00 0f b7 43 0c 89 43 14 0f b7 43 0a
    RIP  [<ffffffff802bc7c6>] compat_sys_mount+0xd6/0x290
     RSP <ffff810034d31f38>
    CR2: 0000000000000000
    The problem is that data_page pointer can be NULL, so we should skip data
    conversion in this case.
    Signed-off-by: Andrey Mirkin <>
    Signed-off-by: Adrian Bunk <>
  7. @AdrianBunk

    rtc: lockdep fix/workaround

    Peter Zijlstra authored AdrianBunk committed
    BUG: warning at kernel/lockdep.c:1816/trace_hardirqs_on() (Not tainted)
     [<c04051ee>] show_trace_log_lvl+0x58/0x171
     [<c0405802>] show_trace+0xd/0x10
     [<c040591b>] dump_stack+0x19/0x1b
     [<c043abee>] trace_hardirqs_on+0xa2/0x11e
     [<c06143c3>] _spin_unlock_irq+0x22/0x26
     [<c0541540>] rtc_get_rtc_time+0x32/0x176
     [<c0419ba4>] hpet_rtc_interrupt+0x92/0x14d
     [<c0450f94>] handle_IRQ_event+0x20/0x4d
     [<c0451055>] __do_IRQ+0x94/0xef
     [<c040678d>] do_IRQ+0x9e/0xbd
     [<c0404a49>] common_interrupt+0x25/0x2c
    DWARF2 unwinder stuck at common_interrupt+0x25/0x2c
    Signed-off-by: Peter Zijlstra <>
    Signed-off-by: Adrian Bunk <>
  8. @AdrianBunk

    ebtables: check struct type before computing gap

    Chuck Ebbert authored AdrianBunk committed
    Check struct type before dereferencing fields in ebt_entry.
    Failure to check can cause oops.
    Signed-off-by: Chuck Ebbert <>
    Acked-by: Al Viro <>
    Signed-off-by: Adrian Bunk <>
  9. @AdrianBunk

    i2c-mv64xxx: Fix random oops at boot

    Maxime Bizon authored AdrianBunk committed
    I have a Marvell board which has the same i2c hw block than mv64xxx, so
    I'm trying to use i2c-mv64xxx driver.
    But I get the following random oops at boot:
    Unable to handle kernel NULL pointer dereference at virtual address 00000002
    [<c0397e4c>] (mv64xxx_i2c_intr+0x0/0x2b8) from [<c02879c4>] (__do_irq+0x4c/0x8c)
    [<c0287978>] (__do_irq+0x0/0x8c) from [<c0287c0c>] (do_level_IRQ+0x68/0xc0)
     r8 = C0501E08  r7 = 00000005  r6 = C0501E08  r5 = 00000005
     r4 = C048BB78
    [<c0287ba4>] (do_level_IRQ+0x0/0xc0) from [<c02885f8>] (asm_do_IRQ+0x50/0x134)
     r6 = C0449C78  r5 = F1020000  r4 = FFFFFFFF
    [<c02885a8>] (asm_do_IRQ+0x0/0x134) from [<c02869c4>] (__irq_svc+0x24/0x100)
     r8 = C1CAC400  r7 = 00000005  r6 = 00000002  r5 = F1020000
     r4 = FFFFFFFF
    [<c0287efc>] (setup_irq+0x0/0x124) from [<c02880d0>] (request_irq+0xb0/0xd0)
     r7 = C041B2AC  r6 = C0397E4C  r5 = 00000000  r4 = 00000005
    [<c0288020>] (request_irq+0x0/0xd0) from [<c03985f4>] (mv64xxx_i2c_probe+0x148/0x244)
    [<c03984ac>] (mv64xxx_i2c_probe+0x0/0x244) from [<c038bedc>] (platform_drv_probe+0x20/0x24)
    The oops is caused by a spurious interrupt that occurs when request_irq
    is called. mv64xxx_i2c_fsm() tries to read drv_data->msg, which is NULL.
    I noticed that hardware init is done after requesting irq. Thus any
    pending irq from previous hardware usage may cause this.
    Signed-off-by: Maxime Bizon <>
    Signed-off-by: Jean Delvare <>
    Signed-off-by: Adrian Bunk <>
  10. @AdrianBunk

    V4L: cx88: Fix leadtek_eeprom tagging

    Jean Delvare authored AdrianBunk committed
    reference to .init.text: from .text between 'cx88_card_setup'
    (at offset 0x68c) and 'cx88_risc_field'
    Caused by leadtek_eeprom() being declared __devinit and called from
    a non-devinit context.
    Signed-off-by: Jean Delvare <>
    Signed-off-by: Marcel Holtmann <>
  11. @AdrianBunk

    corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)

    Phillip Lougher authored AdrianBunk committed
    Steve Grubb's fzfuzzer tool (
    fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
    Cramfs to kernel oops in cramfs_uncompress_block().  The cause of the oops
    is an unchecked corrupted block length field read by cramfs_readpage().
    This patch adds a sanity check to cramfs_readpage() which checks that the
    block length field is sensible.  The (PAGE_CACHE_SIZE << 1) size check is
    intentional, even though the uncompressed data is not going to be larger
    than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
    the original source data.  Mkcramfs checks that the compressed size is
    always less than or equal to PAGE_CACHE_SIZE << 1.  Of course Cramfs could
    use the original uncompressed data in this case, but it doesn't.
    Signed-off-by: Phillip Lougher <>
    Signed-off-by: Adrian Bunk <>
  12. @AdrianBunk

    handle ext3 directory corruption better (CVE-2006-6053)

    Eric Sandeen authored AdrianBunk committed
    I've been using Steve Grubb's purely evil "fsfuzzer" tool, at
    Basically it makes a filesystem, splats some random bits over it, then
    tries to mount it and do some simple filesystem actions.
    At best, the filesystem catches the corruption gracefully.  At worst,
    things spin out of control.
    As you might guess, we found a couple places in ext3 where things spin out
    of control :)
    First, we had a corrupted directory that was never checked for
    consistency...  it was corrupt, and pointed to another bad "entry" of
    length 0.  The for() loop looped forever, since the length of
    ext3_next_entry(de) was 0, and we kept looking at the same pointer over and
    over and over and over...  I modeled this check and subsequent action on
    what is done for other directory types in ext3_readdir...
    (adding this check adds some computational expense; I am testing a followup
    patch to reduce the number of times we check and re-check these directory
    entries, in all cases.  Thanks for the idea, Andreas).
    Next we had a root directory inode which had a corrupted size, claimed to
    be > 200M on a 4M filesystem.  There was only really 1 block in the
    directory, but because the size was so large, readdir kept coming back for
    more, spewing thousands of printk's along the way.
    Per Andreas' suggestion, if we're in this read error condition and we're
    trying to read an offset which is greater than i_blocks worth of bytes,
    stop trying, and break out of the loop.
    With these two changes fsfuzz test survives quite well on ext3.
    Signed-off-by: Eric Sandeen <>
    Signed-off-by: Adrian Bunk <>
  13. @AdrianBunk

    ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6…

    Eric Sandeen authored AdrianBunk committed
    This one was pointed out on the MOKB site:
    If a directory's i_size is corrupted, ext2_find_entry() will keep processing
    pages until the i_size is reached, even if there are no more blocks associated
    with the directory inode.  This patch puts in some minimal sanity-checking
    so that we don't keep checking pages (and issuing errors) if we know there
    can be no more data to read, based on the block count of the directory inode.
    This is somewhat similar in approach to the ext3 patch I sent earlier this
    Signed-off-by: Eric Sandeen <>
    Signed-off-by: Adrian Bunk <>
  14. @AdrianBunk

    hfs_fill_super returns success even if no root inode (CVE-2006-6056)

    Eric Sandeen authored AdrianBunk committed
    mount that image...
    fs: filesystem was not cleanly unmounted, running fsck.hfs is recommended.  mounting read-only.
    hfs: get root inode failed.
    BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018
     printing eip
    EIP is at superblock_doinit+0x21/0x767
     [] selinux_sb_kern_mount+0xc/0x4b
     [] vfs_kern_mount+0x99/0xf6
     [] do_kern_mount+0x2d/0x3e
     [] do_mount+0x5fa/0x66d
     [] sys_mount+0x77/0xae
     [] syscall_call+0x7/0xb
    DWARF2 unwinder stuck at syscall_call+0x7/0xb
    hfs_fill_super() returns success even if
      root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
      sb->s_root = d_alloc_root(root_inode);
    fails.  This superblock finds its way to superblock_doinit() which does:
            struct dentry *root = sb->s_root;
            struct inode *inode = root->d_inode;
    and boom.  Need to make sure the error cases return an error, I think.
    [ return -ENOMEM on oom]
    Signed-off-by: Eric Sandeen <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Adrian Bunk <>
  15. @AdrianBunk

    USB_RTL8150 must select MII to avoid link errors.

    AdrianBunk authored
    Stolen from a patch by Randy Dunlap.
    Signed-off-by: Adrian Bunk <>
  16. @AdrianBunk

    Fix for shmem_truncate_range() BUG_ON()

    Badari Pulavarty authored AdrianBunk committed
    Ran into BUG() while doing madvise(REMOVE) testing.  If we are punching a
    hole into shared memory segment using madvise(REMOVE) and the entire hole
    is below the indirect blocks, we hit following assert.
                BUG_ON(limit <= SHMEM_NR_DIRECT);
    Signed-off-by: Badari Pulavarty <>
    Forwarded-by: Jordan Neumeyer
    Signed-off-by: Adrian Bunk <>
  17. @AdrianBunk

    TCP: Fix and simplify microsecond rtt sampling

    John Heffner authored AdrianBunk committed
    This changes the microsecond RTT sampling so that samples are taken in
    the same way that RTT samples are taken for the RTO calculator: on the
    last segment acknowledged, and only when the segment hasn't been
    Signed-off-by: John Heffner <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Adrian Bunk <>
  18. @AdrianBunk

    uml: fix processor selection

    Paolo 'Blaisorblade' Giarrusso authored AdrianBunk committed
    Makes UML compile on any possible processor choice. The two problems were:
    *) x86 code, when 386 is selected, checks at runtime boot_cpuflags, which we
       not have.
    *) 3Dnow support for memcpy() et al. does not compile currently and fixing t
       is not trivial, so simply disable it; with this change, if one selects MK
       UML compiles (while it did not).
    Merged upstream.
    Signed-off-by: Paolo 'Blaisorblade' Giarrusso <>
    Signed-off-by: Adrian Bunk <>
  19. @AdrianBunk

    rio: typo in bitwise AND expression.

    Willy Tarreau authored AdrianBunk committed
    The line:
        hp->Mode &= !RIO_PCI_INT_ENABLE;
    is obviously wrong as RIO_PCI_INT_ENABLE=0x04 and is used as a bitmask
    2 lines before. Getting no IRQ would not disable RIO_PCI_INT_ENABLE
    but rather RIO_PCI_BOOT_FROM_RAM which equals 0x01.
    Obvious fix is to change ! for ~.
    Signed-off-by: Willy Tarreau <>
    Signed-off-by: Adrian Bunk <>
  20. @zulcss @AdrianBunk

    drm: allow detection of new VIA chipsets

    zulcss authored AdrianBunk committed
    Update pci ids.
    Signed-off-by: Chuck Short <>
    Signed-off-by: Ben Collins <>
    Signed-off-by: Adrian Bunk <>
  21. @AdrianBunk

    drm: Add the P4VM800PRO PCI ID.

    Dave Airlie authored AdrianBunk committed
    Signed-off-by: Dave Airlie <>
    Signed-off-by: Adrian Bunk <>
  22. @AdrianBunk

    i2c-i801: SMBus patch for Intel ICH9

    Jason Gaston authored AdrianBunk committed
    This updated patch adds the Intel ICH9 LPC and SMBus Controller DID's.
    Signed-off-by: Jason Gaston <>
    Signed-off-by: Adrian Bunk <>
  23. @AdrianBunk

    PCI: irq: irq and pci_ids patch for Intel ICH9

    Jason Gaston authored AdrianBunk committed
    This updated patch adds the Intel ICH9 LPC and SMBus Controller DID's.
    Signed-off-by: Jason Gaston <>
    Signed-off-by: Adrian Bunk <>
  24. @AdrianBunk

    i2c-viapro: Add support for the VT8237A and VT8251

    Rudolf Marek authored AdrianBunk committed
    Documentation update included. Compile tested.
    Signed-off-by: Rudolf Marek <>
    Signed-off-by: Jean Delvare <>
    Signed-off-by: Adrian Bunk <>
  25. @AdrianBunk

    SPI/MTD: mtd_dataflash oops prevention

    David Brownell authored AdrianBunk committed
    Return a fault code if the Dataflash driver runs into a "no device present"
    error when the MISO line has a pulldown (it currently expects a pullup), so
    that rmmod won't oops.
    Signed-off-by: David Brownell <>
    Signed-off-by: Adrian Bunk <>
  26. @AdrianBunk

    [IPV4/IPV6]: Fix inet{,6} device initialization order.

    David L Stevens authored AdrianBunk committed
    It is important that we only assign dev->ip{,6}_ptr
    only after all portions of the inet{,6} are setup.
    Otherwise we can receive packets before the multicast
    spinlocks et al. are initialized.
    Signed-off-by: David L Stevens <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Adrian Bunk <>
  27. @davem330 @AdrianBunk

    [SOUND] Sparc CS4231: Use 64 for period_bytes_min

    davem330 authored AdrianBunk committed
    This matches what the ISA cs4231 driver uses.
    Tested by Georg Chini.
    Signed-off-by: David S. Miller <>
    Signed-off-by: Adrian Bunk <>
  28. @AdrianBunk

    [SOUND] Sparc CS4231: Fix IRQ return value and initialization.

    Georg Chini authored AdrianBunk committed
    SBUS: Change IRQ-handler return value from 0 to IRQ_HANDLED and
    fix some initialisation problems.
    Change period_bytes_min from 4096 to 256 to allow driver to work with
    low latency (VOIP) applications. Hope this does not break EBUS.
    Signed-off-by: Georg Chini <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Adrian Bunk <>
  29. @AdrianBunk

    USB: Fix alignment of buffer passed down to ->hub_control()

    Mikael Pettersson authored AdrianBunk committed
    Implementations assume the buffer is at least 4 byte aligned.
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Adrian Bunk <>
  30. @AdrianBunk

    fix the UML compilation

    AdrianBunk authored
    Based on patches from Linus' tree.
    Signed-off-by: Adrian Bunk <>
  31. @AdrianBunk

    [SUNKBD]: Fix sunkbd_enable(sunkbd, 0); obvious.

    Fabrice Knevez authored AdrianBunk committed
    "sunkbd_enable(sunkbd, 0);" has no effect. Adding "sunkbd->enabled =
    enable" in sunkbd_enable (obvious)
    Signed-off-by: Fabrice Knevez <>
    Signed-off-by: Adrian Bunk <>
  32. @AdrianBunk

    ibmtr section fixes

    Andrew Morton authored AdrianBunk committed
    WARNING: drivers/net/tokenring/ibmtr.o - Section mismatch: reference to from .text between 'ibmtr_probe1' (at offset 0x6e6) and 'ibmtr_probe_card'
    WARNING: drivers/net/tokenring/ibmtr.o - Section mismatch: reference to from .text between 'ibmtr_probe1' (at offset 0x74a) and 'ibmtr_probe_card'
    WARNING: drivers/net/tokenring/ibmtr.o - Section mismatch: reference to from .text between 'ibmtr_probe1' (at offset 0x7fd) and 'ibmtr_probe_card'
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Adrian Bunk <>
Something went wrong with that request. Please try again.