Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Commits on Feb 25, 2007
  1. @AdrianBunk


    AdrianBunk authored
Commits on Feb 22, 2007
  1. @AdrianBunk


    AdrianBunk authored
  2. @AdrianBunk

    USB: rtl8150 new device id

    Petko Manolov authored AdrianBunk committed
    This one adds another vendor ID to rtl8150 driver.
    Signed-off-by: Petko Manolov <>
    Signed-off-by: Adrian Bunk <>
  3. @ddstreet @AdrianBunk

    USB: add ZyXEL vendor/product ID to rtl8150 driver

    ddstreet authored AdrianBunk committed
    I just got a "ZyXEL Prestige USB Adapter" that is actually RTL8150
    adapter.  Here is the relevant /proc/bus/usb/devices output (after
    adding the vendor/product IDs to the driver):
    T:  Bus=01 Lev=02 Prnt=02 Port=02 Cnt=02 Dev#=119 Spd=12  MxCh= 0
    D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
    P:  Vendor=0586 ProdID=401a Rev= 1.00
    S:  Manufacturer=ZyXEL
    S:  Product=Prestige USB Adapter
    S:  SerialNumber=1027
    C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=120mA
    I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=ff Driver=rtl8150
    E:  Ad=81(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    E:  Ad=83(I) Atr=03(Int.) MxPS=   8 Ivl=1ms
    This patch adds the ZyXEL vendor ID to the rtl8150.c driver.  The
    device has absolutely no identifying marks on the outside for model
    type, just a serial number, and I can't find anything on ZyXEL's
    website, so I called the product ID PRODUCT_ID_PRESTIGE to match the
    product string.
    Signed-off-by: Dan Streetman <>
    Signed-off-by: Adrian Bunk <>
  4. @AdrianBunk

    sky2: dual-port pci-x checksum fix

    Stephen Hemminger authored AdrianBunk committed
    Add a workaround for dual port PCI-X card that returns status out of
    order sometimes because of split transactions.
    Signed-off-by: Stephen Hemminger <>
    Signed-off-by: Adrian Bunk <>
  5. @AdrianBunk

    sky2: fix for NAPI with dual port boards

    Stephen Hemminger authored AdrianBunk committed
    This driver uses port 0 to handle receives on both ports. So
    the netif_poll_disable call in dev_close would end up stopping the
    second port on dual port cards.
    Signed-off-by: Stephen Hemminger <>
    Signed-off-by: Adrian Bunk <>
Commits on Feb 21, 2007
  1. @AdrianBunk

    fix rtl8150

    Al Viro authored AdrianBunk committed
    That code doesn't do what its author apparently thought it would do...
    Signed-off-by: Al Viro <>
    Signed-off-by: Adrian Bunk <>
  2. @AdrianBunk

    [ATM] ambassador, firestream: "-1 >>" is implementation defined

    Alexey Dobriyan authored AdrianBunk committed
    6.5.7(5): The result of E1 >> E2 is E1 right-shifted E2 bit positions.
        If E1 has a signed type and a negative value, the resulting value
        is implementation defined.
    So, cast -1 to unsigned type to make result well-defined.
    [ Modified to use ~0U based upon recommendation from Al Viro. -DaveM ]
    Signed-off-by: Alexey Dobriyan <>
    Signed-off-by: Adrian Bunk <>
  3. @AdrianBunk

    [ATM] firestream: handle thrown error

    Jeff Garzik authored AdrianBunk committed
    gcc emits the following warning:
    drivers/atm/firestream.c: In function ‘fs_open’:
    drivers/atm/firestream.c:870: warning: ‘tmc0’ may be used uninitialized in this function
    This indicates a real bug.  We should check make_rate() return value for
    potential errors.
    Signed-off-by: Jeff Garzik <>
    Signed-off-by: Adrian Bunk <>
  4. @davem330 @AdrianBunk

    [ATM] horizon: read_bia() needs to be __devinit

    davem330 authored AdrianBunk committed
    Thanks to Randy Dunlap.
    Signed-off-by: David S. Miller <>
    Signed-off-by: Adrian Bunk <>
  5. @AdrianBunk

    ATM horizon.c: missing __devinit

    Al Viro authored AdrianBunk committed
    Signed-off-by: Al Viro <>
    Signed-off-by: Adrian Bunk <>
  6. @AdrianBunk

    Keys: Fix key serial number collision handling (CVE-2007-0006)

    David Howells authored AdrianBunk committed
    Fix the key serial number collision avoidance code in key_alloc_serial().
    This didn't use to be so much of a problem as the key serial numbers were
    allocated from a simple incremental counter, and it would have to go through
    two billion keys before it could possibly encounter a collision.  However, n
    that random numbers are used instead, collisions are much more likely.
    This is fixed by finding a hole in the rbtree where the next unused serial
    number ought to be and using that by going almost back to the top of the
    insertion routine and redoing the insertion with the new serial number rathe
    than trying to be clever and attempting to work out the insertion point
    pointer directly.
    This fixes kernel Bugzilla #7727.
    Signed-off-by: David Howells <>
    Signed-off-by: Adrian Bunk <>
Commits on Feb 20, 2007
  1. @AdrianBunk

    fix bad_inode_ops memory corruption (CVE-2006-5753)

    Eric Sandeen authored AdrianBunk committed
    CVE-2006-5753 is for a case where an inode can be marked bad, switching
    the ops to bad_inode_ops, which are all connected as:
    static int return_EIO(void)
            return -EIO;
    #define EIO_ERROR ((void *) (return_EIO))
    static struct inode_operations bad_inode_ops =
            .create         = bad_inode_create
    The problem here is that the void cast causes return types to not be
    promoted, and for ops such as listxattr which expect more than 32 bits of
    return value, the 32-bit -EIO is interpreted as a large positive 64-bit
    number, i.e. 0x00000000fffffffa instead of 0xfffffffa.
    This goes particularly badly when the return value is taken as a number of
    bytes to copy into, say, a user's buffer for example...
    I originally had coded up the fix by creating a return_EIO_<TYPE> macro
    for each return type, like this:
    static int return_EIO_int(void)
        return -EIO;
    #define EIO_ERROR_INT ((void *) (return_EIO_int))
    static struct inode_operations bad_inode_ops =
        .create         = EIO_ERROR_INT,
    but Al felt that it was probably better to create an EIO-returner for each
    actual op signature.  Since so few ops share a signature, I just went ahead
    & created an EIO function for each individual file & inode op that returns
    a value.
    Adrian Bunk:
    backported to 2.6.16
    Signed-off-by: Eric Sandeen <>
    Signed-off-by: Adrian Bunk <>
  2. @holtmann @AdrianBunk

    [Bluetooth] Restrict well known PSM to privileged users

    holtmann authored AdrianBunk committed
    The PSM values below 0x1001 of L2CAP are reserved for well known
    services. Restrict the possibility to bind them to privileged
    Signed-off-by: Marcel Holtmann <>
    Signed-off-by: Adrian Bunk <>
  3. @holtmann @AdrianBunk

    [Bluetooth] Missing endian swapping for L2CAP socket list

    holtmann authored AdrianBunk committed
    The PSM value in the L2CAP socket list must be converted to host
    order before printing it.
    Signed-off-by: Marcel Holtmann <>
    Signed-off-by: Adrian Bunk <>
  4. @AdrianBunk

    Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)

    Greg Banks authored AdrianBunk committed
    Due to type confusion, when an nfsacl verison 2 'ACCESS' request
    finishes and tries to clean up, it calls fh_put on entiredly the
    wrong thing and this can cause an oops.
    Signed-off-by: Adrian Bunk <>
  5. @AdrianBunk

    V4L/DVB: Buf_qbuf: fix: videobuf_queue->stream corruption and lockup

    Oleg Nesterov authored AdrianBunk committed
    We are doing ->buf_prepare(buf) before adding buf to q->stream list. This
    means that videobuf_qbuf() should not try to re-add a STATE_PREPARED buffer.
    Adrian Bunk:
    Backported to 2.6.16.
    Signed-off-by: Oleg Nesterov <>
    Signed-off-by: Mauro Carvalho Chehab <>
Commits on Feb 17, 2007
  1. @AdrianBunk


    AdrianBunk authored
Commits on Feb 15, 2007
  1. @AdrianBunk


    AdrianBunk authored
Commits on Feb 14, 2007
  1. @AdrianBunk

    uml: fix signal frame alignment

    Jeff Dike authored AdrianBunk committed
    Use the same signal frame alignment calculations as the underlying
    architecture.  x86_64 appeared to do this, but the "- 8" was really
    subtracting 8 * sizeof(struct rt_sigframe) rather than 8 bytes.
    UML/i386 might have been OK, but I changed the calculation to match
    i386 just to be sure.
    Signed-off-by: Jeff Dike <>
    Signed-off-by: Adrian Bunk <>
  2. @AdrianBunk

    [ALSA] echo3g_dsp.c shouldn't include #include <linux/irq.h>

    AdrianBunk authored
    Despite being under linux/, linux/irq.h shouldn't be #include'd by arch
    independent code.
    Signed-off-by: Adrian Bunk <>
  3. @AdrianBunk

    Revert "[Bluetooth] Fix compat ioctl for BNEP, CMTP and HIDP"

    AdrianBunk authored
    This reverts commit ac4d63d.
    Does not work in 2.6.16.
  4. @AdrianBunk

    [TCP]: struct tcp_sack_block annotations

    Al Viro authored AdrianBunk committed
    Some of the instances of tcp_sack_block are host-endian, some - net-endian.
    Define struct tcp_sack_block_wire identical to struct tcp_sack_block
    with u32 replaced with __be32; annotate uses of tcp_sack_block replacing
    net-endian ones with tcp_sack_block_wire.  Change is obviously safe since
    for cc(1) __be32 is typedefed to u32.
    Signed-off-by: Al Viro <>
    Signed-off-by: Adrian Bunk <>
  5. @jiribohac @AdrianBunk

    [IPX]: Fix NULL pointer dereference on ipx unload

    jiribohac authored AdrianBunk committed
    Fixes a null pointer dereference when unloading the ipx module.
    On initialization of the ipx module, registering certain packet
    types can fail. When this happens, unloading the module later
    dereferences NULL pointers.  This patch fixes that. Please apply.
    Signed-off-by: Jiri Bohac <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Adrian Bunk <>
  6. @herbertx @AdrianBunk

    [NETFILTER]: Clear GSO bits for TCP reset packet

    herbertx authored AdrianBunk committed
    The TCP reset packet is copied from the original.  This
    includes all the GSO bits which do not apply to the new
    packet.  So we should clear those bits.
    Spotted by Patrick McHardy.
    Signed-off-by: Herbert Xu <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Adrian Bunk <>
  7. @AdrianBunk

    [TCP]: Don't apply FIN exception to full TSO segments.

    John Heffner authored AdrianBunk committed
    Signed-off-by: John Heffner <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Adrian Bunk <>
  8. @AdrianBunk

    [ATM]: Fix for crash in adummy_init()

    Daniel Walker authored AdrianBunk committed
    This was reported by Ingo Molnar here,
    The problem is that adummy_init() depends on atm_init() , but adummy_init()
    is called first.
    So I put atm_init() into subsys_initcall which seems appropriate, and it
    will still get module_init() if it becomes a module.
    Interesting to note that you could crash your system here if you just load
    the modules in the wrong order.
    Signed-off-by: Daniel Walker <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Adrian Bunk <>
  9. @AdrianBunk

    TCP: skb is unexpectedly freed.

    Masayuki Nakagawa authored AdrianBunk committed
    I encountered a kernel panic with my test program, which is a very
    simple IPv6 client-server program.
    The server side sets IPV6_RECVPKTINFO on a listening socket, and the
    client side just sends a message to the server.  Then the kernel panic
    occurs on the server.  (If you need the test program, please let me
    know. I can provide it.)
    This problem happens because a skb is forcibly freed in
    When a socket in listening state(TCP_LISTEN) receives a syn packet,
    then tcp_v6_conn_request() will be called from
    tcp_rcv_state_process().  If the tcp_v6_conn_request() successfully
    returns, the skb would be discarded by __kfree_skb().
    However, in case of a listening socket which was already set
    IPV6_RECVPKTINFO, an address of the skb will be stored in
    treq->pktopts and a ref count of the skb will be incremented in
    tcp_v6_conn_request().  But, even if the skb is still in use, the skb
    will be freed.  Then someone still using the freed skb will cause the
    kernel panic.
    I suggest to use kfree_skb() instead of __kfree_skb().
    Signed-off-by: Masayuki Nakagawa <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Adrian Bunk <>
  10. @baruch @AdrianBunk

    TCP: Fix sorting of SACK blocks.

    baruch authored AdrianBunk committed
    The sorting of SACK blocks actually munges them rather than sort,
    causing the TCP stack to ignore some SACK information and breaking the
    assumption of ordered SACK blocks after sorting.
    The sort takes the data from a second buffer which isn't moved causing
    subsequent data moves to occur from the wrong location. The fix is to
    use a temporary buffer as a normal sort does.
    Signed-off-By: Baruch Even <>
    Signed-off-by: David S. Miller <>
  11. @davem330 @AdrianBunk

    AF_PACKET: Check device down state before hard header callbacks.

    davem330 authored AdrianBunk committed
    If the device is down, invoking the device hard header callbacks
    is not legal, so check it early.
    Based upon a shaper OOPS report from Frederik Deweerdt.
    Signed-off-by: David S. Miller <>
    Signed-off-by: Adrian Bunk <>
  12. @breuerr @AdrianBunk

    SPARC32: Fix over-optimization by GCC near ip_fast_csum.

    breuerr authored AdrianBunk committed
    In some cases such as:
            iph->check = 0;
            iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
    GCC may optimize out the previous store.
    Observed as a failure of NFS over udp (bad checksums on ip fragments)
    when compiled with GCC 3.4.2.
    Signed-off-by: Bob Breuer <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Adrian Bunk <>
  13. @ebiederm @AdrianBunk

    DECNET: Handle a failure in neigh_parms_alloc (take 2)

    ebiederm authored AdrianBunk committed
    While enhancing the neighbour code to handle multiple network
    namespaces I noticed that decnet is assuming neigh_parms_alloc
    will allways succeed, which is clearly wrong.  So handle the
    Signed-off-by: Eric W. Biederman <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Adrian Bunk <>
Commits on Feb 13, 2007
  1. @AdrianBunk

    Fix up CIFS for "test_clear_page_dirty()" removal

    Linus Torvalds authored AdrianBunk committed
    This also adds he required page "writeback" flag handling, that cifs
    hasn't been doing and that the page dirty flag changes made obvious.
    Signed-off-by: Linus Torvalds <>
    Acked-by: Steve French <>
  2. @AdrianBunk

    fix umask when noACL kernel meets extN tuned for ACLs

    Hugh Dickins authored AdrianBunk committed
    Fix insecure default behaviour reported by Tigran Aivazian: if an
    ext2 or ext3 filesystem is tuned to mount with "acl", but mounted by
    a kernel built without ACL support, then umask was ignored when creating
    inodes - though root or user has umask 022, touch creates files as 0666,
    and mkdir creates directories as 0777.
    This appears to have worked right until 2.6.11, when a fix to the default
    mode on symlinks (always 0777) assumed VFS applies umask: which it does,
    unless the mount is marked for ACLs; but ext[23] set MS_POSIXACL in
    s_flags according to s_mount_opt set according to def_mount_opts.
    We could revert to the 2.6.10 ext[23]_init_acl (adding an S_ISLNK test);
    but other filesystems only set MS_POSIXACL when ACLs are configured.  We
    could fix this at another level; but it seems most robust to avoid setting
    the s_mount_opt flag in the first place (at the expense of more ifdefs).
    Likewise don't set the XATTR_USER flag when built without XATTR support.
    Signed-off-by: Hugh Dickins <>
    Signed-off-by: Adrian Bunk <>
Commits on Feb 10, 2007
  1. @AdrianBunk


    AdrianBunk authored
Something went wrong with that request. Please try again.