Permalink
Commits on Mar 11, 2007
  1. Linux 2.6.16.44-rc1

    AdrianBunk committed Mar 11, 2007
  2. [IPV6] fix ipv6_getsockopt_sticky copy_to_user leak

    User supplied len < 0 can cause leak of kernel memory.
    Use unsigned compare instead.
    
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    chriswright committed with AdrianBunk Mar 11, 2007
  3. [IPV6]: Fix for ipv6_setsockopt NULL dereference

    I came across this bug in http://bugzilla.kernel.org/show_bug.cgi?id=8155
    
    Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Olaf Kirch committed with AdrianBunk Mar 11, 2007
  4. Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005)

    Based on a patch from Don Howard <dhoward@redhat.com>
    
    When calling write() with a buffer larger than 512 bytes, the
    driver's write buffer overflows, allowing to overwrite the EIP and
    execute arbitrary code with kernel privileges.
    
    In read(), there exists a similar problem, but coming from the device.
    A malicous or buggy device sending more than 512 bytes can overflow
    of the driver's read buffer, with the same effects as above.
    
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    holtmann committed with AdrianBunk Mar 11, 2007
  5. IB/mthca: Fix off-by-one in FMR handling on memfree

    From: Michael S. Tsirkin <mst@mellanox.co.il>
    
    mthca_table_find() will return the wrong address when the table entry
    being searched for is exactly at the beginning of a sglist entry
    (other than the first), because it uses >= when it should use >.
    
    Example: assume we have 2 entries in scatterlist, 4K each, offset is 4K.
    The current code will return first entry + 4K when we really want
    the second entry.
    
    In particular this means mapping an FMR on a memfree HCA may end up
    writing the page table into the wrong place, leading to memory
    corruption and also causing the HCA to use an incorrect address
    translation table.
    
    Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
    Signed-off-by: Roland Dreier <rolandd@cisco.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Michael S. Tsirkin committed with AdrianBunk Mar 11, 2007
  6. IPoIB: Rejoin all multicast groups after a port event

    When ipoib_ib_dev_flush() is called because of a port event, the
    driver needs to rejoin all multicast groups, since the flush will call
    ipoib_mcast_dev_flush() (via ipoib_ib_dev_down()).  Otherwise no
    (non-broadcast) multicast groups will be rejoined until the networking
    core calls ->set_multicast_list again, and so multicast reception will
    be broken for potentially a long time.
    
    Signed-off-by: Eli Cohen <eli@mellanox.co.il>
    Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
    Signed-off-by: Roland Dreier <rolandd@cisco.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Eli Cohen committed with AdrianBunk Mar 11, 2007
  7. IB/mthca: Use mmiowb after doorbell ring

    We discovered a problem when running IPoIB applications on multiple
    CPUs on an Altix system. Many messages such as:
    
    ib_mthca 0002:01:00.0: SQ 000014 full (19941644 head, 19941707 tail, 64 max, 0 nreq)
    
    appear in syslog, and the driver wedges up.
    
    Apparently this is because writes to the doorbells from different CPUs
    reach the device out of order. The following patch adds mmiowb() calls
    after doorbell rings to ensure the doorbell writes are ordered.
    
    Signed-off-by: Arthur Kepner <akepner@sgi.com>
    Signed-off-by: Roland Dreier <rolandd@cisco.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Arthur Kepner committed with AdrianBunk Mar 11, 2007
Commits on Mar 9, 2007
  1. SPARC64: Fix memory corruption in pci_4u_free_consistent()

    The second argument to free_npages() was being incorrectly
    calculated, which would thus access far past the end of the
    arena->map[] bitmap.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    davem330 committed with AdrianBunk Mar 9, 2007
  2. make ppc64 current preempt-safe

    Repeated -j20 kernel builds on a G5 Quad running an SMP PREEMPT kernel
    would often collapse within a day, some exec failing with "Bad address".
    In each case examined, load_elf_binary was doing a kernel_read, but
    generic_file_aio_read's access_ok saw current->thread.fs.seg as USER_DS
    instead of KERNEL_DS.
    
    objdump of filemap.o shows gcc 4.1.0 emitting "mr r5,r13 ... ld r9,416(r5)"
    here for get_paca()->__current, instead of the expected and much more usual
    "ld r9,416(r13)"; I've seen other gcc4s do the same, but perhaps not gcc3s.
    
    So, if the task is preempted and rescheduled on a different cpu in between
    the mr and the ld, r5 will be looking at a different paca_struct from the
    one it's now on, pick up the wrong __current, and perhaps the wrong seg.
    Presumably much worse could happen elsewhere, though that split is rare.
    
    Other architectures appear to be safe (x86_64's read_pda is more limiting
    than get_paca), but ppc64 needs to force "current" into one instruction.
    
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Hugh Dickins committed with AdrianBunk Mar 9, 2007
  3. dvb-core: fix bug in CRC-32 checking on 64-bit systems

    CRC-32 checking during ULE decapsulation always failed on x86_64 systems due
    to the size of a variable used to store CRC. This bug was discovered on
    Fedora Core 6 with kernel-2.6.18-1.2849. The i386 counterpart has no such
    problem. This patch has been tested on 64-bit system as well as 32-bit system.
    
    Signed-off-by: Ang Way Chuang <wcang@nrg.cs.usm.my>
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Ang Way Chuang committed with AdrianBunk Mar 9, 2007
  4. [IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky(). (CVE-2…

    …007-1000)
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    davem330 committed with AdrianBunk Mar 9, 2007
Commits on Mar 8, 2007
  1. [TCP]: Fix minisock tcp_create_openreq_child() typo.

    On 2/28/07, KOVACS Krisztian <hidden@balabit.hu> wrote:
    >
    >   Hi,
    >
    >   While reading TCP minisock code I've found this suspiciously looking
    > code fragment:
    >
    > - 8< -
    > struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req, struct sk_buff *skb)
    > {
    >         struct sock *newsk = inet_csk_clone(sk, req, GFP_ATOMIC);
    >
    >         if (newsk != NULL) {
    >                 const struct inet_request_sock *ireq = inet_rsk(req);
    >                 struct tcp_request_sock *treq = tcp_rsk(req);
    >                 struct inet_connection_sock *newicsk = inet_csk(sk);
    >                 struct tcp_sock *newtp;
    > - 8< -
    >
    >   The above code initializes newicsk to inet_csk(sk), isn't that supposed
    > to be inet_csk(newsk)?  As far as I can tell this might leave
    > icsk_ack.last_seg_size zero even if we do have received data.
    
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Arnaldo Carvalho de Melo committed with AdrianBunk Mar 8, 2007
  2. DVB: cxusb: fix firmware patch for big endian systems

    Without this patch, the device will not be detected after firmware download
    on big endian systems.
    
    Signed-off-by: Jin-Bong lee <jinbong.lee@samsung.com>
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Jin-Bong lee committed with AdrianBunk Mar 8, 2007
  3. [IPV6]: /proc/net/anycast6 unbalanced inet6_dev refcnt

    Reading /proc/net/anycast6 when there is no anycast address
    on an interface results in an ever-increasing inet6_dev reference
    count, as well as a reference to the netdevice you can't get rid of.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    David Stevens committed with AdrianBunk Mar 8, 2007
  4. [IPV6]: anycast refcnt fix

    This patch fixes a bug in Linux IPv6 stack which caused anycast address
    to be added to a device prior DAD has been completed. This led to
    incorrect reference count which resulted in infinite wait for
    unregister_netdevice completion on interface removal.
    
    Signed-off-by: Michal Wrobel <xmxwx@asn.pl>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    xmxwx committed with AdrianBunk Mar 8, 2007
  5. [SPARC64] bbc_i2c: Fix kenvctrld eating %100 cpu.

    Based almost entirely upon a patch by Joerg Friedrich
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    davem330 committed with AdrianBunk Mar 8, 2007
  6. [UDP]: Reread uh pointer after pskb_trim

    The header may have moved when trimming.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    herbertx committed with AdrianBunk Mar 8, 2007
  7. [INET]: twcal_jiffie should be unsigned long, not int

    Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Eric Dumazet committed with AdrianBunk Mar 8, 2007
  8. video/aty/mach64_ct.c: fix bogus delay loop

    CT based mach64 cards were reported to hang on sparc64 boxes when
    compiled with gcc-4.1.x and later.
    
    Looking at this piece of code, it's no surprise.  A critical
    delay was implemented as an empty for() loop, and gcc 4.0.x
    and previous did not optimize it away, so we did get a delay.
    
    But gcc-4.1.x and later can optimize it away, and we get crashes.
    
    Use a real udelay() to fix this.  Fix verified on SunBlade100.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    davem330 committed with AdrianBunk Mar 8, 2007
  9. modify 3c589_cs to be SMP safe

    1. EL3WINDOW is always 1 when lock is not held.
    
    2. The second argument of el3_interrupt is 'void *dev_id',
    not 'struct el3_private *lp'.
    
    Adrian Bunk:
    backported to 2.6.16
    
    Signed-off-by: Komuro <komurojun-mbn@nifty.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Komuro committed with AdrianBunk Mar 8, 2007
  10. Missing critical phys_to_virt in lib/swiotlb.c

    Adds missing call to phys_to_virt() in the
    lib/swiotlb.c:swiotlb_sync_sg() function.  Without this change, a kernel
    panic will always occur whenever a SWIOTLB bounce buffer from a
    scatter-gather list gets synced.
    
    Signed-off-by: David Moore <dcm@acm.org>
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    David Moore committed with AdrianBunk Mar 8, 2007
  11. init_reap_node() initialization fix

    It looks like there is a bug in init_reap_node() in slab.c that can cause
    multiple oops's on certain ES7000 configurations.  The variable reap_node
    is defined per cpu, but only initialized on a single CPU.  This causes an
    oops in next_reap_node() when __get_cpu_var(reap_node) returns the wrong
    value.  Fix is below.
    
    Signed-off-by: Dan Yeisley <dan.yeisley@unisys.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Dan Yeisley committed with AdrianBunk Mar 8, 2007
  12. Input: psmouse - fix attribute access on 64-bit systems

    psmouse_show_int_attr() and psmouse_set_int_attr() were accessing
    unsigned int fields as unsigned long, which gave garbage on x86_64.
    
    Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    sigprof committed with AdrianBunk Mar 8, 2007
Commits on Mar 2, 2007
  1. Linux 2.6.16.43

    AdrianBunk committed Mar 2, 2007
  2. fs/bad_inode.c 64bit fix

    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    AdrianBunk committed Mar 2, 2007
Commits on Feb 27, 2007
  1. Linux 2.6.16.43-rc1

    AdrianBunk committed Feb 27, 2007
  2. i2c-isa: Restore driver owner

    Commit 2b48716 back in January
    2006 was a bit overzealous. It removed .owner from all i2c drivers,
    including i2c-isa ones, while they still need it.
    
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Jean Delvare committed with AdrianBunk Feb 27, 2007
Commits on Feb 26, 2007
  1. [DECNET]: Fix sfuzz hanging on 2.6.18

    Dave Jones wrote:
    > sfuzz         D 724EF62A  2828 28717  28691                     (NOTLB)
    >        cd69fe98 00000082 0000012d 724ef62a 0001971a 00000010 00000007 df6d22b0
    >        dfd81080 725bbc5e 0001971a 000cc634 00000001 df6d23bc c140e260 00000202
    >        de1d5ba0 cd69fea0 de1d5ba0 00000000 00000000 de1d5b60 de1d5b8c de1d5ba0
    > Call Trace:
    >  [<c05b1708>] lock_sock+0x75/0xa6
    >  [<e0b0b604>] dn_getname+0x18/0x5f [decnet]
    >  [<c05b083b>] sys_getsockname+0x5c/0xb0
    >  [<c05b0b46>] sys_socketcall+0xef/0x261
    >  [<c0403f97>] syscall_call+0x7/0xb
    > DWARF2 unwinder stuck at syscall_call+0x7/0xb
    >
    > I wonder if the plethora of lockdep related changes inadvertantly broke something?
    
    Looks like unbalanced locking.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    kaber committed with AdrianBunk Feb 26, 2007
  2. sis190: failure to set the MAC address from EEPROM

    Fix from http://bugzilla.kernel.org/show_bug.cgi?id=7747
    
    Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Francois Romieu committed with AdrianBunk Feb 26, 2007
  3. hwmon: Refactor SENSOR_DEVICE_ATTR_2

    This patch refactors SENSOR_DEVICE_ATTR_2 macro, following pattern set by
    SENSOR_ATTR.  First it creates a new macro SENSOR_ATTR_2() which expands
    to an initialization expression, then it uses that in SENSOR_DEVICE_ATTR_2,
    which declares and initializes a struct sensor_device_attribute_2.
    
    Signed-off-by: Jim Cromie <jim.cromie@gmail.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    jimc committed with AdrianBunk Feb 26, 2007
  4. hwmon: Allow sensor attributes arrays

    This patch refactors SENSOR_DEVICE_ATTR macro.  First it creates a new
    macro SENSOR_ATTR() which expands to an initialization expression, then
    it uses that in SENSOR_DEVICE_ATTR, which declares and initializes a
    struct sensor_device_attribute.
    
    IOW, SENSOR_ATTR() imitates __ATTR() in include/linux/device.h.
    
    Signed-off-by: Jim Cromie <jim.cromie@gmail.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    jimc committed with AdrianBunk Feb 26, 2007
  5. sky2: email and version change.

    Put in new email address.
    
    Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Stephen Hemminger committed with AdrianBunk Feb 26, 2007
  6. sky2: add more pci ids

    Update the pci device id table to match 2.6.20 (except for new 88e807x
    that is still experimental).
    
    Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Stephen Hemminger committed with AdrianBunk Feb 26, 2007
  7. sky2: more stats

    This is a simple enhancement to dump more device statistics with ethtool.
    
    Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Stephen Hemminger committed with AdrianBunk Feb 26, 2007
  8. sky2: fix for use on big endian

    Ben added this for 2.6.18, it allows sky2 to run on big endian.
    
    Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Stephen Hemminger committed with AdrianBunk Feb 26, 2007