Commits on Apr 13, 2007
  1. @AdrianBunk

    Linux 2.6.16.47

    AdrianBunk committed Apr 13, 2007
Commits on Apr 10, 2007
  1. @AdrianBunk

    Linux 2.6.16.47-rc1

    AdrianBunk committed Apr 10, 2007
  2. @jdelvare @AdrianBunk

    APPLETALK: Fix a remotely triggerable crash (CVE-2007-1357)

    When we receive an AppleTalk frame shorter than what its header says,
    we still attempt to verify its checksum, and trip on the BUG_ON() at
    the end of function atalk_sum_skb() because of the length mismatch.
    
    This has security implications because this can be triggered by simply
    sending a specially crafted ethernet frame to a target victim,
    effectively crashing that host. Thus this qualifies, I think, as a
    remote DoS. Here is the frame I used to trigger the crash, in npg
    format:
    
    <Appletalk Killer>
    {
    # Ethernet header -----
    
      XX XX XX XX XX XX  # Destination MAC
      00 00 00 00 00 00  # Source MAC
      00 1D              # Length
    
    # LLC header -----
    
      AA AA 03
      08 00 07 80 9B  # Appletalk
    
    # Appletalk header -----
    
      00 1B        # Packet length (invalid)
      00 01        # Fake checksum
      00 00 00 00  # Destination and source networks
      00 00 00 00  # Destination and source nodes and ports
    
    # Payload -----
    
      0C 0D 0E 0F 10 11 12 13
      14
    }
    
    The destination MAC address must be set to that of the victim.
    
    The severity is mitigated by two requirements:
    * The target host must have the appletalk kernel module loaded. I
      suspect this isn't so frequent.
    * AppleTalk frames are non-IP, thus I guess they can only travel on
      local networks. I am no network expert though, maybe it is possible
      to somehow encapsulate AppleTalk packets over IP.
    
    The bug has been reported back in June 2004:
      http://bugzilla.kernel.org/show_bug.cgi?id=2979
    But it wasn't investigated, and was closed in July 2006 as both
    reporters had vanished meanwhile.
    
    This code was new in kernel 2.6.0-test5:
      http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2
    And not modified since then, so we can assume that vanilla kernels
    2.6.0-test5 and later, and distribution kernels based thereon, are
    affected.
    
    Note that I still do not know for sure what triggered the bug in the
    real-world cases. The frame could have been corrupted by the kernel if
    we have a bug hiding somewhere. But more likely, we are receiving the
    faulty frame from the network.
    
    Signed-off-by: Jean Delvare <jdelvare@suse.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    jdelvare committed with AdrianBunk Apr 10, 2007
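The length mismatch described in the commit message above, as an added C example (not the kernel patch and not code from this page): a stand-alone validator that compares the 10-bit DDP length field with the bytes actually received before any checksum walk. The 13-byte extended header size, the function names and the verdict enum are assumptions of this example; the sample bytes are the DDP portion of the frame quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DDP_HDR_LEN  13u     /* extended DDP header size (assumed here) */
#define DDP_LEN_MASK 0x03FFu /* length = low 10 bits of the first word */

enum ddp_verdict { DDP_OK, DDP_SHORT_HDR, DDP_TRUNCATED, DDP_BAD_CSUM };

/* DDP checksum: add each byte, then rotate the 16-bit sum left by one. */
static uint16_t ddp_checksum(const uint8_t *p, size_t len)
{
    uint16_t sum = 0;
    while (len--) {
        sum = (uint16_t)(sum + *p++);
        sum = (uint16_t)((sum << 1) | (sum >> 15));
    }
    return sum ? sum : 0xFFFFu; /* 0 on the wire means "no checksum" */
}

/* buf/avail: DDP datagram as received, after the Ethernet and LLC/SNAP
 * headers. Length checks come first so the checksum never reads past avail. */
enum ddp_verdict ddp_validate(const uint8_t *buf, size_t avail)
{
    size_t claimed;
    uint16_t wire;

    if (avail < DDP_HDR_LEN)
        return DDP_SHORT_HDR;
    claimed = (((size_t)buf[0] << 8) | buf[1]) & DDP_LEN_MASK;
    if (claimed < DDP_HDR_LEN)
        return DDP_SHORT_HDR;
    if (claimed > avail)
        return DDP_TRUNCATED; /* header claims more than was received */
    wire = (uint16_t)((buf[2] << 8) | buf[3]);
    if (wire != 0 && wire != ddp_checksum(buf + 4, claimed - 4))
        return DDP_BAD_CSUM;
    return DDP_OK;
}

/* DDP bytes of the frame in the commit message: 21 received, 0x001B = 27
 * claimed, non-zero checksum field so verification would be attempted. */
static const uint8_t page_frame[21] = {
    0x00, 0x1B, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14
};

enum ddp_verdict check_page_frame(void)
{
    return ddp_validate(page_frame, sizeof page_frame);
}

int main(void)
{
    printf("verdict for quoted frame: %d\n", (int)check_page_frame());
    return 0;
}
```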
Commits on Apr 8, 2007
  1. @AdrianBunk

    siimage: PIO1/2 taskfile transfer overclocking fix

    Fix two typos found by SiI680A documentation check.  They caused the taskfile
    transfer overclocking:
    
    - in PIO mode 1 as 0x2283 must be used for both data and taskfile transfers;
    
    - in PIO mode 2 as data and taskfile timings are swapped when writing to the
      MMIO regs.
    
    Fix coding style and trailing whitespace in enclosing statements while at it...
    
    Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Sergei Shtylyov committed with AdrianBunk Apr 9, 2007
  2. @AdrianBunk

    hrtimer: prevent overrun DoS in hrtimer_forward()

    hrtimer_forward() does not check for the possible overflow of
    timer->expires. This can happen on 64 bit machines with large interval
    values and results currently in an endless loop in the softirq because
    the expiry value becomes negative and therefore the timer is expired all
    the time.
    
    Check for this condition and set the expiry value to the max. expiry
    time in the future.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Thomas Gleixner committed with AdrianBunk Apr 9, 2007
  3. @AdrianBunk

    fix MTIME_SEC_MAX on 32-bit

    The maximum seconds value we can handle on 32bit is LONG_MAX.
    
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Thomas Gleixner committed with AdrianBunk Apr 9, 2007
  4. @AdrianBunk

    prevent timespec/timeval to ktime_t overflow

    Frank v.  Waveren pointed out that on 64bit machines the timespec to
    ktime_t conversion might overflow.  This is also true for timeval to
    time_t conversions.  This breaks a "sleep inf" on 64bit machines.
    
    While a timespec/timeval with tx.sec = MAX_LONG is valid by specification
    the internal representation of ktime_t is based on nanoseconds.  The
    conversion of seconds to nanoseconds overflows for seconds values >=
    (MAX_LONG / NSEC_PER_SEC).
    
    Check the seconds argument to the conversion and limit it to the maximum
    time which can be represented by ktime_t.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Thomas Gleixner committed with AdrianBunk Apr 9, 2007
  5. @AdrianBunk

    ieee1394: video1394: DMA fix

    This together with the phys_to_virt fix in lib/swiotlb.c::swiotlb_sync_sg
    fixes video1394 DMA on machines with DMA bounce buffers, especially Intel
    x86-64 machines with > 3GB RAM.
    
    Signed-off-by: David Moore <dcm@acm.org>
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    David Moore committed with AdrianBunk Apr 8, 2007
  6. @ebiederm @AdrianBunk

    Fix reparenting to the same thread group. (take 2)

    This patch fixes the case when we reparent to a different thread in the
    same thread group.  This modifies the code so that we do not send
    signals and do not change the signal to send to SIGCHLD unless we have
    changed the thread group of our parents.  It also suppresses sending
    pdeath_sig in this case as well since the result of getppid doesn't
    change.
    
    Thanks to Oleg for spotting my bug of only fixing this for non-ptraced
    tasks.
    
    This fixes the issues identified by Albert Cahalan in thread
    http://lkml.org/lkml/2006/12/21/22
    
    Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    ebiederm committed with AdrianBunk Apr 8, 2007
  7. @AdrianBunk

    tcp: fix cubic scaling error

    Doug Leith observed a discrepancy between the version of CUBIC described
    in the papers and the version in 2.6.18. A math error related to scaling
    causes Cubic to grow too slowly.
    
    Patch is from "Sangtae Ha" <sha2@ncsu.edu>. I validated that
    it does fix the problems.
    
    See the following to show behavior over 500ms 100 Mbit link.
    
    Sender (2.6.19-rc3) ---  Bridge (2.6.18-rt7) ------- Receiver (2.6.19-rc3)
                        1G      [netem]           100M
    
            http://developer.osdl.org/shemminger/tcp/2.6.19-rc3/cubic-orig.png
            http://developer.osdl.org/shemminger/tcp/2.6.19-rc3/cubic-fix.png
    
    Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Stephen Hemminger committed with AdrianBunk Apr 8, 2007
Commits on Apr 4, 2007
  1. @AdrianBunk

    [netdrvr] tulip, de2104x: fix typo: s/__sparc_/__sparc__/

    Noticed by Doug Nazar (via David Miller).
    
    Signed-off-by: Jeff Garzik <jeff@garzik.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Jeff Garzik committed with AdrianBunk Apr 4, 2007
  2. @AdrianBunk

    b44: src_desc->addr is little-endian

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Al Viro committed with AdrianBunk Apr 4, 2007
  3. @AdrianBunk

    ide-floppy: Fix unformatted media crash

    A ZIP or similar with unformatted media will cause crashes when attempts
    are made to read/write it in some cases. This is because bs_factor is
    zero and we divide by it causing an oops.
    
    As the size of a non-accessible/non-existent media is really a bit of a
    zen question it doesn't matter if non-existent media is 512 bytes per
    sector or zero. Setting it to 1 causes us to generate 512 bytes/sector
    accesses and error properly.
    
    Based on a fix found lurking in an ancient bugzilla entry since about 2004 (ugghhh)
    
    Signed-off-by: Alan Cox <alan@redhat.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Alan Cox committed with AdrianBunk Apr 4, 2007
Commits on Apr 3, 2007
  1. @kaber @AdrianBunk

    [IFB]: Fix crash on input device removal

    The input_device pointer is not refcounted, which means the device may
    disappear while packets are queued, causing a crash when ifb passes packets
    with a stale skb->dev pointer to netif_rx().
    
    Fix by storing the interface index instead and do a lookup where necessary.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    kaber committed with AdrianBunk Apr 3, 2007
Commits on Apr 2, 2007
  1. @davem330 @AdrianBunk

    [VIDEO] ffb: Fix two DAC handling bugs.

    The determination of whether the DAC has inverted cursor logic is
    broken, import the version checks the X.org driver uses to fix this.
    
    Next, when we change the timing generator, borrow code from X.org that
    does 10 NOP reads of the timing generator register afterwards to make
    sure the video-enable transition occurs cleanly.
    
    Finally, use macros for the DAC registers and fields in order to
    provide documentation for the next person who reads this code.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    davem330 committed with AdrianBunk Apr 3, 2007
Commits on Mar 31, 2007
  1. @AdrianBunk

    Linux 2.6.16.46

    AdrianBunk committed Mar 31, 2007
Commits on Mar 28, 2007
  1. @AdrianBunk

    Linux 2.6.16.46-rc1

    AdrianBunk committed Mar 28, 2007
  2. @tiwai @AdrianBunk

    [ALSA] ca0106 - Add missing sysfs device assignment

    Added the missing device assignment before creating sysfs tree.
    This caused the insufficient device permissions.
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    tiwai committed with AdrianBunk Mar 28, 2007
  3. @tiwai @AdrianBunk

    [ALSA] cs4281 - Fix the check of right channel

    Fix the check of right channel in mixer volume put callback.
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    tiwai committed with AdrianBunk Mar 28, 2007
  4. @fmalita @AdrianBunk

    [ALSA] Dereference after free in snd_hwdep_release()

    snd_card_file_remove() may free hw->card so we can't dereference
    hw->card->module after that.
    Coverity ID 1420.
    
    Signed-off-by: Florin Malita <fmalita@gmail.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    fmalita committed with AdrianBunk Mar 28, 2007
  5. @tiwai @AdrianBunk

    [ALSA] cmipci - Fix a typo in 'PC Speaker Playback Switch' control

    Fixed a typo in  'PC Speaker Playback Switch' control name.
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    tiwai committed with AdrianBunk Mar 28, 2007
  6. @SesterhennEric @AdrianBunk

    [ALSA] fix NULL pointer dereference in sound/synth/emux/soundfont.c

    this is about coverity id #100.
    It seems the if statement is negated, since the else branch calls
    remove_info() with sflist->currsf as a parameter where it gets
    dereferenced.
    
    Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    SesterhennEric committed with AdrianBunk Mar 28, 2007
  7. @tiwai @AdrianBunk

    [ALSA] Fix invalid assignment of PCI revision

    Fix the type of PCI revision to char from int and avoid invalid
    assignment with pointer cast.
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    tiwai committed with AdrianBunk Mar 28, 2007
  8. @tiwai @AdrianBunk

    [ALSA] hda-intel - Don't try to probe invalid codecs

    Fix the max number of codecs detected by HD-intel (and compatible)
    controllers.
    
    ATI controllers may have up to 4 codecs while ICH up to 3.
    Now max codecs is defined according to the driver type, either 3 or 4.
    Currently 4 is set only to ATI chips.  Others might need the same
    change, too.
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    tiwai committed with AdrianBunk Mar 28, 2007
  9. @tiwai @AdrianBunk

    [ALSA] hda-codec - Don't return error at initialization of modem codec

    Some modem codecs seem to fail in the initialization, and this
    stopped loading of the whole module although the audio is OK.
    Since it's usually a non-fatal issue, the driver tries to proceed
    to initialize now.
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    tiwai committed with AdrianBunk Mar 28, 2007
  10. @cladisch @AdrianBunk

    usb-audio: work around wrong frequency in CM6501 descriptors

    The C-Media CM6501 chip's descriptors say that altsetting 5 supports
    48 kHz, but it actually plays at 96 kHz.
    
    Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
    Signed-off-by: Jaroslav Kysela <perex@suse.cz>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    cladisch committed with AdrianBunk Mar 28, 2007
  11. @AdrianBunk

    sound/pci/au88x0/au88x0.c: ioremap balanced with iounmap

    Signed-off-by: Amol Lad <amol@verismonetworks.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Amol Lad committed with AdrianBunk Mar 28, 2007
  12. @AdrianBunk

    [IPV6] HASHTABLES: Use appropriate seed for calculating ehash index.

    Tetsuo Handa <handat@pm.nttdata.co.jp> told me that connect(2) with TCPv6
    socket almost always took a few minutes to return when we did not have any
    ports available in the range of net.ipv4.ip_local_port_range.
    
    The reason was that we used incorrect seed for calculating index of
    hash when we check established sockets in __inet6_check_established().
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    YOSHIFUJI Hideaki committed with AdrianBunk Mar 28, 2007
  13. @AdrianBunk

    [PPP]: Don't leak an sk_buff on interface destruction.

    Signed-off-by: Guennadi Liakhovetski <gl@dsa-ac.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Guennadi Liakhovetski committed with AdrianBunk Mar 28, 2007
  14. @kaber @AdrianBunk

    [NET_SCHED]: Fix ingress locking

    Ingress queueing uses a separate lock for serializing enqueue operations,
    but fails to properly protect itself against concurrent changes to the
    qdisc tree. Use queue_lock for now since the real fix is quite intrusive.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    kaber committed with AdrianBunk Mar 28, 2007
  15. @kaber @AdrianBunk

    [NET_SCHED]: cls_basic: fix NULL pointer dereference

    cls_basic doesn't allocate tp->root before it is linked into the
    active classifier list, resulting in a NULL pointer dereference
    when packets hit the classifier before its ->change function is
    called.
    
    Reported by Chris Madden <chris@reflexsecurity.com>
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    kaber committed with AdrianBunk Mar 28, 2007
  16. @AdrianBunk

    USB: RAZR v3i unusual_devs

    This adds an unusual_devs entry for the Motorola RAZR v3i.
    
    Signed-off-by: Phil Dibowitz <phil@ipom.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Pete Zaitcev committed with AdrianBunk Mar 28, 2007
  17. @AdrianBunk

    USB storage: Nokia 6288 unusual_devs entry

    This patch adds an unusual_devs entry for the Nokia 6288.
    
    Signed-off-by: Phil Dibowitz <phil@ipom.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Andrew Nayenko committed with AdrianBunk Mar 28, 2007
  18. @AdrianBunk

    USB Storage: US_FL_IGNORE_RESIDUE needed for Aiptek MP3 Player

    Device will not work as a mass storage device without US_FL_IGNORE_RESIDUE.
    
    I bought this mp3 player that takes SD cards here
    
    http://www.aiptek.com/Merchant2/merchant.mvc?Screen=PROD&Product_Code=AX4&Category_Code=MP3&Store_Code=AS
    
    Signed-off-by: Dylan Taft <d13f00l@gmail.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Dylan Taft committed with AdrianBunk Mar 28, 2007
  19. @AdrianBunk

    USB: unusual_devs.h for Sony floppy

    This patch increases the range for 0x054c:0x002c devices to make
    the following Sony USB floppy work:
    
    T:  Bus=02 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#=  6 Spd=12  MxCh= 0
    D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=054c ProdID=002c Rev=20.00
    S:  Manufacturer=SONY
    S:  Product=USB Floppy
    C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=500mA
    I:  If#= 0 Alt= 0 #EPs= 3 Cls=08(stor.) Sub=04 Prot=00 Driver=usb-storage
    E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    E:  Ad=83(I) Atr=03(Int.) MxPS=   2 Ivl=127ms
    
    Signed-off-by: Marcelo Ricardo Leitner <mrl@mandriva.com>
    Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Luiz Fernando N. Capitulino committed with AdrianBunk Mar 28, 2007