Permalink
Commits on May 24, 2007
  1. Linux 2.6.16.52-rc1

    AdrianBunk committed May 24, 2007
Commits on May 22, 2007
  1. [NET_SCHED]: prio qdisc boundary condition

    This fixes an out-of-boundary condition when the classified
    band equals q->bands. Caught by Alexey
    
    Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Jamal Hadi Salim committed with AdrianBunk May 22, 2007
  2. [IPV6]: Reverse sense of promisc tests in ip6_mc_input

    Reverse the sense of the promiscuous-mode tests in ip6_mc_input().
    
    Signed-off-by: Corey Mutter <crm-netdev@mutternet.com>
    Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Corey Mutter committed with AdrianBunk May 22, 2007
  3. [IPV6]: Send ICMPv6 error on scope violations.

    When an IPv6 router is forwarding a packet with a link-local scope source
    address off-link, RFC 4007 requires it to send an ICMPv6 destination
    unreachable with code 2 ("not neighbor"), but Linux doesn't. Fix below.
    
    Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    David L Stevens committed with AdrianBunk May 22, 2007
  4. [TCP]: zero out rx_opt in tcp_disconnect()

    When the server drops its connection, NFS client reconnects using the
    same socket after disconnecting. If the new connection's SYN,ACK
    doesn't contain the TCP timestamp option and the old connection's did,
    tp->tcp_header_len is recomputed assuming no timestamp header but
    tp->rx_opt.tstamp_ok remains set. Then tcp_build_and_update_options()
    adds in a timestamp option past the end of the allocated TCP header,
    overwriting TCP data, or when the data is in skb_shinfo(skb)->frags[],
    overwriting skb_shinfo(skb) causing a crash soon after. (The issue was
    debugged from such a crash.)
    
    Similarly, wscale_ok and sack_ok also get set based on the SYN,ACK
    packet but not reset on disconnect, since they are zeroed out at
    initialization. The patch zeroes out the entire tp->rx_opt struct in
    tcp_disconnect() to avoid this sort of problem.
    
    Signed-off-by: Srinivas Aji <Aji_Srinivas@emc.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Srinivas Aji committed with AdrianBunk May 22, 2007
  5. [NETPOLL]: Remove CONFIG_NETPOLL_RX

    Get rid of the CONFIG_NETPOLL_RX option completely since all the
    dependencies have been removed long ago...
    
    Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
    Acked-by: Jeff Garzik <jgarzik@pobox.com>
    Acked-by: Matt Mackall <mpm@selenic.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Sergei Shtylyov committed with AdrianBunk May 22, 2007
  6. [NETPOLL]: Fix TX queue overflow in trapped mode.

    CONFIG_NETPOLL_TRAP causes the TX queue controls to be completely bypassed in
    the netpoll's "trapped" mode which easily causes overflows in the drivers with
    short TX queues (most notably, in 8139too with its 4-deep queue).  So, make
    this option more sensible by making it only bypass the TX softirq wakeup.
    
    Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
    Acked-by: Jeff Garzik <jgarzik@pobox.com>
    Acked-by: Tom Rini <trini@kernel.crashing.org>
    Acked-by: Matt Mackall <mpm@selenic.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Sergei Shtylyov committed with AdrianBunk May 22, 2007
  7. [IPV6]: Track device renames in snmp6.

    When network device's are renamed, the IPV6 snmp6 code
    gets confused. It doesn't track name changes so it will OOPS
    when network device's are removed.
    
    The fix is trivial, just unregister/re-register in notify handler.
    
    Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Stephen Hemminger committed with AdrianBunk May 22, 2007
  8. [IPV6]: Fix slab corruption running ip6sic

    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    SesterhennEric committed with AdrianBunk May 22, 2007
  9. gcc-4.1.0 is bust

    Keith says
    
    Compiling 2.6.19-rc6 with gcc version 4.1.0 (SUSE Linux), wait_hpet_tick is
    optimized away to a never ending loop and the kernel hangs on boot in timer
    setup.
    
    0000001a <wait_hpet_tick>:
      1a:   55                      push   %ebp
      1b:   89 e5                   mov    %esp,%ebp
      1d:   eb fe                   jmp    1d <wait_hpet_tick+0x3>
    
    This is not a problem with gcc 3.3.5.  Adding barrier() calls to
    wait_hpet_tick does not help, making the variables volatile does.
    
    And the consensus is that gcc-4.1.0 is busted.
    
    Adrian Bunk:
    Changed from a #warning to an #error for 2.6.16.
    
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Andrew Morton committed with AdrianBunk May 22, 2007
Commits on May 9, 2007
  1. Linux 2.6.16.51

    AdrianBunk committed May 9, 2007
Commits on May 4, 2007
  1. Linux 2.6.16.51-rc1

    AdrianBunk committed May 4, 2007
  2. [X.25]: Add missing sock_put in x25_receive_data

    __x25_find_socket does a sock_hold.
    This adds a missing sock_put in x25_receive_data.
    
    Signed-off-by: Andrew Hendry <andrew.hendry@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    AndrewHendry committed with AdrianBunk May 4, 2007
  3. [NETFILTER]: ipt_CLUSTERIP: fix oops in checkentry function

    The clusterip_config_find_get() already increases entries reference
    counter, so there is no reason to do it twice in checkentry() callback.
    
    This causes the config to be freed before it is removed from the list,
    resulting in a crash when adding the next rule.
    
    Signed-off-by: Jaroslav Kysela <perex@suse.cz>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Jaroslav Kysela committed with AdrianBunk May 4, 2007
  4. x86_64: ACPI_CPU_FREQ must select CPU_FREQ_TABLE

    Fix a compile error reported by Michel Lespinasse.
    
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    AdrianBunk committed May 4, 2007
Commits on May 3, 2007
  1. hwmon/w83627ehf: Don't redefine REGION_OFFSET

    On ia64, kernel headers define REGION_OFFSET so we can't use that.
    Reported by Andrew Morton.
    
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Jean Delvare committed with AdrianBunk May 3, 2007
  2. [NETFILTER]: ip_nat_proto_gre: do not modify/corrupt GREv0 packets th…

    …rough NAT
    
    While porting some changes of the 2.6.21-rc7 pptp/proto_gre conntrack
    and nat modules to a 2.4.32 kernel I noticed that the gre_key function
    returns a wrong pointer to the GRE key of a version 0 packet thus
    corrupting the packet payload.
    
    The intended behaviour for GREv0 packets is to act like
    ip_conntrack_proto_generic/ip_nat_proto_unknown so I have ripped the
    offending functions (not used anymore) and modified the
    ip_nat_proto_gre modules to not touch version 0 (non PPTP) packets.
    
    Signed-off-by: Jorge Boncompte <jorge@dti2.net>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Jorge Boncompte committed with AdrianBunk May 3, 2007
  3. holepunch: fix mmap_sem i_mutex deadlock

    sys_madvise has down_write of mmap_sem, then madvise_remove calls
    vmtruncate_range which takes i_mutex and i_alloc_sem: no, we can
    easily devise deadlocks from that ordering.
    
    madvise_remove drop mmap_sem while calling vmtruncate_range: luckily,
    since madvise_remove doesn't split or merge vmas, it's easy to handle
    this case with a NULL prev, without restructuring sys_madvise.  (Though
    sad to retake mmap_sem when it's unlikely to be needed, and certainly
    down_read is sufficient for MADV_REMOVE, unlike the other madvices.)
    
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Hugh Dickins committed with AdrianBunk May 3, 2007
  4. holepunch: fix disconnected pages after second truncate

    shmem_truncate_range has its own truncate_inode_pages_range, to free any
    pages racily instantiated while it was in progress: a SHMEM_PAGEIN flag
    is set when this might have happened.  But holepunching gets no chance
    to clear that flag at the start of vmtruncate_range, so it's always set
    (unless a truncate came just before), so holepunch almost always does
    this second truncate_inode_pages_range.
    
    shmem holepunch has unlikely swap<->file races hereabouts whatever we do
    (without a fuller rework than is fit for this release): I was going to
    skip the second truncate in the punch_hole case, but Miklos points out
    that would make holepunch correctness more vulnerable to swapoff.  So
    keep the second truncate, but follow it by an unmap_mapping_range to
    eliminate the disconnected pages (freed from pagecache while still
    mapped in userspace) that it might have left behind.
    
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Hugh Dickins committed with AdrianBunk May 3, 2007
  5. holepunch: fix shmem_truncate_range punch locking

    Miklos Szeredi observes that during truncation of shmem page directories,
    info->lock is released to improve latency (after lowering i_size and
    next_index to exclude races); but this is quite wrong for holepunching,
    which receives no such protection from i_size or next_index, and is left
    vulnerable to races with shmem_unuse, shmem_getpage and shmem_writepage.
    
    Hold info->lock throughout when holepunching?  No, any user could prevent
    rescheduling for far too long.  Instead take info->lock just when needed:
    in shmem_free_swp when removing the swap entries, and whenever removing
    a directory page from the level above.  But so long as we remove before
    scanning, we can safely skip taking the lock at the lower levels, except
    at misaligned start and end of the hole.
    
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Hugh Dickins committed with AdrianBunk May 3, 2007
  6. holepunch: fix shmem_truncate_range punching too far

    Miklos Szeredi observes BUG_ON(!entry) in shmem_writepage() triggered
    in rare circumstances, because shmem_truncate_range() erroneously
    removes partially truncated directory pages at the end of the range:
    later reclaim on pages pointing to these removed directories triggers
    the BUG.  Indeed, and it can also cause data loss beyond the hole.
    
    Fix this as in the patch proposed by Miklos, but distinguish between
    "limit" (how far we need to search: ignore truncation's next_index
    optimization in the holepunch case - if there are races it's more
    consistent to act on the whole range specified) and "upper_limit"
    (how far we can free directory pages: generally we must be careful
    to keep partially punched pages, but can relax at end of file -
    i_size being held stable by i_mutex).
    
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Hugh Dickins committed with AdrianBunk May 3, 2007
  7. Linux 2.6.16.50

    AdrianBunk committed May 3, 2007
Commits on May 1, 2007
  1. Linux 2.6.16.50-rc1

    AdrianBunk committed May 1, 2007
Commits on Apr 30, 2007
  1. [IPV6]: Disallow RH0 by default (CVE-2007-2242)

    A security issue is emerging.  Disallow Routing Header Type 0 by default
    as we have been doing for IPv4.
    
    This version already includes a fix for the original patch.
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    AdrianBunk committed Apr 30, 2007
  2. [NETLINK]: Infinite recursion in netlink (CVE-2007-1861)

    Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel,
    which resulted in infinite recursion and stack overflow.
    
    The bug is present in all kernel versions since the feature appeared.
    
    The patch also makes some minimal cleanup:
    
    1. Return something consistent (-ENOENT) when fib table is missing
    2. Do not crash when queue is empty (does not happen, but yet)
    3. Put result of lookup
    
    Sergey Vlasov:
    Oops fix
    
    Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
    Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    AdrianBunk committed Apr 30, 2007
Commits on Apr 25, 2007
  1. Char: icom, mark __init as __devinit

    Two functions are called from __devinit context, but they are marked as
    __init. Fix this.
    
    Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    jirislaby committed with AdrianBunk Apr 25, 2007
  2. aio: remove bare user-triggerable error printk

    The user can generate console output if they cause do_mmap() to fail
    during sys_io_setup().  This was seen in a regression test that does
    exactly that by spinning calling mmap() until it gets -ENOMEM before
    calling io_setup().
    
    We don't need this printk at all, just remove it.
    
    Signed-off-by: Zach Brown <zach.brown@oracle.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Zach Brown committed with AdrianBunk Apr 25, 2007
  3. mca_nmi_hook() can be called at any point

    ... and having it __init is a bad idea.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Al Viro committed with AdrianBunk Apr 25, 2007
  4. IrDA: irttp_dup spin_lock initialisation

    Without this initialization one gets
    
    kernel BUG at kernel/rtmutex_common.h:80!
    
    Signed-off-by: G. Liakhovetski <gl@dsa-ac.de>
    Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
    Acked-by: David Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Guennadi Liakhovetski committed with AdrianBunk Apr 25, 2007
  5. IrDA: Incorrect TTP header reservation

    We must reserve SAR + MAX_HEADER bytes for IrLMP to fit in.
    This fixes an oops reported (and fixed) by Jeet Chaudhuri, when max_sdu_size
    is greater than 0.
    
    Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Jeet Chaudhuri committed with AdrianBunk Apr 25, 2007
Commits on Apr 23, 2007
  1. x86 microcode: don't check the size

    IA32 manual says if micorcode update's size is 0, then the size is
    default size (2048 bytes). But this doesn't suggest all microcode
    update's size should be above 2048 bytes to me. We actually had a
    microcode update whose size is 1024 bytes. The patch just removed the
    check.
    
    Backported by Daniel Drake.
    
    Signed-off-by: Daniel Drake <dsd@gentoo.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Shaohua Li committed with AdrianBunk Apr 23, 2007
Commits on Apr 22, 2007
  1. Linux 2.6.16.49

    AdrianBunk committed Apr 22, 2007
Commits on Apr 20, 2007
  1. Linux 2.6.16.49-rc1

    AdrianBunk committed Apr 20, 2007
  2. tty_io: fix race in master pty close/slave pty close path

    This patch fixes a possible race that leads to double freeing an idr index.
     When the master begin to close, release_dev() is called and then
    pty_close() is called:
    
            if (tty->driver->close)
                    tty->driver->close(tty, filp);
    
    This is done without helding any locks other than BKL.  Inside pty_close(),
    being a master close, the devpts entry will be removed:
    
    #ifdef CONFIG_UNIX98_PTYS
                    if (tty->driver == ptm_driver)
                            devpts_pty_kill(tty->index);
    #endif
    
    But devpts_pty_kill() will call get_node() that may sleep while waiting for
    &devpts_root->d_inode->i_sem.  When this happens and the slave is being
    opened, tty_open() just found the driver and index:
    
            driver = get_tty_driver(device, &index);
            if (!driver) {
                    mutex_unlock(&tty_mutex);
                    return -ENODEV;
            }
    
    This part of the code is already protected under tty_mute.  The problem is
    that the slave close already got an index.  Then init_dev() is called and
    blocks waiting for the same &devpts_root->d_inode->i_sem.
    
    When the master close resumes, it removes the devpts entry, and the
    relation between idr index and the tty is gone.  The master then sleeps
    waiting for the tty_mutex on release_dev().
    
    Slave open resumes and found no tty for that index.  As result, a NULL tty
    is returned and init_dev() doesn't flow to fast_track:
    
            /* check whether we're reopening an existing tty */
            if (driver->flags & TTY_DRIVER_DEVPTS_MEM) {
                    tty = devpts_get_tty(idx);
                    if (tty && driver->subtype == PTY_TYPE_MASTER)
                            tty = tty->link;
            } else {
                    tty = driver->ttys[idx];
            }
            if (tty) goto fast_track;
    
    The result of this, is that a new tty will be created and init_dev() returns
    sucessfull. After returning, tty_mutex is dropped and master close may resume.
    
    Master close finds it's the only use and both sides are closing, then releases
    the tty and the index. At this point, the idr index is free, but slave still
    has it.
    
    Slave open then calls pty_open() and finds that tty->link->count is 0,
    because there's no master and returns error.  Then tty_open() calls
    release_dev() which executes without any warning, as it was a case of last
    slave close when the master is already closed (master->count == 0,
    slave->count == 1).  The tty is then released with the already released idr
    index.
    
    This normally would only issue a warning on idr_remove() but in case of a
    customer's critical application, it's never too simple:
    
    thread1: opens master, gets index X
    thread1: begin closing master
    thread2: begin opening slave with index X
    thread1: finishes closing master, index X released
    thread3: opens master, gets index X, just released
    thread2: fails opening slave, releases index X         <----
    thread4: opens master, gets index X, init_dev() then find an already in use
             and healthy tty and fails
    
    If no more indexes are released, ptmx_open() will keep failing, as the
    first free index available is X, and it will make init_dev() fail because
    you're trying to "reopen a master" which isn't valid.
    
    The patch notices when this race happens and make init_dev() fail
    imediately.  The init_dev() function is called with tty_mutex held, so it's
    safe to continue with tty till the end of function because release_dev()
    won't make any further changes without grabbing the tty_mutex.
    
    Without the patch, on some machines it's possible get easily idr warnings
    like this one:
    
    idr_remove called for id=15 which is not allocated.
     [<c02555b9>] idr_remove+0x139/0x170
     [<c02a1b62>] release_mem+0x182/0x230
     [<c02a28e7>] release_dev+0x4b7/0x700
     [<c02a0ea7>] tty_ldisc_enable+0x27/0x30
     [<c02a1e64>] init_dev+0x254/0x580
     [<c02a0d64>] check_tty_count+0x14/0xb0
     [<c02a4f05>] tty_open+0x1c5/0x340
     [<c02a4d40>] tty_open+0x0/0x340
     [<c017388f>] chrdev_open+0xaf/0x180
     [<c017c2ac>] open_namei+0x8c/0x760
     [<c01737e0>] chrdev_open+0x0/0x180
     [<c0167bc9>] __dentry_open+0xc9/0x210
     [<c0167e2c>] do_filp_open+0x5c/0x70
     [<c0167a91>] get_unused_fd+0x61/0xd0
     [<c0167e93>] do_sys_open+0x53/0x100
     [<c0167f97>] sys_open+0x27/0x30
     [<c010303b>] syscall_call+0x7/0xb
    
    using this test application available on:
     http://www.ruivo.org/~aris/pty_sodomizer.c
    
    Signed-off-by: Aristeu Sergio Rozanski Filho <aris@ruivo.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    aristeu committed with AdrianBunk Apr 20, 2007
  3. elevator: move clearing of unplug flag earlier

    A flag was recently added to the elevator code to avoid
    performing an unplug when reuests are being re-queued.
    The goal of this flag was to avoid a deep recursion that
    can occur when re-queueing requests after a SCSI device/host
    reset.  See http://lkml.org/lkml/2006/5/17/254
    
    However, that fix added the flag near the bottom of a case
    statement, where an earlier break (in an if statement) could
    transport one out of the case, without setting the flag.
    This patch sets the flag earlier in the case statement.
    
    I re-discovered the deep recursion recently during testing;
    I was told that it was a known problem, and the fix to it was
    in the kernel I was testing. Indeed it was ... but it didn't
    fix the bug. With the patch below, I no longer see the bug.
    
    Signed-off by: Linas Vepstas <linas@austin.ibm.com>
    Signed-off-by: Jens Axboe <axboe@suse.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Linas Vepstas committed with AdrianBunk Apr 20, 2007