Commits on Nov 5, 2007
  1. Linux 2.6.16.57

    Adrian Bunk committed Nov 5, 2007
Commits on Nov 2, 2007
  1. Linux 2.6.16.57-rc1

    Adrian Bunk committed Nov 2, 2007
  2. @neilbrown

    knfsd: allow nfsd READDIR to return 64bit cookies

    ->readdir passes loff_t offsets (used as nfs cookies) to
    nfs3svc_encode_entry{,_plus}, but when they pass it on to encode_entry it
    becomes an 'off_t', which isn't good.
    
    So filesystems that returned 64bit offsets would lose.
    
    Signed-off-by: Neil Brown <neilb@suse.de>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    neilbrown committed with Adrian Bunk Nov 2, 2007
  3. buffer: memorder fix

    unlock_buffer(), like unlock_page(), must not clear the lock without
    ensuring that the critical section is closed.
    
    Mingming later sent the same patch, saying:
    
    We are running SDET benchmark and saw double free issue for ext3 extended
    attributes block, which complains the same xattr block already being freed (in
    ext3_xattr_release_block()).  The problem could also be triggered by
    multiple threads loop untar/rm a kernel tree.
    
    The race is caused by missing a memory barrier at unlock_buffer() before the
    lock bit being cleared, resulting in possible concurrent h_refcounter update.
    That causes a reference counter leak, then later leads to the double free that
    we have seen.
    
    Inside unlock_buffer(), there is a memory barrier placed *after* the lock
    bit is being cleared, however, there is no memory barrier *before* the bit is
    cleared.  On some arch the h_refcount update instruction and the clear bit
    instruction could be reordered, thus leaving the critical section re-entered.
    
    The race is like this: For example, if the h_refcount is initialized as 1,
    
    cpu 0:                                   cpu1
    --------------------------------------   -----------------------------------
    lock_buffer() /* test_and_set_bit */
    clear_buffer_locked(bh);
                                            lock_buffer() /* test_and_set_bit */
    h_refcount = h_refcount+1; /* = 2*/     h_refcount = h_refcount + 1; /*= 2 */
                                            clear_buffer_locked(bh);
    ....                                    ......
    
    We lost a h_refcount here.  We need a memory barrier before the buffer head
    lock bit being cleared to force the order of the two writes.  Please apply.
    
    Signed-off-by: Nick Piggin <npiggin@suse.de>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Nick Piggin committed with Adrian Bunk Nov 2, 2007
  4. @adit262

    [PKTGEN]: srcmac fix

    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    adit262 committed with Adrian Bunk Nov 2, 2007
  5. @davem330

    [SPARC64]: Fix show_stack() when stack argument is NULL.

    It didn't handle that case at all, and now dump_stack()
    can be implemented directly as show_stack(current, NULL)
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    davem330 committed with Adrian Bunk Nov 2, 2007
  6. @herbertx

    [SNAP]: Check packet length before reading

    The snap_rcv code reads 5 bytes so we should make sure that
    we have 5 bytes in the head before proceeding.
    
    Based on diagnosis and fix by Evgeniy Polyakov, reported by
    Alan J. Wylie.
    
    Patch also kills the skb->sk assignment before kfree_skb
    since it's redundant.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    herbertx committed with Adrian Bunk Nov 2, 2007
  7. [NET]: gen_estimator deadlock fix

    -Fixes ABBA deadlock noted by Patrick McHardy <kaber@trash.net>:
    
    > There is at least one ABBA deadlock, est_timer() does:
    > read_lock(&est_lock)
    > spin_lock(e->stats_lock) (which is dev->queue_lock)
    >
    > and qdisc_destroy calls htb_destroy under dev->queue_lock, which
    > calls htb_destroy_class, then gen_kill_estimator and this
    > write_locks est_lock.
    
    To fix the ABBA deadlock the rate estimators are now kept on an rcu list.
    
    -The est_lock changes the use from protecting the list to protecting
    the update to the 'bstat' pointer in order to avoid NULL dereferencing.
    
    -The 'interval' member of the gen_estimator structure is removed as it is
    not needed.
    
    Signed-off-by: Ranko Zivojnovic <ranko@spidernet.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Ranko Zivojnovic committed with Adrian Bunk Nov 2, 2007
  8. @kaber

    [ICMP]: Fix icmp_errors_use_inbound_ifaddr sysctl

    Currently when icmp_errors_use_inbound_ifaddr is set and an ICMP error is
    sent after the packet passed through ip_output(), an address from the
    outgoing interface is chosen as ICMP source address since skb->dev doesn't
    point to the incoming interface anymore.
    
    Fix this by doing an interface lookup on rt->dst.iif and using that device.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    kaber committed with Adrian Bunk Nov 2, 2007
  9. [Bluetooth] Fix NULL pointer dereference in HCI line discipline

    Normally a serial Bluetooth device is opened, TIOSETD'ed to N_HCI line
    discipline, HCIUARTSETPROTO'ed and finally closed. In case the device
    fails to HCIUARTSETPROTO, closing it produces a NULL pointer dereference.
    
    Signed-off-by: Ohad Ben-Cohen <ohad@bencohen.org>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Ohad Ben-Cohen committed with Adrian Bunk Nov 2, 2007
  10. [Bluetooth] Fix unintentional fall-through in HCI line discipline

    A trivial fix to (what looks like) an unintentional fall-through in the
    HCI line discipline.
    
    Signed-off-by: Ohad Ben-Cohen <ohad@bencohen.org>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Ohad Ben-Cohen committed with Adrian Bunk Nov 2, 2007
  11. ide: add "optical" to sysfs "media" attribute

    Add "optical" to sysfs "media" attribute as already in /proc
    
    Signed-off-by: Danny Kukawka <dkukawka@suse.de>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Danny Kukawka committed with Adrian Bunk Nov 2, 2007
  12. optical /proc/ide/*/media

    Sergey Vlasov reported that his "FUJITSU MCC3064AP, ATAPI OPTICAL drive"
    pops up as UNKNOWN in /proc/ide/*/media .
    
    Closes kernel Bugzilla #4145.
    
    Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Alexey Dobriyan committed with Adrian Bunk Nov 2, 2007
  13. aacraid: fix security hole (CVE-2007-4308)

    On the SCSI layer ioctl path there is no implicit permissions check for
    ioctls (and indeed other drivers implement unprivileged ioctls). aacraid
    however allows all sorts of very admin only things to be done so should
    check.
    
    Signed-off-by: Alan Cox <alan@redhat.com>
    Acked-by: Mark Salyzyn <mark_salyzyn@adaptec.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Alan Cox committed with Adrian Bunk Nov 2, 2007
  14. CIFS should honour umask (CVE-2007-3740)

    This patch makes CIFS honour a process' umask like other filesystems.
    Of course the server is still free to munge the permissions if it wants
    to; but the client will send the "right" permissions to begin with.
    
    A few caveats:
    
    1) It only applies to filesystems that have CAP_UNIX (aka support unix
    extensions)
    2) It applies the correct mode to the follow up CIFSSMBUnixSetPerms()
    after remote creation
    
    When mode to CIFS/NTFS ACL mapping is complete we can do the
    same thing for that case for servers which do not
    support the Unix Extensions.
    
    Signed-off-by: Matt Keenen <matt@opcode-solutions.com>
    Signed-off-by: Steve French <sfrench@us.ibm.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Steve French committed with Adrian Bunk Nov 2, 2007
  15. @linvjw

    [IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)

    Reported by Chris Evans <scarybeasts@gmail.com>:
    
    > The summary is that an evil 80211 frame can crash out a victim's
    > machine. It only applies to drivers using the 80211 wireless code, and
    > only then to certain drivers (and even then depends on a card's
    > firmware not dropping a dubious packet). I must confess I'm not
    > keeping track of Linux wireless support, and the different protocol
    > stacks etc.
    >
    > Details are as follows:
    >
    > ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
    > There are other skb->len checks, but not enough to prevent a subtle
    > off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag
    > set.
    >
    > This leads to integer underflow and crash here:
    >
    > if (frag != 0)
    >    flen -= hdrlen;
    >
    > (flen is subsequently used as a memcpy length parameter).
    
    How about this?
    
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    linvjw committed with Adrian Bunk Nov 2, 2007
Commits on Nov 1, 2007
  1. Fix oops in pwc v4l driver

    The pwc driver is deficient in locking, which can trigger an oops
    when disconnecting.
    
    Adrian Bunk:
    Backported to 2.6.16.
    
    Signed-off-by: Oliver Neukum <oneukum@suse.de>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Oliver Neukum committed with Adrian Bunk Nov 1, 2007
  2. USB: fix DoS in pwc USB video driver (CVE-2007-5093)

    The pwc driver has a disconnect method that waits for user space to
    close the device. This opens up an opportunity for a DoS attack,
    blocking the USB subsystem and making khubd's task busy wait in
    kernel space. This patch shifts freeing resources to close if an opened
    device is disconnected.
    
    Adrian Bunk:
    Backported to 2.6.16.
    
    Signed-off-by: Oliver Neukum <oneukum@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Oliver Neukum committed with Adrian Bunk Oct 27, 2007
  3. @chriswright

    [SPARC64] pass correct addr in get_fb_unmapped_area(MAP_FIXED)

    Looks like the MAP_FIXED case is using the wrong address hint.  I'd
    expect the comment "don't mess with it" means pass the request
    straight on through, not change the address requested to -ENOMEM.
    
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    chriswright committed with Adrian Bunk Oct 24, 2007
  4. Linux 2.6.16.56

    Adrian Bunk committed Nov 1, 2007
Commits on Oct 28, 2007
  1. Linux 2.6.16.56-rc2

    Adrian Bunk committed Oct 28, 2007
  2. hugetlb: fix size=4G parsing

    On 32-bit machines, mount -t hugetlbfs -o size=4G gave a 0GB filesystem,
    size=5G gave a 1GB filesystem etc: there's no point in masking size with
    HPAGE_MASK just before shifting its lower bits away, and since HPAGE_MASK is a
    UL, that removed all the higher bits of the unsigned long long size.
    
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Hugh Dickins committed with Adrian Bunk Oct 28, 2007
  3. hugetlb: fix error return for brk() entering a hugepage region

    The last commit causes the wrong return value.
    is_hugepage_only_range() is a boolean, so we should return
    -EINVAL rather than 1.
    
    Also - we can use "mm" instead of looking up "current->mm" again.
    
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Hugh Dickins committed with Adrian Bunk Oct 28, 2007
  4. @dgibson

    hugetlb: check for brk() entering a hugepage region

    Unlike mmap(), the codepath for brk() creates a vma without first checking
    that it doesn't touch a region exclusively reserved for hugepages.  On
    powerpc, this can allow it to create a normal page vma in a hugepage
    region, causing oopses and other badness.
    
    Add a test to prevent this.  With this patch, brk() will simply fail if it
    attempts to move the break into a hugepage reserved region.
    
    Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    dgibson committed with Adrian Bunk Oct 28, 2007
  5. [IA64] fix ia64 is_hugepage_only_range

    fix is_hugepage_only_range() definition to be "overlaps"
    instead of "within architectural restricted hugetlb address
    range".  Simplify the ia64 specific code that used to use
    is_hugepage_only_range() to just check which region the
    address is in.
    
    Signed-off-by: Ken Chen <kenneth.w.chen@intel.com>
    Signed-off-by: Tony Luck <tony.luck@intel.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Ken Chen committed with Adrian Bunk Oct 28, 2007
Commits on Oct 19, 2007
  1. Linux 2.6.16.56-rc1

    Adrian Bunk committed Oct 19, 2007
  2. Don't allow the stack to grow into hugetlb reserved regions (CVE-2007-3739)

    
    When expanding the stack, we don't currently check if the VMA will cross
    into an area of the address space that is reserved for hugetlb pages.
    Subsequent faults on the expanded portion of such a VMA will confuse the
    low-level MMU code, resulting in an OOPS.  Check for this.
    
    Signed-off-by: Adam Litke <agl@us.ibm.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Adam Litke committed with Adrian Bunk Oct 19, 2007
  3. drivers/video/macmodes.c:mac_find_mode() mustn't be __init

    If it's EXPORT_SYMBOL'ed it can't be __devinit.
    
    Reported by Mikael Pettersson.
    
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Adrian Bunk committed Oct 19, 2007
  4. hugetlb: fix prio_tree unit (CVE-2007-4133)

    hugetlb_vmtruncate_list was misconverted to prio_tree: its prio_tree is in
    units of PAGE_SIZE (PAGE_CACHE_SIZE) like any other, not HPAGE_SIZE (whereas
    its radix_tree is kept in units of HPAGE_SIZE, otherwise slots would be
    absurdly sparse).
    
    At first I thought the error benign, just calling __unmap_hugepage_range on
    more vmas than necessary; but on 32-bit machines, when the prio_tree is
    searched correctly, it happens to ensure the v_offset calculation won't
    overflow.  As it stood, when truncating at or beyond 4GB, it was liable to
    discard pages COWed from lower offsets; or even to clear pmd entries of
    preceding vmas, triggering exit_mmap's BUG_ON(nr_ptes).
    
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Hugh Dickins committed with Adrian Bunk Oct 19, 2007
  5. hugetlbfs: add Kconfig help text

    In kernel bugzilla #6248 (http://bugzilla.kernel.org/show_bug.cgi?id=6248),
    Adrian Bunk <bunk@stusta.de> notes that CONFIG_HUGETLBFS is missing Kconfig
    help text.
    
    Signed-off-by: Arthur Othieno <apgo@patchbomb.org>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Arthur Othieno committed with Adrian Bunk Oct 19, 2007
  6. hugetlbfs doc. update

    Fix typos, spelling, etc., in Doc/vm/hugetlbpage.txt.
    
    Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Randy Dunlap committed with Adrian Bunk Oct 19, 2007
Commits on Oct 18, 2007
  1. x86: HUGETLBFS and DEBUG_PAGEALLOC are incompatible

    DEBUG_PAGEALLOC is not compatible with hugetlb page support.  That debug
    option turns off PSE.  Once it is turned off in CR4, the cpu will ignore the
    pse bit in the pmd, causing infinite page-not-present faults.
    
    So disable DEBUG_PAGEALLOC if the user selected hugetlbfs.
    
    Signed-off-by: Ken Chen <kenneth.w.chen@intel.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Ken Chen committed with Adrian Bunk Oct 19, 2007
  2. [IA64] lazy_mmu_prot_update needs to be aware of huge pages

    Function lazy_mmu_prot_update is also used on huge pages when it is called
    by set_huge_ptep_writable, but it isn't aware of huge pages.
    
    Signed-off-by: Zhang Yanmin <yanmin.zhang@intel.com>
    Acked-by: Ken Chen <kenneth.w.chen@intel.com>
    Signed-off-by: Tony Luck <tony.luck@intel.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Zhang Yanmin committed with Adrian Bunk Oct 19, 2007
  3. @stephensmalley

    SELinux: clear parent death signal on SID transitions

    Clear parent death signal on SID transitions to prevent unauthorized
    signaling between SIDs.
    
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Acked-by: Eric Paris <eparis@parisplace.org>
    Signed-off-by: James Morris <jmorris@localhost.localdomain>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    stephensmalley committed with Adrian Bunk Oct 19, 2007
  4. make UML compile (FC6/x86-64)

    I need this patch to get a UML kernel to compile.  This is with the
    kernel headers in FC6 which are automatically generated from the kernel
    tree.  Some headers are missing but those files don't need them.  At
    least it appears so since the resulting kernel works fine.
    
    Tested on x86-64.
    
    Signed-off-by: Ulrich Drepper <drepper@redhat.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Ulrich Drepper committed with Adrian Bunk Oct 18, 2007