Permalink
Commits on Jul 14, 2008
  1. Linux 2.6.16.61-rc1

    Adrian Bunk committed Jul 14, 2008
  2. 3w-xxxx: Prevent data corruption

    Use default DMA data direction to prevent data corruption
    when using SWIOTLB with 4GB+ on EM64T.
    
    http://www.3ware.com/KB/article.aspx?id=15243&cNode=6I1C6S
    
    Acked-by: Jean Delvare <jdelvare@suse.de>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    3ware Inc committed with Adrian Bunk Jul 14, 2008
  3. fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)

    fcntl_setlk()/close() race prevention has a subtle hole - we need to
    make sure that if we *do* have an fcntl/close race on SMP box, the
    access to descriptor table and inode->i_flock won't get reordered.
    
    As it is, we get STORE inode->i_flock, LOAD descriptor table entry vs.
    STORE descriptor table entry, LOAD inode->i_flock with not a single
    lock in common on both sides.  We do have BKL around the first STORE,
    but check in locks_remove_posix() is outside of BKL and for a good
    reason - we don't want BKL on common path of close(2).
    
    Solution is to hold ->file_lock around fcheck() in there; that orders
    us wrt removal from descriptor table that preceded locks_remove_posix()
    on close path and we either come first (in which case eviction will be
    handled by the close side) or we'll see the effect of close and do
    eviction ourselves.  Note that even though it's read-only access,
    we do need ->file_lock here - rcu_read_lock() won't be enough to
    order the things.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Al Viro committed with Adrian Bunk Jul 14, 2008
  4. sit: Add missing kfree_skb() on pskb_may_pull() failure. (CVE-2008-2136)

    Noticed by Paul Marks <paul@pmarks.net>.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    davem330 committed with Adrian Bunk Jul 14, 2008
  5. [NETFILTER]: Fix warnings in ip_nat_snmp_basic.c

    net/ipv4/netfilter/ip_nat_snmp_basic.c: In function 'asn1_header_decode':
    net/ipv4/netfilter/ip_nat_snmp_basic.c:248: warning: 'len' may be used unini
    net/ipv4/netfilter/ip_nat_snmp_basic.c:248: warning: 'def' may be used unini
    net/ipv4/netfilter/ip_nat_snmp_basic.c: In function 'snmp_translate':
    net/ipv4/netfilter/ip_nat_snmp_basic.c:672: warning: 'l' may be used uniniti
    net/ipv4/netfilter/ip_nat_snmp_basic.c:668: warning: 'type' may be used unin
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    davem330 committed with Adrian Bunk Jul 14, 2008
  6. asn1: additional sanity checking during BER decoding (CVE-2008-1673)

    - Don't trust a length which is greater than the working buffer.
      An invalid length could cause overflow when calculating buffer size
      for decoding oid.
    
    - An oid length of zero is invalid and allows for an off-by-one error when
      decoding oid because the first subid actually encodes first 2 subids.
    
    - A primitive encoding may not have an indefinite length.
    
    Thanks to Wei Wang from McAfee for report.
    
    Acked-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    chriswright committed with Adrian Bunk Jul 14, 2008
  7. TCP: Fix shrinking windows with window scaling

    Upstream commit: 607bfbf
    
    When selecting a new window, tcp_select_window() tries not to shrink
    the offered window by using the maximum of the remaining offered window
    size and the newly calculated window size. The newly calculated window
    size is always a multiple of the window scaling factor, the remaining
    window size however might not be since it depends on rcv_wup/rcv_nxt.
    This means we're effectively shrinking the window when scaling it down.
    
    The dump below shows the problem (scaling factor 2^7):
    
    - Window size of 557 (71296) is advertised, up to 3111907257:
    
    IP 172.2.2.3.33000 > 172.2.2.2.33000: . ack 3111835961 win 557 <...>
    
    - New window size of 514 (65792) is advertised, up to 3111907217, 40 bytes
      below the last end:
    
    IP 172.2.2.3.33000 > 172.2.2.2.33000: . 3113575668:3113577116(1448) ack 3111841425 win 514 <...>
    
    The number 40 results from downscaling the remaining window:
    
    3111907257 - 3111841425 = 65832
    65832 / 2^7 = 514
    65832 % 2^7 = 40
    
    If the sender uses up the entire window before it is shrunk, this can have
    chaotic effects on the connection. When sending ACKs, tcp_acceptable_seq()
    will notice that the window has been shrunk since tcp_wnd_end() is before
    tp->snd_nxt, which makes it choose tcp_wnd_end() as sequence number.
    This will fail the receivers checks in tcp_sequence() however since it
    is before it's tp->rcv_wup, making it respond with a dupack.
    
    If both sides are in this condition, this leads to a constant flood of
    ACKs until the connection times out.
    
    Make sure the window is never shrunk by aligning the remaining window to
    the window scaling factor.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    kaber committed with Adrian Bunk Jul 14, 2008
  8. x86: Replace NSC/Cyrix specific chipset access macros by inlined func…

    …tions.
    
    Due to index register access ordering problems, when using macros a line
    like this fails (and does nothing):
    
        setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88);
    
    With inlined functions this line will work as expected.
    
    Note about a side effect: Seems on Geode GX1 based systems the
    "suspend on halt power saving feature" was never enabled due to this
    wrong macro expansion. With inlined functions it will be enabled, but
    this will stop the TSC when the CPU runs into a HLT instruction.
    Kernel output something like this:
        Clocksource tsc unstable (delta = -472746897 ns)
    
    This is the 3rd version of this patch.
    
     - Adding missed arch/i386/kernel/cpu/mtrr/state.c
        Thanks to Andres Salomon
     - Adding some big fat comments into the new header file
        Suggested by Andi Kleen
    
    AK: fixed x86-64 compilation
    
    Adrian Bunk:
    Added workaround for x86_64 compilation.
    
    Signed-off-by: Juergen Beisert <juergen@kreuzholzen.de>
    Signed-off-by: Andi Kleen <ak@suse.de>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Juergen Beisert committed with Adrian Bunk Jul 6, 2008
Commits on Apr 10, 2008
  1. Disable DETECT_SOFTLOCKUP for s390

    From: Heiko Carstens <heiko.carstens@de.ibm.com>
    
    We got several false bug reports because of enabled
    CONFIG_DETECT_SOFTLOCKUP.  Disable soft lockup detection on s390, since it
    doesn't work on a virtualized architecture.
    
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Heiko Carstens committed with Adrian Bunk Apr 10, 2008
Commits on Mar 19, 2008
  1. [DECNet] fib: Fix out of bound access of dn_fib_props[]

    Fixes a typo which caused fib_props[] to have the wrong size
    and makes sure the value used to index the array which is
    provided by userspace via netlink is checked to avoid out of
    bound access.
    
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    tgraf committed with Adrian Bunk Mar 19, 2008
  2. USB: race on disconnect in mdc800

    I overlooked one. Setting the flag and killing the URBs must be under the lo
    so that no URB is submitted after usb_kill_urb()
    
    Adrian Bunk:
    Backported to 2.6.16.
    
    Signed-off-by: Oliver Neukum <oliver@neukum.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Oliver Neukum committed with Adrian Bunk Mar 19, 2008
Commits on Mar 14, 2008
  1. gcc >= 4.3 is not supported

    Building kernel 2.6.16 with gcc 4.3 is completely untested, and
    you might run into both kernel and gcc problems (as always with
    new gcc versions).
    
    For making this obvious the kernel build now #error's when trying
    to build with gcc >= 4.3.
    
    The kernel might work fine when compiled with gcc 4.3 and it's
    therefore possible to remove the #error, but if someone really
    longs for regressions he can as well try a more recent kernel
    instead.
    
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Adrian Bunk committed Mar 14, 2008
Commits on Jan 27, 2008
  1. Linux 2.6.16.60

    Adrian Bunk committed Jan 27, 2008
Commits on Jan 21, 2008
  1. Linux 2.6.16.60-rc1

    Adrian Bunk committed Jan 21, 2008
  2. NFS: call nfs_wb_all() only on regular files

    It looks like nfs_setattr() and nfs_rename() also need to test whether the
    target is a regular file before calling nfs_wb_all()...
    
    It isn't technically needed since the version of nfs_wb_all() that exists
    on 2.6.16 should be safe to call on non-regular files (it will be a no-op).
    However it is a useful optimisation.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Trond Myklebust committed with Adrian Bunk Jan 21, 2008
  3. NFS: writes should not clobber utimes() calls

    Ensure that we flush out writes in the case when someone calls utimes() in
    order to set the file times.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Trond Myklebust committed with Adrian Bunk Jan 21, 2008
  4. vfs: coredumping fix (CVE-2007-6206)

    fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043
    
    only allow coredumping to the same uid that the coredumping
    task runs under.
    
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Ingo Molnar committed with Adrian Bunk Jan 21, 2008
  5. I4L: fix isdn_ioctl memory overrun vulnerability (CVE-2007-6151)

    Fix possible memory overrun issue in the isdn ioctl code.
    
    Found by ADLAB <adlab@venustech.com.cn>
    
    Signed-off-by: Karsten Keil <kkeil@suse.de>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Karsten Keil committed with Adrian Bunk Jan 20, 2008
  6. isdn: avoid copying overly-long strings (CVE-2007-6063)

    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9416
    
    Signed-off-by: Karsten Keil <kkeil@suse.de>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Karsten Keil committed with Adrian Bunk Jan 20, 2008
  7. [NET]: Generic checksum annotations and cleanups.

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Al Viro committed with Adrian Bunk Jan 20, 2008
  8. drivers/scsi/BusLogic.c: #ifdef MODULE BusLogic_pci_tbl[]

    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Adrian Bunk committed Jan 20, 2008
  9. [BusLogic] Add pci dev table for auto module loading.

    Signed-off-by: Ben Collins <bcollins@ubuntu.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    benmcollins committed with Adrian Bunk Jan 20, 2008
  10. [ATM]: Check IP header validity in mpc_send_packet

    [ Upstream commit: 1c9b7aa ]
    
    Al went through the ip_fast_csum callers and found this piece of code
    that did not validate the IP header.  While root crashing the machine
    by sending bogus packets through raw or AF_PACKET sockets isn't that
    serious, it is still nice to react gracefully.
    
    This patch ensures that the skb has enough data for an IP header and
    that the header length field is valid.
    
    Adrian Bunk:
    Backported to 2.6.16 following instructions by David Miller.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    herbertx committed with Adrian Bunk Jan 21, 2008
Commits on Jan 20, 2008
  1. [IPV4] ROUTE: ip_rt_dump() is unecessary slow

    [ Upstream commit: d8c9283 ]
    
    I noticed "ip route list cache x.y.z.t" can be *very* slow.
    
    While strace-ing -T it I also noticed that first part of route cache
    is fetched quite fast :
    
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202
    GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) =
    +3772 <0.000047>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\
    202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0)
    += 3736 <0.000042>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\
    202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0)
    += 3740 <0.000055>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\
    202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0)
    += 3712 <0.000043>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\
    202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0)
    += 3732 <0.000053>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202
    GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) =
    +3708 <0.000052>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202
    GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) =
    +3680 <0.000041>
    
    while the part at the end of the table is more expensive:
    
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"...,
    +16384}], msg_controllen=0, msg_flags=0}, 0) = 3656 <0.003857>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"...,
    +16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.003891>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"...,
    +16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.003765>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"...,
    +16384}], msg_controllen=0, msg_flags=0}, 0) = 3700 <0.003879>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"...,
    +16384}], msg_controllen=0, msg_flags=0}, 0) = 3676 <0.003797>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"...,
    +16384}], msg_controllen=0, msg_flags=0}, 0) = 3724 <0.003856>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"...,
    +16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.003848>
    
    The following patch corrects this performance/latency problem,
    removing quadratic behavior.
    
    Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Eric Dumazet committed with Adrian Bunk Jan 20, 2008
  2. [NET]: Introduce types for checksums.

    New types - for 16bit checksums and "unfolded" 32bit variant.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Al Viro committed with Adrian Bunk Jan 20, 2008
  3. [CASSINI]: Set skb->truesize properly on receive packets.

    [ Upstream commit: d011a23 ]
    
    skb->truesize was not being incremented at all to
    reflect the page based data added to RX SKBs.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    davem330 committed with Adrian Bunk Jan 20, 2008
  4. [CASSINI]: Fix endianness bug.

    [ Upstream commit: e5e0254 ]
    
    Here's proposed fix for RX checksum handling in cassini; it affects
    little-endian working with half-duplex gigabit, but obviously needs
    testing on big-endian too.
    
    The problem is, we need to convert checksum to fixed-endian *before*
    correcting for (unstripped) FCS.  On big-endian it won't matter
    (conversion is no-op), on little-endian it will, but only if FCS is
    not stripped by hardware; i.e. in half-duplex gigabit mode when
    ->crc_size is set.
    
    cassini.c part is that fix, cassini.h one consists of trivial
    endianness annotations.  With that applied the sucker is endian-clean,
    according to sparse.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Al Viro committed with Adrian Bunk Jan 20, 2008
  5. [ATM]: [nicstar] delay irq setup until card is configured

    [ Upstream commit: 5296195 ]
    
    Adrian Bunk:
    Backported to 2.6.16.
    
    Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Chas Williams committed with Adrian Bunk Jan 20, 2008
  6. raw: don't allow the creation of a raw device with minor number 0

    Minor number 0 (under the raw major) is reserved for the rawctl device
    file, which is used to query, set, and unset raw device bindings.  However,
    the ioctl interface does not protect the user from specifying a raw device
    with minor number 0:
    
    $ sudo ./raw /dev/raw/raw0 /dev/VolGroup00/swap
    /dev/raw/raw0:  bound to major 253, minor 2
    $ ls -l /dev/rawctl
    ls: /dev/rawctl: No such file or directory
    $ ls -l /dev/raw/raw0
    crw------- 1 root root 162, 0 Jan 12 10:51 /dev/raw/raw0
    $ sudo ./raw -qa
    Cannot open master raw device '/dev/rawctl' (No such file or directory)
    
    As you can see, this prevents any further raw operations from
    succeeding.  The fix (from Steve Fernandez) is quite simple - do not
    allow the allocation of minor number 0.
    
    Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    JeffMoyer committed with Adrian Bunk Jan 20, 2008
Commits on Jan 19, 2008
  1. Linux 2.6.16.59

    Adrian Bunk committed Jan 19, 2008
Commits on Jan 16, 2008
  1. Linux 2.6.16.59-rc1

    Adrian Bunk committed Jan 16, 2008
  2. wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-20…

    …07-5500)
    
    patch a347422 in mainline
    
    The original meaning of the old test (p->state > TASK_STOPPED) was
    "not dead", since it was before TASK_TRACED existed and before the
    state/exit_state split.  It was a wrong correction in commit
    14bf01b to make this test for
    TASK_TRACED instead.  It should have been changed when TASK_TRACED
    was introducted and again when exit_state was introduced.
    
    Signed-off-by: Roland McGrath <roland@redhat.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Roland McGrath committed with Adrian Bunk Jan 16, 2008
  3. limit minixfs printks on corrupted dir i_size (CVE-2006-6058)

    First reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html
    
    Essentially a corrupted minix dir inode reporting a very large
    i_size will loop for a very long time in minix_readdir, minix_find_entry,
    etc, because on EIO they just move on to try the next page.  This is
    under the BKL, printk-storming as well.  This can lock up the machine
    for a very long time.  Simply ratelimiting the printks gets things back
    under control.  Make the message a bit more informative while we're here.
    
    Adrian Bunk:
    Backported to 2.6.16.
    
    Signed-off-by: Eric Sandeen <sandeen@redhat.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Eric Sandeen committed with Adrian Bunk Jan 16, 2008
  4. fix messages in fs/minix

    Believe it or not, but in fs/minix/*, the oldest filesystem in the kernel,
    something still can be fixed:
    
        printk("new_inode: bit already set");
    
    "\n" is missing!
    
    While at it, I also removed periods from the end of error messages and made
    capitalization uniform.  Also s/i-node/inode/, s/printk (/printk(/
    
    Signed-off-by: Denis Vlasenko <vda@ilport.com.ua>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Denis Vlasenko committed with Adrian Bunk Jan 16, 2008
Commits on Jan 15, 2008
  1. Use access mode instead of open flags to determine needed permissions…

    … (CVE-2008-0001)
    
    patch 974a9f0 in mainline
    
    Way back when (in commit 834f2a4, aka
    "VFS: Allow the filesystem to return a full file pointer on open intent"
    to be exact), Trond changed the open logic to keep track of the original
    flags to a file open, in order to pass down the the intent of a dentry
    lookup to the low-level filesystem.
    
    However, when doing that reorganization, it changed the meaning of
    namei_flags, and thus inadvertently changed the test of access mode for
    directories (and RO filesystem) to use the wrong flag.  So fix those
    test back to use access mode ("acc_mode") rather than the open flag
    ("flag").
    
    Issue noticed by Bill Roman at Datalight.
    
    Reported-and-tested-by: Bill Roman <bill.roman@datalight.com>
    Acked-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    torvalds committed with Adrian Bunk Jan 15, 2008