Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Commits on Nov 29, 2006
  1. @chriswright


    chriswright authored
  2. @chriswright

    [PATCH] bridge: fix possible overflow in get_fdb_entries (CVE-2006-5751)

    chriswright authored
    Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751).
    Signed-off-by: Chris Wright <>
    Acked-by: Eugene Teo <>
    Acked-by: Marcel Holtmann <>
    Signed-off-by: Linus Torvalds <>
Commits on Nov 19, 2006
  1. @chriswright


    chriswright authored
  2. @chriswright

    [PATCH] CIFS: New POSIX locking code not setting rc properly to zero …

    Steve French authored chriswright committed
    …on successful
    unlock in case where server does not support POSIX locks and nobrl is
    not specified.
    Signed-off-by: Steve French <>
    Signed-off-by: Chris Wright <>
  3. @chriswright

    [PATCH] CIFS: report rename failure when target file is locked by Win…

    Steve French authored chriswright committed
    Fixes Samba bugzilla bug # 4182
    Rename by handle failures (retry after rename by path) were not
    being returned back.
    Signed-off-by: Steve French <>
    [chrisw: trivial backport in CHANGES]
    Signed-off-by: Chris Wright <>
  4. @chriswright

    [PATCH] cciss: fix iostat

    Jens Axboe authored chriswright committed
    cciss needs to call disk_stat_add() for iostat to work.
    Signed-off-by: Jens Axboe <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Chris Wright <>
  5. @chriswright

    [PATCH] cpqarray: fix iostat

    Jens Axboe authored chriswright committed
    cpqarray needs to call disk_stat_add() for iostat to work.
    Signed-off-by: Jens Axboe <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Chris Wright <>
  6. @jirislaby @chriswright

    [PATCH] Char: isicom, fix close bug

    jirislaby authored chriswright committed
    port is dereferenced even if it is NULL.  Dereference it _after_ the
    check if (!port)...  Thanks Eric <> for reporting this.
    This fixes

    Signed-off-by: Jiri Slaby <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Chris Wright <>
  7. @chriswright

    [PATCH] block: Fix bad data direction in SG_IO

    Jens Axboe authored chriswright committed
    Contrary to what the name misleads you to believe, SG_DXFER_TO_FROM_DEV
    is really just a normal read seen from the device side.
    This patch fixes
    Signed-off-by: Jens Axboe <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Chris Wright <>
  8. @davem330 @chriswright

    [PATCH] pci: don't try to remove sysfs files before they are setup.

    davem330 authored chriswright committed
    The PCI sysfs attributes are created after the initial PCI bus scan.  With
    the addition of more return value checking and assertions in the device and
    sysfs layers we now can get dumps like this on sparc64:
    [   20.135032] Call Trace:
    [   20.135042]  [0000000000537f88] pci_remove_bus_device+0x30/0xc0
    [   20.135076]  [000000000078f890] pci_fill_in_pbm_cookies+0x98/0x440
    [   20.135109]  [000000000042e828] sabre_scan_bus+0x230/0x400
    [   20.135139]  [000000000078c710] pcibios_init+0x58/0xa0
    [   20.135159]  [0000000000416f14] init+0x9c/0x2e0
    [   20.135190]  [0000000000417a50] kernel_thread+0x38/0x60
    [   20.135211]  [0000000000417170] rest_init+0x18/0x40
    [   20.135514] PCI0(PBMB): Bus running at 33MHz
    It's triggering because removal of the "config" PCI sysfs file for the
    device fails.
    On sparc64, after probing the device, we'll delete the PCI device via
    pci_remove_bus_device() if we cannot find the firmware device tree node
    corresponding to it.
    This is fine, but at this point the sysfs files for the PCI device won't be
    setup yet.
    So we should not try to do anything in pci_remove_sysfs_dev_files() if
    pci_sysfs_init() has not run yet.
    Signed-off-by: David S. Miller <>
    Acked-by: Greg Kroah-Hartman <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Chris Wright <>
  9. @winksaville @chriswright

    [PATCH] Patch for nvidia divide by zero error for 7600 pci-express card

    winksaville authored chriswright committed
    The following patch resolves the divide by zero error I encountered on my

    I accomplished this by merging what I thought was appropriate from:

    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Chris Wright <>
  10. @chriswright

    [PATCH] CPUFREQ: Make acpi-cpufreq unsticky again.

    Dave Jones authored chriswright committed
    This caused suspend/resume regressions.
    Signed-off-by: Dave Jones <>
    Signed-off-by: Chris Wright <>
  11. @AdrianBunk @chriswright

    [PATCH] security/seclvl.c: fix time wrap (CVE-2005-4352)

    AdrianBunk authored chriswright committed
    initlvl=2 in seclvl gives the guarantee
    "Cannot decrement the system time".
    But it was possible to set the time to the maximum unixtime value
    (19 Jan 2038) resulting in a wrap to the minimum value.
    This patch fixes this by disallowing setting the time to any date
    after 2030 with initlvl=2.
    This patch does not apply to kernel 2.6.19 since the seclvl module was
    already removed in this kernel.
    Signed-off-by: Adrian Bunk <>
    Signed-off-by: Chris Wright <>
  12. @dr-itz @chriswright

    [PATCH] fix via586 irq routing for pirq 5

    dr-itz authored chriswright committed
    Fix interrupt routing for via 586 bridges.  pirq can be 5 which needs to be
    mapped to INTD.  But currently the access functions can handle only pirq
    1-4.  this is similar to the other via chipsets where pirq 4 and 5 are both
    mapped to INTD.  Fixes bugzilla #7490
    Cc: Daniel Paschka <>
    Cc: Adrian Bunk <>
    Signed-off-by: Daniel Ritz <>
    Cc: <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Chris Wright <>
  13. @herbertx @chriswright

    [PATCH] NET: Set truesize in pskb_copy

    herbertx authored chriswright committed
    Since pskb_copy tacks on the non-linear bits from the original
    skb, it needs to count them in the truesize field of the new skb.
    Signed-off-by: Herbert Xu <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Chris Wright <>
  14. @chriswright

    [PATCH] TCP: Don't use highmem in tcp hash size calculation.

    John Heffner authored chriswright committed
    This patch removes consideration of high memory when determining TCP
    hash table sizes.  Taking into account high memory results in tcp_mem
    values that are too large.
    Signed-off-by: John Heffner <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Chris Wright <>
  15. @olafhering @chriswright

    [PATCH] correct keymapping on Powerbook built-in USB ISO keyboards

    olafhering authored chriswright committed
    similar to the version in adbhid_input_register(): The '<>' key and the
    '^°' key on a german keyboard is swapped.  Provide correct keys to
    userland, external USB keyboards will not work correctly when the
    'badmap'/'goodmap' workarounds from xkeyboard-config are used.
    It is expected that distributions drop the badmap/goodmap part from
    keycodes/macintosh in the xkeyboard-config package.
    This is probably 2.6.18.x material, if major distros settle on 2.6.18.
    Signed-off-by: Olaf Hering <>
    Cc: Greg KH <>
    Cc: Dmitry Torokhov <>
    Cc: Benjamin Herrenschmidt <>
    Cc: <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Chris Wright <>
  16. @chriswright

    [PATCH] x86_64: Fix FPU corruption

    Andi Kleen authored chriswright committed
    This reverts an earlier patch that was found to cause FPU
    state corruption. I think the corruption happens because
    unlazy_fpu() can cause FPU exceptions and when it happens
    after the current switch some processing would affect
    the state in the wrong process.
    Thanks to  Douglas Crosher and Tom Hughes for testing.
    Signed-off-by: Andi Kleen <>
    Signed-off-by: Chris Wright <>
  17. @sigprof @chriswright

    [PATCH] Input: psmouse - fix attribute access on 64-bit systems

    sigprof authored chriswright committed
    psmouse_show_int_attr() and psmouse_set_int_attr() were accessing
    unsigned int fields as unsigned long, which gave garbage on x86_64.
    Signed-off-by: Sergey Vlasov <>
    Signed-off-by: Chris Wright <>
  18. @davem330 @chriswright

    [PATCH] NET: __alloc_pages() failures reported due to fragmentation

    davem330 authored chriswright committed
    We have seen a couple of __alloc_pages() failures due to
    fragmentation, there is plenty of free memory but no large order pages
    available.  I think the problem is in sock_alloc_send_pskb(), the
    gfp_mask includes __GFP_REPEAT but its never used/passed to the page
    allocator.  Shouldnt the gfp_mask be passed to alloc_skb() ?
    Signed-off-by: Larry Woodman <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Chris Wright <>
  19. @sofar @chriswright

    [PATCH] e1000: Fix regression: garbled stats and irq allocation durin…

    sofar authored chriswright committed
    …g swsusp
    e1000: Fix suspend/resume powerup and irq allocation
    From: Auke Kok <>
    After 7.0.33/2.6.16, e1000 suspend/resume left the user with an enabled
    device showing garbled statistics and undetermined irq allocation state,
    where `ifconfig eth0 down` would display `trying to free already freed irq`.
    Explicitly free and allocate irq as well as powerup the PHY during resume
    fixes when needed.
    Signed-off-by: Auke Kok <>
    [chrisw: trivial 2.6.18 backport s/err/ret_val/]
    Signed-off-by: Chris Wright <>
  20. @dr-itz @chriswright

    [PATCH] usbtouchscreen: use endpoint address from endpoint descriptor

    dr-itz authored chriswright committed
    use the endpoint address from the endpoint descriptor instead of the hardcoding
    it to 0x81. at least some ITM based screen use a different address and don't work
    without this.
    Signed-off-by: Daniel Ritz <>
    Cc: Ralf Lehmann <>
    Cc: J.P. Delport <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Chris Wright <>
  21. @chriswright

    [PATCH] USB: failure in usblp's error path

    Oliver Neukum authored chriswright committed
    USB: failure in usblp's error path
    if urb submission fails due to a transient error here eg. ENOMEM
    , the driver is dead. This fixes it.
    Signed-off-by: Oliver Neukum <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Chris Wright <>
  22. @chriswright

    [PATCH] init_reap_node() initialization fix

    Daniel Yeisley authored chriswright committed
    It looks like there is a bug in init_reap_node() in slab.c that can cause
    multiple oops's on certain ES7000 configurations.  The variable reap_node
    is defined per cpu, but only initialized on a single CPU.  This causes an
    oops in next_reap_node() when __get_cpu_var(reap_node) returns the wrong
    value.  Fix is below.
    Signed-off-by: Dan Yeisley <>
    Cc: Andi Kleen <>
    Acked-by: Christoph Lameter <>
    Cc: Pekka Enberg <>
    Cc: Manfred Spraul <>
    Cc: <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Chris Wright <>
  23. @chriswright

    [PATCH] ipmi_si_intf.c sets bad class_mask with PCI_DEVICE_CLASS

    Yvan Seth authored chriswright committed
    Taken from
    It looks like device registration in drivers/char/ipmi/ipmi_si_intf.c was
    cleaned up and a small error was made when setting the class_mask.  The fix
    is simple as the correct mask value is defined in the code but is not used.
    Acked-by: Corey Minyard <>
    Cc: <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Chris Wright <>
  24. @chriswright

    [PATCH] fix UFS superblock alignment issues

    Eric Sandeen authored chriswright committed
    ufs2 fails to mount on x86_64, claiming bad magic.  This is because
    ufs_super_block_third's fs_un1 member is padded out by 4 bytes for 8-byte
    alignment, pushing down the rest of the struct.
    Forcing this to be packed solves it.  I took a quick look over other
    on-disk structures and didn't immediately find other problems.  I was able
    to mount & ls a populated ufs2 filesystem w/ this change.
    Signed-off-by: Eric Sandeen <>
    Cc: Evgeniy Dushistov <>
    Cc: <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Chris Wright <>
  25. @davem330 @chriswright

    [PATCH] SPARC: Fix missed bump of NR_SYSCALLS.

    davem330 authored chriswright committed
    When I added the robust futex syscall entries I forgot to bump
    NR_SYSCALLS.  This is an easy mistake to make because NR_SYSCALLS
    lived in entry.S which is nowhere near unistd.h or syscalls.S, so
    while we're here move it's definition into unistd.h so this is
    unlikely to ever happen again.
    Signed-off-by: David S. Miller <>
    Signed-off-by: Chris Wright <>
  26. @chriswright

    [PATCH] Fix sys_move_pages when a NULL node list is passed.

    Stephen Rothwell authored chriswright committed
    sys_move_pages() uses vmalloc() to allocate an array of structures
    that is fills with information passed from user mode and then passes to
    do_stat_pages() (in the case the node list is NULL).  do_stat_pages()
    depends on a marker in the node field of the structure to decide how large
    the array is and this marker is correctly inserted into the last element
    of the array.  However, vmalloc() doesn't zero the memory it allocates
    and if the user passes NULL for the node list, then the node fields are
    not filled in (except for the end marker).  If the memory the vmalloc()
    returned happend to have a word with the marker value in it in just the
    right place, do_pages_stat will fail to fill the status field of part
    of the array and we will return (random) kernel data to user mode.
    Signed-off-by: Stephen Rothwell <>
    Acked-by: Christoph Lameter <>
    Signed-off-by: Chris Wright <>
  27. @davem330 @chriswright

    [PATCH] SPARC64: Fix futex_atomic_cmpxchg_inatomic implementation.

    davem330 authored chriswright committed
    I copied the logic from ll/sc arch implementations, but that
    was wrong and makes no sense at all.  Just do a straight
    compare-exchange instruction, just like x86.
    Based upon bug reports from Dennis Gilmore and Fabio Massimo.
    Signed-off-by: David S. Miller <>
    Signed-off-by: Chris Wright <>
  28. @ozbenh @chriswright

    [PATCH] POWERPC: Make alignment exception always check exception table

    ozbenh authored chriswright committed
    The alignment exception used to only check the exception table for
    -EFAULT, not for other errors. That opens an oops window if we can
    coerce the kernel into getting an alignment exception for other reasons
    in what would normally be a user-protected accessor, which can be done
    via some of the futex ops. This fixes it by always checking the
    exception tables.
    Signed-off-by: Benjamin Herrenschmidt <>
    Signed-off-by: Paul Mackerras <>
    Signed-off-by: Chris Wright <>
  29. @chriswright

    [PATCH] S390: user readable uninitialised kernel memory, take 2.

    Martin Schwidefsky authored chriswright committed
    The previous patch to correct the copy_from_user padding is quite
    broken. The execute instruction needs to be done via the register %r4,
    not via %r2 and 31 bit doesn't know the instructions lgr and ahji.
    Signed-off-by: Martin Schwidefsky <>
    Signed-off-by: Chris Wright <>
Commits on Nov 4, 2006
  1. @chriswright


    chriswright authored
  2. @chriswright

    [PATCH] usbfs: private mutex for open, release, and remove

    Alan Stern authored chriswright committed
    The usbfs code doesn't provide sufficient mutual exclusion among open,
    release, and remove.  Release vs. remove is okay because they both
    acquire the device lock, but open is not exclusive with either one.  All
    three routines modify the udev->filelist linked list, so they must not
    run concurrently.
    Apparently someone gave this a minimum amount of thought in the past by
    explicitly acquiring the BKL at the start of the usbdev_open routine.
    Oddly enough, there's a comment pointing out that locking is unnecessary
    because chrdev_open already has acquired the BKL.
    But this ignores the point that the files in /proc/bus/usb/* are not
    char device files; they are regular files and so they don't get any
    special locking.  Furthermore it's necessary to acquire the same lock in
    the release and remove routines, which the code does not do.
    Yet another problem arises because the same file_operations structure is
    accessible through both the /proc/bus/usb/* and /dev/usb/usbdev* file
    nodes.  Even when one of them has been removed, it's still possible for
    userspace to open the other.  So simple locking around the individual
    remove routines is insufficient; we need to lock the entire
    usb_notify_remove_device notifier chain.
    Rather than rely on the BKL, this patch (as723) introduces a new private
    mutex for the purpose.  Holding the BKL while invoking a notifier chain
    doesn't seem like a good idea.
    Cc: Dave Jones <>
    Signed-off-by: Alan Stern <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Chris Wright <>
  3. @neilbrown @chriswright

    [PATCH] md: check bio address after mapping through partitions.

    neilbrown authored chriswright committed
    Partitions are not limited to live within a device.  So
    we should range check after partition mapping.
    Note that 'maxsector' was being used for two different things.  I have
    split off the second usage into 'old_sector' so that maxsector can be
    still be used for it's primary usage later in the function.
    Cc: Jens Axboe <>
    Signed-off-by: Neil Brown <>
    Signed-off-by: Chris Wright <>
  4. @chriswright

    [PATCH] IPV6: fix lockup via /proc/net/ip6_flowlabel [CVE-2006-5619]

    James Morris authored chriswright committed
    There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where,
    after finding a flowlabel, the code will loop forever not finding any
    further flowlabels, first traversing the rest of the hash bucket then just
    This patch fixes the problem by breaking after the hash bucket has been
    Note that this bug can cause lockups and oopses, and is trivially invoked
    by an unpriveleged user.
    Signed-off-by: James Morris <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Chris Wright <>
Something went wrong with that request. Please try again.