Commits on Jul 10, 2007
  1. @gregkh


    gregkh authored
    Ok, so it was more than just 5 minutes for the first exploit to be
    found, nothing to be ashamed about :)
    Signed-off-by: Greg Kroah-Hartman <>
  2. @kaber @gregkh

    NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr…

    kaber authored gregkh committed
    … dereference (CVE-2007-2876)
    When creating a new connection by sending an unknown chunk type, we
    don't transition to a valid state, causing a NULL pointer dereference in
    sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
    Fix by not creating new conntrack entry if initial state is invalid.
    Noticed by Vilmos Nebehaj <>
    CC: Kiran Kumar Immidi <>
    Cc: David Miller <>
    Signed-off-by: Patrick McHardy <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Chris Wright <>
Commits on Jul 8, 2007
  1. Linux 2.6.22

    Linus Torvalds authored
    Woo-hoo. I'm sure somebody will report a "this doesn't compile, and
    I have a new root exploit" five minutes after release, but it still
    feels good ;)
    Signed-off-by: Linus Torvalds <>
  2. Merge

    Linus Torvalds authored
      qd65xx: fix PIO mode selection
      sis5513: adding PCI-ID
  3. Fix permission checking for the new utimensat() system call

    Linus Torvalds authored
    Commit 1c710c8 added the utimensat()
    system call, but didn't handle the case of checking for the writability
    of the target right, when the target was a file descriptor, not a
    We cannot use vfs_permission(MAY_WRITE) for that case, and need to
    simply check whether the file descriptor is writable.  The oops from
    using the wrong function was noticed and narrowed down by Markus
    Cc: Ulrich Drepper <>
    Cc: Markus Trippelsdorf <>
    Cc: Andrew Morton <>
    Acked-by: Al Viro <>
    Signed-off-by: Linus Torvalds <>
  4. mm: double mark_page_accessed() in read_cache_page_async()

    Peter Zijlstra authored Linus Torvalds committed
    Fix a post-2.6.21 regression.
    read_cache_page_async() has two invocations of mark_page_accessed() which will
    launch pages right onto the active list.
    Remove the first one, keeping the latter one.  This avoids marking unwanted
    pages active (in the retry loop).
    Signed-off-by: Peter Zijlstra <>
    Acked-by: Nick Piggin <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  5. @bzolnier

    qd65xx: fix PIO mode selection

    bzolnier authored
    PIO4 is a maximum PIO mode supported by a driver.  Using "255" as a max_mode
    argument to ide_get_best_pio_mode() could result in wrong timings being used
    by a driver (for "pio" equal to 5) or OOPS (for "pio" values > 5 && < 255).
    Signed-off-by: Bartlomiej Zolnierkiewicz <>
    Acked-by: Sergei Shtylyov <>
    Reviewed-by: Alan Cox <>
  6. @bzolnier

    sis5513: adding PCI-ID

    Uwe Koziolek authored bzolnier committed
    The SiS966 has one additional PCI-ID 1180.
    If the chipset is using this PCI-ID, the primary channel is connected to the
    first PATA-port. The secondary channel is connected to SATA-ports in IDE
    emulation mode.  The legacy IO-ports are used.
    The including of the PCI-ID into pata_sis is not sufficient, because the legacy
    driver in drivers/ide is initialized before pata_sis.
    Signed-off-by: Uwe Koziolek <>
    Signed-off-by: Bartlomiej Zolnierkiewicz <>
Commits on Jul 7, 2007
  1. @AdrianBunk

    DLM must depend on SYSFS

    AdrianBunk authored Linus Torvalds committed
    The dependency of DLM on SYSFS got lost in
    commit 6ed7257 resulting in the
    following compile error with CONFIG_DLM=y, CONFIG_SYSFS=n:
    <--  snip  -->
      LD      .tmp_vmlinux1
    fs/built-in.o: In function `dlm_lockspace_init':
    /home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/fs/dlm/lockspace.c:231: undefined reference to `kernel_subsys'
    fs/built-in.o: In function `configfs_init':
    /home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/fs/configfs/mount.c:143: undefined reference to `kernel_subsys'
    make[1]: *** [.tmp_vmlinux1] Error 1
    <--  snip  -->
    Signed-off-by: Adrian Bunk <>
    Signed-off-by: Linus Torvalds <>
  2. @kernelslacker

    Clean up E7520/7320/7525 quirk printk.

    kernelslacker authored Linus Torvalds committed
    The printk level in this printk is bogus, as the previous printk
    didn't have a terminating \n resulting in ..
    Intel E7520/7320/7525 detected.<6>Disabling irq balancing and affinity
    It also never printed a \n at all in the case where we didn't do
    the quirk.
    Change it to only make noise if it actually does something useful.
    Signed-off-by: Dave Jones <>
    Signed-off-by: Linus Torvalds <>
  3. @AdrianBunk

    include/linux/kallsyms.h must #include <linux/errno.h>

    AdrianBunk authored Linus Torvalds committed
    This patch fixes the following 2.6.22 regression with CONFIG_KALLSYMS=n:
    <--  snip  -->
      CC      arch/m32r/kernel/traps.o
    In file included from /home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/arch/m32r/kernel/traps.c:14:
    /home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/include/linux/kallsyms.h: In function 'lookup_symbol_name':
    /home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/include/linux/kallsyms.h:66: error: 'ERANGE' undeclared (first use in this function)
    /home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/include/linux/kallsyms.h:66: error: (Each undeclared identifier is reported only once
    /home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/include/linux/kallsyms.h:66: error: for each function it appears in.)
    /home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/include/linux/kallsyms.h: In function 'lookup_symbol_attrs':
    /home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/include/linux/kallsyms.h:71: error: 'ERANGE' undeclared (first use in this function)
    make[2]: *** [arch/m32r/kernel/traps.o] Error 1
    <--  snip  -->
    Signed-off-by: Adrian Bunk <>
    Signed-off-by: Linus Torvalds <>
  4. @dwmw2

    Fix use-after-free oops in Bluetooth HID.

    dwmw2 authored Linus Torvalds committed
    When cleaning up HIDP sessions, we currently close the ACL connection
    before deregistering the input device. Closing the ACL connection
    schedules a workqueue to remove the associated objects from sysfs, but
    the input device still refers to them -- and if the workqueue happens to
    run before the input device removal, the kernel will oops when trying to
    look up PHYSDEVPATH for the removed input device.
    Fix this by deregistering the input device before closing the
    Signed-off-by: David Woodhouse <>
    Acked-by: Marcel Holtmann <>
    Signed-off-by: Linus Torvalds <>
Commits on Jul 6, 2007
  1. slub: remove useless EXPORT_SYMBOL

    Christoph Lameter authored Linus Torvalds committed
    kmem_cache_open is static. EXPORT_SYMBOL was leftover from some earlier
    time period where kmem_cache_open was usable outside of slub.
    (Fixes powerpc build error)
    Signed-off-by: Christoph Lameter <>
    Cc: Johannes Berg <>
    Cc: Benjamin Herrenschmidt <>
    Cc: Paul Mackerras <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  2. @brainflux

    MAINTAINERS new kernel janitors ml

    brainflux authored Linus Torvalds committed
    davem kindly moved the list from osdl to vger.
    Signed-off-by: maximilian attems <>
    Cc: Alexey Dobriyan <>
    Cc: Randy Dunlap <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  3. @dilinger

    GEODE: reboot fixup for geode machines with CS5536 boards

    dilinger authored Linus Torvalds committed
    Writing to MSR 0x51400017 forces a hard reset on CS5536-based machines,
    this has the reboot fixup do just that if such a board is detected.
    Acked-by: Jordan Crouse <>
    Signed-off-by: Andres Salomon <>
    Cc: Alan Cox <>
    Cc: Andi Kleen <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  4. Merge branch 'master' of…

    Linus Torvalds authored
    * 'master' of
      [NETPOLL]: Fixups for 'fix soft lockup when removing module'
      [NET]: net/core/netevent.c should #include <net/netevent.h>
      [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
      [NET] skbuff: remove export of static symbol
      SCTP: Add scope_id validation for link-local binds
      SCTP: Check to make sure file is valid before setting timeout
      SCTP: Fix thinko in sctp_copy_laddrs()
  5. Merge branch 'upstream' of git://…

    Linus Torvalds authored
    * 'upstream' of git://
      [MIPS] Fix scheduling latency issue on 24K, 34K and 74K cores
      [MIPS] Add macros to encode processor revisions.
      [MIPS] SMTC: Fix cut'n'paste bug in Kconfig.debug
      [MIPS] Change libgcc-style functions from lib-y to obj-y
      [MIPS] Fix timer/performance interrupt detection
      [MIPS] AP/SP: Avoid triggering the 34K E125 performance issue
      [MIPS] 64-bit TO_PHYS_MASK macro for RM9000 processors
  6. mm: fixup /proc/vmstat output

    Peter Zijlstra authored Linus Torvalds committed
    Line up the vmstat_text with zone_stat_item
    enum zone_stat_item {
    	/* First 128 byte cacheline (assuming 64 bit words) */
    We currently have nr_active and nr_inactive reversed.
    [ "OK with patch, though using initializers can be handy to prevent such
       things in future:
    	static const char * const vmstat_text[] = {
    		[NR_FREE_PAGES] = "nr_free_pages",
    							 - Alexey ]
    Signed-off-by: Peter Zijlstra <>
    Acked-by: Alexey Dobriyan <>
    Signed-off-by: Linus Torvalds <>
  7. potential compiler error, irqfunc caller sites update

    Yoann Padioleau authored Linus Torvalds committed
    In 7d12e78 David Howells performed
    this evolution:
     "IRQ: Maintain regs pointer globally rather than passing to IRQ handlers"
    He correctly updated many of the function definitions that were using this
    extra regs pointer parameter but forgot to update some caller sites of
    those functions.  The reason the modifications were not properly done on all
    drivers is that some drivers were rarely compiled because they are for
    AMIGA, or that some code sites were inside #ifdefs where the option is not
    set or inside #if 0.
    Here is the semantic patch that found the occurrences
    and fixed the problem.
    @ rule1 @
    identifier fn;
    identifier irq, dev_id;
    typedef irqreturn_t;
    static irqreturn_t fn(int irq, void *dev_id)
    identifier rule1.fn;
    expression E1, E2, E3;
     fn(E1, E2
    -   ,E3
    Signed-off-by: Yoann Padioleau <>
    Cc: "David S. Miller" <>
    Cc: Jeff Garzik <>
    Cc: Greg KH <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  8. i386: es7000 build breakage fix

    Vivek Goyal authored Linus Torvalds committed
    o Commit 1833d6b broke the build if
      compiled with CONFIG_ES7000=y and CONFIG_X86_GENERICARCH=n
    arch/i386/kernel/built-in.o(.init.text+0x4fa9): In function `acpi_parse_madt':
    : undefined reference to `acpi_madt_oem_check'
    arch/i386/kernel/built-in.o(.init.text+0x7406): In function `smp_read_mpc':
    : undefined reference to `mps_oem_check'
    arch/i386/kernel/built-in.o(.init.text+0x8990): In function
    : undefined reference to `enable_apic_mode'
    make: *** [.tmp_vmlinux1] Error 1
    o Fix the build issue. Provided the definitions of missing functions.
    o Don't have ES7000 machine. Only compile tested.
    Cc: Len Brown <>
    Cc: Natalie Protasevich <>
    Cc: Roland Dreier <>
    Cc: Andi Kleen <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  9. PNP SMCf010 quirk: work around Toshiba Portege 4000 ACPI issues

    Bjorn Helgaas authored Linus Torvalds committed
    When we enable the SMCf010 IR device, the Toshiba Portege 4000 BIOS claims
    the device is working, but it really isn't configured correctly.  The BIOS
    *will* configure it, but only if we call _SRS after (1) reversing the order
    of the SIR and FIR I/O port regions and (2) changing the IRQ from
    active-high to active-low.
    This patch addresses the 2.6.22 regression:
        "no irda0 interface (2.6.21 was OK), smsc does not find chip"
    I tested this on a Portege 4000.  The smsc-ircc2 driver correctly detects
    the device, and "irattach irda0 -s && irdadump" shows transmitted and
    received packets.
    Signed-off-by: Bjorn Helgaas <>
    Cc: Andrey Borzenkov <>
    Cc: Samuel Ortiz <>
    Cc: "Linus Walleij (LD/EAB)" <>
    Cc: Michal Piotrowski <>
    Cc: Adam Belay <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  10. @agraf

    fix logic error in ipc compat semctl()

    agraf authored Linus Torvalds committed
    When calling a semctl(IPC_STAT) without IPC_64 the check if the memory is
    unevaluated.  This patch fixes this.
    Signed-off-by: Alexander Graf <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  11. @dwmw2

    x86_64: fix headers_install

    dwmw2 authored Linus Torvalds committed
    A bug in headers_install for ARCH=x86_64 yields an asm/ directory full of
    files all of which are using the same #ifdef guard, "__ASM_STUB_" with no
    postfix.  So the second and later asm files #included in the same C file
    (often through standard headers like ioctl.h) yield no symbols.
    Strangeness with the Ubuntu 'tell me if I support something that's not
    explicitly mentioned in POSIX, and I'll strip it out' shell, I believe.
    We don't need the 'export' but we do need a semicolon at the end of the
    FNAME line:
    Signed-off-by: David Woodhouse <>
    Signed-off-by: Rob Landley <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  12. MTRR: Fix race causing set_mtrr to go into infinite loop

    Loic Prylli authored Linus Torvalds committed
    Processors synchronization in set_mtrr requires the .gate field to be set
    after .count field is properly initialized.  Without an explicit barrier,
    the compiler was reordering those memory stores.  That was sometimes
    causing a processor (in ipi_handler) to see the .gate change and decrement
    .count before the latter is set by set_mtrr() (which then hangs in an
    infinite loop with irqs disabled).
    Signed-off-by: Loic Prylli <>
    Cc: Andi Kleen <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  13. @jwessel

    i386: fix regression, endless loop in ptrace singlestep over an int80

    jwessel authored Linus Torvalds committed
    The commit 635cf99 introduced a
    regression.  Executing a ptrace single step after certain int80
    accesses will infinitely loop and never advance the PC.
    The TIF_SINGLESTEP check should be done on the return from the syscall
    and not before it.
    It loops on each single step on the pop right after the int80 which writes out
    to the console.  At that point you can issue as many single steps as you want
    and it will not advance any further.
    The test case is below:
    /* Test whether singlestep through an int80 syscall works.
     */
    #define _GNU_SOURCE
    #include <stdio.h>
    #include <unistd.h>
    #include <fcntl.h>
    #include <signal.h>
    #include <sys/ptrace.h>
    #include <sys/wait.h>
    #include <sys/mman.h>
    #include <asm/user.h>
    #include <string.h>

    static int child, status;
    static struct user_regs_struct regs;

    static void do_child()
    {
    	char str[80] = "child: int80 test\n";

    	ptrace(PTRACE_TRACEME, 0, 0, 0);
    	kill(getpid(), SIGUSR1);
    	asm ("int $0x80" : : "a" (20)); /* getpid */
    }

    static void do_parent()
    {
    	unsigned long eip, expected = 0;
    again:
    	waitpid(child, &status, 0);
    	if (WIFEXITED(status) || WIFSIGNALED(status))
    		return;

    	if (WIFSTOPPED(status)) {
    		ptrace(PTRACE_GETREGS, child, 0, &regs);
    		eip = regs.eip;
    		if (expected)
    			fprintf(stderr, "child stop @ %08lx, expected %08lx %s\n",
    					eip, expected,
    					eip == expected ? "" : " <== ERROR");
    		/* 0x80cd is "int $0x80" (bytes cd 80) read as a little-endian short */
    		if (*(unsigned short *)eip == 0x80cd) {
    			fprintf(stderr, "int 0x80 at %08x\n", (unsigned int)eip);
    			expected = eip + 2;
    		} else
    			expected = 0;
    		ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);
    	}
    	goto again;
    }

    int main(int argc, char * const argv[])
    {
    	child = fork();
    	if (child)
    		do_parent();
    	else
    		do_child();
    	return 0;
    }
    Signed-off-by: Jason Wessel <>
    Cc: Jeremy Fitzhardinge <>
    Cc: <>
    Cc: Chuck Ebbert <>
    Acked-by: Andi Kleen <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  14. @mpe

    Fix elf_core_dump() when writing arch specific notes (spu coredumps)

    mpe authored Linus Torvalds committed
    elf_core_dump() supports dumping arch specific ELF notes, via the #define
    ELF_CORE_WRITE_EXTRA_NOTES.  Currently the only user of this is the powerpc
    spu coredump code.
    There is a bug in the handling of foffset WRT the arch notes, which causes
    us to erroneously increment foffset by the size of the arch notes, leaving
    a block of zeroes in the file, and causing all subsequent data in the file
    to be at <supposed position> + <arch note size>.  eg:
      LOAD  0x050000 0x00100000 0x00000000 0x20000 0x20000 R E 0x10000
    Tells us we should have a chunk of data at 0x50000.  The truth is the data
    is at 0x90dbc = 0x50000 + 0x40dbc (the size of the arch notes).
    This bug prevents gdb from reading the core file correctly.
    The simplest fix is to simply remember the size of the arch notes, and add
    it to foffset after we've written the arch notes.  The only drawback is
    that if the arch code doesn't write as many bytes as it said it would, we
    end up with a broken core dump again.  For now I think that's a reasonable
    Tested on a Cell blade, gdb no longer complains about the core file being
    While I'm here I should point out that the spu coredump code does not work
    if we're dumping to a pipe - we'll have to wait for 23 to fix that.
    Signed-off-by: Michael Ellerman <>
    Acked-by: Arnd Bergmann <>
    Acked-by: Benjamin Herrenschmidt <>
    Acked-by: Paul Mackerras <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  15. @ralfbaechle

    [MIPS] Fix scheduling latency issue on 24K, 34K and 74K cores

    ralfbaechle authored
    The idle loop goes to sleep using the WAIT instruction if !need_resched().
    This is suffering from a race condition in that, just after
    need_resched has returned 0 an interrupt might set TIF_NEED_RESCHED but
    we've just completed the test so go to sleep anyway.  This would be
    trivial to fix by just disabling interrupts during that sequence as in:
            if (!need_resched())
    but the processor architecture leaves it undefined if a processor calling
    WAIT with interrupts disabled will ever restart its pipeline and indeed
    some processors have made use of the freedom provided by the architecture
    definition.  This has been resolved and the Config7.WII bit indicates that
    the use of WAIT is safe on 24K, 24KE and 34K cores.  It also is safe on
    74K starting revision 2.1.0 so enable the use of WAIT with interrupts
    disabled for 74K based on a c0_prid of at least that.
    Signed-off-by: Ralf Baechle <>
  16. @ralfbaechle

    [MIPS] Add macros to encode processor revisions.

    ralfbaechle authored
    Older processors used to encode processor version and revision in two
    4-bit bitfields, the 4K seems to simply count up and even newer MTI cores
    have switched to use the 8-bits as 3:3:2 bitfield with the last field as
    the patch number.
    Signed-off-by: Ralf Baechle <>
  17. @ralfbaechle


    ralfbaechle authored
    The RM7000 processors and the E9000 cores have a bug (though PMC-Sierra
    opposes it being called that) where invalid instructions in the same
    I-cache line worth of instructions being fetched may cause spurious
    The workaround for this was only enabled for E9000 cores; enable it also
    for all RM7000-based platforms.
    Signed-off-by: Ralf Baechle <>
  18. @ralfbaechle

    [MIPS] SMTC: Fix cut'n'paste bug in Kconfig.debug

    ralfbaechle authored
    This effectively turned the SMTC_IDLE_HOOK_DEBUG debug option into a no-op.
    Signed-off-by: Ralf Baechle <>
  19. @ralfbaechle

    [MIPS] Change libgcc-style functions from lib-y to obj-y

    ralfbaechle authored
    Reported by Eugene Surovegin <>.
    If only modules were users of these functions they did not get linked into
    the kernel proper, so later module loads would fail as well.
    Signed-off-by: Ralf Baechle <>
  20. @chrisdearman @ralfbaechle

    [MIPS] Fix timer/performance interrupt detection

    chrisdearman authored ralfbaechle committed
    Signed-off-by: Chris Dearman <>
    Signed-off-by: Ralf Baechle <>
  21. @ralfbaechle

    [MIPS] AP/SP: Avoid triggering the 34K E125 performance issue

    ralfbaechle authored
    C0_status doesn't need to be initialized at this point anyway; the register
    will be initialized later.
    Signed-off-by: Ralf Baechle <>
  22. @ralfbaechle

    [MIPS] 64-bit TO_PHYS_MASK macro for RM9000 processors

    Andrew Sharp authored ralfbaechle committed
    Signed-off-by: Andrew Sharp <>
    Signed-off-by: Ralf Baechle <>
  23. @davem330

    [NETPOLL]: Fixups for 'fix soft lockup when removing module'

    Jarek Poplawski authored davem330 committed
    From my recent patch:
    > >    #1
    > >    Until kernel ver. 2.6.21 (including) cancel_rearming_delayed_work()
    > >    required a work function should always (unconditionally) rearm with
    > >    delay > 0 - otherwise it would endlessly loop. This patch replaces
    > >    this function with cancel_delayed_work(). Later kernel versions don't
    > >    require this, so here it's only for uniformity.
    But Oleg Nesterov <> found:
    > But 2.6.22 doesn't need this change, why it was merged?
    > In fact, I suspect this change adds a race,
    His description was right (thanks), so this patch reverts #1.
    Signed-off-by: Jarek Poplawski <>
    Signed-off-by: David S. Miller <>