Commits on Feb 11, 2008
  1. @gregkh

    Linux 2.6.22.18

    gregkh committed Feb 10, 2008
  2. @gregkh

    splice: fix user pointer access in get_iovec_page_array() (CVE-2008-0600)
    
    patch 712a30e in mainline.
    
    Commit 8811930 ("splice: missing user
    pointer access verification") added the proper access_ok() calls to
    copy_from_user_mmap_sem() which ensures we can copy the struct iovecs
    from userspace to the kernel.
    
    But we also must check whether we can access the actual memory region
    pointed to by the struct iovec to fix the access checks properly.
    
    Signed-off-by: Bastian Blank <waldi@debian.org>
    Acked-by: Oliver Pinter <oliver.pntr@gmail.com>
    Cc: Jens Axboe <jens.axboe@oracle.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Bastian Blank committed with gregkh Feb 10, 2008
Commits on Feb 6, 2008
  1. @gregkh

    Linux 2.6.22.17

    gregkh committed Feb 6, 2008
  2. @gregkh

    vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007)
    
    Drivers that register a ->fault handler, but do not range-check the
    offset argument, must set VM_DONTEXPAND in the vm_flags in order to
    prevent an expanding mremap from overflowing the resource.
    
    I've audited the tree and attempted to fix these problems (usually by
    adding VM_DONTEXPAND where it is not obvious).
    
    Signed-off-by: Nick Piggin <npiggin@suse.de>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Nick Piggin committed with gregkh Feb 2, 2008
  3. @yakuizhao @gregkh

    ACPI: apply quirk_ich6_lpc_acpi to more ICH8 and ICH9

    patch d1ec729 in mainline.
    
    It is important that these resources be reserved
    to avoid conflicts with well known ACPI registers.
    
    Signed-off-by: Zhao Yakui <yakui.zhao@intel.com>
    Signed-off-by: Len Brown <len.brown@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    yakuizhao committed with gregkh Jan 14, 2008
  4. @gregkh

    POWERPC: Fix invalid semicolon after if statement

    Patch 2b02d13 in mainline
    
    [POWERPC] Fix invalid semicolon after if statement
    
    A similar fix to netfilter from Eric Dumazet inspired me to
    look around a bit by using some grep/sed stuff as looking for
    this kind of bugs seemed easy to automate.  This is one of them
    I found where it looks like this semicolon is not valid.
    
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
    Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Paul Mackerras <paulus@samba.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Ilpo Järvinen committed with gregkh Dec 8, 2007
  5. @gregkh

    chelsio: Fix skb->dev setting

    patch 7de6af0 in mainline.
    
    eth_type_trans() now sets skb->dev.
    Access skb->dev after it gets set.
    
    Signed-off-by: Divy Le Ray <divy@chelsio.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Divy Le Ray committed with gregkh Dec 18, 2007
  6. @gregkh

    cxgb: fix stats

    patch e0348b9 in mainline.
    
    Fix MAC stats accounting.
    Fix get_stats.
    
    Signed-off-by: Divy Le Ray <divy@chelsio.com>
    Signed-off-by: Jeff Garzik <jeff@garzik.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Divy Le Ray committed with gregkh Dec 18, 2007
  7. @gregkh

    cxgb: fix T2 GSO

    patch 7832ee0 in mainline.
    
    The patch ensures that a GSO skb has enough headroom
    to push an encapsulating cpl_tx_pkt_lso header.
    
    Signed-off-by: Divy Le Ray <divy@chelsio.com>
    Signed-off-by: Jeff Garzik <jeff@garzik.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Divy Le Ray committed with gregkh Dec 18, 2007
  8. @gregkh

    vfs: coredumping fix (CVE-2007-6206)

    vfs: coredumping fix
    
    patch c46f739 in mainline
    
    fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043
    
    only allow coredumping to the same uid that the coredumping
    task runs under.
    
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Acked-by: Alan Cox <alan@redhat.com>
    Acked-by: Christoph Hellwig <hch@lst.de>
    Acked-by: Al Viro <viro@ftp.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: maximilian attems <max@stro.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Ingo Molnar committed with gregkh Dec 17, 2007
  9. @acpibob @gregkh

    ACPICA: fix acpi-cpufreq boot crash due to _PSD return-by-reference

    patch 152c300 in mainline.
    
    Changed resolution of named references in packages
    
    Fixed a problem with the Package operator where all named
    references were created as object references and left otherwise
    unresolved. According to the ACPI specification, a Package can
    only contain Data Objects or references to control methods. The
    implication is that named references to Data Objects (Integer,
    Buffer, String, Package, BufferField, Field) should be resolved
    immediately upon package creation. This is the approach taken
    with this change. References to all other named objects (Methods,
    Devices, Scopes, etc.) are all now properly created as reference objects.
    
    http://bugzilla.kernel.org/show_bug.cgi?id=5328
    http://bugzilla.kernel.org/show_bug.cgi?id=9429
    
    Signed-off-by: Bob Moore <robert.moore@intel.com>
    Signed-off-by: Len Brown <len.brown@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    acpibob committed with gregkh Dec 5, 2007
  10. @davem330 @gregkh

    CASSINI: Set skb->truesize properly on receive packets.

    [ Upstream commit: d011a23 ]
    
    skb->truesize was not being incremented at all to
    reflect the page based data added to RX SKBs.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    davem330 committed with gregkh Jan 11, 2008
  11. @davem330 @gregkh

    CASSINI: Revert 'dont touch page_count'.

    [ Upstream commit: 9de4dfb ]
    
    This reverts changeset fa4f077
    ([CASSINI]: dont touch page_count) because it breaks the driver.
    
    The local page counting added by this changeset did not account
    for the asynchronous page count changes done by kfree_skb()
    and friends.
    
    The change adds extra atomics and on top of it all appears to be
    totally unnecessary as well.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Acked-by: Nick Piggin <npiggin@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    davem330 committed with gregkh Jan 11, 2008
  12. @gregkh

    CASSINI: Fix endianness bug.

    [ Upstream commit: e5e0254 ]
    
    Here's proposed fix for RX checksum handling in cassini; it affects
    little-endian working with half-duplex gigabit, but obviously needs
    testing on big-endian too.
    
    The problem is, we need to convert checksum to fixed-endian *before*
    correcting for (unstripped) FCS.  On big-endian it won't matter
    (conversion is no-op), on little-endian it will, but only if FCS is
    not stripped by hardware; i.e. in half-duplex gigabit mode when
    ->crc_size is set.
    
    cassini.c part is that fix, cassini.h one consists of trivial
    endianness annotations.  With that applied the sucker is endian-clean,
    according to sparse.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Al Viro committed with gregkh Jan 11, 2008
  13. @herbertx @gregkh

    ATM: Check IP header validity in mpc_send_packet

    [ATM]: Check IP header validity in mpc_send_packet
    
    [ Upstream commit: 1c9b7aa ]
    
    Al went through the ip_fast_csum callers and found this piece of code
    that did not validate the IP header.  While root crashing the machine
    by sending bogus packets through raw or AF_PACKET sockets isn't that
    serious, it is still nice to react gracefully.
    
    This patch ensures that the skb has enough data for an IP header and
    that the header length field is valid.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    herbertx committed with gregkh Jan 11, 2008
  14. @gregkh

    ATM: [nicstar] delay irq setup until card is configured

    [ATM]: [nicstar] delay irq setup until card is configured
    
    [ Upstream commit: 5296195 ]
    
    Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Chas Williams committed with gregkh Jan 11, 2008
  15. @gregkh

    CONNECTOR: Don't touch queue dev after decrement of ref count.

    [CONNECTOR]: Don't touch queue dev after decrement of ref count.
    
    [ Upstream commit: cf585ae ]
    
    cn_queue_free_callback() will touch 'dev'(i.e. cbq->pdev), so it
    should be called before atomic_dec(&dev->refcnt).
    
    Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Li Zefan committed with gregkh Jan 11, 2008
  16. @davem330 @gregkh

    Fix sparc64 cpu cross call hangs.

    [SPARC64]: Fix endless loop in cheetah_xcall_deliver().
    
    [ Upstream commit: 0de56d1 ]
    
    We need to mask out the proper bits when testing the dispatch status
    register else we can see unrelated NACK bits from previous cross call
    sends.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    davem330 committed with gregkh Dec 19, 2007
  17. @markmc @gregkh

    INET: Fix netdev renaming and inet address labels

    [INET]: Fix netdev renaming and inet address labels
    
    [ Upstream commit: 44344b2 ]
    
    When re-naming an interface, the previous secondary address
    labels get lost e.g.
    
      $> brctl addbr foo
      $> ip addr add 192.168.0.1 dev foo
      $> ip addr add 192.168.0.2 dev foo label foo:00
      $> ip addr show dev foo | grep inet
        inet 192.168.0.1/32 scope global foo
        inet 192.168.0.2/32 scope global foo:00
      $> ip link set foo name bar
      $> ip addr show dev bar | grep inet
        inet 192.168.0.1/32 scope global bar
        inet 192.168.0.2/32 scope global bar:2
    
    Turns out to be a simple thinko in inetdev_changename() - clearly we
    want to look at the address label, rather than the device name, for
    a suffix to retain.
    
    Signed-off-by: Mark McLoughlin <markmc@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    markmc committed with gregkh Jan 11, 2008
  18. @herbertx @gregkh

    IPSEC: Avoid undefined shift operation when testing algorithm ID

    [IPSEC]: Avoid undefined shift operation when testing algorithm ID
    
    [ Upstream commit: f398035 ]
    
    The aalgos/ealgos fields are only 32 bits wide.  However, af_key tries
    to test them with the expression 1 << id where id can be as large as
    253.  This produces different behaviour on different architectures.
    
    The following patch explicitly checks whether ID is greater than 31
    and fails the check if that's the case.
    
    We cannot easily extend the mask to be longer than 32 bits due to
    exposure to user-space.  Besides, this whole interface is obsolete
    anyway in favour of the xfrm_user interface which doesn't use this
    bit mask in templates (well not within the kernel anyway).
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    herbertx committed with gregkh Jan 11, 2008
  19. @herbertx @gregkh

    IPSEC: Fix potential dst leak in xfrm_lookup

    [IPSEC]: Fix potential dst leak in xfrm_lookup
    
    [ Upstream commit: 75b8c13 ]
    
    If we get an error during the actual policy lookup we don't free the
    original dst while the caller expects us to always free the original
    dst in case of error.
    
    This patch fixes that.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    herbertx committed with gregkh Dec 19, 2007
  20. @fabled @gregkh

    IPV4: ip_gre: set mac_header correctly in receive path

    [IPV4] ip_gre: set mac_header correctly in receive path
    
    [ Upstream commit: 1d06916 ]
    
    mac_header update in ipgre_recv() was incorrectly changed to
    skb_reset_mac_header() when it was introduced.
    
    Signed-off-by: Timo Teras <timo.teras@iki.fi>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    fabled committed with gregkh Jan 11, 2008
  21. @gregkh

    IPV4 ROUTE: ip_rt_dump() is unnecessary slow

    [IPV4] ROUTE: ip_rt_dump() is unnecessary slow
    
    [ Upstream commit: d8c9283 ]
    
    I noticed "ip route list cache x.y.z.t" can be *very* slow.
    
    While strace-ing -T it I also noticed that first part of route cache
    is fetched quite fast :
    
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202
    GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.000047>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\
    202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.000042>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\
    202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3740 <0.000055>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\
    202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.000043>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\
    202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3732 <0.000053>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202
    GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3708 <0.000052>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202
    GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3680 <0.000041>
    
    while the part at the end of the table is more expensive:
    
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3656 <0.003857>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.003891>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.003765>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3700 <0.003879>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3676 <0.003797>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3724 <0.003856>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.003848>
    
    The following patch corrects this performance/latency problem,
    removing quadratic behavior.
    
    Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Eric Dumazet committed with gregkh Jan 11, 2008
  22. @brainflux @gregkh

    IRDA: irda_create() nuke user triggerable printk

    [IRDA]: irda_create() nuke user triggerable printk
    
    [ Upstream commit: 9e8d6f8 ]
    
    easy to trigger as user with sfuzz.
    
    irda_create() is quiet on unknown sock->type,
    match this behaviour for SOCK_DGRAM unknown protocol
    
    Signed-off-by: maximilian attems <max@stro.at>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    brainflux committed with gregkh Jan 11, 2008
  23. @davem330 @gregkh

    NET: Correct two mistaken skb_reset_mac_header() conversions.

    [NET]: Correct two mistaken skb_reset_mac_header() conversions.
    
    [ Upstream commit: c6e6ca7 ]
    
    This operation helper abstracts:
    
    	skb->mac_header = skb->data;
    
    but it was done in two more places which were actually:
    
    	skb->mac_header = skb->network_header;
    
    and those are corrected here.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    davem330 committed with gregkh Jan 11, 2008
  24. @gregkh

    NET: kaweth was forgotten in msec switchover of usb_start_wait_urb

    [NET]: kaweth was forgotten in msec switchover of usb_start_wait_urb
    
    [ Upstream commit: 2b2b2e3 ]
    
    Back in 2.6.12-pre, usb_start_wait_urb was switched over to take
    milliseconds instead of jiffies. kaweth.c was never updated to match.
    
    Signed-off-by: Russ Dill <Russ.Dill@asu.edu>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Russ Dill committed with gregkh Jan 11, 2008
  25. @gregkh

    NET: mcs7830 passes msecs instead of jiffies to usb_control_msg

    [NET]: mcs7830 passes msecs instead of jiffies to usb_control_msg
    
    [ Upstream commit 1d39da3 ]
    
    usb_control_msg was changed long ago (2.6.12-pre) to take milliseconds
    instead of jiffies. Oddly, mcs7830 wasn't added until 2.6.19-rc3.
    
    Signed-off-by: Russ Dill <Russ.Dill@asu.edu>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Russ Dill committed with gregkh Jan 11, 2008
  26. @davem330 @gregkh

    SPARC64: Fix memory controller register access when non-SMP.

    [SPARC64]: Fix memory controller register access when non-SMP.
    
    [ Upstream commit: b332b8b ]
    
    get_cpu() always returns zero on non-SMP builds, but we
    really want the physical cpu number in this code in order
    to do the right thing.
    
    Based upon a non-SMP kernel boot failure report from Bernd Zeimetz.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    davem330 committed with gregkh Dec 19, 2007
  27. @davem330 @gregkh

    SPARC64: Fix two kernel linear mapping setup bugs.

    [SPARC64]: Fix two kernel linear mapping setup bugs.
    
    [ Upstream commit: 8f36145 ]
    
    This was caught and identified by Greg Onufer.
    
    Since we setup the 256M/4M bitmap table after taking over the trap
    table, it's possible for some 4M mapping to get loaded in the TLB
    beforehand which later will be 256M mappings.
    
    This can cause illegal TLB multiple-match conditions.  Fix this by
    setting up the bitmap before we take over the trap table.
    
    Next, __flush_tlb_all() was not doing anything on hypervisor
    platforms.  Fix by adding sun4v_mmu_demap_all() and calling it.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    davem330 committed with gregkh Dec 19, 2007
  28. @JuliaLawall @gregkh

    X25: Add missing x25_neigh_put

    [X25]: Add missing x25_neigh_put
    
    [ Upstream commit: 76975f8 ]
    
    The function x25_get_neigh increments a reference count.  At the point of
    the second goto out, the result of calling x25_get_neigh is only stored in
    a local variable, and thus no one outside the function will be able to
    decrease the reference count.  Thus, x25_neigh_put should be called before
    the return in this case.
    
    The problem was found using the following semantic match.
    (http://www.emn.fr/x-info/coccinelle/)
    
    // <smpl>
    
    @@
    type T,T1,T2;
    identifier E;
    statement S;
    expression x1,x2,x3;
    int ret;
    @@
    
      T E;
      ...
    * if ((E = x25_get_neigh(...)) == NULL)
      S
      ... when != x25_neigh_put(...,(T1)E,...)
          when != if (E != NULL) { ... x25_neigh_put(...,(T1)E,...); ...}
          when != x1 = (T1)E
          when != E = x3;
          when any
      if (...) {
        ... when != x25_neigh_put(...,(T2)E,...)
            when != if (E != NULL) { ... x25_neigh_put(...,(T2)E,...); ...}
            when != x2 = (T2)E
    (
    *   return;
    |
    *   return ret;
    )
      }
    // </smpl>
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    JuliaLawall committed with gregkh Jan 11, 2008
Commits on Jan 14, 2008
  1. @gregkh

    Linux 2.6.22.16

    gregkh committed Jan 14, 2008
  2. @gregkh

    Use access mode instead of open flags to determine needed permissions (CVE-2008-0001)
    
    patch 974a9f0 in mainline
    
    Way back when (in commit 834f2a4, aka
    "VFS: Allow the filesystem to return a full file pointer on open intent"
    to be exact), Trond changed the open logic to keep track of the original
    flags to a file open, in order to pass down the intent of a dentry
    lookup to the low-level filesystem.
    
    However, when doing that reorganization, it changed the meaning of
    namei_flags, and thus inadvertently changed the test of access mode for
    directories (and RO filesystem) to use the wrong flag.  So fix those
    tests back to use access mode ("acc_mode") rather than the open flag
    ("flag").
    
    Issue noticed by Bill Roman at Datalight.
    
    Reported-and-tested-by: Bill Roman <bill.roman@datalight.com>
    Acked-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Linus Torvalds committed with gregkh Jan 12, 2008
Commits on Dec 14, 2007
  1. @gregkh

    Linux 2.6.22.15

    gregkh committed Dec 14, 2007
  2. @xemul @gregkh

    BRIDGE: Properly dereference the br_should_route_hook

    [BRIDGE]: Properly dereference the br_should_route_hook
    
    [ Upstream commit: 82de382 ]
    
    This hook is protected with the RCU, so simple
    
    if (br_should_route_hook)
    	br_should_route_hook(...)
    
    is not enough on some architectures.
    
    Use the rcu_dereference/rcu_assign_pointer in this case.
    
    Fixed Stephen's comment concerning using the typeof().
    
    Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    xemul committed with gregkh Dec 13, 2007
  3. @htejun @gregkh

    libata: kill spurious NCQ completion detection

    patch 459ad68 in mainline.
    
    Spurious NCQ completion detection implemented in ahci was incorrect.
    On AHCI receiving and processing FISes and raising interrupts are not
    interlocked and spurious interrupts are expected.
    
    For example, if an interrupt occurs while interrupt handler is running
    and the running interrupt handler handles the event the new IRQ
    indicated, after IRQ handler finishes, it will be executed again
    because IRQ pending bit is set by the new interrupt but there won't be
    anything to process.
    
    Please read the following message for more information.
    
      http://article.gmane.org/gmane.linux.ide/26012
    
    This patch...
    
    * Removes all spurious IRQ whining from ahci.  Spurious NCQ completion
      detection was completely wrong.  Spurious D2H Register FIS taught us
      that some early drives send spurious D2H Register FIS with I bit set
      while NCQ commands are in progress but none of recent drives does
      that and even the ones which show such behavior can do NCQ fine.
    
    * Kills all NCQ blacklist entries which were added because of spurious
      NCQ completions.  I tracked down each commit and verified all
      removed ones are actually added because of spurious completions.
    
      WD740ADFD-00NLR1 wasn't deleted but moved upward because the drive
      not only had spurious NCQ completions but also is slow on sequential
      data transfers if NCQ is enabled.
    
      Maxtor 7V300F0 was added by 0e3dbc0
      from Alan Cox.  I can only find evidences that the drive only had
      troubles with spurious completions by searching the mailing list.
      This entry needs to be verified and removed if it doesn't have other
      NCQ related problems.
    
    Signed-off-by: Tejun Heo <htejun@gmail.com>
    Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
    Signed-off-by: Jeff Garzik <jeff@garzik.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    htejun committed with gregkh Dec 8, 2007