Commits on Feb 11, 2008
  1. @gregkh

    Linux 2.6.22.18

    gregkh authored
  2. @gregkh

    splice: fix user pointer access in get_iovec_page_array() (CVE-2008-0600)

    Bastian Blank authored gregkh committed
    
    patch 712a30e in mainline.
    
    Commit 8811930 ("splice: missing user
    pointer access verification") added the proper access_ok() calls to
    copy_from_user_mmap_sem() which ensures we can copy the struct iovecs
    from userspace to the kernel.
    
    But we also must check whether we can access the actual memory region
    pointed to by the struct iovec to fix the access checks properly.
    
    Signed-off-by: Bastian Blank <waldi@debian.org>
    Acked-by: Oliver Pinter <oliver.pntr@gmail.com>
    Cc: Jens Axboe <jens.axboe@oracle.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commits on Feb 6, 2008
  1. @gregkh

    Linux 2.6.22.17

    gregkh authored
  2. @gregkh

    vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007)

    Nick Piggin authored gregkh committed
    
    Drivers that register a ->fault handler, but do not range-check the
    offset argument, must set VM_DONTEXPAND in the vm_flags in order to
    prevent an expanding mremap from overflowing the resource.
    
    I've audited the tree and attempted to fix these problems (usually by
    adding VM_DONTEXPAND where it is not obvious).
    
    Signed-off-by: Nick Piggin <npiggin@suse.de>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  3. @yakuizhao @gregkh

    ACPI: apply quirk_ich6_lpc_acpi to more ICH8 and ICH9

    yakuizhao authored gregkh committed
    patch d1ec729 in mainline.
    
    It is important that these resources be reserved
    to avoid conflicts with well known ACPI registers.
    
    Signed-off-by: Zhao Yakui <yakui.zhao@intel.com>
    Signed-off-by: Len Brown <len.brown@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  4. @gregkh

    POWERPC: Fix invalid semicolon after if statement

    Ilpo Järvinen authored gregkh committed
    Patch 2b02d13 in mainline
    
    [POWERPC] Fix invalid semicolon after if statement
    
    A similar fix to netfilter from Eric Dumazet inspired me to
    look around a bit by using some grep/sed stuff as looking for
    this kind of bugs seemed easy to automate.  This is one of them
    I found where it looks like this semicolon is not valid.
    
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
    Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Paul Mackerras <paulus@samba.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  5. @gregkh

    chelsio: Fix skb->dev setting

    Divy Le Ray authored gregkh committed
    patch 7de6af0 in mainline.
    
    eth_type_trans() now sets skb->dev.
    Access skb->def after it gets set.
    
    Signed-off-by: Divy Le Ray <divy@chelsio.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  6. @gregkh

    cxgb: fix stats

    Divy Le Ray authored gregkh committed
    patch e0348b9 in mainline.
    
    Fix MAC stats accounting.
    Fix get_stats.
    
    Signed-off-by: Divy Le Ray <divy@chelsio.com>
    Signed-off-by: Jeff Garzik <jeff@garzik.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  7. @gregkh

    cxgb: fix T2 GSO

    Divy Le Ray authored gregkh committed
    patch 7832ee0 in mainline.
    
    The patch ensures that a GSO skb has enough headroom
    to push an encapsulating cpl_tx_pkt_lso header.
    
    Signed-off-by: Divy Le Ray <divy@chelsio.com>
    Signed-off-by: Jeff Garzik <jeff@garzik.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  8. @gregkh

    vfs: coredumping fix (CVE-2007-6206)

    Ingo Molnar authored gregkh committed
    vfs: coredumping fix
    
    patch c46f739 in mainline
    
    fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043
    
    only allow coredumping to the same uid that the coredumping
    task runs under.
    
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Acked-by: Alan Cox <alan@redhat.com>
    Acked-by: Christoph Hellwig <hch@lst.de>
    Acked-by: Al Viro <viro@ftp.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: maximilian attems <max@stro.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  9. @acpibob @gregkh

    ACPICA: fix acpi-cpufreq boot crash due to _PSD return-by-reference

    acpibob authored gregkh committed
    patch 152c300 in mainline.
    
    Changed resolution of named references in packages
    
    Fixed a problem with the Package operator where all named
    references were created as object references and left otherwise
    unresolved. According to the ACPI specification, a Package can
    only contain Data Objects or references to control methods. The
    implication is that named references to Data Objects (Integer,
    Buffer, String, Package, BufferField, Field) should be resolved
    immediately upon package creation. This is the approach taken
    with this change. References to all other named objects (Methods,
    Devices, Scopes, etc.) are all now properly created as reference objects.
    
    http://bugzilla.kernel.org/show_bug.cgi?id=5328
    http://bugzilla.kernel.org/show_bug.cgi?id=9429
    
    Signed-off-by: Bob Moore <robert.moore@intel.com>
    Signed-off-by: Len Brown <len.brown@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  10. @davem330 @gregkh

    CASSINI: Set skb->truesize properly on receive packets.

    davem330 authored gregkh committed
    [ Upstream commit: d011a23 ]
    
    skb->truesize was not being incremented at all to
    reflect the page based data added to RX SKBs.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  11. @davem330 @gregkh

    CASSINI: Revert 'dont touch page_count'.

    davem330 authored gregkh committed
    [ Upstream commit: 9de4dfb ]
    
    This reverts changeset fa4f077
    ([CASSINI]: dont touch page_count) because it breaks the driver.
    
    The local page counting added by this changeset did not account
    for the asynchronous page count changes done by kfree_skb()
    and friends.
    
    The change adds extra atomics and on top of it all appears to be
    totally unnecessary as well.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Acked-by: Nick Piggin <npiggin@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  12. @gregkh

    CASSINI: Fix endianness bug.

    Al Viro authored gregkh committed
    [ Upstream commit: e5e0254 ]
    
    Here's proposed fix for RX checksum handling in cassini; it affects
    little-endian working with half-duplex gigabit, but obviously needs
    testing on big-endian too.
    
    The problem is, we need to convert checksum to fixed-endian *before*
    correcting for (unstripped) FCS.  On big-endian it won't matter
    (conversion is no-op), on little-endian it will, but only if FCS is
    not stripped by hardware; i.e. in half-duplex gigabit mode when
    ->crc_size is set.
    
    cassini.c part is that fix, cassini.h one consists of trivial
    endianness annotations.  With that applied the sucker is endian-clean,
    according to sparse.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  13. @herbertx @gregkh

    ATM: Check IP header validity in mpc_send_packet

    herbertx authored gregkh committed
    [ATM]: Check IP header validity in mpc_send_packet
    
    [ Upstream commit: 1c9b7aa ]
    
    Al went through the ip_fast_csum callers and found this piece of code
    that did not validate the IP header.  While root crashing the machine
    by sending bogus packets through raw or AF_PACKET sockets isn't that
    serious, it is still nice to react gracefully.
    
    This patch ensures that the skb has enough data for an IP header and
    that the header length field is valid.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
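
Added example, not part of the commit or of the kernel source: the two checks the message above describes (enough data for an IP header, and a valid header length field) applied before any checksum routine reads the header. It works on a plain byte buffer instead of an skb; the function names and the sample header are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MIN_HDR 20u /* header without options, in bytes */

/* Constructed sample: a 20-byte IPv4 header with a correct checksum. */
static const uint8_t sample_hdr[20] = {
	0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
	0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7
};

/* Returns the header length in bytes, or -1 if the buffer cannot hold a
 * valid header. Nothing beyond 'len' bytes is ever read. */
static int ipv4_header_len(const uint8_t *buf, size_t len)
{
	unsigned int ihl;

	if (buf == NULL || len < IPV4_MIN_HDR)
		return -1;              /* not enough data for an IP header */
	ihl = buf[0] & 0x0fu;           /* header length in 32-bit words */
	if (ihl < 5)
		return -1;              /* shorter than the fixed header */
	if ((size_t)ihl * 4 > len)
		return -1;              /* claims more bytes than we have */
	return (int)(ihl * 4);
}

/* Checksums the header only after it has been validated, so the loop
 * bound comes from a length that is known to fit in the buffer. */
static int ipv4_checksum_ok(const uint8_t *buf, size_t len)
{
	int i, hlen = ipv4_header_len(buf, len);
	uint32_t sum = 0;

	if (hlen < 0)
		return 0;
	for (i = 0; i < hlen; i += 2)
		sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
	while (sum >> 16)
		sum = (sum & 0xffffu) + (sum >> 16);
	return sum == 0xffffu;
}

/* Helper for experiments: the sample header with its first byte replaced
 * and only 'avail' bytes (at most 20) declared as present. */
static int demo_len_with_first_byte(uint8_t b0, size_t avail)
{
	uint8_t copy[sizeof(sample_hdr)];

	memcpy(copy, sample_hdr, sizeof(copy));
	copy[0] = b0;
	if (avail > sizeof(copy))
		avail = sizeof(copy);
	return ipv4_header_len(copy, avail);
}

int main(void)
{
	printf("valid header:        %d\n", demo_len_with_first_byte(0x45, 20));
	printf("truncated buffer:    %d\n", demo_len_with_first_byte(0x45, 19));
	printf("ihl below minimum:   %d\n", demo_len_with_first_byte(0x44, 20));
	printf("ihl larger than buf: %d\n", demo_len_with_first_byte(0x4f, 20));
	printf("checksum ok:         %d\n", ipv4_checksum_ok(sample_hdr, 20));
	return 0;
}
```
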
  14. @gregkh

    ATM: [nicstar] delay irq setup until card is configured

    Chas Williams authored gregkh committed
    [ATM]: [nicstar] delay irq setup until card is configured
    
    [ Upstream commit: 5296195 ]
    
    Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  15. @gregkh

    CONNECTOR: Don't touch queue dev after decrement of ref count.

    Li Zefan authored gregkh committed
    [CONNECTOR]: Don't touch queue dev after decrement of ref count.
    
    [ Upstream commit: cf585ae ]
    
    cn_queue_free_callback() will touch 'dev'(i.e. cbq->pdev), so it
    should be called before atomic_dec(&dev->refcnt).
    
    Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  16. @davem330 @gregkh

    Fix sparc64 cpu cross call hangs.

    davem330 authored gregkh committed
    [SPARC64]: Fix endless loop in cheetah_xcall_deliver().
    
    [ Upstream commit: 0de56d1 ]
    
    We need to mask out the proper bits when testing the dispatch status
    register else we can see unrelated NACK bits from previous cross call
    sends.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
  17. @markmc @gregkh

    INET: Fix netdev renaming and inet address labels

    markmc authored gregkh committed
    [INET]: Fix netdev renaming and inet address labels
    
    [ Upstream commit: 44344b2 ]
    
    When re-naming an interface, the previous secondary address
    labels get lost e.g.
    
      $> brctl addbr foo
      $> ip addr add 192.168.0.1 dev foo
      $> ip addr add 192.168.0.2 dev foo label foo:00
      $> ip addr show dev foo | grep inet
        inet 192.168.0.1/32 scope global foo
        inet 192.168.0.2/32 scope global foo:00
      $> ip link set foo name bar
      $> ip addr show dev bar | grep inet
        inet 192.168.0.1/32 scope global bar
        inet 192.168.0.2/32 scope global bar:2
    
    Turns out to be a simple thinko in inetdev_changename() - clearly we
    want to look at the address label, rather than the device name, for
    a suffix to retain.
    
    Signed-off-by: Mark McLoughlin <markmc@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  18. @herbertx @gregkh

    IPSEC: Avoid undefined shift operation when testing algorithm ID

    herbertx authored gregkh committed
    [IPSEC]: Avoid undefined shift operation when testing algorithm ID
    
    [ Upstream commit: f398035 ]
    
    The aalgos/ealgos fields are only 32 bits wide.  However, af_key tries
    to test them with the expression 1 << id where id can be as large as
    253.  This produces different behaviour on different architectures.
    
    The following patch explicitly checks whether ID is greater than 31
    and fails the check if that's the case.
    
    We cannot easily extend the mask to be longer than 32 bits due to
    exposure to user-space.  Besides, this whole interface is obsolete
    anyway in favour of the xfrm_user interface which doesn't use this
    bit mask in templates (well not within the kernel anyway).
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
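
Added example, not part of the commit or of af_key: a guarded bit test of the kind the message above describes, next to a model of one outcome of the unguarded `1 << id` (a 32-bit shift whose count is taken modulo 32, as x86 does). Function names and the mask value are constructed; the unguarded expression is modelled explicitly because evaluating it directly is undefined in C.

```c
#include <stdint.h>
#include <stdio.h>

/* Largest algorithm ID named in the commit message. */
#define MAX_ALG_ID 253u

/* Model of the unguarded test on hardware that masks the shift count to
 * five bits: ID 34 lands on the same bit as ID 2. */
static int alg_in_mask_wrapping(uint32_t mask, unsigned int id)
{
	return (int)((mask >> (id & 31u)) & 1u);
}

/* Guarded test: an ID above 31 cannot be represented in a 32-bit mask,
 * so it fails the check instead of aliasing onto a low bit. */
static int alg_in_mask_checked(uint32_t mask, unsigned int id)
{
	if (id > 31u)
		return 0;
	return (int)((mask >> id) & 1u);
}

/* Number of IDs in 0..MAX_ALG_ID that the wrapping model accepts although
 * the mask cannot actually describe them. */
static unsigned int count_false_accepts(uint32_t mask)
{
	unsigned int id, n = 0;

	for (id = 0; id <= MAX_ALG_ID; id++)
		if (alg_in_mask_wrapping(mask, id) &&
		    !alg_in_mask_checked(mask, id))
			n++;
	return n;
}

int main(void)
{
	/* Constructed mask: only algorithm IDs 2 and 3 are allowed. */
	uint32_t mask = (1u << 2) | (1u << 3);

	printf("id 2:  wrapping=%d checked=%d\n",
	       alg_in_mask_wrapping(mask, 2), alg_in_mask_checked(mask, 2));
	printf("id 34: wrapping=%d checked=%d\n",
	       alg_in_mask_wrapping(mask, 34), alg_in_mask_checked(mask, 34));
	printf("IDs wrongly accepted by the wrapping model: %u\n",
	       count_false_accepts(mask));
	return 0;
}
```
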
  19. @herbertx @gregkh

    IPSEC: Fix potential dst leak in xfrm_lookup

    herbertx authored gregkh committed
    [IPSEC]: Fix potential dst leak in xfrm_lookup
    
    [ Upstream commit: 75b8c13 ]
    
    If we get an error during the actual policy lookup we don't free the
    original dst while the caller expects us to always free the original
    dst in case of error.
    
    This patch fixes that.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  20. @fabled @gregkh

    IPV4: ip_gre: set mac_header correctly in receive path

    fabled authored gregkh committed
    [IPV4] ip_gre: set mac_header correctly in receive path
    
    [ Upstream commit: 1d06916 ]
    
    mac_header update in ipgre_recv() was incorrectly changed to
    skb_reset_mac_header() when it was introduced.
    
    Signed-off-by: Timo Teras <timo.teras@iki.fi>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  21. @gregkh

    IPV4 ROUTE: ip_rt_dump() is unecessary slow

    Eric Dumazet authored gregkh committed
    [IPV4] ROUTE: ip_rt_dump() is unecessary slow
    
    [ Upstream commit: d8c9283 ]
    
    I noticed "ip route list cache x.y.z.t" can be *very* slow.
    
    While strace-ing -T it I also noticed that first part of route cache
    is fetched quite fast :
    
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.000047>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.000042>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3740 <0.000055>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.000043>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3732 <0.000053>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3708 <0.000052>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3680 <0.000041>
    
    while the part at the end of the table is more expensive:
    
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3656 <0.003857>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.003891>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.003765>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3700 <0.003879>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3676 <0.003797>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3724 <0.003856>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.003848>
    
    The following patch corrects this performance/latency problem,
    removing quadratic behavior.
    
    Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  22. @brainflux @gregkh

    IRDA: irda_create() nuke user triggable printk

    brainflux authored gregkh committed
    [IRDA]: irda_create() nuke user triggable printk
    
    [ Upstream commit: 9e8d6f8 ]
    
    easy to trigger as user with sfuzz.
    
    irda_create() is quiet on unknown sock->type,
    match this behaviour for SOCK_DGRAM unknown protocol
    
    Signed-off-by: maximilian attems <max@stro.at>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  23. @davem330 @gregkh

    NET: Correct two mistaken skb_reset_mac_header() conversions.

    davem330 authored gregkh committed
    [NET]: Correct two mistaken skb_reset_mac_header() conversions.
    
    [ Upstream commit: c6e6ca7 ]
    
    This operation helper abstracts:
    
    	skb->mac_header = skb->data;
    
    but it was done in two more places which were actually:
    
    	skb->mac_header = skb->network_header;
    
    and those are corrected here.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  24. @gregkh

    NET: kaweth was forgotten in msec switchover of usb_start_wait_urb

    Russ Dill authored gregkh committed
    [NET]: kaweth was forgotten in msec switchover of usb_start_wait_urb
    
    [ Upstream commit: 2b2b2e3 ]
    
    Back in 2.6.12-pre, usb_start_wait_urb was switched over to take
    milliseconds instead of jiffies. kaweth.c was never updated to match.
    
    Signed-off-by: Russ Dill <Russ.Dill@asu.edu>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  25. @gregkh

    NET: mcs7830 passes msecs instead of jiffies to usb_control_msg

    Russ Dill authored gregkh committed
    [NET]: mcs7830 passes msecs instead of jiffies to usb_control_msg
    
    [ Upstream commit 1d39da3 ]
    
    usb_control_msg was changed long ago (2.6.12-pre) to take milliseconds
    instead of jiffies. Oddly, mcs7830 wasn't added until 2.6.19-rc3.
    
    Signed-off-by: Russ Dill <Russ.Dill@asu.edu>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  26. @davem330 @gregkh

    SPARC64: Fix memory controller register access when non-SMP.

    davem330 authored gregkh committed
    [SPARC64]: Fix memory controller register access when non-SMP.
    
    [ Upstream commit: b332b8b ]
    
    get_cpu() always returns zero on non-SMP builds, but we
    really want the physical cpu number in this code in order
    to do the right thing.
    
    Based upon a non-SMP kernel boot failure report from Bernd Zeimetz.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  27. @davem330 @gregkh

    SPARC64: Fix two kernel linear mapping setup bugs.

    davem330 authored gregkh committed
    [SPARC64]: Fix two kernel linear mapping setup bugs.
    
    [ Upstream commit: 8f36145 ]
    
    This was caught and identified by Greg Onufer.
    
    Since we setup the 256M/4M bitmap table after taking over the trap
    table, it's possible for some 4M mapping to get loaded in the TLB
    beforehand which later will be 256M mappings.
    
    This can cause illegal TLB multiple-match conditions.  Fix this by
    setting up the bitmap before we take over the trap table.
    
    Next, __flush_tlb_all() was not doing anything on hypervisor
    platforms.  Fix by adding sun4v_mmu_demap_all() and calling it.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  28. @JuliaLawall @gregkh

    X25: Add missing x25_neigh_put

    JuliaLawall authored gregkh committed
    [X25]: Add missing x25_neigh_put
    
    [ Upstream commit: 76975f8 ]
    
    The function x25_get_neigh increments a reference count.  At the point of
    the second goto out, the result of calling x25_get_neigh is only stored in
    a local variable, and thus no one outside the function will be able to
    decrease the reference count.  Thus, x25_neigh_put should be called before
    the return in this case.
    
    The problem was found using the following semantic match.
    (http://www.emn.fr/x-info/coccinelle/)
    
    // <smpl>
    
    @@
    type T,T1,T2;
    identifier E;
    statement S;
    expression x1,x2,x3;
    int ret;
    @@
    
      T E;
      ...
    * if ((E = x25_get_neigh(...)) == NULL)
      S
      ... when != x25_neigh_put(...,(T1)E,...)
          when != if (E != NULL) { ... x25_neigh_put(...,(T1)E,...); ...}
          when != x1 = (T1)E
          when != E = x3;
          when any
      if (...) {
        ... when != x25_neigh_put(...,(T2)E,...)
            when != if (E != NULL) { ... x25_neigh_put(...,(T2)E,...); ...}
            when != x2 = (T2)E
    (
    *   return;
    |
    *   return ret;
    )
      }
    // </smpl>
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commits on Jan 14, 2008
  1. @gregkh

    Linux 2.6.22.16

    gregkh authored
  2. @gregkh

    Use access mode instead of open flags to determine needed permissions (CVE-2008-0001)

    Linus Torvalds authored gregkh committed
    
    patch 974a9f0 in mainline
    
    Way back when (in commit 834f2a4, aka
    "VFS: Allow the filesystem to return a full file pointer on open intent"
    to be exact), Trond changed the open logic to keep track of the original
    flags to a file open, in order to pass down the intent of a dentry
    lookup to the low-level filesystem.
    
    However, when doing that reorganization, it changed the meaning of
    namei_flags, and thus inadvertently changed the test of access mode for
    directories (and RO filesystem) to use the wrong flag.  So fix those
    tests back to use access mode ("acc_mode") rather than the open flag
    ("flag").
    
    Issue noticed by Bill Roman at Datalight.
    
    Reported-and-tested-by: Bill Roman <bill.roman@datalight.com>
    Acked-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commits on Dec 14, 2007
  1. @gregkh

    Linux 2.6.22.15

    gregkh authored
  2. @xemul @gregkh

    BRIDGE: Properly dereference the br_should_route_hook

    xemul authored gregkh committed
    [BRIDGE]: Properly dereference the br_should_route_hook
    
    [ Upstream commit: 82de382 ]
    
    This hook is protected with the RCU, so simple
    
    if (br_should_route_hook)
    	br_should_route_hook(...)
    
    is not enough on some architectures.
    
    Use the rcu_dereference/rcu_assign_pointer in this case.
    
    Fixed Stephen's comment concerning using the typeof().
    
    Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  3. @htejun @gregkh

    libata: kill spurious NCQ completion detection

    htejun authored gregkh committed
    patch 459ad68 in mainline.
    
    Spurious NCQ completion detection implemented in ahci was incorrect.
    On AHCI receiving and processing FISes and raising interrupts are not
    interlocked and spurious interrupts are expected.
    
    For example, if an interrupt occurs while interrupt handler is running
    and the running interrupt handler handles the event the new IRQ
    indicated, after IRQ handler finishes, it will be executed again
    because IRQ pending bit is set by the new interrupt but there won't be
    anything to process.
    
    Please read the following message for more information.
    
      http://article.gmane.org/gmane.linux.ide/26012
    
    This patch...
    
    * Removes all spurious IRQ whining from ahci.  Spurious NCQ completion
      detection was completely wrong.  Spurious D2H Register FIS taught us
      that some early drives send spurious D2H Register FIS with I bit set
      while NCQ commands are in progress but none of recent drives does
      that and even the ones which show such behavior can do NCQ fine.
    
    * Kills all NCQ blacklist entries which were added because of spurious
      NCQ completions.  I tracked down each commit and verified all
      removed ones are actually added because of spurious completions.
    
      WD740ADFD-00NLR1 wasn't deleted but moved upward because the drive
      not only had spurious NCQ completions but also is slow on sequential
      data transfers if NCQ is enabled.
    
      Maxtor 7V300F0 was added by 0e3dbc0
      from Alan Cox.  I can only find evidences that the drive only had
    troubles with spurious completions by searching the mailing list.
      This entry needs to be verified and removed if it doesn't have other
      NCQ related problems.
    
    Signed-off-by: Tejun Heo <htejun@gmail.com>
    Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
    Signed-off-by: Jeff Garzik <jeff@garzik.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>