Commits on Jan 28, 2010
  1. @gregkh


    gregkh committed Jan 28, 2010
  2. @gregkh

    fnctl: f_modown should call write_lock_irqsave/restore

    gregkh committed Jan 26, 2010
    commit b04da8b upstream.
    Commit 7036251 exposed that f_modown()
    should call write_lock_irqsave instead of just write_lock_irq,
    because a caller could have a spinlock held and it would not be good to
    re-enable interrupts.
    Cc: Eric W. Biederman <>
    Cc: Al Viro <>
    Cc: Alan Cox <>
    Cc: Tavis Ormandy <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Linus Torvalds <>
  3. @borntraeger @gregkh

    KVM: S390: fix potential array overrun in intercept handling

    borntraeger committed with gregkh Jan 21, 2010
    commit 062d5e9 upstream.
    kvm_handle_sie_intercept uses a jump table to get the intercept handler
    for a SIE intercept. Static code analysis revealed a potential problem:
    the intercept_funcs jump table was defined to contain (0x48 >> 2) entries,
    but we only checked for code > 0x48 which would cause an off-by-one
    array overflow if code == 0x48.
    Use the compiler and ARRAY_SIZE to automatically set the limits.
    Signed-off-by: Christian Borntraeger <>
    Signed-off-by: Marcelo Tosatti <>
    Signed-off-by: Greg Kroah-Hartman <>
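The off-by-one described in the KVM: S390 commit above, as an added user-space model that is not the kernel's code. Only `intercept_funcs`, the `0x48` limit and `ARRAY_SIZE` come from the commit message; the table contents, handler names, the alignment check and the `-1` return value are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

typedef int (*intercept_handler_t)(void);

/* Hypothetical handlers; the return values only identify which one ran. */
static int handle_noop(void) { return 0; }
static int handle_stop(void) { return 1; }

/*
 * Constructed jump table indexed by (code >> 2). The highest populated
 * slot is 0x44 >> 2, so the array has (0x48 >> 2) == 18 entries and the
 * valid indices are 0..17.
 */
static const intercept_handler_t intercept_funcs[] = {
    [0x00 >> 2] = handle_noop,
    [0x10 >> 2] = handle_stop,
    [0x44 >> 2] = handle_noop,
};

/* The check as the commit message describes it: only code > 0x48 is rejected. */
static int old_check_accepts(uint8_t code)
{
    return code <= 0x48;
}

/* Whether the index derived from code lies inside the table. */
static int index_in_table(uint8_t code)
{
    return (size_t)(code >> 2) < ARRAY_SIZE(intercept_funcs);
}

/*
 * Dispatch with the bound taken from the table itself, so the limit
 * follows the array if entries are added or removed. The (code & 3)
 * alignment test is an assumption of this model.
 */
static int dispatch(uint8_t code)
{
    size_t idx = code >> 2;

    if ((code & 3) || idx >= ARRAY_SIZE(intercept_funcs))
        return -1;              /* stand-in for an "unsupported" error */
    if (!intercept_funcs[idx])
        return -1;              /* slot with no handler installed */
    return intercept_funcs[idx]();
}
```

With `code == 0x48` the hand-written limit passes but the index is 18, one past the last slot; the `ARRAY_SIZE` bound rejects it.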
  4. @gregkh

    ipc ns: fix memory leak (idr)

    Serge E. Hallyn committed with gregkh Dec 15, 2009
    commit 7d6feeb upstream.
    We have apparently had a memory leak since
    7ca7e56 "ipc: store ipcs into IDRs" in
    2007.  The idr of which 3 exist for each ipc namespace is never freed.
    This patch simply frees them when the ipcns is freed.  I don't believe any
    idr_remove() are done from rcu (and could therefore be delayed until after
    this idr_destroy()), so the patch should be safe.  Some quick testing
    showed no harm, and the memory leak fixed.
    Caught by kmemleak.
    Signed-off-by: Serge E. Hallyn <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Acked-by: Nick Piggin <>
    Signed-off-by: Greg Kroah-Hartman <>
  5. @gregkh

    USB: EHCI & UHCI: fix race between root-hub suspend and port resume

    Alan Stern committed with gregkh Jan 8, 2010
    commit cec3a53 upstream.
    This patch (as1321) fixes a problem with EHCI and UHCI root-hub
    suspends: If the suspend occurs while a port is trying to resume, the
    resume doesn't finish and simply gets lost.  When remote wakeup is
    enabled, this is undesirable behavior.
    The patch checks first to see if any port resumes are in progress, and
    if they are then it fails the root-hub suspend with -EBUSY.
    Signed-off-by: Alan Stern <>
    Signed-off-by: Greg Kroah-Hartman <>
  6. @gregkh

    USB: EHCI: fix handling of unusual interrupt intervals

    Alan Stern committed with gregkh Jan 8, 2010
    commit 1b9a38b upstream.
    This patch (as1320) fixes two problems related to interrupt-URB
    scheduling in ehci-hcd.
    	URBs with an interval of 2 or 4 microframes aren't handled.
    	For the time being, the patch reduces the interval to 1 uframe.
    	URBs are constrained to have an interval no larger than 1024
    	frames by usb_submit_urb().  But some EHCI controllers allow
    	use of a schedule as short as 256 frames; for these
    	controllers we may have to decrease the interval to the
    	actual schedule length.
    The second problem isn't very significant since few devices expose
    interrupt endpoints with an interval larger than 256 frames.  But the
    first problem is critical; it will prevent the kernel from working
    with devices having interrupt intervals of 2 or 4 uframes.
    Signed-off-by: Alan Stern <>
    Tested-by: Glynn Farrow <>
    Signed-off-by: Greg Kroah-Hartman <>
  7. @gregkh

    USB: add missing delay during remote wakeup

    Alan Stern committed with gregkh Jan 8, 2010
    commit 49d0f07 upstream.
    This patch (as1330) fixes a bug in khubd's handling of remote
    wakeups.  When a device sends a remote-wakeup request, the parent hub
    (or the host controller driver, for directly attached devices) begins
    the resume sequence and notifies khubd when the sequence finishes.  At
    this point the port's SUSPEND feature is automatically turned off.
    However the device needs an additional 10-ms resume-recovery time
    (TRSMRCY in the USB spec).  Khubd does not wait for this delay if the
    SUSPEND feature is off, and as a result some devices fail to behave
    properly following a remote wakeup.  This patch adds the missing
    delay to the remote-wakeup path.
    It also extends the resume-signalling delay used by ehci-hcd and
    uhci-hcd from 20 ms (the value in the spec) to 25 ms (the value we use
    for non-remote-wakeup resumes).  The extra time appears to help some
    Signed-off-by: Alan Stern <>
    Cc: Rickard Bellini <>
    Signed-off-by: Greg Kroah-Hartman <>
  8. @gregkh

    tty: fix race in tty_fasync

    gregkh committed Dec 17, 2009
    commit 7036251 upstream.
    We need to keep the lock held over the call to __f_setown() to
    prevent a PID race.
    Thanks to Al Viro for pointing out the problem, and to Travis for
    making us look here in the first place.
    Cc: Eric W. Biederman <>
    Cc: Al Viro <>
    Cc: Alan Cox <>
    Cc: Linus Torvalds <>
    Cc: Tavis Ormandy <>
    Cc: Jeff Dike <>
    Cc: Julien Tinnes <>
    Cc: Matt Mackall <>
    Signed-off-by: Greg Kroah-Hartman <>
  9. @error27 @gregkh

    ecryptfs: use after free

    error27 committed with gregkh Jan 19, 2010
    commit ece550f upstream.
    The "full_alg_name" variable is used on a couple error paths, so we
    shouldn't free it until the end.
    Signed-off-by: Dan Carpenter <>
    Signed-off-by: Tyler Hicks <>
    Signed-off-by: Greg Kroah-Hartman <>
  10. @gregkh

    ecryptfs: initialize private persistent file before dereferencing poi…

    Erez Zadok committed with gregkh Dec 3, 2009
    commit e27759d upstream.
    Ecryptfs_open dereferences a pointer to the private lower file (the one
    stored in the ecryptfs inode), without checking if the pointer is NULL.
    Right afterward, it initializes that pointer if it is NULL.  Swap order of
    statements to first initialize.  Bug discovered by Duckjin Kang.
    Signed-off-by: Duckjin Kang <>
    Signed-off-by: Erez Zadok <>
    Cc: Dustin Kirkland <>
    Cc: Al Viro <>
    Signed-off-by: Tyler Hicks <>
    Signed-off-by: Greg Kroah-Hartman <>
  11. @jankara @gregkh

    reiserfs: truncate blocks not used by a write

    jankara committed with gregkh Dec 17, 2009
    commit ec8e2f7 upstream.
    It can happen that write does not use all the blocks allocated in
    write_begin either because of some filesystem error (like ENOSPC) or
    because page with data to write has been removed from memory.  We truncate
    these blocks so that we don't have dangling blocks beyond i_size.
    Cc: Jeff Mahoney <>
    Signed-off-by: Jan Kara <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  12. @bmr-cymru @gregkh

    megaraid_sas: remove sysfs poll_mode_io world writeable permissions

    bmr-cymru committed with gregkh Nov 12, 2009
    commit bb7d3f2 upstream.
    /sys/bus/pci/drivers/megaraid_sas/poll_mode_io defaults to being
    world-writable, which seems bad (letting any user affect kernel driver
    This turns off group and user write permissions, so that on typical
    production systems only root can write to it.
    Signed-off-by: Bryn M. Reeves <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  13. @gregkh

    edac: i5000_edac critical fix panic out of bounds

    Tamas Vincze committed with gregkh Jan 15, 2010
    commit 118f3e1 upstream.
    EDAC MC0: INTERNAL ERROR: channel-b out of range (4 >= 4)
    Kernel panic - not syncing: EDAC MC0: Uncorrected Error  (XEN) Domain 0 crashed: 'noreboot' set - not rebooting.
    This happens because FERR_NF_FBD bit 28 is not updated on i5000.  Due to
    that, both bits 28 and 29 may be equal to one, returning channel = 3.  As
    this value is invalid, EDAC core generates the panic.
    Signed-off-by: Tamas Vincze <>
    Signed-off-by: Mauro Carvalho Chehab <>
    Signed-off-by: Doug Thompson <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
Commits on Jan 18, 2010
  1. @gregkh


    gregkh committed Jan 18, 2010
  2. @gregkh

    powerpc: Handle VSX alignment faults correctly in little-endian mode

    Neil Campbell committed with gregkh Dec 14, 2009
    commit bb7f20b upstream.
    This patch fixes the handling of VSX alignment faults in little-endian
    mode (the current code assumes the processor is in big-endian mode).
    The patch also makes the handlers clear the top 8 bytes of the register
    when handling an 8 byte VSX load.
    This is based on 2.6.32.
    Signed-off-by: Neil Campbell <>
    Acked-by: Michael Neuling <>
    Signed-off-by: Benjamin Herrenschmidt <>
    Signed-off-by: Greg Kroah-Hartman <>
  3. @mikey @gregkh

    powerpc: Disable VSX or current process in giveup_fpu/altivec

    mikey committed with gregkh Apr 1, 2009
    commit 7e875e9 upstream.
    When we call giveup_fpu, we need to turn off VSX for the
    current process.  If we don't, on return to userspace it may execute a
    VSX instruction before the next FP instruction, and not have its
    register state refreshed correctly from the thread_struct.  Ditto for
    This caused a bug where an unaligned lfs or stfs results in
    fix_alignment calling giveup_fpu so it can use the FPRs (in order to
    do a single <-> double conversion), and then returning to userspace
    with FP off but VSX on.  Then if a VSX instruction is executed, before
    another FP instruction, it will proceed without another exception and
    hence have the incorrect register state for VSX registers 0-31.
       lfs unaligned   <- alignment exception turns FP off but leaves VSX on
       VSX instruction <- no exception since VSX on, hence we get the
                          wrong VSX register values for VSX registers 0-31,
                          which overlap the FPRs.
    Signed-off-by: Michael Neuling <>
    Signed-off-by: Paul Mackerras <>
    Signed-off-by: Greg Kroah-Hartman <>
  4. @gregkh

    fix more leaks in audit_tree.c tag_chunk()

    Al Viro committed with gregkh Dec 19, 2009
    commit b4c30aa upstream.
    Several leaks in audit_tree didn't get caught by commit
    318b6d3, including the leak on normal
    exit in case of multiple rules referring to the same chunk.
    Signed-off-by: Al Viro <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  5. @gregkh

    fix braindamage in audit_tree.c untag_chunk()

    Al Viro committed with gregkh Dec 19, 2009
    commit 6f5d511 upstream.
    ... aka "Al had badly fscked up when writing that thing and nobody
    noticed until Eric had fixed leaks that used to mask the breakage".
    The function essentially creates a copy of old array sans one element
    and replaces the references to elements of original (they are on cyclic
    lists) with those to corresponding elements of new one.  After that the
    old one is fair game for freeing.
    First of all, there's a dumb braino: when we get to list_replace_init we
    use indices for wrong arrays - position in new one with the old array
    and vice versa.
    Another bug is more subtle - termination condition is wrong if the
    element to be excluded happens to be the last one.  We shouldn't go
    until we fill the new array, we should go until we'd finished the old
    one.  Otherwise the element we are trying to kill will remain on the
    cyclic lists...
    That crap used to be masked by several leaks, so it was not quite
    trivial to hit.  Eric had fixed some of those leaks a while ago and the
    shit had hit the fan...
    Signed-off-by: Al Viro <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  6. @gregkh

    netfilter: ebtables: enforce CAP_NET_ADMIN

    Florian Westphal committed with gregkh Jan 8, 2010
    commit dce766a upstream.
    normal users are currently allowed to set/modify ebtables rules.
    Restrict it to processes with CAP_NET_ADMIN.
    Note that this cannot be reproduced with unmodified ebtables binary
    because it uses SOCK_RAW.
    Signed-off-by: Florian Westphal <>
    Signed-off-by: Patrick McHardy <>
    Signed-off-by: Greg Kroah-Hartman <>
  7. @gregkh

    kernel/signal.c: fix kernel information leak with print-fatal-signals=1

    Andi Kleen committed with gregkh Jan 8, 2010
    commit b45c6e7 upstream.
    When print-fatal-signals is enabled it's possible to dump any memory
    reachable by the kernel to the log by simply jumping to that address from
    user space.
    Or crash the system if there's some hardware with read side effects.
    The fatal signals handler will dump 16 bytes at the execution address,
    which is fully controlled by ring 3.
    In addition when something jumps to an unmapped address there will be up to
    16 additional useless page faults, which might be potentially slow (and at
    least is not very efficient).
    Fortunately this option is off by default and only there on i386.
    But fix it by checking for kernel addresses and also stopping when there's
    a page fault.
    Signed-off-by: Andi Kleen <>
    Cc: Ingo Molnar <>
    Cc: Oleg Nesterov <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
Commits on Jan 6, 2010
  1. @gregkh


    gregkh committed Jan 6, 2010
  2. @gregkh

    Revert: KVM: MMU: do not free active mmu pages in free_mmu_pages()

    gregkh committed Jan 6, 2010
    This reverts the commit d2127c8, which was
    the commit f00be0c upstream.
    This was done based on comments saying it was causing problems.
    Cc: Gleb Natapov <>
    Cc: Avi Kivity <>
    Signed-off-by: Greg Kroah-Hartman <>
  3. @gregkh

    generic_permission: MAY_OPEN is not write access

    Serge E. Hallyn committed with gregkh Dec 29, 2009
    commit 7ea6600 upstream.
    generic_permission was refusing CAP_DAC_READ_SEARCH-enabled
    processes from opening DAC-protected files read-only, because
    do_filp_open adds MAY_OPEN to the open mask.
    Ignore MAY_OPEN.  After this patch, CAP_DAC_READ_SEARCH is
    again sufficient to open(fname, O_RDONLY) on a file to which
    DAC otherwise refuses us read permission.
    Reported-by: Mike Kazantsev <>
    Signed-off-by: Serge E. Hallyn <>
    Tested-by: Mike Kazantsev <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  4. @torvalds @gregkh

    x86/ptrace: make genregs[32]_get/set more robust

    torvalds committed with gregkh Dec 17, 2009
    commit 04a1e62 upstream.
    The loop condition is fragile: we compare an unsigned value to zero, and
    then decrement it by something larger than one in the loop.  All the
    callers should be passing in appropriately aligned buffer lengths, but
    it's better to just not rely on it, and have some appropriate defensive
    loop limits.
    Acked-by: Roland McGrath <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
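The fragile loop shape described in the x86/ptrace commit above, as an added user-space model that is not the kernel's code. The function names, `REG_SIZE` and the iteration cap are assumptions of this example; the cap exists only so the wrapped loop can be observed without running away.

```c
#include <stddef.h>

/* Step size: one register slot, larger than one byte. */
#define REG_SIZE sizeof(unsigned long)

/*
 * Fragile form: an unsigned byte count is compared with zero and then
 * decremented by REG_SIZE. If count is not a multiple of REG_SIZE the
 * subtraction wraps to a huge value instead of reaching zero, and the
 * loop keeps walking past the caller's buffer. Returns how many slots
 * the loop would touch, stopping at cap.
 */
static size_t fragile_iterations(unsigned int count, size_t cap)
{
    size_t slots = 0;

    while (count > 0 && slots < cap) {
        slots++;
        count -= REG_SIZE;      /* wraps when count < REG_SIZE */
    }
    return slots;
}

/*
 * Defensive form: continue only while a whole slot remains, so a
 * misaligned length leaves a short tail untouched instead of wrapping.
 */
static size_t robust_iterations(unsigned int count, size_t cap)
{
    size_t slots = 0;

    while (count >= REG_SIZE && slots < cap) {
        slots++;
        count -= REG_SIZE;
    }
    return slots;
}
```

For an aligned length both loops visit the same number of slots; for a length of two slots plus one byte the fragile loop runs until the cap while the defensive loop stops after two.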
  5. @gregkh

    S390: dasd: support DIAG access for read-only devices

    Stefan Weinhuber committed with gregkh Dec 7, 2009
    commit 22825ab upstream.
    When a DASD device is used with the DIAG discipline, the DIAG
    initialization will indicate success or error with a respective
    return code. So far we have interpreted a return code of 4 as error,
    but it actually means that the initialization was successful, but
    the device is read-only. To allow read-only devices to be used with
    DIAG we need to accept a return code of 4 as success.
    Re-initialization of the DIAG access is also part of the DIAG error
    recovery. If we find that the access mode of a device has been
    changed from writable to read-only while the device was in use,
    we print an error message.
    Signed-off-by: Stefan Weinhuber <>
    Signed-off-by: Martin Schwidefsky <>
    Cc: Stephen Powell <>
    Signed-off-by: Greg Kroah-Hartman <>
  6. @kaber @gregkh

    ipv6: reassembly: use seperate reassembly queues for conntrack and lo…

    kaber committed with gregkh Dec 15, 2009
    …cal delivery
    commit 0b5ccb2 upstream.
    Currently the same reassembly queue might be used for packets reassembled
    by conntrack in different positions in the stack (PREROUTING/LOCAL_OUT),
    as well as local delivery. This can cause "packet jumps" when the fragment
    completing a reassembled packet is queued from a different position in the
    stack than the previous ones.
    Add a "user" identifier to the reassembly queue key to separate the queues
    of each caller, similar to what we do for IPv4.
    Signed-off-by: Patrick McHardy <>
    Signed-off-by: Greg Kroah-Hartman <>
  7. @gregkh

    i2c/tsl2550: Fix lux value in extended mode

    Michele Jr De Candia committed with gregkh Nov 26, 2009
    commit 5f5bfb0 upstream.
    According to the TAOS Application Note 'Controlling a Backlight with
    the TSL2550 Ambient Light Sensor' (page 14), the actual lux value in
    extended mode should be obtained multiplying the calculated lux value
    by 5.
    Signed-off-by: Michele Jr De Candia <>
    Signed-off-by: Jean Delvare <>
    Signed-off-by: Greg Kroah-Hartman <>
  8. @cladisch @gregkh

    sound: sgio2audio/pdaudiocf/usb-audio: initialize PCM buffer

    cladisch committed with gregkh Dec 18, 2009
    commit 3e85fd6 upstream.
    When allocating the PCM buffer, use vmalloc_user() instead of vmalloc().
    Otherwise, it would be possible for applications to play the previous
    contents of the kernel memory to the speakers, or to read it directly if
    the buffer is exported to userspace.
    Signed-off-by: Clemens Ladisch <>
    Signed-off-by: Takashi Iwai <>
    Signed-off-by: Greg Kroah-Hartman <>
  9. @bzolnier @gregkh

    pata_cmd64x: fix overclocking of UDMA0-2 modes

    bzolnier committed with gregkh Dec 20, 2009
    commit 509426b upstream.
    adev->dma_mode stores the transfer mode value not UDMA mode number
    so the condition in cmd64x_set_dmamode() is always true and the higher
    UDMA clock is always selected.  This can potentially result in data
    corruption when UDMA33 device is used, when 40-wire cable is used or
    when the error recovery code decides to lower the device speed down.
    The issue was introduced in the commit 6a40da0 ("libata cmd64x: whack
    into a shape that looks like the documentation") which goes back to
    kernel 2.6.20.
    Signed-off-by: Bartlomiej Zolnierkiewicz <>
    Signed-off-by: Jeff Garzik <>
    Signed-off-by: Greg Kroah-Hartman <>
  10. @zonque @gregkh

    Libertas: fix buffer overflow in lbs_get_essid()

    zonque committed with gregkh Dec 16, 2009
    commit 45b2416 upstream.
    The libertas driver copies the SSID buffer back to the wireless core and
    appends a trailing NULL character for termination. This is
    a) unnecessary because the buffer is allocated with kzalloc and is hence
       already NULLed when this function is called, and
    b) for priv->curbssparams.ssid_len == 32, it writes back one byte too
       much which causes memory corruptions.
    Fix this by removing the extra write.
    Signed-off-by: Daniel Mack <>
    Cc: Stephen Hemminger <>
    Cc: Maithili Hinge <>
    Cc: Kiran Divekar <>
    Cc: Michael Hirsch <>
    Acked-by: Holger Schurig <>
    Acked-by: Dan Williams <>
    Signed-off-by: John W. Linville <>
    Signed-off-by: Greg Kroah-Hartman <>
Commits on Dec 18, 2009
  1. @gregkh


    gregkh committed Dec 18, 2009
  2. @gregkh

    matroxfb: fix problems with display stability

    Alan Cox committed with gregkh Dec 15, 2009
    commit 8c65131 upstream.
    Regression caused in 2.6.23 and then despite repeated requests never fixed
    or dealt with (Petr promised to sort it in 2008 but seems to have
    Enough is enough - remove the problem line that was added.  If it upsets
    someone they've had two years to deal with it and at the very least it'll
    rattle their cage and wake them up.
    Signed-off-by: Alan Cox <>
    Reported-by: Damon <>
    Tested-by: Ruud van Melick <>
    Cc: Petr Vandrovec <>
    Cc: Pekka Enberg <>
    Cc: Paul A. Clarke <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  3. @dwmw2 @gregkh

    jffs2: Fix long-standing bug with symlink garbage collection.

    dwmw2 committed with gregkh Dec 16, 2009
    commit 2e16cfc upstream.
    Ever since jffs2_garbage_collect_metadata() was first half-written in
    February 2001, it's been broken on architectures where 'char' is signed.
    When garbage collecting a symlink with target length above 127, the payload
    length would end up negative, causing interesting and bad things to happen.
    Signed-off-by: David Woodhouse <>
    Signed-off-by: Greg Kroah-Hartman <>
  4. @gregkh

    backlight: lcd - Fix wrong sizeof

    Jean Delvare committed with gregkh Oct 2, 2009
    commit 1e0fa6b upstream.
    Which is why I have always preferred sizeof(struct foo) over
    Signed-off-by: Jean Delvare <>
    Signed-off-by: Richard Purdie <>
    Signed-off-by: Greg Kroah-Hartman <>
  5. @gregkh

    USB: fix mos7840 problem with minor numbers

    Tony Cook committed with gregkh Dec 8, 2009
    commit 37768ad upstream
    This patch fixes a problem with any mos7840 device where the use of the
    field "minor" before it is initialised results in all the devices being
    overlaid in memory (minor = 0 for all instances)
    Contributed by: Phillip Branch
    Backported to .27 by Christoph Biedl <>
    Signed-off-by: Tony Cook <>
    Signed-off-by: Greg Kroah-Hartman <>