Commits on Apr 1, 2010
  1. @gregkh


    gregkh committed
  2. @gregkh

    hwmon: (coretemp) Add missing newline to dev_warn() message

    Dean Nelson committed with gregkh
    commit 4d7a564 upstream.
    Add missing newline to dev_warn() message string. This is more of an issue
    with older kernels that don't automatically add a newline if it was missing
    from the end of the previous line.
    Signed-off-by: Dean Nelson <>
    Signed-off-by: Jean Delvare <>
    Signed-off-by: Greg Kroah-Hartman <>
  3. @gregkh

    USB: fix usbfs regression

    Alan Stern committed with gregkh
    commit 7152b59 upstream.
    This patch (as1352) fixes a bug in the way isochronous input data is
    returned to userspace for usbfs transfers.  The entire buffer must be
    copied, not just the first actual_length bytes, because the individual
    packets will be discontiguous if any of them are short.
    Reported-by: Markus Rechberger <>
    Signed-off-by: Alan Stern <>
    Signed-off-by: Greg Kroah-Hartman <>
  4. @kosaki @gregkh

    tmpfs: cleanup mpol_parse_str()

    kosaki committed with gregkh
    commit 926f2ae upstream.
    mpol_parse_str() has produced lots of 'err' variable related bugs, because it is ugly
    and unfriendly to review.
    This patch simplifies it.
    Signed-off-by: KOSAKI Motohiro <>
    Cc: Ravikiran Thirumalai <>
    Cc: Christoph Lameter <>
    Cc: Mel Gorman <>
    Acked-by: Lee Schermerhorn <>
    Cc: Hugh Dickins <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  5. @kosaki @gregkh

    doc: add the documentation for mpol=local

    kosaki committed with gregkh
    commit 5574169 upstream.
    commit 3f226aa (mempolicy: support mpol=local tmpfs mount option) added
    new mpol=local mount option.  But it didn't add documentation.
    This patch does it.
    Signed-off-by: KOSAKI Motohiro <>
    Cc: Ravikiran Thirumalai <>
    Cc: Christoph Lameter <>
    Cc: Mel Gorman <>
    Acked-by: Lee Schermerhorn <>
    Cc: Hugh Dickins <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  6. @kosaki @gregkh

    tmpfs: handle MPOL_LOCAL mount option properly

    kosaki committed with gregkh
    commit 12821f5 upstream.
    commit 71fe804 (mempolicy: use struct mempolicy pointer in
    shmem_sb_info) added mpol=local mount option.  but its feature is broken
    since it was born.  because such code always return 1 (i.e.  mount
    This patch fixes it.
    Signed-off-by: KOSAKI Motohiro <>
    Cc: Ravikiran Thirumalai <>
    Cc: Christoph Lameter <>
    Cc: Mel Gorman <>
    Acked-by: Lee Schermerhorn <>
    Cc: Hugh Dickins <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  7. @kosaki @gregkh

    tmpfs: mpol=bind:0 don't cause mount error.

    kosaki committed with gregkh
    commit d69b2e6 upstream.
    Currently, the following mount operation causes a mount error.
    % mount -t tmpfs -ompol=bind:0 none /tmp
    Because commit 71fe804 (mempolicy: use struct mempolicy pointer in
    shmem_sb_info) corrupted MPOL_BIND parse code.
    This patch restores the needed one.
    Signed-off-by: KOSAKI Motohiro <>
    Cc: Ravikiran Thirumalai <>
    Cc: Christoph Lameter <>
    Cc: Mel Gorman <>
    Acked-by: Lee Schermerhorn <>
    Cc: Hugh Dickins <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  8. @gregkh

    tmpfs: fix oops on mounts with mpol=default

    Ravikiran G Thirumalai committed with gregkh
    commit 413b43d upstream.
    Fix an 'oops' when a tmpfs mount point is mounted with the mpol=default
    Upon remounting a tmpfs mount point with 'mpol=default' option, the mount
    code crashed with a null pointer dereference.  The initial problem report
    was on 2.6.27, but the problem exists in mainline 2.6.34-rc as well.  On
    examining the code, we see that mpol_new returns NULL if default mempolicy
    was requested.  This 'NULL' mempolicy is accessed to store the node mask
    resulting in oops.
    The following patch fixes it.
    Signed-off-by: Ravikiran Thirumalai <>
    Signed-off-by: KOSAKI Motohiro <>
    Cc: Christoph Lameter <>
    Cc: Mel Gorman <>
    Acked-by: Lee Schermerhorn <>
    Cc: Hugh Dickins <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  9. @stanislav-brabec @gregkh

    b44 WOL setup: one-bit-off stack corruption kernel panic fix

    stanislav-brabec committed with gregkh
    commit e018882 upstream.
    About 50% of shutdowns of the b44 Ethernet adapter end in a kernel panic
    with kernels compiled with stack-protector.
    Checking b44_magic_pattern() return values, one call of
    b44_magic_pattern() returns 127. It means, that set_bit(128, pmask)
    was called on line 1509. It means that bit 0 of 17th byte of pmask was
    overwritten. But pmask has only 16 bytes. Stack corruption happens.
    It seems that set_bit() on line 1509 always writes one bit off.
    The fix not only solves the stack corruption, but also makes Wake
    On LAN work on my onboard B44 on Asus A7V-333X mainboard.
    It seems that this problem affects all kernel versions since commit
    725ad80 ([PATCH] b44: add wol for old nic) on 2006-06-20.
    Signed-off-by: Stanislav Brabec <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  10. @gregkh

    V4L/DVB (13961): em28xx-dvb: fix memleak in dvb_fini()

    Francesco Lavra committed with gregkh
    commit 19f48cb upstream.
    This patch fixes a memory leak which occurs when an em28xx card with DVB
    extension is unplugged or its DVB extension driver is unloaded. In
    dvb_fini(), dev->dvb must be freed before being set to NULL, as is done
    in dvb_init() in case of error.
    Note that this bug is also present in the latest stable kernel release.
    Signed-off-by: Francesco Lavra <>
    Signed-off-by: Mauro Carvalho Chehab <>
    Signed-off-by: Greg Kroah-Hartman <>
  11. @gregkh

    bonding: ignore updelay param when there is no active slave

    Jiri Pirko committed with gregkh
    commit 41f8910 upstream.
    Pointed out by Sean E. Millichamp.
    Quote from Documentation/networking/bonding.txt:
    "Note that when a bonding interface has no active links, the
    driver will immediately reuse the first link that goes up, even if the
    updelay parameter has been specified (the updelay is ignored in this
    case).  If there are slave interfaces waiting for the updelay timeout
    to expire, the interface that first went into that state will be
    immediately reused.  This reduces down time of the network if the
    value of updelay has been overestimated, and since this occurs only in
    cases with no connectivity, there is no additional penalty for
    ignoring the updelay."
    This patch actually changes the behaviour in this way.
    Signed-off-by: Jiri Pirko <>
    Signed-off-by: David S. Miller <>
    Cc: Jean Delvare <>
    Signed-off-by: Greg Kroah-Hartman <>
  12. @gregkh

    coredump: suppress uid comparison test if core output files are pipes

    Neil Horman committed with gregkh
    commit 76595f7 upstream.
    Modify uid check in do_coredump so as to not apply it in the case of
    This just got noticed in testing.  The end of do_coredump validates the
    uid of the inode for the created file against the uid of the crashing
    process to ensure that no one can pre-create a core file with different
    ownership and grab the information contained in the core when they
    shouldn't be able to.  This causes failures when using pipes for core
    dumps if the crashing process is not root, which is the uid of the pipe
    when it is created.
    The fix is simple.  Since the check for matching uid's isn't relevant for
    pipes (a process can't create a pipe that the usermodehelper code will open
    anyway), we can just skip it in the event ispipe is non-zero
    Reverts a pipe-affecting change which was accidentally made in
    : commit c46f739
    : Author:     Ingo Molnar <>
    : AuthorDate: Wed Nov 28 13:59:18 2007 +0100
    : Commit:     Linus Torvalds <>
    : CommitDate: Wed Nov 28 10:58:01 2007 -0800
    :     vfs: coredumping fix
    Signed-off-by: Neil Horman <>
    Cc: Andi Kleen <>
    Cc: Oleg Nesterov <>
    Cc: Alan Cox <>
    Cc: Al Viro <>
    Cc: Ingo Molnar <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Cc: maximilian attems <>
    Signed-off-by: Greg Kroah-Hartman <>
  13. @gregkh

    x86, ia32_aout: do not kill argument mapping

    Jiri Slaby committed with gregkh
    commit 318f6b2 upstream.
    Do not set current->mm->mmap to NULL in 32-bit emulation on 64-bit
    load_aout_binary after flush_old_exec as it would destroy already
    set bprm mapping with arguments.
    Introduced by b6a2fea
    mm: variable length argument support
    where the argument mapping in bprm was added.
    [ hpa: this is a regression from 2.6.22... time to kill a.out? ]
    Signed-off-by: Jiri Slaby <>
    LKML-Reference: <>
    Cc: Ingo Molnar <>
    Cc: Thomas Gleixner <>
    Cc: Ollie Wild <>
    Signed-off-by: H. Peter Anvin <>
    Signed-off-by: Greg Kroah-Hartman <>
  14. @gregkh

    fix LOOKUP_FOLLOW on automount "symlinks"

    Al Viro committed with gregkh
    commit ac278a9 upstream.
    Make sure that automount "symlinks" are followed regardless of LOOKUP_FOLLOW;
    it should have no effect on them.
    Signed-off-by: Al Viro <>
    Signed-off-by: Greg Kroah-Hartman <>
  15. @gregkh

    KVM: x86: check for cr3 validity in ioctl_set_sregs

    Marcelo Tosatti committed with gregkh
    commit 59839df upstream.
    Matt T. Yourst notes that kvm_arch_vcpu_ioctl_set_sregs lacks validity
    checking for the new cr3 value:
    "Userspace callers of KVM_SET_SREGS can pass a bogus value of cr3 to
    the kernel. This will trigger a NULL pointer access in gfn_to_rmap()
    when userspace next tries to call KVM_RUN on the affected VCPU and kvm
    attempts to activate the new non-existent page table root.
    This happens since kvm only validates that cr3 points to a valid guest
    physical memory page when code *inside* the guest sets cr3. However, kvm
    currently trusts the userspace caller (e.g. QEMU) on the host machine to
    always supply a valid page table root, rather than properly validating
    it along with the rest of the reloaded guest state."
    Check for a valid cr3 address in kvm_arch_vcpu_ioctl_set_sregs, triple
    fault in case of failure.
    Signed-off-by: Marcelo Tosatti <>
    Signed-off-by: Avi Kivity <>
    Signed-off-by: Greg Kroah-Hartman <>
  16. @gregkh

    parisc: isa-eeprom - Fix loff_t usage

    Michael Buesch committed with gregkh
    commit 6b4dbcd upstream.
    loff_t is a signed type. If userspace passes a negative ppos, the "count"
    range check is weakened. "count"s bigger than HPEE_MAX_LENGTH will pass the check.
    Also, if ppos is negative, the readb(eisa_eeprom_addr + *ppos) will poke in random
    Signed-off-by: Michael Buesch <>
    Signed-off-by: Helge Deller <>
    Signed-off-by: Greg Kroah-Hartman <>
  17. @gregkh

    tc: Fix uninitialized kernel memory leak

    Eric Dumazet committed with gregkh
    commit 16ebb5e upstream.
    Three bytes of uninitialized kernel memory are currently leaked to user
    Signed-off-by: Eric Dumazet <>
    Reviewed-by: Jiri Pirko <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  18. @gregkh

    drm/r128: Add test for initialisation to all ioctls that require it

    Ben Hutchings committed with gregkh
    commit 7dc482d upstream.
    Almost all r128's private ioctls require that the CCE state has
    already been initialised.  However, most do not test that this has
    been done, and will proceed to dereference a null pointer.  This may
    result in a security vulnerability, since some ioctls are
    This adds a macro for the common initialisation test and changes all
    ioctl implementations that require prior initialisation to use that
    Also, r128_do_init_cce() does not test that the CCE state has not
    been initialised already.  Repeated initialisation may lead to a crash
    or resource leak.  This adds that test.
    Signed-off-by: Ben Hutchings <>
    Signed-off-by: Dave Airlie <>
    Signed-off-by: Greg Kroah-Hartman <>
  19. @gregkh

    KVM: VMX: Check cpl before emulating debug register access

    Avi Kivity committed with gregkh
    commit 0a79b00 upstream.
    Debug registers may only be accessed from cpl 0.  Unfortunately, vmx will
    code to emulate the instruction even though it was issued from guest
    userspace, possibly leading to an unexpected trap later.
    Signed-off-by: Avi Kivity <>
    Signed-off-by: Marcelo Tosatti <>
    Signed-off-by: Greg Kroah-Hartman <>
  20. @tytso @gregkh

    ext4: Avoid null pointer dereference when decoding EROFS w/o a journal

    tytso committed with gregkh
    commit 78f1ddb upstream.
    We need to check to make sure a journal is present before checking the
    journal flags in ext4_decode_error().
    Signed-off-by: Eric Sesterhenn <>
    Signed-off-by: "Theodore Ts'o" <>
    Signed-off-by: Greg Kroah-Hartman <>
  21. @gregkh

    KVM: x86 emulator: limit instructions to 15 bytes

    Avi Kivity committed with gregkh
    commit eb3c79e upstream
    [ <>: backport to 2.6.27 ]
    While we are never normally passed an instruction that exceeds 15 bytes,
    smp games can cause us to attempt to interpret one, which will cause
    large latencies in non-preempt hosts.
    Signed-off-by: Avi Kivity <>
    Signed-off-by: Greg Kroah-Hartman <>
  22. @gregkh

    USB: EHCI: fix counting of transaction error retries

    Alan Stern committed with gregkh
    commit ef4638f upstream.
    This patch (as1274) simplifies the counting of transaction-error
    retries.  Now we will count up from 0 to QH_XACTERR_MAX instead of
    down from QH_XACTERR_MAX to 0.
    The patch also fixes a small bug: qh->xacterr was not getting
    initialized for interrupt endpoints.
    Signed-off-by: Alan Stern <>
    Tested-by: Matthijs Kooijman <>
    Cc: Reinoud Koornstra <>
    Signed-off-by: Greg Kroah-Hartman <>
  23. @torvalds @gregkh

    USB: usbfs: properly clean up the as structure on error paths

    torvalds committed with gregkh
    commit ddeee0b upstream.
    I notice that the processcompl_compat() function seems to be leaking the
    'struct async *as' in the error paths.
    I think that the calling convention is fundamentally buggered. The
    caller is the one that did the "reap_as()" to get the as thing, the
    caller should be the one to free it too.
    Freeing it in the caller also means that it very clearly always gets
    freed, and avoids the need for any "free in the error case too".
    From: Linus Torvalds <>
    Cc: Alan Stern <>
    Cc: Marcus Meissner <>
    Signed-off-by: Greg Kroah-Hartman <>
  24. @gregkh

    USB: usbfs: only copy the actual data received

    gregkh committed with gregkh
    commit d4a4683 upstream.
    We need to only copy the data received by the device to userspace, not
    the whole kernel buffer, which can contain "stale" data.
    Thanks to Marcus Meissner for pointing this out and testing the fix.
    Reported-by: Marcus Meissner <>
    Tested-by: Marcus Meissner <>
    Cc: Alan Stern <>
    Cc: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  25. @liftoff-sr @gregkh

    serial: 8250: add serial transmitter fully empty test

    liftoff-sr committed with gregkh
    commit bca4761 upstream.
    When controlling an industrial radio modem it can be necessary to
    manipulate the handshake lines in order to control the radio modem's
    transmitter, from userspace.
    The transmitter should not be turned off before all characters have been
    transmitted.  serial8250_tx_empty() was reporting that all characters were
    transmitted before they actually were.
    Discovered in parallel with more testing and analysis by Kees Schoenmakers
    as follows:
    I ran into a NetMos 9835 serial pci board which behaves a little
    differently than the standard.  This type of expansion board is very common.
    "Standard" 8250 compatible devices clear the "UART_LSR_TEMT" bit together
    with the "UART_LSR_THRE" bit when writing data to the device.
    The NetMos device does it slightly differently
    I believe that the TEMT bit is coupled to the shift register.  The problem
    is that after writing data to the device and very quickly after that one
    does call serial8250_tx_empty, it returns the wrong information.
    My patch makes the test more robust (and solves the problem) and it does
    not affect the already correct devices.
      We may yet need to quirk this but now we know which chips we have a
      way to do that should we find this breaks some other 8250 clone with
      dodgy THRE.
    Signed-off-by: Dick Hollenbeck <>
    Signed-off-by: Alan Cox <>
    Cc: Kees Schoenmakers <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Greg Kroah-Hartman <>
  26. @gregkh

    i2c: Do not use device name after device_unregister

    Thadeu Lima de Souza Cascardo committed with gregkh
    In Linus' tree:;a=commit;h=c556752109794a5ff199b80a1673336b4df8433a
    dev_dbg outputs dev_name, which is released with device_unregister. This bug
    resulted in output like this:
    i2c Xy2�0: adapter [SMBus I801 adapter at 1880] unregistered
    The right output would be:
    i2c i2c-0: adapter [SMBus I801 adapter at 1880] unregistered
    Signed-off-by: Thadeu Lima de Souza Cascardo <>
    Signed-off-by: Jean Delvare <>
    Signed-off-by: Greg Kroah-Hartman <>
  27. @sqazi @gregkh

    drivers/char/mem.c: avoid OOM lockup during large reads from /dev/zero

    sqazi committed with gregkh
    commit 730c586 upstream.
    While running 20 parallel instances of dd as follows:
      for i in `seq 1 20`; do
               dd if=/dev/zero of=/export/hda3/dd_$i bs=1073741824 count=1 &
      done
    the entire kernel went down.  Stracing dd reveals that it first does an
    mmap2, which makes 1GB worth of zero page mappings.  Then it performs a
    read on those pages from /dev/zero, and finally it performs a write.
    The machine died during the reads.  Looking at the code, it was noticed
    that /dev/zero's read operation had been changed by
    557ed1f ("remove ZERO_PAGE") from giving
    zero page mappings to actually zeroing the page.
    The zeroing of the pages causes physical pages to be allocated to the
    process.  But, when the process exhausts all the memory that it can, the
    kernel cannot kill it, as it is still in the kernel mode allocating more
    memory.  Consequently, the kernel eventually crashes.
    To fix this, I propose that when a fatal signal is pending during
    /dev/zero read operation, we simply return and let the user process die.
    Signed-off-by: Salman Qazi <>
    Cc: Nick Piggin <>
    Signed-off-by: Andrew Morton <>
    [ Modified error return and comment trivially.  - Linus]
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  28. @gregkh

    sched: wakeup preempt when small overlap

    Peter Zijlstra committed with gregkh
    commit 15afe09 upstream.
    Lin Ming reported a 10% OLTP regression against 2.6.27-rc4.
    The difference seems to come from different preemption aggressiveness,
    which affects the cache footprint of the workload and its effective
    cache trashing.
    Aggressively preempt a task if its avg overlap is very small, this should
    avoid the task going to sleep and find it still running when we schedule
    back to it - saving a wakeup.
    Reported-by: Lin Ming <>
    Signed-off-by: Peter Zijlstra <>
    Signed-off-by: Ingo Molnar <>
    Signed-off-by: Greg Kroah-Hartman <>
  29. @gregkh

    sched: fine-tune SD_SIBLING_INIT

    Ingo Molnar committed with gregkh
    commit 52c642f upstream.
    fine-tune the HT sched-domains parameters as well.
    On a HT capable box, this increases lat_ctx performance from 23.87
    usecs to 1.49 usecs:
     # before
     $ ./lat_ctx -s 0 2
       "size=0k ovr=1.89
        2 23.87
     # after
     $ ./lat_ctx -s 0 2
       "size=0k ovr=1.84
         2 1.49
    Signed-off-by: Ingo Molnar <>
    Signed-off-by: Greg Kroah-Hartman <>
  30. @gregkh

    sched: fine-tune SD_MC_INIT

    Mike Galbraith committed with gregkh
    commit 1480098 upstream.
    Tune SD_MC_INIT the same way as SD_CPU_INIT:
    This improves vmark by 5%:
    vmark         132102 125968 125497 messages/sec    avg 127855.66    .984
    vmark         139404 131719 131272 messages/sec    avg 134131.66   1.033
    Signed-off-by: Mike Galbraith <>
    Acked-by: Peter Zijlstra <>
    Signed-off-by: Ingo Molnar <>
    Signed-off-by: Greg Kroah-Hartman <>
  31. @mikemccormack @gregkh

    sky2: Set SKY2_HW_RAM_BUFFER in sky2_init

    mikemccormack committed with gregkh
    commit 74a61eb upstream.
    The SKY2_HW_RAM_BUFFER bit in hw->flags was checked in sky2_mac_init(),
     before being set later in sky2_up().
    Setting SKY2_HW_RAM_BUFFER in sky2_init() where other hw->flags are set
     should avoid this problem recurring.
    Signed-off-by: Mike McCormack <>
    Acked-by: Stephen Hemminger <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  32. @sthibaul @gregkh

    x86: fix csum_ipv6_magic asm memory clobber

    sthibaul committed with gregkh
    commit 392d814 upstream.
    Just like ip_fast_csum, the assembly snippet in csum_ipv6_magic needs a
    memory clobber, as it is only passed the address of the buffer, not a
    memory reference to the buffer itself.
    This caused failures in Hurd's pfinetv4 when we tried to compile it with
    gcc-4.3 (bogus checksums).
    Signed-off-by: Samuel Thibault <>
    Cc: Ingo Molnar <>
    Cc: Thomas Gleixner <>
    Cc: "H. Peter Anvin" <>
    Acked-by: "David S. Miller" <>
    Cc: Andi Kleen <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  33. @gregkh


    Robert Varga committed with gregkh
    commit 657e964 upstream.
    I have recently come across a preemption imbalance detected by:
    <4>huh, entered ffffffff80644630 with preempt_count 00000102, exited with 00000101?
    <0>------------[ cut here ]------------
    <2>kernel BUG at /usr/src/linux/kernel/timer.c:664!
    <0>invalid opcode: 0000 [1] PREEMPT SMP
    with ffffffff80644630 being inet_twdr_hangman().
    This appeared after I enabled CONFIG_TCP_MD5SIG and played with it a
    bit, so I looked at what might have caused it.
    One thing that struck me as strange is tcp_twsk_destructor(), as it
    calls tcp_put_md5sig_pool() -- which entails a put_cpu(), causing the
    detected imbalance. Found on, but 2.6.31 is affected as well,
    as far as I can tell.
    Signed-off-by: Robert Varga <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  34. @shlusiak @gregkh

    sit: fix off-by-one in ipip6_tunnel_get_prl

    shlusiak committed with gregkh
    commit 298bf12 upstream.
    When requesting all prl entries (kprl.addr == INADDR_ANY) and there are
    more prl entries than there is space passed from userspace, the existing
    code would always copy cmax+1 entries, which is more than can be handled.
    This patch makes the kernel copy only exactly cmax entries.
    Signed-off-by: Sascha Hlusiak <>
    Acked-By: Fred L. Templin <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  35. @gregkh

    net: unix: fix sending fds in multiple buffers

    Miklos Szeredi committed with gregkh
    commit 8ba69ba upstream.
    Kalle Olavi Niemitalo reported that:
      "..., when one process calls sendmsg once to send 43804 bytes of
      data and one file descriptor, and another process then calls recvmsg
      three times to receive the 16032+16032+11740 bytes, each of those
      recvmsg calls returns the file descriptor in the ancillary data.  I
      confirmed this with strace.  The behaviour differs from Linux
      2.6.26, where reportedly only one of those recvmsg calls (I think
      the first one) returned the file descriptor."
    This bug was introduced by a patch from me titled "net: unix: fix inflight
    counting bug in garbage collector", commit 6209344.
    And the reason is, quoting Kalle:
      "Before your patch, unix_attach_fds() would set scm->fp = NULL, so
      that if the loop in unix_stream_sendmsg() ran multiple iterations,
      it could not call unix_attach_fds() again.  But now,
      unix_attach_fds() leaves scm->fp unchanged, and I think this causes
      it to be called multiple times and duplicate the same file
      descriptors to each struct sk_buff."
    Fix this by introducing a flag that is cleared at the start and set
    when the fds are attached to the first buffer.  The resulting code should
    work equivalently to the one on 2.6.26.
    Reported-by: Kalle Olavi Niemitalo <>
    Signed-off-by: Miklos Szeredi <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>