Commits on Apr 21, 2011
  1. Merge branch 'version-2.6.38' into pf-2.6.38

    Oleksandr Natalenko committed Apr 21, 2011
  2. version-2.6.38: bump version to 2.6.38-pf5

    Oleksandr Natalenko committed Apr 21, 2011
  3. Merge branch 'ck-2.6.38' into pf-2.6.38

    Oleksandr Natalenko committed Apr 21, 2011
  4. ck-2.6.38: update BFS to version 401

    Oleksandr Natalenko committed Apr 21, 2011
Commits on Apr 15, 2011
  1. Merge branch 'version-2.6.38' into pf-2.6.38

    Oleksandr Natalenko committed Apr 15, 2011
  2. version-2.6.38: bump version to 2.6.38-pf4

    Oleksandr Natalenko committed Apr 15, 2011
  3. fix merge conflict

    Oleksandr Natalenko committed Apr 15, 2011
  4. Revert "Restore the initialization of mmu_cr4_features during boot, which was"

    This reverts commit 611e4e7.
    Oleksandr Natalenko committed Apr 15, 2011
Commits on Apr 14, 2011
  1. Linux 2.6.38.3

    gregkh committed Apr 14, 2011
  2. nfsd4: fix oops on lock failure

    commit 23fcf2e upstream.
    
    Lock stateid's can have access_bmap 0 if they were only partially
    initialized (due to a failed lock request); handle that case in
    free_generic_stateid.
    
    ------------[ cut here ]------------
    kernel BUG at fs/nfsd/nfs4state.c:380!
    invalid opcode: 0000 [#1] SMP
    last sysfs file: /sys/kernel/mm/ksm/run
    Modules linked in: nfs fscache md4 nls_utf8 cifs ip6table_filter ip6_tables ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat bridge stp llc nfsd lockd nfs_acl auth_rpcgss sunrpc ipv6 ppdev parport_pc parport pcnet32 mii pcspkr microcode i2c_piix4 BusLogic floppy [last unloaded: mperf]
    
    Pid: 1468, comm: nfsd Not tainted 2.6.38+ #120 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
    EIP: 0060:[<e24f180d>] EFLAGS: 00010297 CPU: 0
    EIP is at nfs4_access_to_omode+0x1c/0x29 [nfsd]
    EAX: ffffffff EBX: dd758120 ECX: 00000000 EDX: 00000004
    ESI: dd758120 EDI: ddfe657c EBP: dd54dde0 ESP: dd54dde0
     DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
    Process nfsd (pid: 1468, ti=dd54c000 task=ddc92580 task.ti=dd54c000)
    Stack:
     dd54ddf0 e24f19ca 00000000 ddfe6560 dd54de08 e24f1a5d dd758130 deee3a20
     ddfe6560 31270000 dd54df1c e24f52fd 0000000f dd758090 e2505dd0 0be304cf
     dbb51d68 0000000e ddfe657c ddcd8020 dd758130 dd758128 dd7580d8 dd54de68
    Call Trace:
     [<e24f19ca>] free_generic_stateid+0x1c/0x3e [nfsd]
     [<e24f1a5d>] release_lockowner+0x71/0x8a [nfsd]
     [<e24f52fd>] nfsd4_lock+0x617/0x66c [nfsd]
     [<e24e57b6>] ? nfsd_setuser+0x199/0x1bb [nfsd]
     [<e24e056c>] ? nfsd_setuser_and_check_port+0x65/0x81 [nfsd]
     [<c07a0052>] ? _cond_resched+0x8/0x1c
     [<c04ca61f>] ? slab_pre_alloc_hook.clone.33+0x23/0x27
     [<c04cac01>] ? kmem_cache_alloc+0x1a/0xd2
     [<c04835a0>] ? __call_rcu+0xd7/0xdd
     [<e24e0dfb>] ? fh_verify+0x401/0x452 [nfsd]
     [<e24f0b61>] ? nfsd4_encode_operation+0x52/0x117 [nfsd]
     [<e24ea0d7>] ? nfsd4_putfh+0x33/0x3b [nfsd]
     [<e24f4ce6>] ? nfsd4_delegreturn+0xd4/0xd4 [nfsd]
     [<e24ea2c9>] nfsd4_proc_compound+0x1ea/0x33e [nfsd]
     [<e24de6ee>] nfsd_dispatch+0xd1/0x1a5 [nfsd]
     [<e1d6e1c7>] svc_process_common+0x282/0x46f [sunrpc]
     [<e1d6e578>] svc_process+0xdc/0xfa [sunrpc]
     [<e24de0fa>] nfsd+0xd6/0x115 [nfsd]
     [<e24de024>] ? nfsd_shutdown+0x24/0x24 [nfsd]
     [<c0454322>] kthread+0x62/0x67
     [<c04542c0>] ? kthread_worker_fn+0x114/0x114
     [<c07a6ebe>] kernel_thread_helper+0x6/0x10
    Code: eb 05 b8 00 00 27 4f 8d 65 f4 5b 5e 5f 5d c3 83 e0 03 55 83 f8 02 89 e5 74 17 83 f8 03 74 05 48 75 09 eb 09 b8 02 00 00 00 eb 0b <0f> 0b 31 c0 eb 05 b8 01 00 00 00 5d c3 55 89 e5 57 56 89 d6 8d
    EIP: [<e24f180d>] nfs4_access_to_omode+0x1c/0x29 [nfsd] SS:ESP 0068:dd54dde0
    ---[ end trace 2b0bf6c6557cb284 ]---
    
    The trace route is:
    
     -> nfsd4_lock()
       -> if (lock->lk_is_new) {
         -> alloc_init_lock_stateid()
    
            3739: stp->st_access_bmap = 0;
    
       ->if (status && lock->lk_is_new && lock_sop)
         -> release_lockowner()
          -> free_generic_stateid()
           -> nfs4_access_bmap_to_omode()
              -> nfs4_access_to_omode()
    
            380: BUG();   *****
    
    This problem was introduced by 0997b17.
    
    Reported-by: Mi Jinlong <mijinlong@cn.fujitsu.com>
    Tested-by: Mi Jinlong <mijinlong@cn.fujitsu.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    J. Bruce Fields committed with gregkh Mar 28, 2011
  3. nfsd: fix auth_domain reference leak on nlm operations

    commit 954032d upstream.
    
    This was noticed by users who performed more than 2^32 lock operations
    and hence made this counter overflow (eventually leading to
    use-after-free's).  Setting rq_client to NULL here means that it won't
    later get auth_domain_put() when it should be.
    
    Appears to have been introduced in 2.5.42 by "[PATCH] kNFSd: Move auth
    domain lookup into svcauth" which moved most of the rq_client handling
    to common svcauth code, but left behind this one line.
    
    Cc: Neil Brown <neilb@suse.de>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    J. Bruce Fields committed with gregkh Mar 25, 2011
  4. ext4: fix credits computing for indirect mapped files

    commit 5b41395 upstream.
    
    When writing a contiguous set of blocks, two indirect blocks could be
    needed depending on how the blocks are aligned, so we need to increase
    the number of credits needed by one.
    
    [ Also fixed another bug which could further underestimate the
      number of journal credits needed by 1; the code was using integer
      division instead of DIV_ROUND_UP() -- tytso]
    
    Signed-off-by: Yongqiang Yang <xiaoqiangnk@gmail.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    YANGYongqiang committed with gregkh Apr 4, 2011
  5. ext4: fix a double free in ext4_register_li_request

    commit 46e4690 upstream.
    
    In ext4_register_li_request, we malloc an ext4_li_request and
    insert it into ext4_li_info->li_request_list. In case of any
    error later, we free it in the end.  But if we have some error
    in ext4_run_lazyinit_thread, the whole li_request_list will be
    dropped and freed in it. So we will double free this ext4_li_request.
    
    This patch just sets elr to NULL after it is inserted to the list
    so that the latter kfree won't double free it.
    
    Signed-off-by: Tao Ma <boyu.mt@taobao.com>
    Reviewed-by: Lukas Czerner <lczerner@redhat.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    taoma-tm committed with gregkh Apr 4, 2011
  6. atm/solos-pci: Don't flap VCs when carrier state changes

    commit c031235 upstream.
    
    Don't flap VCs when carrier state changes; higher-level protocols
    can detect loss of connectivity and act accordingly. This is more
    consistent with how other network interfaces work.
    
    We no longer use release_vccs() so we can delete it.
    
    release_vccs() was duplicated from net/atm/common.c; make the
    corresponding function exported, since other code duplicates it
    and could leverage it if it were public.
    
    Signed-off-by: Philip A. Prindeville <philipp@redfish-solutions.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    pprindeville committed with gregkh Mar 30, 2011
  7. atm/solos-pci: Don't include frame pseudo-header on transmit hex-dump

    commit 18b429e upstream.
    
    Omit pkt_hdr preamble when dumping transmitted packet as hex-dump;
    we can pull this up because the frame has already been sent, and
    dumping it is the last thing we do with it before freeing it.
    
    Also include the size, vpi, and vci in the debug as is done on
    receive.
    
    Use "port" consistently instead of "device" intermittently.
    
    Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    pprindeville committed with gregkh Mar 30, 2011
  8. Squashfs: handle corruption of directory structure

    commit 44cff8a upstream.
    
    Handle the rare case where a directory metadata block is uncompressed and
    corrupted, leading to a kernel oops in directory scanning (memcpy).
    Normally corruption is detected at the decompression stage and dealt with
    then, however, this will not happen if:
    
    - metadata isn't compressed (users can optionally request no metadata
      compression), or
    - the compressed metadata block was larger than the original, in which
      case the uncompressed version was used, or
    - the data was corrupt after decompression
    
    This patch fixes this by adding some sanity checks against known maximum
    values.
    
    Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    plougher committed with gregkh Mar 15, 2011
  9. Squashfs: Use vmalloc rather than kmalloc for zlib workspace

    commit 117a91e upstream.
    
    Bugzilla bug 31422 reports occasional "page allocation failure. order:4"
    at Squashfs mount time.  Fix this by making zlib workspace allocation
    use vmalloc rather than kmalloc.
    
    Reported-by: Mehmet Giritli <mehmet@giritli.eu>
    Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    plougher committed with gregkh Mar 22, 2011
  10. Revert "x86: Cleanup highmap after brk is concluded"

    This reverts upstream commit e5f15b4
    
    It caused problems in the stable tree and should not have been there.
    
    Cc: Yinghai Lu <yinghai@kernel.org>
    Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    gregkh committed Apr 11, 2011
  11. acer-wmi: does not set persistence state by rfkill_init_sw_state

    commit 8215af0 upstream.
    
    The Acer BIOS keeps device states when the system reboots, but resets to
    the default device states (Wlan on, Bluetooth off, wwan on) if the system
    cold boots. That means the BIOS's initial state is not always real
    persistence.
    
    So, removed rfkill_init_sw_state because it sets the initial state to
    persistence and then replicates it to other new killswitches when
    rfkill-input is enabled.
    After removing it, acer-wmi sets the initial soft-block state after rfkill
    registration, and doesn't allow set_block until rfkill initialization has
    finished.
    
    Reference: bko#31002
    	https://bugzilla.kernel.org/show_bug.cgi?id=31002
    
    Cc: Carlos Corbacho <carlos@strangeworlds.co.uk>
    Cc: Matthew Garrett <mjg@redhat.com>
    Cc: Dmitry Torokhov <dtor@mail.ru>
    Cc: Corentin Chary <corentincj@iksaif.net>
    Cc: Oldřich Jedlička <oldium.pro@seznam.cz>
    Cc: Johannes Berg <johannes@sipsolutions.net>
    Signed-off-by: Chun-Yi Lee <jlee@novell.com>
    Signed-off-by: Matthew Garrett <mjg@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Chun-Yi Lee committed with gregkh Mar 28, 2011
  12. drivers/media/video/tlg2300/pd-video.c: Remove second mutex_unlock in pd_vidioc_s_fmt

    commit a07500e upstream.
    
    Error path in file drivers/media/video/tlg2300/pd-video.c:
    1. First mutex_unlock on &pd->lock in line 767 (in a function that is
       called from line 805)
    2. Second in line 806
    
     805        pd_vidioc_s_fmt(pd, &f->fmt.pix);
     806        mutex_unlock(&pd->lock);
    
    Found by Linux Device Drivers Verification Project
    
    Signed-off-by: Alexander Strakh <strakh@ispras.ru>
    Acked-by: Huang Shijie <shijie8@gmail.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    cromlehg committed with gregkh Jan 25, 2011
  13. sound/oss: remove offset from load_patch callbacks

    commit b769f49 upstream.
    
    Was: [PATCH] sound/oss/midi_synth: prevent underflow, use of
    uninitialized value, and signedness issue
    
    The offset passed to midi_synth_load_patch() can be essentially
    arbitrary.  If it's greater than the header length, this will result in
    a copy_from_user(dst, src, negative_val).  While this will just return
    -EFAULT on x86, on other architectures this may cause memory corruption.
    Additionally, the length field of the sysex_info structure may not be
    initialized prior to its use.  Finally, a signed comparison may result
    in an unintentionally large loop.
    
    On suggestion by Takashi Iwai, version two removes the offset argument
    from the load_patch callbacks entirely, which also resolves similar
    issues in opl3.  Compile tested only.
    
    v3 adjusts comments and hopefully gets copy offsets right.
    
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Dan Rosenberg committed with gregkh Mar 23, 2011
  14. netfilter: h323: bug in parsing of ASN1 SEQOF field

    commit b4232a2 upstream.
    
    Static analyzer of clang found a dead store which appears to be a bug in
    reading count of items in SEQOF field, only the lower byte of word is
    stored. This may lead to corrupted read and communication shutdown.
    
    The bug has been in the module since its first inclusion into the Linux
    kernel.
    
    [Patrick: the bug is real, but without practical consequence since the
     largest amount of sequence-of members we parse is 30.]
    
    Signed-off-by: David Sterba <dsterba@suse.cz>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    kdave committed with gregkh Apr 4, 2011
  15. econet: 4 byte infoleak to the network

    commit 67c5c6c upstream.
    
    struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
    x86_64.  These bytes are not initialized in the variable 'ah' before
    sending 'ah' to the network.  This leads to a 4-byte kernel stack
    infoleak.
    
    This bug was introduced before the git epoch.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 17, 2011
  16. drivers/leds/leds-lp5521.c: world-writable sysfs engine* files

    commit 67d1da7 upstream.
    
    Don't allow everybody to change LED settings.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Cc: Richard Purdie <rpurdie@rpsys.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 22, 2011
  17. drivers/leds/leds-lp5523.c: world-writable engine* sysfs files

    commit ccd7510 upstream.
    
    Don't allow everybody to change LED settings.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Cc: Richard Purdie <rpurdie@rpsys.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 22, 2011
  18. drivers/misc/ep93xx_pwm.c: world-writable sysfs files

    commit deb187e upstream.
    
    Don't allow everybody to change device settings.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Hartley Sweeten <hartleys@visionengravers.com>
    Cc: Matthieu Crapet <mcrapet@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 22, 2011
  19. drivers/rtc/rtc-ds1511.c: world-writable sysfs nvram file

    commit 49d50fb upstream.
    
    Don't allow everybody to write to NVRAM.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Cc: Andy Sharp <andy.sharp@onstor.com>
    Cc: Alessandro Zummo <a.zummo@towertech.it>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 22, 2011
  20. mfd: ab3100: world-writable debugfs *_priv files

    commit f8a0697 upstream.
    
    Don't allow everybody to change device hardware registers.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Linus Walleij <linus.walleij@stericsson.com>
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Feb 4, 2011
  21. mfd: ab3500: world-writable debugfs register-* files

    commit 90c861c upstream.
    
    Don't allow everybody to interact with hardware registers.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Linus Walleij <linus.walleij@stericsson.com>
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Feb 4, 2011
  22. mfd: ab8500: world-writable debugfs register-* files

    commit 44bdcb5 upstream.
    
    Don't allow everybody to interact with hardware registers.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Linus Walleij <linus.walleij@stericsson.com>
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Feb 4, 2011
  23. scsi_transport_iscsi: make priv_sess file writeable only by root

    commit 523f3c8 upstream.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Mike Christie <michaelc@cs.wisc.edu>
    Signed-off-by: James Bottomley <James.Bottomley@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Feb 4, 2011
  24. ipv6: netfilter: ip6_tables: fix infoleak to userspace

    commit 6a8ab06 upstream.
    
    Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
    copied from userspace.  Fields of these structs that are
    zero-terminated strings are not checked.  When they are used as argument
    to a format string containing "%s" in request_module(), some sensitive
    information is leaked to userspace via argument of spawned modprobe
    process.
    
    The first bug was introduced before the git epoch;  the second was
    introduced in 3bc3fe5 (v2.6.25-rc1);  the third is introduced by
    6b7d31f (v2.6.15-rc1).  To trigger the bug one should have
    CAP_NET_ADMIN.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 15, 2011
  25. netfilter: ipt_CLUSTERIP: fix buffer overflow

    commit 961ed18 upstream.
    
    'buffer' string is copied from userspace.  It is not checked whether it is
    zero terminated.  This may lead to overflow inside of simple_strtoul().
    Changli Gao suggested to copy not more than user supplied 'size' bytes.
    
    It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
    root writable only by default, however, on some setups permissions might be
    relaxed to e.g. network admin user.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Changli Gao <xiaosuo@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Mar 20, 2011