Age | Commit message (Collapse) | Author | Files | Lines |
|
[IPV6]: Ensure to have hop-by-hop options in our header of &sk_buff.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
Fix an off-by-one error in the MLS compatibility code that was causing
contexts with a MLS suffix to be rejected, preventing sharing partitions
between FC4 and FC5. Bug reported in
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188068
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
this fixes an oops in 2.6.16.X when loading the snd_powermac module. The
name of the requested module changed during the 2.6.16 development cycle
from i2c-keylargo to i2c-powermac:
Signed-off-by: Guido Guenther <agx@sigxcpu.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
MTD_NAND=m and MTD_NAND_SHARPSL=y or MTD_NAND_NANDSIM=y are illegal
combinations that mustn't be allowed.
This patch fixes this bug by making MTD_NAND_SHARPSL and MTD_NAND_NANDSIM
tristate's.
Additionally, it fixes some whitespace damage at these options.
This patch was already included in Linus' tree.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
Fix for bug #6395:
Fail to resume on Tecra M2 with ADM1032 and Intel 82801DBM
The BIOS of the Tecra M2 doesn't like it when it has to reboot or
resume after the i2c-i801 driver has left the SMBus in PEC mode.
I have a more complete fix for 2.6.17 but the simple approach of
leaving the SMBus in non-PEC mode after every transaction should do
for -stable. That's what the i2c-i801 driver was doing up to 2.6.15
(inclusive).
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
On Sun, 9 Apr 2006 21:56:59 +0400,
Sergey Vlasov <vsu@altlinux.ru> wrote:
> However, show_address() does not output anything unless
> dev->reg_state == NETREG_REGISTERED - and this state is set by
> netdev_run_todo() only after netdev_register_sysfs() returns, so in
> the meantime (while netdev_register_sysfs() is busy adding the
> "statistics" attribute group) some process may see an empty "address"
> attribute.
I've tried the attached patch, suggested by Sergey Vlasov on
hotplug-devel@, and as far as i can test it works just fine.
Signed-off-by: Alexander Patrakov <patrakov@ums.usu.ru>
Signed-off-by: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
[TCP]: Fix truesize underflow
There is a problem with the TSO packet trimming code. The cause of
this lies in the tcp_fragment() function.
When we allocate a fragment for a completely non-linear packet the
truesize is calculated for a payload length of zero. This means that
truesize could in fact be less than the real payload length.
When that happens the TSO packet trimming can cause truesize to become
negative. This in turn can cause sk_forward_alloc to be -n * PAGE_SIZE
which would trigger the warning.
I've copied the code DaveM used in tso_fragment which should work here.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
Original patch by Benjamin Herrenschmidt after debugging by Brian Hinz.
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Brian Hinz <bphinz@hotmail.com>
Signed-off-by: H Peter Anvin <hpa@zytor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
The attached patch for 2.6.17-rc2 updates the 3ware 9000 driver:
- Disable local interrupts during kmap/unmap_atomic().
Signed-off-by: Adam Radford <linuxraid@amcc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
We must disable local IRQs while holding KM_IRQ0 or KM_IRQ1. Otherwise, an
IRQ handler could use those kmap slots while this code is using them,
resulting in memory corruption.
Thanks to Nick Orlov <bugfixer@list.ru> for reporting.
Cc: <linuxraid@amcc.com>
Cc: James Bottomley <James.Bottomley@SteelEye.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
|
|
AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in FXSAVE
when an exception is pending. This means the value leak through context
switches and allow processes to observe some x87 instruction state of
other processes.
This was actually documented by AMD, but nobody recognized it as being
different from Intel before.
The fix first adds an optimization: instead of unconditionally calling
FNCLEX after each FXSAVE test if ES is pending and skip it when not
needed. Then do a x87 load from a kernel variable to clear FOP/FIP/FDP.
This means other processes always will only see a constant value defined
by the kernel in their FP state.
I took some pain to make sure to chose a variable that's already in L1
during context switch to make the overhead of this low.
Also alternative() is used to patch away the new code on CPUs who don't
need it.
Patch for both i386/x86-64.
The problem was discovered originally by Jan Beulich. Richard Brunner
provided the basic code for the workarounds, with contribution from Jan.
This is CVE-2006-1056
Cc: richard.brunner@amd.com
Cc: jbeulich@novell.com
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
|
|
This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388
The bug is caused by ip_route_input dereferencing skb->nh.protocol of
the dummy skb passed dow from inet_rtm_getroute (Thanks Thomas for seeing
it). It only happens if the route requested is for a multicast IP
address.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
|
|
madvise_remove needs to respect file and mmap protections.
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
|
|
attachment (CVE-2006-1524)
I found that all of 2.4 and 2.6 have been letting mprotect give write
permission to a readonly attachment of shared memory, whether or not IPC
would give the caller that permission.
SUS says "The behaviour of this function [mprotect] is unspecified if the
mapping was not established by a call to mmap", but I don't think we can
interpret that as allowing it to subvert IPC permissions.
I haven't tried 2.2, but the 2.2.26 source looks like it gets it right; and
the patch below reproduces that behaviour - mprotect cannot be used to add
write permission to a shared memory segment attached readonly.
This patch is simple, and I'm sure it's what we should have done in 2.4.0:
if you want to go on to switch write permission on and off with mprotect,
just don't attach the segment readonly in the first place.
However, we could have accumulated apps which attach readonly (even though
they would be permitted to attach read/write), and which subsequently use
mprotect to switch write permission on and off: it's not unreasonable.
I was going to add a second ipcperms check in do_shmat, to check for
writable when readonly, and if not writable find_vma and clear VM_MAYWRITE.
But security_ipc_permission might do auditing, and it seems wrong to
report an attempt for write permission when there has been none. Or we
could flag the vma as SHM, note the shmid or shp in vm_private_data, and
then get mprotect to check.
But the patch below is a lot simpler: I'd rather stick with it, if we can
convince ourselves somehow that it'll be safe.
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
If Classical IP over ATM module is loaded, its neighbor table gets
populated when permanent neighbor entries are created; but these entries
are not flushed when the device is removed. Since the entry never gets
flushed the unregister of the network device never completes.
This version of the patch also adds locking around the reference to
the atm arp daemon to avoid races with events and daemon state changes.
(Note: barrier() was never really safe)
Bug-reference: http://bugzilla.kernel.org/show_bug.cgi?id=6295
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
This reverts most of commit 30e0fca6c1d7d26f3f2daa4dd2b12c51dadc778a.
It broke the case of non-leader MT exec when ptraced.
I think the bug it was intended to fix was already addressed by commit
788e05a67c343fa22f2ae1d3ca264e7f15c25eaf.
Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
This prevents an Oops if booted with "console=ttyUSB0" but without a
USB-serial dongle, and plugged one in afterwards.
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
strace /bin/bash misbehaves after resume; this fixes it.
(akpm: it's scary calling refrigerator() in state TASK_TRACED, but it seems to
do the right thing).
Signed-off-by: Pavel Machek <pavel@suse.cz>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
Fixes Samba bug 3621 and kernel.org bug 6147
For servers which require SMB/CIFS packet signing, we were sending the
wrong signature (all zeros) on SMB Read request. The new cifs routine
to do signatures across an iovec was not complete - and SMB Read, unlike
the new SMBWrite2, did not fall back to the older routine (ie use
SendReceive vs. the more efficient SendReceive2 ie used the older
cifs_sign_smb vs. the disabled cifs_sign_smb2) for calculating signatures.
This finishes up cifs_sign_smb2/cifs_calc_signature2 so that the callers
of SendReceive2 can get SMB/CIFS packet signatures.
Now that cifs_sign_smb2 is supported, we could start using it in
the write path but this smaller fix does not include the change
to use SMBWrite2 when signatures are required (which when enabled
will make more Writes more efficient and alloc less memory).
Currently Write2 is only used when signatures are not
required at the moment but after more testing we will enable
that as well).
Thanks to James Slepicka and Sam Flory for initial investigation.
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
At present the kernel doesn't honour an attempt to set RLIMIT_CPU to zero
seconds. But the spec says it should, and that's what 2.4.x does.
Fixing this for real would involve some complexity (such as adding a new
it-has-been-set flag to the task_struct, and testing that everwhere, instead
of overloading the value of it_prof_expires).
Given that a 2.4 kernel won't actually send the signal until one second has
expired anyway, let's just handle this case by treating the caller's
zero-seconds as one second.
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Ulrich Weigand <uweigand@de.ibm.com>
Cc: Cliff Wickman <cpw@sgi.com>
Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
SGI-PV: 949858
SGI-Modid: xfs-linux-melb:xfs-kern:25717a
Signed-off-by: Jes Sorensen <jes@sgi.com>
Signed-off-by: Nathan Scott <nathans@sgi.com>
|
|
I've encountered two problems with 2.6.16 and newer kernels on my API CS20
(dual 833MHz Alpha 21264b processors). The first is the kernel OOPSing
because of a NULL pointer dereference while trying to populate SysFS with the
CPU information. The other is that only one processor was being brought up.
I've included a small Alpha-specific patch that fixes both problems.
The first problem was caused by the CPUs never being properly registered using
register_cpu(), the way it's done on other architectures.
The second problem has to do with the removal of hwrpb_cpu_present_mask in
arch/alpha/kernel/smp.c. In setup_smp() in the 2.6.15 kernel sources,
hwrpb_cpu_present_mask has a bit set for each processor that is probed, and
afterwards cpu_present_mask is set to the cpumask for the boot CPU. In the
same function of the same file in the 2.6.16 sources, instead of
hwrpb_cpu_present_mask being set, cpu_possible_map is updated for each probed
CPU. cpu_present_mask is still set to the cpumask of the boot CPU afterwards.
The problem lies in include/asm-alpha/smp.h, where cpu_possible_map is
#define'd to be cpu_present_mask.
Cleanups from: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
- cpu_present_mask and cpu_possible_map are essentially the same thing
on alpha, as it doesn't support CPU hotplug;
- allocate "struct cpu" only for present CPUs, like sparc64 does.
Static array of "struct cpu" is just a waste of memory.
Signed-off-by: Brian Uhrain <buhrain@rosettastone.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
Fix a crash when running hpacucli with multiple logical volumes on a cciss
controller. We were not properly initializing the disk->queue and causing
a fault.
Thanks to Hasso Tepper for reporting the problem. Thanks to Steve Cameron
for root causing the problem. Most of the patch just moves things around.
The fix is a one-liner.
Signed-off-by: Mike Miller <mike.miller@hp.com>
Signed-off-by: Stephen Cameron <steve.cameron@hp.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
EDAC_752X uses pci_scan_single_device(), which is only available
if CONFIG_HOTPLUG is enabled, so limit this driver with HOTPLUG.
This patch was already included in Linus' tree.
Adrian Bunk:
Rediffed for 2.6.16.x due to unrelated context changes.
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: David S. Peterson <dsp@llnl.gov>
|
|
Missed unlock_super()call is added in error condition code path.
Signed-off-by: Leonid Ananiev <leonid.i.ananiev@intel.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
As noted further on the this file, some block devices have a / in their
name, so fix the "block:..." symlink name the same as the /sys/block name.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
Rohit found an obscure bug causing buddy list corruption.
page_is_buddy is using a non-atomic test (PagePrivate && page_count == 0)
to determine whether or not a free page's buddy is itself free and in the
buddy lists.
Each of the conjuncts may be true at different times due to unrelated
conditions, so the non-atomic page_is_buddy test may find each conjunct to
be true even if they were not both true at the same time (ie. the page was
not on the buddy lists).
Signed-off-by: Martin Bligh <mbligh@google.com>
Signed-off-by: Rohit Seth <rohitseth@google.com>
Signed-off-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
During heavy parallel filesystem activity it was possible to Oops the
kernel. The reason is that read_cache_pages() could skip pages which
have already been inserted into the cache by another task.
Occasionally this may result in zero pages actually being sent, while
fuse_send_readpages() relies on at least one page being in the
request.
So check this corner case and just free the request instead of trying
to send it.
Reported and tested by Konstantin Isakov.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
SMP kernel
This patch fixes a boot problem of the m32r SMP kernel 2.6.16-rc1-mm3 or
later.
In this patch, cpu_possible_map is statically initialized, and cpu_present_map
is also copied from cpu_possible_map in smp_prepare_cpus(), because the m32r
architecture has not supported CPU hotplug yet.
Signed-off-by: Hayato Fujiwara <fujiwara.hayato@renesas.com>
Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
Update {get,put}_user macros for m32r kernel.
- Modify get_user to use __get_user_asm macro, instead of __get_user_x macro.
- Remove arch/m32r/lib/{get,put}user.S.
- Some cosmetic updates.
I would like to thank NIIBE Yutaka for his reporting about the m32r kernel's
security problem in {get,put}_user macros.
There were no address checking for user space access in {get,put}_user macros.
;-)
Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>
Cc: NIIBE Yutaka <gniibe@fsij.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
[NETFILTER]: Fix fragmentation issues with bridge netfilter
The conntrack code doesn't do re-fragmentation of defragmented packets
anymore but relies on fragmentation in the IP layer. Purely bridged
packets don't pass through the IP layer, so the bridge netfilter code
needs to take care of fragmentation itself.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
Sky2 driver will oops referencing bad memory if used on
a dual port card. The problem is accessing past end of
MIB counter space.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
Limit USB_STORAGE_ISD200 to whatever BLK_DEV_IDE and USB_STORAGE
are set to (y, m) since isd200 calls ide_fix_driveid() in the
BLK_DEV_IDE code.
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
The MPBL0010 Telco clock driver (drivers/char/tlclk.c) uses 0222 (anyone
can write) permissions on its writable sysfs entries. Alter the
permissions to 0220 (owner and group can write).
The use case for this driver is to configure the fail over behavior of the
clock hardware. That should be done by the more privileged users.
Signed-off-by: Mark Bellon <mbellon@mvista.com>
Acked-by: Gross Mark <mark.gross@intel.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
*) When setting a sighandler using sigaction() call, if the flag
SA_ONSTACK is set and no alternate stack is provided via sigaltstack(),
the kernel still try to install the alternate stack. This behavior is
the opposite of the one which is documented in Single Unix
Specifications V3.
*) Also when setting an alternate stack using sigaltstack() with the
flag SS_DISABLE, the kernel try to install the alternate stack on
signal delivery.
These two use cases makes the process crash at signal delivery.
This fixes it.
Signed-off-by: Laurent Meyer <meyerlau@fr.ibm.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
Since the powerpc 64k pages patch went in, systems that have SLBs
(like Power4 iSeries) needed to have slb_initialize called to set up
some variables for the SLB miss handler. This was not being called
on the boot processor on iSeries, so on single cpu iSeries machines,
we would get apparent memory curruption as soon as we entered user mode.
This patch fixes that by calling slb_initialize on the boot cpu if the
processor has an SLB.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
|
|
(CVE-2006-0744)
Intel EM64T CPUs handle uncanonical return addresses differently from
AMD CPUs.
The exception is reported in the SYSRET, not the next instruction.
Thgis leads to the kernel exception handler running on the user stack
with the wrong GS because the kernel didn't expect exceptions on this
instruction.
This version of the patch has the teething problems that plagued an
earlier version fixed.
This is CVE-2006-0744
Thanks to Ernie Petrides and Asit B. Mallick for analysis and initial
patches.
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
Just call IRET always, no need for any special cases.
Needed for the next bug fix.
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
|
|
made this BUG_ON() unsafe. This code runs under ->siglock,
while switch_exec_pids() takes tasklist_lock.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
|
|
This fixes the problem of an oops occuring when a user attempts to add a
key to a non-keyring key [CVE-2006-1522].
The problem is that __keyring_search_one() doesn't check that the
keyring it's been given is actually a keyring.
I've fixed this problem by:
(1) declaring that caller of __keyring_search_one() must guarantee that
the keyring is a keyring; and
(2) making key_create_or_update() check that the keyring is a keyring,
and return -ENOTDIR if it isn't.
This can be tested by:
keyctl add user b b `keyctl add user a a @s`
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
|
|
A couple of /proc/vmcore data structures overflow with 32bit systems having
memory more than 4G. This patch fixes those.
Signed-off-by: Ken'ichi Ohmichi <oomichi@mxs.nes.nec.co.jp>
Signed-off-by: Vivek Goyal <vgoyal@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
NFSd makes sure there is enough space to hold the maximum possible reply
before accepting a request. The units for this maximum is (4byte) words.
However in three places, particularly for read request, the number given is
a number of bytes.
This means too much space is reserved which is slightly wasteful.
This is the sort of patch that could uncover a deeper bug, and it is not
critical, so it would be best for it to spend a while in -mm before going
in to mainline.
(akpm: target 2.6.17-rc2, 2.6.16.3 (approx))
Discovered-by: "Eivind Sarto" <ivan@kasenna.com>
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|