- 30 Jul, 2009 20 commits
-
-
Linus Torvalds authored
[ Upstream commit 7f818906 - modified for stable to not use the sloppy __VIRTUAL_MASK_SHIFT ] It's really not right to use 'access_ok()', since that is meant for the normal "get_user()" and "copy_from/to_user()" accesses, which are done through the TLB, rather than through the page tables. Why? access_ok() does both too few, and too many checks. Too many, because it is meant for regular kernel accesses that will not honor the 'user' bit in the page tables, and because it honors the USER_DS vs KERNEL_DS distinction that we shouldn't care about in GUP. And too few, because it doesn't do the 'canonical' check on the address on x86-64, since the TLB will do that for us. So instead of using a function that isn't meant for this, and does something else and much more complicated, just do the real rules: we don't want the range to overflow, and on x86-64, we want it to be a canonical low address (on 32-bit, all addresses are canonical). Acked-by:
Ingo Molnar <mingo@elte.hu> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Andi Kleen authored
commit 429b2b31 upstream. Need to clear both nodes and nodes_add state for start/end. Signed-off-by:
Andi Kleen <ak@linux.intel.com> LKML-Reference: <20090718065657.GA2898@basil.fritz.box> Signed-off-by:
H. Peter Anvin <hpa@zytor.com> Signed-off-by:
-
Josef Bacik authored
commit c8236db9 upstream. In testing a backport of the write_begin/write_end AOPs, a 10% re-read regression was noticed when running iozone. This regression was introduced because the old AOPs would always do a mark_page_accessed(page) after the commit_write, but when the new AOPs where introduced, the only place this was kept was in pagecache_write_end(). This patch does the same thing in the generic case as what is done in pagecache_write_end(), which is just to mark the page accessed before we do write_end(). Signed-off-by:
Josef Bacik <jbacik@redhat.com> Acked-by:
Nick Piggin <npiggin@suse.de> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
NeilBrown authored
commit b8d966ef upstream. If we try to modify one of the md/ sysfs files suspend_lo or suspend_hi when the array is not active, we dereference a NULL. Protect against that. Signed-off-by:
NeilBrown <neilb@suse.de> Signed-off-by:
-
Jiri Slaby authored
commit 025dc740 upstream. Add omitted update_lock to one switch/case in set_div. Signed-off-by:
Jiri Slaby <jirislaby@gmail.com> Acked-by:
Hans J. Koch <hjk@linutronix.de> Signed-off-by:
Jean Delvare <khali@linux-fr.org> Signed-off-by:
-
Amerigo Wang authored
commit e2dbe125 upstream. Check before use it. Signed-off-by:
WANG Cong <amwang@redhat.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: David Howells <dhowells@redhat.com> Acked-by:
Roland McGrath <roland@redhat.com> Acked-by:
James Morris <jmorris@namei.org> Signed-off-by:
-
Jiri Slaby authored
commit 4859484b upstream. Add omitted BKL to one switch/case. Signed-off-by:
Jiri Kosina <jkosina@suse.cz> Signed-off-by:
-
Takashi Iwai authored
commit 8de56b7d upstream. The master mute switch is wrongly implemented as checking the pointer instead of its value, thus it can be never muted. This patch fixes the issue. Reference: Novell bnc#404873 https://bugzilla.novell.com/show_bug.cgi?id=404873 Signed-off-by:
Takashi Iwai <tiwai@suse.de> Signed-off-by:
-
Takashi Iwai authored
commit 34fdeb2d upstream. The capture buffer size with 64kB seems broken with CA0106. At least, either the update timing or the DMA position is wrong, and this screws up pulseaudio badly. This patch restricts the max buffer size less than that to make life a bit easier. Signed-off-by:
-
Greg Kroah-Hartman authored
commit 3c43f27b upstream. commit 1a1fab51 accidentally added the device id to both tables in the driver, which causes problems as this is only a single port device, not a multiple port device. Signed-off-by:
-
David Brownell authored
commit 4e19f220 upstream. The reworked Ethernet gadget has an RNDIS interop problem when used with the CDC subset driver ... e.g. on PXA 2xx and 3xx hardware, which currently has a hard time talking to MS-Windows hosts. The issue is that Microsoft requires USB_CLASS_COMM. Fix by tweaking the CDC subset driver to not switch to USB_CLASS_VENDOR_SPEC if RNDIS is used in some other device configuration. [ UPDATED: some "statements" were comma-terminated; fix that. ] Signed-off-by:
David Brownell <dbrownell@users.sourceforge.net> Cc: Aric Blumer <aric@sdgsystems.net> Signed-off-by:
-
Alan Stern authored
commit 9180135b upstream. This patch (as1262) fixes a bug in usbfs: It refuses to accept zero-length transfers, and it insists that the buffer pointer be valid even if there is no data being transferred. The patch also consolidates a bunch of repetitive access_ok() checks into a single check, which incidentally fixes the lack of such a check for Isochronous URBs. Signed-off-by:
Alan Stern <stern@rowland.harvard.edu> Signed-off-by:
-
Oliver Neukum authored
commit 87ea8c88 upstream. Signed-off-by:
Oliver Neukum <oliver@neukum.org> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
Oliver Neukum authored
commit d794a021 upstream. This patch fixes a memory leak in devio.c::processcompl If writing to user space fails the packet must be discarded, as it already has been removed from the queue of completed packets. Signed-off-by:
-
Alan Stern authored
commit ec6d67e3 upstream. This patch (as1259b) makes ehci-hcd return the total number of bytes transferred in urb->actual_length for Isochronous transfers. Until now, the actual_length value was unaccountably left at 0. Signed-off-by:
-
Clemens Ladisch authored
commit 82639079 upstream. When resuming, we better take the DACs out of the reset state before trying to use them. Reference: kernel bug #13599 http://bugzilla.kernel.org/show_bug.cgi?id=13599 Signed-off-by:
Clemens Ladisch <clemens@ladisch.de> Signed-off-by:
-
Clemens Ladisch authored
commit 8886f33f upstream. Blue Microphones USB devices have an alternate setting that sends two channels of data to the computer. Unfortunately, the descriptors of that altsetting have a wrong channel setting, which means that any recorded data from such a device has twice the sample rate from what would be expected. This patch adds a workaround to ignore that altsetting. Since these devices have only one actual channel, no data is lost. Signed-off-by:
-
James Bottomley authored
commit d3a263a8 upstream. I recently discovered on my zalon that if the attachment fails because of a bus misconfiguration (I scrapped my HVD array, so the card is now unterminated) then the system oopses. The reason is that if ncr_attach() returns NULL (signalling failure) that NULL is passed by the goto failed straight into ncr_detach() which oopses. The fix is just to return -ENODEV in this case. Signed-off-by:
James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by:
-
Tilman Schmidt authored
commit bceb0f12 upstream. ISDN connection setup failed if the "connection active" and "B channel up" messages from the device arrived in a different order than expected. Modify the state machine to accept them in any order. Impact: bugfix Signed-off-by:
Tilman Schmidt <tilman@imap.cc> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Paul E. McKenney authored
commit 7ed9f7e5 upstream. Jesper noted that kmem_cache_destroy() invokes synchronize_rcu() rather than rcu_barrier() in the SLAB_DESTROY_BY_RCU case, which could result in RCU callbacks accessing a kmem_cache after it had been destroyed. Acked-by:
Matt Mackall <mpm@selenic.com> Reported-by:
Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by:
Paul E. McKenney <paulmck@linux.vnet.ibm.com> Signed-off-by:
Pekka Enberg <penberg@cs.helsinki.fi> Signed-off-by:
-
- 24 Jul, 2009 2 commits
-
-
Greg Kroah-Hartman authored
-
Linus Torvalds authored
commit 3730793d upstream. There's some odd bug in gcc-4.2 where it miscompiles a simple loop whent he loop counter is of type 'unsigned char' and it should count to 128. The compiler will incorrectly decide that a trivial loop like this: unsigned char i, ... for (i = 0; i < 128; i++) { .. is endless, and will compile it to a single instruction that just branches to itself. This was triggered by the addition of '-fno-strict-overflow', and we could play games with compiler versions and go back to '-fwrapv' instead, but the trivial way to avoid it is to just make the loop induction variable be an 'int' instead. Thanks to Krzysztof Oledzki for reporting and testing and to Troy Moure for digging through assembler differences and finding it. Reported-and-tested-by:
Krzysztof Oledzki <olel@ans.pl> Found-by:
Troy Moure <twmoure@szypr.net> Gcc-bug-acked-by:
Ian Lance Taylor <iant@google.com> Signed-off-by:
-
- 20 Jul, 2009 10 commits
-
-
Greg Kroah-Hartman authored
-
Linus Torvalds authored
commit a137802e upstream. This causes kernel images that don't run init to completion with certain broken gcc versions. This fixes kernel bugzilla entry: http://bugzilla.kernel.org/show_bug.cgi?id=13012 I suspect the gcc problem is this: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28230 Fix the problem by using the -fno-strict-overflow flag instead, which not only does not exist in the known-to-be-broken versions of gcc (it was introduced later than fwrapv), but seems to be much less disturbing to gcc too: the difference in the generated code by -fno-strict-overflow are smaller (compared to using neither flag) than when using -fwrapv. Reported-by:
Barry K. Nathan <barryn@pobox.com> Pushed-by:
Frans Pop <elendil@planet.nl> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
Tomasz Lemiech authored
commit 1f8ae0a2 upstream. The original patch was submitted last year but wasn't discussed or applied because of missing maintainer's CCs. I only fixed some formatting errors, but as I saw tulip is very badly formatted and needs further work. Original description: This patch fixes MTU problem, which occurs when using 802.1q VLANs. We should allow receiving frames of up to 1518 bytes in length, instead of 1514. Based on patch written by Ben McKeegan for 2.4.x kernels. It is archived at http://www.candelatech.com/~greear/vlan/howto.html#tulip I've adjusted a few things to make it apply on 2.6.x kernels. Tested on D-Link DFE-570TX quad-fastethernet card. Signed-off-by:
Tomasz Lemiech <szpajder@staszic.waw.pl> Signed-off-by:
Ivan Vecera <ivecera@redhat.com> Signed-off-by:
Ben McKeegan <ben@netservers.co.uk> Acked-by:
Grant Grundler <grundler@parisc-linux.org> Cc: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de> Signed-off-by:
-
Zhang Rui authored
commit 8bc1ad7d upstream. When the 32-bit signed quantities get assigned to the u64 resource_size_t, they are incorrectly sign-extended. Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13253 Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9905 Signed-off-by:
Zhang Rui <rui.zhang@intel.com> Reported-by:
Leann Ogasawara <leann@ubuntu.com> Cc: Pierre Ossman <drzeus@drzeus.cx> Reported-by: <pablomme@googlemail.com> Tested-by: <pablomme@googlemail.com> Cc: Jesse Barnes <jbarnes@virtuousgeek.org> Signed-off-by:
-
Jiri Slaby authored
commit 8516a500 upstream. A crappy macro prevents us unlocking on a fail path. Expand the macro and unlock appropriatelly. Signed-off-by:
-
David Woodhouse authored
commit a15a519e upstream. This fixes kernel.org bug #13584. The IOVA code attempted to optimise the insertion of new ranges into the rbtree, with the unfortunate result that some ranges just didn't get inserted into the tree at all. Then those ranges would be handed out more than once, and things kind of go downhill from there. Introduced after 2.6.25 by ddf02886 ("PCI: iova RB tree setup tweak"). Signed-off-by:
David Woodhouse <David.Woodhouse@intel.com> Cc: mark gross <mgross@linux.intel.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
Christoph Lameter authored
commit e0a94c2a upstream. This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY. It also sets a default mmap_min_addr of 4096. mmapping of addresses below 4096 will only be possible for processes with CAP_SYS_RAWIO. Signed-off-by:
Christoph Lameter <cl@linux-foundation.org> Acked-by:
Eric Paris <eparis@redhat.com> Looks-ok-by:
-
Julien Tinnes authored
commit f9fabcb5 upstream. We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO. The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE. We believe it is important to add MMAP_PAGE_ZERO, because by using this personality it is possible to have the first page mapped inside a process running as setuid root. This could be used in those scenarios: - Exploiting a NULL pointer dereference issue in a setuid root binary - Bypassing the mmap_min_addr restrictions of the Linux kernel: by running a setuid binary that would drop privileges before giving us control back (for instance by loading a user-supplied library), we could get the first page mapped in a process we control. By further using mremap and mprotect on this mapping, we can then completely bypass the mmap_min_addr restrictions. Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added since on x86 32bits it will in practice disable most of the address space layout randomization (only the stack will remain randomized). Signed-off-by:
Julien Tinnes <jt@cr0.org> Signed-off-by:
Tavis Ormandy <taviso@sdf.lonestar.org> Acked-by:
Christoph Hellwig <hch@infradead.org> Acked-by:
Kees Cook <kees@ubuntu.com> Acked-by:
Eugene Teo <eugene@redhat.com> [ Shortened lines and fixed whitespace as per Christophs' suggestion ] Signed-off-by:
-
Eugene Teo authored
commit a3ca86ae upstream. Turning on this flag could prevent the compiler from optimising away some "useless" checks for null pointers. Such bugs can sometimes become exploitable at compile time because of the -O2 optimisation. See http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Optimize-Options.html An example that clearly shows this 'problem' is commit 6bf67672 . static void __devexit agnx_pci_remove(struct pci_dev *pdev) { struct ieee80211_hw *dev = pci_get_drvdata(pdev); - struct agnx_priv *priv = dev->priv; + struct agnx_priv *priv; AGNX_TRACE; if (!dev) return; + priv = dev->priv; By reverting this patch, and compile it with and without -fno-delete-null-pointer-checks flag, we can see that the check for dev is compiled away. call printk # - testq %r12, %r12 # dev - je .L94 #, movq %r12, %rdi # dev, Clearly the 'fix' is to stop using dev before it is tested, but building with -fno-delete-null-pointer-checks flag at least makes it harder to abuse. Signed-off-by:
Eugene Teo <eugeneteo@kernel.sg> Acked-by:
-
Greg Kroah-Hartman authored
This reverts commit 9fad9f26. It is really commit 4d89b7b4 that is being reverted here, it's a patch that should not have been applied to the .27 tree. Signed-off-by:
-
- 02 Jul, 2009 8 commits
-
-
Greg Kroah-Hartman authored
-
Justin P. Mattock authored
commit d15bd106 upstream. This fixes an error when compiling the kernel. CHK include/linux/version.h HOSTCC scripts/unifdef scripts/unifdef.c:209: error: conflicting types for 'getline' /usr/include/stdio.h:651: note: previous declaration of 'getline' was here make[1]: *** [scripts/unifdef] Error 1 make: *** [__headers] Error 2 Signed-off-by:
Justin P. Mattock <justinmattock@gmail.com> Cc: Frederic Weisbecker <fweisbec@gmail.com> Signed-off-by:
Sam Ravnborg <sam@ravnborg.org> Cc: Gilles Espinasse <g.esp@free.fr> Signed-off-by:
-
Renaud Lottiaux authored
commit df279ca8 upstream. The file opened in acct_on and freshly stored in the ns->bacct struct can be closed in acct_file_reopen by a concurrent call after we release acct_lock and before we call mntput(file->f_path.mnt). Record file->f_path.mnt in a local variable and use this variable only. Signed-off-by:
Renaud Lottiaux <renaud.lottiaux@kerlabs.com> Signed-off-by:
Louis Rilling <louis.rilling@kerlabs.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by:
-
Milan Broz authored
commit 4d89b7b4 upstream. Do not process sysfs attributes when device is being destroyed. Otherwise code can cause BUG_ON(test_bit(DMF_FREEING, &md->flags)); in dm_put() call. Signed-off-by:
Milan Broz <mbroz@redhat.com> Signed-off-by:
Alasdair G Kergon <agk@redhat.com> Signed-off-by:
-
Mikulas Patocka authored
commit 0e0497c0 upstream. The parser reads the argument count as a number but doesn't check that sufficient arguments are supplied. This command triggers the bug: dmsetup create mpath --table "0 `blockdev --getsize /dev/mapper/cr0` multipath 0 0 2 1 round-robin 1000 0 1 1 /dev/mapper/cr0 round-robin 0 1 1 /dev/mapper/cr1 1000" kernel BUG at drivers/md/dm-mpath.c:530! Signed-off-by:
Mikulas Patocka <mpatocka@redhat.com> Signed-off-by:
-
Mikulas Patocka authored
commit e094f4f1 upstream. Fix arg count parsing error in hw handlers. Signed-off-by:
-
Dimitri Sivanich authored
commit 364df0eb upstream. After downing/upping a cpu, an attempt to set /proc/sys/vm/percpu_pagelist_fraction results in an oops in percpu_pagelist_fraction_sysctl_handler(). If a processor is downed then we need to set the pageset pointer back to the boot pageset. Updates of the high water marks should not access pagesets of unpopulated zones (those pointer go to the boot pagesets which would be no longer functional if their size would be increased beyond zero). Signed-off-by:
Dimitri Sivanich <sivanich@sgi.com> Signed-off-by:
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Cc: Nick Piggin <nickpiggin@yahoo.com.au> Cc: Mel Gorman <mel@csn.ul.ie> Signed-off-by:
-
Clemens Ladisch authored
commit 6423f9ea upstream. When decoding (N)RPN sequencer events into raw MIDI commands, the extra_decode_xrpn() function had accidentally swapped the MSB and LSB controller values of both the parameter number and the data value. Signed-off-by:
-
