- 24 Feb, 2011 40 commits
-
-
Shirish Pargaonkar authored
commit 5e640927 upstream. LANMAN response length was changed to 16 bytes instead of 24 bytes. Revert it back to 24 bytes. Signed-off-by:
Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by:
Steve French <sfrench@us.ibm.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Jeff Layton authored
commit 96161256 upstream. The code finds, the '%' sign in an ipv6 address and copies that to a buffer allocated on the stack. It then ignores that buffer, and passes 'pct' to simple_strtoul(), which doesn't work right because we're comparing 'endp' against a completely different string. Fix it by passing the correct pointer. While we're at it, this is a good candidate for conversion to strict_strtoul as well. Cc: David Howells <dhowells@redhat.com> Reported-by:
Björn JACKE <bj@sernet.de> Signed-off-by:
Jeff Layton <jlayton@redhat.com> Signed-off-by:
-
Russell King authored
commit a9ad21fe upstream. When SMP_ON_UP is used and the spinlocks are inlined, we end up with inline spinlocks in the exit code, with references from the SMP alternatives section to the exit sections. This causes link time errors. Avoid this by placing the exit sections in the init-discarded region. Tested-by:
Dave Martin <dave.martin@linaro.org> Signed-off-by:
Russell King <rmk+kernel@arm.linux.org.uk> Signed-off-by:
-
Russell King authored
commit 53399053 upstream. Ensure a predictable endian state when entering signal handlers. This avoids programs which use SETEND to momentarily switch their endian state from having their signal handlers entered with an unpredictable endian state. Acked-by:
-
Geert Uytterhoeven authored
commit 2400982a upstream. Commit e3c92215 ("[media] radio-aimslab.c: Fix gcc 4.5+ bug") removed the include, but introduced new callers of msleep(): | drivers/media/radio/radio-aimslab.c: In function ‘rt_decvol’: | drivers/media/radio/radio-aimslab.c:76: error: implicit declaration of function ‘msleep’ Signed-off-by:
Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by:
Mauro Carvalho Chehab <mchehab@redhat.com> Cc: dann frazier <dannf@debian.org> Signed-off-by:
-
Pablo Neira Ayuso authored
commit c71caf41 upstream. In 13ee6ac5 netfilter: fix race in conntrack between dump_table and destroy, we recovered spinlocks to protect the dump of the conntrack table according to reports from Stephen and acknowledgments on the issue from Eric. In that patch, the refcount bump that allows to keep a reference to the current ct object was removed. However, we still decrement the refcount for that object in the output path of ctnetlink_dump_table(): if (last) nf_ct_put(last) Cc: Stephen Hemminger <stephen.hemminger@vyatta.com> Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org> Acked-by:
Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
-
Stephen Hemminger authored
commit 13ee6ac5 upstream. The netlink interface to dump the connection tracking table has a race when entries are deleted at the same time. A customer reported a crash and the backtrace showed thatctnetlink_dump_table was running while a conntrack entry was being destroyed. (see https://bugzilla.vyatta.com/show_bug.cgi?id=6402 ). According to RCU documentation, when using hlist_nulls the reader must handle the case of seeing a deleted entry and not proceed further down the linked list. The old code would continue which caused the scan to walk into the free list. This patch uses locking (rather than RCU) for this operation which is guaranteed safe, and no longer requires getting reference while doing dump operation. Signed-off-by:
Stephen Hemminger <shemminger@vyatta.com> Signed-off-by:
-
Clemens Ladisch authored
commit 2c6315da upstream. On systems where the temperature sensor is actually used, the BIOS is likely to have locked the alarm registers. In that case, all writes through the corresponding sysfs files would be silently ignored. To prevent this, detect the locks and make the affected sysfs files read-only. Signed-off-by:
Clemens Ladisch <clemens@ladisch.de> Signed-off-by:
Guenter Roeck <guenter.roeck@ericsson.com> Signed-off-by:
-
Clemens Ladisch authored
commit d5622f5b upstream. The documentation lists standard numbers and chip names in excruciating detail, but that's all it does. To help mere mortals in deciding whether to enable this driver, mention what this sensor is for and in which systems it might be found. Also add a link to the actual JC 42.4 specification. Signed-off-by:
-
Clemens Ladisch authored
commit e8667296 upstream. In set_temp_crit_hyst(), make the variable 'val' have the correct type for strict_strtoul(). Signed-off-by:
-
Clemens Ladisch authored
commit aa4790a6 upstream. Add the PCI ID to support the internal temperature sensor of the AMD "Llano" and "Brazos" processor families. Signed-off-by:
-
Robert Richter authored
commit ca86828c upstream. This patch adds the PCI northbridge device id for AMD CPU families 12h and 14h. Both families have implemented the same PCI northbridge device. There are some future use cases that use this PCI device and we would like to clarify its naming. Signed-off-by:
Robert Richter <robert.richter@amd.com> Cc: xen-devel@lists.xensource.com <xen-devel@lists.xensource.com> Cc: Keir Fraser <keir@xen.org> Cc: Jan Beulich <JBeulich@novell.com> LKML-Reference: <20110106165107.GL4739@erda.amd.com> Signed-off-by:
Ingo Molnar <mingo@elte.hu> Signed-off-by:
-
Jan Beulich authored
commit f065a93e upstream. The interface is identical EMC6D102, so all that needs to be added are some definitions and their uses. Registers apparently missing in EMC6D103S/EMC6D103:A2 compared to EMC6D103:A0, EMC6D103:A1, and EMC6D102 (according to the data sheets), but used unconditionally in the driver: 62[5:7], 6D[0:7], and 6E[0:7]. For that reason, EMC6D103S chips don't get enabled for the time being. Signed-off-by:
Jan Beulich <jbeulich@novell.com> (Guenter Roeck: Replaced EMC6D103_A2 with EMC6D103S per EMC6D103S datasheet) Signed-off-by:
-
David Henningsson authored
commit 89724958 upstream. Without this patch, one line-out and one speaker and Conexant's auto parser would announce (non-working) surround capabilities. BugLink: http://bugs.launchpad.net/bugs/721126 Signed-off-by:
David Henningsson <david.henningsson@canonical.com> Signed-off-by:
Takashi Iwai <tiwai@suse.de> Signed-off-by:
-
Takashi Iwai authored
commit eaae55da upstream. Use strlcpy() to assure not to overflow the string array sizes by too long USB device name string. Reported-by:
Rafa <rafa@mwrinfosecurity.com> Signed-off-by:
-
David Henningsson authored
commit b540afc2 upstream. The bug reporter claims that position_fix=1 is needed for his microphone to work. The controller PCI vendor-id is [1002:4383] (rev 40). Reported-by: Kjell L. BugLink: http://bugs.launchpad.net/bugs/718402 Signed-off-by:
-
Stanislaw Gruszka authored
commit c91d0155 upstream. Patch fixes: https://bugzilla.redhat.com/show_bug.cgi?id=654599 Many users report very low speed problem on 3945 devices, this patch fixes problem, but only for some of them. For unknown reason, sometimes after hw scanning, device is not able to receive frames at high rate. Since plcp health check may request hw scan to "reset radio", performance problem start to be observable after update kernel to .35, where plcp check was introduced. Bug reporter confirmed that removing plcp check fixed problem for him. Reported-and-tested-by:
SilvioTO <silviotoya@yahoo.it> Signed-off-by:
Stanislaw Gruszka <sgruszka@redhat.com> Acked-by:
Wey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by:
John W. Linville <linville@tuxdriver.com> Signed-off-by:
-
Eric Dumazet authored
commit ceaaec98 upstream. commit 9b5e383c (net: Introduce unregister_netdevice_many()) left an active LIST_HEAD() in rollback_registered(), with possible memory corruption. Even if device is freed without touching its unreg_list (and therefore touching the previous memory location holding LISTE_HEAD(single), better close the bug for good, since its really subtle. (Same fix for default_device_exit_batch() for completeness) Reported-by:
Michal Hocko <mhocko@suse.cz> Tested-by:
Eric W. Biderman <ebiderman@xmission.com> Tested-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Tejun Heo authored
commit 3233cdbd upstream. MAYDAY_INITIAL_TIMEOUT is defined as HZ / 100 and depending on configuration may end up 0 or 1. Even when it's 1, depending on when the mayday timer is added in the current jiffy interval, it may expire way before a jiffy has passed. Make sure MAYDAY_INITIAL_TIMEOUT is at least two to guarantee that at least a full jiffy has passed before calling rescuers. Signed-off-by:
Tejun Heo <tj@kernel.org> Reported-by:
Ray Jui <rjui@broadcom.com> Signed-off-by:
-
Tejun Heo authored
commit 7576958a upstream. After executing the matching works, a rescuer leaves the gcwq whether there are more pending works or not. This may decrease the concurrency level to zero and stall execution until a new work item is queued on the gcwq. Make rescuer wake up a regular worker when it leaves a gcwq if there are more works to execute, so that execution isn't stalled. Signed-off-by:
-
Timo Warns authored
commit fa7ea87a upstream. Validate number of blocks in map and remove redundant variable. Signed-off-by:
Timo Warns <warns@pre-sense.de> Signed-off-by:
-
Alex Deucher authored
commit 9f4283f4 upstream. The fixed ref/post dividers are set by the AdjustPll table rather than the ss info table on dce4+. Make sure we enable the fractional feedback dividers when using a fixed post or ref divider on them as well. Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=29272 Signed-off-by:
Alex Deucher <alexdeucher@gmail.com> Signed-off-by:
Dave Airlie <airlied@redhat.com> Signed-off-by:
-
Stanislaw Gruszka authored
commit 2e725a06 upstream. Currently we return 0 in swsusp_alloc() when alloc_image_page() fails. Fix that. Also remove unneeded "error" variable since the only useful value of error is -ENOMEM. [rjw: Fixed up the changelog and changed subject.] Signed-off-by:
Stanislaw Gruszka <stf_xl@wp.pl> Signed-off-by:
Rafael J. Wysocki <rjw@sisk.pl> Signed-off-by:
-
Jacob Pan authored
This is a backport for 2.6.37 stable. The original commit ID is 6550904d Offlining the secondary CPU causes the timer irq affinity to be set to CPU 0. When the secondary CPU is back online again, the wrong irq affinity will be used. This patch ensures secondary per CPU timer always has the correct IRQ affinity when enabled. Signed-off-by:
Jacob Pan <jacob.jun.pan@linux.intel.com> LKML-Reference: <1294963604-18111-1-git-send-email-jacob.jun.pan@linux.intel.com> Signed-off-by:
H. Peter Anvin <hpa@linux.intel.com> Signed-off-by:
-
Martin Schwidefsky authored
commit 261cd298 upstream. task_show_regs used to be a debugging aid in the early bringup days of Linux on s390. /proc/<pid>/status is a world readable file, it is not a good idea to show the registers of a process. The only correct fix is to remove task_show_regs. Reported-by:
Al Viro <viro@zeniv.linux.org.uk> Signed-off-by:
Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by:
-
Borislav Petkov authored
Upstream commits: 93789b32, 1c9d16e3 ea530692 made a CPU use monitor/mwait when offline. This is not the optimal choice for AMD wrt to powersavings and we'd prefer our cores to halt (i.e. enter C1) instead. For this, the same selection whether to use monitor/mwait has to be used as when we select the idle routine for the machine. With this patch, offlining cores 1-5 on a X6 machine allows core0 to boost again. [ hpa: putting this in urgent since it is a (power) regression fix ] Reported-by:
Andreas Herrmann <andreas.herrmann3@amd.com> Cc: H. Peter Anvin <hpa@linux.intel.com> Cc: Arjan van de Ven <arjan@linux.intel.com> Cc: Len Brown <lenb@kernel.org> Cc: Venkatesh Pallipadi <venki@google.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.hl> Signed-off-by:
Borislav Petkov <borislav.petkov@amd.com> LKML-Reference: <1295534572-10730-1-git-send-email-bp@amd64.org> Signed-off-by:
-
NeilBrown authored
commit 47c85291 upstream. These functions return an nfs status, not a host_err. So don't try to convert before returning. This is a regression introduced by 3c726023 ; I fixed up two of the callers, but missed these two. Reported-by:
Herbert Poetzl <herbert@13thfloor.at> Signed-off-by:
NeilBrown <neilb@suse.de> Signed-off-by:
J. Bruce Fields <bfields@redhat.com> Signed-off-by:
-
Rafael J. Wysocki authored
This is a backport of mainline kernel commit 2a5d2428. Commit 9630bdd9 (ACPI: Use GPE reference counting to support shared GPEs) introduced a suspend regression where boxes resume immediately after being suspended due to the lid or sleep button wakeup status not being cleared properly. This happens if the GPEs corresponding to those devices are not enabled all the time, which apparently is expected by some BIOSes. To fix this problem, enable button and lid GPEs unconditionally during initialization and keep them enabled all the time, regardless of whether or not the ACPI button driver is used. References: https://bugzilla.kernel.org/show_bug.cgi?id=27372 Reported-and-tested-by:
Ferenc Wágner <wferi@niif.hu> Signed-off-by:
-
Chris Wright authored
commit a628e7b8 upstream. This reintroduces commit 47970b1b which was subsequently reverted as f00eaeea. The original change was broken and caused X startup failures and generally made privileged processes incapable of reading device dependent config space. The normal capable() interface returns true on success, but the LSM interface returns 0 on success. This thinko is now fixed in this patch, and has been confirmed to work properly. So, once again...Eric Paris noted that commit de139a33 ("pci: check caps from sysfs file open to read device dependent config space") caused the capability check to bypass security modules and potentially auditing. Rectify this by calling security_capable() when checking the open file's capabilities for config space reads. Reported-by:
Eric Paris <eparis@redhat.com> Tested-by:
Dave Young <hidave.darkstar@gmail.com> Acked-by:
James Morris <jmorris@namei.org> Cc: Dave Airlie <airlied@gmail.com> Cc: Alex Riesen <raa.lkml@gmail.com> Cc: Sedat Dilek <sedat.dilek@googlemail.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
Chris Wright <chrisw@sous-sol.org> Signed-off-by:
-
Chris Wright authored
commit 6037b715 upstream. Expand security_capable() to include cred, so that it can be usable in a wider range of call sites. Signed-off-by:
Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by:
-
Tetsuo Handa authored
commit fb2b2a1d upstream. In prepare_kernel_cred() since 2.6.29, put_cred(new) is called without assigning new->usage when security_prepare_creds() returned an error. As a result, memory for new and refcount for new->{user,group_info,tgcred} are leaked because put_cred(new) won't call __put_cred() unless old->usage == 1. Fix these leaks by assigning new->usage (and new->subscribers which was added in 2.6.32) before calling security_prepare_creds(). Signed-off-by:
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by:
David Howells <dhowells@redhat.com> Signed-off-by:
-
Tetsuo Handa authored
commit 2edeaa34 upstream. In cred_alloc_blank() since 2.6.32, abort_creds(new) is called with new->security == NULL and new->magic == 0 when security_cred_alloc_blank() returns an error. As a result, BUG() will be triggered if SELinux is enabled or CONFIG_DEBUG_CREDENTIALS=y. If CONFIG_DEBUG_CREDENTIALS=y, BUG() is called from __invalid_creds() because cred->magic == 0. Failing that, BUG() is called from selinux_cred_free() because selinux_cred_free() is not expecting cred->security == NULL. This does not affect smack_cred_free(), tomoyo_cred_free() or apparmor_cred_free(). Fix these bugs by (1) Set new->magic before calling security_cred_alloc_blank(). (2) Handle null cred->security in creds_are_invalid() and selinux_cred_free(). Signed-off-by:
-
Dan Rosenberg authored
commit 51788b1b upstream. Commit bf5fc093 refactored btrfs_ioctl_space_info() and introduced several security issues. space_args.space_slots is an unsigned 64-bit type controlled by a possibly unprivileged caller. The comparison as a signed int type allows providing values that are treated as negative and cause the subsequent allocation size calculation to wrap, or be truncated to 0. By providing a size that's truncated to 0, kmalloc() will return ZERO_SIZE_PTR. It's also possible to provide a value smaller than the slot count. The subsequent loop ignores the allocation size when copying data in, resulting in a heap overflow or write to ZERO_SIZE_PTR. The fix changes the slot count type and comparison typecast to u64, which prevents truncation or signedness errors, and also ensures that we don't copy more data than we've allocated in the subsequent loop. Note that zero-size allocations are no longer possible since there is already an explicit check for space_args.space_slots being 0 and truncation of this value is no longer an issue. Signed-off-by:
Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by:
Josef Bacik <josef@redhat.com> Reviewed-by:
Chris Mason <chris.mason@oracle.com> Signed-off-by:
-
Tetsuo Handa authored
commit 78d29788 upstream. In get_empty_filp() since 2.6.29, file_free(f) is called with f->f_cred == NULL when security_file_alloc() returned an error. As a result, kernel will panic() due to put_cred(NULL) call within RCU callback. Fix this bug by assigning f->f_cred before calling security_file_alloc(). Signed-off-by:
-
Benjamin Tissoires authored
commit c64f6f93 upstream. This device used the MULTI_INPUT quirk whereas it could be used with hid-mosart instead to support the multitouch part. Reference: https://bugs.launchpad.net/ubuntu/+bug/620609/ Signed-off-by:
Benjamin Tissoires <benjamin.tissoires@enac.fr> Signed-off-by:
Jiri Kosina <jkosina@suse.cz> Signed-off-by:
-
Benjamin Tissoires authored
commit bc5ab083 upstream. This device has been reported to be an hid-cando one. Signed-off-by:
-
Dave Chinner authored
commit 0fbca4d1 upstream. Commit 368e1361 ("xfs: remove duplicate code from dquot reclaim") fails to unlock the dquot freelist when the number of loop restarts is exceeded in xfs_qm_dqreclaim_one(). This causes hangs in memory reclaim. Rework the loop control logic into an unwind stack that all the different cases jump into. This means there is only one set of code that processes the loop exit criteria, and simplifies the unlocking of all the items from different points in the loop. It also fixes a double increment of the restart counter from the qi_dqlist_lock case. Reported-by:
Malcolm Scott <lkml@malc.org.uk> Signed-off-by:
Dave Chinner <dchinner@redhat.com> Reviewed-by:
Alex Elder <aelder@sgi.com> Cc: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com> Signed-off-by:
-
Dan Carpenter authored
commit cb26a24e upstream. info->num comes from the user. It's type int. If the user passes in a negative value that would cause memory corruption. Signed-off-by:
Dan Carpenter <error27@gmail.com> Signed-off-by:
-
Stefan Bader authored
commit cf04d120 upstream. In case the mfn_list does not have enough entries to fill a p2m page we do not want the entries from max_pfn up to the boundary to be filled with unknown values. Hence set them to INVALID_P2M_ENTRY. Signed-off-by:
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by:
Stefan Bader <stefan.bader@canonical.com> Signed-off-by:
-
Stefan Bader authored
commit 8e1b4cf2 upstream. After changing the p2m mapping to a tree by commit 58e05027 xen: convert p2m to a 3 level tree and trying to boot a DomU with 615MB of memory, the following crash was observed in the dump: kernel direct mapping tables up to 26f00000 @ 1ec4000-1fff000 BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<c0107397>] xen_set_pte+0x27/0x60 *pdpt = 0000000000000000 *pde = 0000000000000000 Adding further debug statements showed that when trying to set up pfn=0x26700 the returned mapping was invalid. pfn=0x266ff calling set_pte(0xc1fe77f8, 0x6b3003) pfn=0x26700 calling set_pte(0xc1fe7800, 0x3) Although the last_pfn obtained from the startup info is 0x26700, which should in turn not be hit, the additional 8MB which are added as extra memory normally seem to be ok. This lead to looking into the initial p2m tree construction, which uses the smaller value and assuming that there is other code handling the extra memory. When the p2m tree is set up, the leaves are directly pointed to the array which the domain builder set up. But if the mapping is not on a boundary that fits into one p2m page, this will result in the last leaf being only partially valid. And as the invalid entries are not initialized in that case, things go badly wrong. I am trying to fix that by checking whether the current leaf is a complete map and if not, allocate a completely new page and copy only the valid pointers there. This may not be the most efficient or elegant solution, but at least it seems to allow me booting DomUs with memory assignments all over the range. BugLink: http://bugs.launchpad.net/bugs/686692 [v2: Redid a bit of commit wording and fixed a compile warning] Signed-off-by:
-
