Commit log. Each entry lists: commit message [tag, where any] (author, date; files changed, lines removed/added), followed by the commit message body.
* Linux 2.6.16.28-rc1 [v2.6.16.28-rc1] (Adrian Bunk, 2006-08-12; 1 file, -1/+1)
* update the i386 defconfig (Adrian Bunk, 2006-08-12; 1 file, -427/+834)

  The i386 defconfig wasn't updated for ages. Instead of running "make oldconfig" on the old defconfig and trying to give reasonable answers to all new options, this patch replaces it with the one I'm using in 2.6.16-rc1. This way, it's a .config that is confirmed to work on at least one computer in the world. ;-)

  Signed-off-by: Adrian Bunk <bunk@stusta.de>
* ieee1394: sbp2: enable auto spin-up for Maxtor disks (Stefan Richter, 2006-08-11; 1 file, -0/+3)

  At least Maxtor OneTouch III requires a "start stop unit" command after auto spin-down before the next access can proceed. This patch activates the responsible code in scsi_mod for all Maxtor SBP-2 disks.
  https://bugzilla.novell.com/show_bug.cgi?id=183011

  Maybe that should be done for all SBP-2 disks, but better be cautious.

  Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
  Signed-off-by: Adrian Bunk <bunk@stusta.de>
* Fix broken suspend/resume in ohci1394 (Robert Hancock, 2006-08-11; 1 file, -0/+3)

  I've been experimenting to track down the cause of suspend/resume problems on my Compaq Presario X1050 laptop:
  http://bugzilla.kernel.org/show_bug.cgi?id=6075

  Essentially the ACPI Embedded Controller and keyboard controller would get into a bizarre, confused state after resume. I found that unloading the ohci1394 module before suspend and reloading it after resume made the problem go away. Diffing the dmesg output from resume, with and without the module loaded, I found that with the module loaded I was missing these:

    PM: Writing back config space on device 0000:02:00.0 at offset 1. (Was 2100080, writing 2100007)
    PM: Writing back config space on device 0000:02:00.0 at offset 3. (Was 0, writing 8008)
    PM: Writing back config space on device 0000:02:00.0 at offset 4. (Was 0, writing 90200000)
    PM: Writing back config space on device 0000:02:00.0 at offset 5. (Was 1, writing 2401)
    PM: Writing back config space on device 0000:02:00.0 at offset f. (Was 20000100, writing 2000010a)

  The default PCI driver performs the pci_restore_state when no driver is loaded for the device. When the ohci1394 driver is loaded, it is supposed to do this, however it appears not to do so. I created the patch below and tested it, and it appears to resolve the suspend problems I was having with the module loaded.

  I only added in the pci_save_state and pci_restore_state - however, though I know little of this hardware, surely the driver should really be doing more than this when suspending and resuming? Currently it does almost nothing, what if there are commands in progress, etc?

  Signed-off-by: Robert Hancock <hancockr@shaw.ca>
  Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
  Signed-off-by: Adrian Bunk <bunk@stusta.de>
* fix debugfs inode leak (Jens Axboe, 2006-08-11; 1 file, -1/+2)

  Looking at the reiser4 crash, I found a leak in debugfs. In debugfs_mknod(), we create the inode before checking if the dentry already has one attached. We don't free it if that is the case.

  Signed-off-by: Jens Axboe <axboe@suse.de>
  Signed-off-by: Adrian Bunk <bunk@stusta.de>
* Fix missing ret assignment in __bio_map_user() error path (Jens Axboe, 2006-08-11; 1 file, -2/+3)

  If get_user_pages() returns less pages than what we asked for, we jump to out_unmap which will return ERR_PTR(ret). But ret can contain a positive number just smaller than local_nr_pages, so be sure to set it to -EFAULT always.

  Problem found and diagnosed by Damien Le Moal <damien@sdl.hitachi.co.jp>

  Signed-off-by: Jens Axboe <axboe@suse.de>
  Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [AGPGART] Fix Nforce3 suspend on amd64. (Dave Jones, 2006-08-10; 1 file, -0/+3)

  kernel.org bugzilla #6206
  Based on patch from Serge Belyshev <belyshev@depni.sinp.msu.ru>

  Signed-off-by: Dave Jones <davej@redhat.com>
  Signed-off-by: Adrian Bunk <bunk@stusta.de>
* SOUND_SSCAPE shouldn't depend on OBSOLETE_OSS_DRIVER (Adrian Bunk, 2006-08-09; 1 file, -1/+1)

  Due to a regression in the corresponding ALSA driver (ALSA #2234), the OSS driver should stay until it's fixed.

  Signed-off-by: Adrian Bunk <bunk@stusta.de>
* ieee80211: TKIP requires CRC32 (Chuck Ebbert, 2006-08-08; 1 file, -0/+1)

  ieee80211_crypt_tkip will not work without CRC32.

    LD      .tmp_vmlinux1
    net/built-in.o: In function `ieee80211_tkip_encrypt':
    net/ieee80211/ieee80211_crypt_tkip.c:349: undefined reference to `crc32_le'

  Reported by Toralf Foerster <toralf.foerster@gmx.de>

  Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
  Signed-off-by: Adrian Bunk <bunk@stusta.de>
* memory hotplug: solve config broken: undefined reference to `online_page' (Yasunori Goto, 2006-08-08; 5 files, -1/+12)

  Memory hotplug code of i386 adds memory to only highmem. So, if CONFIG_HIGHMEM is not set, CONFIG_MEMORY_HOTPLUG shouldn't be set. Otherwise, it causes compile error.

  In addition, many architectures can't use memory hotplug feature yet. So, I introduce CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG.

  Signed-off-by: Yasunori Goto <y-goto@jp.fujitsu.com>
  Signed-off-by: Adrian Bunk <bunk@stusta.de>
* pdflush: handle resume wakeups (Pavel Machek, 2006-08-08; 1 file, -8/+7)

  2.6.16 needs this. It was merged into 2.6.18-rc1.

  pdflush is carefully designed to ensure that all wakeups have some corresponding work to do - if a woken-up pdflush thread discovers that it hasn't been given any work to do then this is considered an error.

  That all broke when swsusp came along - because a timer-delivered wakeup to a frozen pdflush thread will just get lost. This causes the pdflush thread to get lost as well: the writeback timer is supposed to be re-armed by pdflush in process context, but pdflush doesn't execute the callout which does this.

  Fix that up by ignoring the return value from try_to_freeze(): just proceed, see if we have any work pending and only go back to sleep if that is not the case.

  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  Signed-off-by: Pavel Machek <pavel@suse.cz>
  Signed-off-by: Adrian Bunk <bunk@stusta.de>
* BLOCK: Fix bounce limit address check (Andi Kleen, 2006-08-07; 1 file, -1/+1)

  This fixes some OOMs on 64bit systems with <4GB of RAM when accessing the cdrom.

  Do a safer check for when to enable DMA. Currently we enable ISA DMA for cases that do not need it, resulting in OOM conditions when ZONE_DMA runs out of space.

  Signed-off-by: Andi Kleen <ak@suse.de>
  Signed-off-by: Jens Axboe <axboe@suse.de>
  Signed-off-by: Adrian Bunk <bunk@stusta.de>
* IB/mthca: restore missing PCI registers after reset (Michael S. Tsirkin, 2006-08-07; 1 file, -0/+59)

  mthca does not restore the following PCI-X/PCI Express registers after reset:
    PCI-X device: PCI-X command register
    PCI-X bridge: upstream and downstream split transaction registers
    PCI Express : PCI Express device control and link control registers

  This causes instability and/or bad performance on systems where one of these registers is set to a non-default value by BIOS.

  Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
  Signed-off-by: Adrian Bunk <bunk@stusta.de>
* fix the SND_FM801_TEA575X dependencies (Adrian Bunk, 2006-08-03; 2 files, -7/+9)

  CONFIG_SND_FM801=y, CONFIG_SND_FM801_TEA575X=m resulted in the following compile error:

    <--  snip  -->
    ...
      LD      vmlinux
    sound/built-in.o: In function 'snd_fm801_free':
    fm801.c:(.text+0x3c15b): undefined reference to 'snd_tea575x_exit'
    sound/built-in.o: In function 'snd_card_fm801_probe':
    fm801.c:(.text+0x3cfde): undefined reference to 'snd_tea575x_init'
    make: *** [vmlinux] Error 1
    <--  snip  -->

  This patch fixes kernel Bugzilla #6458.

  Signed-off-by: Adrian Bunk <bunk@stusta.de>
* remove obsolete swsusp_encrypt (Pavel Machek, 2006-08-03; 1 file, -12/+0)

  Remove SWSUSP_ENCRYPT config option; it is no longer implemented.

  Signed-off-by: Pavel Machek <pavel@suse.cz>
  Signed-off-by: Adrian Bunk <bunk@stusta.de>
* Linux 2.6.16.27 [v2.6.16.27] (Greg Kroah-Hartman, 2006-07-17; 1 file, -1/+1)
* [PATCH] USB serial ftdi_sio: Prevent userspace DoS (CVE-2006-2936) (Ian Abbott, 2006-07-17; 1 file, -13/+71)

  This patch limits the amount of outstanding 'write' data that can be queued up for the ftdi_sio driver, to prevent userspace DoS attacks (or simple accidents) that use up all the system memory by writing lots of data to the serial port.

  Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* [PATCH] IPV6 ADDRCONF: Fix default source address selection without CONFIG_IPV6_PRIVACY (YOSHIFUJI Hideaki, 2006-07-17; 1 file, -0/+3)

  We need to update hiscore.rule even if we don't enable CONFIG_IPV6_PRIVACY, because we have more less significant rule; longest match.

  Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
  Signed-off-by: David S. Miller <davem@davemloft.net>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* [PATCH] IPV6: Fix source address selection. (Łukasz Stelmach, 2006-07-17; 1 file, -0/+6)

  Two additional labels (RFC 3484, sec. 10.3) for IPv6 addresses are defined to make a distinction between global unicast addresses and Unique Local Addresses (fc00::/7, RFC 4193) and Teredo (2001::/32, RFC 4380). It is necessary to avoid attempts of connection that would either fail (e.g. fec0:: to 2001:feed::) or be sub-optimal (2001:0:: to 2001:feed::).

  Signed-off-by: Łukasz Stelmach <stlman@poczta.fm>
  Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
  Signed-off-by: David S. Miller <davem@davemloft.net>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* Linux 2.6.16.25 [v2.6.16.26] (Greg Kroah-Hartman, 2006-07-15; 1 file, -1/+1)
* [PATCH] Relax /proc fix a bit (Linus Torvalds, 2006-07-15; 1 file, -1/+2)

  Relax /proc fix a bit

  Clearing all of i_mode was a bit draconian. We only really care about S_ISUID/ISGID, after all.

  Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* Linux 2.6.16.25 [v2.6.16.25] (Greg Kroah-Hartman, 2006-07-14; 1 file, -1/+1)
* [PATCH] Fix nasty /proc vulnerability (CVE-2006-3626) (Linus Torvalds, 2006-07-14; 1 file, -0/+1)

  Fix nasty /proc vulnerability

  We have a bad interaction with both the kernel and user space being able to change some of the /proc file status. This fixes the most obvious part of it, but I expect we'll also make it harder for users to modify even their "own" files in /proc.

  Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* Linux 2.6.16.24 [v2.6.16.24] (Greg Kroah-Hartman, 2006-07-06; 1 file, -1/+1)
* fix prctl privilege escalation and suid_dumpable (CVE-2006-2451) (Greg Kroah-Hartman, 2006-07-06; 1 file, -1/+1)

  Based on a patch from Ernie Petrides

  During security research, Red Hat discovered a behavioral flaw in core dump handling. A local user could create a program that would cause a core file to be dumped into a directory they would not normally have permissions to write to. This could lead to a denial of service (disk consumption), or allow the local user to gain root privileges.

  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* Linux 2.6.16.23 [v2.6.16.23] (Greg Kroah-Hartman, 2006-06-30; 1 file, -1/+1)
* [PATCH] revert PARPORT_SERIAL should depend on SERIAL_8250_PCI patch (Chris Wright, 2006-06-30; 1 file, -1/+1)

  Should have not been applied to 2.6.16

  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* [PATCH] NETFILTER: SCTP conntrack: fix crash triggered by packet without chunks [CVE-2006-2934] (Patrick McHardy, 2006-06-30; 2 files, -2/+2)

  When a packet without any chunks is received, the newconntrack variable in sctp_packet contains an out of bounds value that is used to look up a pointer from the array of timeouts, which is then dereferenced, resulting in a crash. Make sure at least a single chunk is present.

  Problem noticed by George A. Theall <theall@tenablesecurity.com>

  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* Linux 2.6.16.22 [v2.6.16.22] (Chris Wright, 2006-06-22; 1 file, -1/+1)
* [PATCH] NTFS: Critical bug fix (affects MIPS and possibly others) (Anton Altaparmakov, 2006-06-22; 1 file, -6/+7)

  It fixes a crash in NTFS on architectures where flush_dcache_page() is a real function. I never noticed this as all my testing is done on i386 where flush_dcache_page() is NULL.
  http://bugzilla.kernel.org/show_bug.cgi?id=6700

  Many thanks to Pauline Ng for the detailed bug report and analysis!

  Signed-off-by: Anton Altaparmakov <aia21@cantab.net>
  Cc: <stable@kernel.org>
  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
* [PATCH] powernow-k8 crash workaround (Andrew Morton, 2006-06-22; 1 file, -1/+4)

  Work around the oops reported in http://bugzilla.kernel.org/show_bug.cgi?id=6478.

  Thanks to Ralf Hildebrandt <ralf.hildebrandt@charite.de> for testing and reporting.

  Acked-by: Dave Jones <davej@codemonkey.org.uk>
  Cc: "Brown, Len" <len.brown@intel.com>
  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* [PATCH] I2O: Bugfixes to get I2O working again (Markus Lidel, 2006-06-22; 3 files, -39/+42)

  - Fixed locking of struct i2o_exec_wait in Executive-OSM
  - Removed LCT Notify in i2o_exec_probe() which caused freeing memory and accessing freed memory during first enumeration of I2O devices
  - Added missing locking in i2o_exec_lct_notify()
  - removed put_device() of I2O controller in i2o_iop_remove() which caused the controller structure get freed too early
  - Fixed size of mempool in i2o_iop_alloc()
  - Fixed access to freed memory in i2o_msg_get()

  See http://bugzilla.kernel.org/show_bug.cgi?id=6561

  Signed-off-by: Markus Lidel <Markus.Lidel@shadowconnect.com>
  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* [PATCH] scsi_lib.c: properly count the number of pages in scsi_req_map_sg() (James Bottomley, 2006-06-22; 1 file, -1/+1)

  The calculation of nr_pages in scsi_req_map_sg() doesn't account for the fact that the first page could have an offset that pushes the end of the buffer onto a new page.

  Signed-off-by: Bryan Holty <lgeek@frontiernet.net>
  Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* [PATCH] JFS: Fix multiple errors in metapage_releasepage (Dave Kleikamp, 2006-06-22; 1 file, -15/+5)

  It looks like metapage_releasepage was making an invalid assumption that the releasepage method would not be called on a dirty page. Instead of issuing a warning and releasing the metapage, it should return 0, indicating that the private data for the page cannot be released.

  I also realized that metapage_releasepage had the return code all wrong. If it is successful in releasing the private data, it should return 1, otherwise it needs to return 0.

  Lastly, there is no need to call wait_on_page_writeback, since try_to_release_page will not call us with a page in writeback state.

  Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* [PATCH] fs/namei.c: Call to file_permission() under a spinlock in do_lookup_path() (Trond Myklebust, 2006-06-22; 1 file, -9/+10)

  We're presently running lock_kernel() under fs_lock via nfs's ->permission handler. That's a ranking bug and sometimes a sleep-in-spinlock bug.

  This problem was introduced in the openat() patchset.

  We should not need to hold the current->fs->lock for a codepath that doesn't use current->fs.

  [vsu@altlinux.ru: fix error path]

  Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
  Cc: Al Viro <viro@ftp.linux.org.uk>
  Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* [PATCH] tmpfs: time granularity fix for [acm]time going backwards (Robin H. Johnson, 2006-06-22; 2 files, -1/+2)

  I noticed a strange behavior in a tmpfs file system the other day, while building packages - occasionally, and seemingly at random, make decided to rebuild a target. However, only on tmpfs.

  A file would be created, and if checked, it had a sub-second timestamp. However, after an utimes related call where sub-seconds should be set, they were zeroed instead. In the case that a file was created, and utimes(...,NULL) was used on it in the same second, the timestamp on the file moved backwards.

  After some digging, I found that this was being caused by tmpfs not having a time granularity set, thus inheriting the default 1 second granularity.

  Hugh adds: yes, we missed tmpfs when the s_time_gran mods went into 2.6.11. Unfortunately, the granularity of CURRENT_TIME, often used in filesystems, does not match the default granularity set by alloc_super. A few more such discrepancies have been found, but this is the most important to fix now.

  Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
  Acked-by: Andi Kleen <ak@suse.de>
  Signed-off-by: Hugh Dickins <hugh@veritas.com>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* [PATCH] Missed error checking for intent's filp in open_namei(). (Oleg Drokin, 2006-06-22; 1 file, -0/+6)

  It seems there is an error check missing in open_namei for errors returned through intent.open.file (from lookup_instantiate_filp).

  If there is plain open performed, then such a check is done inside __path_lookup_intent_open called from path_lookup_open(), but when the open is performed with O_CREAT flag set, then __path_lookup_intent_open is only called with LOOKUP_PARENT set where no file opening can occur yet. Later on lookup_hash is called where exact opening might take place and intent.open.file may be filled. If it is filled with error value of some sort, then we get kernel attempting to dereference this error value as address (and corresponding oops) in nameidata_to_filp() called from filp_open().

  While this is relatively simple to workaround in ->lookup() method by just checking lookup_instantiate_filp() return value and returning error as needed, this is not so easy in ->d_revalidate(), where we can only return "yes, dentry is valid" or "no, dentry is invalid, perform full lookup again", and just returning 0 on error would cause extra lookup (with potential extra costly RPCs).

  So in short, I believe that there should be no difference in error handling for opening a file and creating a file in open_namei() and propose this simple patch as a solution.

  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* [PATCH] SPARC64: Fix missing fold at end of checksums. (David Miller, 2006-06-22; 2 files, -4/+6)

  Both csum_partial() and the csum_partial_copy*() family of routines forget to do a final fold on the computed checksum value on sparc64. So do the standard Sparc "add + set condition codes, add carry" sequence, then make sure the high 32-bits of the return value are clear.

  Based upon some excellent detective work and debugging done by Richard Braun and Samuel Thibault.

  Signed-off-by: David S. Miller <davem@davemloft.net>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* [PATCH] SPARC64: Respect gfp_t argument to dma_alloc_coherent(). (David Miller, 2006-06-22; 4 files, -5/+146)

  Using asm-generic/dma-mapping.h does not work because pushing the call down to pci_alloc_coherent() causes the gfp_t argument of dma_alloc_coherent() to be ignored.

  Fix this by implementing things directly, and adding a gfp_t argument we can use in the internal call down to the PCI DMA implementation of pci_alloc_coherent().

  This fixes massive memory corruption when using the sound driver layer, which passes things like __GFP_COMP down into these routines and (correctly) expects that to work.

  This is a disk eater when sound is used, so it's pretty critical.

  Signed-off-by: David S. Miller <davem@davemloft.net>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* [PATCH] SPARC64: Fix D-cache corruption in mremap (David Miller, 2006-06-22; 3 files, -11/+27)

  If we move a mapping from one virtual address to another, and this changes the virtual color of the mapping to those pages, we can see corrupt data due to D-cache aliasing.

  Check for and deal with this by overriding the move_pte() macro. Set things up so that other platforms can cleanly override the move_pte() macro too.

  This long standing bug corrupts user memory, and in particular has been notorious for corrupting Debian package database files on sparc64 boxes.

  Signed-off-by: David S. Miller <davem@davemloft.net>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* [PATCH] USB: Whiteheat: fix firmware spurious errors (Stuart MacDonald, 2006-06-22; 1 file, -2/+2)

  Attached patch fixes spurious errors during firmware load.

  Signed-off-by: Stuart MacDonald <stuartm@connecttech.com>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
* Linux 2.6.16.21 [v2.6.16.21] (Chris Wright, 2006-06-20; 1 file, -1/+1)
* [PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085) (Patrick McHardy, 2006-06-20; 1 file, -1/+1)

  Fix endless loop in the SCTP match similar to those already fixed in the SCTP conntrack helper (was CVE-2006-1527).

  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
* [PATCH] run_posix_cpu_timers: remove a bogus BUG_ON() (CVE-2006-2445) (Oleg Nesterov, 2006-06-20; 2 files, -26/+18)

  do_exit() clears ->it_##clock##_expires, but nothing prevents another cpu to attach the timer to exiting process after that. arm_timer() tries to protect against this race, but the check is racy.

  After exit_notify() does 'write_unlock_irq(&tasklist_lock)' and before do_exit() calls 'schedule()' local timer interrupt can find tsk->exit_state != 0. If that state was EXIT_DEAD (or another cpu does sys_wait4) interrupted task has ->signal == NULL.

  At this moment exiting task has no pending cpu timers, they were cleanuped in __exit_signal()->posix_cpu_timers_exit{,_group}(), so we can just return from irq.

  John Stultz recently confirmed this bug, see
  http://marc.theaimsgroup.com/?l=linux-kernel&m=115015841413687

  Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
  Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
* [PATCH] check_process_timers: fix possible lockup (Oleg Nesterov, 2006-06-20; 1 file, -5/+4)

  If the local timer interrupt happens just after do_exit() sets PF_EXITING (and before it clears ->it_xxx_expires) run_posix_cpu_timers() will call check_process_timers() with tasklist_lock + ->siglock held and check_process_timers:

    t = tsk;
    do {
        ....
        do {
            t = next_thread(t);
        } while (unlikely(t->flags & PF_EXITING));
    } while (t != tsk);

  the outer loop will never stop.

  Actually, the window is bigger. Another process can attach the timer after ->it_xxx_expires was cleared (see the next commit) and the 'if (PF_EXITING)' check in arm_timer() is racy (see the one after that).

  Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
  Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
* [PATCH] powerpc: Fix machine check problem on 32-bit kernels (CVE-2006-2448) (Paul Mackerras, 2006-06-20; 2 files, -1/+12)

  This fixes a bug found by Dave Jones that means that it is possible for userspace to provoke a machine check on 32-bit kernels. This also fixes a couple of other places where I found similar problems by inspection.

  Signed-off-by: Paul Mackerras <paulus@samba.org>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
* Linux 2.6.16.20 [v2.6.16.20] (Chris Wright, 2006-06-05; 1 file, -1/+1)
* [PATCH] sbp2: fix check of return value of hpsb_allocate_and_register_addrspace (Stefan Richter, 2006-06-05; 1 file, -1/+1)

  I added a failure check in patch "sbp2: variable status FIFO address (fix login timeout)" --- alas for a wrong error value. This is a bug since Linux 2.6.16. Leads to NULL pointer dereference if the call failed, and bogus failure handling if call succeeded.

  Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
* [PATCH] sbp2: backport read_capacity workaround for iPod (Stefan Richter, 2006-06-05; 1 file, -0/+11)

  There is a firmware bug in several Apple iPods which prevents access to these iPods under certain conditions. The disk size reported by the iPod is one sector too big. Once access to the end of the disk is attempted, the iPod becomes inaccessible. This problem has been known for USB iPods for some time and has recently been discovered to exist with FireWire/USB combo iPods too.

  This patch is derived from the fix in Linux 2.6.17, commit e9a1c52c7b19d10342226c12f170d7ab644427e2, to be applicable to 2.6.16.x without prerequisite patches. It hard-wires a workaround for three known affected model numbers (those of 4th generation iPod, iPod Photo, iPod mini).

  Note: This patch lacks Linux 2.6.17's ability to enable and disable the workaround via a module parameter.

  Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* [PATCH] x86_64: Don't do syscall exit tracing twice (Andi Kleen, 2006-06-05; 1 file, -6/+1)

  This fixes a regression from the earlier DOS fix for non canonical IRET addresses. It broke UML.

  int_ret_from_syscall already does syscall exit tracing, so no need to do it again in the caller.

  This caused problems for UML and some other special programs doing syscall interception.

  Signed-off-by: Andi Kleen <ak@suse.de>
  Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>