From greg@blue.kroah.org Thu Apr 20 21:34:41 2006
Message-Id: <20060421043441.285173000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:33:54 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
James Bottomley <James.Bottomley@SteelEye.com>,
linuxraid@amcc.com,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 01/22] 3ware: kmap_atomic() fix
Content-Disposition: inline; filename=3ware-kmap_atomic-fix.patch
Status: RO
Content-Length: 1275
Lines: 44
From: Andrew Morton <akpm@osdl.org>
We must disable local IRQs while holding KM_IRQ0 or KM_IRQ1. Otherwise, an
IRQ handler could use those kmap slots while this code is using them,
resulting in memory corruption.
Thanks to Nick Orlov <bugfixer@list.ru> for reporting.
Cc: <linuxraid@amcc.com>
Cc: James Bottomley <James.Bottomley@SteelEye.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/scsi/3w-xxxx.c | 3 +++
1 file changed, 3 insertions(+)
--- linux-2.6.16.9.orig/drivers/scsi/3w-xxxx.c
+++ linux-2.6.16.9/drivers/scsi/3w-xxxx.c
@@ -1508,10 +1508,12 @@ static void tw_transfer_internal(TW_Devi
struct scsi_cmnd *cmd = tw_dev->srb[request_id];
void *buf;
unsigned int transfer_len;
+ unsigned long flags = 0;
if (cmd->use_sg) {
struct scatterlist *sg =
(struct scatterlist *)cmd->request_buffer;
+ local_irq_save(flags);
buf = kmap_atomic(sg->page, KM_IRQ0) + sg->offset;
transfer_len = min(sg->length, len);
} else {
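Review bot: flags is initialised to 0 at its declaration only because
local_irq_save(flags) here and local_irq_restore(flags) in the next hunk
sit in two separate blocks, so the compiler cannot see that they pair up.
The initialiser hides the warning but not the risk: if the later block is
ever entered without this cmd->use_sg branch having run, the restore uses
flags = 0. A short comment at the save stating that IRQs stay off until
the matching kunmap_atomic(..., KM_IRQ0), and that both blocks must test
the same condition, would keep the pairing from drifting.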
@@ -1526,6 +1528,7 @@ static void tw_transfer_internal(TW_Devi
sg = (struct scatterlist *)cmd->request_buffer;
kunmap_atomic(buf - sg->offset, KM_IRQ0);
+ local_irq_restore(flags);
}
}
--
From greg@blue.kroah.org Thu Apr 20 21:34:41 2006
Message-Id: <20060421043441.483596000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:33:55 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org,
"James Bottomley" <James.Bottomley@steeleye.com>
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
Adam Radford <linuxraid@amcc.com>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 02/22] 3ware 9000 disable local irqs during kmap_atomic
Content-Disposition: inline; filename=3ware-9000-disable-local-irqs-during-kmap_atomic.patch
Status: RO
Content-Length: 1294
Lines: 40
The attached patch for 2.6.17-rc2 updates the 3ware 9000 driver:
- Disable local interrupts during kmap/unmap_atomic().
Signed-off-by: Adam Radford <linuxraid@amcc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/scsi/3w-9xxx.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- linux-2.6.16.9.orig/drivers/scsi/3w-9xxx.c
+++ linux-2.6.16.9/drivers/scsi/3w-9xxx.c
@@ -85,7 +85,7 @@
#include "3w-9xxx.h"
/* Globals */
-#define TW_DRIVER_VERSION "2.26.02.005"
+#define TW_DRIVER_VERSION "2.26.02.007"
static TW_Device_Extension *twa_device_extension_list[TW_MAX_SLOT];
static unsigned int twa_device_extension_count;
static int twa_major = -1;
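Review bot: TW_DRIVER_VERSION jumps from 2.26.02.005 to 2.26.02.007,
skipping .006, and the changelog lists only the kmap_atomic change. For a
-stable backport, say in the changelog what .006 contained and whether it
is included here, or leave the version string alone so the reported
version matches the code actually shipped.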
@@ -1944,9 +1944,13 @@ static void twa_scsiop_execute_scsi_comp
}
if (tw_dev->srb[request_id]->use_sg == 1) {
struct scatterlist *sg = (struct scatterlist *)tw_dev->srb[request_id]->request_buffer;
- char *buf = kmap_atomic(sg->page, KM_IRQ0) + sg->offset;
+ char *buf;
+ unsigned long flags = 0;
+ local_irq_save(flags);
+ buf = kmap_atomic(sg->page, KM_IRQ0) + sg->offset;
memcpy(buf, tw_dev->generic_buffer_virt[request_id], sg->length);
kunmap_atomic(buf - sg->offset, KM_IRQ0);
+ local_irq_restore(flags);
}
}
} /* End twa_scsiop_execute_scsi_complete() */
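Review bot: the memcpy() into the KM_IRQ0 mapping copies sg->length bytes
with no clamp visible in this hunk, whereas the 3w-xxxx path in patch 01
uses min(sg->length, len). Since this copy now runs with local IRQs off,
it is worth confirming that generic_buffer_virt[request_id] is at least
sg->length bytes and that sg->offset + sg->length stays within the single
mapped page. Separately, flags does not need the = 0 initialiser here:
local_irq_save() and local_irq_restore() are in the same block.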
--
From greg@blue.kroah.org Thu Apr 20 21:34:41 2006
Message-Id: <20060421043441.681515000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:33:56 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Brian Hinz <bphinz@hotmail.com>,
H Peter Anvin <hpa@zytor.com>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 03/22] efficeon-agp: Add missing memory mask
Content-Disposition: inline; filename=efficeon-agp-add-missing-memory-mask.patch
Status: RO
Content-Length: 1161
Lines: 37
Original patch by Benjamin Herrenschmidt after debugging by Brian Hinz.
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Brian Hinz <bphinz@hotmail.com>
Signed-off-by: H Peter Anvin <hpa@zytor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/char/agp/efficeon-agp.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- linux-2.6.16.9.orig/drivers/char/agp/efficeon-agp.c
+++ linux-2.6.16.9/drivers/char/agp/efficeon-agp.c
@@ -64,6 +64,12 @@ static struct gatt_mask efficeon_generic
{.mask = 0x00000001, .type = 0}
};
+/* This function does the same thing as mask_memory() for this chipset... */
+static inline unsigned long efficeon_mask_memory(unsigned long addr)
+{
+ return addr | 0x00000001;
+}
+
static struct aper_size_info_lvl2 efficeon_generic_sizes[4] =
{
{256, 65536, 0},
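Review bot: efficeon_mask_memory() hard-codes 0x00000001, the same value
as the .mask entry of the gatt_mask table directly above it, so the two
can drift apart. Use the table entry (or a shared #define) for the bit,
and replace the trailing "..." in the comment with the reason the generic
mask_memory() is not used for this chipset.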
@@ -251,7 +257,7 @@ static int efficeon_insert_memory(struct
last_page = NULL;
for (i = 0; i < count; i++) {
int index = pg_start + i;
- unsigned long insert = mem->memory[i];
+ unsigned long insert = efficeon_mask_memory(mem->memory[i]);
page = (unsigned int *) efficeon_private.l1_table[index >> 10];
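Review bot: the changelog gives credit but no description of what goes
wrong when mem->memory[i] is inserted unmasked, which makes it hard for a
-stable reviewer to judge the impact. Add one or two sentences on the
symptom and on what bit 0 means in an entry written by
efficeon_insert_memory(). If any other path writes entries into the
l1_table pages, it needs the same mask.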
--
From greg@blue.kroah.org Thu Apr 20 21:34:42 2006
Message-Id: <20060421043441.878914000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:33:57 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
Herbert Xu <herbert@gondor.apana.org.au>,
David Miller <davem@davemloft.net>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 04/22] : Fix truesize underflow
Content-Disposition: inline; filename=fix-bug.patch
Status: RO
Content-Length: 1357
Lines: 41
From: Herbert Xu <herbert@gondor.apana.org.au>
[TCP]: Fix truesize underflow
There is a problem with the TSO packet trimming code. The cause of
this lies in the tcp_fragment() function.
When we allocate a fragment for a completely non-linear packet the
truesize is calculated for a payload length of zero. This means that
truesize could in fact be less than the real payload length.
When that happens the TSO packet trimming can cause truesize to become
negative. This in turn can cause sk_forward_alloc to be -n * PAGE_SIZE
which would trigger the warning.
I've copied the code DaveM used in tso_fragment which should work here.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/ipv4/tcp_output.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- linux-2.6.16.9.orig/net/ipv4/tcp_output.c
+++ linux-2.6.16.9/net/ipv4/tcp_output.c
@@ -537,7 +537,9 @@ int tcp_fragment(struct sock *sk, struct
buff = sk_stream_alloc_skb(sk, nsize, GFP_ATOMIC);
if (buff == NULL)
return -ENOMEM; /* We'll just try again later. */
- sk_charge_skb(sk, buff);
+
+ buff->truesize = skb->len - len;
+ skb->truesize -= buff->truesize;
/* Correct the sequence numbers. */
TCP_SKB_CB(buff)->seq = TCP_SKB_CB(skb)->seq + len;
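Review bot: nothing in this hunk shows that skb->truesize is at least
skb->len - len before skb->truesize -= buff->truesize runs, and the
changelog itself says truesize can be smaller than the real payload
length, so the subtraction can still wrap. Add a comment (or a check)
stating why that cannot happen at this point. The removal of
sk_charge_skb(sk, buff) also deserves a comment: the new lines move
accounting from skb to buff instead of charging the socket again, and
the value sk_stream_alloc_skb() set up for the nsize allocation is
overwritten by the assignment to buff->truesize.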
--
From greg@blue.kroah.org Thu Apr 20 21:34:42 2006
Message-Id: <20060421043442.075998000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:33:58 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
Alexander Patrakov <patrakov@ums.usu.ru>,
David Miller <davem@davemloft.net>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 05/22] : Fix hotplug race during device registration
Content-Disposition: inline; filename=fix-hotplug-race-during-device-registration.patch
Status: RO
Content-Length: 1289
Lines: 39
From: Thomas de Grenier de Latour <degrenier@easyconnect.fr>
On Sun, 9 Apr 2006 21:56:59 +0400,
Sergey Vlasov <vsu@altlinux.ru> wrote:
> However, show_address() does not output anything unless
> dev->reg_state == NETREG_REGISTERED - and this state is set by
> netdev_run_todo() only after netdev_register_sysfs() returns, so in
> the meantime (while netdev_register_sysfs() is busy adding the
> "statistics" attribute group) some process may see an empty "address"
> attribute.
I've tried the attached patch, suggested by Sergey Vlasov on
hotplug-devel@, and as far as I can test it works just fine.
Signed-off-by: Alexander Patrakov <patrakov@ums.usu.ru>
Signed-off-by: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/core/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.16.9.orig/net/core/dev.c
+++ linux-2.6.16.9/net/core/dev.c
@@ -2932,11 +2932,11 @@ void netdev_run_todo(void)
switch(dev->reg_state) {
case NETREG_REGISTERING:
+ dev->reg_state = NETREG_REGISTERED;
err = netdev_register_sysfs(dev);
if (err)
printk(KERN_ERR "%s: failed sysfs registration (%d)\n",
dev->name, err);
- dev->reg_state = NETREG_REGISTERED;
break;
case NETREG_UNREGISTERING:
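Review bot: with reg_state set to NETREG_REGISTERED before
netdev_register_sysfs(dev) is called, there is now a window in which the
device claims to be registered while its sysfs entries do not exist yet,
and it stays NETREG_REGISTERED when netdev_register_sysfs() returns an
error (only the printk runs). Add a comment at the assignment explaining
that the order is deliberate, so that show_address() has data as soon as
the attribute appears, and say in the changelog why no other reader of
reg_state is affected by the earlier transition.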
--
From greg@blue.kroah.org Thu Apr 20 21:34:42 2006
Message-Id: <20060421043442.282447000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:33:59 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
Jean Delvare <khali@linux-fr.org>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 06/22] i2c-i801: Fix resume when PEC is used
Content-Disposition: inline; filename=i2c-i801-fix-resume-when-pec-is-used.patch
Status: RO
Content-Length: 1025
Lines: 33
Fix for bug #6395:
Fail to resume on Tecra M2 with ADM1032 and Intel 82801DBM
The BIOS of the Tecra M2 doesn't like it when it has to reboot or
resume after the i2c-i801 driver has left the SMBus in PEC mode.
I have a more complete fix for 2.6.17 but the simple approach of
leaving the SMBus in non-PEC mode after every transaction should do
for -stable. That's what the i2c-i801 driver was doing up to 2.6.15
(inclusive).
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/i2c/busses/i2c-i801.c | 5 +++++
1 file changed, 5 insertions(+)
--- linux-2.6.16.9.orig/drivers/i2c/busses/i2c-i801.c
+++ linux-2.6.16.9/drivers/i2c/busses/i2c-i801.c
@@ -478,6 +478,11 @@ static s32 i801_access(struct i2c_adapte
ret = i801_transaction();
}
+ /* Some BIOSes don't like it when PEC is enabled at reboot or resume
+ time, so we forcibly disable it after every transaction. */
+ if (hwpec)
+ outb_p(0, SMBAUXCTL);
+
if(block)
return ret;
if(ret)
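Review bot: outb_p(0, SMBAUXCTL) clears the whole auxiliary control
register, not only the PEC enable bit, so any other bit set there is lost
after every hwpec transaction. If PEC is the only bit the driver ever
sets, say so in the comment; otherwise read the register and clear just
that bit. Placing the write before the block and ret checks is right,
since it must also run when the transaction failed.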
--
From greg@blue.kroah.org Thu Apr 20 21:34:42 2006
Message-Id: <20060421043442.480180000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:00 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
"Artem B. Bityutskiy" <dedekind@yandex.ru>,
dwmw2@infradead.org,
Adrian Bunk <bunk@stusta.de>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 07/22] MTD_NAND_SHARPSL and MTD_NAND_NANDSIM should be tristates
Content-Disposition: inline; filename=mtd_nand_sharpsl-and-mtd_nand_nandsim-should-be-tristate-s.patch
Status: RO
Content-Length: 1444
Lines: 48
MTD_NAND=m and MTD_NAND_SHARPSL=y or MTD_NAND_NANDSIM=y are illegal
combinations that mustn't be allowed.
This patch fixes this bug by making MTD_NAND_SHARPSL and MTD_NAND_NANDSIM
tristates.
Additionally, it fixes some whitespace damage at these options.
This patch was already included in Linus' tree.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/mtd/nand/Kconfig | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
--- linux-2.6.16.9.orig/drivers/mtd/nand/Kconfig
+++ linux-2.6.16.9/drivers/mtd/nand/Kconfig
@@ -178,17 +178,16 @@ config MTD_NAND_DISKONCHIP_BBTWRITE
Even if you leave this disabled, you can enable BBT writes at module
load time (assuming you build diskonchip as a module) with the module
parameter "inftl_bbt_write=1".
-
- config MTD_NAND_SHARPSL
- bool "Support for NAND Flash on Sharp SL Series (C7xx + others)"
- depends on MTD_NAND && ARCH_PXA
-
- config MTD_NAND_NANDSIM
- bool "Support for NAND Flash Simulator"
- depends on MTD_NAND && MTD_PARTITIONS
+config MTD_NAND_SHARPSL
+ tristate "Support for NAND Flash on Sharp SL Series (C7xx + others)"
+ depends on MTD_NAND && ARCH_PXA
+
+config MTD_NAND_NANDSIM
+ tristate "Support for NAND Flash Simulator"
+ depends on MTD_NAND && MTD_PARTITIONS
help
The simulator may simulate verious NAND flash chips for the
MTD nand layer.
-
+
endmenu
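Review bot: MTD_NAND_SHARPSL still has no help text after being
rewritten, while MTD_NAND_NANDSIM has one; since the entry is being
touched anyway, add a short help paragraph. The changelog also promises a
whitespace cleanup, so check that the + line before endmenu carries no
trailing whitespace, and fix the "verious" typo in the NANDSIM help text
while the block is open.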
--
From greg@blue.kroah.org Thu Apr 20 21:34:42 2006
Message-Id: <20060421043442.677627000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:01 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
benh@kernel.crashing.org,
Guido Guenther <agx@sigxcpu.org>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 08/22] PPC: fix oops in alsa powermac driver
Content-Disposition: inline; filename=re-ppc-fix-oops-in-alsa-powermac-driver.patch
Status: RO
Content-Length: 2095
Lines: 65
This fixes an oops in 2.6.16.X when loading the snd_powermac module. The
name of the requested module changed during the 2.6.16 development cycle
from i2c-keylargo to i2c-powermac:
Signed-off-by: Guido Guenther <agx@sigxcpu.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/macintosh/therm_adt746x.c | 4 ++--
sound/oss/dmasound/tas_common.c | 4 ++--
sound/ppc/daca.c | 2 +-
sound/ppc/tumbler.c | 2 +-
4 files changed, 6 insertions(+), 6 deletions(-)
--- linux-2.6.16.9.orig/drivers/macintosh/therm_adt746x.c
+++ linux-2.6.16.9/drivers/macintosh/therm_adt746x.c
@@ -627,8 +627,8 @@ thermostat_init(void)
if(therm_type == ADT7460)
device_create_file(&of_dev->dev, &dev_attr_sensor2_fan_speed);
-#ifndef CONFIG_I2C_KEYWEST
- request_module("i2c-keywest");
+#ifndef CONFIG_I2C_POWERMAC
+ request_module("i2c-powermac");
#endif
return i2c_add_driver(&thermostat_driver);
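Review bot: the changelog says the module was renamed from i2c-keylargo,
but every line removed in this patch requests i2c-keywest; fix the
changelog so that it names the string actually being replaced. The result
of request_module("i2c-powermac") is also ignored here, so a failed load
is only noticed later in i2c_add_driver() or not at all; a comment on why
that is acceptable would help.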
--- linux-2.6.16.9.orig/sound/oss/dmasound/tas_common.c
+++ linux-2.6.16.9/sound/oss/dmasound/tas_common.c
@@ -195,8 +195,8 @@ tas_init(int driver_id, const char *driv
printk(KERN_INFO "tas driver [%s])\n", driver_name);
-#ifndef CONFIG_I2C_KEYWEST
- request_module("i2c-keywest");
+#ifndef CONFIG_I2C_POWERMAC
+ request_module("i2c-powermac");
#endif
tas_node = find_devices("deq");
if (tas_node == NULL)
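Review bot: this call site and therm_adt746x.c guard the request with
#ifndef CONFIG_I2C_POWERMAC, while daca.c and tumbler.c in the same patch
use #ifdef CONFIG_KMOD plus a current->fs->root check. The patch only
swaps the module name, but since all four sites are touched it should
either use one guard everywhere or explain in the changelog why the two
styles differ. Also, the printk() just above has an unbalanced ")" in its
format string.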
--- linux-2.6.16.9.orig/sound/ppc/daca.c
+++ linux-2.6.16.9/sound/ppc/daca.c
@@ -256,7 +256,7 @@ int __init snd_pmac_daca_init(struct snd
#ifdef CONFIG_KMOD
if (current->fs->root)
- request_module("i2c-keywest");
+ request_module("i2c-powermac");
#endif /* CONFIG_KMOD */
mix = kmalloc(sizeof(*mix), GFP_KERNEL);
--- linux-2.6.16.9.orig/sound/ppc/tumbler.c
+++ linux-2.6.16.9/sound/ppc/tumbler.c
@@ -1314,7 +1314,7 @@ int __init snd_pmac_tumbler_init(struct
#ifdef CONFIG_KMOD
if (current->fs->root)
- request_module("i2c-keywest");
+ request_module("i2c-powermac");
#endif /* CONFIG_KMOD */
mix = kmalloc(sizeof(*mix), GFP_KERNEL);
--
From greg@blue.kroah.org Thu Apr 20 21:34:43 2006
Message-Id: <20060421043442.875624000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:02 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org,
torvalds@osdl.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
jmorris@redhat.com,
sds@tycho.nsa.gov,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 09/22] selinux: Fix MLS compatibility off-by-one bug
Content-Disposition: inline; filename=selinux-fix-mls-compatibility-off-by-one-bug.patch
Status: RO
Content-Length: 881
Lines: 30
From: Ron Yorston <rmy@tigress.co.uk>
Fix an off-by-one error in the MLS compatibility code that was causing
contexts with a MLS suffix to be rejected, preventing sharing partitions
between FC4 and FC5. Bug reported in
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188068
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
security/selinux/ss/mls.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.16.9.orig/security/selinux/ss/mls.c
+++ linux-2.6.16.9/security/selinux/ss/mls.c
@@ -264,7 +264,7 @@ int mls_context_to_sid(char oldc,
if (!selinux_mls_enabled) {
if (def_sid != SECSID_NULL && oldc)
- *scontext += strlen(*scontext);
+ *scontext += strlen(*scontext)+1;
return 0;
}
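Review bot: strlen(*scontext)+1 moves *scontext one byte past the
terminating NUL, which is only valid if the caller's buffer really
continues (or ends) at that position; nothing in this hunk documents that
contract. Add a comment above the line saying what the caller expects
*scontext to point at when MLS is disabled and an MLS suffix is skipped,
so the +1 does not get "fixed" back later. Kernel style also wants spaces
around the +.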
--
From greg@blue.kroah.org Thu Apr 20 21:34:43 2006
Message-Id: <20060421043443.076191000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:03 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
netdev-core@vger.kernel.org,
yoshfuji@linux-ipv6.org,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 10/22] IPV6: Ensure to have hop-by-hop options in our header of &sk_buff.
Content-Disposition: inline; filename=ipv6-ensure-to-have-hop-by-hop-options-in-our-header-of-sk_buff.patch
Status: RO
Content-Length: 935
Lines: 34
[IPV6]: Ensure to have hop-by-hop options in our header of &sk_buff.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
---
net/ipv6/exthdrs.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- linux-2.6.16.9.orig/net/ipv6/exthdrs.c
+++ linux-2.6.16.9/net/ipv6/exthdrs.c
@@ -489,6 +489,18 @@ int ipv6_parse_hopopts(struct sk_buff *s
{
struct inet6_skb_parm *opt = IP6CB(skb);
+ /*
+ * skb->nh.raw is equal to skb->data, and
+ * skb->h.raw - skb->nh.raw is always equal to
+ * sizeof(struct ipv6hdr) by definition of
+ * hop-by-hop options.
+ */
+ if (!pskb_may_pull(skb, sizeof(struct ipv6hdr) + 8) ||
+ !pskb_may_pull(skb, sizeof(struct ipv6hdr) + ((skb->h.raw[1] + 1) << 3))) {
+ kfree_skb(skb);
+ return -1;
+ }
+
opt->hop = sizeof(struct ipv6hdr);
if (ip6_parse_tlv(tlvprochopopt_lst, skb)) {
skb->h.raw += (skb->h.raw[1]+1)<<3;
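Review bot: the second pskb_may_pull() argument reads skb->h.raw[1],
which is only safe because the first pskb_may_pull(skb, sizeof(struct
ipv6hdr) + 8) sits to its left in the || and has already succeeded; the
comment explains the offsets but not this ordering. Say so in the
comment, or split the check into two if statements, so a later reordering
cannot introduce a read of an unpulled byte. The error path frees the skb
and returns -1, so every caller of ipv6_parse_hopopts() must treat skb as
gone on that return; that is worth stating in the function comment.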
--
From greg@blue.kroah.org Thu Apr 20 21:34:43 2006
Message-Id: <20060421043443.282051000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:04 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
netdev-core@vger.kernel.org,
yoshfuji@linux-ipv6.org,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 11/22] IPV6: XFRM: Dont use old copy of pointer after pskb_may_pull().
Content-Disposition: inline; filename=ipv6-xfrm-don-t-use-old-copy-of-pointer-after-pskb_may_pull.patch
Status: RO
Content-Length: 1004
Lines: 33
[IPV6] XFRM: Don't use old copy of pointer after pskb_may_pull().
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
---
net/ipv6/xfrm6_policy.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- linux-2.6.16.9.orig/net/ipv6/xfrm6_policy.c
+++ linux-2.6.16.9/net/ipv6/xfrm6_policy.c
@@ -193,7 +193,7 @@ _decode_session6(struct sk_buff *skb, st
{
u16 offset = sizeof(struct ipv6hdr);
struct ipv6hdr *hdr = skb->nh.ipv6h;
- struct ipv6_opt_hdr *exthdr = (struct ipv6_opt_hdr*)(skb->nh.raw + offset);
+ struct ipv6_opt_hdr *exthdr;
u8 nexthdr = skb->nh.ipv6h->nexthdr;
memset(fl, 0, sizeof(struct flowi));
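Review bot: exthdr is no longer computed up front, but hdr =
skb->nh.ipv6h two lines above it is still cached before the
pskb_may_pull() loop and is the same kind of pointer. It is used for the
address copy before the loop, which is fine; confirm it is not
dereferenced after the first pskb_may_pull(), or reload it the same way
exthdr is reloaded.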
@@ -201,6 +201,8 @@ _decode_session6(struct sk_buff *skb, st
ipv6_addr_copy(&fl->fl6_src, &hdr->saddr);
while (pskb_may_pull(skb, skb->nh.raw + offset + 1 - skb->data)) {
+ exthdr = (struct ipv6_opt_hdr*)(skb->nh.raw + offset);
+
switch (nexthdr) {
case NEXTHDR_ROUTING:
case NEXTHDR_HOP:
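Review bot: the loop condition pulls only up to skb->nh.raw + offset + 1,
that is, one byte of the extension header, yet exthdr is typed as a full
struct ipv6_opt_hdr. If the cases below read any field beyond the first
byte (the header length, for instance), the pull has to cover
sizeof(*exthdr) first. Reloading exthdr at the top of each iteration is
the right place; a one-line comment that pskb_may_pull() can move the
data would stop the assignment being hoisted back out of the loop.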
--
From greg@blue.kroah.org Thu Apr 20 21:34:43 2006
Message-Id: <20060421043443.480173000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:05 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
netdev-core@vger.kernel.org,
yoshfuji@linux-ipv6.org,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 12/22] IPV6: XFRM: Fix decoding session with preceding extension header(s).
Content-Disposition: inline; filename=ipv6-xfrm-fix-decoding-session-with-preceding-extension-header.patch
Status: RO
Content-Length: 1246
Lines: 38
[IPV6] XFRM: Fix decoding session with preceding extension header(s).
We did not correctly decode session with preceding extension
header(s). This was because we had already pulled preceding
headers, skb->nh.raw + 40 + 1 - skb->data was minus, and
pskb_may_pull() failed.
We now have IP6CB(skb)->nhoff and skb->h.raw, and we can
start parsing / decoding upper layer protocol from current
position.
Tracked down by Noriaki TAKAMIYA <takamiya@po.ntts.co.jp>
and tested by Kazunori Miyazawa <kazunori@miyazawa.org>.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/ipv6/xfrm6_policy.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- linux-2.6.16.9.orig/net/ipv6/xfrm6_policy.c
+++ linux-2.6.16.9/net/ipv6/xfrm6_policy.c
@@ -191,10 +191,10 @@ error:
static inline void
_decode_session6(struct sk_buff *skb, struct flowi *fl)
{
- u16 offset = sizeof(struct ipv6hdr);
+ u16 offset = skb->h.raw - skb->nh.raw;
struct ipv6hdr *hdr = skb->nh.ipv6h;
struct ipv6_opt_hdr *exthdr;
- u8 nexthdr = skb->nh.ipv6h->nexthdr;
+ u8 nexthdr = skb->nh.raw[IP6CB(skb)->nhoff];
memset(fl, 0, sizeof(struct flowi));
ipv6_addr_copy(&fl->fl6_dst, &hdr->daddr);
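Review bot: nexthdr is now read from skb->nh.raw[IP6CB(skb)->nhoff],
which trusts that the control block was filled in by earlier IPv6 input
processing on every path that reaches _decode_session6(); a stale or zero
nhoff silently yields the wrong byte. Document that precondition at the
top of the function. The pointer difference skb->h.raw - skb->nh.raw is
also stored in a u16 without a check that h.raw is at or after nh.raw, so
a comment or sanity check on that assumption would help.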
--
From greg@blue.kroah.org Thu Apr 20 21:34:41 2006
Message-Id: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:33:53 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk
Subject: [patch 00/22] 2.6.16-stable review cycle
Status: RO
Content-Length: 735
Lines: 17
This is the start of the stable review cycle for the 2.6.16.10 release.
There are 22 patches in this series, all will be posted as a response to
this one. If anyone has any issues with these being applied, please let
us know. If anyone is a maintainer of the proper subsystem, and wants
to add a signed-off-by: line to the patch, please respond with it.
These patches are sent out with a number of different people on the Cc:
line. If you wish to be a reviewer, please email stable@kernel.org to
add your name to the list. If you want to be off the reviewer list,
also email us.
Responses should be made by Sunday, April 23, 03:00:00 UTC. Anything
received after that time, might be too late.
thanks,
the -stable release team
From greg@blue.kroah.org Thu Apr 20 21:34:45 2006
Message-Id: <20060421043445.480513000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:15 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 22/22] Add more prevent_tail_call()
Content-Disposition: inline; filename=add-more-prevent_tail_call.patch
Status: RO
Content-Length: 4609
Lines: 144
From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
[PATCH] Add more prevent_tail_call()
Those also break userland regs like the following.
00000000 <sys_chown16>:
0: 0f b7 44 24 0c movzwl 0xc(%esp),%eax
5: 83 ca ff or $0xffffffff,%edx
8: 0f b7 4c 24 08 movzwl 0x8(%esp),%ecx
d: 66 83 f8 ff cmp $0xffffffff,%ax
11: 0f 44 c2 cmove %edx,%eax
14: 66 83 f9 ff cmp $0xffffffff,%cx
18: 0f 45 d1 cmovne %ecx,%edx
1b: 89 44 24 0c mov %eax,0xc(%esp)
1f: 89 54 24 08 mov %edx,0x8(%esp)
23: e9 fc ff ff ff jmp 24 <sys_chown16+0x24>
where the tailcall at the end overwrites the incoming stack-frame.
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
kernel/uid16.c | 59 ++++++++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 46 insertions(+), 13 deletions(-)
--- linux-2.6.16.9.orig/kernel/uid16.c
+++ linux-2.6.16.9/kernel/uid16.c
@@ -20,43 +20,67 @@
asmlinkage long sys_chown16(const char __user * filename, old_uid_t user, old_gid_t group)
{
- return sys_chown(filename, low2highuid(user), low2highgid(group));
+ long ret = sys_chown(filename, low2highuid(user), low2highgid(group));
+ /* avoid REGPARM breakage on x86: */
+ prevent_tail_call(ret);
+ return ret;
}
asmlinkage long sys_lchown16(const char __user * filename, old_uid_t user, old_gid_t group)
{
- return sys_lchown(filename, low2highuid(user), low2highgid(group));
+ long ret = sys_lchown(filename, low2highuid(user), low2highgid(group));
+ /* avoid REGPARM breakage on x86: */
+ prevent_tail_call(ret);
+ return ret;
}
asmlinkage long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group)
{
- return sys_fchown(fd, low2highuid(user), low2highgid(group));
+ long ret = sys_fchown(fd, low2highuid(user), low2highgid(group));
+ /* avoid REGPARM breakage on x86: */
+ prevent_tail_call(ret);
+ return ret;
}
asmlinkage long sys_setregid16(old_gid_t rgid, old_gid_t egid)
{
- return sys_setregid(low2highgid(rgid), low2highgid(egid));
+ long ret = sys_setregid(low2highgid(rgid), low2highgid(egid));
+ /* avoid REGPARM breakage on x86: */
+ prevent_tail_call(ret);
+ return ret;
}
asmlinkage long sys_setgid16(old_gid_t gid)
{
- return sys_setgid(low2highgid(gid));
+ long ret = sys_setgid(low2highgid(gid));
+ /* avoid REGPARM breakage on x86: */
+ prevent_tail_call(ret);
+ return ret;
}
asmlinkage long sys_setreuid16(old_uid_t ruid, old_uid_t euid)
{
- return sys_setreuid(low2highuid(ruid), low2highuid(euid));
+ long ret = sys_setreuid(low2highuid(ruid), low2highuid(euid));
+ /* avoid REGPARM breakage on x86: */
+ prevent_tail_call(ret);
+ return ret;
}
asmlinkage long sys_setuid16(old_uid_t uid)
{
- return sys_setuid(low2highuid(uid));
+ long ret = sys_setuid(low2highuid(uid));
+ /* avoid REGPARM breakage on x86: */
+ prevent_tail_call(ret);
+ return ret;
}
asmlinkage long sys_setresuid16(old_uid_t ruid, old_uid_t euid, old_uid_t suid)
{
- return sys_setresuid(low2highuid(ruid), low2highuid(euid),
- low2highuid(suid));
+ long ret = sys_setresuid(low2highuid(ruid), low2highuid(euid),
+ low2highuid(suid));
+ /* avoid REGPARM breakage on x86: */
+ prevent_tail_call(ret);
+ return ret;
}
asmlinkage long sys_getresuid16(old_uid_t __user *ruid, old_uid_t __user *euid, old_uid_t __user *suid)
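Review bot: the same three lines (assign ret, prevent_tail_call(ret),
return ret) are pasted into eight wrappers in this hunk with the comment
"avoid REGPARM breakage on x86", which does not say what breaks. The
changelog has the real reason, that the tail call overwrites the incoming
stack frame and so the userland registers; put that once in a comment at
the top of the file or in a small wrapper macro, so new 16-bit wrappers
do not reintroduce a bare return sys_xxx(...).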
@@ -72,8 +96,11 @@ asmlinkage long sys_getresuid16(old_uid_
asmlinkage long sys_setresgid16(old_gid_t rgid, old_gid_t egid, old_gid_t sgid)
{
- return sys_setresgid(low2highgid(rgid), low2highgid(egid),
- low2highgid(sgid));
+ long ret = sys_setresgid(low2highgid(rgid), low2highgid(egid),
+ low2highgid(sgid));
+ /* avoid REGPARM breakage on x86: */
+ prevent_tail_call(ret);
+ return ret;
}
asmlinkage long sys_getresgid16(old_gid_t __user *rgid, old_gid_t __user *egid, old_gid_t __user *sgid)
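Review bot: sys_getresuid16() and sys_getresgid16(), visible here only as
context, are left unchanged, and the changelog does not say why. If they
are safe because they do not end in a call to another sys_ function, say
so in the changelog; otherwise they need the same prevent_tail_call()
treatment as sys_setresgid16().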
@@ -89,12 +116,18 @@ asmlinkage long sys_getresgid16(old_gid_
asmlinkage long sys_setfsuid16(old_uid_t uid)
{
- return sys_setfsuid(low2highuid(uid));
+ long ret = sys_setfsuid(low2highuid(uid));
+ /* avoid REGPARM breakage on x86: */
+ prevent_tail_call(ret);
+ return ret;
}
asmlinkage long sys_setfsgid16(old_gid_t gid)
{
- return sys_setfsgid(low2highgid(gid));
+ long ret = sys_setfsgid(low2highgid(gid));
+ /* avoid REGPARM breakage on x86: */
+ prevent_tail_call(ret);
+ return ret;
}
static int groups16_to_user(old_gid_t __user *grouplist,
--
From greg@blue.kroah.org Thu Apr 20 21:34:45 2006
Message-Id: <20060421043445.281372000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:14 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
Bartlomiej Zolnierkiewicz <B.Zolnierkiewicz@elka.pw.edu.pl>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 21/22] alim15x3: ULI M-1573 south Bridge support
Content-Disposition: inline; filename=alim15x3-uli-m-1573-south-bridge-support.patch
Status: RO
Content-Length: 1181
Lines: 36
From: KAI.HSU <windsboy@gmail.com>
[PATCH] alim15x3: ULI M-1573 south Bridge support
From http://bugzilla.kernel.org/show_bug.cgi?id=6358
The alim15x3.c hasn't been updated for 3 years. Recently, when we used this
"ULI M1573" south bridge chip, we found that it can't mount CDROM(VCD) smoothly
and must wait for a long time. After I checked the "ULI M1573" south bridge
datasheet, I found the reason. The reason is that the "ULI M1573" version in
Linux is "0xC7", not "0xC4" anymore. So I modified the source and then it
succeeded.
Cc: Bartlomiej Zolnierkiewicz <B.Zolnierkiewicz@elka.pw.edu.pl>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/ide/pci/alim15x3.c | 2 ++
1 file changed, 2 insertions(+)
--- linux-2.6.16.9.orig/drivers/ide/pci/alim15x3.c
+++ linux-2.6.16.9/drivers/ide/pci/alim15x3.c
@@ -731,6 +731,8 @@ static unsigned int __devinit ata66_ali1
if(m5229_revision <= 0x20)
tmpbyte = (tmpbyte & (~0x02)) | 0x01;
+ else if (m5229_revision == 0xc7)
+ tmpbyte |= 0x03;
else
tmpbyte |= 0x01;
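Review bot: the new "else if (m5229_revision == 0xc7)" branch and its "tmpbyte |= 0x03" use bare constants, so a reader cannot tell which chip the revision belongs to or what the second bit enables compared with the 0x01 set in the final else. A comment naming the ULI M1573 and the meaning of bit 1, or named constants for both values, would document it. The test also matches exactly one revision; if later M1573 steppings need the same setting, this comparison will have to be revisited.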
--
From greg@blue.kroah.org Thu Apr 20 21:34:45 2006
Message-Id: <20060421043445.070980000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:13 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
Samuel Thibault <samuel.thibault@ens-lyon.org>,
"Jordan Crouse" <jordan.crouse@amd.com>,
Zachary Amsden <zach@vmware.com>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 20/22] apm: fix Armada laptops again
Content-Disposition: inline; filename=apm-fix-armada-laptops-again.patch
Status: RO
Content-Length: 1228
Lines: 39
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
[PATCH] apm: fix Armada laptops again
Fix the "apm: set display: Interface not engaged" error on Armada laptops
again.
Jordan said:
I think this is fine. It seems to me that this may be the fault of one or
both of the APM solutions handling this situation in a non-standard way, but
since APM is used very little on the Geode, and I have direct access to our
BIOS folks, if this problem comes up with a customer again, we'll solve it
from the firmware.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Cc: "Jordan Crouse" <jordan.crouse@amd.com>
Cc: Zachary Amsden <zach@vmware.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/i386/kernel/apm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.16.9.orig/arch/i386/kernel/apm.c
+++ linux-2.6.16.9/arch/i386/kernel/apm.c
@@ -1081,7 +1081,7 @@ static int apm_console_blank(int blank)
break;
}
- if (error == APM_NOT_ENGAGED && state != APM_STATE_READY) {
+ if (error == APM_NOT_ENGAGED) {
static int tried;
int eng_error;
if (tried++ == 0) {
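Review bot: with "state != APM_STATE_READY" dropped from the test, the engage-and-retry path under "if (error == APM_NOT_ENGAGED)" now runs for every requested state, and nothing in the code records why the narrower condition was wrong. The subject says "again", which suggests this test has been adjusted before; a short comment above it naming the Armada case and the Geode concern mentioned in the changelog would make it harder for the extra condition to be reintroduced.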
--
From greg@blue.kroah.org Thu Apr 20 21:34:45 2006
Message-Id: <20060421043444.873698000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:12 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
Antonino Daplas <adaplas@pol.net>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 19/22] fbdev: Fix return error of fb_write
Content-Disposition: inline; filename=fbdev-fix-return-error-of-fb_write.patch
Status: RO
Content-Length: 1422
Lines: 58
From: Antonino A. Daplas <adaplas@gmail.com>
[PATCH] fbdev: Fix return error of fb_write
Fix return code of fb_write():
If at least 1 byte was transferred to the device, return number of bytes,
otherwise:
- return -EFBIG - if file offset is past the maximum allowable offset or
size is greater than framebuffer length
- return -ENOSPC - if size is greater than framebuffer length - offset
Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/video/fbmem.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- linux-2.6.16.9.orig/drivers/video/fbmem.c
+++ linux-2.6.16.9/drivers/video/fbmem.c
@@ -669,13 +669,19 @@ fb_write(struct file *file, const char _
total_size = info->fix.smem_len;
if (p > total_size)
- return 0;
+ return -EFBIG;
- if (count >= total_size)
+ if (count > total_size) {
+ err = -EFBIG;
count = total_size;
+ }
+
+ if (count + p > total_size) {
+ if (!err)
+ err = -ENOSPC;
- if (count + p > total_size)
count = total_size - p;
+ }
buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count,
GFP_KERNEL);
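Review bot: "if (p > total_size)" lets p == total_size through, after which the last block sets count to total_size - p, that is 0, and kmalloc() is called with a zero size. An explicit early return of -ENOSPC when count ends up 0 would keep the result independent of how a zero-length allocation behaves. The "if (!err)" test also relies on err having been initialised to 0 before this point, which is outside the hunk and worth confirming.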
@@ -717,7 +723,7 @@ fb_write(struct file *file, const char _
kfree(buffer);
- return (err) ? err : cnt;
+ return (cnt) ? cnt : err;
}
#ifdef CONFIG_KMOD
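Review bot: "return (cnt) ? cnt : err;" now prefers the byte count, so any error recorded in err after a partial transfer is dropped without trace. That matches the short-write convention described in the changelog, but the reversal from the old "(err) ? err : cnt" is easy to misread as a typo; a one-line comment above the return stating that a partial write reports the bytes transferred and the error is only returned when nothing was written would make the intent explicit.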
--
From greg@blue.kroah.org Thu Apr 20 21:34:44 2006
Message-Id: <20060421043444.675198000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:11 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
Dipankar Sarma <dipankar@in.ibm.com>,
"Paul E. McKenney" <paulmck@us.ibm.com>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 18/22] Fix file lookup without ref
Content-Disposition: inline; filename=fix-file-lookup-without-ref.patch
Content-Length: 3707
Lines: 132
From: Dipankar Sarma <dipankar@in.ibm.com>
[PATCH] Fix file lookup without ref
There are places in the kernel where we look up files in fd tables and
access the file structure without holding references to the file. So, we
need special care to avoid the race between looking up files in the fd
table and tearing down of the file in another CPU. Otherwise, one might
see a NULL f_dentry or such torn down version of the file. This patch
fixes those special places where such a race may happen.
Signed-off-by: Dipankar Sarma <dipankar@in.ibm.com>
Acked-by: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/char/tty_io.c | 8 ++++++--
fs/locks.c | 9 +++++++--
fs/proc/base.c | 21 +++++++++++++++------
3 files changed, 28 insertions(+), 10 deletions(-)
--- linux-2.6.16.9.orig/drivers/char/tty_io.c
+++ linux-2.6.16.9/drivers/char/tty_io.c
@@ -2706,7 +2706,11 @@ static void __do_SAK(void *arg)
}
task_lock(p);
if (p->files) {
- rcu_read_lock();
+ /*
+ * We don't take a ref to the file, so we must
+ * hold ->file_lock instead.
+ */
+ spin_lock(&p->files->file_lock);
fdt = files_fdtable(p->files);
for (i=0; i < fdt->max_fds; i++) {
filp = fcheck_files(p->files, i);
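Review bot: "spin_lock(&p->files->file_lock)" is taken while task_lock(p) is already held, and the whole fd loop that follows now runs under that spinlock instead of an RCU read section. The added comment explains why the lock is needed but not the nesting order; it would help to state that file_lock nests inside task_lock here, and to confirm that nothing called from the loop body can sleep or take file_lock itself.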
@@ -2721,7 +2725,7 @@ static void __do_SAK(void *arg)
break;
}
}
- rcu_read_unlock();
+ spin_unlock(&p->files->file_lock);
}
task_unlock(p);
} while_each_task_pid(session, PIDTYPE_SID, p);
--- linux-2.6.16.9.orig/fs/locks.c
+++ linux-2.6.16.9/fs/locks.c
@@ -2212,7 +2212,12 @@ void steal_locks(fl_owner_t from)
lock_kernel();
j = 0;
- rcu_read_lock();
+
+ /*
+ * We are not taking a ref to the file structures, so
+ * we need to acquire ->file_lock.
+ */
+ spin_lock(&files->file_lock);
fdt = files_fdtable(files);
for (;;) {
unsigned long set;
@@ -2230,7 +2235,7 @@ void steal_locks(fl_owner_t from)
set >>= 1;
}
}
- rcu_read_unlock();
+ spin_unlock(&files->file_lock);
unlock_kernel();
}
EXPORT_SYMBOL(steal_locks);
--- linux-2.6.16.9.orig/fs/proc/base.c
+++ linux-2.6.16.9/fs/proc/base.c
@@ -294,16 +294,20 @@ static int proc_fd_link(struct inode *in
files = get_files_struct(task);
if (files) {
- rcu_read_lock();
+ /*
+ * We are not taking a ref to the file structure, so we must
+ * hold ->file_lock.
+ */
+ spin_lock(&files->file_lock);
file = fcheck_files(files, fd);
if (file) {
*mnt = mntget(file->f_vfsmnt);
*dentry = dget(file->f_dentry);
- rcu_read_unlock();
+ spin_unlock(&files->file_lock);
put_files_struct(files);
return 0;
}
- rcu_read_unlock();
+ spin_unlock(&files->file_lock);
put_files_struct(files);
}
return -ENOENT;
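Review bot: in proc_fd_link() the pair "spin_unlock(&files->file_lock); put_files_struct(files);" now appears on both the found and the not-found path, so the lock is released in two places within a few lines. Setting a return value inside "if (file)" and falling through to a single unlock and put_files_struct() would leave one release site and make it harder for a later change to return with file_lock held.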
@@ -1485,7 +1489,12 @@ static struct dentry *proc_lookupfd(stru
if (!files)
goto out_unlock;
inode->i_mode = S_IFLNK;
- rcu_read_lock();
+
+ /*
+ * We are not taking a ref to the file structure, so we must
+ * hold ->file_lock.
+ */
+ spin_lock(&files->file_lock);
file = fcheck_files(files, fd);
if (!file)
goto out_unlock2;
@@ -1493,7 +1502,7 @@ static struct dentry *proc_lookupfd(stru
inode->i_mode |= S_IRUSR | S_IXUSR;
if (file->f_mode & 2)
inode->i_mode |= S_IWUSR | S_IXUSR;
- rcu_read_unlock();
+ spin_unlock(&files->file_lock);
put_files_struct(files);
inode->i_op = &proc_pid_link_inode_operations;
inode->i_size = 64;
@@ -1503,7 +1512,7 @@ static struct dentry *proc_lookupfd(stru
return NULL;
out_unlock2:
- rcu_read_unlock();
+ spin_unlock(&files->file_lock);
put_files_struct(files);
out_unlock:
iput(inode);
--
From greg@blue.kroah.org Thu Apr 20 21:34:44 2006
Message-Id: <20060421043444.476739000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:10 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
Kirill Korotaev <dev@openvz.org>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 17/22] IPC: access to unmapped vmalloc area in grow_ary()
Content-Disposition: inline; filename=ipc-access-to-unmapped-vmalloc-area-in-grow_ary.patch
Content-Length: 1010
Lines: 33
From Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
[PATCH] IPC: access to unmapped vmalloc area in grow_ary()
grow_ary() should not copy struct ipc_id_ary (it copies new->p, not
new). Due to this, memcpy() src pointer could hit unmapped vmalloc page
when near page boundary.
Found during OpenVZ stress testing
Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
ipc/util.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- linux-2.6.16.9.orig/ipc/util.c
+++ linux-2.6.16.9/ipc/util.c
@@ -182,8 +182,7 @@ static int grow_ary(struct ipc_ids* ids,
if(new == NULL)
return size;
new->size = newsize;
- memcpy(new->p, ids->entries->p, sizeof(struct kern_ipc_perm *)*size +
- sizeof(struct ipc_id_ary));
+ memcpy(new->p, ids->entries->p, sizeof(struct kern_ipc_perm *)*size);
for(i=size;i<newsize;i++) {
new->p[i] = NULL;
}
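Review bot: the length in the new memcpy() is still written out by hand as "sizeof(struct kern_ipc_perm *)*size", separate from the declaration of new->p. Writing it as sizeof(new->p[0]) * size would keep it tied to the element type, and a one-line comment that only the pointer array is copied, not the struct ipc_id_ary header, would guard against the extra term coming back.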
--
From greg@blue.kroah.org Thu Apr 20 21:34:44 2006
Message-Id: <20060421043444.279180000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:09 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
David Barksdale <amatus@ocgnet.org>,
Jean Delvare <khali@linux-fr.org>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 16/22] m41t00: fix bitmasks when writing to chip
Content-Disposition: inline; filename=m41t00-fix-bitmasks-when-writing-to-chip.patch
Content-Length: 1649
Lines: 42
From: David Barksdale <amatus@ocgnet.org>
[PATCH] m41t00: fix bitmasks when writing to chip
Fix the bitmasks used when writing to the M41T00 registers.
The original code used a mask of 0x7f when writing to each register,
this is incorrect and probably the result of a copy-paste error. As a
result years from 1980 to 1999 will be read back as 2000 to 2019.
Signed-off-by: David Barksdale <amatus@ocgnet.org>
Acked-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/i2c/chips/m41t00.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- linux-2.6.16.9.orig/drivers/i2c/chips/m41t00.c
+++ linux-2.6.16.9/drivers/i2c/chips/m41t00.c
@@ -129,13 +129,13 @@ m41t00_set_tlet(ulong arg)
if ((i2c_smbus_write_byte_data(save_client, 0, tm.tm_sec & 0x7f) < 0)
|| (i2c_smbus_write_byte_data(save_client, 1, tm.tm_min & 0x7f)
< 0)
- || (i2c_smbus_write_byte_data(save_client, 2, tm.tm_hour & 0x7f)
+ || (i2c_smbus_write_byte_data(save_client, 2, tm.tm_hour & 0x3f)
< 0)
- || (i2c_smbus_write_byte_data(save_client, 4, tm.tm_mday & 0x7f)
+ || (i2c_smbus_write_byte_data(save_client, 4, tm.tm_mday & 0x3f)
< 0)
- || (i2c_smbus_write_byte_data(save_client, 5, tm.tm_mon & 0x7f)
+ || (i2c_smbus_write_byte_data(save_client, 5, tm.tm_mon & 0x1f)
< 0)
- || (i2c_smbus_write_byte_data(save_client, 6, tm.tm_year & 0x7f)
+ || (i2c_smbus_write_byte_data(save_client, 6, tm.tm_year & 0xff)
< 0))
dev_warn(&save_client->dev,"m41t00: can't write to rtc chip\n");
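Review bot: the masks on registers 2, 4, 5 and 6 become 0x3f, 0x3f, 0x1f and 0xff while registers 0 and 1 keep 0x7f, and none of them carries a name or a comment saying which bits of each register are data and which are being cleared. The changelog blames the original bug on copy-paste of 0x7f; named per-register mask constants, or a comment per line giving the field width from the datasheet, would let the next reader check each value instead of trusting it.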
--
From greg@blue.kroah.org Thu Apr 20 21:34:44 2006
Message-Id: <20060421043444.072702000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:08 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
Corey Minyard <minyard@acm.org>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 15/22] Open IPMI BT overflow
Content-Disposition: inline; filename=open-ipmi-bt-overflow.patch
Content-Length: 1188
Lines: 38
From: Heikki Orsila <shd@jolt.modeemi.cs.tut.fi>
[PATCH] Open IPMI BT overflow
I was looking into random driver code and found a suspicious looking
memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:
    if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
        return -1;
    ...
    memcpy(bt->write_data + 3, data + 1, size - 1);
where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH. It looks like the
memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH. A patch
attached to limit size to (IPMI_MAX_LENGTH - 2).
Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/char/ipmi/ipmi_bt_sm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.16.9.orig/drivers/char/ipmi/ipmi_bt_sm.c
+++ linux-2.6.16.9/drivers/char/ipmi/ipmi_bt_sm.c
@@ -165,7 +165,7 @@ static int bt_start_transaction(struct s
{
unsigned int i;
- if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
+ if ((size < 2) || (size > (IPMI_MAX_MSG_LENGTH - 2)))
return -1;
if ((bt->state != BT_STATE_IDLE) && (bt->state != BT_STATE_HOSED))
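Review bot: the 2 in "size > (IPMI_MAX_MSG_LENGTH - 2)" comes from the memcpy() quoted in the changelog (destination offset 3, length size - 1), but nothing at the check says so. A comment here, or a bound written in terms of sizeof(bt->write_data), would keep the check and the copy in step if either the offset or the buffer size changes later.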
--
From greg@blue.kroah.org Thu Apr 20 21:34:44 2006
Message-Id: <20060421043443.874934000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:07 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 14/22] x86: be careful about tailcall breakage for sys_opentoo
Content-Disposition: inline; filename=x86-be-careful-about-tailcall-breakage-for-sys_open-too.patch
Content-Length: 2045
Lines: 74
From: Linus Torvalds <torvalds@osdl.org>
x86: be careful about tailcall breakage for sys_open[at] too
Came up through a quick grep for other cases similar to the ftruncate()
one in commit 0a489cb3b6a7b277030cdbc97c2c65905db94536.
Also, add a comment, so that people who read the code understand why we
do what looks like a no-op.
(Again, this won't actually matter to any sane user, since libc will
save and restore the register gcc stomps on, but it's still wrong to
stomp on it)
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/open.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- linux-2.6.16.9.orig/fs/open.c
+++ linux-2.6.16.9/fs/open.c
@@ -331,6 +331,7 @@ out:
asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length)
{
long ret = do_sys_ftruncate(fd, length, 1);
+ /* avoid REGPARM breakage on x86: */
prevent_tail_call(ret);
return ret;
}
@@ -345,6 +346,7 @@ asmlinkage long sys_truncate64(const cha
asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length)
{
long ret = do_sys_ftruncate(fd, length, 0);
+ /* avoid REGPARM breakage on x86: */
prevent_tail_call(ret);
return ret;
}
@@ -1087,20 +1089,30 @@ long do_sys_open(int dfd, const char __u
asmlinkage long sys_open(const char __user *filename, int flags, int mode)
{
+ long ret;
+
if (force_o_largefile())
flags |= O_LARGEFILE;
- return do_sys_open(AT_FDCWD, filename, flags, mode);
+ ret = do_sys_open(AT_FDCWD, filename, flags, mode);
+ /* avoid REGPARM breakage on x86: */
+ prevent_tail_call(ret);
+ return ret;
}
EXPORT_SYMBOL_GPL(sys_open);
asmlinkage long sys_openat(int dfd, const char __user *filename, int flags,
int mode)
{
+ long ret;
+
if (force_o_largefile())
flags |= O_LARGEFILE;
- return do_sys_open(dfd, filename, flags, mode);
+ ret = do_sys_open(dfd, filename, flags, mode);
+ /* avoid REGPARM breakage on x86: */
+ prevent_tail_call(ret);
+ return ret;
}
EXPORT_SYMBOL_GPL(sys_openat);
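Review bot: the comment added in sys_open() and sys_openat(), "avoid REGPARM breakage on x86:", names the build option but not the failure. The changelog of the ftruncate fix describes it as gcc reusing the caller-set-up argument stack of an asmlinkage function when it tail-calls; saying that in the comment, or pointing to the definition of prevent_tail_call(), would tell a reader why the apparent no-op must stay.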
--
From greg@blue.kroah.org Thu Apr 20 21:34:43 2006
Message-Id: <20060421043443.678092000@blue.kroah.org>
References: <20060421043353.602539000@blue.kroah.org>
User-Agent: quilt/0.44-1
Date: Thu, 20 Apr 2006 21:34:06 -0700
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 13/22] x86: dont allow tail-calls in sys_ftruncate()
Content-Disposition: inline; filename=x86-don-t-allow-tail-calls-in-sys_ftruncate.patch
Content-Length: 1669
Lines: 53
From: Linus Torvalds <torvalds@osdl.org>
x86: don't allow tail-calls in sys_ftruncate[64]()
Gcc thinks it owns the incoming argument stack, but that's not true for
"asmlinkage" functions, and it corrupts the caller-set-up argument stack
when it pushes the third argument onto the stack. Which can result in
%ebx getting corrupted in user space.
Now, normally nobody sane would ever notice, since libc will save and
restore %ebx anyway over the system call, but it's still wrong.
I'd much rather have "asmlinkage" tell gcc directly that it doesn't own
the stack, but no such attribute exists, so we're stuck with our hacky
manual "prevent_tail_call()" macro once more (we've had the same issue
before with sys_waitpid() and sys_wait4()).
Thanks to Hans-Werner Hilse <hilse@sub.uni-goettingen.de> for reporting
the issue and testing the fix.
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/open.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- linux-2.6.16.9.orig/fs/open.c
+++ linux-2.6.16.9/fs/open.c
@@ -330,7 +330,9 @@ out:
asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length)
{
- return do_sys_ftruncate(fd, length, 1);
+ long ret = do_sys_ftruncate(fd, length, 1);
+ prevent_tail_call(ret);
+ return ret;
}
/* LFS versions of truncate are only needed on 32 bit machines */
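Review bot: "prevent_tail_call(ret);" is added to sys_ftruncate() with no comment, so the new body reads as a needless temporary around a plain return and is an obvious target for a later cleanup. A one-line comment above the call stating that the tail call must be suppressed because gcc does not own the argument stack of an asmlinkage function would protect the fix.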
@@ -342,7 +344,9 @@ asmlinkage long sys_truncate64(const cha
asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length)
{
- return do_sys_ftruncate(fd, length, 0);
+ long ret = do_sys_ftruncate(fd, length, 0);
+ prevent_tail_call(ret);
+ return ret;
}
#endif
--