| From gregkh@mini.kroah.org Wed Sep 3 10:30:02 2008 |
| Message-Id: <20080903173001.983687600@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:28:50 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org, |
| jejb@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| Yinghai Lu <yhlu.kernel@gmail.com>, |
| Ingo Molnar <mingo@elte.hu> |
| Subject: [patch 01/16] x86: work around MTRR mask setting |
| Content-Disposition: inline; filename=x86-work-around-mtrr-mask-setting.patch |
| Content-Length: 2600 |
| Lines: 73 |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| |
| From: Yinghai Lu <yhlu.kernel@gmail.com> |
| |
| commit 38cc1c3df77c1bb739a4766788eb9fa49f16ffdf upstream |
| |
| Joshua Hoblitt reported that only 3 GB of his 16 GB of RAM is |
| usable. Booting with mtrr_show showed us the BIOS-initialized |
| MTRR settings - which are all wrong. |
| |
| So the root cause is that the BIOS has not set the mask correctly: |
| |
| > [ 0.429971] MSR00000200: 00000000d0000000 |
| > [ 0.433305] MSR00000201: 0000000ff0000800 |
| > should be ==> [ 0.433305] MSR00000201: 0000003ff0000800 |
| > |
| > [ 0.436638] MSR00000202: 00000000e0000000 |
| > [ 0.439971] MSR00000203: 0000000fe0000800 |
| > should be ==> [ 0.439971] MSR00000203: 0000003fe0000800 |
| > |
| > [ 0.443304] MSR00000204: 0000000000000006 |
| > [ 0.446637] MSR00000205: 0000000c00000800 |
| > should be ==> [ 0.446637] MSR00000205: 0000003c00000800 |
| > |
| > [ 0.449970] MSR00000206: 0000000400000006 |
| > [ 0.453303] MSR00000207: 0000000fe0000800 |
| > should be ==> [ 0.453303] MSR00000207: 0000003fe0000800 |
| > |
| > [ 0.456636] MSR00000208: 0000000420000006 |
| > [ 0.459970] MSR00000209: 0000000ff0000800 |
| > should be ==> [ 0.459970] MSR00000209: 0000003ff0000800 |
| |
| So detect this borkage and add the prefix 111. |
| |
| Signed-off-by: Yinghai Lu <yhlu.kernel@gmail.com> |
| Signed-off-by: Ingo Molnar <mingo@elte.hu> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| arch/x86/kernel/cpu/mtrr/generic.c | 15 +++++++++++++-- |
| 1 file changed, 13 insertions(+), 2 deletions(-) |
| |
| --- a/arch/x86/kernel/cpu/mtrr/generic.c |
| +++ b/arch/x86/kernel/cpu/mtrr/generic.c |
| @@ -229,6 +229,7 @@ static void generic_get_mtrr(unsigned in |
| unsigned long *size, mtrr_type *type) |
| { |
| unsigned int mask_lo, mask_hi, base_lo, base_hi; |
| + unsigned int tmp, hi; |
| |
| rdmsr(MTRRphysMask_MSR(reg), mask_lo, mask_hi); |
| if ((mask_lo & 0x800) == 0) { |
| @@ -242,8 +243,18 @@ static void generic_get_mtrr(unsigned in |
| rdmsr(MTRRphysBase_MSR(reg), base_lo, base_hi); |
| |
| /* Work out the shifted address mask. */ |
| - mask_lo = size_or_mask | mask_hi << (32 - PAGE_SHIFT) |
| - | mask_lo >> PAGE_SHIFT; |
| + tmp = mask_hi << (32 - PAGE_SHIFT) | mask_lo >> PAGE_SHIFT; |
| + mask_lo = size_or_mask | tmp; |
| + /* Expand tmp with high bits to all 1s*/ |
| + hi = fls(tmp); |
| + if (hi > 0) { |
| + tmp |= ~((1<<(hi - 1)) - 1); |
| + |
| + if (tmp != mask_lo) { |
| + WARN_ON("mtrr: your BIOS has set up an incorrect mask, fixing it up.\n"); |
| + mask_lo = tmp; |
| + } |
| + } |
| |
| /* This works correctly if size is a power of two, i.e. a |
| contiguous range. */ |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:02 2008 |
| Message-Id: <20080903173002.161917235@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:28:51 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org, |
| jejb@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| Alexey Dobriyan <adobriyan@gmail.com> |
| Subject: [patch 02/16] USB: cdc-acm: dont unlock acm->mutex on error path |
| Content-Disposition: inline; filename=usb-cdc-acm-don-t-unlock-acm-mutex-on-error-path.patch |
| Content-Length: 983 |
| Lines: 35 |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| From: Alexey Dobriyan <adobriyan@gmail.com> |
| |
| commit 74573ee7096a4ffc2f098108d21c85801b9c7434 upstream |
| |
| On Wed, Jul 23, 2008 at 03:52:36PM +0300, Andrei Popa wrote: |
| > I installed gnokii-0.6.22-r2 and gave the command "gnokii --identify" |
| > and the kernel oopsed: |
| > |
| > BUG: unable to handle kernel NULL pointer dereference at 00000458 |
| > IP: [<c0444b52>] mutex_unlock+0x0/0xb |
| > [<c03830ae>] acm_tty_open+0x4c/0x214 |
| |
| Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> |
| Tested-by: Andrei Popa <andrei.popa@i-neo.ro> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/usb/class/cdc-acm.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/usb/class/cdc-acm.c |
| +++ b/drivers/usb/class/cdc-acm.c |
| @@ -531,8 +531,8 @@ static int acm_tty_open(struct tty_struc |
| tasklet_schedule(&acm->urb_task); |
| |
| done: |
| -err_out: |
| mutex_unlock(&acm->mutex); |
| +err_out: |
| mutex_unlock(&open_mutex); |
| return rv; |
| |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:02 2008 |
| Message-Id: <20080903173002.305624746@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:28:52 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| linux-nfs@vger.kernel.org, |
| Greg Banks <gnb@sgi.com>, |
| Neil Brown <neilb@suse.de>, |
| "J. Bruce Fields" <bfields@citi.umich.edu>, |
| Tom Tucker <tom@opengridcomputing.com>, |
| Ingo Oeser <ioe-lkml@rameria.de>, |
| Cyrill Gorcunov <gorcunov@gmail.com>, |
| Chuck Lever <chuck.lever@oracle.com> |
| Subject: [patch 03/16] sunrpc: fix possible overrun on read of /proc/sys/sunrpc/transports |
| Content-Disposition: inline; filename=sunrpc-fix-possible-overrun-on-read-of-proc-sys-sunrpc-transports.patch |
| Content-Length: 2136 |
| Lines: 74 |
| |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| From: Cyrill Gorcunov <gorcunov@gmail.com> |
| |
| commit 27df6f25ff218072e0e879a96beeb398a79cdbc8 upstream |
| |
| Vegard Nossum reported |
| ---------------------- |
| > I noticed that something weird is going on with /proc/sys/sunrpc/transports. |
| > This file is generated in net/sunrpc/sysctl.c, function proc_do_xprt(). When |
| > I "cat" this file, I get the expected output: |
| > $ cat /proc/sys/sunrpc/transports |
| > tcp 1048576 |
| > udp 32768 |
| |
| > But I think that it does not check the length of the buffer supplied by |
| > userspace to read(). With my original program, I found that the stack was |
| > being overwritten by the characters above, even when the length given to |
| > read() was just 1. |
| |
| David Wagner added (among other things) that copy_to_user could be |
| probably used here. |
| |
| Ingo Oeser suggested to use simple_read_from_buffer() here. |
| |
| The conclusion is that proc_do_xprt doesn't check for userside buffer |
| size indeed so fix this by using Ingo's suggestion. |
| |
| Reported-by: Vegard Nossum <vegard.nossum@gmail.com> |
| Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com> |
| CC: Ingo Oeser <ioe-lkml@rameria.de> |
| Cc: Neil Brown <neilb@suse.de> |
| Cc: Chuck Lever <chuck.lever@oracle.com> |
| Cc: Greg Banks <gnb@sgi.com> |
| Cc: Tom Tucker <tom@opengridcomputing.com> |
| Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/sunrpc/sysctl.c | 18 ++++-------------- |
| 1 file changed, 4 insertions(+), 14 deletions(-) |
| |
| --- a/net/sunrpc/sysctl.c |
| +++ b/net/sunrpc/sysctl.c |
| @@ -60,24 +60,14 @@ static int proc_do_xprt(ctl_table *table |
| void __user *buffer, size_t *lenp, loff_t *ppos) |
| { |
| char tmpbuf[256]; |
| - int len; |
| + size_t len; |
| + |
| if ((*ppos && !write) || !*lenp) { |
| *lenp = 0; |
| return 0; |
| } |
| - if (write) |
| - return -EINVAL; |
| - else { |
| - len = svc_print_xprts(tmpbuf, sizeof(tmpbuf)); |
| - if (!access_ok(VERIFY_WRITE, buffer, len)) |
| - return -EFAULT; |
| - |
| - if (__copy_to_user(buffer, tmpbuf, len)) |
| - return -EFAULT; |
| - } |
| - *lenp -= len; |
| - *ppos += len; |
| - return 0; |
| + len = svc_print_xprts(tmpbuf, sizeof(tmpbuf)); |
| + return simple_read_from_buffer(buffer, *lenp, ppos, tmpbuf, len); |
| } |
| |
| static int |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:02 2008 |
| Message-Id: <20080903173002.470960355@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:28:53 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| Marcus Sundberg <marcus@ingate.com>, |
| Jeff Garzik <jgarzik@redhat.com>, |
| Francois Romieu <romieu@fr.zoreil.com>, |
| Edward Hsu <edward_hsu@realtek.com.tw> |
| Subject: [patch 04/16] r8169: balance pci_map / pci_unmap pair |
| Content-Disposition: inline; filename=r8169-balance-pci_map-pci_unmap-pair.patch |
| Content-Length: 1047 |
| Lines: 34 |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| From: Francois Romieu <romieu@fr.zoreil.com> |
| |
| commit a866bbf6aacf95f849810079442a20be118ce905 upstream |
| |
| The leak hurts with swiotlb and jumbo frames. |
| |
| Fix http://bugzilla.kernel.org/show_bug.cgi?id=9468. |
| |
| Heavily hinted by Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>. |
| |
| Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> |
| Tested-by: Alistair John Strachan <alistair@devzero.co.uk> |
| Tested-by: Timothy J Fontaine <tjfontaine@atxconsulting.com> |
| Cc: Edward Hsu <edward_hsu@realtek.com.tw> |
| Signed-off-by: Jeff Garzik <jgarzik@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/net/r8169.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/net/r8169.c |
| +++ b/drivers/net/r8169.c |
| @@ -2822,7 +2822,7 @@ static int rtl8169_rx_interrupt(struct n |
| pkt_size, PCI_DMA_FROMDEVICE); |
| rtl8169_mark_to_asic(desc, tp->rx_buf_sz); |
| } else { |
| - pci_unmap_single(pdev, addr, pkt_size, |
| + pci_unmap_single(pdev, addr, tp->rx_buf_sz, |
| PCI_DMA_FROMDEVICE); |
| tp->Rx_skbuff[entry] = NULL; |
| } |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:02 2008 |
| Message-Id: <20080903173002.635790941@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:28:54 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| linux-nfs@vger.kernel.org, |
| "J. Bruce Fields" <bfields@citi.umich.edu>, |
| David Richter <richterd@citi.umich.edu> |
| Subject: [patch 05/16] nfsd: fix buffer overrun decoding NFSv4 acl |
| Content-Disposition: inline; filename=nfsd-fix-buffer-overrun-decoding-nfsv4-acl.patch |
| Content-Length: 868 |
| Lines: 30 |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| From: J. Bruce Fields <bfields@citi.umich.edu> |
| |
| commit 91b80969ba466ba4b915a4a1d03add8c297add3f upstream |
| |
| The array we kmalloc() here is not large enough. |
| |
| Thanks to Johann Dahm and David Richter for bug report and testing. |
| |
| Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> |
| Cc: David Richter <richterd@citi.umich.edu> |
| Tested-by: Johann Dahm <jdahm@umich.edu> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| fs/nfsd/nfs4acl.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/fs/nfsd/nfs4acl.c |
| +++ b/fs/nfsd/nfs4acl.c |
| @@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state |
| * enough space for either: |
| */ |
| alloc = sizeof(struct posix_ace_state_array) |
| - + cnt*sizeof(struct posix_ace_state); |
| + + cnt*sizeof(struct posix_user_ace_state); |
| state->users = kzalloc(alloc, GFP_KERNEL); |
| if (!state->users) |
| return -ENOMEM; |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:02 2008 |
| Message-Id: <20080903173002.807673190@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:28:55 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org, |
| jejb@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| Adam Litke <agl@us.ibm.com>, |
| Mel Gorman <mel@csn.ul.ie>, |
| Dave Hansen <dave@linux.vnet.ibm.com>, |
| Nishanth Aravamudan <nacc@us.ibm.com>, |
| Andy Whitcroft <apw@shadowen.org> |
| Subject: [patch 06/16] mm: make setup_zone_migrate_reserve() aware of overlapping nodes |
| Content-Disposition: inline; filename=mm-make-setup_zone_migrate_reserve-aware-of-overlapping-nodes.patch |
| Content-Length: 1868 |
| Lines: 57 |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| From: Adam Litke <agl@us.ibm.com> |
| |
| commit 344c790e3821dac37eb742ddd0b611a300f78b9a upstream |
| |
| I have gotten to the root cause of the hugetlb badness I reported back on |
| August 15th. My system has the following memory topology (note the |
| overlapping node): |
| |
| Node 0 Memory: 0x8000000-0x44000000 |
| Node 1 Memory: 0x0-0x8000000 0x44000000-0x80000000 |
| |
| setup_zone_migrate_reserve() scans the address range 0x0-0x8000000 looking |
| for a pageblock to move onto the MIGRATE_RESERVE list. Finding no |
| candidates, it happily continues the scan into 0x8000000-0x44000000. When |
| a pageblock is found, the pages are moved to the MIGRATE_RESERVE list on |
| the wrong zone. Oops. |
| |
| setup_zone_migrate_reserve() should skip pageblocks in overlapping nodes. |
| |
| Signed-off-by: Adam Litke <agl@us.ibm.com> |
| Acked-by: Mel Gorman <mel@csn.ul.ie> |
| Cc: Dave Hansen <dave@linux.vnet.ibm.com> |
| Cc: Nishanth Aravamudan <nacc@us.ibm.com> |
| Cc: Andy Whitcroft <apw@shadowen.org> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| mm/page_alloc.c | 7 +++++++ |
| 1 file changed, 7 insertions(+) |
| |
| --- a/mm/page_alloc.c |
| +++ b/mm/page_alloc.c |
| @@ -717,6 +717,9 @@ int move_freepages(struct zone *zone, |
| #endif |
| |
| for (page = start_page; page <= end_page;) { |
| + /* Make sure we are not inadvertently changing nodes */ |
| + VM_BUG_ON(page_to_nid(page) != zone_to_nid(zone)); |
| + |
| if (!pfn_valid_within(page_to_pfn(page))) { |
| page++; |
| continue; |
| @@ -2476,6 +2479,10 @@ static void setup_zone_migrate_reserve(s |
| continue; |
| page = pfn_to_page(pfn); |
| |
| + /* Watch out for overlapping nodes */ |
| + if (page_to_nid(page) != zone_to_nid(zone)) |
| + continue; |
| + |
| /* Blocks with reserved pages will never free, skip them. */ |
| if (PageReserved(page)) |
| continue; |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:03 2008 |
| Message-Id: <20080903173002.991900585@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:28:56 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org, |
| jejb@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| Ayaz Abdulla <aabdulla@nvidia.com>, |
| Jeff Garzik <jgarzik@pobox.com>, |
| Manfred Spraul <manfred@colorfullife.com>, |
| Jeff Garzik <jgarzik@redhat.com> |
| Subject: [patch 07/16] forcedeth: fix checksum flag |
| Content-Disposition: inline; filename=forcedeth-fix-checksum-flag.patch |
| Content-Length: 1738 |
| Lines: 48 |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| From: Ayaz Abdulla <aabdulla@nvidia.com> |
| |
| commit edcfe5f7e307846e578fb88d69fa27051fded0ab upstream |
| |
| Fix the checksum feature advertised in device flags. The hardware support |
| TCP/UDP over IPv4 and TCP/UDP over IPv6 (without IPv6 extension headers). |
| However, the kernel feature flags do not distinguish IPv6 with/without |
| extension headers. |
| |
| Therefore, the driver needs to use NETIF_F_IP_CSUM instead of |
| NETIF_F_HW_CSUM since the latter includes all IPv6 packets. |
| |
| A future patch can be created to check for extension headers and perform |
| software checksum calculation. |
| |
| Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com> |
| Cc: Jeff Garzik <jgarzik@pobox.com> |
| Cc: Manfred Spraul <manfred@colorfullife.com> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Jeff Garzik <jgarzik@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/net/forcedeth.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/net/forcedeth.c |
| +++ b/drivers/net/forcedeth.c |
| @@ -5249,7 +5249,7 @@ static int __devinit nv_probe(struct pci |
| if (id->driver_data & DEV_HAS_CHECKSUM) { |
| np->rx_csum = 1; |
| np->txrxctl_bits |= NVREG_TXRXCTL_RXCHECK; |
| - dev->features |= NETIF_F_HW_CSUM | NETIF_F_SG; |
| + dev->features |= NETIF_F_IP_CSUM | NETIF_F_SG; |
| dev->features |= NETIF_F_TSO; |
| } |
| |
| @@ -5548,7 +5548,7 @@ static int __devinit nv_probe(struct pci |
| |
| dev_printk(KERN_INFO, &pci_dev->dev, "%s%s%s%s%s%s%s%s%s%sdesc-v%u\n", |
| dev->features & NETIF_F_HIGHDMA ? "highdma " : "", |
| - dev->features & (NETIF_F_HW_CSUM | NETIF_F_SG) ? |
| + dev->features & (NETIF_F_IP_CSUM | NETIF_F_SG) ? |
| "csum " : "", |
| dev->features & (NETIF_F_HW_VLAN_RX | NETIF_F_HW_VLAN_TX) ? |
| "vlan " : "", |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:03 2008 |
| Message-Id: <20080903173003.179023319@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:28:57 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org, |
| jejb@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| Ian Campbell <ijc@hellion.org.uk>, |
| Jaya Kumar <jayakumar.lkml@gmail.com>, |
| Nick Piggin <npiggin@suse.de>, |
| Peter Zijlstra <a.p.zijlstra@chello.nl>, |
| Hugh Dickins <hugh@veritas.com>, |
| Johannes Weiner <hannes@saeurebad.de>, |
| Jeremy Fitzhardinge <jeremy@goop.org>, |
| Kel Modderman <kel@otaku42.de>, |
| Markus Armbruster <armbru@redhat.com>, |
| Krzysztof Helt <krzysztof.h1@poczta.fm> |
| Subject: [patch 08/16] fbdefio: add set_page_dirty handler to deferred IO FB |
| Content-Disposition: inline; filename=fbdefio-add-set_page_dirty-handler-to-deferred-io-fb.patch |
| Content-Length: 3112 |
| Lines: 103 |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| From: Ian Campbell <ijc@hellion.org.uk> |
| |
| commit d847471d063663b9f36927d265c66a270c0cfaab upstream |
| |
| Fixes kernel BUG at lib/radix-tree.c:473. |
| |
| Previously the handler was incidentally provided by tmpfs but this was |
| removed with: |
| |
| commit 14fcc23fdc78e9d32372553ccf21758a9bd56fa1 |
| Author: Hugh Dickins <hugh@veritas.com> |
| Date: Mon Jul 28 15:46:19 2008 -0700 |
| |
| tmpfs: fix kernel BUG in shmem_delete_inode |
| |
| relying on this behaviour was incorrect in any case and the BUG also |
| appeared when the device node was on an ext3 filesystem. |
| |
| v2: override a_ops at open() time rather than mmap() time to minimise |
| races per AKPM's concerns. |
| |
| Signed-off-by: Ian Campbell <ijc@hellion.org.uk> |
| Cc: Jaya Kumar <jayakumar.lkml@gmail.com> |
| Cc: Nick Piggin <npiggin@suse.de> |
| Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> |
| Cc: Hugh Dickins <hugh@veritas.com> |
| Cc: Johannes Weiner <hannes@saeurebad.de> |
| Cc: Jeremy Fitzhardinge <jeremy@goop.org> |
| Cc: Kel Modderman <kel@otaku42.de> |
| Cc: Markus Armbruster <armbru@redhat.com> |
| Cc: Krzysztof Helt <krzysztof.h1@poczta.fm> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/video/fb_defio.c | 19 +++++++++++++++++++ |
| drivers/video/fbmem.c | 4 ++++ |
| include/linux/fb.h | 3 +++ |
| 3 files changed, 26 insertions(+) |
| |
| --- a/drivers/video/fb_defio.c |
| +++ b/drivers/video/fb_defio.c |
| @@ -114,6 +114,17 @@ static struct vm_operations_struct fb_de |
| .page_mkwrite = fb_deferred_io_mkwrite, |
| }; |
| |
| +static int fb_deferred_io_set_page_dirty(struct page *page) |
| +{ |
| + if (!PageDirty(page)) |
| + SetPageDirty(page); |
| + return 0; |
| +} |
| + |
| +static const struct address_space_operations fb_deferred_io_aops = { |
| + .set_page_dirty = fb_deferred_io_set_page_dirty, |
| +}; |
| + |
| static int fb_deferred_io_mmap(struct fb_info *info, struct vm_area_struct *vma) |
| { |
| vma->vm_ops = &fb_deferred_io_vm_ops; |
| @@ -163,6 +174,14 @@ void fb_deferred_io_init(struct fb_info |
| } |
| EXPORT_SYMBOL_GPL(fb_deferred_io_init); |
| |
| +void fb_deferred_io_open(struct fb_info *info, |
| + struct inode *inode, |
| + struct file *file) |
| +{ |
| + file->f_mapping->a_ops = &fb_deferred_io_aops; |
| +} |
| +EXPORT_SYMBOL_GPL(fb_deferred_io_open); |
| + |
| void fb_deferred_io_cleanup(struct fb_info *info) |
| { |
| void *screen_base = (void __force *) info->screen_base; |
| --- a/drivers/video/fbmem.c |
| +++ b/drivers/video/fbmem.c |
| @@ -1315,6 +1315,10 @@ fb_open(struct inode *inode, struct file |
| if (res) |
| module_put(info->fbops->owner); |
| } |
| +#ifdef CONFIG_FB_DEFERRED_IO |
| + if (info->fbdefio) |
| + fb_deferred_io_open(info, inode, file); |
| +#endif |
| return res; |
| } |
| |
| --- a/include/linux/fb.h |
| +++ b/include/linux/fb.h |
| @@ -966,6 +966,9 @@ static inline void __fb_pad_aligned_buff |
| |
| /* drivers/video/fb_defio.c */ |
| extern void fb_deferred_io_init(struct fb_info *info); |
| +extern void fb_deferred_io_open(struct fb_info *info, |
| + struct inode *inode, |
| + struct file *file); |
| extern void fb_deferred_io_cleanup(struct fb_info *info); |
| extern int fb_deferred_io_fsync(struct file *file, struct dentry *dentry, |
| int datasync); |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:03 2008 |
| Message-Id: <20080903173003.366604283@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:28:58 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| Herbert Xu <herbert@gondor.apana.org.au> |
| Subject: [patch 09/16] crypto: authenc - Avoid using clobbered request pointer |
| Content-Disposition: inline; filename=crypto-authenc-avoid-using-clobbered-request-pointer.patch |
| Content-Length: 2331 |
| Lines: 69 |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| From: Herbert Xu <herbert@gondor.apana.org.au> |
| |
| crypto: authenc - Avoid using clobbered request pointer |
| |
| [ Upstream commit: a697690bece75d4ba424c1318eb25c37d41d5829 ] |
| |
| Authenc works in two stages for encryption, it first encrypts and |
| then computes an ICV. The context memory of the request is used |
| by both operations. The problem is that when an asynchronous |
| encryption completes, we will compute the ICV and then reread the |
| context memory of the encryption to get the original request. |
| |
| It just happens that we have a buffer of 16 bytes in front of the |
| request pointer, so ICVs of 16 bytes (such as SHA1) do not trigger |
| the bug. However, any attempt to uses a larger ICV instantly kills |
| the machine when the first asynchronous encryption is completed. |
| |
| This patch fixes this by saving the request pointer before we start |
| the ICV computation. |
| |
| Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| crypto/authenc.c | 10 ++++++---- |
| 1 file changed, 6 insertions(+), 4 deletions(-) |
| |
| --- a/crypto/authenc.c |
| +++ b/crypto/authenc.c |
| @@ -174,8 +174,9 @@ static int crypto_authenc_genicv(struct |
| static void crypto_authenc_encrypt_done(struct crypto_async_request *req, |
| int err) |
| { |
| + struct aead_request *areq = req->data; |
| + |
| if (!err) { |
| - struct aead_request *areq = req->data; |
| struct crypto_aead *authenc = crypto_aead_reqtfm(areq); |
| struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc); |
| struct ablkcipher_request *abreq = aead_request_ctx(areq); |
| @@ -185,7 +186,7 @@ static void crypto_authenc_encrypt_done( |
| err = crypto_authenc_genicv(areq, iv, 0); |
| } |
| |
| - aead_request_complete(req->data, err); |
| + aead_request_complete(areq, err); |
| } |
| |
| static int crypto_authenc_encrypt(struct aead_request *req) |
| @@ -216,14 +217,15 @@ static int crypto_authenc_encrypt(struct |
| static void crypto_authenc_givencrypt_done(struct crypto_async_request *req, |
| int err) |
| { |
| + struct aead_request *areq = req->data; |
| + |
| if (!err) { |
| - struct aead_request *areq = req->data; |
| struct skcipher_givcrypt_request *greq = aead_request_ctx(areq); |
| |
| err = crypto_authenc_genicv(areq, greq->giv, 0); |
| } |
| |
| - aead_request_complete(req->data, err); |
| + aead_request_complete(areq, err); |
| } |
| |
| static int crypto_authenc_givencrypt(struct aead_givcrypt_request *req) |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:03 2008 |
| Message-Id: <20080903173003.520975020@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:28:59 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org, |
| jejb@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| Al Viro <viro@zeniv.linux.org.uk> |
| Subject: [patch 10/16] cramfs: fix named-pipe handling |
| Content-Disposition: inline; filename=cramfs-fix-named-pipe-handling.patch |
| Content-Length: 4949 |
| Lines: 146 |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| From: Al Viro <viro@ZenIV.linux.org.uk> |
| |
| commit 82d63fc9e30687c055b97928942b8893ea65b0bb upstream |
| |
| After commit a97c9bf33f4612e2aed6f000f6b1d268b6814f3c (fix cramfs |
| making duplicate entries in inode cache) in kernel 2.6.14, named-pipe |
| on cramfs does not work properly. |
| |
| It seems the commit make all named-pipe on cramfs share their inode |
| (and named-pipe buffer). |
| |
| Make ..._test() refuse to merge inodes with ->i_ino == 1, take inode setup |
| back to get_cramfs_inode() and make ->drop_inode() evict ones with ->i_ino |
| == 1 immediately. |
| |
| Reported-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp> |
| Cc: Al Viro <viro@zeniv.linux.org.uk> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| fs/cramfs/inode.c | 84 ++++++++++++++++++++++++------------------------------ |
| 1 file changed, 38 insertions(+), 46 deletions(-) |
| |
| --- a/fs/cramfs/inode.c |
| +++ b/fs/cramfs/inode.c |
| @@ -44,58 +44,13 @@ static DEFINE_MUTEX(read_mutex); |
| static int cramfs_iget5_test(struct inode *inode, void *opaque) |
| { |
| struct cramfs_inode *cramfs_inode = opaque; |
| - |
| - if (inode->i_ino != CRAMINO(cramfs_inode)) |
| - return 0; /* does not match */ |
| - |
| - if (inode->i_ino != 1) |
| - return 1; |
| - |
| - /* all empty directories, char, block, pipe, and sock, share inode #1 */ |
| - |
| - if ((inode->i_mode != cramfs_inode->mode) || |
| - (inode->i_gid != cramfs_inode->gid) || |
| - (inode->i_uid != cramfs_inode->uid)) |
| - return 0; /* does not match */ |
| - |
| - if ((S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode)) && |
| - (inode->i_rdev != old_decode_dev(cramfs_inode->size))) |
| - return 0; /* does not match */ |
| - |
| - return 1; /* matches */ |
| + return inode->i_ino == CRAMINO(cramfs_inode) && inode->i_ino != 1; |
| } |
| |
| static int cramfs_iget5_set(struct inode *inode, void *opaque) |
| { |
| - static struct timespec zerotime; |
| struct cramfs_inode *cramfs_inode = opaque; |
| - inode->i_mode = cramfs_inode->mode; |
| - inode->i_uid = cramfs_inode->uid; |
| - inode->i_size = cramfs_inode->size; |
| - inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1; |
| - inode->i_gid = cramfs_inode->gid; |
| - /* Struct copy intentional */ |
| - inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime; |
| inode->i_ino = CRAMINO(cramfs_inode); |
| - /* inode->i_nlink is left 1 - arguably wrong for directories, |
| - but it's the best we can do without reading the directory |
| - contents. 1 yields the right result in GNU find, even |
| - without -noleaf option. */ |
| - if (S_ISREG(inode->i_mode)) { |
| - inode->i_fop = &generic_ro_fops; |
| - inode->i_data.a_ops = &cramfs_aops; |
| - } else if (S_ISDIR(inode->i_mode)) { |
| - inode->i_op = &cramfs_dir_inode_operations; |
| - inode->i_fop = &cramfs_directory_operations; |
| - } else if (S_ISLNK(inode->i_mode)) { |
| - inode->i_op = &page_symlink_inode_operations; |
| - inode->i_data.a_ops = &cramfs_aops; |
| - } else { |
| - inode->i_size = 0; |
| - inode->i_blocks = 0; |
| - init_special_inode(inode, inode->i_mode, |
| - old_decode_dev(cramfs_inode->size)); |
| - } |
| return 0; |
| } |
| |
| @@ -105,12 +60,48 @@ static struct inode *get_cramfs_inode(st |
| struct inode *inode = iget5_locked(sb, CRAMINO(cramfs_inode), |
| cramfs_iget5_test, cramfs_iget5_set, |
| cramfs_inode); |
| + static struct timespec zerotime; |
| + |
| if (inode && (inode->i_state & I_NEW)) { |
| + inode->i_mode = cramfs_inode->mode; |
| + inode->i_uid = cramfs_inode->uid; |
| + inode->i_size = cramfs_inode->size; |
| + inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1; |
| + inode->i_gid = cramfs_inode->gid; |
| + /* Struct copy intentional */ |
| + inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime; |
| + /* inode->i_nlink is left 1 - arguably wrong for directories, |
| + but it's the best we can do without reading the directory |
| + contents. 1 yields the right result in GNU find, even |
| + without -noleaf option. */ |
| + if (S_ISREG(inode->i_mode)) { |
| + inode->i_fop = &generic_ro_fops; |
| + inode->i_data.a_ops = &cramfs_aops; |
| + } else if (S_ISDIR(inode->i_mode)) { |
| + inode->i_op = &cramfs_dir_inode_operations; |
| + inode->i_fop = &cramfs_directory_operations; |
| + } else if (S_ISLNK(inode->i_mode)) { |
| + inode->i_op = &page_symlink_inode_operations; |
| + inode->i_data.a_ops = &cramfs_aops; |
| + } else { |
| + inode->i_size = 0; |
| + inode->i_blocks = 0; |
| + init_special_inode(inode, inode->i_mode, |
| + old_decode_dev(cramfs_inode->size)); |
| + } |
| unlock_new_inode(inode); |
| } |
| return inode; |
| } |
| |
| +static void cramfs_drop_inode(struct inode *inode) |
| +{ |
| + if (inode->i_ino == 1) |
| + generic_delete_inode(inode); |
| + else |
| + generic_drop_inode(inode); |
| +} |
| + |
| /* |
| * We have our own block cache: don't fill up the buffer cache |
| * with the rom-image, because the way the filesystem is set |
| @@ -535,6 +526,7 @@ static const struct super_operations cra |
| .put_super = cramfs_put_super, |
| .remount_fs = cramfs_remount, |
| .statfs = cramfs_statfs, |
| + .drop_inode = cramfs_drop_inode, |
| }; |
| |
| static int cramfs_get_sb(struct file_system_type *fs_type, |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:03 2008 |
| Message-Id: <20080903173003.673989999@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:29:00 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org, |
| jejb@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| Jeff Layton <jlayton@redhat.com>, |
| Steve French <sfrench@us.ibm.com> |
| Subject: [patch 11/16] cifs: fix O_APPEND on directio mounts |
| Content-Disposition: inline; filename=cifs-fix-o_append-on-directio-mounts.patch |
| Content-Length: 1983 |
| Lines: 52 |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| From: Jeff Layton <jlayton@redhat.com> |
| |
| commit 838726c4756813576078203eb7e1e219db0da870 upstream |
| |
| The direct I/O write codepath for CIFS is done through |
| cifs_user_write(). That function does not currently call |
| generic_write_checks() so the file position isn't being properly set |
| when the file is opened with O_APPEND. It's also not doing the other |
| "normal" checks that should be done for a write call. |
| |
| The problem is currently that when you open a file with O_APPEND on a |
| mount with the directio mount option, the file position is set to the |
| beginning of the file. This makes any subsequent writes clobber the data |
| in the file starting at the beginning. |
| |
| This seems to fix the problem in cursory testing. It is, however |
| important to note that NFS disallows the combination of |
| (O_DIRECT|O_APPEND). If my understanding is correct, the concern is |
| races with multiple clients appending to a file clobbering each others' |
| data. Since the write model for CIFS and NFS is pretty similar in this |
| regard, CIFS is probably subject to the same sort of races. What's |
| unclear to me is why this is a particular problem with O_DIRECT and not |
| with buffered writes... |
| |
| Regardless, disallowing O_APPEND on an entire mount is probably not |
| reasonable, so we'll probably just have to deal with it and reevaluate |
| this flag combination when we get proper support for O_DIRECT. In the |
| meantime this patch at least fixes the existing problem. |
| |
| Signed-off-by: Jeff Layton <jlayton@redhat.com> |
| Signed-off-by: Steve French <sfrench@us.ibm.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| fs/cifs/file.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| --- a/fs/cifs/file.c |
| +++ b/fs/cifs/file.c |
| @@ -835,6 +835,10 @@ ssize_t cifs_user_write(struct file *fil |
| return -EBADF; |
| open_file = (struct cifsFileInfo *) file->private_data; |
| |
| + rc = generic_write_checks(file, poffset, &write_size, 0); |
| + if (rc) |
| + return rc; |
| + |
| xid = GetXid(); |
| |
| if (*poffset > file->f_path.dentry->d_inode->i_size) |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:03 2008 |
| Message-Id: <20080903173003.840895989@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:29:01 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| Vlad Yasevich <vladislav.yasevich@hp.com>, |
| "David S. Miller" <davem@davemloft.net> |
| Subject: [patch 12/16] sctp: fix potential panics in the SCTP-AUTH API. |
| Content-Disposition: inline; filename=0007-sctp-fix-potential-panics-in-the-SCTP-AUTH-API.patch |
| Content-Length: 6848 |
| Lines: 248 |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| From: Vlad Yasevich <vladislav.yasevich@hp.com> |
| |
| [ Upstream commit 5e739d1752aca4e8f3e794d431503bfca3162df4 ] |
| |
| All of the SCTP-AUTH socket options could cause a panic |
| if the extension is disabled and the API is envoked. |
| |
| Additionally, there were some additional assumptions that |
| certain pointers would always be valid which may not |
| always be the case. |
| |
| This patch hardens the API and address all of the crash |
| scenarios. |
| |
| Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/sctp/endpointola.c | 4 +- |
| net/sctp/socket.c | 85 +++++++++++++++++++++++++++++++++++++------------ |
| 2 files changed, 67 insertions(+), 22 deletions(-) |
| |
| --- a/net/sctp/endpointola.c |
| +++ b/net/sctp/endpointola.c |
| @@ -103,6 +103,7 @@ static struct sctp_endpoint *sctp_endpoi |
| |
| /* Initialize the CHUNKS parameter */ |
| auth_chunks->param_hdr.type = SCTP_PARAM_CHUNKS; |
| + auth_chunks->param_hdr.length = htons(sizeof(sctp_paramhdr_t)); |
| |
| /* If the Add-IP functionality is enabled, we must |
| * authenticate, ASCONF and ASCONF-ACK chunks |
| @@ -110,8 +111,7 @@ static struct sctp_endpoint *sctp_endpoi |
| if (sctp_addip_enable) { |
| auth_chunks->chunks[0] = SCTP_CID_ASCONF; |
| auth_chunks->chunks[1] = SCTP_CID_ASCONF_ACK; |
| - auth_chunks->param_hdr.length = |
| - htons(sizeof(sctp_paramhdr_t) + 2); |
| + auth_chunks->param_hdr.length += htons(2); |
| } |
| } |
| |
| --- a/net/sctp/socket.c |
| +++ b/net/sctp/socket.c |
| @@ -2983,6 +2983,9 @@ static int sctp_setsockopt_auth_chunk(st |
| { |
| struct sctp_authchunk val; |
| |
| + if (!sctp_auth_enable) |
| + return -EACCES; |
| + |
| if (optlen != sizeof(struct sctp_authchunk)) |
| return -EINVAL; |
| if (copy_from_user(&val, optval, optlen)) |
| @@ -3013,6 +3016,9 @@ static int sctp_setsockopt_hmac_ident(st |
| struct sctp_hmacalgo *hmacs; |
| int err; |
| |
| + if (!sctp_auth_enable) |
| + return -EACCES; |
| + |
| if (optlen < sizeof(struct sctp_hmacalgo)) |
| return -EINVAL; |
| |
| @@ -3051,6 +3057,9 @@ static int sctp_setsockopt_auth_key(stru |
| struct sctp_association *asoc; |
| int ret; |
| |
| + if (!sctp_auth_enable) |
| + return -EACCES; |
| + |
| if (optlen <= sizeof(struct sctp_authkey)) |
| return -EINVAL; |
| |
| @@ -3088,6 +3097,9 @@ static int sctp_setsockopt_active_key(st |
| struct sctp_authkeyid val; |
| struct sctp_association *asoc; |
| |
| + if (!sctp_auth_enable) |
| + return -EACCES; |
| + |
| if (optlen != sizeof(struct sctp_authkeyid)) |
| return -EINVAL; |
| if (copy_from_user(&val, optval, optlen)) |
| @@ -3113,6 +3125,9 @@ static int sctp_setsockopt_del_key(struc |
| struct sctp_authkeyid val; |
| struct sctp_association *asoc; |
| |
| + if (!sctp_auth_enable) |
| + return -EACCES; |
| + |
| if (optlen != sizeof(struct sctp_authkeyid)) |
| return -EINVAL; |
| if (copy_from_user(&val, optval, optlen)) |
| @@ -5073,19 +5088,29 @@ static int sctp_getsockopt_maxburst(stru |
| static int sctp_getsockopt_hmac_ident(struct sock *sk, int len, |
| char __user *optval, int __user *optlen) |
| { |
| + struct sctp_hmacalgo __user *p = (void __user *)optval; |
| struct sctp_hmac_algo_param *hmacs; |
| - __u16 param_len; |
| + __u16 data_len = 0; |
| + u32 num_idents; |
| + |
| + if (!sctp_auth_enable) |
| + return -EACCES; |
| |
| hmacs = sctp_sk(sk)->ep->auth_hmacs_list; |
| - param_len = ntohs(hmacs->param_hdr.length); |
| + data_len = ntohs(hmacs->param_hdr.length) - sizeof(sctp_paramhdr_t); |
| |
| - if (len < param_len) |
| + if (len < sizeof(struct sctp_hmacalgo) + data_len) |
| return -EINVAL; |
| + |
| + len = sizeof(struct sctp_hmacalgo) + data_len; |
| + num_idents = data_len / sizeof(u16); |
| + |
| if (put_user(len, optlen)) |
| return -EFAULT; |
| - if (copy_to_user(optval, hmacs->hmac_ids, len)) |
| + if (put_user(num_idents, &p->shmac_num_idents)) |
| + return -EFAULT; |
| + if (copy_to_user(p->shmac_idents, hmacs->hmac_ids, data_len)) |
| return -EFAULT; |
| - |
| return 0; |
| } |
| |
| @@ -5095,6 +5120,9 @@ static int sctp_getsockopt_active_key(st |
| struct sctp_authkeyid val; |
| struct sctp_association *asoc; |
| |
| + if (!sctp_auth_enable) |
| + return -EACCES; |
| + |
| if (len < sizeof(struct sctp_authkeyid)) |
| return -EINVAL; |
| if (copy_from_user(&val, optval, sizeof(struct sctp_authkeyid))) |
| @@ -5109,6 +5137,12 @@ static int sctp_getsockopt_active_key(st |
| else |
| val.scact_keynumber = sctp_sk(sk)->ep->active_key_id; |
| |
| + len = sizeof(struct sctp_authkeyid); |
| + if (put_user(len, optlen)) |
| + return -EFAULT; |
| + if (copy_to_user(optval, &val, len)) |
| + return -EFAULT; |
| + |
| return 0; |
| } |
| |
| @@ -5119,13 +5153,16 @@ static int sctp_getsockopt_peer_auth_chu |
| struct sctp_authchunks val; |
| struct sctp_association *asoc; |
| struct sctp_chunks_param *ch; |
| - u32 num_chunks; |
| + u32 num_chunks = 0; |
| char __user *to; |
| |
| - if (len <= sizeof(struct sctp_authchunks)) |
| + if (!sctp_auth_enable) |
| + return -EACCES; |
| + |
| + if (len < sizeof(struct sctp_authchunks)) |
| return -EINVAL; |
| |
| - if (copy_from_user(&val, p, sizeof(struct sctp_authchunks))) |
| + if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks))) |
| return -EFAULT; |
| |
| to = p->gauth_chunks; |
| @@ -5134,20 +5171,21 @@ static int sctp_getsockopt_peer_auth_chu |
| return -EINVAL; |
| |
| ch = asoc->peer.peer_chunks; |
| + if (!ch) |
| + goto num; |
| |
| /* See if the user provided enough room for all the data */ |
| num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t); |
| if (len < num_chunks) |
| return -EINVAL; |
| |
| - len = num_chunks; |
| - if (put_user(len, optlen)) |
| + if (copy_to_user(to, ch->chunks, num_chunks)) |
| return -EFAULT; |
| +num: |
| + len = sizeof(struct sctp_authchunks) + num_chunks; |
| + if (put_user(len, optlen)) return -EFAULT; |
| if (put_user(num_chunks, &p->gauth_number_of_chunks)) |
| return -EFAULT; |
| - if (copy_to_user(to, ch->chunks, len)) |
| - return -EFAULT; |
| - |
| return 0; |
| } |
| |
| @@ -5158,13 +5196,16 @@ static int sctp_getsockopt_local_auth_ch |
| struct sctp_authchunks val; |
| struct sctp_association *asoc; |
| struct sctp_chunks_param *ch; |
| - u32 num_chunks; |
| + u32 num_chunks = 0; |
| char __user *to; |
| |
| - if (len <= sizeof(struct sctp_authchunks)) |
| + if (!sctp_auth_enable) |
| + return -EACCES; |
| + |
| + if (len < sizeof(struct sctp_authchunks)) |
| return -EINVAL; |
| |
| - if (copy_from_user(&val, p, sizeof(struct sctp_authchunks))) |
| + if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks))) |
| return -EFAULT; |
| |
| to = p->gauth_chunks; |
| @@ -5177,17 +5218,21 @@ static int sctp_getsockopt_local_auth_ch |
| else |
| ch = sctp_sk(sk)->ep->auth_chunk_list; |
| |
| + if (!ch) |
| + goto num; |
| + |
| num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t); |
| - if (len < num_chunks) |
| + if (len < sizeof(struct sctp_authchunks) + num_chunks) |
| return -EINVAL; |
| |
| - len = num_chunks; |
| + if (copy_to_user(to, ch->chunks, num_chunks)) |
| + return -EFAULT; |
| +num: |
| + len = sizeof(struct sctp_authchunks) + num_chunks; |
| if (put_user(len, optlen)) |
| return -EFAULT; |
| if (put_user(num_chunks, &p->gauth_number_of_chunks)) |
| return -EFAULT; |
| - if (copy_to_user(to, ch->chunks, len)) |
| - return -EFAULT; |
| |
| return 0; |
| } |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:04 2008 |
| Message-Id: <20080903173004.016103941@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:29:02 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| Vlad Yasevich <vladislav.yasevich@hp.com>, |
| "David S. Miller" <davem@davemloft.net> |
| Subject: [patch 13/16] sctp: add verification checks to SCTP_AUTH_KEY option |
| Content-Disposition: inline; filename=0008-sctp-add-verification-checks-to-SCTP_AUTH_KEY-optio.patch |
| Content-Length: 1272 |
| Lines: 46 |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| From: Vlad Yasevich <vladislav.yasevich@hp.com> |
| |
| [ Upstream commit 30c2235cbc477d4629983d440cdc4f496fec9246 ] |
| |
| The structure used for SCTP_AUTH_KEY option contains a |
| length that needs to be verfied to prevent buffer overflow |
| conditions. Spoted by Eugene Teo <eteo@redhat.com>. |
| |
| Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/sctp/auth.c | 4 ++++ |
| net/sctp/socket.c | 5 +++++ |
| 2 files changed, 9 insertions(+) |
| |
| --- a/net/sctp/auth.c |
| +++ b/net/sctp/auth.c |
| @@ -80,6 +80,10 @@ static struct sctp_auth_bytes *sctp_auth |
| { |
| struct sctp_auth_bytes *key; |
| |
| + /* Verify that we are not going to overflow INT_MAX */ |
| + if ((INT_MAX - key_len) < sizeof(struct sctp_auth_bytes)) |
| + return NULL; |
| + |
| /* Allocate the shared key */ |
| key = kmalloc(sizeof(struct sctp_auth_bytes) + key_len, gfp); |
| if (!key) |
| --- a/net/sctp/socket.c |
| +++ b/net/sctp/socket.c |
| @@ -3072,6 +3072,11 @@ static int sctp_setsockopt_auth_key(stru |
| goto out; |
| } |
| |
| + if (authkey->sca_keylength > optlen) { |
| + ret = -EINVAL; |
| + goto out; |
| + } |
| + |
| asoc = sctp_id2assoc(sk, authkey->sca_assoc_id); |
| if (!asoc && authkey->sca_assoc_id && sctp_style(sk, UDP)) { |
| ret = -EINVAL; |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:04 2008 |
| Message-Id: <20080903173004.187581253@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:29:03 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| Vlad Yasevich <vladislav.yasevich@hp.com>, |
| "David S. Miller" <davem@davemloft.net> |
| Subject: [patch 14/16] sctp: correct bounds check in sctp_setsockopt_auth_key |
| Content-Disposition: inline; filename=0011-sctp-correct-bounds-check-in-sctp_setsockopt_auth_k.patch |
| Content-Length: 909 |
| Lines: 32 |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| From: Vlad Yasevich <vladislav.yasevich@hp.com> |
| |
| [ Upstream commit 328fc47ea0bcc27d9afa69c3ad6e52431cadd76c ] |
| |
| The bonds check to prevent buffer overlflow was not exactly |
| right. It still allowed overflow of up to 8 bytes which is |
| sizeof(struct sctp_authkey). |
| |
| Since optlen is already checked against the size of that struct, |
| we are guaranteed not to cause interger overflow either. |
| |
| Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/sctp/socket.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/sctp/socket.c |
| +++ b/net/sctp/socket.c |
| @@ -3072,7 +3072,7 @@ static int sctp_setsockopt_auth_key(stru |
| goto out; |
| } |
| |
| - if (authkey->sca_keylength > optlen) { |
| + if (authkey->sca_keylength > optlen - sizeof(struct sctp_authkey)) { |
| ret = -EINVAL; |
| goto out; |
| } |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:04 2008 |
| Message-Id: <20080903173004.360243281@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:29:04 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| Vlad Yasevich <vladislav.yasevich@hp.com>, |
| "David S. Miller" <davem@davemloft.net> |
| Subject: [patch 15/16] sctp: fix random memory dereference with SCTP_HMAC_IDENT option. |
| Content-Disposition: inline; filename=0012-sctp-fix-random-memory-dereference-with-SCTP_HMAC_I.patch |
| Content-Length: 1487 |
| Lines: 53 |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| From: Vlad Yasevich <vladislav.yasevich@hp.com> |
| |
| [ Upstream commit d97240552cd98c4b07322f30f66fd9c3ba4171de ] |
| |
| The number of identifiers needs to be checked against the option |
| length. Also, the identifier index provided needs to be verified |
| to make sure that it doesn't exceed the bounds of the array. |
| |
| Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/sctp/auth.c | 3 +++ |
| net/sctp/socket.c | 6 ++++-- |
| 2 files changed, 7 insertions(+), 2 deletions(-) |
| |
| --- a/net/sctp/auth.c |
| +++ b/net/sctp/auth.c |
| @@ -786,6 +786,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_e |
| for (i = 0; i < hmacs->shmac_num_idents; i++) { |
| id = hmacs->shmac_idents[i]; |
| |
| + if (id > SCTP_AUTH_HMAC_ID_MAX) |
| + return -EOPNOTSUPP; |
| + |
| if (SCTP_AUTH_HMAC_ID_SHA1 == id) |
| has_sha1 = 1; |
| |
| --- a/net/sctp/socket.c |
| +++ b/net/sctp/socket.c |
| @@ -3014,6 +3014,7 @@ static int sctp_setsockopt_hmac_ident(st |
| int optlen) |
| { |
| struct sctp_hmacalgo *hmacs; |
| + u32 idents; |
| int err; |
| |
| if (!sctp_auth_enable) |
| @@ -3031,8 +3032,9 @@ static int sctp_setsockopt_hmac_ident(st |
| goto out; |
| } |
| |
| - if (hmacs->shmac_num_idents == 0 || |
| - hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) { |
| + idents = hmacs->shmac_num_idents; |
| + if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS || |
| + (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) { |
| err = -EINVAL; |
| goto out; |
| } |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:04 2008 |
| Message-Id: <20080903173004.527701225@mini.kroah.org> |
| References: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:29:05 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk, |
| Thomas Graf <tgraf@suug.ch>, |
| "David S. Miller" <davem@davemloft.net> |
| Subject: [patch 16/16] sch_prio: Fix nla_parse_nested_compat() regression |
| Content-Disposition: inline; filename=sch_prio_2625.patch |
| Content-Length: 1554 |
| Lines: 51 |
| |
| 2.6.25-stable review patch. If anyone has any objections, please let us know. |
| |
| ------------------ |
| From: Thomas Graf <tgraf@suug.ch> |
| |
| [ No upstream commit, this is fixing code no longer in 2.6.27 ] |
| |
| nla_parse_nested_compat() was used to parse two different message |
| formats in the netem and prio qdisc, when it was "fixed" to work |
| with netem, it broke the multi queue support in the prio qdisc. |
| Since the prio qdisc code in question is already removed in the |
| development tree, this patch only fixes the regression in the |
| stable tree. |
| |
| Based on original patch from Alexander H Duyck <alexander.h.duyck@intel.com> |
| |
| Signed-off-by: Thomas Graf <tgraf@suug.ch> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/sched/sch_prio.c | 16 +++++++++++----- |
| 1 file changed, 11 insertions(+), 5 deletions(-) |
| |
| --- a/net/sched/sch_prio.c |
| +++ b/net/sched/sch_prio.c |
| @@ -228,14 +228,20 @@ static int prio_tune(struct Qdisc *sch, |
| { |
| struct prio_sched_data *q = qdisc_priv(sch); |
| struct tc_prio_qopt *qopt; |
| - struct nlattr *tb[TCA_PRIO_MAX + 1]; |
| + struct nlattr *tb[TCA_PRIO_MAX + 1] = {0}; |
| int err; |
| int i; |
| |
| - err = nla_parse_nested_compat(tb, TCA_PRIO_MAX, opt, NULL, qopt, |
| - sizeof(*qopt)); |
| - if (err < 0) |
| - return err; |
| + qopt = nla_data(opt); |
| + if (nla_len(opt) < sizeof(*qopt)) |
| + return -1; |
| + |
| + if (nla_len(opt) >= sizeof(*qopt) + sizeof(struct nlattr)) { |
| + err = nla_parse_nested(tb, TCA_PRIO_MAX, |
| + (struct nlattr *) (qopt + 1), NULL); |
| + if (err < 0) |
| + return err; |
| + } |
| |
| q->bands = qopt->bands; |
| /* If we're multiqueue, make sure the number of incoming bands |
| |
| -- |
| |
| From gregkh@mini.kroah.org Wed Sep 3 10:30:01 2008 |
| Message-Id: <20080903172849.927077124@mini.kroah.org> |
| User-Agent: quilt/0.46-1 |
| Date: Wed, 03 Sep 2008 10:28:49 -0700 |
| From: Greg KH <gregkh@suse.de> |
| To: linux-kernel@vger.kernel.org, |
| stable@kernel.org |
| Cc: Justin Forbes <jmforbes@linuxtx.org>, |
| Zwane Mwaikambo <zwane@arm.linux.org.uk>, |
| Theodore Ts'o <tytso@mit.edu>, |
| Randy Dunlap <rdunlap@xenotime.net>, |
| Dave Jones <davej@redhat.com>, |
| Chuck Wolber <chuckw@quantumlinux.com>, |
| Chris Wedgwood <reviews@ml.cw.f00f.org>, |
| Michael Krufky <mkrufky@linuxtv.org>, |
| Chuck Ebbert <cebbert@redhat.com>, |
| Domenico Andreoli <cavokz@gmail.com>, |
| Willy Tarreau <w@1wt.eu>, |
| Rodrigo Rubira Branco <rbranco@la.checkpoint.com>, |
| Jake Edge <jake@lwn.net>, |
| Eugene Teo <eteo@redhat.com>, |
| torvalds@linux-foundation.org, |
| akpm@linux-foundation.org, |
| alan@lxorguk.ukuu.org.uk |
| Subject: [patch 00/16] 2.6.25-stable review |
| Content-Length: 1846 |
| Lines: 44 |
| |
| |
| This is the start of the stable review cycle for the 2.6.25.17 release. |
| There are 16 patches in this series, all will be posted as a response |
| to this one. If anyone has any issues with these being applied, please |
| let us know. If anyone is a maintainer of the proper subsystem, and |
| wants to add a Signed-off-by: line to the patch, please respond with it. |
| |
| These patches are sent out with a number of different people on the |
| Cc: line. If you wish to be a reviewer, please email stable@kernel.org |
| to add your name to the list. If you want to be off the reviewer list, |
| also email us. |
| |
| Responses should be made by September 6 10:00:00 UTC. Anything received |
| after that time might be too late. |
| |
| The whole patch series can be found in one patch at: |
| kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.25.17-rc1.gz |
| and the diffstat can be found below. |
| |
| |
| thanks, |
| |
| the -stable release team |
| |
| |
| Makefile | 2 |
| arch/x86/kernel/cpu/mtrr/generic.c | 15 +++++ |
| crypto/authenc.c | 10 ++- |
| drivers/net/forcedeth.c | 4 - |
| drivers/net/r8169.c | 2 |
| drivers/usb/class/cdc-acm.c | 2 |
| drivers/video/fb_defio.c | 19 +++++++ |
| drivers/video/fbmem.c | 4 + |
| fs/cifs/file.c | 4 + |
| fs/cramfs/inode.c | 84 ++++++++++++++------------------ |
| fs/nfsd/nfs4acl.c | 2 |
| include/linux/fb.h | 3 + |
| mm/page_alloc.c | 7 ++ |
| net/sched/sch_prio.c | 16 ++++-- |
| net/sctp/auth.c | 7 ++ |
| net/sctp/endpointola.c | 4 - |
| net/sctp/socket.c | 96 ++++++++++++++++++++++++++++--------- |
| net/sunrpc/sysctl.c | 18 +----- |
| 18 files changed, 198 insertions(+), 101 deletions(-) |
| |
