Commit: 9164edcb4e4a74b4e7d6e57c9d59e2d8fb5654bb Author: Adrian Bunk Sun, 25 Feb 2007 17:49:51 +0100 Linux 2.6.16.42 Commit: 46e0933fbc83c15710285e31a19d373cd2dfe2ee Author: Adrian Bunk Thu, 22 Feb 2007 21:13:55 +0100 Linux 2.6.16.42-rc1 Commit: 9071da7e5ef78526b1d1a92102444b329b03e06a Author: Petko Manolov Thu, 22 Feb 2007 21:13:05 +0100 USB: rtl8150 new device id This one adds another vendor ID to rtl8150 driver. Signed-off-by: Petko Manolov Signed-off-by: Adrian Bunk Commit: c8e01fe2fe66a65f73e4164ecd5c4e0fa2456c3e Author: Dan Streetman Thu, 22 Feb 2007 21:11:26 +0100 USB: add ZyXEL vendor/product ID to rtl8150 driver I just got a "ZyXEL Prestige USB Adapter" that is actually RTL8150 adapter. Here is the relevant /proc/bus/usb/devices output (after adding the vendor/product IDs to the driver): T: Bus=01 Lev=02 Prnt=02 Port=02 Cnt=02 Dev#=119 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1 P: Vendor=0586 ProdID=401a Rev= 1.00 S: Manufacturer=ZyXEL S: Product=Prestige USB Adapter S: SerialNumber=1027 C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=120mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=ff Driver=rtl8150 E: Ad=81(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=83(I) Atr=03(Int.) MxPS= 8 Ivl=1ms This patch adds the ZyXEL vendor ID to the rtl8150.c driver. The device has absolutely no identifying marks on the outside for model type, just a serial number, and I can't find anything on ZyXEL's website, so I called the product ID PRODUCT_ID_PRESTIGE to match the product string. Signed-off-by: Dan Streetman Signed-off-by: Adrian Bunk Commit: 4d12b6639bae991f592395da6895d02f11dd8ed9 Author: Stephen Hemminger Thu, 22 Feb 2007 21:07:51 +0100 sky2: dual-port pci-x checksum fix Add a workaround for dual port PCI-X card that returns status out of order sometimes because of split transactions. Signed-off-by: Stephen Hemminger Signed-off-by: Adrian Bunk Commit: 189b9a3bc90ecb79eb82ed4450db177aed7d292d Author: Stephen Hemminger Thu, 22 Feb 2007 21:07:11 +0100 sky2: fix for NAPI with dual port boards This driver uses port 0 to handle receives on both ports. So the netif_poll_disable call in dev_close would end up stopping the second port on dual port cards. Signed-off-by: Stephen Hemminger Signed-off-by: Adrian Bunk Commit: 65c35f6af648308f2a2d31b2dccacc7b3aeb640f Author: Al Viro Wed, 21 Feb 2007 12:48:22 +0100 fix rtl8150 That code doesn't do what its author apparently thought it would do... Signed-off-by: Al Viro Signed-off-by: Adrian Bunk Commit: c21af7af790184233f34077985ff160fe6b07d64 Author: Alexey Dobriyan Wed, 21 Feb 2007 01:43:24 +0100 [ATM] ambassador, firestream: "-1 >>" is implementation defined 6.5.7(5): The result of E1 >> E2 is E1 right-shifted E2 bit positions. ... If E1 has a signed type and a negative value, the resulting value is implementation defined. So, cast -1 to unsigned type to make result well-defined. [ Modified to use ~0U based upon recommendation from Al Viro. -DaveM ] Signed-off-by: Alexey Dobriyan Signed-off-by: Adrian Bunk Commit: 379efed186cb110913caa2014bf6cbc396e1fefb Author: Jeff Garzik Wed, 21 Feb 2007 01:42:39 +0100 [ATM] firestream: handle thrown error gcc emits the following warning: drivers/atm/firestream.c: In function ‘fs_open’: drivers/atm/firestream.c:870: warning: ‘tmc0’ may be used uninitialized in this function This indicates a real bug. We should check make_rate() return value for potential errors. Signed-off-by: Jeff Garzik Signed-off-by: Adrian Bunk Commit: ec2b07d409fcf3d83312b7fd431d1e8798224682 Author: David S. Miller Wed, 21 Feb 2007 01:41:25 +0100 [ATM] horizon: read_bia() needs to be __devinit Thanks to Randy Dunlap. Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk Commit: 1f0e1052ae6619d75f3096a5293f1b2b38873f77 Author: Al Viro Wed, 21 Feb 2007 01:40:51 +0100 ATM horizon.c: missing __devinit Signed-off-by: Al Viro Signed-off-by: Adrian Bunk Commit: a0cd22f8e3a0cd4f6d8b08103629cbbc29a0c9fb Author: David Howells Wed, 21 Feb 2007 01:20:05 +0100 Keys: Fix key serial number collision handling (CVE-2007-0006) Fix the key serial number collision avoidance code in key_alloc_serial(). This didn't use to be so much of a problem as the key serial numbers were allocated from a simple incremental counter, and it would have to go through two billion keys before it could possibly encounter a collision. However, n that random numbers are used instead, collisions are much more likely. This is fixed by finding a hole in the rbtree where the next unused serial number ought to be and using that by going almost back to the top of the insertion routine and redoing the insertion with the new serial number rathe than trying to be clever and attempting to work out the insertion point pointer directly. This fixes kernel Bugzilla #7727. Signed-off-by: David Howells Signed-off-by: Adrian Bunk Commit: e48d2dd437e8f5c1fd4ae7ef8c77142e58491151 Author: Eric Sandeen Wed, 21 Feb 2007 00:57:05 +0100 fix bad_inode_ops memory corruption (CVE-2006-5753) CVE-2006-5753 is for a case where an inode can be marked bad, switching the ops to bad_inode_ops, which are all connected as: static int return_EIO(void) { return -EIO; } #define EIO_ERROR ((void *) (return_EIO)) static struct inode_operations bad_inode_ops = { .create = bad_inode_create ...etc... The problem here is that the void cast causes return types to not be promoted, and for ops such as listxattr which expect more than 32 bits of return value, the 32-bit -EIO is interpreted as a large positive 64-bit number, i.e. 0x00000000fffffffa instead of 0xfffffffa. This goes particularly badly when the return value is taken as a number of bytes to copy into, say, a user's buffer for example... I originally had coded up the fix by creating a return_EIO_ macro for each return type, like this: static int return_EIO_int(void) { return -EIO; } #define EIO_ERROR_INT ((void *) (return_EIO_int)) static struct inode_operations bad_inode_ops = { .create = EIO_ERROR_INT, ...etc... but Al felt that it was probably better to create an EIO-returner for each actual op signature. Since so few ops share a signature, I just went ahead & created an EIO function for each individual file & inode op that returns a value. Adrian Bunk: backported to 2.6.16 Signed-off-by: Eric Sandeen Signed-off-by: Adrian Bunk Commit: 82ea2673f38fd5987aa43351f81110e7c7acd32b Author: Marcel Holtmann Wed, 21 Feb 2007 00:25:10 +0100 [Bluetooth] Restrict well known PSM to privileged users The PSM values below 0x1001 of L2CAP are reserved for well known services. Restrict the possibility to bind them to privileged users. Signed-off-by: Marcel Holtmann Signed-off-by: Adrian Bunk Commit: 1042dac731e1ad848b69af31dd7b15a2e9c6f6f4 Author: Marcel Holtmann Wed, 21 Feb 2007 00:23:40 +0100 [Bluetooth] Missing endian swapping for L2CAP socket list The PSM value in the L2CAP socket list must be converted to host order before printing it. Signed-off-by: Marcel Holtmann Signed-off-by: Adrian Bunk Commit: 0d1335f51d535fa036c5cddccd1779cab5f2f143 Author: Greg Banks Wed, 21 Feb 2007 00:14:36 +0100 Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772) Due to type confusion, when an nfsacl verison 2 'ACCESS' request finishes and tries to clean up, it calls fh_put on entiredly the wrong thing and this can cause an oops. Signed-off-by: Adrian Bunk Commit: af8f3558878c9894b8ed08d9273c6357aca313aa Author: Oleg Nesterov Tue, 20 Feb 2007 16:07:19 +0100 V4L/DVB: Buf_qbuf: fix: videobuf_queue->stream corruption and lockup We are doing ->buf_prepare(buf) before adding buf to q->stream list. This means that videobuf_qbuf() should not try to re-add a STATE_PREPARED buffer. Adrian Bunk: Backported to 2.6.16. Signed-off-by: Oleg Nesterov Signed-off-by: Mauro Carvalho Chehab