commit 299a2479bca6211f845158761920ec480f35a229
Author: Greg Kroah-Hartman
Date:   Fri Feb 23 15:52:30 2007 -0800

    Linux 2.6.18.8

commit b3008f65500fd9350ac45988de66f4dd5249604c
Author: Hugh Dickins
Date:   Fri Feb 23 21:51:20 2007 +0000

    fix umask when noACL kernel meets extN tuned for ACLs

    Fix insecure default behaviour reported by Tigran Aivazian: if an ext2
    or ext3 filesystem is tuned to mount with "acl", but mounted by a kernel
    built without ACL support, then umask was ignored when creating inodes -
    though root or user has umask 022, touch creates files as 0666, and
    mkdir creates directories as 0777.

    This appears to have worked right until 2.6.11, when a fix to the
    default mode on symlinks (always 0777) assumed VFS applies umask: which
    it does, unless the mount is marked for ACLs; but ext[23] set MS_POSIXACL
    in s_flags according to s_mount_opt set according to def_mount_opts.

    We could revert to the 2.6.10 ext[23]_init_acl (adding an S_ISLNK test);
    but other filesystems only set MS_POSIXACL when ACLs are configured. We
    could fix this at another level; but it seems most robust to avoid
    setting the s_mount_opt flag in the first place (at the expense of more
    ifdefs). Likewise don't set the XATTR_USER flag when built without XATTR
    support.

    Signed-off-by: Hugh Dickins
    Acked-by: Andreas Gruenbacher
    Cc: Tigran Aivazian
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 4f1e627105e55e1e2ee6d6e9138912880c186dd0
Author: Badari Pulavarty
Date:   Fri Dec 22 01:06:23 2006 -0800

    Fix for shmem_truncate_range() BUG_ON()

    Ran into BUG() while doing madvise(REMOVE) testing. If we are punching a
    hole into shared memory segment using madvise(REMOVE) and the entire
    hole is below the indirect blocks, we hit following assert.
        BUG_ON(limit <= SHMEM_NR_DIRECT);

    Signed-off-by: Badari Pulavarty
    Cc: Hugh Dickins
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit f102c840f7f72492a83c93fa65396fe0edcf1df6
Author: Hugh Dickins
Date:   Thu Jan 4 20:26:22 2007 +0000

    make ppc64 current preempt-safe

    Repeated -j20 kernel builds on a G5 Quad running an SMP PREEMPT kernel
    would often collapse within a day, some exec failing with "Bad address".
    In each case examined, load_elf_binary was doing a kernel_read, but
    generic_file_aio_read's access_ok saw current->thread.fs.seg as USER_DS
    instead of KERNEL_DS.

    objdump of filemap.o shows gcc 4.1.0 emitting "mr r5,r13 ... ld r9,416(r5)"
    here for get_paca()->__current, instead of the expected and much more
    usual "ld r9,416(r13)"; I've seen other gcc4s do the same, but perhaps
    not gcc3s.

    So, if the task is preempted and rescheduled on a different cpu in
    between the mr and the ld, r5 will be looking at a different paca_struct
    from the one it's now on, pick up the wrong __current, and perhaps the
    wrong seg. Presumably much worse could happen elsewhere, though that
    split is rare.

    Other architectures appear to be safe (x86_64's read_pda is more
    limiting than get_paca), but ppc64 needs to force "current" into one
    instruction.

    Signed-off-by: Hugh Dickins
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 700019f9fea4d78100e0b6032db3a66040620d42
Author: Hugh Dickins
Date:   Thu Jan 4 20:22:14 2007 +0000

    fix msync error on unmapped area

    Fix the 2.6.18 sys_msync to report -ENOMEM correctly when an unmapped
    area falls within its range, and not to overshoot: to satisfy LSB 3.1
    tests and to fix Debian Bug#394392. Took the 2.6.19 sys_msync as
    starting point (including its cleanup of repeated "current->mm"s),
    reintroducing the msync_interval and balance_dirty_pages_ratelimited_nr
    needed in 2.6.18.
    The misbehaviour fixed here may not seem very serious; but it was enough
    to mislead Debian into backporting 2.6.19's dirty page tracking patches,
    with attendant mayhem when those resulted in unsuspected file corruption.

    Signed-off-by: Hugh Dickins
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit dbee2bf2f312a9d18fa3f305adc14e2ee58f65df
Author: Hugh Dickins
Date:   Sun Dec 10 02:18:43 2006 -0800

    read_zero_pagealigned() locking fix

    Ramiro Voicu hits the BUG_ON(!pte_none(*pte)) in zeromap_pte_range:
    kernel bugzilla 7645. Right: read_zero_pagealigned uses down_read of
    mmap_sem, but another thread's racing read of /dev/zero, or a normal
    fault, can easily set that pte again, in between zap_page_range and
    zeromap_page_range getting there. It's been wrong ever since 2.4.3.

    The simple fix is to use down_write instead, but that would serialize
    reads of /dev/zero more than at present: perhaps some app would be badly
    affected. So instead let zeromap_page_range return the error instead of
    BUG_ON, and read_zero_pagealigned break to the slower clear_user loop in
    that case - there's no need to optimize for it.

    Use -EEXIST for when a pte is found: BUG_ON in mmap_zero (the other user
    of zeromap_page_range), though it really isn't interesting there. And
    since mmap_zero wants -EAGAIN for out-of-memory, the zeromaps better
    return that than -ENOMEM.

    Signed-off-by: Hugh Dickins
    Cc: Ramiro Voicu
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit d84ad2cb50ba8c92df32ae6df47d413e5877e6ea
Author: Linus Torvalds
Date:   Sat Dec 16 09:44:32 2006 -0800

    Fix incorrect user space access locking in mincore() (CVE-2006-4814)

    Doug Chapman noticed that mincore() will do a "copy_to_user()" of the
    result while holding the mmap semaphore for reading, which is a big
    no-no.
    While a recursive read-lock on a semaphore in the case of a page fault
    happens to work, we don't actually allow them due to deadlock scenarios
    with writers due to fairness issues.

    Doug and Marcel sent in a patch to fix it, but I decided to just rewrite
    the mess instead - not just fixing the locking problem, but making the
    code smaller and (imho) much easier to understand.

    Cc: Doug Chapman
    Cc: Marcel Holtmann
    Cc: Hugh Dickins
    Cc: Andrew Morton
    [chrisw: fold in subsequent fix: 4fb23e439ce0]
    Acked-by: Hugh Dickins
    [chrisw: fold in subsequent fix: 825020c3866e]
    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 45cbffd7b28ab48a5215a54f4937cf74ae3eb406
Author: Paolo 'Blaisorblade' Giarrusso
Date:   Thu Feb 15 03:34:23 2007 +0100

    x86_64: fix 2.6.18 regression - PTRACE_OLDSETOPTIONS should be accepted

    Also PTRACE_OLDSETOPTIONS should be accepted, as done by kernel/ptrace.c
    and forced by binary compatibility. UML/32bit breaks because of this -
    since it is wise enough to use PTRACE_OLDSETOPTIONS to be binary
    compatible with 2.4 host kernels.

    Until 2.6.17 (commit f0f2d6536e3515b5b1b7ae97dc8f176860c8c2ce) we had:

            default:
                    return sys_ptrace(request, pid, addr, data);

    Instead here we have:

            case PTRACE_GET_THREAD_AREA:
            case ...:
                    return sys_ptrace(request, pid, addr, data);
            default:
                    return -EINVAL;

    This change was a style change - when a case is added, it must be
    explicitly tested this way. In this case, not enough testing was done.

    Cc: Andi Kleen
    Signed-off-by: Paolo 'Blaisorblade' Giarrusso
    Signed-off-by: Greg Kroah-Hartman

commit 6a6a0294c1499b9b8b48999516e0797ce3a4f3ae
Author: Oleg Nesterov
Date:   Tue Jan 23 20:04:13 2007 -0300

    V4L: buf_qbuf: fix videobuf_queue->stream corruption and lockup

    We are doing ->buf_prepare(buf) before adding buf to q->stream list.
    This means that videobuf_qbuf() should not try to re-add a
    STATE_PREPARED buffer.
    (cherry picked from commit 419dd8378dfa32985672ab7927b4bc827f33b332)

    Signed-off-by: Oleg Nesterov
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit 0761fceaf46fdfc1411734e0d42c78e43e9ed67c
Author: Michael Krufky
Date:   Fri Jan 12 17:38:05 2007 -0300

    V4L: tveeprom: autodetect LG TAPC G701D as tuner type 37

    Autodetect LG TAPC G701D as tuner type 37, fixing mis-detected tuners in
    some Hauppauge tv tuner cards.

    Thanks to Adonis Papas, for pointing this out.

    (cherry picked from commit 1323fbda1343f50f198bc8bd6d1d59c8b7fc45bf)

    Signed-off-by: Michael Krufky
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit bd732136cabd7e967b3e529297e40c4cc80c4c18
Author: Martin Samuelsson
Date:   Sun Jan 7 20:50:27 2007 -0300

    V4L: fix ks0127 status flags

    Or status flags together in DECODER_GET_STATUS instead of and-zapping
    them.

    (cherry picked from commit 55d5440d4587454628a850ce26703639885af678)

    Signed-off-by: Martin Samuelsson
    Signed-off-by: Andrew Morton
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit d828fc9efb2241efe5b68e7d6c82cf06d3644870
Author: Grant Likely
Date:   Sun Jan 7 10:33:30 2007 -0300

    V4L: Fix quickcam communicator driver for big endian architectures

    Host endianness does not affect the order that pixel rgb data comes in
    from the quickcam (the values are bytes, not words or longs). The driver
    is erroneously swapping the order of rgb values for big endian machines.
    This patch is needed to get the Quickcam communicator working on big
    endian machines (tested on powerpc)

    (cherry picked from commit c6d704c8c4453f05717ba88792f70f8babf95268)

    Signed-off-by: Grant Likely
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit 7be1d0e5a34cf1aecba94ab8ea3473ee3cfded4a
Author: Jean Delvare
Date:   Wed Feb 7 15:39:34 2007 -0500

    v4l: cx88: Fix leadtek_eeprom tagging

    reference to .init.text: from .text between 'cx88_card_setup' (at offset
    0x68c) and 'cx88_risc_field'

    Caused by leadtek_eeprom() being declared __devinit and called from a
    non-devinit context.

    (cherry picked from commit 69f7e75a9d45e5eaca16917a8d0dedf76149f13f)

    Signed-off-by: Jean Delvare
    Signed-off-by: Michael Krufky
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit bdc752eef3a682cad5309822cb1d53913479c1bb
Author: Hans Verkuil
Date:   Wed Feb 7 15:38:23 2007 -0500

    v4l: cx2341x audio_properties is an u16, not u8

    This bug broke the MPEG audio mode controls.

    (cherry picked from commit cb2c7b4927c8f376b7ba9557978d8c59ed472664)

    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit b030914a398220fe3a9443b5cb4ddb6c3c548289
Author: Ang Way Chuang
Date:   Wed Feb 7 15:36:11 2007 -0500

    dvb-core: fix bug in CRC-32 checking on 64-bit systems

    CRC-32 checking during ULE decapsulation always failed on x86_64 systems
    due to the size of a variable used to store CRC. This bug was discovered
    on Fedora Core 6 with kernel-2.6.18-1.2849. The i386 counterpart has no
    such problem. This patch has been tested on 64-bit system as well as
    32-bit system.
    (cherry picked from commit dedcefb085fe98a1feaf63590fe2fc7e0ecb1987)

    Signed-off-by: Ang Way Chuang
    Signed-off-by: Michael Krufky
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit a385297dc1925131aacee187ec641a112663a54a
Author: Roland Dreier
Date:   Thu Jan 11 11:42:49 2007 -0800

    IB/mad: Fix race between cancel and receive completion

    When ib_cancel_mad() is called, it puts the canceled send on a list and
    schedules a "flushed" callback from process context. However, this
    leaves a window where a receive completion could be processed before the
    send is fully flushed.

    This is fine, except that ib_find_send_mad() will find the MAD and return
    it to the receive processing, which results in the sender getting both a
    successful receive and a "flushed" send completion for the same request.
    Understandably, this confuses the sender, which is expecting only one of
    these two callbacks, and leads to grief such as a use-after-free in IPoIB.

    Fix this by changing ib_find_send_mad() to return a send struct only if
    the status is still successful (and not "flushed"). The search of the
    send_list already had this check, so this patch just adds the same check
    to the search of the wait_list.

    Signed-off-by: Roland Dreier
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 78b8ebb89afe6230ab4e1c4297666216a545c425
Author: Eric Sandeen
Date:   Sat Dec 30 18:29:13 2006 -0500

    hfs_fill_super returns success even if no root inode (CVE-2006-6056)

    http://kernelfun.blogspot.com/2006/11/mokb-14-11-2006-linux-26x-selinux.html

    mount that image...

    fs: filesystem was not cleanly unmounted, running fsck.hfs is recommended.  mounting read-only.
    hfs: get root inode failed.
    BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018
     printing eip
    ...
    EIP is at superblock_doinit+0x21/0x767
    ...
     [] selinux_sb_kern_mount+0xc/0x4b
     [] vfs_kern_mount+0x99/0xf6
     [] do_kern_mount+0x2d/0x3e
     [] do_mount+0x5fa/0x66d
     [] sys_mount+0x77/0xae
     [] syscall_call+0x7/0xb
    DWARF2 unwinder stuck at syscall_call+0x7/0xb

    hfs_fill_super() returns success even if

            root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);

    or

            sb->s_root = d_alloc_root(root_inode);

    fails. This superblock finds its way to superblock_doinit() which does:

            struct dentry *root = sb->s_root;
            struct inode *inode = root->d_inode;

    and boom. Need to make sure the error cases return an error, I think.

    [akpm@osdl.org: return -ENOMEM on oom]
    Signed-off-by: Eric Sandeen
    Cc: Roman Zippel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 0fc7b9055c2069bdb2fae508cefaeef4d26f86aa
Author: Andrew Morton
Date:   Sat Dec 30 18:23:35 2006 -0500

    grow_buffers() infinite loop fix (CVE-2006-5757, CVE-2006-6060)

    If grow_buffers() is for some reason passed a block number which wants
    to lie outside the maximum-addressable pagecache range (PAGE_SIZE * 4G
    bytes) then it will accidentally truncate `index' and will then
    instantiate a page at the wrong pagecache offset. This causes
    __getblk_slow() to go into an infinite loop.

    This can happen with corrupted disks, or with software errors elsewhere.

    Detect that, and handle it.

    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 6ce115c0d888086716aef2b4b3cd702d3b4f060d
Author: Dirk Eibach
Date:   Wed Dec 20 08:34:43 2006 +0100

    i2c: fix broken ds1337 initialization

    On a custom board with ds1337 RTC I found that upgrade from 2.6.15 to
    2.6.18 broke RTC support. The main problem are changes to
    ds1337_init_client().

    When a ds1337 recognizes a problem (e.g. power or clock failure) bit 7
    in status register is set. This has to be reset by writing 0 to status
    register.
    But since there are only 16 bytes written to the chip and the first byte
    is interpreted as an address, the status register (which is the 16th) is
    never written.

    The other problem is, that initializing all registers to zero is not
    valid for day, date and month register. Funny enough this is checked by
    ds1337_detect(), which depends on these values not being zero. So then
    treated by ds1337_init_client() the ds1337 is not detected anymore,
    whereas the failure bit in the status register is still set.

    Broken by commit f9e8957937ebf60d22732a5ca9130f48a7603f60 (2.6.16-rc1,
    2006-01-06). This fix is in Linus' tree since 2.6.20-rc1 (commit
    763d9c046a2e511ec090a8986d3f85edf7448e7e).

    Signed-off-by: Dirk Stieler
    Signed-off-by: Dirk Eibach
    Signed-off-by: Jean Delvare
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit e7aaff7bdaa8ba73645c2329a811450764302e58
Author: Roland Dreier
Date:   Fri Dec 15 20:58:14 2006 -0800

    IB/srp: Fix FMR mapping for 32-bit kernels and addresses above 4G

    struct srp_device.fmr_page_mask was unsigned long, which means that the
    top part of addresses above 4G was being chopped off on 32-bit
    architectures. Of course nothing good happens when data from SRP targets
    is DMAed to the wrong place. Fix this by changing fmr_page_mask to u64,
    to match the addresses actually used by IB devices.

    Thanks to Brian Cain and David McMillen for help diagnosing the bug and
    testing the fix.

    Signed-off-by: Roland Dreier
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit d797d17f1561af73e3bd30bc433271ff695bfeb4
Author: Tejun Heo
Date:   Sat Dec 16 20:02:32 2006 +0900

    SCSI: add missing cdb clearing in scsi_execute()

    Clear-garbage-after-CDB patch missed scsi_execute() and it causes some
    ODDs (HL-DT-ST DVD-RAM GSA-H30N) choke during SCSI scan.

    Note that this patch is only for -stable. There is another more reliable
    fix for this problem proposed for devel tree.
    http://thread.gmane.org/gmane.linux.ide/14605/focus=14605

    Signed-off-by: Tejun Heo
    Cc: Jens Axboe
    Cc: Douglas Gilbert
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit ff6e642fe5fae0da7b54540fb76a93f3d968c87a
Author: Andi Kleen
Date:   Tue Sep 26 10:52:41 2006 +0200

    Don't leak NT bit into next task

    SYSENTER can cause an NT to be set which might cause crashes on the IRET
    in the next task.

    Following similar i386 patch from Linus.

    Signed-off-by: Andi Kleen
    [backport from Chuck Ebbert]
    Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit abf95418101f410b1cfdcd3c78d0d299231c8fcd
Author: Michael Buesch
Date:   Tue Feb 6 11:47:08 2007 -0600

    bcm43xx: Fix for oops on ampdu status

    If bcm43xx were to process an afterburner (ampdu) status response, Linux
    would oops. The ampdu and intermediate status bits are properly named.

    Signed-off-by: Michael Buesch
    Signed-off-by: Larry Finger
    Signed-off-by: Greg Kroah-Hartman

commit 0ae4320544a4fb8ffc363c68cf91b73241ed2884
Author: Larry Finger
Date:   Tue Feb 6 11:42:43 2007 -0600

    bcm43xx: Fix for oops on resume

    There is a kernel oops on bcm43xx when resuming due to an overly tight
    timeout loop.

    Signed-off-by: Larry Finger
    Signed-off-by: Greg Kroah-Hartman
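A quick check for the umask regression described in the first entry of this log (an ext2/ext3 filesystem tuned for "acl" mounted by a kernel built without ACL support, so new files come out 0666 and directories 0777 regardless of umask). This is an added script, not part of the 2.6.18.8 changelog or the kernel tree; it assumes GNU stat (stat -c '%a') and takes the mount point to probe as its first argument.

```shell
#!/bin/sh
# check_umask_honored DIR
# Creates one file and one directory under DIR and compares their modes with
# what the current umask should produce (0666 & ~umask for the file,
# 0777 & ~umask for the directory). Returns 0 when both match and 1 when the
# filesystem ignored umask, printing what was found to stderr.
check_umask_honored() {
    dir=${1:-.}
    mask=$(umask)                                   # e.g. 0022
    want_file=$(printf '%o' $(( 0666 & ~0$mask )))  # 644 for umask 022
    want_dir=$(printf '%o' $(( 0777 & ~0$mask )))   # 755 for umask 022
    probe_f="$dir/.umask_probe_$$"
    probe_d="$dir/.umask_probe_dir_$$"
    : > "$probe_f"                                  # like touch
    mkdir "$probe_d"
    got_file=$(stat -c '%a' "$probe_f")
    got_dir=$(stat -c '%a' "$probe_d")
    rm -f "$probe_f"
    rmdir "$probe_d"
    if [ "$got_file" = "$want_file" ] && [ "$got_dir" = "$want_dir" ]; then
        return 0
    fi
    echo "umask $mask ignored on $dir: file $got_file (want $want_file)," \
         "dir $got_dir (want $want_dir)" >&2
    return 1
}
```

Run it as root on the mount point in question under the umask the system normally uses; a non-zero exit is the insecure default the entry above describes.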