commit d5ed625ecf13099711051731d243a808b9bea0da
Author: Willy Tarreau
Date:   Sat Aug 25 17:24:47 2007 +0200

    Linux 2.6.20.17

commit c1e4dd1423d04c3010cfc70db210e41c97c5fd25
Author: Marcel Holtmann
Date:   Fri Aug 17 21:47:58 2007 +0200

    [PATCH] Reset current->pdeath_signal on SUID binary execution (CVE-2007-3848)

    This fixes a vulnerability in the "parent process death signal"
    implementation discovered by Wojciech Purczynski of COSEINC PTE Ltd.
    and iSEC Security Research.

    http://marc.info/?l=bugtraq&m=118711306802632&w=2

    Signed-off-by: Marcel Holtmann
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 1cf05c27a34048f768a3d9ea1410a28e71763587
Author: Venki Pallipadi
Date:   Wed Jun 20 14:24:52 2007 -0700

    [PATCH] CPUFREQ: ondemand: add a check to avoid negative load calculation

    Due to rounding and inexact jiffy accounting, idle_ticks can sometimes
    be higher than total_ticks. Make sure those cases are handled as zero
    load case.

    Signed-off-by: Venkatesh Pallipadi
    Signed-off-by: Dave Jones
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit f06ce2d4e4cbcfed29967c3c9fc40d2ecbc615c6
Author: Venki Pallipadi
Date:   Wed Jun 20 14:26:24 2007 -0700

    [PATCH] CPUFREQ: ondemand: fix tickless accounting and software coordination bug

    With tickless kernel and software coordination of P-states, ondemand
    can look at wrong idle statistics. This can happen when ondemand
    sampling is happening on CPU 0 and due to software coordination
    sampling also looks at utilization of CPU 1. If CPU 1 is in tickless
    state at that moment, its idle statistics will not be up to date and
    CPU 0 thinks CPU 1 is idle for less amount of time than it actually is.

    This can be resolved by looking at all the busy times of CPUs, which is
    accurate, even with tickless, and use that to determine idle time in a
    roundabout way (total time - busy time).

    Thanks to Arjan for originally reporting the ondemand bug on Lenovo T61.
    Signed-off-by: Venkatesh Pallipadi
    Signed-off-by: Dave Jones
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit f327bcd16db3128a6c1885e03109361e167d1a56
Author: Jeff Garzik
Date:   Mon Aug 13 16:31:32 2007 -0400

    [PATCH] pata_atiixp: add SB700 PCI ID

    [libata] pata_atiixp: add SB700 PCI ID

    From AMD.

    Signed-off-by: Jeff Garzik
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 7d067cc61ac6b9708922788e67fea7ee5b83fb8c
Author: Helge Deller
Date:   Fri Aug 10 13:00:45 2007 -0700

    [PATCH] stifb: detect cards in double buffer mode more reliably

    Visualize-EG, Graffiti and A4450A graphics cards on PARISC can be
    configured in double-buffer and standard mode, but the stifb driver
    supports standard mode only. This patch detects double-buffered cards
    more reliably.

    It is a real bugfix for a very nasty problem for all parisc users which
    have wrongly configured their graphic card.

    The problem: The stifb graphics driver will not detect that the card is
    wrongly configured and then nevertheless just enables the graphics
    mode, which it shouldn't. In the end, the user will see no further
    updates / boot messages on the screen.

    We had documented this problem already on our FAQ
    (http://parisc-linux.org/faq/index.html#viseg "Why do I get corrupted
    graphics with my Vis-EG/Graffiti/A4450A card?") but people still run
    into this problem. So having this fix in as early as possible can help
    us.

    Signed-off-by: Helge Deller
    Signed-off-by: Antonino Daplas
    Cc: Kyle McMartin
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 0ded4a4aa1115c6b225a874fe8ef37c777013d3d
Author: Badari Pulavarty
Date:   Fri Aug 10 13:00:44 2007 -0700

    [PATCH] direct-io: fix error-path crashes

    Need to initialize map_bh.b_state to zero. Otherwise, in case of a
    faulty user-buffer it's possible to go into dio_zero_block() and submit
    a page by mistake - since it checks for buffer_new().
    http://marc.info/?l=linux-kernel&m=118551339032528&w=2

    akpm: Linus had a (better) patch to just do a kzalloc() in there, but
    it got lost. Probably this version is better for -stable anyway.

    Signed-off-by: Badari Pulavarty
    Acked-by: Joe Jin
    Acked-by: Zach Brown
    Cc: gurudas pai
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit f0ce9d8f0be71fd690db1d37ab44fc026a4ae2b6
Author: Tejun Heo
Date:   Tue Aug 7 02:43:27 2007 +0900

    [PATCH] ata_piix: update map 10b for ich8m

    Fix map entry 10b for ich8. It's [P0 P2 IDE IDE] like ich6 / ich6m.

    Signed-off-by: Tejun Heo
    Acked-by: Kristen Carlson Accardi
    Cc: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit bcc5aca038af561a3ca5b86ce25413d5dfa3244c
Author: Michael Buesch
Date:   Tue Aug 7 12:20:40 2007 +0200

    [PATCH] softmac: Fix deadlock of wx_set_essid with assoc work

    The essid wireless extension does deadlock against the assoc mutex, as
    we don't unlock the assoc mutex when flushing the workqueue, which also
    holds the lock.

    Signed-off-by: Michael Buesch
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 0496a0322a9f80a27f289fe61ed0936e9b2c7eb5
Author: Matt Mackall
Date:   Sun Jul 15 17:10:14 2007 -0700

    [PATCH] random: fix bound check ordering (CVE-2007-3105)

    If root raised the default wakeup threshold over the size of the output
    pool, the pool transfer function could overflow the stack with RNG
    bytes, causing a DoS or potential privilege escalation.

    (Bug reported by the PaX Team)

    Cc: Theodore Tso
    Cc: Willy Tarreau
    Signed-off-by: Matt Mackall
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 0ea4a21321478a85e9c4dfdb877f44a868e2a91a
Author: Jeff Dike
Date:   Tue Jul 10 12:49:04 2007 -0400

    [PATCH] UML: exports for hostfs

    Add some exports for hostfs that are required after Alberto Bertogli's
    fixes for accessing unlinked host files.

    Also did some style cleanups while I was here.
    Signed-off-by: Jeff Dike
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 3edbfd471543153c04ca8ea63dce47931787b474
Author: Jiri Slaby
Date:   Tue Jul 10 17:22:25 2007 -0700

    [PATCH] sx: switch subven and subid values

    sx.c is failing to locate Graham's card.

    Signed-off-by: Jiri Slaby
    Cc: Graham Murray
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit ac82581f098be0d3f6ef011d2b168181f4f79a0e
Author: David Stevens
Date:   Mon Feb 26 16:28:56 2007 -0800

    [PATCH] IPV6: /proc/net/anycast6 unbalanced inet6_dev refcnt

    Reading /proc/net/anycast6 when there is no anycast address on an
    interface results in an ever-increasing inet6_dev reference count, as
    well as a reference to the netdevice you can't get rid of.

    Signed-off-by: David S. Miller
    Cc: Marcus Meissner
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 8c25e9c9cd1fed0d5f57075b584c39a4b9af9830
Author: Ville Tervo
Date:   Wed Jul 11 09:23:41 2007 +0200

    [PATCH] Keep rfcomm_dev on the list until it is freed

    This patch changes the RFCOMM TTY release process so that the TTY is
    kept on the list until it is really freed. A new device flag is used
    to keep track of released TTYs.

    Signed-off-by: Ville Tervo
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit b37a2fc49a6b4b0dd4fdc0434f7d7b65a3f9aa3c
Author: Mikko Rapeli
Date:   Wed Jul 11 09:18:15 2007 +0200

    [PATCH] Hangup TTY before releasing rfcomm_dev

    The core problem is that RFCOMM socket layer ioctl can release
    rfcomm_dev struct while RFCOMM TTY layer is still actively using it.
    Calling tty_vhangup() is needed for a synchronous hangup before
    rfcomm_dev is freed.
    Addresses the oops at http://bugzilla.kernel.org/show_bug.cgi?id=7509

    Acked-by: Alan Cox
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit c7127d95357001143678ac6517e8e25c2a65e4cf
Author: Stefan Bader
Date:   Thu Jul 12 17:28:33 2007 +0100

    [PATCH] dm: disable barriers

    This patch causes device-mapper to reject any barrier requests. This is
    done since most of the targets won't handle this correctly anyway. So
    until the situation improves it is better to reject these requests at
    the first place. Since barrier requests won't get to the targets, the
    checks there can be removed.

    Signed-off-by: Stefan Bader
    Signed-off-by: Alasdair G Kergon
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit f4c146b686810ba345b72ca3e2a0c74586838f1c
Author: Milan Broz
Date:   Thu Jul 12 17:28:13 2007 +0100

    [PATCH] dm snapshot: permit invalid activation

    Allow invalid snapshots to be activated instead of failing.

    This allows userspace to reinstate any given snapshot state - for
    example after an unscheduled reboot - and clean up the invalid snapshot
    at its leisure.

    Signed-off-by: Milan Broz
    Signed-off-by: Alasdair G Kergon
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit f83801d9974cda3172c4ca9c72ca39940df30f47
Author: J. Bruce Fields
Date:   Mon Jul 23 18:43:52 2007 -0700

    [PATCH] nfsd: fix possible oops on re-insertion of rpcsec_gss modules

    The handling of the re-registration case is wrong here; the "test" that
    was returned from auth_domain_lookup will not be used again, so that
    reference should be put. And auth_domain_lookup never did anything with
    "new" in this case, so we should just clean it up ourself.

    Thanks to Akinobu Mita for bug report, analysis, and testing.

    Cc: Akinobu Mita
    Signed-off-by: "J. Bruce Fields"
    Cc: Neil Brown
    Cc: Trond Myklebust
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit f1c3689f3b8d8b97ac1653545b038b4551fc4443
Author: Adrian Bunk
Date:   Tue Jul 17 04:05:53 2007 -0700

    [PATCH] drivers/video/macmodes.c:mac_find_mode() mustn't be __devinit

    If it's EXPORT_SYMBOL'ed it can't be __devinit.

    Reported by Mikael Pettersson.

    Signed-off-by: Adrian Bunk
    Cc: "Antonino A. Daplas"
    Cc: Michal Piotrowski
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 4de97a2d6f8793f7623106fe76da1947933a4f5c
Author: Herbert van den Bergh
Date:   Sun Jul 15 23:38:25 2007 -0700

    [PATCH] do not limit locked memory when RLIMIT_MEMLOCK is RLIM_INFINITY

    Fix a bug in mm/mlock.c on 32-bit architectures that prevents a user
    from locking more than 4GB of shared memory, or allocating more than
    4GB of shared memory in hugepages, when rlim[RLIMIT_MEMLOCK] is set to
    RLIM_INFINITY.

    Signed-off-by: Herbert van den Bergh
    Acked-by: Chris Mason
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 2dd610fa1cc1b8eb9e3f4555078aee7b47691a04
Author: Joe Jin
Date:   Sun Jul 15 23:38:12 2007 -0700

    [PATCH] hugetlb: fix race in alloc_fresh_huge_page()

    That static `nid' index needs locking. Without it we can end up calling
    alloc_pages_node() with an illegal node ID and the kernel crashes.

    Acked-by: Gurudas Pai
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 303a2abf3e1c29f0697e9e8f71e9b7b0c506a124
Author: Jan Kara
Date:   Sun Jul 15 23:37:20 2007 -0700

    [PATCH] jbd2 commit: fix transaction dropping

    We have to check that also the second checkpoint list is non-empty
    before dropping the transaction.
    Signed-off-by: Jan Kara
    Cc: Chuck Ebbert
    Cc: Kirill Korotaev
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 8cd286b224aa466f0087e2d60bf765889d2da6e3
Author: Jan Kara
Date:   Sun Jul 15 23:37:18 2007 -0700

    [PATCH] jbd commit: fix transaction dropping

    We have to check that also the second checkpoint list is non-empty
    before dropping the transaction.

    Signed-off-by: Jan Kara
    Cc: Chuck Ebbert
    Cc: Kirill Korotaev
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 78534eed45a917b1a1a933915eb5e742b400649f
Author: Venki Pallipadi
Date:   Mon Jul 16 16:57:38 2007 -0400

    [PATCH] acpi-cpufreq: Proper ReadModifyWrite of PERF_CTL MSR

    [CPUFREQ] acpi-cpufreq: Proper ReadModifyWrite of PERF_CTL MSR

    During recent acpi-cpufreq changes, writing to PERF_CTL msr changed
    from RMW of entire 64 bit to RMW of low 32 bit and clearing of upper
    32 bit. Fix it back to do a proper RMW of the MSR.

    Signed-off-by: Venkatesh Pallipadi
    Signed-off-by: Dave Jones
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 8cea2c72a013b0c34faeb4d32a0037dd4b2261b3
Author: Ayaz Abdulla
Date:   Mon Jul 16 09:50:01 2007 -0400

    [PATCH] forcedeth bug fix: vitesse phy

    This patch contains errata fixes for the vitesse phy. It only renamed
    the defines to be phy specific.

    Signed-off-by: Ayaz Abdulla
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 41416110f727eedf8fccd28ef6814d519e91405b
Author: Ayaz Abdulla
Date:   Mon Jul 16 09:49:51 2007 -0400

    [PATCH] forcedeth bug fix: cicada phy

    This patch contains errata fixes for the cicada phy. It only renamed
    the defines to be phy specific.
    Signed-off-by: Ayaz Abdulla
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 4297d4bd6cdf6dbe0d30d13894816a6429418d19
Author: Mariusz Kozlowski
Date:   Thu Jul 19 17:27:22 2007 -0700

    [PATCH] fs: 9p/conv.c error path fix

    When buf_check_overflow() returns != 0 we will hit kfree(ERR_PTR(err))
    and it will not be happy about it.

    Signed-off-by: Mariusz Kozlowski
    Cc: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau
    Acked-by: Eric Van Hensbergen

commit faae60c8fef63043850b17b105f42c075d4d74f9
Author: Fengguang Wu
Date:   Thu Jul 19 01:47:58 2007 -0700

    [PATCH] readahead: MIN_RA_PAGES/MAX_RA_PAGES macros

    Define two convenient macros for read-ahead:
      - MAX_RA_PAGES: rounded down counterpart of VM_MAX_READAHEAD
      - MIN_RA_PAGES: rounded _up_ counterpart of VM_MIN_READAHEAD

    Note that the rounded up MIN_RA_PAGES will work flawlessly with _large_
    page sizes like 64k.

    Signed-off-by: Fengguang Wu
    Cc: Steven Pratt
    Cc: Ram Pai
    Cc: Rusty Russell
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 25d919bd316afa283e1d758967923fddcff83fd8
Author: J. Bruce Fields
Date:   Thu Jul 19 01:49:18 2007 -0700

    [PATCH] nfsd: fix possible read-ahead cache and export table corruption

    The value of nperbucket calculated here is too small--we should be
    rounding up instead of down--with the result that the index j in the
    following loop can overflow the raparm_hash array. At least in my case,
    the next thing in memory turns out to be export_table, so the symptoms
    I see are crashes caused by the appearance of four zeroed-out export
    entries in the first bucket of the hash table of exports (which were
    actually entries in the readahead cache, a pointer to which had been
    written to the export table in this initialization code).

    It looks like the bug was probably introduced with commit
    fce1456a19f5c08b688c29f00ef90fdfa074c79b ("knfsd: make the readahead
    params cache SMP-friendly").

    Cc: Greg Banks
    Signed-off-by: "J. Bruce Fields"
    Acked-by: NeilBrown
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 50dd9072c45f64348e10ae61df948fef43430a0e
Author: Jean Tourrilhes
Date:   Tue Jul 17 10:46:33 2007 -0500

    [PATCH] softmac: Fix ESSID problem

    Victor Porton reported that the SoftMAC layer had random problem when
    setting the ESSID:
    http://bugzilla.kernel.org/show_bug.cgi?id=8686

    After investigation, it turned out to be worse, the SoftMAC layer is
    left in an inconsistent state. The fix is pretty trivial.

    Signed-off-by: Jean Tourrilhes
    Acked-by: Michael Buesch
    Acked-by: Larry Finger
    Acked-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 04745f208c5b7de16fb35628b0003744b760b2cd
Author: Milan Broz
Date:   Sat Jul 21 04:37:27 2007 -0700

    [PATCH] dm io: fix panic on large request

    Flush workqueue before releasing bioset and mempools in dm-crypt. There
    can be finished but not yet released requests.

    Call chain causing oops:
      run workqueue
        dec_pending
          bio_endio(...);
            mempool_free(io, cc->io_pool);

    This usually happens when cryptsetup creates temporary luks mapping in
    the beginning of crypt device activation. When dm-core calls destructor
    crypt_dtr, no new requests are possible.
    Signed-off-by: Milan Broz
    Cc: Chuck Ebbert
    Cc: Patrick McHardy
    Acked-by: Alasdair G Kergon
    Cc: Christophe Saout
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 32419ed8545cf3becdc84cfee0efd62becb48b4d
Author: Herton Ronaldo Krzesinski
Date:   Tue Jul 31 00:38:52 2007 -0700

    [PATCH] Include serial_reg.h with userspace headers

    As reported by Gustavo de Nardin, while trying to compile xosview
    (http://xosview.sourceforge.net/) with upstream kernel headers being
    used you get the following errors:

      serialmeter.cc:48:30: error: linux/serial_reg.h: No such file or directory
      serialmeter.cc: In member function 'virtual void SerialMeter::checkResources()':
      serialmeter.cc:71: error: 'UART_LSR' was not declared in this scope
      serialmeter.cc:71: error: 'UART_MSR' was not declared in this scope
      ...

    Signed-off-by: Herton Ronaldo Krzesinski
    Cc: Gustavo de Nardin
    Cc: David Woodhouse
    Cc: Russell King
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 61675a5e1944525dba8421aa1fb0f2d075dba4b6
Author: Mingming Cao
Date:   Tue Jul 31 00:37:46 2007 -0700

    [PATCH] "ext4_ext_put_in_cache" uses __u32 to receive physical block number

    Yan Zheng wrote:
    > I think I found a bug in ext4/extents.c, "ext4_ext_put_in_cache" uses
    > "__u32" to receive physical block number. "ext4_ext_put_in_cache" is
    > used in "ext4_ext_get_blocks", it sets ext4 inode's extent cache
    > according to the most recent tree lookup (higher 16 bits of saved
    > physical block number are always zero). When serving a mapping
    > request, "ext4_ext_get_blocks" first checks whether the logical block
    > is in inode's extent cache. If the logical block is in the cache and
    > the cached region isn't a gap, "ext4_ext_get_blocks" gets physical
    > block number by using cached region's physical block number and
    > offset in the cached region.
    > As described above, "ext4_ext_get_blocks" may return wrong result
    > when there are physical block numbers bigger than 0xffffffff.
    >

    You are right. Thanks for reporting this!

    Signed-off-by: Mingming Cao
    Cc: Yan Zheng
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 017ec3f52da373ba92db9537c9f1487363810a99
Author: Daniel Ritz
Date:   Tue Jul 31 00:38:08 2007 -0700

    [PATCH] pcmcia: give socket time to power down

    Give sockets up to 100ms of additional time to power down. Otherwise we
    might generate false warnings with KERN_ERR priority (like in bug
    #8262).

    Signed-off-by: Daniel Ritz
    Cc: Nils Neumann
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit a14008cfca3a2026f09c91f2a96b26bcc507cd92
Author: Maik Hampel
Date:   Tue Jul 31 00:37:57 2007 -0700

    [PATCH] md: raid10: fix use-after-free of bio

    In case of read errors raid10d tries to print a nice error message,
    unfortunately using data from an already put bio.

    Signed-off-by: Maik Hampel
    Acked-By: NeilBrown
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 32c207fa861f29aad527039da70556b5c387a2be
Author: Arne Redlich
Date:   Tue Jul 31 00:37:57 2007 -0700

    [PATCH] md: handle writes to broken raid10 arrays gracefully

    When writing to a broken array, raid10 currently happily emits empty
    bio lists. IOW, the master bio will never be completed, sending writers
    to UNINTERRUPTIBLE_SLEEP forever.

    Signed-off-by: Arne Redlich
    Acked-by: Neil Brown
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit dd6de5b299db5ca6e81f3237bf61610921ab5933
Author: Pavel Emelianov
Date:   Tue Jul 31 00:38:48 2007 -0700

    [PATCH] Fix user struct leakage with locked IPC shmem segment

    When user locks an ipc shmem segment with SHM_LOCK ctl and the segment
    is already locked the shmem_lock() function returns 0.
    After this the subsequent code leaks the existing user struct:

    == ipc/shm.c: sys_shmctl() ==
    ...
    err = shmem_lock(shp->shm_file, 1, user);
    if (!err) {
            shp->shm_perm.mode |= SHM_LOCKED;
            shp->mlock_user = user;
    }
    ...
    ==

    Other results of this are:
    1. the new shp->mlock_user is not get-ed and will point to freed
       memory when the task dies.
    2. the RLIMIT_MEMLOCK is screwed on both user structs.

    The exploit looks like this:

    ==
    id = shmget(...);
    setresuid(uid, 0, 0);
    shmctl(id, SHM_LOCK, NULL);
    setresuid(uid + 1, 0, 0);
    shmctl(id, SHM_LOCK, NULL);
    ==

    My solution is to return 0 to the userspace and do not change the
    segment's user.

    Signed-off-by: Pavel Emelianov
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 037f00bce0965f3291bf80595c6a0bcc33cca3a1
Author: Ulrich Drepper
Date:   Tue Jul 31 00:38:16 2007 -0700

    [PATCH] CPU online file permission

    Is there a reason why the "online" file in the subdirectories for the
    CPUs in /sys/devices/system isn't world-readable? I cannot imagine it
    to be security relevant especially now that a getcpu() syscall can be
    used to determine what CPU a thread runs on.

    The file is useful to correctly implement the sysconf() function to
    return the number of online CPUs. In the presence of hotplug we
    currently cannot provide this information.

    The patch below should do it.
    Signed-off-by: Ulrich Drepper
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 219d43111f781f42116d2a9b3b0e7fa2336a8fba
Author: Alexey Dobriyan
Date:   Tue Jul 31 00:38:50 2007 -0700

    [PATCH] Fix leak on /proc/lockdep_stats

    Signed-off-by: Alexey Dobriyan
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 8894f67be2ffabcd8b4491d552929b89bcebe36b
Author: Dave Airlie
Date:   Tue Aug 7 09:09:51 2007 +1000

    [PATCH] drm/i915: Fix i965 secured batchbuffer usage (CVE-2007-3851)

    The 965G and above chipsets moved the batch buffer non-secure bits to
    another place. This means that previous drm's allowed insecure
    batchbuffers to be submitted to the hardware from non-privileged users
    who are logged into X and have access to direct rendering.

    Signed-off-by: Dave Airlie
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 07acaa4834f61f28e7ea98cdb54ccc57a5c8af74
Author: Jens Axboe
Date:   Fri Jul 20 15:21:36 2007 +0200

    [PATCH] splice: fix double page unlock

    If add_to_page_cache_lru() fails, the page will not be locked. But
    splice jumps to an error path that does a page release and unlock,
    causing a BUG() in unlock_page(). Fix this by adding one more label
    that just releases the page.

    This bug was actually triggered on EL5 by gurudas pai using fio.

    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit f97119d87106f6bbb3f1e829f53b638c522f23a5
Author: Hans Verkuil
Date:   Tue Jul 24 08:07:43 2007 -0400

    [PATCH] V4L: wm8775/wm8739: Fix memory leak when unloading module

    State struct was never freed.
    (cherry picked from commit 1b2232ab879993fcf5b9391c3febf6ab5d78201e)

    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 7dbd515d60f8e0b4f3ab6f62cf5cb1606d62e654
Author: Hans Verkuil
Date:   Tue Jul 24 08:07:17 2007 -0400

    [PATCH] V4L: Add check for valid control ID to v4l2_ctrl_next

    If v4l2_ctrl_next is called without the V4L2_CTRL_FLAG_NEXT_CTRL then
    it should check whether the passed control ID is valid and return 0 if
    it isn't. Otherwise a for-loop over the control IDs will never end.

    (cherry picked from commit a46c5fbc6912c4e34cb7ded314249b639dc244a6)

    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit f87acefea8a786d3fe490f0f0b2c635973f619ec
Author: Alan Cox
Date:   Mon Jul 23 14:51:05 2007 +0100

    [PATCH] aacraid: fix security hole

    On the SCSI layer ioctl path there is no implicit permissions check for
    ioctls (and indeed other drivers implement unprivileged ioctls).
    aacraid however allows all sorts of very admin only things to be done
    so should check.

    Signed-off-by: Alan Cox
    Acked-by: Mark Salyzyn
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 69a7ef0f48c24f0acb35970b0237c8e71f6b822f
Author: Alan Stern
Date:   Thu Jul 19 20:44:51 2007 -0700

    [PATCH] USB: fix warning caused by autosuspend counter going negative

    This patch (as937) fixes a minor bug in the autosuspend usage-counting
    code. Each hub's usage counter keeps track of the number of unsuspended
    children. However the current driver increments the counter after
    registering a new child, by which time the child may already have been
    suspended and caused the counter to go negative. The obvious solution
    is to increment the counter before registering the child.
    Signed-off-by: Alan Stern
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit d4d4eb0442422123ac0fb4a560af2ad481817397
Author: Joerg Roedel
Date:   Wed Jul 18 19:51:36 2007 +0300

    [PATCH] KVM: SVM: Reliably detect if SVM was disabled by BIOS

    This patch adds an implementation to the svm is_disabled function to
    detect reliably if the BIOS disabled the SVM feature in the CPU. This
    fixes the issues with kernel panics when loading the kvm-amd module on
    machines where SVM is available but disabled.

    Signed-off-by: Joerg Roedel
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit c3338ef326869755751ae61897c5b475439f557d
Author: YOSHIFUJI Hideaki
Date:   Tue Jul 24 21:47:05 2007 -0700

    [PATCH] Fix TCP IPV6 MD5 bug.

    [TCPv6] MD5SIG: Ensure to reset allocation count to avoid panic.

    After clearing all passwords for IPv6 peers, we need to set allocation
    count to zero as well as we free the storage. Otherwise, we panic when
    a user tries to (re)add a password.

    Discovered and fixed by MIYAJIMA Mitsuharu.

    Signed-off-by: YOSHIFUJI Hideaki
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 924208714f0952c9db54121b99b885760917ef57
Author: Mark Fortescue
Date:   Tue Jul 24 21:45:44 2007 -0700

    [PATCH] Fix sparc32 udelay() rounding errors.

    [SPARC32]: Fix rounding errors in ndelay/udelay implementation.

    __ndelay and __udelay have not been delaying >= specified time.

    The problem with __ndelay has been tracked down to the rounding of the
    multiplier constant. By changing this, delays > app 18us are correctly
    calculated.

    The problem with __udelay has also been tracked down to rounding
    issues. Changing the multiplier constant (to match that used in
    sparc64) corrects for large delays and adding in a rounding constant
    corrects for truncation errors in the calculations.

    Many short delays will return without looping.
    This is not an error as there is the fixed delay of doing all the
    maths to calculate the loop count.

    Signed-off-by: Mark Fortescue
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 461da1de5ee6ee7f4848840d296c28a60c8b50e7
Author: Alexander Shmelev
Date:   Tue Jul 24 21:44:48 2007 -0700

    [PATCH] Fix sparc32 memset()

    [SPARC32]: Fix bug in sparc optimized memset.

    Sparc optimized memset (arch/sparc/lib/memset.S) does not fill last
    byte of the memory area, if area size is less than 8 bytes and start
    address is not word (4-bytes) aligned.

    Here is code chunk where bug located:

            /* %o0 - memory address, %o1 - size, %g3 - value */
    8:
            add     %o0, 1, %o0
            subcc   %o1, 1, %o1
            bne,a   8b
             stb    %g3, [%o0 - 1]

    This code should write byte every loop iteration, but last time delay
    instruction stb is not executed because branch instruction sets
    "annul" bit.

    Patch replaces bne,a by bne instruction.

    Error can be reproduced by simple kernel module:

    --------------------
    #include <linux/module.h>
    #include <linux/kernel.h>
    #include <linux/init.h>
    #include <linux/string.h>

    static void do_memset(void **p, int size)
    {
            memset(p, 0x00, size);
    }

    static int __init memset_test_init(void)
    {
            char fooc[8];
            int *fooi;

            /* fill all 8 bytes, then clear one byte at an unaligned offset */
            memset(fooc, 0xba, sizeof(fooc));
            do_memset((void**)(fooc + 3), 1);

            /* with the bug the byte at offset 3 still reads 0xba */
            fooi = (int*) fooc;
            printk("%08X %08X\n", fooi[0], fooi[1]);

            return -1;
    }

    static void __exit memset_test_cleanup(void)
    {
            return;
    }

    module_init(memset_test_init);
    module_exit(memset_test_cleanup);

    MODULE_LICENSE("GPL");
    EXPORT_NO_SYMBOLS;
    ------------------------

    Signed-off-by: Alexander Shmelev
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 8dd61f5b0bd0cc1eb3c925a3d1195c6f7ce132cc
Author: David S. Miller
Date:   Thu Jul 19 22:06:09 2007 -0700

    [PATCH] Sparc64 bootup assembler bug

    [SPARC64]: Fix two year old bug in early bootup asm.

    We try to fetch the CIF entry pointer from %o4, but that can get
    clobbered by the early OBP calls.
    It is saved in %l7 already, so actually this "mov %o4, %l7" can just
    be completely removed with no other changes.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 1801acf87921d8e96ad87be0d43c868b57e53c11
Author: Satyam Sharma
Date:   Wed Jul 18 02:54:19 2007 -0700

    [PATCH] Netpoll leak

    [NETPOLL]: Fix a leak-n-bug in netpoll_cleanup()

    93ec2c723e3f8a216dde2899aeb85c648672bc6b applied excessive duct tape to
    the netpoll beast's netpoll_cleanup(), thus substituting one leak with
    another, and opening up a little buglet :-)

    net_device->npinfo (netpoll_info) is a shared and refcounted object and
    cannot simply be set NULL the first time netpoll_cleanup() is called.
    Otherwise, further netpoll_cleanup()'s see np->dev->npinfo == NULL and
    become no-ops, thus leaking. And it's a bug too: the first call to
    netpoll_cleanup() would thus (annoyingly) "disable" other (still alive)
    netpolls too. Maybe nobody noticed this because netconsole (only user
    of netpoll) never supported multiple netpoll objects earlier.

    This is a trivial and obvious one-line fixlet.

    Signed-off-by: Satyam Sharma
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 676834f0a9091c428c63f5116657bd9944c35918
Author: Vlad Yasevich
Date:   Wed Jul 18 02:52:33 2007 -0700

    [PATCH] Fix ipv6 link down handling.

    [IPV6]: Call inet6addr_chain notifiers on link down

    Currently if the link is brought down via ip link or ifconfig down, the
    inet6addr_chain notifiers are not called even though all the addresses
    are removed from the interface. This caused SCTP to add duplicate
    addresses to its list.

    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 66d45a1f0c6b08c5cf528177f1f9d77a34b68e96
Author: Dmitry Butskoy
Date:   Wed Jul 18 02:51:17 2007 -0700

    [PATCH] Fix error queue socket lookup in ipv6

    [IPV6]: MSG_ERRQUEUE messages do not pass to connected raw sockets

    From: Dmitry Butskoy

    Taken from http://bugzilla.kernel.org/show_bug.cgi?id=8747

    Problem Description:

    It is related to the possibility to obtain MSG_ERRQUEUE messages from
    the udp and raw sockets, both connected and unconnected.

    There is a little typo in net/ipv6/icmp.c code, which prevents such
    messages to be delivered to the errqueue of the corresponding raw
    socket, when the socket is CONNECTED.

    The typo is due to swap of local/remote addresses.

    Consider __raw_v6_lookup() function from net/ipv6/raw.c. When a raw
    socket is looked up usual way, it is something like:

      sk = __raw_v6_lookup(sk, nexthdr, daddr, saddr, IP6CB(skb)->iif);

    where "daddr" is a destination address of the incoming packet (IOW our
    local address), "saddr" is a source address of the incoming packet
    (the remote end).

    But when the raw socket is looked up for some icmp error report, in
    net/ipv6/icmp.c:icmpv6_notify(), daddr/saddr are obtained from the
    echoed fragment of the "bad" packet, i.e. "daddr" is the original
    destination address of that packet, "saddr" is our local address.
    Hence, icmpv6_notify() must use "saddr, daddr" in its arguments, not
    "daddr, saddr" ...

    Steps to reproduce:

    Create some raw socket, connect it to an address, and cause some error
    situation: f.e. set ttl=1 where the remote address is more than 1 hop
    to reach. Set IPV6_RECVERR. Then send something and wait for the error
    (f.e. poll() with POLLERR|POLLIN). You should receive "time exceeded"
    icmp message (because of "ttl=1"), but the socket does not receive it.

    If you do not connect your raw socket, you will receive MSG_ERRQUEUE
    successfully. (The reason is that for unconnected socket there are no
    actual checks for local/remote addresses).
    Signed-off-by: Andrew Morton
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 66f2a2e33796cb356ae01887db245a3ccb4d6692
Author: Ranko Zivojnovic
Date:   Wed Jul 18 02:49:48 2007 -0700

    [PATCH] gen estimator deadlock fix

    [NET]: gen_estimator deadlock fix

    -Fixes ABBA deadlock noted by Patrick McHardy:

    > There is at least one ABBA deadlock, est_timer() does:
    > read_lock(&est_lock)
    > spin_lock(e->stats_lock) (which is dev->queue_lock)
    >
    > and qdisc_destroy calls htb_destroy under dev->queue_lock, which
    > calls htb_destroy_class, then gen_kill_estimator and this
    > write_locks est_lock.

    To fix the ABBA deadlock the rate estimators are now kept on an rcu
    list.

    -The est_lock changes the use from protecting the list to protecting
    the update to the 'bstat' pointer in order to avoid NULL dereferencing.

    -The 'interval' member of the gen_estimator structure removed as it is
    not needed.

    Signed-off-by: Ranko Zivojnovic
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 6bfc898d23fd41cc7fc1e8d0bc6a106f0e62d2ff
Author: Patrick McHardy
Date:   Wed Jul 18 02:48:43 2007 -0700

    [PATCH] gen estimator timer unload race

    [NET]: Fix gen_estimator timer removal race

    As noticed by Jarek Poplawski, the timer removal in gen_kill_estimator
    races with the timer function rearming the timer. Check whether the
    timer list is empty before rearming the timer in the timer function to
    fix this.

    Signed-off-by: Patrick McHardy
    Acked-by: Jarek Poplawski
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 844aa7759d867d26c4a63610c0da2354e235d80a
Author: Vlad Yasevich
Date:   Wed Jul 18 02:44:12 2007 -0700

    [PATCH] SCTP scope_id handling fix

    SCTP: Add scope_id validation for link-local binds

    SCTP currently permits users to bind to link-local addresses, but
    doesn't verify that the scope id specified at bind matches the
    interface that the address is configured on.
    It was reported that this can hang a system.

    Signed-off-by: Vlad Yasevich
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit 16978e1a96df6d69bb9bac6268ec3d7e8af4af70
Author: Adrian Bunk
Date:   Wed Jul 18 02:37:05 2007 -0700

    [PATCH] Missing header include in ipt_iprange.h

    [NETFILTER]: ipt_iprange.h must #include <linux/types.h>

    ipt_iprange.h must #include <linux/types.h> since it uses __be32.

    This patch fixes kernel Bugzilla #7604.

    Signed-off-by: Adrian Bunk
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau

commit e7ddaa5dcfb5af80d8e2d0c4a83de78f380cad3b
Author: Patrick McHardy
Date:   Wed Jul 18 02:26:27 2007 -0700

    [PATCH] Fix IPCOMP crashes.

    [XFRM]: Fix crash introduced by struct dst_entry reordering

    XFRM expects xfrm_dst->u.next to be same pointer as dst->next, which
    was broken by the dst_entry reordering in commit 1e19e02c~, causing an
    oops in xfrm_bundle_ok when walking the bundle upwards. Kill
    xfrm_dst->u.next and change the only user to use dst->next instead.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Willy Tarreau
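Added example, not part of this changelog or of the kernel source: a small C model of the two integer-division rounding fixes above, the readahead MIN_RA_PAGES macro (commit faae60c8) and the nfsd readahead-cache nperbucket calculation (commit 25d919bd). The bucket-distribution model, the function names, the hash size of 16 and the page sizes are assumptions for illustration; VM_MIN_READAHEAD is the kernel's 16 kB default.

```c
/* Added example, not kernel code: shows why rounding an integer division
 * the wrong way gives a zero readahead window in one case and an
 * out-of-bounds hash setup in the other. */
#include <stdio.h>

/* Plain C division rounds toward zero; DIV_ROUND_UP is the kernel idiom
 * for rounding up. Both are spelled out so the results can be compared. */
static unsigned long div_round_down(unsigned long n, unsigned long d)
{
	return n / d;
}

static unsigned long div_round_up(unsigned long n, unsigned long d)
{
	return (n + d - 1) / d;
}

/* VM_MIN_READAHEAD is 16 kB in include/linux/mm.h. The page size is a
 * constructed input so 4k and 64k pages can be compared. */
#define VM_MIN_READAHEAD_KB 16UL

/* Minimum readahead window in pages. Rounding down yields 0 pages once
 * the page exceeds 16 kB (no readahead at all); rounding up, as the
 * MIN_RA_PAGES macro does, keeps at least one page. */
static unsigned long min_ra_pages(unsigned long page_size, int round_up)
{
	unsigned long bytes = VM_MIN_READAHEAD_KB * 1024;

	return round_up ? div_round_up(bytes, page_size)
			: div_round_down(bytes, page_size);
}

/* Model (an assumption, not the nfsd code itself) of the readahead-cache
 * setup: cache_size entries are spread over hash_size buckets, one bucket
 * head per nperbucket entries. Returns how many bucket heads get written.
 * With nperbucket rounded down that count can exceed hash_size, i.e. the
 * writes run past the hash array into whatever follows it in memory. */
static unsigned long raparm_buckets_written(unsigned long cache_size,
					    unsigned long hash_size,
					    int round_up)
{
	unsigned long nperbucket = round_up ? div_round_up(cache_size, hash_size)
					    : div_round_down(cache_size, hash_size);

	if (nperbucket == 0)
		nperbucket = 1;	/* tiny cache: avoid division by zero */

	return div_round_up(cache_size, nperbucket);
}

/* The bounds check a reviewer would want: does the setup stay inside
 * the hash array? */
static int raparm_setup_in_bounds(unsigned long cache_size,
				  unsigned long hash_size, int round_up)
{
	return raparm_buckets_written(cache_size, hash_size, round_up) <= hash_size;
}

int main(void)
{
	const unsigned long hash_size = 16;	/* constructed hash array size */
	unsigned long page_sizes[] = { 4096, 16384, 65536 };
	unsigned long cache_sizes[] = { 16, 17, 20, 32, 100 };
	size_t i;

	for (i = 0; i < sizeof(page_sizes) / sizeof(page_sizes[0]); i++)
		printf("page %6lu: min_ra_pages down=%lu up=%lu\n", page_sizes[i],
		       min_ra_pages(page_sizes[i], 0), min_ra_pages(page_sizes[i], 1));

	for (i = 0; i < sizeof(cache_sizes) / sizeof(cache_sizes[0]); i++)
		printf("cache %3lu: buckets written down=%lu (%s) up=%lu (%s)\n",
		       cache_sizes[i],
		       raparm_buckets_written(cache_sizes[i], hash_size, 0),
		       raparm_setup_in_bounds(cache_sizes[i], hash_size, 0) ? "ok" : "OVERFLOW",
		       raparm_buckets_written(cache_sizes[i], hash_size, 1),
		       raparm_setup_in_bounds(cache_sizes[i], hash_size, 1) ? "ok" : "OVERFLOW");
	return 0;
}
```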