commit b176a15fefc84764bf047cf306a3cff3ae53e7c3 Author: Greg Kroah-Hartman Date: Wed Feb 6 11:59:40 2008 -0800 Linux 2.6.22.17 commit 83af8eda68a3f0c227d0eb05348e58ae27a62e7e Author: Nick Piggin Date: Sat Feb 2 03:08:53 2008 +0100 vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007) Drivers that register a ->fault handler, but do not range-check the offset argument, must set VM_DONTEXPAND in the vm_flags in order to prevent an expanding mremap from overflowing the resource. I've audited the tree and attempted to fix these problems (usually by adding VM_DONTEXPAND where it is not obvious). Signed-off-by: Nick Piggin Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0abe2d30fd090eba86541654080fee7686cf72fc Author: Zhao Yakui Date: Mon Jan 14 02:27:45 2008 -0500 ACPI: apply quirk_ich6_lpc_acpi to more ICH8 and ICH9 patch d1ec7298fcefd7e4d1ca612da402ce9e5d5e2c13 in mainline. It is important that these resources be reserved to avoid conflicts with well known ACPI registers. Signed-off-by: Zhao Yakui Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 77988978c1e23902e20690aba46125ea35678a1c Author: Ilpo Järvinen Date: Sat Dec 8 15:47:02 2007 +0100 POWERPC: Fix invalid semicolon after if statement Patch 2b02d13996fe28478e45605de9bd8bdca25718de in mainline [POWERPC] Fix invalid semicolon after if statement A similar fix to netfilter from Eric Dumazet inspired me to look around a bit by using some grep/sed stuff as looking for this kind of bugs seemed easy to automate. This is one of them I found where it looks like this semicolon is not valid. Signed-off-by: Ilpo Järvinen Acked-by: Benjamin Herrenschmidt Signed-off-by: Paul Mackerras Signed-off-by: Greg Kroah-Hartman commit a41bfaeb83a36a26e357c1e516a26e283d177cfa Author: Divy Le Ray Date: Tue Dec 18 15:11:52 2007 -0800 chelsio: Fix skb->dev setting patch 7de6af0f23b25df8da9719ecae1916b669d0b03d in mainline. eth_type_trans() now sets skb->dev. Access skb->def after it gets set. Signed-off-by: Divy Le Ray Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7a2aba52ddb734f451bf6ea42b5a355a53c313c3 Author: Divy Le Ray Date: Tue Dec 18 15:13:55 2007 -0800 cxgb: fix stats patch e0348b9ae5374f9a24424ae680bcd80724415f60 in mainline. Fix MAC stats accounting. Fix get_stats. Signed-off-by: Divy Le Ray Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 78c2727b73075df479c23f850833ad1857407e8e Author: Divy Le Ray Date: Tue Dec 18 15:12:44 2007 -0800 cxgb: fix T2 GSO patch 7832ee034b6ef78aab020c9ec1348544cd65ccbd in mainline. The patch ensures that a GSO skb has enough headroom to push an encapsulating cpl_tx_pkt_lso header. Signed-off-by: Divy Le Ray Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 91021bbf5cd38700312445e71a6cb1f1811c480c Author: Ingo Molnar Date: Mon Dec 17 21:17:56 2007 +0100 vfs: coredumping fix (CVE-2007-6206) vfs: coredumping fix patch c46f739dd39db3b07ab5deb4e3ec81e1c04a91af in mainline fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043 only allow coredumping to the same uid that the coredumping task runs under. Signed-off-by: Ingo Molnar Acked-by: Alan Cox Acked-by: Christoph Hellwig Acked-by: Al Viro Signed-off-by: Linus Torvalds Cc: maximilian attems Signed-off-by: Greg Kroah-Hartman commit 1e3a39572d7563f0d31914a1bcb731a73ce73675 Author: Bob Moore Date: Wed Dec 5 23:42:10 2007 -0500 ACPICA: fix acpi-cpufreq boot crash due to _PSD return-by-reference patch 152c300d007c70c4a1847dad39ecdaba22e7d457 in mainline. Changed resolution of named references in packages Fixed a problem with the Package operator where all named references were created as object references and left otherwise unresolved. According to the ACPI specification, a Package can only contain Data Objects or references to control methods. The implication is that named references to Data Objects (Integer, Buffer, String, Package, BufferField, Field) should be resolved immediately upon package creation. This is the approach taken with this change. References to all other named objects (Methods, Devices, Scopes, etc.) are all now properly created as reference objects. http://bugzilla.kernel.org/show_bug.cgi?id=5328 http://bugzilla.kernel.org/show_bug.cgi?id=9429 Signed-off-by: Bob Moore Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit b337ef510f8a906aa1a0ab8574ff602e03004a21 Author: David Miller Date: Fri Jan 11 01:38:38 2008 -0800 CASSINI: Set skb->truesize properly on receive packets. [ Upstream commit: d011a231675b240157a3c335dd53e9b849d7d30d ] skb->truesize was not being incremented at all to reflect the page based data added to RX SKBs. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 49181a894be9a556a2336b2f0bc8762bc5f2f9c7 Author: David Miller Date: Fri Jan 11 01:38:38 2008 -0800 CASSINI: Revert 'dont touch page_count'. [ Upstream commit: 9de4dfb4c7176e5bb232a21cdd8df78da2b15cac ] This reverts changeset fa4f0774d7c6cccb4d1fda76b91dd8eddcb2dd6a ([CASSINI]: dont touch page_count) because it breaks the driver. The local page counting added by this changeset did not account for the asynchronous page count changes done by kfree_skb() and friends. The change adds extra atomics and on top of it all appears to be totally unnecessary as well. Signed-off-by: David S. Miller Acked-by: Nick Piggin Signed-off-by: Greg Kroah-Hartman commit dc92e7d27d392866bc4eba38b77e21ee31658b5c Author: Al Viro Date: Fri Jan 11 01:38:38 2008 -0800 CASSINI: Fix endianness bug. [ Upstream commit: e5e025401f6e926c1d9dc3f3f2813cf98a2d8708 ] Here's proposed fix for RX checksum handling in cassini; it affects little-endian working with half-duplex gigabit, but obviously needs testing on big-endian too. The problem is, we need to convert checksum to fixed-endian *before* correcting for (unstripped) FCS. On big-endian it won't matter (conversion is no-op), on little-endian it will, but only if FCS is not stripped by hardware; i.e. in half-duplex gigabit mode when ->crc_size is set. cassini.c part is that fix, cassini.h one consists of trivial endianness annotations. With that applied the sucker is endian-clean, according to sparse. Signed-off-by: Al Viro Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6df2e34e938de2d7e6b192def65584d2e710ccc1 Author: Herbert Xu Date: Fri Jan 11 01:10:42 2008 -0800 ATM: Check IP header validity in mpc_send_packet [ATM]: Check IP header validity in mpc_send_packet [ Upstream commit: 1c9b7aa1eb40ab708ef3242f74b9a61487623168 ] Al went through the ip_fast_csum callers and found this piece of code that did not validate the IP header. While root crashing the machine by sending bogus packets through raw or AF_PACKET sockets isn't that serious, it is still nice to react gracefully. This patch ensures that the skb has enough data for an IP header and that the header length field is valid. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a005a2736620f676e0ab9455dc30415aa613d810 Author: Chas Williams Date: Fri Jan 11 01:35:51 2008 -0800 ATM: [nicstar] delay irq setup until card is configured [ATM]: [nicstar] delay irq setup until card is configured [ Upstream commit: 52961955aa180959158faeb9fd6b4f8a591450f5 ] Signed-off-by: Chas Williams Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 149dc1d086f29d61ec15c748e0bbfc0aeca8b7d6 Author: Li Zefan Date: Fri Jan 11 01:11:48 2008 -0800 CONNECTOR: Don't touch queue dev after decrement of ref count. [CONNECTOR]: Don't touch queue dev after decrement of ref count. [ Upstream commit: cf585ae8ae9ac7287a6d078425ea32f22bf7f1f7 ] cn_queue_free_callback() will touch 'dev'(i.e. cbq->pdev), so it should be called before atomic_dec(&dev->refcnt). Signed-off-by: Li Zefan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1430c862581e5f666951315f5e7663b7d3d3d5d9 Author: David Miller Date: Wed Dec 19 15:50:06 2007 -0800 Fix sparc64 cpu cross call hangs. [SPARC64]: Fix endless loop in cheetah_xcall_deliver(). [ Upsteam commit: 0de56d1ab83323d604d95ca193dcbd28388dbabb ] We need to mask out the proper bits when testing the dispatch status register else we can see unrelated NACK bits from previous cross call sends. Signed-off-by: David S. Miller commit 98af51d1c20f75e66c91333c6d6791a7b37faf6e Author: Mark McLoughlin Date: Fri Jan 11 01:13:17 2008 -0800 INET: Fix netdev renaming and inet address labels [INET]: Fix netdev renaming and inet address labels [ Upstream commit: 44344b2a85f03326c7047a8c861b0c625c674839 ] When re-naming an interface, the previous secondary address labels get lost e.g. $> brctl addbr foo $> ip addr add 192.168.0.1 dev foo $> ip addr add 192.168.0.2 dev foo label foo:00 $> ip addr show dev foo | grep inet inet 192.168.0.1/32 scope global foo inet 192.168.0.2/32 scope global foo:00 $> ip link set foo name bar $> ip addr show dev bar | grep inet inet 192.168.0.1/32 scope global bar inet 192.168.0.2/32 scope global bar:2 Turns out to be a simple thinko in inetdev_changename() - clearly we want to look at the address label, rather than the device name, for a suffix to retain. Signed-off-by: Mark McLoughlin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ddd294962d43ece789be6ecea2b22af130f499c4 Author: Herbert Xu Date: Fri Jan 11 01:32:51 2008 -0800 IPSEC: Avoid undefined shift operation when testing algorithm ID [IPSEC]: Avoid undefined shift operation when testing algorithm ID [ Upstream commit: f398035f2dec0a6150833b0bc105057953594edb ] The aalgos/ealgos fields are only 32 bits wide. However, af_key tries to test them with the expression 1 << id where id can be as large as 253. This produces different behaviour on different architectures. The following patch explicitly checks whether ID is greater than 31 and fails the check if that's the case. We cannot easily extend the mask to be longer than 32 bits due to exposure to user-space. Besides, this whole interface is obsolete anyway in favour of the xfrm_user interface which doesn't use this bit mask in templates (well not within the kernel anyway). Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 37d99de39e82f07e550557bfb68cb8e45e6d03fe Author: Herbert Xu Date: Wed Dec 19 16:35:54 2007 -0800 IPSEC: Fix potential dst leak in xfrm_lookup [IPSEC]: Fix potential dst leak in xfrm_lookup [ Upstream commit: 75b8c133267053c9986a7c8db5131f0e7349e806 ] If we get an error during the actual policy lookup we don't free the original dst while the caller expects us to always free the original dst in case of error. This patch fixes that. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 596bc9331ee5fa74fda7e276b5a001b789ae644c Author: Timo Teras Date: Fri Jan 11 01:30:35 2008 -0800 IPV4: ip_gre: set mac_header correctly in receive path [IPV4] ip_gre: set mac_header correctly in receive path [ Upstream commit: 1d0691674764098304ae4c63c715f5883b4d3784 ] mac_header update in ipgre_recv() was incorrectly changed to skb_reset_mac_header() when it was introduced. Signed-off-by: Timo Teras Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 498d03afccc265dafe8b445454e1a49be3f1358c Author: Eric Dumazet Date: Fri Jan 11 01:42:12 2008 -0800 IPV4 ROUTE: ip_rt_dump() is unecessary slow [IPV4] ROUTE: ip_rt_dump() is unecessary slow [ Upstream commit: d8c9283089287341c85a0a69de32c2287a990e71 ] I noticed "ip route list cache x.y.z.t" can be *very* slow. While strace-ing -T it I also noticed that first part of route cache is fetched quite fast : recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202 GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.000047> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.000042> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3740 <0.000055> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.000043> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3732 <0.000053> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202 GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3708 <0.000052> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202 GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3680 <0.000041> while the part at the end of the table is more expensive: recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3656 <0.003857> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.003891> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.003765> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3700 <0.003879> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3676 <0.003797> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3724 <0.003856> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.003848> The following patch corrects this performance/latency problem, removing quadratic behavior. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 17908e3a5fc852a79f692fa26949f2e9f2177aff Author: maximilian attems Date: Fri Jan 11 01:14:17 2008 -0800 IRDA: irda_create() nuke user triggable printk [IRDA]: irda_create() nuke user triggable printk [ Upstream commit: 9e8d6f8959c356d8294d45f11231331c3e1bcae6 ] easy to trigger as user with sfuzz. irda_create() is quiet on unknown sock->type, match this behaviour for SOCK_DGRAM unknown protocol Signed-off-by: maximilian attems Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 306f3a3cfe8925b98d288615cb5c1a15c3551c0e Author: David Miller Date: Fri Jan 11 01:31:39 2008 -0800 NET: Correct two mistaken skb_reset_mac_header() conversions. [NET]: Correct two mistaken skb_reset_mac_header() conversions. [ Upstream commit: c6e6ca712b5cc06a662f900c0484d49d7334af64 ] This operation helper abstracts: skb->mac_header = skb->data; but it was done in two more places which were actually: skb->mac_header = skb->network_header; and those are corrected here. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2e1c89f5df933e882e629818d9e1e63ed83b61a2 Author: Russ Dill Date: Fri Jan 11 01:16:28 2008 -0800 NET: kaweth was forgotten in msec switchover of usb_start_wait_urb [NET]: kaweth was forgotten in msec switchover of usb_start_wait_urb [ Upstream commit: 2b2b2e35b71e5be8bc06cc0ff38df15dfedda19b ] Back in 2.6.12-pre, usb_start_wait_urb was switched over to take milliseconds instead of jiffies. kaweth.c was never updated to match. Signed-off-by: Russ Dill Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c6b745a41e6b6e15cf637db23f054d85ca3cff31 Author: Russ Dill Date: Fri Jan 11 01:19:55 2008 -0800 NET: mcs7830 passes msecs instead of jiffies to usb_control_msg [NET]: mcs7830 passes msecs instead of jiffies to usb_control_msg [ Upstream commit 1d39da3dcaad4231f0fa75024b1d6d710a2ced74 ] usb_control_msg was changed long ago (2.6.12-pre) to take milliseconds instead of jiffies. Oddly, mcs7830 wasn't added until 2.6.19-rc3. Signed-off-by: Russ Dill Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f63145cd2ee2cba87fb7b61ef7c06c034c889a5a Author: David Miller Date: Wed Dec 19 16:27:11 2007 -0800 SPARC64: Fix memory controller register access when non-SMP. [SPARC64]: Fix memory controller register access when non-SMP. [ Upstream commit: b332b8bc9c67165eabdfc7d10b4a2e4cc9f937d0 ] get_cpu() always returns zero on non-SMP builds, but we really want the physical cpu number in this code in order to do the right thing. Based upon a non-SMP kernel boot failure report from Bernd Zeimetz. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 83f6ef15a3da00b409a334d688a1129f363fd7fc Author: David Miller Date: Wed Dec 19 16:28:57 2007 -0800 SPARC64: Fix two kernel linear mapping setup bugs. [SPARC64]: Fix two kernel linear mapping setup bugs. [ Upstream commit: 8f361453d8e9a67c85b2cf9b93c642c2d8fe0462 ] This was caught and identified by Greg Onufer. Since we setup the 256M/4M bitmap table after taking over the trap table, it's possible for some 4M mapping to get loaded in the TLB beforhand which later will be 256M mappings. This can cause illegal TLB multiple-match conditions. Fix this by setting up the bitmap before we take over the trap table. Next, __flush_tlb_all() was not doing anything on hypervisor platforms. Fix by adding sun4v_mmu_demap_all() and calling it. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a871dae86feab2232a297b649086ea46af60c7ac Author: Julia Lawall Date: Fri Jan 11 01:26:33 2008 -0800 X25: Add missing x25_neigh_put [X25]: Add missing x25_neigh_put [ Upstream commit: 76975f8a3186dae501584d0155ea410464f62815 ] The function x25_get_neigh increments a reference count. At the point of the second goto out, the result of calling x25_get_neigh is only stored in a local variable, and thus no one outside the function will be able to decrease the reference count. Thus, x25_neigh_put should be called before the return in this case. The problem was found using the following semantic match. (http://www.emn.fr/x-info/coccinelle/) // @@ type T,T1,T2; identifier E; statement S; expression x1,x2,x3; int ret; @@ T E; ... * if ((E = x25_get_neigh(...)) == NULL) S ... when != x25_neigh_put(...,(T1)E,...) when != if (E != NULL) { ... x25_neigh_put(...,(T1)E,...); ...} when != x1 = (T1)E when != E = x3; when any if (...) { ... when != x25_neigh_put(...,(T2)E,...) when != if (E != NULL) { ... x25_neigh_put(...,(T2)E,...); ...} when != x2 = (T2)E ( * return; | * return ret; ) } // Signed-off-by: Julia Lawall Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman