commit ab7249d7e29c838206f93e446ff7719e01bd7b53
Author: Greg Kroah-Hartman
Date:   Mon Aug 2 10:19:11 2010 -0700

    Linux 2.6.27.49

commit ae78a9ae2391bebf1b0ad0ff38b5a9cff3130a3e
Author: Andre Osterhues
Date:   Tue Jul 13 15:59:17 2010 -0500

    ecryptfs: Bugfix for error related to ecryptfs_hash_buckets

    commit a6f80fb7b5986fda663d94079d3bba0937a6b6ff upstream.

    The function ecryptfs_uid_hash wrongly assumes that the
    second parameter to hash_long() is the number of hash
    buckets instead of the number of hash bits.
    This patch fixes that and renames the variable
    ecryptfs_hash_buckets to ecryptfs_hash_bits to make it
    clearer.

    Fixes: CVE-2010-2492

    Signed-off-by: Andre Osterhues
    Signed-off-by: Tyler Hicks
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 4baaa88700f665504702646b908fd7240425bdb5
Author: Krzysztof Halasa
Date:   Fri Jun 11 01:08:20 2010 +0200

    kbuild: Fix modpost segfault

    commit 1c938663d58b5b2965976a6f54cc51b5d6f691aa upstream.

    Alan writes:

    > program: /home/alan/GitTrees/linux-2.6-mid-ref/scripts/mod/modpost -o
    > Module.symvers -S vmlinux.o
    >
    > Program received signal SIGSEGV, Segmentation fault.

    It just hit me.
    It's the offset calculation in reloc_location() which overflows:
            return (void *)elf->hdr + sechdrs[section].sh_offset +
                    (r->r_offset - sechdrs[section].sh_addr);

    E.g. for the first rodata r entry:
    r->r_offset < sechdrs[section].sh_addr
    and the expression in the parenthesis produces 0xFFFFFFE0 or something
    equally wise.

    Reported-by: Alan
    Signed-off-by: Krzysztof Hałasa
    Tested-by: Alan
    Signed-off-by: Michal Marek
    Signed-off-by: Greg Kroah-Hartman

commit 1671a40d1e83733a1bc71444f9a1277b5c83336b
Author: Jiri Pirko
Date:   Wed Mar 25 17:23:38 2009 -0700

    bonding: select current active slave when enslaving device for mode tlb and alb

    commit 5a29f7893fbe681f1334285be7e41e56f0de666c upstream.

    I've hit an issue on my system when I've been using RealTek RTL8139D cards
    in bonding interface in mode balancing-alb. When I enslave a card, the
    current active slave (bond->curr_active_slave) is not set and the link is
    therefore not functional.

    ----
    # cat /proc/net/bonding/bond0
    Ethernet Channel Bonding Driver: v3.5.0 (November 4, 2008)

    Bonding Mode: adaptive load balancing
    Primary Slave: None
    Currently Active Slave: None
    MII Status: up
    MII Polling Interval (ms): 100
    Up Delay (ms): 0
    Down Delay (ms): 0

    Slave Interface: eth1
    MII Status: up
    Link Failure Count: 0
    Permanent HW addr: 00:1f:1f:01:2f:22
    ----

    The thing that gets it right is when I unplug the cable and then I put it
    back into the NIC. Then the current active slave is set to eth1 and link is
    working just fine. Here is dmesg log with bonding DEBUG messages turned on:

    ----
    ADDRCONF(NETDEV_UP): bond0: link is not ready
    event_dev: bond0, event: 1
    IFF_MASTER
    event_dev: bond0, event: 8
    IFF_MASTER
    bond_ioctl: master=bond0, cmd=35216
    slave_dev=cac5d800:
    slave_dev->name=eth1:
    eth1: ! NETIF_F_VLAN_CHALLENGED
    event_dev: eth1, event: 8
    eth1: link up, 100Mbps, full-duplex, lpa 0xC5E1
    event_dev: eth1, event: 1
    event_dev: eth1, event: 8
    IFF_SLAVE
    Initial state of slave_dev is BOND_LINK_UP
    bonding: bond0: enslaving eth1 as an active interface with an up link.
    ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
    event_dev: bond0, event: 4
    IFF_MASTER
    bond0: no IPv6 routers present
    <<<>>>
    eth1: link down
    event_dev: eth1, event: 4
    IFF_SLAVE
    bonding: bond0: link status definitely down for interface eth1, disabling it
    event_dev: bond0, event: 4
    IFF_MASTER
    <<<>>>
    eth1: link up, 100Mbps, full-duplex, lpa 0xC5E1
    event_dev: eth1, event: 4
    IFF_SLAVE
    bonding: bond0: link status definitely up for interface eth1.
    bonding: bond0: making interface eth1 the new active one.
    event_dev: eth1, event: 8
    IFF_SLAVE
    event_dev: eth1, event: 8
    IFF_SLAVE
    bonding: bond0: first active interface up!
    event_dev: bond0, event: 4
    IFF_MASTER
    ----

    The current active slave is set by calling bond_select_active_slave()
    function from bond_miimon_commit() function when the slave (eth1) link goes
    to state up. I also tested this on other machine with Broadcom NetXtreme II
    BCM5708 1000Base-T NIC and there all works fine. The thing is that this
    adapter is down and goes up after few seconds after it is enslaved.

    This patch calls bond_select_active_slave() in bond_enslave() function for
    modes alb and tlb and makes sure that the current active slave is set up
    properly even when the slave state is already up. Tested on both systems,
    works fine.

    Notice: The same problem can maybe also occur in mode 8023AD but I'm unable
    to test that.

    Signed-off-by: Jiri Pirko
    Signed-off-by: David S. Miller
    Cc: Jean Delvare
    Signed-off-by: Greg Kroah-Hartman

commit 2e06c6e67bf3bbc63f8603fe9d71106e0fab28ad
Author: Or Gerlitz
Date:   Sun Jun 6 04:59:16 2010 +0000

    IPoIB: Fix world-writable child interface control sysfs attributes

    commit 7a52b34b07122ff5f45258d47f260f8a525518f0 upstream.

    Sumeet Lahorani reported that the IPoIB child entries are
    world-writable; however we don't want ordinary users to be able to
    create and destroy child interfaces, so fix them to be writable only by
    root.

    Signed-off-by: Or Gerlitz
    Signed-off-by: Roland Dreier
    Signed-off-by: Greg Kroah-Hartman

commit 34883b011409464e6b0cf0b52a54e6b0503bd06f
Author: Darrick J. Wong
Date:   Wed Jun 30 17:45:19 2010 -0700

    x86, Calgary: Limit the max PHB number to 256

    commit d596043d71ff0d7b3d0bead19b1d68c55f003093 upstream.

    The x3950 family can have as many as 256 PCI buses in a single system, so
    change the limits to the maximum. Since there can only be 256 PCI buses in
    one domain, we no longer need the BUG_ON check.

    Signed-off-by: Darrick J. Wong
    LKML-Reference: <20100701004519.GQ15515@tux1.beaverton.ibm.com>
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit 6e992ba3c5662c42cb3b555fdf67e4dd4dcac84c
Author: Darrick J. Wong
Date:   Thu Jun 24 14:26:47 2010 -0700

    x86, Calgary: Increase max PHB number

    commit 499a00e92dd9a75395081f595e681629eb1eebad upstream.

    Newer systems (x3950M2) can have 48 PHBs per chassis and 8
    chassis, so bump the limits up and provide an explanation
    of the requirements for each class.

    Signed-off-by: Darrick J. Wong
    Acked-by: Muli Ben-Yehuda
    Cc: Corinna Schultz
    LKML-Reference: <20100624212647.GI15515@tux1.beaverton.ibm.com>
    [ v2: Fixed build bug, added back PHBS_PER_CALGARY == 4 ]
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 51fcaa5075b5996a7e5f6ea11dec855f7dcb3976
Author: Ben Hutchings
Date:   Wed Mar 24 03:36:31 2010 +0000

    amd64-agp: Probe unknown AGP devices the right way

    commit 6fd024893911dcb51b4a0aa71971db5ba38f7071 upstream.

    The current initialisation code probes 'unsupported' AGP devices
    simply by calling its own probe function. It does not lock these
    devices or even check whether another driver is already bound to
    them.

    We must use the device core to manage this. So if the specific
    device id table didn't match anything and agp_try_unsupported=1,
    switch the device id table and call driver_attach() again.

    Signed-off-by: Ben Hutchings
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 4cccc4c16363508973bf6197cabd66291d2a3423
Author: Julia Lawall
Date:   Sat May 15 11:46:12 2010 +0200

    SCSI: aacraid: Eliminate use after free

    commit 8a52da632ceb9d8b776494563df579e87b7b586b upstream.

    The debugging code using the freed structure is moved before the kfree.

    A simplified version of the semantic match that finds this problem is as
    follows: (http://coccinelle.lip6.fr/)

    //
    @free@
    expression E;
    position p;
    @@
    kfree@p(E)

    @@
    expression free.E, subE<=free.E, E1;
    position free.p;
    @@

      kfree@p(E)
      ...
    (
      subE = E1
    |
    * E
    )
    //

    Signed-off-by: Julia Lawall
    Signed-off-by: James Bottomley

commit 30b816a516ba96aa85ce0290aa63cebd3d258b72
Author: Eric Dumazet
Date:   Fri Jul 2 10:05:01 2010 +0200

    netfilter: ip6t_REJECT: fix a dst leak in ipv6 REJECT

    commit 499031ac8a3df6738f6186ded9da853e8ea18253 upstream.

    We should release dst if dst->error is set.

    Bug introduced in 2.6.14 by commit e104411b82f5c
    ([XFRM]: Always release dst_entry on error in xfrm_lookup)

    Signed-off-by: Eric Dumazet
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit e75c279c6760282546dbc794b8368d6a8ff12c92
Author: Tim Gardner
Date:   Tue Jun 8 11:33:02 2010 -0600

    hostap: Protect against initialization interrupt

    commit d6a574ff6bfb842bdb98065da053881ff527be46 upstream.

    Use an irq spinlock to hold off the IRQ handler until
    enough early card init is complete such that the handler
    can run without faulting.

    Signed-off-by: Tim Gardner
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 387247ff4b68aea133a0ca440e78fb19ae3ecf16
Author: Mikael Pettersson
Date:   Tue Jul 20 18:45:14 2010 -0700

    math-emu: correct test for downshifting fraction in _FP_FROM_INT()

    commit f8324e20f8289dffc646d64366332e05eaacab25 upstream.

    The kernel's math-emu code contains a macro _FP_FROM_INT() which is
    used to convert an integer to a raw normalized floating-point value.
    It does this basically in three steps:

    1. Compute the exponent from the number of leading zero bits.
    2. Downshift large fractions to put the MSB in the right position
       for normalized fractions.
    3. Upshift small fractions to put the MSB in the right position.

    There is a boundary error in step 2, causing a fraction with its
    MSB exactly one bit above the normalized MSB position to not be
    downshifted. This results in a non-normalized raw float, which when
    packed becomes a massively inaccurate representation for that input.

    The impact of this depends on a number of arch-specific factors,
    but it is known to have broken emulation of FXTOD instructions
    on UltraSPARC III, which was originally reported as GCC bug 44631.

    Any arch which uses math-emu to emulate conversions from integers to
    same-size floats may be affected.

    The fix is simple: the exponent comparison used to determine if the
    fraction should be downshifted must be "<=" not "<".

    I'm sending a kernel module to test this as a reply to this message.
    There are also SPARC user-space test cases in the GCC bug entry.

    Signed-off-by: Mikael Pettersson
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 2339fdd79dfe5f17b0b44d89a9475aa8f912be2a
Author: Brandon Philips
Date:   Wed Jun 16 16:21:58 2010 +0000

    sky2: enable rx/tx in sky2_phy_reinit()

    commit 38000a94a902e94ca8b5498f7871c6316de8957a upstream.

    sky2_phy_reinit is called by the ethtool helpers sky2_set_settings,
    sky2_nway_reset and sky2_set_pauseparam when netif_running.

    However, at the end of sky2_phy_init GM_GP_CTRL has GM_GPCR_RX_ENA and
    GM_GPCR_TX_ENA cleared. So, doing these commands causes the device to
    stop working:

    $ ethtool -r eth0
    $ ethtool -A eth0 autoneg off

    Fix this issue by enabling Rx/Tx after running sky2_phy_init in
    sky2_phy_reinit.

    Signed-off-by: Brandon Philips
    Tested-by: Brandon Philips
    Cc: stable@kernel.org
    Tested-by: Mike McCormack
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 1a9e5fa66baa4dfd6bc366fbe84b172c6da9321b
Author: Florian Fainelli
Date:   Sun Jun 20 22:07:48 2010 +0000

    cpmac: do not leak struct net_device on phy_connect errors

    commit ed770f01360b392564650bf1553ce723fa46afec upstream.

    If the call to phy_connect fails, we will return directly instead of freeing
    the previously allocated struct net_device.

    Signed-off-by: Florian Fainelli
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit dd3eae69495d9ad7a4424f38ec632e811f10a292
Author: Suresh Jayaraman
Date:   Wed Mar 31 12:00:03 2010 +0530

    cifs: Fix a kernel BUG with remote OS/2 server (try #3)

    commit 6513a81e9325d712f1bfb9a1d7b750134e49ff18 upstream.

    While chasing a bug report involving an OS/2 server, I noticed the server sets
    pSMBr->CountHigh to an incorrect value even in case of normal writes. This
    results in 'nbytes' being computed wrongly and triggers a kernel BUG at
    mm/filemap.c.

    void iov_iter_advance(struct iov_iter *i, size_t bytes)
    {
            BUG_ON(i->count < bytes);    <--- BUG here

    Why the server is setting 'CountHigh' is not clear but only does so after
    writing 64k bytes. Though this looks like the server bug, the client side
    crash may not be acceptable.

    The workaround is to mask off high 16 bits if the number of bytes written as
    returned by the server is greater than the bytes requested by the client as
    suggested by Jeff Layton.

    Reviewed-by: Jeff Layton
    Signed-off-by: Suresh Jayaraman
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

commit 0fd85ded784c60defd59d15a6a720793b4bfcad9
Author: Jeff Layton
Date:   Wed Jun 16 13:40:18 2010 -0400

    cifs: remove bogus first_time check in NTLMv2 session setup code

    commit 8a224d489454b7457105848610cfebebdec5638d upstream.

    This bug appears to be the result of a cut-and-paste mistake from the
    NTLMv1 code. The function to generate the MAC key was commented out, but
    not the conditional above it. The conditional then ended up causing the
    session setup key not to be copied to the buffer unless this was the
    first session on the socket, and that made all but the first NTLMv2
    session setup fail.

    Fix this by removing the conditional and all of the commented clutter
    that made it difficult to see.

    Reported-by: Gunther Deschner
    Signed-off-by: Jeff Layton
    Signed-off-by: Greg Kroah-Hartman

commit 4fe7e0696857ed6b1980a2e5198aa4507c1fa9e9
Author: Jean Delvare
Date:   Fri Jul 9 16:22:49 2010 +0200

    hwmon: (coretemp) Skip duplicate CPU entries

    commit d883b9f0977269d519469da72faec6a7f72cb489 upstream.

    On hyper-threaded CPUs, each core appears twice in the CPU list. Skip
    the second entry to avoid duplicate sensors.

    Signed-off-by: Jean Delvare
    Acked-by: Huaxu Wan
    Signed-off-by: Greg Kroah-Hartman

commit dccb2a9a147dbb973bca41ed67bdddf3676c77f6
Author: Jean Delvare
Date:   Fri Jul 9 16:22:51 2010 +0200

    hwmon: (coretemp) Properly label the sensors

    commit 3f4f09b4be35d38d6e2bf22c989443e65e70fc4c upstream.

    Don't assume that CPU entry number and core ID always match. It
    worked in the simple cases (single CPU, no HT) but fails on
    multi-CPU systems.

    Signed-off-by: Jean Delvare
    Acked-by: Huaxu Wan
    Signed-off-by: Greg Kroah-Hartman
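
The bits-versus-buckets confusion named in the ecryptfs commit at the top of this log (CVE-2010-2492), as an added C example that is not part of the changelog or of the kernel source. `hash_to_bits` is a simplified stand-in for a 32-bit `hash_long()`; the table sizes and key values are constructed, and sizing the table to the same number that is passed as the bit count is an assumption made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for a 32-bit hash_long(): the second argument is a
 * bit count (1..31), so results lie in [0, 2^bits), not in [0, bits). */
#define GOLDEN_RATIO_PRIME_32 0x9e370001U

static uint32_t hash_to_bits(uint32_t val, unsigned int bits)
{
    return (uint32_t)(val * GOLDEN_RATIO_PRIME_32) >> (32 - bits);
}

/* Largest index produced for keys 0..n_keys-1. */
static uint32_t max_index(unsigned int bits, uint32_t n_keys)
{
    uint32_t max = 0;
    for (uint32_t k = 0; k < n_keys; k++) {
        uint32_t idx = hash_to_bits(k, bits);
        if (idx > max)
            max = idx;
    }
    return max;
}

/* Number of keys in 0..n_keys-1 whose index falls outside a table of
 * table_len entries, i.e. lookups that would touch memory past the table. */
static uint32_t count_out_of_bounds(unsigned int bits, uint32_t table_len,
                                    uint32_t n_keys)
{
    uint32_t bad = 0;
    for (uint32_t k = 0; k < n_keys; k++)
        if (hash_to_bits(k, bits) >= table_len)
            bad++;
    return bad;
}

int main(void)
{
    unsigned int n = 4;   /* constructed: one number used for both roles */
    uint32_t keys = 9;    /* constructed sample keys 0..8 */

    /* Confused sizing: n entries allocated, n passed as the bit count. */
    printf("max index with bits=%u: %u\n", n, max_index(n, keys));
    printf("table of %u entries: %u keys out of bounds\n",
           n, count_out_of_bounds(n, n, keys));
    /* Consistent sizing: 1 << n entries for an n-bit hash. */
    printf("table of %u entries: %u keys out of bounds\n",
           1U << n, count_out_of_bounds(n, 1U << n, keys));
    return 0;
}
```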