Missed ve context switch in NFS RPC code.pipefs switches the context to ve0 and never returns to ve context. Such a
situation takes place in __rpc_execute (net/sunrpc/sched.c) and svc_recvfrom
(net/sunrpc/svcsock.c) functions. This causes oops on starting ve in case when
ve private area is placed on nfs partition.
ext3 error behavior was broken in linux kernels since 2.5.x versions by the following patch:2002/10/31 02:15:26-05:00 tytso@snap.thunk.org
Default mount options from superblock for ext2/3 filesystems
http://linux.bkbits.net:8080/linux-2.6/gnupatch@3dc0d88eKbV9ivV4ptRNM8fBuA3JBQ
In case ext3 file system is mounted with errors=continue (EXT3_ERRORS_CONTINUE)
errors should be ignored when possible. However at present in case of any error
kernel aborts journal and remounts filesystem to ...
task puts UBC before the task becomes invisible for all (e.g. /proc),thus a task can be found on the list without exec_env/owner_env
which should not happen.
Introduced by diff-ubc-dont-uncharge-in-RCU-20070212
EXT3_ERRORS_CONTINUE should be taken from the superblock as default value for error behaviour.Signed-off-by: Dmitry Mishin <dim@openvz.org>
Acked-by: Vasily Averin <vvs@sw.ru>
Acked-by: Kirill Korotaev <dev@openvz.org>
EXT2_ERRORS_CONTINUE should be read from the sb as default error behaviour. parse_option() should clean the alternative options and should not change default value taken from the superblock.Signed-off-by: Vasily Averin <vvs@sw.ru>
Acked-by: Kirill Korotaev <dev@openvz.org>
Patch from mainstream: [SPARC64]: Fix Tomatillo/Schizo IRQ handling.The code in schizo_irq_trans_init() should set irq_data->sync_reg
to the location of the SYNC register if this is Tomatillo, and set
it to zero otherwise. But that is not what it is doing.
As a result, non-Tomatillo systems were trying to access a
non-existent register resulting in bus errors at the first
PCI interrupt.
Thanks to Roland Stigge for the bug report.
Signed-off-by: David S. Mil...
Same story as with p4-clockmod. Driver does set_cpus_allowed(cpu), then checks for smp_processor_id() being equal to "cpu".http://bugzilla.openvz.org/show_bug.cgi?id=467
fix umask when noACL kernel meets extN tuned for ACLsFix insecure default behaviour reported by Tigran Aivazian: if an ext2
or ext3 filesystem is tuned to mount with "acl", but mounted by
a kernel built without ACL support, then umask was ignored when creating
inodes - though root or user has umask 022, touch creates files as 0666,
and mkdir creates directories as 0777.
This appears to have worked right until 2.6.11, when a fix to the default
mo...
Fix for shmem_truncate_range() BUG_ON()Ran into BUG() while doing madvise(REMOVE) testing. If we are punching a
hole into shared memory segment using madvise(REMOVE) and the entire hole
is below the indirect blocks, we hit following assert.
BUG_ON(limit <= SHMEM_NR_DIRECT);
Signed-off-by: Badari Pulavarty <pbadari@us.ibm.com>
Cc: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: ...
make ppc64 current preempt-safeRepeated -j20 kernel builds on a G5 Quad running an SMP PREEMPT kernel
would often collapse within a day, some exec failing with "Bad address".
In each case examined, load_elf_binary was doing a kernel_read, but
generic_file_aio_read's access_ok saw current->thread.fs.seg as USER_DS
instead of KERNEL_DS.
objdump of filemap.o shows gcc 4.1.0 emitting "mr r5,r13 ... ld r9,416(r5)"
here for get_p...
fix msync error on unmapped areaFix the 2.6.18 sys_msync to report -ENOMEM correctly when an unmapped area
falls within its range, and not to overshoot: to satisfy LSB 3.1 tests and
to fix Debian Bug#394392. Took the 2.6.19 sys_msync as starting point
(including its cleanup of repeated "current->mm"s), reintroducing the
msync_interval and balance_dirty_pages_ratelimited_nr needed in 2.6.18.
The misbehaviour fixed here may n...
read_zero_pagealigned() locking fixRamiro Voicu hits the BUG_ON(!pte_none(*pte)) in zeromap_pte_range: kernel
bugzilla 7645. Right: read_zero_pagealigned uses down_read of mmap_sem,
but another thread's racing read of /dev/zero, or a normal fault, can
easily set that pte again, in between zap_page_range and zeromap_page_range
getting there. It's been wrong ever since 2.4.3.
The simple fix is to use down_write instead, but tha...
Fix incorrect user space access locking in mincore() (CVE-2006-4814)Doug Chapman noticed that mincore() will doa "copy_to_user()" of the
result while holding the mmap semaphore for reading, which is a big
no-no. While a recursive read-lock on a semaphore in the case of a page
fault happens to work, we don't actually allow them due to deadlock
schenarios with writers due to fairness issues.
Doug and Marcel sent in a patch to fix it, but I decided to just rewri...
x86_64: fix 2.6.18 regression - PTRACE_OLDSETOPTIONS should be acceptedAlso PTRACE_OLDSETOPTIONS should be accepted, as done by kernel/ptrace.c and
forced by binary compatibility. UML/32bit breaks because of this - since it is wise
enough to use PTRACE_OLDSETOPTIONS to be binary compatible with 2.4 host
kernels.
Until 2.6.17 (commit f0f2d6536e3515b5b1b7ae97dc8f176860c8c2ce) we had:
default:
return sys_ptrace(request, pid, addr, data);
Ins...
V4L: buf_qbuf: fix videobuf_queue->stream corruption and lockupWe are doing ->buf_prepare(buf) before adding buf to q->stream list. This
means that videobuf_qbuf() should not try to re-add a STATE_PREPARED buffer.
(cherry picked from commit 419dd8378dfa32985672ab7927b4bc827f33b332)
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: ...
V4L: tveeprom: autodetect LG TAPC G701D as tuner type 37Autodetect LG TAPC G701D as tuner type 37, fixing
mis-detected tuners in some Hauppauge tv tuner cards.
Thanks to Adonis Papas, for pointing this out.
(cherry picked from commit 1323fbda1343f50f198bc8bd6d1d59c8b7fc45bf)
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
V4L: fix ks0127 status flagsOr status flags together in DECODER_GET_STATUS instead of and-zapping them.
(cherry picked from commit 55d5440d4587454628a850ce26703639885af678)
Signed-off-by: Martin Samuelsson <sam@home.se>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@sus...
V4L: Fix quickcam communicator driver for big endian architecturesHost endianess does not affect the order that pixel rgb data comes
in from the quickcam (the values are bytes, not words or longs). The
driver is erroniously swapping the order of rgb values for big endian
machines. This patch is needed get the Quickcam communicator working
on big endian machines (tested on powerpc)
(cherry picked from commit c6d704c8c4453f05717ba88792f70f8babf95268)
Signed...
v4l: cx88: Fix leadtek_eeprom taggingreference to .init.text: from .text between 'cx88_card_setup'
(at offset 0x68c) and 'cx88_risc_field'
Caused by leadtek_eeprom() being declared __devinit and called from
a non-devinit context.
(cherry picked from commit 69f7e75a9d45e5eaca16917a8d0dedf76149f13f)
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Ch...
dvb-core: fix bug in CRC-32 checking on 64-bit systemsCRC-32 checking during ULE decapsulation always failed on x86_64 systems due
to the size of a variable used to store CRC. This bug was discovered on
Fedora Core 6 with kernel-2.6.18-1.2849. The i386 counterpart has no such
problem. This patch has been tested on 64-bit system as well as 32-bit system.
(cherry picked from commit dedcefb085fe98a1feaf63590fe2fc7e0ecb1987)
Signed-off-by: Ang Way C...
IB/mad: Fix race between cancel and receive completionWhen ib_cancel_mad() is called, it puts the canceled send on a list
and schedules a "flushed" callback from process context. However,
this leaves a window where a receive completion could be processed
before the send is fully flushed.
This is fine, except that ib_find_send_mad() will find the MAD and
return it to the receive processing, which results in the sender
getting both a successful re...
hfs_fill_super returns success even if no root inode (CVE-2006-6056)http://kernelfun.blogspot.com/2006/11/mokb-14-11-2006-linux-26x-selinux.html
mount that image...
fs: filesystem was not cleanly unmounted, running fsck.hfs is recommended. mounting read-only.
hfs: get root inode failed.
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018
printing eip
...
EIP is at superblock_doinit+0x21/0x767
...
[] selinux_sb_kern_mount+0xc/0x...
grow_buffers() infinite loop fix (CVE-2006-5757, CVE-2006-6060)If grow_buffers() is for some reason passed a block number which wants to lie
outside the maximum-addressable pagecache range (PAGE_SIZE * 4G bytes) then it
will accidentally truncate `index' and will then instnatiate a page at the
wrong pagecache offset. This causes __getblk_slow() to go into an infinite
loop.
This can happen with corrupted disks, or with software errors elsewhere.
Detect t...
i2c: fix broken ds1337 initializationOn a custom board with ds1337 RTC I found that upgrade from 2.6.15 to
2.6.18 broke RTC support.
The main problem are changes to ds1337_init_client().
When a ds1337 recognizes a problem (e.g. power or clock failure) bit 7
in status register is set. This has to be reset by writing 0 to status
register. But since there are only 16 byte written to the chip and the
first byte is interpreted as an a...
IB/srp: Fix FMR mapping for 32-bit kernels and addresses above 4Gstruct srp_device.fmr_page_mask was unsigned long, which means that
the top part of addresses above 4G was being chopped off on 32-bit
architectures. Of course nothing good happens when data from SRP
targets is DMAed to the wrong place.
Fix this by changing fmr_page_mask to u64, to match the addresses
actually used by IB devices.
Thanks to Brian Cain <Brian.Cain@ge.com> and David McMillen
<d...
SCSI: add missing cdb clearing in scsi_execute()Clear-garbage-after-CDB patch missed scsi_execute() and it causes some
ODDs (HL-DT-ST DVD-RAM GSA-H30N) choke during SCSI scan. Note that
this patch is only for -stable. There is another more reliable fix
for this problem proposed for devel tree.
http://thread.gmane.org/gmane.linux.ide/14605/focus=14605
Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Jens Axboe <jens.axboe@oracle.com>
Cc: D...
Don't leak NT bit into next taskSYSENTER can cause a NT to be set which might cause crashes on the IRET
in the next task.
Following similar i386 patch from Linus.
Signed-off-by: Andi Kleen <ak@suse.de>
[backport from Chuck Ebbert]
Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
bcm43xx: Fix for oops on ampdu statusIf bcm43xx were to process an afterburner (ampdu) status response, Linux would oops. The
ampdu and intermediate status bits are properly named.
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
bcm43xx: Fix for oops on resumeThere is a kernel oops on bcm43xx when resuming due to an overly tight timeout loop.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[PATCH] Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)Due to type confusion, when an nfsacl verison 2 'ACCESS' request
finishes and tries to clean up, it calls fh_put on entiredly the
wrong thing and this can cause an oops.
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Replace wrong rcu_lock by rcu_unlock028test015 preemptive OpenVZ kernels doesn't work properly.
The symptoms are the following:
1) vzctl enter <veid>
entered into VE <veid>
exited from VE <veid>
2) "note: bash[13467] exited with preempt_count 2" in dmesg
3) bash in VE is killed by SIGSEGV.
Bug is introduced by
http://git.openvz.org/?p=linux-2.6.18-openvz;a=commitdiff;h=7ee2d8bf6a7098ed92e37b71a9b7a8a2af3be7fa
http://bugzilla...
[BC] Don't uncharge resources in RCU callbacksFiles and tasks can be uncharged in RCU in 2.6.18 kernel.
Though we've fixed all the problems we had with it it's
bad to keep doing this as resource may be freed with
uncertain delay.
Kmem objects are still uncharged with RCU but there's
nothing that can be done about it.
[BC] Fix compilation warning in ub_proc.c...
kernel/ub/ub_proc.c: In function 'bc_entry_open':
kernel/ub/ub_proc.c:249: warning: cast from pointer to integer of different size
We store 32bit bcid in void * member. This is ok but we
mast take some actions to make gcc happy.
Bad inode -EIO screwup. CVE-2006-5753 ported from mainstream.Original comments (by Eric Sandeen):
The problem here is that the void cast causes return types to not be
promoted, and for ops such as listxattr which expect more than 32 bits of
return value, the 32-bit -EIO is interpreted as a large positive 64-bit
number, i.e. 0x00000000fffffffa instead of 0xfffffffa.
This goes particularly badly when the return value is taken as a number of
bytes to ...
[CPT] use BUILD_BUG_ON() where appropriateBUILD_BUG_ON() will break compilation if condition in question
is triggered and, OTOH, expands to zero runtime code.
[BC] Return ENOMEM if pty charge failsIt turned out that if glibc's openpty() call can't open /dev/ptmx
file due to ENOENT or ENODEV error it starts thinking that ptmx
is not present in the system at all and doesn't even try to open
it in the future.
This creates a local DoS: when VE hits UB_NUMPTY limit no /dev/ptmx
will be opened ever after even if all ptys will be closed.
Fix this be returning ENOMEM instead.
[SIMFS] get lower vfsmount on simfs mountThis prevents lower FS from being umounted while simfs is mounted.
http://bugzilla.openvz.org/show_bug.cgi?id=451
OpenVZ team
Greg Kroah-Hartman
