1. OpenVZ-legacy


Commit       Author
             Message

cb83d0360de  OpenVZ team
    linux-2.6.18-028test018 released

b9bff58fc99  Evgeny Kravtsunov
    Missed ve context switch in NFS RPC code.
    pipefs switches the context to ve0 and never returns to ve context. Such a situation takes place in __rpc_execute (net/sunrpc/sched.c) and svc_recvfrom (net/sunrpc/svcsock.c) functions. This causes an oops on starting a ve in case the ve private area is placed on an nfs partition.

156048b79ad  Vasiliy Averin
    ext3 error behavior was broken in linux kernels since 2.5.x versions by the following patch: 2002/10/31 02:15:26-05:00 Default mount options from superblock for ext2/3 filesystems. In case ext3 file system is mounted with errors=continue (EXT3_ERRORS_CONTINUE) errors should be ignored when possible. However at present in case of any error kernel aborts journal and remounts filesystem to ...

67e1668cb46  Vasily Tarasov
    task puts UBC before the task becomes invisible for all (e.g. /proc), thus a task can be found on the list without exec_env/owner_env which should not happen. Introduced by diff-ubc-dont-uncharge-in-RCU-20070212

06d911fb785  Dmitry Mishin
    EXT3_ERRORS_CONTINUE should be taken from the superblock as default value for error behaviour.
    Signed-off-by: Dmitry Mishin <> Acked-by: Vasily Averin <> Acked-by: Kirill Korotaev <>

5b12b303de2  Vasily Averin
    EXT2_ERRORS_CONTINUE should be read from the sb as default error behaviour. parse_option() should clean the alternative options and should not change default value taken from the superblock.
    Signed-off-by: Vasily Averin <> Acked-by: Kirill Korotaev <>

d7d8cf0c663  Kirill Korotaev
    Revert diff-ms-ext3-retries-20061109 until all the issues are resolved.

b3b2f114059  Kir Kolyshkin
    Patch from mainstream: [SPARC64]: Fix Tomatillo/Schizo IRQ handling.
    The code in schizo_irq_trans_init() should set irq_data->sync_reg to the location of the SYNC register if this is Tomatillo, and set it to zero otherwise. But that is not what it is doing. As a result, non-Tomatillo systems were trying to access a non-existent register resulting in bus errors at the first PCI interrupt. Thanks to Roland Stigge for the bug report. Signed-off-by: David S. Mil...

6bcea8c4c35  Alexey Dobriyan
    Same story as with p4-clockmod. Driver does set_cpus_allowed(cpu), then checks for smp_processor_id() being equal to "cpu".

6d6cd5dd70f  OpenVZ team
    Merge git://

(no commit line in the listing)  Greg Kroah-Hartman

b3008f65500  Hugh Dickins
    fix umask when noACL kernel meets extN tuned for ACLs
    Fix insecure default behaviour reported by Tigran Aivazian: if an ext2 or ext3 filesystem is tuned to mount with "acl", but mounted by a kernel built without ACL support, then umask was ignored when creating inodes - though root or user has umask 022, touch creates files as 0666, and mkdir creates directories as 0777. This appears to have worked right until 2.6.11, when a fix to the default mo...

4f1e627105e  Badari Pulavarty
    Fix for shmem_truncate_range() BUG_ON()
    Ran into BUG() while doing madvise(REMOVE) testing. If we are punching a hole into shared memory segment using madvise(REMOVE) and the entire hole is below the indirect blocks, we hit following assert. BUG_ON(limit <= SHMEM_NR_DIRECT); Signed-off-by: Badari Pulavarty <> Cc: Hugh Dickins <> Signed-off-by: Andrew Morton <> Signed-off-by: ...

f102c840f7f  Hugh Dickins
    make ppc64 current preempt-safe
    Repeated -j20 kernel builds on a G5 Quad running an SMP PREEMPT kernel would often collapse within a day, some exec failing with "Bad address". In each case examined, load_elf_binary was doing a kernel_read, but generic_file_aio_read's access_ok saw current->thread.fs.seg as USER_DS instead of KERNEL_DS. objdump of filemap.o shows gcc 4.1.0 emitting "mr r5,r13 ... ld r9,416(r5)" here for get_p...

700019f9fea  Hugh Dickins
    fix msync error on unmapped area
    Fix the 2.6.18 sys_msync to report -ENOMEM correctly when an unmapped area falls within its range, and not to overshoot: to satisfy LSB 3.1 tests and to fix Debian Bug#394392. Took the 2.6.19 sys_msync as starting point (including its cleanup of repeated "current->mm"s), reintroducing the msync_interval and balance_dirty_pages_ratelimited_nr needed in 2.6.18. The misbehaviour fixed here may n...

dbee2bf2f31  Hugh Dickins
    read_zero_pagealigned() locking fix
    Ramiro Voicu hits the BUG_ON(!pte_none(*pte)) in zeromap_pte_range: kernel bugzilla 7645. Right: read_zero_pagealigned uses down_read of mmap_sem, but another thread's racing read of /dev/zero, or a normal fault, can easily set that pte again, in between zap_page_range and zeromap_page_range getting there. It's been wrong ever since 2.4.3. The simple fix is to use down_write instead, but tha...

d84ad2cb50b  Linus Torvalds
    Fix incorrect user space access locking in mincore() (CVE-2006-4814)
    Doug Chapman noticed that mincore() will do a "copy_to_user()" of the result while holding the mmap semaphore for reading, which is a big no-no. While a recursive read-lock on a semaphore in the case of a page fault happens to work, we don't actually allow them due to deadlock scenarios with writers due to fairness issues. Doug and Marcel sent in a patch to fix it, but I decided to just rewri...

45cbffd7b28  Paolo 'Blaisorblade' Giarrusso
    x86_64: fix 2.6.18 regression - PTRACE_OLDSETOPTIONS should be accepted
    Also PTRACE_OLDSETOPTIONS should be accepted, as done by kernel/ptrace.c and forced by binary compatibility. UML/32bit breaks because of this - since it is wise enough to use PTRACE_OLDSETOPTIONS to be binary compatible with 2.4 host kernels. Until 2.6.17 (commit f0f2d6536e3515b5b1b7ae97dc8f176860c8c2ce) we had: default: return sys_ptrace(request, pid, addr, data); Ins...

6a6a0294c14  Oleg Nesterov
    V4L: buf_qbuf: fix videobuf_queue->stream corruption and lockup
    We are doing ->buf_prepare(buf) before adding buf to q->stream list. This means that videobuf_qbuf() should not try to re-add a STATE_PREPARED buffer. (cherry picked from commit 419dd8378dfa32985672ab7927b4bc827f33b332) Signed-off-by: Oleg Nesterov <> Signed-off-by: Mauro Carvalho Chehab <> Signed-off-by: Michael Krufky <> Signed-off-by: ...

0761fceaf46  Michael Krufky
    V4L: tveeprom: autodetect LG TAPC G701D as tuner type 37
    Autodetect LG TAPC G701D as tuner type 37, fixing mis-detected tuners in some Hauppauge tv tuner cards. Thanks to Adonis Papas, for pointing this out. (cherry picked from commit 1323fbda1343f50f198bc8bd6d1d59c8b7fc45bf) Signed-off-by: Michael Krufky <> Signed-off-by: Mauro Carvalho Chehab <> Signed-off-by: Greg Kroah-Hartman <>

bd732136cab  Martin Samuelsson
    V4L: fix ks0127 status flags
    Or status flags together in DECODER_GET_STATUS instead of and-zapping them. (cherry picked from commit 55d5440d4587454628a850ce26703639885af678) Signed-off-by: Martin Samuelsson <> Signed-off-by: Andrew Morton <> Signed-off-by: Mauro Carvalho Chehab <> Signed-off-by: Michael Krufky <> Signed-off-by: Greg Kroah-Hartman <gregkh@sus...

d828fc9efb2  Grant Likely
    V4L: Fix quickcam communicator driver for big endian architectures
    Host endianness does not affect the order that pixel rgb data comes in from the quickcam (the values are bytes, not words or longs). The driver is erroneously swapping the order of rgb values for big endian machines. This patch is needed to get the Quickcam communicator working on big endian machines (tested on powerpc) (cherry picked from commit c6d704c8c4453f05717ba88792f70f8babf95268) Signed...

7be1d0e5a34  Jean Delvare
    v4l: cx88: Fix leadtek_eeprom tagging
    reference to .init.text: from .text between 'cx88_card_setup' (at offset 0x68c) and 'cx88_risc_field' Caused by leadtek_eeprom() being declared __devinit and called from a non-devinit context. (cherry picked from commit 69f7e75a9d45e5eaca16917a8d0dedf76149f13f) Signed-off-by: Jean Delvare <> Signed-off-by: Michael Krufky <> Signed-off-by: Mauro Carvalho Ch...

bdc752eef3a  Hans Verkuil
    v4l: cx2341x audio_properties is a u16, not u8
    This bug broke the MPEG audio mode controls. (cherry picked from commit cb2c7b4927c8f376b7ba9557978d8c59ed472664) Signed-off-by: Hans Verkuil <> Signed-off-by: Mauro Carvalho Chehab <> Signed-off-by: Michael Krufky <> Signed-off-by: Greg Kroah-Hartman <>

b030914a398  Ang Way Chuang
    dvb-core: fix bug in CRC-32 checking on 64-bit systems
    CRC-32 checking during ULE decapsulation always failed on x86_64 systems due to the size of a variable used to store CRC. This bug was discovered on Fedora Core 6 with kernel-2.6.18-1.2849. The i386 counterpart has no such problem. This patch has been tested on 64-bit system as well as 32-bit system. (cherry picked from commit dedcefb085fe98a1feaf63590fe2fc7e0ecb1987) Signed-off-by: Ang Way C...

a385297dc19  Roland Dreier
    IB/mad: Fix race between cancel and receive completion
    When ib_cancel_mad() is called, it puts the canceled send on a list and schedules a "flushed" callback from process context. However, this leaves a window where a receive completion could be processed before the send is fully flushed. This is fine, except that ib_find_send_mad() will find the MAD and return it to the receive processing, which results in the sender getting both a successful re...

78b8ebb89af  Eric Sandeen
    hfs_fill_super returns success even if no root inode (CVE-2006-6056)
    mount that image... fs: filesystem was not cleanly unmounted, running fsck.hfs is recommended. mounting read-only. hfs: get root inode failed. BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018 printing eip ... EIP is at superblock_doinit+0x21/0x767 ... [] selinux_sb_kern_mount+0xc/0x...

0fc7b9055c2  Andrew Morton
    grow_buffers() infinite loop fix (CVE-2006-5757, CVE-2006-6060)
    If grow_buffers() is for some reason passed a block number which wants to lie outside the maximum-addressable pagecache range (PAGE_SIZE * 4G bytes) then it will accidentally truncate `index' and will then instantiate a page at the wrong pagecache offset. This causes __getblk_slow() to go into an infinite loop. This can happen with corrupted disks, or with software errors elsewhere. Detect t...

6ce115c0d88  Dirk Eibach
    i2c: fix broken ds1337 initialization
    On a custom board with ds1337 RTC I found that upgrade from 2.6.15 to 2.6.18 broke RTC support. The main problem is the changes to ds1337_init_client(). When a ds1337 recognizes a problem (e.g. power or clock failure) bit 7 in status register is set. This has to be reset by writing 0 to status register. But since there are only 16 bytes written to the chip and the first byte is interpreted as an a...

e7aaff7bdaa  Roland Dreier
    IB/srp: Fix FMR mapping for 32-bit kernels and addresses above 4G
    struct srp_device.fmr_page_mask was unsigned long, which means that the top part of addresses above 4G was being chopped off on 32-bit architectures. Of course nothing good happens when data from SRP targets is DMAed to the wrong place. Fix this by changing fmr_page_mask to u64, to match the addresses actually used by IB devices. Thanks to Brian Cain <> and David McMillen <d...

d797d17f156  Tejun Heo
    SCSI: add missing cdb clearing in scsi_execute()
    Clear-garbage-after-CDB patch missed scsi_execute() and it causes some ODDs (HL-DT-ST DVD-RAM GSA-H30N) to choke during SCSI scan. Note that this patch is only for -stable. There is another more reliable fix for this problem proposed for devel tree. Signed-off-by: Tejun Heo <> Cc: Jens Axboe <> Cc: D...

ff6e642fe5f  Andi Kleen
    Don't leak NT bit into next task
    SYSENTER can cause NT to be set which might cause crashes on the IRET in the next task. Following similar i386 patch from Linus. Signed-off-by: Andi Kleen <> [backport from Chuck Ebbert] Signed-off-by: Chuck Ebbert <> Signed-off-by: Chris Wright <> Signed-off-by: Greg Kroah-Hartman <>

abf95418101  Michael Buesch
    bcm43xx: Fix for oops on ampdu status
    If bcm43xx were to process an afterburner (ampdu) status response, Linux would oops. The ampdu and intermediate status bits are properly named. Signed-off-by: Michael Buesch <> Signed-off-by: Larry Finger <> Signed-off-by: Greg Kroah-Hartman <>

0ae4320544a  Larry Finger
    bcm43xx: Fix for oops on resume
    There is a kernel oops on bcm43xx when resuming due to an overly tight timeout loop. Signed-off-by: Larry Finger <> Signed-off-by: Greg Kroah-Hartman <>

(no commit line in the listing)  Greg Kroah-Hartman

48f51fc2631  Greg Banks
    [PATCH] Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)
    Due to type confusion, when an nfsacl version 2 'ACCESS' request finishes and tries to clean up, it calls fh_put on entirely the wrong thing and this can cause an oops. Signed-off-by: Neil Brown <> Signed-off-by: Linus Torvalds <> Signed-off-by: Greg Kroah-Hartman <>

5b35caf70e3  Alexandr Andreev
    Over uncharged privvmpages in 32bit VE on x86_64
    do_mremap: wrong type for len variable is used.

93ced4150f6  Vasily Tarasov
    Replace wrong rcu_lock by rcu_unlock
    028test015 preemptive OpenVZ kernels don't work properly. The symptoms are the following: 1) vzctl enter <veid> entered into VE <veid> exited from VE <veid> 2) "note: bash[13467] exited with preempt_count 2" in dmesg 3) bash in VE is killed by SIGSEGV. Bug is introduced by ;a=commitdiff;h=7ee2d8bf6a7098ed92e37b71a9b7a8a2af3be7fa http://bugzilla...

c36845d0d52  OpenVZ team
    linux-2.6.18-028test017 released

e8fcc6e12da  Denis V. Lunev
    Change default for per/UB TW buckets limitations

62d05b98ed3  Pavel Emelianov
    [BC] Don't uncharge resources in RCU callbacks
    Files and tasks can be uncharged in RCU in 2.6.18 kernel. Though we've fixed all the problems we had with it, it's bad to keep doing this as resource may be freed with uncertain delay. Kmem objects are still uncharged with RCU but there's nothing that can be done about it.

e029fb83c8d  Pavel Emelianov
    [BC] Fix uncharging of privvmpages on error path
    When loading ia32 binaries on x86_64 wrong value was used to roll back arg pages charging - fixed

595781f1ed6  Pavel Emelianov
    [BC] Fix compilation warning in ub_proc.c
    ... kernel/ub/ub_proc.c: In function 'bc_entry_open': kernel/ub/ub_proc.c:249: warning: cast from pointer to integer of different size. We store 32bit bcid in void * member. This is ok but we must take some actions to make gcc happy.

63d81e9bafd  Evgeny Kravtsunov
    Bad inode -EIO screwup. CVE-2006-5753 ported from mainstream.
    Original comments (by Eric Sandeen): The problem here is that the void cast causes return types to not be promoted, and for ops such as listxattr which expect more than 32 bits of return value, the 32-bit -EIO is interpreted as a large positive 64-bit number, i.e. 0x00000000fffffffa instead of 0xfffffffa. This goes particularly badly when the return value is taken as a number of bytes to ...

9d000ed181f  Alexey Dobriyan
    [CPT] use BUILD_BUG_ON() where appropriate
    BUILD_BUG_ON() will break compilation if condition in question is triggered and, OTOH, expands to zero runtime code.

64ff3996c4a  Pavel Emelianov
    [BC] Return ENOMEM if pty charge fails
    It turned out that if glibc's openpty() call can't open /dev/ptmx file due to ENOENT or ENODEV error it starts thinking that ptmx is not present in the system at all and doesn't even try to open it in the future. This creates a local DoS: when VE hits UB_NUMPTY limit no /dev/ptmx will be opened ever after even if all ptys will be closed. Fix this by returning ENOMEM instead.

63f1ecae912  Evgeny Kravtsunov
    [SIMFS] get lower vfsmount on simfs mount
    This prevents lower FS from being umounted while simfs is mounted.

dfa746a12b2  Alexey Dobriyan
    Introduce and use for_each_ve()
    Simple iterator hiding VE list head name (ve_list_head) and struct member name (ve_list).

3efd1ee3297  Andrey Mirkin
    Unresolved symbols should abort build.

2854e70a478  Pavel Emelianov
    IPC walking symbols are VE-related, not CPT.