1. OpenVZ-legacy


Author | Commit | Message | Commit date | Issues
OpenVZ team
6133b02b431 linux-2.6.22-ovz005 released
Alexey Dobriyan
72e37424b9f NETFILTER: check for valid VE conntrack structure in __nf_ct_l3proto_find()
If VE is started with permissions to use iptables but not conntracking, ->nf_conntrack pointer will be NULL. However it will be NULL dereference during the following codepath: net/netfilter/xt_state.c:check() nf_ct_l3proto_try_module_get nf_ct_l3proto_find_get __nf_ct_l3proto_find ve_nf_ct_l3protos[l3proto] == dereference Steps to reproduce: iptables -A OUTPUT -m state --state NEW -j ...
Alexey Dobriyan
72d245e2611 NETFILTER: use module_init() for NAT initcalls
If NAT is compiled in it will oops during init because VE0's ->nf_conntrack is still NULL. So, let's initialize NAT after conntrack.
Alexey Dobriyan
ee00a25d588 ia64: really do getpid(), getppid() by slow path
Alexey Dobriyan
1309ad51717 ia64: fix off-by-one in syscall table
Alexey Dobriyan
Alexey Dobriyan
65d91ea505c ia64: compile fixes
Alexey Dobriyan
7538f5e41e1 pidns: ia64: don't do getpid() by fast path
With the introduction of pid namespaces simply grabbing value from task_struct is wrong. One should do honest system call.
Alexey Dobriyan
1552a89129d UBC: fix compilation on ia64 re quicklist changes
Alexey Dobriyan
f1e27e693e9 [PATCH] Stop tickless mode during stopmachine run
Fix unusable modprobe triggered by CONFIG_HIGH_RES_TIMES=y change. Two stopmachine threads end up on two different VCPUs but one PCPU. If scheduler tick is disabled on PCPU which haven't got stopmachine thread, we will be waiting for ACK from corresponding thread for a looong time. Idle cpu doesn't wake up and doesn't steal idle stopmachine thread. Busy cpu is busy executing busy stopmachine t...
Evgeny Kravtsunov
294d1351198 Virtualize SIT (IPv6 over IPv4)
Alexey Dobriyan
f7a5b14a556 NETFILTER: de-virtualize log_invalid_proto_min_max
log_invalid_proto_min/max variables are just boundary values for ip_conntrack_log_invalid sysctl. They never change.
Greg Kroah-Hartman
Linus Torvalds
572b445e040 Revert "x86_64: allocate sparsemem memmap above 4G"
patch 6a22c57b8d2a62dea7280a6b2ac807a539ef0716 in mainline. This reverts commit 2e1c49db4c640b35df13889b86b9d62215ade4b6. First off, testing in Fedora has shown it to cause boot failures, bisected down by Martin Ebourne, and reported by Dave Jobes. So the commit will likely be reverted in the 2.6.23 stable kernels. Secondly, in the 2.6.24 model, x86-64 has now grown support for SPARSEMEM_VM...
Milan Broz
d91447ee784 dm snapshot: fix invalidation deadlock
patch fcac03abd325e4f7a4cc8fe05fea2793b1c8eb75 in mainline Process persistent exception store metadata IOs in a separate thread. A snapshot may become invalid while inside generic_make_request(). A synchronous write is then needed to update the metadata while still inside that function. Since the introduction of md-dm-reduce-stack-usage-with-stacked-block-devices.patch this has to be perform...
Ingo Molnar
e2b35e3aaf9 x86: fix global_flush_tlb() bug
patch 9a24d04a3c26c223f22493492c5c9085b8773d4a upstream While we were reviewing pageattr_32/64.c for unification, Thomas Gleixner noticed the following serious SMP bug in global_flush_tlb(): down_read(&init_mm.mmap_sem); list_replace_init(&deferred_pages, &l); up_read(&init_mm.mmap_sem); this is SMP-unsafe because list_replace_init() done on two CPUs in parallel can corrupt the list. Thi...
Dave Young
b5f591838db param_sysfs_builtin memchr argument fix
patch faf8c714f4508207a9c81cc94dafc76ed6680b44 in mainline. If memchr argument is longer than strlen(kp->name), there will be some weird result. It will cause duplicate filenames in sysfs for the "nousb". kernel warning messages are as below: sysfs: duplicate filename 'usbcore' can not be created WARNING: at fs/sysfs/dir.c:416 sysfs_add_one() [<c01c4750>] sysfs_add_one+0xa0/0xe0 [<c01c4...
Eric Sandeen
59531fe84bf minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
patch 44ec6f3f89889a469773b1fd894f8fcc07c29cf in mainline This attempts to address CVE-2006-6058 first reported at Essentially a corrupted minix dir inode reporting a very large i_size will loop for a very long time in minix_readdir, minix_find_entry, etc, because on EIO they j...
2 Jira Issues
Roland Dreier
b67e7778425 IB/uverbs: Fix checking of userspace object ownership
Upstream as cbfb50e6e2e9c580848c0f51d37c24cdfb1cb704 Commit 9ead190b ("IB/uverbs: Don't serialize with ib_uverbs_idr_mutex") rewrote how userspace objects are looked up in the uverbs module's idrs, and introduced a severe bug in the process: there is no checking that an operation is being performed by the right process any more. Fix this by adding the missing check of uobj->context in __idr_ge...
Thomas Gleixner
b99411864dd genirq: mark io_apic level interrupts to avoid resend
patch cc75b92d11384ba14f93828a2a0040344ae872e7 in mainline. Level type interrupts do not need to be resent. It was also found that some chipsets get confused in case of the resend. Mark the ioapic level type interrupts as such to avoid the resend functionality in the generic irq code. Signed-off-by: Thomas Gleixner <> Signed-off-by: Linus Torvalds <torvalds@linux-foundatio...
Thomas Gleixner
2f21ad63341 genirq: suppress resend of level interrupts
patch 2464286ace55b3abddfb9cc30ab95e2dac1de9a6 in mainline. Level type interrupts are resent by the interrupt hardware when they are still active at irq_enable(). Suppress the resend mechanism for interrupts marked as level. Signed-off-by: Thomas Gleixner <> Signed-off-by: Linus Torvalds <> Cc: Chuck Ebbert <> Signed-off-by: Gr...
Thomas Gleixner
5399b80762e genirq: cleanup mismerge artifact
patch 496634217e5671ed876a0348e9f5b7165e830b20 in mainline. Commit 5a43a066b11ac2fe84cf67307f20b83bea390f83: "genirq: Allow fasteoi handler to retrigger disabled interrupts" was erroneously applied to handle_level_irq(). This added the irq retrigger / resend functionality to the level irq handler. Revert the offending bits. Signed-off-by: Thomas Gleixner <> Signed-off-by: ...
Greg Kroah-Hartman
Gregory Haskins
8aa78d8d9e9 lockdep: fix mismatched lockdep_depth/curr_chain_hash
patch 3aa416b07f0adf01c090baab26fb70c35ec17623 in mainline. lockdep: fix mismatched lockdep_depth/curr_chain_hash It is possible for the current->curr_chain_key to become inconsistent with the current index if the chain fails to validate. The end result is that future lock_acquire() operations may inadvertently fail to find a hit in the cache resulting in a new node being added to the graph ...
Kumar Gala
02d29bbef28 POWERPC: Fix handling of stfiwx math emulation
patch ba02946a903015840ef672ccc9dc8620a7e83de6 in mainline It's legal for the stfiwx instruction to have RA = 0 as part of its effective address calculation. This is illegal for all other XE form instructions. Add code to compute the proper effective address for stfiwx if RA = 0 rather than treating it as illegal. Signed-off-by: Kumar Gala <> Signed-off-by: Greg Kroa...
Dave Airlie
0a0225bae6d i915: fix vbl swap allocation size.
This is upstream as 54583bf4efda79388fc13163e35c016c8bc5de81 Oops... Signed-off-by: Dave Airlie <> Signed-off-by: Greg Kroah-Hartman <>
Jean Delvare
0d5295636a1 hwmon/w83627hf: Don't assume bank 0
Already in Linus' tree:;a=commitdiff;h=d58df9cd788e6fb4962e1c8d5ba7b8b95d639a44 The bank switching code assumes that the bank selector is set to 0 when the driver is loaded. This might not be the case. This is exactly the same bug as was fixed in the w83627ehf driver two months ago:
Jean Delvare
f5000270cfd hwmon/w83627hf: Fix setting fan min right after driver load
Already in Linus' tree:;a=commitdiff;h=c09c5184a26158da32801e89d5849d774605f0dd We need to read the fan clock dividers at initialization time, otherwise the code in store_fan_min() may use uninitialized values. That's pretty much the same bug and same fix as for the w83627ehf driver last month. Signed-off-by: Jean Delvare <khali...
Jean Delvare
f3c97cd833e hwmon/lm87: Disable VID when it should be
Already in Linus' tree:;a=commitdiff;h=889af3d5d9586db795a06c619e416b4baee11da8 A stupid bit shifting bug caused the VID value to be always exported even when the hardware is configured for something different. Signed-off-by: Jean Delvare <> Signed-off-by: Mark M. Hoffman <> Signed-off-by:...
Jean Delvare
c285b5c2ac6 hwmon/lm87: Fix a division by zero
Already in Linus' tree:;a=commitdiff;h=b965d4b7f614522170af6a7e450be0333792ccd2 Missing parentheses in the definition of FAN_FROM_REG cause a division by zero for a specific register value. Signed-off-by: Jean Delvare <> Acked-by: Hans de Goede <> Signed-off-by: Mark M. Hoffman <mhoffman@lig...
Ian Armstrong
7d57d714006 V4L: ivtv: fix udma yuv bug
Based on cb50f548c0ee9b2aac39743fc4021a7188825a98 in mainline [PATCH] V4L: ivtv: fix udma yuv bug Using udma yuv causes the driver to become locked into that mode. This prevents use of the mpeg decoder & non-udma yuv output. This patch clears the operating mode when the device is closed. Signed-off-by: Ian Armstrong <> Signed-off-by: Hans Verkuil <> S...
Peter Korsgaard
2c69807c486 dm9601: Fix receive MTU
patch f662fe5a0b144efadbfc00e8040e603ec318746e in mainline. dm9601: Fix receive MTU dm9601 didn't take the ethernet header into account when calculating RX MTU, causing packets bigger than 1486 to fail. Signed-off-by: Peter Korsgaard <> Signed-off-by: Jeff Garzik <> Signed-off-by: Greg Kroah-Hartman <>
Jeff Garzik
c9a06c0099d netdrvr: natsemi: Fix device removal bug
This episode illustrates how an overused warning can train people to ignore that warning, which winds up hiding bugs. The warning drivers/net/natsemi.c: In function ‘natsemi_remove1’: drivers/net/natsemi.c:3222: warning: ignoring return value of ‘device_create_file’, declared with attribute warn_unused_result is oft-ignored, even though at close inspection one notices this occurs in the /rem...
Stefan Richter
d9e0dded68a firewire: fix unloading of fw-ohci while devices are attached
Fix panic in run_timer_softirq right after "modprobe -r firewire-ohci" if a FireWire disk was attached and firewire-sbp2 loaded. Same as commit 8a2d9ed3210464d22fccb9834970629c1c36fa36. Signed-off-by: Stefan Richter <> Signed-off-by: Greg Kroah-Hartman <>
Andy Green
774b4c5215a Add get_unaligned to ieee80211_get_radiotap_len
patch dfe6e81deaa79c85086c0cc8d85b229e444ab97f in mainline. ieee80211_get_radiotap_len() tries to dereference radiotap length without taking care that it is completely unaligned and get_unaligned() is required. Signed-off-by: Andy Green <> Signed-off-by: John W. Linville <> Signed-off-by: Greg Kroah-Hartman <>
Al Viro
8c7537c7193 libertas: more endianness breakage
based on patch 8362cd413e8116306fafbaf414f0419db0595142 in mainline. domain->header.len is le16 and has just been assigned cpu_to_le16(arithmetical expression). And all fields of adapter->logmsg are __le32; not a single 16-bit among them... That's incremental to the previous one Signed-off-by: Al Viro <> Signed-off-by: Dan Williams <> Signed-off-by: Jo...
Al Viro
4b8e10dc2e8 libertas: fix endianness breakage
patch 5707708111ca6c4e9a1160acffdc98a98d95e462 in mainline. wep->keytype[] is u8 Signed-off-by: Al Viro <> Signed-off-by: Dan Williams <> Signed-off-by: John W. Linville <>
John W. Linville
54b932c5086 mac80211: filter locally-originated multicast frames
patch b331615722779b078822988843ddffd4eaec9f83 in mainline. In STA mode, the AP will echo our traffic. This includes multicast traffic. Receiving these frames confuses some protocols and applications, notably IPv6 Duplicate Address Detection. Signed-off-by: John W. Linville <> Signed-off-by: Johannes Berg <> Acked-by: Michael Wu <flamingice@sou...
Eric Dumazet
dec0da2c0b4 Fix TCP initial sequence number selection.
changeset 162f6690a65075b49f242d3c8cdb5caaa959a060 in mainline. TCP V4 sequence numbers are 32bits, and RFC 793 assumed a 250 KHz clock. In order to follow network speed increase, we can use a faster clock, but we should limit this clock so that the delay between two rollovers is greater than MSL (TCP Maximum Segment Lifetime : 2 minutes) Choosing a 64 nsec clock should be OK, since the rollo...
David Miller
55d0058fe82 Fix TCP MD5 on big-endian.
changeset f8ab18d2d987a59ccbf0495032b2aef05b730037 in mainline. Based upon a report and initial patch by Peter Lieven. tcp4_md5sig_key and tcp6_md5sig_key need to start with the exact same members as tcp_md5sig_key. Because they are both cast to that type by tcp_v{4,6}_md5_do_lookup(). Unfortunately tcp{4,6}_md5sig_key use a u16 for the key length instead of a u8, which is what tcp_md5sig_k...
Ilpo Järvinen
692767dfebc Fix TCP's ->fastpath_cnt_hit handling.
changeset 48611c47d09023d9356e78550d1cadb8d61da9c8 in mainline. When only GSO skb was partially ACKed, no hints are reset, therefore fastpath_cnt_hint must be tweaked too or else it can corrupt fackets_out. The corruption to occur, one must have non-trivial ACK/SACK sequence, so this bug is not very often that harmful. There's a fackets_out state reset in TCP because fackets_out is known to be...
David S. Miller
e43358c5c81 Fix sys_ipc() SEMCTL on sparc64.
changeset 6536a6b331d3225921c398eb7c6e4ecedb9b05e0 from mainline Thanks to Tom Callaway for the excellent bug report and test case. sys_ipc() has several problems, most to do with semaphore call handling: 1) 'err' return should be a 'long' 2) "union semun" is passed in a register on 64-bit compared to 32-bit which provides it on the stack and therefore by reference 3) Second and third...
David S. Miller
791333baf11 Fix zero length socket write() semantics.
changeset e79ad711a0108475c1b3a03815527e7237020b08 from mainline. This fixes kernel bugzilla #5731 It should generate an empty packet for datagram protocols when the socket is connected, for one. The check is doubly-wrong because all that a write() can be is a sendmsg() call with a NULL msg_control and a single entry iovec. No special semantics should be assigned to it, therefore the zero l...
Alexey Dobriyan
f7c6bfbbb4a Fix ROSE module unload oops.
changeset 891e6a931255238dddd08a7b306871240961a27f from mainline. Commit a3d384029aa304f8f3f5355d35f0ae274454f7cd aka "[AX.25]: Fix unchecked rose_add_loopback_neigh uses" transformed rose_loopback_neigh var into statically allocated one. However, on unload it will be kfree's which can't work. Steps to reproduce: modprobe rose rmmod rose BUG: unable to handle kernel NULL pointer dereferen...
Brian Haley
e483eb68a46 Fix ipv6 redirect processing, leads to TAHI failures.
changeset bf0b48dfc368c07c42b5a3a5658c8ee81b4283ac from mainline. When the ICMPv6 Target address is multicast, Linux processes the redirect instead of dropping it. The problem is in this code in ndisc_redirect_rcv(): if (ipv6_addr_equal(dest, target)) { on_link = 1; } else if (!(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) { ND_PRINTK2(KE...
Mitsuru Chinen
3b3ba80b46e Fix some cases of missed IPV6 DAD
changeset 0fcace22d38ce9216f5ba52f929a99d284aa7e49 from mainline To judge the timing for DAD, netif_carrier_ok() is used. However, there is a possibility that dev->qdisc stays noop_qdisc even if netif_carrier_ok() returns true. In that case, DAD NS is not sent out. We need to defer the IPv6 device initialization until a valid qdisc is specified. Signed-off-by: Mitsuru Chinen <mitch@linux.vnet...
John W. Linville
1902ababc21 Fix ieee80211 handling of bogus hdrlength field
changeset 04045f98e0457aba7d4e6736f37eed189c48a5f7 from mainline Reported by Chris Evans <>: > The summary is that an evil 80211 frame can crash out a victim's > machine. It only applies to drivers using the 80211 wireless code, and > only then to certain drivers (and even then depends on a card's > firmware not dropping a dubious packet). I must confess I'm not > keeping...
Stephen Hemminger
fda485207e7 Fix cls_u32 error return handling.
changeset bf1b803b01b00c3801e0aa373ba0305f8278e260 from mainline. Signed-off-by: Stephen Hemminger <> Signed-off-by: David S. Miller <> Signed-off-by: Greg Kroah-Hartman <>
David Miller
c0d96d06ef7 Fix ESP host instance numbering.
changeset ff4abd6cfacf0bb23a077f615d3a5cd17359db1b in mainline. The ESP scsi driver does not initialize the host controller instance early enough, so the messages in the log confuse users. Signed-off-by: David S. Miller <> Signed-off-by: James Bottomley <> Signed-off-by: Greg Kroah-Hartman <>
Thomas Gleixner
f310d0f08fd ACPI: disable lower idle C-states across suspend/resume
changeset b04e7bdb984e3b7f62fb7f44146a529f88cc7639 from mainline. device_suspend() calls ACPI suspend functions, which seems to have undesired side effects on lower idle C-states. It took me some time to realize that especially the VAIO BIOSes (both Andrews jinxed UP and my elfstruck SMP one) show this effect. I'm quite sure that other bug reports against suspend/resume about turning the syste...