1. OpenVZ-legacy


Author | Commit | Message | Commit date | Issues
Alexey Dobriyan
483a70883c8 Linux 2.6.24-ovz005
Alexey Dobriyan
bee1757116f Merge branch 'master' of git:// into 2.6.24-openvz
Conflicts: Makefile
Greg Kroah-Hartman
Al Viro
0bbbae3bfd7 fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)
commit 0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9 upstream. fcntl_setlk()/close() race prevention has a subtle hole - we need to make sure that if we *do* have an fcntl/close race on SMP box, the access to descriptor table and inode->i_flock won't get reordered. As it is, we get STORE inode->i_flock, LOAD descriptor table entry vs. STORE descriptor table entry, LOAD inode->i_flock with not a si...
Issues: CVE-2008
Alexey Dobriyan
818c0c13b3b Merge branch 'master' of git:// into 2.6.24-openvz
Conflicts: Makefile net/ipv6/netfilter/nf_conntrack_reasm.c net/sched/sch_generic.c
Alexey Dobriyan
f28668f8d34 CPT: fix shmat(2)'ted segments
Commit bc56bba8f31bd99f350a5ebfd43d50f411b620c7 aka "[PATCH] shm: make sysv ipc shared memory use stacked files"... It changed number and relationship of "struct file"s associated with SysV shmem: Before: one struct file for each shmem segment After: one struct file for each shmem segment + one struct file (different) for each shmat(2) call. Obviously checkpointing broke horribly. T...
Greg Kroah-Hartman
Al Viro
344fb8a4953 Fix dnotify/close race (CVE-2008-1375)
commit 214b7049a7929f03bbd2786aaef04b8b79db34e2 upstream. We have a race between fcntl() and close() that can lead to dnotify_struct inserted into inode's list *after* the last descriptor had been gone from current->files. Since that's the only point where dnotify_struct gets evicted, we are screwed - it will stick around indefinitely. Even after struct file in question is gone and freed. W...
Issues: CVE-2008
Paul Bolle
ce5fb291813 ISDN: Do not validate ISDN net device address prior to interface-up
Commit bada339 (Validate device addr prior to interface-up) caused a regression in the ISDN network code, see: The trivial fix is to remove the pointer to eth_validate_addr() in the net_device struct in isdn_net_init(). Signed-off-by: Paul Bolle <> Signed-off-by: David S. Miller <> Signed-off-by: Greg Kroah-Ha...
Steven Toth
dcd8f5bca37 V4L: cx88: enable radio GPIO correctly
This patch fixes an issue on the HVR1300, where GPIO is blown away due to the radio input being undefined, breaking the functionality of the DVB demodulator and MPEG2 encoder used on the cx8802 mpeg TS port. This is a minimal patch for 2.6.26 and the -stable series. This must be fixed a better way for 2.6.27. Signed-off-by: Steven Toth <> Signed-off-by: Mauro Carvalho Cheh...
Alan Cox
ef4fe7f473b V4L: Fix VIDIOCGAP corruption in ivtv
Frank Bennett reported that ivtv was causing skype to crash. With help from one of their developers he showed it was a kernel problem. VIDIOCGCAP copies a name into a fixed length buffer - ivtv uses names that are too long and does not truncate them so corrupts a few bytes of the app data area. Possibly the names also want trimming but for now this should fix the corruption case. Signed-off-b...
Greg Kroah-Hartman
31ae1b20f94 USB: remove broken usb-serial num_endpoints check
commit: 07c3b1a1001614442c665570942a3107a722c314 The num_interrupt_in, num_bulk_in, and other checks in the usb-serial code are just wrong, there are too many different devices out there with different numbers of endpoints. We need to just be sticking with the device ids instead of trying to catch this kind of thing. It broke too many different devices. This fixes a large number of usb-seri...
John Heffner
085b9f23e25 Increase the max_burst threshold from 3 to tp->reordering.
[ Upstream commit: dd9e0dda66ba38a2ddd1405ac279894260dc5c36 ] This change is necessary to allow cwnd to grow during persistent reordering. Cwnd moderation is applied when in the disorder state and an ack that fills the hole comes in. If the hole was greater than 3 packets, but less than tp->reordering, cwnd will shrink when it should not have. Signed-off-by: John Heffner <jheffner@napa.none...
David Woodhouse
c3648f83496 JFFS2: Fix free space leak with in-band cleanmarkers
We were accounting for the cleanmarker by calling jffs2_link_node_ref() (without locking!), which adjusted both superblock and per-eraseblock accounting, subtracting the size of the cleanmarker from {jeb,c}->free_size and adding it to {jeb,c}->used_size. But only _then_ were we adding the size of the newly-erased block back to the superblock counts, and we were adding each of jeb->{free,used}_...
Jan Altenberg
a086bcfa994 USB: gadget: queue usb USB_CDC_GET_ENCAPSULATED_RESPONSE message
backport of 41566bcf35a8b23ce4715dadb5acfd1098c1d3e4 commit 0cf4f2de0a0f4100795f38ef894d4910678c74f8 introduced a bug, which prevents sending an USB_CDC_GET_ENCAPSULATED_RESPONSE message. This breaks the RNDIS initialization (especially / only Windoze machines dislike this behavior...). Signed-off-by: Benedikt Spranger <> Signed-off-by: Jan Altenberg <jan.altenberg@lin...
Jeff Garzik
f1b6098616f tehuti: move ioctl perm check closer to function start (CVE-2008-1675)
Commit f946dffed6334f08da065a89ed65026ebf8b33b4 upstream Noticed by davem. Signed-off-by: Jeff Garzik <> Signed-off-by: Greg Kroah-Hartman <>
Issues: CVE-2008
Francois Romieu
a30678eb8ce tehuti: check register size (CVE-2008-1675)
Signed-off-by: Francois Romieu <> Signed-off-by: Jeff Garzik <> Signed-off-by: Greg Kroah-Hartman <>
Issues: CVE-2008
PJ Waskiewicz
2d66f3a83fa x86: Fix 32-bit x86 MSI-X allocation leakage
commit 9d9ad4b51d2b29b5bbeb4011f5e76f7538119cf9 upstream This bug was introduced in the 2.6.24 lguest tree merge, where MSI-X vector allocation will eventually fail. The cause is the new bit array tracking used vectors is not getting cleared properly on IRQ destruction on the 32-bit APIC code. This can be seen easily using the ixgbe 10 GbE driver on multi-core systems by simply loading and u...
Karsten Keil
d86fc5ca7bb fix oops on rmmod capidrv
commit eb36f4fc019835cecf0788907f6cab774508087b upstream. Fix overwriting the stack with the version string (it is currently 10 bytes + zero) when unloading the capidrv module. Safeguard against overwriting it should the version string grow in the future. Should fix Kernel Bug Tracker Bug 9696. Signed-off-by: Gerd v. Egidy <> Acked-by: Karsten Keil <>...
Hugh Dickins
1a825fd5424 splice: use mapping_gfp_mask
upstream commit: 4cd13504652d28e16bf186c6bb2bbb3725369383 The loop block driver is careful to mask __GFP_IO|__GFP_FS out of its mapping_gfp_mask, to avoid hangs under memory pressure. But nowadays it uses splice, usually going through __generic_file_splice_read. That must use mapping_gfp_mask instead of GFP_KERNEL to avoid those hangs. Signed-off-by: Hugh Dickins <> Cc: Jens...
Alexey Dobriyan
0fb90a706d7 FAIRSCHED: move to kernel/fairsched.c
It was there before, so make patch application slightly easier.
Alexey Dobriyan
c9d0e80b84a NETFILTER: remove mismerge in mark_source_chains()
Peter Zijlstra
6b35cc2ae08 Backport "SLUB: Do not upset lockdep"
commit ba84c73c7ae21fc891a3c2576fa3be42752fce53 Author: root <> Date: Mon Jan 7 23:20:28 2008 -0800 SLUB: Do not upset lockdep inconsistent {softirq-on-W} -> {in-softirq-W} usage. swapper/0 [HC0[0]:SC1[1]:HE0:SE0] takes: (&n->list_lock){-+..}, at: [<ffffffff802935c1>] add_partial+0x31/0xa0 {so...
Pavel Emelianov
f293cb5b21c Expand VE0 cpu stats
Stable commit 28680bfb8269703def997e2269caf9bfe2de489c shrank struct percpu_data from NR_CPUS pointers to just 1, so space for VE0 cpu statistics (which is allocated very early) was too small resulting in oops in account_system_time()/update_ve_cpu_time().
Alexey Dobriyan
Alexey Dobriyan
551b0650d9b Leave irq state alone during call_console_drivers()
Mainline does so at least.
Alexey Dobriyan
aa10c926328 Fix dcache accounting interaction with SLUB
SLUB passes allocations greater than PAGE_SIZE/2 directly to page allocator, so in case of large names there is no cache associated with them and no ->objuse counter. Account for PAGE_SIZE in such cases.
Chris Wright
J. Bruce Fields
fa4bf970097 locks: fix possible infinite loop in fcntl(F_SETLKW) over nfs
upstream commit: 19e729a928172103e101ffd0829fd13e68c13f78 Miklos Szeredi found the bug: "Basically what happens is that on the server nlm_fopen() calls nfsd_open() which returns -EACCES, to which nlm_fopen() returns NLM_LCK_DENIED. "On the client this will turn into a -EAGAIN (nlm_stat_to_errno()), which in will cause fcntl_setlk() to retry forever." So, for example, opening a file on ...
Serge Hallyn
44996dccd89 file capabilities: remove cap_task_kill()
upstream commit: aedb60a67c10a0861af179725d060765262ba0fb The original justification for cap_task_kill() was as follows: check_kill_permission() does appropriate uid equivalence checks. However with file capabilities it becomes possible for an unprivileged user to execute a file with file capabilities resulting in a more privileged task with the same uid. However now that cap_task_kill()...
Atsushi Nemoto
d7d835ba45a macb: Call phy_disconnect on removing
upstream commit: 84b7901f8d5a17536ef2df7fd628ab865df8fe3a Call phy_disconnect() on remove routine. Otherwise the phy timer causes a kernel crash when unloading. Signed-off-by: Atsushi Nemoto <> Signed-off-by: Jeff Garzik <> Cc: Haavard Skinnemoen <> Signed-off-by: Chris Wright <>
Alexey Dobriyan
acba01a4a72 fbdev: fix /proc/fb oops after module removal
upstream commit: c43f89c2084f46e3ec59ddcbc52ecf4b1e9b015a /proc/fb is not removed during rmmod. Steps to reproduce: modprobe fb rmmod fb ls /proc BUG: unable to handle kernel paging request at ffffffffa0094370 IP: [<ffffffff802b92a1>] proc_get_inode+0x101/0x130 PGD 203067 PUD 207063 PMD 17e758067 PTE 0 Oops: 0000 [1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:1e.0/0000:05:02.0/...
Chuck Ebbert
bcf7b3914e9 acpi: bus: check once more for an empty list after locking it
upstream commit: f0a37e008750ead1751b7d5e89d220a260a46147 List could have become empty after the unlocked check that was made earlier, so check again inside the lock. Should fix Signed-off-by: Chuck Ebbert <> Cc: <> Cc: Len Brown <> Signed-off-by: Andrew Morton <> Sig...
Kyle McMartin
d51b295acd9 PARISC fix signal trampoline cache flushing
upstream commit: cf39cc3b56bc4a562db6242d3069f65034ec7549 The signal trampolines were accidentally flushing the kernel I$ instead of the users. Fix that up, and also add a missing user D$ flush while we're at it. Signed-off-by: Kyle McMartin <> Signed-off-by: Linus Torvalds <> Signed-off-by: Chris Wright <>
Kyle McMartin
24319896af0 PARISC pdc_console: fix bizarre panic on boot
upstream commit ef1afd4d79f0479960ff36bb5fe6ec6eba1ebff2 commit 721fdf34167580ff98263c74cead8871d76936e6 Author: Kyle McMartin <> Date: Thu Dec 6 09:32:15 2007 -0800 [PARISC] print more than one character at a time for pdc console introduced a subtle bug by accidentally removing the "static" from iodc_dbuf. This resulted in, what appeared to be, a trap without *cu...
Kyle McMartin
fe23b328b6f PARISC futex: special case cmpxchg NULL in kernel space
upstream commit: c20a84c91048c76c1379011c96b1a5cee5c7d9a0 commit f9e77acd4060fefbb60a351cdb8d30fca27fe194 Author: Thomas Gleixner <> Date: Sun Feb 24 02:10:05 2008 +0000 futex: runtime enable pi and robust functionality which was backported to stable based on mainline Commit a0c1e9073ef7428a14309cba010633a6cd6719ea added code to futex.c to detect whether futex_atomi...
Len Brown
e9a3ef655c4 pnpacpi: reduce printk severity for "pnpacpi: exceeded the max number of ..."
upstream commit 33fd7afd66ffdc6addf1b085fe6403b6af532f8e We have been printing these messages at KERN_ERR since 2.6.24, per But KERN_ERR pops up on a console booted with "quiet" and causes users to get alarmed and file bugs about the message itself: So reduce the severity of these messages to ...
Guido Guenther
5cd82d4dd65 POWERPC: Fix build of modular drivers/macintosh/apm_emu.c
upstream commit: 620a245978d007279bc5c7c64e15f5f63af9af98 Currently, if drivers/macintosh/apm_emu is a module and the config doesn't have CONFIG_SUSPEND we get: ERROR: "pmu_batteries" [drivers/macintosh/apm_emu.ko] undefined! ERROR: "pmu_battery_count" [drivers/macintosh/apm_emu.ko] undefined! ERROR: "pmu_power_flags" [drivers/macintosh/apm_emu.ko] undefined! on PPC32. The variables aren't ...
Dan Williams
f1e310c26a3 md: close a livelock window in handle_parity_checks5
upstream commit: bd2ab67030e9116f1e4aae1289220255412b37fd If a failure is detected after a parity check operation has been initiated, but before it completes handle_parity_checks5 will never quiesce operations on the stripe. Explicitly handle this case by "canceling" the parity check, i.e. clear the STRIPE_OP_CHECK flags and queue the stripe on the handle list again to refresh any non-uptoda...
Davide Libenzi
c9c5091171c signalfd: fix for incorrect SI_QUEUE user data reporting
upstream commit: 0859ab59a8a48d2a96b9d2b7100889bcb6bb5818 Michael Kerrisk found out that signalfd was not reporting back user data pushed using sigqueue: The following patch makes signalfd report back the ssi_ptr and ssi_int members of the signalfd_siginfo structure. Signed-off-by: Davide Libenzi <> Ac...
Mikulas Patocka
b895b7886c1 plip: replace spin_lock_irq with spin_lock_irqsave in irq context
upstream commit: cabce28ec0a0ae3d0ddfa4461f0e8be94ade9e46 Plip uses spin_lock_irq/spin_unlock_irq in its IRQ handler (called from parport IRQ handler), the latter enables interrupts without parport subsystem IRQ handler expecting it. The bug can be seen if you compile kernel with lock dependency checking and use plip --- it produces a warning. This patch changes it to spin_lock_irqsave/spin_...
Alok Kataria
53def1fec24 acpi: fix "buggy BIOS check" when CPUs are hot removed
upstream commit: ba62b077871a5255e271f4fdae57167651839277 Fixes a BUG in ACPI hotplugging. processor_device_array[pr->id] needs to be set to NULL when removing a CPU. Else the "buggy BIOS check" in acpi_processor_start mistakenly fires when a CPU is removed from the system and then later re-added. Signed-off-by: Alok N Kataria <> Signed-off-by: Dan Arai <> C...
Roman Zippel
b1c9cdea40b HFS+: fix unlink of links
upstream commit: 76b0c26af2736b7e5b87e6ed7ab63901483d5736 Some time ago while attempting to handle invalid link counts, I botched the unlink of links itself, so this patch fixes this now correctly, so that only the link count of nodes that don't point to links is ignored. Thanks to Vlado Plaga <> to notify me of this problem. Signed-off-by: Roman Zippel <zippel@linux-m68...
Hartmut Hackmann
aff170c0b3f DVB: tda10086: make the 22kHz tone for DISEQC a config option
(backported from commit ea75baf4b0f117564bd50827a49c4b14d61d24e9) Some cards need the diseqc signal modulated, while some just need the envelope to control the LNB supply. This fixes Bug 9887 Signed-off-by: Hartmut Hackmann <> Acked-by: Oliver Endriss <> Signed-off-by: Mauro Carvalho Chehab <> Cc: Hermann Pitton <hermann-pitton...
David S. Miller
1ff9e6f4776 SPARC64: Fix FPU saving in 64-bit signal handling.
Upstream commit: 7c3cce978e4f933ac13758ec5d2554fc8d0927d2 The calculation of the FPU reg save area pointer was wrong. Based upon an OOPS report from Tom Callaway. Signed-off-by: David S. Miller <> Signed-off-by: Chris Wright <>
Dave Young
d5a425ea8e2 bluetooth: hci_core: defer hci_unregister_sysfs()
upstream commit: 147e2d59833e994cc99341806a88b9e59be41391 Alon Bar-Lev reports: Feb 16 23:41:33 alon1 usb 3-1: configuration #1 chosen from 1 choice Feb 16 23:41:33 alon1 BUG: unable to handle kernel NULL pointer dereference at virtual address 00000008 Feb 16 23:41:33 alon1 printing eip: c01b2db6 *pde = 00000000 Feb 16 23:41:33 alon1 Oops: 0000 [#1] PREEMPT Feb 16 23:41:33 alon1 Modules link...
Francois Romieu
93ea6ab18c1 sis190: read the mac address from the eeprom first
upstream commit: 563e0ae06ff18f0b280f11cf706ba0172255ce52 Reading a series of zero from the cmos sram area does not work well with is_valid_ether_addr(). Let's read the mac address from the eeprom first as it seems more reliable. Fix for Signed-off-by: Francois Romieu <> Signed-off-by: Jeff Garzik <> dsd@gentoo....
Tejun Heo
6cee5037c7c libata: assume no device is attached if both IDENTIFYs are aborted
upstream commit: 1ffc151fcddf524d0c76709d7e7a2af0255acb6b This is to fix bugzilla #10254. QSI cdrom attached to pata_sis as secondary master appears as phantom device for the slave. Interestingly, instead of not setting DRQ after IDENTIFY which triggers NODEV_HINT, it aborts both IDENTIFY and IDENTIFY PACKET which makes EH retry. Modify EH such that it assumes no device is attached if both f...
David S. Miller
3923d91d2ad SPARC64: flush_ptrace_access() needs preemption disable.
Upstream commit: f6a843d939ade435e060d580f5c56d958464f8a5 Based upon a report by Mariusz Kozlowski. Signed-off-by: David S. Miller <> Signed-off-by: Chris Wright <>
David S. Miller
8b337d60a52 SPARC64: Fix __get_cpu_var in preemption-enabled area.
Upstream commit: 69072f6e8e4bd4799d2a54e4ff8771d0657512c1 Reported by Mariusz Kozlowski. Signed-off-by: David S. Miller <> Signed-off-by: Chris Wright <>