OpenVZ-legacy
linux-2.6.27-openvz (Public)

Commit list (fields: Author, Commit, Message, Commit date, Issues)
Author: Pavel Emelyanov
Commit: 4fd5f77f463
Message: OpenVZ kernel 2.6.27-repin released
    Called after Ilya Yefimovich Repin - a leading Russian painter and sculptor of the Peredvizhniki artistic school
    Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Author: David Ford (committer: Pavel Emelyanov)
Commit: 310a780f027
Message: ipv4: additional update of dev_net(dev) to struct *net in ip_fragment.c, NULL ptr OOPS
    ipv4 ip_frag_reasm(), fully replace 'dev_net(dev)' with 'net', defined previously patched into 2.6.29. Between 2.6.28.10 and 2.6.29, net/ipv4/ip_fragment.c was patched, changing from dev_net(dev) to container_of(...). Unfortunately the goto section (out_fail) on oversized packets inside ip_frag_reasm() did...
Author: Jorge Boncompte [DTI2] (committer: Pavel Emelyanov)
Commit: 2fd921d1cbe
Message: netns: oops in ip[6]_frag_reasm incrementing stats
    dev can be NULL in ip[6]_frag_reasm for skb's coming from RAW sockets. Quagga's OSPFD sends fragmented packets on a RAW socket; when netfilter conntrack reassembles them on the OUTPUT path you hit this code path. You can test it with something like "hping2 -0 -d 2000 -f AA.BB.CC.DD"
    With help from Jarek Poplawski.
    [xemul: Removed the ipv6 ...
Author: Pavel Emelyanov
Commit: eaa706b0bda
Message: Merged linux-2.6.27.57
    Conflicts: Makefile
Author: Pavel Emelaynov (committer: Pavel Emelyanov)
Commit: ef4c5bc76fe
Message: OpenVZ kernel 2.6.27-levitan released
    Called after Vasily Dmitrievich Polenov - a Russian landscape painter
    Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Author: Andrey Vagin (committer: Pavel Emelyanov)
Commit: e25d033a625
Message: vzdq: ignore remount commands
    vzquota writes nothing, so it can remain running even if the fs is remounted in readonly.
    http://bugzilla.openvz.org/show_bug.cgi?id=1400
    Signed-off-by: Andrey Vagin <avagin@openvz.org>
    Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Author: Pavel Emelaynov (committer: Pavel Emelyanov)
Commit: 2360ebb1648
Message: Merged linux-2.6.27.56
    Conflicts: Makefile
Author: Greg Kroah-Hartman
Commit: 15816687e08
Message: Linux 2.6.27.56
Author: Christof Schmitt (committer: Greg Kroah-Hartman)
Commit: 7a951eac442
Message: Fix race when removing SCSI devices
    commit 546ae796bfac6399e30da4b5af2cf7a6d0f8a4ec upstream.
    Removing SCSI devices through echo 1 > /sys/bus/scsi/devices/ ... /delete while the FC transport class removes the SCSI target can lead to an oops:
    Unable to handle kernel pointer dereference at virtual kernel address 00000000b6815000
    Oops: 0011 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    Modules linked in: sunrpc qeth_l3 binfmt_misc dm_multipat...
Author: Dan Carpenter (committer: Greg Kroah-Hartman)
Commit: c47f5a57a00
Message: gdth: integer overflow in ioctl
    commit f63ae56e4e97fb12053590e41a4fa59e7daa74a4 upstream.
    gdth_ioctl_alloc() takes the size variable as an int. copy_from_user() takes the size variable as an unsigned long. gen.data_len and gen.sense_len are unsigned longs. On x86_64 longs are 64 bit and ints are 32 bit. We could pass in a very large number and the allocation would truncate the size to 32 bits and allocate a small buffer. T...
Author: David Milburn (committer: Greg Kroah-Hartman)
Commit: 2415dee5957
Message: libsas: fix NCQ mixing with non-NCQ
    commit f0ad30d3d2dc924decc0e10b1ff6dc32525a5d99 upstream.
    Some cards (like mvsas) have issue troubles if non-NCQ commands are mixed with NCQ ones. Fix this by using the libata default NCQ check routine which waits until all NCQ commands are complete before issuing a non-NCQ one. The impact to cards (like aic94xx) which don't need this logic should be minimal
    Signed-off-by: James Bottomley <...
Author: Mathieu Desnoyers (committer: Greg Kroah-Hartman)
Commit: bfa24c0d957
Message: sched: Fix string comparison in /proc/sched_features
    commit 7740191cd909b75d75685fb08a5d1f54b8a9d28b upstream.
    Fix incorrect handling of the following case:
        INTERACTIVE
        INTERACTIVE_SOMETHING_ELSE
    The comparison only checks up to each element's length.
    Changelog since v1:
    - Embellish using some Rostedtisms. [ mingo: ^^ == smaller and cleaner ]
    Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Reviewed-by: ...
Author: Vasiliy Kulikov (committer: Greg Kroah-Hartman)
Commit: 6dbb2b0e38a
Message: pcmcia: synclink_cs: fix information leak to userland
    commit 5b917a1420d3d1a9c8da49fb0090692dc9aaee86 upstream.
    Structure new_line is copied to userland with some padding fields uninitialized. It leads to leaking of stack memory.
    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Author: Greg Kroah-Hartman
Commit: 89f5bcae3a7
Message: Linux 2.6.27.55
Author: Roland McGrath (committer: Greg Kroah-Hartman)
Commit: 358b1c7959f
Message: execve: make responsive to SIGKILL with large arguments
    commit 9aea5a65aa7a1af9a4236dfaeb0088f1624f9919 upstream.
    An execve with a very large total of argument/environment strings can take a really long time in the execve system call. It runs uninterruptibly to count and copy all the strings. This change makes it abort the exec quickly if sent a SIGKILL. Note that this is the conservative change, to interrupt only for SIGKILL, by using fatal_sig...
Author: Roland McGrath (committer: Greg Kroah-Hartman)
Commit: 7a6c02774aa
Message: execve: improve interactivity with large arguments
    commit 7993bc1f4663c0db67bb8f0d98e6678145b387cd upstream.
    This adds a preemption point during the copying of the argument and environment strings for execve, in copy_strings(). There is already a preemption point in the count() loop, so this doesn't add any new points in the abstract sense. When the total argument+environment strings are very large, the time spent copying them can be much mo...
Author: Roland McGrath (committer: Greg Kroah-Hartman)
Commit: a32489590e5
Message: setup_arg_pages: diagnose excessive argument size
    commit 1b528181b2ffa14721fb28ad1bd539fe1732c583 upstream.
    The CONFIG_STACK_GROWSDOWN variant of setup_arg_pages() does not check the size of the argument/environment area on the stack. When it is unworkably large, shift_arg_pages() hits its BUG_ON. This is exploitable with a very large RLIMIT_STACK limit, to create a crash pretty easily. Check that the initial stack is not too large to make i...
Author: Paul Fertser (committer: Greg Kroah-Hartman)
Commit: 1ebafa01d2a
Message: b44: fix carrier detection on bind
    commit bcf64aa379fcadd074449cbf0c049da70071b06f upstream.
    For carrier detection to work properly when binding the driver with a cable unplugged, netif_carrier_off() should be called after register_netdev(), not before.
    Signed-off-by: Paul Fertser <fercerpav@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Author: Michael Neuling (committer: Greg Kroah-Hartman)
Commit: e98637ef0ae
Message: powerpc: Don't use kernel stack with translation off
    commit 54a834043314c257210db2a9d59f8cc605571639 upstream.
    In f761622e59433130bc33ad086ce219feee9eb961 we changed early_setup_secondary so it's called using the proper kernel stack rather than the emergency one. Unfortunately, this stack pointer can't be used when translation is off on PHYP as this stack pointer might be outside the RMO. This results in the following on all non zero cpus: c...
Author: Matt Evans (committer: Greg Kroah-Hartman)
Commit: 9bf670e5d36
Message: powerpc: Initialise paca->kstack before early_setup_secondary
    commit f761622e59433130bc33ad086ce219feee9eb961 upstream.
    As early setup calls down to slb_initialize(), we must have kstack initialised before checking "should we add a bolted SLB entry for our kstack?" Failing to do so means stack access requires an SLB miss exception to refill an entry dynamically, if the stack isn't accessible via SLB(0) (kernel text & static data). It's not always allow...
Author: Ben Hutchings (committer: Greg Kroah-Hartman)
Commit: c52425062ae
Message: r6040: Fix multicast list iteration when hash filter is used
    This was fixed in mainline by the interface change made in commit f9dcbcc9e338d08c0f7de7eba4eaafbbb7f81249.
    After walking the multicast list to set up the hash filter, this function will walk off the end of the list when filling the exact-match entries.
    This was fixed in mainline by the interface change made in commit f9dcbcc9e338d08c0f7de7eba4eaafbbb7f81249.
    Reported-by: spamalot@hispeed.ch...
Author: Florian Fainelli (committer: Greg Kroah-Hartman)
Commit: 1ad2b6fea22
Message: r6040: fix r6040_multicast_list
    commit 3bcf8229a8c49769e48d3e0bd1e20d8e003f8106 upstream.
    As reported in <https://bugzilla.kernel.org/show_bug.cgi?id=15355>, r6040_multicast_list currently crashes. This is due to a wrong maximum of multicast entries. This patch fixes the following issues with multicast:
    - number of maximum entries is off-by-one (4 instead of 3)
    - the writing of the hash table index is not necessary and leads...
Author: FUJITA Tomonori (committer: Greg Kroah-Hartman)
Commit: 41ace54c2c2
Message: bsg: fix incorrect device_status value
    commit 478971600e47cb83ff2d3c63c5c24f2b04b0d6a1 upstream.
    bsg incorrectly returns sg's masked_status value for device_status.
    [jejb: fix up expression logic]
    Reported-by: Douglas Gilbert <dgilbert@interlog.com>
    Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
    Signed-off-by: James Bottomley <James.Bottomley@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Author: Luca Tettamanti (committer: Greg Kroah-Hartman)
Commit: 8f371eacfd1
Message: atl1: fix resume
    commit ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 upstream.
    adapter->cmb.cmb is initialized when the device is opened and freed when it's closed. Accessing it unconditionally during resume results either in a crash (NULL pointer dereference, when the interface has not been opened yet) or data corruption (when the interface has been used and brought down adapter->cmb.cmb points to a deallocated m...
Author: Johannes Berg (committer: Greg Kroah-Hartman)
Commit: 45d787b8a94
Message: wext: fix potential private ioctl memory content leak
    commit df6d02300f7c2fbd0fbe626d819c8e5237d72c62 upstream.
    When a driver doesn't fill the entire buffer, old heap contents may remain, and if it also doesn't update the length properly, this old heap content will be copied back to userspace. It is very unlikely that this happens in any of the drivers using private ioctls since it would show up as junk being reported by iwpriv, but it seems bet...
Author: Simon Guinot (committer: Greg Kroah-Hartman)
Commit: 1aa14af44cc
Message: dmaengine: fix interrupt clearing for mv_xor
    commit cc60f8878eab892c03d06b10f389232b9b66bd83 upstream.
    When using simultaneously the two DMA channels on a same engine, some transfers are never completed. For example, an endless lock can occur while writing heavily on a RAID5 array (with async-tx offload support enabled). Note that this issue can also be reproduced by using the DMA test client. On a same engine, the interrupt cause regi...
Author: Linus Torvalds (committer: Greg Kroah-Hartman)
Commit: 0243e39b20b
Message: v4l1: fix 32-bit compat microcode loading translation
    commit 3e645d6b485446c54c6745c5e2cf5c528fe4deec upstream.
    The compat code for the VIDIOCSMICROCODE ioctl is totally buggered. It's only used by the VIDEO_STRADIS driver, and that one is scheduled to staging and eventually removed unless somebody steps up to maintain it (at which point it should use request_firmware() rather than some magic ioctl). So we'll get rid of it eventually. But in th...
Author: Dan Rosenberg (committer: Greg Kroah-Hartman)
Commit: 56b40aa2ea3
Message: ALSA: prevent heap corruption in snd_ctl_new()
    commit 5591bf07225523600450edd9e6ad258bb877b779 upstream.
    The snd_ctl_new() function in sound/core/control.c allocates space for a snd_kcontrol struct by performing arithmetic operations on a user-provided size without checking for integer overflow. If a user provides a large enough size, an overflow will occur, the allocated chunk will be too small, and a second user-influenced value will be...
Author: Dan Rosenberg (committer: Greg Kroah-Hartman)
Commit: 7b1178dc25f
Message: ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory
    commit e68d3b316ab7b02a074edc4f770e6a746390cb7d upstream.
    The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow unprivileged users to read uninitialized kernel stack memory, because several fields of the hdsp{m}_config_info structs declared on the stack are not altered or zeroed before being copied back to the user. This patch takes care ...
Author: Tony Luck (committer: Greg Kroah-Hartman)
Commit: 207988da56b
Message: guard page for stacks that grow upwards
    commit 8ca3eb08097f6839b2206e2242db4179aee3cfb3 upstream.
    pa-risc and ia64 have stacks that grow upwards. Check that they do not run into other mappings. By making VM_GROWSUP 0x0 on architectures that do not ever use it, we can avoid some unpleasant #ifdefs in check_stack_guard_page().
    Signed-off-by: Tony Luck <tony.luck@intel.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>...
Author: Jeff Moyer (committer: Greg Kroah-Hartman)
Commit: 5f2a867eb3c
Message: aio: check for multiplication overflow in do_io_submit
    commit 75e1c70fc31490ef8a373ea2a4bea2524099b478 upstream.
    Tavis Ormandy pointed out that do_io_submit does not do proper bounds checking on the passed-in iocb array:

            if (unlikely(nr < 0))
                    return -EINVAL;

            if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
                    return -EFAULT;
                                                          ^^^^^^^^^^^^^^^^^^

    The attached patch ch...
Author: Pavel Emelyanov
Commit: aba17c5813c
Message: OpenVZ kernel 2.6.27-levitan released
    Called after Isaac Ilyich Levitan - a classical Russian landscape painter.
    Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Author: Pavel Emelyanov
Commit: 2b06dcf6ce8
Message: Merged linux-2.6.27.54
    Conflicts: Makefile mm/memory.c mm/mmap.c
Author: Greg Kroah-Hartman
Commit: 4f49db69961
Message: Linux 2.6.27.54
Author: Roland McGrath (committer: Greg Kroah-Hartman)
Commit: 1b159e074a4
Message: x86-64, compat: Retruncate rax after ia32 syscall entry tracing
    commit eefdca043e8391dcd719711716492063030b55ac upstream.
    In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a 32-bit tracee in system call entry. A %rax value set via ptrace at the entry tracing stop gets used whole as a 32-bit syscall number, while we only check the low 32 bits for validity. Fix it by truncating %rax back to 32 bits after syscall_trace_enter, in addit...
Author: Anton Vorontsov (committer: Greg Kroah-Hartman)
Commit: 7a0e4cc1437
Message: apm_power: Add missing break statement
    commit 1d220334d6a8a711149234dc5f98d34ae02226b8 upstream.
    The missing break statement causes wrong capacity calculation for batteries that report energy.
    Reported-by: d binderman <dcb314@hotmail.com>
    Signed-off-by: Anton Vorontsov <cbouatmailru@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Author: Guillem Jover (committer: Greg Kroah-Hartman)
Commit: a804b54dcb9
Message: hwmon: (f75375s) Do not overwrite values read from registers
    commit c3b327d60bbba3f5ff8fd87d1efc0e95eb6c121b upstream.
    All bits in the values read from registers to be used for the next write were getting overwritten, avoid doing so to not mess with the current configuration.
    Signed-off-by: Guillem Jover <guillem@hadrons.org>
    Cc: Riku Voipio <riku.voipio@iki.fi>
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@...
Author: Guillem Jover (committer: Greg Kroah-Hartman)
Commit: 14df2c15035
Message: hwmon: (f75375s) Shift control mode to the correct bit position
    commit 96f3640894012be7dd15a384566bfdc18297bc6c upstream.
    The spec notes that fan0 and fan1 control mode bits are located in bits 7-6 and 5-4 respectively, but the FAN_CTRL_MODE macro was making the bits shift by 5 instead of by 4.
    Signed-off-by: Guillem Jover <guillem@hadrons.org>
    Cc: Riku Voipio <riku.voipio@iki.fi>
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Greg Kroah-...
Author: H. Peter Anvin (committer: Greg Kroah-Hartman)
Commit: 1d3fb6bbb5c
Message: compat: Make compat_alloc_user_space() incorporate the access_ok()
    commit c41d68a513c71e35a14f66d71782d27a79a81ea6 upstream.
    compat_alloc_user_space() expects the caller to independently call access_ok() to verify the returned area. A missing call could introduce problems on some architectures. This patch incorporates the access_ok() check into compat_alloc_user_space() and also adds a sanity check on the length. The existing compat_alloc_user_space() imple...
Author: H. Peter Anvin (committer: Greg Kroah-Hartman)
Commit: 18023624ec3
Message: x86-64, compat: Test %rax for the syscall number, not %eax
    commit 36d001c70d8a0144ac1d038f6876c484849a74de upstream.
    On 64 bits, we always, by necessity, jump through the system call table via %rax. For 32-bit system calls, in theory the system call number is stored in %eax, and the code was testing %eax for a valid system call number. At one point we loaded the stored value back from the stack to enforce zero-extension, but that was removed in chec...
Author: Gary King (committer: Greg Kroah-Hartman)
Commit: c0a328941a7
Message: bounce: call flush_dcache_page() after bounce_copy_vec()
    commit ac8456d6f9a3011c824176bd6084d39e5f70a382 upstream.
    I have been seeing problems on Tegra 2 (ARMv7 SMP) systems with HIGHMEM enabled on 2.6.35 (plus some patches targeted at 2.6.36 to perform cache maintenance lazily), and the root cause appears to be that the mm bouncing code is calling flush_dcache_page before it copies the bounce buffer into the bio. The bounced page needs to be flus...
Author: Dan Carpenter (committer: Greg Kroah-Hartman)
Commit: a80e26256af
Message: irda: off by one
    commit cf9b94f88bdbe8a02015fc30d7c232b2d262d4ad upstream.
    This is an off by one. We would go past the end when we NUL terminate the "value" string at end of the function. The "value" buffer is allocated in irlan_client_parse_response() or irlan_provider_parse_command().
    CC: stable@kernel.org
    Signed-off-by: Dan Carpenter <error27@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
Author: Steven Rostedt (committer: Greg Kroah-Hartman)
Commit: 9af1d24a2b1
Message: tracing: Do not allow llseek to set_ftrace_filter
    commit 9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7 upstream.
    Reading the file set_ftrace_filter does three things.
    1) shows whether or not filters are set for the function tracer
    2) shows what functions are set for the function tracer
    3) shows what triggers are set on any functions
    3 is independent from 1 and 2. The way this file currently works is that it is a state machine, and as you read i...
Author: Luis R. Rodriguez (committer: Greg Kroah-Hartman)
Commit: d14a2c2005c
Message: ath9k_hw: fix parsing of HT40 5 GHz CTLs
    commit 904879748d7439a6dabdc6be9aad983e216b027d upstream.
    The 5 GHz CTL indexes were not being read for all hardware devices due to the masking out through the CTL_MODE_M mask being one bit too short. Without this the calibrated regulatory maximum values were not being picked up when devices operate on 5 GHz in HT40 mode. The final output power used for Atheros devices is the minimum between t...
Author: Takashi Iwai (committer: Greg Kroah-Hartman)
Commit: d0d3c686c7c
Message: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
    commit 27f7ad53829f79e799a253285318bff79ece15bd upstream.
    The error handling in snd_seq_oss_open() has several bad codes that do dereferencing released pointers and double-free of kmalloc'ed data. The object dp is released in free_devinfo() that is called via private_free callback. The rest shouldn't touch this object any more. The patch changes delete_port() to call kfree() in any case, and g...
Issues: CVE-2010
Author: Greg Kroah-Hartman
Commit: 10089188980
Message: Linux 2.6.27.53
Author: Greg Kroah-Hartman
Commit: 7bb7a0dd003
Message: USB: io_ti: check firmware version before updating
    commit 0827a9ff2bbcbb03c33f1a6eb283fe051059482c upstream.
    If we can't read the firmware for a device from the disk, and yet the device already has a valid firmware image in it, we don't want to replace the firmware with something invalid. So check the version number to be less than the current one to verify this is the correct thing to do.
    Reported-by: Chris Beauchamp <chris@chillibean.tv> ...
Author: Ross Burton (committer: Greg Kroah-Hartman)
Commit: 38cebc0e22e
Message: USB: add device IDs for igotu to navman
    commit 0eee6a2b2a52e17066a572d30ad2805d3ebc7508 upstream.
    I recently bought a i-gotU USB GPS, and whilst hunting around for linux support discovered this post by you back in 2009:
    http://kerneltrap.org/mailarchive/linux-usb/2009/3/12/5148644
    > Try the navman driver instead. You can either add the device id to the
    > driver and rebuild it, or do this before you plug the device in:
    > modprobe ...
Issues: GT-600
Author: Dave Airlie (committer: Greg Kroah-Hartman)
Commit: 2afa902362e
Message: drm: stop information leak of old kernel stack.
    commit b9f0aee83335db1f3915f4e42a5e21b351740afd upstream.
    non-critical issue, CVE-2010-2803
    Userspace controls the amount of memory to be allocated, so it can get the ioctl to allocate more memory than the kernel uses, and get access to kernel stack. This can only be done for processes authenticated to the X server for DRI access, and if the user has DRI access. Fix is to just memset the data...
Issues: CVE-2010
Author: Jan Beulich (committer: Greg Kroah-Hartman)
Commit: 346767e3c92
Message: fixes for using make 3.82
    commit 3c955b407a084810f57260d61548cc92c14bc627 upstream.
    It doesn't like pattern and explicit rules to be on the same line, and it seems to be more picky when matching file (or really directory) names with different numbers of trailing slashes.
    Signed-off-by: Jan Beulich <jbeulich@novell.com>
    Acked-by: Sam Ravnborg <sam@ravnborg.org>
    Andrew Benton <b3nton@gmail.com>
    Signed-off-by: Michal Mar...