Author | Commit | Message | Commit date | Issues | |
---|---|---|---|---|---|
Pavel Emelyanov | 4fd5f77f463 | OpenVZ kernel 2.6.27-repin released. Called after Ilya Yefimovich Repin - a leading Russian painter and sculptor of the Peredvizhniki artistic school Signed-off-by: Pavel Emelyanov <xemul@openvz.org> | |||
David Ford | 310a780f027 | ipv4: additional update of dev_net(dev) to struct *net in ip_fragment.c, NULL ptr OOPS ipv4 ip_frag_reasm(), fully replace 'dev_net(dev)' with 'net', defined previously patched into 2.6.29. Between 2.6.28.10 and 2.6.29, net/ipv4/ip_fragment.c was patched, changing from dev_net(dev) to container_of(...). Unfortunately the goto section (out_fail) on oversized packets inside ip_frag_reasm() did... | |||
Jorge Boncompte [DTI2] | 2fd921d1cbe | netns: oops in ip[6]_frag_reasm incrementing stats. dev can be NULL in ip[6]_frag_reasm for skb's coming from RAW sockets. Quagga's OSPFD sends fragmented packets on a RAW socket, when netfilter conntrack reassembles them on the OUTPUT path you hit this code path. You can test it with something like "hping2 -0 -d 2000 -f AA.BB.CC.DD" With help from Jarek Poplawski. [xemul: Removed the ipv6 ... | |||
Pavel Emelyanov | eaa706b0bda | Merged linux-2.6.27.57. Conflicts: Makefile | |||
Pavel Emelaynov | ef4c5bc76fe | OpenVZ kernel 2.6.27-levitan released. Called after Vasily Dmitrievich Polenov - a Russian landscape painter Signed-off-by: Pavel Emelyanov <xemul@openvz.org> | |||
Andrey Vagin | e25d033a625 | vzdq: ignore remount commands. vzquota writes nothing, so it can remain running even if the fs is remounted in readonly. http://bugzilla.openvz.org/show_bug.cgi?id=1400 Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@openvz.org> | |||
Pavel Emelaynov | 2360ebb1648M | Merged linux-2.6.27.56. Conflicts: Makefile | |||
Greg Kroah-Hartman | 15816687e08 | Linux 2.6.27.56 | |||
Christof Schmitt | 7a951eac442 | Fix race when removing SCSI devices. commit 546ae796bfac6399e30da4b5af2cf7a6d0f8a4ec upstream. Removing SCSI devices through echo 1 > /sys/bus/scsi/devices/ ... /delete while the FC transport class removes the SCSI target can lead to an oops: Unable to handle kernel pointer dereference at virtual kernel address 00000000b6815000 Oops: 0011 [#1] PREEMPT SMP DEBUG_PAGEALLOC Modules linked in: sunrpc qeth_l3 binfmt_misc dm_multipat... | |||
Dan Carpenter | c47f5a57a00 | gdth: integer overflow in ioctl. commit f63ae56e4e97fb12053590e41a4fa59e7daa74a4 upstream. gdth_ioctl_alloc() takes the size variable as an int. copy_from_user() takes the size variable as an unsigned long. gen.data_len and gen.sense_len are unsigned longs. On x86_64 longs are 64 bit and ints are 32 bit. We could pass in a very large number and the allocation would truncate the size to 32 bits and allocate a small buffer. T... | |||
David Milburn | 2415dee5957 | libsas: fix NCQ mixing with non-NCQ. commit f0ad30d3d2dc924decc0e10b1ff6dc32525a5d99 upstream. Some cards (like mvsas) have issue troubles if non-NCQ commands are mixed with NCQ ones. Fix this by using the libata default NCQ check routine which waits until all NCQ commands are complete before issuing a non-NCQ one. The impact to cards (like aic94xx) which don't need this logic should be minimal Signed-off-by: James Bottomley <... | |||
Mathieu Desnoyers | bfa24c0d957 | sched: Fix string comparison in /proc/sched_features. commit 7740191cd909b75d75685fb08a5d1f54b8a9d28b upstream. Fix incorrect handling of the following case: INTERACTIVE INTERACTIVE_SOMETHING_ELSE The comparison only checks up to each element's length. Changelog since v1: - Embellish using some Rostedtisms. [ mingo: ^^ == smaller and cleaner ] Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Reviewed-by: ... | |||
Vasiliy Kulikov | 6dbb2b0e38a | pcmcia: synclink_cs: fix information leak to userland. commit 5b917a1420d3d1a9c8da49fb0090692dc9aaee86 upstream. Structure new_line is copied to userland with some padding fields uninitialized. It leads to leaking of stack memory. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |||
Greg Kroah-Hartman | 89f5bcae3a7 | Linux 2.6.27.55 | |||
Roland McGrath | 358b1c7959f | execve: make responsive to SIGKILL with large arguments. commit 9aea5a65aa7a1af9a4236dfaeb0088f1624f9919 upstream. An execve with a very large total of argument/environment strings can take a really long time in the execve system call. It runs uninterruptibly to count and copy all the strings. This change makes it abort the exec quickly if sent a SIGKILL. Note that this is the conservative change, to interrupt only for SIGKILL, by using fatal_sig... | |||
Roland McGrath | 7a6c02774aa | execve: improve interactivity with large arguments. commit 7993bc1f4663c0db67bb8f0d98e6678145b387cd upstream. This adds a preemption point during the copying of the argument and environment strings for execve, in copy_strings(). There is already a preemption point in the count() loop, so this doesn't add any new points in the abstract sense. When the total argument+environment strings are very large, the time spent copying them can be much mo... | |||
Roland McGrath | a32489590e5 | setup_arg_pages: diagnose excessive argument size. commit 1b528181b2ffa14721fb28ad1bd539fe1732c583 upstream. The CONFIG_STACK_GROWSDOWN variant of setup_arg_pages() does not check the size of the argument/environment area on the stack. When it is unworkably large, shift_arg_pages() hits its BUG_ON. This is exploitable with a very large RLIMIT_STACK limit, to create a crash pretty easily. Check that the initial stack is not too large to make i... | |||
Paul Fertser | 1ebafa01d2a | b44: fix carrier detection on bind. commit bcf64aa379fcadd074449cbf0c049da70071b06f upstream. For carrier detection to work properly when binding the driver with a cable unplugged, netif_carrier_off() should be called after register_netdev(), not before. Signed-off-by: Paul Fertser <fercerpav@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |||
Michael Neuling | e98637ef0ae | powerpc: Don't use kernel stack with translation off. commit 54a834043314c257210db2a9d59f8cc605571639 upstream. In f761622e59433130bc33ad086ce219feee9eb961 we changed early_setup_secondary so it's called using the proper kernel stack rather than the emergency one. Unfortunately, this stack pointer can't be used when translation is off on PHYP as this stack pointer might be outside the RMO. This results in the following on all non zero cpus: c... | |||
Matt Evans | 9bf670e5d36 | powerpc: Initialise paca->kstack before early_setup_secondary. commit f761622e59433130bc33ad086ce219feee9eb961 upstream. As early setup calls down to slb_initialize(), we must have kstack initialised before checking "should we add a bolted SLB entry for our kstack?" Failing to do so means stack access requires an SLB miss exception to refill an entry dynamically, if the stack isn't accessible via SLB(0) (kernel text & static data). It's not always allow... | |||
Ben Hutchings | c52425062ae | r6040: Fix multicast list iteration when hash filter is used. This was fixed in mainline by the interface change made in commit f9dcbcc9e338d08c0f7de7eba4eaafbbb7f81249. After walking the multicast list to set up the hash filter, this function will walk off the end of the list when filling the exact-match entries. This was fixed in mainline by the interface change made in commit f9dcbcc9e338d08c0f7de7eba4eaafbbb7f81249. Reported-by: spamalot@hispeed.ch... | |||
Florian Fainelli | 1ad2b6fea22 | r6040: fix r6040_multicast_list. commit 3bcf8229a8c49769e48d3e0bd1e20d8e003f8106 upstream. As reported in <https://bugzilla.kernel.org/show_bug.cgi?id=15355>, r6040_multicast_list currently crashes. This is due to a wrong maximum of multicast entries. This patch fixes the following issues with multicast: - number of maximum entries is off-by-one (4 instead of 3) - the writing of the hash table index is not necessary and leads... | |||
FUJITA Tomonori | 41ace54c2c2 | bsg: fix incorrect device_status value. commit 478971600e47cb83ff2d3c63c5c24f2b04b0d6a1 upstream. bsg incorrectly returns sg's masked_status value for device_status. [jejb: fix up expression logic] Reported-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Signed-off-by: James Bottomley <James.Bottomley@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |||
Luca Tettamanti | 8f371eacfd1 | atl1: fix resume. commit ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 upstream. adapter->cmb.cmb is initialized when the device is opened and freed when it's closed. Accessing it unconditionally during resume results either in a crash (NULL pointer dereference, when the interface has not been opened yet) or data corruption (when the interface has been used and brought down adapter->cmb.cmb points to a deallocated m... | |||
Johannes Berg | 45d787b8a94 | wext: fix potential private ioctl memory content leak. commit df6d02300f7c2fbd0fbe626d819c8e5237d72c62 upstream. When a driver doesn't fill the entire buffer, old heap contents may remain, and if it also doesn't update the length properly, this old heap content will be copied back to userspace. It is very unlikely that this happens in any of the drivers using private ioctls since it would show up as junk being reported by iwpriv, but it seems bet... | |||
Simon Guinot | 1aa14af44cc | dmaengine: fix interrupt clearing for mv_xor. commit cc60f8878eab892c03d06b10f389232b9b66bd83 upstream. When using simultaneously the two DMA channels on a same engine, some transfers are never completed. For example, an endless lock can occur while writing heavily on a RAID5 array (with async-tx offload support enabled). Note that this issue can also be reproduced by using the DMA test client. On a same engine, the interrupt cause regi... | |||
Linus Torvalds | 0243e39b20b | v4l1: fix 32-bit compat microcode loading translation. commit 3e645d6b485446c54c6745c5e2cf5c528fe4deec upstream. The compat code for the VIDIOCSMICROCODE ioctl is totally buggered. It's only used by the VIDEO_STRADIS driver, and that one is scheduled to staging and eventually removed unless somebody steps up to maintain it (at which point it should use request_firmware() rather than some magic ioctl). So we'll get rid of it eventually. But in th... | |||
Dan Rosenberg | 56b40aa2ea3 | ALSA: prevent heap corruption in snd_ctl_new(). commit 5591bf07225523600450edd9e6ad258bb877b779 upstream. The snd_ctl_new() function in sound/core/control.c allocates space for a snd_kcontrol struct by performing arithmetic operations on a user-provided size without checking for integer overflow. If a user provides a large enough size, an overflow will occur, the allocated chunk will be too small, and a second user-influenced value will be... | |||
Dan Rosenberg | 7b1178dc25f | ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory. commit e68d3b316ab7b02a074edc4f770e6a746390cb7d upstream. The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow unprivileged users to read uninitialized kernel stack memory, because several fields of the hdsp{m}_config_info structs declared on the stack are not altered or zeroed before being copied back to the user. This patch takes care ... | |||
Tony Luck | 207988da56b | guard page for stacks that grow upwards. commit 8ca3eb08097f6839b2206e2242db4179aee3cfb3 upstream. pa-risc and ia64 have stacks that grow upwards. Check that they do not run into other mappings. By making VM_GROWSUP 0x0 on architectures that do not ever use it, we can avoid some unpleasant #ifdefs in check_stack_guard_page(). Signed-off-by: Tony Luck <tony.luck@intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>... | |||
Jeff Moyer | 5f2a867eb3c | aio: check for multiplication overflow in do_io_submit. commit 75e1c70fc31490ef8a373ea2a4bea2524099b478 upstream. Tavis Ormandy pointed out that do_io_submit does not do proper bounds checking on the passed-in iocb array: if (unlikely(nr < 0)) return -EINVAL; if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp))))) return -EFAULT; ^^^^^^^^^^^^^^^^^^ The attached patch ch... | |||
Pavel Emelyanov | aba17c5813c | OpenVZ kernel 2.6.27-levitan released. Called after Isaac Ilyich Levitan - a classical Russian landscape painter. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> | |||
Pavel Emelyanov | 2b06dcf6ce8M | Merged linux-2.6.27.54. Conflicts: Makefile mm/memory.c mm/mmap.c | |||
Greg Kroah-Hartman | 4f49db69961 | Linux 2.6.27.54 | |||
Roland McGrath | 1b159e074a4 | x86-64, compat: Retruncate rax after ia32 syscall entry tracing. commit eefdca043e8391dcd719711716492063030b55ac upstream. In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a 32-bit tracee in system call entry. A %rax value set via ptrace at the entry tracing stop gets used whole as a 32-bit syscall number, while we only check the low 32 bits for validity. Fix it by truncating %rax back to 32 bits after syscall_trace_enter, in addit... | |||
Anton Vorontsov | 7a0e4cc1437 | apm_power: Add missing break statement. commit 1d220334d6a8a711149234dc5f98d34ae02226b8 upstream. The missing break statement causes wrong capacity calculation for batteries that report energy. Reported-by: d binderman <dcb314@hotmail.com> Signed-off-by: Anton Vorontsov <cbouatmailru@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |||
Guillem Jover | a804b54dcb9 | hwmon: (f75375s) Do not overwrite values read from registers. commit c3b327d60bbba3f5ff8fd87d1efc0e95eb6c121b upstream. All bits in the values read from registers to be used for the next write were getting overwritten, avoid doing so to not mess with the current configuration. Signed-off-by: Guillem Jover <guillem@hadrons.org> Cc: Riku Voipio <riku.voipio@iki.fi> Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@... | |||
Guillem Jover | 14df2c15035 | hwmon: (f75375s) Shift control mode to the correct bit position. commit 96f3640894012be7dd15a384566bfdc18297bc6c upstream. The spec notes that fan0 and fan1 control mode bits are located in bits 7-6 and 5-4 respectively, but the FAN_CTRL_MODE macro was making the bits shift by 5 instead of by 4. Signed-off-by: Guillem Jover <guillem@hadrons.org> Cc: Riku Voipio <riku.voipio@iki.fi> Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-... | |||
H. Peter Anvin | 1d3fb6bbb5c | compat: Make compat_alloc_user_space() incorporate the access_ok(). commit c41d68a513c71e35a14f66d71782d27a79a81ea6 upstream. compat_alloc_user_space() expects the caller to independently call access_ok() to verify the returned area. A missing call could introduce problems on some architectures. This patch incorporates the access_ok() check into compat_alloc_user_space() and also adds a sanity check on the length. The existing compat_alloc_user_space() imple... | |||
H. Peter Anvin | 18023624ec3 | x86-64, compat: Test %rax for the syscall number, not %eax. commit 36d001c70d8a0144ac1d038f6876c484849a74de upstream. On 64 bits, we always, by necessity, jump through the system call table via %rax. For 32-bit system calls, in theory the system call number is stored in %eax, and the code was testing %eax for a valid system call number. At one point we loaded the stored value back from the stack to enforce zero-extension, but that was removed in chec... | |||
Gary King | c0a328941a7 | bounce: call flush_dcache_page() after bounce_copy_vec(). commit ac8456d6f9a3011c824176bd6084d39e5f70a382 upstream. I have been seeing problems on Tegra 2 (ARMv7 SMP) systems with HIGHMEM enabled on 2.6.35 (plus some patches targeted at 2.6.36 to perform cache maintenance lazily), and the root cause appears to be that the mm bouncing code is calling flush_dcache_page before it copies the bounce buffer into the bio. The bounced page needs to be flus... | |||
Dan Carpenter | a80e26256af | irda: off by one. commit cf9b94f88bdbe8a02015fc30d7c232b2d262d4ad upstream. This is an off by one. We would go past the end when we NUL terminate the "value" string at end of the function. The "value" buffer is allocated in irlan_client_parse_response() or irlan_provider_parse_command(). CC: stable@kernel.org Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> | |||
Steven Rostedt | 9af1d24a2b1 | tracing: Do not allow llseek to set_ftrace_filter. commit 9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7 upstream. Reading the file set_ftrace_filter does three things. 1) shows whether or not filters are set for the function tracer 2) shows what functions are set for the function tracer 3) shows what triggers are set on any functions 3 is independent from 1 and 2. The way this file currently works is that it is a state machine, and as you read i... | |||
Luis R. Rodriguez | d14a2c2005c | ath9k_hw: fix parsing of HT40 5 GHz CTLs. commit 904879748d7439a6dabdc6be9aad983e216b027d upstream. The 5 GHz CTL indexes were not being read for all hardware devices due to the masking out through the CTL_MODE_M mask being one bit too short. Without this the calibrated regulatory maximum values were not being picked up when devices operate on 5 GHz in HT40 mode. The final output power used for Atheros devices is the minimum between t... | |||
Takashi Iwai | d0d3c686c7c | ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open(). commit 27f7ad53829f79e799a253285318bff79ece15bd upstream. The error handling in snd_seq_oss_open() has several bad codes that do dereferencing released pointers and double-free of kmalloc'ed data. The object dp is released in free_devinfo() that is called via private_free callback. The rest shouldn't touch this object any more. The patch changes delete_port() to call kfree() in any case, and g... | CVE-2010 | ||
Greg Kroah-Hartman | 10089188980 | Linux 2.6.27.53 | |||
Greg Kroah-Hartman | 7bb7a0dd003 | USB: io_ti: check firmware version before updating. commit 0827a9ff2bbcbb03c33f1a6eb283fe051059482c upstream. If we can't read the firmware for a device from the disk, and yet the device already has a valid firmware image in it, we don't want to replace the firmware with something invalid. So check the version number to be less than the current one to verify this is the correct thing to do. Reported-by: Chris Beauchamp <chris@chillibean.tv> ... | |||
Ross Burton | 38cebc0e22e | USB: add device IDs for igotu to navman. commit 0eee6a2b2a52e17066a572d30ad2805d3ebc7508 upstream. I recently bought an i-gotU USB GPS, and whilst hunting around for linux support discovered this post by you back in 2009: http://kerneltrap.org/mailarchive/linux-usb/2009/3/12/5148644 >Try the navman driver instead. You can either add the device id to the > driver and rebuild it, or do this before you plug the device in: > modprobe ... | GT-600 | ||
Dave Airlie | 2afa902362e | drm: stop information leak of old kernel stack. commit b9f0aee83335db1f3915f4e42a5e21b351740afd upstream. non-critical issue, CVE-2010-2803 Userspace controls the amount of memory to be allocated, so it can get the ioctl to allocate more memory than the kernel uses, and get access to kernel stack. This can only be done for processes authenticated to the X server for DRI access, and if the user has DRI access. Fix is to just memset the data... | CVE-2010 | ||
Jan Beulich | 346767e3c92 | fixes for using make 3.82. commit 3c955b407a084810f57260d61548cc92c14bc627 upstream. It doesn't like pattern and explicit rules to be on the same line, and it seems to be more picky when matching file (or really directory) names with different numbers of trailing slashes. Signed-off-by: Jan Beulich <jbeulich@novell.com> Acked-by: Sam Ravnborg <sam@ravnborg.org> Andrew Benton <b3nton@gmail.com> Signed-off-by: Michal Mar... |