Linux kernel source tree https://git.amat.us/linux/atom/?h=v2.6.23.16 2008-02-11T06:06:32Z 2008-02-11T06:06:32Z Greg Kroah-Hartman gregkh@suse.de 2008-02-11T06:06:32Z urn:sha1:4b30c359ac5e24782a1c908e7ba392bec9b4ff34 2008-02-11T06:02:37Z Bastian Blank bastian@waldi.eu.org 2008-02-10T14:47:57Z urn:sha1:a5ecc6655e2b6b2517001b6698b6a61ceb6ccd58 patch 712a30e63c8066ed84385b12edbfb804f49cbc44 in mainline. Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user pointer access verification") added the proper access_ok() calls to copy_from_user_mmap_sem() which ensures we can copy the struct iovecs from userspace to the kernel. But we also must check whether we can access the actual memory region pointed to by the struct iovec to fix the access checks properly. Signed-off-by: Bastian Blank <waldi@debian.org> Acked-by: Oliver Pinter <oliver.pntr@gmail.com> Cc: Jens Axboe <jens.axboe@oracle.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-02-08T20:05:19Z Greg Kroah-Hartman gregkh@suse.de 2008-02-08T20:05:19Z urn:sha1:23e4fef098fdc2205ab1be218f11d5b8078d9123 2008-02-08T20:01:52Z Jens Axboe jens.axboe@oracle.com 2008-02-08T16:49:14Z urn:sha1:6b2b03268d549b6446d1b148f0262f87ef737492 patch 8811930dc74a503415b35c4a79d14fb0b408a361 in mainline. vmsplice_to_user() must always check the user pointer and length with access_ok() before copying. Likewise, for the slow path of copy_from_user_mmap_sem() we need to check that we may read from the user region. Signed-off-by: Jens Axboe <jens.axboe@oracle.com> Cc: Wojciech Purczynski <cliph@research.coseinc.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2008-02-08T20:01:52Z Ian Abbott abbotti@mev.co.uk 2008-02-04T13:52:38Z urn:sha1:f70995b2044350bd966a32ecf43164c204293689 This patch works around a problem in the fakephp driver when a process writing "0" to a "power" sysfs file to fake removal of a PCI device ends up deadlocking itself in the sysfs code. The patch is functionally identical to the one in Linus' tree post 2.6.24: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=5c796ae7a7ebe56967ed9b9963d7c16d733635ff I have tested it on a 2.6.23 kernel. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-02-08T20:01:51Z Len Brown len.brown@intel.com 2008-02-04T05:38:13Z urn:sha1:a1959dbf34a76f7c21f4d5c842af8dd376a904a8 This patch is appropriate for supporting a 2.6.23-based products. Signed-off-by: Len Brown <len.brown@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-02-08T20:01:50Z Jay Cliburn jacliburn@bellsouth.net 2008-01-31T02:11:08Z urn:sha1:d57625ca789cdddf99b5f6540722dc9b77ce9845 Upstream commit: 2a49128f0a6edee337174ea341c1d6d7565be350 The driver sets up the hardware to accept a frame with max length equal to MTU + Ethernet header + FCS + VLAN tag, but we neglect to add the VLAN tag size to the ingress buffer. When a VLAN-tagged frame arrives, the hardware passes it, but bad things happen because the buffer is too small. This patch fixes that. Thanks to David Harris for reporting the bug and testing the fix. Signed-off-by: Jay Cliburn <jacliburn@bellsouth.net> Tested-by: David Harris <david.harris@cpni-inc.com> Signed-off-by: Jeff Garzik <jeff@garzik.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-02-08T20:01:50Z Ayaz Abdulla aabdulla@nvidia.com 2008-01-28T15:24:40Z urn:sha1:e04f1635f373f638b5f96e2b1a85f11408cc7bec patch 2b91213064bd882c3adf35f028c6d12fab3269ec in mainline. This patch is a critical fix for MCP77 and MCP79 devices. The feature flags were missing the define for correct mac address (DEV_HAS_CORRECT_MACADDR). Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com> Signed-off-by: Jeff Garzik <jeff@garzik.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-02-08T20:01:49Z Björn Steinbrink B.Steinbrink@gmx.de 2008-02-03T23:29:12Z urn:sha1:f7839802980042d93ffc6ec5966e1efdb507a9a2 patch a2b345642f530054a92b8d2b5108436225a8093e in mainline. In 46d2277c796f9f4937bfa668c40b2e3f43e93dd0, try_to_free_buffers was changed to bail out if the page was dirty. That caused truncate_complete_page to leak massive amounts of memory, because the dirty bit was only cleared after the call to try_to_free_buffers. So the call to cancel_dirty_page was moved up to have the dirty bit cleared early in 3e67c0987d7567ad666641164a153dca9a43b11d. The problem with that fix is, that the page can be redirtied after cancel_dirty_page was called, eg. like this: truncate_complete_page() cancel_dirty_page() // PG_dirty cleared, decr. dirty pages do_invalidatepage() ext3_invalidatepage() journal_invalidatepage() journal_unmap_buffer() __dispose_buffer() __journal_unfile_buffer() __journal_temp_unlink_buffer() mark_buffer_dirty(); // PG_dirty set, incr. dirty pages And then we end up with dirty pages being wrongly accounted. In ecdfc9787fe527491baefc22dce8b2dbd5b2908d the changes to try_to_free_buffers were reverted, so the original reason for the massive memory leak is gone, so we can also revert the move of the call to cancel_dirty_page from truncate_complete_page and get the accounting right again. Signed-off-by: Björn Steinbrink <B.Steinbrink@gmx.de> Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl> Tested-by: Zaid D. <zaid.box@gmail.com> Cc: Jan Kara <jack@ucw.cz> Cc: Nick Piggin <nickpiggin@yahoo.com.au> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Thomas Osterried <osterried@jesse.de> Cc: Kerin Millar <kerframil@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-02-08T20:01:49Z Patrick McHardy kaber@trash.net 2008-01-29T18:08:28Z urn:sha1:50b85eb6699dac080b5047034da19c7282c821f2 [NETFILTER]: bridge-netfilter: fix net_device refcnt leaks Upstream commit 2dc2f207fb251666d2396fe1a69272b307ecc333 When packets are flood-forwarded to multiple output devices, the bridge-netfilter code reuses skb->nf_bridge for each clone to store the bridge port. When queueing packets using NFQUEUE netfilter takes a reference to skb->nf_bridge->physoutdev, which is overwritten when the packet is forwarded to the second port. This causes refcount unterflows for the first device and refcount leaks for all others. Additionally this provides incorrect data to the iptables physdev match. Unshare skb->nf_bridge by copying it if it is shared before assigning the physoutdev device. Reported, tested and based on initial patch by Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>