aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2006-04-24Linux 2.6.16.11v2.6.16.11Greg Kroah-Hartman
2006-04-24[PATCH] Don't allow a backslash in a path component (CVE-2006-1863)Steve French
Unless Posix paths have been negotiated, the backslash, "\", is not a valid character in a path component. Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24Linux 2.6.16.10v2.6.16.10Greg Kroah-Hartman
2006-04-24[PATCH] IPC: access to unmapped vmalloc area in grow_ary()Alexey Kuznetsov
grow_ary() should not copy struct ipc_id_ary (it copies new->p, not new). Due to this, memcpy() src pointer could hit unmapped vmalloc page when near page boundary. Found during OpenVZ stress testing Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: Kirill Korotaev <dev@openvz.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] Add more prevent_tail_call()OGAWA Hirofumi
Those also break userland regs like following. 00000000 <sys_chown16>: 0: 0f b7 44 24 0c movzwl 0xc(%esp),%eax 5: 83 ca ff or $0xffffffff,%edx 8: 0f b7 4c 24 08 movzwl 0x8(%esp),%ecx d: 66 83 f8 ff cmp $0xffffffff,%ax 11: 0f 44 c2 cmove %edx,%eax 14: 66 83 f9 ff cmp $0xffffffff,%cx 18: 0f 45 d1 cmovne %ecx,%edx 1b: 89 44 24 0c mov %eax,0xc(%esp) 1f: 89 54 24 08 mov %edx,0x8(%esp) 23: e9 fc ff ff ff jmp 24 <sys_chown16+0x24> where the tailcall at the end overwrites the incoming stack-frame. Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] alim15x3: ULI M-1573 south Bridge supportKAI.HSU
>From http://bugzilla.kernel.org/show_bug.cgi?id=6358 The alim15x3.c havn't been update for 3 years. Recently when we use this "ULI M1573" south bridge chip found that can't mount CDROM(VCD) smoothly, must waiting for a long time. After I check the "ULI M1573" south bridge datasheet, I found the reason. The reason is the "ULI M1573" version in the Linux is "0xC7" not "0xC4" anymore So I was modified the source than it was successed. Cc: Bartlomiej Zolnierkiewicz <B.Zolnierkiewicz@elka.pw.edu.pl> Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] apm: fix Armada laptops againSamuel Thibault
Fix the "apm: set display: Interface not engaged" error on Armada laptops again. Jordan said: I think this is fine. It seems to me that this may be the fault of one or both of the APM solutions handling this situation in a non-standard way, but since APM is used very little on the Geode, and I have direct access to our BIOS folks, if this problem comes up with a customer again, we'll solve it from the firmware. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Cc: "Jordan Crouse" <jordan.crouse@amd.com> Cc: Zachary Amsden <zach@vmware.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] fbdev: Fix return error of fb_writeAntonino A. Daplas
Fix return code of fb_write(): If at least 1 byte was transferred to the device, return number of bytes, otherwise: - return -EFBIG - if file offset is past the maximum allowable offset or size is greater than framebuffer length - return -ENOSPC - if size is greater than framebuffer length - offset Signed-off-by: Antonino Daplas <adaplas@pol.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] Fix file lookup without refDipankar Sarma
There are places in the kernel where we look up files in fd tables and access the file structure without holding refereces to the file. So, we need special care to avoid the race between looking up files in the fd table and tearing down of the file in another CPU. Otherwise, one might see a NULL f_dentry or such torn down version of the file. This patch fixes those special places where such a race may happen. Signed-off-by: Dipankar Sarma <dipankar@in.ibm.com> Acked-by: "Paul E. McKenney" <paulmck@us.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] m41t00: fix bitmasks when writing to chipDavid Barksdale
Fix the bitmasks used when writing to the M41T00 registers. The original code used a mask of 0x7f when writing to each register, this is incorrect and probably the result of a copy-paste error. As a result years from 1980 to 1999 will be read back as 2000 to 2019. Signed-off-by: David Barksdale <amatus@ocgnet.org> Acked-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] Open IPMI BT overflowHeikki Orsila
I was looking into random driver code and found a suspicious looking memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1: if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) return -1; ... memcpy(bt->write_data + 3, data + 1, size - 1); where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH. It looks like the memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH. A patch attached to limit size to (IPMI_MAX_LENGTH - 2). Cc: Corey Minyard <minyard@acm.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] x86: be careful about tailcall breakage for sys_open[at] tooLinus Torvalds
x86: be careful about tailcall breakage for sys_open[at] too Came up through a quick grep for other cases similar to the ftruncate() one in commit 0a489cb3b6a7b277030cdbc97c2c65905db94536. Also, add a comment, so that people who read the code understand why we do what looks like a no-op. (Again, this won't actually matter to any sane user, since libc will save and restore the register gcc stomps on, but it's still wrong to stomp on it) Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] x86: don't allow tail-calls in sys_ftruncate[64]()Linus Torvalds
x86: don't allow tail-calls in sys_ftruncate[64]() Gcc thinks it owns the incoming argument stack, but that's not true for "asmlinkage" functions, and it corrupts the caller-set-up argument stack when it pushes the third argument onto the stack. Which can result in %ebx getting corrupted in user space. Now, normally nobody sane would ever notice, since libc will save and restore %ebx anyway over the system call, but it's still wrong. I'd much rather have "asmlinkage" tell gcc directly that it doesn't own the stack, but no such attribute exists, so we're stuck with our hacky manual "prevent_tail_call()" macro once more (we've had the same issue before with sys_waitpid() and sys_wait4()). Thanks to Hans-Werner Hilse <hilse@sub.uni-goettingen.de> for reporting the issue and testing the fix. Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] IPV6: XFRM: Fix decoding session with preceding extension header(s).YOSHIFUJI Hideaki / $B5HF#1QL@(B
[IPV6] XFRM: Fix decoding session with preceding extension header(s). We did not correctly decode session with preceding extension header(s). This was because we had already pulled preceding headers, skb->nh.raw + 40 + 1 - skb->data was minus, and pskb_may_pull() failed. We now have IP6CB(skb)->nhoff and skb->h.raw, and we can start parsing / decoding upper layer protocol from current position. Tracked down by Noriaki TAKAMIYA <takamiya@po.ntts.co.jp> and tested by Kazunori Miyazawa <kazunori@miyazawa.org>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] IPV6: XFRM: Don't use old copy of pointer after pskb_may_pull().YOSHIFUJI Hideaki / $B5HF#1QL@(B
[IPV6] XFRM: Don't use old copy of pointer after pskb_may_pull(). Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] IPV6: Ensure to have hop-by-hop options in our header of &sk_buff.YOSHIFUJI Hideaki / $B5HF#1QL@(B
[IPV6]: Ensure to have hop-by-hop options in our header of &sk_buff. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] selinux: Fix MLS compatibility off-by-one bugRon Yorston
Fix an off-by-one error in the MLS compatibility code that was causing contexts with a MLS suffix to be rejected, preventing sharing partitions between FC4 and FC5. Bug reported in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188068 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] PPC: fix oops in alsa powermac driverGuido Guenther
this fixes an oops in 2.6.16.X when loading the snd_powermac module. The name of the requested module changed during the 2.6.16 development cycle from i2c-keylargo to i2c-powermac: Signed-off-by: Guido Guenther <agx@sigxcpu.org> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] MTD_NAND_SHARPSL and MTD_NAND_NANDSIM should be tristate'sAdrian Bunk
MTD_NAND=m and MTD_NAND_SHARPSL=y or MTD_NAND_NANDSIM=y are illegal combinations that mustn't be allowed. This patch fixes this bug by making MTD_NAND_SHARPSL and MTD_NAND_NANDSIM tristate's. Additionally, it fixes some whitespace damage at these options. This patch was already included in Linus' tree. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] i2c-i801: Fix resume when PEC is usedJean Delvare
Fix for bug #6395: Fail to resume on Tecra M2 with ADM1032 and Intel 82801DBM The BIOS of the Tecra M2 doesn't like it when it has to reboot or resume after the i2c-i801 driver has left the SMBus in PEC mode. I have a more complete fix for 2.6.17 but the simple approach of leaving the SMBus in non-PEC mode after every transaction should do for -stable. That's what the i2c-i801 driver was doing up to 2.6.15 (inclusive). Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] Fix hotplug race during device registrationThomas de Grenier de Latour
On Sun, 9 Apr 2006 21:56:59 +0400, Sergey Vlasov <vsu@altlinux.ru> wrote: > However, show_address() does not output anything unless > dev->reg_state == NETREG_REGISTERED - and this state is set by > netdev_run_todo() only after netdev_register_sysfs() returns, so in > the meantime (while netdev_register_sysfs() is busy adding the > "statistics" attribute group) some process may see an empty "address" > attribute. I've tried the attached patch, suggested by Sergey Vlasov on hotplug-devel@, and as far as i can test it works just fine. Signed-off-by: Alexander Patrakov <patrakov@ums.usu.ru> Signed-off-by: David Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] Fix truesize underflowHerbert Xu
[TCP]: Fix truesize underflow There is a problem with the TSO packet trimming code. The cause of this lies in the tcp_fragment() function. When we allocate a fragment for a completely non-linear packet the truesize is calculated for a payload length of zero. This means that truesize could in fact be less than the real payload length. When that happens the TSO packet trimming can cause truesize to become negative. This in turn can cause sk_forward_alloc to be -n * PAGE_SIZE which would trigger the warning. I've copied the code DaveM used in tso_fragment which should work here. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] efficeon-agp: Add missing memory maskH. Peter Anvin
Original patch by Benjamin Herrenschmidt after debugging by Brian Hinz. Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Brian Hinz <bphinz@hotmail.com> Signed-off-by: H Peter Anvin <hpa@zytor.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] 3ware 9000 disable local irqs during kmap_atomicadam radford
The attached patch for 2.6.17-rc2 updates the 3ware 9000 driver: - Disable local interrupts during kmap/unmap_atomic(). Signed-off-by: Adam Radford <linuxraid@amcc.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] 3ware: kmap_atomic() fixAndrew Morton
We must disable local IRQs while holding KM_IRQ0 or KM_IRQ1. Otherwise, an IRQ handler could use those kmap slots while this code is using them, resulting in memory corruption. Thanks to Nick Orlov <bugfixer@list.ru> for reporting. Cc: <linuxraid@amcc.com> Cc: James Bottomley <James.Bottomley@SteelEye.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-18Linux 2.6.16.9v2.6.16.9Greg Kroah-Hartman
2006-04-18[PATCH] i386/x86-64: Fix x87 information leak between processes (CVE-2006-1056)Andi Kleen
AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in FXSAVE when an exception is pending. This means the value leak through context switches and allow processes to observe some x87 instruction state of other processes. This was actually documented by AMD, but nobody recognized it as being different from Intel before. The fix first adds an optimization: instead of unconditionally calling FNCLEX after each FXSAVE test if ES is pending and skip it when not needed. Then do a x87 load from a kernel variable to clear FOP/FIP/FDP. This means other processes always will only see a constant value defined by the kernel in their FP state. I took some pain to make sure to chose a variable that's already in L1 during context switch to make the overhead of this low. Also alternative() is used to patch away the new code on CPUs who don't need it. Patch for both i386/x86-64. The problem was discovered originally by Jan Beulich. Richard Brunner provided the basic code for the workarounds, with contribution from Jan. This is CVE-2006-1056 Cc: richard.brunner@amd.com Cc: jbeulich@novell.com Signed-off-by: Andi Kleen <ak@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-18Linux 2.6.16.8v2.6.16.8Greg Kroah-Hartman
2006-04-18[PATCH] ip_route_input panic fix (CVE-2006-1525)Stephen Hemminger
This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388 The bug is caused by ip_route_input dereferencing skb->nh.protocol of the dummy skb passed dow from inet_rtm_getroute (Thanks Thomas for seeing it). It only happens if the route requested is for a multicast IP address. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17Linux 2.6.16.7v2.6.16.7Greg Kroah-Hartman
2006-04-17[PATCH] fix MADV_REMOVE vulnerability (CVE-2006-1524 for real this time)Hugh Dickins
madvise_remove needs to respect file and mmap protections. Signed-off-by: Hugh Dickins <hugh@veritas.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17Linux 2.6.16.6v2.6.16.6Greg Kroah-Hartman
2006-04-17[PATCH] shmat: stop mprotect from giving write permission to a readonly ↵Hugh Dickins
attachment (CVE-2006-1524) I found that all of 2.4 and 2.6 have been letting mprotect give write permission to a readonly attachment of shared memory, whether or not IPC would give the caller that permission. SUS says "The behaviour of this function [mprotect] is unspecified if the mapping was not established by a call to mmap", but I don't think we can interpret that as allowing it to subvert IPC permissions. I haven't tried 2.2, but the 2.2.26 source looks like it gets it right; and the patch below reproduces that behaviour - mprotect cannot be used to add write permission to a shared memory segment attached readonly. This patch is simple, and I'm sure it's what we should have done in 2.4.0: if you want to go on to switch write permission on and off with mprotect, just don't attach the segment readonly in the first place. However, we could have accumulated apps which attach readonly (even though they would be permitted to attach read/write), and which subsequently use mprotect to switch write permission on and off: it's not unreasonable. I was going to add a second ipcperms check in do_shmat, to check for writable when readonly, and if not writable find_vma and clear VM_MAYWRITE. But security_ipc_permission might do auditing, and it seems wrong to report an attempt for write permission when there has been none. Or we could flag the vma as SHM, note the shmid or shp in vm_private_data, and then get mprotect to check. But the patch below is a lot simpler: I'd rather stick with it, if we can convince ourselves somehow that it'll be safe. Signed-off-by: Hugh Dickins <hugh@veritas.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] atm: clip causes unregister hangStephen Hemminger
If Classical IP over ATM module is loaded, its neighbor table gets populated when permanent neighbor entries are created; but these entries are not flushed when the device is removed. Since the entry never gets flushed the unregister of the network device never completes. This version of the patch also adds locking around the reference to the atm arp daemon to avoid races with events and daemon state changes. (Note: barrier() was never really safe) Bug-reference: http://bugzilla.kernel.org/show_bug.cgi?id=6295 Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] fix non-leader exec under ptraceRoland McGrath
This reverts most of commit 30e0fca6c1d7d26f3f2daa4dd2b12c51dadc778a. It broke the case of non-leader MT exec when ptraced. I think the bug it was intended to fix was already addressed by commit 788e05a67c343fa22f2ae1d3ca264e7f15c25eaf. Signed-off-by: Roland McGrath <roland@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] USB: remove __init from usb_console_setupPaul Fulghum
This prevents an Oops if booted with "console=ttyUSB0" but without a USB-serial dongle, and plugged one in afterwards. Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] Fix suspend with traced tasksPavel Machek
strace /bin/bash misbehaves after resume; this fixes it. (akpm: it's scary calling refrigerator() in state TASK_TRACED, but it seems to do the right thing). Signed-off-by: Pavel Machek <pavel@suse.cz> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] Incorrect signature sent on SMB ReadSteve French
Fixes Samba bug 3621 and kernel.org bug 6147 For servers which require SMB/CIFS packet signing, we were sending the wrong signature (all zeros) on SMB Read request. The new cifs routine to do signatures across an iovec was not complete - and SMB Read, unlike the new SMBWrite2, did not fall back to the older routine (ie use SendReceive vs. the more efficient SendReceive2 ie used the older cifs_sign_smb vs. the disabled cifs_sign_smb2) for calculating signatures. This finishes up cifs_sign_smb2/cifs_calc_signature2 so that the callers of SendReceive2 can get SMB/CIFS packet signatures. Now that cifs_sign_smb2 is supported, we could start using it in the write path but this smaller fix does not include the change to use SMBWrite2 when signatures are required (which when enabled will make more Writes more efficient and alloc less memory). Currently Write2 is only used when signatures are not required at the moment but after more testing we will enable that as well). Thanks to James Slepicka and Sam Flory for initial investigation. Signed-off-by: Steve French <sfrench@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] RLIMIT_CPU: fix handling of a zero limitAndrew Morton
At present the kernel doesn't honour an attempt to set RLIMIT_CPU to zero seconds. But the spec says it should, and that's what 2.4.x does. Fixing this for real would involve some complexity (such as adding a new it-has-been-set flag to the task_struct, and testing that everwhere, instead of overloading the value of it_prof_expires). Given that a 2.4 kernel won't actually send the signal until one second has expired anyway, let's just handle this case by treating the caller's zero-seconds as one second. Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Ulrich Weigand <uweigand@de.ibm.com> Cc: Cliff Wickman <cpw@sgi.com> Acked-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-04-17[PATCH] Fix utime(2) in the case that no times parameter was passed in.Nathan Scott
SGI-PV: 949858 SGI-Modid: xfs-linux-melb:xfs-kern:25717a Signed-off-by: Jes Sorensen <jes@sgi.com> Signed-off-by: Nathan Scott <nathans@sgi.com>
2006-04-17[PATCH] alpha: SMP boot fixesBrian Uhrain says
I've encountered two problems with 2.6.16 and newer kernels on my API CS20 (dual 833MHz Alpha 21264b processors). The first is the kernel OOPSing because of a NULL pointer dereference while trying to populate SysFS with the CPU information. The other is that only one processor was being brought up. I've included a small Alpha-specific patch that fixes both problems. The first problem was caused by the CPUs never being properly registered using register_cpu(), the way it's done on other architectures. The second problem has to do with the removal of hwrpb_cpu_present_mask in arch/alpha/kernel/smp.c. In setup_smp() in the 2.6.15 kernel sources, hwrpb_cpu_present_mask has a bit set for each processor that is probed, and afterwards cpu_present_mask is set to the cpumask for the boot CPU. In the same function of the same file in the 2.6.16 sources, instead of hwrpb_cpu_present_mask being set, cpu_possible_map is updated for each probed CPU. cpu_present_mask is still set to the cpumask of the boot CPU afterwards. The problem lies in include/asm-alpha/smp.h, where cpu_possible_map is #define'd to be cpu_present_mask. Cleanups from: Ivan Kokshaysky <ink@jurassic.park.msu.ru> - cpu_present_mask and cpu_possible_map are essentially the same thing on alpha, as it doesn't support CPU hotplug; - allocate "struct cpu" only for present CPUs, like sparc64 does. Static array of "struct cpu" is just a waste of memory. Signed-off-by: Brian Uhrain <buhrain@rosettastone.com> Cc: Richard Henderson <rth@twiddle.net> Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] cciss: bug fix for crash when running hpacucliMike Miller
Fix a crash when running hpacucli with multiple logical volumes on a cciss controller. We were not properly initializing the disk->queue and causing a fault. Thanks to Hasso Tepper for reporting the problem. Thanks to Steve Cameron for root causing the problem. Most of the patch just moves things around. The fix is a one-liner. Signed-off-by: Mike Miller <mike.miller@hp.com> Signed-off-by: Stephen Cameron <steve.cameron@hp.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] edac_752x needs CONFIG_HOTPLUGRandy Dunlap
EDAC_752X uses pci_scan_single_device(), which is only available if CONFIG_HOTPLUG is enabled, so limit this driver with HOTPLUG. This patch was already included in Linus' tree. Adrian Bunk: Rediffed for 2.6.16.x due to unrelated context changes. Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: David S. Peterson <dsp@llnl.gov>
2006-04-17[PATCH] ext3: Fix missed mutex unlockAnaniev, Leonid I
Missed unlock_super()call is added in error condition code path. Signed-off-by: Leonid Ananiev <leonid.i.ananiev@intel.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] Fix block device symlink nameStephen Rothwell
As noted further on the this file, some block devices have a / in their name, so fix the "block:..." symlink name the same as the /sys/block name. Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Christoph Hellwig <hch@lst.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] Fix buddy list race that could lead to page lru list corruptionsNick Piggin
Rohit found an obscure bug causing buddy list corruption. page_is_buddy is using a non-atomic test (PagePrivate && page_count == 0) to determine whether or not a free page's buddy is itself free and in the buddy lists. Each of the conjuncts may be true at different times due to unrelated conditions, so the non-atomic page_is_buddy test may find each conjunct to be true even if they were not both true at the same time (ie. the page was not on the buddy lists). Signed-off-by: Martin Bligh <mbligh@google.com> Signed-off-by: Rohit Seth <rohitseth@google.com> Signed-off-by: Nick Piggin <npiggin@suse.de> Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] fuse: fix oops in fuse_send_readpages()Miklos Szeredi
During heavy parallel filesystem activity it was possible to Oops the kernel. The reason is that read_cache_pages() could skip pages which have already been inserted into the cache by another task. Occasionally this may result in zero pages actually being sent, while fuse_send_readpages() relies on at least one page being in the request. So check this corner case and just free the request instead of trying to send it. Reported and tested by Konstantin Isakov. Signed-off-by: Miklos Szeredi <miklos@szeredi.hu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] m32r: Fix cpu_possible_map and cpu_present_map initialization for ↵Hirokazu Takata
SMP kernel This patch fixes a boot problem of the m32r SMP kernel 2.6.16-rc1-mm3 or later. In this patch, cpu_possible_map is statically initialized, and cpu_present_map is also copied from cpu_possible_map in smp_prepare_cpus(), because the m32r architecture has not supported CPU hotplug yet. Signed-off-by: Hayato Fujiwara <fujiwara.hayato@renesas.com> Signed-off-by: Hirokazu Takata <takata@linux-m32r.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] m32r: security fix of {get, put}_user macrosHirokazu Takata
Update {get,put}_user macros for m32r kernel. - Modify get_user to use __get_user_asm macro, instead of __get_user_x macro. - Remove arch/m32r/lib/{get,put}user.S. - Some cosmetic updates. I would like to thank NIIBE Yutaka for his reporting about the m32r kernel's security problem in {get,put}_user macros. There were no address checking for user space access in {get,put}_user macros. ;-) Signed-off-by: Hirokazu Takata <takata@linux-m32r.org> Cc: NIIBE Yutaka <gniibe@fsij.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] NETFILTER: Fix fragmentation issues with bridge netfilterPatrick McHardy
[NETFILTER]: Fix fragmentation issues with bridge netfilter The conntrack code doesn't do re-fragmentation of defragmented packets anymore but relies on fragmentation in the IP layer. Purely bridged packets don't pass through the IP layer, so the bridge netfilter code needs to take care of fragmentation itself. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>