aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2006-05-04Linux 2.6.16.14v2.6.16.14Chris Wright
2006-05-04[PATCH] smbfs chroot issue (CVE-2006-1864)Olaf Kirch
Mark Moseley reported that a chroot environment on a SMB share can be left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix is for smbfs. Steven French <sfrench@us.ibm.com> wrote: Looks fine to me. This should catch the slash on lookup or equivalent, which will be all obvious paths of interest. Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-05-02Linux 2.6.16.13v2.6.16.13Greg Kroah-Hartman
2006-05-02[PATCH] NETFILTER: SCTP conntrack: fix infinite loop (CVE-2006-1527)Patrick McHardy
[NETFILTER]: SCTP conntrack: fix infinite loop fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to guarantee progress of for_each_sctp_chunk(). (all other uses of for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix should be complete.) Based on patch from Ingo Molnar <mingo@elte.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01Linux 2.6.16.12v2.6.16.12Greg Kroah-Hartman
2006-05-01[PATCH] i386: fix broken FP exception handlingChuck Ebbert
The FXSAVE information leak patch introduced a bug in FP exception handling: it clears FP exceptions only when there are already none outstanding. Mikael Pettersson reported that causes problems with the Erlang runtime and has tested this fix. Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com> Acked-by: Mikael Pettersson <mikpe@it.uu.se> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] MIPS: Fix branch emulation for floating-point exceptions.Win Treese
In the branch emulation for floating-point exceptions, __compute_return_epc must determine for bc1f et al which condition code bit to test. This is based on bits <4:2> of the rt field. The switch statement to distinguish bc1f et al needs to use only the two low bits of rt, but the old code tests on the whole rt field. This patch masks off the proper bits. Signed-off-by: Win Treese <treese@acm.org> Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] MIPS: Fix tx49_blast_icache32_page_indexed.Atsushi Nemoto
Fix the cache index value in tx49_blast_icache32_page_indexed(). This is damage by de62893bc0725f8b5f0445250577cd7a10b2d8f8 commit. Signed-off-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp> Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] MIPS: R2 build fixes for gcc < 3.4.Ralf Baechle
Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] MIPS: Use "R" constraint for cache_op.Ralf Baechle
Gcc might emit an absolute address for the the "m" constraint which gas unfortunately does not permit. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] NET: e1000: Update truesize with the length of the packet for packet ↵Auke Kok
split Update skb with the real packet size. Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com> Signed-off-by: Auke Kok <auke-jan.h.kok@intel.com> Signed-off-by: John Ronciak <john.ronciak@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] x86/PAE: Fix pte_clear for the >4GB RAM caseZachary Amsden
Proposed fix for ptep_get_and_clear_full PAE bug. Pte_clear had the same bug, so use the same fix for both. Turns out pmd_clear had it as well, but pgds are not affected. The problem is rather intricate. Page table entries in PAE mode are 64-bits wide, but the only atomic 8-byte write operation available in 32-bit mode is cmpxchg8b, which is expensive (at least on P4), and thus avoided. But it can happen that the processor may prefetch entries into the TLB in the middle of an operation which clears a page table entry. So one must always clear the P-bit in the low word of the page table entry first when clearing it. Since the sequence *ptep = __pte(0) leaves the order of the write dependent on the compiler, it must be coded explicitly as a clear of the low word followed by a clear of the high word. Further, there must be a write memory barrier here to enforce proper ordering by the compiler (and, in the future, by the processor as well). On > 4GB memory machines, the implementation of pte_clear for PAE was clearly deficient, as it could leave virtual mappings of physical memory above 4GB aliased to memory below 4GB in the TLB. The implementation of ptep_get_and_clear_full has a similar bug, although not nearly as likely to occur, since the mappings being cleared are in the process of being destroyed, and should never be dereferenced again. But, as luck would have it, it is possible to trigger bugs even without ever dereferencing these bogus TLB mappings, even if the clear is followed fairly soon after with a TLB flush or invalidation. The problem is that memory above 4GB may now be aliased into the first 4GB of memory, and in fact, may hit a region of memory with non-memory semantics. These regions include AGP and PCI space. As such, these memory regions are not cached by the processor. This introduces the bug. The processor can speculate memory operations, including memory writes, as long as they are committed with the proper ordering. Speculating a memory write to a linear address that has a bogus TLB mapping is possible. Normally, the speculation is harmless. But for cached memory, it does leave the falsely speculated cacheline unmodified, but in a dirty state. This cache line will be eventually written back. If this cacheline happens to intersect a region of memory that is not protected by the cache coherency protocol, it can corrupt data in I/O memory, which is generally a very bad thing to do, and can cause total system failure or just plain undefined behavior. These bugs are extremely unlikely, but the severity is of such magnitude, and the fix so simple that I think fixing them immediately is justified. Also, they are nearly impossible to debug. Signed-off-by: Zachary Amsden <zach@vmware.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] LSM: add missing hook to do_compat_readv_writev()James Morris
This patch addresses a flaw in LSM, where there is no mediation of readv() and writev() in for 32-bit compatible apps using a 64-bit kernel. This bug was discovered and fixed initially in the native readv/writev code [1], but was not fixed in the compat code. Thanks to Al for spotting this one. [1] http://lwn.net/Articles/154282/ Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-05-01[PATCH] Alpha: strncpy() fixIvan Kokshaysky
As it turned out after recent SCSI changes, strncpy() was broken - it mixed up the return values from __stxncpy() in registers $24 and $27. Thanks to Mathieu Chouquet-Stringer for tracking down the problem and providing an excellent test case. Signed-off-by: Ivan Kokshaysky <ink@jurassic.park.msu.ru> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] Altix snsc: duplicate kobject fixGreg Howard
Fix Altix system controller (snsc) device names to include the slot number of the blade whose associated system controller is the target of the device interface. Including the slot number avoids a problem we're currently having where slots within the same enclosure are attempting to create multiple kobjects with identical names. Signed-off-by: Greg Howard <ghoward@sgi.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] Fix reiserfs deadlockJan Kara
reiserfs_cache_default_acl() should return whether we successfully found the acl or not. We have to return correct value even if reiserfs_get_acl() returns error code and not just 0. Otherwise callers such as reiserfs_mkdir() can unnecessarily lock the xattrs and later functions such as reiserfs_new_inode() fail to notice that we have already taken the lock and try to take it again with obvious consequences. Signed-off-by: Jan Kara <jack@suse.cz> Cc: <reiserfs-dev@namesys.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] Simplify proc/devices and fix early termination regressionAndrew Morton
Repair /proc/devices early-termination regression. 2.6.16 broke /proc/devices. An application often gets an EOF before the end of data is reached, if that application uses a series of short read(2)s to access the data. I have used read buffers of varying sizes with varying degrees of unsuccess (larger sizes get further into the data than smaller sizes, following a simple pattern). It appears that the only safe way to get the data is to use a single read buffer larger than all the data in /proc/devices. The following example demonstates the problem: # dd if=/proc/devices bs=1 Character devices: 1 mem 27+0 records in 27+0 records out This patch is a backport of the fix recently accepted to Linus's tree: commit 68eef3b4791572ecb70249c7fb145bb3742dd899 [PATCH] Simplify proc/devices and fix early termination regression It replaces the complex, state-machine algorithm introduced in 2.6.16 with a simple algorithm, modeled on the implementation of /proc/interrupts. [akpm@osdl.org: cleanups, simplifications] Signed-off-by: Joe Korty <joe.korty@ccur.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] dm flush queue EINTRJun'ichi Nomura
If dm_suspend() is cancelled, bios already added to the deferred list need to be submitted. Otherwise they remain 'in limbo' until there's a dm_resume(). Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] dm snapshot: fix kcopyd destructorAlasdair G Kergon
Before removing a snapshot, wait for the completion of any kcopyd jobs using it. Do this by maintaining a count (nr_jobs) of how many outstanding jobs each kcopyd_client has. The snapshot destructor first unregisters the snapshot so that no new kcopyd jobs (created by writes to the origin) will reference that particular snapshot. kcopyd_client_destroy() is now run next to wait for the completion of any outstanding jobs before the snapshot exception structures (that those jobs reference) are freed. Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] cxusb-bluebird: bug-fix: power down corrupts frontendMichael Krufky
This patch prevents a bug where the frontend is unable to tune after waking from powered down state. Now, the device remains powered on until it is disconnected, just like the windows driver. It seems that the bluebird firmware is unable to successfully handle tuning after a powered down state. This patch fixes all of the FusionHDTV Bluebird USB2 devices. The Medion MD95700 will still behave as before, since it was unaffected by this bug. Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] fix saa7129 support in saa7127 module for pvr350 tv outJose Alberto Reguero
This patch fixes tv-out support for the newer model of the pvr350, which has a saa7129 instead of a saa7127 video encoder. Signed-off-by: Jose Alberto Reguero <jareguero@telefonica.net> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] for_each_possible_cpuAndrew Morton
Backport for_each_possible_cpu() into 2.6.16. Fixes the alpha build, and any future occurrences. Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] get_dvb_firmware: download nxt2002 firmware from new driver locationMichael Krufky
BBTI has updated their driver, and removed the old one from their website. This patch updates the get_dvb_firmware script to download the firmware from the new driver location. Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] tipar oops fixDaniel Drake
If compiled into the kernel, parport_register_driver() is called before the parport driver has been initalised. This means that it is expected that tp_count is 0 after the parport_register_driver() call() - tipar's attach function will not be called until later during bootup. Signed-off-by: Daniel Drake <dsd@gentoo.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] USB: fix array overrun in drivers/usb/serial/option.cEric Sesterhenn
since the arrays are declared as in_urbs[N_IN_URB] and out_urbs[N_OUT_URB] both for loops, go one over the end of the array. This fixes coverity id #555 This patch was already included in Linus' tree. Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] x86_64: Fix a race in the free_iommu path.Mike Waychison
We do this by removing a micro-optimization that tries to avoid grabbing the iommu_bitmap_lock spinlock and using a bus-locked operation. This still races with other simultaneous alloc_iommu or free_iommu(size > 1) which both use bus-unlocked operations. The end result of this race is eventually ending up with an iommu_gart_bitmap that has bits errornously set all over, making large contiguous iommu space allocations fail with 'PCI-DMA: Out of IOMMU space'. Signed-off-by: Mike Waychison <mikew@google.com> Signed-off-by: Andi Kleen <ak@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] x86_64: Pass -32 to the assembler when compiling the 32bit vsyscall ↵Andi Kleen
pages This quietens warnings and actually fixes a bug. The unwind tables would come out wrong without -32, causing pthread cancellation during them to crash in the gcc runtime. The problem seems to only happen with newer binutils (it doesn't happen with 2.16.91.0.2 but happens wit 2.16.91.0.5) Thanks to Brian Baker @ HP for test case and initial analysis. Cc: brian.b@hp.com Signed-off-by: Andi Kleen <ak@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] make vm86 call audit_syscall_exitJason Baron
hi, The motivation behind the patch below was to address messages in /var/log/messages such as: Jan 31 10:54:15 mets kernel: audit(:0): major=252 name_count=0: freeing multiple contexts (1) Jan 31 10:54:15 mets kernel: audit(:0): major=113 name_count=0: freeing multiple contexts (2) I can reproduce by running 'get-edid' from: http://john.fremlin.de/programs/linux/read-edid/. These messages come about in the log b/c the vm86 calls do not exit via the normal system call exit paths and thus do not call 'audit_syscall_exit'. The next system call will then free the context for itself and for the vm86 context, thus generating the above messages. This patch addresses the issue by simply adding a call to 'audit_syscall_exit' from the vm86 code. Besides fixing the above error messages the patch also now allows vm86 system calls to become auditable. This is useful since strace does not appear to properly record the return values from sys_vm86. I think this patch is also a step in the right direction in terms of cleaning up some core auditing code. If we can correct any other paths that do not properly call the audit exit and entries points, then we can also eliminate the notion of context chaining. I've tested this patch by verifying that the log messages no longer appear, and that the audit records for sys_vm86 appear to be correct. Also, 'read_edid' produces itentical output. thanks, -Jason Signed-off-by: Jason Baron <jbaron@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] cs5535_gpio.c: call cdev_del() during module_exit to unmap kobject ↵Thayumanavar Sachithanantham
references and other cleanups During module unloading, cdev_del() must be called to unmap cdev related kobject references and other cleanups(such as inode->i_cdev being set to NULL) which prevents the OOPS upon subsequent loading, usage and unloading of modules(as seen in the mail thread http://marc.theaimsgroup.com/?l=linux-kernel&m=114533640609018&w=2). Also, remove unneeded test of gpio_base. Signed-off-by: Thayumanavar Sachithanantham <thayumk@gmail.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-01[PATCH] sonypi: correct detection of new ICH7-based laptopsArnaud MAZIN
Add a test to detect the ICH7 based Core Duo SONY laptops (such as the SZ1) as type3 models. Signed-off-by: Arnaud MAZIN <arnaud.mazin@gmail.com> Acked-by: Stelian Pop <stelian@poppies.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24Linux 2.6.16.11v2.6.16.11Greg Kroah-Hartman
2006-04-24[PATCH] Don't allow a backslash in a path component (CVE-2006-1863)Steve French
Unless Posix paths have been negotiated, the backslash, "\", is not a valid character in a path component. Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24Linux 2.6.16.10v2.6.16.10Greg Kroah-Hartman
2006-04-24[PATCH] IPC: access to unmapped vmalloc area in grow_ary()Alexey Kuznetsov
grow_ary() should not copy struct ipc_id_ary (it copies new->p, not new). Due to this, memcpy() src pointer could hit unmapped vmalloc page when near page boundary. Found during OpenVZ stress testing Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: Kirill Korotaev <dev@openvz.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] Add more prevent_tail_call()OGAWA Hirofumi
Those also break userland regs like following. 00000000 <sys_chown16>: 0: 0f b7 44 24 0c movzwl 0xc(%esp),%eax 5: 83 ca ff or $0xffffffff,%edx 8: 0f b7 4c 24 08 movzwl 0x8(%esp),%ecx d: 66 83 f8 ff cmp $0xffffffff,%ax 11: 0f 44 c2 cmove %edx,%eax 14: 66 83 f9 ff cmp $0xffffffff,%cx 18: 0f 45 d1 cmovne %ecx,%edx 1b: 89 44 24 0c mov %eax,0xc(%esp) 1f: 89 54 24 08 mov %edx,0x8(%esp) 23: e9 fc ff ff ff jmp 24 <sys_chown16+0x24> where the tailcall at the end overwrites the incoming stack-frame. Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] alim15x3: ULI M-1573 south Bridge supportKAI.HSU
>From http://bugzilla.kernel.org/show_bug.cgi?id=6358 The alim15x3.c havn't been update for 3 years. Recently when we use this "ULI M1573" south bridge chip found that can't mount CDROM(VCD) smoothly, must waiting for a long time. After I check the "ULI M1573" south bridge datasheet, I found the reason. The reason is the "ULI M1573" version in the Linux is "0xC7" not "0xC4" anymore So I was modified the source than it was successed. Cc: Bartlomiej Zolnierkiewicz <B.Zolnierkiewicz@elka.pw.edu.pl> Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] apm: fix Armada laptops againSamuel Thibault
Fix the "apm: set display: Interface not engaged" error on Armada laptops again. Jordan said: I think this is fine. It seems to me that this may be the fault of one or both of the APM solutions handling this situation in a non-standard way, but since APM is used very little on the Geode, and I have direct access to our BIOS folks, if this problem comes up with a customer again, we'll solve it from the firmware. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Cc: "Jordan Crouse" <jordan.crouse@amd.com> Cc: Zachary Amsden <zach@vmware.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] fbdev: Fix return error of fb_writeAntonino A. Daplas
Fix return code of fb_write(): If at least 1 byte was transferred to the device, return number of bytes, otherwise: - return -EFBIG - if file offset is past the maximum allowable offset or size is greater than framebuffer length - return -ENOSPC - if size is greater than framebuffer length - offset Signed-off-by: Antonino Daplas <adaplas@pol.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] Fix file lookup without refDipankar Sarma
There are places in the kernel where we look up files in fd tables and access the file structure without holding refereces to the file. So, we need special care to avoid the race between looking up files in the fd table and tearing down of the file in another CPU. Otherwise, one might see a NULL f_dentry or such torn down version of the file. This patch fixes those special places where such a race may happen. Signed-off-by: Dipankar Sarma <dipankar@in.ibm.com> Acked-by: "Paul E. McKenney" <paulmck@us.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] m41t00: fix bitmasks when writing to chipDavid Barksdale
Fix the bitmasks used when writing to the M41T00 registers. The original code used a mask of 0x7f when writing to each register, this is incorrect and probably the result of a copy-paste error. As a result years from 1980 to 1999 will be read back as 2000 to 2019. Signed-off-by: David Barksdale <amatus@ocgnet.org> Acked-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] Open IPMI BT overflowHeikki Orsila
I was looking into random driver code and found a suspicious looking memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1: if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) return -1; ... memcpy(bt->write_data + 3, data + 1, size - 1); where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH. It looks like the memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH. A patch attached to limit size to (IPMI_MAX_LENGTH - 2). Cc: Corey Minyard <minyard@acm.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] x86: be careful about tailcall breakage for sys_open[at] tooLinus Torvalds
x86: be careful about tailcall breakage for sys_open[at] too Came up through a quick grep for other cases similar to the ftruncate() one in commit 0a489cb3b6a7b277030cdbc97c2c65905db94536. Also, add a comment, so that people who read the code understand why we do what looks like a no-op. (Again, this won't actually matter to any sane user, since libc will save and restore the register gcc stomps on, but it's still wrong to stomp on it) Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] x86: don't allow tail-calls in sys_ftruncate[64]()Linus Torvalds
x86: don't allow tail-calls in sys_ftruncate[64]() Gcc thinks it owns the incoming argument stack, but that's not true for "asmlinkage" functions, and it corrupts the caller-set-up argument stack when it pushes the third argument onto the stack. Which can result in %ebx getting corrupted in user space. Now, normally nobody sane would ever notice, since libc will save and restore %ebx anyway over the system call, but it's still wrong. I'd much rather have "asmlinkage" tell gcc directly that it doesn't own the stack, but no such attribute exists, so we're stuck with our hacky manual "prevent_tail_call()" macro once more (we've had the same issue before with sys_waitpid() and sys_wait4()). Thanks to Hans-Werner Hilse <hilse@sub.uni-goettingen.de> for reporting the issue and testing the fix. Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] IPV6: XFRM: Fix decoding session with preceding extension header(s).YOSHIFUJI Hideaki / $B5HF#1QL@(B
[IPV6] XFRM: Fix decoding session with preceding extension header(s). We did not correctly decode session with preceding extension header(s). This was because we had already pulled preceding headers, skb->nh.raw + 40 + 1 - skb->data was minus, and pskb_may_pull() failed. We now have IP6CB(skb)->nhoff and skb->h.raw, and we can start parsing / decoding upper layer protocol from current position. Tracked down by Noriaki TAKAMIYA <takamiya@po.ntts.co.jp> and tested by Kazunori Miyazawa <kazunori@miyazawa.org>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] IPV6: XFRM: Don't use old copy of pointer after pskb_may_pull().YOSHIFUJI Hideaki / $B5HF#1QL@(B
[IPV6] XFRM: Don't use old copy of pointer after pskb_may_pull(). Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] IPV6: Ensure to have hop-by-hop options in our header of &sk_buff.YOSHIFUJI Hideaki / $B5HF#1QL@(B
[IPV6]: Ensure to have hop-by-hop options in our header of &sk_buff. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] selinux: Fix MLS compatibility off-by-one bugRon Yorston
Fix an off-by-one error in the MLS compatibility code that was causing contexts with a MLS suffix to be rejected, preventing sharing partitions between FC4 and FC5. Bug reported in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188068 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] PPC: fix oops in alsa powermac driverGuido Guenther
this fixes an oops in 2.6.16.X when loading the snd_powermac module. The name of the requested module changed during the 2.6.16 development cycle from i2c-keylargo to i2c-powermac: Signed-off-by: Guido Guenther <agx@sigxcpu.org> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] MTD_NAND_SHARPSL and MTD_NAND_NANDSIM should be tristate'sAdrian Bunk
MTD_NAND=m and MTD_NAND_SHARPSL=y or MTD_NAND_NANDSIM=y are illegal combinations that mustn't be allowed. This patch fixes this bug by making MTD_NAND_SHARPSL and MTD_NAND_NANDSIM tristate's. Additionally, it fixes some whitespace damage at these options. This patch was already included in Linus' tree. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] i2c-i801: Fix resume when PEC is usedJean Delvare
Fix for bug #6395: Fail to resume on Tecra M2 with ADM1032 and Intel 82801DBM The BIOS of the Tecra M2 doesn't like it when it has to reboot or resume after the i2c-i801 driver has left the SMBus in PEC mode. I have a more complete fix for 2.6.17 but the simple approach of leaving the SMBus in non-PEC mode after every transaction should do for -stable. That's what the i2c-i801 driver was doing up to 2.6.15 (inclusive). Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>