1. 20 Aug, 2008 34 commits
  2. 06 Aug, 2008 6 commits
    • Linux 2.6.26.2 · 26b33d46
      Greg Kroah-Hartman authored
    • sound: ensure device number is valid in snd_seq_oss_synth_make_info · ee3b94e2
      Willy Tarreau authored
      commit 82e68f7f upstream
      
      snd_seq_oss_synth_make_info() incorrectly reports information
      to userspace without first checking for the validity of the
      device number, leading to possible information leak (CVE-2008-3272).

      Reported-By: Tobias Klein <tk@trapkit.de>
      Acked-and-tested-by: Takashi Iwai <tiwai@suse.de>
      Cc: stable@kernel.org
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • Ath5k: kill tasklets on shutdown · 8256c73d
      Jiri Slaby authored
      commit 10488f8a upstream
      
      Don't forget to kill tasklets on stop to not panic if they
      fire after freeing some structures.

      Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
      Acked-by: Nick Kossifidis <mickflemm@gmail.com>
      Cc: Luis R. Rodriguez <mcgrof@gmail.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • Ath5k: fix memory corruption · 906494c0
      Jiri Slaby authored
      commit 3a0f2c87 upstream
      
      When signal is noisy, hardware can use all RX buffers and since the last
      entry in the list is self-linked, it overwrites the entry until we link
      new buffers.
      
      Ensure that we don't free this last one until we are 100% sure that it
      is not used by the hardware anymore to not cause memory corruption as
      can be seen below.
      
      This is done by checking next buffer in the list. Even after that we
      know that the hardware refetched the new link and proceeded further
      (the next buffer is ready) we can finally free the overwritten buffer.
      
      We discard it since the status in its descriptor is overwritten (OR-ed
      by new status) too.
      
      =============================================================================
      BUG kmalloc-4096: Poison overwritten
      -----------------------------------------------------------------------------
      
      INFO: 0xffff810067419060-0xffff810067419667. First byte 0x8 instead of 0x6b
      INFO: Allocated in dev_alloc_skb+0x18/0x30 age=1118 cpu=1 pid=0
      INFO: Freed in skb_release_data+0x85/0xd0 age=1105 cpu=1 pid=3718
      INFO: Slab 0xffffe200019d0600 objects=7 used=0 fp=0xffff810067419048 flags=0x40000000000020c3
      INFO: Object 0xffff810067419048 @offset=4168 fp=0xffff81006741c120
      
      Pid: 3297, comm: ath5k_pci Not tainted 2.6.26-rc8-mm1_64 #427
      
      Call Trace:
       [<ffffffff802a7306>] print_trailer+0xf6/0x150
       [<ffffffff802a7485>] check_bytes_and_report+0x125/0x180
       [<ffffffff802a75dc>] check_object+0xac/0x260
       [<ffffffff802a9308>] __slab_alloc+0x368/0x6d0
       [<ffffffff80544f82>] ? wireless_send_event+0x142/0x310
       [<ffffffff804b1bd4>] ? __alloc_skb+0x44/0x150
       [<ffffffff80544f82>] ? wireless_send_event+0x142/0x310
       [<ffffffff802aa853>] __kmalloc_track_caller+0xc3/0xf0
       [<ffffffff804b1bfe>] __alloc_skb+0x6e/0x150
      [... stack snipped]
      
      FIX kmalloc-4096: Restoring 0xffff810067419060-0xffff810067419667=0x6b
      
      FIX kmalloc-4096: Marking all objects used

      Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
      Acked-by: Nick Kossifidis <mickflemm@gmail.com>
      Cc: Luis R. Rodriguez <mcgrof@gmail.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • vfs: fix lookup on deleted directory · efd5285e
      Miklos Szeredi authored
      commit d70b67c8 upstream
      
      Lookup can install a child dentry for a deleted directory.  This keeps
      the directory dentry alive, and the inode pinned in the cache and on
      disk, even after all external references have gone away.
      
      This isn't a big problem normally, since memory pressure or umount
      will clear out the directory dentry and its children, releasing the
      inode.  But for UBIFS this causes problems because its orphan area can
      overflow.
      
      Fix this by returning ENOENT for all lookups on a S_DEAD directory
      before creating a child dentry.
      
      Thanks to Zoltan Sogor for noticing this while testing UBIFS, and
      Artem for the excellent analysis of the problem and testing.

      Reported-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
      Tested-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • ALSA: emu10k1 - Fix inverted Analog/Digital mixer switch on Audigy2 · 5c975097
      Takashi Iwai authored
      commit d2cd74b1 upstream
      
      On Audigy2 Platinum, the Analog/Digital mixer switch is inverted.
      	https://bugzilla.novell.com/show_bug.cgi?id=396204
      
      The patch adds a simple workaround.
      
      There might be another device requiring a similar fix, too (or fix for
      audigy2 generically), but right now I fix only the known broken one.

      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>