- 10 Nov, 2008 24 commits
-
-
Greg Kroah-Hartman authored
-
Patrick McHardy authored
netfilter: restore lost #ifdef guarding defrag exception Upstream commit 38f7ac3e: Nir Tzachar <nir.tzachar@gmail.com> reported a warning when sending fragments over loopback with NAT: [ 6658.338121] WARNING: at net/ipv4/netfilter/nf_nat_standalone.c:89 nf_nat_fn+0x33/0x155() The reason is that defragmentation is skipped for already tracked connections. This is wrong in combination with NAT and ip_conntrack actually had some ifdefs to avoid this behaviour when NAT is compiled in. The entire "optimization" may seem a bit silly, for now simply restoring the lost #ifdef is the easiest solution until we can come up with something better. Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Ilpo Järvinen authored
netfilter: snmp nat leaks memory in case of failure Upstream commit 311670f3: Signed-off-by:
Ilpo Jarvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by:
-
Alexey Dobriyan authored
netfilter: xt_iprange: fix range inversion match Upstream commit 6def1eb4: Inverted IPv4 v1 and IPv6 v0 matches don't match anything since 2.6.25-rc1! Signed-off-by:
Alexey Dobriyan <adobriyan@gmail.com> Acked-by:
Jan Engelhardt <jengelh@medozas.de> Signed-off-by:
-
Shaohua Li authored
commit 8b59560a upstream. ACPI: dock: avoid check _STA method In some BIOSes, every _STA method call will send a notification again, this cause freeze. And in some BIOSes, it appears _STA should be called after _DCK. This tries to avoid calls _STA, and still keep the device present check. http://bugzilla.kernel.org/show_bug.cgi?id=10431Signed-off-by:
Shaohua Li <shaohua.li@intel.com> Signed-off-by:
Len Brown <len.brown@intel.com> Signed-off-by:
-
Julia Jomantaite authored
upstream commit 469778c1 Thanks to Arjan for spotting this http://www.kerneloops.org/search.php?search=acpi_video_switch_brightness and suggesting it for .stable Fix use of uninitialized device->brightness. Signed-off-by:
Julia Jomantaite <julia.jomantaite@gmail.com> Signed-off-by:
Andi Kleen <ak@linux.intel.com> Acked-by:
Zhang Rui <rui.zhang@intel.com> Signed-off-by:
-
Andrea Shepard authored
[ Upstream commit e0037df3 ] Make arch/sparc64/kernel/trampoline.S in 2.6.27.1 lock prom_entry_lock when calling the PROM. This prevents a race condition that I observed causing a hang on startup on a 12-CPU E4500. I am not subscribed to this list, so please CC me on replies. Signed-off-by:
Andrea Shepard <andrea@persephoneslair.org> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Kumar Gala authored
[ Upstream commit 930cc144 ] I'm trying to move the powerpc math-emu code to use the include/math-emu bits. In doing so I've been using TestFloat to see how good or bad we are doing. For the most part the current math-emu code that PPC uses has a number of issues that the code in include/math-emu seems to solve (plus bugs we've had for ever that no one every realized). Anyways, I've come across a case that we are flagging underflow and inexact because we think we have a denormalized result from a double precision divide: 000.FFFFFFFFFFFFF / 3FE.FFFFFFFFFFFFE soft: 001.0000000000000 ..... syst: 001.0000000000000 ...ux What it looks like is the results out of FP_DIV_D are: D: sign: 0 mantissa: 01000000 00000000 exp: -1023 (0) The problem seems like we aren't normalizing the result and bumping the exp. Now that I'm digging into this a bit I'm thinking my issue has to do with the fix DaveM put in place from back in Aug 2007 (commit 40584961): [MATH-EMU]: Fix underflow exception reporting. 2) we ended up rounding back up to normal (this is the case where we set the exponent to 1 and set the fraction to zero), this should set inexact too ... Another example, "0x0.0000000000001p-1022 / 16.0", should signal both inexact and underflow. The cpu implementations and ieee1754 literature is very clear about this. This is case #2 above. Here is the distilled glibc test case from Jakub Jelinek which prompted that commit: -------------------- #include <float.h> #include <fenv.h> #include <stdio.h> volatile double d = DBL_MIN; volatile double e = 0x0.0000000000001p-1022; volatile double f = 16.0; int main (void) { printf ("%x\n", fetestexcept (FE_UNDERFLOW)); d /= f; printf ("%x\n", fetestexcept (FE_UNDERFLOW)); e /= f; printf ("%x\n", fetestexcept (FE_UNDERFLOW)); return 0; } -------------------- It looks like the case I have we are exact before rounding, but think it looks like the rounding case since it appears as if "overflow is set". 000.FFFFFFFFFFFFF / 3FE.FFFFFFFFFFFFE = 001.0000000000000 I think the following adds the check for my case and still works for the issue your commit was trying to resolve. Signed-off-by:
-
Ilpo Järvinen authored
[ Upstream commit 53b12577 ] More breakage :-), part of timestamps just were previously overwritten. Signed-off-by:
-
Herbert Xu authored
[ Upstream commit 58ec3b4d ] Benjamin Thery tracked down a bug that explains many instances of the error unregister_netdevice: waiting for %s to become free. Usage count = %d It turns out that netdev_run_todo can dead-lock with itself if a second instance of it is run in a thread that will then free a reference to the device waited on by the first instance. The problem is really quite silly. We were trying to create parallelism where none was required. As netdev_run_todo always follows a RTNL section, and that todo tasks can only be added with the RTNL held, by definition you should only need to wait for the very ones that you've added and be done with it. There is no need for a second mutex or spinlock. This is exactly what the following patch does. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
-
Lennart Sorensen authored
commit 4a029abe upstream The scx200_i2c driver is missing the .class parameter, which means no i2c drivers are willing to probe for devices on the bus and attach to them. Signed-off-by:
Len Sorensen <lsorense@csclub.uwaterloo.ca> Signed-off-by:
Jean Delvare <khali@linux-fr.org> Signed-off-by:
-
Devin Heitmueller authored
commit 11fc9a4a upstream. DVB: s5h1411: Power down s5h1411 when not in use Power down the s5h1411 demodulator when not in use (on the Pinnacle 801e, this brings idle power from 123ma down to 84ma). Signed-off-by:
Devin Heitmueller <devin.heitmueller@gmail.com> Acked-by:
Steven Toth <stoth@linuxtv.org> Signed-off-by:
Mauro Carvalho Chehab <mchehab@redhat.com> Signed-off-by:
Michael Krufky <mkrufky@linuxtv.org> Signed-off-by:
-
Devin Heitmueller authored
commit f0d041e5 upstream. DVB: s5h1411: Perform s5h1411 soft reset after tuning If you instruct the tuner to change frequencies, it can take up to 2500ms to get a demod lock. By performing a soft reset after the tuning call (which is consistent with how the Pinnacle 801e Windows driver behaves), you get a demod lock inside of 300ms Signed-off-by:
-
Steven Toth authored
commit 1af46b45 upstream. DVB: s5h1411: bugfix: Setting serial or parallel mode could destroy bits Adding a serialmode function to read/and/or/write the register for safety. Signed-off-by:
-
Boris Dores authored
commit 3f93d1ad upstream. V4L: pvrusb2: Keep MPEG PTSs from drifting away This change was empirically figured out by Boris Dores after empirically comparing against behavior in the Windows driver. Signed-off-by:
Mike Isely <isely@pobox.com> Signed-off-by:
-
Guillem Jover authored
upstream commit df316e93 Currently not always an EV_SYN event is reported to userland after the EV_SW SW_LID event has been sent. This is easy to verify by using “input-events” from input-utils and just closing and opening the lid. Signed-off-by:
Guillem Jover <guillem.jover@nokia.com> Acked-by:
Dmitry Torokhov <dtor@mail.ru> Signed-off-by:
-
Takashi Iwai authored
commit d8009882 upstream The lock used in snd_ctl_dev_disconnect() should be card->ctl_files_rwlock for protection of card->ctl_files entries, instead of card->controls_rwsem. Reported-by:
Vegard Nossum <vegard.nossum@gmail.com> Signed-off-by:
Takashi Iwai <tiwai@suse.de> Signed-off-by:
Jaroslav Kysela <perex@perex.cz> Cc: Chris Wedgwood <cw@f00f.org> Signed-off-by:
-
Serge Hallyn authored
commit 3318a386 upstream While Linux doesn't honor setuid on scripts. However, it mistakenly behaves differently for file capabilities. This patch fixes that behavior by making sure that get_file_caps() begins with empty bprm->caps_*. That way when a script is loaded, its bprm->caps_* may be filled when binfmt_misc calls prepare_binprm(), but they will be cleared again when binfmt_elf calls prepare_binprm() next to read the interpreter's file capabilities. Signed-off-by:
Serge Hallyn <serue@us.ibm.com> Acked-by:
David Howells <dhowells@redhat.com> Acked-by:
Andrew G. Morgan <morgan@kernel.org> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
-
Johannes Berg authored
commit 48735d8d upstream If somebody sends an invalid beacon/probe response, that can trash the whole BSS descriptor. The descriptor is, luckily, large enough so that it cannot scribble past the end of it; it's well above 400 bytes long. Signed-off-by:
Johannes Berg <johannes@sipsolutions.net> Signed-off-by:
John W. Linville <linville@tuxdriver.com> Signed-off-by:
-
David Miller authored
commit f8d570a4 and 3b53fbf4 upstream (because once wasn't good enough...) __scm_destroy() walks the list of file descriptors in the scm_fp_list pointed to by the scm_cookie argument. Those, in turn, can close sockets and invoke __scm_destroy() again. There is nothing which limits how deeply this can occur. The idea for how to fix this is from Linus. Basically, we do all of the fput()s at the top level by collecting all of the scm_fp_list objects hit by an fput(). Inside of the initial __scm_destroy() we keep running the list until it is empty. Signed-off-by:
-
Andrew Vasquez authored
commit 031e134e upstream Firmware does not have the facilities to issue management server IOCBs. Signed-off-by:
Andrew Vasquez <andrew.vasquez@qlogic.com> Signed-off-by:
James Bottomley <James.Bottomley@HansenPartnership.com> Cc: Ferenc Wagner <wferi@niif.hu> Signed-off-by:
-
Benjamin Herrenschmidt authored
commit 3b274f44 upstream The cell_edac driver is setting the edac_mode field of the csrow's to an incorrect value, causing the sysfs show routine for that field to go out of an array bound and Oopsing the kernel when used. Signed-off-by:
Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by:
Doug Thompson <dougthompson@xmission.com> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
Eric Sandeen authored
This is a trivial backport of the following upstream commits: - bd39597c (ext2) - cdbf6dba (ext3) - 9d9f1775 (ext4) This addresses CVE-2008-3528 ext[234]: Avoid printk floods in the face of directory corruption Note: some people thinks this represents a security bug, since it might make the system go away while it is printing a large number of console messages, especially if a serial console is involved. Hence, it has been assigned CVE-2008-3528, but it requires that the attacker either has physical access to your machine to insert a USB disk with a corrupted filesystem image (at which point why not just hit the power button), or is otherwise able to convince the system administrator to mount an arbitrary filesystem image (at which point why not just include a setuid shell or world-writable hard disk device file or some such). Me, I think they're just being silly. --tytso Signed-off-by:
Eric Sandeen <sandeen@redhat.com> Signed-off-by:
"Theodore Ts'o" <tytso@mit.edu> Cc: linux-ext4@vger.kernel.org Cc: Eugene Teo <eugeneteo@kernel.sg> Signed-off-by:
-
David Brownell authored
commit 978ccaa8 upstream We can get the following oops from gpio_get_value_cansleep() when a GPIO controller doesn't provide a get() callback: Unable to handle kernel paging request for instruction fetch Faulting instruction address: 0x00000000 Oops: Kernel access of bad area, sig: 11 [#1] [...] NIP [00000000] 0x0 LR [c0182fb0] gpio_get_value_cansleep+0x40/0x50 Call Trace: [c7b79e80] [c0183f28] gpio_value_show+0x5c/0x94 [c7b79ea0] [c01a584c] dev_attr_show+0x30/0x7c [c7b79eb0] [c00d6b48] fill_read_buffer+0x68/0xe0 [c7b79ed0] [c00d6c54] sysfs_read_file+0x94/0xbc [c7b79ef0] [c008f24c] vfs_read+0xb4/0x16c [c7b79f10] [c008f580] sys_read+0x4c/0x90 [c7b79f40] [c0013a14] ret_from_syscall+0x0/0x38 It's OK to request the value of *any* GPIO; most GPIOs are bidirectional, so configuring them as outputs just enables an output driver and doesn't disable the input logic. So the problem is that gpio_get_value_cansleep() isn't making the same sanity check that gpio_get_value() does: making sure this GPIO isn't one of the atypical "no input logic" cases. Reported-by:
Anton Vorontsov <avorontsov@ru.mvista.com> Signed-off-by:
David Brownell <dbrownell@users.sourceforge.net> Signed-off-by:
-
- 22 Oct, 2008 16 commits
-
-
Greg Kroah-Hartman authored
-
Arjan van de Ven authored
commit 5ba2f67a upstream NULL function pointers are very bad security wise. This one got caught by kerneloops.org quite a few times, so it's happening in the field.... Fix is simple, check the function pointer for NULL, like 6 other places in the same function are already doing. Signed-off-by:
Arjan van de Ven <arjan@linux.intel.com> Signed-off-by:
-
Michael Krufky authored
(cherry picked from commit a636da6b) DVB: au0828: add support for another USB id for Hauppauge HVR950Q Add autodetection support for a new revision of the Hauppauge HVR950Q (2040:721e) Signed-off-by:
-
Matthias Hopf authored
commit 4b408939 upstream Olaf Kirch noticed that the i915_set_status_page() function of the i915 kernel driver calls ioremap with an address offset that is supplied by userspace via ioctl. The function zeroes the mapped memory via memset and tells the hardware about the address. Turns out that access to that ioctl is not restricted to root so users could probably exploit that to do nasty things. We haven't tried to write actual exploit code though. It only affects the Intel G33 series and newer. Signed-off-by:
Dave Airlie <airlied@redhat.com> Signed-off-by:
-
Zhao Yakui authored
upstream commmit: c2c78905 According to acpi spec , the objectes of _BCL and _BCM are required if integrated LCD is present and supports brightness level and the _BQC is the optional object. So the _BQC object will be ignored when the backlight device is registered. At the same time when there is no _BQC object, the current brightness will be set to the maximum. http://bugzilla.kernel.org/show_bug.cgi?id=10206Signed-off-by:
Zhao Yakui <yakui.zhao@intel.com> Signed-off-by:
-
Jean Delvare authored
based on commit 98dd22c3 upstream On the Shuttle SN68PT, FAN_CTL2 is apparently not connected to a fan, but to something else. One user has reported instant system power-off when changing the PWM2 duty cycle, so we disable it. I use the board name string as the trigger in case the same board is ever used in other systems. This closes lm-sensors ticket #2349: pwmconfig causes a hard poweroff http://www.lm-sensors.org/ticket/2349Signed-off-by:
-
Linus Torvalds authored
commit b5ff7df3 upstream Check mapped ranges on sysfs resource files This is loosely based on a patch by Jesse Barnes to check the user-space PCI mappings though the sysfs interfaces. Quoting Jesse's original explanation: It's fairly common for applications to map PCI resources through sysfs. However, with the current implementation, it's possible for an application to map far more than the range corresponding to the resourceN file it opened. This patch plugs that hole by checking the range at mmap time, similar to what is done on platforms like sparc64 in their lower level PCI remapping routines. It was initially put together to help debug the e1000e NVRAM corruption problem, since we initially thought an X driver might be walking past the end of one of its mappings and clobbering the NVRAM. It now looks like that's not the case, but doing the check is still important for obvious reasons. and this version of the patch differs in that it uses a helper function to clarify the code, and does all the checks in pages (instead of bytes) in order to avoid overflows when doing "<< PAGE_SHIFT" etc. [cebbert@redhat.com: backport, changing WARN() to printk()] Acked-by:
Jesse Barnes <jbarnes@virtuousgeek.org> Signed-off-by:
-
David Rientjes authored
commit 60e6258cd43f9b06884f04f0f7cefb9c40f17a32 upstream It's possible for get_wchan() to dereference past task->stack + THREAD_SIZE while iterating through instruction pointers if fp equals the upper boundary, causing a kernel panic. Signed-off-by:
David Rientjes <rientjes@google.com> Signed-off-by:
Ingo Molnar <mingo@elte.hu> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
-
Shaohua Li authored
commit 149e1637 upstream Disable ASPM on pre-1.1 PCIe devices, as many of them don't implement it correctly. Tested-by:
Jack Howarth <howarth@bromo.msbb.uc.edu> Signed-off-by:
-
Shaohua Li authored
commit 5fde244d upstream The ACPI FADT table includes an ASPM control bit. If the bit is set, do not enable ASPM since it may indicate that the platform doesn't actually support the feature. Tested-by:
-
Ralph Loader authored
Commit fe6c700f upstream V4L/DVB (9053): fix buffer overflow in uvc-video There is a buffer overflow in drivers/media/video/uvc/uvc_ctrl.c: INFO: 0xf2c5ce08-0xf2c5ce0b. First byte 0xa1 instead of 0xcc INFO: Allocated in uvc_query_v4l2_ctrl+0x3c/0x239 [uvcvideo] age=13 cpu=1 pid=4975 ... A fixed size 8-byte buffer is allocated, and a variable size field is read into it; there is no particular bound on the size of the field (it is dependent on hardware and configuration) and it can overflow [also verified by inserting printk's.] The patch attempts to size the buffer to the correctly. Signed-off-by:
Laurent Pinchart <laurent.pinchart@skynet.be> Signed-off-by:
-
Laurent Pinchart authored
commit 04793dd0 upstream Data buffers on the stack are not allowed for USB I/O. Use dynamically allocated buffers instead. Signed-off-by:
Bruce Schmid <duck@freescale.com> Signed-off-by:
Mauro Carvalho Chehab <mchehab@infradead.org> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
-
Laurent Pinchart authored
commit 54812c77 upstream [required to get the following two patches to apply] Although the V4L2 spec states that the minimum and maximum fields may not be valid for control types other than V4L2_CTRL_TYPE_INTEGER, it makes sense to set the bounds to 0 and 1 for boolean controls instead of returning uninitialized values. Signed-off-by:
-
Linus Torvalds authored
commit efc968d4 upstream This is debatable, but while we're debating it, let's disallow the combination of splice and an O_APPEND destination. It's not entirely clear what the semantics of O_APPEND should be, and POSIX apparently expects pwrite() to ignore O_APPEND, for example. So we could make up any semantics we want, including the old ones. But Miklos convinced me that we should at least give it some thought, and that accepting writes at arbitrary offsets is wrong at least for IS_APPEND() files (which always have O_APPEND set, even if the reverse isn't true: you can obviously have O_APPEND set on a regular file). So disallow O_APPEND entirely for now. I doubt anybody cares, and this way we have one less gray area to worry about. Reported-and-argued-for-by:
Miklos Szeredi <miklos@szeredi.hu> Acked-by:
Jens Axboe <ens.axboe@oracle.com> Signed-off-by:
-
Jean Delvare authored
cherry picked from commit a30ee3c7 The zr36067 driver is improperly declaring pixel format RGBP twice, once as "16-bit RGB LE" and once as "16-bit RGB BE". The latter is actually RGBR. Fix the code to properly map both pixel formats. Signed-off-by:
Trent Piepho <xyzzy@speakeasy.org> Signed-off-by:
-
Jean Delvare authored
(cherry picked from commit c37396c1) Fix the following crash in the bttv driver: BUG: unable to handle kernel NULL pointer dereference at 000000000000036c IP: [<ffffffffa037860a>] radio_open+0x3a/0x170 [bttv] This happens because radio_open assumes that all present bttv devices have a radio function. If a bttv device without radio and one with radio are installed on the same system, and the one without radio is registered first, then radio_open checks for the radio device number of a bttv device that has no radio function, and this breaks. All we have to do to fix it is to skip bttv devices without a radio function. Signed-off-by:
-
