Home Home > GIT Browse
summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2006-04-10Linux 2.6.16.3v2.6.16.3Greg Kroah-Hartman
2006-04-10[PATCH] Keys: Fix oops when adding key to non-keyring [CVE-2006-1522]David Howells
This fixes the problem of an oops occuring when a user attempts to add a key to a non-keyring key [CVE-2006-1522]. The problem is that __keyring_search_one() doesn't check that the keyring it's been given is actually a keyring. I've fixed this problem by: (1) declaring that caller of __keyring_search_one() must guarantee that the keyring is a keyring; and (2) making key_create_or_update() check that the keyring is a keyring, and return -ENOTDIR if it isn't. This can be tested by: keyctl add user b b `keyctl add user a a @s` Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07Linux 2.6.16.2v2.6.16.2Greg Kroah-Hartman
2006-04-07[PATCH] kdump proc vmcore size oveflow fixVivek Goyal
A couple of /proc/vmcore data structures overflow with 32bit systems having memory more than 4G. This patch fixes those. Signed-off-by: Ken'ichi Ohmichi <oomichi@mxs.nes.nec.co.jp> Signed-off-by: Vivek Goyal <vgoyal@in.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] knfsd: Correct reserved reply space for read requests.NeilBrown
NFSd makes sure there is enough space to hold the maximum possible reply before accepting a request. The units for this maximum is (4byte) words. However in three places, particularly for read request, the number given is a number of bytes. This means too much space is reserved which is slightly wasteful. This is the sort of patch that could uncover a deeper bug, and it is not critical, so it would be best for it to spend a while in -mm before going in to mainline. (akpm: target 2.6.17-rc2, 2.6.16.3 (approx)) Discovered-by: "Eivind Sarto" <ivan@kasenna.com> Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] hostap: Fix EAPOL frame encryptionJouni Malinen
Fixed encrypted of EAPOL frames from wlan#ap interface (hostapd). This was broken when moving to use new frame control field defines in net/ieee80211.h. hostapd uses Protected flag, not protocol version (which was cleared in this function anyway). This fixes WPA group key handshake and re-authentication. http://hostap.epitest.fi/bugz/show_bug.cgi?id=126 Signed-off-by: Jouni Malinen <jkmaline@cc.hut.fi>
2006-04-07[PATCH] Add default entry for CTL Travel Master U553WTakashi Iwai
Added the default entry of ALC880 configuration table for CTL Travel Master U553W. This patch was already included in Linus' tree. Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] AIRO{,_CS} <-> CRYPTO fixesAdrian Bunk
CRYPTO is a helper variable, and to make it easier for users, it should therefore select'ed and not be listed in the dependencies. drivers/net/wireless/airo.c requires CONFIG_CRYPTO for compilations. Therefore, AIRO_CS also has to select CRYPTO. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] Fix NULL pointer dereference in node_read_numastat()Christoph Lameter
Fix NULL pointer dereference in node_read_numastat() zone_pcp() only returns valid values if the processor is online. Change node_read_numastat() to only scan online processors. Signed-off-by: Christoph Lameter <clameter@sgi.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] drivers/net/wireless/ipw2200.c: fix an array overunAdrian Bunk
This patch fixes a big array overun found by the Coverity checker. This was already fixed in Linus' tree. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] fbcon: Fix big-endian bogosity in slow_imageblit()Antonino A. Daplas
The monochrome->color expansion routine that handles bitmaps which have (widths % 8) != 0 (slow_imageblit) produces corrupt characters in big-endian. This is caused by a bogus bit test in slow_imageblit(). Fix. Signed-off-by: Antonino Daplas <adaplas@pol.net> Acked-by: Herbert Poetzl <herbert@13thfloor.at> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] fib_trie.c node freeing fixDavid S. Miller
Please apply to 2.6.{14,15,16} -stable, thanks a lot. From: Robert Olsson <robert.olsson@its.uu.se> [FIB_TRIE]: Fix leaf freeing. Seems like leaf (end-nodes) has been freed by __tnode_free_rcu and not by __leaf_free_rcu. This fixes the problem. Only tnode_free is now used which checks for appropriate node type. free_leaf can be removed. Signed-off-by: Robert Olsson <robert.olsson@its.uu.se> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] Fix module refcount leak in __set_personality()Sergey Vlasov
If the change of personality does not lead to change of exec domain, __set_personality() returned without releasing the module reference acquired by lookup_exec_domain(). This patch was already included in Linus' tree. Signed-off-by: Sergey Vlasov <vsu@altlinux.ru> Cc: Christoph Hellwig <hch@lst.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] Fix the p4-clockmod N60 errata workaround.Venkatesh Pallipadi
[CPUFREQ] Fix the p4-clockmod N60 errata workaround. Fix the code to disable freqs less than 2GHz in N60 errata. Signed-off-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com> Signed-off-by: Dave Jones <davej@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] wrong error path in dup_fd() leading to oopses in RCUKirill Korotaev
Wrong error path in dup_fd() - it should return NULL on error, not an address of already freed memory :/ Triggered by OpenVZ stress test suite. What is interesting is that it was causing different oopses in RCU like below: Call Trace: [<c013492c>] rcu_do_batch+0x2c/0x80 [<c0134bdd>] rcu_process_callbacks+0x3d/0x70 [<c0126cf3>] tasklet_action+0x73/0xe0 [<c01269aa>] __do_softirq+0x10a/0x130 [<c01058ff>] do_softirq+0x4f/0x60 ======================= [<c0113817>] smp_apic_timer_interrupt+0x77/0x110 [<c0103b54>] apic_timer_interrupt+0x1c/0x24 Code: Bad EIP value. <0>Kernel panic - not syncing: Fatal exception in interrupt Signed-Off-By: Pavel Emelianov <xemul@sw.ru> Signed-Off-By: Dmitry Mishin <dim@openvz.org> Signed-Off-By: Kirill Korotaev <dev@openvz.org> Signed-Off-By: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] {ip, nf}_conntrack_netlink: fix expectation notifier unregistrationMartin Josefsson
[NETFILTER]: {ip,nf}_conntrack_netlink: fix expectation notifier unregistration This patch fixes expectation notifier unregistration on module unload to use ip_conntrack_expect_unregister_notifier(). This bug causes a soft lockup at the first expectation created after a rmmod ; insmod of this module. Should go into -stable as well. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] isicom must select FW_LOADERmaximilian attems
The isicom driver uses request_firmware() and thus needs to select FW_LOADER. This patch was already included in Linus' tree. Signed-off-by: maximilian attems <maks@sternwelten.at> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] Mark longhaul driver as broken.Dave Jones
[CPUFREQ] Mark longhaul driver as broken. This seems to work for a short period of time, but when used in conjunction with a userspace governor that changes the frequency regularly, it's only a matter of time before everything just locks up. Signed-off-by: Dave Jones <davej@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] opti9x - Fix compile without CONFIG_PNPTakashi Iwai
Modules: Opti9xx drivers Fix compile errors without CONFIG_PNP. This patch was already included in Linus' tree. Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] pcmcia: permit single-character-identifiersJanos Farkas
For some time, the core pcmcia drivers seem not to think single character prod_ids are valid, thus preventing the "cleverly" named "D" "Link DWL-650 11Mbps WLAN Card" Before (as in 2.6.16): PRODID_1="" PRODID_2="Link DWL-650 11Mbps WLAN Card" PRODID_3="Version 01.02" PRODID_4="" MANFID=0156,0002 FUNCID=6 After (with the patch) PRODID_1="D" PRODID_2="Link DWL-650 11Mbps WLAN Card" PRODID_3="Version 01.02" PRODID_4="" MANFID=0156,0002 FUNCID=6 Signed-off-by: Janos Farkas <chexum@gmail.com> Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] PCMCIA_SPECTRUM must select FW_LOADERAdrian Bunk
PCMCIA_SPECTRUM must select FW_LOADER. Reported by "Alexander E. Patrakov" <patrakov@ums.usu.ru>. This patch was already included in Linus' tree. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] powerpc: make ISA floppies work againStephen Rothwell
We used to assume that a DMA mapping request with a NULL dev was for ISA DMA. This assumption was broken at some point. Now we explicitly pass the detected ISA PCI device in the floppy setup. Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] sbp2: fix spinlock recursionStefan Richter
sbp2util_mark_command_completed takes a lock which was already taken by sbp2scsi_complete_all_commands. This is a regression in Linux 2.6.15. Reported by Kristian Harms at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187394 Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] USB: usbcore: usb_set_configuration oops (NULL ptr dereference)Horst Schirmeier
When trying to deconfigure a device via usb_set_configuration(dev, 0), 2.6.16-rc kernels after 55c527187c9d78f840b284d596a0b298bc1493af oops with "Unable to handle NULL pointer dereference at...". This is due to an unchecked dereference of cp in the power budget part. This patch was already included in Linus' tree. Signed-off-by: Horst Schirmeier <horst@schirmeier.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2006-04-07[PATCH] USB: EHCI full speed ISO bugfixesClemens Ladisch
This patch replaces the split ISO raw_mask calculation code in the iso_stream_init() function that computed incorrect numbers of high speed transactions for both input and output transfers. In the output case, it added a superfluous start-split transaction for all maxmimum packet sizes that are a multiple of 188. In the input case, it forgot to add complete-split transactions for all microframes covered by the full speed transaction, and the additional complete-split transaction needed for the case when full speed data starts arriving near the end of a microframe. These changes don't affect the lack of full speed bandwidth, but at least it removes the MMF errors that the HC raised with some input streams. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] sysfs: zero terminate sysfs write buffers (CVE-2006-1055)Greg Kroah-Hartman
No one should be writing a PAGE_SIZE worth of data to a normal sysfs file, so properly terminate the buffer. Thanks to Al Viro for pointing out my stupidity here. CVE-2006-1055 has been assigned for this. Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] USB: Fix irda-usb use after useEugene Teo
Don't read from free'd memory after calling netif_rx(). docopy is used as a boolean (0 and 1) so unsigned int is sufficient. Coverity bug #928 Signed-off-by: Eugene Teo <eugene.teo@eugeneteo.net> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] tlclk: fix handling of device majorAndrew Morton
tlclk calls register_chrdev() and permits register_chrdev() to allocate the major, but it promptly forgets what that major was. So if there's no hardware present you still get "telco_clock" appearing in /proc/devices and, I assume, an oops reading /proc/devices if tlclk was a module. Fix. Mark, I'd suggest that that we not call register_chrdev() until _after_ we've established that the hardware is present. Cc: Mark Gross <mgross@linux.intel.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27Linux 2.6.16.1v2.6.16.1Greg Kroah-Hartman
2006-03-27[PATCH] Fix speedstep-smi assembly bug in speedstep_smi_ownershipAndrew Morton
Fix bug identified by Linus Torvalds <torvalds@osdl.org>: the `out' instruction depends upon the state of memory_data[], so we need to tell gcc that before executing it. (The opcode, not gcc). Fixes http://bugzilla.kernel.org/show_bug.cgi?id=5553 Thanks to Antonio Ospite <ospite@studenti.unina.it> for testing. Cc: Dave Jones <davej@codemonkey.org.uk> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] DMI: fix DMI onboard device discoveryAndrey Panin
Attached patch fixes invalid pointer arithmetic in DMI code to make onboard device discovery working again. akpm: bug has been present since dmi_find_device() was added in 2.6.14. Affects ipmi only (I think) - the symptoms weren't described. akpm: changed to use pointer arithmetic rather than open-coded sizeof. Signed-off-by: Andrey Panin <pazke@donpac.ru> Cc: Corey Minyard <minyard@acm.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] cciss: fix use-after-free in cciss_init_onePatrick McHardy
free_hba() sets hba[i] to NULL, the dereference afterwards results in this crash. Setting busy_initializing to 0 actually looks unnecessary, but I'm not entirely sure, which is why I left it in. cciss: controller appears to be disabled Unable to handle kernel NULL pointer dereference at virtual address 00000370 printing eip: c1114d53 *pde = 00000000 Oops: 0002 [#1] Modules linked in: CPU: 0 EIP: 0060:[<c1114d53>] Not tainted VLI EFLAGS: 00010286 (2.6.16 #1) EIP is at cciss_init_one+0x4e9/0x4fe eax: 00000000 ebx: c132cd60 ecx: c13154e4 edx: c27d3c00 esi: 00000000 edi: c2748800 ebp: c2536ee4 esp: c2536eb8 ds: 007b es: 007b ss: 0068 Process swapper (pid: 1, threadinfo=c2536000 task=c2535a30) Stack: <0>00000000 00000000 00000000 c13fdba0 c2536ee8 c13159c0 c2536f38 f7c74740 c132cd60 c132cd60 ffffffed c2536ef0 c10c1d51 c2748800 c2536f04 c10c1d85 c132cd60 c2748800 c132cd8c c2536f14 c10c1db8 c2748848 00000000 c2536f28 Call Trace: [<c10031d5>] show_stack_log_lvl+0xa8/0xb0 [<c1003305>] show_registers+0x102/0x16a [<c10034a2>] die+0xc1/0x13c [<c1288160>] do_page_fault+0x38a/0x525 [<c1002e9b>] error_code+0x4f/0x54 [<c10c1d51>] pci_call_probe+0xd/0x10 [<c10c1d85>] __pci_device_probe+0x31/0x43 [<c10c1db8>] pci_device_probe+0x21/0x34 [<c110a654>] driver_probe_device+0x44/0x99 [<c110a73f>] __driver_attach+0x39/0x5d [<c1109e1c>] bus_for_each_dev+0x35/0x5a [<c110a777>] driver_attach+0x14/0x16 [<c110a220>] bus_add_driver+0x5c/0x8f [<c110ab22>] driver_register+0x73/0x78 [<c10c1f6d>] __pci_register_driver+0x5f/0x71 [<c13bf935>] cciss_init+0x1a/0x1c [<c13aa718>] do_initcalls+0x4c/0x96 [<c13aa77e>] do_basic_setup+0x1c/0x1e [<c10002b1>] init+0x35/0x118 [<c1000cf5>] kernel_thread_helper+0x5/0xb Code: 04 b5 e0 de 40 c1 8d 50 04 8b 40 34 e8 3f b7 f9 ff 8b 04 b5 e0 de 40 c1 e8 aa f3 ff ff 89 f0 e8 e8 fa ff ff 8b 04 b5 e0 de 40 c1 <c7> 80 70 03 00 00 00 00 00 00 83 c8 ff 8d 65 f4 5b 5e 5f 5d c3 <0>Kernel panic - not syncing: Attempted to kill init! Signed-off-by: Patrick McHardy <kaber@trash.net> Cc: <mike.miller@hp.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] DM: Fix bug: BIO_RW_BARRIER requests to md/raid1 hang.Neil Brown
Both R1BIO_Barrier and R1BIO_Returned are 4 !!!! This means that barrier requests don't get returned (i.e. b_endio called) because it looks like they already have been. Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] fix scheduler deadlockAnton Blanchard
We have noticed lockups during boot when stress testing kexec on ppc64. Two cpus would deadlock in scheduler code trying to grab already taken spinlocks. The double_rq_lock code uses the address of the runqueue to order the taking of multiple locks. This address is a per cpu variable: if (rq1 < rq2) { spin_lock(&rq1->lock); spin_lock(&rq2->lock); } else { spin_lock(&rq2->lock); spin_lock(&rq1->lock); } On the other hand, the code in wake_sleeping_dependent uses the cpu id order to grab locks: for_each_cpu_mask(i, sibling_map) spin_lock(&cpu_rq(i)->lock); This means we rely on the address of per cpu data increasing as cpu ids increase. While this will be true for the generic percpu implementation it may not be true for arch specific implementations. One way to solve this is to always take runqueues in cpu id order. To do this we add a cpu variable to the runqueue and check it in the double runqueue locking functions. Signed-off-by: Anton Blanchard <anton@samba.org> Acked-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] proc: fix duplicate line in /proc/devicesNeil Horman
Fix a duplicate block device line printed after the "Block device" header in /proc/devices. Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] rtc.h broke strace(1) buildsJoe Korty
Git patch 52dfa9a64cfb3dd01fa1ee1150d589481e54e28e [PATCH] move rtc_interrupt() prototype to rtc.h broke strace(1) builds. The below moves the kernel-only additions lower, under the already provided #ifdef __KERNEL__ statement. Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] dm: bio split bvec fixAlasdair G Kergon
The code that handles bios that span table target boundaries by breaking them up into smaller bios will not split an individual struct bio_vec into more than two pieces. Sometimes more than that are required. This patch adds a loop to break the second piece up into as many pieces as are necessary. Cc: "Abhishek Gupta" <abhishekgupt@gmail.com> Cc: Dan Smith <danms@us.ibm.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] v9fs: assign dentry ops to negative dentriesLatchesar Ionkov
If a file is not found in v9fs_vfs_lookup, the function creates negative dentry, but doesn't assign any dentry ops. This leaves the negative entry in the cache (there is no d_delete to mark it for removal). If the file is created outside of the mounted v9fs filesystem, the file shows up in the directory with weird permissions. This patch assigns the default v9fs dentry ops to the negative dentry. Signed-off-by: Latchesar Ionkov <lucho@ionkov.net> Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] i810fb_cursor(): use GFP_ATOMICAntonino A. Daplas
The console cursor can be called in atomic context. Change memory allocation to use the GFP_ATOMIC flag in i810fb_cursor(). Signed-off-by: Antonino Daplas <adaplas@pol.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated.David S. Miller
The user can pass us arbitrary garbage so we should ensure the string they give us is null terminated before we pass it on to dev_get_by_index() et al. Found by Solar Designer. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] XFS writeout fixNathan Scott
[XFS] Check that a page has dirty buffers before finding it acceptable for rewrite clustering. This prevents writing excessive amounts of clean data when doing random rewrites of a cached file. Signed-off-by: David Chinner <dgc@sgi.com> Signed-off-by: Nathan Scott <nathans@sgi.com> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] sysfs: fix a kobject leak in sysfs_add_link on the error pathGreg Kroah-Hartman
As pointed out by Oliver Neukum. Cc: Maneesh Soni <maneesh@in.ibm.com> Cc: Oliver Neukum <oliver@neukum.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] get_cpu_sysdev() signedness fixAndrew Morton
Doing (int < NR_CPUS) doesn't dtrt if it's negative.. Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] firmware: fix BUG: in fw_realloc_bufferJeff Moyer
The fw_realloc_buffer routine does not handle an increase in buffer size of more than 4k. It's not clear to me why it expects that it will only get an extra 4k of data. The attached patch modifies fw_realloc_buffer to vmalloc as much memory as is requested, instead of what we previously had + 4k. I've tested this on my laptop, which would crash occaisionally on boot without the patch. With the patch, it hasn't crashed, but I can't be certain that this code path is exercised. Signed-off-by: Jeff Moyer <jmoyer@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] sysfs: sysfs_remove_dir() needs to invalidate the dentryGreg Kroah-Hartman
When calling sysfs_remove_dir() don't allow any further sysfs functions to work for this kobject anymore. This fixes a nasty USB cdc-acm oops on disconnect. Many thanks to Bob Copeland and Paul Fulghum for taking the time to track this down. Cc: Bob Copeland <email@bobcopeland.com> Cc: Paul Fulghum <paulkf@microgate.com> Cc: Maneesh Soni <maneesh@in.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] TCP: Do not use inet->id of global tcp_socket when sending RST ↵Alexey Kuznetsov
(CVE-2006-1242) The problem is in ip_push_pending_frames(), which uses: if (!df) { __ip_select_ident(iph, &rt->u.dst, 0); } else { iph->id = htons(inet->id++); } instead of ip_select_ident(). Right now I think the code is a nonsense. Most likely, I copied it from old ip_build_xmit(), where it was really special, we had to decide whether to generate unique ID when generating the first (well, the last) fragment. In ip_push_pending_frames() it does not make sense, it should use plain ip_select_ident() instead. Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] 2.6.xx: sata_mv: another critical fixMark Lord
This patch addresses a number of weird behaviours observed for the sata_mv driver, by fixing an "off by one" bug in processing of the EDMA response queue. Basically, sata_mv was looking in the wrong place for command results, and this produced a lot of unpredictable behaviour. Signed-off-by: Mark Lord <mlord@pobox.com> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] Kconfig: VIDEO_DECODER must select FW_LOADERMichael Krufky
The cx25840 module requires external firmware in order to function, so it must select FW_LOADER, but saa7115 and saa7129 do not require it. Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Cc: Mauro Carvalho Chehab <mchehab@infradead.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] V4L/DVB (3324): Fix Samsung tuner frequency rangesHans Verkuil
Forgot to take the NTSC frequency offset into account. Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] sata_mv: fix irq port status usageJeff Garzik
Interrupt handler did not properly initialize a variable on a per-port basis, leading to incorrect behavior on ports other than port 0. Bug caught and fixed by Mark Lord. Signed-off-by: Jeff Garzik <jeff@garzik.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>