- 09 Feb, 2005 3 commits
-
-
Dave Airlie authored
into starflyer.(none):/foo/airlied/bitkeeper/drm-latest
-
Dave Airlie authored
Close a race which could allow for privilege escalation by users with DRI privileges on Radeon hardware. Essentially, a malicious program could submit a packet containing an offset (possibly in main memory) to be rendered from/to, while a separate thread switched that offset in userspace rapidly between a valid value and an invalid one. radeon_check_and_fixup_offset() would pull the offset in from user space, check it, and spit it back out to user space to be copied in later by the emit code. It would sometimes catch the bad value, but sometimes the malicious program could modify it after the check and get an invalid offset rendered from/to. Fix this by allocating a temporary buffer and copying the data in at once.

While here, make the cliprects stuff not do the VERIFYAREA_READ and COPY_FROM_USER_UNCHECKED gymnastics, avoiding a lock order reversal on FreeBSD.

Performance impact is negligible -- no difference on r200 to ~1% improvement on rv200 in quake3 tests (P4 1Ghz, demofour at 1024x768, n=4 or 5)

From: Eric Anholt <anholt@freebsd.org> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
Dave Airlie authored
Bug fd.o 2489 Reporter: Aapo Tahkola <aet@rasterburn.org> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
- 07 Feb, 2005 17 commits
-
-
Andrew Vasquez authored
The qlogic driver complains about the use of smp_processor_id() in preemptible code. And it's right. But it's just for an affinity optimisation and we can validly quash the warning. Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Yoichi Yuasa authored
This patch fixes the following warning:

arch/mips/lib-32/dump_tlb.c: In function 'dump_tlb':
arch/mips/lib-32/dump_tlb.c:69: warning: control may reach end of non-void function 'msk2str' being inlined

This patch adds a return value when the page size does not match. Signed-off-by: Yoichi Yuasa <yuasa@hh.iij4u.or.jp> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Martin Kögler authored
We presently deadlock in low-latency mode because the receive code holds port.lock while calling into the tty code to perform echoing. The tty code calls back into the driver, which then takes port.lock. Fix that by dropping the lock around the echo call. Acked-by: Russell King <rmk@arm.linux.org.uk> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Suresh B. Siddha authored
Add the missing "lock" prefix in switch_to macro. Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Paolo 'Blaisorblade' Giarrusso authored
Frank Fricke reported that hostfs does not verify that a chmod +s, for instance, is done by a sufficiently privileged user, as long as the UML kernel itself can complete the operation on the host. So, for instance, if UML is run as root and under /mnt/host we have a hostfs mount, this works successfully:

paolo@zion:~ (0)$ chmod 4755 /mnt/host/bin/bash
paolo@zion:~ (0)$ ll /mnt/host/bin/bash
-rwsr-xr-x 1 root root 662724 2004-10-20 02:15 /mnt/host/bin/bash*

(bash refuses running as setuid, but you could have another shell on the host, as dash or whatever).

In general, if UML is run as uid 500 on the host, a hostfs mount is done and under the hostfs mount there is a file with uid 500 on the host, I can freely make it setuid (if it's executable). This is especially bad when UML is run as root (which you should not do), but is a problem in general, since it allows any user to create setuid 500 (in this example) executables on the host filesystem.

Finally, while I was looking at the chmod() implementation, I spotted a kludge in the code and explained it with a comment.

Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it> Cc: Frank 'xraz' Fricke <xraz@rwxr-xr-x.de> Cc: Alexander Viro <viro@parcelfarce.linux.theplanet.co.uk> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Paolo 'Blaisorblade' Giarrusso authored
Descend into arch/um/kernel/skas/util during make clean. Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Ingo Molnar authored
Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Nick Piggin authored
When a task is put to sleep, it is dequeued from the runqueue while it is still running. The problem is that on some arches that have non-atomic scheduling, the runqueue lock can be dropped and retaken in schedule() before the task actually schedules off, and wait_task_inactive did not account for this. Signed-off-by: Nick Piggin <nickpiggin@yahoo.com.au> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Alex Yustasov authored
Fix for resume on i850. Maybe for i855GM. Signed-off-by: Nigel Cunningham <ncunningham@linuxmail.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Christoph Hellwig authored
filemap_populate needs to be exported so that filesystems with their own vm_operations (like XFS) can use it. Cc: Nathan Scott <nathans@sgi.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
John Rose authored
Noted by David Woodhouse <dwmw2@infradead.org> Here's a fix for the ppc64 crash during boot. This corrects the offending function to use more conventional error codes. I'll follow up with return code cleanups for the entire module, and for RTAS code, since these are probably too big for 2.6.11. Signed-off-by: John Rose <johnrose@austin.ibm.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Linus Torvalds authored
The fix was just trying to hide the real bug, which was in an old udev script. The change made matters worse. Cset exclude: pavenis@latnet.lv[torvalds]|ChangeSet|20050202164823|05506
-
Peter Osterlund authored
mousedev_packet() clears list->ready too early when called with "tail == head - 1". The effect is that the last mouse event from the hardware isn't reported to userspace until another hardware mouse event arrives. This can make the left mouse button get stuck when tapping on a touchpad. When this happens, the button doesn't unstick until you interact with the touchpad again. Signed-off-by: Peter Osterlund <petero2@telia.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-
Linus Torvalds authored
bk://gkernel.bkbits.net/libata-2.6 into ppc970.osdl.org:/home/torvalds/v2.6/linux
-
Linus Torvalds authored
bk://gkernel.bkbits.net/misc-2.6 into ppc970.osdl.org:/home/torvalds/v2.6/linux
-
Linus Torvalds authored
bk://kernel.bkbits.net/davem/net-2.6 into ppc970.osdl.org:/home/torvalds/v2.6/linux
-
Linus Torvalds authored
bk://kernel.bkbits.net/davem/sparc-2.6 into ppc970.osdl.org:/home/torvalds/v2.6/linux
-
- 06 Feb, 2005 20 commits
-
-
Jeff Garzik authored
-
Jeff Garzik authored
As 'i' and 'host->id' are of different types (signed vs. unsigned), we need a cast. Eventually host->id should probably be made unsigned, but this requires further analysis.
-
David S. Miller authored
into kernel.bkbits.net:/home/davem/net-2.6
-
Jeff Garzik authored
into pobox.com:/garz/repo/libata-2.6
-
Matthew Wilcox authored
strcpy is undefined if src and dest overlap. That's clearly possible here with a sufficiently deep path on the server. Use memmove instead. Signed-off-by: Matthew Wilcox <matthew@wil.cx> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Chas Williams authored
Signed-off-by: Nishanth Aravamudan <nacc@us.ibm.com> Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Chas Williams authored
Signed-off-by: Nishanth Aravamudan <nacc@us.ibm.com> Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Chas Williams authored
Signed-off-by: Nishanth Aravamudan <nacc@us.ibm.com> Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Adrian Bunk authored
This patch makes some needlessly global code static. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Thomas Graf authored
NLMSG_GOODSIZE specifies a good default size for the skb tailroom used in netlink messages when the size is unknown at the time of the allocation. The current value doesn't make much sense anymore because skb_shared_info isn't taken into account which means that depending on the architecture NLMSG_GOODSIZE can exceed PAGE_SIZE resulting in a waste of almost a complete page. Using SKB_MAXORDER solves this potential leak at the cost of slightly smaller but safer sizes for some architectures. Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Patrick McHardy authored
another patch which I think should go in 2.6.11, it fixes a crash when unloading, then reloading iptable_nat. ip_nat_core doesn't clear the status bits in struct ip_conntrack on module unload, but zeroes out the nat area. When the module is loaded again and a connection times out ip_nat_cleanup_conntrack tries to list_del the zeroed list-head and crashes. There are probably more conditions under which it can crash or cause other misbehaviour. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
http://linux-mh.bkbits.net/bluetooth-2.6 into nuts.davemloft.net:/disk1/BK/net-2.6
-
Stephen Hemminger authored
Good catch.. netem needs to free skb's that are dropped due to loss simulation. Signed-off-by: David S. Miller <davem@davemloft.net>
-
Hideaki Yoshifuji authored
We need to fix tunnel list locking in ip6_tunnel.c as well. Noticed by jean-mickael guerin <jean-mickael.guerin@6WIND.com>. Signed-off-by: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Patrick McHardy authored
Jamal asked me to add back the call to pskb_expand_head before 2.6.11. This fixes a regression caused by my tc action cleanup patches, the tc actions must not replace packets, so it must prevent netfilter from doing so. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
-
David S. Miller authored
Based upon feedback from Linus:
- Touch on xchg(), cmpxchg() and spinlocks lightly.
- Discuss atomic_dec_and_test()
- Add some historical platform notes.
Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
read_unlock should order all previous memory operations before the atomic counter update to drop the lock. The debugging version of write_unlock had a similar error. Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Linus Torvalds authored
bk://bk.arm.linux.org.uk/linux-2.6-rmk into ppc970.osdl.org:/home/torvalds/v2.6/linux
-