- 09 Dec, 2006 4 commits
-
-
Adrian Bunk authored
-
Chuck Ebbert authored
Fix check for bad address; use macro instead of open-coding two checks. Taken from RHEL4 kernel update. From: Ernie Petrides <petrides@redhat.com> For background, the BAD_ADDR() macro should return TRUE if the address is TASK_SIZE, because that's the lowest address that is *not* valid for user-space mappings. The macro was correct in binfmt_aout.c but was wrong for the "equal to" case in binfmt_elf.c. There were two in-line validations of user-space addresses in binfmt_elf.c, which have been appropriately converted to use the corrected BAD_ADDR() macro in the patch you posted yesterday. Note that the size checks against TASK_SIZE are okay as coded. The additional changes that I propose are below. These are in the error paths for bad ELF entry addresses once load_elf_binary() has already committed to exec'ing the new image (following the tearing down of the task's original address space). The 1st hunk deals with the interp-side of the outer "if". There were two problems here. The printk() should be removed because this path can be triggered at will by a bogus interpreter image created and used by a malicious user. Further, the error code should not be ENOEXEC, because that causes the loop in search_binary_handler() to continue trying other exec handlers (twice, in fact). But it's too late for this to work correctly, because the user address space has already been torn down, and an exec() failure cannot be returned to the user code because the code no longer exists. The only recovery is to force a SIGSEGV, but it's best to terminate the search loop immediately. I somewhat arbitrarily chose EINVAL as a fallback error code, but any error returned by load_elf_interp() will override that (but this value will never be seen by user-space). The 2nd hunk deals with the non-interp-side of the outer "if". There were two problems here as well. The SIGSEGV needs to be forced, because a prior sigaction() syscall might have set the associated disposition to SIG_IGN. And the ENOEXEC should be changed to EINVAL as described above. Signed-off-by:
Chuck Ebbert <76306.1226@compuserve.com> Signed-off-by:
Adrian Bunk <bunk@stusta.de>
-
David S. Miller authored
We grab a reference to the route's inetpeer entry but forget to release it in xfrm4_dst_destroy(). Bug discovered by Kazunori MIYAZAWA <kazunori@miyazawa.org> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Patrick McHardy authored
Currently the behaviour of disable_xfrm is inconsistent between locally generated and forwarded packets. For locally generated packets disable_xfrm disables the policy lookup if it is set on the output device, for forwarded traffic however it looks at the input device. This makes it impossible to disable xfrm on all devices but a dummy device and use normal routing to direct traffic to that device. Always use the output device when checking disable_xfrm. Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
-
- 08 Dec, 2006 8 commits
-
-
Adrian Bunk authored
This patch reverts the quirk_via_irq changes in 2.6.16.17 that caused regressions for several people. Signed-off-by: -
Daniel Ritz authored
Signed-off-by:
Daniel Ritz <daniel.ritz@gmx.ch> Signed-off-by:
-
Daniel Ritz authored
- add the ICH6(R) LPC to the ICH6 ACPI quirks. currently only the ICH6-M is handled. [ PCI_DEVICE_ID_INTEL_ICH6_1 is the ICH6-M LPC, ICH6_0 is the ICH6(R) ] Signed-off-by:
-
Jean Delvare authored
Unhide the SMBus controller on the Asus PU-DLS board. This fixes bug #6763. Signed-off-by:
Jean Delvare <khali@linux-fr.org> Signed-off-by:
-
Bjorn Helgaas authored
Without this quirk, e100 can be pulling on a shared interrupt line when another device (eg. USB) loads, causing the interrupt to scream and get disabled. http://bugzilla.kernel.org/show_bug.cgi?id=5918Signed-off-by:
Bjorn Helgaas <bjorn.helgaas@hp.com> Signed-off-by:
-
Linus Torvalds authored
This is confirmed to fix a hang due to PCI resource conflicts with setting up the Cardbus bridge on old laptops with the 440MX chipsets. Original report by Alessio Sangalli, lspci debugging help by Pekka Enberg, and trial patch suggested by Daniel Ritz: "From the docs available i would _guess_ this thing is really similar to the 82443BX/82371AB combination. at least the SMBus base address register is hidden at the very same place (32bit at 0x90 in function 3 of the "south" brigde)" The dang thing is largely undocumented, but the patch was corroborated by Asit Mallick: "I am trying to find the register information. 440MX is an integration of 440BX north-bridge without AGP and PIIX4E (82371EB). PIIX4 quirk should cover the ACPI and SMBus related I/O registers." and verified to fix the problem by Alessio. Signed-off-by:
Linus Torvalds <torvalds@osdl.org> Signed-off-by:
-
Brice Goglin authored
The nVidia CK804 PCI-E chipset supports the AER extended capability but sometimes fails to link it (with some BIOS or after a warm reboot). It makes the AER cap invisible to pci_find_ext_capability(). The patch adds a quirk to set the missing bit that controls the linking of the capability. By the way, it removes the corresponding code in the myri10ge driver. Signed-off-by:
Brice Goglin <brice@myri.com> Signed-off-by:
-
John W. Linville authored
The naming of the constant defined for PCI ID 1022:7450 does not seem to match the information at http://pciids.sourceforge.net/: http://pci-ids.ucw.cz/iii/?i=1022 There 1022:7450 is listed as "AMD-8131 PCI-X Bridge" while 1022:7451 is listed as "AMD-8131 PCI-X IOAPIC". Yet, the current definition for 0x7450 is PCI_DEVICE_ID_AMD_8131_APIC. It seems to me like that name should map to 0x7451, while a name like PCI_DEVICE_ID_AMD_8131_BRIDGE should map to 0x7450. Signed-off-by:
John W. Linville <linville@tuxdriver.com> Signed-off-by:
-
- 06 Dec, 2006 2 commits
-
-
Ralf Baechle authored
<linux/mempolicy.h> uses struct mm_struct and relies on a definition or declaration somehow magically being dragged in which may result in a build: CC mm/mempolicy.o In file included from mm/mempolicy.c:69: include/linux/mempolicy.h:150: warning: 'struct mm_struct' declared inside parameter list include/linux/mempolicy.h:150: warning: its scope is only this definition or declaration, which is probably not what you want include/linux/mempolicy.h:174: warning: 'struct mm_struct' declared inside parameter list mm/mempolicy.c:673: error: conflicting types for 'do_migrate_pages' include/linux/mempolicy.h:174: error: previous declaration of 'do_migrate_pages' was here mm/mempolicy.c:1696: error: conflicting types for 'mpol_rebind_mm' include/linux/mempolicy.h:150: error: previous declaration of 'mpol_rebind_mm' was here make[1]: *** [mm/mempolicy.o] Error 1 make: *** [mm] Error 2 $ Including <linux/sched.h> is a step into direction of include hell so fixed by adding a forward declaration of struct mm_struct instead. Signed-off-by:
Ralf Baechle <ralf@linux-mips.org> Signed-off-by:
-
Adrian Bunk authored
-
- 04 Dec, 2006 20 commits
-
-
Adrian Bunk authored
-
Chris Wright authored
Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751). Signed-off-by:
Chris Wright <chrisw@sous-sol.org> Acked-by:
Stephen Hemminger <shemminger@osdl.org> Acked-by:
-
Trond Myklebust authored
fcntl(F_SETSIG) no longer works on leases because lease_release_private_callback() gets called as the lease is copied in order to initialise it. The problem is that lease_alloc() performs an unnecessary initialisation, which sets the lease_manager_ops. Avoid the problem by allocating the target lease structure using locks_alloc_lock(). Signed-off-by:
Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by:
-
Jens Axboe authored
cciss needs to call disk_stat_add() for iostat to work. Signed-off-by:
Jens Axboe <jens.axboe@oracle.com> Signed-off-by:
-
Jens Axboe authored
cpqarray needs to call disk_stat_add() for iostat to work. Signed-off-by:
-
Michael De Backer authored
Configuration bits are not set properly for DMA on some chipset revisions. It has already been corrected for M5229 (rev c7) but not for M5229 (rev c8). This leads to the bug described at http://bugzilla.kernel.org/show_bug.cgi?id=5786 (lost interrupt + ide bus hangs). Signed-off-by:
Michael De Backer <micdb@skynet.be> Signed-off-by:
-
Fernando J. Pereda authored
There appears to be a typo in the EV56 config option. NORITAKE and PRIMO are be able to set a variation of either. Signed-off-by:
Daniel Drake <dsd@gentoo.org> Signed-off-by:
-
Jiri Slaby authored
port is dereferenced even if it is NULL. Dereference it _after_ the check if (!port)... Thanks Eric <ef87@yahoo.com> for reporting this. This fixes http://bugzilla.kernel.org/show_bug.cgi?id=7527Signed-off-by:Jiri Slaby <jirislaby@gmail.com> Signed-off-by:
-
Roberto Castagnola authored
MX300 does not have an EXTRA_BTN - it is a simple wheel mouse with an additional task-switcher button, which is reported as side button (and not task button). Signed-off-by:
Dmitry Torokhov <dtor@mail.ru> Signed-off-by:
-
Zbigniew Luszpinski authored
Signed-off-by:
-
Zhou Yingchao authored
An up() is called in kernel/stop_machine.c on failure, and also in the caller (unconditionally). Signed-off-by:
Zhou Yingchao <yingchao.zhou@gmail.com> Signed-off-by:
-
Al Viro authored
Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk> Signed-off-by:
-
Al Viro authored
No need to revisit a chain we'd already finished with during the check for current hook. It's either instant loop (which we'd just detected) or a duplicate work. Signed-off-by:
-
Al Viro authored
We need that for iterator to work; existing check had been too weak. Signed-off-by:
-
Al Viro authored
We need to verify that a) we are not too close to the end of buffer to dereference b) next entry we'll be checking won't be _before_ our While we are at it, don't subtract unrelated pointers... Signed-off-by: -
Patrick McHardy authored
The tc actions increased the size of struct tc_police, which broke compatibility with old iproute binaries since both the act_police and the old NET_CLS_POLICE code check for an exact size match. Since the new members are not even used, the simple fix is to also accept the size of the old structure. Dumping is not affected since old userspace will receive a bigger structure, which is handled fine. Signed-off-by:
Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by:
-
Kim Nordlund authored
Not returning -EINVAL, because someone might want to use the value zero in some future gact_prob algorithm? Signed-off-by:
Kim Nordlund <kim.nordlund@nokia.com> Signed-off-by:
-
Dave Kleikamp authored
diRead and diWrite are representing the page number as an unsigned int. This causes file system corruption on volumes larger than 16TB. Signed-off-by:
Dave Kleikamp <shaggy@austin.ibm.com> Signed-off-by:
-
YOSHIFUJI Hideaki authored
TCP and RAW do not have this issue. Closes Bug #7432. Signed-off-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by:
-
Adrian Bunk authored
Spotted by Thomas Voegtle. Signed-off-by:
-
- 29 Nov, 2006 6 commits
-
-
Josh Triplett authored
Commit 7b2fd697427e73c81d5fa659efd91bd07d303b0e in the historical GIT tree stopped calling the readdir member of a file_operations struct with the big kernel lock held, and fixed up all the readdir functions to do their own locking. However, that change added calls to unlock_kernel() in vxfs_readdir, but no call to lock_kernel(). Fix this by adding a call to lock_kernel(). Signed-off-by:
Josh Triplett <josh@freedesktop.org> Signed-off-by:
-
Kyle McMartin authored
Signed-off-by:
Kyle McMartin <kyle@parisc-linux.org> Signed-off-by:
-
Jeremy Higdon authored
This patch removes a module_exit function that sgiioc4 should not have had. It seems that the IDE layer doesn't support submodule unloading. sgiioc4 was the only driver in drivers/ide/pci that had an exit function. After an unload, the devices would stay around and the next attempt to reference would crash... Signed-off-by:
Jeremy Higdon <jeremy@sgi.com> Signed-off-by:
-
Alexey Dobriyan authored
Convert various spin_lock_irqsave() callers to correctly use `unsigned long' Signed-off-by:
Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by:
-
Adrian Bunk authored
Backported from a patch by Mariusz Kozlowski <m.kozlowski@tuxland.pl> in 2.6.19. Signed-off-by: -
Vasily Tarasov authored
elv_iosched_show function iterates other elv_list, hence elv_list_lock should be got. Also the question is: in elv_iosched_show, elv_iosched_store q->elevator->elevator_type construction is used without locking q->queue_lock. Is it expected?.. Signed-off-by:
Vasily Tarasov <vtaras@openvz.org> Acked-by:
-
