- 03 Dec, 2009 1 commit
-
-
Jeff Layton authored
The scenario is this: The kernel gets EREMOTE and starts chasing a DFS referral at mount time. The tcon reference is put, which puts the session reference too, but neither pointer is zeroed out. The mount gets retried (goto try_mount_again) with new mount info. Session setup fails fails and rc ends up being non-zero. The code then falls through to the end and tries to put the previously freed tcon pointer again. Oops at: cifs_put_smb_ses+0x14/0xd0 Fix this by moving the initialization of the rc variable and the tcon, pSesInfo and srvTcp pointers below the try_mount_again label. Also, add a FreeXid() before the goto to prevent xid "leaks". Signed-off-by: Jeff Layton <jlayton@redhat.com> Reported-by: Gustavo Carvalho Homem <gustavo@angulosolido.pt> CC: stable <stable@kernel.org> Signed-off-by: Steve French <sfrench@us.ibm.com>
-
- 01 Dec, 2009 1 commit
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6Linus Torvalds authored
* 'security' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6: mac80211: fix spurious delBA handling mac80211: fix two remote exploits
-
- 30 Nov, 2009 38 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6Linus Torvalds authored
* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6: [SCSI] fix crash when disconnecting usb storage [SCSI] fix async scan add/remove race resulting in an oops [SCSI] sd: Return correct error code for DIF
-
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6Linus Torvalds authored
* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: gcm - fix another complete call in complete fuction crypto: padlock-aes - Use the correct mask when checking whether copying is required
-
git://git.kernel.org/pub/scm/linux/kernel/git/vapier/blackfinLinus Torvalds authored
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/vapier/blackfin: Blackfin: fix SMP build error in start_thread() Blackfin: fix memset in smp_send_reschedule() and -stop() Blackfin: fix typo in ptrace poking Blackfin: check for anomaly 05000475 Blackfin: work around testset anomaly 05000477 Blackfin: update anomaly lists Blackfin: fix cache Kconfig typo Blackfin: fix suspend/resume failure with some on-chip ROMs
-
git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6Linus Torvalds authored
* git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6: [CIFS] Fix sparse warning [CIFS] Duplicate data on appending to some Samba servers [CIFS] fix oops in cifs_lookup during net boot
-
git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/stagingLinus Torvalds authored
* 'i2c-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging: at24: Use timeout also for read i2c: Fix userspace_device list corruption MAINTAINERS: Add missing i2c files i2c/tsl2550: Fix lux value in extended mode
-
Linus Torvalds authored
* 'for-linus' of master.kernel.org:/home/rmk/linux-2.6-arm: [ARM] Update mach-types ARM: 5793/1: ARM: Check put_user fail in do_signal when enable OABI_COMPAT MAINTAINERS: add maintainer information for AMBA primecell drivers [ARM] pxa/spitz: fix compile regression on spitz ARM: PNX4008: i2c-pnx: use the same dev_id for request_irq and free_irq [ARM] pxa/cpufreq: fix index assignments for end marker ARM: PNX4008: fix watchdog device driver name [ARM] kmap: fix build errors with DEBUG_HIGHMEM enabled
-
git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpcLinus Torvalds authored
* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc: powerpc: Fix DEBUG_HIGHMEM build break from d4515646
-
Becky Bruce authored
Code was added to mm/higmem.c that depends on several kmap types that powerpc does not support. We add dummy invalid definitions for KM_NMI, KM_NM_PTE, and KM_IRQ_PTE. According to list discussion, this fix should not be needed anymore starting with 2.6.33. The code is commented to this effect so hopefully we will remember to remove this. Signed-off-by: Becky Bruce <beckyb@kernel.crashing.org> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide-2.6Linus Torvalds authored
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide-2.6: ide: fix ioctl to pass requested transfer mode to ide_find_dma_mode instead of UDMA6
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6Linus Torvalds authored
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6: sunsu: Use sunserial_console_termios() in sunsu_console_setup(). sunsu: Pass true 'ignore_line' to console match when RSC or LOM console. serial: suncore: Fix RSC/LOM handling in sunserial_console_termios(). serial: suncore: Add 'ignore_line' argument to sunserial_console_match(). sunsu: Fix detection of SU ports which are RSC console or control. sunsab: Do not set sunsab_reg.cons right before registering minors. sparc64: Fix definition of VMEMMAP_SIZE.
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds authored
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (42 commits) b44: Fix wedge when using netconsole. wan: cosa: drop chan->wsem on error path ep93xx-eth: check for zero MAC address on probe, not on device open NET: smc91x: Fix irq flags smsc9420: prevent BUG() if ethtool is called with interface down r8169: restore mac addr in rtl8169_remove_one and rtl_shutdown ipv4: additional update of dev_net(dev) to struct *net in ip_fragment.c, NULL ptr OOPS e100: Use pci pool to work around GFP_ATOMIC order 5 memory allocation failure sctp: on T3_RTX retransmit all the in-flight chunks pktgen: Fix netdevice unregister macvlan: fix gso_max_size setting rfkill: fix miscdev ops ath9k: set ps_default as false hso: fix soft-lockup hso: fix debug routines pktgen: Fix device name compares stmmac: do not fail when the timer cannot be used. stmmac: fixed a compilation error when use the external timer netfilter: xt_limit: fix invalid return code in limit_mt_check() Au1x00: fix crash when trying register_netdev() ...
-
git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuseLinus Torvalds authored
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse: fuse: reject O_DIRECT flag also in fuse_create
-
git://git.kernel.org/pub/scm/linux/kernel/git/dtor/inputLinus Torvalds authored
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: keyboard - fix braille keyboard keysym generation
-
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/suspend-2.6Linus Torvalds authored
* 'pm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/suspend-2.6: PM: fix irq enable/disable in runtime PM code
-
git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6Linus Torvalds authored
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6: firewire: ohci: pass correct iso xmit timestamps to core firewire: ohci: Make cycleMatch ISO transmission work
-
git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6Linus Torvalds authored
* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6: V4L/DVB (13372): staging/go7007: fix mutex function usage for s2250 staging/go7007: Fix compilation by re-adding the missing s2250-loader.h V4L/DVB (13530): Fix wrong parameter order in memset V4L/DVB (13481): sh_mobile_ceu_camera: fix compile warning V4L/DVB (13436): cxusb: Fix hang on DViCO FusionHDTV DVB-T Dual Digital 4 (rev 1) V4L/DVB (13412): SMS_SIANO_MDTV should depend on HAS_DMA V4L/DVB (13372a): MAINTAINERS: addition of gspca_gl860 driver V4L/DVB (13371): davinci: remove stray duplicate config pointer V4L/DVB (13366): em28xx: fix Reddo DVB-C USB TV Box GPIO V4L/DVB (13345): soc-camera: sh_mobile_ceu_camera: call pm_runtime_disable V4L/DVB (13344): soc-camera: properly initialise the device object when reusing V4L/DVB (13343): v4l: add more missing linux/sched.h includes V4L/DVB (13321): radio-gemtek-pci: fix double mutex_lock
-
git://git.kernel.org/pub/scm/linux/kernel/git/anholt/drm-intelLinus Torvalds authored
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/anholt/drm-intel: drm/i915: Select CONFIG_SHMEM drm/i915: Fix CRT hotplug detect by checking really no channels attached agp/intel: new host bridge support drm/i915: Add more registers save/restore for Ironlake suspend drm/i915: Fix IRQ stall issue on Ironlake drm/i915: HDMI hardware workaround for Ironlake drm/i915: Fix and cleanup DPLL calculation for Ironlake drm/i915: Avoid potential sleep whilst holding spinlock
-
git://git.kernel.dk/linux-2.6-blockLinus Torvalds authored
* 'for-linus' of git://git.kernel.dk/linux-2.6-block: cciss: make device attrs static Thaw refrigerated bdi flusher threads before invoking kthread_stop on them
-
git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6Linus Torvalds authored
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6: acerhdf: return temperature in milidegree instead of degree thinkpad-acpi: fix detection of old ThinkPads thinkpad-acpi: fix sign of ERESTARTSYS return ACPI: Add Thinkpad T400, T500 to OSI(Linux) white-list ACPICA: Silence the warning about _BIF returning the buffer ACPI: DMI init_set_sci_en_on_resume for HP-Compaq C700
-
git://git.kernel.org/pub/scm/linux/kernel/git/davej/cpufreqLinus Torvalds authored
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/davej/cpufreq: [CPUFREQ] Enable ACPI PDC handshake for VIA/Centaur CPUs
-
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6Linus Torvalds authored
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6: ALSA: AACI: fix recording bug ALSA: AACI: fix AC97 multiple-open bug ASoC: AIC23: Fixing infinite loop in resume path ASoC: Fix suspend with active audio streams
-
git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6Linus Torvalds authored
* 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6: drm/fb: fix FBIOGET/PUT_VSCREENINFO pixel clock handling drm: make sure page protections are updated after changing vm_flags drm/radeon/kms: Report vga connector is connected according to ddc_probe drm: mm always protect change to unused_nodes with unused_lock spinlock drm/radeon/kms: Disable TV load detect on RS400,RC410,RS480 drm/radeon/kms: read back register before writing in IIO. drm/radeon/kms: fix handling of d1/d2 vga drm: work around EDIDs with bad htotal/vtotal values drm/radeon/kms: resume AGP by calling init.
-
git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_txLinus Torvalds authored
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_tx: shdma: fix initialization error handling ioat3: fix pq completion versus channel deallocation race async_tx: build-time toggling of async_{syndrome,xor}_val dma support dmaengine: include xor/pq validate in device_has_all_tx_types() ioat2,3: report all uncorrectable errors ioat3: specify valid address for disabled-Q or disabled-P ioat2,3: disable asynchronous error notifications ioat3: dca and raid operations are incompatible ioat: silence "dca disabled" messages
-
git://ftp.linux-mips.org/pub/scm/upstream-linusLinus Torvalds authored
* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus: Staging: octeon-ethernet: Assign proper MAC addresses. Staging: Octeon: Use symbolic values for irq numbers. MIPS: Octeon: Fix compile error in drivers/staging/octeon/ethernet-mdio.c
-
David Woodhouse authored
In 2.6.23 kernel, commit a32ea1e1 ("Fix read/truncate race") fixed a race in the generic code, and as a side effect, now do_generic_file_read() can ask us to readpage() past the i_size. This seems to be correctly handled by the block routines (e.g. block_read_full_page() fills the page with zeroes in case if somebody is trying to read past the last inode's block). JFFS2 doesn't handle this; it assumes that it won't be asked to read pages which don't exist -- and thus that there will be at least _one_ valid 'frag' on the page it's being asked to read. It will fill any holes with the following memset: memset(buf, 0, min(end, frag->ofs + frag->size) - offset); When the 'closest smaller match' returned by jffs2_lookup_node_frag() is actually on a previous page and ends before 'offset', that results in: memset(buf, 0, <huge unsigned negative>); Hopefully, in most cases the corruption is fatal, and quickly causing random oopses, like this: root@10.0.0.4:~/ltp-fs-20090531# ./testcases/kernel/fs/ftest/ftest01 Unable to handle kernel paging request for data at address 0x00000008 Faulting instruction address: 0xc01cd980 Oops: Kernel access of bad area, sig: 11 [#1] [...] NIP [c01cd980] rb_insert_color+0x38/0x184 LR [c0043978] enqueue_hrtimer+0x88/0xc4 Call Trace: [c6c63b60] [c004f9a8] tick_sched_timer+0xa0/0xe4 (unreliable) [c6c63b80] [c0043978] enqueue_hrtimer+0x88/0xc4 [c6c63b90] [c0043a48] __run_hrtimer+0x94/0xbc [c6c63bb0] [c0044628] hrtimer_interrupt+0x140/0x2b8 [c6c63c10] [c000f8e8] timer_interrupt+0x13c/0x254 [c6c63c30] [c001352c] ret_from_except+0x0/0x14 --- Exception: 901 at memset+0x38/0x5c LR = jffs2_read_inode_range+0x144/0x17c [c6c63cf0] [00000000] (null) (unreliable) This patch fixes the issue, plus fixes all LTP tests on NAND/UBI with JFFS2 filesystem that were failing since 2.6.23 (seems like the bug above also broke the truncation). Reported-By: Anton Vorontsov <avorontsov@ru.mvista.com> Tested-By: Anton Vorontsov <avorontsov@ru.mvista.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Geert Uytterhoeven authored
The fbdev mailing lists at SourceForge have been migrated to a single mailing list at kernel.org: linux-fbdev@vger.kernel.org. Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org> Acked-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-2.6-kconfigLinus Torvalds authored
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-2.6-kconfig: kconfig: Fix make O=<dir> local{mod,yes}config
-
git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-devLinus Torvalds authored
* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev: sata_fsl: Split hard and soft reset
-
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-2.6-fscacheLinus Torvalds authored
* git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-2.6-fscache: (31 commits) FS-Cache: Provide nop fscache_stat_d() if CONFIG_FSCACHE_STATS=n SLOW_WORK: Fix GFS2 to #include <linux/module.h> before using THIS_MODULE SLOW_WORK: Fix CIFS to pass THIS_MODULE to slow_work_register_user() CacheFiles: Don't log lookup/create failing with ENOBUFS CacheFiles: Catch an overly long wait for an old active object CacheFiles: Better showing of debugging information in active object problems CacheFiles: Mark parent directory locks as I_MUTEX_PARENT to keep lockdep happy CacheFiles: Handle truncate unlocking the page we're reading CacheFiles: Don't write a full page if there's only a partial page to cache FS-Cache: Actually requeue an object when requested FS-Cache: Start processing an object's operations on that object's death FS-Cache: Make sure FSCACHE_COOKIE_LOOKING_UP cleared on lookup failure FS-Cache: Add a retirement stat counter FS-Cache: Handle pages pending storage that get evicted under OOM conditions FS-Cache: Handle read request vs lookup, creation or other cache failure FS-Cache: Don't delete pending pages from the page-store tracking tree FS-Cache: Fix lock misorder in fscache_write_op() FS-Cache: The object-available state can't rely on the cookie to be available FS-Cache: Permit cache retrieval ops to be interrupted in the initial wait phase FS-Cache: Use radix tree preload correctly in tracking of pages to be stored ...
-
Pete Eberlein authored
Fix mutex function usage, which was overlooked in a previous patch. Signed-off-by: Pete Eberlein <pete@sensoray.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
-
Mauro Carvalho Chehab authored
As pointed by Stefan Lippers-Hollmann <s.L-H@gmx.de>, Commit: fd9a40da broke s2250 compilation. This patch re-adds the missing s2250-loader.h Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
-
Johannes Berg authored
Lennert Buytenhek noticed that delBA handling in mac80211 was broken and has remotely triggerable problems, some of which are due to some code shuffling I did that ended up changing the order in which things were done -- this was commit d75636ef Author: Johannes Berg <johannes@sipsolutions.net> Date: Tue Feb 10 21:25:53 2009 +0100 mac80211: RX aggregation: clean up stop session and other parts were already present in the original commit d92684e6 Author: Ron Rindjunsky <ron.rindjunsky@intel.com> Date: Mon Jan 28 14:07:22 2008 +0200 mac80211: A-MPDU Tx add delBA from recipient support The first problem is that I moved a BUG_ON before various checks -- thereby making it possible to hit. As the comment indicates, the BUG_ON can be removed since the ampdu_action callback must already exist when the state is != IDLE. The second problem isn't easily exploitable but there's a race condition due to unconditionally setting the state to OPERATIONAL when a delBA frame is received, even when no aggregation session was ever initiated. All the drivers accept stopping the session even then, but that opens a race window where crashes could happen before the driver accepts it. Right now, a WARN_ON may happen with non-HT drivers, while the race opens only for HT drivers. For this case, there are two things necessary to fix it: 1) don't process spurious delBA frames, and be more careful about the session state; don't drop the lock 2) HT drivers need to be prepared to handle a session stop even before the session was really started -- this is true for all drivers (that support aggregation) but iwlwifi which can be fixed easily. The other HT drivers (ath9k and ar9170) are behaving properly already. Reported-by: Lennert Buytenhek <buytenh@marvell.com> Cc: stable@kernel.org Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Johannes Berg authored
Lennert Buytenhek noticed a remotely triggerable problem in mac80211, which is due to some code shuffling I did that ended up changing the order in which things were done -- this was in commit d75636ef Author: Johannes Berg <johannes@sipsolutions.net> Date: Tue Feb 10 21:25:53 2009 +0100 mac80211: RX aggregation: clean up stop session The problem is that the BUG_ON moved before the various checks, and as such can be triggered. As the comment indicates, the BUG_ON can be removed since the ampdu_action callback must already exist when the state is OPERATIONAL. A similar code path leads to a WARN_ON in ieee80211_stop_tx_ba_session, which can also be removed. Cc: stable@kernel.org [2.6.29+] Cc: Lennert Buytenhek <buytenh@marvell.com> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Gertjan van Wingerde authored
We can have bzip2 compressed images nowadays. Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Helge Deller authored
kernel unwinding is broken with gcc >= 4.x. Part of the problem is that binutils seems very sensitive to where the unwind information is stored. Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Kyle McMartin <kyle@mcmartin.ca> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Russell King authored
pcm->r[1].slots is the double rate slot information, not the capture information. For capture, 'pcm' will already be the capture ac97 pcm structure. Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> Cc: <stable@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Russell King authored
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> Cc: <stable@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Takashi Iwai authored
-