[patch 09/59] NETFILTER: arp_tables: fix userspace compilation
-stable review patch. If anyone has any objections, please let us know. -- From: Patrick McHardy [EMAIL PROTECTED] The included patch translates arpt_counters to xt_counters, making userspace arptables compile against recent kernels. Signed-off-by: Bart De Schuymer [EMAIL PROTECTED] Signed-off-by: Patrick McHardy [EMAIL PROTECTED] Signed-off-by: Chris Wright [EMAIL PROTECTED] --- include/linux/netfilter_arp/arp_tables.h |1 + 1 file changed, 1 insertion(+) --- linux-2.6.19.2.orig/include/linux/netfilter_arp/arp_tables.h +++ linux-2.6.19.2/include/linux/netfilter_arp/arp_tables.h @@ -190,6 +190,7 @@ struct arpt_replace /* The argument to ARPT_SO_ADD_COUNTERS. */ #define arpt_counters_info xt_counters_info +#define arpt_counters xt_counters /* The argument to ARPT_SO_GET_ENTRIES. */ struct arpt_get_entries -- - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 17/59] PCI: prevent down_read when pci_devices is empty
-stable review patch. If anyone has any objections, please let us know.
--
From: Ard van Breemen [EMAIL PROTECTED]
The pci_find_subsys gets called very early by obsolete ide setup parameters.
This is a bogus call since pci is not initialized yet, so the list is empty.
But in the mean time, interrupts get enabled by down_read. This can result in
a kernel panic when the irq controller gets initialized.
This patch checks if the device list is empty before taking the semaphore, and
hence will not enable irq's. Furthermore it will inform that it is called
while pci_devices is empty as a reminder that the ide code needs to be fixed.
The pci_get_subsys can get called in the same manner, and as such is patched
in the same manner.
[EMAIL PROTECTED]: cleanups]
Signed-off-by: Ard van Breemen [EMAIL PROTECTED]
Cc: Greg KH [EMAIL PROTECTED]
Signed-off-by: Andrew Morton [EMAIL PROTECTED]
Signed-off-by: Linus Torvalds [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
This is the other half of the fix for bug #7505
drivers/pci/search.c | 24
1 file changed, 24 insertions(+)
--- linux-2.6.19.2.orig/drivers/pci/search.c
+++ linux-2.6.19.2/drivers/pci/search.c
@@ -193,6 +193,18 @@ static struct pci_dev * pci_find_subsys(
struct pci_dev *dev;
WARN_ON(in_interrupt());
+
+ /*
+* pci_find_subsys() can be called on the ide_setup() path, super-early
+* in boot. But the down_read() will enable local interrupts, which
+* can cause some machines to crash. So here we detect and flag that
+* situation and bail out early.
+*/
+ if (unlikely(list_empty(pci_devices))) {
+ printk(KERN_INFO pci_find_subsys() called while pci_devices
+ is still empty\n);
+ return NULL;
+ }
down_read(pci_bus_sem);
n = from ? from-global_list.next : pci_devices.next;
@@ -259,6 +271,18 @@ pci_get_subsys(unsigned int vendor, unsi
struct pci_dev *dev;
WARN_ON(in_interrupt());
+
+ /*
+* pci_get_subsys() can potentially be called by drivers super-early
+* in boot. But the down_read() will enable local interrupts, which
+* can cause some machines to crash. So here we detect and flag that
+* situation and bail out early.
+*/
+ if (unlikely(list_empty(pci_devices))) {
+ printk(KERN_NOTICE pci_get_subsys() called while pci_devices
+ is still empty\n);
+ return NULL;
+ }
down_read(pci_bus_sem);
n = from ? from-global_list.next : pci_devices.next;
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 05/59] md: pass down BIO_RW_SYNC in raid{1,10}
-stable review patch. If anyone has any objections, please let us know.
--
From: Lars Ellenberg [EMAIL PROTECTED]
md raidX make_request functions strip off the BIO_RW_SYNC flag, thus
introducing additional latency.
Fixing this in raid1 and raid10 seems to be straightforward enough.
For our particular usage case in DRBD, passing this flag improved some
initialization time from ~5 minutes to ~5 seconds.
Acked-by: NeilBrown [EMAIL PROTECTED]
Signed-off-by: Lars Ellenberg [EMAIL PROTECTED]
Acked-by: Jens Axboe [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Signed-off-by: Andrew Morton [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
drivers/md/raid1.c | 13 +
drivers/md/raid10.c | 11 ---
2 files changed, 17 insertions(+), 7 deletions(-)
--- linux-2.6.19.2.orig/drivers/md/raid1.c
+++ linux-2.6.19.2/drivers/md/raid1.c
@@ -775,6 +775,7 @@ static int make_request(request_queue_t
struct bio_list bl;
struct page **behind_pages = NULL;
const int rw = bio_data_dir(bio);
+ const int do_sync = bio_sync(bio);
int do_barriers;
/*
@@ -835,7 +836,7 @@ static int make_request(request_queue_t
read_bio-bi_sector = r1_bio-sector +
mirror-rdev-data_offset;
read_bio-bi_bdev = mirror-rdev-bdev;
read_bio-bi_end_io = raid1_end_read_request;
- read_bio-bi_rw = READ;
+ read_bio-bi_rw = READ | do_sync;
read_bio-bi_private = r1_bio;
generic_make_request(read_bio);
@@ -906,7 +907,7 @@ static int make_request(request_queue_t
mbio-bi_sector = r1_bio-sector +
conf-mirrors[i].rdev-data_offset;
mbio-bi_bdev = conf-mirrors[i].rdev-bdev;
mbio-bi_end_io = raid1_end_write_request;
- mbio-bi_rw = WRITE | do_barriers;
+ mbio-bi_rw = WRITE | do_barriers | do_sync;
mbio-bi_private = r1_bio;
if (behind_pages) {
@@ -941,6 +942,8 @@ static int make_request(request_queue_t
blk_plug_device(mddev-queue);
spin_unlock_irqrestore(conf-device_lock, flags);
+ if (do_sync)
+ md_wakeup_thread(mddev-thread);
#if 0
while ((bio = bio_list_pop(bl)) != NULL)
generic_make_request(bio);
@@ -1541,6 +1544,7 @@ static void raid1d(mddev_t *mddev)
* We already have a nr_pending reference on these
rdevs.
*/
int i;
+ const int do_sync = bio_sync(r1_bio-master_bio);
clear_bit(R1BIO_BarrierRetry, r1_bio-state);
clear_bit(R1BIO_Barrier, r1_bio-state);
for (i=0; i conf-raid_disks; i++)
@@ -1561,7 +1565,7 @@ static void raid1d(mddev_t *mddev)
conf-mirrors[i].rdev-data_offset;
bio-bi_bdev =
conf-mirrors[i].rdev-bdev;
bio-bi_end_io =
raid1_end_write_request;
- bio-bi_rw = WRITE;
+ bio-bi_rw = WRITE | do_sync;
bio-bi_private = r1_bio;
r1_bio-bios[i] = bio;
generic_make_request(bio);
@@ -1593,6 +1597,7 @@ static void raid1d(mddev_t *mddev)
(unsigned long long)r1_bio-sector);
raid_end_bio_io(r1_bio);
} else {
+ const int do_sync =
bio_sync(r1_bio-master_bio);
r1_bio-bios[r1_bio-read_disk] =
mddev-ro ? IO_BLOCKED : NULL;
r1_bio-read_disk = disk;
@@ -1608,7 +1613,7 @@ static void raid1d(mddev_t *mddev)
bio-bi_sector = r1_bio-sector +
rdev-data_offset;
bio-bi_bdev = rdev-bdev;
bio-bi_end_io = raid1_end_read_request;
- bio-bi_rw = READ;
+ bio-bi_rw = READ | do_sync;
bio-bi_private = r1_bio;
unplug = 1;
generic_make_request(bio);
--- linux-2.6.19.2.orig/drivers/md/raid10.c
+++ linux-2.6.19.2/drivers/md/raid10.c
@@ -782,6 +782,7 @@ static int make_request(request_queue_t
int i;
int chunk_sects = conf-chunk_mask + 1;
const int rw = bio_data_dir(bio);
+ const int do_sync = bio_sync(bio);
struct bio_list bl;
unsigned long flags;
@@ -863,7 +864,7 @@ static int make_request(request_queue_t
mirror-rdev-data_offset;
read_bio-bi_bdev = mirror-rdev-bdev
[patch 10/59] Repair snd-usb-usx2y over OHCI
-stable review patch. If anyone has any objections, please let us know.
--
From: Karsten Wiese [EMAIL PROTECTED]
The previous patch Repair snd-usb-usx2y for usb 2.6.18 assumed
urb-start_frame roll over beyond MAX_INT for both UHCI OHCI.
This isn't true until now (kernel 2.6.20).
Fix this by only looking at the common between OHCI UHCI Frame number
range.
This is for mainline and stable kernels = 2.6.18.
Signed-off-by: Karsten Wiese [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
sound/usb/usx2y/usbusx2yaudio.c |2 +-
sound/usb/usx2y/usx2yhwdeppcm.c |2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- linux-2.6.19.2.orig/sound/usb/usx2y/usbusx2yaudio.c
+++ linux-2.6.19.2/sound/usb/usx2y/usbusx2yaudio.c
@@ -322,7 +322,7 @@ static void i_usX2Y_urb_complete(struct
usX2Y_error_urb_status(usX2Y, subs, urb);
return;
}
- if (likely(urb-start_frame == usX2Y-wait_iso_frame))
+ if (likely((urb-start_frame 0x) == (usX2Y-wait_iso_frame
0x)))
subs-completed_urb = urb;
else {
usX2Y_error_sequence(usX2Y, subs, urb);
--- linux-2.6.19.2.orig/sound/usb/usx2y/usx2yhwdeppcm.c
+++ linux-2.6.19.2/sound/usb/usx2y/usx2yhwdeppcm.c
@@ -243,7 +243,7 @@ static void i_usX2Y_usbpcm_urb_complete(
usX2Y_error_urb_status(usX2Y, subs, urb);
return;
}
- if (likely(urb-start_frame == usX2Y-wait_iso_frame))
+ if (likely((urb-start_frame 0x) == (usX2Y-wait_iso_frame
0x)))
subs-completed_urb = urb;
else {
usX2Y_error_sequence(usX2Y, subs, urb);
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 11/59] [stable] [PATCH] IB/mthca: Fix off-by-one in FMR handling on memfree
-stable review patch. If anyone has any objections, please let us know.
--
From: Michael S. Tsirkin [EMAIL PROTECTED]
mthca_table_find() will return the wrong address when the table entry
being searched for is exactly at the beginning of a sglist entry
(other than the first), because it uses = when it should use .
Example: assume we have 2 entries in scatterlist, 4K each, offset is
4K. The current code will return first entry + 4K when we really want
the second entry.
In particular this means mapping an FMR on a memfree HCA may end up
writing the page table into the wrong place, leading to memory
corruption and also causing the HCA to use an incorrect address
translation table.
Signed-off-by: Michael S. Tsirkin [EMAIL PROTECTED]
Signed-off-by: Roland Dreier [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
This is upstream, and fixes a data corruption/crash bug with storage
over SRP.
drivers/infiniband/hw/mthca/mthca_memfree.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.2.orig/drivers/infiniband/hw/mthca/mthca_memfree.c
+++ linux-2.6.19.2/drivers/infiniband/hw/mthca/mthca_memfree.c
@@ -232,7 +232,7 @@ void *mthca_table_find(struct mthca_icm_
list_for_each_entry(chunk, icm-chunk_list, list) {
for (i = 0; i chunk-npages; ++i) {
- if (chunk-mem[i].length = offset) {
+ if (chunk-mem[i].length offset) {
page = chunk-mem[i].page;
goto out;
}
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054)
This one looks like it fell through the cracks, it's in 2.6.19.2 but not
upstream yet.
thanks,
-chris
--
Subject: [PATCH] ext2: skip pages past number of blocks in ext2_find_entry
(CVE-2006-6054)
From: Eric Sandeen <[EMAIL PROTECTED]>
This one was pointed out on the MOKB site:
http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html
If a directory's i_size is corrupted, ext2_find_entry() will keep processing
pages until the i_size is reached, even if there are no more blocks associated
with the directory inode. This patch puts in some minimal sanity-checking
so that we don't keep checking pages (and issuing errors) if we know there
can be no more data to read, based on the block count of the directory inode.
This is somewhat similar in approach to the ext3 patch I sent earlier this
year.
Signed-off-by: Eric Sandeen <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
Not upstream yet
fs/ext2/dir.c |8
1 file changed, 8 insertions(+)
--- linux-2.6.19.1.orig/fs/ext2/dir.c
+++ linux-2.6.19.1/fs/ext2/dir.c
@@ -368,6 +368,14 @@ struct ext2_dir_entry_2 * ext2_find_entr
}
if (++n >= npages)
n = 0;
+ /* next page is past the blocks we've got */
+ if (unlikely(n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9 {
+ ext2_error(dir->i_sb, __FUNCTION__,
+ "dir %lu size %lld exceeds block count %llu",
+ dir->i_ino, dir->i_size,
+ (unsigned long long)dir->i_blocks);
+ goto out;
+ }
} while (n != start);
out:
return NULL;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Linux 2.6.19.2
net/netlabel/netlabel_cipso_v4.c |9 +
scripts/Kbuild.include | 19 +-
sound/sparc/cs4231.c | 26 +--
68 files changed, 673 insertions(+), 336 deletions(-)
Summary of changes from v2.6.19.1 to v2.6.19.2
Andy Gospodarek (1):
bonding: incorrect bonding state reported via ioctl
Ang Way Chuang (1):
dvb-core: fix bug in CRC-32 checking on 64-bit systems
Arjan van de Ven (1):
x86-64: Mark rdtsc as sync only for netburst, not for core2
Badari Pulavarty (1):
Fix for shmem_truncate_range() BUG_ON()
Chris Wright (1):
Linux 2.6.19.2
Chuck Ebbert (1):
ebtables: don't compute gap before checking struct type
David Hollis (1):
asix: Fix typo for AX88772 PHY Selection
David L Stevens (1):
IPV4/IPV6: Fix inet{,6} device initialization order.
David Miller (4):
UDP: Fix reversed logic in udp_get_port()
SPARC64: Fix "mem=xxx" handling.
SPARC64: Handle ISA devices with no 'regs' property.
SOUND: Sparc CS4231: Use 64 for period_bytes_min
David Woodhouse (1):
NET: Don't export linux/random.h outside __KERNEL__
Dimitri Gorokhovik (1):
ramfs breaks without CONFIG_BLOCK
Dirk Eibach (1):
i2c: fix broken ds1337 initialization
Ed L Cashin (1):
fix aoe without scatter-gather [Bug 7662]
Eric Sandeen (2):
handle ext3 directory corruption better (CVE-2006-6053)
ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054)
Erik Jacobson (1):
connector: some fixes for ia64 unaligned access errors
Georg Chini (1):
SOUND: Sparc CS4231: Fix IRQ return value and initialization.
Hans Verkuil (2):
V4L: Fix broken TUNER_LG_NTSC_TAPE radio support
V4L: cx2341x: audio_properties is an u16, not u8
Herbert Xu (2):
dm-crypt: Select CRYPTO_CBC
sha512: Fix sha384 block size
Hugh Dickins (2):
read_zero_pagealigned() locking fix
fix OOM killing of swapoff
Ingo Molnar (1):
sched: fix bad missed wakeups in the i386, x86_64, ia64, ACPI and APM
idle code
Jan Andersson (1):
sparc32: add offset in pci_map_sg()
Jean Delvare (1):
V4L: cx88: Fix leadtek_eeprom tagging
John W. Linville (1):
Revert "zd1211rw: Removed unneeded packed attributes"
Linus Torvalds (2):
VM: Fix nasty and subtle race in shared mmap'ed page writeback
Fix incorrect user space access locking in mincore() (CVE-2006-4814)
Marcel Holtmann (1):
Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)
Michael Krufky (1):
DVB: lgdt330x: fix signal / lock status detection bug
Mike Miller (1):
cciss: fix XFER_READ/XFER_WRITE in do_cciss_request
Paul Moore (1):
NetLabel: correctly fill in unused CIPSOv4 level and category mappings
Peter Zijlstra (1):
Fix up page_mkclean_one(): virtual caches, s390
Phillip Lougher (1):
corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)
Robert Olsson (1):
PKTGEN: Fix module load/unload races.
Roland Dreier (1):
IB/srp: Fix FMR mapping for 32-bit kernels and addresses above 4G
Roman Zippel (1):
kbuild: don't put temp files in source
Russell King (1):
ARM: Add sys_*at syscalls
Shantanu Goel (1):
Buglet in vmscan.c
Shaohua Li (1):
i386: CPU hotplug broken with 2GB VMSPLIT
Stefan Richter (1):
ieee1394: ohci1394: add PPC_PMAC platform code to driver probe
Tejun Heo (2):
libata: handle 0xff status properly
SCSI: add missing cdb clearing in scsi_execute()
Tim Chen (1):
sched: remove __cpuinitdata anotation to cpu_isolated_map
Ulrich Kunitz (3):
ieee80211softmac: Fix mutex_lock at exit of ieee80211_softmac_get_genie
softmac: Fixed handling of deassociation from AP
zd1211rw: Call ieee80211_rx in tasklet
Vitaly Wool (1):
smc911x: fix netpoll compilation faliure
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Linux 2.6.19.2
net/netlabel/netlabel_cipso_v4.c |9 +
scripts/Kbuild.include | 19 +-
sound/sparc/cs4231.c | 26 +--
68 files changed, 673 insertions(+), 336 deletions(-)
Summary of changes from v2.6.19.1 to v2.6.19.2
Andy Gospodarek (1):
bonding: incorrect bonding state reported via ioctl
Ang Way Chuang (1):
dvb-core: fix bug in CRC-32 checking on 64-bit systems
Arjan van de Ven (1):
x86-64: Mark rdtsc as sync only for netburst, not for core2
Badari Pulavarty (1):
Fix for shmem_truncate_range() BUG_ON()
Chris Wright (1):
Linux 2.6.19.2
Chuck Ebbert (1):
ebtables: don't compute gap before checking struct type
David Hollis (1):
asix: Fix typo for AX88772 PHY Selection
David L Stevens (1):
IPV4/IPV6: Fix inet{,6} device initialization order.
David Miller (4):
UDP: Fix reversed logic in udp_get_port()
SPARC64: Fix mem=xxx handling.
SPARC64: Handle ISA devices with no 'regs' property.
SOUND: Sparc CS4231: Use 64 for period_bytes_min
David Woodhouse (1):
NET: Don't export linux/random.h outside __KERNEL__
Dimitri Gorokhovik (1):
ramfs breaks without CONFIG_BLOCK
Dirk Eibach (1):
i2c: fix broken ds1337 initialization
Ed L Cashin (1):
fix aoe without scatter-gather [Bug 7662]
Eric Sandeen (2):
handle ext3 directory corruption better (CVE-2006-6053)
ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054)
Erik Jacobson (1):
connector: some fixes for ia64 unaligned access errors
Georg Chini (1):
SOUND: Sparc CS4231: Fix IRQ return value and initialization.
Hans Verkuil (2):
V4L: Fix broken TUNER_LG_NTSC_TAPE radio support
V4L: cx2341x: audio_properties is an u16, not u8
Herbert Xu (2):
dm-crypt: Select CRYPTO_CBC
sha512: Fix sha384 block size
Hugh Dickins (2):
read_zero_pagealigned() locking fix
fix OOM killing of swapoff
Ingo Molnar (1):
sched: fix bad missed wakeups in the i386, x86_64, ia64, ACPI and APM
idle code
Jan Andersson (1):
sparc32: add offset in pci_map_sg()
Jean Delvare (1):
V4L: cx88: Fix leadtek_eeprom tagging
John W. Linville (1):
Revert zd1211rw: Removed unneeded packed attributes
Linus Torvalds (2):
VM: Fix nasty and subtle race in shared mmap'ed page writeback
Fix incorrect user space access locking in mincore() (CVE-2006-4814)
Marcel Holtmann (1):
Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)
Michael Krufky (1):
DVB: lgdt330x: fix signal / lock status detection bug
Mike Miller (1):
cciss: fix XFER_READ/XFER_WRITE in do_cciss_request
Paul Moore (1):
NetLabel: correctly fill in unused CIPSOv4 level and category mappings
Peter Zijlstra (1):
Fix up page_mkclean_one(): virtual caches, s390
Phillip Lougher (1):
corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)
Robert Olsson (1):
PKTGEN: Fix module load/unload races.
Roland Dreier (1):
IB/srp: Fix FMR mapping for 32-bit kernels and addresses above 4G
Roman Zippel (1):
kbuild: don't put temp files in source
Russell King (1):
ARM: Add sys_*at syscalls
Shantanu Goel (1):
Buglet in vmscan.c
Shaohua Li (1):
i386: CPU hotplug broken with 2GB VMSPLIT
Stefan Richter (1):
ieee1394: ohci1394: add PPC_PMAC platform code to driver probe
Tejun Heo (2):
libata: handle 0xff status properly
SCSI: add missing cdb clearing in scsi_execute()
Tim Chen (1):
sched: remove __cpuinitdata anotation to cpu_isolated_map
Ulrich Kunitz (3):
ieee80211softmac: Fix mutex_lock at exit of ieee80211_softmac_get_genie
softmac: Fixed handling of deassociation from AP
zd1211rw: Call ieee80211_rx in tasklet
Vitaly Wool (1):
smc911x: fix netpoll compilation faliure
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054)
This one looks like it fell through the cracks, it's in 2.6.19.2 but not
upstream yet.
thanks,
-chris
--
Subject: [PATCH] ext2: skip pages past number of blocks in ext2_find_entry
(CVE-2006-6054)
From: Eric Sandeen [EMAIL PROTECTED]
This one was pointed out on the MOKB site:
http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html
If a directory's i_size is corrupted, ext2_find_entry() will keep processing
pages until the i_size is reached, even if there are no more blocks associated
with the directory inode. This patch puts in some minimal sanity-checking
so that we don't keep checking pages (and issuing errors) if we know there
can be no more data to read, based on the block count of the directory inode.
This is somewhat similar in approach to the ext3 patch I sent earlier this
year.
Signed-off-by: Eric Sandeen [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
Not upstream yet
fs/ext2/dir.c |8
1 file changed, 8 insertions(+)
--- linux-2.6.19.1.orig/fs/ext2/dir.c
+++ linux-2.6.19.1/fs/ext2/dir.c
@@ -368,6 +368,14 @@ struct ext2_dir_entry_2 * ext2_find_entr
}
if (++n = npages)
n = 0;
+ /* next page is past the blocks we've got */
+ if (unlikely(n (dir-i_blocks (PAGE_CACHE_SHIFT - 9 {
+ ext2_error(dir-i_sb, __FUNCTION__,
+ dir %lu size %lld exceeds block count %llu,
+ dir-i_ino, dir-i_size,
+ (unsigned long long)dir-i_blocks);
+ goto out;
+ }
} while (n != start);
out:
return NULL;
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: mprotect abuse in slim
* Christoph Hellwig ([EMAIL PROTECTED]) wrote: > On Mon, Jan 08, 2007 at 07:07:25PM -0800, Arjan van de Ven wrote: > > maybe this is a silly question, but do you revoke not only the current > > fd entries, but also the ones that are pending in UNIX domain sockets > > and that are already being sent to the process? If not.. then you might > > as well not bother ;) > > Exactly. What these folks want is revoke (maybe more fine grained, but > that's not the point). And guess what folks, revoke is not trivial, > otherwise we'd have it. If you want to volunteer to implement a full-blown > revoke that's fine, but > > a) it belongs into core code > b) needs to be done right Very much agreed. There's way too many holes in half-way done revocation. thanks, -chris - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: mprotect abuse in slim
* Christoph Hellwig ([EMAIL PROTECTED]) wrote: On Mon, Jan 08, 2007 at 07:07:25PM -0800, Arjan van de Ven wrote: maybe this is a silly question, but do you revoke not only the current fd entries, but also the ones that are pending in UNIX domain sockets and that are already being sent to the process? If not.. then you might as well not bother ;) Exactly. What these folks want is revoke (maybe more fine grained, but that's not the point). And guess what folks, revoke is not trivial, otherwise we'd have it. If you want to volunteer to implement a full-blown revoke that's fine, but a) it belongs into core code b) needs to be done right Very much agreed. There's way too many holes in half-way done revocation. thanks, -chris - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 07/50] DVB: lgdt330x: fix signal / lock status detection bug
-stable review patch. If anyone has any objections, please let us know.
--
From: Michael Krufky <[EMAIL PROTECTED]>
In some cases when using VSB, the AGC status register has been known to
falsely report "no signal" when in fact there is a carrier lock. The
datasheet labels these status flags as QAM only, yet the lgdt330x
module is using these flags for both QAM and VSB.
This patch allows for the carrier recovery lock status register to be
tested, even if the agc signal status register falsely reports no signal.
Thanks to jcrews from #linuxtv in irc, for initially reporting this bug.
Signed-off-by: Michael Krufky <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
drivers/media/dvb/frontends/lgdt330x.c |6 --
1 file changed, 6 deletions(-)
--- linux-2.6.19.1.orig/drivers/media/dvb/frontends/lgdt330x.c
+++ linux-2.6.19.1/drivers/media/dvb/frontends/lgdt330x.c
@@ -435,9 +435,6 @@ static int lgdt3302_read_status(struct d
/* Test signal does not exist flag */
/* as well as the AGC lock flag. */
*status |= FE_HAS_SIGNAL;
- } else {
- /* Without a signal all other status bits are meaningless */
- return 0;
}
/*
@@ -500,9 +497,6 @@ static int lgdt3303_read_status(struct d
/* Test input signal does not exist flag */
/* as well as the AGC lock flag. */
*status |= FE_HAS_SIGNAL;
- } else {
- /* Without a signal all other status bits are meaningless */
- return 0;
}
/* Carrier Recovery Lock Status Register */
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 14/50] sched: remove __cpuinitdata anotation to cpu_isolated_map
-stable review patch. If anyone has any objections, please let us know. -- From: Tim Chen <[EMAIL PROTECTED]> The structure cpu_isolated_map is used not only during initialization. Multi-core scheduler configuration changes and exclusive cpusets use this during run time. During setting of sched_mc_power_savings policy, this structure is accessed to update sched_domains. Signed-off-by: Tim Chen <[EMAIL PROTECTED]> Acked-by: Suresh Siddha <[EMAIL PROTECTED]> Acked-by: Ingo Molnar <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- kernel/sched.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- linux-2.6.19.1.orig/kernel/sched.c +++ linux-2.6.19.1/kernel/sched.c @@ -5493,7 +5493,7 @@ static void cpu_attach_domain(struct sch } /* cpus with isolated domains */ -static cpumask_t __cpuinitdata cpu_isolated_map = CPU_MASK_NONE; +static cpumask_t cpu_isolated_map = CPU_MASK_NONE; /* Setup the mask of cpus configured for isolated domains */ static int __init isolated_cpu_setup(char *str) -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 16/50] SCSI: add missing cdb clearing in scsi_execute()
-stable review patch. If anyone has any objections, please let us know. -- From: Tejun Heo <[EMAIL PROTECTED]> Clear-garbage-after-CDB patch missed scsi_execute() and it causes some ODDs (HL-DT-ST DVD-RAM GSA-H30N) choke during SCSI scan. Note that this patch is only for -stable. There is another more reliable fix for this problem proposed for devel tree. http://thread.gmane.org/gmane.linux.ide/14605/focus=14605 Signed-off-by: Tejun Heo <[EMAIL PROTECTED]> Cc: Jens Axboe <[EMAIL PROTECTED]> Cc: Douglas Gilbert <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- drivers/scsi/scsi_lib.c |1 + 1 file changed, 1 insertion(+) --- linux-2.6.19.1.orig/drivers/scsi/scsi_lib.c +++ linux-2.6.19.1/drivers/scsi/scsi_lib.c @@ -191,6 +191,7 @@ int scsi_execute(struct scsi_device *sde goto out; req->cmd_len = COMMAND_SIZE(cmd[0]); + memset(req->cmd, 0, BLK_MAX_CDB); /* ATAPI hates garbage after CDB */ memcpy(req->cmd, cmd, req->cmd_len); req->sense = sense; req->sense_len = 0; -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 26/50] ramfs breaks without CONFIG_BLOCK
-stable review patch. If anyone has any objections, please let us know.
--
From: Dimitri Gorokhovik <[EMAIL PROTECTED]>
ramfs doesn't provide the .set_dirty_page a_op, and when the BLOCK layer is
not configured in, 'set_page_dirty' makes a call via a NULL pointer.
Signed-off-by: Dimitri Gorokhovik <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
fs/ramfs/file-mmu.c |4 +++-
fs/ramfs/file-nommu.c |4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
--- linux-2.6.19.1.orig/fs/ramfs/file-mmu.c
+++ linux-2.6.19.1/fs/ramfs/file-mmu.c
@@ -25,11 +25,13 @@
*/
#include
+#include
const struct address_space_operations ramfs_aops = {
.readpage = simple_readpage,
.prepare_write = simple_prepare_write,
- .commit_write = simple_commit_write
+ .commit_write = simple_commit_write,
+ .set_page_dirty = __set_page_dirty_nobuffers,
};
const struct file_operations ramfs_file_operations = {
--- linux-2.6.19.1.orig/fs/ramfs/file-nommu.c
+++ linux-2.6.19.1/fs/ramfs/file-nommu.c
@@ -11,6 +11,7 @@
#include
#include
+#include
#include
#include
#include
@@ -30,7 +31,8 @@ static int ramfs_nommu_setattr(struct de
const struct address_space_operations ramfs_aops = {
.readpage = simple_readpage,
.prepare_write = simple_prepare_write,
- .commit_write = simple_commit_write
+ .commit_write = simple_commit_write,
+ .set_page_dirty = __set_page_dirty_nobuffers,
};
const struct file_operations ramfs_file_operations = {
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 34/50] SPARC64: Fix "mem=xxx" handling.
-stable review patch. If anyone has any objections, please let us know.
--
From: David Miller <[EMAIL PROTECTED]>
We were not being careful enough. When we trim the physical
memory areas, we have to make sure we don't remove the kernel
image or initial ramdisk image ranges.
Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
arch/sparc64/mm/init.c | 147 +
1 file changed, 124 insertions(+), 23 deletions(-)
--- linux-2.6.19.1.orig/arch/sparc64/mm/init.c
+++ linux-2.6.19.1/arch/sparc64/mm/init.c
@@ -872,6 +872,115 @@ static unsigned long __init choose_bootm
prom_halt();
}
+static void __init trim_pavail(unsigned long *cur_size_p,
+ unsigned long *end_of_phys_p)
+{
+ unsigned long to_trim = *cur_size_p - cmdline_memory_size;
+ unsigned long avoid_start, avoid_end;
+ int i;
+
+ to_trim = PAGE_ALIGN(to_trim);
+
+ avoid_start = avoid_end = 0;
+#ifdef CONFIG_BLK_DEV_INITRD
+ avoid_start = initrd_start;
+ avoid_end = PAGE_ALIGN(initrd_end);
+#endif
+
+ /* Trim some pavail[] entries in order to satisfy the
+* requested "mem=xxx" kernel command line specification.
+*
+* We must not trim off the kernel image area nor the
+* initial ramdisk range (if any). Also, we must not trim
+* any pavail[] entry down to zero in order to preserve
+* the invariant that all pavail[] entries have a non-zero
+* size which is assumed by all of the code in here.
+*/
+ for (i = 0; i < pavail_ents; i++) {
+ unsigned long start, end, kern_end;
+ unsigned long trim_low, trim_high, n;
+
+ kern_end = PAGE_ALIGN(kern_base + kern_size);
+
+ trim_low = start = pavail[i].phys_addr;
+ trim_high = end = start + pavail[i].reg_size;
+
+ if (kern_base >= start &&
+ kern_base < end) {
+ trim_low = kern_base;
+ if (kern_end >= end)
+ continue;
+ }
+ if (kern_end >= start &&
+ kern_end < end) {
+ trim_high = kern_end;
+ }
+ if (avoid_start &&
+ avoid_start >= start &&
+ avoid_start < end) {
+ if (trim_low > avoid_start)
+ trim_low = avoid_start;
+ if (avoid_end >= end)
+ continue;
+ }
+ if (avoid_end &&
+ avoid_end >= start &&
+ avoid_end < end) {
+ if (trim_high < avoid_end)
+ trim_high = avoid_end;
+ }
+
+ if (trim_high <= trim_low)
+ continue;
+
+ if (trim_low == start && trim_high == end) {
+ /* Whole chunk is available for trimming.
+* Trim all except one page, in order to keep
+* entry non-empty.
+*/
+ n = (end - start) - PAGE_SIZE;
+ if (n > to_trim)
+ n = to_trim;
+
+ if (n) {
+ pavail[i].phys_addr += n;
+ pavail[i].reg_size -= n;
+ to_trim -= n;
+ }
+ } else {
+ n = (trim_low - start);
+ if (n > to_trim)
+ n = to_trim;
+
+ if (n) {
+ pavail[i].phys_addr += n;
+ pavail[i].reg_size -= n;
+ to_trim -= n;
+ }
+ if (to_trim) {
+ n = end - trim_high;
+ if (n > to_trim)
+ n = to_trim;
+ if (n) {
+ pavail[i].reg_size -= n;
+ to_trim -= n;
+ }
+ }
+ }
+
+ if (!to_trim)
+ break;
+ }
+
+ /* Recalculate. */
+ *cur_size_p = 0UL;
+ for (i = 0; i < pavail_ents; i++) {
+ *end_of_phys_p = pavail[i].phys_addr +
+ pavail[i].reg_size;
+ *cur_size_p += pavail[i].reg_size;
+ }
+}
+
static unsigned long __init bootmem_init(unsigned long *pages_
[patch 27/50] Buglet in vmscan.c
-stable review patch. If anyone has any objections, please let us know. -- From: Shantanu Goel <[EMAIL PROTECTED]> Fix a rather obvious buglet. Noticed while instrumenting the VM using /proc/vmstat. Cc: Christoph Lameter <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- mm/vmscan.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- linux-2.6.19.1.orig/mm/vmscan.c +++ linux-2.6.19.1/mm/vmscan.c @@ -691,7 +691,7 @@ static unsigned long shrink_inactive_lis __count_vm_events(KSWAPD_STEAL, nr_freed); } else __count_zone_vm_events(PGSCAN_DIRECT, zone, nr_scan); - __count_vm_events(PGACTIVATE, nr_freed); + __count_zone_vm_events(PGSTEAL, zone, nr_freed); if (nr_taken == 0) goto done; -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 36/50] NET: Dont export linux/random.h outside __KERNEL__
-stable review patch. If anyone has any objections, please let us know.
--
From: David Woodhouse <[EMAIL PROTECTED]>
Don't add it there please; add it lower down inside the existing #ifdef
__KERNEL__. You just made the _userspace_ net.h include random.h, which
then fails to compile unless was already included.
Signed-off-by: David Woodhouse <[EMAIL PROTECTED]>
Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
include/linux/net.h |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.1.orig/include/linux/net.h
+++ linux-2.6.19.1/include/linux/net.h
@@ -19,7 +19,6 @@
#define _LINUX_NET_H
#include
-#include
#include
struct poll_table_struct;
@@ -57,6 +56,7 @@ typedef enum {
#ifdef __KERNEL__
#include
+#include
#define SOCK_ASYNC_NOSPACE 0
#define SOCK_ASYNC_WAITDATA1
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 38/50] VM: Fix nasty and subtle race in shared mmaped page writeback
-stable review patch. If anyone has any objections, please let us know.
--
From: Linus Torvalds <[EMAIL PROTECTED]>
The VM layer (on the face of it, fairly reasonably) expected that when
it does a ->writepage() call to the filesystem, it would write out the
full page at that point in time. Especially since it had earlier marked
the whole page dirty with "set_page_dirty()".
But that isn't actually the case: ->writepage() does not actually write
a page, it writes the parts of the page that have been explicitly marked
dirty before, *and* that had not got written out for other reasons since
the last time we told it they were dirty.
That last caveat is the important one.
Which _most_ of the time ends up being the whole page (since we had
called "set_page_dirty()" on the page earlier), but if the filesystem
had done any dirty flushing of its own (for example, to honor some
internal write ordering guarantees), it might end up doing only a
partial page IO (or none at all) when ->writepage() is actually called.
That is the correct thing in general (since we actually often _want_
only the known-dirty parts of the page to be written out), but the
shared dirty page handling had implicitly forgotten about these details,
and had a number of cases where it was doing just the "->writepage()"
part, without telling the low-level filesystem that the whole page might
have been re-dirtied as part of being mapped writably into user space.
Since most of the time the FS did actually write out the full page, we
didn't notice this for a loong time, and this needed some really odd
patterns to trigger. But it caused occasional corruption with rtorrent
and with the Debian "apt" database, because both use shared mmaps to
update the end result.
This fixes it. Finally. After way too much hair-pulling.
Acked-by: Nick Piggin <[EMAIL PROTECTED]>
Acked-by: Martin J. Bligh <[EMAIL PROTECTED]>
Acked-by: Martin Michlmayr <[EMAIL PROTECTED]>
Acked-by: Martin Johansson <[EMAIL PROTECTED]>
Acked-by: Ingo Molnar <[EMAIL PROTECTED]>
Acked-by: Andrei Popa <[EMAIL PROTECTED]>
Cc: High Dickins <[EMAIL PROTECTED]>
Cc: Andrew Morton <[EMAIL PROTECTED]>,
Cc: Peter Zijlstra <[EMAIL PROTECTED]>
Cc: Segher Boessenkool <[EMAIL PROTECTED]>
Cc: David Miller <[EMAIL PROTECTED]>
Cc: Arjan van de Ven <[EMAIL PROTECTED]>
Cc: Gordon Farquharson <[EMAIL PROTECTED]>
Cc: Guillaume Chazarain <[EMAIL PROTECTED]>
Cc: Theodore Tso <[EMAIL PROTECTED]>
Cc: Kenneth Cheng <[EMAIL PROTECTED]>
Cc: Tobias Diedrich <[EMAIL PROTECTED]>
Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
[chrisw: backport to 2.6.19.1]
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
mm/page-writeback.c | 39 ++-
1 file changed, 34 insertions(+), 5 deletions(-)
--- linux-2.6.19.1.orig/mm/page-writeback.c
+++ linux-2.6.19.1/mm/page-writeback.c
@@ -893,12 +893,41 @@ int clear_page_dirty_for_io(struct page
{
struct address_space *mapping = page_mapping(page);
- if (mapping) {
+ if (mapping && mapping_cap_account_dirty(mapping)) {
+ /*
+* Yes, Virginia, this is indeed insane.
+*
+* We use this sequence to make sure that
+* (a) we account for dirty stats properly
+* (b) we tell the low-level filesystem to
+* mark the whole page dirty if it was
+* dirty in a pagetable. Only to then
+* (c) clean the page again and return 1 to
+* cause the writeback.
+*
+* This way we avoid all nasty races with the
+* dirty bit in multiple places and clearing
+* them concurrently from different threads.
+*
+* Note! Normally the "set_page_dirty(page)"
+* has no effect on the actual dirty bit - since
+* that will already usually be set. But we
+* need the side effects, and it can help us
+* avoid races.
+*
+* We basically use the page "master dirty bit"
+* as a serialization point for all the different
+* threads doing their things.
+*
+* FIXME! We still have a race here: if somebody
+* adds the page back to the page tables in
+* between the "page_mkclean()" and the "TestClearPageDirty()",
+* we might have it mapped without the dirty bit set.
+*/
+ if (page_mkclean(page))
+ set_page_dirty(page);
if (TestClearPageDirty(page)) {
- if (mapping_cap_accoun
[patch 45/50] IPV4/IPV6: Fix inet{,6} device initialization order.
-stable review patch. If anyone has any objections, please let us know.
--
From: David L Stevens <[EMAIL PROTECTED]>
It is important that we only assign dev->ip{,6}_ptr
only after all portions of the inet{,6} are setup.
Otherwise we can receive packets before the multicast
spinlocks et al. are initialized.
Signed-off-by: David L Stevens <[EMAIL PROTECTED]>
Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
commit 30c4cf577fb5b68c16e5750d6bdbd7072e42b279
net/ipv4/devinet.c |5 +++--
net/ipv6/addrconf.c |4 ++--
2 files changed, 5 insertions(+), 4 deletions(-)
--- linux-2.6.19.1.orig/net/ipv4/devinet.c
+++ linux-2.6.19.1/net/ipv4/devinet.c
@@ -165,9 +165,8 @@ struct in_device *inetdev_init(struct ne
NET_IPV4_NEIGH, "ipv4", NULL, NULL);
#endif
- /* Account for reference dev->ip_ptr */
+ /* Account for reference dev->ip_ptr (below) */
in_dev_hold(in_dev);
- rcu_assign_pointer(dev->ip_ptr, in_dev);
#ifdef CONFIG_SYSCTL
devinet_sysctl_register(in_dev, _dev->cnf);
@@ -176,6 +175,8 @@ struct in_device *inetdev_init(struct ne
if (dev->flags & IFF_UP)
ip_mc_up(in_dev);
out:
+ /* we can receive as soon as ip_ptr is set -- do this last */
+ rcu_assign_pointer(dev->ip_ptr, in_dev);
return in_dev;
out_kfree:
kfree(in_dev);
--- linux-2.6.19.1.orig/net/ipv6/addrconf.c
+++ linux-2.6.19.1/net/ipv6/addrconf.c
@@ -413,8 +413,6 @@ static struct inet6_dev * ipv6_add_dev(s
if (netif_carrier_ok(dev))
ndev->if_flags |= IF_READY;
- /* protected by rtnl_lock */
- rcu_assign_pointer(dev->ip6_ptr, ndev);
ipv6_mc_init_dev(ndev);
ndev->tstamp = jiffies;
@@ -425,6 +423,8 @@ static struct inet6_dev * ipv6_add_dev(s
NULL);
addrconf_sysctl_register(ndev, >cnf);
#endif
+ /* protected by rtnl_lock */
+ rcu_assign_pointer(dev->ip6_ptr, ndev);
return ndev;
}
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 39/50] V4L: cx2341x: audio_properties is an u16, not u8
-stable review patch. If anyone has any objections, please let us know.
--
From: Hans Verkuil <[EMAIL PROTECTED]>
This bug broke the MPEG audio mode controls.
Signed-off-by: Hans Verkuil <[EMAIL PROTECTED]>
Signed-off-by: Mauro Carvalho Chehab <[EMAIL PROTECTED]>
Signed-off-by: Michael Krufky <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
(cherry picked from commit cb2c7b4927c8f376b7ba9557978d8c59ed472664)
include/media/cx2341x.h |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.1.orig/include/media/cx2341x.h
+++ linux-2.6.19.1/include/media/cx2341x.h
@@ -49,7 +49,7 @@ struct cx2341x_mpeg_params {
enum v4l2_mpeg_audio_mode_extension audio_mode_extension;
enum v4l2_mpeg_audio_emphasis audio_emphasis;
enum v4l2_mpeg_audio_crc audio_crc;
- u8 audio_properties;
+ u16 audio_properties;
/* video */
enum v4l2_mpeg_video_encoding video_encoding;
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 33/50] PKTGEN: Fix module load/unload races.
-stable review patch. If anyone has any objections, please let us know.
--
From: Robert Olsson <[EMAIL PROTECTED]>
---
net/core/pktgen.c | 20 ++--
1 file changed, 18 insertions(+), 2 deletions(-)
--- linux-2.6.19.1.orig/net/core/pktgen.c
+++ linux-2.6.19.1/net/core/pktgen.c
@@ -147,6 +147,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -206,6 +207,11 @@ static struct proc_dir_entry *pg_proc_di
#define VLAN_TAG_SIZE(x) ((x)->vlan_id == 0x ? 0 : 4)
#define SVLAN_TAG_SIZE(x) ((x)->svlan_id == 0x ? 0 : 4)
+struct pktgen_thread_info {
+ struct pktgen_thread *t;
+ struct completion *c;
+};
+
struct flow_state {
__u32 cur_daddr;
int count;
@@ -3264,10 +3270,11 @@ out:;
* Main loop of the thread goes here
*/
-static void pktgen_thread_worker(struct pktgen_thread *t)
+static void pktgen_thread_worker(struct pktgen_thread_info *info)
{
DEFINE_WAIT(wait);
struct pktgen_dev *pkt_dev = NULL;
+ struct pktgen_thread *t = info->t;
int cpu = t->cpu;
sigset_t tmpsig;
u32 max_before_softirq;
@@ -3307,6 +3314,8 @@ static void pktgen_thread_worker(struct
__set_current_state(TASK_INTERRUPTIBLE);
mb();
+complete(info->c);
+
while (1) {
__set_current_state(TASK_RUNNING);
@@ -3518,6 +3527,8 @@ static struct pktgen_thread *__init pktg
static int __init pktgen_create_thread(const char *name, int cpu)
{
int err;
+ struct pktgen_thread_info info;
+struct completion started;
struct pktgen_thread *t = NULL;
struct proc_dir_entry *pe;
@@ -3558,7 +3569,11 @@ static int __init pktgen_create_thread(c
t->removed = 0;
- err = kernel_thread((void *)pktgen_thread_worker, (void *)t,
+ init_completion();
+info.t = t;
+info.c =
+
+ err = kernel_thread((void *)pktgen_thread_worker, (void *),
CLONE_FS | CLONE_FILES | CLONE_SIGHAND);
if (err < 0) {
printk("pktgen: kernel_thread() failed for cpu %d\n", t->cpu);
@@ -3568,6 +3583,7 @@ static int __init pktgen_create_thread(c
return err;
}
+ wait_for_completion();
return 0;
}
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 47/50] NetLabel: correctly fill in unused CIPSOv4 level and category mappings
-stable review patch. If anyone has any objections, please let us know. -- From: Paul Moore <[EMAIL PROTECTED]> Back when the original NetLabel patches were being changed to use Netlink attributes correctly some code was accidentially dropped which set all of the undefined CIPSOv4 level and category mappings to a sentinel value. The result is the mappings data in the kernel contains bogus mappings which always map to zero. Having level and category mappings that map to zero could result in the kernel assigning incorrect security attributes to packets. This patch restores the old/correct behavior by initializing the mapping data to the correct sentinel value. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- net/netlabel/netlabel_cipso_v4.c |9 + 1 file changed, 9 insertions(+) --- linux-2.6.19.1.orig/net/netlabel/netlabel_cipso_v4.c +++ linux-2.6.19.1/net/netlabel/netlabel_cipso_v4.c @@ -162,6 +162,7 @@ static int netlbl_cipsov4_add_std(struct struct nlattr *nla_b; int nla_a_rem; int nla_b_rem; + u32 iter; if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] || !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST]) @@ -223,6 +224,10 @@ static int netlbl_cipsov4_add_std(struct ret_val = -ENOMEM; goto add_std_failure; } + for (iter = 0; iter < doi_def->map.std->lvl.local_size; iter++) + doi_def->map.std->lvl.local[iter] = CIPSO_V4_INV_LVL; + for (iter = 0; iter < doi_def->map.std->lvl.cipso_size; iter++) + doi_def->map.std->lvl.cipso[iter] = CIPSO_V4_INV_LVL; nla_for_each_nested(nla_a, info->attrs[NLBL_CIPSOV4_A_MLSLVLLST], nla_a_rem) @@ -296,6 +301,10 @@ static int netlbl_cipsov4_add_std(struct ret_val = -ENOMEM; goto add_std_failure; } + for (iter = 0; iter < doi_def->map.std->cat.local_size; iter++) + doi_def->map.std->cat.local[iter] = CIPSO_V4_INV_CAT; + for (iter = 0; iter < doi_def->map.std->cat.cipso_size; iter++) + doi_def->map.std->cat.cipso[iter] = CIPSO_V4_INV_CAT; nla_for_each_nested(nla_a, info->attrs[NLBL_CIPSOV4_A_MLSCATLST], nla_a_rem) -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 49/50] fix OOM killing of swapoff
-stable review patch. If anyone has any objections, please let us know. -- From: Hugh Dickins <[EMAIL PROTECTED]> These days, if you swapoff when there isn't enough memory, OOM killer gives "BUG: scheduling while atomic" and the machine hangs: badness() needs to do its PF_SWAPOFF return after the task_unlock (tasklist_lock is also held here, so p isn't going to be freed: PF_SWAPOFF might get turned off at any moment, but that doesn't really matter). Signed-off-by: Hugh Dickins <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- mm/oom_kill.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) --- linux-2.6.19.1.orig/mm/oom_kill.c +++ linux-2.6.19.1/mm/oom_kill.c @@ -61,12 +61,6 @@ unsigned long badness(struct task_struct } /* -* swapoff can easily use up all memory, so kill those first. -*/ - if (p->flags & PF_SWAPOFF) - return ULONG_MAX; - - /* * The memory size of the process is the basis for the badness. */ points = mm->total_vm; @@ -77,6 +71,12 @@ unsigned long badness(struct task_struct task_unlock(p); /* +* swapoff can easily use up all memory, so kill those first. +*/ + if (p->flags & PF_SWAPOFF) + return ULONG_MAX; + + /* * Processes which fork a lot of child processes are likely * a good choice. We add half the vmsize of the children if they * have an own mm. This prevents forking servers to flood the -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 50/50] Fix incorrect user space access locking in mincore() (CVE-2006-4814)
-stable review patch. If anyone has any objections, please let us know.
--
From: Linus Torvalds <[EMAIL PROTECTED]>
Doug Chapman noticed that mincore() will doa "copy_to_user()" of the
result while holding the mmap semaphore for reading, which is a big
no-no. While a recursive read-lock on a semaphore in the case of a page
fault happens to work, we don't actually allow them due to deadlock
schenarios with writers due to fairness issues.
Doug and Marcel sent in a patch to fix it, but I decided to just rewrite
the mess instead - not just fixing the locking problem, but making the
code smaller and (imho) much easier to understand.
Cc: Doug Chapman <[EMAIL PROTECTED]>
Cc: Marcel Holtmann <[EMAIL PROTECTED]>
Cc: Hugh Dickins <[EMAIL PROTECTED]>
Cc: Andrew Morton <[EMAIL PROTECTED]>
[chrisw: fold in subsequent fix: 4fb23e439ce0]
Acked-by: Hugh Dickins <[EMAIL PROTECTED]>
[chrisw: fold in subsequent fix: 825020c3866e]
Signed-off-by: Oleg Nesterov <[EMAIL PROTECTED]>
Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
mm/mincore.c | 181 +--
1 file changed, 77 insertions(+), 104 deletions(-)
--- linux-2.6.19.1.orig/mm/mincore.c
+++ linux-2.6.19.1/mm/mincore.c
@@ -1,7 +1,7 @@
/*
* linux/mm/mincore.c
*
- * Copyright (C) 1994-1999 Linus Torvalds
+ * Copyright (C) 1994-2006 Linus Torvalds
*/
/*
@@ -38,46 +38,51 @@ static unsigned char mincore_page(struct
return present;
}
-static long mincore_vma(struct vm_area_struct * vma,
- unsigned long start, unsigned long end, unsigned char __user * vec)
+/*
+ * Do a chunk of "sys_mincore()". We've already checked
+ * all the arguments, we hold the mmap semaphore: we should
+ * just return the amount of info we're asked for.
+ */
+static long do_mincore(unsigned long addr, unsigned char *vec, unsigned long
pages)
{
- long error, i, remaining;
- unsigned char * tmp;
-
- error = -ENOMEM;
- if (!vma->vm_file)
- return error;
-
- start = ((start - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
- if (end > vma->vm_end)
- end = vma->vm_end;
- end = ((end - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
-
- error = -EAGAIN;
- tmp = (unsigned char *) __get_free_page(GFP_KERNEL);
- if (!tmp)
- return error;
-
- /* (end - start) is # of pages, and also # of bytes in "vec */
- remaining = (end - start),
+ unsigned long i, nr, pgoff;
+ struct vm_area_struct *vma = find_vma(current->mm, addr);
- error = 0;
- for (i = 0; remaining > 0; remaining -= PAGE_SIZE, i++) {
- int j = 0;
- long thispiece = (remaining < PAGE_SIZE) ?
- remaining : PAGE_SIZE;
+ /*
+* find_vma() didn't find anything above us, or we're
+* in an unmapped hole in the address space: ENOMEM.
+*/
+ if (!vma || addr < vma->vm_start)
+ return -ENOMEM;
- while (j < thispiece)
- tmp[j++] = mincore_page(vma, start++);
+ /*
+* Ok, got it. But check whether it's a segment we support
+* mincore() on. Right now, we don't do any anonymous mappings.
+*
+* FIXME: This is just stupid. And returning ENOMEM is
+* stupid too. We should just look at the page tables. But
+* this is what we've traditionally done, so we'll just
+* continue doing it.
+*/
+ if (!vma->vm_file)
+ return -ENOMEM;
- if (copy_to_user(vec + PAGE_SIZE * i, tmp, thispiece)) {
- error = -EFAULT;
- break;
- }
- }
+ /*
+* Calculate how many pages there are left in the vma, and
+* what the pgoff is for our address.
+*/
+ nr = (vma->vm_end - addr) >> PAGE_SHIFT;
+ if (nr > pages)
+ nr = pages;
+
+ pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
+ pgoff += vma->vm_pgoff;
+
+ /* And then we just fill the sucker in.. */
+ for (i = 0 ; i < nr; i++, pgoff++)
+ vec[i] = mincore_page(vma, pgoff);
- free_page((unsigned long) tmp);
- return error;
+ return nr;
}
/*
@@ -107,82 +112,50 @@ static long mincore_vma(struct vm_area_s
asmlinkage long sys_mincore(unsigned long start, size_t len,
unsigned char __user * vec)
{
- int index = 0;
- unsigned long end, limit;
- struct vm_area_struct * vma;
- size_t max;
- int unmapped_error = 0;
- long error;
+ long retval;
+ unsigned long pages;
+ unsigned char *tmp;
- /* check th
[patch 43/50] SOUND: Sparc CS4231: Fix IRQ return value and initialization.
-stable review patch. If anyone has any objections, please let us know.
--
From: Georg Chini <[EMAIL PROTECTED]>
fix some initialisation problems.
Change period_bytes_min from 4096 to 256 to allow driver to work with
low latency (VOIP) applications. Hope this does not break EBUS.
Signed-off-by: Georg Chini <[EMAIL PROTECTED]>
Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
commit d35a1b9e10481c9f1d3b87e778a0f1f6a0a2dd48
sound/sparc/cs4231.c | 26 --
1 file changed, 12 insertions(+), 14 deletions(-)
--- linux-2.6.19.1.orig/sound/sparc/cs4231.c
+++ linux-2.6.19.1/sound/sparc/cs4231.c
@@ -1268,7 +1268,7 @@ static struct snd_pcm_hardware snd_cs423
.channels_min = 1,
.channels_max = 2,
.buffer_bytes_max = (32*1024),
- .period_bytes_min = 4096,
+ .period_bytes_min = 256,
.period_bytes_max = (32*1024),
.periods_min= 1,
.periods_max= 1024,
@@ -1288,7 +1288,7 @@ static struct snd_pcm_hardware snd_cs423
.channels_min = 1,
.channels_max = 2,
.buffer_bytes_max = (32*1024),
- .period_bytes_min = 4096,
+ .period_bytes_min = 256,
.period_bytes_max = (32*1024),
.periods_min= 1,
.periods_max= 1024,
@@ -1796,7 +1796,7 @@ static irqreturn_t snd_cs4231_sbus_inter
snd_cs4231_outm(chip, CS4231_IRQ_STATUS, ~CS4231_ALL_IRQS | ~status, 0);
spin_unlock_irqrestore(>lock, flags);
- return 0;
+ return IRQ_HANDLED;
}
/*
@@ -1821,7 +1821,6 @@ static int sbus_dma_request(struct cs423
if (!(csr & test))
goto out;
err = -EBUSY;
- csr = sbus_readl(base->regs + APCCSR);
test = APC_XINT_CNVA;
if ( base->dir == APC_PLAY )
test = APC_XINT_PNVA;
@@ -1862,17 +1861,16 @@ static void sbus_dma_enable(struct cs423
spin_lock_irqsave(>lock, flags);
if (!on) {
- if (base->dir == APC_PLAY) {
- sbus_writel(0, base->regs + base->dir + APCNVA);
- sbus_writel(1, base->regs + base->dir + APCC);
- }
- else
- {
- sbus_writel(0, base->regs + base->dir + APCNC);
- sbus_writel(0, base->regs + base->dir + APCVA);
- }
+ sbus_writel(0, base->regs + base->dir + APCNC);
+ sbus_writel(0, base->regs + base->dir + APCNVA);
+ sbus_writel(0, base->regs + base->dir + APCC);
+ sbus_writel(0, base->regs + base->dir + APCVA);
+
+ /* ACK any APC interrupts. */
+ csr = sbus_readl(base->regs + APCCSR);
+ sbus_writel(csr, base->regs + APCCSR);
}
- udelay(600);
+ udelay(1000);
csr = sbus_readl(base->regs + APCCSR);
shift = 0;
if ( base->dir == APC_PLAY )
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [patch 00/50] -stable review
rollup available (when mirroring completes):
http://www.kernel.org/pub/linux/kernel/people/chrisw/stable/patch-2.6.19.2-rc1.{gz,bz2}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 37/50] sparc32: add offset in pci_map_sg()
-stable review patch. If anyone has any objections, please let us know.
--
From: Jan Andersson <[EMAIL PROTECTED]>
Add sg->offset to sg->dvma_address in pci_map_sg() on sparc32. Without the
offset, transfers to buffers that do not begin on a page boundary will not
work as expected.
Signed-off-by: Jan Andersson <[EMAIL PROTECTED]>
Cc: "David S. Miller" <[EMAIL PROTECTED]>
Cc: William Lee Irwin III <[EMAIL PROTECTED]>
Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
arch/sparc/kernel/ioport.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- linux-2.6.19.1.orig/arch/sparc/kernel/ioport.c
+++ linux-2.6.19.1/arch/sparc/kernel/ioport.c
@@ -728,7 +728,8 @@ int pci_map_sg(struct pci_dev *hwdev, st
/* IIep is write-through, not flushing. */
for (n = 0; n < nents; n++) {
BUG_ON(page_address(sg->page) == NULL);
- sg->dvma_address = virt_to_phys(page_address(sg->page));
+ sg->dvma_address =
+ virt_to_phys(page_address(sg->page)) + sg->offset;
sg->dvma_length = sg->length;
sg++;
}
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 44/50] SOUND: Sparc CS4231: Use 64 for period_bytes_min
-stable review patch. If anyone has any objections, please let us know. -- From: David Miller <[EMAIL PROTECTED]> This matches what the ISA cs4231 driver uses. Tested by Georg Chini. Signed-off-by: David S. Miller <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- commit f9af1d9deaaffe6803dec693748498886915d766 sound/sparc/cs4231.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- linux-2.6.19.1.orig/sound/sparc/cs4231.c +++ linux-2.6.19.1/sound/sparc/cs4231.c @@ -1268,7 +1268,7 @@ static struct snd_pcm_hardware snd_cs423 .channels_min = 1, .channels_max = 2, .buffer_bytes_max = (32*1024), - .period_bytes_min = 256, + .period_bytes_min = 64, .period_bytes_max = (32*1024), .periods_min= 1, .periods_max= 1024, @@ -1288,7 +1288,7 @@ static struct snd_pcm_hardware snd_cs423 .channels_min = 1, .channels_max = 2, .buffer_bytes_max = (32*1024), - .period_bytes_min = 256, + .period_bytes_min = 64, .period_bytes_max = (32*1024), .periods_min= 1, .periods_max= 1024, -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 48/50] connector: some fixes for ia64 unaligned access errors
-stable review patch. If anyone has any objections, please let us know. -- From: Erik Jacobson <[EMAIL PROTECTED]> On ia64, the various functions that make up cn_proc.c cause kernel unaligned access errors. If you are using these, for example, to get notification about all tasks forking and exiting, you get multiple unaligned access errors per process. Use put_unaligned() in the appropriate palces to fix this. Signed-off-by: Erik Jacobson <[EMAIL PROTECTED]> Cc: Evgeniy Polyakov <[EMAIL PROTECTED]> Cc: Tony Luck <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Cc: "David S. Miller" <[EMAIL PROTECTED]> Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- drivers/connector/cn_proc.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) --- linux-2.6.19.1.orig/drivers/connector/cn_proc.c +++ linux-2.6.19.1/drivers/connector/cn_proc.c @@ -28,6 +28,7 @@ #include #include #include +#include #include @@ -60,7 +61,7 @@ void proc_fork_connector(struct task_str ev = (struct proc_event*)msg->data; get_seq(>seq, >cpu); ktime_get_ts(); /* get high res monotonic timestamp */ - ev->timestamp_ns = timespec_to_ns(); + put_unaligned(timespec_to_ns(), (__u64 *)>timestamp_ns); ev->what = PROC_EVENT_FORK; ev->event_data.fork.parent_pid = task->real_parent->pid; ev->event_data.fork.parent_tgid = task->real_parent->tgid; @@ -88,7 +89,7 @@ void proc_exec_connector(struct task_str ev = (struct proc_event*)msg->data; get_seq(>seq, >cpu); ktime_get_ts(); /* get high res monotonic timestamp */ - ev->timestamp_ns = timespec_to_ns(); + put_unaligned(timespec_to_ns(), (__u64 *)>timestamp_ns); ev->what = PROC_EVENT_EXEC; ev->event_data.exec.process_pid = task->pid; ev->event_data.exec.process_tgid = task->tgid; @@ -124,7 +125,7 @@ void proc_id_connector(struct task_struc return; get_seq(>seq, >cpu); ktime_get_ts(); /* get high res monotonic timestamp */ - ev->timestamp_ns = timespec_to_ns(); + put_unaligned(timespec_to_ns(), (__u64 *)>timestamp_ns); memcpy(>id, _proc_event_id, sizeof(msg->id)); msg->ack = 0; /* not used */ @@ -146,7 +147,7 @@ void proc_exit_connector(struct task_str ev = (struct proc_event*)msg->data; get_seq(>seq, >cpu); ktime_get_ts(); /* get high res monotonic timestamp */ - ev->timestamp_ns = timespec_to_ns(); + put_unaligned(timespec_to_ns(), (__u64 *)>timestamp_ns); ev->what = PROC_EVENT_EXIT; ev->event_data.exit.process_pid = task->pid; ev->event_data.exit.process_tgid = task->tgid; @@ -181,7 +182,7 @@ static void cn_proc_ack(int err, int rcv ev = (struct proc_event*)msg->data; msg->seq = rcvd_seq; ktime_get_ts(); /* get high res monotonic timestamp */ - ev->timestamp_ns = timespec_to_ns(); + put_unaligned(timespec_to_ns(), (__u64 *)>timestamp_ns); ev->cpu = -1; ev->what = PROC_EVENT_NONE; ev->event_data.ack.err = err; -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 46/50] asix: Fix typo for AX88772 PHY Selection
-stable review patch. If anyone has any objections, please let us know.
--
From: David Hollis <[EMAIL PROTECTED]>
The attached patch fixes a PHY selection problem that prevents AX88772
based devices (Linksys USB200Mv2, etc) devices from working. The
interface comes up and everything seems fine except the device doesn't
send/receive any packets. The one-liner attached fixes this issue and
makes the devices usable again.
Signed-off-by: David Hollis <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
Patch has already been applied for 2.6.20+ kernels but it would be very
helpful for end-users/distributions to have this fixed in the 2.6.19
series as well.
drivers/usb/net/asix.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.1.orig/drivers/usb/net/asix.c
+++ linux-2.6.19.1/drivers/usb/net/asix.c
@@ -920,7 +920,7 @@ static int ax88772_bind(struct usbnet *d
goto out2;
if ((ret = asix_write_cmd(dev, AX_CMD_SW_PHY_SELECT,
- 0x, 0, 0, buf)) < 0) {
+ 1, 0, 0, buf)) < 0) {
dbg("Select PHY #1 failed: %d", ret);
goto out2;
}
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 28/50] softmac: Fixed handling of deassociation from AP
-stable review patch. If anyone has any objections, please let us know.
--
From: Ulrich Kunitz <[EMAIL PROTECTED]>
In 2.6.19 a deauthentication from the AP doesn't start a
reassociation by the softmac code. It appears that
mac->associnfo.associating must be set and the
ieee80211softmac_assoc_work function must be scheduled. This patch
fixes that.
Signed-off-by: Ulrich Kunitz <[EMAIL PROTECTED]>
Signed-off-by: John W. Linville <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
Date: Sun, 3 Dec 2006 15:32:00 + (+0100)
Subject: [patch 28/50] [PATCH] softmac: Fixed handling of deassociation from AP
X-Git-Tag: v2.6.20-rc1
X-Git-Url:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2b50c24554d31c2db2f93b1151b5991e62f96594
net/ieee80211/softmac/ieee80211softmac_assoc.c | 14 --
net/ieee80211/softmac/ieee80211softmac_auth.c |2 ++
net/ieee80211/softmac/ieee80211softmac_priv.h |2 ++
3 files changed, 16 insertions(+), 2 deletions(-)
--- linux-2.6.19.1.orig/net/ieee80211/softmac/ieee80211softmac_assoc.c
+++ linux-2.6.19.1/net/ieee80211/softmac/ieee80211softmac_assoc.c
@@ -427,6 +427,17 @@ ieee80211softmac_handle_assoc_response(s
return 0;
}
+void
+ieee80211softmac_try_reassoc(struct ieee80211softmac_device *mac)
+{
+ unsigned long flags;
+
+ spin_lock_irqsave(>lock, flags);
+ mac->associnfo.associating = 1;
+ schedule_work(>associnfo.work);
+ spin_unlock_irqrestore(>lock, flags);
+}
+
int
ieee80211softmac_handle_disassoc(struct net_device * dev,
struct ieee80211_disassoc *disassoc)
@@ -445,8 +456,7 @@ ieee80211softmac_handle_disassoc(struct
dprintk(KERN_INFO PFX "got disassoc frame\n");
ieee80211softmac_disassoc(mac);
- /* try to reassociate */
- schedule_work(>associnfo.work);
+ ieee80211softmac_try_reassoc(mac);
return 0;
}
--- linux-2.6.19.1.orig/net/ieee80211/softmac/ieee80211softmac_auth.c
+++ linux-2.6.19.1/net/ieee80211/softmac/ieee80211softmac_auth.c
@@ -328,6 +328,8 @@ ieee80211softmac_deauth_from_net(struct
/* can't transmit data right now... */
netif_carrier_off(mac->dev);
spin_unlock_irqrestore(>lock, flags);
+
+ ieee80211softmac_try_reassoc(mac);
}
/*
--- linux-2.6.19.1.orig/net/ieee80211/softmac/ieee80211softmac_priv.h
+++ linux-2.6.19.1/net/ieee80211/softmac/ieee80211softmac_priv.h
@@ -238,4 +238,6 @@ void ieee80211softmac_call_events_locked
int ieee80211softmac_notify_internal(struct ieee80211softmac_device *mac,
int event, void *event_context, notify_function_ptr fun, void *context,
gfp_t gfp_mask);
+void ieee80211softmac_try_reassoc(struct ieee80211softmac_device *mac);
+
#endif /* IEEE80211SOFTMAC_PRIV_H_ */
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 40/50] dvb-core: fix bug in CRC-32 checking on 64-bit systems
-stable review patch. If anyone has any objections, please let us know.
--
From: Ang Way Chuang <[EMAIL PROTECTED]>
CRC-32 checking during ULE decapsulation always failed on x86_64 systems due
to the size of a variable used to store CRC. This bug was discovered on
Fedora Core 6 with kernel-2.6.18-1.2849. The i386 counterpart has no such
problem. This patch has been tested on 64-bit system as well as 32-bit system.
Signed-off-by: Ang Way Chuang <[EMAIL PROTECTED]>
Signed-off-by: Michael Krufky <[EMAIL PROTECTED]>
Signed-off-by: Mauro Carvalho Chehab <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
(cherry picked from commit dedcefb085fe98a1feaf63590fe2fc7e0ecb1987)
drivers/media/dvb/dvb-core/dvb_net.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- linux-2.6.19.1.orig/drivers/media/dvb/dvb-core/dvb_net.c
+++ linux-2.6.19.1/drivers/media/dvb/dvb-core/dvb_net.c
@@ -604,7 +604,7 @@ static void dvb_net_ule( struct net_devi
{ , sizeof utype },
{ priv->ule_skb->data, priv->ule_skb->len - 4 }
};
- unsigned long ule_crc = ~0L, expected_crc;
+ u32 ule_crc = ~0L, expected_crc;
if (priv->ule_dbit) {
/* Set D-bit for CRC32 verification,
* if it was set originally. */
@@ -617,7 +617,7 @@ static void dvb_net_ule( struct net_devi
*((u8 *)priv->ule_skb->tail - 2) << 8 |
*((u8 *)priv->ule_skb->tail - 1);
if (ule_crc != expected_crc) {
- printk(KERN_WARNING "%lu: CRC32 check FAILED:
%#lx / %#lx, SNDU len %d type %#x, ts_remain %d, next 2: %x.\n",
+ printk(KERN_WARNING "%lu: CRC32 check FAILED:
%08x / %08x, SNDU len %d type %#x, ts_remain %d, next 2: %x.\n",
priv->ts_count, ule_crc, expected_crc,
priv->ule_sndu_len, priv->ule_sndu_type, ts_remain, ts_remain > 2 ? *(unsigned
short *)from_where : 0);
#ifdef ULE_DEBUG
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 19/50] sched: fix bad missed wakeups in the i386, x86_64, ia64, ACPI and APM idle code
ll 3 x86 architectures: i386, x86_64, ia64.
Signed-off-by: Ingo Molnar <[EMAIL PROTECTED]>
Tested-by: Fernando Lopez-Lezcano <[EMAIL PROTECTED]>
[chrisw: backport to 2.6.19.1]
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
arch/i386/kernel/apm.c|6 +-
arch/i386/kernel/process.c|7 ++-
arch/ia64/kernel/process.c| 10 --
arch/x86_64/kernel/process.c |6 +-
drivers/acpi/processor_idle.c | 12 ++--
5 files changed, 34 insertions(+), 7 deletions(-)
--- linux-2.6.19.1.orig/arch/i386/kernel/apm.c
+++ linux-2.6.19.1/arch/i386/kernel/apm.c
@@ -784,7 +784,11 @@ static int apm_do_idle(void)
polling = !!(current_thread_info()->status & TS_POLLING);
if (polling) {
current_thread_info()->status &= ~TS_POLLING;
- smp_mb__after_clear_bit();
+ /*
+* TS_POLLING-cleared state must be visible before we
+* test NEED_RESCHED:
+*/
+ smp_mb();
}
if (!need_resched()) {
idled = 1;
--- linux-2.6.19.1.orig/arch/i386/kernel/process.c
+++ linux-2.6.19.1/arch/i386/kernel/process.c
@@ -103,7 +103,12 @@ void default_idle(void)
if (!hlt_counter && boot_cpu_data.hlt_works_ok) {
current_thread_info()->status &= ~TS_POLLING;
- smp_mb__after_clear_bit();
+ /*
+* TS_POLLING-cleared state must be visible before we
+* test NEED_RESCHED:
+*/
+ smp_mb();
+
while (!need_resched()) {
local_irq_disable();
if (!need_resched())
--- linux-2.6.19.1.orig/arch/ia64/kernel/process.c
+++ linux-2.6.19.1/arch/ia64/kernel/process.c
@@ -268,10 +268,16 @@ cpu_idle (void)
/* endless idle loop with no priority at all */
while (1) {
- if (can_do_pal_halt)
+ if (can_do_pal_halt) {
current_thread_info()->status &= ~TS_POLLING;
- else
+ /*
+* TS_POLLING-cleared state must be visible before we
+* test NEED_RESCHED:
+*/
+ smp_mb();
+ } else {
current_thread_info()->status |= TS_POLLING;
+ }
if (!need_resched()) {
void (*idle)(void);
--- linux-2.6.19.1.orig/arch/x86_64/kernel/process.c
+++ linux-2.6.19.1/arch/x86_64/kernel/process.c
@@ -111,7 +111,11 @@ static void default_idle(void)
local_irq_enable();
current_thread_info()->status &= ~TS_POLLING;
- smp_mb__after_clear_bit();
+ /*
+* TS_POLLING-cleared state must be visible before we
+* test NEED_RESCHED:
+*/
+ smp_mb();
while (!need_resched()) {
local_irq_disable();
if (!need_resched())
--- linux-2.6.19.1.orig/drivers/acpi/processor_idle.c
+++ linux-2.6.19.1/drivers/acpi/processor_idle.c
@@ -211,7 +211,11 @@ acpi_processor_power_activate(struct acp
static void acpi_safe_halt(void)
{
current_thread_info()->status &= ~TS_POLLING;
- smp_mb__after_clear_bit();
+ /*
+* TS_POLLING-cleared state must be visible before we
+* test NEED_RESCHED:
+*/
+ smp_mb();
if (!need_resched())
safe_halt();
current_thread_info()->status |= TS_POLLING;
@@ -345,7 +349,11 @@ static void acpi_processor_idle(void)
*/
if (cx->type == ACPI_STATE_C2 || cx->type == ACPI_STATE_C3) {
current_thread_info()->status &= ~TS_POLLING;
- smp_mb__after_clear_bit();
+ /*
+* TS_POLLING-cleared state must be visible before we
+* test NEED_RESCHED:
+*/
+ smp_mb();
if (need_resched()) {
current_thread_info()->status |= TS_POLLING;
local_irq_enable();
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 30/50] handle ext3 directory corruption better (CVE-2006-6053)
-stable review patch. If anyone has any objections, please let us know.
--
From: Eric Sandeen <[EMAIL PROTECTED]>
I've been using Steve Grubb's purely evil "fsfuzzer" tool, at
http://people.redhat.com/sgrubb/files/fsfuzzer-0.4.tar.gz
Basically it makes a filesystem, splats some random bits over it, then
tries to mount it and do some simple filesystem actions.
At best, the filesystem catches the corruption gracefully. At worst,
things spin out of control.
As you might guess, we found a couple places in ext3 where things spin out
of control :)
First, we had a corrupted directory that was never checked for
consistency... it was corrupt, and pointed to another bad "entry" of
length 0. The for() loop looped forever, since the length of
ext3_next_entry(de) was 0, and we kept looking at the same pointer over and
over and over and over... I modeled this check and subsequent action on
what is done for other directory types in ext3_readdir...
(adding this check adds some computational expense; I am testing a followup
patch to reduce the number of times we check and re-check these directory
entries, in all cases. Thanks for the idea, Andreas).
Next we had a root directory inode which had a corrupted size, claimed to
be > 200M on a 4M filesystem. There was only really 1 block in the
directory, but because the size was so large, readdir kept coming back for
more, spewing thousands of printk's along the way.
Per Andreas' suggestion, if we're in this read error condition and we're
trying to read an offset which is greater than i_blocks worth of bytes,
stop trying, and break out of the loop.
With these two changes fsfuzz test survives quite well on ext3.
Signed-off-by: Eric Sandeen <[EMAIL PROTECTED]>
Cc:
Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
Date: Thu, 7 Dec 2006 04:36:26 + (-0800)
Subject: [patch 30/50] [PATCH] handle ext3 directory corruption better
X-Git-Tag: v2.6.20-rc1
X-Git-Url:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=40b851348fe9bf49c26025b34261d25142269b60
fs/ext3/dir.c |3 +++
fs/ext3/namei.c |9 +
2 files changed, 12 insertions(+)
--- linux-2.6.19.1.orig/fs/ext3/dir.c
+++ linux-2.6.19.1/fs/ext3/dir.c
@@ -154,6 +154,9 @@ static int ext3_readdir(struct file * fi
ext3_error (sb, "ext3_readdir",
"directory #%lu contains a hole at offset %lu",
inode->i_ino, (unsigned long)filp->f_pos);
+ /* corrupt size? Maybe no more blocks to read */
+ if (filp->f_pos > inode->i_blocks << 9)
+ break;
filp->f_pos += sb->s_blocksize - offset;
continue;
}
--- linux-2.6.19.1.orig/fs/ext3/namei.c
+++ linux-2.6.19.1/fs/ext3/namei.c
@@ -552,6 +552,15 @@ static int htree_dirblock_to_tree(struct
dir->i_sb->s_blocksize -
EXT3_DIR_REC_LEN(0));
for (; de < top; de = ext3_next_entry(de)) {
+ if (!ext3_check_dir_entry("htree_dirblock_to_tree", dir, de, bh,
+ (block<i_sb))
+ +((char *)de - bh->b_data))) {
+ /* On error, skip the f_pos to the next block. */
+ dir_file->f_pos = (dir_file->f_pos |
+ (dir->i_sb->s_blocksize - 1)) + 1;
+ brelse (bh);
+ return count;
+ }
ext3fs_dirhash(de->name, de->name_len, hinfo);
if ((hinfo->hash < start_hash) ||
((hinfo->hash == start_hash) &&
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 31/50] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)
-stable review patch. If anyone has any objections, please let us know.
--
From: Phillip Lougher <[EMAIL PROTECTED]>
Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops
is an unchecked corrupted block length field read by cramfs_readpage().
This patch adds a sanity check to cramfs_readpage() which checks that the
block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is
intentional, even though the uncompressed data is not going to be larger
than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
the original source data. Mkcramfs checks that the compressed size is
always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could
use the original uncompressed data in this case, but it doesn't.
Signed-off-by: Phillip Lougher <[EMAIL PROTECTED]>
Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
Date: Thu, 7 Dec 2006 04:37:20 + (-0800)
Subject: [patch 31/50] [PATCH] corrupted cramfs filesystems cause kernel oops
X-Git-Tag: v2.6.20-rc1
X-Git-Url:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=8bb0269160df2a60764013994d0bc5165406cf4a
fs/cramfs/inode.c |2 ++
1 file changed, 2 insertions(+)
--- linux-2.6.19.1.orig/fs/cramfs/inode.c
+++ linux-2.6.19.1/fs/cramfs/inode.c
@@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *
pgdata = kmap(page);
if (compr_len == 0)
; /* hole */
+ else if (compr_len > (PAGE_CACHE_SIZE << 1))
+ printk(KERN_ERR "cramfs: bad compressed blocksize
%u\n", compr_len);
else {
mutex_lock(_mutex);
bytes_filled = cramfs_uncompress_block(pgdata,
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 22/50] fix aoe without scatter-gather [Bug 7662]
-stable review patch. If anyone has any objections, please let us know.
--
From: Ed L Cashin <[EMAIL PROTECTED]>
Fix a bug that only appears when AoE goes over a network card that does not
support scatter-gather. The headers in the linear part of the skb appeared
to be larger than they really were, resulting in data that was offset by 24
bytes.
This patch eliminates the offset data on cards that don't support
scatter-gather or have had scatter-gather turned off. There remains an
unrelated issue that I'll address in a separate email.
Fixes bugzilla #7662
Signed-off-by: "Ed L. Cashin" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Cc: Greg KH <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
drivers/block/aoe/aoecmd.c | 13 ++---
1 file changed, 6 insertions(+), 7 deletions(-)
--- linux-2.6.19.1.orig/drivers/block/aoe/aoecmd.c
+++ linux-2.6.19.1/drivers/block/aoe/aoecmd.c
@@ -30,8 +30,6 @@ new_skb(ulong len)
skb->nh.raw = skb->mac.raw = skb->data;
skb->protocol = __constant_htons(ETH_P_AOE);
skb->priority = 0;
- skb_put(skb, len);
- memset(skb->head, 0, len);
skb->next = skb->prev = NULL;
/* tell the network layer not to perform IP checksums
@@ -122,8 +120,8 @@ aoecmd_ata_rw(struct aoedev *d, struct f
skb = f->skb;
h = (struct aoe_hdr *) skb->mac.raw;
ah = (struct aoe_atahdr *) (h+1);
- skb->len = sizeof *h + sizeof *ah;
- memset(h, 0, ETH_ZLEN);
+ skb_put(skb, sizeof *h + sizeof *ah);
+ memset(h, 0, skb->len);
f->tag = aoehdr_atainit(d, h);
f->waited = 0;
f->buf = buf;
@@ -149,7 +147,6 @@ aoecmd_ata_rw(struct aoedev *d, struct f
skb->len += bcnt;
skb->data_len = bcnt;
} else {
- skb->len = ETH_ZLEN;
writebit = 0;
}
@@ -206,6 +203,7 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigne
printk(KERN_INFO "aoe: skb alloc failure\n");
continue;
}
+ skb_put(skb, sizeof *h + sizeof *ch);
skb->dev = ifp;
if (sl_tail == NULL)
sl_tail = skb;
@@ -243,6 +241,7 @@ freeframe(struct aoedev *d)
continue;
if (atomic_read(_shinfo(f->skb)->dataref) == 1) {
skb_shinfo(f->skb)->nr_frags = f->skb->data_len = 0;
+ skb_trim(f->skb, 0);
return f;
}
n++;
@@ -698,8 +697,8 @@ aoecmd_ata_id(struct aoedev *d)
skb = f->skb;
h = (struct aoe_hdr *) skb->mac.raw;
ah = (struct aoe_atahdr *) (h+1);
- skb->len = ETH_ZLEN;
- memset(h, 0, ETH_ZLEN);
+ skb_put(skb, sizeof *h + sizeof *ah);
+ memset(h, 0, skb->len);
f->tag = aoehdr_atainit(d, h);
f->waited = 0;
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 24/50] cciss: fix XFER_READ/XFER_WRITE in do_cciss_request
-stable review patch. If anyone has any objections, please let us know. -- From: Mike Miller <[EMAIL PROTECTED]> This patch fixes a stupid bug. Sometime during the 2tb enhancement I ended up replacing the macros XFER_READ and XFER_WRITE with h->cciss_read and h->cciss_write respectively. It seemed to work somehow at least on x86_64 and ia64. I don't know how. But people started complaining about command timeouts on older controllers like the 64xx series and only on ia32. This resolves the issue reproduced in our lab. Please consider this for inclusion. Signed-off-by: Mike Miller <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- drivers/block/cciss.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- linux-2.6.19.1.orig/drivers/block/cciss.c +++ linux-2.6.19.1/drivers/block/cciss.c @@ -2530,7 +2530,7 @@ static void do_cciss_request(request_que c->Request.Type.Type = TYPE_CMD;// It is a command. c->Request.Type.Attribute = ATTR_SIMPLE; c->Request.Type.Direction = - (rq_data_dir(creq) == READ) ? h->cciss_read : h->cciss_write; + (rq_data_dir(creq) == READ) ? XFER_READ : XFER_WRITE; c->Request.Timeout = 0; // Don't time out c->Request.CDB[0] = (rq_data_dir(creq) == READ) ? h->cciss_read : h->cciss_write; -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 06/50] bonding: incorrect bonding state reported via ioctl
-stable review patch. If anyone has any objections, please let us know.
--
From: Andy Gospodarek <[EMAIL PROTECTED]>
This is a small fix-up to finish out the work done by Jay Vosburgh to
add carrier-state support for bonding devices. The output in
/proc/net/bonding/bondX was correct, but when collecting the same info
via an iotcl it could still be incorrect.
Signed-off-by: Andy Gospodarek <[EMAIL PROTECTED]>
Cc: Jeff Garzik <[EMAIL PROTECTED]>
Cc: Stephen Hemminger <[EMAIL PROTECTED]>
Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
Signed-off-by: Jeff Garzik <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
drivers/net/bonding/bond_main.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.1.orig/drivers/net/bonding/bond_main.c
+++ linux-2.6.19.1/drivers/net/bonding/bond_main.c
@@ -3675,7 +3675,7 @@ static int bond_do_ioctl(struct net_devi
mii->val_out = 0;
read_lock_bh(>lock);
read_lock(>curr_slave_lock);
- if (bond->curr_active_slave) {
+ if (netif_carrier_ok(bond->dev)) {
mii->val_out = BMSR_LSTATUS;
}
read_unlock(>curr_slave_lock);
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 42/50] ebtables: dont compute gap before checking struct type
-stable review patch. If anyone has any objections, please let us know. -- From: Chuck Ebbert <[EMAIL PROTECTED]> We cannot compute the gap until we know we have a 'struct ebt_entry' and not 'struct ebt_entries'. Failure to check can cause crash. Tested-by: Santiago Garcia Mantinan <[EMAIL PROTECTED]> Acked-by: Al Viro <[EMAIL PROTECTED]> Acked-by: Patrick McHardy <[EMAIL PROTECTED]> Signed-off-by: Chuck Ebbert <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- net/bridge/netfilter/ebtables.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- linux-2.6.19.1.orig/net/bridge/netfilter/ebtables.c +++ linux-2.6.19.1/net/bridge/netfilter/ebtables.c @@ -575,7 +575,7 @@ ebt_check_entry(struct ebt_entry *e, str struct ebt_entry_target *t; struct ebt_target *target; unsigned int i, j, hook = 0, hookmask = 0; - size_t gap = e->next_offset - e->target_offset; + size_t gap; int ret; /* don't mess with the struct ebt_entries */ @@ -625,6 +625,7 @@ ebt_check_entry(struct ebt_entry *e, str if (ret != 0) goto cleanup_watchers; t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); + gap = e->next_offset - e->target_offset; target = find_target_lock(t->u.name, , _mutex); if (!target) goto cleanup_watchers; -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 41/50] V4L: cx88: Fix leadtek_eeprom tagging
-stable review patch. If anyone has any objections, please let us know.
--
From: Jean Delvare <[EMAIL PROTECTED]>
reference to .init.text: from .text between 'cx88_card_setup'
(at offset 0x68c) and 'cx88_risc_field'
Caused by leadtek_eeprom() being declared __devinit and called from
a non-devinit context.
Signed-off-by: Jean Delvare <[EMAIL PROTECTED]>
Signed-off-by: Michael Krufky <[EMAIL PROTECTED]>
Signed-off-by: Mauro Carvalho Chehab <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
(cherry picked from commit 69f7e75a9d45e5eaca16917a8d0dedf76149f13f)
drivers/media/video/cx88/cx88-cards.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.1.orig/drivers/media/video/cx88/cx88-cards.c
+++ linux-2.6.19.1/drivers/media/video/cx88/cx88-cards.c
@@ -1610,7 +1610,7 @@ const unsigned int cx88_idcount = ARRAY_
/* --- */
/* some leadtek specific stuff */
-static void __devinit leadtek_eeprom(struct cx88_core *core, u8 *eeprom_data)
+static void leadtek_eeprom(struct cx88_core *core, u8 *eeprom_data)
{
/* This is just for the "Winfast 2000XP Expert" board ATM; I don't have
data on
* any others.
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 32/50] ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054)
-stable review patch. If anyone has any objections, please let us know.
--
From: Eric Sandeen <[EMAIL PROTECTED]>
This one was pointed out on the MOKB site:
http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html
If a directory's i_size is corrupted, ext2_find_entry() will keep processing
pages until the i_size is reached, even if there are no more blocks associated
with the directory inode. This patch puts in some minimal sanity-checking
so that we don't keep checking pages (and issuing errors) if we know there
can be no more data to read, based on the block count of the directory inode.
This is somewhat similar in approach to the ext3 patch I sent earlier this
year.
Signed-off-by: Eric Sandeen <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
Not upstream yet
fs/ext2/dir.c |8
1 file changed, 8 insertions(+)
--- linux-2.6.19.1.orig/fs/ext2/dir.c
+++ linux-2.6.19.1/fs/ext2/dir.c
@@ -368,6 +368,14 @@ struct ext2_dir_entry_2 * ext2_find_entr
}
if (++n >= npages)
n = 0;
+ /* next page is past the blocks we've got */
+ if (unlikely(n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9 {
+ ext2_error(dir->i_sb, __FUNCTION__,
+ "dir %lu size %lld exceeds block count %llu",
+ dir->i_ino, dir->i_size,
+ (unsigned long long)dir->i_blocks);
+ goto out;
+ }
} while (n != start);
out:
return NULL;
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 18/50] i2c: fix broken ds1337 initialization
-stable review patch. If anyone has any objections, please let us know.
--
From: Dirk Eibach <[EMAIL PROTECTED]>
On a custom board with ds1337 RTC I found that upgrade from 2.6.15 to
2.6.18 broke RTC support.
The main problem are changes to ds1337_init_client().
When a ds1337 recognizes a problem (e.g. power or clock failure) bit 7
in status register is set. This has to be reset by writing 0 to status
register. But since there are only 16 byte written to the chip and the
first byte is interpreted as an address, the status register (which is
the 16th) is never written.
The other problem is, that initializing all registers to zero is not
valid for day, date and month register. Funny enough this is checked by
ds1337_detect(), which depends on this values not being zero. So then
treated by ds1337_init_client() the ds1337 is not detected anymore,
whereas the failure bit in the status register is still set.
Broken by commit f9e8957937ebf60d22732a5ca9130f48a7603f60 (2.6.16-rc1,
2006-01-06). This fix is in Linus' tree since 2.6.20-rc1 (commit
763d9c046a2e511ec090a8986d3f85edf7448e7e).
Signed-off-by: Dirk Stieler <[EMAIL PROTECTED]>
Signed-off-by: Dirk Eibach <[EMAIL PROTECTED]>
Signed-off-by: Jean Delvare <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
drivers/i2c/chips/ds1337.c |8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- linux-2.6.19.1.orig/drivers/i2c/chips/ds1337.c
+++ linux-2.6.19.1/drivers/i2c/chips/ds1337.c
@@ -347,13 +347,19 @@ static void ds1337_init_client(struct i2
if ((status & 0x80) || (control & 0x80)) {
/* RTC not running */
- u8 buf[16];
+ u8 buf[1+16]; /* First byte is interpreted as address */
struct i2c_msg msg[1];
dev_dbg(>dev, "%s: RTC not running!\n", __FUNCTION__);
/* Initialize all, including STATUS and CONTROL to zero */
memset(buf, 0, sizeof(buf));
+
+ /* Write valid values in the date/time registers */
+ buf[1+DS1337_REG_DAY] = 1;
+ buf[1+DS1337_REG_DATE] = 1;
+ buf[1+DS1337_REG_MONTH] = 1;
+
msg[0].addr = client->addr;
msg[0].flags = 0;
msg[0].len = sizeof(buf);
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 35/50] SPARC64: Handle ISA devices with no regs property.
-stable review patch. If anyone has any objections, please let us know.
--
From: David Miller <[EMAIL PROTECTED]>
And this points out that the return value from
isa_dev_get_resource() and the 'pregs' arg to
isa_dev_get_irq() are totally unused.
Based upon a patch from Richard Mortimer <[EMAIL PROTECTED]>
Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
arch/sparc64/kernel/isa.c | 20
1 file changed, 8 insertions(+), 12 deletions(-)
--- linux-2.6.19.1.orig/arch/sparc64/kernel/isa.c
+++ linux-2.6.19.1/arch/sparc64/kernel/isa.c
@@ -22,14 +22,15 @@ static void __init report_dev(struct spa
printk(" [%s", isa_dev->prom_node->name);
}
-static struct linux_prom_registers * __init
-isa_dev_get_resource(struct sparc_isa_device *isa_dev)
+static void __init isa_dev_get_resource(struct sparc_isa_device *isa_dev)
{
struct linux_prom_registers *pregs;
unsigned long base, len;
int prop_len;
pregs = of_get_property(isa_dev->prom_node, "reg", _len);
+ if (!pregs)
+ return;
/* Only the first one is interesting. */
len = pregs[0].reg_size;
@@ -44,12 +45,9 @@ isa_dev_get_resource(struct sparc_isa_de
request_resource(_dev->bus->parent->io_space,
_dev->resource);
-
- return pregs;
}
-static void __init isa_dev_get_irq(struct sparc_isa_device *isa_dev,
- struct linux_prom_registers *pregs)
+static void __init isa_dev_get_irq(struct sparc_isa_device *isa_dev)
{
struct of_device *op = of_find_device_by_node(isa_dev->prom_node);
@@ -69,7 +67,6 @@ static void __init isa_fill_children(str
printk(" ->");
while (dp) {
- struct linux_prom_registers *regs;
struct sparc_isa_device *isa_dev;
isa_dev = kmalloc(sizeof(*isa_dev), GFP_KERNEL);
@@ -87,8 +84,8 @@ static void __init isa_fill_children(str
isa_dev->bus = parent_isa_dev->bus;
isa_dev->prom_node = dp;
- regs = isa_dev_get_resource(isa_dev);
- isa_dev_get_irq(isa_dev, regs);
+ isa_dev_get_resource(isa_dev);
+ isa_dev_get_irq(isa_dev);
report_dev(isa_dev, 1);
@@ -101,7 +98,6 @@ static void __init isa_fill_devices(stru
struct device_node *dp = isa_br->prom_node->child;
while (dp) {
- struct linux_prom_registers *regs;
struct sparc_isa_device *isa_dev;
isa_dev = kmalloc(sizeof(*isa_dev), GFP_KERNEL);
@@ -141,8 +137,8 @@ static void __init isa_fill_devices(stru
isa_dev->bus = isa_br;
isa_dev->prom_node = dp;
- regs = isa_dev_get_resource(isa_dev);
- isa_dev_get_irq(isa_dev, regs);
+ isa_dev_get_resource(isa_dev);
+ isa_dev_get_irq(isa_dev);
report_dev(isa_dev, 0);
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 29/50] zd1211rw: Call ieee80211_rx in tasklet
-stable review patch. If anyone has any objections, please let us know.
--
From: Ulrich Kunitz <[EMAIL PROTECTED]>
[PATCH] zd1211rw: Call ieee80211_rx in tasklet
The driver called ieee80211_rx in hardware interrupt context. This has
been against the intention of the ieee80211_rx function. It caused a bug
in the crypto routines used by WPA. This patch calls ieee80211_rx in a
tasklet.
Signed-off-by: Ulrich Kunitz <[EMAIL PROTECTED]>
Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
Signed-off-by: John W. Linville <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
Date: Sun, 10 Dec 2006 19:13:12 + (-0800)
Subject: [patch 29/50] [PATCH] zd1211rw: Call ieee80211_rx in tasklet
X-Git-Tag: v2.6.20-rc2
X-Git-Url:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=4d1feabcbf41f875447a392015acd0796f57baf6
drivers/net/wireless/zd1211rw/zd_mac.c | 91 -
drivers/net/wireless/zd1211rw/zd_mac.h |6 +-
drivers/net/wireless/zd1211rw/zd_usb.c |4 -
3 files changed, 75 insertions(+), 26 deletions(-)
--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_mac.c
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_mac.c
@@ -37,6 +37,8 @@ static void housekeeping_init(struct zd_
static void housekeeping_enable(struct zd_mac *mac);
static void housekeeping_disable(struct zd_mac *mac);
+static void do_rx(unsigned long mac_ptr);
+
int zd_mac_init(struct zd_mac *mac,
struct net_device *netdev,
struct usb_interface *intf)
@@ -47,6 +49,10 @@ int zd_mac_init(struct zd_mac *mac,
spin_lock_init(>lock);
mac->netdev = netdev;
+ skb_queue_head_init(>rx_queue);
+ tasklet_init(>rx_tasklet, do_rx, (unsigned long)mac);
+ tasklet_disable(>rx_tasklet);
+
ieee_init(ieee);
softmac_init(ieee80211_priv(netdev));
zd_chip_init(>chip, netdev, intf);
@@ -132,6 +138,8 @@ out:
void zd_mac_clear(struct zd_mac *mac)
{
+ skb_queue_purge(>rx_queue);
+ tasklet_kill(>rx_tasklet);
zd_chip_clear(>chip);
ZD_ASSERT(!spin_is_locked(>lock));
ZD_MEMCLEAR(mac, sizeof(struct zd_mac));
@@ -160,6 +168,8 @@ int zd_mac_open(struct net_device *netde
struct zd_chip *chip = >chip;
int r;
+ tasklet_enable(>rx_tasklet);
+
r = zd_chip_enable_int(chip);
if (r < 0)
goto out;
@@ -210,6 +220,8 @@ int zd_mac_stop(struct net_device *netde
*/
zd_chip_disable_rx(chip);
+ skb_queue_purge(>rx_queue);
+ tasklet_disable(>rx_tasklet);
housekeeping_disable(mac);
ieee80211softmac_stop(netdev);
@@ -873,45 +885,78 @@ static int fill_rx_stats(struct ieee8021
return 0;
}
-int zd_mac_rx(struct zd_mac *mac, const u8 *buffer, unsigned int length)
+static void zd_mac_rx(struct zd_mac *mac, struct sk_buff *skb)
{
int r;
struct ieee80211_device *ieee = zd_mac_to_ieee80211(mac);
struct ieee80211_rx_stats stats;
const struct rx_status *status;
- struct sk_buff *skb;
- if (length < ZD_PLCP_HEADER_SIZE + IEEE80211_1ADDR_LEN +
-IEEE80211_FCS_LEN + sizeof(struct rx_status))
- return -EINVAL;
+ if (skb->len < ZD_PLCP_HEADER_SIZE + IEEE80211_1ADDR_LEN +
+ IEEE80211_FCS_LEN + sizeof(struct rx_status))
+ {
+ dev_dbg_f(zd_mac_dev(mac), "Packet with length %u to small.\n",
+skb->len);
+ goto free_skb;
+ }
- r = fill_rx_stats(, , mac, buffer, length);
- if (r)
- return r;
+ r = fill_rx_stats(, , mac, skb->data, skb->len);
+ if (r) {
+ /* Only packets with rx errors are included here. */
+ goto free_skb;
+ }
- length -= ZD_PLCP_HEADER_SIZE+IEEE80211_FCS_LEN+
- sizeof(struct rx_status);
- buffer += ZD_PLCP_HEADER_SIZE;
+ __skb_pull(skb, ZD_PLCP_HEADER_SIZE);
+ __skb_trim(skb, skb->len -
+ (IEEE80211_FCS_LEN + sizeof(struct rx_status)));
- update_qual_rssi(mac, buffer, length, stats.signal, stats.rssi);
+ update_qual_rssi(mac, skb->data, skb->len, stats.signal,
+status->signal_strength);
- r = filter_rx(ieee, buffer, length, );
- if (r <= 0)
- return r;
- skb = dev_alloc_skb(sizeof(struct zd_rt_hdr) + length);
- if (!skb)
- return -ENOMEM;
+ r = filter_rx(ieee, skb->data, skb->len, );
+ if (r <= 0) {
+ if (r < 0)
+ dev_dbg_f(zd_mac_dev(mac), "Error in packet.\n");
+ goto free_skb;
+ }
+
if (ieee->iw_mode == IW_MODE_MONITOR)
-
[patch 25/50] [stable] [stable patch] i386: CPU hotplug broken with 2GB VMSPLIT
-stable review patch. If anyone has any objections, please let us know. -- From: Shaohua Li <[EMAIL PROTECTED]> In VMSPLIT mode, kernel PGD might have more entries than user space Signed-off-by: Shaohua Li <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- arch/i386/kernel/smpboot.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- linux-2.6.19.1.orig/arch/i386/kernel/smpboot.c +++ linux-2.6.19.1/arch/i386/kernel/smpboot.c @@ -1095,7 +1095,7 @@ static int __cpuinit __smp_prepare_cpu(i /* init low mem mapping */ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS, - KERNEL_PGD_PTRS); + min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS)); flush_tlb_all(); schedule_work(); wait_for_completion(); -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 20/50] Fix for shmem_truncate_range() BUG_ON()
-stable review patch. If anyone has any objections, please let us know. -- From: Badari Pulavarty <[EMAIL PROTECTED]> Ran into BUG() while doing madvise(REMOVE) testing. If we are punching a hole into shared memory segment using madvise(REMOVE) and the entire hole is below the indirect blocks, we hit following assert. BUG_ON(limit <= SHMEM_NR_DIRECT); Signed-off-by: Badari Pulavarty <[EMAIL PROTECTED]> Cc: Hugh Dickins <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- mm/shmem.c |7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) --- linux-2.6.19.1.orig/mm/shmem.c +++ linux-2.6.19.1/mm/shmem.c @@ -515,7 +515,12 @@ static void shmem_truncate_range(struct size = SHMEM_NR_DIRECT; nr_swaps_freed = shmem_free_swp(ptr+idx, ptr+size); } - if (!topdir) + + /* +* If there are no indirect blocks or we are punching a hole +* below indirect blocks, nothing to be done. +*/ + if (!topdir || (punch_hole && (limit <= SHMEM_NR_DIRECT))) goto done2; BUG_ON(limit <= SHMEM_NR_DIRECT); -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 23/50] UDP: Fix reversed logic in udp_get_port()
-stable review patch. If anyone has any objections, please let us know.
--
From: David Miller <[EMAIL PROTECTED]>
When this code was converted to use sk_for_each() the
logic for the "best hash chain length" code was reversed,
breaking everything.
The original code was of the form:
size = 0;
do {
if (++size >= best_size_so_far)
goto next;
} while ((sk = sk->next) != NULL);
best_size_so_far = size;
best = result;
next:;
and this got converted into:
sk_for_each(sk2, node, head)
if (++size < best_size_so_far) {
best_size_so_far = size;
best = result;
}
Which does something very very different from the original.
Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
net/ipv4/udp.c | 13 -
1 file changed, 8 insertions(+), 5 deletions(-)
--- linux-2.6.19.1.orig/net/ipv4/udp.c
+++ linux-2.6.19.1/net/ipv4/udp.c
@@ -167,11 +167,14 @@ int udp_get_port(struct sock *sk, unsign
goto gotit;
}
size = 0;
- sk_for_each(sk2, node, head)
- if (++size < best_size_so_far) {
- best_size_so_far = size;
- best = result;
- }
+ sk_for_each(sk2, node, head) {
+ if (++size >= best_size_so_far)
+ goto next;
+ }
+ best_size_so_far = size;
+ best = result;
+ next:
+ ;
}
result = best;
for(i = 0; i < (1 << 16) / UDP_HTABLE_SIZE; i++, result +=
UDP_HTABLE_SIZE) {
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 21/50] smc911x: fix netpoll compilation faliure
-stable review patch. If anyone has any objections, please let us know.
--
From: Vitaly Wool <[EMAIL PROTECTED]>
Fix the compilation failure for smc911x.c when NET_POLL_CONTROLLER is set.
Signed-off-by: Vitaly Wool <[EMAIL PROTECTED]>
Cc: Jeff Garzik <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
drivers/net/smc911x.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.1.orig/drivers/net/smc911x.c
+++ linux-2.6.19.1/drivers/net/smc911x.c
@@ -1331,7 +1331,7 @@ smc911x_rx_dma_irq(int dma, void *data)
static void smc911x_poll_controller(struct net_device *dev)
{
disable_irq(dev->irq);
- smc911x_interrupt(dev->irq, dev, NULL);
+ smc911x_interrupt(dev->irq, dev);
enable_irq(dev->irq);
}
#endif
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 15/50] IB/srp: Fix FMR mapping for 32-bit kernels and addresses above 4G
-stable review patch. If anyone has any objections, please let us know.
--
From: Roland Dreier <[EMAIL PROTECTED]>
struct srp_device.fmr_page_mask was unsigned long, which means that
the top part of addresses above 4G was being chopped off on 32-bit
architectures. Of course nothing good happens when data from SRP
targets is DMAed to the wrong place.
Fix this by changing fmr_page_mask to u64, to match the addresses
actually used by IB devices.
Thanks to Brian Cain <[EMAIL PROTECTED]> and David McMillen
<[EMAIL PROTECTED]> for help diagnosing the bug and testing
the fix.
Signed-off-by: Roland Dreier <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
I just asked Linus to pull this. It fixes nasty corruption/crash
problems on 32-bit systems with > 4G of memory.
drivers/infiniband/ulp/srp/ib_srp.c |2 +-
drivers/infiniband/ulp/srp/ib_srp.h |2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- linux-2.6.19.1.orig/drivers/infiniband/ulp/srp/ib_srp.c
+++ linux-2.6.19.1/drivers/infiniband/ulp/srp/ib_srp.c
@@ -1879,7 +1879,7 @@ static void srp_add_one(struct ib_device
*/
srp_dev->fmr_page_shift = max(9, ffs(dev_attr->page_size_cap) - 1);
srp_dev->fmr_page_size = 1 << srp_dev->fmr_page_shift;
- srp_dev->fmr_page_mask = ~((unsigned long) srp_dev->fmr_page_size - 1);
+ srp_dev->fmr_page_mask = ~((u64) srp_dev->fmr_page_size - 1);
INIT_LIST_HEAD(_dev->dev_list);
--- linux-2.6.19.1.orig/drivers/infiniband/ulp/srp/ib_srp.h
+++ linux-2.6.19.1/drivers/infiniband/ulp/srp/ib_srp.h
@@ -87,7 +87,7 @@ struct srp_device {
struct ib_fmr_pool *fmr_pool;
int fmr_page_shift;
int fmr_page_size;
- unsigned long fmr_page_mask;
+ u64 fmr_page_mask;
};
struct srp_host {
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 17/50] Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)
-stable review patch. If anyone has any objections, please let us know.
--
From: Marcel Holtmann <[EMAIL PROTECTED]>
With malformed packets it might be possible to overwrite internal
CMTP and CAPI data structures. This patch adds additional length
checks to prevent these kinds of remote attacks.
Signed-off-by: Marcel Holtmann <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
net/bluetooth/cmtp/capi.c | 39 +--
1 file changed, 33 insertions(+), 6 deletions(-)
--- linux-2.6.19.1.orig/net/bluetooth/cmtp/capi.c
+++ linux-2.6.19.1/net/bluetooth/cmtp/capi.c
@@ -196,6 +196,9 @@ static void cmtp_recv_interopmsg(struct
switch (CAPIMSG_SUBCOMMAND(skb->data)) {
case CAPI_CONF:
+ if (skb->len < CAPI_MSG_BASELEN + 10)
+ break;
+
func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 5);
info = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 8);
@@ -226,6 +229,9 @@ static void cmtp_recv_interopmsg(struct
break;
case CAPI_FUNCTION_GET_PROFILE:
+ if (skb->len < CAPI_MSG_BASELEN + 11 +
sizeof(capi_profile))
+ break;
+
controller = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN +
11);
msgnum = CAPIMSG_MSGID(skb->data);
@@ -246,17 +252,26 @@ static void cmtp_recv_interopmsg(struct
break;
case CAPI_FUNCTION_GET_MANUFACTURER:
+ if (skb->len < CAPI_MSG_BASELEN + 15)
+ break;
+
controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN +
10);
if (!info && ctrl) {
+ int len = min_t(uint, CAPI_MANUFACTURER_LEN,
+ skb->data[CAPI_MSG_BASELEN +
14]);
+
+ memset(ctrl->manu, 0, CAPI_MANUFACTURER_LEN);
strncpy(ctrl->manu,
- skb->data + CAPI_MSG_BASELEN + 15,
- skb->data[CAPI_MSG_BASELEN + 14]);
+ skb->data + CAPI_MSG_BASELEN + 15, len);
}
break;
case CAPI_FUNCTION_GET_VERSION:
+ if (skb->len < CAPI_MSG_BASELEN + 32)
+ break;
+
controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN +
12);
if (!info && ctrl) {
@@ -269,13 +284,18 @@ static void cmtp_recv_interopmsg(struct
break;
case CAPI_FUNCTION_GET_SERIAL_NUMBER:
+ if (skb->len < CAPI_MSG_BASELEN + 17)
+ break;
+
controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN +
12);
if (!info && ctrl) {
+ int len = min_t(uint, CAPI_SERIAL_LEN,
+ skb->data[CAPI_MSG_BASELEN +
16]);
+
memset(ctrl->serial, 0, CAPI_SERIAL_LEN);
strncpy(ctrl->serial,
- skb->data + CAPI_MSG_BASELEN + 17,
- skb->data[CAPI_MSG_BASELEN + 16]);
+ skb->data + CAPI_MSG_BASELEN + 17, len);
}
break;
@@ -284,14 +304,18 @@ static void cmtp_recv_interopmsg(struct
break;
case CAPI_IND:
+ if (skb->len < CAPI_MSG_BASELEN + 6)
+ break;
+
func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 3);
if (func == CAPI_FUNCTION_LOOPBACK) {
+ int len = min_t(uint, skb->len - CAPI_MSG_BASELEN - 6,
+ skb->data[CAPI_MSG_BASELEN +
5]);
appl = CAPIMSG_APPID(skb->data);
msgnum = CAPIMSG_MSGID(skb->data);
cmtp_send_interopmsg(session, CAPI_RESP, appl, msgnum,
func,
- skb->data + CAPI_MSG_BASELEN +
6,
- skb->data[CAPI_MSG_BASELEN +
5]);
+ skb->data + CAPI_MSG_BASELEN +
6, len);
}
break;
@@ -309,6 +333,9 @@ void cmtp_recv_capimsg(struct cmtp_sessi
BT_DBG("session %p skb %p len %d", session, skb, skb->len);
+ if (skb->len < CAPI_MSG_BASELEN)
+ return;
[patch 12/50] kbuild: dont put temp files in source
-stable review patch. If anyone has any objections, please let us know. -- From: Roman Zippel <[EMAIL PROTECTED]> The as-instr/ld-option need to create temporary files, but create them in the output directory, when compiling external modules. Reformat them a bit and use $(CC) instead of $(AS) as the former is used by kbuild to assemble files. Signed-off-by: Roman Zippel <[EMAIL PROTECTED]> Cc: Andi Kleen <[EMAIL PROTECTED]> Cc: Jan Beulich <[EMAIL PROTECTED]> Cc: Sam Ravnborg <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Cc: Horst Schirmeier <[EMAIL PROTECTED]> Cc: Daniel Drake <[EMAIL PROTECTED]> Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- It fixes building of external modules in a sandboxed environment. http://bugs.gentoo.org/149307 scripts/Kbuild.include | 19 --- 1 file changed, 12 insertions(+), 7 deletions(-) --- linux-2.6.19.1.orig/scripts/Kbuild.include +++ linux-2.6.19.1/scripts/Kbuild.include @@ -56,6 +56,9 @@ endef # gcc support functions # See documentation in Documentation/kbuild/makefiles.txt +# output directory for tests below +TMPOUT := $(if $(KBUILD_EXTMOD),$(firstword $(KBUILD_EXTMOD))/) + # as-option # Usage: cflags-y += $(call as-option, -Wa$(comma)-isa=foo,) @@ -66,9 +69,11 @@ as-option = $(shell if $(CC) $(CFLAGS) $ # as-instr # Usage: cflags-y += $(call as-instr, instr, option1, option2) -as-instr = $(shell if echo -e "$(1)" | $(AS) >/dev/null 2>&1 -W -Z -o astest.out ; \ - then echo "$(2)"; else echo "$(3)"; fi; \ - rm -f astest.out) +as-instr = $(shell if echo -e "$(1)" | \ + $(CC) $(AFLAGS) -c -xassembler - \ + -o $(TMPOUT)astest.out > /dev/null 2>&1; \ + then rm $(TMPOUT)astest.out; echo "$(2)"; \ + else echo "$(3)"; fi) # cc-option # Usage: cflags-y += $(call cc-option, -march=winchip-c6, -march=i586) @@ -97,10 +102,10 @@ cc-ifversion = $(shell if [ $(call cc-ve # ld-option # Usage: ldflags += $(call ld-option, -Wl$(comma)--hash-style=both) -ld-option = $(shell if $(CC) $(1) \ --nostdlib -o ldtest.out -xc /dev/null \ - > /dev/null 2>&1; then echo "$(1)"; else echo "$(2)"; fi; \ -rm -f ldtest.out) +ld-option = $(shell if $(CC) $(1) -nostdlib -xc /dev/null \ +-o $(TMPOUT)ldtest.out > /dev/null 2>&1; \ + then rm $(TMPOUT)ldtest.out; echo "$(1)"; \ + else echo "$(2)"; fi) ### # Shorthand for $(Q)$(MAKE) -f scripts/Makefile.build obj= -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 04/50] ieee80211softmac: Fix mutex_lock at exit of ieee80211_softmac_get_genie
-stable review patch. If anyone has any objections, please let us know. -- From: Ulrich Kunitz <[EMAIL PROTECTED]> ieee80211softmac_wx_get_genie locks the associnfo mutex at function exit. This patch fixes it. The patch is against Linus' tree (commit af1713e0). Signed-off-by: Ulrich Kunitz <[EMAIL PROTECTED]> Signed-off-by: Michael Buesch <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- net/ieee80211/softmac/ieee80211softmac_wx.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- linux-2.6.19.1.orig/net/ieee80211/softmac/ieee80211softmac_wx.c +++ linux-2.6.19.1/net/ieee80211/softmac/ieee80211softmac_wx.c @@ -463,7 +463,7 @@ ieee80211softmac_wx_get_genie(struct net err = -E2BIG; } spin_unlock_irqrestore(>lock, flags); - mutex_lock(>associnfo.mutex); + mutex_unlock(>associnfo.mutex); return err; } -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 09/50] Revert "[PATCH] zd1211rw: Removed unneeded packed attributes"
-stable review patch. If anyone has any objections, please let us know.
--
From: John W. Linville <[EMAIL PROTECTED]>
This reverts commit 4e1bbd846d00a245dcf78b6b331d8a9afed8e6d7.
Quoth Daniel Drake <[EMAIL PROTECTED]>:
"A user reported that commit 4e1bbd846d00a245dcf78b6b331d8a9afed8e6d7
(Remove unneeded packed attributes) breaks the zd1211rw driver on ARM."
Signed-off-by: John W. Linville <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
drivers/net/wireless/zd1211rw/zd_ieee80211.h |2 +-
drivers/net/wireless/zd1211rw/zd_mac.c |2 +-
drivers/net/wireless/zd1211rw/zd_mac.h |4 ++--
drivers/net/wireless/zd1211rw/zd_usb.h | 14 +++---
4 files changed, 11 insertions(+), 11 deletions(-)
--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_ieee80211.h
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_ieee80211.h
@@ -64,7 +64,7 @@ struct cck_plcp_header {
u8 service;
__le16 length;
__le16 crc16;
-};
+} __attribute__((packed));
static inline u8 zd_cck_plcp_header_rate(const struct cck_plcp_header *header)
{
--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_mac.c
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_mac.c
@@ -721,7 +721,7 @@ struct zd_rt_hdr {
u8 rt_rate;
u16 rt_channel;
u16 rt_chbitmask;
-};
+} __attribute__((packed));
static void fill_rt_header(void *buffer, struct zd_mac *mac,
const struct ieee80211_rx_stats *stats,
--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_mac.h
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_mac.h
@@ -82,7 +82,7 @@ struct zd_ctrlset {
struct rx_length_info {
__le16 length[3];
__le16 tag;
-};
+} __attribute__((packed));
#define RX_LENGTH_INFO_TAG 0x697e
@@ -93,7 +93,7 @@ struct rx_status {
u8 signal_quality_ofdm;
u8 decryption_type;
u8 frame_status;
-};
+} __attribute__((packed));
/* rx_status field decryption_type */
#define ZD_RX_NO_WEP 0
--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_usb.h
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_usb.h
@@ -74,17 +74,17 @@ enum control_requests {
struct usb_req_read_regs {
__le16 id;
__le16 addr[0];
-};
+} __attribute__((packed));
struct reg_data {
__le16 addr;
__le16 value;
-};
+} __attribute__((packed));
struct usb_req_write_regs {
__le16 id;
struct reg_data reg_writes[0];
-};
+} __attribute__((packed));
enum {
RF_IF_LE = 0x02,
@@ -101,7 +101,7 @@ struct usb_req_rfwrite {
/* RF2595: 24 */
__le16 bit_values[0];
/* (CR203 & ~(RF_IF_LE | RF_CLK | RF_DATA)) | (bit ? RF_DATA : 0) */
-};
+} __attribute__((packed));
/* USB interrupt */
@@ -118,12 +118,12 @@ enum usb_int_flags {
struct usb_int_header {
u8 type;/* must always be 1 */
u8 id;
-};
+} __attribute__((packed));
struct usb_int_regs {
struct usb_int_header hdr;
struct reg_data regs[0];
-};
+} __attribute__((packed));
struct usb_int_retry_fail {
struct usb_int_header hdr;
@@ -131,7 +131,7 @@ struct usb_int_retry_fail {
u8 _dummy;
u8 addr[ETH_ALEN];
u8 ibss_wakeup_dest;
-};
+} __attribute__((packed));
struct read_regs_int {
struct completion completion;
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 13/50] ARM: Add sys_*at syscalls
-stable review patch. If anyone has any objections, please let us know. -- From: Russell King <[EMAIL PROTECTED]> Later glibc requires the *at syscalls. Add them. Signed-off-by: Russell King <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- arch/arm/kernel/calls.S | 13 + include/asm-arm/unistd.h | 13 + 2 files changed, 26 insertions(+) bca0b8e75f6b7cf52cf52c967286b72d84f9b37e --- linux-2.6.19.1.orig/arch/arm/kernel/calls.S +++ linux-2.6.19.1/arch/arm/kernel/calls.S @@ -331,6 +331,19 @@ CALL(sys_mbind) /* 320 */ CALL(sys_get_mempolicy) CALL(sys_set_mempolicy) + CALL(sys_openat) + CALL(sys_mkdirat) + CALL(sys_mknodat) +/* 325 */ CALL(sys_fchownat) + CALL(sys_futimesat) + CALL(sys_fstatat64) + CALL(sys_unlinkat) + CALL(sys_renameat) +/* 330 */ CALL(sys_linkat) + CALL(sys_symlinkat) + CALL(sys_readlinkat) + CALL(sys_fchmodat) + CALL(sys_faccessat) #ifndef syscalls_counted .equ syscalls_padding, ((NR_syscalls + 3) & ~3) - NR_syscalls #define syscalls_counted --- linux-2.6.19.1.orig/include/asm-arm/unistd.h +++ linux-2.6.19.1/include/asm-arm/unistd.h @@ -347,6 +347,19 @@ #define __NR_mbind (__NR_SYSCALL_BASE+319) #define __NR_get_mempolicy (__NR_SYSCALL_BASE+320) #define __NR_set_mempolicy (__NR_SYSCALL_BASE+321) +#define __NR_openat(__NR_SYSCALL_BASE+322) +#define __NR_mkdirat (__NR_SYSCALL_BASE+323) +#define __NR_mknodat (__NR_SYSCALL_BASE+324) +#define __NR_fchownat (__NR_SYSCALL_BASE+325) +#define __NR_futimesat (__NR_SYSCALL_BASE+326) +#define __NR_fstatat64 (__NR_SYSCALL_BASE+327) +#define __NR_unlinkat (__NR_SYSCALL_BASE+328) +#define __NR_renameat (__NR_SYSCALL_BASE+329) +#define __NR_linkat(__NR_SYSCALL_BASE+330) +#define __NR_symlinkat (__NR_SYSCALL_BASE+331) +#define __NR_readlinkat(__NR_SYSCALL_BASE+332) +#define __NR_fchmodat (__NR_SYSCALL_BASE+333) +#define __NR_faccessat (__NR_SYSCALL_BASE+334) /* * The following SWIs are ARM private. -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 10/50] libata: handle 0xff status properly
-stable review patch. If anyone has any objections, please let us know.
--
From: Tejun Heo <[EMAIL PROTECTED]>
libata waits for !BSY even when the status register reports 0xff.
This causes long boot delays when D8 isn't pulled down properly. This
patch does the followings.
* don't wait if status register is 0xff in all wait functions
* make ata_busy_sleep() return 0 on success and -errno on failure.
-ENODEV is returned on 0xff status and -EBUSY on other failures.
* make ata_bus_softreset() succeed on 0xff status. 0xff status is not
reset failure. It indicates no device. This removes unnecessary
retries on such ports. Note that the code change assumes unoccupied
port reporting 0xff status does not produce valid device signature.
Signed-off-by: Tejun Heo <[EMAIL PROTECTED]>
Cc: Joe Jin <[EMAIL PROTECTED]>
Signed-off-by: Jeff Garzik <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
It fixes a long delay during booting for some hardware.
http://bugs.gentoo.org/157326
drivers/ata/libata-core.c | 30 ++
include/linux/libata.h|9 -
2 files changed, 22 insertions(+), 17 deletions(-)
--- linux-2.6.19.1.orig/drivers/ata/libata-core.c
+++ linux-2.6.19.1/drivers/ata/libata-core.c
@@ -2325,11 +2325,14 @@ static inline void ata_tf_to_host(struct
* Sleep until ATA Status register bit BSY clears,
* or a timeout occurs.
*
- * LOCKING: None.
+ * LOCKING:
+ * Kernel thread context (may sleep).
+ *
+ * RETURNS:
+ * 0 on success, -errno otherwise.
*/
-
-unsigned int ata_busy_sleep (struct ata_port *ap,
-unsigned long tmout_pat, unsigned long tmout)
+int ata_busy_sleep(struct ata_port *ap,
+ unsigned long tmout_pat, unsigned long tmout)
{
unsigned long timer_start, timeout;
u8 status;
@@ -2337,27 +2340,32 @@ unsigned int ata_busy_sleep (struct ata_
status = ata_busy_wait(ap, ATA_BUSY, 300);
timer_start = jiffies;
timeout = timer_start + tmout_pat;
- while ((status & ATA_BUSY) && (time_before(jiffies, timeout))) {
+ while (status != 0xff && (status & ATA_BUSY) &&
+ time_before(jiffies, timeout)) {
msleep(50);
status = ata_busy_wait(ap, ATA_BUSY, 3);
}
- if (status & ATA_BUSY)
+ if (status != 0xff && (status & ATA_BUSY))
ata_port_printk(ap, KERN_WARNING,
"port is slow to respond, please be patient "
"(Status 0x%x)\n", status);
timeout = timer_start + tmout;
- while ((status & ATA_BUSY) && (time_before(jiffies, timeout))) {
+ while (status != 0xff && (status & ATA_BUSY) &&
+ time_before(jiffies, timeout)) {
msleep(50);
status = ata_chk_status(ap);
}
+ if (status == 0xff)
+ return -ENODEV;
+
if (status & ATA_BUSY) {
ata_port_printk(ap, KERN_ERR, "port failed to respond "
"(%lu secs, Status 0x%x)\n",
tmout / HZ, status);
- return 1;
+ return -EBUSY;
}
return 0;
@@ -2448,10 +2456,8 @@ static unsigned int ata_bus_softreset(st
* the bus shows 0xFF because the odd clown forgets the D7
* pulldown resistor.
*/
- if (ata_check_status(ap) == 0xFF) {
- ata_port_printk(ap, KERN_ERR, "SRST failed (status 0xFF)\n");
- return AC_ERR_OTHER;
- }
+ if (ata_check_status(ap) == 0xFF)
+ return 0;
ata_bus_post_reset(ap, devmask);
--- linux-2.6.19.1.orig/include/linux/libata.h
+++ linux-2.6.19.1/include/linux/libata.h
@@ -744,9 +744,8 @@ extern int ata_scsi_device_suspend(struc
extern int ata_host_suspend(struct ata_host *host, pm_message_t mesg);
extern void ata_host_resume(struct ata_host *host);
extern int ata_ratelimit(void);
-extern unsigned int ata_busy_sleep(struct ata_port *ap,
- unsigned long timeout_pat,
- unsigned long timeout);
+extern int ata_busy_sleep(struct ata_port *ap,
+ unsigned long timeout_pat, unsigned long timeout);
extern void ata_port_queue_task(struct ata_port *ap, void (*fn)(void *),
void *data, unsigned long delay);
extern u32 ata_wait_register(void __iomem *reg, u32 mask, u32 val,
@@ -1061,7 +1060,7 @@ static inline u8 ata_busy_wait(struct at
udelay(10);
status = ata_chk_status(ap);
max--;
- } while ((status & bits) && (max > 0));
+ } while (status !=
[patch 11/50] ieee1394: ohci1394: add PPC_PMAC platform code to driver probe
-stable review patch. If anyone has any objections, please let us know.
--
From: Stefan Richter <[EMAIL PROTECTED]>
Fixes http://bugzilla.kernel.org/show_bug.cgi?id=7431
iBook G3 threw a machine check exception and put the display backlight
to full brightness after ohci1394 was unloaded and reloaded.
Signed-off-by: Stefan Richter <[EMAIL PROTECTED]>
[EMAIL PROTECTED]: also added missing if condition, commit
63cca59e89892497e95e1e9c7156d3345fb7e2e8]
Signed-off-by: Daniel Drake <[EMAIL PROTECTED]>
Acked-by: Stefan Richter <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
It fixes a kernel oops which occurs when the ohci1394 driver is reloaded on PPC
http://bugs.gentoo.org/154851
drivers/ieee1394/ohci1394.c | 21 -
1 file changed, 16 insertions(+), 5 deletions(-)
--- linux-2.6.19.1.orig/drivers/ieee1394/ohci1394.c
+++ linux-2.6.19.1/drivers/ieee1394/ohci1394.c
@@ -3217,6 +3217,19 @@ static int __devinit ohci1394_pci_probe(
struct ti_ohci *ohci; /* shortcut to currently handled device */
resource_size_t ohci_base;
+#ifdef CONFIG_PPC_PMAC
+ /* Necessary on some machines if ohci1394 was loaded/ unloaded before */
+ if (machine_is(powermac)) {
+ struct device_node *of_node = pci_device_to_OF_node(dev);
+
+ if (of_node) {
+ pmac_call_feature(PMAC_FTR_1394_CABLE_POWER, of_node,
+ 0, 1);
+ pmac_call_feature(PMAC_FTR_1394_ENABLE, of_node, 0, 1);
+ }
+ }
+#endif /* CONFIG_PPC_PMAC */
+
if (pci_enable_device(dev))
FAIL(-ENXIO, "Failed to enable OHCI hardware");
pci_set_master(dev);
@@ -3505,11 +3518,9 @@ static void ohci1394_pci_remove(struct p
#endif
#ifdef CONFIG_PPC_PMAC
- /* On UniNorth, power down the cable and turn off the chip
-* clock when the module is removed to save power on
-* laptops. Turning it back ON is done by the arch code when
-* pci_enable_device() is called */
- {
+ /* On UniNorth, power down the cable and turn off the chip clock
+* to save power on laptops */
+ if (machine_is(powermac)) {
struct device_node* of_node;
of_node = pci_device_to_OF_node(ohci->dev);
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 08/50] V4L: Fix broken TUNER_LG_NTSC_TAPE radio support
-stable review patch. If anyone has any objections, please let us know.
--
From: Hans Verkuil <[EMAIL PROTECTED]>
The TUNER_LG_NTSC_TAPE is identical in all respects to the
TUNER_PHILIPS_FM1236_MK3. So use the params struct for the Philips tuner.
Also add this LG_NTSC_TAPE tuner to the switches where radio specific
parameters are set so it behaves like a TUNER_PHILIPS_FM1236_MK3. This
change fixes the radio support for this tuner (the wrong bandswitch byte
was used).
Thanks to Andy Walls <[EMAIL PROTECTED]> for finding this bug.
Signed-off-by: Hans Verkuil <[EMAIL PROTECTED]>
Signed-off-by: Mauro Carvalho Chehab <[EMAIL PROTECTED]>
Signed-off-by: Michael Krufky <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
drivers/media/video/tuner-simple.c |2 ++
drivers/media/video/tuner-types.c | 14 ++
2 files changed, 4 insertions(+), 12 deletions(-)
--- linux-2.6.19.1.orig/drivers/media/video/tuner-simple.c
+++ linux-2.6.19.1/drivers/media/video/tuner-simple.c
@@ -108,6 +108,7 @@ static int tuner_stereo(struct i2c_clien
case TUNER_PHILIPS_FM1216ME_MK3:
case TUNER_PHILIPS_FM1236_MK3:
case TUNER_PHILIPS_FM1256_IH3:
+ case TUNER_LG_NTSC_TAPE:
stereo = ((status & TUNER_SIGNAL) == TUNER_STEREO_MK3);
break;
default:
@@ -421,6 +422,7 @@ static void default_set_radio_freq(struc
case TUNER_PHILIPS_FM1216ME_MK3:
case TUNER_PHILIPS_FM1236_MK3:
case TUNER_PHILIPS_FMD1216ME_MK3:
+ case TUNER_LG_NTSC_TAPE:
buffer[3] = 0x19;
break;
case TUNER_TNF_5335MF:
--- linux-2.6.19.1.orig/drivers/media/video/tuner-types.c
+++ linux-2.6.19.1/drivers/media/video/tuner-types.c
@@ -672,16 +672,6 @@ static struct tuner_params tuner_panason
},
};
-/* TUNER_LG_NTSC_TAPE - LGINNOTEK NTSC */
-
-static struct tuner_params tuner_lg_ntsc_tape_params[] = {
- {
- .type = TUNER_PARAM_TYPE_NTSC,
- .ranges = tuner_fm1236_mk3_ntsc_ranges,
- .count = ARRAY_SIZE(tuner_fm1236_mk3_ntsc_ranges),
- },
-};
-
/* TUNER_TNF_8831BGFF - Philips PAL */
static struct tuner_range tuner_tnf_8831bgff_pal_ranges[] = {
@@ -1331,8 +1321,8 @@ struct tunertype tuners[] = {
},
[TUNER_LG_NTSC_TAPE] = { /* LGINNOTEK NTSC */
.name = "LG NTSC (TAPE series)",
- .params = tuner_lg_ntsc_tape_params,
- .count = ARRAY_SIZE(tuner_lg_ntsc_tape_params),
+ .params = tuner_fm1236_mk3_params,
+ .count = ARRAY_SIZE(tuner_fm1236_mk3_params),
},
[TUNER_TNF_8831BGFF] = { /* Philips PAL */
.name = "Tenna TNF 8831 BGFF)",
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 02/50] sha512: Fix sha384 block size
-stable review patch. If anyone has any objections, please let us know.
--
From: Herbert Xu <[EMAIL PROTECTED]>
The SHA384 block size should be 128 bytes, not 96 bytes. This was
spotted by Andrew Donofrio.
This breaks HMAC which uses the block size during setup and the final
calculation.
Signed-off-by: Herbert Xu <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
crypto/sha512.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.1.orig/crypto/sha512.c
+++ linux-2.6.19.1/crypto/sha512.c
@@ -24,7 +24,7 @@
#define SHA384_DIGEST_SIZE 48
#define SHA512_DIGEST_SIZE 64
-#define SHA384_HMAC_BLOCK_SIZE 96
+#define SHA384_HMAC_BLOCK_SIZE 128
#define SHA512_HMAC_BLOCK_SIZE 128
struct sha512_ctx {
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 01/50] dm-crypt: Select CRYPTO_CBC
-stable review patch. If anyone has any objections, please let us know. -- From: Herbert Xu <[EMAIL PROTECTED]> As CBC is the default chaining method for cryptoloop, we should select it from cryptoloop to ease the transition. Spotted by Rene Herman. Signed-off-by: Herbert Xu <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- drivers/md/Kconfig |1 + 1 file changed, 1 insertion(+) --- linux-2.6.19.1.orig/drivers/md/Kconfig +++ linux-2.6.19.1/drivers/md/Kconfig @@ -215,6 +215,7 @@ config DM_CRYPT tristate "Crypt target support" depends on BLK_DEV_DM && EXPERIMENTAL select CRYPTO + select CRYPTO_CBC ---help--- This device-mapper target allows you to create a device that transparently encrypts the data on it. You'll need to activate -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 05/50] x86-64: Mark rdtsc as sync only for netburst, not for core2
-stable review patch. If anyone has any objections, please let us know. -- From: Arjan van de Ven <[EMAIL PROTECTED]> On the Core2 cpus, the rdtsc instruction is not serializing (as defined in the architecture reference since rdtsc exists) and due to the deep speculation of these cores, it's possible that you can observe time go backwards between cores due to this speculation. Since the kernel already deals with this with the SYNC_RDTSC flag, the solution is simple, only assume that the instruction is serializing on family 15... The price one pays for this is a slightly slower gettimeofday (by a dozen or two cycles), but that increase is quite small to pay for a really-going-forward tsc counter. Signed-off-by: Arjan van de Ven <[EMAIL PROTECTED]> Signed-off-by: Andi Kleen <[EMAIL PROTECTED]> Signed-off-by: Chris Wright <[EMAIL PROTECTED]> --- Commit: f3d73707a1e84f0687a05144b70b660441e999c7 Author: Arjan van de Ven <[EMAIL PROTECTED]> AuthorDate: Thu Dec 7 02:14:12 2006 +0100 arch/x86_64/kernel/setup.c |5 - 1 file changed, 4 insertions(+), 1 deletion(-) --- linux-2.6.19.1.orig/arch/x86_64/kernel/setup.c +++ linux-2.6.19.1/arch/x86_64/kernel/setup.c @@ -854,7 +854,10 @@ static void __cpuinit init_intel(struct set_bit(X86_FEATURE_CONSTANT_TSC, >x86_capability); if (c->x86 == 6) set_bit(X86_FEATURE_REP_GOOD, >x86_capability); - set_bit(X86_FEATURE_SYNC_RDTSC, >x86_capability); + if (c->x86 == 15) + set_bit(X86_FEATURE_SYNC_RDTSC, >x86_capability); + else + clear_bit(X86_FEATURE_SYNC_RDTSC, >x86_capability); c->x86_max_cores = intel_num_cpu_cores(c); srat_detect_node(); -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 03/50] read_zero_pagealigned() locking fix
-stable review patch. If anyone has any objections, please let us know.
--
From: Hugh Dickins <[EMAIL PROTECTED]>
Ramiro Voicu hits the BUG_ON(!pte_none(*pte)) in zeromap_pte_range: kernel
bugzilla 7645. Right: read_zero_pagealigned uses down_read of mmap_sem,
but another thread's racing read of /dev/zero, or a normal fault, can
easily set that pte again, in between zap_page_range and zeromap_page_range
getting there. It's been wrong ever since 2.4.3.
The simple fix is to use down_write instead, but that would serialize reads
of /dev/zero more than at present: perhaps some app would be badly
affected. So instead let zeromap_page_range return the error instead of
BUG_ON, and read_zero_pagealigned break to the slower clear_user loop in
that case - there's no need to optimize for it.
Use -EEXIST for when a pte is found: BUG_ON in mmap_zero (the other user of
zeromap_page_range), though it really isn't interesting there. And since
mmap_zero wants -EAGAIN for out-of-memory, the zeromaps better return that
than -ENOMEM.
Signed-off-by: Hugh Dickins <[EMAIL PROTECTED]>
Cc: Ramiro Voicu: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
drivers/char/mem.c | 12
mm/memory.c| 32 +---
2 files changed, 29 insertions(+), 15 deletions(-)
--- linux-2.6.19.1.orig/drivers/char/mem.c
+++ linux-2.6.19.1/drivers/char/mem.c
@@ -646,7 +646,8 @@ static inline size_t read_zero_pagealign
count = size;
zap_page_range(vma, addr, count, NULL);
- zeromap_page_range(vma, addr, count, PAGE_COPY);
+ if (zeromap_page_range(vma, addr, count, PAGE_COPY))
+ break;
size -= count;
buf += count;
@@ -713,11 +714,14 @@ out:
static int mmap_zero(struct file * file, struct vm_area_struct * vma)
{
+ int err;
+
if (vma->vm_flags & VM_SHARED)
return shmem_zero_setup(vma);
- if (zeromap_page_range(vma, vma->vm_start, vma->vm_end - vma->vm_start,
vma->vm_page_prot))
- return -EAGAIN;
- return 0;
+ err = zeromap_page_range(vma, vma->vm_start,
+ vma->vm_end - vma->vm_start, vma->vm_page_prot);
+ BUG_ON(err == -EEXIST);
+ return err;
}
#else /* CONFIG_MMU */
static ssize_t read_zero(struct file * file, char * buf,
--- linux-2.6.19.1.orig/mm/memory.c
+++ linux-2.6.19.1/mm/memory.c
@@ -1110,23 +1110,29 @@ static int zeromap_pte_range(struct mm_s
{
pte_t *pte;
spinlock_t *ptl;
+ int err = 0;
pte = pte_alloc_map_lock(mm, pmd, addr, );
if (!pte)
- return -ENOMEM;
+ return -EAGAIN;
arch_enter_lazy_mmu_mode();
do {
struct page *page = ZERO_PAGE(addr);
pte_t zero_pte = pte_wrprotect(mk_pte(page, prot));
+
+ if (unlikely(!pte_none(*pte))) {
+ err = -EEXIST;
+ pte++;
+ break;
+ }
page_cache_get(page);
page_add_file_rmap(page);
inc_mm_counter(mm, file_rss);
- BUG_ON(!pte_none(*pte));
set_pte_at(mm, addr, pte, zero_pte);
} while (pte++, addr += PAGE_SIZE, addr != end);
arch_leave_lazy_mmu_mode();
pte_unmap_unlock(pte - 1, ptl);
- return 0;
+ return err;
}
static inline int zeromap_pmd_range(struct mm_struct *mm, pud_t *pud,
@@ -1134,16 +1140,18 @@ static inline int zeromap_pmd_range(stru
{
pmd_t *pmd;
unsigned long next;
+ int err;
pmd = pmd_alloc(mm, pud, addr);
if (!pmd)
- return -ENOMEM;
+ return -EAGAIN;
do {
next = pmd_addr_end(addr, end);
- if (zeromap_pte_range(mm, pmd, addr, next, prot))
- return -ENOMEM;
+ err = zeromap_pte_range(mm, pmd, addr, next, prot);
+ if (err)
+ break;
} while (pmd++, addr = next, addr != end);
- return 0;
+ return err;
}
static inline int zeromap_pud_range(struct mm_struct *mm, pgd_t *pgd,
@@ -1151,16 +1159,18 @@ static inline int zeromap_pud_range(stru
{
pud_t *pud;
unsigned long next;
+ int err;
pud = pud_alloc(mm, pgd, addr);
if (!pud)
- return -ENOMEM;
+ return -EAGAIN;
do {
next = pud_addr_end(addr, end);
- if (zeromap_pmd_range(mm, pud, addr, next, prot))
- return -ENOMEM;
+ err = zeromap_pmd_range(mm, pud, addr, next, prot);
+ if (err)
+ break;
} while
[patch 00/50] -stable review
This is the start of the stable review cycle for the 2.6.19.2 release. There are 50 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let us know. If anyone is a maintainer of the proper subsystem, and wants to add a Signed-off-by: line to the patch, please respond with it. These patches are sent out with a number of different people on the Cc: line. If you wish to be a reviewer, please email [EMAIL PROTECTED] to add your name to the list. If you want to be off the reviewer list, also email us. Responses should be made by Mon Jan 8 02:30 UTC. Anything received after that time might be too late. thanks, the -stable release team -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 00/50] -stable review
This is the start of the stable review cycle for the 2.6.19.2 release. There are 50 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let us know. If anyone is a maintainer of the proper subsystem, and wants to add a Signed-off-by: line to the patch, please respond with it. These patches are sent out with a number of different people on the Cc: line. If you wish to be a reviewer, please email [EMAIL PROTECTED] to add your name to the list. If you want to be off the reviewer list, also email us. Responses should be made by Mon Jan 8 02:30 UTC. Anything received after that time might be too late. thanks, the -stable release team -- - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 03/50] read_zero_pagealigned() locking fix
-stable review patch. If anyone has any objections, please let us know.
--
From: Hugh Dickins [EMAIL PROTECTED]
Ramiro Voicu hits the BUG_ON(!pte_none(*pte)) in zeromap_pte_range: kernel
bugzilla 7645. Right: read_zero_pagealigned uses down_read of mmap_sem,
but another thread's racing read of /dev/zero, or a normal fault, can
easily set that pte again, in between zap_page_range and zeromap_page_range
getting there. It's been wrong ever since 2.4.3.
The simple fix is to use down_write instead, but that would serialize reads
of /dev/zero more than at present: perhaps some app would be badly
affected. So instead let zeromap_page_range return the error instead of
BUG_ON, and read_zero_pagealigned break to the slower clear_user loop in
that case - there's no need to optimize for it.
Use -EEXIST for when a pte is found: BUG_ON in mmap_zero (the other user of
zeromap_page_range), though it really isn't interesting there. And since
mmap_zero wants -EAGAIN for out-of-memory, the zeromaps better return that
than -ENOMEM.
Signed-off-by: Hugh Dickins [EMAIL PROTECTED]
Cc: Ramiro Voicu: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Signed-off-by: Andrew Morton [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
drivers/char/mem.c | 12
mm/memory.c| 32 +---
2 files changed, 29 insertions(+), 15 deletions(-)
--- linux-2.6.19.1.orig/drivers/char/mem.c
+++ linux-2.6.19.1/drivers/char/mem.c
@@ -646,7 +646,8 @@ static inline size_t read_zero_pagealign
count = size;
zap_page_range(vma, addr, count, NULL);
- zeromap_page_range(vma, addr, count, PAGE_COPY);
+ if (zeromap_page_range(vma, addr, count, PAGE_COPY))
+ break;
size -= count;
buf += count;
@@ -713,11 +714,14 @@ out:
static int mmap_zero(struct file * file, struct vm_area_struct * vma)
{
+ int err;
+
if (vma-vm_flags VM_SHARED)
return shmem_zero_setup(vma);
- if (zeromap_page_range(vma, vma-vm_start, vma-vm_end - vma-vm_start,
vma-vm_page_prot))
- return -EAGAIN;
- return 0;
+ err = zeromap_page_range(vma, vma-vm_start,
+ vma-vm_end - vma-vm_start, vma-vm_page_prot);
+ BUG_ON(err == -EEXIST);
+ return err;
}
#else /* CONFIG_MMU */
static ssize_t read_zero(struct file * file, char * buf,
--- linux-2.6.19.1.orig/mm/memory.c
+++ linux-2.6.19.1/mm/memory.c
@@ -1110,23 +1110,29 @@ static int zeromap_pte_range(struct mm_s
{
pte_t *pte;
spinlock_t *ptl;
+ int err = 0;
pte = pte_alloc_map_lock(mm, pmd, addr, ptl);
if (!pte)
- return -ENOMEM;
+ return -EAGAIN;
arch_enter_lazy_mmu_mode();
do {
struct page *page = ZERO_PAGE(addr);
pte_t zero_pte = pte_wrprotect(mk_pte(page, prot));
+
+ if (unlikely(!pte_none(*pte))) {
+ err = -EEXIST;
+ pte++;
+ break;
+ }
page_cache_get(page);
page_add_file_rmap(page);
inc_mm_counter(mm, file_rss);
- BUG_ON(!pte_none(*pte));
set_pte_at(mm, addr, pte, zero_pte);
} while (pte++, addr += PAGE_SIZE, addr != end);
arch_leave_lazy_mmu_mode();
pte_unmap_unlock(pte - 1, ptl);
- return 0;
+ return err;
}
static inline int zeromap_pmd_range(struct mm_struct *mm, pud_t *pud,
@@ -1134,16 +1140,18 @@ static inline int zeromap_pmd_range(stru
{
pmd_t *pmd;
unsigned long next;
+ int err;
pmd = pmd_alloc(mm, pud, addr);
if (!pmd)
- return -ENOMEM;
+ return -EAGAIN;
do {
next = pmd_addr_end(addr, end);
- if (zeromap_pte_range(mm, pmd, addr, next, prot))
- return -ENOMEM;
+ err = zeromap_pte_range(mm, pmd, addr, next, prot);
+ if (err)
+ break;
} while (pmd++, addr = next, addr != end);
- return 0;
+ return err;
}
static inline int zeromap_pud_range(struct mm_struct *mm, pgd_t *pgd,
@@ -1151,16 +1159,18 @@ static inline int zeromap_pud_range(stru
{
pud_t *pud;
unsigned long next;
+ int err;
pud = pud_alloc(mm, pgd, addr);
if (!pud)
- return -ENOMEM;
+ return -EAGAIN;
do {
next = pud_addr_end(addr, end);
- if (zeromap_pmd_range(mm, pud, addr, next, prot))
- return -ENOMEM;
+ err = zeromap_pmd_range(mm, pud, addr, next, prot);
+ if (err)
+ break;
} while (pud++, addr = next, addr != end);
- return 0;
+ return err;
}
int
[patch 05/50] x86-64: Mark rdtsc as sync only for netburst, not for core2
-stable review patch. If anyone has any objections, please let us know. -- From: Arjan van de Ven [EMAIL PROTECTED] On the Core2 cpus, the rdtsc instruction is not serializing (as defined in the architecture reference since rdtsc exists) and due to the deep speculation of these cores, it's possible that you can observe time go backwards between cores due to this speculation. Since the kernel already deals with this with the SYNC_RDTSC flag, the solution is simple, only assume that the instruction is serializing on family 15... The price one pays for this is a slightly slower gettimeofday (by a dozen or two cycles), but that increase is quite small to pay for a really-going-forward tsc counter. Signed-off-by: Arjan van de Ven [EMAIL PROTECTED] Signed-off-by: Andi Kleen [EMAIL PROTECTED] Signed-off-by: Chris Wright [EMAIL PROTECTED] --- Commit: f3d73707a1e84f0687a05144b70b660441e999c7 Author: Arjan van de Ven [EMAIL PROTECTED] AuthorDate: Thu Dec 7 02:14:12 2006 +0100 arch/x86_64/kernel/setup.c |5 - 1 file changed, 4 insertions(+), 1 deletion(-) --- linux-2.6.19.1.orig/arch/x86_64/kernel/setup.c +++ linux-2.6.19.1/arch/x86_64/kernel/setup.c @@ -854,7 +854,10 @@ static void __cpuinit init_intel(struct set_bit(X86_FEATURE_CONSTANT_TSC, c-x86_capability); if (c-x86 == 6) set_bit(X86_FEATURE_REP_GOOD, c-x86_capability); - set_bit(X86_FEATURE_SYNC_RDTSC, c-x86_capability); + if (c-x86 == 15) + set_bit(X86_FEATURE_SYNC_RDTSC, c-x86_capability); + else + clear_bit(X86_FEATURE_SYNC_RDTSC, c-x86_capability); c-x86_max_cores = intel_num_cpu_cores(c); srat_detect_node(); -- - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 01/50] dm-crypt: Select CRYPTO_CBC
-stable review patch. If anyone has any objections, please let us know. -- From: Herbert Xu [EMAIL PROTECTED] As CBC is the default chaining method for cryptoloop, we should select it from cryptoloop to ease the transition. Spotted by Rene Herman. Signed-off-by: Herbert Xu [EMAIL PROTECTED] Signed-off-by: Chris Wright [EMAIL PROTECTED] --- drivers/md/Kconfig |1 + 1 file changed, 1 insertion(+) --- linux-2.6.19.1.orig/drivers/md/Kconfig +++ linux-2.6.19.1/drivers/md/Kconfig @@ -215,6 +215,7 @@ config DM_CRYPT tristate Crypt target support depends on BLK_DEV_DM EXPERIMENTAL select CRYPTO + select CRYPTO_CBC ---help--- This device-mapper target allows you to create a device that transparently encrypts the data on it. You'll need to activate -- - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 08/50] V4L: Fix broken TUNER_LG_NTSC_TAPE radio support
-stable review patch. If anyone has any objections, please let us know.
--
From: Hans Verkuil [EMAIL PROTECTED]
The TUNER_LG_NTSC_TAPE is identical in all respects to the
TUNER_PHILIPS_FM1236_MK3. So use the params struct for the Philips tuner.
Also add this LG_NTSC_TAPE tuner to the switches where radio specific
parameters are set so it behaves like a TUNER_PHILIPS_FM1236_MK3. This
change fixes the radio support for this tuner (the wrong bandswitch byte
was used).
Thanks to Andy Walls [EMAIL PROTECTED] for finding this bug.
Signed-off-by: Hans Verkuil [EMAIL PROTECTED]
Signed-off-by: Mauro Carvalho Chehab [EMAIL PROTECTED]
Signed-off-by: Michael Krufky [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
drivers/media/video/tuner-simple.c |2 ++
drivers/media/video/tuner-types.c | 14 ++
2 files changed, 4 insertions(+), 12 deletions(-)
--- linux-2.6.19.1.orig/drivers/media/video/tuner-simple.c
+++ linux-2.6.19.1/drivers/media/video/tuner-simple.c
@@ -108,6 +108,7 @@ static int tuner_stereo(struct i2c_clien
case TUNER_PHILIPS_FM1216ME_MK3:
case TUNER_PHILIPS_FM1236_MK3:
case TUNER_PHILIPS_FM1256_IH3:
+ case TUNER_LG_NTSC_TAPE:
stereo = ((status TUNER_SIGNAL) == TUNER_STEREO_MK3);
break;
default:
@@ -421,6 +422,7 @@ static void default_set_radio_freq(struc
case TUNER_PHILIPS_FM1216ME_MK3:
case TUNER_PHILIPS_FM1236_MK3:
case TUNER_PHILIPS_FMD1216ME_MK3:
+ case TUNER_LG_NTSC_TAPE:
buffer[3] = 0x19;
break;
case TUNER_TNF_5335MF:
--- linux-2.6.19.1.orig/drivers/media/video/tuner-types.c
+++ linux-2.6.19.1/drivers/media/video/tuner-types.c
@@ -672,16 +672,6 @@ static struct tuner_params tuner_panason
},
};
-/* TUNER_LG_NTSC_TAPE - LGINNOTEK NTSC */
-
-static struct tuner_params tuner_lg_ntsc_tape_params[] = {
- {
- .type = TUNER_PARAM_TYPE_NTSC,
- .ranges = tuner_fm1236_mk3_ntsc_ranges,
- .count = ARRAY_SIZE(tuner_fm1236_mk3_ntsc_ranges),
- },
-};
-
/* TUNER_TNF_8831BGFF - Philips PAL */
static struct tuner_range tuner_tnf_8831bgff_pal_ranges[] = {
@@ -1331,8 +1321,8 @@ struct tunertype tuners[] = {
},
[TUNER_LG_NTSC_TAPE] = { /* LGINNOTEK NTSC */
.name = LG NTSC (TAPE series),
- .params = tuner_lg_ntsc_tape_params,
- .count = ARRAY_SIZE(tuner_lg_ntsc_tape_params),
+ .params = tuner_fm1236_mk3_params,
+ .count = ARRAY_SIZE(tuner_fm1236_mk3_params),
},
[TUNER_TNF_8831BGFF] = { /* Philips PAL */
.name = Tenna TNF 8831 BGFF),
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 02/50] sha512: Fix sha384 block size
-stable review patch. If anyone has any objections, please let us know.
--
From: Herbert Xu [EMAIL PROTECTED]
The SHA384 block size should be 128 bytes, not 96 bytes. This was
spotted by Andrew Donofrio.
This breaks HMAC which uses the block size during setup and the final
calculation.
Signed-off-by: Herbert Xu [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
crypto/sha512.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.1.orig/crypto/sha512.c
+++ linux-2.6.19.1/crypto/sha512.c
@@ -24,7 +24,7 @@
#define SHA384_DIGEST_SIZE 48
#define SHA512_DIGEST_SIZE 64
-#define SHA384_HMAC_BLOCK_SIZE 96
+#define SHA384_HMAC_BLOCK_SIZE 128
#define SHA512_HMAC_BLOCK_SIZE 128
struct sha512_ctx {
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 11/50] ieee1394: ohci1394: add PPC_PMAC platform code to driver probe
-stable review patch. If anyone has any objections, please let us know.
--
From: Stefan Richter [EMAIL PROTECTED]
Fixes http://bugzilla.kernel.org/show_bug.cgi?id=7431
iBook G3 threw a machine check exception and put the display backlight
to full brightness after ohci1394 was unloaded and reloaded.
Signed-off-by: Stefan Richter [EMAIL PROTECTED]
[EMAIL PROTECTED]: also added missing if condition, commit
63cca59e89892497e95e1e9c7156d3345fb7e2e8]
Signed-off-by: Daniel Drake [EMAIL PROTECTED]
Acked-by: Stefan Richter [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
It fixes a kernel oops which occurs when the ohci1394 driver is reloaded on PPC
http://bugs.gentoo.org/154851
drivers/ieee1394/ohci1394.c | 21 -
1 file changed, 16 insertions(+), 5 deletions(-)
--- linux-2.6.19.1.orig/drivers/ieee1394/ohci1394.c
+++ linux-2.6.19.1/drivers/ieee1394/ohci1394.c
@@ -3217,6 +3217,19 @@ static int __devinit ohci1394_pci_probe(
struct ti_ohci *ohci; /* shortcut to currently handled device */
resource_size_t ohci_base;
+#ifdef CONFIG_PPC_PMAC
+ /* Necessary on some machines if ohci1394 was loaded/ unloaded before */
+ if (machine_is(powermac)) {
+ struct device_node *of_node = pci_device_to_OF_node(dev);
+
+ if (of_node) {
+ pmac_call_feature(PMAC_FTR_1394_CABLE_POWER, of_node,
+ 0, 1);
+ pmac_call_feature(PMAC_FTR_1394_ENABLE, of_node, 0, 1);
+ }
+ }
+#endif /* CONFIG_PPC_PMAC */
+
if (pci_enable_device(dev))
FAIL(-ENXIO, Failed to enable OHCI hardware);
pci_set_master(dev);
@@ -3505,11 +3518,9 @@ static void ohci1394_pci_remove(struct p
#endif
#ifdef CONFIG_PPC_PMAC
- /* On UniNorth, power down the cable and turn off the chip
-* clock when the module is removed to save power on
-* laptops. Turning it back ON is done by the arch code when
-* pci_enable_device() is called */
- {
+ /* On UniNorth, power down the cable and turn off the chip clock
+* to save power on laptops */
+ if (machine_is(powermac)) {
struct device_node* of_node;
of_node = pci_device_to_OF_node(ohci-dev);
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 10/50] libata: handle 0xff status properly
-stable review patch. If anyone has any objections, please let us know.
--
From: Tejun Heo [EMAIL PROTECTED]
libata waits for !BSY even when the status register reports 0xff.
This causes long boot delays when D8 isn't pulled down properly. This
patch does the followings.
* don't wait if status register is 0xff in all wait functions
* make ata_busy_sleep() return 0 on success and -errno on failure.
-ENODEV is returned on 0xff status and -EBUSY on other failures.
* make ata_bus_softreset() succeed on 0xff status. 0xff status is not
reset failure. It indicates no device. This removes unnecessary
retries on such ports. Note that the code change assumes unoccupied
port reporting 0xff status does not produce valid device signature.
Signed-off-by: Tejun Heo [EMAIL PROTECTED]
Cc: Joe Jin [EMAIL PROTECTED]
Signed-off-by: Jeff Garzik [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
It fixes a long delay during booting for some hardware.
http://bugs.gentoo.org/157326
drivers/ata/libata-core.c | 30 ++
include/linux/libata.h|9 -
2 files changed, 22 insertions(+), 17 deletions(-)
--- linux-2.6.19.1.orig/drivers/ata/libata-core.c
+++ linux-2.6.19.1/drivers/ata/libata-core.c
@@ -2325,11 +2325,14 @@ static inline void ata_tf_to_host(struct
* Sleep until ATA Status register bit BSY clears,
* or a timeout occurs.
*
- * LOCKING: None.
+ * LOCKING:
+ * Kernel thread context (may sleep).
+ *
+ * RETURNS:
+ * 0 on success, -errno otherwise.
*/
-
-unsigned int ata_busy_sleep (struct ata_port *ap,
-unsigned long tmout_pat, unsigned long tmout)
+int ata_busy_sleep(struct ata_port *ap,
+ unsigned long tmout_pat, unsigned long tmout)
{
unsigned long timer_start, timeout;
u8 status;
@@ -2337,27 +2340,32 @@ unsigned int ata_busy_sleep (struct ata_
status = ata_busy_wait(ap, ATA_BUSY, 300);
timer_start = jiffies;
timeout = timer_start + tmout_pat;
- while ((status ATA_BUSY) (time_before(jiffies, timeout))) {
+ while (status != 0xff (status ATA_BUSY)
+ time_before(jiffies, timeout)) {
msleep(50);
status = ata_busy_wait(ap, ATA_BUSY, 3);
}
- if (status ATA_BUSY)
+ if (status != 0xff (status ATA_BUSY))
ata_port_printk(ap, KERN_WARNING,
port is slow to respond, please be patient
(Status 0x%x)\n, status);
timeout = timer_start + tmout;
- while ((status ATA_BUSY) (time_before(jiffies, timeout))) {
+ while (status != 0xff (status ATA_BUSY)
+ time_before(jiffies, timeout)) {
msleep(50);
status = ata_chk_status(ap);
}
+ if (status == 0xff)
+ return -ENODEV;
+
if (status ATA_BUSY) {
ata_port_printk(ap, KERN_ERR, port failed to respond
(%lu secs, Status 0x%x)\n,
tmout / HZ, status);
- return 1;
+ return -EBUSY;
}
return 0;
@@ -2448,10 +2456,8 @@ static unsigned int ata_bus_softreset(st
* the bus shows 0xFF because the odd clown forgets the D7
* pulldown resistor.
*/
- if (ata_check_status(ap) == 0xFF) {
- ata_port_printk(ap, KERN_ERR, SRST failed (status 0xFF)\n);
- return AC_ERR_OTHER;
- }
+ if (ata_check_status(ap) == 0xFF)
+ return 0;
ata_bus_post_reset(ap, devmask);
--- linux-2.6.19.1.orig/include/linux/libata.h
+++ linux-2.6.19.1/include/linux/libata.h
@@ -744,9 +744,8 @@ extern int ata_scsi_device_suspend(struc
extern int ata_host_suspend(struct ata_host *host, pm_message_t mesg);
extern void ata_host_resume(struct ata_host *host);
extern int ata_ratelimit(void);
-extern unsigned int ata_busy_sleep(struct ata_port *ap,
- unsigned long timeout_pat,
- unsigned long timeout);
+extern int ata_busy_sleep(struct ata_port *ap,
+ unsigned long timeout_pat, unsigned long timeout);
extern void ata_port_queue_task(struct ata_port *ap, void (*fn)(void *),
void *data, unsigned long delay);
extern u32 ata_wait_register(void __iomem *reg, u32 mask, u32 val,
@@ -1061,7 +1060,7 @@ static inline u8 ata_busy_wait(struct at
udelay(10);
status = ata_chk_status(ap);
max--;
- } while ((status bits) (max 0));
+ } while (status != 0xff (status bits) (max 0));
return status;
}
@@ -1082,7 +1081,7 @@ static inline u8 ata_wait_idle(struct at
{
u8 status = ata_busy_wait(ap, ATA_BUSY | ATA_DRQ, 1000);
- if (status (ATA_BUSY | ATA_DRQ
[patch 09/50] Revert [PATCH] zd1211rw: Removed unneeded packed attributes
-stable review patch. If anyone has any objections, please let us know.
--
From: John W. Linville [EMAIL PROTECTED]
This reverts commit 4e1bbd846d00a245dcf78b6b331d8a9afed8e6d7.
Quoth Daniel Drake [EMAIL PROTECTED]:
A user reported that commit 4e1bbd846d00a245dcf78b6b331d8a9afed8e6d7
(Remove unneeded packed attributes) breaks the zd1211rw driver on ARM.
Signed-off-by: John W. Linville [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
drivers/net/wireless/zd1211rw/zd_ieee80211.h |2 +-
drivers/net/wireless/zd1211rw/zd_mac.c |2 +-
drivers/net/wireless/zd1211rw/zd_mac.h |4 ++--
drivers/net/wireless/zd1211rw/zd_usb.h | 14 +++---
4 files changed, 11 insertions(+), 11 deletions(-)
--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_ieee80211.h
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_ieee80211.h
@@ -64,7 +64,7 @@ struct cck_plcp_header {
u8 service;
__le16 length;
__le16 crc16;
-};
+} __attribute__((packed));
static inline u8 zd_cck_plcp_header_rate(const struct cck_plcp_header *header)
{
--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_mac.c
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_mac.c
@@ -721,7 +721,7 @@ struct zd_rt_hdr {
u8 rt_rate;
u16 rt_channel;
u16 rt_chbitmask;
-};
+} __attribute__((packed));
static void fill_rt_header(void *buffer, struct zd_mac *mac,
const struct ieee80211_rx_stats *stats,
--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_mac.h
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_mac.h
@@ -82,7 +82,7 @@ struct zd_ctrlset {
struct rx_length_info {
__le16 length[3];
__le16 tag;
-};
+} __attribute__((packed));
#define RX_LENGTH_INFO_TAG 0x697e
@@ -93,7 +93,7 @@ struct rx_status {
u8 signal_quality_ofdm;
u8 decryption_type;
u8 frame_status;
-};
+} __attribute__((packed));
/* rx_status field decryption_type */
#define ZD_RX_NO_WEP 0
--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_usb.h
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_usb.h
@@ -74,17 +74,17 @@ enum control_requests {
struct usb_req_read_regs {
__le16 id;
__le16 addr[0];
-};
+} __attribute__((packed));
struct reg_data {
__le16 addr;
__le16 value;
-};
+} __attribute__((packed));
struct usb_req_write_regs {
__le16 id;
struct reg_data reg_writes[0];
-};
+} __attribute__((packed));
enum {
RF_IF_LE = 0x02,
@@ -101,7 +101,7 @@ struct usb_req_rfwrite {
/* RF2595: 24 */
__le16 bit_values[0];
/* (CR203 ~(RF_IF_LE | RF_CLK | RF_DATA)) | (bit ? RF_DATA : 0) */
-};
+} __attribute__((packed));
/* USB interrupt */
@@ -118,12 +118,12 @@ enum usb_int_flags {
struct usb_int_header {
u8 type;/* must always be 1 */
u8 id;
-};
+} __attribute__((packed));
struct usb_int_regs {
struct usb_int_header hdr;
struct reg_data regs[0];
-};
+} __attribute__((packed));
struct usb_int_retry_fail {
struct usb_int_header hdr;
@@ -131,7 +131,7 @@ struct usb_int_retry_fail {
u8 _dummy;
u8 addr[ETH_ALEN];
u8 ibss_wakeup_dest;
-};
+} __attribute__((packed));
struct read_regs_int {
struct completion completion;
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 13/50] ARM: Add sys_*at syscalls
-stable review patch. If anyone has any objections, please let us know. -- From: Russell King [EMAIL PROTECTED] Later glibc requires the *at syscalls. Add them. Signed-off-by: Russell King [EMAIL PROTECTED] Signed-off-by: Chris Wright [EMAIL PROTECTED] --- arch/arm/kernel/calls.S | 13 + include/asm-arm/unistd.h | 13 + 2 files changed, 26 insertions(+) bca0b8e75f6b7cf52cf52c967286b72d84f9b37e --- linux-2.6.19.1.orig/arch/arm/kernel/calls.S +++ linux-2.6.19.1/arch/arm/kernel/calls.S @@ -331,6 +331,19 @@ CALL(sys_mbind) /* 320 */ CALL(sys_get_mempolicy) CALL(sys_set_mempolicy) + CALL(sys_openat) + CALL(sys_mkdirat) + CALL(sys_mknodat) +/* 325 */ CALL(sys_fchownat) + CALL(sys_futimesat) + CALL(sys_fstatat64) + CALL(sys_unlinkat) + CALL(sys_renameat) +/* 330 */ CALL(sys_linkat) + CALL(sys_symlinkat) + CALL(sys_readlinkat) + CALL(sys_fchmodat) + CALL(sys_faccessat) #ifndef syscalls_counted .equ syscalls_padding, ((NR_syscalls + 3) ~3) - NR_syscalls #define syscalls_counted --- linux-2.6.19.1.orig/include/asm-arm/unistd.h +++ linux-2.6.19.1/include/asm-arm/unistd.h @@ -347,6 +347,19 @@ #define __NR_mbind (__NR_SYSCALL_BASE+319) #define __NR_get_mempolicy (__NR_SYSCALL_BASE+320) #define __NR_set_mempolicy (__NR_SYSCALL_BASE+321) +#define __NR_openat(__NR_SYSCALL_BASE+322) +#define __NR_mkdirat (__NR_SYSCALL_BASE+323) +#define __NR_mknodat (__NR_SYSCALL_BASE+324) +#define __NR_fchownat (__NR_SYSCALL_BASE+325) +#define __NR_futimesat (__NR_SYSCALL_BASE+326) +#define __NR_fstatat64 (__NR_SYSCALL_BASE+327) +#define __NR_unlinkat (__NR_SYSCALL_BASE+328) +#define __NR_renameat (__NR_SYSCALL_BASE+329) +#define __NR_linkat(__NR_SYSCALL_BASE+330) +#define __NR_symlinkat (__NR_SYSCALL_BASE+331) +#define __NR_readlinkat(__NR_SYSCALL_BASE+332) +#define __NR_fchmodat (__NR_SYSCALL_BASE+333) +#define __NR_faccessat (__NR_SYSCALL_BASE+334) /* * The following SWIs are ARM private. -- - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 04/50] ieee80211softmac: Fix mutex_lock at exit of ieee80211_softmac_get_genie
-stable review patch. If anyone has any objections, please let us know. -- From: Ulrich Kunitz [EMAIL PROTECTED] ieee80211softmac_wx_get_genie locks the associnfo mutex at function exit. This patch fixes it. The patch is against Linus' tree (commit af1713e0). Signed-off-by: Ulrich Kunitz [EMAIL PROTECTED] Signed-off-by: Michael Buesch [EMAIL PROTECTED] Signed-off-by: Chris Wright [EMAIL PROTECTED] --- net/ieee80211/softmac/ieee80211softmac_wx.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- linux-2.6.19.1.orig/net/ieee80211/softmac/ieee80211softmac_wx.c +++ linux-2.6.19.1/net/ieee80211/softmac/ieee80211softmac_wx.c @@ -463,7 +463,7 @@ ieee80211softmac_wx_get_genie(struct net err = -E2BIG; } spin_unlock_irqrestore(mac-lock, flags); - mutex_lock(mac-associnfo.mutex); + mutex_unlock(mac-associnfo.mutex); return err; } -- - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 17/50] Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)
-stable review patch. If anyone has any objections, please let us know.
--
From: Marcel Holtmann [EMAIL PROTECTED]
With malformed packets it might be possible to overwrite internal
CMTP and CAPI data structures. This patch adds additional length
checks to prevent these kinds of remote attacks.
Signed-off-by: Marcel Holtmann [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
net/bluetooth/cmtp/capi.c | 39 +--
1 file changed, 33 insertions(+), 6 deletions(-)
--- linux-2.6.19.1.orig/net/bluetooth/cmtp/capi.c
+++ linux-2.6.19.1/net/bluetooth/cmtp/capi.c
@@ -196,6 +196,9 @@ static void cmtp_recv_interopmsg(struct
switch (CAPIMSG_SUBCOMMAND(skb-data)) {
case CAPI_CONF:
+ if (skb-len CAPI_MSG_BASELEN + 10)
+ break;
+
func = CAPIMSG_U16(skb-data, CAPI_MSG_BASELEN + 5);
info = CAPIMSG_U16(skb-data, CAPI_MSG_BASELEN + 8);
@@ -226,6 +229,9 @@ static void cmtp_recv_interopmsg(struct
break;
case CAPI_FUNCTION_GET_PROFILE:
+ if (skb-len CAPI_MSG_BASELEN + 11 +
sizeof(capi_profile))
+ break;
+
controller = CAPIMSG_U16(skb-data, CAPI_MSG_BASELEN +
11);
msgnum = CAPIMSG_MSGID(skb-data);
@@ -246,17 +252,26 @@ static void cmtp_recv_interopmsg(struct
break;
case CAPI_FUNCTION_GET_MANUFACTURER:
+ if (skb-len CAPI_MSG_BASELEN + 15)
+ break;
+
controller = CAPIMSG_U32(skb-data, CAPI_MSG_BASELEN +
10);
if (!info ctrl) {
+ int len = min_t(uint, CAPI_MANUFACTURER_LEN,
+ skb-data[CAPI_MSG_BASELEN +
14]);
+
+ memset(ctrl-manu, 0, CAPI_MANUFACTURER_LEN);
strncpy(ctrl-manu,
- skb-data + CAPI_MSG_BASELEN + 15,
- skb-data[CAPI_MSG_BASELEN + 14]);
+ skb-data + CAPI_MSG_BASELEN + 15, len);
}
break;
case CAPI_FUNCTION_GET_VERSION:
+ if (skb-len CAPI_MSG_BASELEN + 32)
+ break;
+
controller = CAPIMSG_U32(skb-data, CAPI_MSG_BASELEN +
12);
if (!info ctrl) {
@@ -269,13 +284,18 @@ static void cmtp_recv_interopmsg(struct
break;
case CAPI_FUNCTION_GET_SERIAL_NUMBER:
+ if (skb-len CAPI_MSG_BASELEN + 17)
+ break;
+
controller = CAPIMSG_U32(skb-data, CAPI_MSG_BASELEN +
12);
if (!info ctrl) {
+ int len = min_t(uint, CAPI_SERIAL_LEN,
+ skb-data[CAPI_MSG_BASELEN +
16]);
+
memset(ctrl-serial, 0, CAPI_SERIAL_LEN);
strncpy(ctrl-serial,
- skb-data + CAPI_MSG_BASELEN + 17,
- skb-data[CAPI_MSG_BASELEN + 16]);
+ skb-data + CAPI_MSG_BASELEN + 17, len);
}
break;
@@ -284,14 +304,18 @@ static void cmtp_recv_interopmsg(struct
break;
case CAPI_IND:
+ if (skb-len CAPI_MSG_BASELEN + 6)
+ break;
+
func = CAPIMSG_U16(skb-data, CAPI_MSG_BASELEN + 3);
if (func == CAPI_FUNCTION_LOOPBACK) {
+ int len = min_t(uint, skb-len - CAPI_MSG_BASELEN - 6,
+ skb-data[CAPI_MSG_BASELEN +
5]);
appl = CAPIMSG_APPID(skb-data);
msgnum = CAPIMSG_MSGID(skb-data);
cmtp_send_interopmsg(session, CAPI_RESP, appl, msgnum,
func,
- skb-data + CAPI_MSG_BASELEN +
6,
- skb-data[CAPI_MSG_BASELEN +
5]);
+ skb-data + CAPI_MSG_BASELEN +
6, len);
}
break;
@@ -309,6 +333,9 @@ void cmtp_recv_capimsg(struct cmtp_sessi
BT_DBG(session %p skb %p len %d, session, skb, skb-len);
+ if (skb-len CAPI_MSG_BASELEN)
+ return;
+
if (CAPIMSG_COMMAND(skb-data) == CAPI_INTEROPERABILITY) {
cmtp_recv_interopmsg(session, skb);
return;
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body
[patch 12/50] kbuild: dont put temp files in source
-stable review patch. If anyone has any objections, please let us know. -- From: Roman Zippel [EMAIL PROTECTED] The as-instr/ld-option need to create temporary files, but create them in the output directory, when compiling external modules. Reformat them a bit and use $(CC) instead of $(AS) as the former is used by kbuild to assemble files. Signed-off-by: Roman Zippel [EMAIL PROTECTED] Cc: Andi Kleen [EMAIL PROTECTED] Cc: Jan Beulich [EMAIL PROTECTED] Cc: Sam Ravnborg [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Cc: Horst Schirmeier [EMAIL PROTECTED] Cc: Daniel Drake [EMAIL PROTECTED] Signed-off-by: Andrew Morton [EMAIL PROTECTED] Signed-off-by: Linus Torvalds [EMAIL PROTECTED] Signed-off-by: Chris Wright [EMAIL PROTECTED] --- It fixes building of external modules in a sandboxed environment. http://bugs.gentoo.org/149307 scripts/Kbuild.include | 19 --- 1 file changed, 12 insertions(+), 7 deletions(-) --- linux-2.6.19.1.orig/scripts/Kbuild.include +++ linux-2.6.19.1/scripts/Kbuild.include @@ -56,6 +56,9 @@ endef # gcc support functions # See documentation in Documentation/kbuild/makefiles.txt +# output directory for tests below +TMPOUT := $(if $(KBUILD_EXTMOD),$(firstword $(KBUILD_EXTMOD))/) + # as-option # Usage: cflags-y += $(call as-option, -Wa$(comma)-isa=foo,) @@ -66,9 +69,11 @@ as-option = $(shell if $(CC) $(CFLAGS) $ # as-instr # Usage: cflags-y += $(call as-instr, instr, option1, option2) -as-instr = $(shell if echo -e $(1) | $(AS) /dev/null 21 -W -Z -o astest.out ; \ - then echo $(2); else echo $(3); fi; \ - rm -f astest.out) +as-instr = $(shell if echo -e $(1) | \ + $(CC) $(AFLAGS) -c -xassembler - \ + -o $(TMPOUT)astest.out /dev/null 21; \ + then rm $(TMPOUT)astest.out; echo $(2); \ + else echo $(3); fi) # cc-option # Usage: cflags-y += $(call cc-option, -march=winchip-c6, -march=i586) @@ -97,10 +102,10 @@ cc-ifversion = $(shell if [ $(call cc-ve # ld-option # Usage: ldflags += $(call ld-option, -Wl$(comma)--hash-style=both) -ld-option = $(shell if $(CC) $(1) \ --nostdlib -o ldtest.out -xc /dev/null \ - /dev/null 21; then echo $(1); else echo $(2); fi; \ -rm -f ldtest.out) +ld-option = $(shell if $(CC) $(1) -nostdlib -xc /dev/null \ +-o $(TMPOUT)ldtest.out /dev/null 21; \ + then rm $(TMPOUT)ldtest.out; echo $(1); \ + else echo $(2); fi) ### # Shorthand for $(Q)$(MAKE) -f scripts/Makefile.build obj= -- - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 15/50] IB/srp: Fix FMR mapping for 32-bit kernels and addresses above 4G
-stable review patch. If anyone has any objections, please let us know.
--
From: Roland Dreier [EMAIL PROTECTED]
struct srp_device.fmr_page_mask was unsigned long, which means that
the top part of addresses above 4G was being chopped off on 32-bit
architectures. Of course nothing good happens when data from SRP
targets is DMAed to the wrong place.
Fix this by changing fmr_page_mask to u64, to match the addresses
actually used by IB devices.
Thanks to Brian Cain [EMAIL PROTECTED] and David McMillen
[EMAIL PROTECTED] for help diagnosing the bug and testing
the fix.
Signed-off-by: Roland Dreier [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
I just asked Linus to pull this. It fixes nasty corruption/crash
problems on 32-bit systems with 4G of memory.
drivers/infiniband/ulp/srp/ib_srp.c |2 +-
drivers/infiniband/ulp/srp/ib_srp.h |2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- linux-2.6.19.1.orig/drivers/infiniband/ulp/srp/ib_srp.c
+++ linux-2.6.19.1/drivers/infiniband/ulp/srp/ib_srp.c
@@ -1879,7 +1879,7 @@ static void srp_add_one(struct ib_device
*/
srp_dev-fmr_page_shift = max(9, ffs(dev_attr-page_size_cap) - 1);
srp_dev-fmr_page_size = 1 srp_dev-fmr_page_shift;
- srp_dev-fmr_page_mask = ~((unsigned long) srp_dev-fmr_page_size - 1);
+ srp_dev-fmr_page_mask = ~((u64) srp_dev-fmr_page_size - 1);
INIT_LIST_HEAD(srp_dev-dev_list);
--- linux-2.6.19.1.orig/drivers/infiniband/ulp/srp/ib_srp.h
+++ linux-2.6.19.1/drivers/infiniband/ulp/srp/ib_srp.h
@@ -87,7 +87,7 @@ struct srp_device {
struct ib_fmr_pool *fmr_pool;
int fmr_page_shift;
int fmr_page_size;
- unsigned long fmr_page_mask;
+ u64 fmr_page_mask;
};
struct srp_host {
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 21/50] smc911x: fix netpoll compilation faliure
-stable review patch. If anyone has any objections, please let us know.
--
From: Vitaly Wool [EMAIL PROTECTED]
Fix the compilation failure for smc911x.c when NET_POLL_CONTROLLER is set.
Signed-off-by: Vitaly Wool [EMAIL PROTECTED]
Cc: Jeff Garzik [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Signed-off-by: Andrew Morton [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
drivers/net/smc911x.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.1.orig/drivers/net/smc911x.c
+++ linux-2.6.19.1/drivers/net/smc911x.c
@@ -1331,7 +1331,7 @@ smc911x_rx_dma_irq(int dma, void *data)
static void smc911x_poll_controller(struct net_device *dev)
{
disable_irq(dev-irq);
- smc911x_interrupt(dev-irq, dev, NULL);
+ smc911x_interrupt(dev-irq, dev);
enable_irq(dev-irq);
}
#endif
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 20/50] Fix for shmem_truncate_range() BUG_ON()
-stable review patch. If anyone has any objections, please let us know. -- From: Badari Pulavarty [EMAIL PROTECTED] Ran into BUG() while doing madvise(REMOVE) testing. If we are punching a hole into shared memory segment using madvise(REMOVE) and the entire hole is below the indirect blocks, we hit following assert. BUG_ON(limit = SHMEM_NR_DIRECT); Signed-off-by: Badari Pulavarty [EMAIL PROTECTED] Cc: Hugh Dickins [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Signed-off-by: Andrew Morton [EMAIL PROTECTED] Signed-off-by: Chris Wright [EMAIL PROTECTED] --- mm/shmem.c |7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) --- linux-2.6.19.1.orig/mm/shmem.c +++ linux-2.6.19.1/mm/shmem.c @@ -515,7 +515,12 @@ static void shmem_truncate_range(struct size = SHMEM_NR_DIRECT; nr_swaps_freed = shmem_free_swp(ptr+idx, ptr+size); } - if (!topdir) + + /* +* If there are no indirect blocks or we are punching a hole +* below indirect blocks, nothing to be done. +*/ + if (!topdir || (punch_hole (limit = SHMEM_NR_DIRECT))) goto done2; BUG_ON(limit = SHMEM_NR_DIRECT); -- - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 23/50] UDP: Fix reversed logic in udp_get_port()
-stable review patch. If anyone has any objections, please let us know.
--
From: David Miller [EMAIL PROTECTED]
When this code was converted to use sk_for_each() the
logic for the best hash chain length code was reversed,
breaking everything.
The original code was of the form:
size = 0;
do {
if (++size = best_size_so_far)
goto next;
} while ((sk = sk-next) != NULL);
best_size_so_far = size;
best = result;
next:;
and this got converted into:
sk_for_each(sk2, node, head)
if (++size best_size_so_far) {
best_size_so_far = size;
best = result;
}
Which does something very very different from the original.
Signed-off-by: David S. Miller [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
net/ipv4/udp.c | 13 -
1 file changed, 8 insertions(+), 5 deletions(-)
--- linux-2.6.19.1.orig/net/ipv4/udp.c
+++ linux-2.6.19.1/net/ipv4/udp.c
@@ -167,11 +167,14 @@ int udp_get_port(struct sock *sk, unsign
goto gotit;
}
size = 0;
- sk_for_each(sk2, node, head)
- if (++size best_size_so_far) {
- best_size_so_far = size;
- best = result;
- }
+ sk_for_each(sk2, node, head) {
+ if (++size = best_size_so_far)
+ goto next;
+ }
+ best_size_so_far = size;
+ best = result;
+ next:
+ ;
}
result = best;
for(i = 0; i (1 16) / UDP_HTABLE_SIZE; i++, result +=
UDP_HTABLE_SIZE) {
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 25/50] [stable] [stable patch] i386: CPU hotplug broken with 2GB VMSPLIT
-stable review patch. If anyone has any objections, please let us know. -- From: Shaohua Li [EMAIL PROTECTED] In VMSPLIT mode, kernel PGD might have more entries than user space Signed-off-by: Shaohua Li [EMAIL PROTECTED] Signed-off-by: Chris Wright [EMAIL PROTECTED] --- arch/i386/kernel/smpboot.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- linux-2.6.19.1.orig/arch/i386/kernel/smpboot.c +++ linux-2.6.19.1/arch/i386/kernel/smpboot.c @@ -1095,7 +1095,7 @@ static int __cpuinit __smp_prepare_cpu(i /* init low mem mapping */ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS, - KERNEL_PGD_PTRS); + min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS)); flush_tlb_all(); schedule_work(task); wait_for_completion(done); -- - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 29/50] zd1211rw: Call ieee80211_rx in tasklet
-stable review patch. If anyone has any objections, please let us know.
--
From: Ulrich Kunitz [EMAIL PROTECTED]
[PATCH] zd1211rw: Call ieee80211_rx in tasklet
The driver called ieee80211_rx in hardware interrupt context. This has
been against the intention of the ieee80211_rx function. It caused a bug
in the crypto routines used by WPA. This patch calls ieee80211_rx in a
tasklet.
Signed-off-by: Ulrich Kunitz [EMAIL PROTECTED]
Signed-off-by: Andrew Morton [EMAIL PROTECTED]
Signed-off-by: John W. Linville [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
Date: Sun, 10 Dec 2006 19:13:12 + (-0800)
Subject: [patch 29/50] [PATCH] zd1211rw: Call ieee80211_rx in tasklet
X-Git-Tag: v2.6.20-rc2
X-Git-Url:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=4d1feabcbf41f875447a392015acd0796f57baf6
drivers/net/wireless/zd1211rw/zd_mac.c | 91 -
drivers/net/wireless/zd1211rw/zd_mac.h |6 +-
drivers/net/wireless/zd1211rw/zd_usb.c |4 -
3 files changed, 75 insertions(+), 26 deletions(-)
--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_mac.c
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_mac.c
@@ -37,6 +37,8 @@ static void housekeeping_init(struct zd_
static void housekeeping_enable(struct zd_mac *mac);
static void housekeeping_disable(struct zd_mac *mac);
+static void do_rx(unsigned long mac_ptr);
+
int zd_mac_init(struct zd_mac *mac,
struct net_device *netdev,
struct usb_interface *intf)
@@ -47,6 +49,10 @@ int zd_mac_init(struct zd_mac *mac,
spin_lock_init(mac-lock);
mac-netdev = netdev;
+ skb_queue_head_init(mac-rx_queue);
+ tasklet_init(mac-rx_tasklet, do_rx, (unsigned long)mac);
+ tasklet_disable(mac-rx_tasklet);
+
ieee_init(ieee);
softmac_init(ieee80211_priv(netdev));
zd_chip_init(mac-chip, netdev, intf);
@@ -132,6 +138,8 @@ out:
void zd_mac_clear(struct zd_mac *mac)
{
+ skb_queue_purge(mac-rx_queue);
+ tasklet_kill(mac-rx_tasklet);
zd_chip_clear(mac-chip);
ZD_ASSERT(!spin_is_locked(mac-lock));
ZD_MEMCLEAR(mac, sizeof(struct zd_mac));
@@ -160,6 +168,8 @@ int zd_mac_open(struct net_device *netde
struct zd_chip *chip = mac-chip;
int r;
+ tasklet_enable(mac-rx_tasklet);
+
r = zd_chip_enable_int(chip);
if (r 0)
goto out;
@@ -210,6 +220,8 @@ int zd_mac_stop(struct net_device *netde
*/
zd_chip_disable_rx(chip);
+ skb_queue_purge(mac-rx_queue);
+ tasklet_disable(mac-rx_tasklet);
housekeeping_disable(mac);
ieee80211softmac_stop(netdev);
@@ -873,45 +885,78 @@ static int fill_rx_stats(struct ieee8021
return 0;
}
-int zd_mac_rx(struct zd_mac *mac, const u8 *buffer, unsigned int length)
+static void zd_mac_rx(struct zd_mac *mac, struct sk_buff *skb)
{
int r;
struct ieee80211_device *ieee = zd_mac_to_ieee80211(mac);
struct ieee80211_rx_stats stats;
const struct rx_status *status;
- struct sk_buff *skb;
- if (length ZD_PLCP_HEADER_SIZE + IEEE80211_1ADDR_LEN +
-IEEE80211_FCS_LEN + sizeof(struct rx_status))
- return -EINVAL;
+ if (skb-len ZD_PLCP_HEADER_SIZE + IEEE80211_1ADDR_LEN +
+ IEEE80211_FCS_LEN + sizeof(struct rx_status))
+ {
+ dev_dbg_f(zd_mac_dev(mac), Packet with length %u to small.\n,
+skb-len);
+ goto free_skb;
+ }
- r = fill_rx_stats(stats, status, mac, buffer, length);
- if (r)
- return r;
+ r = fill_rx_stats(stats, status, mac, skb-data, skb-len);
+ if (r) {
+ /* Only packets with rx errors are included here. */
+ goto free_skb;
+ }
- length -= ZD_PLCP_HEADER_SIZE+IEEE80211_FCS_LEN+
- sizeof(struct rx_status);
- buffer += ZD_PLCP_HEADER_SIZE;
+ __skb_pull(skb, ZD_PLCP_HEADER_SIZE);
+ __skb_trim(skb, skb-len -
+ (IEEE80211_FCS_LEN + sizeof(struct rx_status)));
- update_qual_rssi(mac, buffer, length, stats.signal, stats.rssi);
+ update_qual_rssi(mac, skb-data, skb-len, stats.signal,
+status-signal_strength);
- r = filter_rx(ieee, buffer, length, stats);
- if (r = 0)
- return r;
- skb = dev_alloc_skb(sizeof(struct zd_rt_hdr) + length);
- if (!skb)
- return -ENOMEM;
+ r = filter_rx(ieee, skb-data, skb-len, stats);
+ if (r = 0) {
+ if (r 0)
+ dev_dbg_f(zd_mac_dev(mac), Error in packet.\n);
+ goto free_skb;
+ }
+
if (ieee-iw_mode == IW_MODE_MONITOR)
- fill_rt_header(skb_put(skb, sizeof(struct zd_rt_hdr)), mac,
+ fill_rt_header(skb_push
[patch 18/50] i2c: fix broken ds1337 initialization
-stable review patch. If anyone has any objections, please let us know.
--
From: Dirk Eibach [EMAIL PROTECTED]
On a custom board with ds1337 RTC I found that upgrade from 2.6.15 to
2.6.18 broke RTC support.
The main problem are changes to ds1337_init_client().
When a ds1337 recognizes a problem (e.g. power or clock failure) bit 7
in status register is set. This has to be reset by writing 0 to status
register. But since there are only 16 byte written to the chip and the
first byte is interpreted as an address, the status register (which is
the 16th) is never written.
The other problem is, that initializing all registers to zero is not
valid for day, date and month register. Funny enough this is checked by
ds1337_detect(), which depends on this values not being zero. So then
treated by ds1337_init_client() the ds1337 is not detected anymore,
whereas the failure bit in the status register is still set.
Broken by commit f9e8957937ebf60d22732a5ca9130f48a7603f60 (2.6.16-rc1,
2006-01-06). This fix is in Linus' tree since 2.6.20-rc1 (commit
763d9c046a2e511ec090a8986d3f85edf7448e7e).
Signed-off-by: Dirk Stieler [EMAIL PROTECTED]
Signed-off-by: Dirk Eibach [EMAIL PROTECTED]
Signed-off-by: Jean Delvare [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
drivers/i2c/chips/ds1337.c |8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- linux-2.6.19.1.orig/drivers/i2c/chips/ds1337.c
+++ linux-2.6.19.1/drivers/i2c/chips/ds1337.c
@@ -347,13 +347,19 @@ static void ds1337_init_client(struct i2
if ((status 0x80) || (control 0x80)) {
/* RTC not running */
- u8 buf[16];
+ u8 buf[1+16]; /* First byte is interpreted as address */
struct i2c_msg msg[1];
dev_dbg(client-dev, %s: RTC not running!\n, __FUNCTION__);
/* Initialize all, including STATUS and CONTROL to zero */
memset(buf, 0, sizeof(buf));
+
+ /* Write valid values in the date/time registers */
+ buf[1+DS1337_REG_DAY] = 1;
+ buf[1+DS1337_REG_DATE] = 1;
+ buf[1+DS1337_REG_MONTH] = 1;
+
msg[0].addr = client-addr;
msg[0].flags = 0;
msg[0].len = sizeof(buf);
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 35/50] SPARC64: Handle ISA devices with no regs property.
-stable review patch. If anyone has any objections, please let us know.
--
From: David Miller [EMAIL PROTECTED]
And this points out that the return value from
isa_dev_get_resource() and the 'pregs' arg to
isa_dev_get_irq() are totally unused.
Based upon a patch from Richard Mortimer [EMAIL PROTECTED]
Signed-off-by: David S. Miller [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
arch/sparc64/kernel/isa.c | 20
1 file changed, 8 insertions(+), 12 deletions(-)
--- linux-2.6.19.1.orig/arch/sparc64/kernel/isa.c
+++ linux-2.6.19.1/arch/sparc64/kernel/isa.c
@@ -22,14 +22,15 @@ static void __init report_dev(struct spa
printk( [%s, isa_dev-prom_node-name);
}
-static struct linux_prom_registers * __init
-isa_dev_get_resource(struct sparc_isa_device *isa_dev)
+static void __init isa_dev_get_resource(struct sparc_isa_device *isa_dev)
{
struct linux_prom_registers *pregs;
unsigned long base, len;
int prop_len;
pregs = of_get_property(isa_dev-prom_node, reg, prop_len);
+ if (!pregs)
+ return;
/* Only the first one is interesting. */
len = pregs[0].reg_size;
@@ -44,12 +45,9 @@ isa_dev_get_resource(struct sparc_isa_de
request_resource(isa_dev-bus-parent-io_space,
isa_dev-resource);
-
- return pregs;
}
-static void __init isa_dev_get_irq(struct sparc_isa_device *isa_dev,
- struct linux_prom_registers *pregs)
+static void __init isa_dev_get_irq(struct sparc_isa_device *isa_dev)
{
struct of_device *op = of_find_device_by_node(isa_dev-prom_node);
@@ -69,7 +67,6 @@ static void __init isa_fill_children(str
printk( -);
while (dp) {
- struct linux_prom_registers *regs;
struct sparc_isa_device *isa_dev;
isa_dev = kmalloc(sizeof(*isa_dev), GFP_KERNEL);
@@ -87,8 +84,8 @@ static void __init isa_fill_children(str
isa_dev-bus = parent_isa_dev-bus;
isa_dev-prom_node = dp;
- regs = isa_dev_get_resource(isa_dev);
- isa_dev_get_irq(isa_dev, regs);
+ isa_dev_get_resource(isa_dev);
+ isa_dev_get_irq(isa_dev);
report_dev(isa_dev, 1);
@@ -101,7 +98,6 @@ static void __init isa_fill_devices(stru
struct device_node *dp = isa_br-prom_node-child;
while (dp) {
- struct linux_prom_registers *regs;
struct sparc_isa_device *isa_dev;
isa_dev = kmalloc(sizeof(*isa_dev), GFP_KERNEL);
@@ -141,8 +137,8 @@ static void __init isa_fill_devices(stru
isa_dev-bus = isa_br;
isa_dev-prom_node = dp;
- regs = isa_dev_get_resource(isa_dev);
- isa_dev_get_irq(isa_dev, regs);
+ isa_dev_get_resource(isa_dev);
+ isa_dev_get_irq(isa_dev);
report_dev(isa_dev, 0);
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 32/50] ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054)
-stable review patch. If anyone has any objections, please let us know.
--
From: Eric Sandeen [EMAIL PROTECTED]
This one was pointed out on the MOKB site:
http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html
If a directory's i_size is corrupted, ext2_find_entry() will keep processing
pages until the i_size is reached, even if there are no more blocks associated
with the directory inode. This patch puts in some minimal sanity-checking
so that we don't keep checking pages (and issuing errors) if we know there
can be no more data to read, based on the block count of the directory inode.
This is somewhat similar in approach to the ext3 patch I sent earlier this
year.
Signed-off-by: Eric Sandeen [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
Not upstream yet
fs/ext2/dir.c |8
1 file changed, 8 insertions(+)
--- linux-2.6.19.1.orig/fs/ext2/dir.c
+++ linux-2.6.19.1/fs/ext2/dir.c
@@ -368,6 +368,14 @@ struct ext2_dir_entry_2 * ext2_find_entr
}
if (++n = npages)
n = 0;
+ /* next page is past the blocks we've got */
+ if (unlikely(n (dir-i_blocks (PAGE_CACHE_SHIFT - 9 {
+ ext2_error(dir-i_sb, __FUNCTION__,
+ dir %lu size %lld exceeds block count %llu,
+ dir-i_ino, dir-i_size,
+ (unsigned long long)dir-i_blocks);
+ goto out;
+ }
} while (n != start);
out:
return NULL;
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 41/50] V4L: cx88: Fix leadtek_eeprom tagging
-stable review patch. If anyone has any objections, please let us know.
--
From: Jean Delvare [EMAIL PROTECTED]
reference to .init.text: from .text between 'cx88_card_setup'
(at offset 0x68c) and 'cx88_risc_field'
Caused by leadtek_eeprom() being declared __devinit and called from
a non-devinit context.
Signed-off-by: Jean Delvare [EMAIL PROTECTED]
Signed-off-by: Michael Krufky [EMAIL PROTECTED]
Signed-off-by: Mauro Carvalho Chehab [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
(cherry picked from commit 69f7e75a9d45e5eaca16917a8d0dedf76149f13f)
drivers/media/video/cx88/cx88-cards.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.1.orig/drivers/media/video/cx88/cx88-cards.c
+++ linux-2.6.19.1/drivers/media/video/cx88/cx88-cards.c
@@ -1610,7 +1610,7 @@ const unsigned int cx88_idcount = ARRAY_
/* --- */
/* some leadtek specific stuff */
-static void __devinit leadtek_eeprom(struct cx88_core *core, u8 *eeprom_data)
+static void leadtek_eeprom(struct cx88_core *core, u8 *eeprom_data)
{
/* This is just for the Winfast 2000XP Expert board ATM; I don't have
data on
* any others.
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 42/50] ebtables: dont compute gap before checking struct type
-stable review patch. If anyone has any objections, please let us know. -- From: Chuck Ebbert [EMAIL PROTECTED] We cannot compute the gap until we know we have a 'struct ebt_entry' and not 'struct ebt_entries'. Failure to check can cause crash. Tested-by: Santiago Garcia Mantinan [EMAIL PROTECTED] Acked-by: Al Viro [EMAIL PROTECTED] Acked-by: Patrick McHardy [EMAIL PROTECTED] Signed-off-by: Chuck Ebbert [EMAIL PROTECTED] Signed-off-by: Chris Wright [EMAIL PROTECTED] --- net/bridge/netfilter/ebtables.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- linux-2.6.19.1.orig/net/bridge/netfilter/ebtables.c +++ linux-2.6.19.1/net/bridge/netfilter/ebtables.c @@ -575,7 +575,7 @@ ebt_check_entry(struct ebt_entry *e, str struct ebt_entry_target *t; struct ebt_target *target; unsigned int i, j, hook = 0, hookmask = 0; - size_t gap = e-next_offset - e-target_offset; + size_t gap; int ret; /* don't mess with the struct ebt_entries */ @@ -625,6 +625,7 @@ ebt_check_entry(struct ebt_entry *e, str if (ret != 0) goto cleanup_watchers; t = (struct ebt_entry_target *)(((char *)e) + e-target_offset); + gap = e-next_offset - e-target_offset; target = find_target_lock(t-u.name, ret, ebt_mutex); if (!target) goto cleanup_watchers; -- - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 06/50] bonding: incorrect bonding state reported via ioctl
-stable review patch. If anyone has any objections, please let us know.
--
From: Andy Gospodarek [EMAIL PROTECTED]
This is a small fix-up to finish out the work done by Jay Vosburgh to
add carrier-state support for bonding devices. The output in
/proc/net/bonding/bondX was correct, but when collecting the same info
via an iotcl it could still be incorrect.
Signed-off-by: Andy Gospodarek [EMAIL PROTECTED]
Cc: Jeff Garzik [EMAIL PROTECTED]
Cc: Stephen Hemminger [EMAIL PROTECTED]
Signed-off-by: Andrew Morton [EMAIL PROTECTED]
Signed-off-by: Jeff Garzik [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
drivers/net/bonding/bond_main.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.1.orig/drivers/net/bonding/bond_main.c
+++ linux-2.6.19.1/drivers/net/bonding/bond_main.c
@@ -3675,7 +3675,7 @@ static int bond_do_ioctl(struct net_devi
mii-val_out = 0;
read_lock_bh(bond-lock);
read_lock(bond-curr_slave_lock);
- if (bond-curr_active_slave) {
+ if (netif_carrier_ok(bond-dev)) {
mii-val_out = BMSR_LSTATUS;
}
read_unlock(bond-curr_slave_lock);
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 24/50] cciss: fix XFER_READ/XFER_WRITE in do_cciss_request
-stable review patch. If anyone has any objections, please let us know. -- From: Mike Miller [EMAIL PROTECTED] This patch fixes a stupid bug. Sometime during the 2tb enhancement I ended up replacing the macros XFER_READ and XFER_WRITE with h-cciss_read and h-cciss_write respectively. It seemed to work somehow at least on x86_64 and ia64. I don't know how. But people started complaining about command timeouts on older controllers like the 64xx series and only on ia32. This resolves the issue reproduced in our lab. Please consider this for inclusion. Signed-off-by: Mike Miller [EMAIL PROTECTED] Signed-off-by: Chris Wright [EMAIL PROTECTED] --- drivers/block/cciss.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- linux-2.6.19.1.orig/drivers/block/cciss.c +++ linux-2.6.19.1/drivers/block/cciss.c @@ -2530,7 +2530,7 @@ static void do_cciss_request(request_que c-Request.Type.Type = TYPE_CMD;// It is a command. c-Request.Type.Attribute = ATTR_SIMPLE; c-Request.Type.Direction = - (rq_data_dir(creq) == READ) ? h-cciss_read : h-cciss_write; + (rq_data_dir(creq) == READ) ? XFER_READ : XFER_WRITE; c-Request.Timeout = 0; // Don't time out c-Request.CDB[0] = (rq_data_dir(creq) == READ) ? h-cciss_read : h-cciss_write; -- - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 22/50] fix aoe without scatter-gather [Bug 7662]
-stable review patch. If anyone has any objections, please let us know.
--
From: Ed L Cashin [EMAIL PROTECTED]
Fix a bug that only appears when AoE goes over a network card that does not
support scatter-gather. The headers in the linear part of the skb appeared
to be larger than they really were, resulting in data that was offset by 24
bytes.
This patch eliminates the offset data on cards that don't support
scatter-gather or have had scatter-gather turned off. There remains an
unrelated issue that I'll address in a separate email.
Fixes bugzilla #7662
Signed-off-by: Ed L. Cashin [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Cc: Greg KH [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Signed-off-by: Andrew Morton [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
drivers/block/aoe/aoecmd.c | 13 ++---
1 file changed, 6 insertions(+), 7 deletions(-)
--- linux-2.6.19.1.orig/drivers/block/aoe/aoecmd.c
+++ linux-2.6.19.1/drivers/block/aoe/aoecmd.c
@@ -30,8 +30,6 @@ new_skb(ulong len)
skb-nh.raw = skb-mac.raw = skb-data;
skb-protocol = __constant_htons(ETH_P_AOE);
skb-priority = 0;
- skb_put(skb, len);
- memset(skb-head, 0, len);
skb-next = skb-prev = NULL;
/* tell the network layer not to perform IP checksums
@@ -122,8 +120,8 @@ aoecmd_ata_rw(struct aoedev *d, struct f
skb = f-skb;
h = (struct aoe_hdr *) skb-mac.raw;
ah = (struct aoe_atahdr *) (h+1);
- skb-len = sizeof *h + sizeof *ah;
- memset(h, 0, ETH_ZLEN);
+ skb_put(skb, sizeof *h + sizeof *ah);
+ memset(h, 0, skb-len);
f-tag = aoehdr_atainit(d, h);
f-waited = 0;
f-buf = buf;
@@ -149,7 +147,6 @@ aoecmd_ata_rw(struct aoedev *d, struct f
skb-len += bcnt;
skb-data_len = bcnt;
} else {
- skb-len = ETH_ZLEN;
writebit = 0;
}
@@ -206,6 +203,7 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigne
printk(KERN_INFO aoe: skb alloc failure\n);
continue;
}
+ skb_put(skb, sizeof *h + sizeof *ch);
skb-dev = ifp;
if (sl_tail == NULL)
sl_tail = skb;
@@ -243,6 +241,7 @@ freeframe(struct aoedev *d)
continue;
if (atomic_read(skb_shinfo(f-skb)-dataref) == 1) {
skb_shinfo(f-skb)-nr_frags = f-skb-data_len = 0;
+ skb_trim(f-skb, 0);
return f;
}
n++;
@@ -698,8 +697,8 @@ aoecmd_ata_id(struct aoedev *d)
skb = f-skb;
h = (struct aoe_hdr *) skb-mac.raw;
ah = (struct aoe_atahdr *) (h+1);
- skb-len = ETH_ZLEN;
- memset(h, 0, ETH_ZLEN);
+ skb_put(skb, sizeof *h + sizeof *ah);
+ memset(h, 0, skb-len);
f-tag = aoehdr_atainit(d, h);
f-waited = 0;
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 31/50] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)
-stable review patch. If anyone has any objections, please let us know.
--
From: Phillip Lougher [EMAIL PROTECTED]
Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops
is an unchecked corrupted block length field read by cramfs_readpage().
This patch adds a sanity check to cramfs_readpage() which checks that the
block length field is sensible. The (PAGE_CACHE_SIZE 1) size check is
intentional, even though the uncompressed data is not going to be larger
than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
the original source data. Mkcramfs checks that the compressed size is
always less than or equal to PAGE_CACHE_SIZE 1. Of course Cramfs could
use the original uncompressed data in this case, but it doesn't.
Signed-off-by: Phillip Lougher [EMAIL PROTECTED]
Signed-off-by: Andrew Morton [EMAIL PROTECTED]
Signed-off-by: Linus Torvalds [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
Date: Thu, 7 Dec 2006 04:37:20 + (-0800)
Subject: [patch 31/50] [PATCH] corrupted cramfs filesystems cause kernel oops
X-Git-Tag: v2.6.20-rc1
X-Git-Url:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=8bb0269160df2a60764013994d0bc5165406cf4a
fs/cramfs/inode.c |2 ++
1 file changed, 2 insertions(+)
--- linux-2.6.19.1.orig/fs/cramfs/inode.c
+++ linux-2.6.19.1/fs/cramfs/inode.c
@@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *
pgdata = kmap(page);
if (compr_len == 0)
; /* hole */
+ else if (compr_len (PAGE_CACHE_SIZE 1))
+ printk(KERN_ERR cramfs: bad compressed blocksize
%u\n, compr_len);
else {
mutex_lock(read_mutex);
bytes_filled = cramfs_uncompress_block(pgdata,
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 19/50] sched: fix bad missed wakeups in the i386, x86_64, ia64, ACPI and APM idle code
: backport to 2.6.19.1]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
arch/i386/kernel/apm.c|6 +-
arch/i386/kernel/process.c|7 ++-
arch/ia64/kernel/process.c| 10 --
arch/x86_64/kernel/process.c |6 +-
drivers/acpi/processor_idle.c | 12 ++--
5 files changed, 34 insertions(+), 7 deletions(-)
--- linux-2.6.19.1.orig/arch/i386/kernel/apm.c
+++ linux-2.6.19.1/arch/i386/kernel/apm.c
@@ -784,7 +784,11 @@ static int apm_do_idle(void)
polling = !!(current_thread_info()-status TS_POLLING);
if (polling) {
current_thread_info()-status = ~TS_POLLING;
- smp_mb__after_clear_bit();
+ /*
+* TS_POLLING-cleared state must be visible before we
+* test NEED_RESCHED:
+*/
+ smp_mb();
}
if (!need_resched()) {
idled = 1;
--- linux-2.6.19.1.orig/arch/i386/kernel/process.c
+++ linux-2.6.19.1/arch/i386/kernel/process.c
@@ -103,7 +103,12 @@ void default_idle(void)
if (!hlt_counter boot_cpu_data.hlt_works_ok) {
current_thread_info()-status = ~TS_POLLING;
- smp_mb__after_clear_bit();
+ /*
+* TS_POLLING-cleared state must be visible before we
+* test NEED_RESCHED:
+*/
+ smp_mb();
+
while (!need_resched()) {
local_irq_disable();
if (!need_resched())
--- linux-2.6.19.1.orig/arch/ia64/kernel/process.c
+++ linux-2.6.19.1/arch/ia64/kernel/process.c
@@ -268,10 +268,16 @@ cpu_idle (void)
/* endless idle loop with no priority at all */
while (1) {
- if (can_do_pal_halt)
+ if (can_do_pal_halt) {
current_thread_info()-status = ~TS_POLLING;
- else
+ /*
+* TS_POLLING-cleared state must be visible before we
+* test NEED_RESCHED:
+*/
+ smp_mb();
+ } else {
current_thread_info()-status |= TS_POLLING;
+ }
if (!need_resched()) {
void (*idle)(void);
--- linux-2.6.19.1.orig/arch/x86_64/kernel/process.c
+++ linux-2.6.19.1/arch/x86_64/kernel/process.c
@@ -111,7 +111,11 @@ static void default_idle(void)
local_irq_enable();
current_thread_info()-status = ~TS_POLLING;
- smp_mb__after_clear_bit();
+ /*
+* TS_POLLING-cleared state must be visible before we
+* test NEED_RESCHED:
+*/
+ smp_mb();
while (!need_resched()) {
local_irq_disable();
if (!need_resched())
--- linux-2.6.19.1.orig/drivers/acpi/processor_idle.c
+++ linux-2.6.19.1/drivers/acpi/processor_idle.c
@@ -211,7 +211,11 @@ acpi_processor_power_activate(struct acp
static void acpi_safe_halt(void)
{
current_thread_info()-status = ~TS_POLLING;
- smp_mb__after_clear_bit();
+ /*
+* TS_POLLING-cleared state must be visible before we
+* test NEED_RESCHED:
+*/
+ smp_mb();
if (!need_resched())
safe_halt();
current_thread_info()-status |= TS_POLLING;
@@ -345,7 +349,11 @@ static void acpi_processor_idle(void)
*/
if (cx-type == ACPI_STATE_C2 || cx-type == ACPI_STATE_C3) {
current_thread_info()-status = ~TS_POLLING;
- smp_mb__after_clear_bit();
+ /*
+* TS_POLLING-cleared state must be visible before we
+* test NEED_RESCHED:
+*/
+ smp_mb();
if (need_resched()) {
current_thread_info()-status |= TS_POLLING;
local_irq_enable();
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 28/50] softmac: Fixed handling of deassociation from AP
-stable review patch. If anyone has any objections, please let us know.
--
From: Ulrich Kunitz [EMAIL PROTECTED]
In 2.6.19 a deauthentication from the AP doesn't start a
reassociation by the softmac code. It appears that
mac-associnfo.associating must be set and the
ieee80211softmac_assoc_work function must be scheduled. This patch
fixes that.
Signed-off-by: Ulrich Kunitz [EMAIL PROTECTED]
Signed-off-by: John W. Linville [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
Date: Sun, 3 Dec 2006 15:32:00 + (+0100)
Subject: [patch 28/50] [PATCH] softmac: Fixed handling of deassociation from AP
X-Git-Tag: v2.6.20-rc1
X-Git-Url:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2b50c24554d31c2db2f93b1151b5991e62f96594
net/ieee80211/softmac/ieee80211softmac_assoc.c | 14 --
net/ieee80211/softmac/ieee80211softmac_auth.c |2 ++
net/ieee80211/softmac/ieee80211softmac_priv.h |2 ++
3 files changed, 16 insertions(+), 2 deletions(-)
--- linux-2.6.19.1.orig/net/ieee80211/softmac/ieee80211softmac_assoc.c
+++ linux-2.6.19.1/net/ieee80211/softmac/ieee80211softmac_assoc.c
@@ -427,6 +427,17 @@ ieee80211softmac_handle_assoc_response(s
return 0;
}
+void
+ieee80211softmac_try_reassoc(struct ieee80211softmac_device *mac)
+{
+ unsigned long flags;
+
+ spin_lock_irqsave(mac-lock, flags);
+ mac-associnfo.associating = 1;
+ schedule_work(mac-associnfo.work);
+ spin_unlock_irqrestore(mac-lock, flags);
+}
+
int
ieee80211softmac_handle_disassoc(struct net_device * dev,
struct ieee80211_disassoc *disassoc)
@@ -445,8 +456,7 @@ ieee80211softmac_handle_disassoc(struct
dprintk(KERN_INFO PFX got disassoc frame\n);
ieee80211softmac_disassoc(mac);
- /* try to reassociate */
- schedule_work(mac-associnfo.work);
+ ieee80211softmac_try_reassoc(mac);
return 0;
}
--- linux-2.6.19.1.orig/net/ieee80211/softmac/ieee80211softmac_auth.c
+++ linux-2.6.19.1/net/ieee80211/softmac/ieee80211softmac_auth.c
@@ -328,6 +328,8 @@ ieee80211softmac_deauth_from_net(struct
/* can't transmit data right now... */
netif_carrier_off(mac-dev);
spin_unlock_irqrestore(mac-lock, flags);
+
+ ieee80211softmac_try_reassoc(mac);
}
/*
--- linux-2.6.19.1.orig/net/ieee80211/softmac/ieee80211softmac_priv.h
+++ linux-2.6.19.1/net/ieee80211/softmac/ieee80211softmac_priv.h
@@ -238,4 +238,6 @@ void ieee80211softmac_call_events_locked
int ieee80211softmac_notify_internal(struct ieee80211softmac_device *mac,
int event, void *event_context, notify_function_ptr fun, void *context,
gfp_t gfp_mask);
+void ieee80211softmac_try_reassoc(struct ieee80211softmac_device *mac);
+
#endif /* IEEE80211SOFTMAC_PRIV_H_ */
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 40/50] dvb-core: fix bug in CRC-32 checking on 64-bit systems
-stable review patch. If anyone has any objections, please let us know.
--
From: Ang Way Chuang [EMAIL PROTECTED]
CRC-32 checking during ULE decapsulation always failed on x86_64 systems due
to the size of a variable used to store CRC. This bug was discovered on
Fedora Core 6 with kernel-2.6.18-1.2849. The i386 counterpart has no such
problem. This patch has been tested on 64-bit system as well as 32-bit system.
Signed-off-by: Ang Way Chuang [EMAIL PROTECTED]
Signed-off-by: Michael Krufky [EMAIL PROTECTED]
Signed-off-by: Mauro Carvalho Chehab [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
(cherry picked from commit dedcefb085fe98a1feaf63590fe2fc7e0ecb1987)
drivers/media/dvb/dvb-core/dvb_net.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- linux-2.6.19.1.orig/drivers/media/dvb/dvb-core/dvb_net.c
+++ linux-2.6.19.1/drivers/media/dvb/dvb-core/dvb_net.c
@@ -604,7 +604,7 @@ static void dvb_net_ule( struct net_devi
{ utype, sizeof utype },
{ priv-ule_skb-data, priv-ule_skb-len - 4 }
};
- unsigned long ule_crc = ~0L, expected_crc;
+ u32 ule_crc = ~0L, expected_crc;
if (priv-ule_dbit) {
/* Set D-bit for CRC32 verification,
* if it was set originally. */
@@ -617,7 +617,7 @@ static void dvb_net_ule( struct net_devi
*((u8 *)priv-ule_skb-tail - 2) 8 |
*((u8 *)priv-ule_skb-tail - 1);
if (ule_crc != expected_crc) {
- printk(KERN_WARNING %lu: CRC32 check FAILED:
%#lx / %#lx, SNDU len %d type %#x, ts_remain %d, next 2: %x.\n,
+ printk(KERN_WARNING %lu: CRC32 check FAILED:
%08x / %08x, SNDU len %d type %#x, ts_remain %d, next 2: %x.\n,
priv-ts_count, ule_crc, expected_crc,
priv-ule_sndu_len, priv-ule_sndu_type, ts_remain, ts_remain 2 ? *(unsigned
short *)from_where : 0);
#ifdef ULE_DEBUG
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 46/50] asix: Fix typo for AX88772 PHY Selection
-stable review patch. If anyone has any objections, please let us know.
--
From: David Hollis [EMAIL PROTECTED]
The attached patch fixes a PHY selection problem that prevents AX88772
based devices (Linksys USB200Mv2, etc) devices from working. The
interface comes up and everything seems fine except the device doesn't
send/receive any packets. The one-liner attached fixes this issue and
makes the devices usable again.
Signed-off-by: David Hollis [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
Patch has already been applied for 2.6.20+ kernels but it would be very
helpful for end-users/distributions to have this fixed in the 2.6.19
series as well.
drivers/usb/net/asix.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.1.orig/drivers/usb/net/asix.c
+++ linux-2.6.19.1/drivers/usb/net/asix.c
@@ -920,7 +920,7 @@ static int ax88772_bind(struct usbnet *d
goto out2;
if ((ret = asix_write_cmd(dev, AX_CMD_SW_PHY_SELECT,
- 0x, 0, 0, buf)) 0) {
+ 1, 0, 0, buf)) 0) {
dbg(Select PHY #1 failed: %d, ret);
goto out2;
}
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 48/50] connector: some fixes for ia64 unaligned access errors
-stable review patch. If anyone has any objections, please let us know. -- From: Erik Jacobson [EMAIL PROTECTED] On ia64, the various functions that make up cn_proc.c cause kernel unaligned access errors. If you are using these, for example, to get notification about all tasks forking and exiting, you get multiple unaligned access errors per process. Use put_unaligned() in the appropriate palces to fix this. Signed-off-by: Erik Jacobson [EMAIL PROTECTED] Cc: Evgeniy Polyakov [EMAIL PROTECTED] Cc: Tony Luck [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Cc: David S. Miller [EMAIL PROTECTED] Signed-off-by: Andrew Morton [EMAIL PROTECTED] Signed-off-by: Chris Wright [EMAIL PROTECTED] --- drivers/connector/cn_proc.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) --- linux-2.6.19.1.orig/drivers/connector/cn_proc.c +++ linux-2.6.19.1/drivers/connector/cn_proc.c @@ -28,6 +28,7 @@ #include linux/init.h #include linux/connector.h #include asm/atomic.h +#include asm/unaligned.h #include linux/cn_proc.h @@ -60,7 +61,7 @@ void proc_fork_connector(struct task_str ev = (struct proc_event*)msg-data; get_seq(msg-seq, ev-cpu); ktime_get_ts(ts); /* get high res monotonic timestamp */ - ev-timestamp_ns = timespec_to_ns(ts); + put_unaligned(timespec_to_ns(ts), (__u64 *)ev-timestamp_ns); ev-what = PROC_EVENT_FORK; ev-event_data.fork.parent_pid = task-real_parent-pid; ev-event_data.fork.parent_tgid = task-real_parent-tgid; @@ -88,7 +89,7 @@ void proc_exec_connector(struct task_str ev = (struct proc_event*)msg-data; get_seq(msg-seq, ev-cpu); ktime_get_ts(ts); /* get high res monotonic timestamp */ - ev-timestamp_ns = timespec_to_ns(ts); + put_unaligned(timespec_to_ns(ts), (__u64 *)ev-timestamp_ns); ev-what = PROC_EVENT_EXEC; ev-event_data.exec.process_pid = task-pid; ev-event_data.exec.process_tgid = task-tgid; @@ -124,7 +125,7 @@ void proc_id_connector(struct task_struc return; get_seq(msg-seq, ev-cpu); ktime_get_ts(ts); /* get high res monotonic timestamp */ - ev-timestamp_ns = timespec_to_ns(ts); + put_unaligned(timespec_to_ns(ts), (__u64 *)ev-timestamp_ns); memcpy(msg-id, cn_proc_event_id, sizeof(msg-id)); msg-ack = 0; /* not used */ @@ -146,7 +147,7 @@ void proc_exit_connector(struct task_str ev = (struct proc_event*)msg-data; get_seq(msg-seq, ev-cpu); ktime_get_ts(ts); /* get high res monotonic timestamp */ - ev-timestamp_ns = timespec_to_ns(ts); + put_unaligned(timespec_to_ns(ts), (__u64 *)ev-timestamp_ns); ev-what = PROC_EVENT_EXIT; ev-event_data.exit.process_pid = task-pid; ev-event_data.exit.process_tgid = task-tgid; @@ -181,7 +182,7 @@ static void cn_proc_ack(int err, int rcv ev = (struct proc_event*)msg-data; msg-seq = rcvd_seq; ktime_get_ts(ts); /* get high res monotonic timestamp */ - ev-timestamp_ns = timespec_to_ns(ts); + put_unaligned(timespec_to_ns(ts), (__u64 *)ev-timestamp_ns); ev-cpu = -1; ev-what = PROC_EVENT_NONE; ev-event_data.ack.err = err; -- - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[patch 44/50] SOUND: Sparc CS4231: Use 64 for period_bytes_min
-stable review patch. If anyone has any objections, please let us know. -- From: David Miller [EMAIL PROTECTED] This matches what the ISA cs4231 driver uses. Tested by Georg Chini. Signed-off-by: David S. Miller [EMAIL PROTECTED] Signed-off-by: Chris Wright [EMAIL PROTECTED] --- commit f9af1d9deaaffe6803dec693748498886915d766 sound/sparc/cs4231.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- linux-2.6.19.1.orig/sound/sparc/cs4231.c +++ linux-2.6.19.1/sound/sparc/cs4231.c @@ -1268,7 +1268,7 @@ static struct snd_pcm_hardware snd_cs423 .channels_min = 1, .channels_max = 2, .buffer_bytes_max = (32*1024), - .period_bytes_min = 256, + .period_bytes_min = 64, .period_bytes_max = (32*1024), .periods_min= 1, .periods_max= 1024, @@ -1288,7 +1288,7 @@ static struct snd_pcm_hardware snd_cs423 .channels_min = 1, .channels_max = 2, .buffer_bytes_max = (32*1024), - .period_bytes_min = 256, + .period_bytes_min = 64, .period_bytes_max = (32*1024), .periods_min= 1, .periods_max= 1024, -- - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [patch 00/50] -stable review
rollup available (when mirroring completes):
http://www.kernel.org/pub/linux/kernel/people/chrisw/stable/patch-2.6.19.2-rc1.{gz,bz2}
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 37/50] sparc32: add offset in pci_map_sg()
-stable review patch. If anyone has any objections, please let us know.
--
From: Jan Andersson [EMAIL PROTECTED]
Add sg-offset to sg-dvma_address in pci_map_sg() on sparc32. Without the
offset, transfers to buffers that do not begin on a page boundary will not
work as expected.
Signed-off-by: Jan Andersson [EMAIL PROTECTED]
Cc: David S. Miller [EMAIL PROTECTED]
Cc: William Lee Irwin III [EMAIL PROTECTED]
Signed-off-by: Andrew Morton [EMAIL PROTECTED]
Signed-off-by: Linus Torvalds [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
arch/sparc/kernel/ioport.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- linux-2.6.19.1.orig/arch/sparc/kernel/ioport.c
+++ linux-2.6.19.1/arch/sparc/kernel/ioport.c
@@ -728,7 +728,8 @@ int pci_map_sg(struct pci_dev *hwdev, st
/* IIep is write-through, not flushing. */
for (n = 0; n nents; n++) {
BUG_ON(page_address(sg-page) == NULL);
- sg-dvma_address = virt_to_phys(page_address(sg-page));
+ sg-dvma_address =
+ virt_to_phys(page_address(sg-page)) + sg-offset;
sg-dvma_length = sg-length;
sg++;
}
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 43/50] SOUND: Sparc CS4231: Fix IRQ return value and initialization.
-stable review patch. If anyone has any objections, please let us know.
--
From: Georg Chini [EMAIL PROTECTED]
fix some initialisation problems.
Change period_bytes_min from 4096 to 256 to allow driver to work with
low latency (VOIP) applications. Hope this does not break EBUS.
Signed-off-by: Georg Chini [EMAIL PROTECTED]
Signed-off-by: David S. Miller [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
commit d35a1b9e10481c9f1d3b87e778a0f1f6a0a2dd48
sound/sparc/cs4231.c | 26 --
1 file changed, 12 insertions(+), 14 deletions(-)
--- linux-2.6.19.1.orig/sound/sparc/cs4231.c
+++ linux-2.6.19.1/sound/sparc/cs4231.c
@@ -1268,7 +1268,7 @@ static struct snd_pcm_hardware snd_cs423
.channels_min = 1,
.channels_max = 2,
.buffer_bytes_max = (32*1024),
- .period_bytes_min = 4096,
+ .period_bytes_min = 256,
.period_bytes_max = (32*1024),
.periods_min= 1,
.periods_max= 1024,
@@ -1288,7 +1288,7 @@ static struct snd_pcm_hardware snd_cs423
.channels_min = 1,
.channels_max = 2,
.buffer_bytes_max = (32*1024),
- .period_bytes_min = 4096,
+ .period_bytes_min = 256,
.period_bytes_max = (32*1024),
.periods_min= 1,
.periods_max= 1024,
@@ -1796,7 +1796,7 @@ static irqreturn_t snd_cs4231_sbus_inter
snd_cs4231_outm(chip, CS4231_IRQ_STATUS, ~CS4231_ALL_IRQS | ~status, 0);
spin_unlock_irqrestore(chip-lock, flags);
- return 0;
+ return IRQ_HANDLED;
}
/*
@@ -1821,7 +1821,6 @@ static int sbus_dma_request(struct cs423
if (!(csr test))
goto out;
err = -EBUSY;
- csr = sbus_readl(base-regs + APCCSR);
test = APC_XINT_CNVA;
if ( base-dir == APC_PLAY )
test = APC_XINT_PNVA;
@@ -1862,17 +1861,16 @@ static void sbus_dma_enable(struct cs423
spin_lock_irqsave(base-lock, flags);
if (!on) {
- if (base-dir == APC_PLAY) {
- sbus_writel(0, base-regs + base-dir + APCNVA);
- sbus_writel(1, base-regs + base-dir + APCC);
- }
- else
- {
- sbus_writel(0, base-regs + base-dir + APCNC);
- sbus_writel(0, base-regs + base-dir + APCVA);
- }
+ sbus_writel(0, base-regs + base-dir + APCNC);
+ sbus_writel(0, base-regs + base-dir + APCNVA);
+ sbus_writel(0, base-regs + base-dir + APCC);
+ sbus_writel(0, base-regs + base-dir + APCVA);
+
+ /* ACK any APC interrupts. */
+ csr = sbus_readl(base-regs + APCCSR);
+ sbus_writel(csr, base-regs + APCCSR);
}
- udelay(600);
+ udelay(1000);
csr = sbus_readl(base-regs + APCCSR);
shift = 0;
if ( base-dir == APC_PLAY )
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
