summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2007-04-13Linux 2.6.16.47v2.6.16.47Adrian Bunk
2007-04-10Linux 2.6.16.47-rc1v2.6.16.47-rc1Adrian Bunk
2007-04-10APPLETALK: Fix a remotely triggerable crash (CVE-2007-1357)Jean Delvare
When we receive an AppleTalk frame shorter than what its header says, we still attempt to verify its checksum, and trip on the BUG_ON() at the end of function atalk_sum_skb() because of the length mismatch. This has security implications because this can be triggered by simply sending a specially crafted ethernet frame to a target victim, effectively crashing that host. Thus this qualifies, I think, as a remote DoS. Here is the frame I used to trigger the crash, in npg format: <Appletalk Killer> { # Ethernet header ----- XX XX XX XX XX XX # Destination MAC 00 00 00 00 00 00 # Source MAC 00 1D # Length # LLC header ----- AA AA 03 08 00 07 80 9B # Appletalk # Appletalk header ----- 00 1B # Packet length (invalid) 00 01 # Fake checksum 00 00 00 00 # Destination and source networks 00 00 00 00 # Destination and source nodes and ports # Payload ----- 0C 0D 0E 0F 10 11 12 13 14 } The destination MAC address must be set to those of the victim. The severity is mitigated by two requirements: * The target host must have the appletalk kernel module loaded. I suspect this isn't so frequent. * AppleTalk frames are non-IP, thus I guess they can only travel on local networks. I am no network expert though, maybe it is possible to somehow encapsulate AppleTalk packets over IP. The bug has been reported back in June 2004: http://bugzilla.kernel.org/show_bug.cgi?id=2979 But it wasn't investigated, and was closed in July 2006 as both reporters had vanished meanwhile. This code was new in kernel 2.6.0-test5: http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2 And not modified since then, so we can assume that vanilla kernels 2.6.0-test5 and later, and distribution kernels based thereon, are affected. Note that I still do not know for sure what triggered the bug in the real-world cases. The frame could have been corrupted by the kernel if we have a bug hiding somewhere. But more likely, we are receiving the faulty frame from the network. Signed-off-by: Jean Delvare <jdelvare@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-09siimage: PIO1/2 taskfile transfer overclocking fixSergei Shtylyov
Fix two typos found by SiI680A documentation check. They caused the taskfile transfer overclocking: - in PIO mode 1 as 0x2283 must be used for both data and taskfile transfers; - in PIO mode 2 as data and taskfile timings are swapped when writing to the MMIO regs. Fix coding style and trailing whitespace in enclosing statements while at it... Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-09hrtimer: prevent overrun DoS in hrtimer_forward()Thomas Gleixner
hrtimer_forward() does not check for the possible overflow of timer->expires. This can happen on 64 bit machines with large interval values and results currently in an endless loop in the softirq because the expiry value becomes negative and therefor the timer is expired all the time. Check for this condition and set the expiry value to the max. expiry time in the future. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-09fix MTIME_SEC_MAX on 32-bitThomas Gleixner
The maximum seconds value we can handle on 32bit is LONG_MAX. Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-09prevent timespec/timeval to ktime_t overflowThomas Gleixner
Frank v. Waveren pointed out that on 64bit machines the timespec to ktime_t conversion might overflow. This is also true for timeval to time_t conversions. This breaks a "sleep inf" on 64bit machines. While a timespec/timeval with tx.sec = MAX_LONG is valid by specification the internal representation of ktime_t is based on nanoseconds. The conversion of seconds to nanoseconds overflows for seconds values >= (MAX_LONG / NSEC_PER_SEC). Check the seconds argument to the conversion and limit it to the maximum time which can be represented by ktime_t. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-08ieee1394: video1394: DMA fixDavid Moore
This together with the phys_to_virt fix in lib/swiotlb.c::swiotlb_sync_sg fixes video1394 DMA on machines with DMA bounce buffers, especially Intel x86-64 machines with > 3GB RAM. Signed-off-by: David Moore <dcm@acm.org> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-08Fix reparenting to the same thread group. (take 2)Eric W. Biederman
This patch fixes the case when we reparent to a different thread in the same thread group. This modifies the code so that we do not send signals and do not change the signal to send to SIGCHLD unless we have change the thread group of our parents. It also suppresses sending pdeath_sig in this cas as well since the result of geppid doesn't change. Thanks to Oleg for spotting my bug of only fixing this for non-ptraced tasks. This fixes the issues identified by Albert Cahalan in thread http://lkml.org/lkml/2006/12/21/22 Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-08tcp: fix cubic scaling errorStephen Hemminger
Doug Leith observed a discrepancy between the version of CUBIC described in the papers and the version in 2.6.18. A math error related to scaling causes Cubic to grow too slowly. Patch is from "Sangtae Ha" <sha2@ncsu.edu>. I validated that it does fix the problems. See the following to show behavior over 500ms 100 Mbit link. Sender (2.6.19-rc3) --- Bridge (2.6.18-rt7) ------- Receiver (2.6.19-rc3) 1G [netem] 100M http://developer.osdl.org/shemminger/tcp/2.6.19-rc3/cubic-orig.png http://developer.osdl.org/shemminger/tcp/2.6.19-rc3/cubic-fix.png Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-04[netdrvr] tulip, de2104x: fix typo: s/__sparc_/__sparc__/Jeff Garzik
Noticed by Doug Nazar (via David Miller). Signed-off-by: Jeff Garzik <jeff@garzik.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-04b44: src_desc->addr is little-endianAl Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-04ide-floppy: Fix unformatted media crashAlan Cox
A ZIP or similar with unformatted media will cause crashes when attempts are made to read/write it in some cases. This is because bs_factor is zero and we divide by it causing an oops. As the size of a non-accessible/non-existant media is really a bit of a zen question it doesn't matter if non-existant media is 512 bytes per sector or zero. Setting it to 1 causes us to generate 512 bytes/sector accesses and error properly. Based on a fix found lurking in an ancient bugzilla entry since about 2004 (ugghhh) Signed-off-by: Alan Cox <alan@redhat.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-03[IFB]: Fix crash on input device removalPatrick McHardy
The input_device pointer is not refcounted, which means the device may disappear while packets are queued, causing a crash when ifb passes packets with a stale skb->dev pointer to netif_rx(). Fix by storing the interface index instead and do a lookup where neccessary. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-03[VIDEO] ffb: Fix two DAC handling bugs.David S. Miller
The determination of whether the DAC has inverted cursor logic is broken, import the version checks the X.org driver uses to fix this. Next, when we change the timing generator, borrow code from X.org that does 10 NOP reads of the timing generator register afterwards to make sure the video-enable transition occurs cleanly. Finally, use macros for the DAC registers and fields in order to provide documentation for the next person who reads this code. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-31Linux 2.6.16.46v2.6.16.46Adrian Bunk
2007-03-28Linux 2.6.16.46-rc1v2.6.16.46-rc1Adrian Bunk
2007-03-28[ALSA] ca0106 - Add missing sysfs device assignmentTakashi Iwai
Added the missing device assignment before creating sysfs tree. This caused the insufficient device permissions. Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28[ALSA] cs4281 - Fix the check of right channelTakashi Iwai
Fix the check of right channel in mixer volume put callback. Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28[ALSA] Dereference after free in snd_hwdep_release()Florin Malita
snd_card_file_remove() may free hw->card so we can't dereference hw->card->module after that. Coverity ID 1420. Signed-off-by: Florin Malita <fmalita@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28[ALSA] cmipci - Fix a typo in 'PC Speaker Playback Switch' controlTakashi Iwai
Fixed a typo in 'PC Speaker Playback Switch' control name. Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28[ALSA] fix NULL pointer dereference in sound/synth/emux/soundfont.cEric Sesterhenn
this is about coverity id #100. It seems the if statement is negated, since the else branch calls remove_info() with sflist->currsf as a parameter where it gets dereferenced. Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28[ALSA] Fix invalid assignment of PCI revisionTakashi Iwai
Fix the type of PCI revision to char from int and avoid invalid assignment with pointer cast. Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28[ALSA] hda-intel - Don't try to probe invalid codecsTakashi Iwai
Fix the max number of codecs detected by HD-intel (and compatible) controllers. ATI controllers may have up to 4 codecs while ICH up to 3. Now max codecs is defined according to the driver type, either 3 or 4. Currently 4 is set only to ATI chips. Other might need the same change, too. Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28[ALSA] hda-codec - Don't return error at initialization of modem codecTakashi Iwai
Some modem codec seem to fail in the initialization, and this stopped loading of the whole module although the audio is OK. Since it's usually a non-fatal issue, the driver tries to proceed to initialize now. Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28usb-audio: work around wrong frequency in CM6501 descriptorsClemens Ladisch
The C-Media CM6501 chip's descriptors say that altsetting 5 supports 48 kHz, but it actually plays at 96 kHz. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Jaroslav Kysela <perex@suse.cz> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28sound/pci/au88x0/au88x0.c: ioremap balanced with iounmapAmol Lad
Signed-off-by: Amol Lad <amol@verismonetworks.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28[IPV6] HASHTABLES: Use appropriate seed for caluculating ehash index.YOSHIFUJI Hideaki
Tetsuo Handa <handat@pm.nttdata.co.jp> told me that connect(2) with TCPv6 socket almost always took a few minutes to return when we did not have any ports available in the range of net.ipv4.ip_local_port_range. The reason was that we used incorrect seed for calculating index of hash when we check established sockets in __inet6_check_established(). Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28[PPP]: Don't leak an sk_buff on interface destruction.Guennadi Liakhovetski
Signed-off-by: Guennadi Liakhovetski <gl@dsa-ac.de> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28[NET_SCHED]: Fix ingress lockingPatrick McHardy
Ingress queueing uses a seperate lock for serializing enqueue operations, but fails to properly protect itself against concurrent changes to the qdisc tree. Use queue_lock for now since the real fix it quite intrusive. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28[NET_SCHED]: cls_basic: fix NULL pointer dereferencePatrick McHardy
cls_basic doesn't allocate tp->root before it is linked into the active classifier list, resulting in a NULL pointer dereference when packets hit the classifier before its ->change function is called. Reported by Chris Madden <chris@reflexsecurity.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28USB: RAZR v3i unusual_devsPete Zaitcev
This adds an unusual_devs entry for the Motorola RAZR 3vi. Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28USB storage: Nokia 6288 unusual_devs entryAndrew Nayenko
This patch adds an usual_devs entry for the Nokia 6288. Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28USB Storage: US_FL_IGNORE_RESIDUE needed for Aiptek MP3 PlayerDylan Taft
Device will not work as a mass storage device without US_FL_IGNORE_RESIDUE. I bought this mp3 player that takes SD cards here http://www.aiptek.com/Merchant2/merchant.mvc?Screen=PROD&Product_Code=AX4&Category_Code=MP3&Store_Code=AS Signed-off-by: Dylan Taft <d13f00l@gmail.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28USB: unusual_devs.h for Sony floppyLuiz Fernando N. Capitulino
This patch increases the range for 0x054c:0x002c devices to make the following Sony USB floppy to work: T: Bus=02 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 6 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=054c ProdID=002c Rev=20.00 S: Manufacturer=SONY S: Product=USB Floppy C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=08(stor.) Sub=04 Prot=00 Driver=usb-storage E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=83(I) Atr=03(Int.) MxPS= 2 Ivl=127ms Signed-off-by: Marcelo Ricardo Leitner <mrl@mandriva.com> Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28[NET_SCHED]: Fix endless loops caused by inaccurate qlen countersPatrick McHardy
There are multiple problems related to qlen adjustment that can lead to an upper qdisc getting out of sync with the real number of packets queued, leading to endless dequeueing attempts by the upper layer code. All qdiscs must maintain an accurate q.qlen counter. There are basically two groups of operations affecting the qlen: operations that propagate down the tree (enqueue, dequeue, requeue, drop, reset) beginning at the root qdisc and operations only affecting a subtree or single qdisc (change, graft, delete class). Since qlen changes during operations from the second group don't propagate to ancestor qdiscs, their qlen values become desynchronized. This patch adds a function to propagate qlen changes up the qdisc tree, optionally calling a callback function to perform qdisc-internal maintenance when the child qdisc is deactivated, and converts all qdiscs to use this where necessary. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28mm: fix madvise infinine loopNick Piggin
madvise(MADV_REMOVE) can go into an infinite loop or cause an oops if the call covers a region from the start of a vma, and extending past that vma. Signed-off-by: Nick Piggin <npiggin@suse.de> Acked-by: Hugh Dickins <hugh@veritas.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-28[SERIAL] Fix oops when removing suspended serial portRussell King
A serial card might have been removed when the system is resumed. This results in a suspended port being shut down, which results in the ports shutdown method being called twice in a row. This causes BUGs. Avoid this by tracking the suspended state separately from the initialised state. Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-27ieee1394: dv1394: fix CardBus card ejectionStefan Richter
Fix NULL pointer dereference on hot ejection of a FireWire card while dv1394 was loaded. http://bugzilla.kernel.org/show_bug.cgi?id=7121 Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-26md: fix /proc/mdstat refcountingAkinbou Mita
I have seen mdadm oops after successfully unloading md module. This patch privents from unloading md module while mdadm is polling /proc/mdstat. Signed-off-by: Akinbou Mita <akinobu.mita@gmail.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-26fix read past end of array in md/linear.cAndy Isaacson
When iterating through an array, one must be careful to test one's index variable rather than another similarly-named variable. The loop will read off the end of conf->disks[] in the following (pathological) case: % dd bs=1 seek=840716287 if=/dev/zero of=d1 count=1 % for i in 2 3 4; do dd if=/dev/zero of=d$i bs=1k count=$(($i+150)); done % ./vmlinux ubd0=root ubd1=d1 ubd2=d2 ubd3=d3 ubd4=d4 # mdadm -C /dev/md0 --level=linear --raid-devices=4 /dev/ubd[1234] adding some printks, I saw this: [42949374.960000] hash_spacing = 821120 [42949374.960000] cnt = 4 [42949374.960000] min_spacing = 801 [42949374.960000] j=0 size=820928 sz=820928 [42949374.960000] i=0 sz=820928 hash_spacing=820928 [42949374.960000] j=1 size=64 sz=64 [42949374.960000] j=2 size=64 sz=128 [42949374.960000] j=3 size=64 sz=192 [42949374.960000] j=4 size=1515870810 sz=1515871002 Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-26md: pass down BIO_RW_SYNC in raid{1,10}Lars Ellenberg
md raidX make_request functions strip off the BIO_RW_SYNC flag, thus introducing additional latency. Fixing this in raid1 and raid10 seems to be straightforward enough. For our particular usage case in DRBD, passing this flag improved some initialization time from ~5 minutes to ~5 seconds. Signed-off-by: Lars Ellenberg <lars@linbit.com> Acked-by: NeilBrown <neilb@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-26md: Fix bug where spares don't always get rebuilt properly when they become liveNeil Brown
If save_raid_disk is >= 0, then the device could be a device that is already in sync that is being re-added. So we need to default this value to -1. Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-26MD: Fix problem where hot-added drives are not resynced.Neil Brown
If a drive is added with HOT_ADD_DISK rather than ADD_NEW_DISK, saved_raid_disk isn't initialised properly, and the drive can be included in the array without a resync. Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-26USB: unusual_devs update for Sony P990i phoneAlan Stern
This patch (as846) adds the IGNORE_RESIDUE flag to the unusual_devs entry for Sony-Ericsson's P990i phone. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-26USB: unusual_devs entry for Sony DSC-H5Lars Jacob
This patch (as749) extends the unusual_devs entry for the Sony DSC-T1 and T5 to cover the H5 as well. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-25USB: unusual_devs.h entry for nokia 6233Manuel Osdoba
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-25USB: unusual_devs.h for 0x046b:ff40Pete Zaitcev
American Megatrends did something wrong in their floppy emulator. It breaks with both kinds of MODE SENSE which our stack sends. Alan and I tried a few tweaks, and got LUNs sensed right, but US_FL_NO_WP_DETECT is still needed. I set the firmware bracket to 1.00 exactly, in case AMI or Sun fix it with a firmware update. Hey, you never know. Signed-off-by: Pete Zaitcev <zaitcev@redhat.com> Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-25USB: Fix UCR-61S2B unusual_dev entryPhil Dibowitz
Recently this entry's bcd scope was narrowed so as not to falsly apply to bcd's other than 0x0110. But while it breaks those of a larger bcd, it is still needed for those of a smaller bcd - so this changes the lower bcd limit to 0x0000. Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-03-25unusual_devs update for UCR-61S2BAlan Stern
The existing unusual_devs entry for the UCR-61S2B appears to have too wide a revision range. It matches at least one device that doesn't respond to the initialization sequence. Perhaps the sequence needs to be updated, or perhaps something else can be done. For now, this patch (as764) restricts the range to include only the revision mentioned in the original comment. This resolves (for now!) Bugzilla entry #6950. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>