1. 09 Jun, 2007 22 commits
  2. 08 Jun, 2007 18 commits
    • RAMFS NOMMU: missed POSIX UID/GID inode attribute checking · 85f6038f
      Bryan Wu committed
      This bug was caught by LTP testcase fchmod06 on Blackfin platform.
      
      In the manpage of fchmod, "EPERM: The effective UID does not match the
      owner of the file, and the process is not privileged (Linux: it does not
      have the CAP_FOWNER capability)."
      
      But the ramfs nommu code missed the inode_change_ok POSIX UID/GID
      verification. This patch fixed this.
      Signed-off-by: Bryan Wu <bryan.wu@analog.com>
      Cc: David Howells <dhowells@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge git://git.linux-xtensa.org/kernel/xtensa-feed · c8d8170f
      Linus Torvalds committed
      * git://git.linux-xtensa.org/kernel/xtensa-feed:
        Xtensa: use asm-generic/fcntl.h
        [XTENSA] Remove non-rt signal handling
        [XTENSA] Move common sections into bss sections
        [XTENSA] clean-up header files
        [XTENSA] Use generic 64-bit division
        [XTENSA] Remove multi-exported symbols from xtensa_ksyms.c
        [XTENSA] fix sources using deprecated assembler directive
        [XTENSA] Spelling fixes in arch/xtensa
        [XTENSA] fix bit operations in bitops.h
    • Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6 · 34750bb1
      Linus Torvalds committed
      * 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6:
        [SPARC64]: Fix SBUS IRQ regression caused by PCI-E driver.
        [SPARC64]: Fix 2 bugs in PCI Sabre bus scanning.
    • Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 · df3872a9
      Linus Torvalds committed
      * 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: (24 commits)
        xfrm: Add security check before flushing SAD/SPD
        [NET_SCHED]: Fix filter double free
        [NET]: Avoid duplicate netlink notification when changing link state
        [UDP]: Revert 2-pass hashing changes.
        [AF_UNIX]: Fix stream recvmsg() race.
        [NETFILTER]: nf_conntrack_amanda: fix textsearch_prepare() error check
        [NETFILTER]: ip_tables: fix compat related crash
        [NETFILTER]: nf_conntrack: fix helper module unload races
        [RTNETLINK]: ifindex 0 does not exist
        [NETLINK]: Mark netlink policies const
        [TCP] tcp_probe: Attach printf attribute properly to printl().
        [TCP]: Use LIMIT_NETDEBUG in tcp_retransmit_timer().
        [NET]: Merge dst_discard_in and dst_discard_out.
        [RFKILL]: Make rfkill->name const
        [IPV4]: Restore old behaviour of default config values
        [IPV4]: Add default config support after inetdev_init
        [IPV4]: Convert IPv4 devconf to an array
        [IPV4]: Only panic if inetdev_init fails for loopback
        [TCP]: Honour sk_bound_dev_if in tcp_v4_send_ack
        [BNX2]: Update version and reldate.
        ...
    • enable interrupts in user path of page fault. · e5e3c84b
      Steven Rostedt committed
      This is a minor fix, but what is currently there is essentially wrong.
      In do_page_fault, if the faulting address from user code happens to be
      in kernel address space (int *p = (int*)-1; p = 0xbed;)  then the
      do_page_fault handler will jump over the local_irq_enable with the
      
        goto bad_area_nosemaphore;
      
      But the first line there sees this is user code and goes through the
      process of sending a signal to send SIGSEGV to the user task. This whole
      time interrupts are disabled and the task can not be preempted by a
      higher priority task.
      
      This patch always enables interrupts in the user path of the
      bad_area_nosemaphore.
      Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge master.kernel.org:/home/rmk/linux-2.6-arm · c52ecdab
      Linus Torvalds committed
      * master.kernel.org:/home/rmk/linux-2.6-arm:
        [ARM] pxa: fix pxa27x keyboard driver
        [ARM] Fix 4417/1: Serial: Fix AMBA drivers locking
        [ARM] 4421/1: AT91: Value of _KEY fields.
        [ARM] Solve buggy smp_processor_id() usage
        [ARM] 4422/1: Fix default value handling in gpio_direction_output (PXA)
        [ARM] 4419/1: AT91: SAM9 USB clocks check for suspending
        [ARM] 4418/1: AT91: Number of programmable clocks differs
        [ARM] 4392/2: Do not corrupt the SP register in compressed/head.S
    • Merge branch 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus · dc315011
      Linus Torvalds committed
      * 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus:
        [MIPS] Fix warning by moving do_default_vi into CONFIG_CPU_MIPSR2_SRS
        [MIPS] Fix some minor typoes in arch/mips/Kconfig.
        [MIPS] Remove prototype for deleted function qemu_handle_int
        [MIPS] Fix some system calls with long long arguments
        [MIPS] Make dma_map_sg handle sg elements which are longer than one page
        [MIPS] Drop __ARCH_WANT_SYS_FADVISE64
        [MIPS] Fix VGA corruption on RM300C
        [MIPS] RM300: Fix MMIO problems by marking the PCI INT ACK region busy
        [MIPS] EMMA2RH: remove dead KGDB code
        [MIPS] Remove duplicate fpu enable hazard code.
        [MIPS] Atlas, Malta, SEAD: Remove scroll from interrupt handler.
    • frv: build fix · 2c750edd
      Peter Zijlstra committed
      In file included from /usr/src/linux-2.6-2/net/ipv4/ip_input.c:118:
      
        include2/asm/system.h:245: error: parse error before "__cmpxchg_32"
        include2/asm/system.h:245: error: parse error before '*' token
        include2/asm/system.h:245: warning: type defaults to `int' in declaration of `__cmpxchg_32'
        include2/asm/system.h:245: warning: function declaration isn't a prototype
        include2/asm/system.h:245: warning: data definition has no type or storage class
      Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Acked-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • [SPARC64]: Fix SBUS IRQ regression caused by PCI-E driver. · ec4d18f2
      David S. Miller committed
      We used to access the 64-bit IRQ IMAP and ICLR registers of bus
      controllers 4-bytes in and as a 32-bit register word, since only the
      low 32-bits were relevant.  This seemed like a good idea at the time.
      
      But the PCI-E controller requires full 8-byte 64-bit access to
      these registers, so we switched over to accessing them fully.
      
      SBUS was not adjusted properly, which broke interrupts completely.
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [SPARC64]: Fix 2 bugs in PCI Sabre bus scanning. · 321566c2
      David S. Miller committed
      If we are on hummingbird, bus runs at 66MHZ.
      
      pbm->pci_bus should be setup with the result of pci_scan_one_pbm()
      or else we deref NULL pointers in the error interrupt handlers.
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • xfrm: Add security check before flushing SAD/SPD · 4aa2e62c
      Joy Latten committed
      Currently we check for permission before deleting entries from SAD and
      SPD (see security_xfrm_policy_delete() and security_xfrm_state_delete()).
      However we are not checking for authorization when flushing the SPD and
      the SAD completely. It was perhaps missed in the original security hooks
      patch.
      
      This patch adds a security check when flushing entries from the SAD and
      SPD.  It runs the entire database and checks each entry for a denial.
      If the process attempting the flush is unable to remove all of the
      entries a denial is logged and the flush function returns an error
      without removing anything.
      
      This is particularly useful when a process may need to create or delete
      its own xfrm entries used for things like labeled networking but that
      same process should not be able to delete other entries or flush the
      entire database.
      
      Signed-off-by: Joy Latten <latten@austin.ibm.com>
      Signed-off-by: Eric Paris <eparis@parisplace.org>
      Signed-off-by: James Morris <jmorris@namei.org>
    • [NET_SCHED]: Fix filter double free · b00b4bf9
      Patrick McHardy committed
      cbq and atm destroy their filters twice when destroying inner classes
      during qdisc destruction.
      Reported-and-tested-by: Strobl Anton <a.strobl@aws-it.at>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [NET]: Avoid duplicate netlink notification when changing link state · 7c355f53
      Thomas Graf committed
      When changing the link state from userspace not affecting any other
      flags, two duplicate notifications are being sent, once as action
      in the NETDEV_UP/NETDEV_DOWN notification chain and a second time
      when comparing old and new device flags after the change has been
      completed. Although harmless, the duplicates should be avoided.
      Signed-off-by: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [UDP]: Revert 2-pass hashing changes. · df2bc459
      David S. Miller committed
      This reverts changesets:
      
      6aaf47fa
      b7b5f487
      de34ed91
      fc038410
      
      There are still some correctness issues recently
      discovered which do not have a known fix that doesn't
      involve doing a full hash table scan on port bind.
      
      So revert for now.
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [AF_UNIX]: Fix stream recvmsg() race. · 3c0d2f37
      Miklos Szeredi committed
      A recv() on an AF_UNIX, SOCK_STREAM socket can race with a
      send()+close() on the peer, causing recv() to return zero, even though
      the sent data should be received.
      
      This happens if the send() and the close() are performed between
      skb_dequeue() and checking sk->sk_shutdown in unix_stream_recvmsg():
      
      process A  skb_dequeue() returns NULL, there's no data in the socket queue
      process B  new data is inserted onto the queue by unix_stream_sendmsg()
      process B  sk->sk_shutdown is set to SHUTDOWN_MASK by unix_release_sock()
      process A  sk->sk_shutdown is checked, unix_release_sock() returns zero
      
      I'm surprised nobody noticed this, it's not hard to trigger.  Maybe
      it's just (un)luck with the timing.
      
      It's possible to work around this bug in userspace, by retrying the
      recv() once in case of a zero return value.
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [NETFILTER]: nf_conntrack_amanda: fix textsearch_prepare() error check · c764c9ad
      Akinobu Mita committed
      The return value from textsearch_prepare() needs to be checked
      by IS_ERR(), because it returns an error code as a pointer.
      
      Cc: "Brian J. Murrell" <netfilter@interlinx.bc.ca>
      Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [NETFILTER]: ip_tables: fix compat related crash · 4c1b52bc
      Dmitry Mishin committed
      check_compat_entry_size_and_hooks iterates over the matches and calls
      compat_check_calc_match, which loads the match and calculates the
      compat offsets, but unlike the non-compat version, doesn't call
      ->checkentry yet. On error however it calls cleanup_matches, which in
      turn calls ->destroy, which can result in crashes if the destroy
      function (validly) expects to only get called after the checkentry
      function.
      
      Add a compat_release_match function that only drops the module reference
      on error and rename compat_check_calc_match to compat_find_calc_match to
      reflect the fact that it doesn't call the checkentry function.
      
      Reported by Jan Engelhardt <jengelh@linux01.gwdg.de>
      Signed-off-by: Dmitry Mishin <dim@openvz.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [NETFILTER]: nf_conntrack: fix helper module unload races · 3c158f7f
      Patrick McHarrdy committed
      When a helper module is unloaded all conntracks referring to it have their
      helper pointer NULLed out, leading to lots of races. In most places this
      can be fixed by proper use of RCU (they do already check for != NULL,
      but in a racy way), additionally nf_conntrack_expect_related needs to
      bail out when no helper is present.
      
      Also remove two paranoid BUG_ONs in nf_conntrack_proto_gre that are racy
      and not worth fixing.
      Signed-off-by: Patrick McHarrdy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>