You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
wait for interface to go away, try to grab as much memory as possible in
hope to hit the (kfreed) ctl_table.  Then fill it with pointers to your
function.  Then do read from file you've opened and if you are lucky,
you'll get it called as ->proc_handler() in kernel mode.

So this is at least an Oops and possibly more.  It does depend on an
interface going away though, so less of a security risk than it would
otherwise be.
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

From: Matt Domsch <Matt_Domsch@dell.com>

The patch below implements the Microsoft Point-to-Point Encryption method
as a PPP compressor/decompressor.  This is necessary for Linux clients and
servers to interoperate with Microsoft Point-to-Point Tunneling Protocol
(PPTP) servers (either Microsoft PPTP servers or the poptop project) which
use MPPE to encrypt data when creating a VPN.

This patch differs from the kernel_ppp_mppe DKMS pacakge at
pptpclient.sourceforge.net by utilizing the kernel crypto routines rather
than providing its own SHA1 and arcfour implementations.

Minor changes to ppp_generic.c try to prevent a link from disabling
compression (in our case, the encryption) after it has started using
compression (encryption).

Feedback to <pptpclient-devel@lists.sourceforge.net> please.
Signed-off-by: NMatt Domsch <Matt_Domsch@dell.com>
Cc: James Cameron <james.cameron@hp.com>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: NBrice Goglin <Brice.Goglin@ens-lyon.org>
Acked-by: NPaul Mackerras <paulus@samba.org>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

An unbindable mount does not forward or receive propagation.  Also
unbindable mount disallows bind mounts.  The semantics is as follows.

Bind semantics:
  It is invalid to bind mount an unbindable mount.

Move semantics:
  It is invalid to move an unbindable mount under shared mount.

Clone-namespace semantics:
  If a mount is unbindable in the parent namespace, the corresponding
  cloned mount in the child namespace becomes unbindable too.  Note:
  there is subtle difference, unbindable mounts cannot be bind mounted
  but can be cloned during clone-namespace.
Signed-off-by: NRam Pai <linuxram@us.ibm.com>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

A slave mount always has a master mount from which it receives
mount/umount events.  Unlike shared mount the event propagation does not
flow from the slave mount to the master.
Signed-off-by: NRam Pai <linuxram@us.ibm.com>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

An unmount of a mount creates a umount event on the parent.  If the
parent is a shared mount, it gets propagated to all mounts in the peer
group.
Signed-off-by: NRam Pai <linuxram@us.ibm.com>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Implement handling of MS_BIND in presense of shared mounts (see
Documentation/sharedsubtree.txt in the end of patch series for detailed
description).
Signed-off-by: NRam Pai <linuxram@us.ibm.com>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

This creates shared mounts.  A shared mount when bind-mounted to some
mountpoint, propagates mount/umount events to each other.  All the
shared mounts that propagate events to each other belong to the same
peer-group.
Signed-off-by: NRam Pai <linuxram@us.ibm.com>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

A private mount does not forward or receive propagation.  This patch
provides user the ability to convert any mount to private.
Signed-off-by: NRam Pai <linuxram@us.ibm.com>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

This removes the per-namespace semaphore in favor of a global semaphore.
This can have an effect on namespace scalability.
Signed-off-by: NMiklos Szeredi <miklos@szeredi.hu>
Signed-off-by: NRam Pai <linuxram@us.ibm.com>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

The way we currently deal with quota and process accounting that might
keep vfsmount busy at umount time is inherently broken; we try to turn
them off just in case (not quite correctly, at that) and

  a) pray umount doesn't fail (otherwise they'll stay turned off)
  b) pray nobody doesn anything funny just as we turn quota off

Moreover, LSM provides hooks for doing the same sort of broken logics.

The proper way to deal with that is to introduce the second kind of
reference to vfsmount.  Semantics:

 - when the last normal reference is dropped, all special ones are
   converted to normal ones and if there had been any, cleanup is done.
 - normal reference can be cloned into a special one
 - special reference can be converted to normal one; that's a no-op if
   we'd already passed the point of no return (i.e.  mntput() had
   converted special references to normal and started cleanup).

The way it works: e.g. starting process accounting converts the vfsmount
reference pinned by the opened file into special one and turns it back
to normal when it gets shut down; acct_auto_close() is done when no
normal references are left.  That way it does *not* obstruct umount(2)
and it silently gets turned off when the last normal reference to
vfsmount is gone.  Which is exactly what we want...

The same should be done by LSM module that holds some internal
references to vfsmount and wants to shut them down on umount - it should
make them special and security_sb_umount_close() will be called exactly
when the last normal reference to vfsmount is gone.

quota handling is even simpler - we don't use normal file IO anymore, so
there's no need to hold vfsmounts at all.  DQUOT_OFF() is done from
deactivate_super(), where it really belongs.
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

This patch adds the ability to the SMU driver to recover missing
calibration partitions from the SMU chip itself. It also adds some
dynamic mecanism to /proc/device-tree so that new properties are visible
to userland.
Signed-off-by: NBenjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: NPaul Mackerras <paulus@samba.org>

This patch contains the following possible cleanups:
- make needlessly global code static
- #if 0 the following unused global function:
  - core.c: pnp_remove_device
- #if 0 the following unneeded EXPORT_SYMBOL's:
  - card.c: pnp_add_card
  - card.c: pnp_remove_card
  - card.c: pnp_add_card_device
  - card.c: pnp_remove_card_device
  - card.c: pnp_add_card_id
  - core.c: pnp_register_protocol
  - core.c: pnp_unregister_protocol
  - core.c: pnp_add_device
  - core.c: pnp_remove_device
  - pnpacpi/core.c: pnpacpi_protocol
  - driver.c: pnp_add_id
  - isapnp/core.c: isapnp_read_byte
  - manager.c: pnp_auto_config_dev
  - resource.c: pnp_register_dependent_option
  - resource.c: pnp_register_independent_option
  - resource.c: pnp_register_irq_resource
  - resource.c: pnp_register_dma_resource
  - resource.c: pnp_register_port_resource
  - resource.c: pnp_register_mem_resource

Note that this patch #if 0's exactly one functions and removes no
functions.  Most it does is the #if 0 of EXPORT_SYMBOL's, so if any modular
code will use any of them, re-adding will be trivial.

Modular ISAPnP might be interesting in some cases, but this is more legacy
code.  If someone would work on it to sort all the issues out (starting
with the point that most users of __ISAPNP__ will have to be fixed)
re-enabling the required EXPORT_SYMBOL's won't be hard for him.
Signed-off-by: NAdrian Bunk <bunk@stusta.de>
Cc: Adam Belay <ambx1@neo.rr.com>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

This looks like something which out-of-tree code could possibly be using.
Give panic_timeout the twelve-month treatment.
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

This looks like something which out-of-tree code could possibly be using.
Give insert_resource the twelve-month treatment.
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Convert to proper kernel-doc format.

Some have extra blank lines (not allowed immed.  after the function name)
or need blank lines (after all parameters).  Function summary must be only
one line.

Colon (":") in a function description does weird things (causes kernel-doc
to think that it's a new section head sadly).
Signed-off-by: NRandy Dunlap <rdunlap@xenotime.net>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Fix various warnings in kernel-doc:

Warning(linux-2614-rc4//include/linux/net.h:89): Enum value 'SOCK_DCCP' not described in enum 'sock_type'

usercopy.c: should use !E instead of !I for exported symbols:
Warning(linux-2614-rc4//arch/i386/lib/usercopy.c): no structured comments found

fs.h does not need to use !E since it has no exported symbols:
Warning(linux-2614-rc4//include/linux/fs.h:1182): No description found for parameter 'find_exported_dentry'
Warning(linux-2614-rc4//include/linux/fs.h): no structured comments found

irq/manage.c should use !E for its exported symbols:
Warning(linux-2614-rc4//kernel/irq/manage.c): no structured comments found

macmodes.c should use !E for its exported symbols:
Warning(linux-2614-rc4//drivers/video/macmodes.c): no structured comments found
Signed-off-by: NRandy Dunlap <rdunlap@xenotime.net>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Add structure fields kernel-doc for 2 fields in struct journal_s.

Warning(/var/linsrc/linux-2614-rc4//include/linux/jbd.h:808): No description found for parameter 'j_wbuf'
Warning(/var/linsrc/linux-2614-rc4//include/linux/jbd.h:808): No description found for parameter 'j_wbufsize'

Convert fs/jbd/recovery.c non-static functions to kernel-doc format.

fs/jbd/recovery.c doesn't export any symbols, so it should use
!I instead of !E to eliminate this warning message:

Warning(/var/linsrc/linux-2614-rc4//fs/jbd/recovery.c): no structured comments found
Signed-off-by: NRandy Dunlap <rdunlap@xenotime.net>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Add new entries for Mystique AGP with the PCI ID 0x051e.

I don't actually have such boards but according to google they do exist.
Curiosly X.Org doesn't recognize that PCI ID.  And what's even more
interesting is that Matrox's own Windows drivers don't recognize it either.
After going through about a dozen different versions I did find one older
driver that does list this particular ID.  It is also listed in the pci.ids
file.

I'm not sure if non-220 AGP chips exist.  I left the chip revision check
intact for AGP chips nonetheless.
Signed-off-by: NVille Syrjl <syrjala@sci.fi>
Signed-off-by: NPetr Vandrovec <petr@vandrovec.name>
Cc: "Antonino A. Daplas" <adaplas@pol.net>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Add new helper, fb_find_best_display(), which will search the modelist for the
best mode for the attached display.  This requires an EDID block that is
converted to struct fb_monspecs and a private modelist.  The search will be
done in this manner:

- if 1st detailed timing is preferred, use that
- else if dimensions of the display are known, use that to estimate xres and
- else if modelist has detailed timings, use the first detailed timing
- else, use the very first entry from the modelist
Signed-off-by: NAntonino Daplas <adaplas@pol.net>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

I converted the "rl" console font from the kbd utility to be a built-in font
for the framebuffer console, and I was wondering if you would be OK with
including it.  I've generated a font_rl.c file and related minor
modifications.  I find it's the most visually appealing of the kbd fonts which
is why I use it and selected it for conversion.  I believe the font is GPL'd.
Signed-off-by: NAntonino Daplas <adaplas@pol.net>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Fix following compile error (From Kernel Bugzilla Bug 5427):

include/linux/console_struct.h:53: error: field `vt_mode' has incomplete type
Signed-off-by: NAntonino Daplas <adaplas@pol.net>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Currently the fb_find_nearest_mode() function finds a mode with screen
resolution closest to that described by the 'var' argument and with some
arbitrary refresh rate (eg.  in the following sequence of refresh rates: 70 60
53 85 75, 53 is selected).

This patch fixes the function so that it looks for the closest mode as far as
both resolution and refresh rate are concerned.  The function's first argument
is changed to fb_videomode so that the refresh rate can be specified by the
caller, as fb_var_screeninfo doesn't have any fields that could directly hold
this data.
Signed-off-by: NMichal Januszewski <spock@gentoo.org>
Signed-off-by: NAntonino Daplas <adaplas@pol.net>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

According to Jon Smirl, filling in the field fb_cursor with soft_cursor for
drivers that do not support hardware cursors is redundant.  The soft_cursor
function is usable by all drivers because it is just a wrapper around
fb_imageblit.  And because soft_cursor is an fbcon-specific hook, the file is
moved to the console directory.

Thus, drivers that do not support hardware cursors can leave the fb_cursor
field blank.  For drivers that do, they can fill up this field with their own
version.

The end result is a smaller code size.  And if the framebuffer console is not
loaded, module/kernel size is also reduced because the soft_cursor module will
also not be loaded.
Signed-off-by: NAntonino Daplas <adaplas@pol.net>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

There are a couple of tests which could possibly be confused by extremely
large numbers appearing in 'xdr' packets.  I think the closest to an exploit
you could get would be writing random data from a free page into a file - i.e.
 leak data out of kernel space.

I'm fairly sure they cannot be used for remote compromise.
Signed-off-by: NNeil Brown <neilb@suse.de>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Provide a file in the NFSD filesystem that allows setting and querying of
which version of NFS are being exported.  Changes are only allowed while no
server is running.
Signed-off-by: NSteve Dickson <steved@redhat.com>
Signed-off-by: NNeil Brown <neilb@suse.de>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Updates the RIO messaging interface to pass a device instance into the
event registeration and callbacks.
Signed-off-by: NMatt Porter <mporter@kernel.crashing.org>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Addresses issues raised with the 2.6.12-rc6-mm1 RIO support.  Fix dma_mask
init, shrink some code, general cleanup.
Signed-off-by: NMatt Porter <mporter@kernel.crashing.org>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Add RapidIO core include files.

The core code implements enumeration/discovery, management of
devices/resources, and interfaces for RIO drivers.
Signed-off-by: NMatt Porter <mporter@kernel.crashing.org>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Reorganize the preempt_disable/enable calls to eliminate the extra preempt
depth.  Changes based on Paul McKenney's review suggestions for the kprobes
RCU changeset.
Signed-off-by: NAnanth N Mavinakayanahalli <ananth@in.ibm.com>
Signed-off-by: NAnil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Changes to the base kprobes infrastructure to use RCU for synchronization
during kprobe registration and unregistration.  These changes coupled with the
arch kprobe changes (next in series):

a. serialize registration and unregistration of kprobes.
b. enable lockless execution of handlers. Handlers can now run in parallel.
Signed-off-by: NAnanth N Mavinakayanahalli <ananth@in.ibm.com>
Signed-off-by: NAnil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Changes to the base kprobe infrastructure to track kprobe execution on a
per-cpu basis.
Signed-off-by: NAnanth N Mavinakayanahalli <ananth@in.ibm.com>
Signed-off-by: NAnil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

This patch is rather large, but it really can't be done in smaller chunks
easily and I believe it is an important change.  This has been out and tested
for a while in the latest IPMI driver release.  There are no functional
changes, just changes as necessary to convert the locking over (and a few
minor style updates).

The IPMI driver uses read/write locks to ensure that things exist while they
are in use.  This is bad from a number of points of view.  This patch removes
the rwlocks and uses refcounts and RCU lists to manage what the locks did.
Signed-off-by: NCorey Minyard <minyard@acm.org>
Cc: Matt Domsch <Matt_Domsch@dell.com>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

This patch passes the file handle supplied in iattr to userspace, in case the
->setattr() was invoked from sys_ftruncate().  This solves the permission
checking (or lack thereof) in ftruncate() for the class of filesystems served
by an unprivileged userspace process.
Signed-off-by: NMiklos Szeredi <miklos@szeredi.hu>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

This patch adds an atomic create+open operation.  This does not yet work if
the file type changes between lookup and create+open, but solves the
permission checking problems for the separte create and open methods.
Signed-off-by: NMiklos Szeredi <miklos@szeredi.hu>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Add a new access call, which will only be called if ->permission is invoked
from sys_access().  In all other cases permission checking is delayed until
the actual filesystem operation.
Signed-off-by: NMiklos Szeredi <miklos@szeredi.hu>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Though the following changes are all backward compatible (from the kernel's as
well as the library's POV) change the minor version, so interested
applications can detect new features.
Signed-off-by: NMiklos Szeredi <miklos@szeredi.hu>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

This patch extends the iattr structure with a file pointer memeber, and adds
an ATTR_FILE validity flag for this member.

This is set if do_truncate() is invoked from ftruncate() or from
do_coredump().

The change is source and binary compatible.
Signed-off-by: NMiklos Szeredi <miklos@szeredi.hu>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

The sys_ptrace boilerplate code (everything outside the big switch
statement for the arch-specific requests) is shared by most architectures.
This patch moves it to kernel/ptrace.c and leaves the arch-specific code as
arch_ptrace.

Some architectures have a too different ptrace so we have to exclude them.
They continue to keep their implementations.  For sh64 I had to add a
sh64_ptrace wrapper because it does some initialization on the first call.
For um I removed an ifdefed SUBARCH_PTRACE_SPECIAL block, but
SUBARCH_PTRACE_SPECIAL isn't defined anywhere in the tree.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Acked-by: NPaul Mackerras <paulus@samba.org>
Acked-by: NRalf Baechle <ralf@linux-mips.org>
Acked-By: NDavid Howells <dhowells@redhat.com>
Acked-by: NRussell King <rmk+kernel@arm.linux.org.uk>
Acked-by: NPaul Mundt <lethal@linux-sh.org>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Fix more include file problems that surfaced since I submitted the previous
fix-missing-includes.patch.  This should now allow not to include sched.h
from module.h, which is done by a followup patch.
Signed-off-by: NTim Schmielau <tim@physik3.uni-rostock.de>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>