1. 14 Mar, 2006 7 commits
    • [PATCH] SUNRPC: fix a NULL pointer dereference in net/sunrpc/clnt.c · 712917d1
      Adrian Bunk committed
      The Coverity checker spotted this possible NULL pointer dereference in
      rpc_new_client().
      Signed-off-by: Adrian Bunk <bunk@stusta.de>
      Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    • [PATCH] NFS: Fix a potential panic in O_DIRECT · 143f412e
      Trond Myklebust committed
      Based on an original patch by Mike O'Connor and Greg Banks of SGI.
      
      Mike states:
      
      A normal user can panic an NFS client and cause a local DoS with
      'judicious'(?) use of O_DIRECT.  Any O_DIRECT write to an NFS file where the
      user buffer starts with a valid mapped page and contains an unmapped page,
      will crash in this way.  I haven't followed the code, but O_DIRECT reads with
      similar user buffers will probably also crash albeit in different ways.
      
      Details: when nfs_get_user_pages() calls get_user_pages(), it detects and
      correctly handles get_user_pages() returning an error, which happens if the
      first page covered by the user buffer's address range is unmapped.  However,
      if the first page is mapped but some subsequent page isn't, get_user_pages()
      will return a positive number which is less than the number of pages requested
      (this behaviour is sort of analogous to a short write() call and appears to be
      intentional).  nfs_get_user_pages() doesn't detect this and hands off the
      array of pages (whose last few elements are random rubbish from the newly
      allocated array memory) to its caller, whence they go to
      nfs_direct_write_seg(), which then totally ignores the nr_pages it's given,
      and calculates its own idea of how many pages are in the array from the user
      buffer length.  Needless to say, when it comes to transmit those uninitialised
      page* pointers, we see a crash in the network stack.
      Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    • [PATCH] Fix sigaltstack corruption among cloned threads · f9a3879a
      GOTO Masanori committed
      This patch fixes alternate signal stack corruption among cloned threads
      with CLONE_SIGHAND (and CLONE_VM) for linux-2.6.16-rc6.
      
      The value of alternate signal stack is currently inherited after a call of
      clone(...  CLONE_SIGHAND | CLONE_VM).  But if sigaltstack is set by a
      parent thread, and then if multiple cloned child threads (+ parent threads)
      call signal handler at the same time, some threads may conflict -
      because they share the same alternative signal stack region.
      Finally they get sigsegv.  It's an undesirable race condition.  Note that
      child threads created from NPTL pthread_create() also hit this conflict
      when the parent thread uses sigaltstack, without my patch.
      
      To fix this problem, this patch clears the child threads' sigaltstack
      information like exec().  This behavior follows the SUSv3 specification.
      In SUSv3, pthread_create() says "The alternate stack shall not be inherited
      (when new threads are initialized)".  It means that sigaltstack should be
      cleared when sigaltstack memory space is shared by cloned threads with
      CLONE_SIGHAND.
      
      Note that I chose the "if (clone_flags & CLONE_SIGHAND)" line because:
        - If the clone_flags line does not exist, fork() does not inherit sigaltstack.
        - CLONE_VM is another choice, but vfork() does not inherit sigaltstack.
        - CLONE_SIGHAND implies CLONE_VM, and it looks suitable.
        - CLONE_THREAD is another candidate, and includes CLONE_SIGHAND + CLONE_VM,
          but this flag has a bit different semantics.
      I decided to use CLONE_SIGHAND.
      
      [ Changed to test for CLONE_VM && !CLONE_VFORK after discussion --Linus ]
      Signed-off-by: GOTO Masanori <gotom@sanori.org>
      Cc: Roland McGrath <roland@redhat.com>
      Cc: Ingo Molnar <mingo@elte.hu>
      Acked-by: Linus Torvalds <torvalds@osdl.org>
      Cc: Ulrich Drepper <drepper@redhat.com>
      Cc: Jakub Jelinek <jakub@redhat.com>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    • [PATCH] macintosh: correct AC Power info in /proc/pmu/info · 63e1fd41
      Benjamin Herrenschmidt committed
      Report AC Power present in /proc/pmu/info if there is no battery.
      Signed-off-by: Olaf Hering <olh@suse.de>
      Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>,
      Cc: Paul Mackerras <paulus@samba.org>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    • [PATCH] Restore tuning capabilities in V4L2 MXB driver · 6acaba8e
      Michael Hunold committed
      The behaviour of the all-in-one Video4Linux tuner driver apparently
      changed.  It now wants to know the tv standard, otherwise it refuses to
      tune.
      
      Restore tuning functionality in my driver for the "Multimedia eXtension
      Board".  The all-in-one tuner driver apparently changed its behaviour.
      Signed-off-by: Michael Hunold <hunold@linuxtv.org>
      Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
      Cc: Johannes Stezenbach <js@linuxtv.org>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    • [PATCH] mtd_dataflash, fix block vs page erase · 3cb4f09f
      David Brownell committed
      Fix a bug in the block-erase optimization for Dataflash; it was using block
      erase even for smaller segments that need page erase.
      
      That wouldn't matter for JFFS2, which never erases less than one block
      (sometimes several blocks), but for other callers it might.
      Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
      Acked-by: David Woodhouse <dwmw2@infradead.org>
      Acked-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    • [TCP]: Fix zero port problem in IPv6 · 3759fa9c
      Herbert Xu committed
      When we link a socket into the hash table, we need to make sure that we
      set the num/port fields so that it shows up with a non-zero port value
      in proc/netlink and on the wire.  This code and comment is copied over
      from the IPv4 stack as is.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  2. 13 Mar, 2006 11 commits
  3. 12 Mar, 2006 22 commits