From: Greg Kroah-Hartman Date: Tue, 13 Dec 2005 07:13:35 +0000 (-0800) Subject: more 2.6.14 patches X-Git-Tag: v2.6.14.4~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=910bcb22db5f36f4bf0a51fd244a61a055318ffe;p=thirdparty%2Fkernel%2Fstable-queue.git more 2.6.14 patches --- diff --git a/queue/32bit-integer-overflow-in-invalidate_inode_pages2.patch b/queue/32bit-integer-overflow-in-invalidate_inode_pages2.patch new file mode 100644 index 00000000000..79c4a66adb6 --- /dev/null +++ b/queue/32bit-integer-overflow-in-invalidate_inode_pages2.patch @@ -0,0 +1,45 @@ +From stable-bounces@linux.kernel.org Fri Dec 2 13:00:27 2005 +Message-ID: <4390B550.4080900@gentoo.org> +Date: Fri, 02 Dec 2005 20:57:52 +0000 +From: Daniel Drake +To: stable@kernel.org +Cc: green@linuxhacker.ru +Subject: 32bit integer overflow in invalidate_inode_pages2() +X-Git-Tag: v2.6.15-rc3 +X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=479ef592f3664dd629417098c8599261c0f689ab + +From: Oleg Drokin + +[PATCH] 32bit integer overflow in invalidate_inode_pages2() + +Fix a 32 bit integer overflow in invalidate_inode_pages2_range. + +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/truncate.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- linux-2.6.14.3.orig/mm/truncate.c ++++ linux-2.6.14.3/mm/truncate.c +@@ -291,8 +291,8 @@ int invalidate_inode_pages2_range(struct + * Zap the rest of the file in one hit. + */ + unmap_mapping_range(mapping, +- page_index << PAGE_CACHE_SHIFT, +- (end - page_index + 1) ++ (loff_t)page_index< +Date: Fri, 02 Dec 2005 20:44:00 +0000 +From: Daniel Drake +To: stable@kernel.org +Cc: venkatesh.pallipadi@intel.com +Subject: ACPI: Add support for FADT P_LVL2_UP flag +X-Git-Tag: v2.6.15-rc4 +X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=4c0335526c95d90a1d958e0059f40a5745fc7c5d + +From: Venkatesh Pallipadi + +[ACPI] Add support for FADT P_LVL2_UP flag +which tells us if C2 is valid for UP-only, or SMP. + +As there is no separate bit for C3, use P_LVL2_UP +bit to cover both C2 and C3. + +http://bugzilla.kernel.org/show_bug.cgi?id=5165 + +(cherry picked from 28b86b368af3944eb383078fc5797caf2dc8ce44 commit) + +Signed-off-by: Venkatesh Pallipadi +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/processor_idle.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- linux-2.6.14.3.orig/drivers/acpi/processor_idle.c ++++ linux-2.6.14.3/drivers/acpi/processor_idle.c +@@ -261,6 +261,16 @@ static void acpi_processor_idle(void) + + cx->usage++; + ++#ifdef CONFIG_HOTPLUG_CPU ++ /* ++ * Check for P_LVL2_UP flag before entering C2 and above on ++ * an SMP system. We do it here instead of doing it at _CST/P_LVL ++ * detection phase, to work cleanly with logical CPU hotplug. ++ */ ++ if ((cx->type != ACPI_STATE_C1) && (num_online_cpus() > 1) && ++ !pr->flags.has_cst && acpi_fadt.plvl2_up) ++ cx->type = ACPI_STATE_C1; ++#endif + /* + * Sleep: + * ------ +@@ -527,6 +537,15 @@ static int acpi_processor_get_power_info + pr->power.states[ACPI_STATE_C0].valid = 1; + pr->power.states[ACPI_STATE_C1].valid = 1; + ++#ifndef CONFIG_HOTPLUG_CPU ++ /* ++ * Check for P_LVL2_UP flag before entering C2 and above on ++ * an SMP system. ++ */ ++ if ((num_online_cpus() > 1) && acpi_fadt.plvl2_up) ++ return_VALUE(-ENODEV); ++#endif ++ + /* determine C2 and C3 address from pblk */ + pr->power.states[ACPI_STATE_C2].address = pr->pblk + 4; + pr->power.states[ACPI_STATE_C3].address = pr->pblk + 5; diff --git a/queue/acpi-fix-hp-nx8220-boot-hang-regression.patch b/queue/acpi-fix-hp-nx8220-boot-hang-regression.patch new file mode 100644 index 00000000000..db534c59e4a --- /dev/null +++ b/queue/acpi-fix-hp-nx8220-boot-hang-regression.patch @@ -0,0 +1,45 @@ +From stable-bounces@linux.kernel.org Fri Dec 2 12:44:30 2005 +Message-ID: <4390B11D.4030205@gentoo.org> +Date: Fri, 02 Dec 2005 20:39:57 +0000 +From: Daniel Drake +To: stable@kernel.org +Cc: trenn@suse.de +Subject: ACPI: fix HP nx8220 boot hang regression +X-Git-Tag: v2.6.15-rc4 +X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=bd7ce5b5ff930c29b1c0405051e9c9388660b785 + +From: Thomas Renninger + +[ACPI] fix HP nx8220 boot hang regression + +This patch reverts the acpi_bus_find_driver() return value check +that came in via the PCI tree via 3fb02738b0fd36f47710a2bf207129efd2f5daa2 + + [PATCH] acpi bridge hotadd: Allow ACPI .add and .start + operations to be done independently + +This particular change broke booting of some HP/Compaq laptops unless +acpi=noirq is used. + +http://bugzilla.kernel.org/show_bug.cgi?id=5221 +https://bugzilla.novell.com/show_bug.cgi?id=116763 + +Signed-off-by: Thomas Renninger +Cc: Rajesh Shah +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.14.3.orig/drivers/acpi/scan.c ++++ linux-2.6.14.3/drivers/acpi/scan.c +@@ -1111,7 +1111,7 @@ acpi_add_single_object(struct acpi_devic + * + * TBD: Assumes LDM provides driver hot-plug capability. + */ +- result = acpi_bus_find_driver(device); ++ acpi_bus_find_driver(device); + + end: + if (!result) diff --git a/queue/acpi-prefer-_cst-over-fadt-for-c-state-capabilities.patch b/queue/acpi-prefer-_cst-over-fadt-for-c-state-capabilities.patch new file mode 100644 index 00000000000..0b2b3dd2a81 --- /dev/null +++ b/queue/acpi-prefer-_cst-over-fadt-for-c-state-capabilities.patch @@ -0,0 +1,57 @@ +From stable-bounces@linux.kernel.org Fri Dec 2 12:49:56 2005 +Message-ID: <4390B271.2080909@gentoo.org> +Date: Fri, 02 Dec 2005 20:45:37 +0000 +From: Daniel Drake +To: stable@kernel.org +Cc: venkatesh.pallipadi@intel.com +Subject: ACPI: Prefer _CST over FADT for C-state capabilities +X-Git-Tag: v2.6.15-rc4 +X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6d93c64803a5fea84839789aae13290419c62d92 + +From: Venkatesh Pallipadi + +[ACPI] Prefer _CST over FADT for C-state capabilities + +Note: This ACPI standard compliance may cause regression +on some system, if they have _CST present, but _CST value +is bogus. "nocst" module parameter should workaround +that regression. + +http://bugzilla.kernel.org/show_bug.cgi?id=5165 + +(cherry picked from 883baf7f7e81cca26f4683ae0d25ba48f094cc08 commit) + +Signed-off-by: Venkatesh Pallipadi +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/processor_idle.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- linux-2.6.14.3.orig/drivers/acpi/processor_idle.c ++++ linux-2.6.14.3/drivers/acpi/processor_idle.c +@@ -687,7 +687,7 @@ static int acpi_processor_get_power_info + + /* Validate number of power states discovered */ + if (pr->power.count < 2) +- status = -ENODEV; ++ status = -EFAULT; + + end: + acpi_os_free(buffer.pointer); +@@ -838,11 +838,11 @@ static int acpi_processor_get_power_info + * this function */ + + result = acpi_processor_get_power_info_cst(pr); +- if ((result) || (acpi_processor_power_verify(pr) < 2)) { ++ if (result == -ENODEV) + result = acpi_processor_get_power_info_fadt(pr); +- if ((result) || (acpi_processor_power_verify(pr) < 2)) +- result = acpi_processor_get_power_info_default_c1(pr); +- } ++ ++ if ((result) || (acpi_processor_power_verify(pr) < 2)) ++ result = acpi_processor_get_power_info_default_c1(pr); + + /* + * Set Default Policy diff --git a/queue/dvb-budget-ci-card-depends-on-stv0297-demodulator.patch b/queue/dvb-budget-ci-card-depends-on-stv0297-demodulator.patch new file mode 100644 index 00000000000..76bdf5e3c4f --- /dev/null +++ b/queue/dvb-budget-ci-card-depends-on-stv0297-demodulator.patch @@ -0,0 +1,26 @@ +From stable-bounces@linux.kernel.org Fri Dec 2 12:55:14 2005 +Message-ID: <4390B3A1.9040801@gentoo.org> +Date: Fri, 02 Dec 2005 20:50:41 +0000 +From: Daniel Drake +To: stable@kernel.org +Cc: r3pek@gentoo.org +Subject: DVB: BUDGET CI card depends on STV0297 demodulator + +This patch solves a DVB driver compile error introduced in 2.6.14 + +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb/ttpci/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- linux-2.6.14.3.orig/drivers/media/dvb/ttpci/Kconfig ++++ linux-2.6.14.3/drivers/media/dvb/ttpci/Kconfig +@@ -81,6 +81,7 @@ config DVB_BUDGET_CI + tristate "Budget cards with onboard CI connector" + depends on DVB_CORE && PCI + select VIDEO_SAA7146 ++ select DVB_STV0297 + select DVB_STV0299 + select DVB_TDA1004X + help diff --git a/queue/fix-listxattr-for-generic-security-attributes.patch b/queue/fix-listxattr-for-generic-security-attributes.patch new file mode 100644 index 00000000000..7ea80ffd38d --- /dev/null +++ b/queue/fix-listxattr-for-generic-security-attributes.patch @@ -0,0 +1,56 @@ +From stable-bounces@linux.kernel.org Mon Dec 12 09:33:51 2005 +Message-ID: <439DB3FC.6040700@gentoo.org> +Date: Mon, 12 Dec 2005 17:31:40 +0000 +From: Daniel Drake +To: stable@kernel.org +Cc: +Subject: Fix listxattr() for generic security attributes +X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=894ec8707ced240b96dc45944790fb35d9a6b03c + +From: Daniel Drake + +[PATCH] Fix listxattr() for generic security attributes + +Commit f549d6c18c0e8e6cf1bf0e7a47acc1daf7e2cec1 introduced a generic +fallback for security xattrs, but appears to include a subtle bug. + +Gentoo users with kernels with selinux compiled in, and coreutils compiled +with acl support, noticed that they could not copy files on tmpfs using +'cp'. + +cp (compiled with acl support) copies the file, lists the extended +attributes on the old file, copies them all to the new file, and then +exits. However the listxattr() calls were failing with this odd behaviour: + +llistxattr("a.out", (nil), 0) = 17 +llistxattr("a.out", 0x7fffff8c6cb0, 17) = -1 ERANGE (Numerical result out of +range) + +I believe this is a simple problem in the logic used to check the buffer +sizes; if the user sends a buffer the exact size of the data, then its ok +:) + +This change solves the problem. +More info can be found at http://bugs.gentoo.org/113138 + +Signed-off-by: Daniel Drake +Acked-by: James Morris +Acked-by: Stephen Smalley +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.14.3.orig/fs/xattr.c ++++ linux-2.6.14.3/fs/xattr.c +@@ -243,7 +243,7 @@ listxattr(struct dentry *d, char __user + error = d->d_inode->i_op->listxattr(d, klist, size); + } else { + error = security_inode_listsecurity(d->d_inode, klist, size); +- if (size && error >= size) ++ if (size && error > size) + error = -ERANGE; + } + if (error > 0) { diff --git a/queue/fix-processing-of-fib_lookup-netlink-messages.patch b/queue/fix-processing-of-fib_lookup-netlink-messages.patch new file mode 100644 index 00000000000..20c8bdc9d7d --- /dev/null +++ b/queue/fix-processing-of-fib_lookup-netlink-messages.patch @@ -0,0 +1,40 @@ +From stable-bounces@linux.kernel.org Thu Dec 1 14:08:28 2005 +Date: Thu, 1 Dec 2005 23:05:12 +0100 +From: Thomas Graf +To: "David S. Miller" +Message-ID: <20051201220512.GT20395@postel.suug.ch> +Cc: Robert Olsson , stable@kernel.org, netdev@vger.kernel.org +Subject: [PATCH] [NETLINK]: Fix processing of fib_lookup netlink messages + +The receive path for fib_lookup netlink messages is lacking sanity +checks for header and payload and is thus vulnerable to malformed +netlink messages causing illegal memory references. + +Signed-off-by: Thomas Graf +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/fib_frontend.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- linux-2.6.14.3.orig/net/ipv4/fib_frontend.c ++++ linux-2.6.14.3/net/ipv4/fib_frontend.c +@@ -545,12 +545,16 @@ static void nl_fib_input(struct sock *sk + struct sk_buff *skb = NULL; + struct nlmsghdr *nlh = NULL; + struct fib_result_nl *frn; +- int err; + u32 pid; + struct fib_table *tb; + +- skb = skb_recv_datagram(sk, 0, 0, &err); ++ skb = skb_dequeue(&sk->sk_receive_queue); + nlh = (struct nlmsghdr *)skb->data; ++ if (skb->len < NLMSG_SPACE(0) || skb->len < nlh->nlmsg_len || ++ nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*frn))) { ++ kfree_skb(skb); ++ return; ++ } + + frn = (struct fib_result_nl *) NLMSG_DATA(nlh); + tb = fib_get_table(frn->tb_id_in); diff --git a/queue/series b/queue/series index 662591201cd..1b29f3bbbfd 100644 --- a/queue/series +++ b/queue/series @@ -2,3 +2,12 @@ dpt_i2o-fix-a-null-pointer-deref.patch message-i2o-pci-fix-null-pointer-deref.patch infiniband-fix-a-null-pointer-deref.patch fix-crash-when-ptrace-poking-hugepage-areas.patch +usb-adapt-microtek-driver-to-new-scsi-features.patch +setkeys-needs-root.patch +fix-processing-of-fib_lookup-netlink-messages.patch +fix-listxattr-for-generic-security-attributes.patch +dvb-budget-ci-card-depends-on-stv0297-demodulator.patch +acpi-prefer-_cst-over-fadt-for-c-state-capabilities.patch +acpi-fix-hp-nx8220-boot-hang-regression.patch +acpi-add-support-for-fadt-p_lvl2_up-flag.patch +32bit-integer-overflow-in-invalidate_inode_pages2.patch diff --git a/queue/setkeys-needs-root.patch b/queue/setkeys-needs-root.patch new file mode 100644 index 00000000000..c6c3bde2a6b --- /dev/null +++ b/queue/setkeys-needs-root.patch @@ -0,0 +1,44 @@ +From stable-bounces@linux.kernel.org Fri Dec 2 13:00:25 2005 +Message-ID: <4390B4F5.5000907@gentoo.org> +Date: Fri, 02 Dec 2005 20:56:21 +0000 +From: Daniel Drake +To: stable@kernel.org +Cc: marcelo.tosatti@cyclades.com, mikpe@csd.uu.se +Subject: [PATCH] setkeys needs root + +This patch combines commit 0b360adbdb54d5b98b78d57ba0916bc4b8871968 (make +setkeys root-only) and commit e3f17f0f6e98f58edb13cb38810d93e6d4808e68 (only +disallow setting by users) + + Because people can play games reprogramming keys and leaving traps for the + next user of the console. + +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/char/vt_ioctl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- linux-2.6.14.3.orig/drivers/char/vt_ioctl.c ++++ linux-2.6.14.3/drivers/char/vt_ioctl.c +@@ -80,6 +80,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __ + if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry))) + return -EFAULT; + ++ if (!capable(CAP_SYS_TTY_CONFIG)) ++ perm = 0; ++ + switch (cmd) { + case KDGKBENT: + key_map = key_maps[s]; +@@ -192,6 +195,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry + int i, j, k; + int ret; + ++ if (!capable(CAP_SYS_TTY_CONFIG)) ++ perm = 0; ++ + kbs = kmalloc(sizeof(*kbs), GFP_KERNEL); + if (!kbs) { + ret = -ENOMEM; diff --git a/queue/usb-adapt-microtek-driver-to-new-scsi-features.patch b/queue/usb-adapt-microtek-driver-to-new-scsi-features.patch new file mode 100644 index 00000000000..ba84e58dedb --- /dev/null +++ b/queue/usb-adapt-microtek-driver-to-new-scsi-features.patch @@ -0,0 +1,136 @@ +From stable-bounces@linux.kernel.org Fri Dec 2 12:50:00 2005 +Message-ID: <4390B2E1.5010507@gentoo.org> +Date: Fri, 02 Dec 2005 20:47:29 +0000 +From: Daniel Drake +To: stable@kernel.org +Cc: oliver@neukum.org +Subject: USB: Adapt microtek driver to new scsi features +X-Git-Tag: v2.6.15-rc2 +X-Git-Url: http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9142d59a451731d23539d218c962418acc93283c + +From: Oliver Neukum + +[PATCH] USB: Adapt microtek driver to new scsi features + +the scsi layer now uses very short sg lists. This breaks the microtek +driver. Here is a patch fixes this and some other issues. + +Signed-off-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Linus Torvalds +--- + drivers/usb/image/microtek.c | 31 +++++++++++++++++++++++++------ + drivers/usb/image/microtek.h | 2 +- + 2 files changed, 26 insertions(+), 7 deletions(-) + +--- linux-2.6.14.3.orig/drivers/usb/image/microtek.c ++++ linux-2.6.14.3/drivers/usb/image/microtek.c +@@ -327,6 +327,18 @@ static inline void mts_urb_abort(struct + usb_kill_urb( desc->urb ); + } + ++static int mts_slave_alloc (struct scsi_device *s) ++{ ++ s->inquiry_len = 0x24; ++ return 0; ++} ++ ++static int mts_slave_configure (struct scsi_device *s) ++{ ++ blk_queue_dma_alignment(s->request_queue, (512 - 1)); ++ return 0; ++} ++ + static int mts_scsi_abort (Scsi_Cmnd *srb) + { + struct mts_desc* desc = (struct mts_desc*)(srb->device->host->hostdata[0]); +@@ -411,7 +423,7 @@ static void mts_transfer_done( struct ur + MTS_INT_INIT(); + + context->srb->result &= MTS_SCSI_ERR_MASK; +- context->srb->result |= (unsigned)context->status<<1; ++ context->srb->result |= (unsigned)(*context->scsi_status)<<1; + + mts_transfer_cleanup(transfer); + +@@ -427,7 +439,7 @@ static void mts_get_status( struct urb * + mts_int_submit_urb(transfer, + usb_rcvbulkpipe(context->instance->usb_dev, + context->instance->ep_response), +- &context->status, ++ context->scsi_status, + 1, + mts_transfer_done ); + } +@@ -481,7 +493,7 @@ static void mts_command_done( struct urb + context->data_pipe, + context->data, + context->data_length, +- context->srb->use_sg ? mts_do_sg : mts_data_done); ++ context->srb->use_sg > 1 ? mts_do_sg : mts_data_done); + } else { + mts_get_status(transfer); + } +@@ -627,7 +639,6 @@ int mts_scsi_queuecommand( Scsi_Cmnd *sr + callback(srb); + + } +- + out: + return err; + } +@@ -645,6 +656,9 @@ static Scsi_Host_Template mts_scsi_host_ + .cmd_per_lun = 1, + .use_clustering = 1, + .emulated = 1, ++ .slave_alloc = mts_slave_alloc, ++ .slave_configure = mts_slave_configure, ++ .max_sectors= 256, /* 128 K */ + }; + + struct vendor_product +@@ -782,6 +796,10 @@ static int mts_usb_probe(struct usb_inte + if (!new_desc->urb) + goto out_kfree; + ++ new_desc->context.scsi_status = kmalloc(1, GFP_KERNEL); ++ if (!new_desc->context.scsi_status) ++ goto out_kfree2; ++ + new_desc->usb_dev = dev; + new_desc->usb_intf = intf; + init_MUTEX(&new_desc->lock); +@@ -818,6 +836,8 @@ static int mts_usb_probe(struct usb_inte + usb_set_intfdata(intf, new_desc); + return 0; + ++ out_kfree2: ++ kfree(new_desc->context.scsi_status); + out_free_urb: + usb_free_urb(new_desc->urb); + out_kfree: +@@ -837,6 +857,7 @@ static void mts_usb_disconnect (struct u + + scsi_host_put(desc->host); + usb_free_urb(desc->urb); ++ kfree(desc->context.scsi_status); + kfree(desc); + } + +@@ -857,5 +878,3 @@ module_exit(microtek_drv_exit); + MODULE_AUTHOR( DRIVER_AUTHOR ); + MODULE_DESCRIPTION( DRIVER_DESC ); + MODULE_LICENSE("GPL"); +- +- +--- linux-2.6.14.3.orig/drivers/usb/image/microtek.h ++++ linux-2.6.14.3/drivers/usb/image/microtek.h +@@ -22,7 +22,7 @@ struct mts_transfer_context + int data_pipe; + int fragment; + +- u8 status; /* status returned from ep_response after command completion */ ++ u8 *scsi_status; /* status returned from ep_response after command completion */ + }; + +