From: Chris Wright Date: Mon, 6 Feb 2006 08:58:41 +0000 (-0800) Subject: Update a whole backlog of patches X-Git-Tag: v2.6.15.5~55 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cbf67af02e3bbe5a76326804799c57b8b5673111;p=thirdparty%2Fkernel%2Fstable-queue.git Update a whole backlog of patches --- diff --git a/queue/d_instantiate_unique-nfs-inode-leakage.patch b/queue/d_instantiate_unique-nfs-inode-leakage.patch new file mode 100644 index 00000000000..6a9e213c903 --- /dev/null +++ b/queue/d_instantiate_unique-nfs-inode-leakage.patch @@ -0,0 +1,52 @@ +From stable-bounces@linux.kernel.org Tue Jan 31 16:38:43 2006 +Date: Tue, 10 Jan 2006 09:28:45 -0800 +From: Linux Kernel Mailing List +To: git-commits-head@vger.kernel.org +Cc: +Subject: [PATCH] d_instantiate_unique / NFS inode leakage + +From: Oleg Drokin + +If we have found aliased dentry that we return, inode reference is not +dropped and inode is not attached anywhere, so it seems the reference to +inode is leaked in that case. + +Cc: Trond Myklebust , +Cc: +Cc: Christoph Hellwig +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +--- + + fs/dcache.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletion(-) + +Index: linux-2.6.15.2/fs/dcache.c +=================================================================== +--- linux-2.6.15.2.orig/fs/dcache.c ++++ linux-2.6.15.2/fs/dcache.c +@@ -808,10 +808,14 @@ void d_instantiate(struct dentry *entry, + * + * Fill in inode information in the entry. On success, it returns NULL. + * If an unhashed alias of "entry" already exists, then we return the +- * aliased dentry instead. ++ * aliased dentry instead and drop one reference to inode. + * + * Note that in order to avoid conflicts with rename() etc, the caller + * had better be holding the parent directory semaphore. ++ * ++ * This also assumes that the inode count has been incremented ++ * (or otherwise set) by the caller to indicate that it is now ++ * in use by the dcache. + */ + struct dentry *d_instantiate_unique(struct dentry *entry, struct inode *inode) + { +@@ -838,6 +842,7 @@ struct dentry *d_instantiate_unique(stru + dget_locked(alias); + spin_unlock(&dcache_lock); + BUG_ON(!d_unhashed(alias)); ++ iput(inode); + return alias; + } + list_add(&entry->d_alias, &inode->i_dentry); diff --git a/queue/dm-crypt-zero-key-before-freeing-it.patch b/queue/dm-crypt-zero-key-before-freeing-it.patch new file mode 100644 index 00000000000..8393067b3ce --- /dev/null +++ b/queue/dm-crypt-zero-key-before-freeing-it.patch @@ -0,0 +1,46 @@ +From stable-bounces@linux.kernel.org Fri Feb 3 11:03:07 2006 +Date: Fri, 6 Jan 2006 09:21:39 -0800 +From: Linux Kernel Mailing List +To: git-commits-head@vger.kernel.org +Cc: +Subject: [PATCH] dm-crypt: zero key before freeing it + +From: Stefan Rompf + +Zap the memory before freeing it so we don't leave crypto information +around in memory. + +Signed-off-by: Stefan Rompf +Acked-by: Clemens Fruhwirth +Acked-by: Alasdair G Kergon +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +--- + + drivers/md/dm-crypt.c | 5 +++++ + 1 files changed, 5 insertions(+) + +Index: linux-2.6.15.2/drivers/md/dm-crypt.c +=================================================================== +--- linux-2.6.15.2.orig/drivers/md/dm-crypt.c ++++ linux-2.6.15.2/drivers/md/dm-crypt.c +@@ -690,6 +690,8 @@ bad3: + bad2: + crypto_free_tfm(tfm); + bad1: ++ /* Must zero key material before freeing */ ++ memset(cc, 0, sizeof(*cc) + cc->key_size * sizeof(u8)); + kfree(cc); + return -EINVAL; + } +@@ -706,6 +708,9 @@ static void crypt_dtr(struct dm_target * + cc->iv_gen_ops->dtr(cc); + crypto_free_tfm(cc->tfm); + dm_put_device(ti, cc->dev); ++ ++ /* Must zero key material before freeing */ ++ memset(cc, 0, sizeof(*cc) + cc->key_size * sizeof(u8)); + kfree(cc); + } + diff --git a/queue/fix-extra-dst-release-when-ip_options_echo-fails.patch b/queue/fix-extra-dst-release-when-ip_options_echo-fails.patch new file mode 100644 index 00000000000..6f89eac6a84 --- /dev/null +++ b/queue/fix-extra-dst-release-when-ip_options_echo-fails.patch @@ -0,0 +1,33 @@ +From stable-bounces@linux.kernel.org Sat Feb 4 02:36:34 2006 +Date: Sat, 04 Feb 2006 02:29:45 -0800 (PST) +From: "David S. Miller" +To: stable@kernel.org +Cc: +Subject: [ICMP]: Fix extra dst release when ip_options_echo fails + +From: Herbert Xu + +When two ip_route_output_key lookups in icmp_send were combined I +forgot to change the error path for ip_options_echo to not drop the +dst reference since it now sits before the dst lookup. To fix it we +simply jump past the ip_rt_put call. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller + + net/ipv4/icmp.c | 2 +- + 1 files changed, 1 insertion(+), 1 deletion(-) + +Index: linux-2.6.15.2/net/ipv4/icmp.c +=================================================================== +--- linux-2.6.15.2.orig/net/ipv4/icmp.c ++++ linux-2.6.15.2/net/ipv4/icmp.c +@@ -524,7 +524,7 @@ void icmp_send(struct sk_buff *skb_in, i + iph->tos; + + if (ip_options_echo(&icmp_param.replyopts, skb_in)) +- goto ende; ++ goto out_unlock; + + + /* diff --git a/queue/fix-keyctl-usage-of-strnlen_user.patch b/queue/fix-keyctl-usage-of-strnlen_user.patch new file mode 100644 index 00000000000..7df3372242e --- /dev/null +++ b/queue/fix-keyctl-usage-of-strnlen_user.patch @@ -0,0 +1,86 @@ +From stable-bounces@linux.kernel.org Fri Feb 3 03:11:51 2006 +Date: Fri, 03 Feb 2006 03:04:46 -0800 +From: akpm@osdl.org +To: torvalds@osdl.org +Cc: dhowells@redhat.com, stable@kernel.org, davi.arnaut@gmail.com +Subject: Fix keyctl usage of strnlen_user() + +From: Davi Arnaut + +In the small window between strnlen_user() and copy_from_user() userspace +could alter the terminating `\0' character. + +Signed-off-by: Davi Arnaut +Cc: David Howells +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- + + security/keys/keyctl.c | 15 ++++++++++----- + 1 files changed, 10 insertions(+), 5 deletions(-) + +Index: linux-2.6.15.2/security/keys/keyctl.c +=================================================================== +--- linux-2.6.15.2.orig/security/keys/keyctl.c ++++ linux-2.6.15.2/security/keys/keyctl.c +@@ -66,9 +66,10 @@ asmlinkage long sys_add_key(const char _ + description = kmalloc(dlen + 1, GFP_KERNEL); + if (!description) + goto error; ++ description[dlen] = '\0'; + + ret = -EFAULT; +- if (copy_from_user(description, _description, dlen + 1) != 0) ++ if (copy_from_user(description, _description, dlen) != 0) + goto error2; + + /* pull the payload in if one was supplied */ +@@ -160,9 +161,10 @@ asmlinkage long sys_request_key(const ch + description = kmalloc(dlen + 1, GFP_KERNEL); + if (!description) + goto error; ++ description[dlen] = '\0'; + + ret = -EFAULT; +- if (copy_from_user(description, _description, dlen + 1) != 0) ++ if (copy_from_user(description, _description, dlen) != 0) + goto error2; + + /* pull the callout info into kernel space */ +@@ -181,9 +183,10 @@ asmlinkage long sys_request_key(const ch + callout_info = kmalloc(dlen + 1, GFP_KERNEL); + if (!callout_info) + goto error2; ++ callout_info[dlen] = '\0'; + + ret = -EFAULT; +- if (copy_from_user(callout_info, _callout_info, dlen + 1) != 0) ++ if (copy_from_user(callout_info, _callout_info, dlen) != 0) + goto error3; + } + +@@ -278,9 +281,10 @@ long keyctl_join_session_keyring(const c + name = kmalloc(nlen + 1, GFP_KERNEL); + if (!name) + goto error; ++ name[nlen] = '\0'; + + ret = -EFAULT; +- if (copy_from_user(name, _name, nlen + 1) != 0) ++ if (copy_from_user(name, _name, nlen) != 0) + goto error2; + } + +@@ -582,9 +586,10 @@ long keyctl_keyring_search(key_serial_t + description = kmalloc(dlen + 1, GFP_KERNEL); + if (!description) + goto error; ++ description[dlen] = '\0'; + + ret = -EFAULT; +- if (copy_from_user(description, _description, dlen + 1) != 0) ++ if (copy_from_user(description, _description, dlen) != 0) + goto error2; + + /* get the keyring at which to begin the search */ diff --git a/queue/fix-regression-in-xfs_buf_rele.patch b/queue/fix-regression-in-xfs_buf_rele.patch new file mode 100644 index 00000000000..6e73e023556 --- /dev/null +++ b/queue/fix-regression-in-xfs_buf_rele.patch @@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Wed Feb 1 18:39:39 2006 +Date: Thu, 2 Feb 2006 13:30:43 +1100 +From: Nathan Scott +To: stable@kernel.org +Cc: +Subject: [XFS] fix regression in xfs_buf_rele + +Fix regression in xfs_buf_rele dealing with non-hashed buffers, as +occur during log replay. Novell bug 145204, Fedora bug 177848. + +Signed-off-by: Nathan Scott +Signed-off-by: Chris Wright +--- + + fs/xfs/linux-2.6/xfs_buf.c | 7 +++++++ + 1 files changed, 7 insertions(+) + +Index: linux-2.6.15.2/fs/xfs/linux-2.6/xfs_buf.c +=================================================================== +--- linux-2.6.15.2.orig/fs/xfs/linux-2.6/xfs_buf.c ++++ linux-2.6.15.2/fs/xfs/linux-2.6/xfs_buf.c +@@ -830,6 +830,13 @@ pagebuf_rele( + + PB_TRACE(pb, "rele", pb->pb_relse); + ++ if (unlikely(!hash)) { ++ ASSERT(!pb->pb_relse); ++ if (atomic_dec_and_test(&pb->pb_hold)) ++ xfs_buf_free(pb); ++ return; ++ } ++ + if (atomic_dec_and_lock(&pb->pb_hold, &hash->bh_lock)) { + if (pb->pb_relse) { + atomic_inc(&pb->pb_hold); diff --git a/queue/fixed-hardware-rx-checksum-handling.patch b/queue/fixed-hardware-rx-checksum-handling.patch new file mode 100644 index 00000000000..ae1352af532 --- /dev/null +++ b/queue/fixed-hardware-rx-checksum-handling.patch @@ -0,0 +1,46 @@ +From stable-bounces@linux.kernel.org Sun Feb 5 21:00:48 2006 +Date: Sun, 05 Feb 2006 20:27:05 -0800 (PST) +From: "David S. Miller" +To: stable@kernel.org +Cc: +Subject: [PPP]: Fixed hardware RX checksum handling + +From: Herbert Xu + +When we pull the PPP protocol off the skb, we forgot to update the +hardware RX checksum. This may lead to messages such as + + dsl0: hw csum failure. + +Similarly, we need to clear the hardware checksum flag when we use +the existing packet to store the decompressed result. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + + drivers/net/ppp_generic.c | 3 +++ + 1 files changed, 3 insertions(+) + +Index: linux-2.6.15.2/drivers/net/ppp_generic.c +=================================================================== +--- linux-2.6.15.2.orig/drivers/net/ppp_generic.c ++++ linux-2.6.15.2/drivers/net/ppp_generic.c +@@ -1610,6 +1610,8 @@ ppp_receive_nonmp_frame(struct ppp *ppp, + } + else if (!pskb_may_pull(skb, skb->len)) + goto err; ++ else ++ skb->ip_summed = CHECKSUM_NONE; + + len = slhc_uncompress(ppp->vj, skb->data + 2, skb->len - 2); + if (len <= 0) { +@@ -1690,6 +1692,7 @@ ppp_receive_nonmp_frame(struct ppp *ppp, + kfree_skb(skb); + } else { + skb_pull(skb, 2); /* chop off protocol */ ++ skb_postpull_rcsum(skb, skb->data - 2, 2); + skb->dev = ppp->dev; + skb->protocol = htons(npindex_to_ethertype[npi]); + skb->mac.raw = skb->data; diff --git a/queue/grip-fix-crash-when-accessing-device.patch b/queue/grip-fix-crash-when-accessing-device.patch new file mode 100644 index 00000000000..1d6847c1708 --- /dev/null +++ b/queue/grip-fix-crash-when-accessing-device.patch @@ -0,0 +1,28 @@ +From stable-bounces@linux.kernel.org Wed Feb 1 21:18:58 2006 +Date: Thu, 02 Feb 2006 00:09:00 -0500 +From: Dmitry Torokhov +To: stable@kernel.org +Cc: +Subject: Input: grip - fix crash when accessing device + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Chris Wright +--- + + drivers/input/joystick/grip.c | 3 +++ + 1 files changed, 3 insertions(+) + +Index: linux-2.6.15.2/drivers/input/joystick/grip.c +=================================================================== +--- linux-2.6.15.2.orig/drivers/input/joystick/grip.c ++++ linux-2.6.15.2/drivers/input/joystick/grip.c +@@ -192,6 +192,9 @@ static void grip_poll(struct gameport *g + for (i = 0; i < 2; i++) { + + dev = grip->dev[i]; ++ if (!dev) ++ continue; ++ + grip->reads++; + + switch (grip->mode[i]) { diff --git a/queue/input-db9-fix-possible-crash-with-saturn-gamepads.patch b/queue/input-db9-fix-possible-crash-with-saturn-gamepads.patch new file mode 100644 index 00000000000..c0523e6a6ee --- /dev/null +++ b/queue/input-db9-fix-possible-crash-with-saturn-gamepads.patch @@ -0,0 +1,141 @@ +From stable-bounces@linux.kernel.org Wed Feb 1 21:19:12 2006 +Date: Thu, 02 Feb 2006 00:09:01 -0500 +From: Dmitry Torokhov +To: stable@kernel.org +Cc: +Subject: Input: db9 - fix possible crash with Saturn gamepads + +Input: db9 - fix possible crash with Saturn gamepads + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Chris Wright +--- + + drivers/input/joystick/db9.c | 70 ++++++++++++++++++++++--------------------- + 1 files changed, 36 insertions(+), 34 deletions(-) + +Index: linux-2.6.15.2/drivers/input/joystick/db9.c +=================================================================== +--- linux-2.6.15.2.orig/drivers/input/joystick/db9.c ++++ linux-2.6.15.2/drivers/input/joystick/db9.c +@@ -275,68 +275,70 @@ static unsigned char db9_saturn_read_pac + /* + * db9_saturn_report() analyzes packet and reports. + */ +-static int db9_saturn_report(unsigned char id, unsigned char data[60], struct input_dev *dev, int n, int max_pads) ++static int db9_saturn_report(unsigned char id, unsigned char data[60], struct input_dev *devs[], int n, int max_pads) + { ++ struct input_dev *dev; + int tmp, i, j; + + tmp = (id == 0x41) ? 60 : 10; +- for (j = 0; (j < tmp) && (n < max_pads); j += 10, n++) { ++ for (j = 0; j < tmp && n < max_pads; j += 10, n++) { ++ dev = devs[n]; + switch (data[j]) { + case 0x16: /* multi controller (analog 4 axis) */ +- input_report_abs(dev + n, db9_abs[5], data[j + 6]); ++ input_report_abs(dev, db9_abs[5], data[j + 6]); + case 0x15: /* mission stick (analog 3 axis) */ +- input_report_abs(dev + n, db9_abs[3], data[j + 4]); +- input_report_abs(dev + n, db9_abs[4], data[j + 5]); ++ input_report_abs(dev, db9_abs[3], data[j + 4]); ++ input_report_abs(dev, db9_abs[4], data[j + 5]); + case 0x13: /* racing controller (analog 1 axis) */ +- input_report_abs(dev + n, db9_abs[2], data[j + 3]); ++ input_report_abs(dev, db9_abs[2], data[j + 3]); + case 0x34: /* saturn keyboard (udlr ZXC ASD QE Esc) */ + case 0x02: /* digital pad (digital 2 axis + buttons) */ +- input_report_abs(dev + n, db9_abs[0], !(data[j + 1] & 128) - !(data[j + 1] & 64)); +- input_report_abs(dev + n, db9_abs[1], !(data[j + 1] & 32) - !(data[j + 1] & 16)); ++ input_report_abs(dev, db9_abs[0], !(data[j + 1] & 128) - !(data[j + 1] & 64)); ++ input_report_abs(dev, db9_abs[1], !(data[j + 1] & 32) - !(data[j + 1] & 16)); + for (i = 0; i < 9; i++) +- input_report_key(dev + n, db9_cd32_btn[i], ~data[j + db9_saturn_byte[i]] & db9_saturn_mask[i]); ++ input_report_key(dev, db9_cd32_btn[i], ~data[j + db9_saturn_byte[i]] & db9_saturn_mask[i]); + break; + case 0x19: /* mission stick x2 (analog 6 axis + buttons) */ +- input_report_abs(dev + n, db9_abs[0], !(data[j + 1] & 128) - !(data[j + 1] & 64)); +- input_report_abs(dev + n, db9_abs[1], !(data[j + 1] & 32) - !(data[j + 1] & 16)); ++ input_report_abs(dev, db9_abs[0], !(data[j + 1] & 128) - !(data[j + 1] & 64)); ++ input_report_abs(dev, db9_abs[1], !(data[j + 1] & 32) - !(data[j + 1] & 16)); + for (i = 0; i < 9; i++) +- input_report_key(dev + n, db9_cd32_btn[i], ~data[j + db9_saturn_byte[i]] & db9_saturn_mask[i]); +- input_report_abs(dev + n, db9_abs[2], data[j + 3]); +- input_report_abs(dev + n, db9_abs[3], data[j + 4]); +- input_report_abs(dev + n, db9_abs[4], data[j + 5]); ++ input_report_key(dev, db9_cd32_btn[i], ~data[j + db9_saturn_byte[i]] & db9_saturn_mask[i]); ++ input_report_abs(dev, db9_abs[2], data[j + 3]); ++ input_report_abs(dev, db9_abs[3], data[j + 4]); ++ input_report_abs(dev, db9_abs[4], data[j + 5]); + /* +- input_report_abs(dev + n, db9_abs[8], (data[j + 6] & 128 ? 0 : 1) - (data[j + 6] & 64 ? 0 : 1)); +- input_report_abs(dev + n, db9_abs[9], (data[j + 6] & 32 ? 0 : 1) - (data[j + 6] & 16 ? 0 : 1)); ++ input_report_abs(dev, db9_abs[8], (data[j + 6] & 128 ? 0 : 1) - (data[j + 6] & 64 ? 0 : 1)); ++ input_report_abs(dev, db9_abs[9], (data[j + 6] & 32 ? 0 : 1) - (data[j + 6] & 16 ? 0 : 1)); + */ +- input_report_abs(dev + n, db9_abs[6], data[j + 7]); +- input_report_abs(dev + n, db9_abs[7], data[j + 8]); +- input_report_abs(dev + n, db9_abs[5], data[j + 9]); ++ input_report_abs(dev, db9_abs[6], data[j + 7]); ++ input_report_abs(dev, db9_abs[7], data[j + 8]); ++ input_report_abs(dev, db9_abs[5], data[j + 9]); + break; + case 0xd3: /* sankyo ff (analog 1 axis + stop btn) */ +- input_report_key(dev + n, BTN_A, data[j + 3] & 0x80); +- input_report_abs(dev + n, db9_abs[2], data[j + 3] & 0x7f); ++ input_report_key(dev, BTN_A, data[j + 3] & 0x80); ++ input_report_abs(dev, db9_abs[2], data[j + 3] & 0x7f); + break; + case 0xe3: /* shuttle mouse (analog 2 axis + buttons. signed value) */ +- input_report_key(dev + n, BTN_START, data[j + 1] & 0x08); +- input_report_key(dev + n, BTN_A, data[j + 1] & 0x04); +- input_report_key(dev + n, BTN_C, data[j + 1] & 0x02); +- input_report_key(dev + n, BTN_B, data[j + 1] & 0x01); +- input_report_abs(dev + n, db9_abs[2], data[j + 2] ^ 0x80); +- input_report_abs(dev + n, db9_abs[3], (0xff-(data[j + 3] ^ 0x80))+1); /* */ ++ input_report_key(dev, BTN_START, data[j + 1] & 0x08); ++ input_report_key(dev, BTN_A, data[j + 1] & 0x04); ++ input_report_key(dev, BTN_C, data[j + 1] & 0x02); ++ input_report_key(dev, BTN_B, data[j + 1] & 0x01); ++ input_report_abs(dev, db9_abs[2], data[j + 2] ^ 0x80); ++ input_report_abs(dev, db9_abs[3], (0xff-(data[j + 3] ^ 0x80))+1); /* */ + break; + case 0xff: + default: /* no pad */ +- input_report_abs(dev + n, db9_abs[0], 0); +- input_report_abs(dev + n, db9_abs[1], 0); ++ input_report_abs(dev, db9_abs[0], 0); ++ input_report_abs(dev, db9_abs[1], 0); + for (i = 0; i < 9; i++) +- input_report_key(dev + n, db9_cd32_btn[i], 0); ++ input_report_key(dev, db9_cd32_btn[i], 0); + break; + } + } + return n; + } + +-static int db9_saturn(int mode, struct parport *port, struct input_dev *dev) ++static int db9_saturn(int mode, struct parport *port, struct input_dev *devs[]) + { + unsigned char id, data[60]; + int type, n, max_pads; +@@ -361,7 +363,7 @@ static int db9_saturn(int mode, struct p + max_pads = min(db9_modes[mode].n_pads, DB9_MAX_DEVICES); + for (tmp = 0, i = 0; i < n; i++) { + id = db9_saturn_read_packet(port, data, type + i, 1); +- tmp = db9_saturn_report(id, data, dev, tmp, max_pads); ++ tmp = db9_saturn_report(id, data, devs, tmp, max_pads); + } + return 0; + } +@@ -489,7 +491,7 @@ static void db9_timer(unsigned long priv + case DB9_SATURN_DPP: + case DB9_SATURN_DPP_2: + +- db9_saturn(db9->mode, port, dev); ++ db9_saturn(db9->mode, port, db9->dev); + break; + + case DB9_CD32_PAD: diff --git a/queue/input-iforce-do-not-return-enomem-upon-successful-allocation.patch b/queue/input-iforce-do-not-return-enomem-upon-successful-allocation.patch new file mode 100644 index 00000000000..dcaef389153 --- /dev/null +++ b/queue/input-iforce-do-not-return-enomem-upon-successful-allocation.patch @@ -0,0 +1,30 @@ +From stable-bounces@linux.kernel.org Wed Feb 1 21:19:02 2006 +Date: Thu, 02 Feb 2006 00:09:04 -0500 +From: Dmitry Torokhov +To: stable@kernel.org +Cc: +Subject: Input: iforce - do not return ENOMEM upon successful allocation + +From: Alexey Dobriyan + +Signed-off-by: Alexey Dobriyan +Signed-off-by: Dmitry Torokhov +Signed-off-by: Chris Wright +--- + + drivers/input/joystick/iforce/iforce-main.c | 2 +- + 1 files changed, 1 insertion(+), 1 deletion(-) + +Index: linux-2.6.15.2/drivers/input/joystick/iforce/iforce-main.c +=================================================================== +--- linux-2.6.15.2.orig/drivers/input/joystick/iforce/iforce-main.c ++++ linux-2.6.15.2/drivers/input/joystick/iforce/iforce-main.c +@@ -345,7 +345,7 @@ int iforce_init_device(struct iforce *if + int i; + + input_dev = input_allocate_device(); +- if (input_dev) ++ if (!input_dev) + return -ENOMEM; + + init_waitqueue_head(&iforce->wait); diff --git a/queue/input-iforce-fix-detection-of-usb-devices.patch b/queue/input-iforce-fix-detection-of-usb-devices.patch new file mode 100644 index 00000000000..25290cb25bd --- /dev/null +++ b/queue/input-iforce-fix-detection-of-usb-devices.patch @@ -0,0 +1,55 @@ +From stable-bounces@linux.kernel.org Wed Feb 1 21:41:00 2006 +Date: Thu, 02 Feb 2006 00:09:05 -0500 +From: Dmitry Torokhov +To: stable@kernel.org +Cc: +Subject: Input: iforce - fix detection of USB devices + +Recent conversion to wait_event_interruptible_timeout() caused +USB detection routine erroneously report timeouts for perfectly +working devices. + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Chris Wright +--- + + drivers/input/joystick/iforce/iforce-packets.c | 4 ++-- + drivers/input/joystick/iforce/iforce-usb.c | 1 - + 2 files changed, 2 insertions(+), 3 deletions(-) + +Index: linux-2.6.15.2/drivers/input/joystick/iforce/iforce-packets.c +=================================================================== +--- linux-2.6.15.2.orig/drivers/input/joystick/iforce/iforce-packets.c ++++ linux-2.6.15.2/drivers/input/joystick/iforce/iforce-packets.c +@@ -167,9 +167,9 @@ void iforce_process_packet(struct iforce + iforce->expect_packet = 0; + iforce->ecmd = cmd; + memcpy(iforce->edata, data, IFORCE_MAX_LENGTH); +- wake_up(&iforce->wait); + } + #endif ++ wake_up(&iforce->wait); + + if (!iforce->type) { + being_used--; +@@ -264,7 +264,7 @@ int iforce_get_id_packet(struct iforce * + wait_event_interruptible_timeout(iforce->wait, + iforce->ctrl->status != -EINPROGRESS, HZ); + +- if (iforce->ctrl->status != -EINPROGRESS) { ++ if (iforce->ctrl->status) { + usb_unlink_urb(iforce->ctrl); + return -1; + } +Index: linux-2.6.15.2/drivers/input/joystick/iforce/iforce-usb.c +=================================================================== +--- linux-2.6.15.2.orig/drivers/input/joystick/iforce/iforce-usb.c ++++ linux-2.6.15.2/drivers/input/joystick/iforce/iforce-usb.c +@@ -95,7 +95,6 @@ static void iforce_usb_irq(struct urb *u + goto exit; + } + +- wake_up(&iforce->wait); + iforce_process_packet(iforce, + (iforce->data[0] << 8) | (urb->actual_length - 1), iforce->data + 1, regs); + diff --git a/queue/input-sidewinder-fix-an-oops.patch b/queue/input-sidewinder-fix-an-oops.patch new file mode 100644 index 00000000000..d204ad5d0d6 --- /dev/null +++ b/queue/input-sidewinder-fix-an-oops.patch @@ -0,0 +1,32 @@ +From stable-bounces@linux.kernel.org Wed Feb 1 21:19:07 2006 +Date: Thu, 02 Feb 2006 00:09:02 -0500 +From: Dmitry Torokhov +To: stable@kernel.org +Cc: +Subject: Input: sidewinder - fix an oops + +From: Zinx Verituse + +Dynalloc conversion strikes again... + +Signed-off-by: Vojtech Pavlik +Signed-off-by: Dmitry Torokhov +Signed-off-by: Chris Wright +--- + + drivers/input/joystick/sidewinder.c | 2 +- + 1 files changed, 1 insertion(+), 1 deletion(-) + +Index: linux-2.6.15.2/drivers/input/joystick/sidewinder.c +=================================================================== +--- linux-2.6.15.2.orig/drivers/input/joystick/sidewinder.c ++++ linux-2.6.15.2/drivers/input/joystick/sidewinder.c +@@ -736,7 +736,7 @@ static int sw_connect(struct gameport *g + sprintf(sw->name, "Microsoft SideWinder %s", sw_name[sw->type]); + sprintf(sw->phys[i], "%s/input%d", gameport->phys, i); + +- input_dev = input_allocate_device(); ++ sw->dev[i] = input_dev = input_allocate_device(); + if (!input_dev) { + err = -ENOMEM; + goto fail3; diff --git a/queue/kill-compat_sys_clock_settime-sign-extension-stub.patch b/queue/kill-compat_sys_clock_settime-sign-extension-stub.patch new file mode 100644 index 00000000000..cafe840cacc --- /dev/null +++ b/queue/kill-compat_sys_clock_settime-sign-extension-stub.patch @@ -0,0 +1,42 @@ +From stable-bounces@linux.kernel.org Thu Feb 2 17:21:02 2006 +Date: Thu, 02 Feb 2006 17:12:59 -0800 (PST) +From: "David S. Miller" +To: stable@kernel.org +Cc: +Subject: [SPARC64]: Kill compat_sys_clock_settime sign extension stub. + +It's wrong and totally unneeded. + +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + + arch/sparc64/kernel/sys32.S | 1 - + arch/sparc64/kernel/systbls.S | 2 +- + 2 files changed, 1 insertion(+), 2 deletions(-) + +Index: linux-2.6.15.2/arch/sparc64/kernel/sys32.S +=================================================================== +--- linux-2.6.15.2.orig/arch/sparc64/kernel/sys32.S ++++ linux-2.6.15.2/arch/sparc64/kernel/sys32.S +@@ -84,7 +84,6 @@ SIGN2(sys32_fadvise64_64, compat_sys_fad + SIGN2(sys32_bdflush, sys_bdflush, %o0, %o1) + SIGN1(sys32_mlockall, sys_mlockall, %o0) + SIGN1(sys32_nfsservctl, compat_sys_nfsservctl, %o0) +-SIGN1(sys32_clock_settime, compat_sys_clock_settime, %o1) + SIGN1(sys32_clock_nanosleep, compat_sys_clock_nanosleep, %o1) + SIGN1(sys32_timer_settime, compat_sys_timer_settime, %o1) + SIGN1(sys32_io_submit, compat_sys_io_submit, %o1) +Index: linux-2.6.15.2/arch/sparc64/kernel/systbls.S +=================================================================== +--- linux-2.6.15.2.orig/arch/sparc64/kernel/systbls.S ++++ linux-2.6.15.2/arch/sparc64/kernel/systbls.S +@@ -71,7 +71,7 @@ sys_call_table32: + /*240*/ .word sys_munlockall, sys32_sched_setparam, sys32_sched_getparam, sys32_sched_setscheduler, sys32_sched_getscheduler + .word sys_sched_yield, sys32_sched_get_priority_max, sys32_sched_get_priority_min, sys32_sched_rr_get_interval, compat_sys_nanosleep + /*250*/ .word sys32_mremap, sys32_sysctl, sys32_getsid, sys_fdatasync, sys32_nfsservctl +- .word sys_ni_syscall, sys32_clock_settime, compat_sys_clock_gettime, compat_sys_clock_getres, sys32_clock_nanosleep ++ .word sys_ni_syscall, compat_sys_clock_settime, compat_sys_clock_gettime, compat_sys_clock_getres, sys32_clock_nanosleep + /*260*/ .word compat_sys_sched_getaffinity, compat_sys_sched_setaffinity, sys32_timer_settime, compat_sys_timer_gettime, sys_timer_getoverrun + .word sys_timer_delete, sys32_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy + /*270*/ .word sys32_io_submit, sys_io_cancel, compat_sys_io_getevents, sys32_mq_open, sys_mq_unlink diff --git a/queue/mousedev-fix-memory-leak.patch b/queue/mousedev-fix-memory-leak.patch new file mode 100644 index 00000000000..34d5ec32da8 --- /dev/null +++ b/queue/mousedev-fix-memory-leak.patch @@ -0,0 +1,57 @@ +From stable-bounces@linux.kernel.org Wed Feb 1 21:18:54 2006 +Date: Thu, 02 Feb 2006 00:08:59 -0500 +From: Dmitry Torokhov +To: stable@kernel.org +Cc: +Subject: Input: mousedev - fix memory leak + +From: Kimball Murray + +Input: mousedev - fix memory leak + +Apparently, "while true; do cat /dev/input/mice; done" causes +an OOM in a short amount of time. Funny that nobody noticed, it actually +is very easy to trigger just by switching between VT1 and VT7... + +Signed-off-by: Pete Zaitcev +Signed-off-by: Dmitry Torokhov +Signed-off-by: Chris Wright +--- + + drivers/input/mousedev.c | 9 +++------ + 1 files changed, 3 insertions(+), 6 deletions(-) + +Index: linux-2.6.15.2/drivers/input/mousedev.c +=================================================================== +--- linux-2.6.15.2.orig/drivers/input/mousedev.c ++++ linux-2.6.15.2/drivers/input/mousedev.c +@@ -356,7 +356,7 @@ static void mousedev_free(struct mousede + kfree(mousedev); + } + +-static int mixdev_release(void) ++static void mixdev_release(void) + { + struct input_handle *handle; + +@@ -370,8 +370,6 @@ static int mixdev_release(void) + mousedev_free(mousedev); + } + } +- +- return 0; + } + + static int mousedev_release(struct inode * inode, struct file * file) +@@ -384,9 +382,8 @@ static int mousedev_release(struct inode + + if (!--list->mousedev->open) { + if (list->mousedev->minor == MOUSEDEV_MIX) +- return mixdev_release(); +- +- if (!mousedev_mix.open) { ++ mixdev_release(); ++ else if (!mousedev_mix.open) { + if (list->mousedev->exist) + input_close_device(&list->mousedev->handle); + else diff --git a/queue/pcmcia-m-hostap_cs-y-is-not-a-legal-configuration.patch b/queue/pcmcia-m-hostap_cs-y-is-not-a-legal-configuration.patch new file mode 100644 index 00000000000..5156bd3f6aa --- /dev/null +++ b/queue/pcmcia-m-hostap_cs-y-is-not-a-legal-configuration.patch @@ -0,0 +1,33 @@ +From stable-bounces@linux.kernel.org Fri Feb 3 12:22:26 2006 +Date: Fri, 3 Feb 2006 21:15:34 +0100 +From: Adrian Bunk +To: stable@kernel.org +Cc: linville@tuxdriver.com +Subject: [PATCH] PCMCIA=m, HOSTAP_CS=y is not a legal configuration + +CONFIG_PCMCIA=m, CONFIG_HOSTAP_CS=y doesn't compile. + +Reported by "Gabriel C." . + +This patch was already included in 2.6.16-rc2. + +Signed-off-by: Adrian Bunk +Signed-off-by: Chris Wright +--- + + drivers/net/wireless/hostap/Kconfig | 2 +- + 1 files changed, 1 insertion(+), 1 deletion(-) + +Index: linux-2.6.15.2/drivers/net/wireless/hostap/Kconfig +=================================================================== +--- linux-2.6.15.2.orig/drivers/net/wireless/hostap/Kconfig ++++ linux-2.6.15.2/drivers/net/wireless/hostap/Kconfig +@@ -61,7 +61,7 @@ config HOSTAP_PCI + + config HOSTAP_CS + tristate "Host AP driver for Prism2/2.5/3 PC Cards" +- depends on PCMCIA!=n && HOSTAP ++ depends on PCMCIA && HOSTAP + ---help--- + Host AP driver's version for Prism2/2.5/3 PC Cards. + diff --git a/queue/seclvl-settime-fix.patch b/queue/seclvl-settime-fix.patch new file mode 100644 index 00000000000..0af63d15090 --- /dev/null +++ b/queue/seclvl-settime-fix.patch @@ -0,0 +1,34 @@ +From stable-bounces@linux.kernel.org Tue Jan 31 21:27:10 2006 +Date: Tue, 31 Jan 2006 21:20:26 -0800 +From: Linus Torvalds +To: stable@kernel.org +Cc: +Subject: seclvl settime fix + +Don't try to "validate" a non-existing timeval. + +settime() with a NULL timeval is silly but legal. + +Noticed by Dave Jones + +Signed-off-by: Linus Torvalds +[chrisw: seclvl only] +Signed-off-by: Chris Wright +--- + + security/seclvl.c | 2 +- + 1 files changed, 1 insertion(+), 1 deletion(-) + +Index: linux-2.6.15.2/security/seclvl.c +=================================================================== +--- linux-2.6.15.2.orig/security/seclvl.c ++++ linux-2.6.15.2/security/seclvl.c +@@ -369,7 +369,7 @@ static int seclvl_capable(struct task_st + static int seclvl_settime(struct timespec *tv, struct timezone *tz) + { + struct timespec now; +- if (seclvl > 1) { ++ if (tv && seclvl > 1) { + now = current_kernel_time(); + if (tv->tv_sec < now.tv_sec || + (tv->tv_sec == now.tv_sec && tv->tv_nsec < now.tv_nsec)) { diff --git a/queue/selinux-fix-size-128-slab-leak.patch b/queue/selinux-fix-size-128-slab-leak.patch new file mode 100644 index 00000000000..975ecf390ae --- /dev/null +++ b/queue/selinux-fix-size-128-slab-leak.patch @@ -0,0 +1,40 @@ +From stable-bounces@linux.kernel.org Fri Feb 3 20:04:58 2006 +Date: Fri, 3 Feb 2006 19:57:49 -0800 +From: Andrew Morton +To: stable@kernel.org +Cc: +Subject: [PATCH] SELinux: fix size-128 slab leak + +From: Stephen Smalley + +Remove private inode tests from security_inode_alloc and security_inode_free, +as we otherwise end up leaking inode security structures for private inodes. + +Signed-off-by: Stephen Smalley +Acked-by: James Morris +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +--- + include/linux/security.h | 4 ---- + 1 files changed, 4 deletions(-) + +Index: linux-2.6.15.2/include/linux/security.h +=================================================================== +--- linux-2.6.15.2.orig/include/linux/security.h ++++ linux-2.6.15.2/include/linux/security.h +@@ -1437,15 +1437,11 @@ static inline void security_sb_post_pivo + + static inline int security_inode_alloc (struct inode *inode) + { +- if (unlikely (IS_PRIVATE (inode))) +- return 0; + return security_ops->inode_alloc_security (inode); + } + + static inline void security_inode_free (struct inode *inode) + { +- if (unlikely (IS_PRIVATE (inode))) +- return; + security_ops->inode_free_security (inode); + } + diff --git a/queue/series b/queue/series index f1b6dd89a2d..470e061a8c2 100644 --- a/queue/series +++ b/queue/series @@ -1 +1,17 @@ scsi-turn-off-ordered-flush-barriers.patch +dm-crypt-zero-key-before-freeing-it.patch +d_instantiate_unique-nfs-inode-leakage.patch +seclvl-settime-fix.patch +fix-regression-in-xfs_buf_rele.patch +mousedev-fix-memory-leak.patch +grip-fix-crash-when-accessing-device.patch +input-db9-fix-possible-crash-with-saturn-gamepads.patch +input-sidewinder-fix-an-oops.patch +input-iforce-do-not-return-enomem-upon-successful-allocation.patch +input-iforce-fix-detection-of-usb-devices.patch +kill-compat_sys_clock_settime-sign-extension-stub.patch +fix-keyctl-usage-of-strnlen_user.patch +pcmcia-m-hostap_cs-y-is-not-a-legal-configuration.patch +selinux-fix-size-128-slab-leak.patch +fix-extra-dst-release-when-ip_options_echo-fails.patch +fixed-hardware-rx-checksum-handling.patch