Age | Commit message (Collapse) | Author |
|
From: Alexandra Kossovsky <Alexandra.Kossovsky@oktetlabs.ru>
From http://bugzilla.kernel.org/show_bug.cgi?id=4746
There is user data corruption when using ioctl(SIOCGIFCONF) in 32-bit
application running amd64 kernel. I do not think that this problem is
exploitable, but any data corruption may lead to security problems.
Following code demonstrates the problem
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <net/if.h>
#include <sys/ioctl.h>
char buf[256];
main()
{
int s = socket(AF_INET, SOCK_DGRAM, 0);
struct ifconf req;
int i;
req.ifc_buf = buf;
req.ifc_len = 41;
printf("Result %d\n", ioctl(s, SIOCGIFCONF, &req));
printf("Len %d\n", req.ifc_len);
for (i = 41; i < 256; i++)
if (buf[i] != 0)
printf("Byte %d is corrupted\n", i);
}
Steps to reproduce:
Compile the code above into 32-bit elf and run it. You'll get
Result 0
Len 32
Byte 48 is corrupted
Byte 52 is corrupted
Byte 53 is corrupted
Byte 54 is corrupted
Byte 55 is corrupted
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
This way we don't have to check it in sk_run_filter().
Signed-off-by: Kris Katterjohn <kjak@users.sourceforge.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
If two packets were queued to be sent at the same time in the future,
their order would be reversed. This would occur because the queue is
traversed back to front, and a position is found by checking whether
the new packet needs to be sent before the packet being examined. If
the new packet is to be sent at the same time of a previous packet, it
would end up before the old packet in the queue. This patch places
packets in the correct order when they are queued to be sent at a same
time in the future.
Signed-off-by: Andrea Bittau <a.bittau@cs.ucl.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
|
|
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
|
|
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
|
|
kseriod and kgameportd used to process all pending events before
checking for freeze condition. This may cause swsusp to time out
while stopping tasks when resuming. Switch to process events one
by one to check freeze status more often.
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
|
|
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
|
|
If thread that submitted FF request gets interrupted somehow it
will release request structure and ioctl handler will work with
freed memory. TO prevent that from happening switch to using
wait_for_completion instead of wait_for_completion_interruptible.
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
|
|
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
|
|
Also introduce proper locking when creating/deleting device.
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
|
|
Try to save battery power by disabling wifi and bluetooth on suspend.
Signed-off-by: Miloslav Trmac <mitr@volny.cz>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
|
|
Register wistron-bios as a platform device, restore WIFI and
Bluetooth state upon resume.
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
|
|
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
|
|
Also fix a potential issue with some notebooks:
The current code assumes the response to bios_wifi_get_default_setting is
either 1 (disabled) or 3 (enabled), or wifi isn't supported. The BIOS
response appears to be a bit field w/ 0x1 indicating hardware presence, 0x2
indicating actiation status, and the other 6 bits being unknown/reserved --
with the patch, these 6 bits are ignored.
Signed-off-by: Bernhard Rosenkraenzer <bero@arklinux.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
|
|
On x86_64:
{standard input}:233: Error: suffix or operands invalid for `push'
{standard input}:233: Error: suffix or operands invalid for `pop'
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
|
|
A driver for laptop buttons using an x86 BIOS interface that is
apparently used on quite a few laptops and seems to be originating
from Wistron.
This driver currently "knows" only about Fujitsu-Siemens Amilo Pro V2000
(i.e. it can detect the laptop using DMI and it contains the
keycode->key meaning mapping for this laptop) and Xeron SonicPro X 155G
(probably can't be reliably autodetected, requires a module parameter),
adding other laptops should be easy.
In addition to reporting button presses to the input layer the driver
also allows enabling/disabling the embedded wireless NIC (using the
"Wifi" button); this is done using the same BIOS interface, so it seems
only logical to keep the implementation together. Any flexibility
possibly gained by allowing users to remap the function of the "Wifi"
button is IMHO not worth it when weighted against the necessity to run
an user-space daemon to convert button presses to wifi state changes.
Signed-off-by: Miloslav Trmac <mitr@volny.cz>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
|
|
Changing led state is pretty slow operation; when there are multiple
requests coming at a high rate they may interfere with normal typing.
Try optimize (skip) changing hardware state when multiple requests
are coming back-to-back.
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
|
|
|
|
so it does not return EACCESS (unless server really returns that).
Signed-off-by: Steve French <sfrench@us.ibm.com>
|
|
|
|
|
|
|
|
Manual fixups to ARM ixp4xxx by hand.
|
|
|
|
Also remove bogus comments for idefloppy_init() and idetape_init().
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
|
|
flagged_taskfile() is called from execute_drive_cmd()
(the only user) only if args->tf_out_flags.all != 0.
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
|
|
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
|
|
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
|
|
Remove duplicate documentation for ide_do_drive_cmd() from
<linux/ide.h>, this function is already documented in ide-io.c.
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
|
|
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
|
|
From: Mathias Kretschmer <posting@blx4.net>
Signed-off-by: Daniel Drake <dsd@gentoo.org>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
|
|
Since the spinlock was removed from sa1100_start_tx(), the "flags"
variable becomes redundant. Remove it.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
|
|
The receiver status register reports latched error conditions, which
must be cleared by writing to it. However, the data register reports
unlatched conditions which are associated with the current character.
Use the data register to interpret error status rather than the RSR.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
|
|
We were using udelay in the loop on the primary cpu waiting for the
secondary cpu to take the timebase value. Unfortunately now that
udelay uses the timebase, and the timebase is stopped at this point,
the udelay never terminated. This fixes it by not using udelay, and
increases the number of loops before we time out to compensate.
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
Patch from Daniel Jacobowitz
After delivering a signal (creating its stack frame) we must check for
additional pending unblocked signals before returning to userspace.
Otherwise signals may be delayed past the next syscall or reschedule.
Once that was fixed it became obvious that the ARM signal mask manipulation
was broken. It was a little bit broken before the recent SA_NODEFER
changes, and then very broken after them. We must block the requested
signals before starting the handler or the same signal can be delivered
again before the handler even gets a chance to run.
Signed-off-by: Daniel Jacobowitz <dan@codesourcery.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
|
|
The result is mostly similar to the original ppc64 version but with
some adaptations for 32-bit compilation.
include/asm-ppc64 is now empty!
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
It's only used by arch/powerpc/kernel/ptrace{,32}.c.
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
This involves some minor changes: a few unused functions that the
ppc32 pci.c provides are no longer declared here or exported;
pcibios_assign_all_busses now just refers to the pci_assign_all_buses
variable on both 32-bit and 64-bit; pcibios_scan_all_fns is now
just 0 instead of a function that always returns 0 on 64-bit.
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
For these, I have just done the lame-o merge where the file ends up
looking like:
#ifndef CONFIG_PPC64
#include <asm-ppc/foo.h>
#else
... contents from asm-ppc64/foo.h
#endif
so nothing has changed, really, except that we reduce include/asm-ppc64
a bit more.
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
Signed-off-by: Steve French <sfrench@us.ibm.com>
|
|
asm-ppc64/imalloc.h is only included from files in arch/powerpc/mm.
We already have a header for mm local definitions,
arch/powerpc/mm/mmu_decl.h. Thus, this patch moves the contents of
imalloc.h into mmu_decl.h. The only exception are the definitions of
PHBS_IO_BASE, IMALLOC_BASE and IMALLOC_END. Those are moved into
pgtable.h, next to similar definitions of VMALLOC_START and
VMALLOC_SIZE.
Built for multiplatform 32bit and 64bit (ARCH=powerpc).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
|
|
Trying to set the priority would just disable the interrupt due to an
incorrect mask used. We rarely use that call, in fact, I think only in
the powermac code for the cmd-power key combo that triggers xmon. So it
got unnoticed for a while.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
|
|
|
Noticed by Helge Deller.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
master.kernel.org:/pub/scm/linux/kernel/git/roland/infiniband
|
|
master.kernel.org:/pub/scm/linux/kernel/git/kyle/parisc-2.6
|
|
Make sure that userspace passes in enough data when sending a MAD. We
always copy at least sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR
bytes from userspace, so anything less is definitely invalid. Also,
if the length is less than this limit, it's possible for the second
copy_from_user() to get a negative length and trigger a BUG().
Signed-off-by: Roland Dreier <rolandd@cisco.com>
|
|
The following patch fixes a crash caused by attempting to bounce buffer
when an IDE CD-ROM is used on a machine with an IO-MMU. [At least, this
patch fixes things so I can use my IDE CD-ROM behind an ns87415 on a
HP PA-RISC workstation.]
Signed-off-by: James Bottomley <jejb@parisc-linux.org>
Signed-off-by: Kyle McMartin <kyle@parisc-linux.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
|