From f02aa3f9a3dea4375759ae1d87bebf2467719b72 Mon Sep 17 00:00:00 2001 From: Erik Hovland Date: Fri, 30 Dec 2005 15:57:35 +0000 Subject: [PATCH 01/13] [ARM] 3216/1: indent and typo in drivers/serial/pxa.c Patch from Erik Hovland This patch provides two changes. An indent is supplied for an if/else clause so that it is more readable. An acronym is incorrectly typed as UER when it should be IER. Signed-off-by: Erik Hovland Signed-off-by: Russell King --- drivers/serial/pxa.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/serial/pxa.c b/drivers/serial/pxa.c index ff5e6309d682..cc998b99a19f 100644 --- a/drivers/serial/pxa.c +++ b/drivers/serial/pxa.c @@ -361,7 +361,7 @@ static int serial_pxa_startup(struct uart_port *port) if (port->line == 3) /* HWUART */ up->mcr |= UART_MCR_AFE; else - up->mcr = 0; + up->mcr = 0; /* * Allocate the IRQ @@ -641,7 +641,7 @@ serial_pxa_console_write(struct console *co, const char *s, unsigned int count) int i; /* - * First save the UER then disable the interrupts + * First save the IER then disable the interrupts */ ier = serial_in(up, UART_IER); serial_out(up, UART_IER, UART_IER_UUE); From 1994754412536d4ab902a81530b49bcaf496a59c Mon Sep 17 00:00:00 2001 From: Dmitry Torokhov Date: Thu, 29 Dec 2005 22:19:07 -0500 Subject: [PATCH 02/13] [PATCH] Input: kbtab - fix Y axis setup This patch fixes a typo introduced by conversion to dynamic input_dev allocation. Signed-off-by: Dmitry Torokhov Signed-off-by: Linus Torvalds --- drivers/usb/input/kbtab.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/input/kbtab.c b/drivers/usb/input/kbtab.c index a248664b5d1d..fd48e74e78ed 100644 --- a/drivers/usb/input/kbtab.c +++ b/drivers/usb/input/kbtab.c @@ -159,7 +159,7 @@ static int kbtab_probe(struct usb_interface *intf, const struct usb_device_id *i input_dev->keybit[LONG(BTN_DIGI)] |= BIT(BTN_TOOL_PEN) | BIT(BTN_TOUCH); input_dev->mscbit[0] |= BIT(MSC_SERIAL); input_set_abs_params(input_dev, ABS_X, 0, 0x2000, 4, 0); - input_set_abs_params(input_dev, ABS_X, 0, 0x1750, 4, 0); + input_set_abs_params(input_dev, ABS_Y, 0, 0x1750, 4, 0); input_set_abs_params(input_dev, ABS_PRESSURE, 0, 0xff, 0, 0); endpoint = &intf->cur_altsetting->endpoint[0].desc; From ae5536d6f7f9b51f7a0451421eade1988cfd7126 Mon Sep 17 00:00:00 2001 From: Dmitry Torokhov Date: Thu, 29 Dec 2005 22:19:08 -0500 Subject: [PATCH 03/13] [PATCH] Input: warrior - fix HAT0Y axis setup This patch fixes a typo introduced by conversion to dynamic input_dev allocation. Signed-off-by: Dmitry Torokhov Signed-off-by: Linus Torvalds --- drivers/input/joystick/warrior.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/input/joystick/warrior.c b/drivers/input/joystick/warrior.c index 99a642d2a1fe..1849b176cf18 100644 --- a/drivers/input/joystick/warrior.c +++ b/drivers/input/joystick/warrior.c @@ -172,7 +172,7 @@ static int warrior_connect(struct serio *serio, struct serio_driver *drv) input_set_abs_params(input_dev, ABS_Y, -64, 64, 0, 8); input_set_abs_params(input_dev, ABS_THROTTLE, -112, 112, 0, 0); input_set_abs_params(input_dev, ABS_HAT0X, -1, 1, 0, 0); - input_set_abs_params(input_dev, ABS_HAT0X, -1, 1, 0, 0); + input_set_abs_params(input_dev, ABS_HAT0Y, -1, 1, 0, 0); serio_set_drvdata(serio, warrior); From 40c37213a081990b1d3778f57630f97df75a7ec1 Mon Sep 17 00:00:00 2001 From: Denny Priebe Date: Thu, 29 Dec 2005 22:19:09 -0500 Subject: [PATCH 04/13] [PATCH] Input: wacom - fix X axis setup This patch fixes a typo introduced by conversion to dynamic input_dev allocation. Signed-off-by: Dmitry Torokhov Signed-off-by: Linus Torvalds --- drivers/usb/input/wacom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/input/wacom.c b/drivers/usb/input/wacom.c index aea1cfae34cc..dc099bbe12bf 100644 --- a/drivers/usb/input/wacom.c +++ b/drivers/usb/input/wacom.c @@ -854,7 +854,7 @@ static int wacom_probe(struct usb_interface *intf, const struct usb_device_id *i input_dev->evbit[0] |= BIT(EV_KEY) | BIT(EV_ABS); input_dev->keybit[LONG(BTN_DIGI)] |= BIT(BTN_TOOL_PEN) | BIT(BTN_TOUCH) | BIT(BTN_STYLUS); - input_set_abs_params(input_dev, ABS_X, 0, wacom->features->y_max, 4, 0); + input_set_abs_params(input_dev, ABS_X, 0, wacom->features->x_max, 4, 0); input_set_abs_params(input_dev, ABS_Y, 0, wacom->features->y_max, 4, 0); input_set_abs_params(input_dev, ABS_PRESSURE, 0, wacom->features->pressure_max, 0, 0); From 8b90db0df7187a01fb7177f1f812123138f562cf Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Fri, 30 Dec 2005 08:39:10 -0800 Subject: [PATCH 05/13] Insanity avoidance in /proc The old /proc interfaces were never updated to use loff_t, and are just generally broken. Now, we should be using the seq_file interface for all of the proc files, but converting the legacy functions is more work than most people care for and has little upside.. But at least we can make the non-LFS rules explicit, rather than just insanely wrapping the offset or something. Signed-off-by: Linus Torvalds --- fs/proc/generic.c | 47 +++++++++++++++++++++++------------------------ 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/fs/proc/generic.c b/fs/proc/generic.c index b638fb500743..72b431d0a0a4 100644 --- a/fs/proc/generic.c +++ b/fs/proc/generic.c @@ -54,6 +54,18 @@ proc_file_read(struct file *file, char __user *buf, size_t nbytes, ssize_t n, count; char *start; struct proc_dir_entry * dp; + unsigned long long pos; + + /* + * Gaah, please just use "seq_file" instead. The legacy /proc + * interfaces cut loff_t down to off_t for reads, and ignore + * the offset entirely for writes.. + */ + pos = *ppos; + if (pos > MAX_NON_LFS) + return 0; + if (nbytes > MAX_NON_LFS - pos) + nbytes = MAX_NON_LFS - pos; dp = PDE(inode); if (!(page = (char*) __get_free_page(GFP_KERNEL))) @@ -202,30 +214,17 @@ proc_file_write(struct file *file, const char __user *buffer, static loff_t proc_file_lseek(struct file *file, loff_t offset, int orig) { - lock_kernel(); - - switch (orig) { - case 0: - if (offset < 0) - goto out; - file->f_pos = offset; - unlock_kernel(); - return(file->f_pos); - case 1: - if (offset + file->f_pos < 0) - goto out; - file->f_pos += offset; - unlock_kernel(); - return(file->f_pos); - case 2: - goto out; - default: - goto out; - } - -out: - unlock_kernel(); - return -EINVAL; + loff_t retval = -EINVAL; + switch (orig) { + case 1: + offset += file->f_pos; + /* fallthrough */ + case 0: + if (offset < 0 || offset > MAX_NON_LFS) + break; + file->f_pos = retval = offset; + } + return retval; } static int proc_notify_change(struct dentry *dentry, struct iattr *iattr) From 8febdd85adaa41fa1fc1cb31286210fc2cd3ed0c Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Fri, 30 Dec 2005 17:18:53 -0800 Subject: [PATCH 06/13] sysctl: don't overflow the user-supplied buffer with '\0' If the string was too long to fit in the user-supplied buffer, the sysctl layer would zero-terminate it by writing past the end of the buffer. Don't do that. Noticed by Yi Yang Signed-off-by: Linus Torvalds --- kernel/sysctl.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 9990e10192e8..ad0425a8f709 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -2201,14 +2201,12 @@ int sysctl_string(ctl_table *table, int __user *name, int nlen, if (get_user(len, oldlenp)) return -EFAULT; if (len) { - l = strlen(table->data); + l = strlen(table->data)+1; if (len > l) len = l; if (len >= table->maxlen) len = table->maxlen; if(copy_to_user(oldval, table->data, len)) return -EFAULT; - if(put_user(0, ((char __user *) oldval) + len)) - return -EFAULT; if(put_user(len, oldlenp)) return -EFAULT; } From 82c9df820112c6286a8e8fbe482e94b65b49062c Mon Sep 17 00:00:00 2001 From: Yi Yang Date: Fri, 30 Dec 2005 16:37:10 +0800 Subject: [PATCH 07/13] [PATCH] Fix false old value return of sysctl For the sysctl syscall, if the user wants to get the old value of a sysctl entry and set a new value for it in the same syscall, the old value is always overwritten by the new value if the sysctl entry is of string type and if the user sets its strategy to sysctl_string. This issue lies in the strategy being run twice if the strategy is set to sysctl_string, the general strategy sysctl_string always returns 0 if success. Such strategy routines as sysctl_jiffies and sysctl_jiffies_ms return 1 because they do read and write for the sysctl entry. The strategy routine sysctl_string return 0 although it actually read and write the sysctl entry. According to my analysis, if a strategy routine do read and write, it should return 1, if it just does some necessary check but not read and write, it should return 0, for example sysctl_intvec. Signed-off-by: Yi Yang Signed-off-by: Linus Torvalds --- kernel/sysctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/sysctl.c b/kernel/sysctl.c index ad0425a8f709..e5102ea6e104 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -2221,7 +2221,7 @@ int sysctl_string(ctl_table *table, int __user *name, int nlen, len--; ((char *) table->data)[len] = 0; } - return 0; + return 1; } /* From de9e007d9105bf8fa613a89810feff32a43add03 Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Sat, 31 Dec 2005 17:00:29 -0800 Subject: [PATCH 08/13] sysctl: make sure to terminate strings with a NUL This is a slightly more complete fix for the previous minimal sysctl string fix. It always terminates the returned string with a NUL, even if the full result wouldn't fit in the user-supplied buffer. The returned length is the full untruncated length, so that you can tell when truncation has occurred. Signed-off-by: Linus Torvalds --- kernel/sysctl.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/kernel/sysctl.c b/kernel/sysctl.c index e5102ea6e104..b53115b882e1 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -2192,27 +2192,32 @@ int sysctl_string(ctl_table *table, int __user *name, int nlen, void __user *oldval, size_t __user *oldlenp, void __user *newval, size_t newlen, void **context) { - size_t l, len; - if (!table->data || !table->maxlen) return -ENOTDIR; if (oldval && oldlenp) { - if (get_user(len, oldlenp)) + size_t bufsize; + if (get_user(bufsize, oldlenp)) return -EFAULT; - if (len) { - l = strlen(table->data)+1; - if (len > l) len = l; - if (len >= table->maxlen) + if (bufsize) { + size_t len = strlen(table->data), copied; + + /* This shouldn't trigger for a well-formed sysctl */ + if (len > table->maxlen) len = table->maxlen; - if(copy_to_user(oldval, table->data, len)) + + /* Copy up to a max of bufsize-1 bytes of the string */ + copied = (len >= bufsize) ? bufsize - 1 : len; + + if (copy_to_user(oldval, table->data, copied) || + put_user(0, (char __user *)(oldval + copied))) return -EFAULT; - if(put_user(len, oldlenp)) + if (put_user(len, oldlenp)) return -EFAULT; } } if (newval && newlen) { - len = newlen; + size_t len = newlen; if (len > table->maxlen) len = table->maxlen; if(copy_from_user(table->data, newval, len)) From 557962a926c62a9c4bd79d6b36df873d4f8c51ef Mon Sep 17 00:00:00 2001 From: Stas Sergeev Date: Sun, 1 Jan 2006 04:18:52 +0300 Subject: [PATCH 09/13] [PATCH] x86: teach dump_task_regs() about the -8 offset. This should fix multi-threaded core-files Signed-off-by: stsp@aknet.ru Signed-off-by: Linus Torvalds --- arch/i386/kernel/process.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/i386/kernel/process.c b/arch/i386/kernel/process.c index df6c2bcde067..2333aead0563 100644 --- a/arch/i386/kernel/process.c +++ b/arch/i386/kernel/process.c @@ -554,7 +554,9 @@ int dump_task_regs(struct task_struct *tsk, elf_gregset_t *regs) struct pt_regs ptregs; ptregs = *(struct pt_regs *) - ((unsigned long)tsk->thread_info+THREAD_SIZE - sizeof(ptregs)); + ((unsigned long)tsk->thread_info + + /* see comments in copy_thread() about -8 */ + THREAD_SIZE - sizeof(ptregs) - 8); ptregs.xcs &= 0xffff; ptregs.xds &= 0xffff; ptregs.xes &= 0xffff; From f12f4d90308a22396ac87f6c3a7b2620589614c3 Mon Sep 17 00:00:00 2001 From: Benjamin Herrenschmidt Date: Mon, 2 Jan 2006 13:04:44 +1100 Subject: [PATCH 10/13] [PATCH] powerpc: more g5 overtemp problem fix Some G5s still occasionally experience shutdowns due to overtemp conditions despite the recent fix. After analyzing logs from such machines, it appears that the overtemp code is a bit too quick at shutting the machine down when reaching the critical temperature (tmax + 8) and doesn't leave the fan enough time to actually cool it down. This happens if the temperature of a CPU suddenly rises too high in a very short period of time, or occasionally on boot (that is the CPUs are already overtemp by the time the driver loads). This patches makes the code a bit more relaxed, leaving a few seconds to the fans to do their job before kicking the machine shutown. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Linus Torvalds --- drivers/macintosh/therm_pm72.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/macintosh/therm_pm72.c b/drivers/macintosh/therm_pm72.c index 5bb36274a5c6..190878eef990 100644 --- a/drivers/macintosh/therm_pm72.c +++ b/drivers/macintosh/therm_pm72.c @@ -923,7 +923,7 @@ static void do_monitor_cpu_combined(void) if (temp_combi >= ((state0->mpu.tmax + 8) << 16)) { printk(KERN_WARNING "Warning ! Temperature way above maximum (%d) !\n", temp_combi >> 16); - state0->overtemp = CPU_MAX_OVERTEMP; + state0->overtemp += CPU_MAX_OVERTEMP / 4; } else if (temp_combi > (state0->mpu.tmax << 16)) state0->overtemp++; else @@ -998,7 +998,7 @@ static void do_monitor_cpu_split(struct cpu_pid_state *state) printk(KERN_WARNING "Warning ! CPU %d temperature way above maximum" " (%d) !\n", state->index, temp >> 16); - state->overtemp = CPU_MAX_OVERTEMP; + state->overtemp += CPU_MAX_OVERTEMP / 4; } else if (temp > (state->mpu.tmax << 16)) state->overtemp++; else @@ -1060,7 +1060,7 @@ static void do_monitor_cpu_rack(struct cpu_pid_state *state) printk(KERN_WARNING "Warning ! CPU %d temperature way above maximum" " (%d) !\n", state->index, temp >> 16); - state->overtemp = CPU_MAX_OVERTEMP; + state->overtemp = CPU_MAX_OVERTEMP / 4; } else if (temp > (state->mpu.tmax << 16)) state->overtemp++; else From abe842eb98c45e2b77c5868ef106616ca828a3e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dag-Erling=20Sm=F8rgrav?= Date: Mon, 2 Jan 2006 15:57:06 +0100 Subject: [PATCH 11/13] [PATCH] Avoid namespace pollution in In commit 3D59121003721a8fad11ee72e646fd9d3076b5679c, the x86 and x86-64 was changed to include for the configurable timer frequency. However, asm/param.h is sometimes used in userland (it is included indirectly from ), so your commit pollutes the userland namespace with tons of CONFIG_FOO macros. This greatly confuses software packages (such as BusyBox) which use CONFIG_FOO macros themselves to control the inclusion of optional features. After a short exchange, Christoph approved this patch Signed-off-by: Linus Torvalds --- include/asm-i386/param.h | 3 +-- include/asm-x86_64/param.h | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/include/asm-i386/param.h b/include/asm-i386/param.h index fa02e67ea86b..095580f3a45c 100644 --- a/include/asm-i386/param.h +++ b/include/asm-i386/param.h @@ -1,9 +1,8 @@ -#include - #ifndef _ASMi386_PARAM_H #define _ASMi386_PARAM_H #ifdef __KERNEL__ +# include # define HZ CONFIG_HZ /* Internal kernel timer frequency */ # define USER_HZ 100 /* .. some user interfaces are in "ticks" */ # define CLOCKS_PER_SEC (USER_HZ) /* like times() */ diff --git a/include/asm-x86_64/param.h b/include/asm-x86_64/param.h index 40b11937180d..5956b23b57c2 100644 --- a/include/asm-x86_64/param.h +++ b/include/asm-x86_64/param.h @@ -1,9 +1,8 @@ -#include - #ifndef _ASMx86_64_PARAM_H #define _ASMx86_64_PARAM_H #ifdef __KERNEL__ +# include # define HZ CONFIG_HZ /* Internal kernel timer frequency */ # define USER_HZ 100 /* .. some user interfaces are in "ticks */ #define CLOCKS_PER_SEC (USER_HZ) /* like times() */ From 8f493d797bc1fe470377adc9d8775845427e240e Mon Sep 17 00:00:00 2001 From: Andi Kleen Date: Tue, 3 Jan 2006 00:07:28 +0100 Subject: [PATCH 12/13] [PATCH] Make sure interleave masks have at least one node set Otherwise a bad mem policy system call can confuse the interleaving code into referencing undefined nodes. Originally reported by Doug Chapman I was told it's CVE-2005-3358 (one has to love these security people - they make everything sound important) Signed-off-by: Andi Kleen Signed-off-by: Linus Torvalds --- mm/mempolicy.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/mm/mempolicy.c b/mm/mempolicy.c index bec88c81244e..72f402cc9c9a 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -161,6 +161,10 @@ static struct mempolicy *mpol_new(int mode, nodemask_t *nodes) switch (mode) { case MPOL_INTERLEAVE: policy->v.nodes = *nodes; + if (nodes_weight(*nodes) == 0) { + kmem_cache_free(policy_cache, policy); + return ERR_PTR(-EINVAL); + } break; case MPOL_PREFERRED: policy->v.preferred_node = first_node(*nodes); From 88026842b0a760145aa71d69e74fbc9ec118ca44 Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Mon, 2 Jan 2006 19:21:10 -0800 Subject: [PATCH 13/13] Linux v2.6.15 Hey, it's fifteen years today since I bought the machine that got Linux started. January 2nd is a good date. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index f937f1f4595e..497884d3d556 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ VERSION = 2 PATCHLEVEL = 6 SUBLEVEL = 15 -EXTRAVERSION =-rc7 +EXTRAVERSION = NAME=Sliding Snow Leopard # *DOCUMENTATION*