summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)Author
2007-12-23Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-2.6Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-2.6: Modules: fix memory leak of module names UIO: Add a MAINTAINERS entry for Userspace I/O
2007-12-23Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6: USB: New device ID for the CP2101 driver USB: VID/PID update for sierra USB: Unbreak fsl_usb2_udc
2007-12-23Merge branch 'upstream-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/netdev-2.6 * 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/netdev-2.6: MACB: clear transmit buffers properly on transmit underrun 3c359 endianness annotations and fixes fec_mpc52xx: write in C... 3c574 and 3c589 endianness fixes (.24?) rrunner: use offsetof() instead of homegrown insanity r8169 endianness dl2k endianness fixes (.24 fodder?) yellowfin: annotations and fixes (.24 fodder?) asix fixes cycx: annotations and fixes (.24 fodder?) typhoon: trivial endianness annotations typhoon: memory corruptor on big-endian if TSO is enabled typhoon: missed rx overruns on big-endian typhoon: set_settings broken on big-endian typhoon: missing le32_to_cpu() in get_drvinfo typhoon: endianness bug in tx/rx byte counters ipw2200: prevent alloc of unspecified size on stack iwlwifi: fix possible priv->mutex deadlock during suspend p54: add Kconfig description rtl8187: Add USB ID for Sitecom WL-168 v1 001
2007-12-23uml: user of helper_wait() got missed when it got extra argumentsAl Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-23tty: fix logic change introduced by wait_event_interruptible_timeout()Cory T. Tusar
Commit 5a52bd4a2dcb570333ce6fe2e16cd311650dbdc8 introduced a subtle logic change in tty_wait_until_sent(). The original version would only error out of the 'do { ... } while (timeout)' loop if signal_pending() evaluated to true; a timeout or break due to an empty buffer would fall out of the loop and into the tty->driver->wait_until_sent handling. The current implementation will error out on either a pending signal or an empty buffer, falling through to the tty->driver->wait_until_sent handling only on a timeout. The ->wait_until_sent() will not be reached if the buffer empties before timeout jiffies have elapsed. This behavior differs from that prior to commit 5a52bd4a2dcb570333ce6fe2e16cd311650dbdc8. I turned this up while using a little serial download utility to bootstrap an ARM-based eval board. The util worked fine on 2.6.22.x, but consistently failed on 2.6.23.x. Once I'd determined that, I narrowed things down with git bisect, and found the above difference in logic in tty_wait_until_sent() by inspection. This change reverts the logic flow in tty_wait_until_sent() to match that prior to the aforementioned commit. Signed-off-by: Cory T. Tusar <ctusar@videon-central.com> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Acked-by: Jiri Slaby <jirislaby@gmail.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-23kconfig: obey KCONFIG_ALLCONFIG choices with randconfig.Paul Mundt
Currently when using KCONFIG_ALLCONFIG with randconfig the choice options are clobbered. As recommended by Roman, this adds an is_new test to see whether to select a new option or obey the existing one. This is a resend of the earlier patch a couple of weeks ago, since there was no reply. Original thread is at http://lkml.org/lkml/2007/11/28/94 Signed-off-by: Paul Mundt <lethal@linux-sh.org> Cc: Roman Zippel <zippel@linux-m68k.org> Cc: Sam Ravnborg <sam@ravnborg.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-23pcmcia: remove pxa2xx_lubbock build warningDavid Brownell
Init section confusion. There will likely be some other similar issues, introduced by I'm-not-sure-what-patch. Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-23lib: proportion: fix underflow in prop_norm_percpu()Peter Zijlstra
Zhe Jiang noticed that its possible to underflow pl->events in prop_norm_percpu() when the value returned by percpu_counter_read() is less than the error on that read and the period delay > 1. In that case half might not trigger the batch increment and the value will be identical on the next iteration, causing the same half to be subtracted again and again. Fix this by rewriting the division as a single subtraction instead of a subtraction loop and using percpu_counter_sum() when the value returned by percpu_counter_read() is smaller than the error. The latter is still needed if we want pl->events to shrink properly in the error region. [akpm@linux-foundation.org: cleanups] Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl> Reviewed-by: Jiang Zhe <zhe.jiang@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-23ps3: vuart: fix error path lockingDaniel Walker
This stray down would cause a permanent sleep which doesn't seem correct. The other uses of this semaphore appear fairly mutex like it's even initialized with init_MUTEX() .. So here a patch for removing this one down(). Signed-off-by: Geoff Levand <geoffrey.levand@am.sony.com> Signed-off-by: Daniel Walker <dwalker@mvista.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-23MAINTAINERS: mailing list archives are web linksJoe Perches
L: entries should be email addresses Change L:http entries to W:http Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-23ecryptfs: redo dget,mntget on dentry_open failureEric Sandeen
Thanks to Jeff Moyer for pointing this out. If the RDWR dentry_open() in ecryptfs_init_persistent_file fails, it will do a dput/mntput. Need to re-take references if we retry as RDONLY. Signed-off-by: Eric Sandeen <sandeen@redhat.com> Acked-by: Mike Halcrow <mhalcrow@us.ibm.com> Signed-off-by: Jeff Moyer <jmoyer@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-23ecryptfs: fix unlocking in error pathsEric Sandeen
Thanks to Josef Bacik for finding these. A couple of ecryptfs error paths don't properly unlock things they locked. Signed-off-by: Eric Sandeen <sandeen@redhat.com> Cc: Josef Bacik <jbacik@redhat.com> Cc: Michael Halcrow <mhalcrow@us.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-23Don't send quota messages repeatedly when hardlimit reachedJan Kara
We should send quota message to netlink only once when hardlimit is reached. Otherwise user could easily make the system busy by trying to exceed the hardlimit (and also the messages could be anoying if you cannot stop writing just now). Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-23Fix computation of SKB size for quota messagesJan Kara
Fix computation of size of skb needed for quota message. We should use netlink provided functions and not just an ad-hoc number. Also don't print the return value from nla_put_foo() as it is always -1. Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-23ecryptfs: fix string overflow on long cipher namesEric Sandeen
Passing a cipher name > 32 chars on mount results in an overflow when the cipher name is printed, because the last character in the struct ecryptfs_key_tfm's cipher_name string was never zeroed. Signed-off-by: Eric Sandeen <sandeen@redhat.com> Acked-by: Michael Halcrow <mhalcrow@us.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-23quicklists: do not release off node pages earlyChristoph Lameter
quicklists must keep even off node pages on the quicklists until the TLB flush has been completed. Signed-off-by: Christoph Lameter <clameter@sgi.com> Cc: Dhaval Giani <dhaval@linux.vnet.ibm.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-22USB: New device ID for the CP2101 driverMartin Kusserow
attached please find a new device ID for CP2101 driver. This device is a usb stick from Dynastream to communicate with ANT wireless devices which I suppose is fairly similar to the ANT dev board having product id 0x1003. From: Martin Kusserow <kusserow@ife.ee.ethz.ch> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-12-22USB: VID/PID update for sierraKevin R Page
Adds VID/PID for the MC8775 found internally in the Thinkpad X61s laptop (and likely others). For commercial reasons the driver maintainer cannot add VID/PIDs for laptop OEM devices himself. Signed-off-by: Kevin R Page <linux-kernel@krp.org.uk> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-12-22USB: Unbreak fsl_usb2_udcPeter Korsgaard
Commit a4e3ef5... (USB: gadget: gadget_is_{dualspeed,otg} predicates and cleanup) broke fsl_usb2_udc; the build test didn't cover peripheral drivers, just gadget drivers. Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-12-22Modules: fix memory leak of module namesGreg Kroah-Hartman
Due to the change in kobject name handling, the module kobject needs to have a null release function to ensure that the name it previously set will be properly cleaned up. All of this wierdness goes away in 2.6.25 with the rework of the kobject name and cleanup logic, but this is required for 2.6.24. Thanks to Alexey Dobriyan for finding the problem, and to Kay Sievers for pointing out the simple way to fix it after I tried many complex ways. Cc: Alexey Dobriyan <adobriyan@gmail.com> Cc: Kay Sievers <kay.sievers@vrfy.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-12-22UIO: Add a MAINTAINERS entry for Userspace I/OHans-Jürgen Koch
This patch adds an entry for the Userspace I/O framework to MAINTAINERS. Signed-off-by: Hans J. Koch <hjk@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-12-22MACB: clear transmit buffers properly on transmit underrunGregory CLEMENT
Initially transmit buffer pointers were only reset. But buffer descriptors were possibly still set as ready, and buffer in upper layer was not freed. This caused driver hang under big load. Now reset clean properly the buffer descriptor and freed upper layer. Signed-off-by: Gregory CLEMENT <gclement00@gmail.com> Signed-off-by: Haavard Skinnemoen <hskinnemoen@atmel.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-22Merge branch 'fixes-jgarzik' of ↵Jeff Garzik
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 into upstream-fixes
2007-12-223c359 endianness annotations and fixesAl Viro
Same story as with olympic - htons(readw()) when swab16(readw()) is needed, missing conversions to le32 when dealing with shared descriptors, etc. Olympic got those fixes in 2.4.0-test2, 3c359 didn't. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-22fec_mpc52xx: write in C...Al Viro
If you need to find a difference between addresses of two struct members, subtract offsetof() or cast addresses to char * and subtract those if you prefer it that way. Doing that same with s/char */u32/, OTOH... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-223c574 and 3c589 endianness fixes (.24?)Al Viro
Both store MAC address in CIS; there's no decoder for that type (0x88) so the drivers work with raw data. It is byteswapped, so ntohs() works for little-endian, but for big-endian it's wrong. ntohs(le16_to_cpu()) does the right thing on both (and always expands to swab16()). Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-22rrunner: use offsetof() instead of homegrown insanityAl Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-22r8169 endiannessAl Viro
missing conversions in a couple of places Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-22dl2k endianness fixes (.24 fodder?)Al Viro
* shift before cpu_to_le64(), not after it * writel() converts to l-e itself * misc missing conversions * in set_multicast() hash_table[] is host-endian; we feed it to card via writel() and populate it as host-endian, so we'd better put the first element into it also in host-endian * pci_unmap_single() et.al. expect host-endian, not little-endian Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-22yellowfin: annotations and fixes (.24 fodder?)Al Viro
pci_unmap_single() and friends getting a little-endian address... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-22asix fixesAl Viro
* usb_control_message() to/from stack (breaks on e.g. arm); some places did kmalloc() for buffer, some just worked from stack. Added kmalloc()/memcpy()/kfree() in asix_read_cmd()/asix_write_cmd(), removed that crap from callers. * Fixed a leak in ax88172_bind() - on success it forgot to kfree() the buffer. * Endianness bug in ax88178_bind() - we read a word from eeprom and work with it without converting to host-endian Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-22cycx: annotations and fixes (.24 fodder?)Al Viro
skb->protocol is net-endian, TYVM... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-22typhoon: trivial endianness annotationsAl Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-22typhoon: memory corruptor on big-endian if TSO is enabledAl Viro
txlo_dma_addr should be host-endian; we pass it to typhoon_tso_fill(), which does arithmetics on it, converts to l-e and passes it to card. Unfortunately, we forgot le32_to_cpu() when initializing it from face->txLoAddr, which sits in shared memory and is little-endian. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-22typhoon: missed rx overruns on big-endianAl Viro
rxBuffCleared is little-endian; we miss le32_to_cpu() in checks for rx ring overruns. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-22typhoon: set_settings broken on big-endianAl Viro
One cpu_to_le16() too many when passing argument for TYPHOON_CMD_XCVR_SELECT; we end up passing host-endian while the hardware expects little-endian. The other place doing that (typhoon_start_runtime()) does the right thing, so the card will recover at the next ifconfig up/tx timeout/resume, which limits the amount of mess, but still, WTF? Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-22typhoon: missing le32_to_cpu() in get_drvinfoAl Viro
in typhoon_get_drvinfo() .parm2 is little-endian; not critical since we just get the firmware id flipped in get_drvinfo output on big-endian boxen, but... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-22typhoon: endianness bug in tx/rx byte countersAl Viro
txBytes and rxBytesGood are both 64bit; using le32_to_cpu() won't work on big-endian for obvious reasons. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-12-21Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (23 commits) [IPV4]: OOPS with NETLINK_FIB_LOOKUP netlink socket [NET]: Fix function put_cmsg() which may cause usr application memory overflow [ATM]: Spelling fixes [NETFILTER] ipv4: Spelling fixes [NETFILTER]: Spelling fixes [SCTP]: Spelling fixes [NETLABEL]: Spelling fixes [PKT_SCHED]: Spelling fixes [NET] net/core/: Spelling fixes [IPV6]: Spelling fixes [IRDA]: Spelling fixes [DCCP]: Spelling fixes [NET] include/net/: Spelling fixes [NET]: Correct two mistaken skb_reset_mac_header() conversions. [IPV4] ip_gre: set mac_header correctly in receive path [XFRM]: Audit function arguments misordered [IPSEC]: Avoid undefined shift operation when testing algorithm ID [IPV4] ARP: Remove not used code [TG3]: Endianness bugfix. [TG3]: Endianness annotations. ...
2007-12-21Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6: [SPARC32]: Spelling fixes [SPARC64]: Spelling fixes [SPARC64]: Fix OOPS in dma_sync_*_for_device()
2007-12-21SLUB: Improve hackbench speedChristoph Lameter
Increase the mininum number of partial slabs to keep around and put partial slabs to the end of the partial queue so that they can add more objects. Signed-off-by: Christoph Lameter <clameter@sgi.com> Reviewed-by: Pekka Enberg <penberg@cs.helsinki.fi> Acked-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-21[IPV4]: OOPS with NETLINK_FIB_LOOKUP netlink socketDenis V. Lunev
[ Regression added by changeset: cd40b7d3983c708aabe3d3008ec64ffce56d33b0 [NET]: make netlink user -> kernel interface synchronious -DaveM ] nl_fib_input re-reuses incoming skb to send the reply. This means that this packet will be freed twice, namely in: - netlink_unicast_kernel - on receive path Use clone to send as a cure, the caller is responsible for kfree_skb on error. Thanks to Alexey Dobryan, who originally found the problem. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-20Linux 2.6.24-rc6v2.6.24-rc6Linus Torvalds
2007-12-20Merge git://git.kernel.org/pub/scm/linux/kernel/git/x86/linux-2.6-x86Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/x86/linux-2.6-x86: x86: intel_cacheinfo.c: cpu cache info entry for Intel Tolapai x86: fix die() to not be preemptible
2007-12-20Merge branch 'for-linus' of git://oss.sgi.com:8090/xfs/xfs-2.6Linus Torvalds
* 'for-linus' of git://oss.sgi.com:8090/xfs/xfs-2.6: [XFS] Initialise current offset in xfs_file_readdir correctly [XFS] Fix mknod regression
2007-12-21[XFS] Initialise current offset in xfs_file_readdir correctlyLachlan McIlroy
After reading the directory contents into the temporary buffer, we grab each dirent and pass it to filldir witht eh current offset of the dirent. The current offset was not being set for the first dirent in the temporary buffer, which coul dresult in bad offsets being set in the f_pos field result in looping and duplicate entries being returned from readdir. SGI-PV: 974905 SGI-Modid: xfs-linux-melb:xfs-kern:30282a Signed-off-by: David Chinner <dgc@sgi.com> Signed-off-by: Tim Shimmin <tes@sgi.com> Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
2007-12-21[XFS] Fix mknod regressionChristoph Hellwig
This was broken by my '[XFS] simplify xfs_create/mknod/symlink prototype', which assigned the re-shuffled ondisk dev_t back to the rdev variable in xfs_vn_mknod. Because of that i_rdev is set to the ondisk dev_t instead of the linux dev_t later down the function. Fortunately the fix for it is trivial: we can just remove the assignment because xfs_revalidate_inode has done the proper job before unlocking the inode. SGI-PV: 974873 SGI-Modid: xfs-linux-melb:xfs-kern:30273a Signed-off-by: Christoph Hellwig <hch@infradead.org> Signed-off-by: David Chinner <dgc@sgi.com> Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
2007-12-21x86: intel_cacheinfo.c: cpu cache info entry for Intel TolapaiJason Gaston
This patch adds a cpu cache info entry for the Intel Tolapai cpu. Signed-off-by: Jason Gaston <jason.d.gaston@intel.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2007-12-21x86: fix die() to not be preemptibleIngo Molnar
Andrew "Eagle Eye" Morton noticed that we use raw_local_save_flags() instead of raw_local_irq_save(flags) in die(). This allows the preemption of oopsing contexts - which is highly undesirable. It also causes CONFIG_DEBUG_PREEMPT to complain, as reported by Miles Lane. this bug was introduced via: commit 39743c9ef717fd4f2b5583f010115c5f2482b8ae Author: Andi Kleen <ak@suse.de> Date: Fri Oct 19 20:35:03 2007 +0200 x86: use raw locks during oopses - spin_lock_irqsave(&die.lock, flags); + __raw_spin_lock(&die.lock); + raw_local_save_flags(flags); that is not a correct open-coding of spin_lock_irqsave(): both the ordering is wrong (irqs should be disabled _first_), and the wrong flags-saving API was used. Signed-off-by: Ingo Molnar <mingo@elte.hu>
2007-12-20[NET]: Fix function put_cmsg() which may cause usr application memory overflowWei Yongjun
When used function put_cmsg() to copy kernel information to user application memory, if the memory length given by user application is not enough, by the bad length calculate of msg.msg_controllen, put_cmsg() function may cause the msg.msg_controllen to be a large value, such as 0xFFFFFFF0, so the following put_cmsg() can also write data to usr application memory even usr has no valid memory to store this. This may cause usr application memory overflow. int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data) { struct cmsghdr __user *cm = (__force struct cmsghdr __user *)msg->msg_control; struct cmsghdr cmhdr; int cmlen = CMSG_LEN(len); ~~~~~~~~~~~~~~~~~~~~~ int err; if (MSG_CMSG_COMPAT & msg->msg_flags) return put_cmsg_compat(msg, level, type, len, data); if (cm==NULL || msg->msg_controllen < sizeof(*cm)) { msg->msg_flags |= MSG_CTRUNC; return 0; /* XXX: return error? check spec. */ } if (msg->msg_controllen < cmlen) { ~~~~~~~~~~~~~~~~~~~~~~~~ msg->msg_flags |= MSG_CTRUNC; cmlen = msg->msg_controllen; } cmhdr.cmsg_level = level; cmhdr.cmsg_type = type; cmhdr.cmsg_len = cmlen; err = -EFAULT; if (copy_to_user(cm, &cmhdr, sizeof cmhdr)) goto out; if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr))) goto out; cmlen = CMSG_SPACE(len); ~~~~~~~~~~~~~~~~~~~~~~~~~~~ If MSG_CTRUNC flags is set, msg->msg_controllen is less than CMSG_SPACE(len), "msg->msg_controllen -= cmlen" will cause unsinged int type msg->msg_controllen to be a large value. ~~~~~~~~~~~~~~~~~~~~~~~~~~~ msg->msg_control += cmlen; msg->msg_controllen -= cmlen; ~~~~~~~~~~~~~~~~~~~~~ err = 0; out: return err; } The same promble exists in put_cmsg_compat(). This patch can fix this problem. Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>