- 02 Dec, 2006 24 commits
-
-
Chris Wright authored
-
Olaf Kirch authored
IPsec with NAT-T breaks on some notebooks using the latest e1000 chipset, when header split is enabled. When receiving sufficiently large packets, the driver puts everything up to and including the UDP header into the header portion of the skb, and the rest goes into the paged part. udp_encap_rcv forgets to use pskb_may_pull, and fails to decapsulate it. Instead, it passes it up it to the IKE daemon. Signed-off-by:
Olaf Kirch <okir@suse.de> Signed-off-by:
Jean Delvare <jdelvare@suse.de> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Chris Wright <chrisw@sous-sol.org>
-
Miklos Szeredi authored
Fix bug in certain error paths of lookup routines. The request object was reused for sending FORGET, which is illegal. This bug could cause an Oops in 2.6.18. In earlier versions it might silently corrupt memory, but this is very unlikely. These error paths are never triggered by libfuse, so this wasn't noticed even with the 2.6.18 kernel, only with a filesystem using the raw kernel interface. Thanks to Russ Cox for the bug report and test filesystem. Signed-off-by:
Miklos Szeredi <miklos@szeredi.hu> Cc: <stable@kernel.org> Signed-off-by:
Andrew Morton <akpm@osdl.org> [chrisw: backport to 2.6.18 -stable] Signed-off-by:
-
Linus Torvalds authored
Not all graphic page remappers support physical addresses over the 4GB mark for remapping, so while some do (the AMD64 GART always did, and I just fixed the i965 to do so properly), we're safest off just forcing GFP_DMA32 allocations to make sure graphics pages get allocated in the low 32-bit address space by default. AGP sub-drivers that really care, and can do better, could just choose to implement their own allocator (or we could add another "64-bit safe" default allocator for their use), but quite frankly, you're not likely to care in practice. So for now, this trivial change means that we won't be allocating pages that we can't map correctly by mistake on x86-64. [ On traditional 32-bit x86, this could never happen, because GFP_KERNEL would never allocate any highmem memory anyway ] Acked-by:
Andi Kleen <ak@suse.de> Acked-by:
Dave Jones <davej@redhat.com> Cc: Eric Anholt <eric@anholt.net> Cc: Keith Packard <keithp@keithp.com> Signed-off-by:
Linus Torvalds <torvalds@osdl.org> Signed-off-by:
-
David S. Miller authored
The "u16 *" derefs of skb->data need to be wrapped inside of a get_unaligned(). Thanks to Gustavo Zacarias for the bug report. Signed-off-by:
-
Robin Holt authored
When called to do a transfer that has a start offset within the cache line which is uneven between source and destination and a length which terminates the source of the copy exactly on a cache line, one extra line gets copied into a temporary buffer. This is normally not an issue since the buffer is a kernel buffer and only the requested information gets copied into the user buffer. The problem arises when the source ends at the very last physical page of memory. That last cache line does not exist and results in the SHUB chip raising an MCA. Signed-off-by:
Robin Holt <holt@sgi.com> Signed-off-by:
Dean Nelson <dcn@sgi.com> Signed-off-by:
Tony Luck <tony.luck@intel.com> Signed-off-by:
-
YOSHIFUJI Hideaki authored
[PATCH] IPV6: Fix address/interface handling in UDP and DCCP, according to the scoping architecture. TCP and RAW do not have this issue. Closes Bug #7432. Signed-off-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by:
-
Ira W. Snyder authored
Sparse noticed a locking imbalance in tg3_open(). This patch adds an unlock to one of the error paths, so that tg3_open() always exits without the lock held. Signed-off-by:
Ira W. Snyder <kernel@irasnyder.com> Signed-off-by:
-
Laurent Riffard authored
Fix a slab corruption in ieee80211softmac_auth(). The size of a buffer was miscomputed. see http://bugzilla.kernel.org/show_bug.cgi?id=7245Acked-by:
Daniel Drake <dsd@gentoo.org> Signed-off-by:
Laurent Riffard <laurent.riffard@free.fr> Signed-off-by:
John W. Linville <linville@tuxdriver.com> Signed-off-by:
-
Fernando J. Pereda authored
There appears to be a typo in the EV56 config option. NORITAKE and PRIMO are be able to set a variation of either. Signed-off-by:
-
Shaohua Li authored
IA32 manual says if micorcode update's size is 0, then the size is default size (2048 bytes). But this doesn't suggest all microcode update's size should be above 2048 bytes to me. We actually had a microcode update whose size is 1024 bytes. The patch just removed the check. Backported to 2.6.18 by Daniel Drake. Signed-off-by:
-
Maciej W. Rozycki authored
V4L: Do not enable VIDEO_V4L2 unconditionally The VIDEO_V4L2 config setting is enabled unconditionally, even for configurations with no support for this subsystem whatsoever. The following patch adds the necessary dependency. Signed-off-by:
Maciej W. Rozycki <macro@linux-mips.org> Signed-off-by:
Mauro Carvalho Chehab <mchehab@infradead.org> Signed-off-by:
Michael Krufky <mkrufky@linuxtv.org> Signed-off-by:
-
Daniel Ritz authored
Having unbound PCMCIA devices: doing a 'find /sys' after a 'rmmod pcmcia' gives an oops because the pcmcia_device is not unregisterd from the driver core. fixes bugzilla #7481 Signed-off-by:
Daniel Ritz <daniel.ritz@gmx.ch> Acked-by:
Dominik Brodowski <linux@dominikbrodowski.net> Cc: Pavol Gono <Palo.Gono@gmail.com> Cc: <stable@kernel.org> Signed-off-by:
-
Patrick McHardy authored
H.323 connection tracking code calls ip_ct_refresh_acct() when processing RCFs and URQs but passes NULL as the skb. When CONFIG_IP_NF_CT_ACCT is enabled, the connection tracking core tries to derefence the skb, which results in an obvious panic. A similar fix was applied on the SIP connection tracking code some time ago. Signed-off-by:
Faidon Liambotis <paravoid@debian.org> Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
-
Michael Buesch authored
Drain the Microcode TX-status-FIFO before we enable IRQs. This is required, because the FIFO may still have entries left from a previous run. Those would immediately fire after enabling IRQs and would lead to an oops in the DMA TXstatus handling code. Cc: "John W. Linville" <linville@tuxdriver.com> Signed-off-by:
Michael Buesch <mb@bu3sch.de> Signed-off-by:
Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by:
-
Patrick McHardy authored
CONNSECMARK needs conntrack, add missing dependency to fix linking error with CONNSECMARK=y and CONNTRACK=m. Reported by Toralf Frster <toralf.foerster@gmx.de>. Signed-off-by:
-
Patrick McHardy authored
xt_physdev depends on bridge netfilter, which is a boolean, but can still be built modular because of special handling in the bridge makefile. Add a dependency on BRIDGE to prevent XT_MATCH_PHYSDEV=y, BRIDGE=m. Signed-off-by:
-
Patrick McHardy authored
For policy routing, packets originating from this machine itself may be routed differently to packets passing through. We want this packet to be routed as if it came from this machine itself. So re-compute the routing information using ip_route_me_harder(). This patch is derived from work by Ken Brownfield This patch (-stable version) also includes commit b4c4ed17 ([NETFILTER]: add type parameter to ip_route_me_harder), which is a precondition for the fix. Cc: Ken Brownfield <krb@irridia.com> Signed-off-by:
Simon Horman <horms@verge.net.au> Signed-off-by:
-
Patrick McHardy authored
Signed-off-by:
-
Patrick McHardy authored
Backport fix for missing ruleset validation in {arp,ip,ip6}_tables and a fix on top which fixes a regression in the first patch. There is a number of issues in parsing user-provided table in translate_table(). Malicious user with CAP_NET_ADMIN may crash system by passing special-crafted table to the *_tables. The first issue is that mark_source_chains() function is called before entry content checks. In case of standard target, mark_source_chains() function uses t->verdict field in order to determine new position. But the check, that this field leads no further, than the table end, is in check_entry(), which is called later, than mark_source_chains(). The second issue, that there is no check that target_offset points inside entry. If so, *_ITERATE_MATCH macro will follow further, than the entry ends. As a result, we'll have oops or memory disclosure. And the third issue, that there is no check that the target is completely inside entry. Results are the same, as in previous issue. Upstream commit 590bdf7f introduced a regression in match/target hook validation. mark_source_chains builds a bitmask for each rule representing the hooks it can be reached from, which is then used by the matches and targets to make sure they are only called from valid hooks. The patch moved the match/target specific validation before the mark_source_chains call, at which point the mask is always zero. This patch returns back to the old order and moves the standard checks to mark_source_chains. This allows to get rid of a special case for standard targets as a nice side-effect. Signed-off-by: -
Patrick McHardy authored
Based on patch by myself with additional fixes from Dmitry Mishin <dim@openvz.org>. Signed-off-by:
Dmitry Mishin <dim@openvz.org> Acked-by:
Vasily Averin <vvs@openvz.org> Acked-by:
Kirill Korotaev <dev@openvz.org> Signed-off-by:
-
Patrick McHardy authored
This patch adds forgotten compat_flush_offset() call to error way of translate_compat_table(). May lead to table corruption on the next compat_do_replace(). Signed-off-by:
-
Patrick McHardy authored
The 32bit compatibility layer has no CAP_NET_ADMIN check in compat_do_ipt_get_ctl, which for example allows to list the current iptables rules even without having that capability (the non-compat version requires it). Other capabilities might be required to exploit the bug (eg. CAP_NET_RAW to get the nfnetlink socket?), so a plain user can't exploit it, but a setup actually using the posix capability system might very well hit such a constellation of granted capabilities. Signed-off-by:
Björn Steinbrink <B.Steinbrink@gmx.de> Signed-off-by:
-
Tejun Heo authored
ATAPI devices transfer fixed number of bytes for CDBs (12 or 16). Some ATAPI devices choke when shorter CDB is used and the left bytes contain garbage. Block SG_IO cleared left bytes but SCSI SG_IO didn't. This patch makes SCSI SG_IO clear it and simplify CDB clearing in block SG_IO. Signed-off-by:
Tejun Heo <htejun@gmail.com> Cc: Mathieu Fluhr <mfluhr@nero.com> Cc: James Bottomley <James.Bottomley@steeleye.com> Cc: Douglas Gilbert <dougg@torque.net> Acked-by:
Jens Axboe <jens.axboe@oracle.com> Cc: <stable@kernel.org> Acked-by:
Jeff Garzik <jgarzik@pobox.com> Signed-off-by:
-
- 29 Nov, 2006 2 commits
-
-
Chris Wright authored
-
Chris Wright authored
Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751). Signed-off-by:
Eugene Teo <eteo@redhat.com> Acked-by:
Marcel Holtmann <marcel@holtmann.org> Signed-off-by:
-
- 19 Nov, 2006 14 commits
-
-
Chris Wright authored
-
Steve French authored
unlock in case where server does not support POSIX locks and nobrl is not specified. Signed-off-by:
Steve French <sfrench@us.ibm.com> Signed-off-by:
-
Steve French authored
Fixes Samba bugzilla bug # 4182 Rename by handle failures (retry after rename by path) were not being returned back. Signed-off-by:
-
Jens Axboe authored
cciss needs to call disk_stat_add() for iostat to work. Signed-off-by:
-
Jens Axboe authored
cpqarray needs to call disk_stat_add() for iostat to work. Signed-off-by:
-
Jiri Slaby authored
port is dereferenced even if it is NULL. Dereference it _after_ the check if (!port)... Thanks Eric <ef87@yahoo.com> for reporting this. This fixes http://bugzilla.kernel.org/show_bug.cgi?id=7527Signed-off-by:
Jiri Slaby <jirislaby@gmail.com> Signed-off-by:
-
Jens Axboe authored
Contrary to what the name misleads you to believe, SG_DXFER_TO_FROM_DEV is really just a normal read seen from the device side. This patch fixes http://lkml.org/lkml/2006/10/13/100Signed-off-by:
-
David Miller authored
The PCI sysfs attributes are created after the initial PCI bus scan. With the addition of more return value checking and assertions in the device and sysfs layers we now can get dumps like this on sparc64: [ 20.135032] Call Trace: [ 20.135042] [0000000000537f88] pci_remove_bus_device+0x30/0xc0 [ 20.135076] [000000000078f890] pci_fill_in_pbm_cookies+0x98/0x440 [ 20.135109] [000000000042e828] sabre_scan_bus+0x230/0x400 [ 20.135139] [000000000078c710] pcibios_init+0x58/0xa0 [ 20.135159] [0000000000416f14] init+0x9c/0x2e0 [ 20.135190] [0000000000417a50] kernel_thread+0x38/0x60 [ 20.135211] [0000000000417170] rest_init+0x18/0x40 [ 20.135514] PCI0(PBMB): Bus running at 33MHz It's triggering because removal of the "config" PCI sysfs file for the device fails. On sparc64, after probing the device, we'll delete the PCI device via pci_remove_bus_device() if we cannot find the firmware device tree node corresponding to it. This is fine, but at this point the sysfs files for the PCI device won't be setup yet. So we should not try to do anything in pci_remove_sysfs_dev_files() if pci_sysfs_init() has not run yet. Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by:
-
Wink Saville authored
The following patch resolves the divide by zero error I encountered on my system: http://marc.10east.com/?l=linux-fbdev-devel&m=116058257024413&w=2 I accomplished this by merging what I thought was appropriate from: http://webcvs.freedesktop.org/xorg/driver/xf86-video-nv/src/Signed-off-by:
-
Dave Jones authored
This caused suspend/resume regressions. Signed-off-by:
-
Adrian Bunk authored
initlvl=2 in seclvl gives the guarantee "Cannot decrement the system time". But it was possible to set the time to the maximum unixtime value (19 Jan 2038) resulting in a wrap to the minimum value. This patch fixes this by disallowing setting the time to any date after 2030 with initlvl=2. This patch does not apply to kernel 2.6.19 since the seclvl module was already removed in this kernel. Signed-off-by:
Adrian Bunk <bunk@stusta.de> Signed-off-by:
-
Daniel Ritz authored
Fix interrupt routing for via 586 bridges. pirq can be 5 which needs to be mapped to INTD. But currently the access functions can handle only pirq 1-4. this is similar to the other via chipsets where pirq 4 and 5 are both mapped to INTD. Fixes bugzilla #7490 Cc: Daniel Paschka <monkey20181@gmx.net> Cc: Adrian Bunk <bunk@susta.de> Signed-off-by:
-
Herbert Xu authored
Since pskb_copy tacks on the non-linear bits from the original skb, it needs to count them in the truesize field of the new skb. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
-
John Heffner authored
This patch removes consideration of high memory when determining TCP hash table sizes. Taking into account high memory results in tcp_mem values that are too large. Signed-off-by:
John Heffner <jheffner@psc.edu> Signed-off-by:
-
