- 13 Apr, 2007 19 commits
-
-
Patrick McHardy authored
[NET_SCHED]: cls_tcindex: fix compatibility breakage Userspace uses an integer for TCA_TCINDEX_SHIFT, the kernel was changed to expect and use a u16 value in 2.6.11, which broke compatibility on big endian machines. Change back to use int. Reported by Ole Reinartz <ole.reinartz@gmx.de> Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Herbert Xu authored
[IPSEC]: Reject packets within replay window but outside the bit mask Up until this point we've accepted replay window settings greater than 32 but our bit mask can only accomodate 32 packets. Thus any packet with a sequence number within the window but outside the bit mask would be accepted. This patch causes those packets to be rejected instead. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
-
John Heffner authored
[TCP]: Do receiver-side SWS avoidance for rcvbuf < MSS. Signed-off-by:
John Heffner <jheffner@psc.edu> Signed-off-by:
-
David Miller authored
[SCSI]: Fix scsi_send_eh_cmnd scatterlist handling This fixes a regression caused by commit: 2dc611de The sense buffer code in scsi_send_eh_cmnd was changed to use alloc_page() and a scatter list, but the sense data copy was not updated to match so what we actually get in the sense buffer is total grabage starting with the kernel address of the struct page we got. Basically the stack frame of scsi_send_eh_cmd() is what ends up in the sense buffer. Depending upon how pointers look on a given platform, you can end up getting sr_ioctl.c errors when you mount a cdrom. If the CDROM gives a check condition for GPCMD_GET_CONFIGURATION issued by drivers/cdrom/cdrom.c:cdrom_mmc_profile(), sr_ioctl will spit out this error message in sr_do_ioctl() with the way pointers are on sparc64: default: printk(KERN_ERR "%s: CDROM (ioctl) error, command: ", cd->cdi.name); __scsi_print_command(cgc->cmd); scsi_print_sense_hdr("sr", &sshdr); err = -EIO; This is the error Tom Callaway reported in: http://marc.info/?l=linux-sparc&m=117407453208101&w=2 Anyways, fix this by using page_address(sgl.page) which is OK because we know this is low-mem due to GFP_ATOMIC. Signed-off-by:
Christoph Hellwig <hch@lst.de> Signed-off-by:
-
YOSHIFUJI Hideaki authored
[IPv6]: Fix incorrect length check in rawv6_sendmsg() In article <20070329.142644.70222545.davem@davemloft.net> (at Thu, 29 Mar 2007 14:26:44 -0700 (PDT)), David Miller <davem@davemloft.net> says: > From: Sridhar Samudrala <sri@us.ibm.com> > Date: Thu, 29 Mar 2007 14:17:28 -0700 > > > The check for length in rawv6_sendmsg() is incorrect. > > As len is an unsigned int, (len < 0) will never be TRUE. > > I think checking for IPV6_MAXPLEN(65535) is better. > > > > Is it possible to send ipv6 jumbo packets using raw > > sockets? If so, we can remove this check. > > I don't see why such a limitation against jumbo would exist, > does anyone else? > > Thanks for catching this Sridhar. A good compiler should simply > fail to compile "if (x < 0)" when 'x' is an unsigned type, don't > you think :-) Dave, we use "int" for returning value, so we should fix this anyway, IMHO; we should not allow len > INT_MAX. Signed-off-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Acked-by:
Sridhar Samudrala <sri@us.ibm.com> Signed-off-by:
-
Patrick McHardy authored
[IFB]: Fix crash on input device removal The input_device pointer is not refcounted, which means the device may disappear while packets are queued, causing a crash when ifb passes packets with a stale skb->dev pointer to netif_rx(). Fix by storing the interface index instead and do a lookup where neccessary. Signed-off-by:
Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by:
-
Patrick McHardy authored
[NETFILTER]: ipt_CLUSTERIP: fix oops in checkentry function The clusterip_config_find_get() already increases entries reference counter, so there is no reason to do it twice in checkentry() callback. This causes the config to be freed before it is removed from the list, resulting in a crash when adding the next rule. Signed-off-by:
Jaroslav Kysela <perex@suse.cz> Signed-off-by:
-
Francois Romieu authored
Your usual dont-flush_scheduled_work-with-RTNL-held stuff. It is a bit different here since the thread runs permanently or is only occasionally kicked for recovery depending on the hardware revision. Signed-off-by:
Francois Romieu <romieu@fr.zoreil.com> Cc: Ben Greear <greearb@candelatech.com> Signed-off-by:
-
Neil Brown authored
If 'num_pages' were ever 1 more than a multiple of 8 (32bit platforms) for of 16 (64 bit platforms). filemap_attr would be allocated one 'unsigned long' shorter than required. We need a round-up in there. Signed-off-by:
Neil Brown <neilb@suse.de> Signed-off-by:
-
Adam Kropelin authored
HID: Do not discard truncated input reports Truncated reports should not be discarded since it prevents buggy devices from communicating with userspace. Prior to the regession introduced in 2.6.20, a shorter-than-expected report in hid_input_report() was passed thru after having the missing bytes cleared. This behavior was established over a few patches in the 2.6.early-teens days, including commit cd610457. This patch restores the previous behavior and fixes the regression. Signed-off-by:
Adam Kropelin <akropel1@rochester.rr.com> Signed-off-by:
Jiri Kosina <jkosina@suse.cz> Signed-off-by:
-
Andreas Oberritter authored
DVB: pluto2: fix incorrect TSCR register setting The ADEF bits in the TSCR register have different meanings in read and write mode. For this reason ADEF has to be reset on every read-modify-write operation. This patch introduces a special write function for this register, which takes care of it. Thanks to Holger Magnussen for pointing my nose at this problem. (cherry picked from commit 1489f90a) Signed-off-by:
Andreas Oberritter <obi@linuxtv.org> Signed-off-by:
Mauro Carvalho Chehab <mchehab@infradead.org> Signed-off-by:
Michael Krufky <mkrufky@linuxtv.org> Signed-off-by:
-
Andreas Oberritter authored
DVB: tda10086: fix DiSEqC message length Setting the message length to zero means to send one byte, so you need a subtraction instead of an addition. (cherry picked from commit d420cb44) Signed-off-by:
-
Stephen Hemminger authored
The workaround Yukon EC-U wasn't comparing with correct version and wasn't doing correct setup. Without it, 88e8056 throws all sorts of errors. Signed-off-by:
Stephen Hemminger <shemminger@linux-foundation.org> Signed-off-by:
-
Stephen Hemminger authored
Some of these chips are disabled until clock is enabled. This fixes: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404107Signed-off-by: -
Stephen Hemminger authored
Driver needs to turn off carrier when down. Signed-off-by:
-
Stephen Hemminger authored
Driver needs to turn off carrier when down, otherwise it can confuse bonding and bridging and looks like carrier is on immediately when it is brought back up. Signed-off-by:
-
Stephen Hemminger authored
This adds working recovery from transmit timeouts. Previous code didn't do enough to truly reset chip. It is a backport of the 2.6.21 code. Signed-off-by:
-
Thomas Gleixner authored
The __copy_to_user_inatomic() calls in file_read_actor() and pipe_read() are broken on original i386 machines, where WP-works-ok == false, as __copy_to_user_inatomic() on such systems calls functions which might sleep and/or contain cond_resched() calls inside of a kmap_atomic() region. The original check for WP-works-ok was in access_ok(), but got moved during the 2.5 series to fix a race vs. swap. Return the number of bytes to copy in the case where we are in an atomic region, so the non atomic code pathes in file_read_actor() and pipe_read() are taken. This could be optimized to avoid the kmap_atomic by moving the check for WP-works-ok into fault_in_pages_writeable(), but this is more intrusive and can be done later. Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Acked-by:
Ingo Molnar <mingo@elte.hu> Signed-off-by:
-
Jan Beulich authored
Commit 2e3646e5 changed the way the split config tree is built, but failed to also adjust fixdep accordingly - if changing a config option from or to m, files referencing the respective CONFIG_..._MODULE (but not the corresponding CONFIG_...) didn't get rebuilt. The problem is that trisate symbol are represent with three different symbols: SYMBOL=n => no symbol defined SYMBOL=y => CONFIG_SYMBOL defined to '1' SYMBOL=m => CONFIG_SYMBOL_MODULE defined to '1' But conf_split_config do not distingush between the =y and =m case, so only the =y case is honoured. This is fixed in fixdep so when a CONFIG symbol with _MODULE is found we skip that part and only look for the CONFIG_SYMBOL version. Signed-off-by:
Jan Beulich <jbeulich@novell.com> Signed-off-by:
Sam Ravnborg <sam@ravnborg.org> Signed-off-by:
-
- 06 Apr, 2007 21 commits
-
-
Chris Wright authored
-
Herbert Xu authored
In the scatterwalk_copychunks loop, We should be advancing by len_this_page and not nbytes. The latter is the total length. Signed-off-by:
Chris Wright <chrisw@sous-sol.org>
-
Paolo 'Blaisorblade' Giarrusso authored
There was a typo in commit b40b478e, preventing it from working - 32bit binaries crashed hopelessly before the below fix and work perfectly now. Signed-off-by:
Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> [chrisw: update changelog to reflect -stable commit id] Signed-off-by:
-
Greg Kroah-Hartman authored
-
Jean Delvare authored
When we receive an AppleTalk frame shorter than what its header says, we still attempt to verify its checksum, and trip on the BUG_ON() at the end of function atalk_sum_skb() because of the length mismatch. This has security implications because this can be triggered by simply sending a specially crafted ethernet frame to a target victim, effectively crashing that host. Thus this qualifies, I think, as a remote DoS. Here is the frame I used to trigger the crash, in npg format: <Appletalk Killer> { # Ethernet header ----- XX XX XX XX XX XX # Destination MAC 00 00 00 00 00 00 # Source MAC 00 1D # Length # LLC header ----- AA AA 03 08 00 07 80 9B # Appletalk # Appletalk header ----- 00 1B # Packet length (invalid) 00 01 # Fake checksum 00 00 00 00 # Destination and source networks 00 00 00 00 # Destination and source nodes and ports # Payload ----- 0C 0D 0E 0F 10 11 12 13 14 } The destination MAC address must be set to those of the victim. The severity is mitigated by two requirements: * The target host must have the appletalk kernel module loaded. I suspect this isn't so frequent. * AppleTalk frames are non-IP, thus I guess they can only travel on local networks. I am no network expert though, maybe it is possible to somehow encapsulate AppleTalk packets over IP. The bug has been reported back in June 2004: http://bugzilla.kernel.org/show_bug.cgi?id=2979 But it wasn't investigated, and was closed in July 2006 as both reporters had vanished meanwhile. This code was new in kernel 2.6.0-test5: http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2 And not modified since then, so we can assume that vanilla kernels 2.6.0-test5 and later, and distribution kernels based thereon, are affected. Note that I still do not know for sure what triggered the bug in the real-world cases. The frame could have been corrupted by the kernel if we have a bug hiding somewhere. But more likely, we are receiving the faulty frame from the network. Signed-off-by:Jean Delvare <jdelvare@suse.de> Signed-off-by:
-
Daniel Drake authored
Commit d720bc4b partially removed a private implementation of baud speed decoding. However it doesn't seem to be complete: after the speed is decoded, it is still being used as an index to a local speed table (array overrun, no doubt). This was found by Graham Murray who noticed it caused a 2.6.19 regression with the SX driver: https://bugs.gentoo.org/170554Signed-off-by:
Daniel Drake <dsd@gentoo.org> Acked-by:
Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: Russell King <rmk@arm.linux.org.uk> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
Jeff Garzik authored
[libata] sata_mv: Fix 50xx irq mask IRQ mask bits assumed a 60xx or newer generation chip, which is very wrong for the 50xx series. Luckily both generations shared the per-port interrupt mask bits, leaving only the "misc chip features" bits to be completely mismatched. Fix 50xx by ensuring we only program bits that exist. Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
Jeff Garzik <jeff@garzik.org> Signed-off-by:
-
Jeff Garzik authored
[libata] sata_mv: don't touch reserved bits in EDMA config register The code in mv_edma_cfg() reflected its 60xx origins, by doing things [slightly] incorrectly on the older 50xx and newer 6042/7042 chips. Clean up the EDMA configuration setup such that, each chip family carefully initializes its own EDMA setup. Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
-
Mark Lord authored
libata bugfix: HDIO_DRIVE_TASK I was trying to use HDIO_DRIVE_TASK for something today, and discovered that the libata implementation does not copy over the upper four LBA bits from args[6]. This is serious, as any tools using this ioctl would have their commands applied to the wrong sectors on the drive, possibly resulting in disk corruption. Ideally, newer apps should use SG_IO/ATA_16 directly, avoiding this bug. But with libata poised to displace drivers/ide, better compatibility here is a must. This patch fixes libata to use the upper four LBA bits passed in from the ioctl. The original drivers/ide implementation copies over all bits except for the master/slave select bit. With this patch, libata will copy only the four high-order LBA bits, just in case there are assumptions elsewhere in libata (?). Signed-off-by:
Mark Lord <mlord@pobox.com> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
-
Tejun Heo authored
libata: clear TF before IDENTIFYing Some devices chock if Feature is not clear when IDENTIFY is issued. Set ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE for IDENTIFY such that whole TF is cleared when reading ID data. Kudos to Art Haas for testing various futile patches over several months and Mark Lord for pointing out the fix. Signed-off-by:
Tejun Heo <htejun@gmail.com> Cc: Art Haas <ahaas@airmail.net> Cc: Mark Lord <mlord@pobox.com> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
-
J. Bruce Fields authored
[CRYPTO] api: scatterwalk_copychunks() fails to advance through scatterlist In the loop in scatterwalk_copychunks(), if walk->offset is zero, then scatterwalk_pagedone rounds that up to the nearest page boundary: walk->offset += PAGE_SIZE - 1; walk->offset &= PAGE_MASK; which is a no-op in this case, so we don't advance to the next element of the scatterlist array: if (walk->offset >= walk->sg->offset + walk->sg->length) scatterwalk_start(walk, sg_next(walk->sg)); and we end up copying the same data twice. It appears that other callers of scatterwalk_{page}done first advance walk->offset, so I believe that's the correct thing to do here. This caused a bug in NFS when run with krb5p security, which would cause some writes to fail with permissions errors--for example, writes of less than 8 bytes (the des blocksize) at the start of a file. A git-bisect shows the bug was originally introduced by 5c64097a, first in 2.6.19-rc1. Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by:J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by:
-
Alan Tyson authored
[CIFS] reset mode when client notices that ATTR_READONLY is no longer set [<cebbert@redhat.com>: removed changelog part of patch] Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
Alan Tyso <atyson@hp.com> Signed-off-by:
Jeff Layton <jlayton@redhat.com> Signed-off-by:
Steve French <sfrench@us.ibm.com> Signed-off-by:
-
Steve French authored
[CIFS] Allow reset of file to ATTR_NORMAL when archive bit not set When a file had a dos attribute of 0x1 (readonly - but dos attribute of archive was not set) - doing chmod 0777 or equivalent would try to set a dos attribute of 0 (which some servers ignore) rather than ATTR_NORMAL (0x20) which most servers accept. Does not affect servers which support the CIFS Unix Extensions. [<cebbert@redhat.com>: removed changelog part of patch] Cc: Chuck Ebbert <cebbert@redhat.com> Acked-by:
Prasad Potluri <pvp@us.ibm.com> Acked-by:
Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by:
-
Bartlomiej Zolnierkiewicz authored
"ide: fix drive side 80c cable check, take 2" patch from Tejun Heo (commit fab59375) fixed 80c bit test (bit13 of word93) but we also need to fix master/slave IDENTIFY order (slave device should be probed first in order to make it release PDIAG- signal) and we should also check for pre-ATA3 slave devices (which may not release PDIAG- signal). Unfortunately the fact that IDE driver doesn't reset devices itself helps only a bit as it seems that some BIOS-es reset ATA devices after programming the chipset, some BIOS-es can be set to not probe/configure selected devices, there may be no BIOS in case of add-on cards etc. Since we are quite late in the release cycle and the required changes will affect a lot of systems just revert the fix for now. [ Please also see libata commit f31f0cc2. ] Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
Bartlomiej Zolnierkiewicz <bzolnier@gmail.com> Signed-off-by:
-
Vasily Averin authored
I2O subsystem has been broken in mainstream several months ago (after 2.6.18). Commit 4aff5e23 from Jens Axboe split struct request ->flags into two parts: cmd_type and cmd_flags. In i2o layer this patch has replaced flag REQ_SPECIAL by the according cmd_type. However i2o has used REQ_SPECIAL not as command type but as driver-specific flag for the debug purposes. As result all i2o requests have type "special" now, are not processed to the hardware and fail with I/O error: i2o/hda:<3>Buffer I/O error on device i2o/hda, logical block 0 Buffer I/O error on device i2o/hda, logical block 0 Buffer I/O error on device i2o/hda, logical block 0 unable to read partition table block-osm: device added (TID: 207): i2o/hda The following patch removes the extra debug checks without any drawbacks and restores the normal driver's work. Signed-off-by:
Vasily Averin <vvs@sw.ru> Acked-by:
Markus Lidel <Markus.Lidel@shadowconnect.com> Cc: Jens Axboe <jens.axboe@oracle.com> From: Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
-
Tejun Heo authored
jmicron: make ide jmicron driver play nice with libata ones When libata is configured, the device is configured such that SATA and PATA ports live in separate functions with different programming interfaces. pata_jmicron and ide jmicron drivers can drive only the PATA part. This patch makes jmicron match PCI class code such that it doesn't attach itself to the SATA part preventing the proper ahci driver from attaching. This change is suggested by Bartlomiej. Signed-off-by:
-
Oliver Endriss authored
V4L: saa7146: Fix allocation of clipping memory Olaf Hering pointed out that SAA7146_CLIPPING_MEM would become very large for PAGE_SIZE > 4K. In fact, the number of clipping windows is limited to 16, and calculate_clipping_registers_rect() does not use more than 256 bytes. SAA7146_CLIPPING_MEM adjusted accordingly. (cherry picked from commit 7a7cd192) Thanks-to: Olaf Hering <olaf@aepfle.de> Acked-by:
Michael Hunold <hunold@linuxtv.org> Signed-off-by:
Oliver Endriss <o.endriss@gmx.de> Signed-off-by:
-
Simon Arlott authored
dvb-core: fix several locking related problems Fix several instances of dvb-core functions using mutex_lock_interruptible and returning -ERESTARTSYS where the calling function will either never retry or never check the return value. These cause a race condition with dvb_dmxdev_filter_free and dvb_dvr_release, both of which are filesystem release functions whose return value is ignored and will never be retried. When this happens it becomes impossible to open dvr0 again (-EBUSY) since it has not been released properly. (cherry picked from commit c2788502) Signed-off-by:
Simon Arlott <simon@fire.lp0.eu> Signed-off-by:
Johannes Stezenbach <js@linuxtv.org> Signed-off-by:
-
Thomas Viehweger authored
DVB: isl6421: don't reference freed memory After freeing a block there should be no reference to this block. (cherry picked from commit 09d48954) Signed-off-by:
Thomas Viehweger <Thomas.Viehweger@marconi.com> Signed-off-by:
-
Hans Verkuil authored
V4L: msp_attach must return 0 if no msp3400 was found. Returning -1 causes the probe to stop, but it should just continue instead. This patch fixes an annoying 'i2c_adapter i2c-7: Client creation failed at 0x44 (-1)' kernel message that appeared in 2.6.20 (cherry picked from commit 3284b4e0) Signed-off-by:
Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by:
-
Mauro Carvalho Chehab authored
V4L: Fix SECAM handling on saa7115 (cherry picked from commit a9aaec4e) Signed-off-by:
-
