- 04 May, 2006 4 commits
-
-
Jing Min Zhao authored
Signed-off-by:
Jing Min Zhao <zhaojingmin@users.sourceforge.net> Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Patrick McHardy authored
net/ipv4/netfilter/ip_nat_standalone.c: In function 'ip_nat_out': net/ipv4/netfilter/ip_nat_standalone.c:223: warning: unused variable 'ctinfo' net/ipv4/netfilter/ip_nat_standalone.c:222: warning: unused variable 'ct' Surprisingly no complaints so far .. Signed-off-by:
-
Patrick McHardy authored
When a Choice element contains an unsupported choice no error is returned and parsing continues normally, but the choice value is not set and contains data from the last parsed message. This may in turn lead to parsing of more stale data and following crashes. Fixes a crash triggered by testcase 0003243 from the PROTOS c07-h2250v4 testsuite following random other testcases: CPU: 0 EIP: 0060:[<c01a9554>] Not tainted VLI EFLAGS: 00210646 (2.6.17-rc2 #3) EIP is at memmove+0x19/0x22 eax: d7be0307 ebx: d7be0307 ecx: e841fcf9 edx: d7be0307 esi: bfffffff edi: bfffffff ebp: da5eb980 esp: c0347e2c ds: 007b es: 007b ss: 0068 Process events/0 (pid: 4, threadinfo=c0347000 task=dff86a90) Stack: <0>00000006 c0347ea6 d7be0301 e09a6b2c 00000006 da5eb980 d7be003e d7be0052 c0347f6c e09a6d9c 00000006 c0347ea6 00000006 00000000 d7b9a548 00000000 c0347f6c d7b9a548 00000004 e0a1a119 0000028f 00000006 c0347ea6 00000006 Call Trace: [<e09a6b2c>] mangle_contents+0x40/0xd8 [ip_nat] [<e09a6d9c>] ip_nat_mangle_tcp_packet+0xa1/0x191 [ip_nat] [<e0a1a119>] set_addr+0x60/0x14d [ip_nat_h323] [<e0ab6e66>] q931_help+0x2da/0x71a [ip_conntrack_h323] [<e0ab6e98>] q931_help+0x30c/0x71a [ip_conntrack_h323] [<e09af242>] ip_conntrack_help+0x22/0x2f [ip_conntrack] [<c022934a>] nf_iterate+0x2e/0x5f [<c025d357>] xfrm4_output_finish+0x0/0x39f [<c02294ce>] nf_hook_slow+0x42/0xb0 [<c025d357>] xfrm4_output_finish+0x0/0x39f [<c025d732>] xfrm4_output+0x3c/0x4e [<c025d357>] xfrm4_output_finish+0x0/0x39f [<c0230370>] ip_forward+0x1c2/0x1fa [<c022f417>] ip_rcv+0x388/0x3b5 [<c02188f9>] netif_receive_skb+0x2bc/0x2ec [<c0218994>] process_backlog+0x6b/0xd0 [<c021675a>] net_rx_action+0x4b/0xb7 [<c0115606>] __do_softirq+0x35/0x7d [<c0104294>] do_softirq+0x38/0x3f Signed-off-by: -
Patrick McHardy authored
When the TPKT len included in the packet is below the lowest valid value of 4 an underflow occurs which results in an endless loop. Found by testcase 0000058 from the PROTOS c07-h2250v4 testsuite. Signed-off-by:
-
- 03 May, 2006 1 commit
-
-
Patrick McHardy authored
fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to guarantee progress of for_each_sctp_chunk(). (all other uses of for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix should be complete.) Based on patch from Ingo Molnar <mingo@elte.hu> CVE-2006-1527 Signed-off-by:
Linus Torvalds <torvalds@osdl.org>
-
- 02 May, 2006 35 commits
-
-
Ayaz Abdulla authored
This patch fixes the issues with multiple irqs. I am resending based on feedback. I decoupled the dma mask for consistent memory and fixed leak with multiple irq in error path. Thanks to Manfred for catching the spin lock problem. Signed-Off-By:Ayaz Abdulla <aabdulla@nvidia.com>
-
Craig Brind authored
Fixes Rhine I cards disclosing fragments of previously transmitted frames in new transmissions. Before transmission, any socket buffer (skb) shorter than the ethernet minimum length of 60 bytes was zero-padded. On Rhine I cards the data can later be copied into an aligned transmission buffer without copying this padding. This resulted in the transmission of the frame with the extra bytes beyond the provided content leaking the previous contents of this buffer on to the network. Now zero-padding is repeated in the local aligned buffer if one is used. Following a suggestion from the via-rhine maintainer, no attempt is made here to avoid the duplicated effort of padding the skb if it is known that an aligned buffer will definitely be used. This is to make the change "obviously correct" and allow it to be applied to a stable kernel if necessary. There is no change to the flow of control and the changes are only to the Rhine I code path. The patch has run on an in-service Rhine-I host without incident. Frames shorter than 60 bytes are now correctly zero-padded when captured on a separate host. I see no unusual stats reported by ifconfig, and no unusual log messages. Signed-off-by:
Craig Brind <craigbrind@gmail.com> Signed-off-by:
Roger Luethi <rl@hellgate.ch> Cc: Jeff Garzik <jeff@garzik.org> Signed-off-by:
Andrew Morton <akpm@osdl.org> Signed-off-by:
Jeff Garzik <jeff@garzik.org>
-
Olaf Hering authored
On Sat, Mar 11, Olaf Hering wrote: > Why is the /sys/class/net/eth0/device symlink not created for the > mv643xx_eth driver? Does this work for other platform device drivers? > Seems to work for the ps2 keyboard at least. The SET_NETDEV_DEV has to be done before a call to register_netdev. With the new patch below, the device symlink for the platform device was created. Unfortunately, after the 4 ls commands, the network connection died. No idea if the box crashed or if something else broke, lost remote access. Provide sysfs 'device' in /class/net/ethN Also, set module owner field, like pcnet32 driver does. Signed-off-by:
Olaf Hering <olh@suse.de> Acked-by:
Dale Farnsworth <dale@farnsworth.org> Signed-off-by:
-
Jens Axboe authored
Apply the same rules as the anon pipe pages, only allow stealing if no one else is using the page. Signed-off-by:Jens Axboe <axboe@suse.de>
-
Jens Axboe authored
Currently we rely on the PIPE_BUF_FLAG_LRU flag being set correctly to know whether we need to fiddle with page LRU state after stealing it, however for some origins we just don't know if the page is on the LRU list or not. So remove PIPE_BUF_FLAG_LRU and do this check/add manually in pipe_to_file() instead. Signed-off-by: -
Jens Axboe authored
We need to use the minium of {len, PAGE_SIZE-off}, not {len, PAGE_SIZE}-off. The latter doesn't make any sense, and could cause us to attempt negative length transfers... Signed-off-by: -
git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-currentLinus Torvalds authored
* 'audit.b10' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: [PATCH] Audit Filter Performance [PATCH] Rework of IPC auditing [PATCH] More user space subject labels [PATCH] Reworked patch for labels on user space messages [PATCH] change lspp ipc auditing [PATCH] audit inode patch [PATCH] support for context based audit filtering, part 2 [PATCH] support for context based audit filtering [PATCH] no need to wank with task_lock() and pinning task down in audit_syscall_exit() [PATCH] drop task argument of audit_syscall_{entry,exit} [PATCH] drop gfp_mask in audit_log_exit() [PATCH] move call of audit_free() into do_exit() [PATCH] sockaddr patch [PATCH] deal with deadlocks in audit_free()
-
Patrick McHardy authored
When iptables userspace adds an ipt_standard_target, it calculates the size of the entire entry as: sizeof(struct ipt_entry) + XT_ALIGN(sizeof(struct ipt_standard_target)) ipt_standard_target looks like this: struct xt_standard_target { struct xt_entry_target target; int verdict; }; xt_entry_target contains a pointer, so when compiled for 64 bit the structure gets an extra 4 byte of padding at the end. On 32 bit architectures where iptables aligns to 8 byte it will also have 4 byte padding at the end because it is only 36 bytes large. The compat_ipt_standard_fn in the kernel adjusts the offsets by sizeof(struct ipt_standard_target) - sizeof(struct compat_ipt_standard_target), which will always result in 4, even if the structure from userspace was already padded to a multiple of 8. On x86 this works out by accident because userspace only aligns to 4, on all other architectures this is broken and causes incorrect adjustments to the size and following offsets. Thanks to Linus for lots of debugging help and testing. Signed-off-by: -
git://brick.kernel.dk/data/git/linux-2.6-blockLinus Torvalds authored
* 'splice' of git://brick.kernel.dk/data/git/linux-2.6-block: [PATCH] vmsplice: allow user to pass in gift pages [PATCH] pipe: enable atomic copying of pipe data to/from user space [PATCH] splice: call handle_ra_miss() on failure to lookup page [PATCH] Add ->splice_read/splice_write to def_blk_fops [PATCH] pipe: introduce ->pin() buffer operation [PATCH] splice: fix bugs in pipe_to_file() [PATCH] splice: fix bugs with stealing regular pipe pages
-
git://git.kernel.org/pub/scm/linux/kernel/git/roland/infinibandLinus Torvalds authored
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband: IB/ipath: tidy up white space in a few files IB/ipath: fix label name in interrupt handler IB/ipath: improve sparse annotation IB/ipath: simplify IB timer usage IB/ipath: simplify RC send posting IB/ipath: prevent hardware from being accessed during reset IB/ipath: fix verbs registration IB/ipath: change handling of PIO buffers IB/ipath: iterate over correct number of ports during reset IB/ipath: set up 32-bit DMA mask if 64-bit setup fails IB/ipath: fix race with exposing reset file IB/mthca: Fix offset in query_gid method
-
Shaohua Li authored
At suspend time, the TSC CPUFREQ_SUSPENDCHANGE notifier change might wrongly enable interrupt. cpufreq driver suspend/resume is in interrupt disabled environment. Signed-off-by:
Shaohua Li <shaohua.li@intel.com> Cc: Pavel Machek <pavel@ucw.cz> Signed-off-by:
-
Mikael Pettersson authored
The PC Speaker driver's ->probe() routine doesn't even get called in the 64-bit kernels. The reason for that is that the arch code apparently has to explictly add a "pcspkr" platform device in order for the driver core to call the ->probe() routine. arch/i386/kernel/setup.c unconditionally adds a "pcspkr" device, but the x86_64 kernel has no code at all related to the PC Speaker. The patch below copies the relevant code from i386 to x86_64, which makes the PC Speaker work for me on x86_64. Cc: Dmitry Torokhov <dtor_core@ameritech.net> Acked-by:
Andi Kleen <ak@muc.de> Signed-off-by:
-
Atsushi Nemoto authored
Fix genrtc's read() routine for 64-bit platforms. Current gen_rtc_read() stores 64bit integer and returns 8 even if an user tried to read a 32bit integer. Signed-off-by:
Atsushi Nemoto <anemo@mba.ocn.ne.jp> Cc: Alessandro Zummo <a.zummo@towertech.it> Signed-off-by:
-
Atsushi Nemoto authored
Make rtc-dev work well on 64-bit platforms with 32-bit userland. On those platforms, users might try to read 32-bit integer value. This patch make rtc-dev's read() work well for both "int" and "long" size. This tweak is came from genrtc driver. Signed-off-by:
-
Heiko Carstens authored
Consider return value of __put_user() when setting up a signal frame instead of ignoring it. Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by:
Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by:
-
Heiko Carstens authored
As pointed out by Paulo Marques <pmarques@grupopie.com> MAX_IPD_TIME is by a factor of ten too small. Since this means that we allow ten times more IPDs in the intended time frame this could result in a cpu check stop of a physical cpu. Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by:
-
Jeremy Kerr authored
Add an nid member to the spu structure, and store the numa id of the spu there on creation. Signed-off-by:
Arnd Bergmann <arnd.bergmann@de.ibm.com> Cc: Paul Mackerras <paulus@samba.org> Signed-off-by:
-
Jeremy Kerr authored
Change of_node_to_nid() to traverse the device tree, looking for a numa id. Cell uses this to assign ids to SPUs, which are children of the CPU node. Existing users of of_node_to_nid() are altered to use of_node_to_nid_single(), which doesn't do the traversal. Export an attach_sysdev_to_node() function, allowing system devices (eg. SPUs) to link themselves into the numa topology in sysfs. Signed-off-by:
-
Joel H Schopp authored
Based on an older patch from Mike Kravetz <kravetz@us.ibm.com> We need to have a mem_map for high addresses in order to make fops->no_page work on spufs mem and register files. So far, we have used the memory_present() function during early bootup, but that did not work when CONFIG_NUMA was enabled. We now use the __add_pages() function to add the mem_map when loading the spufs module, which is a lot nicer. Signed-off-by:
-
Mike Kravetz authored
This patch fixes two bugs with the way sparsemem interacts with memory add. They are: - memory leak if memmap for section already exists - calling alloc_bootmem_node() after boot These bugs were discovered and a first cut at the fixes were provided by Arnd Bergmann <arnd@arndb.de> and Joel Schopp <jschopp@us.ibm.com>. Signed-off-by:
Mike Kravetz <kravetz@us.ibm.com> Signed-off-by:
Joel Schopp <jschopp@austin.ibm.com> Signed-off-by:
-
Pat Gefre authored
Currently loading the ioc3 as a module will cause the ports to be numbered in reverse order. This mod maintains the proper order of cards for port numbering. Signed-off-by:
Patrick Gefre <pfg@sgi.com> Signed-off-by:
-
Christoph Lameter authored
Currently we check PageDirty() in order to make the decision to swap out the page. However, the dirty information may be only be contained in the ptes pointing to the page. We need to first unmap the ptes before checking for PageDirty(). If unmap is successful then the page count of the page will also be decreased so that pageout() works properly. This is a fix necessary for 2.6.17. Without this fix we may migrate dirty pages for filesystems without migration functions. Filesystems may keep pointers to dirty pages. Migration of dirty pages can result in the filesystem keeping pointers to freed pages. Unmapping is currently not be separated out from removing all the references to a page and moving the mapping. Therefore try_to_unmap will be called again in migrate_page() if the writeout is successful. However, it wont do anything since the ptes are already removed. The coming updates to the page migration code will restructure the code so that this is no longer necessary. Signed-off-by:
Christoph Lameter <clameter@sgi.com> Signed-off-by:
-
Jeff Dike authored
Blaisorblade's uml-makefile-nicer makes a V=0 build say SYMLINK where what's happening is really a LINK. Signed-off-by:
Jeff Dike <jdike@addtoit.com> Acked-by:
Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it> Signed-off-by:
-
Paolo 'Blaisorblade' Giarrusso authored
GCC hardened introduces additional symbol refererences (for the canary and friends), also in modules - add weak export_symbols for them. We already tested that the weak declaration creates no problem on both GCC's providing the function definition and on GCC's which don't provide it. Signed-off-by:
-
Paolo 'Blaisorblade' Giarrusso authored
*) Rather than duplicate in various buggy ways the application of CFLAGS_NO_HARDENING and UNPROFILE (which apply to the same files), centralize it in Makefile.rules. UNPROFILE_OBJS mustn't be listed in USER_OBJS but are compiled as such. I've also verified that unprofile didn't work in the current form, because we set _c_flags directly (using CFLAGS and not USER_CFLAGS, which is wrong), which is normally used by c_flags, but we also override c_flags for all USER_OBJS, and there we don't call unprofile. Instead it only worked for unmap.o, the only one which wasn't a USER_OBJ. We need to set c_flags (which is not a public Kbuild API) to clear a lot of compilation flags like -nostdinc which Kbuild forces on everything. *) Rather than $(CFLAGS_$(notdir $@)), which expands to CFLAGS_anObj.s when building "anObj.s", use $(CFLAGS_$(*F).o) which always accesses CFLAGS_anObj.o, like done by Kbuild. *) Make c_flags apply to all targets having the same basename, rather than listing .s, .i, .lst and .o, with the use (which I tested) of $(USER_OBJS:.o=.%): c_flags = ... and of - $(obj)/unmap.c: _c_flags = ... + $(obj)/unmap.%: _c_flags = ... Signed-off-by:
-
Paolo 'Blaisorblade' Giarrusso authored
To make some half-assembly stubs compile, disable various "hardened" GCC features: *) we can't make it build PIC code as we need %ebx to do syscalls and GCC wants it free for PIC *) we can't leave stack protection as the stub is moved (not relocated!) in memory so the RIP-relative access to the canary tries reading from an unmapped address and causes a segfault, since we move the stub of various megabytes (the exact amount will be decided at runtime) away from the link-time address. Signed-off-by:
-
Paolo 'Blaisorblade' Giarrusso authored
Move the build of user-offsets to arch/um/sys-$(SUBARCH), where it's located. So we can also build it via Kbuild with its dependency tracking rather than by hand. While hacking here, fix also a lot of little cosmetic things. Signed-off-by:
-
Mattia Dongili authored
Append /usr/lib/uml to the existing PATH environment variable to let execvp() search uml_net in FHS compliant locations. Signed-off-by:
Mattia Dongili <malattia@linux.it> Signed-off-by:
-
Paolo 'Blaisorblade' Giarrusso authored
I sent a patch, it was applied as cda402b2, then it was applied again as 181ae400 by mistake. But while the 1st time it modified (correctly) cow_header_v3, the 2nd it modified cow_header_v3_broken. Signed-off-by:
-
Jeff Dike authored
Blairsorblade noticed some confusion between our use of a system call's return value and errno. This patch fixes a number of related bugs - using errno instead of a return value using a return value instead of errno forgetting to negate a error return to get a positive error code Signed-off-by:
-
Jeff Dike authored
Bring defconfig up to date. Also disable CONFIG_BLK_DEV_UBD_SYNC by default. By performing synchronous I/O to the host, it slows things down, only protects against host crashes, and can make a UML appear to hang while it waits for the host's disk. Signed-off-by:
-
Jeff Dike authored
The MADVISE_REMOVE-checking code didn't clean up after itself. Signed-off-by:
-
Jesper Juhl authored
Remove redundant NULL checks before [kv]free + small CodingStyle cleanup for arch/ Signed-off-by:
Jesper Juhl <jesper.juhl@gmail.com> Signed-off-by:
-
Joris van Rantwijk authored
A quick hack to allow skas0 mode to run on 2G/2G hosts. Signed-off-by:
-
Victor V. Vengerov authored
We need to walk the region list properly. Signed-off-by:
-
