- 07 Nov, 2006 9 commits
-
-
Stephen Hemminger authored
Acked-by:
Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Adrian Bunk <bunk@stusta.de>
-
Thomas Graf authored
Module reference needs to be given back if message header construction fails. Signed-off-by:
Thomas Graf <tgraf@suug.ch> Signed-off-by:
-
Thomas Graf authored
Return ENOENT if action module is unavailable Signed-off-by:
-
Thomas Graf authored
The TCA_ACT_KIND attribute is used without checking its availability when dumping actions therefore leading to a value of 0x4 being dereferenced. The use of strcmp() in tc_lookup_action_n() isn't safe when fed with string from an attribute without enforcing proper NUL termination. Both bugs can be triggered with malformed netlink message and don't require any privileges. Signed-off-by:
-
Thomas Graf authored
"return -err" and blindly inheriting the error code in the netlink failure exception handler causes errors codes to be returned as positive value therefore making them being ignored by the caller. May lead to sending out incomplete netlink messages. Signed-off-by:
-
Neil Brown authored
Else a subsequent bio_clone might make a mess. Signed-off-by:
Neil Brown <neilb@suse.de> Acked-by:
Jens Axboe <axboe@suse.de> Signed-off-by:
-
Randy Dunlap authored
Fix powernow-k8 doesn't load bug. Reference: https://launchpad.net/distros/ubuntu/+source/linux-source-2.6.15/+bug/35145Signed-off-by:
Ben Collins <bcollins@ubuntu.com> Signed-off-by:
Dave Jones <davej@redhat.com>
-
Dave Jones authored
Even though powernow-k7 doesn't work in SMP environments, it can work on an SMP configured kernel if there's only one CPU present, however recalibrate_cpu_khz was returning -EINVAL on such kernels, so we failed to init the cpufreq driver. Signed-off-by:
-
Adrian Bunk authored
-
- 05 Nov, 2006 10 commits
-
-
Adrian Bunk authored
-
Patrick McHardy authored
As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible to a fragmentation attack causing false negatives on extension header matches. When extension headers occur in the non-first fragment after the fragment header (possibly with an incorrect nexthdr value in the fragment header) a rule looking for this extension header will never match. Drop fragments that are at offset 0 and don't contain the final protocol header regardless of the ruleset, since this should not happen normally. Since all extension headers are before the protocol header this makes sure an extension header is either not present or in the first fragment, where we can properly parse it. With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>. Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
-
Patrick McHardy authored
As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible to a fragmentation attack causing false negatives on protocol matches. When the protocol header doesn't follow the fragment header immediately, the fragment header contains the protocol number of the next extension header. When the extension header and the protocol header are sent in a second fragment a rule like "ip6tables .. -p udp -j DROP" will never match. Drop fragments that are at offset 0 and don't contain the final protocol header regardless of the ruleset, since this should not happen normally. With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>. Signed-off-by:
-
Neil Brown authored
This is a long standing bug that seems to have only recently become apparent, presumably due to increasing use of NFS over TCP - many distros seem to be making it the default. The SK_CONN bit gets set when a listening socket may be ready for an accept, just as SK_DATA is set when data may be available. It is entirely possible for svc_tcp_accept to be called with neither of these set. It doesn't happen often but there is a small race in svc_sock_enqueue as SK_CONN and SK_DATA are tested outside the spin_lock. They could be cleared immediately after the test and before the lock is gained. This normally shouldn't be a problem. The sockets are non-blocking so trying to read() or accept() when ther is nothing to do is not a problem. However: svc_tcp_recvfrom makes the decision "Should I accept() or should I read()" based on whether SK_CONN is set or not. This usually works but is not safe. The decision should be based on whether it is a TCP_LISTEN socket or a TCP_CONNECTED socket. Signed-off-by:
-
Thomas Gleixner authored
The integer divisions in the timer accounting code can round the result down to 0. Adding 0 is without effect and the signal delivery stops. Clamp the division result to minimum 1 to avoid this. Problem was reported by Seongbae Park <spark@google.com>, who provided also an inital patch. Roland sayeth: I have had some more time to think about the problem, and to reproduce it using Toyo's test case. For the record, if my understanding of the problem is correct, this happens only in one very particular case. First, the expiry time has to be so soon that in cputime_t units (usually 1s/HZ ticks) it's < nthreads so the division yields zero. Second, it only affects each thread that is so new that its CPU time accumulation is zero so now+0 is still zero and ->it_*_expires winds up staying zero. For the VIRT and PROF clocks when cputime_t is tick granularity (or the SCHED clock on configurations where sched_clock's value only advances on clock ticks), this is not hard to arrange with new threads starting up and blocking before they accumulate a whole tick of CPU time. That's what happens in Toyo's test case. Note that in general it is fine for that division to round down to zero, and set each thread's expiry time to its "now" time. The problem only arises with thread's whose "now" value is still zero, so that now+0 winds up 0 and is interpreted as "not set" instead of ">= now". So it would be a sufficient and more precise fix to just use max(ticks, 1) inside the loop when setting each it_*_expires value. But, it does no harm to round the division up to one and always advance every thread's expiry time. If the thread didn't already fire timers for the expiry time of "now", there is no expectation that it will do so before the next tick anyway. So I followed Thomas's patch in lifting the max out of the loops. This patch also covers the reload cases, which are harder to write a test for (and I didn't try). I've tested it with Toyo's case and it fixes that. [toyoa@mvista.com: fix: min_t -> max_t] Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Signed-off-by:
Roland McGrath <roland@redhat.com> Signed-off-by:
Andrew Morton <akpm@osdl.org> Signed-off-by:
-
James Morris authored
There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where, after finding a flowlabel, the code will loop forever not finding any further flowlabels, first traversing the rest of the hash bucket then just looping. This patch fixes the problem by breaking after the hash bucket has been traversed. Note that this bug can cause lockups and oopses, and is trivially invoked by an unpriveleged user. Signed-off-by:
James Morris <jmorris@namei.org> Signed-off-by:
-
Shaohua Li authored
http://bugzilla.kernel.org/show_bug.cgi?id=5653Signed-off-by:
Shaohua Li <shaohua.li@intel.com> Signed-off-by:
Len Brown <len.brown@intel.com> Signed-off-by:
-
Al Viro authored
memcpy 4 bytes to address of auto unsigned long variable followed by comparison with u32 is a bloody bad idea. Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk> Signed-off-by:
-
Martin Schwidefsky authored
The previous patch to correct the copy_from_user padding is quite broken. The execute instruction needs to be done via the register %r4, not via %r2 and 31 bit doesn't know the instructions lgr and ahji. Signed-off-by:
Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by:
-
Martin Schwidefsky authored
A user space program can read uninitialised kernel memory by appending to a file from a bad address and then reading the result back. The cause is the copy_from_user function that does not clear the remaining bytes of the kernel buffer after it got a fault on the user space address. Signed-off-by:
-
- 02 Nov, 2006 1 commit
-
-
Adrian Bunk authored
-
- 17 Oct, 2006 2 commits
-
-
Adrian Bunk authored
-
Stephane Eranian authored
Fix a bug in sys_perfmonctl() whereby it was not correctly decrementing the file descriptor reference count. Signed-off-by:
Stephane Eranian <eranian@hpl.hp.com> Signed-off-by:
Tony Luck <tony.luck@intel.com> Signed-off-by:
-
- 14 Oct, 2006 8 commits
-
-
Michal Ostrowski authored
PPPoE must advertise the underlying device's MTU via the ppp channel descriptor structure, as multilink functionality depends on it. Signed-off-by:
Michal Ostrowski <mostrows@earthlink.net> Signed-off-by:
-
Kim Nordlund authored
Prevents filters from being added if the first generated handle already exists. Signed-off-by:
Kim Nordlund <kim.nordlund@nokia.com> Signed-off-by:
-
David S. Miller authored
There is an ancient and totally incorrect sanity check being done on the ramdisk location. The check assumes that the kernel is always loaded to physical address zero, which is wrong. It was trying to validate the ramdisk value by saying that if it fell within the kernel image address range it must be wrong. Anyways, kill this because it actually creates problems. The 'ramdisk_image' should always be adjusted down by KERNBASE. SILO can easily put the ramdisk in a location which causes this test to trigger, breaking things. [ Based almost entirely upon a patch from Ben Collins. ] Signed-off-by:
-
David S. Miller authored
Unfortunately, sparc64 doesn't have an easy way to do a "64 X 64 --> 128" bit multiply like PowerPC and IA64 do. We were doing a "64 X 64 --> 64" bit multiple which causes overflow very quickly with a 30-bit quotient shift. So use a quotientshift count of 10 instead of 30, just like x86 and ARM do. This also fixes the wrapping of printk timestamp values every ~17 seconds. Signed-off-by:
-
Rafael J. Wysocki authored
Make cifsd allow us to suspend if it has lost the connection with a server Ref: http://bugzilla.kernel.org/show_bug.cgi?id=6811Signed-off-by:
Rafael J. Wysocki <rjw@sisk.pl> Signed-off-by:
Steve French <sfrench@us.ibm.com> Signed-off-by:
-
Steve French authored
Since cifs_unlink can also be called from rename path and there was one report of oops am making the extra check for null inode. Signed-off-by:
-
Steve French authored
Signed-off-by:
-
Steve French authored
Signed-off-by:
-
- 13 Oct, 2006 10 commits
-
-
YOSHIFUJI Hideaki authored
In clip_mkip(), skb->dev is dereferenced after clip_push(), which frees up skb. Advisory: AD_LAB-06009 (<adlab@venustech.com.cn>). Signed-off-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by:
-
Olaf Hering authored
Add a modeline for the Philips 200W display. aty128fb does not do DDC, it picks 1920x1440 or similar. It works ok with nvidiafb because it can ask for DDC data. mode "1680x1050-60" # D: 146.028 MHz, H: 65.191 kHz, V: 59.863 Hz geometry 1680 1050 1680 1050 16 timings 6848 280 104 30 3 176 6 hsync high vsync high rgba 5/11,6/5,5/0,0/0 endmode hwinfo --monitor 20: None 00.0: 10000 Monitor [Created at monitor.206] Unique ID: rdCR.pzUFTofo1S4 Parent ID: 002j.bJRsY88eNSC Hardware Class: monitor Model: "PHILIPS Philips 200W" Vendor: PHL "PHILIPS" Device: eisa 0x0832 "Philips 200W" Serial ID: "VN 016596" Resolution: 720x400@70Hz Resolution: 640x480@60Hz Resolution: 640x480@67Hz Resolution: 640x480@72Hz Resolution: 640x480@75Hz Resolution: 800x600@56Hz Resolution: 800x600@60Hz Resolution: 800x600@72Hz Resolution: 800x600@75Hz Resolution: 832x624@75Hz Resolution: 1024x768@60Hz Resolution: 1024x768@70Hz Resolution: 1024x768@75Hz Resolution: 1280x1024@75Hz Resolution: 1152x864@70Hz Resolution: 1152x864@75Hz Resolution: 1280x960@60Hz Resolution: 1280x1024@60Hz Resolution: 1680x1050@60Hz Size: 433x271 mm Driver Info #0: Max. Resolution: 1680x1050 Vert. Sync Range: 56-85 Hz Hor. Sync Range: 30-93 kHz Config Status: cfg=new, avail=yes, need=no, active=unknown Attached to: #5 (VGA compatible controller) Signed-off-by:Olaf Hering <olh@suse.de> Signed-off-by:
-
Stephen Hemminger authored
Don't program the GMAC to reject flow control packets. This maybe the cause of some of the transmit hangs. Signed-off-by:
Stephen Hemminger <shemminger@osdl.org> Signed-off-by:
-
Stephen Hemminger authored
Fix support for fiber based devices. Needed to keep track of PMD type to add workaround in setup. Add support for gigabit half duplex fiber. Signed-off-by:
-
Stephen Hemminger authored
Several code paths assume an additional 16 bytes of header padding on the receive path. Use dev_alloc_skb to get that padding. Signed-off-by:
-
Oliver Endriss authored
Backport the budget driver DISEQC instability fix. Signed-off-by:
Oliver Endriss <o.endriss@gmx.de> Signed-off-by:
Andrew de Quincey <adq_dvb@lidskialf.net> Signed-off-by:
Michael Krufky <mkrufky@linuxtv.org>
-
Andrew de Quincey authored
Backport fix to artec USB DVB devices Signed-off-by:
-
Andrew de Quincey authored
The budget-av needs this GPIO set low for most cards to work. Signed-off-by:
-
Ang Way Chuang authored
ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation code has a bug that allows an attacker to send a malformed ULE packet with SNDU length of 0 and bring down the receiving machine. This patch fix the bug and has been tested on version 2.6.17.11. This bug is 100% reproducible and the modified source code (GPL) used to produce this bug will be posted on http://nrg.cs.usm.my/downloads.htm shortly. The kernel will produce a dump during CRC32 checking on faulty ULE packet. Signed-off-by:
Ang Way Chuang <wcang@nrg.cs.usm.my> Signed-off-by:
-
YOSHIFUJI Hideaki authored
This patch fixes RTNLGRP_IPV6_IFINFO netlink notifications. Issue pointed out by Patrick McHardy <kaber@trash.net>. Signed-off-by:
-
