1. 05 Jun, 2006 12 commits
  2. 31 May, 2006 2 commits
  3. 22 May, 2006 2 commits
    • Chris Wright's avatar
      Linux 2.6.16.18 · b7d06179
      Chris Wright authored
      b7d06179
    • Patrick McHardy's avatar
      [PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444) · 1db6b5a6
      Patrick McHardy authored
      CVE-2006-2444 - Potential remote DoS in SNMP NAT helper.
      
      Fix memory corruption caused by snmp_trap_decode:
      
      - When snmp_trap_decode fails before the id and address are allocated,
        the pointers contain random memory, but are freed by the caller
        (snmp_parse_mangle).
      
      - When snmp_trap_decode fails after allocating just the ID, it tries
        to free both address and ID, but the address pointer still contains
        random memory. The caller frees both ID and random memory again.
      
      - When snmp_trap_decode fails after allocating both, it frees both,
        and the callers frees both again.
      
      The corruption can be triggered remotely when the ip_nat_snmp_basic
      module is loaded and traffic on port 161 or 162 is NATed.
      
      Found by multiple testcases of the trap-app and trap-enc groups of the
      PROTOS c06-snmpv1 testsuite.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      1db6b5a6
  4. 20 May, 2006 24 commits
    • Chris Wright's avatar
      Linux 2.6.16.17 · d87319c3
      Chris Wright authored
      d87319c3
    • Vladislav Yasevich's avatar
      [PATCH] SCTP: Validate the parameter length in HB-ACK chunk (CVE-2006-1857) · 1a9807fd
      Vladislav Yasevich authored
      If SCTP receives a badly formatted HB-ACK chunk, it is possible
      that we may access invalid memory and potentially have a buffer
      overflow.  We should really make sure that the chunk format is
      what we expect, before attempting to touch the data.
      Signed-off-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: default avatarSridhar Samudrala <sri@us.ibm.com>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      1a9807fd
    • Vladislav Yasevich's avatar
      [PATCH] SCTP: Respect the real chunk length when walking parameters (CVE-2006-1858) · 0eca2317
      Vladislav Yasevich authored
      When performing bound checks during the parameter processing, we
      want to use the real chunk and paramter lengths for bounds instead
      of the rounded ones.  This prevents us from potentially walking of
      the end if the chunk length was miscalculated.  We still use rounded
      lengths when advancing the pointer. This was found during a
      conformance test that changed the chunk length without modifying
      parameters.
      
      (Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem
      is parameter dependent).
      Signed-off-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: default avatarSridhar Samudrala <sri@us.ibm.com>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      0eca2317
    • Linus Torvalds's avatar
      [PATCH] ptrace_attach: fix possible deadlock schenario with irqs · f91962f9
      Linus Torvalds authored
      Eric Biederman points out that we can't take the task_lock while holding
      tasklist_lock for writing, because another CPU that holds the task lock
      might take an interrupt that then tries to take tasklist_lock for writing.
      
      Which would be a nasty deadlock, with one CPU spinning forever in an
      interrupt handler (although admittedly you need to really work at
      triggering it ;)
      
      Since the ptrace_attach() code is special and very unusual, just make it
      be extra careful, and use trylock+repeat to avoid the possible deadlock.
      
      Cc: Oleg Nesterov <oleg@tv-sign.ru>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Cc: Roland McGrath <roland@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      f91962f9
    • Linus Torvalds's avatar
      [PATCH] Fix ptrace_attach()/ptrace_traceme()/de_thread() race · 65b01b76
      Linus Torvalds authored
      This holds the task lock (and, for ptrace_attach, the tasklist_lock)
      over the actual attach event, which closes a race between attacking to a
      thread that is either doing a PTRACE_TRACEME or getting de-threaded.
      
      Thanks to Oleg Nesterov for reminding me about this, and Chris Wright
      for noticing a lost return value in my first version.
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      65b01b76
    • Christoph Lameter's avatar
      [PATCH] page migration: Fix fallback behavior for dirty pages · 1d4532d4
      Christoph Lameter authored
      Currently we check PageDirty() in order to make the decision to swap out
      the page.  However, the dirty information may be only be contained in the
      ptes pointing to the page.  We need to first unmap the ptes before checking
      for PageDirty().  If unmap is successful then the page count of the page
      will also be decreased so that pageout() works properly.
      
      This is a fix necessary for 2.6.17.  Without this fix we may migrate dirty
      pages for filesystems without migration functions.  Filesystems may keep
      pointers to dirty pages.  Migration of dirty pages can result in the
      filesystem keeping pointers to freed pages.
      
      Unmapping is currently not be separated out from removing all the
      references to a page and moving the mapping.  Therefore try_to_unmap will
      be called again in migrate_page() if the writeout is successful.  However,
      it wont do anything since the ptes are already removed.
      
      The coming updates to the page migration code will restructure the code
      so that this is no longer necessary.
      Signed-off-by: default avatarChristoph Lameter <clameter@sgi.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      1d4532d4
    • Lee Schermerhorn's avatar
      [PATCH] add migratepage address space op to shmem · 75178298
      Lee Schermerhorn authored
      Basic problem: pages of a shared memory segment can only be migrated once.
      
      In 2.6.16 through 2.6.17-rc1, shared memory mappings do not have a
      migratepage address space op.  Therefore, migrate_pages() falls back to
      default processing.  In this path, it will try to pageout() dirty pages.
      Once a shared memory page has been migrated it becomes dirty, so
      migrate_pages() will try to page it out.  However, because the page count
      is 3 [cache + current + pte], pageout() will return PAGE_KEEP because
      is_page_cache_freeable() returns false.  This will abort all subsequent
      migrations.
      
      This patch adds a migratepage address space op to shared memory segments to
      avoid taking the default path.  We use the "migrate_page()" function
      because it knows how to migrate dirty pages.  This allows shared memory
      segment pages to migrate, subject to other conditions such as # pte's
      referencing the page [page_mapcount(page)], when requested.
      
      I think this is safe.  If we're migrating a shared memory page, then we
      found the page via a page table, so it must be in memory.
      
      Can be verified with memtoy and the shmem-mbind-test script, both
      available at:  http://free.linux.hp.com/~lts/Tools/Signed-off-by: default avatarLee Schermerhorn <lee.schermerhorn@hp.com>
      Acked-by: default avatarChristoph Lameter <clameter@sgi.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      75178298
    • Christoph Lameter's avatar
      [PATCH] Remove cond_resched in gather_stats() · 602e0343
      Christoph Lameter authored
      gather_stats() is called with a spinlock held from check_pte_range.  We
      cannot reschedule with a lock held.
      Signed-off-by: default avatarChristoph Lameter <clameter@sgi.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      602e0343
    • Chris Wedgwood's avatar
      [PATCH] VIA quirk fixup, additional PCI IDs · dc0f3695
      Chris Wedgwood authored
      An earlier commit (75cf7456) changed an
      overly-zealous PCI quirk to only poke those VIA devices that need it.
      However, some PCI devices were not included in what I hope is now the full
      list.  Consequently we're failing to run the quirk on all machines which need
      it, causing IRQ routing failures.
      
      This should I hope correct this.
      
      Thanks to Masoud Sharbiani <masouds@masoud.ir> for pointing this out
      and testing the fix.
      Signed-off-by: default avatarChris Wedgwood <cw@f00f.org>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      dc0f3695
    • Chris Wedgwood's avatar
      [PATCH] PCI quirk: VIA IRQ fixup should only run for VIA southbridges · c7249337
      Chris Wedgwood authored
      Alan Cox pointed out that the VIA 'IRQ fixup' was erroneously running
      on my system which has no VIA southbridge (but I do have a VIA IEEE
      1394 device).
      
      This should address that.  I also changed "Via IRQ" to "VIA IRQ"
      (initially I read Via as a capitalized via (by way/means of).
      Signed-off-by: default avatarChris Wedgwood <cw@f00f.org>
      Acked-by: default avatarJeff Garzik <jeff@garzik.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      c7249337
    • Harald Welte's avatar
      [PATCH] Fix udev device creation · 78406b5a
      Harald Welte authored
      This patch corrects the order of the calls to register_chrdev() and
      pcmcia_register_driver().  Now udev correctly creates userspace device
      files /dev/cmmN and /dev/cmxN respectively.
      
      Based on an earlier patch by Jan Niehusmann <jan@gondor.com>.
      Signed-off-by: default avatarHarald Welte <laforge@netfilter.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      78406b5a
    • Jens Axboe's avatar
      [PATCH] limit request_fn recursion · 7984c7b5
      Jens Axboe authored
      Don't recurse back into the driver even if the unplug threshold is met,
      when the driver asks for a requeue. This is both silly from a logical
      point of view (requeues typically happen due to driver/hardware
      shortage), and also dangerous since we could hit an endless request_fn
      -> requeue -> unplug -> request_fn loop and crash on stack overrun.
      
      Also limit blk_run_queue() to one level of recursion, similar to how
      blk_start_queue() works.
      
      This patch fixed a real problem with SLES10 and lpfc, and it could hit
      any SCSI lld that returns non-zero from it's ->queuecommand() handler.
      Signed-off-by: default avatarJens Axboe <axboe@suse.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      7984c7b5
    • Kristen Accardi's avatar
      [PATCH] PCI: correctly allocate return buffers for osc calls · 0cf72aa6
      Kristen Accardi authored
      The OSC set and query functions do not allocate enough space for return values,
      and set the output buffer length to a false, too large value.  This causes the
      acpi-ca code to assume that the output buffer is larger than it actually is,
      and overwrite memory when copying acpi return buffers into this caller provided
      buffer.  In some cases this can cause kernel oops if the memory that is
      overwritten is a pointer.  This patch will change these calls to use a
      dynamically allocated output buffer, thus allowing the acpi-ca code to decide
      how much space is needed.
      Signed-off-by: default avatarKristen Carlson Accardi <kristen.c.accardi@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      0cf72aa6
    • Serge E. Hallyn's avatar
      [PATCH] selinux: check for failed kmalloc in security_sid_to_context() · 3220ee4a
      Serge E. Hallyn authored
      Check for NULL kmalloc return value before writing to it.
      Signed-off-by: default avatarSerge E. Hallyn <serue@us.ibm.com>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      3220ee4a
    • Karsten Keil's avatar
      [PATCH] TG3: ethtool always report port is TP. · 39970bdd
      Karsten Keil authored
      Even with fiber cards ethtool reports that the connected port is TP,
      the patch fix this.
      Signed-off-by: default avatarKarsten Keil <kkeil@suse.de>
      Acked-by: default avatarMichael Chan <mchan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      39970bdd
    • Chris Wright's avatar
      [PATCH] Netfilter: do_add_counters race, possible oops or info leak (CVE-2006-0039) · 893acf3c
      Chris Wright authored
      Solar Designer found a race condition in do_add_counters(). The beginning
      of paddc is supposed to be the same as tmp which was sanity-checked
      above, but it might not be the same in reality. In case the integer
      overflow and/or the race condition are triggered, paddc->num_counters
      might not match the allocation size for paddc. If the check below
      (t->private->number != paddc->num_counters) nevertheless passes (perhaps
      this requires the race condition to be triggered), IPT_ENTRY_ITERATE()
      would read kernel memory beyond the allocation size, potentially causing
      an oops or leaking sensitive data (e.g., passwords from host system or
      from another VPS) via counter increments.  This requires CAP_NET_ADMIN.
      
      https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191698
      
      Cc: Solar Designer <solar@openwall.com>
      Cc: Kirill Korotaev <dev@sw.ru>
      Cc: Patrick McHardy <kaber@trash.net>
      (chrisw: rebase of Kirill's patch to 2.6.16.16)
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      893acf3c
    • Jean Delvare's avatar
      [PATCH] scx200_acb: Fix resource name use after free · 9a4a3539
      Jean Delvare authored
      We can't pass a string on the stack to request_region. As soon as we
      leave the function that stack is gone and the string is lost. Let's
      use the same string we identify the i2c_adapter with instead, it's
      more simple, more consistent, and just works.
      
      This is the second half of fix to bug #6445.
      Signed-off-by: default avatarJean Delvare <khali@linux-fr.org>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      9a4a3539
    • Carl-Daniel Hailfinger's avatar
      [PATCH] smbus unhiding kills thermal management · a9cacd68
      Carl-Daniel Hailfinger authored
      Do not enable the SMBus device on Asus boards if suspend is used.  We do
      not reenable the device on resume, leading to all sorts of undesirable
      effects, the worst being a total fan failure after resume on Samsung P35
      laptop.
      
      This fixes bug #6449 at bugzilla.kernel.org.
      Signed-off-by: default avatarCarl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net>
      Signed-off-by: default avatarPavel Machek <pavel@suse.cz>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarJean Delvare <khali@linux-fr.org>
      a9cacd68
    • Alexey Dobriyan's avatar
      [PATCH] fs/compat.c: fix 'if (a |= b )' typo · 41c83627
      Alexey Dobriyan authored
      Mentioned by Mark Armbrust somewhere on Usenet.
      Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
      Cc: Ulrich Drepper <drepper@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      41c83627
    • Jan Niehusmann's avatar
      [PATCH] smbfs: Fix slab corruption in samba error path · 0ce77590
      Jan Niehusmann authored
      Yesterday, I got the following error with 2.6.16.13 during a file copy from
      a smb filesystem over a wireless link.  I guess there was some error on the
      wireless link, which in turn caused an error condition for the smb
      filesystem.
      
      In the log, smb_file_read reports error=4294966784 (0xfffffe00), which also
      shows up in the slab dumps, and also is -ERESTARTSYS.  Error code 27499
      corresponds to 0x6b6b, so the rq_errno field seems to be the only one being
      set after freeing the slab.
      
      In smb_add_request (which is the only place in smbfs where I found
      ERESTARTSYS), I found the following:
      
              if (!timeleft || signal_pending(current)) {
                      /*
                       * On timeout or on interrupt we want to try and remove the
                       * request from the recvq/xmitq.
                       */
                      smb_lock_server(server);
                      if (!(req->rq_flags & SMB_REQ_RECEIVED)) {
                              list_del_init(&req->rq_queue);
                              smb_rput(req);
                      }
                      smb_unlock_server(server);
              }
      	[...]
              if (signal_pending(current))
                      req->rq_errno = -ERESTARTSYS;
      
      I guess that some codepath like smbiod_flush() caused the request to be
      removed from the queue, and smb_rput(req) be called, without
      SMB_REQ_RECEIVED being set.  This violates an asumption made by the quoted
      code.
      
      Then, the above code calls smb_rput(req) again, the req gets freed, and
      req->rq_errno = -ERESTARTSYS writes into the already freed slab.  As
      list_del_init doesn't cause an error if called multiple times, that does
      cause the observed behaviour (freed slab with rq_errno=-ERESTARTSYS).
      
      If this observation is correct, the following patch should fix it.
      
      I wonder why the smb code uses list_del_init everywhere - using list_del
      instead would catch such situations by poisoning the next and prev
      pointers.
      
      May  4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Firmware error detected.  Restarting.
      May  4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Sysfs 'error' log captured.
      May  4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Firmware error detected.  Restarting.
      May  4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Sysfs 'error' log already exists.
      May  4 23:33:02 knautsch kernel: [17180306.968000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:34:18 knautsch kernel: [17180383.256000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:34:18 knautsch kernel: [17180383.284000] SMB connection re-established (-5)
      May  4 23:37:19 knautsch kernel: [17180563.956000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:40:09 knautsch kernel: [17180733.636000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:40:26 knautsch kernel: [17180750.700000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:43:02 knautsch kernel: [17180907.304000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:43:08 knautsch kernel: [17180912.324000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:43:34 knautsch kernel: [17180938.416000] smb_errno: class Unknown, code 27499 from command 0x6b
      May  4 23:43:34 knautsch kernel: [17180938.416000] Slab corruption: start=c4ebe09c, len=244
      May  4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
      May  4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
      May  4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
      May  4 23:43:34 knautsch kernel: [17180938.416000] 0f0: 00 fe ff ff
      May  4 23:43:34 knautsch kernel: [17180938.416000] Next obj: start=c4ebe19c, len=244
      May  4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
      May  4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
      May  4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
      May  4 23:43:34 knautsch kernel: [17180938.416000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
      May  4 23:43:34 knautsch kernel: [17180938.460000] SMB connection re-established (-5)
      May  4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Firmware error detected.  Restarting.
      May  4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Sysfs 'error' log already exists.
      May  4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Firmware error detected.  Restarting.
      May  4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Sysfs 'error' log already exists.
      May  4 23:45:05 knautsch kernel: [17181029.868000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:45:36 knautsch kernel: [17181060.984000] smb_errno: class Unknown, code 27499 from command 0x6b
      May  4 23:45:36 knautsch kernel: [17181060.984000] Slab corruption: start=c4ebe09c, len=244
      May  4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
      May  4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
      May  4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
      May  4 23:45:36 knautsch kernel: [17181060.984000] 0f0: 00 fe ff ff
      May  4 23:45:36 knautsch kernel: [17181060.984000] Next obj: start=c4ebe19c, len=244
      May  4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
      May  4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
      May  4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
      May  4 23:45:36 knautsch kernel: [17181060.984000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
      May  4 23:45:36 knautsch kernel: [17181061.024000] SMB connection re-established (-5)
      May  4 23:46:17 knautsch kernel: [17181102.132000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:47:46 knautsch kernel: [17181190.468000] smb_errno: class Unknown, code 27499 from command 0x6b
      May  4 23:47:46 knautsch kernel: [17181190.468000] Slab corruption: start=c4ebe09c, len=244
      May  4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
      May  4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
      May  4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
      May  4 23:47:46 knautsch kernel: [17181190.468000] 0f0: 00 fe ff ff
      May  4 23:47:46 knautsch kernel: [17181190.468000] Next obj: start=c4ebe19c, len=244
      May  4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
      May  4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
      May  4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
      May  4 23:47:46 knautsch kernel: [17181190.468000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
      May  4 23:47:46 knautsch kernel: [17181190.492000] SMB connection re-established (-5)
      May  4 23:49:20 knautsch kernel: [17181284.828000] smb_file_read: //some_file validation failed, error=4294966784
      May  4 23:49:39 knautsch kernel: [17181303.896000] smb_file_read: //some_file validation failed, error=4294966784
      Signed-off-by: default avatarJan Niehusmann <jan@gondor.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      0ce77590
    • Trond Myklebust's avatar
      [PATCH] fs/locks.c: Fix sys_flock() race · cad6178c
      Trond Myklebust authored
      sys_flock() currently has a race which can result in a double free in the
      multi-thread case.
      
      Thread 1			Thread 2
      
      sys_flock(file, LOCK_EX)
      				sys_flock(file, LOCK_UN)
      
      If Thread 2 removes the lock from inode->i_lock before Thread 1 tests for
      list_empty(&lock->fl_link) at the end of sys_flock, then both threads will
      end up calling locks_free_lock for the same lock.
      
      Fix is to make flock_lock_file() do the same as posix_lock_file(), namely
      to make a copy of the request, so that the caller can always free the lock.
      
      This also has the side-effect of fixing up a reference problem in the
      lockd handling of flock.
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      cad6178c
    • Pete Zaitcev's avatar
      [PATCH] USB: ub oops in block_uevent · 572ae685
      Pete Zaitcev authored
      In kernel 2.6.16, if a mounted storage device is removed, an oops happens
      because ub supplies an interface device (and kobject) to the block layer,
      but neglects to pin it. And apparently, the block layer expects its users
      to pin device structures.
      
      The code in ub was broken this way for years. But the bug was exposed only
      by 2.6.16 when it started to call block_uevent on close, which traverses
      device structures (kobjects actually).
      Signed-off-by: default avatarPete Zaitcev <zaitcev@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      572ae685
    • Craig Brind's avatar
      [PATCH] via-rhine: zero pad short packets on Rhine I ethernet cards · 3aa2b052
      Craig Brind authored
      Fixes Rhine I cards disclosing fragments of previously transmitted frames
      in new transmissions.
      
      Before transmission, any socket buffer (skb) shorter than the ethernet
      minimum length of 60 bytes was zero-padded.  On Rhine I cards the data can
      later be copied into an aligned transmission buffer without copying this
      padding.  This resulted in the transmission of the frame with the extra
      bytes beyond the provided content leaking the previous contents of this
      buffer on to the network.
      
      Now zero-padding is repeated in the local aligned buffer if one is used.
      
      Following a suggestion from the via-rhine maintainer, no attempt is made
      here to avoid the duplicated effort of padding the skb if it is known that
      an aligned buffer will definitely be used.  This is to make the change
      "obviously correct" and allow it to be applied to a stable kernel if
      necessary.  There is no change to the flow of control and the changes are
      only to the Rhine I code path.
      
      The patch has run on an in-service Rhine-I host without incident.  Frames
      shorter than 60 bytes are now correctly zero-padded when captured on a
      separate host.  I see no unusual stats reported by ifconfig, and no unusual
      log messages.
      Signed-off-by: default avatarCraig Brind <craigbrind@gmail.com>
      Signed-off-by: default avatarRoger Luethi <rl@hellgate.ch>
      Cc: Jeff Garzik <jeff@garzik.org>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarJeff Garzik <jeff@garzik.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      3aa2b052
    • NeilBrown's avatar
      [PATCH] md: Avoid oops when attempting to fix read errors on raid10 · 37f94ce7
      NeilBrown authored
      We should add to the counter for the rdev *after* checking if the rdev is
      NULL!!!
      Signed-off-by: default avatarNeil Brown <neilb@suse.de>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
      37f94ce7