- Jan 21, 2008
-
-
Adrian Bunk authored
-
Trond Myklebust authored
It looks like nfs_setattr() and nfs_rename() also need to test whether the target is a regular file before calling nfs_wb_all()... It isn't technically needed since the version of nfs_wb_all() that exists on 2.6.16 should be safe to call on non-regular files (it will be a no-op). However it is a useful optimisation. Signed-off-by:
Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by:
Adrian Bunk <bunk@kernel.org>
-
Trond Myklebust authored
Ensure that we flush out writes in the case when someone calls utimes() in order to set the file times. Signed-off-by:
-
- Jan 20, 2008
-
-
Ingo Molnar authored
fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043 only allow coredumping to the same uid that the coredumping task runs under. Signed-off-by:
Ingo Molnar <mingo@elte.hu> Signed-off-by:
-
Karsten Keil authored
Fix possible memory overrun issue in the isdn ioctl code. Found by ADLAB <adlab@venustech.com.cn> Signed-off-by:
Karsten Keil <kkeil@suse.de> Signed-off-by:
-
Karsten Keil authored
Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9416 Signed-off-by:
-
Al Viro authored
Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk> Signed-off-by:
-
Adrian Bunk authored
Signed-off-by: -
Ben Collins authored
Signed-off-by:
Ben Collins <bcollins@ubuntu.com> Signed-off-by:
-
Herbert Xu authored
[ Upstream commit: 1c9b7aa1 ] Al went through the ip_fast_csum callers and found this piece of code that did not validate the IP header. While root crashing the machine by sending bogus packets through raw or AF_PACKET sockets isn't that serious, it is still nice to react gracefully. This patch ensures that the skb has enough data for an IP header and that the header length field is valid. Adrian Bunk: Backported to 2.6.16 following instructions by David Miller. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Eric Dumazet authored
[ Upstream commit: d8c92830 ] I noticed "ip route list cache x.y.z.t" can be *very* slow. While strace-ing -T it I also noticed that first part of route cache is fetched quite fast : recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202 GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = +3772 <0.000047> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) += 3736 <0.000042> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) += 3740 <0.000055> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) += 3712 <0.000043> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) += 3732 <0.000053> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202 GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = +3708 <0.000052> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202 GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = +3680 <0.000041> while the part at the end of the table is more expensive: recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., +16384}], msg_controllen=0, msg_flags=0}, 0) = 3656 <0.003857> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., +16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.003891> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., +16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.003765> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., +16384}], msg_controllen=0, msg_flags=0}, 0) = 3700 <0.003879> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., +16384}], msg_controllen=0, msg_flags=0}, 0) = 3676 <0.003797> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., +16384}], msg_controllen=0, msg_flags=0}, 0) = 3724 <0.003856> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., +16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.003848> The following patch corrects this performance/latency problem, removing quadratic behavior. Signed-off-by:
Eric Dumazet <dada1@cosmosbay.com> Signed-off-by:
-
Al Viro authored
New types - for 16bit checksums and "unfolded" 32bit variant. Signed-off-by:
-
David S. Miller authored
[ Upstream commit: d011a231 ] skb->truesize was not being incremented at all to reflect the page based data added to RX SKBs. Signed-off-by:
-
Al Viro authored
[ Upstream commit: e5e02540 ] Here's proposed fix for RX checksum handling in cassini; it affects little-endian working with half-duplex gigabit, but obviously needs testing on big-endian too. The problem is, we need to convert checksum to fixed-endian *before* correcting for (unstripped) FCS. On big-endian it won't matter (conversion is no-op), on little-endian it will, but only if FCS is not stripped by hardware; i.e. in half-duplex gigabit mode when ->crc_size is set. cassini.c part is that fix, cassini.h one consists of trivial endianness annotations. With that applied the sucker is endian-clean, according to sparse. Signed-off-by:
-
Chas Williams authored
[ Upstream commit: 52961955 ] Adrian Bunk: Backported to 2.6.16. Signed-off-by:
Chas Williams <chas@cmf.nrl.navy.mil> Signed-off-by:
-
Jeff Moyer authored
Minor number 0 (under the raw major) is reserved for the rawctl device file, which is used to query, set, and unset raw device bindings. However, the ioctl interface does not protect the user from specifying a raw device with minor number 0: $ sudo ./raw /dev/raw/raw0 /dev/VolGroup00/swap /dev/raw/raw0: bound to major 253, minor 2 $ ls -l /dev/rawctl ls: /dev/rawctl: No such file or directory $ ls -l /dev/raw/raw0 crw------- 1 root root 162, 0 Jan 12 10:51 /dev/raw/raw0 $ sudo ./raw -qa Cannot open master raw device '/dev/rawctl' (No such file or directory) As you can see, this prevents any further raw operations from succeeding. The fix (from Steve Fernandez) is quite simple - do not allow the allocation of minor number 0. Signed-off-by:
Jeff Moyer <jmoyer@redhat.com> Signed-off-by:
-
- Jan 19, 2008
-
-
Adrian Bunk authored
-
- Jan 16, 2008
-
-
Adrian Bunk authored
-
Roland McGrath authored
patch a3474224 in mainline The original meaning of the old test (p->state > TASK_STOPPED) was "not dead", since it was before TASK_TRACED existed and before the state/exit_state split. It was a wrong correction in commit 14bf01bb to make this test for TASK_TRACED instead. It should have been changed when TASK_TRACED was introducted and again when exit_state was introduced. Signed-off-by:
Roland McGrath <roland@redhat.com> Signed-off-by:
-
Eric Sandeen authored
First reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html Essentially a corrupted minix dir inode reporting a very large i_size will loop for a very long time in minix_readdir, minix_find_entry, etc, because on EIO they just move on to try the next page. This is under the BKL, printk-storming as well. This can lock up the machine for a very long time. Simply ratelimiting the printks gets things back under control. Make the message a bit more informative while we're here. Adrian Bunk: Backported to 2.6.16. Signed-off-by:
Eric Sandeen <sandeen@redhat.com> Signed-off-by:
-
Denis Vlasenko authored
Believe it or not, but in fs/minix/*, the oldest filesystem in the kernel, something still can be fixed: printk("new_inode: bit already set"); "\n" is missing! While at it, I also removed periods from the end of error messages and made capitalization uniform. Also s/i-node/inode/, s/printk (/printk(/ Signed-off-by:Denis Vlasenko <vda@ilport.com.ua> Signed-off-by:
-
- Jan 15, 2008
-
-
Linus Torvalds authored
patch 974a9f0b in mainline Way back when (in commit 834f2a4a, aka "VFS: Allow the filesystem to return a full file pointer on open intent" to be exact), Trond changed the open logic to keep track of the original flags to a file open, in order to pass down the the intent of a dentry lookup to the low-level filesystem. However, when doing that reorganization, it changed the meaning of namei_flags, and thus inadvertently changed the test of access mode for directories (and RO filesystem) to use the wrong flag. So fix those test back to use access mode ("acc_mode") rather than the open flag ("flag"). Issue noticed by Bill Roman at Datalight. Reported-and-tested-by:
Bill Roman <bill.roman@datalight.com> Acked-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
-
Herbert Xu authored
[ Upstream commit: f398035f ] The aalgos/ealgos fields are only 32 bits wide. However, af_key tries to test them with the expression 1 << id where id can be as large as 253. This produces different behaviour on different architectures. The following patch explicitly checks whether ID is greater than 31 and fails the check if that's the case. We cannot easily extend the mask to be longer than 32 bits due to exposure to user-space. Besides, this whole interface is obsolete anyway in favour of the xfrm_user interface which doesn't use this bit mask in templates (well not within the kernel anyway). Signed-off-by:
-
Maximilian Attems authored
[ Upstream commit: 9e8d6f89 ] easy to trigger as user with sfuzz. irda_create() is quiet on unknown sock->type, match this behaviour for SOCK_DGRAM unknown protocol Signed-off-by:
Maximilian Attems <max@stro.at> Signed-off-by:
-
Mark McLoughlin authored
[ Upstream commit: 44344b2a ] When re-naming an interface, the previous secondary address labels get lost e.g. $> brctl addbr foo $> ip addr add 192.168.0.1 dev foo $> ip addr add 192.168.0.2 dev foo label foo:00 $> ip addr show dev foo | grep inet inet 192.168.0.1/32 scope global foo inet 192.168.0.2/32 scope global foo:00 $> ip link set foo name bar $> ip addr show dev bar | grep inet inet 192.168.0.1/32 scope global bar inet 192.168.0.2/32 scope global bar:2 Turns out to be a simple thinko in inetdev_changename() - clearly we want to look at the address label, rather than the device name, for a suffix to retain. Signed-off-by:
Mark McLoughlin <markmc@redhat.com> Signed-off-by:
-
Herbert Xu authored
[ Upstream commit: f844c74f ] We currently check that iph->ihl is bounded by the real length and that the real length is greater than the minimum IP header length. However, we did not check the caes where iph->ihl is less than the minimum IP header length. This breaks because some ip_fast_csum implementations assume that which is quite reasonable. Signed-off-by:
-
Li Zefan authored
cn_queue_free_callback() will touch 'dev'(i.e. cbq->pdev), so it should be called before atomic_dec(&dev->refcnt). Signed-off-by:
Li Zefan <lizf@cn.fujitsu.com> Signed-off-by:
-
Russ Dill authored
Back in 2.6.12-pre, usb_start_wait_urb was switched over to take milliseconds instead of jiffies. kaweth.c was never updated to match. Signed-off-by:
Russ Dill <Russ.Dill@asu.edu> Signed-off-by:
-
David S. Miller authored
[ Upsteam commit: 0de56d1a ] We need to mask out the proper bits when testing the dispatch status register else we can see unrelated NACK bits from previous cross call sends. Signed-off-by:
-
Evgeniy Polyakov authored
[ Upstream commit: d31c7b8f ] Avaid provided test application, so bug got fixed. IPv6 addrconf removes ipv6 inner device from netdev each time cmu changes and new value is less than IPV6_MIN_MTU (1280 bytes). When mtu is changed and new value is greater than IPV6_MIN_MTU, it does not add ipv6 addresses and inner device bac. This patch fixes that. Tested with Avaid's application, which works ok now. Signed-off-by:
Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by:
-
Adrian Bunk authored
struct input_device_id mustn't be userspace visible since it uses kernel_ulong_t. Signed-off-by:
-
- Jan 06, 2008
-
-
Al Viro authored
no-op as all dma_sync_... there. Adrian Bunk: Backported to 2.6.16. Signed-off-by:
-
Ivan Kokshaysky authored
This patch cherry picks the following from commit 9548b209: fix build failure with gcc-4.2.x: fix up casts in cia_io* routines to avoid warnings ('discards qualifiers from pointer target type'), which are failures, thanks to -Werror; Signed-off-by:
Ivan Kokshaysky <ink@jurassic.park.msu.ru> Signed-off-by:
-
Adrian Bunk authored
-
- Jan 05, 2008
-
-
Adrian Bunk authored
-
Alan Cox authored
Actually there are several but one is trivially fixed 1. FSACTL_GET_NEXT_ADAPTER_FIB ioctl does not lock dev->fib_list but needs to 2. Ditto for FSACTL_CLOSE_GET_ADAPTER_FIB 3. It is possible to construct an attack via the SRB ioctls where the user obtains assorted elevated privileges. Various approaches are possible, the trivial ones being things like writing to the raw media via scsi commands and the swap image of other executing programs with higher privileges. So the ioctls should be CAP_SYS_RAWIO - at least all the FIB manipulating ones. This is a bandaid fix for #3 but probably the ioctls should grow their own capable checks. The other two bugs need someone competent in that driver to fix them. Signed-off-by:
Alan Cox <alan@redhat.com> Acked-by:
Mark Salyzyn <mark_salyzyn@adaptec.com> Signed-off-by:
James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by:
-
Jean Delvare authored
Missing parentheses in the definition of FAN_FROM_REG cause a division by zero for a specific register value. Signed-off-by:
Jean Delvare <khali@linux-fr.org> Acked-by:
Hans de Goede <j.w.r.degoede@hhs.nl> Signed-off-by:
Mark M. Hoffman <mhoffman@lightlink.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by:
-
Jean Delvare authored
A stupid bit shifting bug caused the VID value to be always exported even when the hardware is configured for something different. Signed-off-by:
-
Charles Hardin authored
[ Upstream commit: 435000be ] Kernel needs to respond to an SADB_GET with the same message type to conform to the RFC 2367 Section 3.1.5 Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
Chas Williams authored
[ Upstream commit: 8a8037ac ] if you are lucky (unlucky?) enough to have shared interrupts, the interrupt handler can be called before the tasklet and lock are ready for use. Signed-off-by:
-
