- 24 Mar, 2008 8 commits
Jorge Boncompte [DTI2] authored
Upstream commit: 12aa343a Commit a0a400d7 ("[NET]: dev_mcast: add multicast list synchronization helpers") from you introduced a new field "da_synced" to struct dev_addr_list that is not properly initialized to 0. So when any of the current users (8021q, macvlan, mac80211) calls dev_mc_sync/unsync they mess the address list for both devices. The attached patch fixed it for me and avoids future problems. Signed-off-by:
Jorge Boncompte [DTI2] <jorge@dti2.net> Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by:
Chris Wright <chrisw@sous-sol.org>
-
David S. Miller authored
Upstream commit: a4425859 Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by:
Chris Wright <chrisw@sous-sol.org>
-
Matheos Worku authored
Upstream commit: 3b5bcede BMAC port alternate MAC address index needs to start at 1. Index 0 is used for the main MAC address. Signed-off-by:
Matheos Worku <matheos.worku@sun.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by:
Chris Wright <chrisw@sous-sol.org>
-
Matheos Worku authored
Upstream commit: fa907895 From: Matheos Worku <Matheos.Worku@Sun.COM> 1) niu_enable_alt_mac() needs to be adjusted so that the mask is computed properly for the BMAC case. 2) BMAC has 6 alt MAC addresses available, not 7. Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by:
Chris Wright <chrisw@sous-sol.org>
-
David S. Miller authored
Upstream commit: 7adc3830 If all of the entropy is in the local and foreign addresses, but xor'ing together would cancel out that entropy, the current hash performs poorly. Suggested by Cosmin Ratiu: Basically, the situation is as follows: There is a client machine and a server machine. Both create 15000 virtual interfaces, open up a socket for each pair of interfaces and do SIP traffic. By profiling I noticed that there is a lot of time spent walking the established hash chains with this particular setup. The addresses were distributed like this: client interfaces were 198.18.0.1/16 with increments of 1 and server interfaces were 198.18.128.1/16 with increments of 1. As I said, there were 15000 interfaces. Source and destination ports were 5060 for each connection. So in this case, ports don't matter for hashing purposes, and the bits from the address pairs used cancel each other, meaning there are no differences in the whole lot of pairs, so they all end up in the same hash chain. Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by:
Chris Wright <chrisw@sous-sol.org>
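The cancellation described in the commit message above, reproduced as an added example (not code from the commit or the kernel). `hash_xor_first` models any hash that XORs the two addresses before mixing; `hash_words_separate` and its mixer are stand-ins chosen for illustration, and the table size is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAIRS    15000u   /* interface pairs, as in the report */
#define BUCKETS  4096u    /* constructed table size (power of two) */
#define SIP_PORT 5060u    /* source and destination port in the report */

/* Model of a hash that XORs local and foreign address before mixing. */
static uint32_t hash_xor_first(uint32_t laddr, uint32_t faddr,
                               uint16_t lport, uint16_t fport)
{
    uint32_t h = (laddr ^ faddr) ^ ((uint32_t)lport ^ fport);
    h ^= h >> 16;
    h ^= h >> 8;
    return h & (BUCKETS - 1);
}

/* Stand-in mixer (assumption, not the kernel's function). */
static uint32_t mix(uint32_t h, uint32_t word)
{
    h ^= word;
    h *= 0x9E3779B1u;
    h ^= h >> 15;
    return h;
}

/* Each address is fed to the mixer as its own word, so bits that are
 * equal in both addresses cannot cancel before mixing. */
static uint32_t hash_words_separate(uint32_t laddr, uint32_t faddr,
                                    uint16_t lport, uint16_t fport)
{
    uint32_t h = mix(0, laddr);
    h = mix(h, faddr);
    h = mix(h, ((uint32_t)lport << 16) | fport);
    return h & (BUCKETS - 1);
}

/* Length of the longest hash chain for the address layout in the report. */
unsigned longest_chain(int xor_first)
{
    static unsigned chain[BUCKETS];
    unsigned longest = 0;

    memset(chain, 0, sizeof chain);
    for (uint32_t i = 0; i < PAIRS; i++) {
        uint32_t client = 0xC6120001u + i;   /* 198.18.0.1   + i */
        uint32_t server = 0xC6128001u + i;   /* 198.18.128.1 + i */
        uint32_t b = xor_first
            ? hash_xor_first(client, server, SIP_PORT, SIP_PORT)
            : hash_words_separate(client, server, SIP_PORT, SIP_PORT);
        if (++chain[b] > longest)
            longest = chain[b];
    }
    return longest;
}

int main(void)
{
    /* client ^ server is 0x8000 for every pair: only bit 15 differs and
     * the increments never carry into it, so the XOR input is constant. */
    printf("xor first:      longest chain %u of %u\n", longest_chain(1), PAIRS);
    printf("separate words: longest chain %u of %u\n", longest_chain(0), PAIRS);
    return 0;
}
```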
-
David S. Miller authored
Upstream commit: f0e98c38 Reported by Adrian Bunk. Just like in changeset a3f99858 ("[SPARC64]: Move kernel unaligned trap handlers into assembler file.") we have to move the assembler bits into a separate asm file because as far as the compiler is concerned these inline bits we're doing in unaligned.c are unreachable. Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by:
Chris Wright <chrisw@sous-sol.org>
-
David S. Miller authored
Upstream commits: 622eaec6 be71716e Some parts of the kernel now do things like do *_user() accesses while set_fs(KERNEL_DS) that fault on purpose. See, for example, the code added by changeset a0c1e907 ("futex: runtime enable pi and robust functionality"). That trips up the ASI sanity checking we make in do_kernel_fault(). Just remove it for now. Maybe we can add it back later with an added conditional which looks at the current get_fs() value. Also, because of the new futex validation init handler, we have to accept faults in init section text as well as the normal kernel text. Thanks to Tom Callaway for the bug report. Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by:
Chris Wright <chrisw@sous-sol.org>
-
Greg Kroah-Hartman authored
This reverts commit 5fb7ba76. It was incorrectly added to the .24.y stable tree and causes build breakages. Cc: Stephen Hemminger <stephen.hemminger@vyatta.com> Cc: David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by:
Chris Wright <chrisw@sous-sol.org>
-
- 26 Feb, 2008 32 commits
Greg Kroah-Hartman authored
-
Ingo Molnar authored
(no matching git id as the upstream code is rewritten) fix CPA cache attribute bug in v2.6.24. When phys_base is nonzero (when CONFIG_RELOCATABLE=y) then change_page_attr_addr() miscalculates the secondary alias address by -14 MB (depending on the configured offset). The default 64-bit kernels of Fedora and Ubuntu are affected:

  $ grep RELOCA /boot/config-2.6.23.9-85.fc8
  CONFIG_RELOCATABLE=y
  $ grep RELOC /boot/config-2.6.22-14-generic
  CONFIG_RELOCATABLE=y

and probably on many other distros as well. the bug affects all pages in the first 40 MB of physical RAM that are allocated by some subsystem that does ioremap_nocache() on them:

  if (__pa(address) < KERNEL_TEXT_SIZE) {

Hence we might leave page table entries with inconsistent cache attributes around (pages mapped at both UnCacheable and Write-Back), and we can also set the wrong kernel text pages to UnCacheable. the effects of this bug can be random slowdowns and other misbehavior. If for example AGP allocates its aperture pages into the first 40 MB of physical RAM, then the -14 MB bug might mark random kernel text pages as uncacheable, slowing down a random portion of the 64-bit kernel until the AGP driver is unloaded. Signed-off-by:
Ingo Molnar <mingo@elte.hu> Acked-by:
Thomas Gleixner <tglx@linutronix.de> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Jay Vosburgh authored
patch 4fe4763c in mainline. Fix the "are we creating a duplicate" check to not compare the name if the name is NULL (meaning that the system should select a name). Bug reported by Benny Amorsen <benny+usenet@amorsen.dk>. Signed-off-by:
Jay Vosburgh <fubar@us.ibm.com> Signed-off-by:
Jeff Garzik <jeff@garzik.org> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Olaf Hering authored
Commit: 092ca5bd [POWERPC] Revert chrp_pci_fixup_vt8231_ata devinit to fix libata on pegasos Commit 6d98bda7 changed the init order for chrp_pci_fixup_vt8231_ata(). It can not work anymore because either the irq is not yet set to 14 or pci_get_device() returns nothing. At least the printk() in chrp_pci_fixup_vt8231_ata() does not trigger anymore. pata_via works again on Pegasos with the change below. Signed-off-by:
Olaf Hering <olaf@aepfle.de> Signed-off-by:
Paul Mackerras <paulus@samba.org> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Chuck Ebbert authored
Commit: a1a98b72 Fix station address detection in smc Megahertz EM1144 PCMCIA ethernet adapter needs special handling because it has two VERS_1 tuples and the station address is in the second one. Conversion to generic handling of these fields broke it. Reverting that fixes the device. https://bugzilla.redhat.com/show_bug.cgi?id=233255 Thanks go to Jon Stanley for not giving up on this one until the problem was found. Signed-off-by:
Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
Jeff Garzik <jeff@garzik.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Boaz Harrosh authored
commit: 61c92814 The patch: "gdth: switch to modern scsi host registration" missed one simple fact when moving away from scsi_module.c. That is to call scsi_scan_host() on the probed host. With this the gdth driver from 2.6.24 is again able to see drives and boot. Signed-off-by:
Boaz Harrosh <bharrosh@panasas.com> Tested-by:
Joerg Dorchain <joerg@dorchain.net> Tested-by:
Stefan Priebe <s.priebe@allied-internet.ag> Tested-by:
Jon Chelton <jchelton@ffpglobal.com> Signed-off-by:
James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Oliver Neukum authored
commit 19028690 upstream if you fail in open() you must decrement the pm counter again. Signed-off-by:
Oliver Neukum <oneukum@suse.de> Signed-off-by:
Pete Zaitcev <zaitcev@redhat.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Heiko Carstens authored
commit: d5b02b3f upstream Add missing exception table entry so that the kernel can handle protection exceptions as well on the cs instruction. Currently only specification exceptions are handled correctly. The missing entry allows user space to crash the kernel. Signed-off-by:
Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by:
Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Thomas Gleixner authored
commit 89d694b9 The default_disable() function was changed in commit: 76d21601 genirq: do not mask interrupts by default It removed the mask function in favour of the default delayed interrupt disabling. Unfortunately this also broke the shutdown in free_irq() when the last handler is removed from the interrupt for those architectures which rely on the default implementations. Now we can end up with an enabled interrupt line after the last handler was removed, which can result in spurious interrupts. Fix this by adding a default_shutdown function, which is only installed, when the irqchip implementation does provide neither a shutdown nor a disable function. Pointed-out-by:
Michael Hennerich <Michael.Hennerich@analog.com> Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Acked-by:
Ingo Molnar <mingo@elte.hu> Tested-by:
Michael Hennerich <Michael.Hennerich@analog.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Thomas Gleixner authored
commit 63070a79 A CLOCK_REALTIME timer, which has an absolute expiry time less than the clock realtime offset calls with a negative delta into the clock events code and triggers the WARN_ON() there. This is a false positive and needs to be prevented. Check the result of timer->expires - timer->base->offset right away and return -ETIME right away. Thanks to Frans Pop, who reported the problem and tested the fixes. Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Tested-by:
Frans Pop <elendil@planet.nl> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Thomas Gleixner authored
commit: 5a7780e7 Various user space callers ask for relative timeouts. While we fixed that overflow issue in hrtimer_start(), the sites which convert relative user space values to absolute timeouts themselves were uncovered. Instead of putting overflow checks into each place add a function which does the sanity checking and convert all affected callers to use it. Thanks to Frans Pop, who reported the problem and tested the fixes. Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Acked-by:
Ingo Molnar <mingo@elte.hu> Tested-by:
Frans Pop <elendil@planet.nl> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Christoph Lameter authored
patch 5bb983b0 in mainline. gcc 4.2 spits out an annoying warning if one casts a const void * pointer to a void * pointer. No warning is generated if the conversion is done through an assignment. Signed-off-by:
Christoph Lameter <clameter@sgi.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Oleg Nesterov authored
commit 41652937 Spotted by Pavel Emelyanov and Alexey Dobriyan. compat_sys_nanosleep() implicitly uses hrtimer_nanosleep_restart(), this can't work. Make a suitable compat_nanosleep_restart() helper. Introduced by commit c70878b4 hrtimer: hook compat_sys_nanosleep up to high res timer code Also, set ->addr_limit = KERNEL_DS before doing hrtimer_nanosleep(), this func was changed by the previous patch and now takes the "__user *" parameter. Thanks to Ingo Molnar for fixing the bug in this patch. Signed-off-by:
Oleg Nesterov <oleg@tv-sign.ru> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Alexey Dobriyan <adobriyan@sw.ru> Cc: Pavel Emelyanov <xemul@sw.ru> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Toyo Abe <toyoa@mvista.com> Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Oleg Nesterov authored
commit 080344b9 Spotted by Pavel Emelyanov and Alexey Dobriyan. hrtimer_nanosleep() sets restart_block->arg1 = rmtp, but this rmtp points to the local variable which lives in the caller's stack frame. This means that if sys_restart_syscall() actually happens and it is interrupted as well, we don't update the user-space variable, but write into the already dead stack frame. Introduced by commit 04c22714 hrtimer: Rework hrtimer_nanosleep to make sys_compat_nanosleep easier Change the callers to pass "__user *rmtp" to hrtimer_nanosleep(), and change hrtimer_nanosleep() to use copy_to_user() to actually update *rmtp. Small problem remains. man 2 nanosleep states that *rtmp should be written if nanosleep() was interrupted (it says nothing whether it is OK to update *rmtp if nanosleep returns 0), but (with or without this patch) we can dirty *rem even if nanosleep() returns 0. NOTE: this patch doesn't change compat_sys_nanosleep(), because it has other bugs. Fixed by the next patch. Signed-off-by:
Oleg Nesterov <oleg@tv-sign.ru> Cc: Alexey Dobriyan <adobriyan@sw.ru> Cc: Michael Kerrisk <mtk.manpages@googlemail.com> Cc: Pavel Emelyanov <xemul@sw.ru> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Toyo Abe <toyoa@mvista.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Benjamin Herrenschmidt authored
patch 592a607b in mainline. It appears that with the U3 northbridge, if the processor is in NAP mode the whole time while waiting for an SMU command to complete, then the SMU will fail. It could be related to the weird backward mechanism the SMU uses to get to system memory via i2c to the northbridge that doesn't operate properly when the said bridge is napping along with the CPU. That is on U3 at least, U4 doesn't seem to be affected. This didn't show before NO_HZ as the timer wakeup was enough to make it work it seems, but that is no longer the case. This fixes it by disabling NAP mode on those machines while an SMU command is in flight. Signed-off-by:
Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by:
Paul Mackerras <paulus@samba.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Jonathan Corbet authored
patch 900cf086 in mainline. So I spent a while pounding my head against my monitor trying to figure out the vmsplice() vulnerability - how could a failure to check for *read* access turn into a root exploit? It turns out that it's a buffer overflow problem which is made easy by the way get_user_pages() is coded. In particular, "len" is a signed int, and it is only checked at the *end* of a do {} while() loop. So, if it is passed in as zero, the loop will execute once and decrement len to -1. At that point, the loop will proceed until the next invalid address is found; in the process, it will likely overflow the pages array passed in to get_user_pages(). I think that, if get_user_pages() has been asked to grab zero pages, that's what it should do. Thus this patch; it is, among other things, enough to block the (already fixed) root exploit and any others which might be lurking in similar code. I also think that the number of pages should be unsigned, but changing the prototype of this function probably requires some more careful review. Signed-off-by:
Jonathan Corbet <corbet@lwn.net> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
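The loop shape described in the commit message above, as an added user-space model (not the kernel's get_user_pages() and not the patch itself). All names are hypothetical: `mapped` stands for the number of consecutive valid pages before the next invalid address, `capacity` for the size of the caller's pages array, and writes past the array are counted instead of performed.

```c
#include <stdio.h>

struct walk {
    int stored;    /* page slots the loop filled */
    int past_end;  /* of those, how many fell beyond the caller's array */
};

/*
 * Model of a page-grabbing loop whose signed length is tested only at the
 * bottom of a do {} while () loop.
 *   len              - number of pages requested (signed, as in the message)
 *   mapped           - valid pages available before the next invalid address
 *   capacity         - slots in the caller's pages array
 *   check_zero_first - nonzero models the fixed behaviour: a request for
 *                      zero (or fewer) pages returns before the loop runs
 */
static struct walk grab_pages(int len, int mapped, int capacity,
                              int check_zero_first)
{
    struct walk w = { 0, 0 };
    int slot = 0;

    if (check_zero_first && len <= 0)
        return w;

    do {
        if (slot >= mapped)
            break;              /* next invalid address: walk ends here */
        if (slot >= capacity)
            w.past_end++;       /* real code would store to pages[slot] */
        w.stored++;
        slot++;
        len--;                  /* 0 becomes -1 on the first pass */
    } while (len);              /* -1 is nonzero, so the loop keeps going */

    return w;
}

int main(void)
{
    /* Constructed sizes: 64 valid pages, 16-slot array. */
    struct walk ok     = grab_pages(4, 64, 16, 0);
    struct walk broken = grab_pages(0, 64, 16, 0);
    struct walk fixed  = grab_pages(0, 64, 16, 1);

    printf("len=4, no check: stored=%d past_end=%d\n", ok.stored, ok.past_end);
    printf("len=0, no check: stored=%d past_end=%d\n",
           broken.stored, broken.past_end);
    printf("len=0, check:    stored=%d past_end=%d\n",
           fixed.stored, fixed.past_end);
    return 0;
}
```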
-
Herbert Xu authored
Upstream commit: 406a1d86 The recent UDP patch exposed this bug in the audit code. It was calling pskb_expand_head without increasing skb->truesize. The caller of pskb_expand_head needs to do so because that function is designed to be called in places where truesize is already fixed and therefore it doesn't update its value. Because the audit system is using it in a place where the truesize has not yet been fixed, it needs to update its value manually. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Acked-by:
James Morris <jmorris@namei.org> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Dave Young authored
Upstream commit: b6c06321 The bluetooth hci_conn sysfs add/del executed in the default workqueue. If the del_conn is executed after the new add_conn with same target, add_conn will fail with warning of "same kobject name". Here add btaddconn & btdelconn workqueues, flush the btdelconn workqueue in the add_conn function to avoid the issue. Signed-off-by:
Dave Young <hidave.darkstar@gmail.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Herbert Xu authored
Upstream commit: 29ffe1a5 When ip_fragment has to hit the slow path the value of skb->truesize may go out of sync because we would have updated it without changing the packet length. This violates the constraints on truesize. This patch postpones the update of skb->truesize to prevent this. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Arnaldo Carvalho de Melo authored
Upstream commit: 8cf8e5a6 Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=9825 The inet_diag_lock_handler function uses ERR_PTR to encode errors but its callers were testing against NULL. This only happens when the only inet_diag modular user, DCCP, is not built into the kernel or available as a module. Also there was a problem with not dropping the mutex lock when a handler was not found, also fixed in this patch. This caused an OOPS and ss would then hang on subsequent calls, as &inet_diag_table_mutex was being left locked. Thanks to spike at ml.yaroslavl.ru for reporting it after trying 'ss -d' on a kernel that doesn't have DCCP available. This bug was introduced in cset d523a328 ("Fix inet_diag dead-lock regression"), after 2.6.24-rc3, so just 2.6.24 seems to be affected. Signed-off-by:
Arnaldo Carvalho de Melo <acme@redhat.com> Acked-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Herbert Xu authored
Upstream commit: 2614fa59 When I moved the nexthdr setting out of IPComp I accidentally moved the reading of ipch->nexthdr after the decompression. Unfortunately this means that we'd be reading from a stale ipch pointer which doesn't work very well. This patch moves the reading up so that we get the correct nexthdr value. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Herbert Xu authored
Upstream commit: b1641064 I made a silly typo by entering IPPROTO_IP (== 0) instead of IPPROTO_IPIP (== 4). This broke the reception of incompressible packets. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Julian Anastasov authored
Upstream commit: c18865f3 fib_info can be shared by many route prefixes but we don't want duplicate alternative routes for a prefix+tos+priority. Last change was not correct to check fib_treeref because it accounts usage from other prefixes. Additionally, avoid replacement without error if new route is same, as Joonwoo Park suggests. Signed-off-by:
Julian Anastasov <ja@ssi.bg> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Julian Anastasov authored
Upstream commit: 936f6f8e Update fib_trie with some fib_hash fixes:
- check for duplicate alternative routes for prefix+tos+priority when replacing route
- properly insert by matching tos together with priority
- fix alias walking to use list_for_each_entry_continue for insertion and deletion when fa_head is not NULL
- copy state from fa to new_fa on replace (not a problem for now)
- additionally, avoid replacement without error if new route is same, as Joonwoo Park suggests.
Signed-off-by:
Julian Anastasov <ja@ssi.bg> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Stephen Hemminger authored
Upstream commit: dded9161 if_addrlabel.h is needed for iproute2 usage. Signed-off-by:
Stephen Hemminger <stephen.hemminger@vyatta.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Stephen Hemminger authored
Upstream commit: 268bcca1 Setting up a meta match causes a kernel OOPS because of uninitialized elements in tree.

[ 37.322381] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[ 37.322381] IP: [<ffffffff883fc717>] :em_meta:em_meta_destroy+0x17/0x80
[ 37.322381] Call Trace:
[ 37.322381] [<ffffffff803ec83d>] tcf_em_tree_destroy+0x2d/0xa0
[ 37.322381] [<ffffffff803ecc8c>] tcf_em_tree_validate+0x2dc/0x4a0
[ 37.322381] [<ffffffff803f06d2>] nla_parse+0x92/0xe0
[ 37.322381] [<ffffffff883f9672>] :cls_basic:basic_change+0x202/0x3c0
[ 37.322381] [<ffffffff802a3917>] kmem_cache_alloc+0x67/0xa0
[ 37.322381] [<ffffffff803ea221>] tc_ctl_tfilter+0x3b1/0x580
[ 37.322381] [<ffffffff803dffd0>] rtnetlink_rcv_msg+0x0/0x260
[ 37.322381] [<ffffffff803ee944>] netlink_rcv_skb+0x74/0xa0
[ 37.322381] [<ffffffff803dffc8>] rtnetlink_rcv+0x18/0x20
[ 37.322381] [<ffffffff803ee6c3>] netlink_unicast+0x263/0x290
[ 37.322381] [<ffffffff803cf276>] __alloc_skb+0x96/0x160
[ 37.322381] [<ffffffff803ef014>] netlink_sendmsg+0x274/0x340
[ 37.322381] [<ffffffff803c7c3b>] sock_sendmsg+0x12b/0x140
[ 37.322381] [<ffffffff8024de90>] autoremove_wake_function+0x0/0x30
[ 37.322381] [<ffffffff8024de90>] autoremove_wake_function+0x0/0x30
[ 37.322381] [<ffffffff803c7c3b>] sock_sendmsg+0x12b/0x140
[ 37.322381] [<ffffffff80288611>] zone_statistics+0xb1/0xc0
[ 37.322381] [<ffffffff803c7e5e>] sys_sendmsg+0x20e/0x360
[ 37.322381] [<ffffffff803c7411>] sockfd_lookup_light+0x41/0x80
[ 37.322381] [<ffffffff8028d04b>] handle_mm_fault+0x3eb/0x7f0
[ 37.322381] [<ffffffff8020c2fb>] system_call_after_swapgs+0x7b/0x80

Signed-off-by:
Stephen Hemminger <shemminger@vyatta.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Paul Moore authored
Upstream commit: e1770d97 As pointed out by Adrian Bunk, commit 45c950e0 ("fix memory leak in netlabel code") caused a double-free when security_netlbl_sid_to_secattr() fails. This patch fixes this by removing the netlbl_secattr_destroy() call from that function since we are already releasing the secattr memory in selinux_netlbl_sock_setsid(). Signed-off-by:
Paul Moore <paul.moore@hp.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Stephen Hemminger authored
Upstream commit: 04f217ac If userspace passes an unknown match index into em_meta, then em_meta_change will return an error and the data for the match will not be set. This then causes a null pointer dereference when the cleanup is done in the error path via tcf_em_tree_destroy. Since the tree structure comes from kzalloc, it is initialized to NULL. Discovered when testing a new version of tc command against an accidental older kernel. Signed-off-by:
Stephen Hemminger <shemminger@vyatta.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Shan Wei authored
Upstream commit: 16ca3f91 In strategy_allowed_congestion_control of the 2.6.24 kernel, when sysctl_string returns 1 on success, it should call tcp_set_allowed_congestion_control to set the allowed congestion control. But it doesn't. sysctl_string returns 1 on success, otherwise returns negative, and never returns 0. The patch fixes the problem. Signed-off-by:
Shan Wei <shanwei@cn.fujitsu.com> Acked-by:
Stephen Hemminger <shemminger@vyatta.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
James Bottomley authored
patch 366c246d in mainline. Some devices report medium error locations incorrectly. Add guards to make sure the reported bad lba is actually in the request that caused it. Additionally remove the large case statement for sector sizes and replace it with the proper u64 divisions. Tested-by:
Mike Snitzer <snitzer@gmail.com> Cc: Stable Tree <stable@kernel.org> Cc: Tony Battersby <tonyb@cybernetics.com> Signed-off-by:
James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Al Viro authored
patch 9c52fab2 in mainline. The MSSR constants didn't match the reality - bitfield declarations used to be correct (1000BT_FD - bit 11, 1000BT_HD - bit 10), but enum had them the other way round. Went unnoticed until the switch from the bitfields use to the explicit arithmetics and I hadn't caught that one when verifying correctness of change... Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
David Chinner authored
patch 450790a2 in mainline. Several occurrences of oops in xfs_file_readdir() on ia32 have been reported since 2.6.24 was released. This is a regression introduced in 2.6.24 and is relatively easy to hit. The patch below fixes the problem. Signed-off-by:
Dave Chinner <dgc@sgi.com> Signed-off-by:
Lachlan McIlroy <lachlan@sgi.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>