summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)Author
2006-05-21[PATCH] binfmt_flat: don't check for EMFILEAndrew Morton
Bernd Schmidt points out that binfmt_flat is now leaving the exec file open while the application runs. This offsets all the application's fd numbers. We should have closed the file within exec(), not at exit()-time. But there doesn't seem to be a lot of point in doing all this just to avoid going over RLIMIT_NOFILE by one fd for a few microseconds. So take the EMFILE checking out again. This will cause binfmt_flat to again fail LTP's exec-should-return-EMFILE-when-fdtable-is-full test. That test appears to be wrong anyway - Open Group specs say nothing about exec() returning EMFILE. Cc: Bernd Schmidt <bernd.schmidt@analog.com> Cc: Greg Ungerer <gerg@uclinux.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-05-21[PATCH] HID read busywait fixMicon, David
Make a read of a HID device block until data is available. Without it, the read goes into a busy-wait loop until data is available. Cc: Greg KH <greg@kroah.com> Acked-by: Vojtech Pavlik <vojtech@suse.cz> Cc: Dmitry Torokhov <dtor_core@ameritech.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-05-21[PATCH] nfsd: sign conversion obscuring errors in nfsd_set_posix_acl()Florin Malita
Assigning the result of posix_acl_to_xattr() to an unsigned data type (size/size_t) obscures possible errors. Coverity CID: 1206. Signed-off-by: Florin Malita <fmalita@gmail.com> Acked-by: NeilBrown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-05-21[PATCH] md: Fix inverted test for 'repair' directive.NeilBrown
We should be able to write 'repair' to /sys/block/mdX/md/sync_action, however due to and inverted test, that always given EINVAL. Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-05-21[PATCH] NFS server subtree_check returns dubious valuePeter Staubach
Address a problem found when a Linux NFS server uses the "subtree_check" export option. The "subtree_check" NFS export option was designed to prohibit a client from using a file handle for which it should not have permission. The algorithm used is to ensure that the entire path to the file being referenced is accessible to the user attempting to use the file handle. If some part of the path is not accessible, then the operation is aborted and the appropriate version of ESTALE is returned to the NFS client. The error, ESTALE, is unfortunate in that it causes NFS clients to make certain assumptions about the continued existence of the file. They assume that the file no longer exists and refuse to attempt to access it again. In this case, the file really does exist, but access was denied by the server for a particular user. A better error to return would be an EACCES sort of error. This would inform the client that the particular operation that it was attempting was not allowed, without the nasty side effects of the ESTALE error. Signed-off-by: Peter Staubach <staubach@redhat.com> Acked-By: NeilBrown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-05-21[PATCH] Kdump maintainer info updateVivek Goyal
Update MAINTAINERS file for info regarding kdump maintainership. Signed-off-by: Vivek Goyal <vgoyal@in.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-05-21[PATCH] powerpc: Fix ide-pmac sysfs entryBenjamin Herrenschmidt
It looks like the generic ide code now wants ide_init_hwif_ports() to set the parent struct device into the ide_hw structure (new field ?). Without this, the mac ide code can cause the ide probing code to explode in flames in sysfs registration due to what looks like a stale pointer in there (happens when removing/re-inserting one of the hotswap media bays on some laptops). Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Bartlomiej Zolnierkiewicz <B.Zolnierkiewicz@elka.pw.edu.pl> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-05-21[PATCH] i386: remove junk from stack dumpChuck Ebbert
i386 stack dump has a "<0>" in the middle of the line and an extra space between columns in multicolumn mode. Remove those and also remove an extra blank line of source code. Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-05-21[PATCH] matroxfb: fix DVI setup to be more compatiblePaul A. Clarke
There has been a longstanding problem with the Matrox G450 and perhaps other similar cards, with modes "above" 1280x1024-60 on ppc/ppc64 boxes running Linux. Higher resolutions and/or higher refresh rates resulted in a very noticably "jittery" display, and sometimes no display, depending on the physical monitor. This patch fixes that problem on the systems I have easy access to... I've tested with SLES9SP3 (2.6.5+ kernel) and 2.6.16-rc6 custom kernels on an IBM eServer p5 520 w/G450 (a.k.a GXT135P on IBM's ppc64 systems), and a colleague of mine (Ian Romanick) tested it successfully on an Apple ppc32 box (w/GXT135P). I also tested it on IA32 box I have with a GXT135P to verify that it didn't obviously break anything. In my testing, I covered single-card, single and dual-head setups using both HD15 and DVI-D signals, on both the IA32 and ppc64 boxes. While everything appeared fine on both boxes, I did encounter one problem: I can't get any signal on the DVI-D output on the ppc64 box. However, this is also the case without my patch. I just noticed that screen-blanking only occurs on the primary display as well. Signed-off-by: Paul A. Clarke <pc@us.ibm.com> Signed-off-by: Ian Romanick <idr@us.ibm.com> Signed-off-by: Petr Vandrovec <petr@vandrovec.name> Cc: "Antonino A. Daplas" <adaplas@pol.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-05-21[PATCH] NFS: fix error handling on access_ok in compat_sys_nfsservctlLin Feng Shen
Functions compat_nfs_svc_trans, compat_nfs_clnt_trans, compat_nfs_exp_trans, compat_nfs_getfd_trans and compat_nfs_getfs_trans, which are called by compat_sys_nfsservctl(fs/compat.c), don't handle the return value of access_ok properly. access_ok return 1 when the addr is valid, and 0 when it's not, but these functions have the reversed understanding. When the address is valid, they always return -EFAULT to compat_sys_nfsservctl. An example is to run /usr/sbin/rpc.nfsd(32bit program on Power5). It doesn't function as expected. strace showes that nfsservctl returns -EFAULT. The patch fixes this by correcting the error handling on the return value of access_ok in the five functions. Signed-off-by: Lin Feng Shen <shenlinf@cn.ibm.com> Cc: Trond Myklebust <trond.myklebust@fys.uio.no> Acked-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-05-21[PATCH] forcedeth: fix multi irq issuesAyaz Abdulla
With Manfred Spraul <manfred@colorfullife.com> and Andrew Morton <akpm@osdl.org> Bring back this recently-reverted patch, only fixed. Original changelog: From: Ayaz Abdulla <aabdulla@nvidia.com> This patch fixes the issues with multiple irqs. I am resending based on feedback. I decoupled the dma mask for consistent memory and fixed leak with multiple irq in error path. Thanks to Manfred for catching the spin lock problem. Fix it: From: Manfred Spraul <manfred@colorfullife.com> Fix bug introduced by ebf34c9b6fcd22338ef764b039b3ac55ed0e297b, covered in http://bugzilla.kernel.org/show_bug.cgi?id=6568. Remove second instance of the request_irq() calls: they were moved from nv_open into nv_request_irq. Thanks to Alistair Strachan <alistair@devzero.co.uk> for reporting and persisting. Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com> Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Cc: Jeff Garzik <jeff@garzik.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-05-20Merge branch 'upstream-fixes' of ↵Linus Torvalds
master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev * 'upstream-fixes' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev: [PATCH] libata-core: fix current kernel-doc warnings [PATCH] sata_mv: version bump [PATCH] sata_mv: endian fix [PATCH] sata_mv: remove local copy of queue indexes [PATCH] sata_mv: spurious interrupt workaround [PATCH] sata_mv: chip initialization fixes [PATCH] sata_mv: deal with interrupt coalescing interrupts [PATCH] sata_mv: prevent unnecessary double-resets
2006-05-20[PATCH] libata-core: fix current kernel-doc warningsRandy Dunlap
Fix all current kernel-doc warnings. Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] sata_mv: version bumpMark Lord
Increment the version number inside sata_mv.c. Signed-off-by: Mark Lord <liml@rtr.ca> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] sata_mv: endian fixMark Lord
This fixes a byte-swap issue on PPC, found by Zang Roy-r61911 on the powerpc platform. His original patch also had some other platform-specific changes in #ifdef's, but I'm not sure yet how to incorporate them. Look for another patch for those (soon). Signed-off-by: Mark Lord <liml@rtr.ca> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] sata_mv: remove local copy of queue indexesMark Lord
The driver currently keeps local copies of the hardware request/response queue indexes. But it expends significant effort ensuring consistency between the two views, and still gets it wrong after an error or reset occurs. This patch removes the local copies, in favour of just accessing the hardware whenever we need them. Eventually this may need to be tweaked again for NCQ, but for now this works and solves problems some users were seeing. Signed-off-by: Mark Lord <liml@rtr.ca> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] sata_mv: spurious interrupt workaroundMark Lord
The 60xx chips, and possibly others, incorrectly assert DEV_IRQ interrupts on a regular basis. The cause of this is under investigation (by me and in theory by Marvell also), but regardless we do need to deal with these events. This patch tidies up some interrupt handler code, and ensures that we ignore DEV_IRQ interrupts when the drive still has ATA_BUSY asserted. Signed-off-by: Mark Lord <liml@rtr.ca> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] sata_mv: chip initialization fixesMark Lord
The interface control register of the 60xx (and later) Marvell chip requires certain bits to always be set when writing to it. These bits incorrectly read-back as zeros, so the pattern must be ORed in with each write of the register. Also, bit 12 should NOT be set (note that Marvell's own driver also had bit-12 wrong here). While we're at it, we also now do pci_set_master() in the init code. Signed-off-by: Mark Lord <liml@rtr.ca> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] sata_mv: deal with interrupt coalescing interruptsMark Lord
In some systems, it is possible that the BIOS may have enabled interrupt coalescing for the Marvell controllers which support it. This patch adds code to detect/ack interrupts from the chip's coalescing (combing) logic. Signed-off-by: Mark Lord <liml@rtr.ca> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] sata_mv: prevent unnecessary double-resetsMark Lord
The mv_err_intr() function is invoked from the driver's interrupt handler, as well as from the timeout function. This patch prevents it from triggering a one-after-the-other double reset of the controller when invoked from the timeout function. This also adds a check for a timeout race condition that has been observed to occur with this driver in earlier kernels. This should not be needed, in theory, but in practice it has caught bugs. Maybe nuke it at a later date. Signed-off-by: Mark Lord <liml@rtr.ca> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] winbond-840-remove-badness-in-pci_map_singleErling A. Jacobsen
Call pci_map_single() with the actual size of the receive buffers, not 0 (which skb->len is initialized to by dev_alloc_skb()). Signed-off-by: Erling A. Jacobsen <linuxcub@email.dk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] network: axnet_cs: bug fix multicast code (support older ax88190 ↵Komuro
chipset) Dear Jeff axnet_cs: bug fix multicast code (support older ax88190 chipset) Signed-off-by: komurojun-mbn@nifty.com Best Regards Komuro Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] skge: don't allow transmit ring to be too smallStephen Hemminger
The driver will get stuck (permanent transmit timeout), if the transmit ring size is set too small. It needs to have enough ring elements to hold one maximum size transmit. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] skge: bad checksums on big-endian platformsStephen Hemminger
Skge driver always causes bad checksums on big-endian. The checksum in the receive control block was being swapped when it doesn't need to be. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20Merge branch 'upstream-fixes' of ↵Jeff Garzik
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 into upstream-fixes
2006-05-20[PATCH] sky2 version 1.4Stephen Hemminger
Need to track impact of this group of changes. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] sky2: force NAPI repoll if busyStephen Hemminger
If the status ring processing can't keep up with the incoming frames, it is more efficient to have NAPI keep scheduling the poll routine rather than causing another interrupt. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] sky2: more fixes for Yukon UltraStephen Hemminger
Logic error in the phy initialization code. Also, turn on wake on lan bit in status control. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] Subjec: sky2, skge: correct PCI id for DGE-560TStephen Hemminger
The Dlink DGE-560T uses Yukon2 chipset so it needs sky2 driver; and the DGE-530T uses Yukon1 so it uses skge driver. Bug: http://bugzilla.kernel.org/show_bug.cgi?id=6544 Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] sky2: allow dual port usageStephen Hemminger
If both ports are receiving on the SysKonnect dual port cards, then it appears the bus interface unit can give an interrupt status for frame before DMA has completed. This leads to bogus frames and general confusion. This is why receive checksumming is also messed up on dual port cards. A workaround for the out of order receive problem is to eliminating split transactions on PCI-X. This version is based of the current linux-2.6.git including earlier patch to disable dual ports. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] via-rhine: revert "change mdelay to msleep and remove from ISR path"John W. Linville
Revert previous patch with subject "change mdelay to msleep and remove from ISR path". This patch seems to have caused bigger problems than it solved, and it didn't solve much of a problem to begin with... Discussion about backing-out this patch can be found here: http://marc.theaimsgroup.com/?l=linux-netdev&m=114321570402396&w=2 The git commit associated w/ the original patch is: 6ba98d311d0a4ff7dc36d8f435ce60174f4c30ec Signed-off-by: John W. Linville <linville@tuxdriver.com Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-20[PATCH] revert "forcedeth: fix multi irq issues"Andrew Morton
Revert ebf34c9b6fcd22338ef764b039b3ac55ed0e297b. Maybe. Due to crashes at shutdown - see http://bugzilla.kernel.org/show_bug.cgi?id=6568. Cc: Ayaz Abdulla <aabdulla@nvidia.com> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: Jeff Garzik <jeff@garzik.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
2006-05-19Merge branch 'for-linus' of ↵Linus Torvalds
master.kernel.org:/pub/scm/linux/kernel/git/roland/infiniband * 'for-linus' of master.kernel.org:/pub/scm/linux/kernel/git/roland/infiniband: IB/mthca: Fix posting lists of 256 receive requests for Tavor IB/uverbs: Don't leak ref to mm on error path IB/srp: Complete correct SCSI commands on device reset IB/srp: Get rid of extra scsi_host_put()s if reconnection fails IB/srp: Don't wait for disconnection if sending DREQ fails IB/mthca: Make fw_cmd_doorbell default to 0
2006-05-19Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: [SCTP]: Allow linger to abort 1-N style sockets. [SCTP]: Validate the parameter length in HB-ACK chunk. [SCTP]: Respect the real chunk length when walking parameters. [SCTP]: A better solution to fix the race between sctp_peeloff() and [SCTP]: Set sk_err so that poll wakes up after a non-blocking connect failure.
2006-05-19Merge master.kernel.org:/home/rmk/linux-2.6-mmcLinus Torvalds
* master.kernel.org:/home/rmk/linux-2.6-mmc: [ARM] 3531/1: i.MX/MX1 SD/MMC ensure, that clock are stopped before new command and cleanups
2006-05-19Merge master.kernel.org:/home/rmk/linux-2.6-armLinus Torvalds
* master.kernel.org:/home/rmk/linux-2.6-arm: [ARM] 3533/1: Implement the __raw_(read|write)_can_lock functions on ARM [ARM] 3530/1: PXA Mainstone: prevent double enable_irq() in pcmcia [ARM] 3529/1: s3c24xx: fix restoring control register with undefined instruction
2006-05-19Merge master.kernel.org:/pub/scm/linux/kernel/git/wim/linux-2.6-watchdogLinus Torvalds
* master.kernel.org:/pub/scm/linux/kernel/git/wim/linux-2.6-watchdog: [WATCHDOG] s3c2410_wdt.c stop watchdog after boot [WATCHDOG] i8xx_tco.c - remove support for ICH6 + ICH7 [WATCHDOG] Documentation/watchdog/watchdog-api.txt - fix watchdog daemon [WATCHDOG] sc1200wdt.c printk fix
2006-05-19[SCTP]: Allow linger to abort 1-N style sockets.Vladislav Yasevich
Enable SO_LINGER functionality for 1-N style sockets. The socket API draft will be clarfied to allow for this functionality. The linger settings will apply to all associations on a given socket. Signed-off-by: Vladislav Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
2006-05-19[SCTP]: Validate the parameter length in HB-ACK chunk.Vladislav Yasevich
If SCTP receives a badly formatted HB-ACK chunk, it is possible that we may access invalid memory and potentially have a buffer overflow. We should really make sure that the chunk format is what we expect, before attempting to touch the data. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
2006-05-19[ARM] 3533/1: Implement the __raw_(read|write)_can_lock functions on ARMCatalin Marinas
Patch from Catalin Marinas Recent patches introduced the write_can_lock() call in the kernel/ptrace.c file. Implement the __raw_* variants on ARM (SMP) as well. Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-05-19[ARM] 3531/1: i.MX/MX1 SD/MMC ensure, that clock are stopped before new ↵Pavel Pisa
command and cleanups Patch from Pavel Pisa There has been problems that for some paths that clock are not stopped during new command programming and initiation. Result is issuing of incorrect command to the card. Some other problems are cleaned too. Noisy report of known ERRATUM #4 has been suppressed. Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-05-19[SCTP]: Respect the real chunk length when walking parameters.Vladislav Yasevich
When performing bound checks during the parameter processing, we want to use the real chunk and paramter lengths for bounds instead of the rounded ones. This prevents us from potentially walking of the end if the chunk length was miscalculated. We still use rounded lengths when advancing the pointer. This was found during a conformance test that changed the chunk length without modifying parameters. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
2006-05-19[SCTP]: A better solution to fix the race between sctp_peeloff() andVladislav Yasevich
sctp_rcv(). The goal is to hold the ref on the association/endpoint throughout the state-machine process. We accomplish like this: /* ref on the assoc/ep is taken during lookup */ if owned_by_user(sk) sctp_add_backlog(skb, sk); else inqueue_push(skb, sk); /* drop the ref on the assoc/ep */ However, in sctp_add_backlog() we take the ref on assoc/ep and hold it while the skb is on the backlog queue. This allows us to get rid of the sock_hold/sock_put in the lookup routines. Now sctp_backlog_rcv() needs to account for potential association move. In the unlikely event that association moved, we need to retest if the new socket is locked by user. If we don't this, we may have two packets racing up the stack toward the same socket and we can't deal with it. If the new socket is still locked, we'll just add the skb to its backlog continuing to hold the ref on the association. This get's rid of the need to move packets from one backlog to another and it also safe in case new packets arrive on the same backlog queue. The last step, is to lock the new socket when we are moving the association to it. This is needed in case any new packets arrive on the association when it moved. We want these to go to the backlog since we would like to avoid the race between this new packet and a packet that may be sitting on the backlog queue of the old socket toward the same association. Signed-off-by: Vladislav Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
2006-05-19[SCTP]: Set sk_err so that poll wakes up after a non-blocking connect failure.Sridhar Samudrala
Also fix some other cases where sk_err is not set for 1-1 style sockets. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
2006-05-19[NETFILTER]: nfnetlink_log: fix byteorder confusionPatrick McHardy
flags is a u16, so use htons instead of htonl. Also avoid double conversion. Noticed by Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-19[NETFILTER]: Fix do_add_counters race, possible oops or info leak ↵Solar Designer
(CVE-2006-0039) Solar Designer found a race condition in do_add_counters(). The beginning of paddc is supposed to be the same as tmp which was sanity-checked above, but it might not be the same in reality. In case the integer overflow and/or the race condition are triggered, paddc->num_counters might not match the allocation size for paddc. If the check below (t->private->number != paddc->num_counters) nevertheless passes (perhaps this requires the race condition to be triggered), IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size, potentially causing an oops or leaking sensitive data (e.g., passwords from host system or from another VPS) via counter increments. This requires CAP_NET_ADMIN. Signed-off-by: Solar Designer <solar@openwall.com> Signed-off-by: Kirill Korotaev <dev@openvz.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-19[NETFILTER]: GRE conntrack: fix htons/htonl confusionAlexey Dobriyan
GRE keys are 16 bit. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-19[NETFILTER]: fix format specifier for netfilter log targetsPhilip Craig
The prefix argument for nf_log_packet is a format specifier, so don't pass the user defined string directly to it. Signed-off-by: Philip Craig <philipc@snapgear.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-19[NETFILTER]: Fix memory leak in ipt_recentJesper Juhl
The Coverity checker spotted that we may leak 'hold' in net/ipv4/netfilter/ipt_recent.c::checkentry() when the following is true: if (!curr_table->status_proc) { ... if(!curr_table) { ... return 0; <-- here we leak. Simply moving an existing vfree(hold); up a bit avoids the possible leak. Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-18IB/mthca: Fix posting lists of 256 receive requests for TavorMichael S. Tsirkin
If we post a list of length 256 exactly, nreq in doorbell gets set to 256 which is wrong: it should be encoded by 0. This is because we only zero it out on the next WR, which may not be there. The solution is to ring the doorbell after posting a WQE, not before posting the next one. Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com>