Linux kernel source tree https://git.amat.us/linux/atom/?h=v2.6.14.1 2005-11-08T19:22:55Z 2005-11-08T19:22:55Z Greg Kroah-Hartman gregkh@suse.de 2005-11-08T19:22:55Z urn:sha1:93b188a95f1da119769a1165086b7d2912603470 2005-11-08T19:14:00Z Al Viro viro@zeniv.linux.org.uk 2005-11-08T15:03:46Z urn:sha1:e4e0411221c7d4f2bd82fa5e21745f927a1bff28 You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then wait for interface to go away, try to grab as much memory as possible in hope to hit the (kfreed) ctl_table. Then fill it with pointers to your function. Then do read from file you've opened and if you are lucky, you'll get it called as ->proc_handler() in kernel mode. So this is at least an Oops and possibly more. It does depend on an interface going away though, so less of a security risk than it would otherwise be. Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2005-10-28T00:02:08Z Linus Torvalds torvalds@g5.osdl.org 2005-10-28T00:02:08Z urn:sha1:741b2252a5e14d6c60a913c77a6099abe73a854a "Better late than never" 2005-10-27T23:58:20Z Linus Torvalds torvalds@g5.osdl.org 2005-10-27T23:58:20Z urn:sha1:cdada08eb26e7cc57bb423e51e6e70fd5450a0b5 2005-10-27T23:29:24Z Dave Jones davej@redhat.com 2005-10-27T23:16:25Z urn:sha1:927321440976d0781a252eefe686ae6b0f236ae2 Don't try to access not-present CPUs. Conservative governor will always oops on SMP without this fix. Fixes http://bugzilla.kernel.org/show_bug.cgi?id=4781 Signed-off-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com> Signed-off-by: Dave Jones <davej@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> 2005-10-27T23:28:39Z Linus Torvalds torvalds@g5.osdl.org 2005-10-27T23:28:39Z urn:sha1:79b95a454bb5c1d9b7287d1016a70885ba3f346c Commit id 6142891a0c0209c91aa4a98f725de0d6e2ed4918 Andi Kleen reports that it seems to break things for some people, and since it's purely a small optimization, revert it for now. Signed-off-by: Linus Torvalds <torvalds@osdl.org> 2005-10-27T17:11:04Z Herbert Xu herbert@gondor.apana.org.au 2005-10-27T08:47:46Z urn:sha1:2ad41065d9fe518759b695fc2640cf9c07261dd2 This bug is responsible for causing the infamous "Treason uncloaked" messages that's been popping up everywhere since the printk was added. It has usually been blamed on foreign operating systems. However, some of those reports implicate Linux as both systems are running Linux or the TCP connection is going across the loopback interface. In fact, there really is a bug in the Linux TCP header prediction code that's been there since at least 2.1.8. This bug was tracked down with help from Dale Blount. The effect of this bug ranges from harmless "Treason uncloaked" messages to hung/aborted TCP connections. The details of the bug and fix is as follows. When snd_wnd is updated, we only update pred_flags if tcp_fast_path_check succeeds. When it fails (for example, when our rcvbuf is used up), we will leave pred_flags with an out-of-date snd_wnd value. When the out-of-date pred_flags happens to match the next incoming packet we will again hit the fast path and use the current snd_wnd which will be wrong. In the case of the treason messages, it just happens that the snd_wnd cached in pred_flags is zero while tp->snd_wnd is non-zero. Therefore when a zero-window packet comes in we incorrectly conclude that the window is non-zero. In fact if the peer continues to send us zero-window pure ACKs we will continue making the same mistake. It's only when the peer transmits a zero-window packet with data attached that we get a chance to snap out of it. This is what triggers the treason message at the next retransmit timeout. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com> 2005-10-27T16:08:43Z Roland McGrath roland@redhat.com 2005-10-27T10:16:42Z urn:sha1:72ab373a5688a78cbdaf3bf96012e597d5399bb7 This just makes sure that a thread's expiry times can't get reset after it clears them in do_exit. This is what allowed us to re-introduce the stricter BUG_ON() check in a362f463a6d316d14daed0f817e151835ce97ff7. Signed-off-by: Linus Torvalds <torvalds@osdl.org> 2005-10-27T16:07:33Z Linus Torvalds torvalds@g5.osdl.org 2005-10-27T16:07:33Z urn:sha1:a362f463a6d316d14daed0f817e151835ce97ff7 This reverts commit 3de463c7d9d58f8cf3395268230cb20a4c15bffa. Roland has another patch that allows us to leave the BUG_ON() in place by just making sure that the condition it tests for really is always true. That goes in next. Signed-off-by: Linus Torvalds <torvalds@osdl.org> 2005-10-26T22:21:14Z Oleg Nesterov oleg@tv-sign.ru 2005-10-26T16:26:53Z urn:sha1:7a4ed937aa44acdeb8c6ba671509dc7b54b09d3a There's a silly off-by-one error in the code that updates the expiration of posix CPU timers, causing them to not be properly updated when they hit exactly on their expiration time (which should be the normal case). This causes them to then fire immediately again, and only _then_ get properly updated. Signed-off-by: Linus Torvalds <torvalds@osdl.org>