aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2007-05-01Linux 2.6.16.50-rc1v2.6.16.50-rc1Adrian Bunk
2007-05-01[IPV6]: Disallow RH0 by default (CVE-2007-2242)Adrian Bunk
A security issue is emerging. Disallow Routing Header Type 0 by default as we have been doing for IPv4. This version already includes a fix for the original patch. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-05-01[NETLINK]: Infinite recursion in netlink (CVE-2007-1861)Adrian Bunk
Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel, which resulted in infinite recursion and stack overflow. The bug is present in all kernel versions since the feature appeared. The patch also makes some minimal cleanup: 1. Return something consistent (-ENOENT) when fib table is missing 2. Do not crash when queue is empty (does not happen, but yet) 3. Put result of lookup Sergey Vlasov: Oops fix Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: Sergey Vlasov <vsu@altlinux.ru> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-26Char: icom, mark __init as __devinitJiri Slaby
Two functions are called from __devinit context, but they are marked as __init. Fix this. Signed-off-by: Jiri Slaby <jirislaby@gmail.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-26aio: remove bare user-triggerable error printkZach Brown
The user can generate console output if they cause do_mmap() to fail during sys_io_setup(). This was seen in a regression test that does exactly that by spinning calling mmap() until it gets -ENOMEM before calling io_setup(). We don't need this printk at all, just remove it. Signed-off-by: Zach Brown <zach.brown@oracle.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-26mca_nmi_hook() can be called at any pointAl Viro
... and having it __init is a bad idea. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-25IrDA: irttp_dup spin_lock initialisationGuennadi Liakhovetski
Without this initialization one gets kernel BUG at kernel/rtmutex_common.h:80! Signed-off-by: G. Liakhovetski <gl@dsa-ac.de> Signed-off-by: Samuel Ortiz <samuel@sortiz.org> Acked-by: David Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-25IrDA: Incorrect TTP header reservationJeet Chaudhuri
We must reserve SAR + MAX_HEADER bytes for IrLMP to fit in. This fixes an oops reported (and fixed) by Jeet Chaudhuri, when max_sdu_size is greater than 0. Signed-off-by: Samuel Ortiz <samuel@sortiz.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-24x86 microcode: don't check the sizeShaohua Li
IA32 manual says if micorcode update's size is 0, then the size is default size (2048 bytes). But this doesn't suggest all microcode update's size should be above 2048 bytes to me. We actually had a microcode update whose size is 1024 bytes. The patch just removed the check. Backported by Daniel Drake. Signed-off-by: Daniel Drake <dsd@gentoo.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-23Linux 2.6.16.49v2.6.16.49Adrian Bunk
2007-04-21Linux 2.6.16.49-rc1v2.6.16.49-rc1Adrian Bunk
2007-04-21tty_io: fix race in master pty close/slave pty close pathAristeu Sergio Rozanski Filho
This patch fixes a possible race that leads to double freeing an idr index. When the master begin to close, release_dev() is called and then pty_close() is called: if (tty->driver->close) tty->driver->close(tty, filp); This is done without helding any locks other than BKL. Inside pty_close(), being a master close, the devpts entry will be removed: #ifdef CONFIG_UNIX98_PTYS if (tty->driver == ptm_driver) devpts_pty_kill(tty->index); #endif But devpts_pty_kill() will call get_node() that may sleep while waiting for &devpts_root->d_inode->i_sem. When this happens and the slave is being opened, tty_open() just found the driver and index: driver = get_tty_driver(device, &index); if (!driver) { mutex_unlock(&tty_mutex); return -ENODEV; } This part of the code is already protected under tty_mute. The problem is that the slave close already got an index. Then init_dev() is called and blocks waiting for the same &devpts_root->d_inode->i_sem. When the master close resumes, it removes the devpts entry, and the relation between idr index and the tty is gone. The master then sleeps waiting for the tty_mutex on release_dev(). Slave open resumes and found no tty for that index. As result, a NULL tty is returned and init_dev() doesn't flow to fast_track: /* check whether we're reopening an existing tty */ if (driver->flags & TTY_DRIVER_DEVPTS_MEM) { tty = devpts_get_tty(idx); if (tty && driver->subtype == PTY_TYPE_MASTER) tty = tty->link; } else { tty = driver->ttys[idx]; } if (tty) goto fast_track; The result of this, is that a new tty will be created and init_dev() returns sucessfull. After returning, tty_mutex is dropped and master close may resume. Master close finds it's the only use and both sides are closing, then releases the tty and the index. At this point, the idr index is free, but slave still has it. Slave open then calls pty_open() and finds that tty->link->count is 0, because there's no master and returns error. Then tty_open() calls release_dev() which executes without any warning, as it was a case of last slave close when the master is already closed (master->count == 0, slave->count == 1). The tty is then released with the already released idr index. This normally would only issue a warning on idr_remove() but in case of a customer's critical application, it's never too simple: thread1: opens master, gets index X thread1: begin closing master thread2: begin opening slave with index X thread1: finishes closing master, index X released thread3: opens master, gets index X, just released thread2: fails opening slave, releases index X <---- thread4: opens master, gets index X, init_dev() then find an already in use and healthy tty and fails If no more indexes are released, ptmx_open() will keep failing, as the first free index available is X, and it will make init_dev() fail because you're trying to "reopen a master" which isn't valid. The patch notices when this race happens and make init_dev() fail imediately. The init_dev() function is called with tty_mutex held, so it's safe to continue with tty till the end of function because release_dev() won't make any further changes without grabbing the tty_mutex. Without the patch, on some machines it's possible get easily idr warnings like this one: idr_remove called for id=15 which is not allocated. [<c02555b9>] idr_remove+0x139/0x170 [<c02a1b62>] release_mem+0x182/0x230 [<c02a28e7>] release_dev+0x4b7/0x700 [<c02a0ea7>] tty_ldisc_enable+0x27/0x30 [<c02a1e64>] init_dev+0x254/0x580 [<c02a0d64>] check_tty_count+0x14/0xb0 [<c02a4f05>] tty_open+0x1c5/0x340 [<c02a4d40>] tty_open+0x0/0x340 [<c017388f>] chrdev_open+0xaf/0x180 [<c017c2ac>] open_namei+0x8c/0x760 [<c01737e0>] chrdev_open+0x0/0x180 [<c0167bc9>] __dentry_open+0xc9/0x210 [<c0167e2c>] do_filp_open+0x5c/0x70 [<c0167a91>] get_unused_fd+0x61/0xd0 [<c0167e93>] do_sys_open+0x53/0x100 [<c0167f97>] sys_open+0x27/0x30 [<c010303b>] syscall_call+0x7/0xb using this test application available on: http://www.ruivo.org/~aris/pty_sodomizer.c Signed-off-by: Aristeu Sergio Rozanski Filho <aris@ruivo.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-21elevator: move clearing of unplug flag earlierLinas Vepstas
A flag was recently added to the elevator code to avoid performing an unplug when reuests are being re-queued. The goal of this flag was to avoid a deep recursion that can occur when re-queueing requests after a SCSI device/host reset. See http://lkml.org/lkml/2006/5/17/254 However, that fix added the flag near the bottom of a case statement, where an earlier break (in an if statement) could transport one out of the case, without setting the flag. This patch sets the flag earlier in the case statement. I re-discovered the deep recursion recently during testing; I was told that it was a known problem, and the fix to it was in the kernel I was testing. Indeed it was ... but it didn't fix the bug. With the patch below, I no longer see the bug. Signed-off by: Linas Vepstas <linas@austin.ibm.com> Signed-off-by: Jens Axboe <axboe@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-21start_kernel: test if irq's got enabled early, barf, and disable them againArd van Breemen
The calls made by parse_parms to other initialization code might enable interrupts again way too early. Having interrupts on this early can make systems PANIC when they initialize the IRQ controllers (which happens later in the code). This patch detects that irq's are enabled again, barfs about it and disables them again as a safety net. [akpm@osdl.org: cleanups] Signed-off-by: Ard van Breemen <ard@telegraafnet.nl> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-20[IrDA]: Correctly handling socket errorOlaf Kirch
This patch fixes an oops first reported in mid 2006 - see http://lkml.org/lkml/2006/8/29/358 The cause of this bug report is that when an error is signalled on the socket, irda_recvmsg_stream returns without removing a local wait_queue variable from the socket's sk_sleep queue. This causes havoc further down the road. In response to this problem, a patch was made that invoked sock_orphan on the socket when receiving a disconnect indication. This is not a good fix, as this sets sk_sleep to NULL, causing applications sleeping in recvmsg (and other places) to oops. Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com> Signed-off-by: Samuel Ortiz <samuel@sortiz.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-20hwmon/w83627ehf: Fix the fan5 clock divider writeJean Delvare
Users have been complaining about the w83627ehf driver flooding their logs with debug messages like: w83627ehf 9191-0a10: Increasing fan 4 clock divider from 64 to 128 or: w83627ehf 9191-0290: Increasing fan 4 clock divider from 4 to 8 The reason is that we failed to actually write the LSB of the encoded clock divider value for that fan, causing the next read to report the same old value again and again. Additionally, the fan number was improperly reported, making the bug harder to find. Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-20[NET]: Fix UDP checksum issue in net poll mode.Aubrey Li
In net poll mode, the current checksum function doesn't consider the kind of packet which is padded to reach a specific minimum length. I believe that's the problem causing my test case failed. The following patch fixed this issue. Signed-off-by: Aubrey Li <aubreylee@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-20[SPARC64]: Fix inline directive in pci_iommu.cTom Callaway
While building a test kernel for the new esp driver (against git-current), I hit this bug. Trivial fix, put the inline declaration in the right place. :) Signed-off-by: Tom Callaway <tcallawa@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-20[SPARC64]: Fix arg passing to compat_sys_ipc().David S. Miller
Do not sign extend args using the sys32_ipc stub, that is buggy and unnecessary. Based upon an excellent report by Mikael Pettersson. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-20[SPARC64]: Fix SBUS IOMMU allocation code.David S. Miller
There are several IOMMU allocator bugs. Instead of trying to fix this overly complicated code, just mirror the PCI IOMMU arena allocator which is very stable and well stress tested. I tried to make the code as identical as possible so we can switch sun4u PCI and SBUS over to a common piece of IOMMU code. All that will be need are two callbacks, one to do a full IOMMU flush and one to do a streaming buffer flush. This patch gets rid of a lot of hangs and mysterious crashes on SBUS sparc64 systems, at least for me. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-20[SCSI] QLOGICPTI: Do not unmap DMA unless we actually mapped something.David S. Miller
We only map DMA when cmd->request_bufflen is non-zero for non-sg buffers, we thus should make the same check when unmapping. Based upon a report from Pasi Pirhonen. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-15Linux 2.6.16.48v2.6.16.48Adrian Bunk
2007-04-13Linux 2.6.16.48-rc1Adrian Bunk
2007-04-13[NET_SCHED]: cls_tcindex: fix compatibility breakagePatrick McHardy
Userspace uses an integer for TCA_TCINDEX_SHIFT, the kernel was changed to expect and use a u16 value in 2.6.11, which broke compatibility on big endian machines. Change back to use int. Reported by Ole Reinartz <ole.reinartz@gmx.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13[IPSEC]: Reject packets within replay window but outside the bit maskHerbert Xu
Up until this point we've accepted replay window settings greater than 32 but our bit mask can only accomodate 32 packets. Thus any packet with a sequence number within the window but outside the bit mask would be accepted. This patch causes those packets to be rejected instead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13[TCP]: Do receiver-side SWS avoidance for rcvbuf < MSS.John Heffner
Signed-off-by: John Heffner <jheffner@psc.edu> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13[IPv6]: Fix incorrect length check in rawv6_sendmsg()YOSHIFUJI Hideaki
In article <20070329.142644.70222545.davem@davemloft.net> (at Thu, 29 Mar 2007 14:26:44 -0700 (PDT)), David Miller <davem@davemloft.net> says: > From: Sridhar Samudrala <sri@us.ibm.com> > Date: Thu, 29 Mar 2007 14:17:28 -0700 > > > The check for length in rawv6_sendmsg() is incorrect. > > As len is an unsigned int, (len < 0) will never be TRUE. > > I think checking for IPV6_MAXPLEN(65535) is better. > > > > Is it possible to send ipv6 jumbo packets using raw > > sockets? If so, we can remove this check. > > I don't see why such a limitation against jumbo would exist, > does anyone else? > > Thanks for catching this Sridhar. A good compiler should simply > fail to compile "if (x < 0)" when 'x' is an unsigned type, don't > you think :-) Dave, we use "int" for returning value, so we should fix this anyway, IMHO; we should not allow len > INT_MAX. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Acked-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13[NET_SCHED]: cls_basic: fix memory leak in basic_destroyPatrick McHardy
tp->root is not freed on destruction. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13V4L/DVB: Pluto2: fix incorrect TSCR register settingAndreas Oberritter
The ADEF bits in the TSCR register have different meanings in read and write mode. For this reason ADEF has to be reset on every read-modify-write operation. This patch introduces a special write function for this register, which takes care of it. Thanks to Holger Magnussen for pointing my nose at this problem. Signed-off-by: Andreas Oberritter <obi@linuxtv.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13V4L: saa7146: Fix allocation of clipping memoryOliver Endriss
Olaf Hering pointed out that SAA7146_CLIPPING_MEM would become very large for PAGE_SIZE > 4K. In fact, the number of clipping windows is limited to 16, and calculate_clipping_registers_rect() does not use more than 256 bytes. SAA7146_CLIPPING_MEM adjusted accordingly. (cherry picked from commit 7a7cd1920969dd9da4e0d99aab573b3eba24c799) Thanks-to: Olaf Hering <olaf@aepfle.de> Signed-off-by: Oliver Endriss <o.endriss@gmx.de> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13V4L: radio: Fix error in Kbuild fileTrent Piepho
All the radio drivers need video_dev, but they were depending on VIDEO_DEV!=n. That meant that one could try to compile the driver into the kernel when VIDEO_DEV=m, which will not work. If video_dev is a module, then the radio drivers must be modules too. (cherry picked from commit b10fece583fdfdb3d2f29b0da3896ec58b8fe122) Signed-off-by: Trent Piepho <xyzzy@speakeasy.org> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13V4L: tveeprom: autodetect LG TAPC G701D as tuner type 37Michael Krufky
Autodetect LG TAPC G701D as tuner type 37, fixing mis-detected tuners in some Hauppauge tv tuner cards. Thanks to Adonis Papas, for pointing this out. (cherry picked from commit 1323fbda1343f50f198bc8bd6d1d59c8b7fc45bf) Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13sky2: turn on clocks when doing resumeStephen Hemminger
Some of these chips are disabled until clock is enabled. This fixes: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404107 Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13sky2: turn carrier off when downStephen Hemminger
Driver needs to turn off carrier when down. Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13skge: turn carrier off when downStephen Hemminger
Driver needs to turn off carrier when down, otherwise it can confuse bonding and bridging and looks like carrier is on immediately when it is brought back up. Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13i386: fix file_read_actor() and pipe_read() for original i386 systemsThomas Gleixner
The __copy_to_user_inatomic() calls in file_read_actor() and pipe_read() are broken on original i386 machines, where WP-works-ok == false, as __copy_to_user_inatomic() on such systems calls functions which might sleep and/or contain cond_resched() calls inside of a kmap_atomic() region. The original check for WP-works-ok was in access_ok(), but got moved during the 2.5 series to fix a race vs. swap. Return the number of bytes to copy in the case where we are in an atomic region, so the non atomic code pathes in file_read_actor() and pipe_read() are taken. This could be optimized to avoid the kmap_atomicby moving the check for WP-works-ok into fault_in_pages_writeable(), but this is more intrusive and can be done later. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13r8169: issue request_irq after the private data are completely initializedFrancois Romieu
The irq handler schedules a NAPI poll request unconditionally as soon as the status register is not clean. It has been there - and wrong - for ages but a recent timing change made it apparently easier to trigger. Adrian Bunk: backported to 2.6.16 Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13r8169: fix suspend/resume for down interfaceFrancois Romieu
The PM hooks are no-op if the r8169 interface is down (i.e. !IFF_UP). However, as the chipset is enabled, the device will not work after a suspend/resume cycle. The patch always issue the required PCI suspend sequence and removes the module unload/reload workaround. Signed-off-by: Arnaud Patard <apatard@mandriva.com> Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13r8169: fix a race between PCI probe and dev_openFrancois Romieu
Initialize the timer with the rest of the private-struct. Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13USB: usbnet driver bugfixDavid Brownell
The attached fixes an oops in the usbnet driver. The same patch is in 2.6.21-rc1, but that one has many whitespace changes. This is much smaller. Signed-off-by: David Brownell <david-b@pacbell.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-13Linux 2.6.16.47v2.6.16.47Adrian Bunk
2007-04-10Linux 2.6.16.47-rc1v2.6.16.47-rc1Adrian Bunk
2007-04-10APPLETALK: Fix a remotely triggerable crash (CVE-2007-1357)Jean Delvare
When we receive an AppleTalk frame shorter than what its header says, we still attempt to verify its checksum, and trip on the BUG_ON() at the end of function atalk_sum_skb() because of the length mismatch. This has security implications because this can be triggered by simply sending a specially crafted ethernet frame to a target victim, effectively crashing that host. Thus this qualifies, I think, as a remote DoS. Here is the frame I used to trigger the crash, in npg format: <Appletalk Killer> { # Ethernet header ----- XX XX XX XX XX XX # Destination MAC 00 00 00 00 00 00 # Source MAC 00 1D # Length # LLC header ----- AA AA 03 08 00 07 80 9B # Appletalk # Appletalk header ----- 00 1B # Packet length (invalid) 00 01 # Fake checksum 00 00 00 00 # Destination and source networks 00 00 00 00 # Destination and source nodes and ports # Payload ----- 0C 0D 0E 0F 10 11 12 13 14 } The destination MAC address must be set to those of the victim. The severity is mitigated by two requirements: * The target host must have the appletalk kernel module loaded. I suspect this isn't so frequent. * AppleTalk frames are non-IP, thus I guess they can only travel on local networks. I am no network expert though, maybe it is possible to somehow encapsulate AppleTalk packets over IP. The bug has been reported back in June 2004: http://bugzilla.kernel.org/show_bug.cgi?id=2979 But it wasn't investigated, and was closed in July 2006 as both reporters had vanished meanwhile. This code was new in kernel 2.6.0-test5: http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2 And not modified since then, so we can assume that vanilla kernels 2.6.0-test5 and later, and distribution kernels based thereon, are affected. Note that I still do not know for sure what triggered the bug in the real-world cases. The frame could have been corrupted by the kernel if we have a bug hiding somewhere. But more likely, we are receiving the faulty frame from the network. Signed-off-by: Jean Delvare <jdelvare@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-09siimage: PIO1/2 taskfile transfer overclocking fixSergei Shtylyov
Fix two typos found by SiI680A documentation check. They caused the taskfile transfer overclocking: - in PIO mode 1 as 0x2283 must be used for both data and taskfile transfers; - in PIO mode 2 as data and taskfile timings are swapped when writing to the MMIO regs. Fix coding style and trailing whitespace in enclosing statements while at it... Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-09hrtimer: prevent overrun DoS in hrtimer_forward()Thomas Gleixner
hrtimer_forward() does not check for the possible overflow of timer->expires. This can happen on 64 bit machines with large interval values and results currently in an endless loop in the softirq because the expiry value becomes negative and therefor the timer is expired all the time. Check for this condition and set the expiry value to the max. expiry time in the future. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-09fix MTIME_SEC_MAX on 32-bitThomas Gleixner
The maximum seconds value we can handle on 32bit is LONG_MAX. Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-09prevent timespec/timeval to ktime_t overflowThomas Gleixner
Frank v. Waveren pointed out that on 64bit machines the timespec to ktime_t conversion might overflow. This is also true for timeval to time_t conversions. This breaks a "sleep inf" on 64bit machines. While a timespec/timeval with tx.sec = MAX_LONG is valid by specification the internal representation of ktime_t is based on nanoseconds. The conversion of seconds to nanoseconds overflows for seconds values >= (MAX_LONG / NSEC_PER_SEC). Check the seconds argument to the conversion and limit it to the maximum time which can be represented by ktime_t. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-08ieee1394: video1394: DMA fixDavid Moore
This together with the phys_to_virt fix in lib/swiotlb.c::swiotlb_sync_sg fixes video1394 DMA on machines with DMA bounce buffers, especially Intel x86-64 machines with > 3GB RAM. Signed-off-by: David Moore <dcm@acm.org> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-08Fix reparenting to the same thread group. (take 2)Eric W. Biederman
This patch fixes the case when we reparent to a different thread in the same thread group. This modifies the code so that we do not send signals and do not change the signal to send to SIGCHLD unless we have change the thread group of our parents. It also suppresses sending pdeath_sig in this cas as well since the result of geppid doesn't change. Thanks to Oleg for spotting my bug of only fixing this for non-ptraced tasks. This fixes the issues identified by Albert Cahalan in thread http://lkml.org/lkml/2006/12/21/22 Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
2007-04-08tcp: fix cubic scaling errorStephen Hemminger
Doug Leith observed a discrepancy between the version of CUBIC described in the papers and the version in 2.6.18. A math error related to scaling causes Cubic to grow too slowly. Patch is from "Sangtae Ha" <sha2@ncsu.edu>. I validated that it does fix the problems. See the following to show behavior over 500ms 100 Mbit link. Sender (2.6.19-rc3) --- Bridge (2.6.18-rt7) ------- Receiver (2.6.19-rc3) 1G [netem] 100M http://developer.osdl.org/shemminger/tcp/2.6.19-rc3/cubic-orig.png http://developer.osdl.org/shemminger/tcp/2.6.19-rc3/cubic-fix.png Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>