As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on extension header matches.
When extension headers occur in the non-first fragment after the fragment
header (possibly with an incorrect nexthdr value in the fragment header)
a rule looking for this extension header will never match.
Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.
Since all extension headers are before the protocol header this makes sure
an extension header is either not present or in the first fragment, where
we can properly parse it.
With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on protocol matches.
When the protocol header doesn't follow the fragment header immediately,
the fragment header contains the protocol number of the next extension
header. When the extension header and the protocol header are sent in
a second fragment a rule like "ip6tables .. -p udp -j DROP" will never
match.
Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.
With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
xfrm_state_num needs to be increased for XFRM_STATE_ACQ states created
by xfrm_state_find() to prevent the counter from going negative when
the state is destroyed.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
memcpy 4 bytes to address of auto unsigned long variable followed
by comparison with u32 is a bloody bad idea.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
In commit 4e8a520150 ("[PKT_SCHED] netem:
Orphan SKB when adding to queue.") Davem mistakenly also included a
temporary diff in his tree that disabled the pci_fixup_video VGA quirk,
which broke sparc64.
This reverts that part of the commit. Sayeth Davem:
"Greg KH has a patch coming to you soon which will move that VGA code
back into x86/x86_64/IA64 specific areas and will fix the sparc64
problem properly."
Special thanks to Claudio Martins <ctpm@ist.utl.pt> for noticing the
error in the first place.
Cc: Claudio Martins <ctpm@ist.utl.pt>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Eliminate more __must_check madness.
The return code from device_for_each_child() depends on the values
which the helper function returns. If the helper function always
returns zero, it's utterly pointless to check the return code from
device_for_each_child().
The only code which knows if the return value should be checked is
the caller itself, so forcing the return code to always be checked
is silly. Hence, remove the __must_check annotation.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/perex/alsa:
[ALSA] hda-intel - Add check of MSI availabity
[ALSA] version 1.0.13
[ALSA] Fix addition of user-defined boolean controls
[ALSA] Fix AC97 power-saving mode
[ALSA] Fix re-use of va_list
[ALSA] hda_intel: add ATI RS690 HDMI audio support
[ALSA] hda-codec - Add model entry for ASUS U5F laptop
[ALSA] Fix dependency of snd-adlib driver in Kconfig
[ALSA] Various fixes for suspend/resume of ALSA PCI drivers
[ALSA] hda-codec - Fix assignment of PCM devices for Realtek codecs
[ALSA] sound/isa/opti9xx/opti92x-ad1848.c: check kmalloc() return value
[ALSA] sound/isa/ad1816a/ad1816a.c: check kmalloc() return value
[ALSA] sound/isa/cmi8330.c: check kmalloc() return value
[ALSA] sound/isa/gus/interwave.c: check kmalloc() return value
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
[PKT_SCHED] netem: Orphan SKB when adding to queue.
[NET]: kernel-doc fix for sock.h
[NET]: Reduce sizeof(struct flowi) by 20 bytes.
[IPv6] fib: initialize tb6_lock in common place to give lockdep a key
[ATM] nicstar: Fix a bogus casting warning
[ATM] firestream: handle thrown error
[ATM]: No need to return void
[ATM]: handle sysfs errors
[DCCP] ipv6: Fix opt_skb leak.
[DCCP]: Fix Oops in DCCPv6
Check the availability of MSI and turn off MSI automatically when it's
not available on the hardware. MSI seems broken on some hardwares
but the kernel doesn't know exactly, thus we have to turn the MSI
feature off on the sound driver manually.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Otherwise we get a ton of unaligned exceptions, for cases such
as compat_sys_msgrcv() which go:
p = compat_alloc_user_space(second + sizeof(struct msgbuf));
and here 'second' can for example be an arbitrary odd value.
Based upon a bug report from Jurij Smakov.
Signed-off-by: David S. Miller <davem@davemloft.net>
The networking emulator can queue SKBs for a very long
time, so if you're using netem on the sender side for
large bandwidth/delay product testing, the SKB socket
send queue sizes become artificially larger.
Correct this by calling skb_orphan() in netem_enqueue().
Signed-off-by: David S. Miller <davem@davemloft.net>
Fix kernel-doc warning in include/net/sock.h:
Warning(/var/linsrc/linux-2619-rc1-pv//include/net/sock.h:894): No description found for parameter 'rcu'
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fixed the addition of user-defined boolean controls, the private
data size is corrected to be handled properly.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Fix the bug in AC97 power-saving mode that the power isn't turned on
when power_save is set to 1 via sysfs during the power off state.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
The va_list is designed to be used only once. The current code
may pass va_list arguments multiple times and may cause Oops.
Copy/release the arguments temporarily to avoid this problem.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
This patch adds support for the HDMI codec of the ATI RS690 IGP northbridge.
Signed-off-by: Felix Kuehling <fkuehlin@ati.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Added the missing dependency on CONFIG_SND for snd-adlib driver.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
- Check the return value of pci_enable_device() and request_irq()
in the suspend. If any error occurs there, disable the device
using snd_card_disconnect().
- Call pci_set_power_state() properly with pci_choose_state().
- Fix the order to call pci_set_power_state().
- Removed obsolete house-made PM codes in some drivers.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Fixed the assignment of PCM devices for Realtek codecs.
The secondary analog capture should be statically asigned to the
third device regardless whether SPDIF exists or not.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Check the return value of kmalloc() in function snd_card_opti9xx_pnp(),
in file sound/isa/opti9xx/opti92x-ad1848.c.
Signed-off-by: Amit Choudhary <amit2030@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Check the return value of kmalloc() in function snd_card_ad1816a_pnp(),
in file sound/isa/ad1816a/ad1816a.c.
Signed-off-by: Amit Choudhary <amit2030@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Check the return value of kmalloc() in function snd_cmi8330_pnp(),
in file sound/isa/cmi8330.c.
Signed-off-by: Amit Choudhary <amit2030@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Check the return value of kmalloc() in function snd_interwave_pnp(),
in file sound/isa/gus/interwave.c.
Signed-off-by: Amit Choudhary <amit2030@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
As suggested by David, just kill off some unused fields in dnports to
reduce sizef(struct flowi). If they come back, they should be moved to
nl_u.dn_u in order not to enlarge again struct flowi
[ Modified to really delete this stuff instead of using #if 0. -DaveM ]
Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Not enough to make Nicstar 64bit friendly but got squashed in passing so might
as well be applied
Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
gcc emits the following warning:
drivers/atm/firestream.c: In function ‘fs_open’:
drivers/atm/firestream.c:870: warning: ‘tmc0’ may be used uninitialized in this function
This indicates a real bug. We should check make_rate() return value for
potential errors.
Signed-off-by: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
The module_exit function has return-type void and pci_unregister_driver()
returns void anyway.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Based upon a patch from Jesper Juhl. Try to match the
TCP IPv6 code this was copied from as much as possible,
so that it's easy to see where to add the ipv6 pktoptions
support code.
Signed-off-by: David S. Miller <davem@davemloft.net>
I think I got the cause for the Oops observed in
http://www.mail-archive.com/dccp@vger.kernel.org/msg00578.html
The problem is always with applications listening on PF_INET6 sockets. Apart
from the mentioned oops, I observed another one one, triggered at irregular
intervals via timer interrupt:
run_timer_softirq -> dccp_keepalive_timer
-> inet_csk_reqsk_queue_prune
-> reqsk_free
-> dccp_v6_reqsk_destructor
The latter function is the problem and is also the last function to be called
in said kernel panic.
In any case, there is a real problem with allocating the right request_sock
which is what this patch tackles.
It fixes the following problem:
- application listens on PF_INET6
- DCCPv4 packet comes in, is handed over to dccp_v4_do_rcv, from there
to dccp_v4_conn_request
Now: socket is PF_INET6, packet is IPv4. The following code then furnishes the
connection with IPv6 - request_sock operations:
req = reqsk_alloc(sk->sk_prot->rsk_prot);
The first problem is that all further incoming packets will get a Reset since
the connection can not be looked up.
The second problem is worse:
--> reqsk_alloc is called instead of inet6_reqsk_alloc
--> consequently inet6_rsk_offset is never set (dangling pointer)
--> the request_sock_ops are nevertheless still dccp6_request_ops
--> destructor is called via reqsk_free
--> dccp_v6_reqsk_destructor tries to free random memory location (inet6_rsk_offset not set)
--> panic
I have tested this for a while, DCCP sockets are now handled correctly in all
three scenarios (v4/v6 only/v4-mapped).
Commiter note: I've added the dccp_request_sock_ops forward declaration to keep
the tree building and to reduce the size of the patch for 2.6.19,
later I'll move the functions to the top of the affected source
code to match what we have in the TCP counterpart, where this
problem hasn't existed in the first place, dumb me not to have
done the same thing on DCCP land 8)
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
This patch increases the timeout for PCI split transactions on PHB1 on
the first Calgary to work around an issue with the aic94xx
adapter. Fixes kernel.org bugzilla #7180
(http://bugzilla.kernel.org/show_bug.cgi?id=7180)
Based on excellent debugging and a patch by Darrick J. Wong
<djwong@us.ibm.com>
Signed-off-by: Muli Ben-Yehuda <muli@il.ibm.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Andi Kleen <ak@suse.de>
Acked-by: Darrick J. Wong <djwong@us.ibm.com>
There was a typo in the C3 latency test to decide of the TSC
should be used or not. It used the C2 latency threshold, not the
C3 one. Fix that.
This should fix the time on various dual core laptops.
Signed-off-by: Andi Kleen <ak@suse.de>
The current implementation uses a sequence of a cacheflush and a copy.
This is racy in case of a multithreaded debuggee and renders GDB
virtually unusable.
Aside this fixes a performance hog rendering access to /proc/cmdline very
slow and resulting in a enough cache stalls for the 34K AP/SP programming
model to make the bare metal code on the non-Linux VPE miss RT deadlines.
The main part of this patch was originally written by Ralf Baechle;
Atushi Nemoto did the the debugging.
Signed-off-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev:
[PATCH] libata-sff: Allow for wacky systems
[PATCH] ahci: readability tweak
[PATCH] libata: typo fix
[PATCH] ATA must depend on BLOCK
[PATCH] libata: use correct map_db values for ICH8
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6: (22 commits)
[PATCH] ibmveth: Fix index increment calculation
[PATCH] Fix timer race
[PATCH] Remove useless comment from sb1250
[PATCH] ucc_geth: changes to ucc_geth driver as a result of qe_lib changes and bugfixes
[PATCH] sky2: 88E803X transmit lockup
[PATCH] e1000: Reset all functions after a PCI error
[PATCH] WAN/pc300: handle, propagate minor errors
[PATCH] Update smc91x driver with ARM Versatile board info
[PATCH] wireless: WE-20 compatibility for ESSID and NICKN ioctls
[PATCH] zd1211rw: fix build-break caused by association race fix
[PATCH] sotftmac: fix a slab corruption in WEP restricted key association
[PATCH] airo: check if need to freeze
[PATCH] wireless: More WE-21 potential overflows...
[PATCH] zd1201: Possible NULL dereference
[PATCH] orinoco: fix WE-21 buffer overflow
[PATCH] airo.c: check returned values
[PATCH] bcm43xx-softmac: Fix system hang for x86-64 with >1GB RAM
[PATCH] bcm43xx-softmac: check returned value from pci_enable_device
[PATCH] softmac: Fix WX and association related races
[PATCH] bcm43xx: fix race condition in periodic work handler
...
* 'for-linus' of git://one.firstfloor.org/home/andi/git/linux-2.6:
[PATCH] x86-64: Revert timer routing behaviour back to 2.6.16 state
[PATCH] x86-64: Overlapping program headers in physical addr space fix
[PATCH] x86-64: Put more than one cpu in TARGET_CPUS
[PATCH] x86: Revert new unwind kernel stack termination
[PATCH] x86-64: Use irq_domain in ioapic_retrigger_irq
[PATCH] i386: Disable nmi watchdog on all ThinkPads
[PATCH] x86-64: Revert interrupt backlink changes
[PATCH] x86-64: Fix ENOSYS in system call tracing
[PATCH] i386: Fix fake return address
[PATCH] x86-64: x86_64 add NX mask for PTE entry
[PATCH] x86-64: Speed up dwarf2 unwinder
[PATCH] x86: Use -maccumulate-outgoing-args
[PATCH] x86-64: fix page align in e820 allocator
[PATCH] x86-64: Fix for arch/x86_64/pci/Makefile CFLAGS
[PATCH] i386: fix .cfi_signal_frame copy-n-paste error
[PATCH] x86-64: typo in __assign_irq_vector when updating pos for vector and offset
[PATCH] x86-64: x86_64 hot-add memory srat.c fix
[PATCH] i386: Update defconfig
[PATCH] x86-64: Update defconfig
If someone has renamed a directory on the server, triggering the d_move
code in d_materialise_unique(), then we need to invalidate the cached
directory information in the source parent directory.
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Maneesh Soni <maneesh@in.ibm.com>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Cc: Neil Brown <neilb@cse.unsw.edu.au>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
If the caller tries to instantiate a directory using an inode that already
has a dentry alias, then we attempt to rename the existing dentry instead
of instantiating a new one. Fail with an ELOOP error if the rename would
affect one of our parent directories.
This behaviour is needed in order to avoid issues such as
http://bugzilla.kernel.org/show_bug.cgi?id=7178
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Maneesh Soni <maneesh@in.ibm.com>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Cc: Neil Brown <neilb@cse.unsw.edu.au>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>