Commit Graph

14715 Commits

Author SHA1 Message Date
David Gibson
86e07ce71a [PATCH] Fix error handling with put_compat_statfs()
In fs/compat.c, whenever put_compat_statfs() returns an error, the
containing syscall returns -EFAULT.  This is presumably by analogy with the
non-compat case, where any non-zero code from copy_to_user() should be
translated into an EFAULT.  However, put_compat_statfs() is also return
-EOVERFLOW.  The same applies for put_compat_statfs64().

This bug can be observed with a statfs() on a hugetlbfs directory.
hugetlbfs, when mounted without limits reports available, free and total
blocks as -1 (itself a bug, another patch coming).  statfs() will
mysteriously return EFAULT although it's parameters are perfectly valid
addresses.

This patch causes the compat versions of statfs() and statfs64() to
correctly propogate the return values from put_compat_statfs() and
put_compat_statfs64().

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:43 -08:00
Hugh Dickins
f3d48f0373 [PATCH] unpaged: fix sound Bad page states
Earlier I unifdefed PageCompound, so that snd_pcm_mmap_control_nopage and
others can give out a 0-order component of a higher-order page, which won't
be mistakenly freed when zap_pte_range unmaps it.  But many Bad page states
reported a PG_reserved was freed after all: I had missed that we need to
say __GFP_COMP to get compound page behaviour.

Some of these higher-order pages are allocated by snd_malloc_pages, some by
snd_malloc_dev_pages; or if SBUS, by sbus_alloc_consistent - but that has
no gfp arg, so add __GFP_COMP into its sparc32/64 implementations.

I'm still rather puzzled that DRM seems not to need a similar change.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:43 -08:00
Hugh Dickins
0b0db14c53 [PATCH] unpaged: copy_page_range vma
For copy_one_pte's print_bad_pte to show the task correctly (instead of
"???"), dup_mmap must pass down parent vma rather than child vma.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:43 -08:00
Hugh Dickins
689bcebfda [PATCH] unpaged: PG_reserved bad_page
It used to be the case that PG_reserved pages were silently never freed, but
in 2.6.15-rc1 they may be freed with a "Bad page state" message.  We should
work through such cases as they appear, fixing the code; but for now it's
safer to issue the message without freeing the page, leaving PG_reserved set.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:42 -08:00
Hugh Dickins
f57e88a8d8 [PATCH] unpaged: ZERO_PAGE in VM_UNPAGED
It's strange enough to be looking out for anonymous pages in VM_UNPAGED areas,
let's not insert the ZERO_PAGE there - though whether it would matter will
depend on what we decide about ZERO_PAGE refcounting.

But whereas do_anonymous_page may (exceptionally) be called on a VM_UNPAGED
area, do_no_page should never be: just BUG_ON.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:42 -08:00
Hugh Dickins
ee498ed730 [PATCH] unpaged: anon in VM_UNPAGED
copy_one_pte needs to copy the anonymous COWed pages in a VM_UNPAGED area,
zap_pte_range needs to free them, do_wp_page needs to COW them: just like
ordinary pages, not like the unpaged.

But recognizing them is a little subtle: because PageReserved is no longer a
condition for remap_pfn_range, we can now mmap all of /dev/mem (whether the
distro permits, and whether it's advisable on this or that architecture, is
another matter).  So if we can see a PageAnon, it may not be ours to mess with
(or may be ours from elsewhere in the address space).  I suspect there's an
entertaining insoluble self-referential problem here, but the page_is_anon
function does a good practical job, and MAP_PRIVATE PROT_WRITE VM_UNPAGED will
always be an odd choice.

In updating the comment on page_address_in_vma, noticed a potential NULL
dereference, in a path we don't actually take, but fixed it.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:42 -08:00
Hugh Dickins
920fc356f5 [PATCH] unpaged: COW on VM_UNPAGED
Remove the BUG_ON(vma->vm_flags & VM_UNPAGED) from do_wp_page, and let it do
Copy-On-Write without touching the VM_UNPAGED's page counts - but this is
incomplete, because the anonymous page it inserts will itself need to be
handled, here and in other functions - next patch.

We still don't copy the page if the pfn is invalid, because the
copy_user_highpage interface does not allow it.  But that's not been a problem
in the past: can be added in later if the need arises.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:42 -08:00
Hugh Dickins
101d2be764 [PATCH] unpaged: VM_NONLINEAR VM_RESERVED
There's one peculiar use of VM_RESERVED which the previous patch left behind:
because VM_NONLINEAR's try_to_unmap_cluster uses vm_private_data as a swapout
cursor, but should never meet VM_RESERVED vmas, it was a way of extending
VM_NONLINEAR to VM_RESERVED vmas using vm_private_data for some other purpose.
 But that's an empty set - they don't have the populate function required.  So
just throw away those VM_RESERVED tests.

But one more interesting in rmap.c has to go too: try_to_unmap_one will want
to swap out an anonymous page from VM_RESERVED or VM_UNPAGED area.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:42 -08:00
Hugh Dickins
0b14c179a4 [PATCH] unpaged: VM_UNPAGED
Although we tend to associate VM_RESERVED with remap_pfn_range, quite a few
drivers set VM_RESERVED on areas which are then populated by nopage.  The
PageReserved removal in 2.6.15-rc1 changed VM_RESERVED not to free pages in
zap_pte_range, without changing those drivers not to set it: so their pages
just leak away.

Let's not change miscellaneous drivers now: introduce VM_UNPAGED at the core,
to flag the special areas where the ptes may have no struct page, or if they
have then it's not to be touched.  Replace most instances of VM_RESERVED in
core mm by VM_UNPAGED.  Force it on in remap_pfn_range, and the sparc and
sparc64 io_remap_pfn_range.

Revert addition of VM_RESERVED to powerpc vdso, it's not needed there.  Is it
needed anywhere?  It still governs the mm->reserved_vm statistic, and special
vmas not to be merged, and areas not to be core dumped; but could probably be
eliminated later (the drivers are probably specifying it because in 2.4 it
kept swapout off the vma, but in 2.6 we work from the LRU, which these pages
don't get on).

Use the VM_SHM slot for VM_UNPAGED, and define VM_SHM to 0: it serves no
purpose whatsoever, and should be removed from drivers when we clean up.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Acked-by: William Irwin <wli@holomorphy.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:42 -08:00
Hugh Dickins
664beed019 [PATCH] unpaged: unifdefed PageCompound
It looks like snd_xxx is not the only nopage to be using PageReserved as a way
of holding a high-order page together: which no longer works, but is masked by
our failure to free from VM_RESERVED areas.  We cannot fix that bug without
first substituting another way to hold the high-order page together, while
farming out the 0-order pages from within it.

That's just what PageCompound is designed for, but it's been kept under
CONFIG_HUGETLB_PAGE.  Remove the #ifdefs: which saves some space (out- of-line
put_page), doesn't slow down what most needs to be fast (already using
hugetlb), and unifies the way we handle high-order pages.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:42 -08:00
Hugh Dickins
1cdca61bf8 [PATCH] unpaged: sound nopage get_page
Something noticed when studying use of VM_RESERVED in different drivers:
snd_usX2Y_hwdep_pcm_vm_nopage omitted to get_page: fixed.

And how did this work before?  Aargh!  That nopage is returning a page from
within a buffer allocated by snd_malloc_pages, which allocates a high-order
page, then does SetPageReserved on each 0-order page within.

That would have worked in 2.6.14, because when the area was unmapped,
PageReserved inhibited put_page.  2.6.15-rc1 removed that inhibition (while
leaving ineffective PageReserveds around for now), but it hasn't caused
trouble because..  we've not been freeing from VM_RESERVED at all.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:42 -08:00
Hugh Dickins
83e9b7e929 [PATCH] unpaged: private write VM_RESERVED
The PageReserved removal in 2.6.15-rc1 issued a "deprecated" message when you
tried to mmap or mprotect MAP_PRIVATE PROT_WRITE a VM_RESERVED, and failed
with -EACCES: because do_wp_page lacks the refinement to COW pages in those
areas, nor do we expect to find anonymous pages in them; and it seemed just
bloat to add code for handling such a peculiar case.  But immediately it
caused vbetool and ddcprobe (using lrmi) to fail.

So revert the "deprecated" messages, letting mmap and mprotect succeed.  But
leave do_wp_page's BUG_ON(vma->vm_flags & VM_RESERVED) in place until we've
added the code to do it right: so this particular patch is only good if the
app doesn't really need to write to that private area.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:42 -08:00
Hugh Dickins
ed5297a940 [PATCH] unpaged: get_user_pages VM_RESERVED
The PageReserved removal in 2.6.15-rc1 prohibited get_user_pages on the areas
flagged VM_RESERVED in place of PageReserved.  That is correct in theory - we
ought not to interfere with struct pages in such a reserved area; but in
practice it broke BTTV for one.

So revert to prohibiting only on VM_IO: if someone gets into trouble with
get_user_pages on VM_RESERVED, it'll just be a "don't do that".

You can argue that videobuf_mmap_mapper shouldn't set VM_RESERVED in the first
place, but now's not the time for breaking drivers without notice.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:41 -08:00
Jeff Dike
aa1a64ee12 [PATCH] uml: eliminate use of libc PAGE_SIZE
On some systems, libc PAGE_SIZE calls getpagesize, which can't happen from a
stub.  So, I use UM_KERN_PAGE_SIZE, which is less variable in its definition,
instead.

Signed-off-by: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:41 -08:00
Jeff Dike
17d469715c [PATCH] uml: properly invoke x86_64 system calls
This patch makes stub_segv use the stub_syscall macros.  This was needed
anyway, but the bug that prompted this was the discovery that gcc was storing
stuff in RCX, which is trashed across a system call.  This is exactly the sort
of problem that the new macros fix.

There is a stub_syscall0 for getpid.  stub_segv was changed to be a libc file,
and that caused some include changes.

Signed-off-by: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:41 -08:00
Jeff Dike
e23181deec [PATCH] uml: eliminate anonymous union and clean up symlink lossage
This gives a name to the anonymous union introduced in skas-hold-own-ldt,
allowing to build on a wider range of gccs.

It also removes ldt.h, which somehow became real, and replaces it with a
symlink, and creates ldt-x86_64.h as a copy of ldt-i386.h for now.

Signed-off-by: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:41 -08:00
Jeff Dike
39d730ab87 [PATCH] uml: eliminate use of local in clone stub
We have a bug in the i386 stub_syscall6 which pushes ebp before the system
call and pops it afterwards.  Because we use syscall6 to remap the stack, the
old contents of the stack (and the former value of ebp) are no longer
available.  Some versions of gcc make from a real local, accessed through ebp,
despite my efforts to make it obvious that references to from are really
constants.  This patch attempts to make it even more obvious by eliminating
from and using a macro to access the stub's data explicitly with constants.

My original thinking on this was to replace syscall6 with a remap_stack
interface which saved ebp someplace and restored it afterwards.  The problem
is that there are no registers to put it in, except for esp.  That could work,
since we can store a constant in esp after the mmap because we just replaced
the stack.  However, this approach seems a tad cleaner.

Signed-off-by: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:41 -08:00
Richard Knutsson
18317ab0ca [PATCH] net: Fix compiler-error on dgrs.c when !CONFIG_PCI
drivers/net/dgrs.c: In function `dgrs_init_module':
drivers/net/dgrs.c:1598: `dgrs_pci_driver' undeclared (first use in this function)

Signed-off-by: Richard Knutsson <ricknu-0@student.ltu.se>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-22 09:13:41 -08:00
Linus Torvalds
989e4d6cbc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/scjody/ieee1394 2005-11-21 19:04:44 -08:00
Linus Torvalds
5ea8051a23 Merge master.kernel.org:/home/rmk/linux-2.6-serial 2005-11-21 19:00:43 -08:00
Linus Torvalds
66b5920f61 Merge master.kernel.org:/home/rmk/linux-2.6-arm 2005-11-21 19:00:05 -08:00
Linus Torvalds
49bd96c2ca Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6 2005-11-21 17:44:56 -08:00
Russ Anderson
ab2ff46a2d [IA64-SGI] bte_copy nasid_index fix
The nasid_index was not being incremented if the
pointer was null, causing an infinite loop.

Signed-off-by: Russ Anderson (rja@sgi.com)
Signed-off-by: Tony Luck <tony.luck@intel.com>
2005-11-21 14:19:36 -08:00
Jack Steiner
771388dc7d [IA64-SGI] support for older versions of PROM
Add support for old versions of the SN PROMs. Eventually this
support will be deleted but it is useful right now to continue
supporting older PROMs.

Signed-off-by: Jack Steiner <steiner@sgi.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
2005-11-21 14:17:28 -08:00
hawkes@sgi.com
090de0b77c [IA64] fix bug in sn/ia64 for sparse CPU numbering
The kernel's use of the for_each_*cpu(i) macros has allowed for sparse CPU
numbering.  When I hacked the kernel to test sparse cpu_present_map[] and
cpu_possible_map[] cpumasks, I discovered one remaining spot, in
sn_hwperf_ioctl() during sn initialization, that needs to be fixed.

Signed-off-by: John Hawkes <hawkes@sgi.com>
Signed-off-by: Dean Roe <roe@sgi.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
2005-11-21 14:15:42 -08:00
Prarit Bhargava
9ad4f924ec [IA64] Prevent sn2 ptc code from executing on all ia64 subarches
Patch to prevent sn2_ptc_init code from attempting to load on non-sn2 systems
when sn2_smp.c is built-in to generic kernel.

Signed-off-by: Prarit Bhargava <prarit@sgi.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
2005-11-21 14:13:31 -08:00
Jens Axboe
8ad9ebb391 [PATCH] as-iosched: remove state assertion in as_add_request()
Kill the arq->state poison statement in as_add_request(), it can trigger
for perfectly valid code that just reuses a request after io completion
instead of freeing it and allocating a new one. We probably should
introduce a blk_init_request() to start from scratch, but for now just
kill it as we will be removing the as specific poisoning soon.

Signed-off-by: Jens Axboe <axboe@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-21 11:04:52 -08:00
Linus Torvalds
f9e6bfa141 Merge master.kernel.org:/pub/scm/linux/kernel/git/davej/agpgart 2005-11-21 10:56:30 -08:00
Linus Torvalds
1a324727ca Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2005-11-21 10:46:34 -08:00
Russell King
c889b89619 [SERIAL] imx: Fix missed platform_driver_unregister
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2005-11-21 17:05:21 +00:00
Russell King
9b73fcf85f [ARM] Shut up gcc warning in clps7500 core.c
core.c:263: warning: initialization makes integer from pointer without a cast

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2005-11-21 17:03:15 +00:00
Russell King
2f3eca8b4f [ARM] Shut up gcc warning in assabet.c
assabet.c:291: warning: 'scr' may be used uninitialized in this function

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2005-11-21 17:01:13 +00:00
Russell King
30a09616df [ARM] ebsa110: __arch_ioremap should be 3 args
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2005-11-21 15:26:52 +00:00
Russell King
5aaf291056 [ARM] Add asm/memory.h to asm/numnodes.h
Since the defintion of NODES_SHIFT may be overridden in asm/arch/memory.h
it's important to include asm/memory.h into asm/numnodes.h to ensure
that the correct value is always defined.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2005-11-21 15:26:18 +00:00
Kenneth Tan
19f07be3b8 [ARM] 3171/1: To add missing QMGR region size for IXP4XX
Patch from Kenneth Tan

To add queue manager region size which is missing from ixp4xx-regs.h

Signed-off-by: Kenneth Tan <chong.yin.tan@intel.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2005-11-21 15:17:07 +00:00
Dirk Opfer
067c90481a [ARM] 3170/1: Sharp SL-6000x: platform device conversion fixup
Patch from Dirk Opfer

Fix an error in tosa.c after the platform device conversion.

Signed-off-by: Dirk Opfer <Dirk@Opfer-Online.de>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2005-11-21 15:17:06 +00:00
Dave Jones
e7e37ee9c5 Merge ../linus/ 2005-11-21 06:56:52 -08:00
Dave Jones
c243f1f1f6 [AGPGART] Support VIA P4M800CE bridge.
Signed-off-by: Dave Jones <davej@redhat.com>
2005-11-21 06:53:16 -08:00
Randy Dunlap
461ddf3b90 [NET]: kernel-doc fixes
Fix kernel-doc warnings in network files.

Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-11-20 21:25:15 -08:00
Patrick McHardy
b84f4cc977 [NET]: Use unused bit for ipvs_property field in struct sk_buff
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-11-20 21:19:21 -08:00
Patrick McHardy
a516b04950 [DCCP]: Add missing no_policy flag to struct net_protocol
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-11-20 21:16:13 -08:00
Nicolas Kaiser
bd4cfb594b [NETFILTER]: Remove ARRAY_SIZE duplicate
Signed-off-by: Nicolas Kaiser <nikai@nikai.net>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-11-20 21:11:31 -08:00
Yasuyuki Kozakai
2b8f2ff6f4 [NETFILTER]: fixed dependencies between modules related with ip_conntrack
- IP_NF_CONNTRACK_MARK is bool and depends on only IP_NF_CONNTRACK
  which is tristate. If a variable depends on IP_NF_CONNTRACK_MARK and
  doesn't care about IP_NF_CONNTRACK, it can be y. This must be avoided.
- IP_NF_CT_ACCT has same problem.
- IP_NF_TARGET_CLUSTERIP also depends on IP_NF_MANGLE.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-11-20 21:09:55 -08:00
Patrick McHardy
c9e53cbe7a [FIB_TRIE]: Don't show local table in /proc/net/route output
Don't show local table to behave similar to fib_hash.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-11-20 21:09:00 -08:00
David S. Miller
1ef43204f4 Merge git://git.skbuff.net/gitroot/yoshfuji/linux-2.6.14+advapi-fix/ 2005-11-20 20:52:16 -08:00
Dmitry Torokhov
db93a82fa9 [PATCH] Fix an OOPS is CinergyT2
Fix an OOPS is CinergyT2 driver when registering IR remote

Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-20 14:06:28 -08:00
Yan Zheng
5d5780df23 [IPV6]: Acquire addrconf_hash_lock for read in addrconf_verify(...)
addrconf_verify(...) only traverse address hash table when
addrconf_hash_lock is held for writing, and it may hold
addrconf_hash_lock for a long time. So I think it's better to acquire
addrconf_hash_lock for reading instead of writing

Signed-off-by: Yan Zheng <yanzheng@21cn.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-11-20 13:42:20 -08:00
Alexandra Kossovsky
4909724b5d [COMPAT] net: SIOCGIFCONF data corruption
From: Alexandra Kossovsky <Alexandra.Kossovsky@oktetlabs.ru>

From http://bugzilla.kernel.org/show_bug.cgi?id=4746

There is user data corruption when using ioctl(SIOCGIFCONF) in 32-bit
application running amd64 kernel. I do not think that this problem is
exploitable, but any data corruption may lead to security problems.
Following code demonstrates the problem

#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <net/if.h>
#include <sys/ioctl.h>

char buf[256];

main()
{
	int s = socket(AF_INET, SOCK_DGRAM, 0);
	struct ifconf req;
	int i;

	req.ifc_buf = buf;
	req.ifc_len = 41;

	printf("Result %d\n", ioctl(s, SIOCGIFCONF, &req));
	printf("Len %d\n", req.ifc_len);
	for (i = 41; i < 256; i++)
		if (buf[i] != 0)
			printf("Byte %d is corrupted\n", i);
}
	
Steps to reproduce:
Compile the code above into 32-bit elf and run it. You'll get
Result 0
Len 32
Byte 48 is corrupted
Byte 52 is corrupted
Byte 53 is corrupted
Byte 54 is corrupted
Byte 55 is corrupted

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-11-20 13:41:59 -08:00
Kris Katterjohn
fb0d366b08 [NET]: Reject socket filter if division by constant zero is attempted.
This way we don't have to check it in sk_run_filter().

Signed-off-by: Kris Katterjohn <kjak@users.sourceforge.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-11-20 13:41:34 -08:00
Andrea Bittau
aa8751667d [PKT_SCHED]: sch_netem: correctly order packets to be sent simultaneously
If two packets were queued to be sent at the same time in the future,
their order would be reversed.  This would occur because the queue is
traversed back to front, and a position is found by checking whether
the new packet needs to be sent before the packet being examined.  If
the new packet is to be sent at the same time of a previous packet, it
would end up before the old packet in the queue.  This patch places
packets in the correct order when they are queued to be sent at a same
time in the future.

Signed-off-by: Andrea Bittau <a.bittau@cs.ucl.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-11-20 13:41:05 -08:00