1. 05 6月, 2009 28 次提交
  2. 03 6月, 2009 6 次提交
  3. 02 6月, 2009 6 次提交
    • M
      net_cls: fix unconfigured struct tcf_proto keeps chaining and avoid kernel... · 12186be7
      Minoru Usui 提交于
      net_cls: fix unconfigured struct tcf_proto keeps chaining and avoid kernel panic when we use cls_cgroup
      
      This patch fixes a bug which unconfigured struct tcf_proto keeps
      chaining in tc_ctl_tfilter(), and avoids kernel panic in
      cls_cgroup_classify() when we use cls_cgroup.
      
      When we execute 'tc filter add', tcf_proto is allocated, initialized
      by classifier's init(), and chained.  After it's chained,
      tc_ctl_tfilter() calls classifier's change().  When classifier's
      change() fails, tc_ctl_tfilter() does not free and keeps tcf_proto.
      
      In addition, cls_cgroup is initialized in change() not in init().  It
      accesses unconfigured struct tcf_proto which is chained before
      change(), then hits Oops.
      Signed-off-by: NMinoru Usui <usui@mxm.nes.nec.co.jp>
      Signed-off-by: NJarek Poplawski <jarkao2@gmail.com>
      Signed-off-by: NJamal Hadi Salim <hadi@cyberus.ca>
      Tested-by: NMinoru Usui <usui@mxm.nes.nec.co.jp>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      12186be7
    • N
      e1000: add missing length check to e1000 receive routine · ea30e119
      Neil Horman 提交于
      	Patch to fix bad length checking in e1000.  E1000 by default does two
      things:
      
      1) Spans rx descriptors for packets that don't fit into 1 skb on recieve
      2) Strips the crc from a frame by subtracting 4 bytes from the length prior to
      doing an skb_put
      
      Since the e1000 driver isn't written to support receiving packets that span
      multiple rx buffers, it checks the End of Packet bit of every frame, and
      discards it if its not set.  This places us in a situation where, if we have a
      spanning packet, the first part is discarded, but the second part is not (since
      it is the end of packet, and it passes the EOP bit test).  If the second part of
      the frame is small (4 bytes or less), we subtract 4 from it to remove its crc,
      underflow the length, and wind up in skb_over_panic, when we try to skb_put a
      huge number of bytes into the skb.  This amounts to a remote DOS attack through
      careful selection of frame size in relation to interface MTU.  The fix for this
      is already in the e1000e driver, as well as the e1000 sourceforge driver, but no
      one ever pushed it to e1000.  This is lifted straight from e1000e, and prevents
      small frames from causing the underflow described above
      Signed-off-by: NNeil Horman <nhorman@tuxdriver.com>
      Tested-by: NAndy Gospodarek <andy@greyhouse.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ea30e119
    • E
      forcedeth: add phy_power_down parameter, leave phy powered up by default (v2) · 5a9a8e32
      Ed Swierk 提交于
      Add a phy_power_down parameter to forcedeth: set to 1 to power down the
      phy and disable the link when an interface goes down; set to 0 to always
      leave the phy powered up.
      
      The phy power state persists across reboots; Windows, some BIOSes, and
      older versions of Linux don't bother to power up the phy again, forcing
      users to remove all power to get the interface working (see
      http://bugzilla.kernel.org/show_bug.cgi?id=13072).  Leaving the phy
      powered on is the safest default behavior.  Users accustomed to seeing
      the link state reflect the interface state and/or wanting to minimize
      power consumption can set phy_power_down=1 if compatibility with other
      OSes is not an issue.
      Signed-off-by: NEd Swierk <eswierk@aristanetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5a9a8e32
    • F
      xfs: prevent deadlock in xfs_qm_shake() · 1b17d766
      Felix Blyakher 提交于
      It's possible to recurse into filesystem from the memory
      allocation, which deadlocks in xfs_qm_shake(). Add check
      for __GFP_FS, and bail out if it is not set.
      Signed-off-by: NFelix Blyakher <felixb@sgi.com>
      Signed-off-by: NHedi Berriche <hedi@sgi.com>
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      Reviewed-by: NAndi Kleen <ak@linux.intel.com>
      Signed-off-by: NFelix Blyakher <felixb@sgi.com>
      1b17d766
    • E
      xfs: fix overflow in xfs_growfs_data_private · e6da7c9f
      Eric Sandeen 提交于
      In the case where growing a filesystem would leave the last AG
      too small, the fixup code has an overflow in the calculation
      of the new size with one fewer ag, because "nagcount" is a 32
      bit number.  If the new filesystem has > 2^32 blocks in it
      this causes a problem resulting in an EINVAL return from growfs:
      
       # xfs_io -f -c "truncate 19998630180864" fsfile
       # mkfs.xfs -f -bsize=4096 -dagsize=76288719b,size=3905982455b fsfile
       # mount -o loop fsfile /mnt
       # xfs_growfs /mnt
      
      meta-data=/dev/loop0             isize=256    agcount=52,
      agsize=76288719 blks
               =                       sectsz=512   attr=2
      data     =                       bsize=4096   blocks=3905982455, imaxpct=5
               =                       sunit=0      swidth=0 blks
      naming   =version 2              bsize=4096   ascii-ci=0
      log      =internal               bsize=4096   blocks=32768, version=2
               =                       sectsz=512   sunit=0 blks, lazy-count=0
      realtime =none                   extsz=4096   blocks=0, rtextents=0
      xfs_growfs: XFS_IOC_FSGROWFSDATA xfsctl failed: Invalid argument
      
      Reported-by: richard.ems@cape-horn-eng.com
      Signed-off-by: NEric Sandeen <sandeen@sandeen.net>
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      Reviewed-by: NFelix Blyakher <felixb@sgi.com>
      Signed-off-by: NFelix Blyakher <felixb@sgi.com>
      e6da7c9f
    • F
      xfs: fix double unlock in xfs_swap_extents() · 1f23920d
      Felix Blyakher 提交于
      Regreesion from commit ef8f7fc5, which rearranged the code in
      xfs_swap_extents() leading to double unlock of xfs inode ilock.
      That resulted in xfs_fsr deadlocking itself on platforms, which
      don't handle double unlock of rw_semaphore nicely. It caused the
      count go negative, which represents the write holder, without
      really having one. ia64 is one of the platforms where deadlock
      was easily reproduced and the fix was tested.
      Signed-off-by: NEric Sandeen <sandeen@sandeen.net>
      Reviewed-by: NEric Sandeen <sandeen@sandeen.net>
      Signed-off-by: NFelix Blyakher <felixb@sgi.com>
      1f23920d