If SCTP receives a badly formatted HB-ACK chunk, it is possible
that we may access invalid memory and potentially have a buffer
overflow.  We should really make sure that the chunk format is
what we expect, before attempting to touch the data.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: NSridhar Samudrala <sri@us.ibm.com>

When performing bound checks during the parameter processing, we
want to use the real chunk and paramter lengths for bounds instead
of the rounded ones.  This prevents us from potentially walking of
the end if the chunk length was miscalculated.  We still use rounded
lengths when advancing the pointer. This was found during a
conformance test that changed the chunk length without modifying
parameters.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: NSridhar Samudrala <sri@us.ibm.com>

sctp_rcv().

The goal is to hold the ref on the association/endpoint throughout the
state-machine process.  We accomplish like this:

  /* ref on the assoc/ep is taken during lookup */

  if owned_by_user(sk)
 	sctp_add_backlog(skb, sk);
  else
 	inqueue_push(skb, sk);

  /* drop the ref on the assoc/ep */

However, in sctp_add_backlog() we take the ref on assoc/ep and hold it
while the skb is on the backlog queue.  This allows us to get rid of the
sock_hold/sock_put in the lookup routines.

Now sctp_backlog_rcv() needs to account for potential association move.
In the unlikely event that association moved, we need to retest if the
new socket is locked by user.  If we don't this, we may have two packets
racing up the stack toward the same socket and we can't deal with it.
If the new socket is still locked, we'll just add the skb to its backlog
continuing to hold the ref on the association.  This get's rid of the
need to move packets from one backlog to another and it also safe in
case new packets arrive on the same backlog queue.

The last step, is to lock the new socket when we are moving the
association to it.  This is needed in case any new packets arrive on
the association when it moved.  We want these to go to the backlog since
we would like to avoid the race between this new packet and a packet
that may be sitting on the backlog queue of the old socket toward the
same association.
Signed-off-by: NVladislav Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: NSridhar Samudrala <sri@us.ibm.com>

Also fix some other cases where sk_err is not set for 1-1 style sockets.
Signed-off-by: NSridhar Samudrala <sri@us.ibm.com>

flags is a u16, so use htons instead of htonl. Also avoid double
conversion.

Noticed by Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Solar Designer found a race condition in do_add_counters(). The beginning
of paddc is supposed to be the same as tmp which was sanity-checked
above, but it might not be the same in reality. In case the integer
overflow and/or the race condition are triggered, paddc->num_counters
might not match the allocation size for paddc. If the check below
(t->private->number != paddc->num_counters) nevertheless passes (perhaps
this requires the race condition to be triggered), IPT_ENTRY_ITERATE()
would read kernel memory beyond the allocation size, potentially causing
an oops or leaking sensitive data (e.g., passwords from host system or
from another VPS) via counter increments. This requires CAP_NET_ADMIN.
Signed-off-by: NSolar Designer <solar@openwall.com>
Signed-off-by: NKirill Korotaev <dev@openvz.org>
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

GRE keys are 16 bit.
Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The prefix argument for nf_log_packet is a format specifier,
so don't pass the user defined string directly to it.
Signed-off-by: NPhilip Craig <philipc@snapgear.com>
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The Coverity checker spotted that we may leak 'hold' in
net/ipv4/netfilter/ipt_recent.c::checkentry() when the following
is true:
  if (!curr_table->status_proc) {
    ...
    if(!curr_table) {
    ...
      return 0;  <-- here we leak.
Simply moving an existing vfree(hold); up a bit avoids the possible leak.
Signed-off-by: NJesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Re-enable posted writes for status FIFO.

Besides bringing back a very minor bandwidth tweak from Linux 2.6.15.x
and older, this also fixes an interoperability regression since 2.6.16:

   http://bugzilla.kernel.org/show_bug.cgi?id=6356
   (sbp2: scsi_add_device failed. IEEE1394 HD is not working anymore.)
Signed-off-by: NStefan Richter <stefanr@s5r6.in-berlin.de>
Tested-by: NVanei Heidemann <linux@javanei.com.br>
Tested-by: Martin Putzlocher <mputzi@gmx.de> (chip type unconfirmed)
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

In case the blacklist with workarounds for device bugs yields a false
positive, the module load parameter can now also be used as an override
instead of an addition to the blacklist.
Signed-off-by: NStefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Apple decided to copy some USB stupidity over to FireWire.

The sector number returned by iPods from read_capacity is one too many.
This may cause I/O errors, especially if the kernel is configured for EFI
partition support. We use the same workaround as usb-storage but have to
check for different model IDs.

	http://marc.theaimsgroup.com/?t=114233262300001
	https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187409

Acknowledgements:
  Diagnosis and therapy by Mathieu Chouquet-Stringer <ml2news@free.fr>,
  additional data about affected and unaffected Apple hardware from
  Vladimir Kotal, Sander De Graaf, Bryan Olmstead and Hugh Dixon.
Signed-off-by: NStefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

Grand unification of the three types of workarounds we have so far.

The "skip mode page 8" workaround is now limited to devices which
pretend to be of TYPE_DISK instead of TYPE_RBC. This workaround is no
longer enabled for Initio bridges.

Patch update in anticipation of more workarounds:
 - Add module parameter "workarounds".
 - Deprecate parameter "force_inquiry_hack".
 - Compose the blacklist of a compound type for better readability and
   extensibility.
 - Remove a now unused #define.
Signed-off-by: NStefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
  [TCP]: reno sacked_out count fix
  [IPV6]: Endian fix in net/ipv6/netfilter/ip6t_eui64.c:match().
  [TR]: Remove an unused export.
  [IPX]: Correct return type of ipx_map_frame_type().
  [IPX]: Correct argument type of ipxrtr_delete().
  [PKT_SCHED]: Potential jiffy wrap bug in dev_watchdog().

* git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/netdev-2.6:
  sky2: prevent dual port receiver problems
  x86_64: Check for bad dma address in b44 1GB DMA workaround
  The ixp2000 driver for the enp2611 was developed on a board with

* 'upstream-linus' of git://oss.oracle.com/home/sourcebo/git/ocfs2:
  configfs: Make sure configfs_init() is called before consumers.
  configfs: configfs_mkdir() failed to cleanup linkage.
  configfs: Fix a reference leak in configfs_mkdir().
  ocfs2: fix gfp mask in some file system paths
  ocfs2: Don't populate uptodate cache in ocfs2_force_read_journal()
  ocfs2: take meta data lock in ocfs2_file_aio_read()
  ocfs2: take data locks around extend

configfs_init() needs to be called first to register configfs before anyconsumers try to access it.  Move up configfs in fs/Makefile to make
sure it is initialized early.
Signed-off-by: NJoel Becker <joel.becker@oracle.com>
Signed-off-by: NMark Fasheh <mark.fasheh@oracle.com>

If configfs_mkdir() errored in certain ways after the parent<->child
linkage was already created, it would not undo the linkage.  Also,
comment the reference counting for clarity.
Signed-off-by: NJoel Becker <joel.becker@oracle.com>
Signed-off-by: NMark Fasheh <mark.fasheh@oracle.com>

configfs_mkdir() failed to release the working parent reference in most
exit paths.  Also changed the exit path for readability.
Signed-off-by: NJoel Becker <joel.becker@oracle.com>
Signed-off-by: NMark Fasheh <mark.fasheh@oracle.com>

We were using GFP_KERNEL in a handful of places which really wanted
GFP_NOFS. Fix this.
Signed-off-by: NSunil Mushran <sunil.mushran@oracle.com>
Signed-off-by: NMark Fasheh <mark.fasheh@oracle.com>

This greatly reduces the amount of memory useded during recovery.
Signed-off-by: NMark Fasheh <mark.fasheh@oracle.com>

Temporarily take the meta data lock in ocfs2_file_aio_read() to allow us to
update our inode fields.
Signed-off-by: NMark Fasheh <mark.fasheh@oracle.com>

We need to take a data lock around extends to protect the pages that
ocfs2_zero_extend is going to be pulling into the page cache. Otherwise an
extend on one node might populate the page cache with data pages that have
no lock coverage.
Signed-off-by: NMark Fasheh <mark.fasheh@oracle.com>

* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6:
  [IA64] one-line cleanup on set_irq_affinity_info
  [IA64] fix broken irq affinity
  [IA64] sn2 defconfig

Calls to set_irq_info in set_irq_affinity_info() is redundant because
irq_affinity mask was set just one line immediately above it.  Remove
that duplicate call.
Signed-off-by: NKen Chen <kenneth.w.chen@intel.com>
Signed-off-by: NTony Luck <tony.luck@intel.com>

When CONFIG_PCI_MSI is set, move_irq() is an empty function, causing
grief when sys admin tries to bind interrupt to CPU.
Signed-off-by: NKen Chen <kenneth.w.chen@intel.com>
Signed-off-by: NTony Luck <tony.luck@intel.com>

Set node shift to 10 on SN2 and disable mutex debugging.
Signed-off-by: NJes Sorensen <jes@sgi.com>
Signed-off-by: NTony Luck <tony.luck@intel.com>

From: "Angelo P. Castellani" <angelo.castellani+lkml@gmail.com>

Using NewReno, if a sk_buff is timed out and is accounted as lost_out,
it should also be removed from the sacked_out.

This is necessary because recovery using NewReno fast retransmit could
take up to a lot RTTs and the sk_buff RTO can expire without actually
being really lost.

left_out = sacked_out + lost_out
in_flight = packets_out - left_out + retrans_out

Using NewReno without this patch, on very large network losses,
left_out becames bigger than packets_out + retrans_out (!!).

For this reason unsigned integer in_flight overflows to 2^32 - something.
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This patch removes the unused EXPORT_SYMBOL(tr_source_route).

(Note, the usage in net/llc/llc_output.c can't be modular.)
Signed-off-by: NAdrian Bunk <bunk@stusta.de>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

* master.kernel.org:/pub/scm/linux/kernel/git/gregkh/spi-2.6:
  [PATCH] SPI: spi_bitbang: clocking fixes
  [PATCH] spi: Update to PXA2xx SPI Driver
  [PATCH] SPI: busnum == 0 needs to work
  [PATCH] SPI: devices can require LSB-first encodings
  [PATCH] SPI: Renamed bitbang_transfer_setup to spi_bitbang_setup_transfer and export it
  [PATCH] SPI: Add David as the SPI subsystem maintainer
  [PATCH] SPI: spi bounce buffer has a minimum length
  [PATCH] SPI: spi whitespace fixes
  [PATCH] SPI: add PXA2xx SSP SPI Driver
  [PATCH] SPI: per-transfer overrides for wordsize and clocking

Casting BE16 to int and back may or may not work. Correct, to be sure.
Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

* master.kernel.org:/home/rmk/linux-2.6-arm:
  [ARM] arch/arm/kernel/dma-isa.c: named initializers
  [ARM] 3527/1: MPCore Boot Lockup Fix
  [ARM] arch/arm/kernel/process.c: Fix warning
  [ARM] 3526/1: ioremap should use vunmap instead of vfree on ARM
  [ARM] 3524/1: ARM EABI: more 64-bit aligned stack fixes
  [ARM] 3517/1: move definition of PROC_INFO_SZ from procinfo.h to asm-offsets.h

* master.kernel.org:/home/rmk/linux-2.6-serial:
  [ARM] 3523/1: Serial core pm_state

A single caller passes __u32. Inside function "net" is compared with
__u32 (__be32 really, just wasn't annotated).
Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

There is a potential jiffy wraparound bug in the transmit watchdog
that is easily avoided by using time_after().
Signed-off-by: NStephen Hemminger <shemminger@osdl.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This fixes two problems triggered by the MMC stack updating clocks:

 - SPI masters driver should accept a max clock speed of zero; that's one
   convention for marking idle devices.  (Presumably that helps controllers
   that don't autogate clocks to "off" when not in use.)

 - There are more than 1000 nanoseconds per millisecond; setting the clock
   down to 125 KHz now works properly.

Showing once again that Zero (http://en.wikipedia.org/wiki/Zero) is still
an inexhaustible number of bugs.
Signed-off-by: NDavid Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Fix two outstanding issues with the pxa2xx_spi driver:

1) Bad cast in the function u32_writer. Thanks to Henrik Bechmann
2) Adds support for per transfer changes to speed and bits per word
Signed-off-by: NStephen Street <stephen@streetfiresound.com>
Cc: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

We need to be able to have a "SPI bus 0" matching chip numbering; but
that number was wrongly used to flag dynamic allocation of a bus number.

This patch resolves that issue; now negative numbers trigger dynamic alloc.

It also updates the how-to-write-a-controller-driver overview to mention
this stuff.
Signed-off-by: NDavid Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Add spi_device hook for LSB-first word encoding, and update all the
(in-tree) controller drivers to reject such devices.  Eventually,
some controller drivers will be updated to support lsb-first encodings
on the wire; no current drivers need this.
Signed-off-by: NDavid Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>