Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=linux-2.6.16.y 2008-01-21T00:14:18+00:00 2008-01-21T00:14:18+00:00 Al Viro viro@zeniv.linux.org.uk 2008-01-20T18:41:26+00:00 urn:sha1:b7894b17ce3e6bac25b827ea33ff16c476d4b992 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Adrian Bunk <bunk@kernel.org> 2007-10-18T15:56:27+00:00 Ilpo Järvinen ilpo.jarvinen@helsinki.fi 2007-10-18T15:56:27+00:00 urn:sha1:c94861ff9759f5f73b49fb4f0fe0c000b82c703a Overflow can occur very easily with 32 bits, e.g., with 1 second us_idle is approx. 2^20, which leaves only 11-Wlog bits for queue length. Since the EWMA exponent is typically around 9, queue lengths larger than 2^2 cause overflow. Whether the affected branch is taken when us_idle is as high as 1 second, depends on Scell_log, but with rather reasonable configuration Scell_log is large enough to cause p->Stab to have zero index, which always results zero shift (typically also few other small indices result in zero shift). Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: Adrian Bunk <bunk@kernel.org> 2007-04-03T02:03:55+00:00 Patrick McHardy kaber@trash.net 2007-04-03T02:03:55+00:00 urn:sha1:5f4a9d1b7a413d6aac382c51692ac0df785068c5 The input_device pointer is not refcounted, which means the device may disappear while packets are queued, causing a crash when ifb passes packets with a stale skb->dev pointer to netif_rx(). Fix by storing the interface index instead and do a lookup where neccessary. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2007-03-28T19:31:36+00:00 Patrick McHardy kaber@trash.net 2007-03-28T19:31:36+00:00 urn:sha1:39740872332b2dd28b479d9d8333c42c32465953 There are multiple problems related to qlen adjustment that can lead to an upper qdisc getting out of sync with the real number of packets queued, leading to endless dequeueing attempts by the upper layer code. All qdiscs must maintain an accurate q.qlen counter. There are basically two groups of operations affecting the qlen: operations that propagate down the tree (enqueue, dequeue, requeue, drop, reset) beginning at the root qdisc and operations only affecting a subtree or single qdisc (change, graft, delete class). Since qlen changes during operations from the second group don't propagate to ancestor qdiscs, their qlen values become desynchronized. This patch adds a function to propagate qlen changes up the qdisc tree, optionally calling a callback function to perform qdisc-internal maintenance when the child qdisc is deactivated, and converts all qdiscs to use this where necessary. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2007-03-08T07:19:00+00:00 Eric Dumazet dada1@cosmosbay.com 2007-03-08T07:19:00+00:00 urn:sha1:763eec030da398d17ebd85c54b1020b93435e55d Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2007-01-26T19:49:22+00:00 Marcel Holtmann marcel@holtmann.org 2007-01-25T19:32:22+00:00 urn:sha1:ecfad2cc55c3de17bc896816c49597cfacf2e3cf The command complete event of the exit periodic inquiry command must clear the HCI_INQUIRY flag and finish the HCI request. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2006-11-24T02:03:34+00:00 Al Viro viro@zeniv.linux.org.uk 2006-11-24T02:03:34+00:00 urn:sha1:d6042b2ec9446e7955d72a2155a4dff473ccc511 Calculation of IPX checksum got buggered about 2.4.0. The old variant mangled the packet; that got fixed, but calculation itself got buggered. Restored the correct logics, fixed a subtle breakage we used to have even back then: if the sum is 0 mod 0xffff, we want to return 0, not 0xffff. The latter has special meaning for IPX (cheksum disabled). Observation (and obvious fix) nicked from history of FreeBSD ipx_cksum.c... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2006-08-26T00:39:03+00:00 Vlad Yasevich vladislav.yasevich@hp.com 2006-08-26T00:39:03+00:00 urn:sha1:cf7260ee89f7b187304a35b188cc0c889f7bdd24 Make SCTP handle broadcast properly Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2006-08-23T16:01:55+00:00 Sridhar Samudrala sri@us.ibm.com 2006-08-23T16:01:55+00:00 urn:sha1:28ea23d9847cadc58edf3d10b8c1651f18b8d26b sctp_make_abort_user() now takes the msg_len along with the msg so that we don't have to recalculate the bytes in iovec. It also uses memcpy_fromiovec() so that we don't go beyond the length allocated. It is good to have this fix even if verify_iovec() is fixed to return error on overflow. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Acked-by: David Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2006-05-20T22:00:34+00:00 Vladislav Yasevich vladislav.yasevich@hp.com 2006-05-19T18:52:20+00:00 urn:sha1:0eca2317be1345e056fb75d256099a04c97f7021 When performing bound checks during the parameter processing, we want to use the real chunk and paramter lengths for bounds instead of the rounded ones. This prevents us from potentially walking of the end if the chunk length was miscalculated. We still use rounded lengths when advancing the pointer. This was found during a conformance test that changed the chunk length without modifying parameters. (Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem is parameter dependent). Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: Chris Wright <chrisw@sous-sol.org>