When selecting a new window, tcp_select_window() tries not to shrink
the offered window by using the maximum of the remaining offered window
size and the newly calculated window size. The newly calculated window
size is always a multiple of the window scaling factor, the remaining
window size however might not be since it depends on rcv_wup/rcv_nxt.
This means we're effectively shrinking the window when scaling it down.
The dump below shows the problem (scaling factor 2^7):
- Window size of 557 (71296) is advertised, up to 3111907257:
IP 172.2.2.3.33000 > 172.2.2.2.33000: . ack 3111835961 win 557 <...>
- New window size of 514 (65792) is advertised, up to 3111907217, 40 bytes
below the last end:
IP 172.2.2.3.33000 > 172.2.2.2.33000: . 3113575668:3113577116(1448) ack 3111841425 win 514 <...>
The number 40 results from downscaling the remaining window:
3111907257 - 3111841425 = 65832
65832 / 2^7 = 514
65832 % 2^7 = 40
If the sender uses up the entire window before it is shrunk, this can have
chaotic effects on the connection. When sending ACKs, tcp_acceptable_seq()
will notice that the window has been shrunk since tcp_wnd_end() is before
tp->snd_nxt, which makes it choose tcp_wnd_end() as sequence number.
This will fail the receivers checks in tcp_sequence() however since it
is before it's tp->rcv_wup, making it respond with a dupack.
If both sides are in this condition, this leads to a constant flood of
ACKs until the connection times out.
Make sure the window is never shrunk by aligning the remaining window to
the window scaling factor.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
zap_completion_queue() retrieves skbs from completion_queue where they have
zero skb->users counter. Before dev_kfree_skb_any() it should be non-zero
yet, so it's increased now.
Reported-and-tested-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
In br_fdb_cleanup() next_timer and this_timer are in jiffies, so they
should be compared using the time_after() macro.
Signed-off-by: Fabio Checconi <fabio@gandalf.sssup.it>
Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sparc MAC address support should be protected consistently
with CONFIG_SPARC, but there was a stray CONFIG_SPARC64
case.
Bump driver version and release date.
Reported by Andrew Morton.
Signed-off-by: David S. Miller <davem@davemloft.net>
From: Pavel Emelyanov <xemul@openvz.org>
This patch is based on the one from Thomas.
The kauditd_thread() calls the netlink_unicast() and passes
the audit_pid to it. The audit_pid, in turn, is received from
the user space and the tool (I've checked the audit v1.6.9)
uses getpid() to pass one in the kernel. Besides, this tool
doesn't bind the netlink socket to this id, but simply creates
it allowing the kernel to auto-bind one.
That's the preamble.
The problem is that netlink_autobind() _does_not_ guarantees
that the socket will be auto-bound to the current pid. Instead
it uses the current pid as a hint to start looking for a free
id. So, in case of conflict, the audit messages can be sent
to a wrong socket. This can happen (it's unlikely, but can be)
in case some task opens more than one netlink sockets and then
the audit one starts - in this case the audit's pid can be busy
and its socket will be bound to another id.
The proposal is to introduce an audit_nlk_pid in audit subsys,
that will point to the netlink socket to send packets to. It
will most often be equal to audit_pid. The socket id can be
got from the skb's netlink CB right in the audit_receive_msg.
The audit_nlk_pid reset to 0 is not required, since all the
decisions are taken based on audit_pid value only.
Later, if the audit tools will bind the socket themselves, the
kernel will have to provide a way to setup the audit_nlk_pid
as well.
A good side effect of this patch is that audit_pid can later
be converted to struct pid, as it is not longer safe to use
pid_t-s in the presence of pid namespaces. But audit code still
uses the tgid from task_struct in the audit_signal_info and in
the audit_filter_syscall.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
commit e9720ac ([NET]: Make /proc/net a symlink on /proc/self/net (v3))
broke ganglia and probably other applications that read /proc/net/dev.
This is due to the change of permissions of /proc/net that was
introduced in that commit.
Before: dr-xr-xr-x 5 root root 0 Mar 19 11:30 /proc/net
After: dr-xr--r-- 5 root root 0 Mar 19 11:29 /proc/self/net
This patch restores the permissions to the old value which makes
ganglia happy again.
Pavel Emelyanov says:
This also broke the postfix, as it was reported in bug #10286
and described in detail by Benjamin.
Signed-off-by: Andre Noll <maan@systemlinux.org>
Acked-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
There is a race is SCTP between the loading of the module
and the access by the socket layer to the protocol functions.
In particular, a list of addresss that SCTP maintains is
not initialized prior to the registration with the protosw.
Thus it is possible for a user application to gain access
to SCTP functions before everything has been initialized.
The problem shows up as odd crashes during connection
initializtion when we try to access the SCTP address list.
The solution is to refactor how we do registration and
initialize the lists prior to registering with the protosw.
Care must be taken since the address list initialization
depends on some other pieces of SCTP initialization. Also
the clean-up in case of failure now also needs to be refactored.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Acked-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
If a rule using ipt_recent is created with a hit count greater than
ip_pkt_list_tot, the rule will never match as it cannot keep track
of enough timestamps. This patch makes ipt_recent refuse to create such
rules.
With ip_pkt_list_tot's default value of 20, the following can be used
to reproduce the problem.
nc -u -l 0.0.0.0 1234 &
for i in `seq 1 100`; do echo $i | nc -w 1 -u 127.0.0.1 1234; done
This limits it to 20 packets:
iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
--rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
60 --hitcount 20 --name test --rsource -j DROP
While this is unlimited:
iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
--rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
60 --hitcount 21 --name test --rsource -j DROP
With the patch the second rule-set will throw an EINVAL.
Reported-by: Sean Kennedy <skennedy@vcn.com>
Signed-off-by: Daniel Hokka Zakrisson <daniel@hozac.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
logical-bitwise & confusion
Signed-off-by: Roel Kluin <12o3l@tiscali.nl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6:
[SCSI] a100u2w: fix bitmap lookup routine
[SCSI] fix media change events for polled devices
[SCSI] sd, sr: do not emit change event at device add
[SCSI] mpt fusion: Power Management fixes for MPT SAS PCI-E controllers
[SCSI] gdth: Allocate sense_buffer to prevent NULL pointer dereference
[SCSI] arcmsr: fix iounmap error for Type B adapter
[SCSI] isd200: Allocate sense_buffer for hacked up scsi_cmnd
[SCSI] fix bsg queue oops with iscsi logout
[SCSI] Fix dependency problems in SCSI drivers
[SCSI] advansys: Fix bug in AdvLoadMicrocode
This fixes a use-after-free bug in the handling of split transactions.
The AT DMA handler of the request was occasionally executed after the
AR DMA handler of the response. The AT DMA handler then accessed an
already freed packet.
Reported by Johannes Berg.
http://bugzilla.kernel.org/show_bug.cgi?id=9617
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Tested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Jarod Wilson <jwilson@redhat.com>
* git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/v4l-dvb:
V4L/DVB (7367): bug #10211: Fix depencencies for cx2341x
V4L/DVB (7362): tvp5150.c: logical-bitwise and confusion
V4L/DVB (7334): usb video: add a device link to usbvideo devices, else hal will ignore them
V4L/DVB (7330): V4L1 - fix v4l_compat_translate_ioctl possible NULL deref
V4L/DVB (7328): usb/opera1.c: fix a memory leak
V4L/DVB (7291): em28xx: correct use of and fix
V4L/DVB (7285): em28xx: Correct use of ! and &
V4L/DVB (7279): ivtv: Add missing sg_init_table()
V4L/DVB (7268): saa7134: fix: tuner should be loaded before calling saa7134_board_init2()
V4L/DVB (7267): cx88: Fix: Loads tuner module before sending commands to it
V4L/DVB (7251): VIDEO_VIVI must depend on VIDEO_DEV
V4L/DVB (7242): ivtv: fix for yuv filter table check
V4L/DVB (7236): bttv: struct member initialized twice
V4L/DVB (7228): saa7134: fix FM radio support for the Pinnacle PCTV 110i
The original justification for cap_task_kill() was as follows:
check_kill_permission() does appropriate uid equivalence checks.
However with file capabilities it becomes possible for an
unprivileged user to execute a file with file capabilities
resulting in a more privileged task with the same uid.
However now that cap_task_kill() always returns 0 (permission
granted) when p->uid==current->uid, the whole hook is worthless,
and only likely to create more subtle problems in the corner cases
where it might still be called but return -EPERM. Those cases
are basically when uids are different but euid/suid is equivalent
as per the check in check_kill_permission().
One example of a still-broken application is 'at' for non-root users.
This patch removes cap_task_kill().
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Andrew G. Morgan <morgan@kernel.org>
Earlier-version-tested-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
a0c1e9073e "futex: runtime enable pi and
robust functionality" introduces a test wether futex in atomic stuff
works or not.
It does that by writing to address 0 of the kernel address space. This
will crash on older machines where addressing mode switching is enabled
but where the mvcos instruction is not available. Page table walking is
done by hand and therefore the code tries to access current->mm which
is NULL.
Therefore add an extra check, so we survive the early test.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
This is a bug correction for a macro that generated wrong results.
Nobody used it in official kernel tree, my driver did.
Signed-off-by: Davide Rizzo <davide@elpa.it>
Acked-by: Ben Dooks <ben-linux@fluff.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
fix signal return code when enable CONFIG_OABI_COMPAT
Signed-off-by: Janboe Ye <janboe.ye@gmail.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Until DSP MMU code is merged, dsp_request_mem() does not exist.
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
This patch adds the code required to register the F75375 device on the
GLAN Tank.
Signed-off-by: Gordon Farquharson <gordonfarquharson@gmail.com>
Acked-by: Lennert Buytenhek <buytenh@wantstofly.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Some bootloaders are disabling write buffer coalescing. Enable it back
under linux.
Signed-off-by: Arnaud Patard <arnaud.patard@rtp-net.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Define AT91_USART0, 1, 2 so the selection of the UART for early kernel
messages works.
(See commit fa3218d859).
Replace AT91_SHDC with AT91_SHDWC to be consistent with other AT91 platforms.
Signed-off-by: Andrew Victor <linux@maxim.org.za>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Change email address of AT91 maintainer.
This reverts the incorrect change in commit
6650e0a517
Signed-off-by: Andrew Victor <linux@maxim.org.za>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
There are possible NULL pointer derefs in case of kzalloc fails so fix them.
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
This patch fixes a memory leak in the "testval == 0x67" case spotted by
the Coverity checker.
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
In commit e6bafba5b4, a bug was fixed that
involved converting !x & y to !(x & y). The code below shows the same
pattern, and thus should perhaps be fixed in the same way.
This is not tested and clearly changes the semantics, so it is only
something to consider.
The semantic patch that makes this change is as follows:
(http://www.emn.fr/x-info/coccinelle/)
// <smpl>
@@ expression E1,E2; @@
(
!E1 & !E2
|
- !E1 & E2
+ !(E1 & E2)
)
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
If a dma transfer is attempted for either yuv or framebuffer output, a missing
sg_init_table() call causes a kernel BUG in scatterlist.h if CONFIG_DEBUG_SG
is set.
Signed-off-by: Ian Armstrong <ian@iarmst.demon.co.uk>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
There are several parts of saa7134_board_init2() that calls tuner modules. We
should first load tuner, otherwise, the commands will fail.
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
This patch fixes the following compile error with
VIDEO_VIVI=y, VIDEO_DEV=m reported by Toralf Förster:
<-- snip -->
...
LD .tmp_vmlinux1
drivers/built-in.o: In function `vivi_release':
vivi.c:(.text+0x322f5): undefined reference to `video_unregister_device'
vivi.c:(.text+0x32337): undefined reference to `video_device_release'
drivers/built-in.o: In function `vivi_open':
vivi.c:(.text+0x32845): undefined reference to `v4l2_type_names'
drivers/built-in.o: In function `vivi_init':
vivi.c:(.init.text+0x1d20): undefined reference to `video_device_alloc'
vivi.c:(.init.text+0x1d48): undefined reference to `video_register_device'
drivers/built-in.o:(.rodata+0x1b40): undefined reference to
`video_ioctl2'drivers/built-in.o:(.data+0x140c): undefined reference to
`video_device_release'
<-- snip -->
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
As the result of a previous change that delayed the loading of the firmware,
the driver can sometimes report a bogus error regarding the yuv output filter
table not being found in the firmware. This patch moves the filter table
check to ensure it's only done after the firmware has been loaded.
Signed-off-by: Ian Armstrong <ian@iarmst.demon.co.uk>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
fixes sparse warning:
drivers/media/video/bt8xx/bttv-driver.c:3391:3: warning: Initializer entry defined twice
drivers/media/video/bt8xx/bttv-driver.c:3392:3: also defined here
Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
This also has some coding style fixes.
Signed-off-by: Yuri Funduryan <yurifun@mail.ru>
Signed-off-by: Hartmut Hackmann <hartmut.hackmann@t-online.de>
Reviewed-by: Hermann Pitton <hermann-pitton@arcor.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
This patch changes the return value of omap_dma_chain_a_transfer
to 0 on success instead of the flag 'start_dma', which wasn't really useful
for anything.
Signed-off-by: Anand Gadiyar <gadiyar@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Although audio and dsp drivers are not integrated yet,
allow compiling in mailbox and mcbsp to see any build
warnings.
Signed-off-by: Tony Lindgren <tony@atomide.com>
GPIO IRQ unmask doesn't actually do anything useful. The problem is
hidden by a separate explicit mass unmask at the end of the chained
bank handler.
Signed-off-by: Kevin Hilman <khilman@mvista.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
One-shot mode was broken in MPU-timer support for OMAP1 due to a typo.
Also, ensure timer is stopped before changing the auto-reload flag.
The TRM says changing the AR flag when timer is running is undefined.
Also set GENERIC_CLOCKEVENTS for all omaps.
Signed-off-by: Tim Bird <tim.bird@am.sony.com>
Signed-off-by: Kevin Hilman <khilman@mvista.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
This patch is only compile tested.
It seems that bitmap lookup routine for allocation_map in
a100u2w driver is simply wrong.
It cannot lookup more than first 32 bits. If all first 32 bits
are set, it just returns 33-th orc_scb even though the 33-th bit
is not set.
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Tested-by: Alan Cox <alan@redhat.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
unsigned long != __le32, TYVM, and unsigned char[4] is not guaranteed
to be aligned for u32.
While we are at it, sanitize sOutDW() a bit - have it take Byte_t * and
handle dereferencing internally.
NB: sWriteTxPrioByte() is almost certainly buggered on big-endian and is
missing cpu_to_le16() on assignments to *WordPtr; I've left it alone for now.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>