Fix a case where copying max_inline_data from a successful create_qp capabilities output to create_qp input could cause EINVAL error: mthca_set_qp_size must check max_inline_data directly against max_desc_sz; checking qp->sq.max_gs is wrong since max_inline_data depends on the qp type and does not involve max_sg. Signed-off-by: Jack Morgenstein <jackm@mellanox.co.il> Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
This is CVE-2006-0555 and SGI bug 946529. A normal user can panic an NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT. Signed-off-by: Chris Wright <chrisw@sous-sol.org>
This is CVE-2006-0554 and SGI bug 942658. With certain types of ftruncate() activity on 2.6 kernels, XFS can end up exposing stale data off disk to a user, putting extents where holes should be. Signed-off-by: Chris Wright <chrisw@sous-sol.org>
sbp2: fix another deadlock after disconnection If there were commands enqueued but not completed before an SBP-2 unit was unplugged (or an attempt to reconnect failed), knodemgrd or any process which tried to remove the device would sleep uninterruptibly in blk_execute_rq(). Therefore make sure that all commands are completed when sbp2 retreats. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
sd: fix memory corruption with broken mode page headers There's a problem in sd where we blindly believe the length of the headers and block descriptors. Some devices return insane values for these and cause our length to end up greater than the actual buffer size, so check to make sure. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Also removed the buffer size magic number (512) and added DPOFUA of zero to the defaults Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org> rediff for 2.6.15.x without DPOFUA bit, taken from commit 489708007785389941a89fa06aedc5ec53303c96 Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
netlink overrun was broken while improvement of netlink. Destination socket is used in the place where it was meant to be source socket, so that now overrun is never sent to user netlink sockets, when it should be, and it even can be set on kernel socket, which results in complete deadlock of rtnetlink. Suggested fix is to restore status quo passing source socket as additional argument to netlink_attachskb(). A little explanation: overrun is set on a socket, when it failed to receive some message and sender of this messages does not or even have no way to handle this error. This happens in two cases: 1. when kernel sends something. Kernel never retransmits and cannot wait for buffer space. 2. when user sends a broadcast and the message was not delivered to some recipients. Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Fixes a local DOS on Intel systems that lead to an endless recursive fault. AMD machines don't seem to be affected. Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com> Signed-off-by: Andi Kleen <ak@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
If skge is attached to a bad cable, that goes up/down. It exposes an SMP race with the management of IRQ mask Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
The SysKonnect Genesis based board would fail on initialization with phy_read errors caused by not waiting for last phy write. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org>