This fixes not one, but _two_, silly (but admittedly hard to hit) bugs
in the ext2 filesystem "readdir()" function. It also cleans up the code
to avoid the unnecessary goto mess.
The bugs were related to re-validating the f_pos value after somebody had
either done an "lseek()" on the directory to an invalid offset, or when
the offset had become invalid due to a file being unlinked in the
directory. The code would not only set the f_version too eagerly, it
would also not update f_pos appropriately for when the offset fixup took
place.
When that happened, we'd occasionally subsequently fail the readdir()
even when we shouldn't (no real harm done, but an ugly printk, and
obviously you would end up not necessarily seeing all entries).
Thanks to Masoud Sharbiani <email address hidden> who noticed the problem
and had a test-case for it, and also fixed up a thinko in the first
version of this patch.
[PATCH] NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated.
The user can pass us arbitrary garbage so we should ensure the
string they give us is null terminated before we pass it on
to dev_get_by_index() et al.
Found by Solar Designer.
Signed-off-by: David S. Miller <email address hidden>
Signed-off-by: Chris Wright <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
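The point of the SO_BINDTODEVICE fix above is that a caller-supplied name buffer must be forced to a NUL terminator before any string function touches it. The following is an added userspace example, not the kernel's code: it builds a 16-byte name with no terminator, copies it the naive way and the hardened way, and reports whether a later strlen() or strcmp() would have a stopping point. IFNAMSIZ is the real Linux constant (16); the helper names and the constructed input are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16   /* Linux interface-name buffer size, NUL included */

/* Constructed untrusted input: n bytes with no NUL anywhere. */
static void fill_unterminated(char *buf, size_t n)
{
    memset(buf, 'x', n);
}

/* Does buf hold a NUL within its first n bytes? 1 = safe to use as a C string. */
int name_is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Before: copy exactly what the caller supplied and hope it was terminated. */
void copy_name_naive(char dst[IFNAMSIZ], const char *src, size_t optlen)
{
    memcpy(dst, src, optlen > IFNAMSIZ ? IFNAMSIZ : optlen);
}

/* After: bound the copy and force a terminator, so no later string
   function can run off the end of dst. Returns the resulting name length,
   or -1 when the caller hands over more than the buffer can hold. */
int copy_name_hardened(char dst[IFNAMSIZ], const char *src, size_t optlen)
{
    if (optlen > IFNAMSIZ)
        return -1;
    memset(dst, 0, IFNAMSIZ);       /* also clears stale bytes after a short name */
    memcpy(dst, src, optlen);
    dst[IFNAMSIZ - 1] = '\0';       /* the fix: never rely on the caller's NUL */
    return (int)strlen(dst);
}

/* Naive copy of the constructed input: returns 0, meaning no terminator. */
int demo_naive_unterminated(void)
{
    char src[IFNAMSIZ], dst[IFNAMSIZ];
    fill_unterminated(src, sizeof src);
    copy_name_naive(dst, src, sizeof src);
    return name_is_terminated(dst, sizeof dst);
}

/* Hardened copy of the same input: returns the truncated length (15),
   or -2 if the result were somehow still unterminated. */
int demo_hardened_length(void)
{
    char src[IFNAMSIZ], dst[IFNAMSIZ];
    int len;
    fill_unterminated(src, sizeof src);
    len = copy_name_hardened(dst, src, sizeof src);
    return name_is_terminated(dst, sizeof dst) ? len : -2;
}

int main(void)
{
    printf("naive copy terminated: %d\n", demo_naive_unterminated());
    printf("hardened copy length:  %d\n", demo_hardened_length());
    return 0;
}
```

The hardened variant silently drops the sixteenth byte of an over-long name; whether that truncation should instead be rejected is a policy choice, but either way the lookup that follows only ever sees a proper string.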
739d40f... by Alexey Kuznetsov <email address hidden>
[PATCH] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242)
The problem is in ip_push_pending_frames(), which uses:
Right now I think the code is a nonsense. Most likely, I copied it from
old ip_build_xmit(), where it was really special, we had to decide
whether to generate unique ID when generating the first (well, the last)
fragment.
In ip_push_pending_frames() it does not make sense, it should use plain
ip_select_ident() instead.
Signed-off-by: Alexey Kuznetsov <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
Signed-off-by: Chris Wright <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
[PATCH] cramfs mounts provide corrupted content since 2.6.15
Fix handling of cramfs images created by util-linux containing empty
regular files. Images created by cramfstools 1.x were ok.
Fill out inode contents in cramfs_iget5_set() instead of get_cramfs_inode()
to prevent issues if cramfs_iget5_test() is called with I_LOCK|I_NEW still
set.
Signed-off-by: Dave Johnson <email address hidden>
Cc: Olaf Hering <email address hidden>
Cc: Chris Mason <email address hidden>
Cc: Andreas Gruenbacher <email address hidden>
Signed-off-by: Andrew Morton <email address hidden>
Signed-off-by: Linus Torvalds <email address hidden>
Signed-off-by: Chris Wright <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
A recent change to compat. dev_ifconf() in fs/compat_ioctl.c
causes ifconf data to be truncated 1 entry too early when copying it
to userspace. The correct amount of data (length) is returned,
but the final entry is empty (zero, not filled in).
The for-loop 'i' check should use <= to allow the final struct
ifreq32 to be copied. I also used the ifconf-corruption program
in kernel bugzilla #4746 to make sure that this change does not
re-introduce the corruption.
Signed-off-by: Randy Dunlap <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
Signed-off-by: Chris Wright <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
The size of the skb carrying the netlink message is not
equivalent to the length of the actual netlink message
due to padding. ip_queue matches the length of the payload
against the original packet size to determine if packet
mangling is desired, due to the above wrong assumption
arbitrary packets may not be mangled depending on their
original size.
Signed-off-by: Thomas Graf <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
Signed-off-by: Chris Wright <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
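The ip_queue fix above turns on the difference between a netlink message's own length and the padded buffer that carries it. The following is an added example, not the ip_queue code: it mirrors the uapi alignment macros (4-byte NLMSG_ALIGN, 16-byte nlmsghdr), builds the two lengths a verdict message would have, and derives the payload size both the wrong way (from the buffer) and the right way (from nlmsg_len). The `verdict_msg` struct, the verdict-header size and the equality check used to decide mangling are assumptions made for the demonstration.

```c
#include <stddef.h>

/* Same rules as the uapi netlink macros: messages are padded to 4 bytes. */
#define NLMSG_ALIGNTO    4u
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLMSG_HDRLEN     ((size_t)NLMSG_ALIGN(16u))   /* sizeof(struct nlmsghdr) == 16 */

/* Only the two lengths the check depends on are modelled (constructed struct). */
struct verdict_msg {
    size_t nlmsg_len;   /* header + verdict header + packet, no trailing padding */
    size_t skb_len;     /* bytes in the buffer that delivered it: nlmsg_len rounded up */
};

/* What a sender produces for a replacement packet of pkt_len bytes placed
   behind a verdict header of verdict_hdr bytes. */
struct verdict_msg build_msg(size_t pkt_len, size_t verdict_hdr)
{
    struct verdict_msg m;
    m.nlmsg_len = NLMSG_HDRLEN + verdict_hdr + pkt_len;
    m.skb_len   = NLMSG_ALIGN(m.nlmsg_len);
    return m;
}

/* Before: payload size taken from the buffer, so up to three padding bytes
   are counted as packet data. */
size_t payload_len_buggy(struct verdict_msg m, size_t verdict_hdr)
{
    return m.skb_len - NLMSG_HDRLEN - verdict_hdr;
}

/* After: payload size taken from the netlink message length itself. */
size_t payload_len_fixed(struct verdict_msg m, size_t verdict_hdr)
{
    return m.nlmsg_len - NLMSG_HDRLEN - verdict_hdr;
}

/* Hypothetical decision rule: mangle only when the supplied packet matches
   the original packet size (the comparison the commit message describes). */
int wants_mangle(size_t payload_len, size_t orig_len)
{
    return payload_len == orig_len;
}

/* Run the same original packet size through both derivations. */
int mangle_decision_buggy(size_t orig_len, size_t verdict_hdr)
{
    struct verdict_msg m = build_msg(orig_len, verdict_hdr);
    return wants_mangle(payload_len_buggy(m, verdict_hdr), orig_len);
}

int mangle_decision_fixed(size_t orig_len, size_t verdict_hdr)
{
    struct verdict_msg m = build_msg(orig_len, verdict_hdr);
    return wants_mangle(payload_len_fixed(m, verdict_hdr), orig_len);
}
```

A 64-byte packet passes both checks because its message happens to be 4-byte aligned already; a 61-byte packet is padded to 64 and fails the buggy comparison, which is the size-dependent behaviour the commit message calls out.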
[PATCH] IB/srp: Don't send task management commands after target removal
Just fail abort and reset requests that come in after we've already
decided to remove a target. This fixes a nasty crash if a storage
target goes away.
Signed-off-by: Roland Dreier <email address hidden>
Signed-off-by: Chris Wright <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>