--- /dev/null
+From foo@baz Tue Apr 9 12:12:43 2002
+Date: Tue, 09 Apr 2002 12:14:34 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org, stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk
+Subject: [00/08] 2.6.15.7 -stable review
+Status: RO
+Content-Length: 732
+Lines: 17
+
+This is the start of the stable review cycle for the 2.6.15.7 release.
+There are 8 patches in this series, all will be posted as a response to
+this one. If anyone has any issues with these being applied, please let
+us know. If anyone is a maintainer of the proper subsystem, and wants
+to add a signed-off-by: line to the patch, please respond with it.
+
+These patches are sent out with a number of different people on the Cc:
+line. If you wish to be a reviewer, please email stable@kernel.org to
+add your name to the list. If you want to be off the reviewer list,
+also email us.
+
+Responses should be made by Tuesday March 28 02:00:00 UTC. Anything
+received after that time, might be too late.
+
+thanks,
+
+the -stable release team
+
+From stable-bounces@linux.kernel.org Mon Mar 6 20:28:25 2006
+Date: Mon, 06 Mar 2006 20:23:33 -0800
+To: linux-kernel@vger.kernel.org, stable@kernel.org, rolandd@cisco.com, Justin Forbes <jmforbes@linuxtx.org>, Zwane Mwaikambo <zwane@arm.linux.org.uk>, Theodore Ts'o <tytso@mit.edu>, Randy.Dunlap <rdunlap@xenotime.net>, Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk
+Subject: [PATCH 01/08] IB/srp: Don't send task management commands after target removal
+Status: RO
+Content-Length: 949
+Lines: 31
+
+From: Roland Dreier <rdreier@cisco.com>
+
+Just fail abort and reset requests that come in after we've already
+decided to remove a target. This fixes a nasty crash if a storage
+target goes away.
+
+Signed-off-by: Roland Dreier <rolandd@cisco.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+This is upstream in Linus's tree as 1285b3a0b0aa2391ac6f6939e6737203c8220f68
+
+ drivers/infiniband/ulp/srp/ib_srp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- linux-2.6.15.6.orig/drivers/infiniband/ulp/srp/ib_srp.c
++++ linux-2.6.15.6/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -1154,6 +1154,12 @@ static int srp_send_tsk_mgmt(struct scsi
+
+ spin_lock_irq(target->scsi_host->host_lock);
+
++ if (target->state == SRP_TARGET_DEAD ||
++ target->state == SRP_TARGET_REMOVED) {
++ scmnd->result = DID_BAD_TARGET << 16;
++ goto out;
++ }
++
+ if (scmnd->host_scribble == (void *) -1L)
+ goto out;
+
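Review bot: the new early-out (`scmnd->result = DID_BAD_TARGET << 16; goto out;`) is taken while `target->scsi_host->host_lock` is held (the `spin_lock_irq` two lines above it), so it relies on the `out:` label, which is outside this hunk, to release the lock on every path; worth confirming that the existing `goto out` for the `host_scribble == (void *) -1L` case already goes through that unlock and that nothing between the label and the unlock dereferences the now-dead target. A one-line comment above the state check saying that abort/reset requests for a target already marked DEAD or REMOVED are failed on purpose (this is the crash the message describes) would help the next reader.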
+
+From stable-bounces@linux.kernel.org Tue Mar 7 15:04:47 2006
+Date: Tue, 07 Mar 2006 14:59:23 -0800 (PST)
+To: linux-kernel@vger.kernel.org, stable@kernel.org, davem@davemloft.net, tgraf@suug.ch, Justin Forbes <jmforbes@linuxtx.org>, Zwane Mwaikambo <zwane@arm.linux.org.uk>, Theodore Ts'o <tytso@mit.edu>, Randy.Dunlap <rdunlap@xenotime.net>, Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk
+Cc:
+Subject: [PATCH 02/08] Netfilter ip_queue: Fix wrong skb->len == nlmsg_len assumption
+Status: RO
+Content-Length: 1539
+Lines: 42
+
+From: "David S. Miller" <davem@davemloft.net>
+
+The size of the skb carrying the netlink message is not
+equivalent to the length of the actual netlink message
+due to padding. ip_queue matches the length of the payload
+against the original packet size to determine if packet
+mangling is desired, due to the above wrong assumption
+arbitrary packets may not be mangled depending on their
+original size.
+
+Signed-off-by: Thomas Graf <tgraf@suug.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ net/ipv4/netfilter/ip_queue.c | 2 +-
+ net/ipv6/netfilter/ip6_queue.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.15.6.orig/net/ipv4/netfilter/ip_queue.c
++++ linux-2.6.15.6/net/ipv4/netfilter/ip_queue.c
+@@ -524,7 +524,7 @@ ipq_rcv_skb(struct sk_buff *skb)
+ write_unlock_bh(&queue_lock);
+
+ status = ipq_receive_peer(NLMSG_DATA(nlh), type,
+- skblen - NLMSG_LENGTH(0));
++ nlmsglen - NLMSG_LENGTH(0));
+ if (status < 0)
+ RCV_SKB_FAIL(status);
+
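Review bot: the only change is `skblen` to `nlmsglen` in the length handed to `ipq_receive_peer()`, which matches the description (netlink padding makes skb->len larger than the message length, so the payload-length comparison against the original packet size was wrong), but the hunk does not show where `nlmsglen` comes from or that it has already been checked to fit within `skblen` at this point; the reviewer should confirm the earlier `nlmsg_len` validation in `ipq_rcv_skb()` still precedes this call, since the message length is now the value that bounds the payload read. The ip6_queue hunk below is the identical one-line change and the same check applies there.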
+--- linux-2.6.15.6.orig/net/ipv6/netfilter/ip6_queue.c
++++ linux-2.6.15.6/net/ipv6/netfilter/ip6_queue.c
+@@ -522,7 +522,7 @@ ipq_rcv_skb(struct sk_buff *skb)
+ write_unlock_bh(&queue_lock);
+
+ status = ipq_receive_peer(NLMSG_DATA(nlh), type,
+- skblen - NLMSG_LENGTH(0));
++ nlmsglen - NLMSG_LENGTH(0));
+ if (status < 0)
+ RCV_SKB_FAIL(status);
+
+
+From stable-bounces@linux.kernel.org Wed Mar 8 17:48:08 2006
+Date: Wed, 08 Mar 2006 17:43:17 -0800 (PST)
+To: linux-kernel@vger.kernel.org, stable@kernel.org, davem@davemloft.net, rdunlap@xenotime.net, Justin Forbes <jmforbes@linuxtx.org>, Zwane Mwaikambo <zwane@arm.linux.org.uk>, Theodore Ts'o <tytso@mit.edu>, Randy.Dunlap <rdunlap@xenotime.net>, Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk
+Subject: [PATCH 03/08] NET: compat ifconf: fix limits
+Status: RO
+Content-Length: 1318
+Lines: 31
+
+From: Randy Dunlap <rdunlap@xenotime.net>
+
+A recent change to compat. dev_ifconf() in fs/compat_ioctl.c
+causes ifconf data to be truncated 1 entry too early when copying it
+to userspace. The correct amount of data (length) is returned,
+but the final entry is empty (zero, not filled in).
+The for-loop 'i' check should use <= to allow the final struct
+ifreq32 to be copied. I also used the ifconf-corruption program
+in kernel bugzilla #4746 to make sure that this change does not
+re-introduce the corruption.
+
+Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ fs/compat_ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.15.6.orig/fs/compat_ioctl.c
++++ linux-2.6.15.6/fs/compat_ioctl.c
+@@ -687,7 +687,7 @@ static int dev_ifconf(unsigned int fd, u
+ ifr = ifc.ifc_req;
+ ifr32 = compat_ptr(ifc32.ifcbuf);
+ for (i = 0, j = 0;
+- i + sizeof (struct ifreq32) < ifc32.ifc_len && j < ifc.ifc_len;
++ i + sizeof (struct ifreq32) <= ifc32.ifc_len && j < ifc.ifc_len;
+ i += sizeof (struct ifreq32), j += sizeof (struct ifreq)) {
+ if (copy_in_user(ifr32, ifr, sizeof (struct ifreq32)))
+ return -EFAULT;
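Review bot: changing `<` to `<=` in the loop condition is the off-by-one fix the message describes: with `<`, an `ifc32.ifc_len` that is an exact multiple of `sizeof(struct ifreq32)` stopped one entry short, so the last `ifreq32` was reported in the length but never copied. With `<=`, the copy of the final entry ends exactly at `ifc32.ifc_len` and not beyond it, and the second bound `j < ifc.ifc_len` still limits reads from the kernel-side buffer; a short comment on the loop saying the user-side bound is inclusive on purpose would stop someone "fixing" it back.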
+
+From nobody Mon Sep 17 00:00:00 2001
+To: linux-kernel@vger.kernel.org, stable@kernel.org, djohnson@sw.starentnetworks.com, djohnson+linux-kernel@sw.starentnetworks.com, olh@suse.de, mason@suse.com, agruen@suse.de, Justin Forbes <jmforbes@linuxtx.org>, Zwane Mwaikambo <zwane@arm.linux.org.uk>, Theodore Ts'o <tytso@mit.edu>, Randy.Dunlap <rdunlap@xenotime.net>, Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk
+Subject: [PATCH 04/08] cramfs mounts provide corrupted content since 2.6.15
+Status: RO
+Content-Length: 4080
+Lines: 109
+
+From: Dave Johnson <djohnson@sw.starentnetworks.com>
+
+Fix handling of cramfs images created by util-linux containing empty
+regular files. Images created by cramfstools 1.x were ok.
+
+Fill out inode contents in cramfs_iget5_set() instead of get_cramfs_inode()
+to prevent issues if cramfs_iget5_test() is called with I_LOCK|I_NEW still
+set.
+
+Signed-off-by: Dave Johnson <djohnson+linux-kernel@sw.starentnetworks.com>
+Cc: Olaf Hering <olh@suse.de>
+Cc: Chris Mason <mason@suse.com>
+Cc: Andreas Gruenbacher <agruen@suse.de>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ fs/cramfs/inode.c | 60 ++++++++++++++++++++++++++----------------------------
+ 1 file changed, 29 insertions(+), 31 deletions(-)
+
+ff3aea0e68bfd46120ce2d08bc1f8240fa2bd36a
+--- linux-2.6.15.6.orig/fs/cramfs/inode.c
++++ linux-2.6.15.6/fs/cramfs/inode.c
+@@ -36,7 +36,7 @@ static DECLARE_MUTEX(read_mutex);
+
+ /* These two macros may change in future, to provide better st_ino
+ semantics. */
+-#define CRAMINO(x) ((x)->offset?(x)->offset<<2:1)
++#define CRAMINO(x) (((x)->offset && (x)->size)?(x)->offset<<2:1)
+ #define OFFSET(x) ((x)->i_ino)
+
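Review bot: with `CRAMINO()` now requiring both `offset` and `size` to be non-zero, every empty regular file in the image lands on inode number 1 together with any entry that has a zero offset, so `iget5_locked()` will hand back the same cached inode for all of them unless `cramfs_iget5_test()` (not in this hunk) compares more than the inode number; please confirm that test distinguishes them by mode/uid/gid, since the message says the whole point of filling the fields in `cramfs_iget5_set()` is that the test can be called while I_LOCK|I_NEW is still set. The comment above the macro ("may change in future, to provide better st_ino semantics") should also say why `size` is now part of the condition.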
+
+@@ -66,8 +66,36 @@ static int cramfs_iget5_test(struct inod
+
+ static int cramfs_iget5_set(struct inode *inode, void *opaque)
+ {
++ static struct timespec zerotime;
+ struct cramfs_inode *cramfs_inode = opaque;
++ inode->i_mode = cramfs_inode->mode;
++ inode->i_uid = cramfs_inode->uid;
++ inode->i_size = cramfs_inode->size;
++ inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1;
++ inode->i_blksize = PAGE_CACHE_SIZE;
++ inode->i_gid = cramfs_inode->gid;
++ /* Struct copy intentional */
++ inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime;
+ inode->i_ino = CRAMINO(cramfs_inode);
++ /* inode->i_nlink is left 1 - arguably wrong for directories,
++ but it's the best we can do without reading the directory
++ contents. 1 yields the right result in GNU find, even
++ without -noleaf option. */
++ if (S_ISREG(inode->i_mode)) {
++ inode->i_fop = &generic_ro_fops;
++ inode->i_data.a_ops = &cramfs_aops;
++ } else if (S_ISDIR(inode->i_mode)) {
++ inode->i_op = &cramfs_dir_inode_operations;
++ inode->i_fop = &cramfs_directory_operations;
++ } else if (S_ISLNK(inode->i_mode)) {
++ inode->i_op = &page_symlink_inode_operations;
++ inode->i_data.a_ops = &cramfs_aops;
++ } else {
++ inode->i_size = 0;
++ inode->i_blocks = 0;
++ init_special_inode(inode, inode->i_mode,
++ old_decode_dev(cramfs_inode->size));
++ }
+ return 0;
+ }
+
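Review bot: moving the entire field fill into `cramfs_iget5_set()` is what makes the `CRAMINO()` change safe: per the commit message, a concurrent lookup that hits the same inode number can run `cramfs_iget5_test()` before the inode leaves I_NEW, and it now sees `i_mode`, `i_uid` and `i_gid` already populated instead of zeros. That reasoning lives only in the message; a short comment at the top of the function would preserve it. Everything moved here is plain assignment, which is appropriate for a `set` callback of `iget5_locked()`, and it still relies on the static `zerotime` being zero-initialised, exactly as before.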
+@@ -77,37 +105,7 @@ static struct inode *get_cramfs_inode(st
+ struct inode *inode = iget5_locked(sb, CRAMINO(cramfs_inode),
+ cramfs_iget5_test, cramfs_iget5_set,
+ cramfs_inode);
+- static struct timespec zerotime;
+-
+ if (inode && (inode->i_state & I_NEW)) {
+- inode->i_mode = cramfs_inode->mode;
+- inode->i_uid = cramfs_inode->uid;
+- inode->i_size = cramfs_inode->size;
+- inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1;
+- inode->i_blksize = PAGE_CACHE_SIZE;
+- inode->i_gid = cramfs_inode->gid;
+- /* Struct copy intentional */
+- inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime;
+- inode->i_ino = CRAMINO(cramfs_inode);
+- /* inode->i_nlink is left 1 - arguably wrong for directories,
+- but it's the best we can do without reading the directory
+- contents. 1 yields the right result in GNU find, even
+- without -noleaf option. */
+- if (S_ISREG(inode->i_mode)) {
+- inode->i_fop = &generic_ro_fops;
+- inode->i_data.a_ops = &cramfs_aops;
+- } else if (S_ISDIR(inode->i_mode)) {
+- inode->i_op = &cramfs_dir_inode_operations;
+- inode->i_fop = &cramfs_directory_operations;
+- } else if (S_ISLNK(inode->i_mode)) {
+- inode->i_op = &page_symlink_inode_operations;
+- inode->i_data.a_ops = &cramfs_aops;
+- } else {
+- inode->i_size = 0;
+- inode->i_blocks = 0;
+- init_special_inode(inode, inode->i_mode,
+- old_decode_dev(cramfs_inode->size));
+- }
+ unlock_new_inode(inode);
+ }
+ return inode;
+
+From nobody Mon Sep 17 00:00:00 2001
+To: linux-kernel@vger.kernel.org, stable@kernel.org, Justin Forbes <jmforbes@linuxtx.org>, Zwane Mwaikambo <zwane@arm.linux.org.uk>, Theodore Ts'o <tytso@mit.edu>, Randy.Dunlap <rdunlap@xenotime.net>, Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk, viro@ftp.linux.org.uk, masouds@google.com
+Subject: [PATCH 08/08] Fix ext2 readdir f_pos re-validation logic
+Status: RO
+Content-Length: 3194
+Lines: 101
+
+From: Al Viro <viro@ftp.linux.org.uk>
+
+This fixes not one, but _two_, silly (but admittedly hard to hit) bugs
+in the ext2 filesystem "readdir()" function. It also cleans up the code
+to avoid the unnecessary goto mess.
+
+The bugs were related to re-validating the f_pos value after somebody had
+either done an "lseek()" on the directory to an invalid offset, or when
+the offset had become invalid due to a file being unlinked in the
+directory. The code would not only set the f_version too eagerly, it
+would also not update f_pos appropriately for when the offset fixup took
+place.
+
+When that happened, we'd occasionally subsequently fail the readdir()
+even when we shouldn't (no real harm done, but an ugly printk, and
+obviously you would end up not necessarily seeing all entries).
+
+Thanks to Masoud Sharbiani <masouds@google.com> who noticed the problem
+and had a test-case for it, and also fixed up a thinko in the first
+version of this patch.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Masoud Sharbiani <masouds@google.com>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ fs/ext2/dir.c | 28 ++++++++++++----------------
+ 1 file changed, 12 insertions(+), 16 deletions(-)
+
+2d7f2ea9c989853310c7f6e8be52cc090cc8e66b
+--- linux-2.6.15.6.orig/fs/ext2/dir.c
++++ linux-2.6.15.6/fs/ext2/dir.c
+@@ -256,11 +256,10 @@ ext2_readdir (struct file * filp, void *
+ unsigned long npages = dir_pages(inode);
+ unsigned chunk_mask = ~(ext2_chunk_size(inode)-1);
+ unsigned char *types = NULL;
+- int need_revalidate = (filp->f_version != inode->i_version);
+- int ret;
++ int need_revalidate = filp->f_version != inode->i_version;
+
+ if (pos > inode->i_size - EXT2_DIR_REC_LEN(1))
+- goto success;
++ return 0;
+
+ if (EXT2_HAS_INCOMPAT_FEATURE(sb, EXT2_FEATURE_INCOMPAT_FILETYPE))
+ types = ext2_filetype_table;
+@@ -275,12 +274,15 @@ ext2_readdir (struct file * filp, void *
+ "bad page in #%lu",
+ inode->i_ino);
+ filp->f_pos += PAGE_CACHE_SIZE - offset;
+- ret = -EIO;
+- goto done;
++ return -EIO;
+ }
+ kaddr = page_address(page);
+- if (need_revalidate) {
+- offset = ext2_validate_entry(kaddr, offset, chunk_mask);
++ if (unlikely(need_revalidate)) {
++ if (offset) {
++ offset = ext2_validate_entry(kaddr, offset, chunk_mask);
++ filp->f_pos = (n<<PAGE_CACHE_SHIFT) + offset;
++ }
++ filp->f_version = inode->i_version;
+ need_revalidate = 0;
+ }
+ de = (ext2_dirent *)(kaddr+offset);
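Review bot: this is the substantive fix: after `ext2_validate_entry()` moves `offset` to a real entry boundary, `filp->f_pos` is now rewritten to `(n<<PAGE_CACHE_SHIFT) + offset`, so the position the caller sees matches the entry actually returned, and `f_version` is refreshed here, at the moment the position is known to be good, rather than unconditionally at function exit. Two things the hunk does not show and the reviewer should confirm: that `n` is the page index of the enclosing loop so the shift reconstructs the right page-relative position, and that skipping validation for `offset == 0` is safe because offset 0 is always the start of a chunk. The `unlikely()` is reasonable since a stale `f_version` is the rare path.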
+@@ -289,9 +291,8 @@ ext2_readdir (struct file * filp, void *
+ if (de->rec_len == 0) {
+ ext2_error(sb, __FUNCTION__,
+ "zero-length directory entry");
+- ret = -EIO;
+ ext2_put_page(page);
+- goto done;
++ return -EIO;
+ }
+ if (de->inode) {
+ int over;
+@@ -306,19 +307,14 @@ ext2_readdir (struct file * filp, void *
+ le32_to_cpu(de->inode), d_type);
+ if (over) {
+ ext2_put_page(page);
+- goto success;
++ return 0;
+ }
+ }
+ filp->f_pos += le16_to_cpu(de->rec_len);
+ }
+ ext2_put_page(page);
+ }
+-
+-success:
+- ret = 0;
+-done:
+- filp->f_version = inode->i_version;
+- return ret;
++ return 0;
+ }
+
+ /*
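Review bot: deleting the `done:` label removes the `filp->f_version = inode->i_version` that ran on every exit, including the `-EIO` returns; that is intentional (the message calls the old update "too eager"), because after an error the position has not been validated and the next call must still revalidate. It is worth stating in a comment next to the new `f_version` assignment in the revalidate branch that it is now the only place the version is advanced, so nobody reintroduces an exit-time update.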
+
+From stable-bounces@linux.kernel.org Thu Mar 23 22:55:25 2006
+Date: Thu, 23 Mar 2006 22:54:18 -0800 (PST)
+To: linux-kernel@vger.kernel.org, stable@kernel.org, Justin Forbes <jmforbes@linuxtx.org>, Zwane Mwaikambo <zwane@arm.linux.org.uk>, Theodore Ts'o <tytso@mit.edu>, Randy.Dunlap <rdunlap@xenotime.net>, Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk, davem@davemloft.net
+Subject: [PATCH 07/08] NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated.
+Status: RO
+Content-Length: 879
+Lines: 30
+
+From: "David S. Miller" <davem@davemloft.net>
+
+The user can pass us arbitrary garbage so we should ensure the
+string they give us is null terminated before we pass it on
+to dev_get_by_index() et al.
+
+Found by Solar Designer.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ net/core/sock.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- linux-2.6.15.6.orig/net/core/sock.c
++++ linux-2.6.15.6/net/core/sock.c
+@@ -403,8 +403,9 @@ set_rcvbuf:
+ if (!valbool) {
+ sk->sk_bound_dev_if = 0;
+ } else {
+- if (optlen > IFNAMSIZ)
+- optlen = IFNAMSIZ;
++ if (optlen > IFNAMSIZ - 1)
++ optlen = IFNAMSIZ - 1;
++ memset(devname, 0, sizeof(devname));
+ if (copy_from_user(devname, optval, optlen)) {
+ ret = -EFAULT;
+ break;
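Review bot: capping `optlen` at `IFNAMSIZ - 1` and zeroing `devname` first guarantees a terminator even when the caller supplies exactly `IFNAMSIZ` bytes without one, which the old `IFNAMSIZ` cap did not; the `memset` over the whole buffer rather than a `devname[optlen] = 0` after the copy is the simpler choice given the `copy_from_user` failure path that follows. The overlong case is silently truncated rather than rejected, so a name longer than `IFNAMSIZ - 1` proceeds to the device lookup with a truncated string; if that is the intended behaviour a comment would help, otherwise returning -EINVAL for `optlen >= IFNAMSIZ` is the stricter alternative.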
+
+From stable-bounces@linux.kernel.org Wed Mar 22 14:36:39 2006
+Date: Wed, 22 Mar 2006 14:34:42 -0800 (PST)
+To: linux-kernel@vger.kernel.org, stable@kernel.org, Justin Forbes <jmforbes@linuxtx.org>, Zwane Mwaikambo <zwane@arm.linux.org.uk>, Theodore Ts'o <tytso@mit.edu>, Randy.Dunlap <rdunlap@xenotime.net>, Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk, davem@davemloft.net, kuznet@ms2.inr.ac.ru
+Subject: [PATCH 06/08] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242)
+Status: RO
+Content-Length: 1356
+Lines: 45
+
+From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+
+
+The problem is in ip_push_pending_frames(), which uses:
+
+ if (!df) {
+ __ip_select_ident(iph, &rt->u.dst, 0);
+ } else {
+ iph->id = htons(inet->id++);
+ }
+
+instead of ip_select_ident().
+
+Right now I think the code is a nonsense. Most likely, I copied it from
+old ip_build_xmit(), where it was really special, we had to decide
+whether to generate unique ID when generating the first (well, the last)
+fragment.
+
+In ip_push_pending_frames() it does not make sense, it should use plain
+ip_select_ident() instead.
+
+Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ net/ipv4/ip_output.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- linux-2.6.15.6.orig/net/ipv4/ip_output.c
++++ linux-2.6.15.6/net/ipv4/ip_output.c
+@@ -1237,11 +1237,7 @@ int ip_push_pending_frames(struct sock *
+ iph->tos = inet->tos;
+ iph->tot_len = htons(skb->len);
+ iph->frag_off = df;
+- if (!df) {
+- __ip_select_ident(iph, &rt->u.dst, 0);
+- } else {
+- iph->id = htons(inet->id++);
+- }
++ ip_select_ident(iph, &rt->u.dst, sk);
+ iph->ttl = ttl;
+ iph->protocol = sk->sk_protocol;
+ iph->saddr = rt->rt_src;
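Review bot: the replacement collapses the `df`-dependent branch into a single `ip_select_ident(iph, &rt->u.dst, sk)`, which is the helper the message says `ip_push_pending_frames()` should have used all along; it is keyed on the actual `sk`, so the shared `inet->id++` counter of the global `tcp_socket` (the RST path named in the subject, CVE-2006-1242) is no longer advanced from here. The hunk does not show `ip_select_ident()`, so the reviewer should confirm it still covers the DF case the removed `else` branch handled and that no other caller depended on `inet->id` being bumped at this point.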
+
+From stable-bounces@linux.kernel.org Mon Mar 20 19:35:28 2006
+Date: Mon, 20 Mar 2006 22:34:58 -0500
+To: linux-kernel@vger.kernel.org, stable@kernel.org, Justin Forbes <jmforbes@linuxtx.org>, Zwane Mwaikambo <zwane@arm.linux.org.uk>, Theodore Ts'o <tytso@mit.edu>, Randy.Dunlap <rdunlap@xenotime.net>, Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk, mkrufky@linuxtv.org, mchehab@infradead.org
+Subject: [PATCH 05/08] Kconfig: VIDEO_DECODER must select FW_LOADER
+Status: RO
+Content-Length: 853
+Lines: 24
+
+From: Michael Krufky <mkrufky@linuxtv.org>
+
+The cx25840 module requires external firmware in order to function,
+so it must select FW_LOADER, but saa7115 and saa7129 do not require it.
+
+Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
+Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ drivers/media/video/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.15.6.orig/drivers/media/video/Kconfig
++++ linux-2.6.15.6/drivers/media/video/Kconfig
+@@ -340,6 +340,7 @@ config VIDEO_AUDIO_DECODER
+ config VIDEO_DECODER
+ tristate "Add support for additional video chipsets"
+ depends on VIDEO_DEV && I2C && EXPERIMENTAL
++ select FW_LOADER
+ ---help---
+ Say Y here to compile drivers for SAA7115, SAA7127 and CX25840
+ video decoders.
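Review bot: `select FW_LOADER` is attached to `VIDEO_DECODER` as a whole, so enabling the option for the SAA7115/SAA7127 drivers also pulls in FW_LOADER even though, per the message, only cx25840 needs it; that is acceptable while the three drivers share one option, but a comment on the `select` line naming cx25840 as the reason would help. Also note the commit message says "saa7129" where the help text two lines below lists SAA7127, which looks like a typo in the message.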
+
--- /dev/null
+From gregkh@suse.de Fri Mar 24 20:08:52 2006
+Date: Fri, 24 Mar 2006 20:08:52 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org, stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>, Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org,
+ akpm@osdl.org, alan@lxorguk.ukuu.org.uk
+Subject: [00/08] 2.6.15.7 -stable review
+Message-ID: <20060325040852.GA16955@kroah.com>
+Mime-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+User-Agent: Mutt/1.5.11
+Status: RO
+Content-Length: 732
+
+This is the start of the stable review cycle for the 2.6.15.7 release.
+There are 8 patches in this series, all will be posted as a response to
+this one. If anyone has any issues with these being applied, please let
+us know. If anyone is a maintainer of the proper subsystem, and wants
+to add a signed-off-by: line to the patch, please respond with it.
+
+These patches are sent out with a number of different people on the Cc:
+line. If you wish to be a reviewer, please email stable@kernel.org to
+add your name to the list. If you want to be off the reviewer list,
+also email us.
+
+Responses should be made by Tuesday March 28 02:00:00 UTC. Anything
+received after that time, might be too late.
+
+thanks,
+
+the -stable release team
+
+From gregkh@suse.de Fri Mar 24 20:12:10 2006
+Date: Fri, 24 Mar 2006 20:12:10 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org, stable@kernel.org,
+ Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ "Randy.Dunlap" <rdunlap@xenotime.net>,
+ Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org,
+ akpm@osdl.org, alan@lxorguk.ukuu.org.uk, viro@ftp.linux.org.uk,
+ masouds@google.com
+Subject: [PATCH 08/08] Fix ext2 readdir f_pos re-validation logic
+Message-ID: <20060325041210.GI16955@kroah.com>
+Mime-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+In-Reply-To: <20060325040852.GA16955@kroah.com>
+User-Agent: Mutt/1.5.11
+Status: RO
+Content-Length: 3194
+
+From: Al Viro <viro@ftp.linux.org.uk>
+
+This fixes not one, but _two_, silly (but admittedly hard to hit) bugs
+in the ext2 filesystem "readdir()" function. It also cleans up the code
+to avoid the unnecessary goto mess.
+
+The bugs were related to re-validating the f_pos value after somebody had
+either done an "lseek()" on the directory to an invalid offset, or when
+the offset had become invalid due to a file being unlinked in the
+directory. The code would not only set the f_version too eagerly, it
+would also not update f_pos appropriately for when the offset fixup took
+place.
+
+When that happened, we'd occasionally subsequently fail the readdir()
+even when we shouldn't (no real harm done, but an ugly printk, and
+obviously you would end up not necessarily seeing all entries).
+
+Thanks to Masoud Sharbiani <masouds@google.com> who noticed the problem
+and had a test-case for it, and also fixed up a thinko in the first
+version of this patch.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Masoud Sharbiani <masouds@google.com>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ fs/ext2/dir.c | 28 ++++++++++++----------------
+ 1 file changed, 12 insertions(+), 16 deletions(-)
+
+2d7f2ea9c989853310c7f6e8be52cc090cc8e66b
+--- linux-2.6.15.6.orig/fs/ext2/dir.c
++++ linux-2.6.15.6/fs/ext2/dir.c
+@@ -256,11 +256,10 @@ ext2_readdir (struct file * filp, void *
+ unsigned long npages = dir_pages(inode);
+ unsigned chunk_mask = ~(ext2_chunk_size(inode)-1);
+ unsigned char *types = NULL;
+- int need_revalidate = (filp->f_version != inode->i_version);
+- int ret;
++ int need_revalidate = filp->f_version != inode->i_version;
+
+ if (pos > inode->i_size - EXT2_DIR_REC_LEN(1))
+- goto success;
++ return 0;
+
+ if (EXT2_HAS_INCOMPAT_FEATURE(sb, EXT2_FEATURE_INCOMPAT_FILETYPE))
+ types = ext2_filetype_table;
+@@ -275,12 +274,15 @@ ext2_readdir (struct file * filp, void *
+ "bad page in #%lu",
+ inode->i_ino);
+ filp->f_pos += PAGE_CACHE_SIZE - offset;
+- ret = -EIO;
+- goto done;
++ return -EIO;
+ }
+ kaddr = page_address(page);
+- if (need_revalidate) {
+- offset = ext2_validate_entry(kaddr, offset, chunk_mask);
++ if (unlikely(need_revalidate)) {
++ if (offset) {
++ offset = ext2_validate_entry(kaddr, offset, chunk_mask);
++ filp->f_pos = (n<<PAGE_CACHE_SHIFT) + offset;
++ }
++ filp->f_version = inode->i_version;
+ need_revalidate = 0;
+ }
+ de = (ext2_dirent *)(kaddr+offset);
+@@ -289,9 +291,8 @@ ext2_readdir (struct file * filp, void *
+ if (de->rec_len == 0) {
+ ext2_error(sb, __FUNCTION__,
+ "zero-length directory entry");
+- ret = -EIO;
+ ext2_put_page(page);
+- goto done;
++ return -EIO;
+ }
+ if (de->inode) {
+ int over;
+@@ -306,19 +307,14 @@ ext2_readdir (struct file * filp, void *
+ le32_to_cpu(de->inode), d_type);
+ if (over) {
+ ext2_put_page(page);
+- goto success;
++ return 0;
+ }
+ }
+ filp->f_pos += le16_to_cpu(de->rec_len);
+ }
+ ext2_put_page(page);
+ }
+-
+-success:
+- ret = 0;
+-done:
+- filp->f_version = inode->i_version;
+- return ret;
++ return 0;
+ }
+
+ /*
+
+From gregkh@suse.de Fri Mar 24 20:11:53 2006
+Date: Fri, 24 Mar 2006 20:11:53 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org, stable@kernel.org,
+ Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ "Randy.Dunlap" <rdunlap@xenotime.net>,
+ Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org,
+ akpm@osdl.org, alan@lxorguk.ukuu.org.uk, davem@davemloft.net
+Subject: [PATCH 07/08] NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated.
+Message-ID: <20060325041153.GH16955@kroah.com>
+Mime-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+In-Reply-To: <20060325040852.GA16955@kroah.com>
+User-Agent: Mutt/1.5.11
+Status: RO
+Content-Length: 879
+
+From: "David S. Miller" <davem@davemloft.net>
+
+The user can pass us arbitrary garbage so we should ensure the
+string they give us is null terminated before we pass it on
+to dev_get_by_index() et al.
+
+Found by Solar Designer.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ net/core/sock.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- linux-2.6.15.6.orig/net/core/sock.c
++++ linux-2.6.15.6/net/core/sock.c
+@@ -403,8 +403,9 @@ set_rcvbuf:
+ if (!valbool) {
+ sk->sk_bound_dev_if = 0;
+ } else {
+- if (optlen > IFNAMSIZ)
+- optlen = IFNAMSIZ;
++ if (optlen > IFNAMSIZ - 1)
++ optlen = IFNAMSIZ - 1;
++ memset(devname, 0, sizeof(devname));
+ if (copy_from_user(devname, optval, optlen)) {
+ ret = -EFAULT;
+ break;
+
+From gregkh@suse.de Fri Mar 24 20:11:32 2006
+Date: Fri, 24 Mar 2006 20:11:32 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org, stable@kernel.org,
+ Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ "Randy.Dunlap" <rdunlap@xenotime.net>,
+ Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org,
+ akpm@osdl.org, alan@lxorguk.ukuu.org.uk, davem@davemloft.net,
+ kuznet@ms2.inr.ac.ru
+Subject: [PATCH 06/08] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242)
+Message-ID: <20060325041132.GG16955@kroah.com>
+Mime-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+In-Reply-To: <20060325040852.GA16955@kroah.com>
+User-Agent: Mutt/1.5.11
+Status: RO
+Content-Length: 1356
+
+From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+
+
+The problem is in ip_push_pending_frames(), which uses:
+
+ if (!df) {
+ __ip_select_ident(iph, &rt->u.dst, 0);
+ } else {
+ iph->id = htons(inet->id++);
+ }
+
+instead of ip_select_ident().
+
+Right now I think the code is a nonsense. Most likely, I copied it from
+old ip_build_xmit(), where it was really special, we had to decide
+whether to generate unique ID when generating the first (well, the last)
+fragment.
+
+In ip_push_pending_frames() it does not make sense, it should use plain
+ip_select_ident() instead.
+
+Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ net/ipv4/ip_output.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- linux-2.6.15.6.orig/net/ipv4/ip_output.c
++++ linux-2.6.15.6/net/ipv4/ip_output.c
+@@ -1237,11 +1237,7 @@ int ip_push_pending_frames(struct sock *
+ iph->tos = inet->tos;
+ iph->tot_len = htons(skb->len);
+ iph->frag_off = df;
+- if (!df) {
+- __ip_select_ident(iph, &rt->u.dst, 0);
+- } else {
+- iph->id = htons(inet->id++);
+- }
++ ip_select_ident(iph, &rt->u.dst, sk);
+ iph->ttl = ttl;
+ iph->protocol = sk->sk_protocol;
+ iph->saddr = rt->rt_src;
+
+From gregkh@suse.de Fri Mar 24 20:11:18 2006
+Date: Fri, 24 Mar 2006 20:11:18 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org, stable@kernel.org,
+ Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ "Randy.Dunlap" <rdunlap@xenotime.net>,
+ Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org,
+ akpm@osdl.org, alan@lxorguk.ukuu.org.uk, mkrufky@linuxtv.org,
+ mchehab@infradead.org
+Subject: [PATCH 05/08] Kconfig: VIDEO_DECODER must select FW_LOADER
+Message-ID: <20060325041118.GF16955@kroah.com>
+Mime-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+In-Reply-To: <20060325040852.GA16955@kroah.com>
+User-Agent: Mutt/1.5.11
+Status: RO
+Content-Length: 853
+
+From: Michael Krufky <mkrufky@linuxtv.org>
+
+The cx25840 module requires external firmware in order to function,
+so it must select FW_LOADER, but saa7115 and saa7129 do not require it.
+
+Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
+Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ drivers/media/video/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.15.6.orig/drivers/media/video/Kconfig
++++ linux-2.6.15.6/drivers/media/video/Kconfig
+@@ -340,6 +340,7 @@ config VIDEO_AUDIO_DECODER
+ config VIDEO_DECODER
+ tristate "Add support for additional video chipsets"
+ depends on VIDEO_DEV && I2C && EXPERIMENTAL
++ select FW_LOADER
+ ---help---
+ Say Y here to compile drivers for SAA7115, SAA7127 and CX25840
+ video decoders.
+
+From gregkh@suse.de Fri Mar 24 20:10:38 2006
+Date: Fri, 24 Mar 2006 20:10:38 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org, stable@kernel.org,
+ djohnson@sw.starentnetworks.com,
+ djohnson+linux-kernel@sw.starentnetworks.com, olh@suse.de,
+ mason@suse.com, agruen@suse.de,
+ Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ "Randy.Dunlap" <rdunlap@xenotime.net>,
+ Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org,
+ akpm@osdl.org, alan@lxorguk.ukuu.org.uk
+Subject: [PATCH 04/08] cramfs mounts provide corrupted content since 2.6.15
+Message-ID: <20060325041038.GE16955@kroah.com>
+Mime-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+In-Reply-To: <20060325040852.GA16955@kroah.com>
+User-Agent: Mutt/1.5.11
+Status: RO
+Content-Length: 4080
+
+From: Dave Johnson <djohnson@sw.starentnetworks.com>
+
+Fix handling of cramfs images created by util-linux containing empty
+regular files. Images created by cramfstools 1.x were ok.
+
+Fill out inode contents in cramfs_iget5_set() instead of get_cramfs_inode()
+to prevent issues if cramfs_iget5_test() is called with I_LOCK|I_NEW still
+set.
+
+Signed-off-by: Dave Johnson <djohnson+linux-kernel@sw.starentnetworks.com>
+Cc: Olaf Hering <olh@suse.de>
+Cc: Chris Mason <mason@suse.com>
+Cc: Andreas Gruenbacher <agruen@suse.de>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ fs/cramfs/inode.c | 60 ++++++++++++++++++++++++++----------------------------
+ 1 file changed, 29 insertions(+), 31 deletions(-)
+
+ff3aea0e68bfd46120ce2d08bc1f8240fa2bd36a
+--- linux-2.6.15.6.orig/fs/cramfs/inode.c
++++ linux-2.6.15.6/fs/cramfs/inode.c
+@@ -36,7 +36,7 @@ static DECLARE_MUTEX(read_mutex);
+
+ /* These two macros may change in future, to provide better st_ino
+ semantics. */
+-#define CRAMINO(x) ((x)->offset?(x)->offset<<2:1)
++#define CRAMINO(x) (((x)->offset && (x)->size)?(x)->offset<<2:1)
+ #define OFFSET(x) ((x)->i_ino)
+
+
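Review bot: with the added `&& (x)->size` term, every zero-size entry now maps to st_ino 1 alongside entries whose offset is 0, so all empty regular files in an image share one inode number; that is the intended fix for util-linux images, but the comment above the macro ("may change in future, to provide better st_ino semantics") should say so explicitly, since the collapse is what makes the iget5 set/test callbacks the place where a half-initialised inode could otherwise be observed. The macro also evaluates `x` three times now, so callers must keep passing a plain pointer rather than an expression with side effects.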
+@@ -66,8 +66,36 @@ static int cramfs_iget5_test(struct inod
+
+ static int cramfs_iget5_set(struct inode *inode, void *opaque)
+ {
++ static struct timespec zerotime;
+ struct cramfs_inode *cramfs_inode = opaque;
++ inode->i_mode = cramfs_inode->mode;
++ inode->i_uid = cramfs_inode->uid;
++ inode->i_size = cramfs_inode->size;
++ inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1;
++ inode->i_blksize = PAGE_CACHE_SIZE;
++ inode->i_gid = cramfs_inode->gid;
++ /* Struct copy intentional */
++ inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime;
+ inode->i_ino = CRAMINO(cramfs_inode);
++ /* inode->i_nlink is left 1 - arguably wrong for directories,
++ but it's the best we can do without reading the directory
++ contents. 1 yields the right result in GNU find, even
++ without -noleaf option. */
++ if (S_ISREG(inode->i_mode)) {
++ inode->i_fop = &generic_ro_fops;
++ inode->i_data.a_ops = &cramfs_aops;
++ } else if (S_ISDIR(inode->i_mode)) {
++ inode->i_op = &cramfs_dir_inode_operations;
++ inode->i_fop = &cramfs_directory_operations;
++ } else if (S_ISLNK(inode->i_mode)) {
++ inode->i_op = &page_symlink_inode_operations;
++ inode->i_data.a_ops = &cramfs_aops;
++ } else {
++ inode->i_size = 0;
++ inode->i_blocks = 0;
++ init_special_inode(inode, inode->i_mode,
++ old_decode_dev(cramfs_inode->size));
++ }
+ return 0;
+ }
+
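Review bot: cramfs_iget5_set now performs the complete initialisation inside the iget5_locked set callback, i.e. before the new inode is visible to a concurrent cramfs_iget5_test, which is exactly what the changelog needs; a short comment on the function stating that it runs as the iget5 set callback and must therefore stay limited to field assignments (no I/O, no sleeping) would protect that property, especially since the retained i_nlink comment already describes the temptation to read directory contents here. Moving `static struct timespec zerotime` in is fine as it is never written, and the `else` branch correctly zeroes i_size and i_blocks after the generic assignments above it.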
+@@ -77,37 +105,7 @@ static struct inode *get_cramfs_inode(st
+ struct inode *inode = iget5_locked(sb, CRAMINO(cramfs_inode),
+ cramfs_iget5_test, cramfs_iget5_set,
+ cramfs_inode);
+- static struct timespec zerotime;
+-
+ if (inode && (inode->i_state & I_NEW)) {
+- inode->i_mode = cramfs_inode->mode;
+- inode->i_uid = cramfs_inode->uid;
+- inode->i_size = cramfs_inode->size;
+- inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1;
+- inode->i_blksize = PAGE_CACHE_SIZE;
+- inode->i_gid = cramfs_inode->gid;
+- /* Struct copy intentional */
+- inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime;
+- inode->i_ino = CRAMINO(cramfs_inode);
+- /* inode->i_nlink is left 1 - arguably wrong for directories,
+- but it's the best we can do without reading the directory
+- contents. 1 yields the right result in GNU find, even
+- without -noleaf option. */
+- if (S_ISREG(inode->i_mode)) {
+- inode->i_fop = &generic_ro_fops;
+- inode->i_data.a_ops = &cramfs_aops;
+- } else if (S_ISDIR(inode->i_mode)) {
+- inode->i_op = &cramfs_dir_inode_operations;
+- inode->i_fop = &cramfs_directory_operations;
+- } else if (S_ISLNK(inode->i_mode)) {
+- inode->i_op = &page_symlink_inode_operations;
+- inode->i_data.a_ops = &cramfs_aops;
+- } else {
+- inode->i_size = 0;
+- inode->i_blocks = 0;
+- init_special_inode(inode, inode->i_mode,
+- old_decode_dev(cramfs_inode->size));
+- }
+ unlock_new_inode(inode);
+ }
+ return inode;
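Review bot: the removed block also carried a second, redundant `inode->i_ino = CRAMINO(cramfs_inode)` after cramfs_iget5_set had already set it, so this is a cleanup as well as the fix; what remains is the minimal unlock path for I_NEW inodes. The `if (inode && ...)` still lets a NULL from iget5_locked (allocation failure) fall through to `return inode`, so every caller of get_cramfs_inode must keep its NULL check, which is worth stating in a comment since the function body is now small enough to look trivial.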
+
+From gregkh@suse.de Fri Mar 24 20:10:20 2006
+Date: Fri, 24 Mar 2006 20:10:20 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org, stable@kernel.org, davem@davemloft.net,
+ rdunlap@xenotime.net, Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org,
+ akpm@osdl.org, alan@lxorguk.ukuu.org.uk
+Subject: [PATCH 03/08] NET: compat ifconf: fix limits
+Message-ID: <20060325041020.GD16955@kroah.com>
+Mime-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+In-Reply-To: <20060325040852.GA16955@kroah.com>
+User-Agent: Mutt/1.5.11
+Status: RO
+Content-Length: 1318
+
+From: Randy Dunlap <rdunlap@xenotime.net>
+
+A recent change to compat. dev_ifconf() in fs/compat_ioctl.c
+causes ifconf data to be truncated 1 entry too early when copying it
+to userspace. The correct amount of data (length) is returned,
+but the final entry is empty (zero, not filled in).
+The for-loop 'i' check should use <= to allow the final struct
+ifreq32 to be copied. I also used the ifconf-corruption program
+in kernel bugzilla #4746 to make sure that this change does not
+re-introduce the corruption.
+
+Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ fs/compat_ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.15.6.orig/fs/compat_ioctl.c
++++ linux-2.6.15.6/fs/compat_ioctl.c
+@@ -687,7 +687,7 @@ static int dev_ifconf(unsigned int fd, u
+ ifr = ifc.ifc_req;
+ ifr32 = compat_ptr(ifc32.ifcbuf);
+ for (i = 0, j = 0;
+- i + sizeof (struct ifreq32) < ifc32.ifc_len && j < ifc.ifc_len;
++ i + sizeof (struct ifreq32) <= ifc32.ifc_len && j < ifc.ifc_len;
+ i += sizeof (struct ifreq32), j += sizeof (struct ifreq)) {
+ if (copy_in_user(ifr32, ifr, sizeof (struct ifreq32)))
+ return -EFAULT;
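Review bot: `<=` is the right bound for the user buffer: when `i` is at the start of the last slot, `i + sizeof (struct ifreq32)` equals ifc32.ifc_len exactly, which the old `<` rejected and which produced the empty final entry described in the changelog. The kernel-side `j < ifc.ifc_len` deliberately stays strict because `j` is the offset of the next whole struct ifreq in a buffer the kernel filled itself, so it should not be changed to match; a one-line comment explaining why the two bounds differ would stop a later reader from "harmonising" them and reintroducing the off-by-one in the other direction.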
+
+From gregkh@suse.de Fri Mar 24 20:10:01 2006
+Date: Fri, 24 Mar 2006 20:10:01 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org, stable@kernel.org, davem@davemloft.net,
+ tgraf@suug.ch, Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ "Randy.Dunlap" <rdunlap@xenotime.net>,
+ Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org,
+ akpm@osdl.org, alan@lxorguk.ukuu.org.uk
+Subject: [PATCH 02/08] Netfilter ip_queue: Fix wrong skb->len == nlmsg_len assumption
+Message-ID: <20060325041001.GC16955@kroah.com>
+Mime-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+In-Reply-To: <20060325040852.GA16955@kroah.com>
+User-Agent: Mutt/1.5.11
+Status: RO
+Content-Length: 1539
+
+From: "David S. Miller" <davem@davemloft.net>
+
+The size of the skb carrying the netlink message is not
+equivalent to the length of the actual netlink message
+due to padding. ip_queue matches the length of the payload
+against the original packet size to determine if packet
+mangling is desired; due to the above wrong assumption
+arbitrary packets may not be mangled depending on their
+original size.
+
+Signed-off-by: Thomas Graf <tgraf@suug.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ net/ipv4/netfilter/ip_queue.c | 2 +-
+ net/ipv6/netfilter/ip6_queue.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.15.6.orig/net/ipv4/netfilter/ip_queue.c
++++ linux-2.6.15.6/net/ipv4/netfilter/ip_queue.c
+@@ -524,7 +524,7 @@ ipq_rcv_skb(struct sk_buff *skb)
+ write_unlock_bh(&queue_lock);
+
+ status = ipq_receive_peer(NLMSG_DATA(nlh), type,
+- skblen - NLMSG_LENGTH(0));
++ nlmsglen - NLMSG_LENGTH(0));
+ if (status < 0)
+ RCV_SKB_FAIL(status);
+
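Review bot: passing `nlmsglen - NLMSG_LENGTH(0)` instead of `skblen - NLMSG_LENGTH(0)` is the correct payload length, since skb padding must not be counted as packet data; this hunk relies on `nlmsglen` having already been validated earlier in ipq_rcv_skb (at least NLMSG_LENGTH(0) and no larger than the skb) before the subtraction, because both operands are unsigned and an unchecked short header would otherwise yield an oversized length for ipq_receive_peer. That validation is outside the hunk, so it should be confirmed, and a comment at the call site naming the invariant would help.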
+--- linux-2.6.15.6.orig/net/ipv6/netfilter/ip6_queue.c
++++ linux-2.6.15.6/net/ipv6/netfilter/ip6_queue.c
+@@ -522,7 +522,7 @@ ipq_rcv_skb(struct sk_buff *skb)
+ write_unlock_bh(&queue_lock);
+
+ status = ipq_receive_peer(NLMSG_DATA(nlh), type,
+- skblen - NLMSG_LENGTH(0));
++ nlmsglen - NLMSG_LENGTH(0));
+ if (status < 0)
+ RCV_SKB_FAIL(status);
+
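Review bot: this is the same one-line change as in the ipv4 copy above and needs the same prior validation of `nlmsglen` against the skb length before the subtraction; since ip_queue.c and ip6_queue.c carry duplicated receive paths, it is good that both files are fixed in one patch, and any future length-check change must likewise be applied to both or the two will silently drift apart.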
+
+From gregkh@suse.de Fri Mar 24 20:09:31 2006
+Date: Fri, 24 Mar 2006 20:09:31 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org, stable@kernel.org, rolandd@cisco.com,
+ Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ "Randy.Dunlap" <rdunlap@xenotime.net>,
+ Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org,
+ akpm@osdl.org, alan@lxorguk.ukuu.org.uk
+Subject: [PATCH 01/08] IB/srp: Don't send task management commands after target removal
+Message-ID: <20060325040931.GB16955@kroah.com>
+Mime-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+In-Reply-To: <20060325040852.GA16955@kroah.com>
+User-Agent: Mutt/1.5.11
+Status: RO
+Content-Length: 949
+
+From: Roland Dreier <rdreier@cisco.com>
+
+Just fail abort and reset requests that come in after we've already
+decided to remove a target. This fixes a nasty crash if a storage
+target goes away.
+
+Signed-off-by: Roland Dreier <rolandd@cisco.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+This is upstream in Linus's tree as 1285b3a0b0aa2391ac6f6939e6737203c8220f68
+
+ drivers/infiniband/ulp/srp/ib_srp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- linux-2.6.15.6.orig/drivers/infiniband/ulp/srp/ib_srp.c
++++ linux-2.6.15.6/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -1154,6 +1154,12 @@ static int srp_send_tsk_mgmt(struct scsi
+
+ spin_lock_irq(target->scsi_host->host_lock);
+
++ if (target->state == SRP_TARGET_DEAD ||
++ target->state == SRP_TARGET_REMOVED) {
++ scmnd->result = DID_BAD_TARGET << 16;
++ goto out;
++ }
++
+ if (scmnd->host_scribble == (void *) -1L)
+ goto out;
+
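Review bot: the new state check is placed after `spin_lock_irq(target->scsi_host->host_lock)` and jumps to `out`, so it depends on the `out` label (outside this hunk) releasing host_lock and returning a status the SCSI midlayer treats as failure, which is what the changelog promises; that should be confirmed, and a short comment at the check (target already dead or removed, fail the task management request without touching the connection) would document that setting `DID_BAD_TARGET << 16` here is deliberate, unlike the existing `host_scribble == -1L` path that jumps to `out` without setting a result. Checking both SRP_TARGET_DEAD and SRP_TARGET_REMOVED is right, since a target can be observed in either state while removal is in progress.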
+