--- /dev/null
+From bb9ba31ca3b88fd396e38950d1caedf2f83521c6 Mon Sep 17 00:00:00 2001
+From: Joerg Dorchain <joerg@dorchain.net>
+Date: Tue, 6 Mar 2007 02:46:54 -0800
+Subject: [SCSI] gdth: fix oops in gdth_copy_cmd()
+
+Recent alterations to the gdth_fill_raw_cmd() path no longer set the
+sg_ranz field for zero transfer commands. However, this field is used
+lower down in the function to initialise ha->cmd_len to the size of
+the firmware packet. If this uninitialised field contains a bogus
+value, ha->cmd_len can become much larger than the actual firmware
+packet and end up oopsing in gdth_copy_cmd() as it tries to copy this
+huge packet to the device (usually because it runs into an unallocated
+page).
+
+The fix is to initialise the sg_ranz field to zero at the start of
+gdth_fill_raw_cmd().
+
+Signed-off-by: Joerg Dorchain <joerg@dorchain.net>
+Acked-by: "Leubner, Achim" <Achim_Leubner@adaptec.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/gdth.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/gdth.c
++++ b/drivers/scsi/gdth.c
+@@ -3092,6 +3092,7 @@ static int gdth_fill_raw_cmd(int hanum,S
+ cmdp->u.raw64.direction =
+ gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
+ memcpy(cmdp->u.raw64.cmd,scp->cmnd,16);
++ cmdp->u.raw64.sg_ranz = 0;
+ } else {
+ cmdp->u.raw.reserved = 0;
+ cmdp->u.raw.mdisc_time = 0;
+@@ -3108,6 +3109,7 @@ static int gdth_fill_raw_cmd(int hanum,S
+ cmdp->u.raw.direction =
+ gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
+ memcpy(cmdp->u.raw.cmd,scp->cmnd,12);
++ cmdp->u.raw.sg_ranz = 0;
+ }
+
+ if (scp->use_sg) {
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 13 11:05:30 2007
+From: Jan Beulich <jbeulich@novell.com>
+Date: Tue, 13 Mar 2007 14:04:11 -0400
+Subject: adjust legacy IDE resource setting (v2)
+To: linux-stable <stable@kernel.org>
+Message-ID: <45F6E79B.1010208@redhat.com>
+
+From: Jan Beulich <jbeulich@novell.com>
+
+adjust legacy IDE resource setting (v2)
+
+The change to force legacy mode IDE channels' resources to fixed non-zero
+values confuses (at least some versions of) X, because the values reported
+by the kernel and those readable from PCI config space aren't consistent
+anymore. Therefore, this patch arranges for the respective BARs to also
+get updated if possible.
+
+Signed-off-by: Jan Beulich <jbeulich@novell.com>
+Acked-by: Alan Cox <alan@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/probe.c | 45 ++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 32 insertions(+), 13 deletions(-)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -639,7 +639,34 @@ static void pci_read_irq(struct pci_dev
+ dev->irq = irq;
+ }
+
+-#define LEGACY_IO_RESOURCE (IORESOURCE_IO | IORESOURCE_PCI_FIXED)
++static void change_legacy_io_resource(struct pci_dev * dev, unsigned index,
++ unsigned start, unsigned end)
++{
++ unsigned base = start & PCI_BASE_ADDRESS_IO_MASK;
++ unsigned len = (end | ~PCI_BASE_ADDRESS_IO_MASK) - base + 1;
++
++ /*
++ * Some X versions get confused when the BARs reported through
++ * /sys or /proc differ from those seen in config space, thus
++ * try to update the config space values, too.
++ */
++ if (!(pci_resource_flags(dev, index) & IORESOURCE_IO))
++ printk(KERN_WARNING "%s: cannot adjust BAR%u (not I/O)\n",
++ pci_name(dev), index);
++ else if (pci_resource_len(dev, index) != len)
++ printk(KERN_WARNING "%s: cannot adjust BAR%u (size %04X)\n",
++ pci_name(dev), index, (unsigned)pci_resource_len(dev, index));
++ else {
++ printk(KERN_INFO "%s: trying to change BAR%u from %04X to %04X\n",
++ pci_name(dev), index,
++ (unsigned)pci_resource_start(dev, index), base);
++ pci_write_config_dword(dev, PCI_BASE_ADDRESS_0 + index * 4, base);
++ }
++ pci_resource_start(dev, index) = start;
++ pci_resource_end(dev, index) = end;
++ pci_resource_flags(dev, index) =
++ IORESOURCE_IO | IORESOURCE_PCI_FIXED | PCI_BASE_ADDRESS_SPACE_IO;
++}
+
+ /**
+ * pci_setup_device - fill in class and map information of a device
+@@ -692,20 +719,12 @@ static int pci_setup_device(struct pci_d
+ u8 progif;
+ pci_read_config_byte(dev, PCI_CLASS_PROG, &progif);
+ if ((progif & 1) == 0) {
+- dev->resource[0].start = 0x1F0;
+- dev->resource[0].end = 0x1F7;
+- dev->resource[0].flags = LEGACY_IO_RESOURCE;
+- dev->resource[1].start = 0x3F6;
+- dev->resource[1].end = 0x3F6;
+- dev->resource[1].flags = LEGACY_IO_RESOURCE;
++ change_legacy_io_resource(dev, 0, 0x1F0, 0x1F7);
++ change_legacy_io_resource(dev, 1, 0x3F6, 0x3F6);
+ }
+ if ((progif & 4) == 0) {
+- dev->resource[2].start = 0x170;
+- dev->resource[2].end = 0x177;
+- dev->resource[2].flags = LEGACY_IO_RESOURCE;
+- dev->resource[3].start = 0x376;
+- dev->resource[3].end = 0x376;
+- dev->resource[3].flags = LEGACY_IO_RESOURCE;
++ change_legacy_io_resource(dev, 2, 0x170, 0x177);
++ change_legacy_io_resource(dev, 3, 0x376, 0x376);
+ }
+ }
+ break;
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Mar 9 23:05:14 2007
+From: Olaf Kirch <olaf.kirch@oracle.com>
+Date: Fri, 09 Mar 2007 23:03:53 -0800 (PST)
+Subject: Fix another NULL pointer deref in ipv6_sockglue.c
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070309.230353.71089669.davem@davemloft.net>
+
+From: Olaf Kirch <olaf.kirch@oracle.com>
+
+[IPV6]: Fix for ipv6_setsockopt NULL dereference
+
+I came across this bug in http://bugzilla.kernel.org/show_bug.cgi?id=8155
+
+Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -414,7 +414,7 @@ static int do_ipv6_setsockopt(struct soc
+ }
+
+ /* routing header option needs extra check */
+- if (optname == IPV6_RTHDR && opt->srcrt) {
++ if (optname == IPV6_RTHDR && opt && opt->srcrt) {
+ struct ipv6_rt_hdr *rthdr = opt->srcrt;
+ switch (rthdr->type) {
+ case IPV6_SRCRT_TYPE_0:
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Mar 9 23:06:07 2007
+From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+Date: Fri, 09 Mar 2007 23:04:42 -0800 (PST)
+Subject: Fix rtm_to_ifaddr() error return.
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070309.230442.104034976.davem@davemloft.net>
+
+
+From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+
+[IPV4]: Fix rtm_to_ifaddr() error handling.
+
+Return negative error value (embedded in the pointer) instead of
+returning NULL.
+
+Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/devinet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -503,8 +503,10 @@ static struct in_ifaddr *rtm_to_ifaddr(s
+ goto errout;
+
+ ifm = nlmsg_data(nlh);
+- if (ifm->ifa_prefixlen > 32 || tb[IFA_LOCAL] == NULL)
++ if (ifm->ifa_prefixlen > 32 || tb[IFA_LOCAL] == NULL) {
++ err = -EINVAL;
+ goto errout;
++ }
+
+ dev = __dev_get_by_index(ifm->ifa_index);
+ if (dev == NULL) {
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Mar 9 23:07:24 2007
+From: Chris Wright <chrisw@sous-sol.org>
+Date: Fri, 09 Mar 2007 23:05:59 -0800 (PST)
+Subject: Fix user copy length in ipv6_sockglue.c
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070309.230559.78709619.davem@davemloft.net>
+
+From: Chris Wright <chrisw@sous-sol.org>
+
+[IPV6] fix ipv6_getsockopt_sticky copy_to_user leak
+
+User supplied len < 0 can cause leak of kernel memory.
+Use unsigned compare instead.
+
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -805,7 +805,7 @@ static int ipv6_getsockopt_sticky(struct
+ return 0;
+ hdr = opt->hopopt;
+
+- len = min_t(int, len, ipv6_optlen(hdr));
++ len = min_t(unsigned int, len, ipv6_optlen(hdr));
+ if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
+ return -EFAULT;
+ return len;
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 13 11:01:59 2007
+From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Date: Tue, 13 Mar 2007 14:00:39 -0400
+Subject: IA64: fix NULL pointer in ia64/irq_chip-mask/unmask function
+To: linux-stable <stable@kernel.org>
+Message-ID: <45F6E6C7.6070306@redhat.com>
+
+From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+
+[IA64] fix NULL pointer in ia64/irq_chip-mask/unmask function
+
+This patch fixes boot failure because irq_desc->mask() is NULL.
+
+- Added mask/unmask functions to ia64's irq desc function table.
+- rename hw_interrupt_type to irq_chip. hw_interrupt_type is old name.
+- Tony: Added same change to arch/ia64/sn/kernel/irq.c as pointed out
+ by Eric Biederman ... mask/unmask functions there can be no-op.
+
+Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/ia64/kernel/iosapic.c | 8 ++++++--
+ arch/ia64/sn/kernel/irq.c | 14 +++++++++++++-
+ 2 files changed, 19 insertions(+), 3 deletions(-)
+
+--- a/arch/ia64/kernel/iosapic.c
++++ b/arch/ia64/kernel/iosapic.c
+@@ -446,7 +446,7 @@ iosapic_end_level_irq (unsigned int irq)
+ #define iosapic_disable_level_irq mask_irq
+ #define iosapic_ack_level_irq nop
+
+-struct hw_interrupt_type irq_type_iosapic_level = {
++struct irq_chip irq_type_iosapic_level = {
+ .name = "IO-SAPIC-level",
+ .startup = iosapic_startup_level_irq,
+ .shutdown = iosapic_shutdown_level_irq,
+@@ -454,6 +454,8 @@ struct hw_interrupt_type irq_type_iosapi
+ .disable = iosapic_disable_level_irq,
+ .ack = iosapic_ack_level_irq,
+ .end = iosapic_end_level_irq,
++ .mask = mask_irq,
++ .unmask = unmask_irq,
+ .set_affinity = iosapic_set_affinity
+ };
+
+@@ -493,7 +495,7 @@ iosapic_ack_edge_irq (unsigned int irq)
+ #define iosapic_disable_edge_irq nop
+ #define iosapic_end_edge_irq nop
+
+-struct hw_interrupt_type irq_type_iosapic_edge = {
++struct irq_chip irq_type_iosapic_edge = {
+ .name = "IO-SAPIC-edge",
+ .startup = iosapic_startup_edge_irq,
+ .shutdown = iosapic_disable_edge_irq,
+@@ -501,6 +503,8 @@ struct hw_interrupt_type irq_type_iosapi
+ .disable = iosapic_disable_edge_irq,
+ .ack = iosapic_ack_edge_irq,
+ .end = iosapic_end_edge_irq,
++ .mask = mask_irq,
++ .unmask = unmask_irq,
+ .set_affinity = iosapic_set_affinity
+ };
+
+--- a/arch/ia64/sn/kernel/irq.c
++++ b/arch/ia64/sn/kernel/irq.c
+@@ -205,7 +205,17 @@ static void sn_set_affinity_irq(unsigned
+ (void)sn_retarget_vector(sn_irq_info, nasid, slice);
+ }
+
+-struct hw_interrupt_type irq_type_sn = {
++static void
++sn_mask_irq(unsigned int irq)
++{
++}
++
++static void
++sn_unmask_irq(unsigned int irq)
++{
++}
++
++struct irq_chip irq_type_sn = {
+ .name = "SN hub",
+ .startup = sn_startup_irq,
+ .shutdown = sn_shutdown_irq,
+@@ -213,6 +223,8 @@ struct hw_interrupt_type irq_type_sn = {
+ .disable = sn_disable_irq,
+ .ack = sn_ack_irq,
+ .end = sn_end_irq,
++ .mask = sn_mask_irq,
++ .unmask = sn_unmask_irq,
+ .set_affinity = sn_set_affinity_irq
+ };
+
--- /dev/null
+From kaber@trash.net Tue Mar 13 08:41:53 2007
+From: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+Date: Tue, 13 Mar 2007 16:45:26 +0100
+Subject: NETFILTER: nfnetlink_log: fix reference counting
+To: Greg KH <greg@kroah.com>
+Message-ID: <45F6C716.4070104@trash.net>
+
+From: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+
+[NETFILTER]: nfnetlink_log: fix reference counting
+
+Fix reference counting (memory leak) problem in __nfulnl_send() and callers
+related to packet queueing.
+
+Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nfnetlink_log.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -218,10 +218,8 @@ _instance_destroy2(struct nfulnl_instanc
+ spin_lock_bh(&inst->lock);
+ if (inst->skb) {
+ /* timer "holds" one reference (we have one more) */
+- if (timer_pending(&inst->timer)) {
+- del_timer(&inst->timer);
++ if (del_timer(&inst->timer))
+ instance_put(inst);
+- }
+ if (inst->qlen)
+ __nfulnl_send(inst);
+ if (inst->skb) {
+@@ -695,10 +693,8 @@ nfulnl_log_packet(unsigned int pf,
+ UDEBUG("flushing old skb\n");
+
+ /* timer "holds" one reference (we have another one) */
+- if (timer_pending(&inst->timer)) {
+- del_timer(&inst->timer);
++ if (del_timer(&inst->timer))
+ instance_put(inst);
+- }
+ __nfulnl_send(inst);
+
+ if (!(inst->skb = nfulnl_alloc_skb(nlbufsiz, size))) {
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Mar 12 06:36:59 2007
+From: "Paul Moore" <paul.moore@hp.com>
+Date: Mon, 12 Mar 2007 09:33:12 -0500
+Subject: NetLabel: Verify sensitivity level has a valid CIPSO mapping
+To: stable@kernel.org
+Message-ID: <20070228200140.491071752@hp.com>
+Content-Disposition: inline; filename=netlabel-cipso_std_bug
+
+The current CIPSO engine has a problem where it does not verify that the given
+sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI type is
+used. The end result is that bad packets are sent on the wire which should
+have never been sent in the first place. This patch corrects this problem by
+verifying the sensitivity level mapping similar to what is done with the
+category mapping. This patch also changes the returned error code in this case
+to -EPERM to better match what the category mapping verification code returns.
+
+Signed-off-by: Paul Moore <paul.moore@hp.com>
+Acked-by: James Morris <jmorris@namei.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ net/ipv4/cipso_ipv4.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -732,11 +732,12 @@ static int cipso_v4_map_lvl_hton(const s
+ *net_lvl = host_lvl;
+ return 0;
+ case CIPSO_V4_MAP_STD:
+- if (host_lvl < doi_def->map.std->lvl.local_size) {
++ if (host_lvl < doi_def->map.std->lvl.local_size &&
++ doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL) {
+ *net_lvl = doi_def->map.std->lvl.local[host_lvl];
+ return 0;
+ }
+- break;
++ return -EPERM;
+ }
+
+ return -EINVAL;
+@@ -771,7 +772,7 @@ static int cipso_v4_map_lvl_ntoh(const s
+ *host_lvl = doi_def->map.std->lvl.cipso[net_lvl];
+ return 0;
+ }
+- break;
++ return -EPERM;
+ }
+
+ return -EINVAL;
--- /dev/null
+fix-another-null-pointer-deref-in-ipv6_sockglue.c.patch
+fix-rtm_to_ifaddr-error-return.patch
+fix-user-copy-length-in-ipv6_sockglue.c.patch
+SCSI-gdth-fix-oops-in-gdth_copy_cmd.patch
+netlabel-cipso_std_bug
+netfilter-nfnetlink_log-fix-reference-counting.patch
+ia64-fix-null-pointer-in-ia64-irq_chip-mask-unmask-function.patch
+adjust-legacy-ide-resource-setting.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
