From: Greg Kroah-Hartman Date: Sat, 25 Mar 2006 04:13:25 +0000 (-0800) Subject: 2.6.15.7 review cycle start X-Git-Tag: v2.6.16.1~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2bd45b630f55fb9ab359975b596c9ecff097cb69;p=thirdparty%2Fkernel%2Fstable-queue.git 2.6.15.7 review cycle start --- diff --git a/queue/compat-ifconf-fix-limits.patch b/review-2.6.15/compat-ifconf-fix-limits.patch similarity index 100% rename from queue/compat-ifconf-fix-limits.patch rename to review-2.6.15/compat-ifconf-fix-limits.patch diff --git a/queue/cramfs-mounts-provide-corrupted-content-since-2.6.15.patch b/review-2.6.15/cramfs-mounts-provide-corrupted-content-since-2.6.15.patch similarity index 100% rename from queue/cramfs-mounts-provide-corrupted-content-since-2.6.15.patch rename to review-2.6.15/cramfs-mounts-provide-corrupted-content-since-2.6.15.patch diff --git a/queue/fix-ext2-readdir-f_pos-re-validation-logic.patch b/review-2.6.15/fix-ext2-readdir-f_pos-re-validation-logic.patch similarity index 100% rename from queue/fix-ext2-readdir-f_pos-re-validation-logic.patch rename to review-2.6.15/fix-ext2-readdir-f_pos-re-validation-logic.patch diff --git a/queue/ib-srp-don-t-send-task-management-commands-after-target-removal.patch b/review-2.6.15/ib-srp-don-t-send-task-management-commands-after-target-removal.patch similarity index 92% rename from queue/ib-srp-don-t-send-task-management-commands-after-target-removal.patch rename to review-2.6.15/ib-srp-don-t-send-task-management-commands-after-target-removal.patch index ff94def9e54..a97eb9ae910 100644 --- a/queue/ib-srp-don-t-send-task-management-commands-after-target-removal.patch +++ b/review-2.6.15/ib-srp-don-t-send-task-management-commands-after-target-removal.patch @@ -2,8 +2,7 @@ From stable-bounces@linux.kernel.org Mon Mar 6 20:28:25 2006 Date: Mon, 06 Mar 2006 20:23:33 -0800 
From: Roland Dreier To: stable@kernel.org -Cc: -Subject: [PATCH] IB/srp: Don't send task management commands after target removal +Subject: IB/srp: Don't send task management commands after target removal Just fail abort and reset requests that come in after we've already decided to remove a target. This fixes a nasty crash if a storage diff --git a/queue/kconfig-video_decoder-must-select-fw_loader.patch b/review-2.6.15/kconfig-video_decoder-must-select-fw_loader.patch similarity index 100% rename from queue/kconfig-video_decoder-must-select-fw_loader.patch rename to review-2.6.15/kconfig-video_decoder-must-select-fw_loader.patch diff --git a/queue/net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch b/review-2.6.15/net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch similarity index 100% rename from queue/net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch rename to review-2.6.15/net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch diff --git a/queue/netfilter-ip_queue-fix-wrong-skb-len-nlmsg_len-assumption.patch b/review-2.6.15/netfilter-ip_queue-fix-wrong-skb-len-nlmsg_len-assumption.patch similarity index 100% rename from queue/netfilter-ip_queue-fix-wrong-skb-len-nlmsg_len-assumption.patch rename to review-2.6.15/netfilter-ip_queue-fix-wrong-skb-len-nlmsg_len-assumption.patch diff --git a/review-2.6.15/send.mbox b/review-2.6.15/send.mbox new file mode 100644 index 00000000000..b83cd1a4c9e --- /dev/null +++ b/review-2.6.15/send.mbox 
@@ -0,0 +1,517 @@ +From foo@baz Tue Apr 9 12:12:43 2002 +Date: Tue, 09 Apr 2002 12:14:34 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk +Subject: [00/08] 2.6.15.7 -stable review +Status: RO +Content-Length: 732 +Lines: 17 + +This is the start of the stable review cycle for the 2.6.15.7 release. +There are 8 patches in this series, all will be posted as a response to +this one. If anyone has any issues with these being applied, please let +us know. If anyone is a maintainer of the proper subsystem, and wants +to add a signed-off-by: line to the patch, please respond with it. + +These patches are sent out with a number of different people on the Cc: +line. If you wish to be a reviewer, please email stable@kernel.org to +add your name to the list. If you want to be off the reviewer list, +also email us. + +Responses should be made by Tuesday March 28 02:00:00 UTC. Anything +received after that time, might be too late. + +thanks, + +the -stable release team + +From stable-bounces@linux.kernel.org Mon Mar 6 20:28:25 2006 +Date: Mon, 06 Mar 2006 20:23:33 -0800 +To: linux-kernel@vger.kernel.org, stable@kernel.org, rolandd@cisco.com, Justin Forbes , Zwane Mwaikambo , Theodore Ts'o , Randy.Dunlap , Chuck Wolber , torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk +Subject: [PATCH 01/08] IB/srp: Don't send task management commands after target removal +Status: RO +Content-Length: 949 +Lines: 31 + +From: Roland Dreier + +Just fail abort and reset requests that come in after we've already +decided to remove a target. This fixes a nasty crash if a storage +target goes away. 
+ +Signed-off-by: Roland Dreier +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + +This is upstream in Linus's tree as 1285b3a0b0aa2391ac6f6939e6737203c8220f68 + + drivers/infiniband/ulp/srp/ib_srp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- linux-2.6.15.6.orig/drivers/infiniband/ulp/srp/ib_srp.c ++++ linux-2.6.15.6/drivers/infiniband/ulp/srp/ib_srp.c +@@ -1154,6 +1154,12 @@ static int srp_send_tsk_mgmt(struct scsi + + spin_lock_irq(target->scsi_host->host_lock); + ++ if (target->state == SRP_TARGET_DEAD || ++ target->state == SRP_TARGET_REMOVED) { ++ scmnd->result = DID_BAD_TARGET << 16; ++ goto out; ++ } ++ + if (scmnd->host_scribble == (void *) -1L) + goto out; + + +From stable-bounces@linux.kernel.org Tue Mar 7 15:04:47 2006 +Date: Tue, 07 Mar 2006 14:59:23 -0800 (PST) +To: linux-kernel@vger.kernel.org, stable@kernel.org, davem@davemloft.net, tgraf@suug.ch, Justin Forbes , Zwane Mwaikambo , Theodore Ts'o , Randy.Dunlap , Chuck Wolber , torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk +Cc: +Subject: [PATCH 02/08] Netfilter ip_queue: Fix wrong skb->len == nlmsg_len assumption +Status: RO +Content-Length: 1539 +Lines: 42 + +From: "David S. Miller" + +The size of the skb carrying the netlink message is not +equivalent to the length of the actual netlink message +due to padding. ip_queue matches the length of the payload +against the original packet size to determine if packet +mangling is desired, due to the above wrong assumption +arbitary packets may not be mangled depening on their +original size. + +Signed-off-by: Thomas Graf +Signed-off-by: David S. 
Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + net/ipv4/netfilter/ip_queue.c | 2 +- + net/ipv6/netfilter/ip6_queue.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.15.6.orig/net/ipv4/netfilter/ip_queue.c ++++ linux-2.6.15.6/net/ipv4/netfilter/ip_queue.c +@@ -524,7 +524,7 @@ ipq_rcv_skb(struct sk_buff *skb) + write_unlock_bh(&queue_lock); + + status = ipq_receive_peer(NLMSG_DATA(nlh), type, +- skblen - NLMSG_LENGTH(0)); ++ nlmsglen - NLMSG_LENGTH(0)); + if (status < 0) + RCV_SKB_FAIL(status); + +--- linux-2.6.15.6.orig/net/ipv6/netfilter/ip6_queue.c ++++ linux-2.6.15.6/net/ipv6/netfilter/ip6_queue.c +@@ -522,7 +522,7 @@ ipq_rcv_skb(struct sk_buff *skb) + write_unlock_bh(&queue_lock); + + status = ipq_receive_peer(NLMSG_DATA(nlh), type, +- skblen - NLMSG_LENGTH(0)); ++ nlmsglen - NLMSG_LENGTH(0)); + if (status < 0) + RCV_SKB_FAIL(status); + + +From stable-bounces@linux.kernel.org Wed Mar 8 17:48:08 2006 +Date: Wed, 08 Mar 2006 17:43:17 -0800 (PST) +To: linux-kernel@vger.kernel.org, stable@kernel.org, davem@davemloft.net, rdunlap@xenotime.net, Justin Forbes , Zwane Mwaikambo , Theodore Ts'o , Randy.Dunlap , Chuck Wolber , torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk +Subject: [PATCH 03/08] NET: compat ifconf: fix limits +Status: RO +Content-Length: 1318 +Lines: 31 + +From: Randy Dunlap + +A recent change to compat. dev_ifconf() in fs/compat_ioctl.c +causes ifconf data to be truncated 1 entry too early when copying it +to userspace. The correct amount of data (length) is returned, +but the final entry is empty (zero, not filled in). +The for-loop 'i' check should use <= to allow the final struct +ifreq32 to be copied. I also used the ifconf-corruption program +in kernel bugzilla #4746 to make sure that this change does not +re-introduce the corruption. + +Signed-off-by: Randy Dunlap +Signed-off-by: David S. 
Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + fs/compat_ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.15.6.orig/fs/compat_ioctl.c ++++ linux-2.6.15.6/fs/compat_ioctl.c +@@ -687,7 +687,7 @@ static int dev_ifconf(unsigned int fd, u + ifr = ifc.ifc_req; + ifr32 = compat_ptr(ifc32.ifcbuf); + for (i = 0, j = 0; +- i + sizeof (struct ifreq32) < ifc32.ifc_len && j < ifc.ifc_len; ++ i + sizeof (struct ifreq32) <= ifc32.ifc_len && j < ifc.ifc_len; + i += sizeof (struct ifreq32), j += sizeof (struct ifreq)) { + if (copy_in_user(ifr32, ifr, sizeof (struct ifreq32))) + return -EFAULT; + +From nobody Mon Sep 17 00:00:00 2001 +To: linux-kernel@vger.kernel.org, stable@kernel.org, djohnson@sw.starentnetworks.com, djohnson+linux-kernel@sw.starentnetworks.com, olh@suse.de, mason@suse.com, agruen@suse.de, Justin Forbes , Zwane Mwaikambo , Theodore Ts'o , Randy.Dunlap , Chuck Wolber , torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk +Subject: [PATCH 04/08] cramfs mounts provide corrupted content since 2.6.15 +Status: RO +Content-Length: 4080 +Lines: 109 + +From: Dave Johnson + +Fix handling of cramfs images created by util-linux containing empty +regular files. Images created by cramfstools 1.x were ok. + +Fill out inode contents in cramfs_iget5_set() instead of get_cramfs_inode() +to prevent issues if cramfs_iget5_test() is called with I_LOCK|I_NEW still +set. 
+ +Signed-off-by: Dave Johnson +Cc: Olaf Hering +Cc: Chris Mason +Cc: Andreas Gruenbacher +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + fs/cramfs/inode.c | 60 ++++++++++++++++++++++++++---------------------------- + 1 file changed, 29 insertions(+), 31 deletions(-) + +ff3aea0e68bfd46120ce2d08bc1f8240fa2bd36a +--- linux-2.6.15.6.orig/fs/cramfs/inode.c ++++ linux-2.6.15.6/fs/cramfs/inode.c +@@ -36,7 +36,7 @@ static DECLARE_MUTEX(read_mutex); + + /* These two macros may change in future, to provide better st_ino + semantics. */ +-#define CRAMINO(x) ((x)->offset?(x)->offset<<2:1) ++#define CRAMINO(x) (((x)->offset && (x)->size)?(x)->offset<<2:1) + #define OFFSET(x) ((x)->i_ino) + + +@@ -66,8 +66,36 @@ static int cramfs_iget5_test(struct inod + + static int cramfs_iget5_set(struct inode *inode, void *opaque) + { ++ static struct timespec zerotime; + struct cramfs_inode *cramfs_inode = opaque; ++ inode->i_mode = cramfs_inode->mode; ++ inode->i_uid = cramfs_inode->uid; ++ inode->i_size = cramfs_inode->size; ++ inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1; ++ inode->i_blksize = PAGE_CACHE_SIZE; ++ inode->i_gid = cramfs_inode->gid; ++ /* Struct copy intentional */ ++ inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime; + inode->i_ino = CRAMINO(cramfs_inode); ++ /* inode->i_nlink is left 1 - arguably wrong for directories, ++ but it's the best we can do without reading the directory ++ contents. 1 yields the right result in GNU find, even ++ without -noleaf option. 
*/ ++ if (S_ISREG(inode->i_mode)) { ++ inode->i_fop = &generic_ro_fops; ++ inode->i_data.a_ops = &cramfs_aops; ++ } else if (S_ISDIR(inode->i_mode)) { ++ inode->i_op = &cramfs_dir_inode_operations; ++ inode->i_fop = &cramfs_directory_operations; ++ } else if (S_ISLNK(inode->i_mode)) { ++ inode->i_op = &page_symlink_inode_operations; ++ inode->i_data.a_ops = &cramfs_aops; ++ } else { ++ inode->i_size = 0; ++ inode->i_blocks = 0; ++ init_special_inode(inode, inode->i_mode, ++ old_decode_dev(cramfs_inode->size)); ++ } + return 0; + } + +@@ -77,37 +105,7 @@ static struct inode *get_cramfs_inode(st + struct inode *inode = iget5_locked(sb, CRAMINO(cramfs_inode), + cramfs_iget5_test, cramfs_iget5_set, + cramfs_inode); +- static struct timespec zerotime; +- + if (inode && (inode->i_state & I_NEW)) { +- inode->i_mode = cramfs_inode->mode; +- inode->i_uid = cramfs_inode->uid; +- inode->i_size = cramfs_inode->size; +- inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1; +- inode->i_blksize = PAGE_CACHE_SIZE; +- inode->i_gid = cramfs_inode->gid; +- /* Struct copy intentional */ +- inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime; +- inode->i_ino = CRAMINO(cramfs_inode); +- /* inode->i_nlink is left 1 - arguably wrong for directories, +- but it's the best we can do without reading the directory +- contents. 1 yields the right result in GNU find, even +- without -noleaf option. 
*/ +- if (S_ISREG(inode->i_mode)) { +- inode->i_fop = &generic_ro_fops; +- inode->i_data.a_ops = &cramfs_aops; +- } else if (S_ISDIR(inode->i_mode)) { +- inode->i_op = &cramfs_dir_inode_operations; +- inode->i_fop = &cramfs_directory_operations; +- } else if (S_ISLNK(inode->i_mode)) { +- inode->i_op = &page_symlink_inode_operations; +- inode->i_data.a_ops = &cramfs_aops; +- } else { +- inode->i_size = 0; +- inode->i_blocks = 0; +- init_special_inode(inode, inode->i_mode, +- old_decode_dev(cramfs_inode->size)); +- } + unlock_new_inode(inode); + } + return inode; + +From nobody Mon Sep 17 00:00:00 2001 +To: linux-kernel@vger.kernel.org, stable@kernel.org, Justin Forbes , Zwane Mwaikambo , Theodore Ts'o , Randy.Dunlap , Chuck Wolber , torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk, viro@ftp.linux.org.uk, masouds@google.com +Subject: [PATCH 08/08] Fix ext2 readdir f_pos re-validation logic +Status: RO +Content-Length: 3194 +Lines: 101 + +From: Al Viro + +This fixes not one, but _two_, silly (but admittedly hard to hit) bugs +in the ext2 filesystem "readdir()" function. It also cleans up the code +to avoid the unnecessary goto mess. + +The bugs were related to re-valiating the f_pos value after somebody had +either done an "lseek()" on the directory to an invalid offset, or when +the offset had become invalid due to a file being unlinked in the +directory. The code would not only set the f_version too eagerly, it +would also not update f_pos appropriately for when the offset fixup took +place. + +When that happened, we'd occasionally subsequently fail the readdir() +even when we shouldn't (no real harm done, but an ugly printk, and +obviously you would end up not necessarily seeing all entries). + +Thanks to Masoud Sharbiani who noticed the problem +and had a test-case for it, and also fixed up a thinko in the first +version of this patch. 
+ +Signed-off-by: Al Viro +Acked-by: Masoud Sharbiani +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + fs/ext2/dir.c | 28 ++++++++++++---------------- + 1 file changed, 12 insertions(+), 16 deletions(-) + +2d7f2ea9c989853310c7f6e8be52cc090cc8e66b +--- linux-2.6.15.6.orig/fs/ext2/dir.c ++++ linux-2.6.15.6/fs/ext2/dir.c +@@ -256,11 +256,10 @@ ext2_readdir (struct file * filp, void * + unsigned long npages = dir_pages(inode); + unsigned chunk_mask = ~(ext2_chunk_size(inode)-1); + unsigned char *types = NULL; +- int need_revalidate = (filp->f_version != inode->i_version); +- int ret; ++ int need_revalidate = filp->f_version != inode->i_version; + + if (pos > inode->i_size - EXT2_DIR_REC_LEN(1)) +- goto success; ++ return 0; + + if (EXT2_HAS_INCOMPAT_FEATURE(sb, EXT2_FEATURE_INCOMPAT_FILETYPE)) + types = ext2_filetype_table; +@@ -275,12 +274,15 @@ ext2_readdir (struct file * filp, void * + "bad page in #%lu", + inode->i_ino); + filp->f_pos += PAGE_CACHE_SIZE - offset; +- ret = -EIO; +- goto done; ++ return -EIO; + } + kaddr = page_address(page); +- if (need_revalidate) { +- offset = ext2_validate_entry(kaddr, offset, chunk_mask); ++ if (unlikely(need_revalidate)) { ++ if (offset) { ++ offset = ext2_validate_entry(kaddr, offset, chunk_mask); ++ filp->f_pos = (n<f_version = inode->i_version; + need_revalidate = 0; + } + de = (ext2_dirent *)(kaddr+offset); +@@ -289,9 +291,8 @@ ext2_readdir (struct file * filp, void * + if (de->rec_len == 0) { + ext2_error(sb, __FUNCTION__, + "zero-length directory entry"); +- ret = -EIO; + ext2_put_page(page); +- goto done; ++ return -EIO; + } + if (de->inode) { + int over; +@@ -306,19 +307,14 @@ ext2_readdir (struct file * filp, void * + le32_to_cpu(de->inode), d_type); + if (over) { + ext2_put_page(page); +- goto success; ++ return 0; + } + } + filp->f_pos += le16_to_cpu(de->rec_len); + } + ext2_put_page(page); + } +- +-success: +- ret = 0; +-done: +- filp->f_version = 
inode->i_version; +- return ret; ++ return 0; + } + + /* + +From stable-bounces@linux.kernel.org Thu Mar 23 22:55:25 2006 +Date: Thu, 23 Mar 2006 22:54:18 -0800 (PST) +To: linux-kernel@vger.kernel.org, stable@kernel.org, Justin Forbes , Zwane Mwaikambo , Theodore Ts'o , Randy.Dunlap , Chuck Wolber , torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk, davem@davemloft.net +Subject: [PATCH 07/08] NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated. +Status: RO +Content-Length: 879 +Lines: 30 + +From: "David S. Miller" + +The user can pass us arbitrary garbage so we should ensure the +string they give us is null terminated before we pass it on +to dev_get_by_index() et al. + +Found by Solar Designer. + +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + net/core/sock.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- linux-2.6.15.6.orig/net/core/sock.c ++++ linux-2.6.15.6/net/core/sock.c +@@ -403,8 +403,9 @@ set_rcvbuf: + if (!valbool) { + sk->sk_bound_dev_if = 0; + } else { +- if (optlen > IFNAMSIZ) +- optlen = IFNAMSIZ; ++ if (optlen > IFNAMSIZ - 1) ++ optlen = IFNAMSIZ - 1; ++ memset(devname, 0, sizeof(devname)); + if (copy_from_user(devname, optval, optlen)) { + ret = -EFAULT; + break; + +From stable-bounces@linux.kernel.org Wed Mar 22 14:36:39 2006 +Date: Wed, 22 Mar 2006 14:34:42 -0800 (PST) +To: linux-kernel@vger.kernel.org, stable@kernel.org, Justin Forbes , Zwane Mwaikambo , Theodore Ts'o , Randy.Dunlap , Chuck Wolber , torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk, davem@davemloft.net, kuznet@ms2.inr.ac.ru +Subject: [PATCH 06/08] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242) +Status: RO +Content-Length: 1356 +Lines: 45 + +From: Alexey Kuznetsov + + +The problem is in ip_push_pending_frames(), which uses: + + if (!df) { + __ip_select_ident(iph, &rt->u.dst, 0); + } else { + iph->id = htons(inet->id++); + } + +instead of 
ip_select_ident(). + +Right now I think the code is a nonsense. Most likely, I copied it from +old ip_build_xmit(), where it was really special, we had to decide +whether to generate unique ID when generating the first (well, the last) +fragment. + +In ip_push_pending_frames() it does not make sense, it should use plain +ip_select_ident() instead. + +Signed-off-by: Alexey Kuznetsov +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + net/ipv4/ip_output.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- linux-2.6.15.6.orig/net/ipv4/ip_output.c ++++ linux-2.6.15.6/net/ipv4/ip_output.c +@@ -1237,11 +1237,7 @@ int ip_push_pending_frames(struct sock * + iph->tos = inet->tos; + iph->tot_len = htons(skb->len); + iph->frag_off = df; +- if (!df) { +- __ip_select_ident(iph, &rt->u.dst, 0); +- } else { +- iph->id = htons(inet->id++); +- } ++ ip_select_ident(iph, &rt->u.dst, sk); + iph->ttl = ttl; + iph->protocol = sk->sk_protocol; + iph->saddr = rt->rt_src; + +From stable-bounces@linux.kernel.org Mon Mar 20 19:35:28 2006 +Date: Mon, 20 Mar 2006 22:34:58 -0500 +To: linux-kernel@vger.kernel.org, stable@kernel.org, Justin Forbes , Zwane Mwaikambo , Theodore Ts'o , Randy.Dunlap , Chuck Wolber , torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk, mkrufky@linuxtv.org, mchehab@infradead.org +Subject: [PATCH 05/08] Kconfig: VIDEO_DECODER must select FW_LOADER +Status: RO +Content-Length: 853 +Lines: 24 + +From: Michael Krufky + +The cx25840 module requires external firmware in order to function, +so it must select FW_LOADER, but saa7115 and saa7129 do not require it. 
+ +Signed-off-by: Michael Krufky +Cc: Mauro Carvalho Chehab +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + drivers/media/video/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- linux-2.6.15.6.orig/drivers/media/video/Kconfig ++++ linux-2.6.15.6/drivers/media/video/Kconfig +@@ -340,6 +340,7 @@ config VIDEO_AUDIO_DECODER + config VIDEO_DECODER + tristate "Add support for additional video chipsets" + depends on VIDEO_DEV && I2C && EXPERIMENTAL ++ select FW_LOADER + ---help--- + Say Y here to compile drivers for SAA7115, SAA7127 and CX25840 + video decoders. + diff --git a/review-2.6.15/send2.mbox b/review-2.6.15/send2.mbox new file mode 100644 index 00000000000..db0f596cb0e --- /dev/null +++ b/review-2.6.15/send2.mbox 
@@ -0,0 +1,623 @@ +From gregkh@suse.de Fri Mar 24 20:08:52 2006 +Date: Fri, 24 Mar 2006 20:08:52 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , Randy Dunlap , + Dave Jones , + Chuck Wolber , torvalds@osdl.org, + akpm@osdl.org, alan@lxorguk.ukuu.org.uk +Subject: [00/08] 2.6.15.7 -stable review +Message-ID: <20060325040852.GA16955@kroah.com> +Mime-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +User-Agent: Mutt/1.5.11 +Status: RO +Content-Length: 732 + +This is the start of the stable review cycle for the 2.6.15.7 release. +There are 8 patches in this series, all will be posted as a response to +this one. If anyone has any issues with these being applied, please let +us know. If anyone is a maintainer of the proper subsystem, and wants +to add a signed-off-by: line to the patch, please respond with it. + +These patches are sent out with a number of different people on the Cc: +line. If you wish to be a reviewer, please email stable@kernel.org to +add your name to the list. If you want to be off the reviewer list, +also email us. + +Responses should be made by Tuesday March 28 02:00:00 UTC. Anything +received after that time, might be too late. 
+ +thanks, + +the -stable release team + +From gregkh@suse.de Fri Mar 24 20:12:10 2006 +Date: Fri, 24 Mar 2006 20:12:10 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, stable@kernel.org, + Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + "Randy.Dunlap" , + Chuck Wolber , torvalds@osdl.org, + akpm@osdl.org, alan@lxorguk.ukuu.org.uk, viro@ftp.linux.org.uk, + masouds@google.com +Subject: [PATCH 08/08] Fix ext2 readdir f_pos re-validation logic +Message-ID: <20060325041210.GI16955@kroah.com> +Mime-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +In-Reply-To: <20060325040852.GA16955@kroah.com> +User-Agent: Mutt/1.5.11 +Status: RO +Content-Length: 3194 + +From: Al Viro + +This fixes not one, but _two_, silly (but admittedly hard to hit) bugs +in the ext2 filesystem "readdir()" function. It also cleans up the code +to avoid the unnecessary goto mess. + +The bugs were related to re-valiating the f_pos value after somebody had +either done an "lseek()" on the directory to an invalid offset, or when +the offset had become invalid due to a file being unlinked in the +directory. The code would not only set the f_version too eagerly, it +would also not update f_pos appropriately for when the offset fixup took +place. + +When that happened, we'd occasionally subsequently fail the readdir() +even when we shouldn't (no real harm done, but an ugly printk, and +obviously you would end up not necessarily seeing all entries). + +Thanks to Masoud Sharbiani who noticed the problem +and had a test-case for it, and also fixed up a thinko in the first +version of this patch. 
+ +Signed-off-by: Al Viro +Acked-by: Masoud Sharbiani +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + fs/ext2/dir.c | 28 ++++++++++++---------------- + 1 file changed, 12 insertions(+), 16 deletions(-) + +2d7f2ea9c989853310c7f6e8be52cc090cc8e66b +--- linux-2.6.15.6.orig/fs/ext2/dir.c ++++ linux-2.6.15.6/fs/ext2/dir.c +@@ -256,11 +256,10 @@ ext2_readdir (struct file * filp, void * + unsigned long npages = dir_pages(inode); + unsigned chunk_mask = ~(ext2_chunk_size(inode)-1); + unsigned char *types = NULL; +- int need_revalidate = (filp->f_version != inode->i_version); +- int ret; ++ int need_revalidate = filp->f_version != inode->i_version; + + if (pos > inode->i_size - EXT2_DIR_REC_LEN(1)) +- goto success; ++ return 0; + + if (EXT2_HAS_INCOMPAT_FEATURE(sb, EXT2_FEATURE_INCOMPAT_FILETYPE)) + types = ext2_filetype_table; +@@ -275,12 +274,15 @@ ext2_readdir (struct file * filp, void * + "bad page in #%lu", + inode->i_ino); + filp->f_pos += PAGE_CACHE_SIZE - offset; +- ret = -EIO; +- goto done; ++ return -EIO; + } + kaddr = page_address(page); +- if (need_revalidate) { +- offset = ext2_validate_entry(kaddr, offset, chunk_mask); ++ if (unlikely(need_revalidate)) { ++ if (offset) { ++ offset = ext2_validate_entry(kaddr, offset, chunk_mask); ++ filp->f_pos = (n<f_version = inode->i_version; + need_revalidate = 0; + } + de = (ext2_dirent *)(kaddr+offset); +@@ -289,9 +291,8 @@ ext2_readdir (struct file * filp, void * + if (de->rec_len == 0) { + ext2_error(sb, __FUNCTION__, + "zero-length directory entry"); +- ret = -EIO; + ext2_put_page(page); +- goto done; ++ return -EIO; + } + if (de->inode) { + int over; +@@ -306,19 +307,14 @@ ext2_readdir (struct file * filp, void * + le32_to_cpu(de->inode), d_type); + if (over) { + ext2_put_page(page); +- goto success; ++ return 0; + } + } + filp->f_pos += le16_to_cpu(de->rec_len); + } + ext2_put_page(page); + } +- +-success: +- ret = 0; +-done: +- filp->f_version = 
inode->i_version; +- return ret; ++ return 0; + } + + /* + +From gregkh@suse.de Fri Mar 24 20:11:53 2006 +Date: Fri, 24 Mar 2006 20:11:53 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, stable@kernel.org, + Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + "Randy.Dunlap" , + Chuck Wolber , torvalds@osdl.org, + akpm@osdl.org, alan@lxorguk.ukuu.org.uk, davem@davemloft.net +Subject: [PATCH 07/08] NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated. +Message-ID: <20060325041153.GH16955@kroah.com> +Mime-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +In-Reply-To: <20060325040852.GA16955@kroah.com> +User-Agent: Mutt/1.5.11 +Status: RO +Content-Length: 879 + +From: "David S. Miller" + +The user can pass us arbitrary garbage so we should ensure the +string they give us is null terminated before we pass it on +to dev_get_by_index() et al. + +Found by Solar Designer. + +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + net/core/sock.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- linux-2.6.15.6.orig/net/core/sock.c ++++ linux-2.6.15.6/net/core/sock.c +@@ -403,8 +403,9 @@ set_rcvbuf: + if (!valbool) { + sk->sk_bound_dev_if = 0; + } else { +- if (optlen > IFNAMSIZ) +- optlen = IFNAMSIZ; ++ if (optlen > IFNAMSIZ - 1) ++ optlen = IFNAMSIZ - 1; ++ memset(devname, 0, sizeof(devname)); + if (copy_from_user(devname, optval, optlen)) { + ret = -EFAULT; + break; + +From gregkh@suse.de Fri Mar 24 20:11:32 2006 +Date: Fri, 24 Mar 2006 20:11:32 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, stable@kernel.org, + Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + "Randy.Dunlap" , + Chuck Wolber , torvalds@osdl.org, + akpm@osdl.org, alan@lxorguk.ukuu.org.uk, davem@davemloft.net, + kuznet@ms2.inr.ac.ru +Subject: [PATCH 06/08] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242) +Message-ID: 
<20060325041132.GG16955@kroah.com> +Mime-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +In-Reply-To: <20060325040852.GA16955@kroah.com> +User-Agent: Mutt/1.5.11 +Status: RO +Content-Length: 1356 + +From: Alexey Kuznetsov + + +The problem is in ip_push_pending_frames(), which uses: + + if (!df) { + __ip_select_ident(iph, &rt->u.dst, 0); + } else { + iph->id = htons(inet->id++); + } + +instead of ip_select_ident(). + +Right now I think the code is a nonsense. Most likely, I copied it from +old ip_build_xmit(), where it was really special, we had to decide +whether to generate unique ID when generating the first (well, the last) +fragment. + +In ip_push_pending_frames() it does not make sense, it should use plain +ip_select_ident() instead. + +Signed-off-by: Alexey Kuznetsov +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + net/ipv4/ip_output.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- linux-2.6.15.6.orig/net/ipv4/ip_output.c ++++ linux-2.6.15.6/net/ipv4/ip_output.c +@@ -1237,11 +1237,7 @@ int ip_push_pending_frames(struct sock * + iph->tos = inet->tos; + iph->tot_len = htons(skb->len); + iph->frag_off = df; +- if (!df) { +- __ip_select_ident(iph, &rt->u.dst, 0); +- } else { +- iph->id = htons(inet->id++); +- } ++ ip_select_ident(iph, &rt->u.dst, sk); + iph->ttl = ttl; + iph->protocol = sk->sk_protocol; + iph->saddr = rt->rt_src; + +From gregkh@suse.de Fri Mar 24 20:11:18 2006 +Date: Fri, 24 Mar 2006 20:11:18 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, stable@kernel.org, + Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + "Randy.Dunlap" , + Chuck Wolber , torvalds@osdl.org, + akpm@osdl.org, alan@lxorguk.ukuu.org.uk, mkrufky@linuxtv.org, + mchehab@infradead.org +Subject: [PATCH 05/08] Kconfig: VIDEO_DECODER must select FW_LOADER +Message-ID: <20060325041118.GF16955@kroah.com> +Mime-Version: 1.0 +Content-Type: text/plain; 
charset=us-ascii +Content-Disposition: inline +In-Reply-To: <20060325040852.GA16955@kroah.com> +User-Agent: Mutt/1.5.11 +Status: RO +Content-Length: 853 + +From: Michael Krufky + +The cx25840 module requires external firmware in order to function, +so it must select FW_LOADER, but saa7115 and saa7129 do not require it. + +Signed-off-by: Michael Krufky +Cc: Mauro Carvalho Chehab +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + drivers/media/video/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- linux-2.6.15.6.orig/drivers/media/video/Kconfig ++++ linux-2.6.15.6/drivers/media/video/Kconfig +@@ -340,6 +340,7 @@ config VIDEO_AUDIO_DECODER + config VIDEO_DECODER + tristate "Add support for additional video chipsets" + depends on VIDEO_DEV && I2C && EXPERIMENTAL ++ select FW_LOADER + ---help--- + Say Y here to compile drivers for SAA7115, SAA7127 and CX25840 + video decoders. + +From gregkh@suse.de Fri Mar 24 20:10:38 2006 +Date: Fri, 24 Mar 2006 20:10:38 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, stable@kernel.org, + djohnson@sw.starentnetworks.com, + djohnson+linux-kernel@sw.starentnetworks.com, olh@suse.de, + mason@suse.com, agruen@suse.de, + Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + "Randy.Dunlap" , + Chuck Wolber , torvalds@osdl.org, + akpm@osdl.org, alan@lxorguk.ukuu.org.uk +Subject: [PATCH 04/08] cramfs mounts provide corrupted content since 2.6.15 +Message-ID: <20060325041038.GE16955@kroah.com> +Mime-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +In-Reply-To: <20060325040852.GA16955@kroah.com> +User-Agent: Mutt/1.5.11 +Status: RO +Content-Length: 4080 + +From: Dave Johnson + +Fix handling of cramfs images created by util-linux containing empty +regular files. Images created by cramfstools 1.x were ok. + +Fill out inode contents in cramfs_iget5_set() instead of get_cramfs_inode() +to prevent issues if cramfs_iget5_test() is called with I_LOCK|I_NEW still +set. 
+ +Signed-off-by: Dave Johnson +Cc: Olaf Hering +Cc: Chris Mason +Cc: Andreas Gruenbacher +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + fs/cramfs/inode.c | 60 ++++++++++++++++++++++++++---------------------------- + 1 file changed, 29 insertions(+), 31 deletions(-) + +ff3aea0e68bfd46120ce2d08bc1f8240fa2bd36a +--- linux-2.6.15.6.orig/fs/cramfs/inode.c ++++ linux-2.6.15.6/fs/cramfs/inode.c +@@ -36,7 +36,7 @@ static DECLARE_MUTEX(read_mutex); + + /* These two macros may change in future, to provide better st_ino + semantics. */ +-#define CRAMINO(x) ((x)->offset?(x)->offset<<2:1) ++#define CRAMINO(x) (((x)->offset && (x)->size)?(x)->offset<<2:1) + #define OFFSET(x) ((x)->i_ino) + + +@@ -66,8 +66,36 @@ static int cramfs_iget5_test(struct inod + + static int cramfs_iget5_set(struct inode *inode, void *opaque) + { ++ static struct timespec zerotime; + struct cramfs_inode *cramfs_inode = opaque; ++ inode->i_mode = cramfs_inode->mode; ++ inode->i_uid = cramfs_inode->uid; ++ inode->i_size = cramfs_inode->size; ++ inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1; ++ inode->i_blksize = PAGE_CACHE_SIZE; ++ inode->i_gid = cramfs_inode->gid; ++ /* Struct copy intentional */ ++ inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime; + inode->i_ino = CRAMINO(cramfs_inode); ++ /* inode->i_nlink is left 1 - arguably wrong for directories, ++ but it's the best we can do without reading the directory ++ contents. 1 yields the right result in GNU find, even ++ without -noleaf option. 
*/ ++ if (S_ISREG(inode->i_mode)) { ++ inode->i_fop = &generic_ro_fops; ++ inode->i_data.a_ops = &cramfs_aops; ++ } else if (S_ISDIR(inode->i_mode)) { ++ inode->i_op = &cramfs_dir_inode_operations; ++ inode->i_fop = &cramfs_directory_operations; ++ } else if (S_ISLNK(inode->i_mode)) { ++ inode->i_op = &page_symlink_inode_operations; ++ inode->i_data.a_ops = &cramfs_aops; ++ } else { ++ inode->i_size = 0; ++ inode->i_blocks = 0; ++ init_special_inode(inode, inode->i_mode, ++ old_decode_dev(cramfs_inode->size)); ++ } + return 0; + } + +@@ -77,37 +105,7 @@ static struct inode *get_cramfs_inode(st + struct inode *inode = iget5_locked(sb, CRAMINO(cramfs_inode), + cramfs_iget5_test, cramfs_iget5_set, + cramfs_inode); +- static struct timespec zerotime; +- + if (inode && (inode->i_state & I_NEW)) { +- inode->i_mode = cramfs_inode->mode; +- inode->i_uid = cramfs_inode->uid; +- inode->i_size = cramfs_inode->size; +- inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1; +- inode->i_blksize = PAGE_CACHE_SIZE; +- inode->i_gid = cramfs_inode->gid; +- /* Struct copy intentional */ +- inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime; +- inode->i_ino = CRAMINO(cramfs_inode); +- /* inode->i_nlink is left 1 - arguably wrong for directories, +- but it's the best we can do without reading the directory +- contents. 1 yields the right result in GNU find, even +- without -noleaf option. 
*/ +- if (S_ISREG(inode->i_mode)) { +- inode->i_fop = &generic_ro_fops; +- inode->i_data.a_ops = &cramfs_aops; +- } else if (S_ISDIR(inode->i_mode)) { +- inode->i_op = &cramfs_dir_inode_operations; +- inode->i_fop = &cramfs_directory_operations; +- } else if (S_ISLNK(inode->i_mode)) { +- inode->i_op = &page_symlink_inode_operations; +- inode->i_data.a_ops = &cramfs_aops; +- } else { +- inode->i_size = 0; +- inode->i_blocks = 0; +- init_special_inode(inode, inode->i_mode, +- old_decode_dev(cramfs_inode->size)); +- } + unlock_new_inode(inode); + } + return inode; + +From gregkh@suse.de Fri Mar 24 20:10:20 2006 +Date: Fri, 24 Mar 2006 20:10:20 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, stable@kernel.org, davem@davemloft.net, + rdunlap@xenotime.net, Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Chuck Wolber , torvalds@osdl.org, + akpm@osdl.org, alan@lxorguk.ukuu.org.uk +Subject: [PATCH 03/08] NET: compat ifconf: fix limits +Message-ID: <20060325041020.GD16955@kroah.com> +Mime-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +In-Reply-To: <20060325040852.GA16955@kroah.com> +User-Agent: Mutt/1.5.11 +Status: RO +Content-Length: 1318 + +From: Randy Dunlap + +A recent change to compat. dev_ifconf() in fs/compat_ioctl.c +causes ifconf data to be truncated 1 entry too early when copying it +to userspace. The correct amount of data (length) is returned, +but the final entry is empty (zero, not filled in). +The for-loop 'i' check should use <= to allow the final struct +ifreq32 to be copied. I also used the ifconf-corruption program +in kernel bugzilla #4746 to make sure that this change does not +re-introduce the corruption. + +Signed-off-by: Randy Dunlap +Signed-off-by: David S. 
Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + fs/compat_ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.15.6.orig/fs/compat_ioctl.c ++++ linux-2.6.15.6/fs/compat_ioctl.c +@@ -687,7 +687,7 @@ static int dev_ifconf(unsigned int fd, u + ifr = ifc.ifc_req; + ifr32 = compat_ptr(ifc32.ifcbuf); + for (i = 0, j = 0; +- i + sizeof (struct ifreq32) < ifc32.ifc_len && j < ifc.ifc_len; ++ i + sizeof (struct ifreq32) <= ifc32.ifc_len && j < ifc.ifc_len; + i += sizeof (struct ifreq32), j += sizeof (struct ifreq)) { + if (copy_in_user(ifr32, ifr, sizeof (struct ifreq32))) + return -EFAULT; + +From gregkh@suse.de Fri Mar 24 20:10:01 2006 +Date: Fri, 24 Mar 2006 20:10:01 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, stable@kernel.org, davem@davemloft.net, + tgraf@suug.ch, Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + "Randy.Dunlap" , + Chuck Wolber , torvalds@osdl.org, + akpm@osdl.org, alan@lxorguk.ukuu.org.uk +Subject: [PATCH 02/08] Netfilter ip_queue: Fix wrong skb->len == nlmsg_len assumption +Message-ID: <20060325041001.GC16955@kroah.com> +Mime-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +In-Reply-To: <20060325040852.GA16955@kroah.com> +User-Agent: Mutt/1.5.11 +Status: RO +Content-Length: 1539 + +From: "David S. Miller" + +The size of the skb carrying the netlink message is not +equivalent to the length of the actual netlink message +due to padding. ip_queue matches the length of the payload +against the original packet size to determine if packet +mangling is desired, due to the above wrong assumption +arbitary packets may not be mangled depening on their +original size. + +Signed-off-by: Thomas Graf +Signed-off-by: David S. 
Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + + net/ipv4/netfilter/ip_queue.c | 2 +- + net/ipv6/netfilter/ip6_queue.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.15.6.orig/net/ipv4/netfilter/ip_queue.c ++++ linux-2.6.15.6/net/ipv4/netfilter/ip_queue.c +@@ -524,7 +524,7 @@ ipq_rcv_skb(struct sk_buff *skb) + write_unlock_bh(&queue_lock); + + status = ipq_receive_peer(NLMSG_DATA(nlh), type, +- skblen - NLMSG_LENGTH(0)); ++ nlmsglen - NLMSG_LENGTH(0)); + if (status < 0) + RCV_SKB_FAIL(status); + +--- linux-2.6.15.6.orig/net/ipv6/netfilter/ip6_queue.c ++++ linux-2.6.15.6/net/ipv6/netfilter/ip6_queue.c +@@ -522,7 +522,7 @@ ipq_rcv_skb(struct sk_buff *skb) + write_unlock_bh(&queue_lock); + + status = ipq_receive_peer(NLMSG_DATA(nlh), type, +- skblen - NLMSG_LENGTH(0)); ++ nlmsglen - NLMSG_LENGTH(0)); + if (status < 0) + RCV_SKB_FAIL(status); + + +From gregkh@suse.de Fri Mar 24 20:09:31 2006 +Date: Fri, 24 Mar 2006 20:09:31 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, stable@kernel.org, rolandd@cisco.com, + Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + "Randy.Dunlap" , + Chuck Wolber , torvalds@osdl.org, + akpm@osdl.org, alan@lxorguk.ukuu.org.uk +Subject: [PATCH 01/08] IB/srp: Don't send task management commands after target removal +Message-ID: <20060325040931.GB16955@kroah.com> +Mime-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +In-Reply-To: <20060325040852.GA16955@kroah.com> +User-Agent: Mutt/1.5.11 +Status: RO +Content-Length: 949 + +From: Roland Dreier + +Just fail abort and reset requests that come in after we've already +decided to remove a target. This fixes a nasty crash if a storage +target goes away. 
+ +Signed-off-by: Roland Dreier +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + +This is upstream in Linus's tree as 1285b3a0b0aa2391ac6f6939e6737203c8220f68 + + drivers/infiniband/ulp/srp/ib_srp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- linux-2.6.15.6.orig/drivers/infiniband/ulp/srp/ib_srp.c ++++ linux-2.6.15.6/drivers/infiniband/ulp/srp/ib_srp.c +@@ -1154,6 +1154,12 @@ static int srp_send_tsk_mgmt(struct scsi + + spin_lock_irq(target->scsi_host->host_lock); + ++ if (target->state == SRP_TARGET_DEAD || ++ target->state == SRP_TARGET_REMOVED) { ++ scmnd->result = DID_BAD_TARGET << 16; ++ goto out; ++ } ++ + if (scmnd->host_scribble == (void *) -1L) + goto out; + + diff --git a/queue/series b/review-2.6.15/series similarity index 100% rename from queue/series rename to review-2.6.15/series diff --git a/queue/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch b/review-2.6.15/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch similarity index 100% rename from queue/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch rename to review-2.6.15/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch
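Review bot: In the net/ipv4/ip_output.c hunk, the changelog opens with "The problem is in ip_push_pending_frames()" but never says what the problem is. For a stable backport the description should name the symptom; the patch file name mentions inet->id of the global tcp_socket when sending RST, but the body does not. The removed branch distinguished the DF-clear case (__ip_select_ident(iph, &rt->u.dst, 0)) from the DF-set case (iph->id = htons(inet->id++)), so please also state how ip_select_ident(iph, &rt->u.dst, sk) treats each of the two, so reviewers can see which path changes behaviour.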
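Review bot: The changelog for the drivers/media/video/Kconfig hunk names "saa7115 and saa7129", while the help text in the same hunk lists SAA7115, SAA7127 and CX25840. One of the two chip numbers looks like a typo and should be reconciled. Because the select FW_LOADER line sits on VIDEO_DECODER as a whole, FW_LOADER is also pulled in for the chips the changelog says do not need it; that trade-off deserves a sentence in the description.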
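Review bot: The new CRAMINO() in the first fs/cramfs/inode.c hunk returns 1 for every entry with a zero offset or a zero size, yet the comment above the macro still only says the macros "may change in future". Please extend that comment to say that empty files now share inode number 1 and how such entries are told apart, since the changelog's remark about util-linux images is the only explanation.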
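Review bot: In the cramfs_iget5_set() hunk, the reason the whole inode setup now lives in the set callback (cramfs_iget5_test() can be called while I_LOCK|I_NEW is still set) appears only in the changelog. A short comment above the function would keep someone from moving the block back into get_cramfs_inode(), which after this patch does nothing under I_NEW except unlock_new_inode(). A blank line between the two declarations and the first inode->i_mode assignment would also help readability.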
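Review bot: In the fs/compat_ioctl.c hunk only the first loop condition changes to <=, while the second still reads j < ifc.ifc_len and does not check that a whole struct ifreq fits. If that is safe because ifc.ifc_len is always a multiple of sizeof (struct ifreq), say so in a comment next to the loop; otherwise write it as j + sizeof (struct ifreq) <= ifc.ifc_len so both bounds have the same form and the off-by-one cannot reappear on one side only.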
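Review bot: Both ipq_rcv_skb() hunks (net/ipv4/netfilter/ip_queue.c and net/ipv6/netfilter/ip6_queue.c) now compute nlmsglen - NLMSG_LENGTH(0), but the visible context does not show nlmsglen being checked against NLMSG_LENGTH(0) and against skblen before the subtraction. Please confirm that check exists earlier in the function, or add it, so a too-short or oversized nlmsg_len cannot yield a wrong payload length for ipq_receive_peer(). The changelog also has typos ("arbitary", "depening"), and the From: line names David S. Miller while the first Signed-off-by is Thomas Graf, so the authorship should be checked.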
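Review bot: The new early exit in the srp_send_tsk_mgmt() hunk sets scmnd->result = DID_BAD_TARGET << 16 and jumps to out, but the hunk does not show what the function returns on that path. The changelog says abort and reset requests should fail once the target is SRP_TARGET_DEAD or SRP_TARGET_REMOVED, so please confirm that the out label returns a failure code here and does not report success with only scmnd->result set.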