From: Greg Kroah-Hartman
Date: Tue, 13 Mar 2007 18:43:33 +0000 (-0700)
Subject: next round of stable patches added
X-Git-Tag: v2.6.20.4~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8e2d6464abbd71d367f0895e979f36f921368f02;p=thirdparty%2Fkernel%2Fstable-queue.git

next round of stable patches added
---
diff --git a/queue-2.6.20/SCSI-gdth-fix-oops-in-gdth_copy_cmd.patch b/queue-2.6.20/SCSI-gdth-fix-oops-in-gdth_copy_cmd.patch
new file mode 100644
index 00000000000..6413df989e2
--- /dev/null
+++ b/queue-2.6.20/SCSI-gdth-fix-oops-in-gdth_copy_cmd.patch
@@ -0,0 +1,45 @@
+From bb9ba31ca3b88fd396e38950d1caedf2f83521c6 Mon Sep 17 00:00:00 2001
+From: Joerg Dorchain
+Date: Tue, 6 Mar 2007 02:46:54 -0800
+Subject: [SCSI] gdth: fix oops in gdth_copy_cmd()
+
+Recent alterations to the gdth_fill_raw_cmd() path no longer set the
+sg_ranz field for zero transfer commands. However, this field is used
+lower down in the function to initialise ha->cmd_len to the size of
+the firmware packet. If this uninitialised field contains a bogus
+value, ha->cmd_len can become much larger than the actual firmware
+packet and end up oopsing in gdth_copy_cmd() as it tries to copy this
+huge packet to the device (usually because it runs into an unallocated
+page).
+
+The fix is to initialise the sg_ranz field to zero at the start of
+gdth_fill_raw_cmd().
+
+Signed-off-by: Joerg Dorchain
+Acked-by: "Leubner, Achim"
+Signed-off-by: Andrew Morton
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/gdth.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/gdth.c
++++ b/drivers/scsi/gdth.c
+@@ -3092,6 +3092,7 @@ static int gdth_fill_raw_cmd(int hanum,S
+ cmdp->u.raw64.direction =
+ gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
+ memcpy(cmdp->u.raw64.cmd,scp->cmnd,16);
++ cmdp->u.raw64.sg_ranz = 0;
+ } else {
+ cmdp->u.raw.reserved = 0;
+ cmdp->u.raw.mdisc_time = 0;
+@@ -3108,6 +3109,7 @@ static int gdth_fill_raw_cmd(int hanum,S
+ cmdp->u.raw.direction =
+ gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
+ memcpy(cmdp->u.raw.cmd,scp->cmnd,12);
++ cmdp->u.raw.sg_ranz = 0;
+ }
+
+ if (scp->use_sg) {
diff --git a/queue-2.6.20/adjust-legacy-ide-resource-setting.patch b/queue-2.6.20/adjust-legacy-ide-resource-setting.patch
new file mode 100644
index 00000000000..73b086205b4
--- /dev/null
+++ b/queue-2.6.20/adjust-legacy-ide-resource-setting.patch
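Review bot: Neither added `sg_ranz = 0` assignment carries a comment, and nothing in the visible lines tells a reader why the field must be cleared before the `if (scp->use_sg)` block that follows. Going by the patch description, a zero-transfer command otherwise leaves the field unset and `ha->cmd_len` is later derived from it, so I would put `/* zero-transfer commands never set sg_ranz; cmd_len is computed from it below */` above each assignment. The description says the field is initialised "at the start of gdth_fill_raw_cmd()", whereas both hunks place it at the end of the raw64 and raw branches, so the wording should follow the code. The function body starts and ends outside both hunks.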
@@ -0,0 +1,91 @@
+From stable-bounces@linux.kernel.org Tue Mar 13 11:05:30 2007
+From: Jan Beulich
+Date: Tue, 13 Mar 2007 14:04:11 -0400
+Subject: adjust legacy IDE resource setting (v2)
+To: linux-stable
+Message-ID: <45F6E79B.1010208@redhat.com>
+
+From: Jan Beulich
+
+adjust legacy IDE resource setting (v2)
+
+The change to force legacy mode IDE channels' resources to fixed non-zero
+values confuses (at least some versions of) X, because the values reported
+by the kernel and those readable from PCI config space aren't consistent
+anymore. Therefore, this patch arranges for the respective BARs to also
+get updated if possible.
+
+Signed-off-by: Jan Beulich
+Acked-by: Alan Cox
+Signed-off-by: Andrew Morton
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Cc: Chuck Ebbert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/probe.c | 45 ++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 32 insertions(+), 13 deletions(-)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -639,7 +639,34 @@ static void pci_read_irq(struct pci_dev
+ dev->irq = irq;
+ }
+
+-#define LEGACY_IO_RESOURCE (IORESOURCE_IO | IORESOURCE_PCI_FIXED)
++static void change_legacy_io_resource(struct pci_dev * dev, unsigned index,
++ unsigned start, unsigned end)
++{
++ unsigned base = start & PCI_BASE_ADDRESS_IO_MASK;
++ unsigned len = (end | ~PCI_BASE_ADDRESS_IO_MASK) - base + 1;
++
++ /*
++ * Some X versions get confused when the BARs reported through
++ * /sys or /proc differ from those seen in config space, thus
++ * try to update the config space values, too.
++ */
++ if (!(pci_resource_flags(dev, index) & IORESOURCE_IO))
++ printk(KERN_WARNING "%s: cannot adjust BAR%u (not I/O)\n",
++ pci_name(dev), index);
++ else if (pci_resource_len(dev, index) != len)
++ printk(KERN_WARNING "%s: cannot adjust BAR%u (size %04X)\n",
++ pci_name(dev), index, (unsigned)pci_resource_len(dev, index));
++ else {
++ printk(KERN_INFO "%s: trying to change BAR%u from %04X to %04X\n",
++ pci_name(dev), index,
++ (unsigned)pci_resource_start(dev, index), base);
++ pci_write_config_dword(dev, PCI_BASE_ADDRESS_0 + index * 4, base);
++ }
++ pci_resource_start(dev, index) = start;
++ pci_resource_end(dev, index) = end;
++ pci_resource_flags(dev, index) =
++ IORESOURCE_IO | IORESOURCE_PCI_FIXED | PCI_BASE_ADDRESS_SPACE_IO;
++}
+
+ /**
+ * pci_setup_device - fill in class and map information of a device
+@@ -692,20 +719,12 @@ static int pci_setup_device(struct pci_d
+ u8 progif;
+ pci_read_config_byte(dev, PCI_CLASS_PROG, &progif);
+ if ((progif & 1) == 0) {
+- dev->resource[0].start = 0x1F0;
+- dev->resource[0].end = 0x1F7;
+- dev->resource[0].flags = LEGACY_IO_RESOURCE;
+- dev->resource[1].start = 0x3F6;
+- dev->resource[1].end = 0x3F6;
+- dev->resource[1].flags = LEGACY_IO_RESOURCE;
++ change_legacy_io_resource(dev, 0, 0x1F0, 0x1F7);
++ change_legacy_io_resource(dev, 1, 0x3F6, 0x3F6);
+ }
+ if ((progif & 4) == 0) {
+- dev->resource[2].start = 0x170;
+- dev->resource[2].end = 0x177;
+- dev->resource[2].flags = LEGACY_IO_RESOURCE;
+- dev->resource[3].start = 0x376;
+- dev->resource[3].end = 0x376;
+- dev->resource[3].flags = LEGACY_IO_RESOURCE;
++ change_legacy_io_resource(dev, 2, 0x170, 0x177);
++ change_legacy_io_resource(dev, 3, 0x376, 0x376);
+ }
+ }
+ break;
diff --git a/queue-2.6.20/fix-another-null-pointer-deref-in-ipv6_sockglue.c.patch b/queue-2.6.20/fix-another-null-pointer-deref-in-ipv6_sockglue.c.patch
new file mode 100644
index 00000000000..2b78e04e3e7
--- /dev/null
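Review bot: In `change_legacy_io_resource()` the BAR write in the final `else` branch is never verified, so a BAR that does not take the new value leaves config space and the kernel's resource out of step with only the "trying to change" message logged. A read-back after the write would make that visible, for example `pci_read_config_dword(dev, PCI_BASE_ADDRESS_0 + index * 4, &val);` followed by a warning when `(val & PCI_BASE_ADDRESS_IO_MASK) != base`. The two warning branches also fall through to the unconditional `pci_resource_start`/`pci_resource_end`/`pci_resource_flags` assignments, so in those cases the mismatch described in the comment remains. If that is intended, a one-line comment before the assignments should say so.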
+++ b/queue-2.6.20/fix-another-null-pointer-deref-in-ipv6_sockglue.c.patch
@@ -0,0 +1,33 @@
+From stable-bounces@linux.kernel.org Fri Mar 9 23:05:14 2007
+From: Olaf Kirch
+Date: Fri, 09 Mar 2007 23:03:53 -0800 (PST)
+Subject: Fix another NULL pointer deref in ipv6_sockglue.c
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070309.230353.71089669.davem@davemloft.net>
+
+From: Olaf Kirch
+
+[IPV6]: Fix for ipv6_setsockopt NULL dereference
+
+I came across this bug in http://bugzilla.kernel.org/show_bug.cgi?id=8155
+
+Signed-off-by: Olaf Kirch
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -414,7 +414,7 @@ static int do_ipv6_setsockopt(struct soc
+ }
+
+ /* routing header option needs extra check */
+- if (optname == IPV6_RTHDR && opt->srcrt) {
++ if (optname == IPV6_RTHDR && opt && opt->srcrt) {
+ struct ipv6_rt_hdr *rthdr = opt->srcrt;
+ switch (rthdr->type) {
+ case IPV6_SRCRT_TYPE_0:
diff --git a/queue-2.6.20/fix-rtm_to_ifaddr-error-return.patch b/queue-2.6.20/fix-rtm_to_ifaddr-error-return.patch
new file mode 100644
index 00000000000..a7472c58011
--- /dev/null
+++ b/queue-2.6.20/fix-rtm_to_ifaddr-error-return.patch
@@ -0,0 +1,38 @@
+From stable-bounces@linux.kernel.org Fri Mar 9 23:06:07 2007
+From: Evgeniy Polyakov
+Date: Fri, 09 Mar 2007 23:04:42 -0800 (PST)
+Subject: Fix rtm_to_ifaddr() error return.
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070309.230442.104034976.davem@davemloft.net>
+
+
+From: Evgeniy Polyakov
+
+[IPV4]: Fix rtm_to_ifaddr() error handling.
+
+Return negative error value (embedded in the pointer) instead of
+returning NULL.
+
+Signed-off-by: Evgeniy Polyakov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/devinet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -503,8 +503,10 @@ static struct in_ifaddr *rtm_to_ifaddr(s
+ goto errout;
+
+ ifm = nlmsg_data(nlh);
+- if (ifm->ifa_prefixlen > 32 || tb[IFA_LOCAL] == NULL)
++ if (ifm->ifa_prefixlen > 32 || tb[IFA_LOCAL] == NULL) {
++ err = -EINVAL;
+ goto errout;
++ }
+
+ dev = __dev_get_by_index(ifm->ifa_index);
+ if (dev == NULL) {
diff --git a/queue-2.6.20/fix-user-copy-length-in-ipv6_sockglue.c.patch b/queue-2.6.20/fix-user-copy-length-in-ipv6_sockglue.c.patch
new file mode 100644
index 00000000000..4a5b0cd9afb
--- /dev/null
+++ b/queue-2.6.20/fix-user-copy-length-in-ipv6_sockglue.c.patch
@@ -0,0 +1,34 @@
+From stable-bounces@linux.kernel.org Fri Mar 9 23:07:24 2007
+From: Chris Wright
+Date: Fri, 09 Mar 2007 23:05:59 -0800 (PST)
+Subject: Fix user copy length in ipv6_sockglue.c
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070309.230559.78709619.davem@davemloft.net>
+
+From: Chris Wright
+
+[IPV6] fix ipv6_getsockopt_sticky copy_to_user leak
+
+User supplied len < 0 can cause leak of kernel memory.
+Use unsigned compare instead.
+
+Signed-off-by: Chris Wright
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -805,7 +805,7 @@ static int ipv6_getsockopt_sticky(struct
+ return 0;
+ hdr = opt->hopopt;
+
+- len = min_t(int, len, ipv6_optlen(hdr));
++ len = min_t(unsigned int, len, ipv6_optlen(hdr));
+ if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
+ return -EFAULT;
+ return len;
diff --git a/queue-2.6.20/ia64-fix-null-pointer-in-ia64-irq_chip-mask-unmask-function.patch b/queue-2.6.20/ia64-fix-null-pointer-in-ia64-irq_chip-mask-unmask-function.patch
new file mode 100644
index 00000000000..d30629286e3
--- /dev/null
+++ b/queue-2.6.20/ia64-fix-null-pointer-in-ia64-irq_chip-mask-unmask-function.patch
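Review bot: The unchanged `copy_to_user(optval, hdr, ipv6_optlen(hdr))` line directly after the new `min_t` still copies the full option length, not the clamped `len`. A caller whose buffer is shorter than the option therefore gets `ipv6_optlen(hdr)` bytes written past the size it declared, while the function returns the smaller `len`. The copy should use the clamped value: `if (copy_to_user(optval, hdr, len))`. The declaration of `len` and the start of `ipv6_getsockopt_sticky()` are outside the hunk, so its exact type could not be checked here.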
@@ -0,0 +1,97 @@
+From stable-bounces@linux.kernel.org Tue Mar 13 11:01:59 2007
+From: KAMEZAWA Hiroyuki
+Date: Tue, 13 Mar 2007 14:00:39 -0400
+Subject: IA64: fix NULL pointer in ia64/irq_chip-mask/unmask function
+To: linux-stable
+Message-ID: <45F6E6C7.6070306@redhat.com>
+
+From: KAMEZAWA Hiroyuki
+
+[IA64] fix NULL pointer in ia64/irq_chip-mask/unmask function
+
+This patch fixes boot failure because irq_desc->mask() is NULL.
+
+- Added mask/unmask functions to ia64's irq desc function table.
+- rename hw_interrupt_type to irq_chip. hw_interrupt_type is old name.
+- Tony: Added same change to arch/ia64/sn/kernel/irq.c as pointed out
+ by Eric Biederman ... mask/unmask functions there can be no-op.
+
+Signed-off-by: KAMEZAWA Hiroyuki
+Signed-off-by: Andrew Morton
+Signed-off-by: Tony Luck
+Cc: Chuck Ebbert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/ia64/kernel/iosapic.c | 8 ++++++--
+ arch/ia64/sn/kernel/irq.c | 14 +++++++++++++-
+ 2 files changed, 19 insertions(+), 3 deletions(-)
+
+--- a/arch/ia64/kernel/iosapic.c
++++ b/arch/ia64/kernel/iosapic.c
+@@ -446,7 +446,7 @@ iosapic_end_level_irq (unsigned int irq)
+ #define iosapic_disable_level_irq mask_irq
+ #define iosapic_ack_level_irq nop
+
+-struct hw_interrupt_type irq_type_iosapic_level = {
++struct irq_chip irq_type_iosapic_level = {
+ .name = "IO-SAPIC-level",
+ .startup = iosapic_startup_level_irq,
+ .shutdown = iosapic_shutdown_level_irq,
+@@ -454,6 +454,8 @@ struct hw_interrupt_type irq_type_iosapi
+ .disable = iosapic_disable_level_irq,
+ .ack = iosapic_ack_level_irq,
+ .end = iosapic_end_level_irq,
++ .mask = mask_irq,
++ .unmask = unmask_irq,
+ .set_affinity = iosapic_set_affinity
+ };
+
+@@ -493,7 +495,7 @@ iosapic_ack_edge_irq (unsigned int irq)
+ #define iosapic_disable_edge_irq nop
+ #define iosapic_end_edge_irq nop
+
+-struct hw_interrupt_type irq_type_iosapic_edge = {
++struct irq_chip irq_type_iosapic_edge = {
+ .name = "IO-SAPIC-edge",
+ .startup = iosapic_startup_edge_irq,
+ .shutdown = iosapic_disable_edge_irq,
+@@ -501,6 +503,8 @@ struct hw_interrupt_type irq_type_iosapi
+ .disable = iosapic_disable_edge_irq,
+ .ack = iosapic_ack_edge_irq,
+ .end = iosapic_end_edge_irq,
++ .mask = mask_irq,
++ .unmask = unmask_irq,
+ .set_affinity = iosapic_set_affinity
+ };
+
+--- a/arch/ia64/sn/kernel/irq.c
++++ b/arch/ia64/sn/kernel/irq.c
+@@ -205,7 +205,17 @@ static void sn_set_affinity_irq(unsigned
+ (void)sn_retarget_vector(sn_irq_info, nasid, slice);
+ }
+
+-struct hw_interrupt_type irq_type_sn = {
++static void
++sn_mask_irq(unsigned int irq)
++{
++}
++
++static void
++sn_unmask_irq(unsigned int irq)
++{
++}
++
++struct irq_chip irq_type_sn = {
+ .name = "SN hub",
+ .startup = sn_startup_irq,
+ .shutdown = sn_shutdown_irq,
+@@ -213,6 +223,8 @@ struct hw_interrupt_type irq_type_sn = {
+ .disable = sn_disable_irq,
+ .ack = sn_ack_irq,
+ .end = sn_end_irq,
++ .mask = sn_mask_irq,
++ .unmask = sn_unmask_irq,
+ .set_affinity = sn_set_affinity_irq
+ };
+
diff --git a/queue-2.6.20/netfilter-nfnetlink_log-fix-reference-counting.patch b/queue-2.6.20/netfilter-nfnetlink_log-fix-reference-counting.patch
new file mode 100644
index 00000000000..7e9a2e6fbc0
--- /dev/null
+++ b/queue-2.6.20/netfilter-nfnetlink_log-fix-reference-counting.patch
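Review bot: The new `sn_mask_irq()` and `sn_unmask_irq()` in arch/ia64/sn/kernel/irq.c have empty bodies and no comment, so a later reader cannot tell a deliberate no-op from an unfinished stub. The patch description gives the reason (the `.mask`/`.unmask` slots must not be NULL, and on SN they "can be no-op"), and that belongs in the code, e.g. `/* intentionally empty: .mask/.unmask must be non-NULL, nothing to do here */` inside each body. In the iosapic edge chip, `.disable` resolves to `nop` through the `#define` in the context lines while `.mask` is set to `mask_irq`. If that difference is deliberate, a one-line comment on the initializer would help.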
@@ -0,0 +1,48 @@
+From kaber@trash.net Tue Mar 13 08:41:53 2007
+From: Michal Miroslaw
+Date: Tue, 13 Mar 2007 16:45:26 +0100
+Subject: NETFILTER: nfnetlink_log: fix reference counting
+To: Greg KH
+Message-ID: <45F6C716.4070104@trash.net>
+
+From: Michal Miroslaw
+
+[NETFILTER]: nfnetlink_log: fix reference counting
+
+Fix reference counting (memory leak) problem in __nfulnl_send() and callers
+related to packet queueing.
+
+Signed-off-by: Michal Miroslaw
+Signed-off-by: Patrick McHardy
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nfnetlink_log.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -218,10 +218,8 @@ _instance_destroy2(struct nfulnl_instanc
+ spin_lock_bh(&inst->lock);
+ if (inst->skb) {
+ /* timer "holds" one reference (we have one more) */
+- if (timer_pending(&inst->timer)) {
+- del_timer(&inst->timer);
++ if (del_timer(&inst->timer))
+ instance_put(inst);
+- }
+ if (inst->qlen)
+ __nfulnl_send(inst);
+ if (inst->skb) {
+@@ -695,10 +693,8 @@ nfulnl_log_packet(unsigned int pf,
+ UDEBUG("flushing old skb\n");
+
+ /* timer "holds" one reference (we have another one) */
+- if (timer_pending(&inst->timer)) {
+- del_timer(&inst->timer);
++ if (del_timer(&inst->timer))
+ instance_put(inst);
+- }
+ __nfulnl_send(inst);
+
+ if (!(inst->skb = nfulnl_alloc_skb(nlbufsiz, size))) {
diff --git a/queue-2.6.20/netlabel-cipso_std_bug b/queue-2.6.20/netlabel-cipso_std_bug
new file mode 100644
index 00000000000..94b449c508d
--- /dev/null
+++ b/queue-2.6.20/netlabel-cipso_std_bug
@@ -0,0 +1,52 @@
+From stable-bounces@linux.kernel.org Mon Mar 12 06:36:59 2007
+From: "Paul Moore"
+Date: Mon, 12 Mar 2007 09:33:12 -0500
+Subject: NetLabel: Verify sensitivity level has a valid CIPSO mapping
+To: stable@kernel.org
+Message-ID: <20070228200140.491071752@hp.com>
+Content-Disposition: inline; filename=netlabel-cipso_std_bug
+
+The current CIPSO engine has a problem where it does not verify that the given
+sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI type is
+used. The end result is that bad packets are sent on the wire which should
+have never been sent in the first place. This patch corrects this problem by
+verifying the sensitivity level mapping similar to what is done with the
+category mapping. This patch also changes the returned error code in this case
+to -EPERM to better match what the category mapping verification code returns.
+
+Signed-off-by: Paul Moore
+Acked-by: James Morris
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ net/ipv4/cipso_ipv4.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -732,11 +732,12 @@ static int cipso_v4_map_lvl_hton(const s
+ *net_lvl = host_lvl;
+ return 0;
+ case CIPSO_V4_MAP_STD:
+- if (host_lvl < doi_def->map.std->lvl.local_size) {
++ if (host_lvl < doi_def->map.std->lvl.local_size &&
++ doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL) {
+ *net_lvl = doi_def->map.std->lvl.local[host_lvl];
+ return 0;
+ }
+- break;
++ return -EPERM;
+ }
+
+ return -EINVAL;
+@@ -771,7 +772,7 @@ static int cipso_v4_map_lvl_ntoh(const s
+ *host_lvl = doi_def->map.std->lvl.cipso[net_lvl];
+ return 0;
+ }
+- break;
++ return -EPERM;
+ }
+
+ return -EINVAL;
diff --git a/queue-2.6.20/series b/queue-2.6.20/series
new file mode 100644
index 00000000000..6839378bc41
--- /dev/null
+++ b/queue-2.6.20/series
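Review bot: The second inner hunk, in `cipso_v4_map_lvl_ntoh()`, changes only the error code, and the condition guarding its `*host_lvl = ...` assignment lies outside the hunk. It is therefore not visible whether the network-to-host direction also rejects table entries that are not `< CIPSO_V4_INV_LVL`, as the first hunk now does for `cipso_v4_map_lvl_hton()`; this should be confirmed so both directions apply the same validity test. In both functions the new `return -EPERM` also covers an index that is simply out of range (`host_lvl >= local_size` in the first hunk), not just an unmapped level. A short comment at each `return -EPERM;` stating that both cases are deliberately reported the same way would document that.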
@@ -0,0 +1,8 @@
+fix-another-null-pointer-deref-in-ipv6_sockglue.c.patch
+fix-rtm_to_ifaddr-error-return.patch
+fix-user-copy-length-in-ipv6_sockglue.c.patch
+SCSI-gdth-fix-oops-in-gdth_copy_cmd.patch
+netlabel-cipso_std_bug
+netfilter-nfnetlink_log-fix-reference-counting.patch
+ia64-fix-null-pointer-in-ia64-irq_chip-mask-unmask-function.patch
+adjust-legacy-ide-resource-setting.patch