--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:11:11 2008
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 11 Jan 2008 01:10:42 -0800 (PST)
+Subject: ATM: Check IP header validity in mpc_send_packet
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011042.53950451.davem@davemloft.net>
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ATM]: Check IP header validity in mpc_send_packet
+
+[ Upstream commit: 1c9b7aa1eb40ab708ef3242f74b9a61487623168 ]
+
+Al went through the ip_fast_csum callers and found this piece of code
+that did not validate the IP header. While root crashing the machine
+by sending bogus packets through raw or AF_PACKET sockets isn't that
+serious, it is still nice to react gracefully.
+
+This patch ensures that the skb has enough data for an IP header and
+that the header length field is valid.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/atm/mpc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/atm/mpc.c
++++ b/net/atm/mpc.c
+@@ -542,6 +542,13 @@ static int mpc_send_packet(struct sk_buf
+ if (eth->h_proto != htons(ETH_P_IP))
+ goto non_ip; /* Multi-Protocol Over ATM :-) */
+
++ /* Weed out funny packets (e.g., AF_PACKET or raw). */
++ if (skb->len < ETH_HLEN + sizeof(struct iphdr))
++ goto non_ip;
++ skb_set_network_header(skb, ETH_HLEN);
++ if (skb->len < ETH_HLEN + ip_hdr(skb)->ihl * 4 || ip_hdr(skb)->ihl < 5)
++ goto non_ip;
++
+ while (i < mpc->number_of_mps_macs) {
+ if (!compare_ether_addr(eth->h_dest, (mpc->mps_macs + i*ETH_ALEN)))
+ if ( send_via_shortcut(skb, mpc) == 0 ) /* try shortcut */
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:12:18 2008
+From: Li Zefan <lizf@cn.fujitsu.com>
+Date: Fri, 11 Jan 2008 01:11:48 -0800 (PST)
+Subject: CONNECTOR: Don't touch queue dev after decrement of ref count.
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011148.195698099.davem@davemloft.net>
+
+From: Li Zefan <lizf@cn.fujitsu.com>
+
+[CONNECTOR]: Don't touch queue dev after decrement of ref count.
+
+[ Upstream commit: cf585ae8ae9ac7287a6d078425ea32f22bf7f1f7 ]
+
+cn_queue_free_callback() will touch 'dev'(i.e. cbq->pdev), so it
+should be called before atomic_dec(&dev->refcnt).
+
+Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/connector/cn_queue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/connector/cn_queue.c
++++ b/drivers/connector/cn_queue.c
+@@ -99,8 +99,8 @@ int cn_queue_add_callback(struct cn_queu
+ spin_unlock_bh(&dev->queue_lock);
+
+ if (found) {
+- atomic_dec(&dev->refcnt);
+ cn_queue_free_callback(cbq);
++ atomic_dec(&dev->refcnt);
+ return -EINVAL;
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:13:43 2008
+From: Mark McLoughlin <markmc@redhat.com>
+Date: Fri, 11 Jan 2008 01:13:17 -0800 (PST)
+Subject: INET: Fix netdev renaming and inet address labels
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011317.218129613.davem@davemloft.net>
+
+From: Mark McLoughlin <markmc@redhat.com>
+
+[INET]: Fix netdev renaming and inet address labels
+
+[ Upstream commit: 44344b2a85f03326c7047a8c861b0c625c674839 ]
+
+When re-naming an interface, the previous secondary address
+labels get lost e.g.
+
+ $> brctl addbr foo
+ $> ip addr add 192.168.0.1 dev foo
+ $> ip addr add 192.168.0.2 dev foo label foo:00
+ $> ip addr show dev foo | grep inet
+ inet 192.168.0.1/32 scope global foo
+ inet 192.168.0.2/32 scope global foo:00
+ $> ip link set foo name bar
+ $> ip addr show dev bar | grep inet
+ inet 192.168.0.1/32 scope global bar
+ inet 192.168.0.2/32 scope global bar:2
+
+Turns out to be a simple thinko in inetdev_changename() - clearly we
+want to look at the address label, rather than the device name, for
+a suffix to retain.
+
+Signed-off-by: Mark McLoughlin <markmc@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/devinet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -1030,7 +1030,7 @@ static void inetdev_changename(struct ne
+ memcpy(ifa->ifa_label, dev->name, IFNAMSIZ);
+ if (named++ == 0)
+ continue;
+- dot = strchr(ifa->ifa_label, ':');
++ dot = strchr(old, ':');
+ if (dot == NULL) {
+ sprintf(old, ":%d", named);
+ dot = old;
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:14:39 2008
+From: maximilian attems <max@stro.at>
+Date: Fri, 11 Jan 2008 01:14:17 -0800 (PST)
+Subject: IRDA: irda_create() nuke user triggable printk
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011417.59885591.davem@davemloft.net>
+
+From: maximilian attems <max@stro.at>
+
+[IRDA]: irda_create() nuke user triggable printk
+
+[ Upstream commit: 9e8d6f8959c356d8294d45f11231331c3e1bcae6 ]
+
+easy to trigger as user with sfuzz.
+
+irda_create() is quiet on unknown sock->type,
+match this behaviour for SOCK_DGRAM unknown protocol
+
+Signed-off-by: maximilian attems <max@stro.at>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/irda/af_irda.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1115,8 +1115,6 @@ static int irda_create(struct socket *so
+ self->max_sdu_size_rx = TTP_SAR_UNBOUND;
+ break;
+ default:
+- IRDA_ERROR("%s: protocol not supported!\n",
+- __FUNCTION__);
+ return -ESOCKTNOSUPPORT;
+ }
+ break;
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:16:53 2008
+From: Russ Dill <Russ.Dill@asu.edu>
+Date: Fri, 11 Jan 2008 01:16:28 -0800 (PST)
+Subject: NET: kaweth was forgotten in msec switchover of usb_start_wait_urb
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011628.29710158.davem@davemloft.net>
+
+From: Russ Dill <Russ.Dill@asu.edu>
+
+[NET]: kaweth was forgotten in msec switchover of usb_start_wait_urb
+
+[ Upstream commit: 2b2b2e35b71e5be8bc06cc0ff38df15dfedda19b ]
+
+Back in 2.6.12-pre, usb_start_wait_urb was switched over to take
+milliseconds instead of jiffies. kaweth.c was never updated to match.
+
+Signed-off-by: Russ Dill <Russ.Dill@asu.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/usb/kaweth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -70,7 +70,7 @@
+ #define KAWETH_TX_TIMEOUT (5 * HZ)
+ #define KAWETH_SCRATCH_SIZE 32
+ #define KAWETH_FIRMWARE_BUF_SIZE 4096
+-#define KAWETH_CONTROL_TIMEOUT (30 * HZ)
++#define KAWETH_CONTROL_TIMEOUT (30000)
+
+ #define KAWETH_STATUS_BROKEN 0x0000001
+ #define KAWETH_STATUS_CLOSING 0x0000002
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:20:18 2008
+From: Russ Dill <Russ.Dill@asu.edu>
+Date: Fri, 11 Jan 2008 01:19:55 -0800 (PST)
+Subject: NET: mcs7830 passes msecs instead of jiffies to usb_control_msg
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011955.239033978.davem@davemloft.net>
+
+From: Russ Dill <Russ.Dill@asu.edu>
+
+[NET]: mcs7830 passes msecs instead of jiffies to usb_control_msg
+
+[ Upstream commit 1d39da3dcaad4231f0fa75024b1d6d710a2ced74 ]
+
+usb_control_msg was changed long ago (2.6.12-pre) to take milliseconds
+instead of jiffies. Oddly, mcs7830 wasn't added until 2.6.19-rc3.
+
+Signed-off-by: Russ Dill <Russ.Dill@asu.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/usb/mcs7830.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/mcs7830.c
++++ b/drivers/net/usb/mcs7830.c
+@@ -94,7 +94,7 @@ static int mcs7830_get_reg(struct usbnet
+
+ ret = usb_control_msg(xdev, usb_rcvctrlpipe(xdev, 0), MCS7830_RD_BREQ,
+ MCS7830_RD_BMREQ, 0x0000, index, data,
+- size, msecs_to_jiffies(MCS7830_CTRL_TIMEOUT));
++ size, MCS7830_CTRL_TIMEOUT);
+ return ret;
+ }
+
+@@ -105,7 +105,7 @@ static int mcs7830_set_reg(struct usbnet
+
+ ret = usb_control_msg(xdev, usb_sndctrlpipe(xdev, 0), MCS7830_WR_BREQ,
+ MCS7830_WR_BMREQ, 0x0000, index, data,
+- size, msecs_to_jiffies(MCS7830_CTRL_TIMEOUT));
++ size, MCS7830_CTRL_TIMEOUT);
+ return ret;
+ }
+
sky2-xl-chksum
sky2-1
powerpc-change-fallocate-to-match-unistd.h-on-powerpc.patch
+x25-add-missing-x25_neigh_put.patch
+net-mcs7830-passes-msecs-instead-of-jiffies-to-usb_control_msg.patch
+net-kaweth-was-forgotten-in-msec-switchover-of-usb_start_wait_urb.patch
+irda-irda_create-nuke-user-triggable-printk.patch
+inet-fix-netdev-renaming-and-inet-address-labels.patch
+connector-don-t-touch-queue-dev-after-decrement-of-ref-count.patch
+atm-check-ip-header-validity-in-mpc_send_packet.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:26:59 2008
+From: Julia Lawall <julia@diku.dk>
+Date: Fri, 11 Jan 2008 01:26:33 -0800 (PST)
+Subject: X25: Add missing x25_neigh_put
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.012633.207825024.davem@davemloft.net>
+
+From: Julia Lawall <julia@diku.dk>
+
+[X25]: Add missing x25_neigh_put
+
+[ Upstream commit: 76975f8a3186dae501584d0155ea410464f62815 ]
+
+The function x25_get_neigh increments a reference count. At the point of
+the second goto out, the result of calling x25_get_neigh is only stored in
+a local variable, and thus no one outside the function will be able to
+decrease the reference count. Thus, x25_neigh_put should be called before
+the return in this case.
+
+The problem was found using the following semantic match.
+(http://www.emn.fr/x-info/coccinelle/)
+
+// <smpl>
+
+@@
+type T,T1,T2;
+identifier E;
+statement S;
+expression x1,x2,x3;
+int ret;
+@@
+
+ T E;
+ ...
+* if ((E = x25_get_neigh(...)) == NULL)
+ S
+ ... when != x25_neigh_put(...,(T1)E,...)
+ when != if (E != NULL) { ... x25_neigh_put(...,(T1)E,...); ...}
+ when != x1 = (T1)E
+ when != E = x3;
+ when any
+ if (...) {
+ ... when != x25_neigh_put(...,(T2)E,...)
+ when != if (E != NULL) { ... x25_neigh_put(...,(T2)E,...); ...}
+ when != x2 = (T2)E
+(
+* return;
+|
+* return ret;
+)
+ }
+// </smpl>
+
+Signed-off-by: Julia Lawall <julia@diku.dk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/x25/x25_forward.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/x25/x25_forward.c
++++ b/net/x25/x25_forward.c
+@@ -118,13 +118,14 @@ int x25_forward_data(int lci, struct x25
+ goto out;
+
+ if ( (skbn = pskb_copy(skb, GFP_ATOMIC)) == NULL){
+- goto out;
++ goto output;
+
+ }
+ x25_transmit_link(skbn, nb);
+
+- x25_neigh_put(nb);
+ rc = 1;
++output:
++ x25_neigh_put(nb);
+ out:
+ return rc;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
