From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Mon, 14 Jan 2008 23:45:01 +0000 (-0800)
Subject: more .23 patches
X-Git-Tag: v2.6.22.19~67
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bcda2d9778b29f684c6a4ff6c093c1c413e3d82a;p=thirdparty%2Fkernel%2Fstable-queue.git

more .23 patches
---

diff --git a/queue-2.6.23/atm-check-ip-header-validity-in-mpc_send_packet.patch b/queue-2.6.23/atm-check-ip-header-validity-in-mpc_send_packet.patch
new file mode 100644
index 00000000000..3953b353bc1
--- /dev/null
+++ b/queue-2.6.23/atm-check-ip-header-validity-in-mpc_send_packet.patch
@@ -0,0 +1,46 @@
+From stable-bounces@linux.kernel.org Fri Jan 11 01:11:11 2008
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 11 Jan 2008 01:10:42 -0800 (PST)
+Subject: ATM: Check IP header validity in mpc_send_packet
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011042.53950451.davem@davemloft.net>
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ATM]: Check IP header validity in mpc_send_packet
+
+[ Upstream commit: 1c9b7aa1eb40ab708ef3242f74b9a61487623168 ]
+
+Al went through the ip_fast_csum callers and found this piece of code
+that did not validate the IP header.  While root crashing the machine
+by sending bogus packets through raw or AF_PACKET sockets isn't that
+serious, it is still nice to react gracefully.
+
+This patch ensures that the skb has enough data for an IP header and
+that the header length field is valid.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/atm/mpc.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/atm/mpc.c
++++ b/net/atm/mpc.c
+@@ -542,6 +542,13 @@ static int mpc_send_packet(struct sk_buf
+ 	if (eth->h_proto != htons(ETH_P_IP))
+ 		goto non_ip; /* Multi-Protocol Over ATM :-) */
+ 
++	/* Weed out funny packets (e.g., AF_PACKET or raw). */
++	if (skb->len < ETH_HLEN + sizeof(struct iphdr))
++		goto non_ip;
++	skb_set_network_header(skb, ETH_HLEN);
++	if (skb->len < ETH_HLEN + ip_hdr(skb)->ihl * 4 || ip_hdr(skb)->ihl < 5)
++		goto non_ip;
++
+ 	while (i < mpc->number_of_mps_macs) {
+ 		if (!compare_ether_addr(eth->h_dest, (mpc->mps_macs + i*ETH_ALEN)))
+ 			if ( send_via_shortcut(skb, mpc) == 0 )           /* try shortcut */
diff --git a/queue-2.6.23/connector-don-t-touch-queue-dev-after-decrement-of-ref-count.patch b/queue-2.6.23/connector-don-t-touch-queue-dev-after-decrement-of-ref-count.patch
new file mode 100644
index 00000000000..7d4a93227e0
--- /dev/null
+++ b/queue-2.6.23/connector-don-t-touch-queue-dev-after-decrement-of-ref-count.patch
@@ -0,0 +1,37 @@
+From stable-bounces@linux.kernel.org Fri Jan 11 01:12:18 2008
+From: Li Zefan <lizf@cn.fujitsu.com>
+Date: Fri, 11 Jan 2008 01:11:48 -0800 (PST)
+Subject: CONNECTOR: Don't touch queue dev after decrement of ref count.
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011148.195698099.davem@davemloft.net>
+
+From: Li Zefan <lizf@cn.fujitsu.com>
+
+[CONNECTOR]: Don't touch queue dev after decrement of ref count.
+
+[ Upstream commit: cf585ae8ae9ac7287a6d078425ea32f22bf7f1f7 ]
+
+cn_queue_free_callback() will touch 'dev'(i.e. cbq->pdev), so it
+should be called before atomic_dec(&dev->refcnt).
+
+Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/connector/cn_queue.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/connector/cn_queue.c
++++ b/drivers/connector/cn_queue.c
+@@ -99,8 +99,8 @@ int cn_queue_add_callback(struct cn_queu
+ 	spin_unlock_bh(&dev->queue_lock);
+ 
+ 	if (found) {
+-		atomic_dec(&dev->refcnt);
+ 		cn_queue_free_callback(cbq);
++		atomic_dec(&dev->refcnt);
+ 		return -EINVAL;
+ 	}
+ 
diff --git a/queue-2.6.23/inet-fix-netdev-renaming-and-inet-address-labels.patch b/queue-2.6.23/inet-fix-netdev-renaming-and-inet-address-labels.patch
new file mode 100644
index 00000000000..15fc2e10c87
--- /dev/null
+++ b/queue-2.6.23/inet-fix-netdev-renaming-and-inet-address-labels.patch
@@ -0,0 +1,51 @@
+From stable-bounces@linux.kernel.org Fri Jan 11 01:13:43 2008
+From: Mark McLoughlin <markmc@redhat.com>
+Date: Fri, 11 Jan 2008 01:13:17 -0800 (PST)
+Subject: INET: Fix netdev renaming and inet address labels
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011317.218129613.davem@davemloft.net>
+
+From: Mark McLoughlin <markmc@redhat.com>
+
+[INET]: Fix netdev renaming and inet address labels
+
+[ Upstream commit: 44344b2a85f03326c7047a8c861b0c625c674839 ]
+
+When re-naming an interface, the previous secondary address
+labels get lost e.g.
+
+  $> brctl addbr foo
+  $> ip addr add 192.168.0.1 dev foo
+  $> ip addr add 192.168.0.2 dev foo label foo:00
+  $> ip addr show dev foo | grep inet
+    inet 192.168.0.1/32 scope global foo
+    inet 192.168.0.2/32 scope global foo:00
+  $> ip link set foo name bar
+  $> ip addr show dev bar | grep inet
+    inet 192.168.0.1/32 scope global bar
+    inet 192.168.0.2/32 scope global bar:2
+
+Turns out to be a simple thinko in inetdev_changename() - clearly we
+want to look at the address label, rather than the device name, for
+a suffix to retain.
+
+Signed-off-by: Mark McLoughlin <markmc@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/devinet.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -1030,7 +1030,7 @@ static void inetdev_changename(struct ne
+ 		memcpy(ifa->ifa_label, dev->name, IFNAMSIZ);
+ 		if (named++ == 0)
+ 			continue;
+-		dot = strchr(ifa->ifa_label, ':');
++		dot = strchr(old, ':');
+ 		if (dot == NULL) {
+ 			sprintf(old, ":%d", named);
+ 			dot = old;
diff --git a/queue-2.6.23/irda-irda_create-nuke-user-triggable-printk.patch b/queue-2.6.23/irda-irda_create-nuke-user-triggable-printk.patch
new file mode 100644
index 00000000000..471647dfc43
--- /dev/null
+++ b/queue-2.6.23/irda-irda_create-nuke-user-triggable-printk.patch
@@ -0,0 +1,38 @@
+From stable-bounces@linux.kernel.org Fri Jan 11 01:14:39 2008
+From: maximilian attems <max@stro.at>
+Date: Fri, 11 Jan 2008 01:14:17 -0800 (PST)
+Subject: IRDA: irda_create() nuke user triggable printk
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011417.59885591.davem@davemloft.net>
+
+From: maximilian attems <max@stro.at>
+
+[IRDA]: irda_create() nuke user triggable printk
+
+[ Upstream commit: 9e8d6f8959c356d8294d45f11231331c3e1bcae6 ]
+
+easy to trigger as user with sfuzz.
+
+irda_create() is quiet on unknown sock->type,
+match this behaviour for SOCK_DGRAM unknown protocol
+
+Signed-off-by: maximilian attems <max@stro.at>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/irda/af_irda.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1115,8 +1115,6 @@ static int irda_create(struct socket *so
+ 			self->max_sdu_size_rx = TTP_SAR_UNBOUND;
+ 			break;
+ 		default:
+-			IRDA_ERROR("%s: protocol not supported!\n",
+-				   __FUNCTION__);
+ 			return -ESOCKTNOSUPPORT;
+ 		}
+ 		break;
diff --git a/queue-2.6.23/net-kaweth-was-forgotten-in-msec-switchover-of-usb_start_wait_urb.patch b/queue-2.6.23/net-kaweth-was-forgotten-in-msec-switchover-of-usb_start_wait_urb.patch
new file mode 100644
index 00000000000..be19d50b758
--- /dev/null
+++ b/queue-2.6.23/net-kaweth-was-forgotten-in-msec-switchover-of-usb_start_wait_urb.patch
@@ -0,0 +1,36 @@
+From stable-bounces@linux.kernel.org Fri Jan 11 01:16:53 2008
+From: Russ Dill <Russ.Dill@asu.edu>
+Date: Fri, 11 Jan 2008 01:16:28 -0800 (PST)
+Subject: NET: kaweth was forgotten in msec switchover of usb_start_wait_urb
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011628.29710158.davem@davemloft.net>
+
+From: Russ Dill <Russ.Dill@asu.edu>
+
+[NET]: kaweth was forgotten in msec switchover of usb_start_wait_urb
+
+[ Upstream commit: 2b2b2e35b71e5be8bc06cc0ff38df15dfedda19b ]
+
+Back in 2.6.12-pre, usb_start_wait_urb was switched over to take
+milliseconds instead of jiffies. kaweth.c was never updated to match.
+
+Signed-off-by: Russ Dill <Russ.Dill@asu.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/usb/kaweth.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -70,7 +70,7 @@
+ #define KAWETH_TX_TIMEOUT		(5 * HZ)
+ #define KAWETH_SCRATCH_SIZE		32
+ #define KAWETH_FIRMWARE_BUF_SIZE	4096
+-#define KAWETH_CONTROL_TIMEOUT		(30 * HZ)
++#define KAWETH_CONTROL_TIMEOUT		(30000)
+ 
+ #define KAWETH_STATUS_BROKEN		0x0000001
+ #define KAWETH_STATUS_CLOSING		0x0000002
diff --git a/queue-2.6.23/net-mcs7830-passes-msecs-instead-of-jiffies-to-usb_control_msg.patch b/queue-2.6.23/net-mcs7830-passes-msecs-instead-of-jiffies-to-usb_control_msg.patch
new file mode 100644
index 00000000000..32abf91c385
--- /dev/null
+++ b/queue-2.6.23/net-mcs7830-passes-msecs-instead-of-jiffies-to-usb_control_msg.patch
@@ -0,0 +1,45 @@
+From stable-bounces@linux.kernel.org Fri Jan 11 01:20:18 2008
+From: Russ Dill <Russ.Dill@asu.edu>
+Date: Fri, 11 Jan 2008 01:19:55 -0800 (PST)
+Subject: NET: mcs7830 passes msecs instead of jiffies to usb_control_msg
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011955.239033978.davem@davemloft.net>
+
+From: Russ Dill <Russ.Dill@asu.edu>
+
+[NET]: mcs7830 passes msecs instead of jiffies to usb_control_msg
+
+[ Upstream commit 1d39da3dcaad4231f0fa75024b1d6d710a2ced74 ]
+
+usb_control_msg was changed long ago (2.6.12-pre) to take milliseconds
+instead of jiffies. Oddly, mcs7830 wasn't added until 2.6.19-rc3.
+
+Signed-off-by: Russ Dill <Russ.Dill@asu.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/usb/mcs7830.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/mcs7830.c
++++ b/drivers/net/usb/mcs7830.c
+@@ -94,7 +94,7 @@ static int mcs7830_get_reg(struct usbnet
+ 
+ 	ret = usb_control_msg(xdev, usb_rcvctrlpipe(xdev, 0), MCS7830_RD_BREQ,
+ 			      MCS7830_RD_BMREQ, 0x0000, index, data,
+-			      size, msecs_to_jiffies(MCS7830_CTRL_TIMEOUT));
++			      size, MCS7830_CTRL_TIMEOUT);
+ 	return ret;
+ }
+ 
+@@ -105,7 +105,7 @@ static int mcs7830_set_reg(struct usbnet
+ 
+ 	ret = usb_control_msg(xdev, usb_sndctrlpipe(xdev, 0), MCS7830_WR_BREQ,
+ 			      MCS7830_WR_BMREQ, 0x0000, index, data,
+-			      size, msecs_to_jiffies(MCS7830_CTRL_TIMEOUT));
++			      size, MCS7830_CTRL_TIMEOUT);
+ 	return ret;
+ }
+ 
diff --git a/queue-2.6.23/series b/queue-2.6.23/series
index e37bd322d4c..5ed73a4aa35 100644
--- a/queue-2.6.23/series
+++ b/queue-2.6.23/series
@@ -13,3 +13,10 @@ ipv4-raw-strengthen-check-on-validity-of-iph-ihl.patch
 sky2-xl-chksum
 sky2-1
 powerpc-change-fallocate-to-match-unistd.h-on-powerpc.patch
+x25-add-missing-x25_neigh_put.patch
+net-mcs7830-passes-msecs-instead-of-jiffies-to-usb_control_msg.patch
+net-kaweth-was-forgotten-in-msec-switchover-of-usb_start_wait_urb.patch
+irda-irda_create-nuke-user-triggable-printk.patch
+inet-fix-netdev-renaming-and-inet-address-labels.patch
+connector-don-t-touch-queue-dev-after-decrement-of-ref-count.patch
+atm-check-ip-header-validity-in-mpc_send_packet.patch
diff --git a/queue-2.6.23/x25-add-missing-x25_neigh_put.patch b/queue-2.6.23/x25-add-missing-x25_neigh_put.patch
new file mode 100644
index 00000000000..a3e9e72ea04
--- /dev/null
+++ b/queue-2.6.23/x25-add-missing-x25_neigh_put.patch
@@ -0,0 +1,81 @@
+From stable-bounces@linux.kernel.org Fri Jan 11 01:26:59 2008
+From: Julia Lawall <julia@diku.dk>
+Date: Fri, 11 Jan 2008 01:26:33 -0800 (PST)
+Subject: X25: Add missing x25_neigh_put
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.012633.207825024.davem@davemloft.net>
+
+From: Julia Lawall <julia@diku.dk>
+
+[X25]: Add missing x25_neigh_put
+
+[ Upstream commit: 76975f8a3186dae501584d0155ea410464f62815 ]
+
+The function x25_get_neigh increments a reference count.  At the point of
+the second goto out, the result of calling x25_get_neigh is only stored in
+a local variable, and thus no one outside the function will be able to
+decrease the reference count.  Thus, x25_neigh_put should be called before
+the return in this case.
+
+The problem was found using the following semantic match.
+(http://www.emn.fr/x-info/coccinelle/)
+
+// <smpl>
+
+@@
+type T,T1,T2;
+identifier E;
+statement S;
+expression x1,x2,x3;
+int ret;
+@@
+
+  T E;
+  ...
+* if ((E = x25_get_neigh(...)) == NULL)
+  S
+  ... when != x25_neigh_put(...,(T1)E,...)
+      when != if (E != NULL) { ... x25_neigh_put(...,(T1)E,...); ...}
+      when != x1 = (T1)E
+      when != E = x3;
+      when any
+  if (...) {
+    ... when != x25_neigh_put(...,(T2)E,...)
+        when != if (E != NULL) { ... x25_neigh_put(...,(T2)E,...); ...}
+        when != x2 = (T2)E
+(
+*   return;
+|
+*   return ret;
+)
+  }
+// </smpl>
+
+Signed-off-by: Julia Lawall <julia@diku.dk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/x25/x25_forward.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/x25/x25_forward.c
++++ b/net/x25/x25_forward.c
+@@ -118,13 +118,14 @@ int x25_forward_data(int lci, struct x25
+ 		goto out;
+ 
+ 	if ( (skbn = pskb_copy(skb, GFP_ATOMIC)) == NULL){
+-		goto out;
++		goto output;
+ 
+ 	}
+ 	x25_transmit_link(skbn, nb);
+ 
+-	x25_neigh_put(nb);
+ 	rc = 1;
++output:
++	x25_neigh_put(nb);
+ out:
+ 	return rc;
+ }