some 2.6.22 patches added to the queue
authorGreg Kroah-Hartman <gregkh@suse.de>
Wed, 10 Oct 2007 19:18:22 +0000 (12:18 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Wed, 10 Oct 2007 19:18:22 +0000 (12:18 -0700)
queue-2.6.22/fix-cls_u32-error-return-handling.patch [new file with mode: 0644]
queue-2.6.22/fix-esp-host-instance-numbering.patch [new file with mode: 0644]
queue-2.6.22/fix-ieee80211-handling-of-bogus-hdrlength-field.patch [new file with mode: 0644]
queue-2.6.22/fix-ipv6-redirect-processing-leads-to-tahi-failures.patch [new file with mode: 0644]
queue-2.6.22/fix-rose-module-unload-oops.patch [new file with mode: 0644]
queue-2.6.22/fix-some-cases-of-missed-ipv6-dad.patch [new file with mode: 0644]
queue-2.6.22/series [new file with mode: 0644]

diff --git a/queue-2.6.22/fix-cls_u32-error-return-handling.patch b/queue-2.6.22/fix-cls_u32-error-return-handling.patch
new file mode 100644 (file)
index 0000000..4b53659
--- /dev/null
@@ -0,0 +1,31 @@
+From stable-bounces@linux.kernel.org Wed Oct 10 03:10:54 2007
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+Date: Wed, 10 Oct 2007 03:10:39 -0700 (PDT)
+Subject: Fix cls_u32 error return handling.
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20071010.031039.98861895.davem@davemloft.net>
+
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+
+changeset bf1b803b01b00c3801e0aa373ba0305f8278e260 from mainline.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sched/cls_u32.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/cls_u32.c
++++ b/net/sched/cls_u32.c
+@@ -518,7 +518,7 @@ static int u32_set_parms(struct tcf_prot
+ #ifdef CONFIG_NET_CLS_IND
+       if (tb[TCA_U32_INDEV-1]) {
+-              int err = tcf_change_indev(tp, n->indev, tb[TCA_U32_INDEV-1]);
++              err = tcf_change_indev(tp, n->indev, tb[TCA_U32_INDEV-1]);
+               if (err < 0)
+                       goto errout;
+       }
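Review bot: The patch description gives only the mainline changeset id and never says what was wrong, which makes this one-line change hard to audit in a stable queue. From the hunk, the removed `int err` was declared inside the `if` block, so it presumably shadowed a function-scope `err` declared outside the hunk, and `goto errout` then returned the outer value instead of the tcf_change_indev() failure. A changelog sentence such as `tcf_change_indev() failures were stored in a block-local err, so u32_set_parms() did not return them` would record that. u32_set_parms() starts and ends outside the hunk, so the outer declaration should be confirmed against the 2.6.22 tree.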
diff --git a/queue-2.6.22/fix-esp-host-instance-numbering.patch b/queue-2.6.22/fix-esp-host-instance-numbering.patch
new file mode 100644 (file)
index 0000000..90ceec1
--- /dev/null
@@ -0,0 +1,43 @@
+From stable-bounces@linux.kernel.org Wed Oct 10 03:09:27 2007
+From: David Miller <davem@davemloft.net>
+Date: Wed, 10 Oct 2007 03:09:12 -0700 (PDT)
+Subject: Fix ESP host instance numbering.
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20071010.030912.107685079.davem@davemloft.net>
+
+From: David Miller <davem@davemloft.net>
+
+changeset ff4abd6cfacf0bb23a077f615d3a5cd17359db1b in mainline.
+
+The ESP scsi driver does not initialize the host controller
+instance early enough, so the messages in the log confuse
+users.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/esp_scsi.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/esp_scsi.c
++++ b/drivers/scsi/esp_scsi.c
+@@ -2318,6 +2318,7 @@ int __devinit scsi_esp_register(struct e
+       esp->host->transportt = esp_transport_template;
+       esp->host->max_lun = ESP_MAX_LUN;
+       esp->host->cmd_per_lun = 2;
++      esp->host->unique_id = instance;
+       esp_set_clock_params(esp);
+@@ -2341,7 +2342,7 @@ int __devinit scsi_esp_register(struct e
+       if (err)
+               return err;
+-      esp->host->unique_id = instance++;
++      instance++;
+       scsi_scan_host(esp->host);
diff --git a/queue-2.6.22/fix-ieee80211-handling-of-bogus-hdrlength-field.patch b/queue-2.6.22/fix-ieee80211-handling-of-bogus-hdrlength-field.patch
new file mode 100644 (file)
index 0000000..6516117
--- /dev/null
@@ -0,0 +1,60 @@
+From stable-bounces@linux.kernel.org Wed Oct 10 03:13:13 2007
+From: John W. Linville <linville@tuxdriver.com>
+Date: Wed, 10 Oct 2007 03:12:57 -0700 (PDT)
+Subject: Fix ieee80211 handling of bogus hdrlength field
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20071010.031257.26966233.davem@davemloft.net>
+
+From: John W. Linville <linville@tuxdriver.com>
+
+changeset 04045f98e0457aba7d4e6736f37eed189c48a5f7 from mainline
+
+Reported by Chris Evans <scarybeasts@gmail.com>:
+
+> The summary is that an evil 80211 frame can crash out a victim's
+> machine. It only applies to drivers using the 80211 wireless code, and
+> only then to certain drivers (and even then depends on a card's
+> firmware not dropping a dubious packet). I must confess I'm not
+> keeping track of Linux wireless support, and the different protocol
+> stacks etc.
+>
+> Details are as follows:
+>
+> ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
+> There are other skb->len checks, but not enough to prevent a subtle
+> off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag
+> set.
+>
+> This leads to integer underflow and crash here:
+>
+> if (frag != 0)
+>    flen -= hdrlen;
+>
+> (flen is subsequently used as a memcpy length parameter).
+
+How about this?
+
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ieee80211/ieee80211_rx.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ieee80211/ieee80211_rx.c
++++ b/net/ieee80211/ieee80211_rx.c
+@@ -366,6 +366,12 @@ int ieee80211_rx(struct ieee80211_device
+       frag = WLAN_GET_SEQ_FRAG(sc);
+       hdrlen = ieee80211_get_hdrlen(fc);
++      if (skb->len < hdrlen) {
++              printk(KERN_INFO "%s: invalid SKB length %d\n",
++                      dev->name, skb->len);
++              goto rx_dropped;
++      }
++
+       /* Put this code here so that we avoid duplicating it in all
+        * Rx paths. - Jean II */
+ #ifdef CONFIG_WIRELESS_EXT
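Review bot: The added `printk(KERN_INFO ...)` in ieee80211_rx() fires once for every undersized frame, and because those frames arrive over the air, a remote sender can fill the kernel log with it. The message should be rate-limited or demoted to a debug level. For example, `if (net_ratelimit()) printk(KERN_INFO "%s: invalid SKB length %u\n", dev->name, skb->len);` keeps the diagnostic while bounding log volume, and `%u` matches the unsigned `skb->len`. ieee80211_rx() starts and ends outside this hunk, so whether the `rx_dropped` path already counts the drop cannot be confirmed from here.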
diff --git a/queue-2.6.22/fix-ipv6-redirect-processing-leads-to-tahi-failures.patch b/queue-2.6.22/fix-ipv6-redirect-processing-leads-to-tahi-failures.patch
new file mode 100644 (file)
index 0000000..edd5158
--- /dev/null
@@ -0,0 +1,85 @@
+From stable-bounces@linux.kernel.org Wed Oct 10 03:19:18 2007
+From: Brian Haley <brian.haley@hp.com>
+Date: Wed, 10 Oct 2007 03:19:06 -0700 (PDT)
+Subject: Fix ipv6 redirect processing, leads to TAHI failures.
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20071010.031906.13770851.davem@davemloft.net>
+
+
+From: Brian Haley <brian.haley@hp.com>
+
+changeset bf0b48dfc368c07c42b5a3a5658c8ee81b4283ac from mainline.
+
+When the ICMPv6 Target address is multicast, Linux processes the
+redirect instead of dropping it.  The problem is in this code in
+ndisc_redirect_rcv():
+
+         if (ipv6_addr_equal(dest, target)) {
+                 on_link = 1;
+         } else if (!(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) {
+                 ND_PRINTK2(KERN_WARNING
+                            "ICMPv6 Redirect: target address is not
+link-local.\n");
+                 return;
+         }
+
+This second check will succeed if the Target address is, for example,
+FF02::1 because it has link-local scope.  Instead, it should be checking
+if it's a unicast link-local address, as stated in RFC 2461/4861 Section
+8.1:
+
+       - The ICMP Target Address is either a link-local address (when
+         redirected to a router) or the same as the ICMP Destination
+         Address (when redirected to the on-link destination).
+
+I know this doesn't explicitly say unicast link-local address, but it's
+implied.
+
+This bug is preventing Linux kernels from achieving IPv6 Logo Phase II
+certification because of a recent error that was found in the TAHI test
+suite - Neighbor Disovery suite test 206 (v6LC.2.3.6_G) had the
+multicast address in the Destination field instead of Target field, so
+we were passing the test.  This won't be the case anymore.
+
+The patch below fixes this problem, and also fixes ndisc_send_redirect()
+to not send an invalid redirect with a multicast address in the Target
+field.  I re-ran the TAHI Neighbor Discovery section to make sure Linux
+passes all 245 tests now.
+
+Signed-off-by: Brian Haley <brian.haley@hp.com>
+Acked-by: David L Stevens <dlstevens@us.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ndisc.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1268,9 +1268,10 @@ static void ndisc_redirect_rcv(struct sk
+       if (ipv6_addr_equal(dest, target)) {
+               on_link = 1;
+-      } else if (!(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) {
++      } else if (ipv6_addr_type(target) !=
++                 (IPV6_ADDR_UNICAST|IPV6_ADDR_LINKLOCAL)) {
+               ND_PRINTK2(KERN_WARNING
+-                         "ICMPv6 Redirect: target address is not link-local.\n");
++                         "ICMPv6 Redirect: target address is not link-local unicast.\n");
+               return;
+       }
+@@ -1344,9 +1345,9 @@ void ndisc_send_redirect(struct sk_buff 
+       }
+       if (!ipv6_addr_equal(&ipv6_hdr(skb)->daddr, target) &&
+-          !(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) {
++          ipv6_addr_type(target) != (IPV6_ADDR_UNICAST|IPV6_ADDR_LINKLOCAL)) {
+               ND_PRINTK2(KERN_WARNING
+-                      "ICMPv6 Redirect: target address is not link-local.\n");
++                      "ICMPv6 Redirect: target address is not link-local unicast.\n");
+               return;
+       }
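Review bot: The new test in ndisc_redirect_rcv() compares `ipv6_addr_type(target)` for exact equality with `(IPV6_ADDR_UNICAST|IPV6_ADDR_LINKLOCAL)`, so it is correct only while no other type bit is ever set for a link-local unicast address, and nothing in the hunk documents that assumption. A comment above the condition such as `/* exact match: a link-local multicast target such as ff02::1 must be rejected (RFC 4861 8.1) */` would make the intent clear to the next reader. The same condition is repeated in the ndisc_send_redirect() hunk with different line wrapping; a small static helper shared by both sites would keep the receive and send checks from drifting apart. Both functions start and end outside their hunks.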
diff --git a/queue-2.6.22/fix-rose-module-unload-oops.patch b/queue-2.6.22/fix-rose-module-unload-oops.patch
new file mode 100644 (file)
index 0000000..41d1a51
--- /dev/null
@@ -0,0 +1,144 @@
+From stable-bounces@linux.kernel.org Wed Oct 10 03:20:17 2007
+From: Alexey Dobriyan <adobriyan@gmail.com>
+Date: Wed, 10 Oct 2007 03:20:01 -0700 (PDT)
+Subject: Fix ROSE module unload oops.
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20071010.032001.75763214.davem@davemloft.net>
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+changeset 891e6a931255238dddd08a7b306871240961a27f from mainline.
+
+Commit a3d384029aa304f8f3f5355d35f0ae274454f7cd aka
+"[AX.25]: Fix unchecked rose_add_loopback_neigh uses"
+transformed rose_loopback_neigh var into statically allocated one.
+However, on unload it will be kfree's which can't work.
+
+Steps to reproduce:
+
+       modprobe rose
+       rmmod rose
+
+BUG: unable to handle kernel NULL pointer dereference at virtual address 00000008
+ printing eip:
+c014c664
+*pde = 00000000
+Oops: 0000 [#1]
+PREEMPT DEBUG_PAGEALLOC
+Modules linked in: rose ax25 fan ufs loop usbhid rtc snd_intel8x0 snd_ac97_codec ehci_hcd ac97_bus uhci_hcd thermal usbcore button processor evdev sr_mod cdrom
+CPU:    0
+EIP:    0060:[<c014c664>]    Not tainted VLI
+EFLAGS: 00210086   (2.6.23-rc9 #3)
+EIP is at kfree+0x48/0xa1
+eax: 00000556   ebx: c1734aa0   ecx: f6a5e000   edx: f7082000
+esi: 00000000   edi: f9a55d20   ebp: 00200287   esp: f6a5ef28
+ds: 007b   es: 007b   fs: 0000  gs: 0033  ss: 0068
+Process rmmod (pid: 1823, ti=f6a5e000 task=f7082000 task.ti=f6a5e000)
+Stack: f9a55d20 f9a5200c 00000000 00000000 00000000 f6a5e000 f9a5200c f9a55a00
+       00000000 bf818cf0 f9a51f3f f9a55a00 00000000 c0132c60 65736f72 00000000
+       f69f9630 f69f9528 c014244a f6a4e900 00200246 f7082000 c01025e6 00000000
+Call Trace:
+ [<f9a5200c>] rose_rt_free+0x1d/0x49 [rose]
+ [<f9a5200c>] rose_rt_free+0x1d/0x49 [rose]
+ [<f9a51f3f>] rose_exit+0x4c/0xd5 [rose]
+ [<c0132c60>] sys_delete_module+0x15e/0x186
+ [<c014244a>] remove_vma+0x40/0x45
+ [<c01025e6>] sysenter_past_esp+0x8f/0x99
+ [<c012bacf>] trace_hardirqs_on+0x118/0x13b
+ [<c01025b6>] sysenter_past_esp+0x5f/0x99
+ =======================
+Code: 05 03 1d 80 db 5b c0 8b 03 25 00 40 02 00 3d 00 40 02 00 75 03 8b 5b 0c 8b 73 10 8b 44 24 18 89 44 24 04 9c 5d fa e8 77 df fd ff <8b> 56 08 89 f8 e8 84 f4 fd ff e8 bd 32 06 00 3b 5c 86 60 75 0f
+EIP: [<c014c664>] kfree+0x48/0xa1 SS:ESP 0068:f6a5ef28
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/rose.h       |    2 +-
+ net/rose/rose_loopback.c |    4 ++--
+ net/rose/rose_route.c    |   15 ++++++++++-----
+ 3 files changed, 13 insertions(+), 8 deletions(-)
+
+--- a/include/net/rose.h
++++ b/include/net/rose.h
+@@ -188,7 +188,7 @@ extern void rose_kick(struct sock *);
+ extern void rose_enquiry_response(struct sock *);
+ /* rose_route.c */
+-extern struct rose_neigh rose_loopback_neigh;
++extern struct rose_neigh *rose_loopback_neigh;
+ extern const struct file_operations rose_neigh_fops;
+ extern const struct file_operations rose_nodes_fops;
+ extern const struct file_operations rose_routes_fops;
+--- a/net/rose/rose_loopback.c
++++ b/net/rose/rose_loopback.c
+@@ -79,7 +79,7 @@ static void rose_loopback_timer(unsigned
+               skb_reset_transport_header(skb);
+-              sk = rose_find_socket(lci_o, &rose_loopback_neigh);
++              sk = rose_find_socket(lci_o, rose_loopback_neigh);
+               if (sk) {
+                       if (rose_process_rx_frame(sk, skb) == 0)
+                               kfree_skb(skb);
+@@ -88,7 +88,7 @@ static void rose_loopback_timer(unsigned
+               if (frametype == ROSE_CALL_REQUEST) {
+                       if ((dev = rose_dev_get(dest)) != NULL) {
+-                              if (rose_rx_call_request(skb, dev, &rose_loopback_neigh, lci_o) == 0)
++                              if (rose_rx_call_request(skb, dev, rose_loopback_neigh, lci_o) == 0)
+                                       kfree_skb(skb);
+                       } else {
+                               kfree_skb(skb);
+--- a/net/rose/rose_route.c
++++ b/net/rose/rose_route.c
+@@ -45,7 +45,7 @@ static DEFINE_SPINLOCK(rose_neigh_list_l
+ static struct rose_route *rose_route_list;
+ static DEFINE_SPINLOCK(rose_route_list_lock);
+-struct rose_neigh rose_loopback_neigh;
++struct rose_neigh *rose_loopback_neigh;
+ /*
+  *    Add a new route to a node, and in the process add the node and the
+@@ -362,7 +362,12 @@ out:
+  */
+ void rose_add_loopback_neigh(void)
+ {
+-      struct rose_neigh *sn = &rose_loopback_neigh;
++      struct rose_neigh *sn;
++
++      rose_loopback_neigh = kmalloc(sizeof(struct rose_neigh), GFP_KERNEL);
++      if (!rose_loopback_neigh)
++              return;
++      sn = rose_loopback_neigh;
+       sn->callsign  = null_ax25_address;
+       sn->digipeat  = NULL;
+@@ -417,13 +422,13 @@ int rose_add_loopback_node(rose_address 
+       rose_node->mask         = 10;
+       rose_node->count        = 1;
+       rose_node->loopback     = 1;
+-      rose_node->neighbour[0] = &rose_loopback_neigh;
++      rose_node->neighbour[0] = rose_loopback_neigh;
+       /* Insert at the head of list. Address is always mask=10 */
+       rose_node->next = rose_node_list;
+       rose_node_list  = rose_node;
+-      rose_loopback_neigh.count++;
++      rose_loopback_neigh->count++;
+ out:
+       spin_unlock_bh(&rose_node_list_lock);
+@@ -454,7 +459,7 @@ void rose_del_loopback_node(rose_address
+       rose_remove_node(rose_node);
+-      rose_loopback_neigh.count--;
++      rose_loopback_neigh->count--;
+ out:
+       spin_unlock_bh(&rose_node_list_lock);
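Review bot: In rose_add_loopback_neigh() the new `kmalloc()` failure path simply returns from a void function, leaving `rose_loopback_neigh` NULL. rose_add_loopback_node() and rose_del_loopback_node() then dereference it (`rose_loopback_neigh->count++` / `--`) with no NULL check visible in these hunks. The failure should be propagated to the module init path, for example by making the function return an int, or the users should check the pointer before use. Separately, the old object lived in static storage and was zero-initialised, whereas `kmalloc()` returns uninitialised memory. Unless every field is assigned in the part of the function outside the hunk, `kzalloc(sizeof(*rose_loopback_neigh), GFP_KERNEL)` is the safer call.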
diff --git a/queue-2.6.22/fix-some-cases-of-missed-ipv6-dad.patch b/queue-2.6.22/fix-some-cases-of-missed-ipv6-dad.patch
new file mode 100644 (file)
index 0000000..db29b7a
--- /dev/null
@@ -0,0 +1,77 @@
+From stable-bounces@linux.kernel.org Wed Oct 10 03:16:42 2007
+From: Mitsuru Chinen <mitch@linux.vnet.ibm.com>
+Date: Wed, 10 Oct 2007 03:16:26 -0700 (PDT)
+Subject: Fix some cases of missed IPV6 DAD
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20071010.031626.52166762.davem@davemloft.net>
+
+From: Mitsuru Chinen <mitch@linux.vnet.ibm.com>
+
+changeset 0fcace22d38ce9216f5ba52f929a99d284aa7e49 from mainline
+
+To judge the timing for DAD, netif_carrier_ok() is used. However,
+there is a possibility that dev->qdisc stays noop_qdisc even if
+netif_carrier_ok() returns true. In that case, DAD NS is not sent out.
+We need to defer the IPv6 device initialization until a valid qdisc
+is specified.
+
+Signed-off-by: Mitsuru Chinen <mitch@linux.vnet.ibm.com>
+Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/addrconf.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -73,6 +73,7 @@
+ #include <net/tcp.h>
+ #include <net/ip.h>
+ #include <net/netlink.h>
++#include <net/pkt_sched.h>
+ #include <linux/if_tunnel.h>
+ #include <linux/rtnetlink.h>
+@@ -212,6 +213,12 @@ static struct ipv6_devconf ipv6_devconf_
+ const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT;
+ const struct in6_addr in6addr_loopback = IN6ADDR_LOOPBACK_INIT;
++/* Check if a valid qdisc is available */
++static inline int addrconf_qdisc_ok(struct net_device *dev)
++{
++      return (dev->qdisc != &noop_qdisc);
++}
++
+ static void addrconf_del_timer(struct inet6_ifaddr *ifp)
+ {
+       if (del_timer(&ifp->timer))
+@@ -376,7 +383,7 @@ static struct inet6_dev * ipv6_add_dev(s
+       }
+ #endif
+-      if (netif_running(dev) && netif_carrier_ok(dev))
++      if (netif_running(dev) && addrconf_qdisc_ok(dev))
+               ndev->if_flags |= IF_READY;
+       ipv6_mc_init_dev(ndev);
+@@ -2269,7 +2276,7 @@ static int addrconf_notify(struct notifi
+       case NETDEV_UP:
+       case NETDEV_CHANGE:
+               if (event == NETDEV_UP) {
+-                      if (!netif_carrier_ok(dev)) {
++                      if (!addrconf_qdisc_ok(dev)) {
+                               /* device is not ready yet. */
+                               printk(KERN_INFO
+                                       "ADDRCONF(NETDEV_UP): %s: "
+@@ -2281,7 +2288,7 @@ static int addrconf_notify(struct notifi
+                       if (idev)
+                               idev->if_flags |= IF_READY;
+               } else {
+-                      if (!netif_carrier_ok(dev)) {
++                      if (!addrconf_qdisc_ok(dev)) {
+                               /* device is still not ready. */
+                               break;
+                       }
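Review bot: addrconf_qdisc_ok() is documented only as "Check if a valid qdisc is available", which does not tell a reader why it replaces netif_carrier_ok() at three call sites. A comment taken from the changelog would help, for example `/* dev->qdisc can still be noop_qdisc after carrier is up, in which case the DAD NS is never sent; treat the device as ready only once a real qdisc is attached */`. The helper only reads through `dev`, so the parameter could be `const struct net_device *dev`. The `printk` in the NETDEV_UP branch continues outside the hunk, so its text should be checked to confirm it still describes the condition now being tested.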
diff --git a/queue-2.6.22/series b/queue-2.6.22/series
new file mode 100644 (file)
index 0000000..4ab1aaa
--- /dev/null
@@ -0,0 +1,6 @@
+fix-esp-host-instance-numbering.patch
+fix-cls_u32-error-return-handling.patch
+fix-ieee80211-handling-of-bogus-hdrlength-field.patch
+fix-some-cases-of-missed-ipv6-dad.patch
+fix-ipv6-redirect-processing-leads-to-tahi-failures.patch
+fix-rose-module-unload-oops.patch