git.osdn.net Git - linux-kernel-docs/linux-2.4.36.git/log

[NETFILTER]: this patch fixes a compilation issue with gcc 3.4.3.

Signed-off-by: Marcus Sundberg <marcus@ingate.com>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

[MCAST]: Fix MCAST_EXCLUDE line dupes

Signed-off-by: Denis Lukianov <denis@voxelsoft.com>
Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

[IPVS]: really invalidate persistent templates

Agostino di Salle noticed that persistent templates are not
invalidated due to buggy optimization.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>

[IPVS]: ip_vs_ftp breaks connections using persistence

ip_vs_ftp when loaded can create NAT connections with unknown
client port for passive FTP. For such expectations we lookup with
cport=0 on incoming packet but it matches the format of the persistence
templates causing packets to other persistent virtual servers to be
forwarded to real server without creating connection. Later the
reply packets are treated as foreign and not SNAT-ed.

This patch changes the connection lookup for packets from
clients:

* introduce IP_VS_CONN_F_TEMPLATE connection flag to mark the
connection as template
* create new connection lookup function just for templates - ip_vs_ct_in_get
* make sure ip_vs_conn_in_get hits only connections with
IP_VS_CONN_F_NO_CPORT flag set when s_port is 0. By this way
we avoid returning template when looking for cport=0 (ftp)

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>

[TCP]: Don't over-clamp window in tcp_clamp_window()

From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>

Handle better the case where the sender sends full sized
frames initially, then moves to a mode where it trickles
out small amounts of data at a time.

This known problem is even mentioned in the comments
above tcp_grow_window() in tcp_input.c, specifically:

...
* The scheme does not work when sender sends good segments opening
* window and then starts to feed us spagetti. But it should work
* in common situations. Otherwise, we have to rely on queue collapsing.
...

When the sender gives full sized frames, the "struct sk_buff" overhead
from each packet is small. So we'll advertize a larger window.
If the sender moves to a mode where small segments are sent, this
ratio becomes tilted to the other extreme and we start overrunning
the socket buffer space.

tcp_clamp_window() tries to address this, but it's clamping of
tp->window_clamp is a wee bit too aggressive for this particular case.

Fix confirmed by Ion Badulescu.

Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] CAN-2005-0204: AMD64, allows local users to write to privileged IO ports via OUTS instruction

Description: [CAN-2005-0204]: AMD64, allows local users to write to privileged IO ports via OUTS instruction
Patch author: Suresh Siddha (suresh.b.siddha@intel.com)
Upstream status: not applied
URL: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146244
Patch source: Micah Anderson <micah@riseup.net> (debian-kernel)

Added definition of IO_BITMAP_BYTES for Debian's 2.4.27 and
submitted upstream for consideration for inclusion in 2.4 -- Horms

NFS: dprintk on -ENAMETOOLONG error handling

[PATCH] nfs client: handle long symlinks properly

In 2.4.31, the v2/3 nfs readlink accepts too long symlinks.
I have tested this by having a server return long symlinks.

diff -u linux-2.4.31.orig/fs/nfs/nfs2xdr.c linux-2.4.31/fs/nfs/nfs2xdr.c

[PATCH] Update PPPoE's configuration documentation

Following trivial patch updates the CONFIG_PPPOE options's
documentation.

o Update CONFIG_PPPOE option's documentation since ppp version
2.4.2 is already released (with PPPoE plug-in) and there is
no need a CVS checkout anymore

Signed-off-by: M.Baris Demiray <baris@labristeknoloji.com>
diff --git a/Documentation/Configure.help b/Documentation/Configure.help

[PATCH] IA64: page_not_present fault in region 5 is normal

Attached is a patch for the latest 2.4 tree
which is semantically identical to what was included in 2.6.
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=63028aa7f581d9d4e6889f9dc06ded2534250a76

Without this patch, exception handler can be unexpectedly invoked for
page-not-present fault in region 5 and cause panic etc.

Could you apply the attached patch to 2.4?
We tested the patch on 2.4.29 + linux-2.4.29-ia64-050312 patch
which is the latest version working on ia64.

Excerpt from ChangeLog-2.6.14-rc1:

When copying data from user-space to kernel-space by __copy_user(),
a page_not_present fault sometimes occurs at vmalloced kernel address
because of VHPT pre-fetching.

Ignore the page_not_present fault in ia64_do_page_fault() before
jumping into exception handlers.

Signed-off-by: Kiyoshi Ueda <k-ueda@ct.jp.nec.com>
Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
diff --git a/arch/ia64/mm/fault.c b/arch/ia64/mm/fault.c

Update VERSION to 2.4.32-rc1

[PATCH] Lost sockfd_put() in routing_ioctl()

This patch adds lost sockfd_put() in 32bit compat rounting_ioctl() on
64bit platforms

I believe this is a security issues, since user can fget() file as many
times as he wants to. So file refcounter can be overlapped and first
fput() will free resources though there will be still structures
pointing to the file, mnt, dentry etc.
Also fput() sets f_dentry and f_vfsmnt to NULL,
so other file users will OOPS.

The oops can be done under files_lock and others, so this can be an
exploitable DoS on SMP. Didn't checked it on practice actually.

Signed-Off-By: Kirill Korotaev <dev@sw.ru>
Signed-Off-By: Maxim Giryaev <gem@sw.ru>
diff --git a/arch/ppc64/kernel/ioctl32.c b/arch/ppc64/kernel/ioctl32.c

[PATCH] lost fput in 32bit ioctl on x86-64

This patch adds lost fput in 32bit tiocgdev ioctl on x86-64

I believe this is a security issues, since user can fget() file as many
times as he wants to. So file refcounter can be overlapped and first
fput() will free resources though there will be still structures
pointing to the file, mnt, dentry etc.
Also fput() sets f_dentry and f_vfsmnt to NULL,
so other file users will OOPS.

The oops can be done under files_lock and others, so this is really
exploitable DoS on SMP. Didn't checked it on practice actually.

Signed-Off-By: Kirill Korotaev <dev@sw.ru>
Signed-Off-By: Maxim Giryaev <gem@sw.ru>
diff --git a/arch/x86_64/ia32/ia32_ioctl.c b/arch/x86_64/ia32/ia32_ioctl.c

[NETFILTER]: Handle NAT module load race

When the NAT module is loaded when connections are already confirmed
it must not change their tuples anymore. This is especially important
with CONFIG_NETFILTER_DEBUG, the netfilter listhelp functions will
refuse to remove an entry from a list when it can not be found on
the list, so when a changed tuple hashes to a new bucket the entry
is kept in the list until and after the conntrack is freed.

Allocate the exact conntrack tuple for NAT for already confirmed
connections or drop them if that fails.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] Andrea Arcangeli: avoid size_buffers_type overflow

size_buffers_type array, which is an unsigned long, can overflow
on 32-bits: its perfectly possible for PAE machines to have more
than 4Gb of data mapped by buffer_head's at the same time.

Avoid that by accounting 1/512 of the real size (size >> 9).

[PATCH] i386: fix incorrect FP signal delivery

i386 floating-point exception handling has a bug that can cause error
code 0 to be sent instead of the proper code during signal delivery.

This is caused by unconditionally checking the IS and c1 bits from the
FPU status word when they are not always relevant. The IS bit tells
whether an exception is a stack fault and is only relevant when the
exception is IE (invalid operation.) The C1 bit determines whether a
stack fault is overflow or underflow and is only relevant when IS and IE
are set.

diff --git a/arch/i386/kernel/traps.c b/arch/i386/kernel/traps.c

Merge /pub/scm/linux/kernel/git/davem/net-2.4

[IPV4]: Fix negative timer loop with lots of ipv4 peers.

From: Dave Johnson <djohnson+linux-kernel@sw.starentnetworks.com>

Found this bug while doing some scaling testing that created 500K inet
peers.

peer_check_expire() in net/ipv4/inetpeer.c isn't using inet_peer_gc_mintime
correctly and will end up creating an expire timer with less than the
minimum duration, and even zero/negative if enough active peers are
present.

If >65K peers, the timer will be less than inet_peer_gc_mintime, and with
>70K peers, the timer duration will reach zero and go negative.

The timer handler will continue to schedule another zero/negative timer in
a loop until peers can be aged. This can continue for at least a few
minutes or even longer if the peers remain active due to arriving packets
while the loop is occurring.

Bug is present in both 2.4 and 2.6. Same patch will apply to both just
fine.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

[SPARC64]: Use vmalloc() in do_netfilter_replace()

Otherwise the number of rules one can upload into the kernel
is severely limited.

Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] cciss 2.4.60

This patch
        1) adds support for next series of Smart Array contollers.
        2) bumps version to 2.4.60.
        3) changes our copyright dates.
        4) adds code to bind to any HP controller with a cciss signature.
Built against 2.4.31. Please consider this for inclusion.

Signed-off-by: Mike Miller
Documentation/cciss.txt |    6 ++++
drivers/block/cciss.c   |   60 ++++++++++++++++++++++++++++++++++++++----------
include/linux/pci_ids.h |    4 +++
3 files changed, 57 insertions(+), 13 deletions(-)

[IPV6]: Route events reported with wrong netlink PID and seq number

Attached is backport of patch from jamal already in the 2.6 kernel -
It would be very nice to see it in the 2.4 kernel as well, as I keep
receiving reports from users that "Quagga IPv6 is broken with 2.4 kernel".

Signed-off-by: David S. Miller <davem@davemloft.net>

Revert unnecessary arch/ppc64/boot/zlib.c

It turns out that empty distance code tables are not an error, and that
a compressed block with only literals can validly have an empty table
and should not be flagged as a data error.

Some old versions of gzip had problems with this case, but it does not
affect the zlib code in the kernel.

Analysis and explanations thanks to Sergey Vlasov <vsu@altlinux.ru>

Revert unnecessary zlib_inflate/inftress.c fix

It turns out that empty distance code tables are not an error, and that
a compressed block with only literals can validly have an empty table
and should not be flagged as a data error.

Some old versions of gzip had problems with this case, but it does not
affect the zlib code in the kernel.

Analysis and explanations thanks to Sergey Vlasov <vsu@altlinux.ru>

[PATCH] Remove isofs useless unsigned " < 0" comparison

This patch fix gcc-3.4 warnings by remove useless "if (ivalue < 0)"
comparison.

[PATCH] update lm_sensors mailing list address

The lm_sensors project changed mailing lists.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] isofs driver ignore parameters

It seems that Alexander Pytlev's original (simple) patch was correct.

Without it the logic looks a bit like this.

while (...) {
if iocharset
...
else if map
...
if session
...
if sbsector
...
else if check
...
...
else
return 1;
}

Now, if iocharset, map or session are matched, then none of the if or
else if clauses under sbsector will match (that is none of these clauses
match iocharset, map or session), and thus the else clause will be hit,
and the function will return 1 without parsing any furhter options.

With Alexander's fix, the if session and if sbsector clauses
become else if, and its easy to see that the return 1 won't
be premeturely called.

I have tested that this patch works using the testcase options
iocharset=koi8-r,gid=100, and checking that gid is set correctly
with the patch, and incorrectly without.

Here is the patch and signoff again, just for the record.
I will send a second patch to clean up the *value = 0 code
that Marcelo cast concerns over - its bogus but harmless.

Signed-off-by: Horms <horms@verge.net.au>

Change VERSION to v2.4.32-pre3

[PATCH] fix potential NULL dereferences in several serial driver methods (Julien Tinnes)

These patches from Julien Tinnes fix *potential* NULL dereferences in several
serial drivers. Although their known callers can't pass NULL, we cannot tell
about unknown callers (non-mainline patches), so it's safer to check.

Change VERSION to v2.4.32-pre2

[PATCH] PATCH: Fix outstanding gzip/zlib security issues

commit 243393c90f2b7cb781fd794e22786e9c8547901a
Add fakey 'deflateBound()' function to the in-kernel zlib routines

It's not the real deflateBound() in newer zlib libraries, partly because
the upcoming usage of it won't have the "stream" available, so we can't
have the same interfaces anyway.

commit fab5a60a29f98f17256a4183e34a414f6db67569
This uses the new deflateBound() thing to sanity-check the input to the
zlib decompressor before we even bother to start reading in the blocks.

Problem noted by Tim Yamin <plasmaroo@gentoo.org>
author Linus Torvalds <torvalds@g5.osdl.org>

[PATCH] fix oops when starting md multipath 2.4 kernel

The device major/minor numbers no longer match up values recorded in the
descriptor array in the md superblock. Because of the exception made in
the current code, the descriptor entries are removed and although the
real devices are present and accounted for, they are kicked out from
the array. This leaves the array with zero devices. When multipath_run()
is invoked, it blows up expecting to have had some disks.

Lars Marowsky-Bree suggested some patches for md multipath in 2002 but
never made it to mainline 2.4 kernel:

http://marc.theaimsgroup.com/?l=3Dlinux-kernel&m=3D103355467608953&w=3D=2
That patch is large and most of it is not requried for this particular
problem. The section that reinitializes the descriptor array from
current rdevs for the case of multipath will resolve this issue of
device names shift.

[PATCH] Fix Alpha AXP Cabriolet build

This humble acolyte runs a couple of ancient Alpha AXP 21064 boxes (using
Debian Sarge), and recently when upgrading the kernel from 2.4.18 to
2.4.31 (compiling vanilla sources off of www.kernel.org) I found that the
build would fail when linking the kernel binary. The error was an
unresolved reference to:

ns87312_enable_ide()

The Alpha variant used was "Cabriolet." The Cabriolet's are rather old,
circa 1995 or '96, motherboards based around the 21064, so I doubt that
there are many of them still running, but I like mine just the same ;-)

Anyhow, a simple one line fix to the arch/alpha/kernel/Makefile solves
this problem (patch file is attached). I've also attached the config file
I used for the build, as well as the boot messages from the kernel built
after the patch was applied.

[PATCH] fix RedBlackTree rb_next/rb_prev functions

I have found a bug in the source of rbtree.c file in /lib. In Kernel 2.6 it's
ok, but 2.4.31 has this error.

We try to use it with the jffs2 source code and only with this fix it work's
fine.

Signed-off-by: Marcelo Tosatti <marcelo.tosatti@cyclades.com>

[PATCH] Revert USB UHCI changes

On Thu, 28 Jul 2005, Johannes Erdfelt wrote:

> Am I missing something here? We're certainly adding TDs to the schedule, so
> why is this patch setting the QH bit?

This is pretty embarrassing.  I didn't realize that the 2.4 driver uses
TDs to mark interrupt queues.  (2.6 uses QHs, which makes more sense.)
Of course, if I had done better testing the problem would have shown up
right away.

So please accept my apology, the UHCI part of that patch was completely
wrong.  Below is another patch to revert it.  The lesson is clear -- from
now on I'll leave the 2.4 driver alone!

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>

[PATCH] Fix XTEA implementation

The XTEA implementation was incorrect due to a misinterpretation of
operator precedence. Because of the wide-spread nature of this
error, the erroneous implementation will be kept, albeit under the
new name of XETA.

Signed-off-by: Aaron Grothe <ajgrothe@yahoo.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

[PATCH] Remove bogus declaration of ipt_mutex

Fix compiler error (gcc-4.0) for bogus declaration of ipt_mutex

Signed-off-by: Harald Welte <laforge@netfilter.org>
diff -Nru linux-2.4.31/include/linux/netfilter_ipv4/ip_tables.h linux-2.4.32-pre2/include/linux/netfilter_ipv4/ip_tables.h

[PATCH] Fix incorrect Asus k7m irq router detection

Here is 2.4 version of a patch submitted earlier for 2.6 by Giancarlo
Formicuccia.

this patch:
http://marc.theaimsgroup.com/?l=bk-commits-head&m=111955644929114&w=2
uncovered a k7m bios bug, where the VT82C686A router is reported as
being "586-compatible". The two chips have different pirq mapping, so
this leads to "irq routing conflict" on many pci devices.

Patch for 2.4.32-pre2

Signed-off-by: Aleksey Gorelov <aleksey_gorelov@phoenix.com>
diff --git a/arch/i386/kernel/pci-irq.c b/arch/i386/kernel/pci-irq.c

[PATCH] ppc32: stop misusing ntps time_offset value

v2.4 backport

Signed-off-by: Horms <horms@verge.net.au>
From: john stultz <johnstul@us.ibm.com>
Date: Fri, 1 Jul 2005 05:08:54 +0000 (+1000)
Subject: [PATCH] ppc32: stop misusing ntps time_offset value
X-Git-Tag: v2.6.12.3
X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/gregkh/linux-2.6.12.y.git;a=commitdiff;h=8f399a7448e0b58eae969426f61b7e81d55d2639

  [PATCH] ppc32: stop misusing ntps time_offset value

  As part of my timeofday rework, I've been looking at the NTP code and I
  noticed that the PPC architecture is apparently misusing the NTP's
  time_offset (it is a terrible name!) value as some form of timezone offset.

  This could cause problems when time_offset changed by the NTP code.  This
  patch changes the PPC code so it uses a more clear local variable:
  timezone_offset.

Signed-off-by: John Stultz <johnstul@us.ibm.com>
Acked-by: Tom Rini <trini@kernel.crashing.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

[PATCH] i810_audio: use MMIO on systems that support it

Use MMIO accesses for devices that support it. This also enables
MMIO-only configurations.

Acked-by: Jeff Garzik <jgarzik@pobox.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

[PATCH] i810_audio: offset LVI from CIV to avoid stalled start

Offset LVI past CIV when starting DAC/ADC in order to prevent
stalled start.

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Thomas Voegtle <tv@lio96.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

[PATCH] megaraid2 v2.10.10.1

This patch contains accumulated changes over the time.

Description of the changes.
### Version 2.10.10.1
Thu Jan 27 15:59:59 EDT 2005 - Seokmann Ju <sju@lsil.com>
1. There was a bug in the 'megadev_ioctl()' function that cause random
deletion error and has been fixed.

### Version 2.10.10.0
Fri Jan 21 15:59:59 EDT 2005 - Seokmann Ju <sju@lsil.com>
1. Fixed Tape drive issue : For any Direct CDB command to physical
device including tape, timeout value set by driver was 10 minutes. With
this value, most of command will return within timeout. However, for
those command like ERASE or FORMAT, it takes more than an hour depends
on capacity of the device and the command could be terminated before
it completes. To address this issue, the 'timeout' field in the DCDB
command will have NO TIMEOUT (i.e., 4) value as its timeout on DCDB
command.

2. Added NEC ROMB support : NEC MegaRAID PCI Express ROMB
controller

### Version 2.10.9.0
Fri Aug 13 15:59:59 EDT 2004 - Rajesh Prabhakaran <rajeshpr@lsil.com>
1. Added Support for 64-applications : mega_ioctl function and
nitioctl_t struct where changed to accomadate 64-bit addressing.

Signed-off-by: Seokmann Ju <seokmann.ju@lsil.com>
diff -Naur old/drivers/scsi/megaraid2.c new/drivers/scsi/megaraid2.c

Merge /pub/scm/linux/kernel/git/davem/net-2.4

[NETFILTER]: Use correct byteorder in ICMP NAT

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

[NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

[NETFILTER]: Fix ip6t_LOG sit tunnel logging

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

[NETFILTER]: Restore netfilter assumption in IPv6 multicast

Netfilter assumes that skb->data == skb->nh.ipv6h

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

[NETFILTER]: Fix deadlock with ip_queue/ip6_queue

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

[NETFILTER]: Ignore PSH on SYN/ACK in ipt_unclean

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

Merge ... /linux/kernel/git/davem/net-2.4.git

[IPVS]: Close race conditions on ip_vs_conn_tab list modification

In an smp system, it is possible for an connection timer to expire, calling
ip_vs_conn_expire while the connection table is being flushed, before
ct_write_lock_bh is acquired.

Since the list iterator loop in ip_vs_con_flush releases and re-acquires the
spinlock (even though it doesn't re-enable softirqs), it is possible for the
expiration function to modify the connection list, while it is being traversed
in ip_vs_conn_flush.

The result is that the next pointer gets set to NULL, and subsequently
dereferenced, resulting in an oops.

Signed-off-by: Neil Horman <nhorman@redhat.com>
Acked-by: JulianAnastasov
Signed-off-by: David S. Miller <davem@davemloft.net>

[NETLINK]: Fix two socket hashing bugs.

1) netlink_release() should only decrement the hash entry
   count if the socket was actually hashed.

   This was causing hash->entries to underflow, which
   resulting in all kinds of troubles.

   On 64-bit systems, this would cause the following
   conditional to erroneously trigger:

err = -ENOMEM;
if (BITS_PER_LONG > 32 && unlikely(hash->entries >= UINT_MAX))
goto err;

2) netlink_autobind() needs to propagate the error return from
   netlink_insert().  Otherwise, callers will not see the error
   as they should and thus try to operate on a socket with a zero pid,
   which is very bad.

   However, it should not propagate -EBUSY.  If two threads race
   to autobind the socket, that is fine.  This is consistent with the
   autobind behavior in other protocols.

   So bug #1 above, combined with this one, resulted in hangs
   on netlink_sendmsg() calls to the rtnetlink socket.  We'd try
   to do the user sendmsg() with the socket's pid set to zero,
   later we do a socket lookup using that pid (via the value we
   stashed away in NETLINK_CB(skb).pid), but that won't give us the
   user socket, it will give us the rtnetlink socket.  So when we
   try to wake up the receive queue, we dive back into rtnetlink_rcv()
   which tries to recursively take the rtnetlink semaphore.

Thanks to Jakub Jelink for providing backtraces.  Also, thanks to
Herbert Xu for supplying debugging patches to help track this down,
and also finding a mistake in an earlier version of this fix.

Signed-off-by: David S. Miller <davem@davemloft.net>

Merge ... /linux/kernel/git/davem/sparc-2.4.git/
rsync://rsync.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.4.git/

[SPARC64]: fix sys32_utimes(somefile, NULL)

This patch fixes utimes(somefile, NULL) syscalls on sparc64 kernel with
32-bit userland - use of uninitialized value resulted in making random
timestamps, which confused e.g. sudo.
It has been already fixed (by davem) in linux-2.6 tree 30 months ago.

Signed-off-by: Jakub Bogusz <qboosh@pld-linux.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

The gzip description is as good as the ChangeLog says it is -: "Set n to
length of v, to detect improper tables" and "Don't accidentally grow j
past z". The return 2 instead of the return 0 is so that we actually
error out if we also get inproper tables (for some reason the code
returned "OK" in such cases).

Fix outstanding security bugs in the Linux zlib implementations. See:

a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
b) http://bugs.gentoo.org/show_bug.cgi?id=94584

Signed-off-by: Tim Yamin <plasmaroo@gentoo.org>
Signed-off-by: Tavis Ormandy <taviso@gentoo.org>

[PATCH] workaround inode cache (prune_icache/__refile_inode) SMP races

Over the past couple of weeks we have seen two races in the inode cache
code. The first is between [dispose_list()] and __refile_inode() and the
second is between prune_icache() and truncate_inodes(). I posted both of
these patches but wanted to make sure they got properly reviewed and
included in RHEL3-U6.

Fixes bug 155289.

The first scenerio is:

1.) cpu0 is in __sync_one() just about to call __refile_inode() after
taking the inode_lock and clearing I_LOCK.

spin_lock(&inode_lock);
inode->i_state &= ~I_LOCK;
if (!(inode->i_state & I_FREEING))
__refile_inode(inode);
wake_up(&inode->i_wait);

2.) cpu1 is in [dispose_list()] where it has dropped the inode_lock and calls
clear_inode(). It doesnt block because
I_LOCK is clear so it sets the inode state.

void clear_inode(struct inode *inode)
{
...
wait_on_inode(inode);
...
inode->i_state = I_CLEAR;
...
}

3.) cpu0 calls __refile_inode which places is on one of the four
possible inode lists

static inline void __refile_inode(struct inode *inode)
{
if (inode->i_state & I_DIRTY)
to = &inode->i_sb->s_dirty;
else if (atomic_read(&inode->i_count))
to = &inode_in_use;
else if (inode->i_data.nrpages)
to = &inode_unused_pagecache;
else
to = &inode_unused;

list_del(&inode->i_list);
list_add(&inode->i_list, to);
}

4.) cpu1 returns from clear_inode() then calls destroy_inode() which
kmem_cache_free()s it.

static void destroy_inode(struct inode *inode)
{

if (inode->i_sb->s_op->destroy_inode)
inode->i_sb->s_op->destroy_inode(inode);
else
kmem_cache_free(inode_cachep, inode);
}

5.) at this point we have an inode that has been kmem_cache_free()'d
that is also sitting one of the lists determined by __refile_inode(),
that cant be good!!! Also, the code looks the same in RHEL4.

The second scenerio is:

CPU0 is in prune_icache() called by kswapd and CPU1 is in
invalidate_inodes() called by the auto-mount daemon.

1.) CPU0: prune_icache() sets the I_LOCK bit in an inode on the
inode_unused_pagecache list, releases the inode_lock and calls
invalidate_inode_pages.

2.) CPU1: invalidate_inodes() calls invalidate_list() for the
inode_unused_pagecache list with the node_lock held and sets the
I_FREEING bit in the inode->i_state.

3.) CPU0: prune_icache() acquires the inode_lock and clears the I_LOCK
bit in the inode->i_state.

4.) CPU1: dispose_list() calls clear_inode() without the inode_lock
held. Since the I_LOCK bit is clear, clear_inode() sets inode->i_state =
I_CLEAR, clearing the I_FREEING bit.

5.) CPU0: prune_icache() calls __refile_inode() because clear_inode()
cleared I_FREEING without holding the inode_lock. This inode that is no
longer on the inode_unused_pagecache list which results in that inode
being placed on the inode_unused list.

6.) CPU1: dispose_list() calls destroy_inode() which kmem_cache_free()s
an inode that is also on the inode_unused list.

At this point there is an inode that has been kmem_cache_free()'d and is
also on the inode_unused list.

This patch to clear_inode() acquires the inode_lock before manipulating
the inode->i_state field. This is the only place in the kernel that
manipulates the inode without holding the inode_lock.

[PATCH] file_storage and UHCI bugfixes

The patch below (as547) corrects two minor errors, one in the
file_storage gadget driver (need to send a length-zero packet if a
control response is short) and one in the alternate UHCI driver (need
to set the QH bit in the frame list). Both of these are back-ports of
things that have been in 2.6 for several releases.

Alan Stern

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>

[PATCH] usb: printer double up()

Doing a double up() is actually safe in Linux, but still, it's a bug.
This fix is present in 2.6.13-rc3.

By Domen Puncer <domen@coderock.org>
up(&usblp->sem) was called twice in a row in this code path.

libata: update to 2.6.x latest

Minor stuff:
* doc updates
* pci id updates
* new ->host_stop behavior
* fix bugs in PIO data xfer, SATA probe, large disk SCSI xlat

Revert [NETLINK]: Fix two socket hashing bugs.

I premutarely applied this fix - its not complete yet.

Revert.

Change VERSION to 2.4.32-pre1

Merge ... /pub/scm/linux/kernel/git/davem/net-2.4

[PATCH] x86-64: Enable Nvidia timer override workaround for SMP kernels too

>From Tymm Twillman

In the 2.4.30/31 kernels there is now a backport from the 2.6 kernels of
a workaround for buggy timer overrides in the ACPI tables for many
nvidia chipset based motherboards.  Unfortunately the code for this on
x86-64 based systems is conditionally compiled in only for non-SMP
kernels.  This is a patch to remove the conditional and allow the code
to be compiled in for SMP kernels as well (we've seen a number of SMP
motherboards which intermittently lock up during boot, and otherwise
sometimes seem unstable without the workaround).  Patch so far has been
tested across numerous reboots and several hours uptime.

Signed-off-by: Andi Kleen <ak@suse.de>

[PATCH] x86-64: Fix build with !CONFIG_SWIOTLB

Allow compilation without CONFIG_SWIOTLB

Pointed out by Tymm Twillman. I did the patch slightly differently
than his version.

Signed-off-by: Andi Kleen <ak@suse.de>

[PATCH] x86_64: Disable exception stack for stack faults

Stack segment faults were executed on a exception stack. But they
use the normal return path and can schedule there, but scheduling
is not allowed on a exception stack.

Just drop the exception stack for stack segment faults. This
will make some oops triple fault now, but that's better than
allowing user triggerable oops.

Double faults still have this problem, but if they happen you
have enough other problems already that this one doesn't matter
anymore.

2.6 has a more complicated fix here that actually handles
this properly, but for 2.4 the simple version is better.

Found from RedHat QA using crashme

Signed-off-by: Andi Kleen <ak@suse.de>

[PATCH] Fix canonical checking for segment registers in ptrace

Fix canonical checking for segment registers in ptrace

This avoids a local DOS where a process could oops the kernel by
passing bogus values to ptrace. Some versions of UML did this.

Found by Alexander Nyberg

Signed-off-by: Andi Kleen <ak@suse.de>

[PATCH] Check for canonical addresses in ptrace

Check for canonical addresses in ptrace

This works around a AMD bug that allows to hang the CPU by passing
illegal addresses.

Signed-off-by: Andi Kleen <ak@suse.de>

[PATCH] Fix buffer overflow in x86-64/ia64 32bit execve

Fix buffer overflow in x86-64/ia64 32bit execve

Originally noted by Ilja van Sprundel

I fixed it for both x86-64 and IA64. Other architectures
are not affected.

Signed-off-by: Andi Kleen <ak@suse.de>

[NETLINK]: Fix two socket hashing bugs.

1) netlink_release() should only decrement the hash entry
   count if the socket was actually hashed.

   This was causing hash->entries to underflow, which
   resulting in all kinds of troubles.

   On 64-bit systems, this would cause the following
   conditional to erroneously trigger:

err = -ENOMEM;
if (BITS_PER_LONG > 32 && unlikely(hash->entries >= UINT_MAX))
goto err;

2) netlink_autobind() needs to propagate the error return from
   netlink_insert().  Otherwise, callers will not see the error
   as they should and thus try to operate on a socket with a zero pid,
   which is very bad.

   So bug #1 above, combined with this one, resulted in hangs
   on netlink_sendmsg() calls to the rtnetlink socket.  We'd try
   to do the user sendmsg() with the socket's pid set to zero,
   later we do a socket lookup using that pid (via the value we
   stashed away in NETLINK_CB(skb).pid), but that won't give us the
   user socket, it will give us the rtnetlink socket.  So when we
   try to wake up the receive queue, we dive back into rtnetlink_rcv()
   which tries to recursively take the rtnetlink semaphore.

Thanks to Jakub Jelink for providing backtraces, and Herbert Xu for
debugging patches to help track this down.

Signed-off-by: David S. Miller <davem@davemloft.net>

Merge ... /linux/kernel/git/davem/sparc-2.4

[SPARC64]: Fix cmsg length checks in Solaris emulation layer.

Signed-off-by: David S. Miller <davem@davemloft.net>

[SPARC64]: Fix conflicting __bzero_noasi() prototypes.

Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] update netdev address

Change the address of netdev in 2.4 also.

[PATCH] newer i386/x86_64 assemblers prohibit instructions for moving between a seg register and a 32bit location

The new i386/x86_64 assemblers no longer accept instructions for moving
between a segment register and a 32bit memory location, i.e.,

        movl (%eax),%ds
        movl %ds,(%eax)

To generate instructions for moving between a segment register and a
16bit memory location without the 16bit operand size prefix, 0x66,

        mov (%eax),%ds
        mov %ds,(%eax)

should be used. It will work with both new and old assemblers. The
assembler starting from 2.16.90.0.1 will also support

        movw (%eax),%ds
        movw %ds,(%eax)

without the 0x66 prefix. I am enclosing patches for 2.4 and 2.6 kernels
here. The resulting kernel binaries should be unchanged as before, with
old and new assemblers, if gcc never generates memory access for

               unsigned gsindex;
               asm volatile("movl %%gs,%0" : "=g" (gsindex));

If gcc does generate memory access for the code above, the upper bits
in gsindex are undefined and the new assembler doesn't allow it.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] USB 2.4.31: ftdi_sio fixes

These are 7 fixes that Ian Abbott sent me in 2.4.31 frame and which were
delayed while 2.4.31 stabilized.

- A big batch of new IDs, backported from 2.6; with renamed CANview
- Change the message about zero length write to warning
- Fix custom baud bases (by Rogier Wolff)
- Unregister user-specified tables, or else we oops on rmmod
- Actually initialize user-specified devices, using FT8U232AM template
- Add ID for UM100 (by Armin Laugher)
- Restore RTS and DTR after B0 (originally by Nathan Croy)

[PATCH] Claim i_alloc_sem while changing file size in nfsd

nfsd should hold i_alloc_sem while calling notify_change
with ATTR_SIZE set, just like do_truncate does.

From: Oleg Drokin <green@linuxhacker.ru>
Signed-off-by: Neil Brown <neilb@cse.unsw.edu.au>
### Diffstat output
./fs/nfsd/vfs.c | 2 ++
1 files changed, 2 insertions(+)

diff ./fs/nfsd/vfs.c~current~ ./fs/nfsd/vfs.c

[PATCH] Don't drop setuid on directories when ownership changed by NFSd

..as setuid means something totally different on directories.

Signed-off-by: Neil Brown <neilb@cse.unsw.edu.au>
diff ./fs/nfsd/vfs.c~current~ ./fs/nfsd/vfs.c

[PATCH] Fix" introduced in 2.4.27pre2 for bluetooth hci_usb race causes kernel hang

> I have noticed a problem with a race condition fix introduced in
> 2.4.27-pre2 that causes the kernel to hang when disconnecting a
> Bluetooth USB dongle or doing 'hciconfig hci0 down'. No message is
> printed, the kernel just doesn't respond anymore.

if this works then we should do the same change in the bfusb driver. A
patch that fixes both drivers is attached.

initial v2.4 GIT import