git.osdn.net Git - linux-kernel-docs/linux-2.4.36.git/log

[MAINTAINERS]: update e1000 maintainers

Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Auke Kok <auke-jan.h.kok@intel.com>

e1000: integrate latest 2.4 linux driver

This updates the e1000 driver to our out-of-tree equivalent of 7.3.20.
This adds support for several new pieces of e100 hardware, including
quad-port 82571's (copper only), integrated nics of ICH8. The patch
includes dynamic interrupt support, many rewrites of subcomponents such
as wol enabling, manageability handling, shutdown/reset race fixes,

To keep the difference with the 2.6-version of this driver minimal
(which will facilitate future updates) we include a small compatibility
layer exclusively for e1000.

Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Auke Kok <auke-jan.h.kok@intel.com>

Merge branch 'skge'

[PATCH] merge 2.6 backport of skge/sky2 network drivers

Quite a bunch of x86 motherboards equipped with a Gigabit LAN
port make use of a Marvell chip which requires the vendor's driver
from www.marvell.com. This driver is known to have some troubles,
among which losing frames under UDP-only trafic such as NFS and
DNS.

Stephen Hemminger has rewritten two separate drivers from scratch
for those chips to solve many problems in the historical driver.
A backport of his work is provided here as an alternate driver
for people experiencing problems with the vendor's one.

Current versions (skge-1.6 and sky2-1.5) do not support NAPI and
as such, consume slightly more CPU than the vendor's driver, but
at least they do seem to work correctly on UP. No test has been
performed on SMP yet.

Signed-off-by: Willy Tarreau <w@1wt.eu>

[NET] ethernet: Fix first packet goes out with MAC 00:00:00:00:00:00

This is a backport of a patch which was first included in Linux 2.6.16-rc5.
What follows between the "======" markers is the original description.

======
When you turn off ARP on a netdevice then the first packet always goes
out with a dstMAC of all zeroes. This is because the first packet is
used to resolve ARP entries. Even though the ARP entry may be resolved
(I tried by setting a static ARP entry for a host i was pinging from),
it gets overwritten by virtue of having the netdevice disabling ARP.

Subsequent packets go out fine with correct dstMAC address (which may
be why people have ignored reporting this issue).

To cut the story short:

the culprit code is in net/ethernet/eth.c::eth_header()
----
          /*
           *      Anyway, the loopback-device should never use this function...
           */

          if (dev->flags & (IFF_LOOPBACK|IFF_NOARP))
          {
                  memset(eth->h_dest, 0, dev->addr_len);
                  return ETH_HLEN;
          }

          if(daddr)
          {
                  memcpy(eth->h_dest,daddr,dev->addr_len);
                  return ETH_HLEN;
          }
----

Note how the h_dest is being reset when device has IFF_NOARP.

As a note:
All devices including loopback pass a daddr. loopback in fact passes
a 0 all the time ;->
This means i can delete the check totaly or i can remove the IFF_NOARP

Alexey says:
--------------------
I think, it was me who did this crap. It was so long ago I do not remember
why it was made.

I remember some troubles with dummy device. It tried to resolve
addresses, apparently, without success and generated errors instead of
blackholing. I think the problem was eventually solved at neighbour
level.

After some thinking I suspect the deletion of this chunk could change
behaviour of some parts which do not use neighbour cache f.e. packet
socket.

I think safer approach would be to move this chunk after if (daddr).
And the possibility to remove this completely could be analyzed later.
--------------------

Patch updated with Alexey's safer suggestions.

Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Acked-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
======

This problem also arises when transmitting IP multicast packets. If you send an
IP multicast stream over an ethernet network interface ethX and turn off ARP on
ethX then Linux will produce an ethernet frame with a dest. addresses of
00:00:00:00:00:00 (which is invalid). As IP multicast addresses are directly
mapped to HW (MAC) addresses without invoking any ARP protocol mechanisms - for
IP4 this mapping is performed by the function ip_eth_mc_map - it makes perfect
sense to do this even if ARP is disabled. Further, this problem may occur
periodically, everytime the corresponding struct dst_entry is garbage-collected
(e.g. ~ every 10 minutes).

Patch ported to Linux 2.4 by Christian Praehauser.

Signed-off-by: Christian Praehauser <cpraehaus@cosy.sbg.ac.at>

[PATCH] proper locking on disconnect for mdc800

this makes mdc800 take the necessary lock in disconnect() to prevent
submission of an URB for a disconnected device.

Signed-off-by: Oliver Neukum <oliver@neukum.name>

[PATCH] smbfs: fix problems introduced by last security backport

Users have reported a symlink issue with my recent smbfs backport.
Turns out my backport overlooked a second 2.6 patch w/ the fix:
http://linux.bkbits.net:8080/linux-2.6/?PAGE=cset&REV=419e7b76CdrmRG_NZ8LKj9DUUBGu1w

This is a backport of Haroldo Gamal's 2.6 patch that fixes the symlink
issue, and also cleans up an unnecessary double assignment. As his
commit message notes, you will need the userspace patches from Samba
Bug #999 in order to use the permission/ownership assigned by the
server.

Signed-off-by: dann frazier <dannf@debian.org>

Change VERSION to 2.4.34

Change VERSION to 2.4.34-rc4

- Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)

[PATCH] Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)

The function isdn_ppp_ccp_reset_alloc_state() sets ->timer.function
and ->timer.data and later on calls add_timer() with no init_timer()
ever done. The call of init_timer() is needed, because otherwise the
call of add_timer() will result in an instant death.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

Change VERSION to 2.4.34-rc3

- zeromap may find a pte
- Fix incorrect user space access locking in mincore() (CVE-2006-4814)

[PATCH] Fix incorrect user space access locking in mincore() (CVE-2006-4814)

Fix incorrect user space access locking in mincore()

Doug Chapman noticed that mincore() will do a "copy_to_user()" of the
result while holding the mmap semaphore for reading, which is a big
no-no.  While a recursive read-lock on a semaphore in the case of a page
fault happens to work, we don't actually allow them due to deadlock
scenarios with writers due to fairness issues.

Doug and Marcel sent in a patch to fix it, but I decided to just rewrite
the mess instead - not just fixing the locking problem, but making the
code smaller and (imho) much easier to understand.

Hugh "ported" it to 2.4:
please note two slight changes to behaviour under error conditions:

(a) mincore used to report -EINVAL if input len was so big that the
given area wrapped: that shouldn't be a distinct case from crossing
a hole in the address space, 2.6.11 corrected the error to -ENOMEM,
and this patch extends that correction to 2.4.

(b) mincore used to report -ENOMEM if the given area crossed a hole
in the address space, but continued to fill in the vector for file-
backed regions above - yet didn't fill the vector with non-present
entries for the hole, just ignored it.  This patch continues to
report -ENOMEM if the given area crosses a hole in the address
space, but simply stops filling the vector at that point.  We
doubt any app could be relying on the previous weird behaviour.

Cc: Doug Chapman <dchapman@redhat.com>
Cc: Marcel Holtmann <holtmann@redhat.com>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Hugh Dickins <hugh@veritas.com>

[PATCH] zeromap may find a pte

Ramiro Voicu hit 2.6's BUG_ON(!pte_none(*pte)) in zeromap_pte_range:
kernel bugzilla 7645.  Right: read_zero_pagealigned uses down_read of
mmap_sem, but another thread's racing read of /dev/zero, or a normal
fault, can easily set that pte again, in between zap_page_range and
zeromap_page_range getting there.  It's been wrong ever since 2.4.3.

The simple fix is to use down_write instead, but that would serialize
reads of /dev/zero more than at present: perhaps some app would be
badly affected.  So instead let zeromap_page_range return the error
instead of BUG in forget_pte, and read_zero_pagealigned break to the
slower clear_user loop in that case - no need to optimize for it.

Signed-off-by: Hugh Dickins <hugh@veritas.com>

Change VERSION to 2.4.34-rc2

- [Bluetooth] Add packet size checks for CAPI messages (CVE-2006-6106)

[PATCH] [Bluetooth] Add packet size checks for CAPI messages (CVE-2006-6106)

With malformed packets it might be possible to overwrite internal
CMTP and CAPI data structures. This patch adds additional length
checks to prevent these kinds of remote attacks.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

Change VERSION to 2.4.34-rc1

    - smbfs : don't ignore uid/gid/mode mount opts w/ unix extensions (CVE-2006-5871)
    - i2c cleanup : several cleanups
    - fix for transient error in usb printer driver
    - task stte leak in pegasus usb driver
    - Masking bug in 6pack driver
    - x86 microcode: dont check the size
    - rio: typo in bitwise AND expression.
    - flashpoint: use '!' instead of '~' with EE_SYNC_MASK
    - jfs: incorrect use of "&&" instead of "&"
    - arm: incorrect use of "&&" instead of "&"
    - e100: incorrect use of "&&" instead of "&"
    - ps2esdi: typo may cause premature timeout
    - fbcon: incorrect use of "&&" instead of "&"

[PATCH] smbfs : don't ignore uid/gid/mode mount opts w/ unix extensions

smbfs in 2.4 currently ignores the uid, gid & mode mount options if
unix extensions are enabled. Here is a backport of Haroldo Gamal's 2.6 fix for
Debian's 2.4.27 kernel that should apply cleanly to latest 2.4 git.

This issue has been assigned CVE-2006-5871.

Signed-off-by: dann frazier <dannf@debian.org>

[PATCH] task stte leak in pegasus usb driver

Hi,

this is a conservative port of a 2.6 fix for the pegasus driver which leaks
TASK_UNINTERRUPTIBLE in error cases. In case of an error the state
needs to be reset to TASK_RUNNING.

Regards
Oliver

Signed-off-by: Oliver Neukum <oliver@neukum.name>
Acked-by: Petko Manolov <petkan@nucleusys.com>

[PATCH] x86 microcode: dont check the size

(backported from 2.6)

IA32 manual says if micorcode update's size is 0, then the size is
default size (2048 bytes). But this doesn't suggest all microcode
update's size should be above 2048 bytes to me. We actually had a
microcode update whose size is 1024 bytes. The patch just removed the
check.

Backported to 2.6.18 by Daniel Drake.

Signed-off-by: Daniel Drake <dsd@gentoo.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Shaohua Li <shaohua.li@intel.com>

[PATCH] fix for transient error in usb printer driver

Hi,

this is a port of a fix for 2.6 which handles transient errors while
writing to the printer. The buffer has to be marked free again if
urb submission fails, as the completion handler can't do it.
Please apply to the 2.4 tree.

Regards
Oliver

Signed-off-by: Oliver Neukum <oliver@neukum.name>

[PATCH] i2c cleanup : warning fix

Fix the following warning on x86_64:

i2c-proc.c: In function "i2c_proc_real":
i2c-proc.c:388: warning: passing argument 3 of "i2c_write_reals" from incompatible pointer type

This was fixed in a similar way in i2c-SVN in April 2003.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] i2c cleanup : resync algo ids

Resync i2c algorithm IDs with the values used in the 2.6 kernel
tree and the external i2c tree. These are arbitrary values anyway,
not exported to user-space.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] i2c cleanup : simplify code

Simplify core i2c code as was done in the external i2c tree. There are
three type of changes:
* Flatten imbricated if/else constructs
* Drop useless masking
* Change void* parameters to char* to avoid having to cast them
everywhere we use them

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] i2c cleanup : c99 struct init

Switch all i2c drivers to use the C99-style structure initialization,
as it is way safer.

Note that some hardcoded 100 are converted to HZ in the process,
as this was the true intent of the original code.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] i2c cleanup : dead code removal

Discard dead code from the i2c subsystem.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] i2c cleanup : typos and whitespace

Trivial changes picked from the i2c SVN repository. This includes:
* Documentation updates
* Comment updates
* Whitespace changes
* Typo fixes in strings and comments
* Includes reordering
* Drop of includes and comments relative to kernel version 2.0 to 2.3
The idea is to minimize the meaningless differences between both theres
so that real differences are easier to see.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] fbcon: incorrect use of "&&" instead of "&"

The use of "&&" in the following statement causes unexpected
cases to be matched since __SCROLL_YMASK = 0x0f :

    switch (p->scrollmode && __SCROLL_YMASK)
        case __SCROLL_YWRAP: ...  /* 0x02 */
        case __SCROLL_YPAN: ...   /* 0x01 */

The YWRAP case can never be matched and the YPAN case may be
matched by mistake. Obvious fix is to replace && with &. This
bug is not present in 2.6.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-By: Geert Uytterhoeven <geert@linux-m68k.org>

[PATCH] ps2esdi: typo may cause premature timeout

The stop condition in the following statement causes an immediate
break out of the loop because ESDI_TIMEOUT=0xf000 and the result
of the !(inb()) expression can only be either 0 or 1, which means
that i never gets counted down.

   for (i = ESDI_TIMEOUT;
        i & !(inb(ESDI_STATUS) & STATUS_STAT_AVAIL);
        i--);

The obvious cause is the use of "i & !" instead of "i && !". This
was already fixed in 2.6.

Signed-off-by: Willy Tarreau <w@1wt.eu>

[PATCH] e100: incorrect use of "&&" instead of "&"

In e100_do_ethtool_ioctl(), bdp->flags is a bitfield and is
checked for some bits but the AND operation is performed with
&& instead of &. Obvious fix is to use "&" as in all other
places. 2.6 does not seem affected.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: David Miller <davem@davemloft.net>

[PATCH] arm: incorrect use of "&&" instead of "&"

In integrator_init_irq(), the use of "&&" in the following
statement causes all interrupts to be marked valid regardless
of INTEGRATOR_SC_VALID_INT, as long as it's non-zero :

if (((1 << i) && INTEGRATOR_SC_VALID_INT) != 0)

Obvious fix is to replace it with "&". This was already fixed
in 2.6.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: Russell King <rmk+lkml@arm.linux.org.uk>

[PATCH] jfs: incorrect use of "&&" instead of "&"

in jfs_txnmgr, the use of "tblk->flag && COMMIT_DELETE" in a
if() condition is obviously wrong. This bug has already been
fixed in 2.6.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: Dave Kleikamp <shaggy@linux.vnet.ibm.com>

[PATCH] flashpoint: use '!' instead of '~' with EE_SYNC_MASK

Trivial typo found by grep in 2.4 code, already fixed in 2.6.
The complement mask was computed with '!' instead of '~' while
the mask was not 1 :

  #define  EE_SYNC_MASK      (BIT(0)+BIT(1))
  currTar_Info->TarEEValue = (currTar_Info->TarEEValue & !EE_SYNC_MASK)
  temp2.tempb[0] = (temp2.tempb[0] & !EE_SYNC_MASK) | syncVal;
  temp2.tempb[1] = (temp2.tempb[1] & !EE_SYNC_MASK) | syncVal;

[PATCH] rio: typo in bitwise AND expression.

The line :

hp->Mode &= !RIO_PCI_INT_ENABLE;

is obviously wrong as RIO_PCI_INT_ENABLE=0x04 and is used as a bitmask
2 lines before. Getting no IRQ would not disable RIO_PCI_INT_ENABLE
but rather RIO_PCI_BOOT_FROM_RAM which equals 0x01.

Obvious fix is to change ! for ~.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Patrick vd Lageweg <patrick@BitWizard.nl>

[PATCH] Masking bug in 6pack driver

Looks like a broken masking to me, binary not is used where bitwise not
was intended.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

Change VERSION to 2.4.34-pre6

    - [I2C] update web site address and contacts
    - [I2C] do not ignore error when returning from i2c_add_adapter()
    - [I2C] i2c-matroxfb: Struct init conversion
    - [I2C] Fix copy-n-paste error in i2c Config.in.
    - [I2C] remove non-existing functions declarations.
    - knfsd: Fix race that can disable NFS server.
    - i2c-elv: fix erroneous '&&' operator
    - fix "&& 0xffff" typo in gdth.c
    - fix obvious "&& 0xFFFFFF" typo in cpqfcTSworker
    - fix "&& 0xff" typo in qeth_qdio_input_handler
    - fix two "&& 0x03" in usbnet
    - EXT3: avoid crashing by not dividing by zero.
    - EXT2: avoid crashing by not dividing by zero.
    - [GCC4] fix build error in arch/alpha/kernel/osf_sys.c
    - [GCC4] fix build error in arch/alpha/kernel/irq.c
    - [GCC4] fix build error in arch/alpha/lib/io.c
    - [GCC4] fix build error in arch/alpha/math-emu/math.c

[PATCH][I2C] remove non-existing functions declarations.

Drop the function declarations for slave mode support of i2c adapters.
This was never implemented.

Partial backport of:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6d3aae9d74221b00e2cbf50a353527e5a71a58ba

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH][I2C] Fix copy-n-paste error in i2c Config.in.

Backport from a Linux 2.6 patch by Arthur Othieno:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=be53f9b2a08e647396ceaa004199ae4b032a9bd2

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Arthur Othieno <apgo@patchbomb.org>

[PATCH][I2C] i2c-matroxfb: Struct init conversion

Convert the struct i2c_algo_bit_data initialization to proper C99
style.

Backport from:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=8241cb1401873e18bba746fd3f6c56ce4252a61f

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Petr Vandrovec <vandrove@vc.cvut.cz>

[PATCH][I2C] do not ignore error when returning from i2c_add_adapter()

i2c_add_adapter may fail. Most i2c algorithm drivers ignore this
fact, fix them. This is a backport from a patch from Mark M. Hoffman
to Linux 2.6.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH][I2C] update web site address and contacts

We have a new mailing list dedicated to linux i2c:
http://lists.lm-sensors.org/mailman/listinfo/i2c

The lm-sensors website moved to http://www.lm-sensors.org/.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[GCC4] fix build error in arch/alpha/math-emu/math.c

This patch fixes this error with gcc 4 on alpha :

gcc-4.1 -D__KERNEL__ -I/data/git/public/linux-2.4/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fno-builtin-sprintf -fomit-frame-pointer -Wno-pointer-sign -pipe -mno-fp-regs -ffixed-8 -mcpu=ev6 -Wa,-mev6 -nostdinc -iwithprefix include -DKBUILD_BASENAME=math -c -o math.o math.c
math.c: In function 'alpha_fp_emul':
math.c:204: warning: right shift count is negative
math.c:204: warning: left shift count >= width of type
math.c:220: warning: left shift count is negative
math.c:238: warning: statement with no effect
math.c:258: error: invalid lvalue in assignment
math.c:258: warning: right shift count >= width of type
math.c:258: warning: right shift count >= width of type
math.c:262: error: invalid lvalue in assignment
math.c:262: warning: right shift count >= width of type
math.c:262: warning: right shift count >= width of type
math.c:270: warning: statement with no effect
math.c:270: warning: statement with no effect
math.c:270: warning: statement with no effect
math.c:277: warning: statement with no effect
math.c:277: warning: statement with no effect
math.c:277: warning: statement with no effect

[GCC4] fix build error in arch/alpha/lib/io.c

This patch fixes this error with gcc 4 on alpha :

gcc-4.1 -D__KERNEL__ -I/data/git/public/linux-2.4/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fno-builtin-sprintf -fomit-frame-pointer -Wno-pointer-sign -pipe -mno-fp-regs -ffixed-8 -mcpu=ev6 -Wa,-mev6 -nostdinc -iwithprefix include -DKBUILD_BASENAME=io -c -o io.o io.c
io.c: In function 'insb':
io.c:146: error: invalid lvalue in increment
io.c:157: error: invalid lvalue in increment
io.c:163: error: invalid lvalue in increment
io.c: In function 'insw':
io.c:185: error: invalid lvalue in increment
io.c:194: error: invalid lvalue in increment
io.c: In function 'insl':
io.c:222: error: invalid lvalue in increment
io.c:233: error: invalid lvalue in increment
io.c:239: error: invalid lvalue in increment
io.c:249: error: invalid lvalue in increment
io.c:251: error: invalid lvalue in increment
io.c:256: error: invalid lvalue in increment
io.c:266: error: invalid lvalue in increment
io.c:271: error: invalid lvalue in increment
io.c:275: error: invalid lvalue in increment
io.c: In function 'outsb':
io.c:293: error: invalid lvalue in increment
io.c: In function 'outsw':
io.c:310: error: invalid lvalue in increment
io.c:318: error: invalid lvalue in increment
io.c: In function 'outsl':
io.c:348: error: invalid lvalue in increment
io.c:358: error: invalid lvalue in increment
io.c:363: error: invalid lvalue in increment
io.c:374: error: invalid lvalue in increment
io.c:376: error: invalid lvalue in increment
io.c:380: error: invalid lvalue in increment
io.c:391: error: invalid lvalue in increment
io.c:395: error: invalid lvalue in increment
io.c:400: error: invalid lvalue in increment

[GCC4] fix build error in arch/alpha/kernel/irq.c

This patch fixes this error with gcc 4 on alpha :

gcc-4.1 -D__KERNEL__ -I/data/git/public/linux-2.4/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fno-builtin-sprintf -fomit-frame-pointer -Wno-pointer-sign -pipe -mno-fp-regs -ffixed-8 -mcpu=ev6 -Wa,-mev6 -nostdinc -iwithprefix include -DKBUILD_BASENAME=irq -c -o irq.o irq.c
irq.c: In function 'handle_irq':
irq.c:619: error: invalid lvalue in increment

[GCC4] fix build error in arch/alpha/kernel/osf_sys.c

This patches fixes this error with gcc 4 on alpha :

gcc-4.1 -D__KERNEL__ -I/data/git/public/linux-2.4/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fno-builtin-sprintf -fomit-frame-pointer -Wno-pointer-sign -pipe -mno-fp-regs -ffixed-8 -mcpu=ev6 -Wa,-mev6 -nostdinc -iwithprefix include -DKBUILD_BASENAME=osf_sys -c -o osf_sys.o osf_sys.c
osf_sys.c: In function 'osf_filldir':
osf_sys.c:128: error: invalid lvalue in assignment

[PATCH] EXT2: avoid crashing by not dividing by zero.

backport a few checks from 2.6 to avoid dividing by zero on invalid
superblocks.

[PATCH] EXT3: avoid crashing by not dividing by zero.

backport a few checks from 2.6 to avoid dividing by zero on invalid
superblocks.

[PATCH] fix two "&& 0x03" in usbnet

just another obvious typo.

[PATCH] fix "&& 0xff" typo in qeth_qdio_input_handler

this one is already OK in 2.6.

[PATCH] fix obvious "&& 0xFFFFFF" typo in cpqfcTSworker

[PATCH] fix "&& 0xffff" typo in gdth.c

same as 2.6 patch.

[PATCH-2.4] i2c-elv: fix erroneous '&&' operator

There was clearly a typo in i2c-elv.c.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] knfsd: Fix race that can disable NFS server.

This is a long standing bug that seems to have only recently become
apparent, presumably due to increasing use of NFS over TCP - many
distros seem to be making it the default.

The SK_CONN bit gets set when a listening socket may be ready
for an accept, just as SK_DATA is set when data may be available.

It is entirely possible for svc_tcp_accept to be called with neither
of these set.  It doesn't happen often but there is a small race in
svc_sock_enqueue as SK_CONN and SK_DATA are tested outside the
spin_lock.  They could be cleared immediately after the test and
before the lock is gained.

This normally shouldn't be a problem.  The sockets are non-blocking so
trying to read() or accept() when ther is nothing to do is not a problem.

However: svc_tcp_recvfrom makes the decision "Should I accept() or
should I read()" based on whether SK_CONN is set or not.  This usually
works but is not safe.  The decision should be based on whether it is
a TCP_LISTEN socket or a TCP_CONNECTED socket.

Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

Change VERSION to 2.4.34-pre5
    - WATCHDOG: sc1200wdt.c pnp unregister fix.
    - incorrect timeout in mtd AMD driver of 2.4 kernel
    - SCTP: Always linearise packet on input
    - ISDN: fix drivers, by handling errors thrown by ->readstat()
    - copy_from_user information leak on s390.
    - s390 : fix typo in recent copy_from_user fix
    - [S390] user readable uninitialised kernel memory (3rd version)
    - [NETFILTER]: Fix deadlock on NAT helper unload
    - [BRIDGE]: netfilter deadlock
    - i386: remove unsigned long long cast in __pte() macro.
    - 2.4.x: i386/x86_64 bitops clobberings

[PATCH] WATCHDOG: sc1200wdt.c pnp unregister fix.

(backport from 2.6-stable)

If no devices found or invalid parameter is specified,
scl200wdt_pnp_driver is left unregistered.
It breaks global list of pnp drivers.

Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
For 2.4 backport :
Acked-by: Wim Van Sebroeck <wim@iguana.be>

[PATCH] ISDN: fix drivers, by handling errors thrown by ->readstat()

(backport from 2.6-stable)

This is a particularly ugly on-failure bug, possibly security, since the
lack of error handling here is covering up another class of bug: failure to
handle copy_to_user() return values.

The I4L API function ->readstat() returns an integer, and by looking at
several existing driver implementations, it is clear that a negative return
value was meant to indicate an error.

Given that several drivers already return a negative value indicating an
errno-style error, the current code would blindly accept that [negative]
value as a valid amount of bytes read. Obvious damage ensues.

Correcting ->readstat() handling to properly notice errors fixes the
existing code to work correctly on error, and enables future patches to
more easily indicate errors during operation.

Signed-off-by: Jeff Garzik <jeff@garzik.org>
Cc: Karsten Keil <kkeil@suse.de>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
For 2.4 backport :
Acked-by: Karsten Keil <kkeil@suse.de>

[PATCH] SCTP: Always linearise packet on input

(backported from 2.6-stable)

I was looking at a RHEL5 bug report involving Xen and SCTP
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212550).
It turns out that SCTP wasn't written to handle skb fragments at
all. The absence of any calls to skb_may_pull is testament to
that.

It just so happens that Xen creates fragmented packets more often
than other scenarios (header & data split when going from domU to
dom0). That's what caused this bug to show up.

Until someone has the time sits down and audits the entire net/sctp
directory, here is a conservative and safe solution that simply
linearises all packets on input.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
For 2.4 backport :
Acked-by: David S. Miller <davem@davemloft.net>

[BRIDGE]: netfilter deadlock

A deadlock was found in bridge netfilter code (2.4 only), when a
device is removed. The device removal path causes a BPDU to be
generated and ends up self deadlocking on the BR lock.

Simple fix would be to avoid generating config bpdu's immediately when
becoming root bridge, and just let the first hello timer tick do that.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] incorrect timeout in mtd AMD driver of 2.4 kernel

I found a problem in the MTD driver for AMD flash chips that caused
occasional write errors on my WiFi router running OpenWrt. The driver
uses (HZ/1000) to calculate a timeout value of at least 1 msec, but
since HZ is 100, the timeout is effectively zero. The fix is to
increment the timeout by 1 jiffie, which is also done in the 2.6 kernel.
The patch also fixes two missing newlines.

[PATCH] 2.4.x: i386/x86_64 bitops clobberings

Problem reported by Jan Kiszka <jan.kiszka@web.de> :
"After going through debugging hell with some out-of-tree code,
  I realised that this patch :

  http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=92934bcbf96bc9dc931c40ca5f1a57685b7b813b

  makes a difference: current 2.6 works with the following code
  sequence as expected (printk is executed), 2.4 fails. I used
  gcc 3.3.6-13 (Debian).

  unsigned long a = 1;

  int module_init(void)
  {
        unsigned long b = 0;
        int x;

        x = __test_and_set_bit(0, &b);
        if (__test_and_set_bit(0, &a))
                printk("x = %d\n", x);

        return -1;
  }

  I ported the x86 part back to 2.4.33 and my problem disappeared. "

The problem with this patch is that the use of "+m" in asm statements
triggers bugs in gcc 2.95 which is supported by kernel 2.4. For
instance, cyclades.c does not build anymore :

$ gcc -O2 -pipe -c cyclades-c.c
cyclades.c: In function `cyy_interrupt':
/usr/src/git/linux-2.4/include/asm/bitops.h:134: inconsistent operand constraints in an `asm'
cyclades.c: In function `cyz_handle_rx':
/usr/src/git/linux-2.4/include/asm/bitops.h:134: inconsistent operand constraints in an `asm'

As explained by Richard Henderson here, the equivalent construct
"=m"(x) : "m"(x) works on any version of gcc :

  http://marc.theaimsgroup.com/?l=3Dlinux-kernel&m=3D107475162200773&w=3D2

I successfully verified on the example code above and on cyclades.c
that the exact same code is produced on x86 with this construct with
gcc 2.95.3, 3.3.6, 3.4.4, and 4.1.1, and Jan confirmed it also fixed
his problem, so it looks fine.

Just like in the former patch for 2.6, this one was applied to both
i386 and x86_64.

Signed-Off-By: Willy Tarreau <w@1wt.eu>
Acked-By: Jan Kiszka <jan.kiszka@web.de>

[S390] user readable uninitialised kernel memory (3rd version)

Fixed a label and a few comments.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

[PATCH] s390 : fix typo in recent copy_from_user fix

unfortunatly a bug crept into the bug fix for 2.4: the arguments of the
mvcle that is supposed to clear the kernel buffer have been swapped for
64 bit (the code is fine for 31 bit :-/).

[PATCH] i386: remove unsigned long long cast in __pte() macro.

From PaX Team :
"I've just seen the commit of the __pte() macro fixes and i'm not
sure that a blind unsigned long long cast is the proper way to
handle the warnings. the thing is, if there's a warning as Ralf
said, then it means that the user of the macro is not passing the
proper argument to the macro, hence there's a likelyhood that the
caller itself may not be doing what it intended to do."

"I don't know about MIPS, but under i386/PAE the higher 32 bits do
carry 'interesting' bits (not only physical page number bits but
on NX capable CPUs the NX bit itself as well), so they can't be
blindly made 0 by doing an unsigned long long cast, it should be
decided by the user of the macro instead."

"So my suggestion would be to fix the callers instead of doing the
cast, that is, have gcc point out everyone not passing a properly
set up argument, figure out if a cast is proper (as i said, at
least on PAE it will loose important bits) and fix the caller."

Also, the only user seems to be drm-40/ffb_drv.c, which is only
enabled for sparc64. So the warning would never appear anyway.

Acked-By: Willy Tarreau <w@1wt.eu>

[NETFILTER]: Fix deadlock on NAT helper unload

When a NAT helper is unlocked conntrack/NAT may deadlock because of
the following lock sequence:

.. ip_nat_helper_unregister
-> ip_ct_selective_cleanup
-> get_next_corpse              (ip_conntrack_lock)
-> kill_helper                  (ip_nat_lock)

.. ip_nat_fn                    (ip_nat_lock)
-> ip_nat_setup_info
-> ip_conntrack_alter_reply     (ip_conntrack_lock)

Taking ip_nat_lock in kill_helper() is unnecessary since the helper assigned
to a connection is immutable and new connections can't have the helper that
is beeing unloaded assigned since it is already removed from the global list.

Reported by <doublefacer007@gmail.com>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] copy_from_user information leak on s390.

There is/has been a bug with copy_from_user on s390. The problem is that
it does not pad the kernel buffer with zeroes in case of a fault on the
user address. That allows a malicious user to read uninitialized kernel
memory. The bug is already fixed upstream:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=52149ba6b0ddf3e9d965257cc0513193650b3ea8

The uaccess code for s390 has changed recently, for older 2.6 versions
you need a different patch, and for 2.4 yet another one.

Description: kernel: user readable uninitialised kernel memory.
Symptom:     None.
Problem:     A user space program can read uninitialised kernel memory
             by appending to a file from a bad address and then reading
             the result back. The cause is the copy_from_user function
             that does not clear the remaining bytes of the kernel
             buffer after it got a fault on the user space address.
Solution:    Fix the copy_from_user function to clear the remaining bytes
             of the kernel buffer after a user space fault.

Martin Schwidefsky
Linux for zSeries Development & Services
IBM Deutschland Entwicklung GmbH

Change VERSION to 2.4.34-pre4

- Backport fix for CVE-2006-4997 to 2.4 tree
- fbdev: correct buffer size limit in fbmem_read_proc()
- really fix size display for sun partitions larger than 1TByte
- i386: fix overflow in vmap on an x86 system which has more than 4GB memory.
- Advertise PPPoE MTU
- MIPS & i386: fix long long cast in pte macro
- block: fix negative bias of ios_in_flight (CONFIG_BLK_STATS) because of unbalanced I/O accounting
- x86_64: Fix missing delay when the TSC counter just overflowed
- fix Configure.help concerning rp_filter

[PATCH] i386: fix long long cast in pte macro

From PaX Team :
the current idiom used for initializing a structure of two unsigned longs
from unsigned long long is wrong, it effectively loses the upper 32 bits
which in this particular case could turn a non-executable PTE into an
executable one on NX capable i386 (i.e., it's a potential security bug).
fortunately the in-tree users in 2.4 (drivers/char/drm-4.0/ffb_drv.c
and arch/mips/baget/baget.c) are not affected.

Added the (unsigned long long) cast as suggested by Ralf Baechle to
silent gcc when shifting right 32-bit arguments.

Acked-by: Willy Tarreau <w@1wt.eu>

[PATCH] MIPS: fix long long cast in pte macro

From PaX Team :
the current idiom used for initializing a structure of two unsigned longs
from unsigned long long is wrong, it effectively loses the upper 32 bits
which in this particular case could turn a non-executable PTE into an
executable one on NX capable i386 (i.e., it's a potential security bug).
fortunately the in-tree users in 2.4 (drivers/char/drm-4.0/ffb_drv.c
and arch/mips/baget/baget.c) are not affected.

From Ralf Baechle :
I need a slight change to get this to build without warning for MIPS.
The argument passed to __pte() might be just a 32-bit int, so >> 32 will
upset gcc big time. I believe the same problem exists for i386, so
here's the patch with the necessary cast for both architectures.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

Revert "[PATCH] MIPS: fix long long cast in pte macro"

The commit was bogus, it contained both the MIPS and the i386
fixes.

This reverts 5f81c2baacdb36638446d1356beb4ce4e13baedb commit.

[PATCH] MIPS: fix long long cast in pte macro

From PaX Team :
the current idiom used for initializing a structure of two unsigned longs
from unsigned long long is wrong, it effectively loses the upper 32 bits
which in this particular case could turn a non-executable PTE into an
executable one on NX capable i386 (i.e., it's a potential security bug).
fortunately the in-tree users in 2.4 (drivers/char/drm-4.0/ffb_drv.c
and arch/mips/baget/baget.c) are not affected.

From Ralf Baechle :
I need a slight change to get this to build without warning for MIPS.
The argument passed to __pte() might be just a 32-bit int, so >> 32 will
upset gcc big time. I believe the same problem exists for i386, so
here's the patch with the necessary cast for both architectures.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

[PATCH] really fix size display for sun partitions larger than 1TByte

Problem: the last fix introduced by Jeff Mahoney for kernel 2.6 was not
complete for kernel 2.4 (as applied). I found out that add_gd_partition
is called by any type of partition (2.4). add_gd_partition is defined
as add_gd_partition (int, int), what makes no sense to me as negative
numbers should never occur here. As long as add_gd_partition is not
changed to add_gd_partition (unsigned, unsigned), /proc/partitions will
keep showing negative numbers.

If ever someone could look into this, within the different partition
type files in linux/fs/partitions the parameters to add_gd_partitions
seem to be chosen arbitrarily between int, unsigned and unsigned long,
whatever seemed to be appropriate, I think it would make sense to get
consistent parameters to add_gd_partition from all partition types here.
Especially if one takes into account that sizeof (long) and sizeof (int)
may differ significantly i. e. on sparc.

Signed-off-by: Dieter Jurzitza <DJurzitza@HarmanBecker.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>

[PATCH] fix Configure.help concerning rp_filter

Adrian Buciuman reported that Configure.help is wrong regarding
rp_filter, while ip_sysctl.txt is right. rp_filter is OFF by
default.

[PATCH] Backport fix for CVE-2006-4997 to 2.4 tree

Backport fix for CVE-2006-4997 to 2.4 tree, compile tested.
Original commit message follows.

[ATM] CLIP: Do not refer freed skbuff in clip_mkip().

In clip_mkip(), skb->dev is dereferenced after clip_push(),
which frees up skb.

Advisory: AD_LAB-06009 (<adlab@venustech.com.cn>).

Original patch by YOSHIFUJI Hideaki.

Signed-off-by: dann frazier <dannf@debian.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] fbdev: correct buffer size limit in fbmem_read_proc()

Address http://bugzilla.kernel.org/show_bug.cgi?id=7189

It should check `clen', not `len'.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: <jurij@wooyd.org>
Cc: "Antonino A. Daplas" <adaplas@pol.net>
Cc: <stable@kernel.org>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Andrew Morton <akpm@osdl.org>

[PATCH] Advertise PPPoE MTU

PPPoE must advertise the underlying device's MTU via the ppp channel
descriptor structure, as multilink functionality depends on it.

Signed-off-by: Michal Ostrowski <mostrows@earthlink.net>
Acked-by: Paul Mackerras <paulus@samba.org>

[PATCH] x86_64: Fix missing delay when the TSC counter just overflowed

I'd seen a problem that *delay functions return in too short delay.
It happens when the lower 32bit of TSC counter is overflowed.
This patch fixes the problem. This is back-port of Andi Kleen's
2.6 fix.

http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commit;h=6c51e28ffbbebf49437ec63ac4f9e385d60827e5

Signed-off-by: Toyo Abe <toyoa@mvista.com>

[PATCH] i386: fix overflow in vmap on an x86 system which has more than 4GB memory.

(max_mapnr << PAGE_SHIFT) would overflow on a system which has
4GB memory or more, and so could cause vmap to fail every time.

Signed-off-by: Michael Chen <micche@ati.com>
Signed-off-by: Hugh Dickins <hugh@veritas.com>

[PATCH] block: fix negative bias of ios_in_flight (CONFIG_BLK_STATS) because of unbalanced I/O accounting

Fix for unbalanced I/O accounting, that caused ios_in_flight
(CONFIG_BLK_STATS) to become and stay negative, as suggested by Jens
Axboe.

An added boolean field "io_account" in struct request is assumed to be
initialized to false on new requests. On starting I/O accounting, true is
assigned to the field. On ending I/O accounting, accounting is only
executed if the field has already been assigned true previously. Thus,
this fixes unbalanced cases where requests such as non-data get enqueued
without starting to account (ide_do_drive_cmd?) but the end of accounting
gets executed on finishing the same requests (ide_end_drive_cmd,
end_that_request_last, req_finished_io).

The precondition of io_account being initialized to false is ensured by

1) ide_init_drive_taskfile / ide_init_drive_cmd memset'ing the whole
request to zero, for requests that were potentially accounted unbalanced,
and

2) get_request assigning zero to io_account on allocating a request from
the free list cache (or slab cache initially), for the majority of
requests such as those involving data.

Jens preferred this to other discussed solutions and it should fix all
those unbalanced cases at once without touching each of them individually.

For more details, please see previous posts of this thread
http://www.uwsg.iu.edu/hypermail/linux/kernel/0608.2/0776.html.

I tested the patch with 2.4.24 and 2.4.33.3 successfully on an UP ia32
machine with one /dev/hda.

Signed-off-by: Steffen Maier <smaier@users.sourceforge.net>

Change VERSION to 2.4.34-pre3

This pre-version only includes GCC4 fixes and nothing else.
Build should work at least on i386, x86_64, PPC and sparc64.

Merge branch 'gcc4'

Change VERSION to 2.4.34-pre2

     - drivers/scsi/sg.c : fix CVE-2006-1528
     - [SCTP] Fix sctp_primitive_ABORT() call in sctp_close()
     - Fix possible UDF deadlock and memory corruption (CVE-2006-4145)
     - binfmt_elf.c : fix checks for bad address
     - [DISKLABEL] SUN: Fix signed int usage for sector count
     - cciss: do not mark cciss_scsi_detect __init
     - i386 : fix exception processing in early boot
     - crypto : prevent cryptoloop from oopsing on stupid ciphers
     - loop.c: kernel_thread() retval check
     - [SCTP] Local privilege elevation - CVE-2006-3745
     - powerpc: Clear HID0 attention enable on PPC970 at boot time
     - Revert "export memchr() which is used by smbfs and lp driver."
     - [SPARC] export memchr() which is used by smbfs and lp driver.

[PATCH] i386 : fix exception processing in early boot

fix the longest existing kernel bug ever (since 0.01 ;-). basically,
the dummy interrupt handler installed for the early boot period does
not work for exceptions that push an error code as well, effectively
making the iret at the end of the handler to trigger another exception,
ad infinitum, or rather, until the kernel stack runs over, trashes all
memory below and eventually causes a CPU reset or a hang. without this
fix the early printk facility in 2.6 is also rather useless.

[PATCH] Fix possible UDF deadlock and memory corruption (CVE-2006-4145)

Here is a backport of the fix for CVE-2006-4145 fix from 2.6[1]
I've compile-tested it.

[1] http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=7127be29378b1230eb8dd8b84f18d6b69c56e959

Description in the original patch follows :

UDF code is not really ready to handle extents larger that 1GB. This
is the easy way to forbid creating those. Also truncation code did not
count with the case when there are no extents in the file and we are
extending the file.

Signed-off-by: dann frazier <dannf@debian.org>

[PATCH] [SCTP] Fix sctp_primitive_ABORT() call in sctp_close()

Here is a 2.4 backport of David's fix for a problem with the recent
embargoed patch for CVE-2006-3745. Compile-tested, original
description follows:

[SCTP]: Fix sctp_primitive_ABORT() call in sctp_close().

With the recent fix, the callers of sctp_primitive_ABORT()
need to create an ABORT chunk and pass it as an argument rather
than msghdr that was passed earlier.

Signed-off-by: dann frazier <dannf@debian.org>

[PATCH] cciss: do not mark cciss_scsi_detect __init

if the cciss driver is compiled in then later discovery requests
initiated from userland will result in calling free'd memory since
the detect method is marked as __init. suggested fix is to simply
not mark it as __init, 2.6 has done it as well.

[PATCH] loop.c: kernel_thread() retval check

Patch extracted from 2.4.33-ow1. It has also been ported to 2.6 by
Julio Auto.

Basically, the code in drivers/block/loop.c did not check the return
value from kernel_thread(). If kernel_thread() would fail, the code
would misbehave (IIRC, the invoking process would become unkillable).

An easy way to trigger the bug was to run losetup under strace (as
root), and this is also how I tested the error path added with this
patch.

This change has been a part of publicly released -ow patches for 8+
months.

There are more instances of kernel_thread() calls that do not check the
return value; some of the remaining ones might need to be fixed, too.

Acked-by: Alan Cox <alan@redhat.com>

[DISKLABEL] SUN: Fix signed int usage for sector count

The current sun disklabel code uses a signed int for the sector count.
When partitions larger than 1 TB are used, the cast to a sector_t causes
the partition sizes to be invalid:

# cat /proc/paritions | grep sdan
   66   112 2146435072 sdan
   66   115 9223372036853660736 sdan3
   66   120 9223372036853660736 sdan8

This patch switches the sector count to an unsigned int to fix this.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] crypto : prevent cryptoloop from oopsing on stupid ciphers

With the cryptoloop patch applied, it's possible to request
ECB mode encryption, which will result in a Oops because of
uninitialized function pointers. Initializing them to the
nocrypt_iv() function does not completely solve the problem
because cryptoloop does not check the return code, and kernel
memory will leak uninitialized through cryptoloop.

Proposed solution :
  Can we maybe define working but IV-ignoring functions for ECB (like I
  did), but use memory-clearing nocrypt*() for CFB and CTR (as long as
  these are not supported)?  Of course, all of these will return -ENOSYS.

Response from Herbert Xu :
  In cryptodev-2.6, with block ciphers you can no longer select CFB/CTR
  until someone writes support for them so this is no longer an issue.
  For 2.4, I don't really mind either way what nocrypt does.

Final solution :
  OK, I've merged Willy's suggestion for the memset()s into the patch
  that I had submitted previously.  The resulting patch is attached.

[PATCH] [SCTP] Local privilege elevation - CVE-2006-3745

Avoid the use of buggy get_user_iov_size(). sctp_make_abort_user()
now takes the msg_len along with the msg so that we don't have to
recalculate the bytes in iovec. It also uses memcpy_fromiovec()
so that we don't go beyond the length of the allocated buffer.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>

[PATCH] binfmt_elf.c : fix checks for bad address

Fix check for bad address; use macro instead of open-coding two checks.

Explanation from Ernie Petries in 2.6 commit :

  For background, the BAD_ADDR() macro should return TRUE if the address is
  TASK_SIZE, because that's the lowest address that is *not* valid for
  user-space mappings.  The macro was correct in binfmt_aout.c but was wrong
  for the "equal to" case in binfmt_elf.c.  There were two in-line validations
  of user-space addresses in binfmt_elf.c, which have been appropriately
  converted to use the corrected BAD_ADDR() macro in the patch you posted
  yesterday.  Note that the size checks against TASK_SIZE are okay as coded.

Note that this patch slightly differs from Ernie's in that the printk()
only got commented out instead of being removed, since a rate limited call
is expected soon.

[PATCH] [SPARC] export memchr() which is used by smbfs and lp driver.

Previous attempt at fixing smbfs build on sparc broke at least x86_64.
This patch is less intrusive and exports memchr() only on sparc and
sparc64.

Signed-off-by: Willy Tarreau <w@1wt.eu>

[PATCH] Revert "[PATCH] export memchr() which is used by smbfs and lp driver."

This reverts aa8eb4b22e6ecd3aa24e824c55239ddedf4dedad commit.

This patch broke x86_64 build and probably others. Better export
memchr() on architectures which need it.

[GCC4] SPARC64: fix UP build error in arch/sparc64/mm/init.c

This patch fixes an invalid-lvalue error when compiling a
2.4.34-pre1 kernel on sparc64 with gcc-4.1.1. The kernel
must be configured with CONFIG_SMP=n for the error to trigger.
(I didn't save the error message, sorry.)

A kernel compiled with gcc-4.1.1 boots fine on my Ultra5
and can rebuild itself, and generally seems no less solid
than the 2.4.33 I compiled with gcc-3.4.6.

Signed-off-by: Mikael Pettersson <mikpe@it.uu.se>

[PATCH] drivers/scsi/sg.c : fix CVE-2006-1528

Here is a 2.4 backport of Douglas Gilbert's 2.6 fix for
CVE-2006-1528.

(GIT: 1c8e71d72026ed4c6ba0fdfd7eebd865f4fd1415)

Signed-off-by: dann frazier <dannf@debian.org>

[PATCH] powerpc: Clear HID0 attention enable on PPC970 at boot time

Clear HID0[en_attn] at CPU init time on PPC970. Closes CVE-2006-4093.
Back-ported from 2.6 after notification from Adrian Bunk and Greg KH.

Original 2.6 patch Signed-off-by: Olof Johansson <olof@lixom.net>
below :

http://kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=35a472de81cfdb37f3cfb49fde4987d99b81f996

Change VERSION to 2.4.34-pre1

[GCC4] SPARC: fix build error in drivers/fc4/soc.c

This patch fixes this error with gcc 4 on sparc :

soc.h: In function 'xram_copy_from':
soc.h:121: error: invalid lvalue in increment
soc.h: In function 'xram_copy_to':
soc.h:128: error: invalid lvalue in increment

[GCC4] SPARC: fix build error in arch/sparc/kernel/time.c

This patch fixes this error with gcc 4 (encountered on sparc) :

time.c:49: error: static declaration of 'mstk48t08_regs' follows non-static declaration
/usr/src/linux-2.4.33-gcc4-sparc/include/asm/mostek.h:130: error: previous declaration of 'mstk48t08_regs' was here

[GCC4] SPARC: fix build error in arch/sparc/kernel/signal.c

This patch fixes this error with gcc 4 (encountered on sparc) :

signal.c: In function 'do_sys_sigstack':
signal.c:1339: error: invalid lvalue in assignment

[GCC4] SPARC64: fix build error in drivers/sbus/char/pcikbd.c

This patch fixes this error with gcc 4 (encountered on sparc64) :

pcikbd.c:61: error: static declaration of 'pcikbd_iobase' follows non-static declaration
pcikbd.h:34: error: previous declaration of 'pcikbd_iobase' was here
pcikbd.c:62: error: static declaration of 'pcikbd_irq' follows non-static declaration
pcikbd.h:35: error: previous declaration of 'pcikbd_irq' was here

[GCC4] SPARC64: fix build error in arch/sparc64/kernel/time.c

This patch fixes this error with gcc 4 (encountered on sparc64) :

time.c:50: error: static declaration of 'mstk48t08_regs' follows non-static declaration
/usr/src/linux-2.4.33-gcc4-u60/include/asm/mostek.h:137: error: previous declaration of 'mstk48t08_regs' was here
time.c:51: error: static declaration of 'mstk48t59_regs' follows non-static declaration
/usr/src/linux-2.4.33-gcc4-u60/include/asm/mostek.h:144: error: previous declaration of 'mstk48t59_regs' was here