OSDN Git Service
David Stevens [Tue, 27 Dec 2005 00:37:17 +0000 (16:37 -0800)]
[IGMP]: workaround for IGMP v1/v2 bug
From: David Stevens <dlstevens@us.ibm.com>
As explained at:
http://www.cs.ucsb.edu/~krishna/igmp_dos/
With IGMP version 1 and 2 it is possible to inject a unicast
report to a client which will make it ignore multicast
reports sent later by the router.
The fix is to only accept the report if it was sent to a
multicast or unicast address.
Signed-off-by: David S. Miller <davem@davemloft.net>
Marcelo Tosatti [Fri, 23 Dec 2005 21:13:05 +0000 (19:13 -0200)]
Merge w.ods.org/kernel/2.4/linux-2.4-upstream
Dave Anderson [Fri, 25 Nov 2005 03:00:35 +0000 (12:00 +0900)]
[PATCH] x86-64: user code panics kernel in exec.c (CVE-2005-2708)
There seems to be a local DoS in exec on AMD64 / linux 2.4
when the system is under memory pressure.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161925
Comment #9 From Dave Anderson on 2005-08-31 14:36 EST
I don't particularly care for either patch suggestion. The problem is
that load_elf_binary() -- which is trying to load a legitimate ELF
binary, is returning -ENOEXEC back to search_binary_handler() because
load_elf_interp() has returned a BAD_ADDR:
    if (elf_interpreter) {
        if (interpreter_type == INTERPRETER_AOUT)
            elf_entry = load_aout_interp(&interp_ex,
                                         interpreter);
        else
            elf_entry = load_elf_interp(&interp_elf_ex,
                                        interpreter,
                                        &interp_load_addr);
        if (BAD_ADDR(elf_entry)) {
            printk(KERN_ERR "Unable to load interpreter\n");
            send_sig(SIGSEGV, current, 0);
            retval = -ENOEXEC; /* Nobody gets to see this, but.. */
            goto out_free_dentry;
        }
        reloc_func_desc = interp_load_addr;
        allow_write_access(interpreter);
        fput(interpreter);
        kfree(elf_interpreter);
    }
and *because* search_binary_handler() sees the -ENOEXEC, it kicks off
the attempt to load the bogus module. And therein lies the problem, for
whatever reason, the modprobe process results in the double-fault, and
the original exec operation continues, and fails as it should. But that
all may be a red herring, since ENOEXEC with respect to execve means:
ENOEXEC An executable is not in a recognised format, is for the wrong
architecture, or has some other format error that means it cannot
be executed.
However in this case, that's not at all true. It's legitimate, but the
attempt to load the /lib64/ld-linux-x86-64.so.2 interpreter into the
limited address space fails, and load_elf_interp() returns -ENOMEM. But
the ENOMEM is "lost" in the elf_entry variable. However, if -ENOMEM is
in fact returned back to search_binary_handler(), it all works just
fine. ENOMEM with respect to execve means:
ENOMEM Insufficient kernel memory was available.
which isn't *exactly* what's going on here, but pretty close...
There's also the question of why the modprobe is failing, given that the
bogus module name doesn't exist. You would think that shouldn't cause
the kernel to double-fault. I mean do *all* of the request_module()
calls in the kernel require that the target module pre-exist? Since the
kernel seems to handle it differently/successfully on at least i386
and ia64, I haven't determined whether the request_module() is even
attempted on those architectures, or whether the operation fails in a
different code path.
Pete Zaitcev [Fri, 23 Dec 2005 01:20:22 +0000 (17:20 -0800)]
[PATCH] usb: ehci in 2.4 with async_unlink
This is a long-standing problem. I had people hitting it from time to time,
but they would always go under instead of testing and reporting. Now one
gentleman reports stepping on this bug under simpler to reproduce conditions
than before. In his case, I/O stops when two DVD drives are connected
to the same bus.
I would like this to be in a test release after 2.4.32.
-- Pete
David S. Miller [Wed, 21 Dec 2005 21:39:23 +0000 (13:39 -0800)]
[SPARC64]: More fully work around Spitfire Errata 51.
It appears that a memory barrier soon after a mispredicted
branch, not just in the delay slot, can cause the hang
condition of this cpu errata.
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 26 Aug 2005 22:19:11 +0000 (15:19 -0700)]
[SPARC64]: Revamp Spitfire error trap handling.
Current uncorrectable error handling was poor enough
that the processor could just loop taking the same
trap over and over again. Fix things up so that we
at least get a log message and perhaps even some register
state.
In the process, much consolidation became possible,
particularly with the correctable error handler.
Prefix assembler and C function names with "spitfire"
to indicate that these are for Ultra-I/II/IIi/IIe only.
More work is needed to make these routines robust and
featureful to the level of the Ultra-III error handlers.
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 26 Aug 2005 21:49:00 +0000 (14:49 -0700)]
[SPARC64]: Do not call winfix_dax blindly
Verify we really are taking a data access exception trap, at TL1, from
one of the window spill/fill handlers.
Else call a new function, data_access_exception_tl1, to log the error.
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 26 Aug 2005 21:18:06 +0000 (14:18 -0700)]
[SPARC64]: Fix trap state reading for instruction_access_exception.
1) Read ASI_IMMU SFSR not ASI_DMMU.
2) IMMU has no SFAR, read TPC instead
3) Delete old and incorrect comment about the DTLB protection
trap having a dependency on the SFSR contents in order to
function correctly
Signed-off-by: David S. Miller <davem@davemloft.net>
Willy Tarreau [Tue, 13 Dec 2005 11:05:00 +0000 (12:05 +0100)]
[PATCH] Fix SATA update KM_IRQ issue with highmem
On Tue, Dec 13, 2005 at 12:04:51AM -0500, Jeff Garzik wrote:
> Best place to add compat defines/enums such as the proposed is
> include/linux/libata-compat.h.
This seems fair to me, particularly since it does not exist in 2.6. I've
checked that there does not seem to exist any file included after it which
need to know about kmap types (even on ia64), so it should be safe to
redefine KM_IRQ0 in libata-compat.h.
Horms [Mon, 19 Dec 2005 10:16:12 +0000 (19:16 +0900)]
[PATCH] local denial-of-service with file lease
[PATCH] VFS: local denial-of-service with file leases
Remove time_out_leases() printk that's easily triggered by users.
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Above is the signoff information for
f3a9388e4ebea57583272007311fffa26ebbb305 included in Linus's 2.6 tree.
As this is CVE-2005-3857 I am proposing its inclusion in 2.4
Signed-off-by: Horms <horms@verge.net.au>
Vijay Sampath [Sun, 18 Dec 2005 18:50:54 +0000 (10:50 -0800)]
[PATCH] MTD: kernel stuck in tight loop occasionally on flash access
We are running a Timesys modified version of the 2.4 kernel.
Occasionally we see board lockups on heavy file system and direct MTD
flash accesses. I have traced this down to a bug in the 2.4 MTD code
(chip driver to be specific) and see this problem even in the latest 2.4
kernel (2.4.32). I realize that this problem may not be seen by others
using the stock kernel, but I think it needs to be fixed anyway for
correctness.
The problem is in cfi_cmdset_0001.c, and is present in drivers for other
chips as well. In the cfi_intelext_sync() function, before
calling schedule(), the current process needs to be put to sleep by
calling set_current_state(TASK_UNINTERRUPTIBLE). If it is not put to
sleep, the task remains in the run queue of the kernel and if its
priority is high enough, the kernel will constantly keep scheduling this
process, the state of the chip will never change.
Adding this one line seems to make our lockups go away. There were
questions raised as to why TASK_UNINTERRUPTIBLE. The same driver uses
TASK_UNINTERRUPTIBLE in other similar places while waiting for hardware
to complete erasing etc. I chose the same thing.
I am not subscribed to the mailing list, so please CC me on any replies.
Signed-off-by: Vijay Sampath <vijay.sampath@aktino.com>
NeilBrown [Tue, 29 Nov 2005 12:04:13 +0000 (13:04 +0100)]
[PATCH] dcache: avoid race when updating nr_unused count of unused dentries
ChangeSet
2004/05/29 10:58:56-07:00 akpm@osdl.org
[PATCH] fs/dcache.c: avoid race when updating nr_unused count of unused dentries.
From: NeilBrown <neilb@cse.unsw.edu.au>
d_count == 1 is no guarantee that dentry is on the dentry_unused list, even
if it has just been incremented inside dcache_lock, as dput can decrement
at any time.
This test from Greg Banks is much safer, and is more transparently correct.
Cc: Maneesh Soni <maneesh@in.ibm.com>, Dipankar Sarma <dipankar@in.ibm.com>
From: Greg Banks <gnb@melbourne.sgi.com>
Signed-off-by: Neil Brown <neilb@cse.unsw.edu.au>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Marcus Meissner [Tue, 29 Nov 2005 10:59:07 +0000 (11:59 +0100)]
[PATCH] Fix sendmsg overflow (CVE-2005-2490)
Al Viro reported a flaw in sendmsg(). "When we copy 32bit ->msg_control
contents to kernel, we walk the same userland data twice without sanity
checks on the second pass. Moreover, if original looks small enough, we
end up copying to on-stack array."
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2490
Acked-by: okir@suse.de
Akira Tsukamoto [Mon, 5 Dec 2005 02:30:29 +0000 (11:30 +0900)]
[PATCH] ide: add recent ATI IXP300/400 PATA support
This patch just adds recent ATI IXP300/400 ATA133 controller to ide, atiixp.c
for 2.4 kernel.
People in my lab have been using it for a while and it seems to have no problem,
so I decided to post it here.
Signed-off-by: Akira Tsukamoto <akira-t@s9.dion.ne.jp>
Acked-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Vasily Averin [Sun, 27 Nov 2005 17:15:06 +0000 (20:15 +0300)]
[PATCH] aic7xxx: reset handler selects a wrong command
To transport scsi reset command to device aic7xxx reset handler looks at
the driver's pending_list and searches any proper command. However the
search condition has been inverted: ahc_match_scb() returns TRUE if a
matched command is found.
As a result the reset on required devices did not turn out well, a
correctly working neighbour device may be surprised by the reset.
aic7xxx reset handler reports about the success, but really the original
situation is not corrected yet.
The problem has been found first on 2.4 kernels but still it is present in
latest 2.6 drivers too.
[SCSI] aic7xxx: reset handler selects a wrong command
To transport scsi reset command to device aic7xxx reset handler looks at the
driver's pending_list and searches any proper command. However the search
condition has been inverted: ahc_match_scb() returns TRUE if a matched command
is found.
As a result the reset on required devices did not turn out well, a correctly
working neighbour device may be surprised by the reset. aic7xxx reset handler
reports about the success, but really the original situation is not corrected yet.
Signed-off-by: Vasily Averin <vvs@sw.ru>
Yan Zheng [Tue, 29 Nov 2005 10:40:10 +0000 (11:40 +0100)]
[PATCH] IPv6: fix refcnt of struct ip6_flowlabel
This looks like another potential "local DoS" since this is in
setsockopt(IPV6_FLOWLABEL_MGR). Users can cause a flow label to be
kfreed() without removing it from the socket; and then overwrite its
contents. This can trigger random kernel memory corruption.
Acked-by: okir@suse.de
Linus Torvalds [Tue, 29 Nov 2005 10:38:30 +0000 (11:38 +0100)]
[PATCH] Fix ptrace self-attach rule (2.6 backport)
Patch-mainline: v2.6.14.2
Acked-by: Karsten Keil <kkeil@suse.de>
X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/gregkh/linux-2.6.14.y.git;a=commitdiff;h=082d52c56f642d21b771a13221068d40915a1409
[PATCH] Fix ptrace self-attach rule
Before we did CLONE_THREAD, the way to check whether we were attaching
to ourselves was to just check "current == task", but with CLONE_THREAD
we should check that the thread group ID matches instead.
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Willy Tarreau [Wed, 2 Nov 2005 21:31:09 +0000 (22:31 +0100)]
[PATCH] IPv6: small fix for ip6_mc_msfilter
Multicast source filters aren't widely used yet, and that's really
the only feature that's affected if an application actually exercises
this bug, as far as I can tell. An ordinary filter-less multicast join
should still work, and only forwarded multicast traffic making use of
filters and doing empty-source filters with the MSFILTER ioctl would
be at risk of not getting multicast traffic forwarded to them because
the reports generated would not be based on the correct counts.
Initial 2.6 patch by Yan Zheng, bug explanation by David Stevens,
patch ACKed by David.
Signed-off-by: Willy Tarreau <willy@w.ods.org>
Jeff Garzik [Thu, 1 Dec 2005 21:40:40 +0000 (16:40 -0500)]
[libata] fix potential oops in pdev_printk() compat helper
Jeff Garzik [Wed, 30 Nov 2005 21:24:50 +0000 (16:24 -0500)]
[libata] fix build
Jeff Garzik [Wed, 30 Nov 2005 21:19:23 +0000 (16:19 -0500)]
[libata] resync with 2.6.15-rc3
* ->host_stop() cleanups
* remove ata_chk_err(), ->chk_err()
* many ATAPI fixes
* error handling fixes
* use stub pci_set_consistent_dma_mask(), for easier sync with 2.6.x
* use pdev_printk() for easier sync with 2.6.x dev_printk()
* PATA updates (unused for now)
* PIO updates
* ATA passthru support
* new PCI IDs
Jeff Garzik [Wed, 30 Nov 2005 18:39:59 +0000 (13:39 -0500)]
[libata] resync with 2.6.14
* Change license from OSL+GPL to GPL
* Minor additions for new hardware support
* Minor bug fixes
* __iomem markers
* EH locking cleanup (note, causes bug, which will be fixed in later cset)
* use generic pci_intx()
* use pci_iomap(), pci_iounmap()
* ata_piix: fix probe
* 'atapi_enabled' module option, replaces #define
* PIO data xfer fixes
* ATAPI interrupt handling fixes
* support START STOP UNIT scsi command
* scsi READ/WRITE translation edge case fixes
* sata_sil: go faster, on controllers without mod15write support
Jeff Garzik [Wed, 30 Nov 2005 17:33:22 +0000 (12:33 -0500)]
[libata sata_sx4] trim trailing whitespace
Preparation for resync with 2.6.14.
Jeff Garzik [Wed, 30 Nov 2005 16:23:46 +0000 (11:23 -0500)]
[libata] resync with kernel 2.6.13
Minor update, no major changes/fixes.
ahci: add MODULE_VERSION()
ata_piix: disable AHCI if active
sata_sx4: fix DMA length setting bug
bump libata/driver versions where appropriate
Akira Tsukamoto [Thu, 24 Nov 2005 18:00:05 +0000 (03:00 +0900)]
[PATCH] fix for clock running too fast
This one line patch adds upper bound testing inside timer_irq_works()
when evaluating whether irq timer works or not on boot up.
It fixes the machines having problems with the clock running too fast.
What this patch does is, if timer interrupts are running too fast through
IO-APIC IRQ, then fall back to i8259A IRQ.
Signed-off-by: Akira Tsukamoto <akira-t@s9.dion.ne.jp>
Acked-by: Ingo Molnar <mingo@elte.hu>
Adrian Bunk [Sat, 26 Nov 2005 23:36:37 +0000 (00:36 +0100)]
[PATCH] drivers/scsi/dpt_i2o.c: fix a NULL pointer dereference
The Coverity checker spotted this obvious NULL pointer dereference.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Acked-by: Mark Salyzyn <mark_salyzyn@adaptec.com>
drivers/scsi/dpt_i2o.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
Krzysztof Strasburger [Wed, 2 Nov 2005 09:43:36 +0000 (10:43 +0100)]
[PATCH] NFS server as a module with -mregparm=3
This patch makes it possible to compile the nfs server as a module, with
-mregparm=3 (at least on x86).
Such a combination did not work, as handle_sys_nfsservctl was called
from the sys_nfsservctl function (in fs/filesystems.c) with parameters
in registers, but tried to read them from the stack.
Signed-off-by: Krzysztof Strasburger
Chris Ross [Wed, 23 Nov 2005 15:56:00 +0000 (15:56 +0000)]
[PATCH] Don't panic on IDE DMA errors
Kernel 2.4.32 and earlier can panic when trying to read a corrupted
sector from an IDE disk.
The function ide_dma_timeout_retry can end a request early by calling
idedisk_error, but then goes on to use the request anyway causing a
kernel panic due to a null pointer exception. This patch fixes that.
dann frazier [Fri, 18 Nov 2005 22:42:19 +0000 (15:42 -0700)]
[PATCH] Backport of CVE-2005-2709 fix
I've backported the fix for CVE-2005-2709 to 2.4 for Debian's 2.4
sarge kernel. Below is a patch against 2.4.32, in case one hasn't been
submitted to you yet. Please apply.
CVE-2005-2709
sysctl.c in Linux kernel before 2.6.14.1 allows local users to cause a
denial of service (kernel oops) and possibly execute code by opening an
interface file in /proc/sys/net/ipv4/conf/, waiting until the interface
is unregistered, then obtaining and modifying function pointers in
memory that was used for the ctl_table.
Signed-off-by: dann frazier <dannf@debian.org>
Nick Warne [Mon, 28 Nov 2005 05:49:58 +0000 (06:49 +0100)]
[PATCH] Reintroduction i386 CONFIG_DUMMY_KEYB option
This re-activates an option making it possible to replace the PS2
keyboard driver by a dummy one still compatible with CONFIG_VT. The code
has been in the kernel for a long time, only the option was hidden ! It
also has an equivalent in 2.6.
Patch from Nick Warne <nick@linicks.net>
Signed-off-by: Willy Tarreau <willy@w.ods.org>
Adrian Bunk [Tue, 8 Nov 2005 02:02:12 +0000 (03:02 +0100)]
[PATCH] airo.c/airo_cs.c: correct prototypes
This patch creates a file airo.h containing prototypes of the global
functions in airo.c used by airo_cs.c .
If you got strange problems with either airo_cs devices or in any other
completely unrelated part of the kernel shortly or long after an airo_cs
device was detected by the kernel, this might have been caused by the
fact that caller and callee disagreed regarding the size of the first
argument to init_airo_card()...
A similar patch was already included in Linus' 2.6 tree.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Vasily Averin [Sat, 26 Nov 2005 09:23:59 +0000 (12:23 +0300)]
[PATCH] sis900: come alive after temporary memory shortage (fixed version)
I would like to inform you that unfortunately the committed patch is wrong
http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=ecf3337f76eaa94c5a771308d184dc248b74b725
+ int rx_work_limit =
+ (sis_priv->dirty_rx - sis_priv->cur_rx) % NUM_RX_DESC;
when dirty_rx = cur_rx it computes limit=0, but should be NUM_RX_DESC
Could you please drop the wrong patch and use a new one based on the version
approved by Daniele Venzano and Jeff Garzik
http://www.kernel.org/git/?p=linux/kernel/git/jgarzik/netdev-2.6.git;a=commitdiff_plain;h=7380a78a973a8109c13cb0e47617c456b6f6e1f5;hp=b2795f596932286ef12dc08857960d654f577405
sis900: come alive after temporary memory shortage
1) Forgotten counter incrementation in sis900_rx() in case
it doesn't get memory for skb, that leads to whole interface failure.
Problem is accompanied with messages:
eth0: Memory squeeze,deferring packet.
eth0: NULL pointer encountered in Rx ring, skipping
2) If counter cur_rx overflows and there'll be temporary memory problems
buffer can't be recreated later, when memory IS available.
3) Limit the work in handler to prevent the endless packets processing
if new packets are generated faster than handled.
Signed-off-by: Konstantin Khorenko <khorenko@sw.ru>
Signed-off-by: Vasily Averin <vvs@sw.ru>
Marcelo Tosatti [Sun, 27 Nov 2005 18:01:17 +0000 (12:01 -0600)]
Revert broken sis900 update
Konstantin Khorenko [Mon, 26 Sep 2005 12:40:42 +0000 (16:40 +0400)]
[PATCH] sis900: come alive after temporary memory shortage
Patch solves following problems:
1) Forgotten counter incrementation in sis900_rx() in case
it doesn't get memory for skb, that leads to whole interface failure.
Problem is accompanied with messages:
eth0: Memory squeeze,deferring packet.
eth0: NULL pointer encountered in Rx ring, skipping
2) If counter cur_rx overflows and there'll be temporary memory problems
buffer can't be recreated later, when memory IS available.
3) Limit the work in handler to prevent the endless packets processing if
new packets are generated faster than handled.
Signed-off-by: Konstantin Khorenko <khorenko@sw.ru>
Signed-off-by: Vasily Averin <vvs@sw.ru>
Karl Magnus Kolstoe [Wed, 2 Nov 2005 13:11:36 +0000 (14:11 +0100)]
[PATCH] add Pioneer DRM-624X to drivers/scsi/scsi_scan.c
The patch below made my Pioneer DRM-624X automatically be set up with
all 6 "drives". (6 slot SCSI CD changer). My DRM-604X already worked
this way.
Already merged into v2.6.
Signed-off-by: Karl Magnus Kolstø <karl.kolsto@uib.no>
Marcelo Tosatti [Fri, 18 Nov 2005 10:45:22 +0000 (04:45 -0600)]
Change VERSION to v2.4.32
Marcelo Tosatti [Mon, 7 Nov 2005 14:25:36 +0000 (08:25 -0600)]
Change VERSION to 2.4.32-rc3
Marcelo Tosatti [Tue, 1 Nov 2005 16:03:08 +0000 (14:03 -0200)]
[PATCH] only disallow _setting_ of function key string
Mikael Pettersson <mikpe@csd.uu.se> noted that the current 2.6-git (and
2.4) patch to disallow KDSKBSENT for unprivileged users should be less
restrictive allowing reading of current function key string entry, but
not writing.
Signed-off-by: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Roberto Nibali [Fri, 4 Nov 2005 09:41:57 +0000 (10:41 +0100)]
[PATCH] fix missing refcnt put with expire_nodest_conn
It seems we forgot to fix one place where ip_vs_conn_expire_now
is used. Callers should hold write lock or cp->refcnt (and not forget
it). This results in hanging template entries when expire_nodest_conn is
kicking in and trying to remove all connection entries for a specific
destination.
Julian Anastasov created a patch to fix this and asked me to forward it
for inclusion, after test and verification, which have happened the last
24 hours.
This problem also exists in 2.6.x kernels, patch will be sent to netdev.
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Roberto Nibali <ratz@drugphish.ch>
Marcelo Tosatti [Mon, 31 Oct 2005 12:44:59 +0000 (06:44 -0600)]
Change VERSION to 2.4.32-rc2
Dan Aloni [Sun, 30 Oct 2005 17:03:57 +0000 (19:03 +0200)]
[PATCH] fix memory leak in sd_mod.o
Handle freeing of sd_max_sectors in sd_exit().
Signed-off-by: Dan Aloni <da-x@monatomic.org>
Herbert Xu [Thu, 27 Oct 2005 11:47:00 +0000 (06:47 -0500)]
[PATCH] Clear stale pred_flags when snd_wnd change
This bug is responsible for causing the infamous "Treason uncloaked"
messages that have been popping up everywhere since the printk was added.
It has usually been blamed on foreign operating systems. However,
some of those reports implicate Linux as both systems are running
Linux or the TCP connection is going across the loopback interface.
In fact, there really is a bug in the Linux TCP header prediction code
that's been there since at least 2.1.8. This bug was tracked down with
help from Dale Blount.
The effect of this bug ranges from harmless "Treason uncloaked"
messages to hung/aborted TCP connections. The details of the bug
and fix are as follows.
When snd_wnd is updated, we only update pred_flags if
tcp_fast_path_check succeeds. When it fails (for example,
when our rcvbuf is used up), we will leave pred_flags with
an out-of-date snd_wnd value.
When the out-of-date pred_flags happens to match the next incoming
packet we will again hit the fast path and use the current snd_wnd
which will be wrong.
In the case of the treason messages, it just happens that the snd_wnd
cached in pred_flags is zero while tp->snd_wnd is non-zero. Therefore
when a zero-window packet comes in we incorrectly conclude that the
window is non-zero.
In fact if the peer continues to send us zero-window pure ACKs we
will continue making the same mistake. It's only when the peer
transmits a zero-window packet with data attached that we get a
chance to snap out of it. This is what triggers the treason
message at the next retransmit timeout.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Horms [Thu, 27 Oct 2005 06:36:39 +0000 (15:36 +0900)]
[PATCH] Fix infinite loop in udp_v6_get_port()
[IPV6]: Fix infinite loop in udp_v6_get_port()
This is CVE-2005-2973, and
87bf9c97b4b3af8dec7b2b79cdfe7bfc0a0a03b2 in Linus' 2.6 Git Tree.
It seems to be relevant to 2.4
[IPV6]: Fix infinite loop in udp_v6_get_port()
Original sign-off
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mine, indicating that I think it is relevant to 2.4
Signed-off-by: Horms <horms@verge.net.au>
Andrew Morton [Tue, 18 Oct 2005 04:41:48 +0000 (13:41 +0900)]
[PATCH] loadkeys requires root privileges
Signed-off-by: Andrew Morton <akpm@osdl.org>
Nick Piggin [Sat, 22 Oct 2005 14:22:44 +0000 (00:22 +1000)]
[PATCH] possible memory ordering bug in page reclaim
Is there anything that prevents PageDirty from theoretically being
speculatively loaded before page_count here? (see patch)
It would result in pagecache corruption in the following situation:
    1                           2
    find_get_page();
    write to page               write_lock(tree_lock);
    SetPageDirty();             if (page_count != 2
    put_page();                     || PageDirty())
Now I'm worried that 2 might see PageDirty *before* SetPageDirty in
1, and page_count *after* put_page in 1.
Ralf Baechle [Mon, 24 Oct 2005 22:09:08 +0000 (20:09 -0200)]
[PATCH] AX.25: signed char bug
Date: Oct 14, 2005 6:29 PM
On architectures where the char type defaults to unsigned some of the
arithmetic in the AX.25 stack fails, resulting in some packets being
dropped on receive.
Credits for tracking this down and the original patch to
Bob Brose N0QBJ <linuxhams@n0qbj-11.ampr.org>.
Signed-off-by: Ralf Baechle DL5RB <ralf@linux-mips.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
Pete Zaitcev [Sun, 23 Oct 2005 03:37:18 +0000 (20:37 -0700)]
[PATCH] usb: regression in usb-ohci
My fix for a problem in usb-ohci in 2.4.28 was simply broken.
The original problem was that the interrupt handler referenced an area below
a process' stack pointer, which worked everywhere except ia64. On ia86 such
practice causes a CPU trap.
I "fixed" it by moving the wait queue head to a place ... which was
freed immediately afterwards. I really have no idea what I was thinking.
It's not even a race of any sort, the code references a freed area
completely in sequence.
This patch is a sort of a two-step. First, it undoes what I did and returns
to the code in 2.4.27. Next, it puts a spinlock around the remove_wait_queue.
This ought to be safe for the vast majority of systems, and possibly fixes
the issue with ia64 (it was sort of hard to reproduce: it only happened on
an Altix).
My testing was light, but since the fix mostly reverts the broken patch,
I think it can go into the next test, -pre, or -rc release.
-- Pete
Aleksey Gorelov [Tue, 27 Sep 2005 02:47:18 +0000 (19:47 -0700)]
[PATCH] asus vt8235 router buggy bios workaround
Here is backport to 2.4 for fix to
http://bugzilla.kernel.org/show_bug.cgi?id=5235.
Similar problem has been reported before here:
http://groups.google.com/group/linux.kernel/browse_thread/thread/def4ca19dbc3cd4/5cffbf349f2c87a4?tvc=2&q=Aleksey+Gorelov&hl=en#5cffbf349f2c87a4
and was related to bug in BIOS reporting 82C686 router compatible to
586.
I suspect BIOS on this board has similar issue: reports VT8235 router to
be compatible with 586 one - which is obviously not true. Patch from the
link above has already been incorporated in both 2.6 & 2.4 series, but might
not work in this particular case.
Signed-off-by: Aleksey Gorelov <aleksey_gorelov@phoenix.com>
Willy Tarreau [Tue, 11 Oct 2005 22:16:28 +0000 (00:16 +0200)]
[PATCH] Fix jiffies overflow in delay.h
There are several multiply overflows in delay.h:msecs_to_jiffies(). The
first one is the call to jiffies_to_msecs(MAX_JIFFY_OFFSET) which will
multiply MAX_JIFFY_OFFSET by (1000/HZ) or by 1000 during conversion,
while it was already high (~0UL>>1)-1 ... Needless to say that it's
wrong below 500 HZ and for all values not multiple of 1000 or which
don't divide 1000.
The second overflow can happen a few lines later, but this time on the
argument. The fix consists in defining a constant (macro) which depends
on HZ and fixes the absolute maximal value which we guarantee will not
produce an overflow. Fortunately, I've found no user of msecs_to_jiffies()
in mainline, although sys_poll() could benefit from it in order to avoid
a useless divide in the fast path.
But I think that the code needs be fixed anyway, considering that it
had been inherited by 2.6 for which I proposed the same fix. And it
is possible that some external patches use it.
Horms [Fri, 30 Sep 2005 02:47:58 +0000 (19:47 -0700)]
[IPVS]: Add netdev and me as maintainer contacts
Signed-off-by: Horms <horms@verge.net.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Marcus Sundberg [Fri, 30 Sep 2005 00:35:16 +0000 (17:35 -0700)]
[NETFILTER]: this patch fixes a compilation issue with gcc 3.4.3.
Signed-off-by: Marcus Sundberg <marcus@ingate.com>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Denis Lukianov [Fri, 30 Sep 2005 00:34:02 +0000 (17:34 -0700)]
[MCAST]: Fix MCAST_EXCLUDE line dupes
Signed-off-by: Denis Lukianov <denis@voxelsoft.com>
Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Julian Anastasov [Fri, 30 Sep 2005 00:32:59 +0000 (17:32 -0700)]
[IPVS]: really invalidate persistent templates
Agostino di Salle noticed that persistent templates are not
invalidated due to buggy optimization.
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Julian Anastasov [Fri, 30 Sep 2005 00:32:25 +0000 (17:32 -0700)]
[IPVS]: ip_vs_ftp breaks connections using persistence
ip_vs_ftp when loaded can create NAT connections with unknown
client port for passive FTP. For such expectations we lookup with
cport=0 on incoming packet but it matches the format of the persistence
templates causing packets to other persistent virtual servers to be
forwarded to real server without creating connection. Later the
reply packets are treated as foreign and not SNAT-ed.
This patch changes the connection lookup for packets from
clients:
* introduce IP_VS_CONN_F_TEMPLATE connection flag to mark the
connection as template
* create new connection lookup function just for templates - ip_vs_ct_in_get
* make sure ip_vs_conn_in_get hits only connections with
IP_VS_CONN_F_NO_CPORT flag set when s_port is 0. By this way
we avoid returning template when looking for cport=0 (ftp)
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexey Kuznetsov [Fri, 30 Sep 2005 00:28:26 +0000 (17:28 -0700)]
[TCP]: Don't over-clamp window in tcp_clamp_window()
From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Handle better the case where the sender sends full sized
frames initially, then moves to a mode where it trickles
out small amounts of data at a time.
This known problem is even mentioned in the comments
above tcp_grow_window() in tcp_input.c, specifically:
...
* The scheme does not work when sender sends good segments opening
* window and then starts to feed us spagetti. But it should work
* in common situations. Otherwise, we have to rely on queue collapsing.
...
When the sender gives full sized frames, the "struct sk_buff" overhead
from each packet is small. So we'll advertize a larger window.
If the sender moves to a mode where small segments are sent, this
ratio becomes tilted to the other extreme and we start overrunning
the socket buffer space.
tcp_clamp_window() tries to address this, but its clamping of
tp->window_clamp is a wee bit too aggressive for this particular case.
Fix confirmed by Ion Badulescu.
Signed-off-by: David S. Miller <davem@davemloft.net>
Horms [Thu, 22 Sep 2005 02:30:25 +0000 (11:30 +0900)]
[PATCH] CAN-2005-0204: AMD64, allows local users to write to privileged IO ports via OUTS instruction
Description: [CAN-2005-0204]: AMD64, allows local users to write to privileged IO ports via OUTS instruction
Patch author: Suresh Siddha (suresh.b.siddha@intel.com)
Upstream status: not applied
URL: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146244
Patch source: Micah Anderson <micah@riseup.net> (debian-kernel)
Added definition of IO_BITMAP_BYTES for Debian's 2.4.27 and
submitted upstream for consideration for inclusion in 2.4 -- Horms
Marcelo Tosatti [Thu, 22 Sep 2005 19:53:03 +0000 (16:53 -0300)]
NFS: dprintk on -ENAMETOOLONG error handling
Assar [Wed, 14 Sep 2005 20:59:25 +0000 (16:59 -0400)]
[PATCH] nfs client: handle long symlinks properly
In 2.4.31, the v2/3 nfs readlink accepts too long symlinks.
I have tested this by having a server return long symlinks.
diff -u linux-2.4.31.orig/fs/nfs/nfs2xdr.c linux-2.4.31/fs/nfs/nfs2xdr.c
M.Baris Demiray [Mon, 22 Aug 2005 21:38:50 +0000 (21:38 +0000)]
[PATCH] Update PPPoE's configuration documentation
Following trivial patch updates the CONFIG_PPPOE option's
documentation.
o Update CONFIG_PPPOE option's documentation since ppp version
2.4.2 is already released (with PPPoE plug-in) and there is
no need for a CVS checkout anymore
Signed-off-by: M.Baris Demiray <baris@labristeknoloji.com>
diff --git a/Documentation/Configure.help b/Documentation/Configure.help
Kiyoshi Ueda [Tue, 13 Sep 2005 14:15:57 +0000 (10:15 -0400)]
[PATCH] IA64: page_not_present fault in region 5 is normal
Attached is a patch for the latest 2.4 tree
which is semantically identical to what was included in 2.6.
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=63028aa7f581d9d4e6889f9dc06ded2534250a76
Without this patch, exception handler can be unexpectedly invoked for
page-not-present fault in region 5 and cause panic etc.
Could you apply the attached patch to 2.4?
We tested the patch on 2.4.29 + linux-2.4.29-ia64-050312 patch
which is the latest version working on ia64.
Excerpt from ChangeLog-2.6.14-rc1:
When copying data from user-space to kernel-space by __copy_user(),
a page_not_present fault sometimes occurs at vmalloced kernel address
because of VHPT pre-fetching.
Ignore the page_not_present fault in ia64_do_page_fault() before
jumping into exception handlers.
Signed-off-by: Kiyoshi Ueda <k-ueda@ct.jp.nec.com>
Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
diff --git a/arch/ia64/mm/fault.c b/arch/ia64/mm/fault.c
Marcelo Tosatti [Mon, 19 Sep 2005 14:58:47 +0000 (11:58 -0300)]
Update VERSION to 2.4.32-rc1
Kirill Korotaev [Fri, 9 Sep 2005 09:59:48 +0000 (13:59 +0400)]
[PATCH] Lost sockfd_put() in routing_ioctl()
This patch adds lost sockfd_put() in 32bit compat routing_ioctl() on
64bit platforms
I believe this is a security issue, since user can fget() file as many
times as he wants to. So file refcounter can be overlapped and first
fput() will free resources though there will be still structures
pointing to the file, mnt, dentry etc.
Also fput() sets f_dentry and f_vfsmnt to NULL,
so other file users will OOPS.
The oops can be done under files_lock and others, so this can be an
exploitable DoS on SMP. Didn't check it in practice actually.
Signed-Off-By: Kirill Korotaev <dev@sw.ru>
Signed-Off-By: Maxim Giryaev <gem@sw.ru>
diff --git a/arch/ppc64/kernel/ioctl32.c b/arch/ppc64/kernel/ioctl32.c
Kirill Korotaev [Fri, 9 Sep 2005 09:26:16 +0000 (13:26 +0400)]
[PATCH] lost fput in 32bit ioctl on x86-64
This patch adds lost fput in 32bit tiocgdev ioctl on x86-64
I believe this is a security issue, since user can fget() file as many
times as he wants to. So file refcounter can be overlapped and first
fput() will free resources though there will be still structures
pointing to the file, mnt, dentry etc.
Also fput() sets f_dentry and f_vfsmnt to NULL,
so other file users will OOPS.
The oops can be done under files_lock and others, so this is really
exploitable DoS on SMP. Didn't check it in practice actually.
Signed-Off-By: Kirill Korotaev <dev@sw.ru>
Signed-Off-By: Maxim Giryaev <gem@sw.ru>
diff --git a/arch/x86_64/ia32/ia32_ioctl.c b/arch/x86_64/ia32/ia32_ioctl.c
Patrick McHardy [Wed, 7 Sep 2005 03:01:15 +0000 (20:01 -0700)]
[NETFILTER]: Handle NAT module load race
When the NAT module is loaded when connections are already confirmed
it must not change their tuples anymore. This is especially important
with CONFIG_NETFILTER_DEBUG, the netfilter listhelp functions will
refuse to remove an entry from a list when it can not be found on
the list, so when a changed tuple hashes to a new bucket the entry
is kept in the list until and after the conntrack is freed.
Allocate the exact conntrack tuple for NAT for already confirmed
connections or drop them if that fails.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Marcelo Tosatti [Sat, 3 Sep 2005 22:42:00 +0000 (19:42 -0300)]
[PATCH] Andrea Arcangeli: avoid size_buffers_type overflow
size_buffers_type array, which is an unsigned long, can overflow
on 32-bits: it's perfectly possible for PAE machines to have more
than 4Gb of data mapped by buffer_head's at the same time.
Avoid that by accounting 1/512 of the real size (size >> 9).
Chuck Ebbert [Mon, 22 Aug 2005 23:43:57 +0000 (19:43 -0400)]
[PATCH] i386: fix incorrect FP signal delivery
i386 floating-point exception handling has a bug that can cause error
code 0 to be sent instead of the proper code during signal delivery.
This is caused by unconditionally checking the IS and C1 bits from the
FPU status word when they are not always relevant. The IS bit tells
whether an exception is a stack fault and is only relevant when the
exception is IE (invalid operation.) The C1 bit determines whether a
stack fault is overflow or underflow and is only relevant when IS and IE
are set.
diff --git a/arch/i386/kernel/traps.c b/arch/i386/kernel/traps.c
Marcelo Tosatti [Tue, 23 Aug 2005 20:43:26 +0000 (17:43 -0300)]
Merge /pub/scm/linux/kernel/git/davem/net-2.4
Dave Johnson [Tue, 23 Aug 2005 16:09:00 +0000 (09:09 -0700)]
[IPV4]: Fix negative timer loop with lots of ipv4 peers.
From: Dave Johnson <djohnson+linux-kernel@sw.starentnetworks.com>
Found this bug while doing some scaling testing that created 500K inet
peers.
peer_check_expire() in net/ipv4/inetpeer.c isn't using inet_peer_gc_mintime
correctly and will end up creating an expire timer with less than the
minimum duration, and even zero/negative if enough active peers are
present.
If >65K peers, the timer will be less than inet_peer_gc_mintime, and with
>70K peers, the timer duration will reach zero and go negative.
The timer handler will continue to schedule another zero/negative timer in
a loop until peers can be aged. This can continue for at least a few
minutes or even longer if the peers remain active due to arriving packets
while the loop is occurring.
Bug is present in both 2.4 and 2.6. Same patch will apply to both just
fine.
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gustavo Zacarias [Mon, 22 Aug 2005 20:31:24 +0000 (13:31 -0700)]
[SPARC64]: Use vmalloc() in do_netfilter_replace()
Otherwise the number of rules one can upload into the kernel
is severely limited.
Signed-off-by: David S. Miller <davem@davemloft.net>
mikem [Mon, 15 Aug 2005 21:17:50 +0000 (16:17 -0500)]
[PATCH] cciss 2.4.60
This patch
1) adds support for next series of Smart Array controllers.
2) bumps version to 2.4.60.
3) changes our copyright dates.
4) adds code to bind to any HP controller with a cciss signature.
Built against 2.4.31. Please consider this for inclusion.
Signed-off-by: Mike Miller
Documentation/cciss.txt | 6 ++++
drivers/block/cciss.c | 60 ++++++++++++++++++++++++++++++++++++++----------
include/linux/pci_ids.h | 4 +++
3 files changed, 57 insertions(+), 13 deletions(-)
Hasso Tepper [Fri, 19 Aug 2005 20:07:09 +0000 (13:07 -0700)]
[IPV6]: Route events reported with wrong netlink PID and seq number
Attached is backport of patch from jamal already in the 2.6 kernel -
It would be very nice to see it in the 2.4 kernel as well, as I keep
receiving reports from users that "Quagga IPv6 is broken with 2.4 kernel".
Signed-off-by: David S. Miller <davem@davemloft.net>
Marcelo Tosatti [Fri, 19 Aug 2005 12:49:12 +0000 (09:49 -0300)]
Revert unnecessary arch/ppc64/boot/zlib.c
It turns out that empty distance code tables are not an error, and that
a compressed block with only literals can validly have an empty table
and should not be flagged as a data error.
Some old versions of gzip had problems with this case, but it does not
affect the zlib code in the kernel.
Analysis and explanations thanks to Sergey Vlasov <vsu@altlinux.ru>
Marcelo Tosatti [Thu, 18 Aug 2005 18:44:34 +0000 (15:44 -0300)]
Revert unnecessary zlib_inflate/inftress.c fix
It turns out that empty distance code tables are not an error, and that
a compressed block with only literals can validly have an empty table
and should not be flagged as a data error.
Some old versions of gzip had problems with this case, but it does not
affect the zlib code in the kernel.
Analysis and explanations thanks to Sergey Vlasov <vsu@altlinux.ru>
Andrey J. Melnikoff (TEMHOTA [Thu, 18 Aug 2005 12:01:14 +0000 (16:01 +0400)]
[PATCH] Remove isofs useless unsigned " < 0" comparison
This patch fixes gcc-3.4 warnings by removing the useless "if (ivalue < 0)"
comparison.
Jean Delvare [Sun, 14 Aug 2005 15:09:33 +0000 (17:09 +0200)]
[PATCH] update lm_sensors mailing list address
The lm_sensors project changed mailing lists.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Horms [Tue, 16 Aug 2005 08:38:09 +0000 (17:38 +0900)]
[PATCH] isofs driver ignore parameters
It seems that Alexander Pytlev's original (simple) patch was correct.
Without it the logic looks a bit like this.
while (...) {
	if iocharset
		...
	else if map
		...
	if session
		...
	if sbsector
		...
	else if check
		...
	...
	else
		return 1;
}
Now, if iocharset, map or session are matched, then none of the if or
else if clauses under sbsector will match (that is none of these clauses
match iocharset, map or session), and thus the else clause will be hit,
and the function will return 1 without parsing any further options.
With Alexander's fix, the if session and if sbsector clauses
become else if, and it's easy to see that the return 1 won't
be prematurely called.
I have tested that this patch works using the testcase options
iocharset=koi8-r,gid=100, and checking that gid is set correctly
with the patch, and incorrectly without.
Here is the patch and signoff again, just for the record.
I will send a second patch to clean up the *value = 0 code
that Marcelo cast concerns over - it's bogus but harmless.
Signed-off-by: Horms <horms@verge.net.au>
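The control flow described in the commit message above, modelled in user space as an added example (not code from the patch or the kernel). The struct, the function names and the reduced option set are assumptions; only the shape of the if/else-if chain and the test string come from the message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the isofs mount options; field names are assumptions. */
struct iso_opts {
	char iocharset[16];
	char map, check;
	int session, sbsector, gid;
};

typedef int (*step_fn)(const char *k, const char *v, struct iso_opts *o);

/* Before the fix: "if session" and "if sbsector" each start a new chain. */
static int step_before(const char *k, const char *v, struct iso_opts *o)
{
	if (!strcmp(k, "iocharset"))
		snprintf(o->iocharset, sizeof(o->iocharset), "%s", v);
	else if (!strcmp(k, "map"))
		o->map = v[0];
	if (!strcmp(k, "session"))
		o->session = atoi(v);
	if (!strcmp(k, "sbsector"))
		o->sbsector = atoi(v);
	else if (!strcmp(k, "check"))
		o->check = v[0];
	else if (!strcmp(k, "gid"))
		o->gid = atoi(v);
	else
		return 1;	/* also reached after iocharset, map or session matched */
	return 0;
}

/* After the fix: a single chain, so the final else means "no clause matched". */
static int step_after(const char *k, const char *v, struct iso_opts *o)
{
	if (!strcmp(k, "iocharset"))
		snprintf(o->iocharset, sizeof(o->iocharset), "%s", v);
	else if (!strcmp(k, "map"))
		o->map = v[0];
	else if (!strcmp(k, "session"))
		o->session = atoi(v);
	else if (!strcmp(k, "sbsector"))
		o->sbsector = atoi(v);
	else if (!strcmp(k, "check"))
		o->check = v[0];
	else if (!strcmp(k, "gid"))
		o->gid = atoi(v);
	else
		return 1;
	return 0;
}

/* Split "a=b,c=d", feed each option to step, stop when step returns 1. */
static int gid_after_parse(const char *options, step_fn step)
{
	struct iso_opts o;
	char buf[128], *p, *next, *eq;

	memset(&o, 0, sizeof(o));
	snprintf(buf, sizeof(buf), "%s", options);
	for (p = buf; p && *p; p = next) {
		const char *val = "";
		if ((next = strchr(p, ',')) != NULL)
			*next++ = '\0';
		if ((eq = strchr(p, '=')) != NULL) { *eq = '\0'; val = eq + 1; }
		if (step(p, val, &o))
			break;
	}
	return o.gid;
}
```

With the test string from the message, the pre-fix chain leaves gid at its zero default because parsing ends at iocharset; reversing the option order hides the problem.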
Marcelo Tosatti [Tue, 9 Aug 2005 01:15:09 +0000 (22:15 -0300)]
Change VERSION to v2.4.32-pre3
Willy TARREAU [Sun, 7 Aug 2005 06:10:42 +0000 (08:10 +0200)]
[PATCH] fix potential NULL dereferences in several serial driver methods (Julien Tinnes)
These patches from Julien Tinnes fix *potential* NULL dereferences in several
serial drivers. Although their known callers can't pass NULL, we cannot tell
about unknown callers (non-mainline patches), so it's safer to check.
Marcelo Tosatti [Sun, 7 Aug 2005 23:28:47 +0000 (20:28 -0300)]
Change VERSION to v2.4.32-pre2
Linus Torvalds [Sat, 6 Aug 2005 18:33:11 +0000 (11:33 -0700)]
[PATCH] PATCH: Fix outstanding gzip/zlib security issues
commit 243393c90f2b7cb781fd794e22786e9c8547901a
Add fakey 'deflateBound()' function to the in-kernel zlib routines
It's not the real deflateBound() in newer zlib libraries, partly because
the upcoming usage of it won't have the "stream" available, so we can't
have the same interfaces anyway.
commit fab5a60a29f98f17256a4183e34a414f6db67569
This uses the new deflateBound() thing to sanity-check the input to the
zlib decompressor before we even bother to start reading in the blocks.
Problem noted by Tim Yamin <plasmaroo@gentoo.org>
author Linus Torvalds <torvalds@g5.osdl.org>
Lars Marowsky-Bree [Sat, 6 Aug 2005 22:26:00 +0000 (19:26 -0300)]
[PATCH] fix oops when starting md multipath 2.4 kernel
The device major/minor numbers no longer match up values recorded in the
descriptor array in the md superblock. Because of the exception made in
the current code, the descriptor entries are removed and although the
real devices are present and accounted for, they are kicked out from
the array. This leaves the array with zero devices. When multipath_run()
is invoked, it blows up expecting to have had some disks.
Lars Marowsky-Bree suggested some patches for md multipath in 2002 but
never made it to mainline 2.4 kernel:
http://marc.theaimsgroup.com/?l=linux-kernel&m=103355467608953&w=2
That patch is large and most of it is not required for this particular
problem. The section that reinitializes the descriptor array from
current rdevs for the case of multipath will resolve this issue of
device names shift.
bdupree@techfinesse.com [Fri, 5 Aug 2005 20:38:19 +0000 (15:38 -0500)]
[PATCH] Fix Alpha AXP Cabriolet build
This humble acolyte runs a couple of ancient Alpha AXP 21064 boxes (using
Debian Sarge), and recently when upgrading the kernel from 2.4.18 to
2.4.31 (compiling vanilla sources off of www.kernel.org) I found that the
build would fail when linking the kernel binary. The error was an
unresolved reference to:
ns87312_enable_ide()
The Alpha variant used was "Cabriolet." The Cabriolets are rather old,
circa 1995 or '96, motherboards based around the 21064, so I doubt that
there are many of them still running, but I like mine just the same ;-)
Anyhow, a simple one line fix to the arch/alpha/kernel/Makefile solves
this problem (patch file is attached). I've also attached the config file
I used for the build, as well as the boot messages from the kernel built
after the patch was applied.
deep-blue@t-online.de [Sat, 6 Aug 2005 17:58:47 +0000 (14:58 -0300)]
[PATCH] fix RedBlackTree rb_next/rb_prev functions
I have found a bug in the source of rbtree.c file in /lib. In Kernel 2.6 it's
ok, but 2.4.31 has this error.
We try to use it with the jffs2 source code and only with this fix it works
fine.
Signed-off-by: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
Alan Stern [Fri, 29 Jul 2005 14:03:17 +0000 (10:03 -0400)]
[PATCH] Revert USB UHCI changes
On Thu, 28 Jul 2005, Johannes Erdfelt wrote:
> Am I missing something here? We're certainly adding TDs to the schedule, so
> why is this patch setting the QH bit?
This is pretty embarrassing. I didn't realize that the 2.4 driver uses
TDs to mark interrupt queues. (2.6 uses QHs, which makes more sense.)
Of course, if I had done better testing the problem would have shown up
right away.
So please accept my apology, the UHCI part of that patch was completely
wrong. Below is another patch to revert it. The lesson is clear -- from
now on I'll leave the 2.4 driver alone!
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Aaron Grothe [Thu, 28 Jul 2005 11:42:23 +0000 (21:42 +1000)]
[PATCH] Fix XTEA implementation
The XTEA implementation was incorrect due to a misinterpretation of
operator precedence. Because of the wide-spread nature of this
error, the erroneous implementation will be kept, albeit under the
new name of XETA.
Signed-off-by: Aaron Grothe <ajgrothe@yahoo.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Harald Welte [Fri, 29 Jul 2005 12:47:43 +0000 (14:47 +0200)]
[PATCH] Remove bogus declaration of ipt_mutex
Fix compiler error (gcc-4.0) for bogus declaration of ipt_mutex
Signed-off-by: Harald Welte <laforge@netfilter.org>
diff -Nru linux-2.4.31/include/linux/netfilter_ipv4/ip_tables.h linux-2.4.32-pre2/include/linux/netfilter_ipv4/ip_tables.h
Aleksey Gorelov [Fri, 29 Jul 2005 22:04:29 +0000 (15:04 -0700)]
[PATCH] Fix incorrect Asus k7m irq router detection
Here is 2.4 version of a patch submitted earlier for 2.6 by Giancarlo
Formicuccia.
this patch:
http://marc.theaimsgroup.com/?l=bk-commits-head&m=111955644929114&w=2
uncovered a k7m bios bug, where the VT82C686A router is reported as
being "586-compatible". The two chips have different pirq mapping, so
this leads to "irq routing conflict" on many pci devices.
Patch for 2.4.32-pre2
Signed-off-by: Aleksey Gorelov <aleksey_gorelov@phoenix.com>
diff --git a/arch/i386/kernel/pci-irq.c b/arch/i386/kernel/pci-irq.c
Horms [Tue, 2 Aug 2005 07:16:51 +0000 (16:16 +0900)]
[PATCH] ppc32: stop misusing ntps time_offset value
v2.4 backport
Signed-off-by: Horms <horms@verge.net.au>
From: john stultz <johnstul@us.ibm.com>
Date: Fri, 1 Jul 2005 05:08:54 +0000 (+1000)
Subject: [PATCH] ppc32: stop misusing ntps time_offset value
X-Git-Tag: v2.6.12.3
X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/gregkh/linux-2.6.12.y.git;a=commitdiff;h=8f399a7448e0b58eae969426f61b7e81d55d2639
[PATCH] ppc32: stop misusing ntps time_offset value
As part of my timeofday rework, I've been looking at the NTP code and I
noticed that the PPC architecture is apparently misusing the NTP's
time_offset (it is a terrible name!) value as some form of timezone offset.
This could cause problems when time_offset changed by the NTP code. This
patch changes the PPC code so it uses a more clear local variable:
timezone_offset.
Signed-off-by: John Stultz <johnstul@us.ibm.com>
Acked-by: Tom Rini <trini@kernel.crashing.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
John W. Linville [Wed, 3 Aug 2005 18:59:57 +0000 (14:59 -0400)]
[PATCH] i810_audio: use MMIO on systems that support it
Use MMIO accesses for devices that support it. This also enables
MMIO-only configurations.
Acked-by: Jeff Garzik <jgarzik@pobox.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
John W. Linville [Wed, 3 Aug 2005 18:36:35 +0000 (14:36 -0400)]
[PATCH] i810_audio: offset LVI from CIV to avoid stalled start
Offset LVI past CIV when starting DAC/ADC in order to prevent
stalled start.
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Thomas Voegtle <tv@lio96.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Ju, Seokmann [Thu, 4 Aug 2005 21:09:22 +0000 (17:09 -0400)]
[PATCH] megaraid2 v2.10.10.1
This patch contains accumulated changes over the time.
Description of the changes.
### Version 2.10.10.1
Thu Jan 27 15:59:59 EDT 2005 - Seokmann Ju <sju@lsil.com>
1. There was a bug in the 'megadev_ioctl()' function that caused a random
deletion error; it has been fixed.
### Version 2.10.10.0
Fri Jan 21 15:59:59 EDT 2005 - Seokmann Ju <sju@lsil.com>
1. Fixed Tape drive issue : For any Direct CDB command to physical
device including tape, timeout value set by driver was 10 minutes. With
this value, most of command will return within timeout. However, for
those command like ERASE or FORMAT, it takes more than an hour depends
on capacity of the device and the command could be terminated before
it completes. To address this issue, the 'timeout' field in the DCDB
command will have NO TIMEOUT (i.e., 4) value as its timeout on DCDB
command.
2. Added NEC ROMB support : NEC MegaRAID PCI Express ROMB
controller
### Version 2.10.9.0
Fri Aug 13 15:59:59 EDT 2004 - Rajesh Prabhakaran <rajeshpr@lsil.com>
1. Added Support for 64-applications : mega_ioctl function and
nitioctl_t struct were changed to accommodate 64-bit addressing.
Signed-off-by: Seokmann Ju <seokmann.ju@lsil.com>
diff -Naur old/drivers/scsi/megaraid2.c new/drivers/scsi/megaraid2.c
Marcelo Tosatti [Fri, 5 Aug 2005 20:11:36 +0000 (17:11 -0300)]
Merge /pub/scm/linux/kernel/git/davem/net-2.4
Patrick McHardy [Mon, 1 Aug 2005 03:19:18 +0000 (20:19 -0700)]
[NETFILTER]: Use correct byteorder in ICMP NAT
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Mon, 1 Aug 2005 03:19:02 +0000 (20:19 -0700)]
[NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Mon, 1 Aug 2005 03:18:03 +0000 (20:18 -0700)]
[NETFILTER]: Fix ip6t_LOG sit tunnel logging
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Mon, 1 Aug 2005 03:17:31 +0000 (20:17 -0700)]
[NETFILTER]: Restore netfilter assumption in IPv6 multicast
Netfilter assumes that skb->data == skb->nh.ipv6h
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Mon, 1 Aug 2005 03:16:50 +0000 (20:16 -0700)]
[NETFILTER]: Fix deadlock with ip_queue/ip6_queue
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Mon, 1 Aug 2005 03:16:20 +0000 (20:16 -0700)]
[NETFILTER]: Ignore PSH on SYN/ACK in ipt_unclean
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Marcelo Tosatti [Tue, 26 Jul 2005 16:01:08 +0000 (13:01 -0300)]
Merge ... /linux/kernel/git/davem/net-2.4.git
Neil Horman [Tue, 26 Jul 2005 20:30:06 +0000 (13:30 -0700)]
[IPVS]: Close race conditions on ip_vs_conn_tab list modification
In an smp system, it is possible for a connection timer to expire, calling
ip_vs_conn_expire while the connection table is being flushed, before
ct_write_lock_bh is acquired.
Since the list iterator loop in ip_vs_conn_flush releases and re-acquires the
spinlock (even though it doesn't re-enable softirqs), it is possible for the
expiration function to modify the connection list, while it is being traversed
in ip_vs_conn_flush.
The result is that the next pointer gets set to NULL, and subsequently
dereferenced, resulting in an oops.
Signed-off-by: Neil Horman <nhorman@redhat.com>
Acked-by: Julian Anastasov
Signed-off-by: David S. Miller <davem@davemloft.net>