git.osdn.net Git - linux-kernel-docs/linux-2.4.36.git/log

[PATCH] NFS server as a module with -mregparm=3

This patch makes it possible to compile the nfs server as a module, with
-mregparm=3 (at least on x86).

Such a combination did not work, as handle_sys_nfsservctl was called
from the sys_nfsservctl function (in fs/filesystems.c) with parameters
in registers, but tried to read them from the stack.

Signed-off-by: Krzysztof Strasburger

[PATCH] Don't panic on IDE DMA errors

Kernel 2.4.32 and earlier can panic when trying to read a corrupted
sector from an IDE disk.

The function ide_dma_timeout_retry can end a request early by calling
idedisk_error, but then goes on to use the request anyway causing a
kernel panic due to a null pointer exception. This patch fixes that.

[PATCH] Backport of CVE-2005-2709 fix

I've backported the fix for CVE-2005-2709 to 2.4 for Debian's 2.4
sarge kernel. Below is a patch against 2.4.32, in case one hasn't been
submitted to you yet. Please apply.

CVE-2005-2709

sysctl.c in Linux kernel before 2.6.14.1 allows local users to cause a
denial of service (kernel oops) and possibly execute code by opening an
interface file in /proc/sys/net/ipv4/conf/, waiting until the interface
is unregistered, then obtaining and modifying function pointers in
memory that was used for the ctl_table.

Signed-off-by: dann frazier <dannf@debian.org>

[PATCH] Reintroduction i386 CONFIG_DUMMY_KEYB option

This re-activates an option making it possible to replace the PS2
keyboard driver by a dummy one still compatible with CONFIG_VT. The code
has been in the kernel for a long time, only the option was hidden ! It
also has an equivalent in 2.6.

Patch from Nick Warne <nick@linicks.net>
Signed-off-by: Willy Tarreau <willy@w.ods.org>

[PATCH] airo.c/airo_cs.c: correct prototypes

This patch creates a file airo.h containing prototypes of the global
functions in airo.c used by airo_cs.c .

If you got strange problems with either airo_cs devices or in any other
completely unrelated part of the kernel shortly or long after a airo_cs
device was detected by the kernel, this might have been caused by the
fact that caller and callee disagreed regarding the size of the first
argument to init_airo_card()...

A similar patch was already included in Linus' 2.6 tree.

Signed-off-by: Adrian Bunk <bunk@stusta.de>

[PATCH] sis900: come alive after temporary memory shortage (fixed version)

I would like to inform you that unfortunately the committed patch is wrong
http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=ecf3337f76eaa94c5a771308d184dc248b74b725

+ int rx_work_limit =
+ (sis_priv->dirty_rx - sis_priv->cur_rx) % NUM_RX_DESC;

when dirty_rx = cur_rx it computes limit=0, but should be NUM_RX_DESC

Could you please drop the wrong patch and use a new one based on the version
approved by Daniele Venzano and Jeff Garzik
http://www.kernel.org/git/?p=linux/kernel/git/jgarzik/netdev-2.6.git;a=commitdiff_plain;h=7380a78a973a8109c13cb0e47617c456b6f6e1f5;hp=b2795f596932286ef12dc08857960d654f577405

  sis900: come alive after temporary memory shortage

  1) Forgotten counter incrementation in sis900_rx() in case
       it doesn't get memory for skb, that leads to whole interface failure.
       Problem is accompanied with messages:
      eth0: Memory squeeze,deferring packet.
      eth0: NULL pointer encountered in Rx ring, skipping

  2) If counter cur_rx overflows and there'll be temporary memory problems
       buffer can't be recreated later, when memory IS available.

  3) Limit the work in handler to prevent the endless packets processing
     if new packets are generated faster then handled.

Signed-off-by: Konstantin Khorenko <khorenko@sw.ru>
Signed-off-by: Vasily Averin <vvs@sw.ru>

Revert broken sis900 update

[PATCH] sis900: come alive after temporary memory shortage

Patch solves following problems:
1) Forgotten counter incrementation in sis900_rx() in case
      it doesn't get memory for skb, that leads to whole interface failure.
      Problem is accompanied with messages:
     eth0: Memory squeeze,deferring packet.
     eth0: NULL pointer encountered in Rx ring, skipping
2) If counter cur_rx overflows and there'll be temporary memory problems
      buffer can't be recreated later, when memory IS avaliable.
3) Limit the work in handler to prevent the endless packets processing if
      new packets are generated faster then handled.

Signed-off-by: Konstantin Khorenko <khorenko@sw.ru>
Signed-off-by: Vasily Averin <vvs@sw.ru>

[PATCH] add Pioneer DRM-624X to drivers/scsi/scsi_scan.c

The patch below made my Pioneer DRM-624X automatically be set up with
all 6 "drives". (6 slot SCSI CD changer). My DRM-604X already worked
this way already.

Already merged into v2.6.

Signed-off-by: Karl Magnus Kolstø <karl.kolsto@uib.no>

Change VERSION to v2.4.32

Change VERSION to 2.4.32-rc3

[PATCH] only disallow _setting_ of function key string

Mikael Pettersson <mikpe@csd.uu.se> noted that the current 2.6-git (and
2.4) patch to disallow KDSKBSENT for unpriviledged users should be less
restrictive allowing reading of current function key string entry, but
not writing.

Signed-off-by: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>

[PATCH] fix missing refcnt put with expire_nodest_conn

It seems we forgot to fix one place where ip_vs_conn_expire_now
is used. Callers should hold write lock or cp->refcnt (and not forget
it). This results in hanging template entries when expire_nodest_conn is
kicking in and trying to remove all connection entries for a specific
destination.

Julian Anastasov created a patch to fix this and asked me to forward it
for inclusion, after test and verification, which have happened the last
24 hours.

This problem also exists in 2.6.x kernels, patch will be sent to netdev.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Roberto Nibali <ratz@drugphish.ch>

Change VERSION to 2.4.32-rc2

[PATCH] fix memory leak in sd_mod.o

Handle freeing of sd_max_sectors in sd_exit().

Signed-off-by: Dan Aloni <da-x@monatomic.org>

[PATCH] Clear stale pred_flags when snd_wnd change

This bug is responsible for causing the infamous "Treason uncloaked"
messages that's been popping up everywhere since the printk was added.
It has usually been blamed on foreign operating systems.  However,
some of those reports implicate Linux as both systems are running
Linux or the TCP connection is going across the loopback interface.

In fact, there really is a bug in the Linux TCP header prediction code
that's been there since at least 2.1.8.  This bug was tracked down with
help from Dale Blount.

The effect of this bug ranges from harmless "Treason uncloaked"
messages to hung/aborted TCP connections.  The details of the bug
and fix is as follows.

When snd_wnd is updated, we only update pred_flags if
tcp_fast_path_check succeeds.  When it fails (for example,
when our rcvbuf is used up), we will leave pred_flags with
an out-of-date snd_wnd value.

When the out-of-date pred_flags happens to match the next incoming
packet we will again hit the fast path and use the current snd_wnd
which will be wrong.

In the case of the treason messages, it just happens that the snd_wnd
cached in pred_flags is zero while tp->snd_wnd is non-zero.  Therefore
when a zero-window packet comes in we incorrectly conclude that the
window is non-zero.

In fact if the peer continues to send us zero-window pure ACKs we
will continue making the same mistake.  It's only when the peer
transmits a zero-window packet with data attached that we get a
chance to snap out of it.  This is what triggers the treason
message at the next retransmit timeout.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

[PATCH] Fix infinite loop in udp_v6_get_port()

    [IPV6]: Fix infinite loop in udp_v6_get_port()

    This is CVE-2005-2973, and
    87bf9c97b4b3af8dec7b2b79cdfe7bfc0a0a03b2 in Linus' 2.6 Git Tree.
    It seems to be relevant to 2.4

    [IPV6]: Fix infinite loop in udp_v6_get_port()

    Original sign-off

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
    Mine, indicating that I think it is relevant to 2.4

Signed-off-by: Horms <horms@verge.net.au>

[PATCH] loadkeys requires root priviledges

Signed-off-by: Andrew Morton <akpm@osdl.org>

[PATCH] possible memory ordering bug in page reclaim

Is there anything that prevents PageDirty from theoretically being
speculatively loaded before page_count here? (see patch)

It would result in pagecache corruption in the following situation:

1                                2
find_get_page();
write to page                    write_lock(tree_lock);
SetPageDirty();                  if (page_count != 2
put_page();                          || PageDirty())

Now I'm worried that 2 might see PageDirty *before* SetPageDirty in
1, and page_count *after* put_page in 1.

[PATCH] AX.25: signed char bug

Date: Oct 14, 2005 6:29 PM

On architectures where the char type defaults to unsigned some of the
arithmetic in the AX.25 stack to fail, resulting in some packets being
dropped on receive.

Credits for tracking this down and the original patch to
Bob Brose N0QBJ <linuxhams@n0qbj-11.ampr.org>.

Signed-off-by: Ralf Baechle DL5RB <ralf@linux-mips.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>

[PATCH] usb: regression in usb-ohci

My fix for a problem in usb-ohci in 2.4.28 was simply broken.

The original problem was that the interrupt handler referenced an area below
a process' stack pointer, which worked everywhere except ia64. On ia86 such
practice causes a CPU trap.

I "fixed" it by moving the wait queue head to a place ... which was
freed immediately afterwards. I really have no idea what I was thinking.
It's not even a race of any sort, the code references a freed area
completely in sequence.

This patch is a sort of a two-step. First, it undoes what I did and returns
to the code in 2.4.27. Next, it puts a spinlock around the remove_wait_queue.
This ought to be safe for the vast majority of systems, and possibly fixes
the issue with ia64 (it was sort of hard to reproduce: it only happened on
an Altix).

My testing was light, but since the fix mostly reverts the broken patch,
I think it can go into the next test, -pre, or -rc release.

-- Pete

[PATCH] asus vt8235 router buggy bios workaround

Here is backport to 2.4 for fix to
http://bugzilla.kernel.org/show_bug.cgi?id=5235.

Similar problem has been reported before here:
http://groups.google.com/group/linux.kernel/browse_thread/thread/def4ca1
9dbc3cd4/5cffbf349f2c87a4?tvc=2&q=Aleksey+Gorelov&hl=en#5cffbf349f2c87a4
and was related to bug in BIOS reporting 82C686 router compatible to
586.

I suspect BIOS on this board has similar issue: reports VT8235 router to
be compatible with 586 one - which is obviously not true. Patch from the
link above has already incorporated in both 2.6 & 2.4 series, but might
not work in this particular case.

Signed-off-by: Aleksey Gorelov <aleksey_gorelov@phoenix.com>

[PATCH] Fix jiffies overflow in delay.h

There are several multiply overflows in delay.h:msecs_to_jiffies(). The
first one is the call to jiffies_to_msecs(MAX_JIFFY_OFFSET) which will
multiply MAX_JIFFY_OFFSET by (1000/HZ) or by 1000 during conversion,
while it was already high (~0UL>>1)-1 ... Needless to say that it's
wrong below 500 HZ and for all values not multiple of 1000 or which
don't divide 1000.

The second overflow can happen a few lines later, but this time on the
argument. The fix consists in defining a constant (macro) which depends
on HZ and fixes the absolute maximal value which we guarantee will not
produce an overflow. Fortunately, I've found no user of msecs_to_jiffies()
in mainline, although sys_poll() could benefit from it in order to avoid
a useless divide in the fast path.

But I think that the code needs be fixed anyway, considering that it
had been inherited by 2.6 for which I proposed the same fix. And it
is possible that some external patches use it.

[IPVS]: Add netdev and me as maintainer contacts

Signed-off-by: Horms <horms@verge.net.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

[NETFILTER]: this patch fixes a compilation issue with gcc 3.4.3.

Signed-off-by: Marcus Sundberg <marcus@ingate.com>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

[MCAST]: Fix MCAST_EXCLUDE line dupes

Signed-off-by: Denis Lukianov <denis@voxelsoft.com>
Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

[IPVS]: really invalidate persistent templates

Agostino di Salle noticed that persistent templates are not
invalidated due to buggy optimization.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>

[IPVS]: ip_vs_ftp breaks connections using persistence

ip_vs_ftp when loaded can create NAT connections with unknown
client port for passive FTP. For such expectations we lookup with
cport=0 on incoming packet but it matches the format of the persistence
templates causing packets to other persistent virtual servers to be
forwarded to real server without creating connection. Later the
reply packets are treated as foreign and not SNAT-ed.

This patch changes the connection lookup for packets from
clients:

* introduce IP_VS_CONN_F_TEMPLATE connection flag to mark the
connection as template
* create new connection lookup function just for templates - ip_vs_ct_in_get
* make sure ip_vs_conn_in_get hits only connections with
IP_VS_CONN_F_NO_CPORT flag set when s_port is 0. By this way
we avoid returning template when looking for cport=0 (ftp)

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>

[TCP]: Don't over-clamp window in tcp_clamp_window()

From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>

Handle better the case where the sender sends full sized
frames initially, then moves to a mode where it trickles
out small amounts of data at a time.

This known problem is even mentioned in the comments
above tcp_grow_window() in tcp_input.c, specifically:

...
* The scheme does not work when sender sends good segments opening
* window and then starts to feed us spagetti. But it should work
* in common situations. Otherwise, we have to rely on queue collapsing.
...

When the sender gives full sized frames, the "struct sk_buff" overhead
from each packet is small. So we'll advertize a larger window.
If the sender moves to a mode where small segments are sent, this
ratio becomes tilted to the other extreme and we start overrunning
the socket buffer space.

tcp_clamp_window() tries to address this, but it's clamping of
tp->window_clamp is a wee bit too aggressive for this particular case.

Fix confirmed by Ion Badulescu.

Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] CAN-2005-0204: AMD64, allows local users to write to privileged IO ports via OUTS instruction

Description: [CAN-2005-0204]: AMD64, allows local users to write to privileged IO ports via OUTS instruction
Patch author: Suresh Siddha (suresh.b.siddha@intel.com)
Upstream status: not applied
URL: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146244
Patch source: Micah Anderson <micah@riseup.net> (debian-kernel)

Added definition of IO_BITMAP_BYTES for Debian's 2.4.27 and
submitted upstream for consideration for inclusion in 2.4 -- Horms

NFS: dprintk on -ENAMETOOLONG error handling

[PATCH] nfs client: handle long symlinks properly

In 2.4.31, the v2/3 nfs readlink accepts too long symlinks.
I have tested this by having a server return long symlinks.

diff -u linux-2.4.31.orig/fs/nfs/nfs2xdr.c linux-2.4.31/fs/nfs/nfs2xdr.c

[PATCH] Update PPPoE's configuration documentation

Following trivial patch updates the CONFIG_PPPOE options's
documentation.

o Update CONFIG_PPPOE option's documentation since ppp version
2.4.2 is already released (with PPPoE plug-in) and there is
no need a CVS checkout anymore

Signed-off-by: M.Baris Demiray <baris@labristeknoloji.com>
diff --git a/Documentation/Configure.help b/Documentation/Configure.help

[PATCH] IA64: page_not_present fault in region 5 is normal

Attached is a patch for the latest 2.4 tree
which is semantically identical to what was included in 2.6.
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=63028aa7f581d9d4e6889f9dc06ded2534250a76

Without this patch, exception handler can be unexpectedly invoked for
page-not-present fault in region 5 and cause panic etc.

Could you apply the attached patch to 2.4?
We tested the patch on 2.4.29 + linux-2.4.29-ia64-050312 patch
which is the latest version working on ia64.

Excerpt from ChangeLog-2.6.14-rc1:

When copying data from user-space to kernel-space by __copy_user(),
a page_not_present fault sometimes occurs at vmalloced kernel address
because of VHPT pre-fetching.

Ignore the page_not_present fault in ia64_do_page_fault() before
jumping into exception handlers.

Signed-off-by: Kiyoshi Ueda <k-ueda@ct.jp.nec.com>
Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
diff --git a/arch/ia64/mm/fault.c b/arch/ia64/mm/fault.c

Update VERSION to 2.4.32-rc1

[PATCH] Lost sockfd_put() in routing_ioctl()

This patch adds lost sockfd_put() in 32bit compat rounting_ioctl() on
64bit platforms

I believe this is a security issues, since user can fget() file as many
times as he wants to. So file refcounter can be overlapped and first
fput() will free resources though there will be still structures
pointing to the file, mnt, dentry etc.
Also fput() sets f_dentry and f_vfsmnt to NULL,
so other file users will OOPS.

The oops can be done under files_lock and others, so this can be an
exploitable DoS on SMP. Didn't checked it on practice actually.

Signed-Off-By: Kirill Korotaev <dev@sw.ru>
Signed-Off-By: Maxim Giryaev <gem@sw.ru>
diff --git a/arch/ppc64/kernel/ioctl32.c b/arch/ppc64/kernel/ioctl32.c

[PATCH] lost fput in 32bit ioctl on x86-64

This patch adds lost fput in 32bit tiocgdev ioctl on x86-64

I believe this is a security issues, since user can fget() file as many
times as he wants to. So file refcounter can be overlapped and first
fput() will free resources though there will be still structures
pointing to the file, mnt, dentry etc.
Also fput() sets f_dentry and f_vfsmnt to NULL,
so other file users will OOPS.

The oops can be done under files_lock and others, so this is really
exploitable DoS on SMP. Didn't checked it on practice actually.

Signed-Off-By: Kirill Korotaev <dev@sw.ru>
Signed-Off-By: Maxim Giryaev <gem@sw.ru>
diff --git a/arch/x86_64/ia32/ia32_ioctl.c b/arch/x86_64/ia32/ia32_ioctl.c

[NETFILTER]: Handle NAT module load race

When the NAT module is loaded when connections are already confirmed
it must not change their tuples anymore. This is especially important
with CONFIG_NETFILTER_DEBUG, the netfilter listhelp functions will
refuse to remove an entry from a list when it can not be found on
the list, so when a changed tuple hashes to a new bucket the entry
is kept in the list until and after the conntrack is freed.

Allocate the exact conntrack tuple for NAT for already confirmed
connections or drop them if that fails.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] Andrea Arcangeli: avoid size_buffers_type overflow

size_buffers_type array, which is an unsigned long, can overflow
on 32-bits: its perfectly possible for PAE machines to have more
than 4Gb of data mapped by buffer_head's at the same time.

Avoid that by accounting 1/512 of the real size (size >> 9).

[PATCH] i386: fix incorrect FP signal delivery

i386 floating-point exception handling has a bug that can cause error
code 0 to be sent instead of the proper code during signal delivery.

This is caused by unconditionally checking the IS and c1 bits from the
FPU status word when they are not always relevant. The IS bit tells
whether an exception is a stack fault and is only relevant when the
exception is IE (invalid operation.) The C1 bit determines whether a
stack fault is overflow or underflow and is only relevant when IS and IE
are set.

diff --git a/arch/i386/kernel/traps.c b/arch/i386/kernel/traps.c

Merge /pub/scm/linux/kernel/git/davem/net-2.4

[IPV4]: Fix negative timer loop with lots of ipv4 peers.

From: Dave Johnson <djohnson+linux-kernel@sw.starentnetworks.com>

Found this bug while doing some scaling testing that created 500K inet
peers.

peer_check_expire() in net/ipv4/inetpeer.c isn't using inet_peer_gc_mintime
correctly and will end up creating an expire timer with less than the
minimum duration, and even zero/negative if enough active peers are
present.

If >65K peers, the timer will be less than inet_peer_gc_mintime, and with
>70K peers, the timer duration will reach zero and go negative.

The timer handler will continue to schedule another zero/negative timer in
a loop until peers can be aged. This can continue for at least a few
minutes or even longer if the peers remain active due to arriving packets
while the loop is occurring.

Bug is present in both 2.4 and 2.6. Same patch will apply to both just
fine.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

[SPARC64]: Use vmalloc() in do_netfilter_replace()

Otherwise the number of rules one can upload into the kernel
is severely limited.

Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] cciss 2.4.60

This patch
        1) adds support for next series of Smart Array contollers.
        2) bumps version to 2.4.60.
        3) changes our copyright dates.
        4) adds code to bind to any HP controller with a cciss signature.
Built against 2.4.31. Please consider this for inclusion.

Signed-off-by: Mike Miller
Documentation/cciss.txt |    6 ++++
drivers/block/cciss.c   |   60 ++++++++++++++++++++++++++++++++++++++----------
include/linux/pci_ids.h |    4 +++
3 files changed, 57 insertions(+), 13 deletions(-)

[IPV6]: Route events reported with wrong netlink PID and seq number

Attached is backport of patch from jamal already in the 2.6 kernel -
It would be very nice to see it in the 2.4 kernel as well, as I keep
receiving reports from users that "Quagga IPv6 is broken with 2.4 kernel".

Signed-off-by: David S. Miller <davem@davemloft.net>

Revert unnecessary arch/ppc64/boot/zlib.c

It turns out that empty distance code tables are not an error, and that
a compressed block with only literals can validly have an empty table
and should not be flagged as a data error.

Some old versions of gzip had problems with this case, but it does not
affect the zlib code in the kernel.

Analysis and explanations thanks to Sergey Vlasov <vsu@altlinux.ru>

Revert unnecessary zlib_inflate/inftress.c fix

It turns out that empty distance code tables are not an error, and that
a compressed block with only literals can validly have an empty table
and should not be flagged as a data error.

Some old versions of gzip had problems with this case, but it does not
affect the zlib code in the kernel.

Analysis and explanations thanks to Sergey Vlasov <vsu@altlinux.ru>

[PATCH] Remove isofs useless unsigned " < 0" comparison

This patch fix gcc-3.4 warnings by remove useless "if (ivalue < 0)"
comparison.

[PATCH] update lm_sensors mailing list address

The lm_sensors project changed mailing lists.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] isofs driver ignore parameters

It seems that Alexander Pytlev's original (simple) patch was correct.

Without it the logic looks a bit like this.

while (...) {
if iocharset
...
else if map
...
if session
...
if sbsector
...
else if check
...
...
else
return 1;
}

Now, if iocharset, map or session are matched, then none of the if or
else if clauses under sbsector will match (that is none of these clauses
match iocharset, map or session), and thus the else clause will be hit,
and the function will return 1 without parsing any furhter options.

With Alexander's fix, the if session and if sbsector clauses
become else if, and its easy to see that the return 1 won't
be premeturely called.

I have tested that this patch works using the testcase options
iocharset=koi8-r,gid=100, and checking that gid is set correctly
with the patch, and incorrectly without.

Here is the patch and signoff again, just for the record.
I will send a second patch to clean up the *value = 0 code
that Marcelo cast concerns over - its bogus but harmless.

Signed-off-by: Horms <horms@verge.net.au>

Change VERSION to v2.4.32-pre3

[PATCH] fix potential NULL dereferences in several serial driver methods (Julien Tinnes)

These patches from Julien Tinnes fix *potential* NULL dereferences in several
serial drivers. Although their known callers can't pass NULL, we cannot tell
about unknown callers (non-mainline patches), so it's safer to check.

Change VERSION to v2.4.32-pre2

[PATCH] PATCH: Fix outstanding gzip/zlib security issues

commit 243393c90f2b7cb781fd794e22786e9c8547901a
Add fakey 'deflateBound()' function to the in-kernel zlib routines

It's not the real deflateBound() in newer zlib libraries, partly because
the upcoming usage of it won't have the "stream" available, so we can't
have the same interfaces anyway.

commit fab5a60a29f98f17256a4183e34a414f6db67569
This uses the new deflateBound() thing to sanity-check the input to the
zlib decompressor before we even bother to start reading in the blocks.

Problem noted by Tim Yamin <plasmaroo@gentoo.org>
author Linus Torvalds <torvalds@g5.osdl.org>

[PATCH] fix oops when starting md multipath 2.4 kernel

The device major/minor numbers no longer match up values recorded in the
descriptor array in the md superblock. Because of the exception made in
the current code, the descriptor entries are removed and although the
real devices are present and accounted for, they are kicked out from
the array. This leaves the array with zero devices. When multipath_run()
is invoked, it blows up expecting to have had some disks.

Lars Marowsky-Bree suggested some patches for md multipath in 2002 but
never made it to mainline 2.4 kernel:

http://marc.theaimsgroup.com/?l=3Dlinux-kernel&m=3D103355467608953&w=3D=2
That patch is large and most of it is not requried for this particular
problem. The section that reinitializes the descriptor array from
current rdevs for the case of multipath will resolve this issue of
device names shift.

[PATCH] Fix Alpha AXP Cabriolet build

This humble acolyte runs a couple of ancient Alpha AXP 21064 boxes (using
Debian Sarge), and recently when upgrading the kernel from 2.4.18 to
2.4.31 (compiling vanilla sources off of www.kernel.org) I found that the
build would fail when linking the kernel binary. The error was an
unresolved reference to:

ns87312_enable_ide()

The Alpha variant used was "Cabriolet." The Cabriolet's are rather old,
circa 1995 or '96, motherboards based around the 21064, so I doubt that
there are many of them still running, but I like mine just the same ;-)

Anyhow, a simple one line fix to the arch/alpha/kernel/Makefile solves
this problem (patch file is attached). I've also attached the config file
I used for the build, as well as the boot messages from the kernel built
after the patch was applied.

[PATCH] fix RedBlackTree rb_next/rb_prev functions

I have found a bug in the source of rbtree.c file in /lib. In Kernel 2.6 it's
ok, but 2.4.31 has this error.

We try to use it with the jffs2 source code and only with this fix it work's
fine.

Signed-off-by: Marcelo Tosatti <marcelo.tosatti@cyclades.com>

[PATCH] Revert USB UHCI changes

On Thu, 28 Jul 2005, Johannes Erdfelt wrote:

> Am I missing something here? We're certainly adding TDs to the schedule, so
> why is this patch setting the QH bit?

This is pretty embarrassing.  I didn't realize that the 2.4 driver uses
TDs to mark interrupt queues.  (2.6 uses QHs, which makes more sense.)
Of course, if I had done better testing the problem would have shown up
right away.

So please accept my apology, the UHCI part of that patch was completely
wrong.  Below is another patch to revert it.  The lesson is clear -- from
now on I'll leave the 2.4 driver alone!

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>

[PATCH] Fix XTEA implementation

The XTEA implementation was incorrect due to a misinterpretation of
operator precedence. Because of the wide-spread nature of this
error, the erroneous implementation will be kept, albeit under the
new name of XETA.

Signed-off-by: Aaron Grothe <ajgrothe@yahoo.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

[PATCH] Remove bogus declaration of ipt_mutex

Fix compiler error (gcc-4.0) for bogus declaration of ipt_mutex

Signed-off-by: Harald Welte <laforge@netfilter.org>
diff -Nru linux-2.4.31/include/linux/netfilter_ipv4/ip_tables.h linux-2.4.32-pre2/include/linux/netfilter_ipv4/ip_tables.h

[PATCH] Fix incorrect Asus k7m irq router detection

Here is 2.4 version of a patch submitted earlier for 2.6 by Giancarlo
Formicuccia.

this patch:
http://marc.theaimsgroup.com/?l=bk-commits-head&m=111955644929114&w=2
uncovered a k7m bios bug, where the VT82C686A router is reported as
being "586-compatible". The two chips have different pirq mapping, so
this leads to "irq routing conflict" on many pci devices.

Patch for 2.4.32-pre2

Signed-off-by: Aleksey Gorelov <aleksey_gorelov@phoenix.com>
diff --git a/arch/i386/kernel/pci-irq.c b/arch/i386/kernel/pci-irq.c

[PATCH] ppc32: stop misusing ntps time_offset value

v2.4 backport

Signed-off-by: Horms <horms@verge.net.au>
From: john stultz <johnstul@us.ibm.com>
Date: Fri, 1 Jul 2005 05:08:54 +0000 (+1000)
Subject: [PATCH] ppc32: stop misusing ntps time_offset value
X-Git-Tag: v2.6.12.3
X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/gregkh/linux-2.6.12.y.git;a=commitdiff;h=8f399a7448e0b58eae969426f61b7e81d55d2639

  [PATCH] ppc32: stop misusing ntps time_offset value

  As part of my timeofday rework, I've been looking at the NTP code and I
  noticed that the PPC architecture is apparently misusing the NTP's
  time_offset (it is a terrible name!) value as some form of timezone offset.

  This could cause problems when time_offset changed by the NTP code.  This
  patch changes the PPC code so it uses a more clear local variable:
  timezone_offset.

Signed-off-by: John Stultz <johnstul@us.ibm.com>
Acked-by: Tom Rini <trini@kernel.crashing.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

[PATCH] i810_audio: use MMIO on systems that support it

Use MMIO accesses for devices that support it. This also enables
MMIO-only configurations.

Acked-by: Jeff Garzik <jgarzik@pobox.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

[PATCH] i810_audio: offset LVI from CIV to avoid stalled start

Offset LVI past CIV when starting DAC/ADC in order to prevent
stalled start.

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Thomas Voegtle <tv@lio96.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

[PATCH] megaraid2 v2.10.10.1

This patch contains accumulated changes over the time.

Description of the changes.
### Version 2.10.10.1
Thu Jan 27 15:59:59 EDT 2005 - Seokmann Ju <sju@lsil.com>
1. There was a bug in the 'megadev_ioctl()' function that cause random
deletion error and has been fixed.

### Version 2.10.10.0
Fri Jan 21 15:59:59 EDT 2005 - Seokmann Ju <sju@lsil.com>
1. Fixed Tape drive issue : For any Direct CDB command to physical
device including tape, timeout value set by driver was 10 minutes. With
this value, most of command will return within timeout. However, for
those command like ERASE or FORMAT, it takes more than an hour depends
on capacity of the device and the command could be terminated before
it completes. To address this issue, the 'timeout' field in the DCDB
command will have NO TIMEOUT (i.e., 4) value as its timeout on DCDB
command.

2. Added NEC ROMB support : NEC MegaRAID PCI Express ROMB
controller

### Version 2.10.9.0
Fri Aug 13 15:59:59 EDT 2004 - Rajesh Prabhakaran <rajeshpr@lsil.com>
1. Added Support for 64-applications : mega_ioctl function and
nitioctl_t struct where changed to accomadate 64-bit addressing.

Signed-off-by: Seokmann Ju <seokmann.ju@lsil.com>
diff -Naur old/drivers/scsi/megaraid2.c new/drivers/scsi/megaraid2.c

Merge /pub/scm/linux/kernel/git/davem/net-2.4

[NETFILTER]: Use correct byteorder in ICMP NAT

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

[NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

[NETFILTER]: Fix ip6t_LOG sit tunnel logging

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

[NETFILTER]: Restore netfilter assumption in IPv6 multicast

Netfilter assumes that skb->data == skb->nh.ipv6h

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

[NETFILTER]: Fix deadlock with ip_queue/ip6_queue

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

[NETFILTER]: Ignore PSH on SYN/ACK in ipt_unclean

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

Merge ... /linux/kernel/git/davem/net-2.4.git

[IPVS]: Close race conditions on ip_vs_conn_tab list modification

In an smp system, it is possible for an connection timer to expire, calling
ip_vs_conn_expire while the connection table is being flushed, before
ct_write_lock_bh is acquired.

Since the list iterator loop in ip_vs_con_flush releases and re-acquires the
spinlock (even though it doesn't re-enable softirqs), it is possible for the
expiration function to modify the connection list, while it is being traversed
in ip_vs_conn_flush.

The result is that the next pointer gets set to NULL, and subsequently
dereferenced, resulting in an oops.

Signed-off-by: Neil Horman <nhorman@redhat.com>
Acked-by: JulianAnastasov
Signed-off-by: David S. Miller <davem@davemloft.net>

[NETLINK]: Fix two socket hashing bugs.

1) netlink_release() should only decrement the hash entry
   count if the socket was actually hashed.

   This was causing hash->entries to underflow, which
   resulting in all kinds of troubles.

   On 64-bit systems, this would cause the following
   conditional to erroneously trigger:

err = -ENOMEM;
if (BITS_PER_LONG > 32 && unlikely(hash->entries >= UINT_MAX))
goto err;

2) netlink_autobind() needs to propagate the error return from
   netlink_insert().  Otherwise, callers will not see the error
   as they should and thus try to operate on a socket with a zero pid,
   which is very bad.

   However, it should not propagate -EBUSY.  If two threads race
   to autobind the socket, that is fine.  This is consistent with the
   autobind behavior in other protocols.

   So bug #1 above, combined with this one, resulted in hangs
   on netlink_sendmsg() calls to the rtnetlink socket.  We'd try
   to do the user sendmsg() with the socket's pid set to zero,
   later we do a socket lookup using that pid (via the value we
   stashed away in NETLINK_CB(skb).pid), but that won't give us the
   user socket, it will give us the rtnetlink socket.  So when we
   try to wake up the receive queue, we dive back into rtnetlink_rcv()
   which tries to recursively take the rtnetlink semaphore.

Thanks to Jakub Jelink for providing backtraces.  Also, thanks to
Herbert Xu for supplying debugging patches to help track this down,
and also finding a mistake in an earlier version of this fix.

Signed-off-by: David S. Miller <davem@davemloft.net>

Merge ... /linux/kernel/git/davem/sparc-2.4.git/
rsync://rsync.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.4.git/

[SPARC64]: fix sys32_utimes(somefile, NULL)

This patch fixes utimes(somefile, NULL) syscalls on sparc64 kernel with
32-bit userland - use of uninitialized value resulted in making random
timestamps, which confused e.g. sudo.
It has been already fixed (by davem) in linux-2.6 tree 30 months ago.

Signed-off-by: Jakub Bogusz <qboosh@pld-linux.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

The gzip description is as good as the ChangeLog says it is -: "Set n to
length of v, to detect improper tables" and "Don't accidentally grow j
past z". The return 2 instead of the return 0 is so that we actually
error out if we also get inproper tables (for some reason the code
returned "OK" in such cases).

Fix outstanding security bugs in the Linux zlib implementations. See:

a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
b) http://bugs.gentoo.org/show_bug.cgi?id=94584

Signed-off-by: Tim Yamin <plasmaroo@gentoo.org>
Signed-off-by: Tavis Ormandy <taviso@gentoo.org>

[PATCH] workaround inode cache (prune_icache/__refile_inode) SMP races

Over the past couple of weeks we have seen two races in the inode cache
code. The first is between [dispose_list()] and __refile_inode() and the
second is between prune_icache() and truncate_inodes(). I posted both of
these patches but wanted to make sure they got properly reviewed and
included in RHEL3-U6.

Fixes bug 155289.

The first scenerio is:

1.) cpu0 is in __sync_one() just about to call __refile_inode() after
taking the inode_lock and clearing I_LOCK.

spin_lock(&inode_lock);
inode->i_state &= ~I_LOCK;
if (!(inode->i_state & I_FREEING))
__refile_inode(inode);
wake_up(&inode->i_wait);

2.) cpu1 is in [dispose_list()] where it has dropped the inode_lock and calls
clear_inode(). It doesnt block because
I_LOCK is clear so it sets the inode state.

void clear_inode(struct inode *inode)
{
...
wait_on_inode(inode);
...
inode->i_state = I_CLEAR;
...
}

3.) cpu0 calls __refile_inode which places is on one of the four
possible inode lists

static inline void __refile_inode(struct inode *inode)
{
if (inode->i_state & I_DIRTY)
to = &inode->i_sb->s_dirty;
else if (atomic_read(&inode->i_count))
to = &inode_in_use;
else if (inode->i_data.nrpages)
to = &inode_unused_pagecache;
else
to = &inode_unused;

list_del(&inode->i_list);
list_add(&inode->i_list, to);
}

4.) cpu1 returns from clear_inode() then calls destroy_inode() which
kmem_cache_free()s it.

static void destroy_inode(struct inode *inode)
{

if (inode->i_sb->s_op->destroy_inode)
inode->i_sb->s_op->destroy_inode(inode);
else
kmem_cache_free(inode_cachep, inode);
}

5.) at this point we have an inode that has been kmem_cache_free()'d
that is also sitting one of the lists determined by __refile_inode(),
that cant be good!!! Also, the code looks the same in RHEL4.

The second scenerio is:

CPU0 is in prune_icache() called by kswapd and CPU1 is in
invalidate_inodes() called by the auto-mount daemon.

1.) CPU0: prune_icache() sets the I_LOCK bit in an inode on the
inode_unused_pagecache list, releases the inode_lock and calls
invalidate_inode_pages.

2.) CPU1: invalidate_inodes() calls invalidate_list() for the
inode_unused_pagecache list with the node_lock held and sets the
I_FREEING bit in the inode->i_state.

3.) CPU0: prune_icache() acquires the inode_lock and clears the I_LOCK
bit in the inode->i_state.

4.) CPU1: dispose_list() calls clear_inode() without the inode_lock
held. Since the I_LOCK bit is clear, clear_inode() sets inode->i_state =
I_CLEAR, clearing the I_FREEING bit.

5.) CPU0: prune_icache() calls __refile_inode() because clear_inode()
cleared I_FREEING without holding the inode_lock. This inode that is no
longer on the inode_unused_pagecache list which results in that inode
being placed on the inode_unused list.

6.) CPU1: dispose_list() calls destroy_inode() which kmem_cache_free()s
an inode that is also on the inode_unused list.

At this point there is an inode that has been kmem_cache_free()'d and is
also on the inode_unused list.

This patch to clear_inode() acquires the inode_lock before manipulating
the inode->i_state field. This is the only place in the kernel that
manipulates the inode without holding the inode_lock.

[PATCH] file_storage and UHCI bugfixes

The patch below (as547) corrects two minor errors, one in the
file_storage gadget driver (need to send a length-zero packet if a
control response is short) and one in the alternate UHCI driver (need
to set the QH bit in the frame list). Both of these are back-ports of
things that have been in 2.6 for several releases.

Alan Stern

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>

[PATCH] usb: printer double up()

Doing a double up() is actually safe in Linux, but still, it's a bug.
This fix is present in 2.6.13-rc3.

By Domen Puncer <domen@coderock.org>
up(&usblp->sem) was called twice in a row in this code path.

libata: update to 2.6.x latest

Minor stuff:
* doc updates
* pci id updates
* new ->host_stop behavior
* fix bugs in PIO data xfer, SATA probe, large disk SCSI xlat

Revert [NETLINK]: Fix two socket hashing bugs.

I premutarely applied this fix - its not complete yet.

Revert.

Change VERSION to 2.4.32-pre1

Merge ... /pub/scm/linux/kernel/git/davem/net-2.4

[PATCH] x86-64: Enable Nvidia timer override workaround for SMP kernels too

>From Tymm Twillman

In the 2.4.30/31 kernels there is now a backport from the 2.6 kernels of
a workaround for buggy timer overrides in the ACPI tables for many
nvidia chipset based motherboards.  Unfortunately the code for this on
x86-64 based systems is conditionally compiled in only for non-SMP
kernels.  This is a patch to remove the conditional and allow the code
to be compiled in for SMP kernels as well (we've seen a number of SMP
motherboards which intermittently lock up during boot, and otherwise
sometimes seem unstable without the workaround).  Patch so far has been
tested across numerous reboots and several hours uptime.

Signed-off-by: Andi Kleen <ak@suse.de>

[PATCH] x86-64: Fix build with !CONFIG_SWIOTLB

Allow compilation without CONFIG_SWIOTLB

Pointed out by Tymm Twillman. I did the patch slightly differently
than his version.

Signed-off-by: Andi Kleen <ak@suse.de>

[PATCH] x86_64: Disable exception stack for stack faults

Stack segment faults were executed on a exception stack. But they
use the normal return path and can schedule there, but scheduling
is not allowed on a exception stack.

Just drop the exception stack for stack segment faults. This
will make some oops triple fault now, but that's better than
allowing user triggerable oops.

Double faults still have this problem, but if they happen you
have enough other problems already that this one doesn't matter
anymore.

2.6 has a more complicated fix here that actually handles
this properly, but for 2.4 the simple version is better.

Found from RedHat QA using crashme

Signed-off-by: Andi Kleen <ak@suse.de>

[PATCH] Fix canonical checking for segment registers in ptrace

Fix canonical checking for segment registers in ptrace

This avoids a local DOS where a process could oops the kernel by
passing bogus values to ptrace. Some versions of UML did this.

Found by Alexander Nyberg

Signed-off-by: Andi Kleen <ak@suse.de>

[PATCH] Check for canonical addresses in ptrace

Check for canonical addresses in ptrace

This works around a AMD bug that allows to hang the CPU by passing
illegal addresses.

Signed-off-by: Andi Kleen <ak@suse.de>

[PATCH] Fix buffer overflow in x86-64/ia64 32bit execve

Fix buffer overflow in x86-64/ia64 32bit execve

Originally noted by Ilja van Sprundel

I fixed it for both x86-64 and IA64. Other architectures
are not affected.

Signed-off-by: Andi Kleen <ak@suse.de>

[NETLINK]: Fix two socket hashing bugs.

1) netlink_release() should only decrement the hash entry
   count if the socket was actually hashed.

   This was causing hash->entries to underflow, which
   resulting in all kinds of troubles.

   On 64-bit systems, this would cause the following
   conditional to erroneously trigger:

err = -ENOMEM;
if (BITS_PER_LONG > 32 && unlikely(hash->entries >= UINT_MAX))
goto err;

2) netlink_autobind() needs to propagate the error return from
   netlink_insert().  Otherwise, callers will not see the error
   as they should and thus try to operate on a socket with a zero pid,
   which is very bad.

   So bug #1 above, combined with this one, resulted in hangs
   on netlink_sendmsg() calls to the rtnetlink socket.  We'd try
   to do the user sendmsg() with the socket's pid set to zero,
   later we do a socket lookup using that pid (via the value we
   stashed away in NETLINK_CB(skb).pid), but that won't give us the
   user socket, it will give us the rtnetlink socket.  So when we
   try to wake up the receive queue, we dive back into rtnetlink_rcv()
   which tries to recursively take the rtnetlink semaphore.

Thanks to Jakub Jelink for providing backtraces, and Herbert Xu for
debugging patches to help track this down.

Signed-off-by: David S. Miller <davem@davemloft.net>

Merge ... /linux/kernel/git/davem/sparc-2.4

[SPARC64]: Fix cmsg length checks in Solaris emulation layer.

Signed-off-by: David S. Miller <davem@davemloft.net>

[SPARC64]: Fix conflicting __bzero_noasi() prototypes.

Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] update netdev address

Change the address of netdev in 2.4 also.

[PATCH] newer i386/x86_64 assemblers prohibit instructions for moving between a seg register and a 32bit location

The new i386/x86_64 assemblers no longer accept instructions for moving
between a segment register and a 32bit memory location, i.e.,

        movl (%eax),%ds
        movl %ds,(%eax)

To generate instructions for moving between a segment register and a
16bit memory location without the 16bit operand size prefix, 0x66,

        mov (%eax),%ds
        mov %ds,(%eax)

should be used. It will work with both new and old assemblers. The
assembler starting from 2.16.90.0.1 will also support

        movw (%eax),%ds
        movw %ds,(%eax)

without the 0x66 prefix. I am enclosing patches for 2.4 and 2.6 kernels
here. The resulting kernel binaries should be unchanged as before, with
old and new assemblers, if gcc never generates memory access for

               unsigned gsindex;
               asm volatile("movl %%gs,%0" : "=g" (gsindex));

If gcc does generate memory access for the code above, the upper bits
in gsindex are undefined and the new assembler doesn't allow it.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] USB 2.4.31: ftdi_sio fixes

These are 7 fixes that Ian Abbott sent me in 2.4.31 frame and which were
delayed while 2.4.31 stabilized.

- A big batch of new IDs, backported from 2.6; with renamed CANview
- Change the message about zero length write to warning
- Fix custom baud bases (by Rogier Wolff)
- Unregister user-specified tables, or else we oops on rmmod
- Actually initialize user-specified devices, using FT8U232AM template
- Add ID for UM100 (by Armin Laugher)
- Restore RTS and DTR after B0 (originally by Nathan Croy)

[PATCH] Claim i_alloc_sem while changing file size in nfsd

nfsd should hold i_alloc_sem while calling notify_change
with ATTR_SIZE set, just like do_truncate does.

From: Oleg Drokin <green@linuxhacker.ru>
Signed-off-by: Neil Brown <neilb@cse.unsw.edu.au>
### Diffstat output
./fs/nfsd/vfs.c | 2 ++
1 files changed, 2 insertions(+)

diff ./fs/nfsd/vfs.c~current~ ./fs/nfsd/vfs.c

[PATCH] Don't drop setuid on directories when ownership changed by NFSd

..as setuid means something totally different on directories.

Signed-off-by: Neil Brown <neilb@cse.unsw.edu.au>
diff ./fs/nfsd/vfs.c~current~ ./fs/nfsd/vfs.c