
linux-2.4.36: List of commits

2.4.36-stable kernel tree


Rev. Time Author
8b315cb 2007-02-04 07:00:54 Willy Tarreau

Merge branch 'skge'

99405c2 2007-02-04 06:56:26 Willy Tarreau

[PATCH] merge 2.6 backport of skge/sky2 network drivers

Quite a bunch of x86 motherboards equipped with a Gigabit LAN
port make use of a Marvell chip which requires the vendor's driver
from www.marvell.com. This driver is known to have some troubles,
among which losing frames under UDP-only traffic such as NFS and
DNS.

Stephen Hemminger has rewritten two separate drivers from scratch
for those chips to solve many problems in the historical driver.
A backport of his work is provided here as an alternate driver
for people experiencing problems with the vendor's one.

Current versions (skge-1.6 and sky2-1.5) do not support NAPI and
as such, consume slightly more CPU than the vendor's driver, but
at least they do seem to work correctly on UP. No test has been
performed on SMP yet.

Signed-off-by: Willy Tarreau <w@1wt.eu>

7214447 2007-02-03 18:53:25 Christian Praehauser

[NET] ethernet: Fix first packet goes out with MAC 00:00:00:00:00:00

This is a backport of a patch which was first included in Linux 2.6.16-rc5.
What follows between the "======" markers is the original description.

======
When you turn off ARP on a netdevice then the first packet always goes
out with a dstMAC of all zeroes. This is because the first packet is
used to resolve ARP entries. Even though the ARP entry may be resolved
(I tried by setting a static ARP entry for a host I was pinging from),
it gets overwritten by virtue of having the netdevice disabling ARP.

Subsequent packets go out fine with correct dstMAC address (which may
be why people have ignored reporting this issue).

To cut the story short:

the culprit code is in net/ethernet/eth.c::eth_header()
----
    /*
     * Anyway, the loopback-device should never use this function...
     */

    if (dev->flags & (IFF_LOOPBACK|IFF_NOARP))
    {
        memset(eth->h_dest, 0, dev->addr_len);
        return ETH_HLEN;
    }

    if(daddr)
    {
        memcpy(eth->h_dest,daddr,dev->addr_len);
        return ETH_HLEN;
    }
----

Note how the h_dest is being reset when device has IFF_NOARP.

As a note:
All devices including loopback pass a daddr. loopback in fact passes
a 0 all the time ;->
This means I can delete the check totally or I can remove the IFF_NOARP

Alexey says:
--------------------
I think, it was me who did this crap. It was so long ago I do not remember
why it was made.

I remember some troubles with dummy device. It tried to resolve
addresses, apparently, without success and generated errors instead of
blackholing. I think the problem was eventually solved at neighbour
level.

After some thinking I suspect the deletion of this chunk could change
behaviour of some parts which do not use neighbour cache f.e. packet
socket.

I think safer approach would be to move this chunk after if (daddr).
And the possibility to remove this completely could be analyzed later.
--------------------

Patch updated with Alexey's safer suggestions.

Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Acked-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
======

This problem also arises when transmitting IP multicast packets. If you send an
IP multicast stream over an ethernet network interface ethX and turn off ARP on
ethX then Linux will produce an ethernet frame with a dest. address of
00:00:00:00:00:00 (which is invalid). As IP multicast addresses are directly
mapped to HW (MAC) addresses without invoking any ARP protocol mechanisms - for
IP4 this mapping is performed by the function ip_eth_mc_map - it makes perfect
sense to do this even if ARP is disabled. Further, this problem may occur
periodically, every time the corresponding struct dst_entry is garbage-collected
(e.g. ~ every 10 minutes).

Patch ported to Linux 2.4 by Christian Praehauser.

Signed-off-by: Christian Praehauser <cpraehaus@cosy.sbg.ac.at>
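
The ordering problem described in the commit message above, reduced to a user-space model. This is an added example, not the kernel's code or part of the patch; the `model_*` types, `hdr_before`, `hdr_after`, `dest_zeroed`, the flag values and the sample multicast MAC are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* User-space model: names and flag values are assumptions, not kernel definitions. */
#define M_IFF_LOOPBACK 0x08u
#define M_IFF_NOARP    0x80u
#define M_ETH_ALEN     6
#define M_ETH_HLEN     14
struct model_dev { unsigned flags; unsigned addr_len; };
struct model_hdr { unsigned char h_dest[M_ETH_ALEN]; };
/* Constructed sample: MAC address of an IPv4 multicast group. */
static const unsigned char sample_mc[M_ETH_ALEN] = {0x01, 0x00, 0x5e, 0x01, 0x02, 0x03};

/* Order quoted in the commit message: the NOARP test runs first and discards daddr. */
static int hdr_before(struct model_hdr *eth, const struct model_dev *dev, const unsigned char *daddr)
{
    if (dev->flags & (M_IFF_LOOPBACK | M_IFF_NOARP))
        memset(eth->h_dest, 0, dev->addr_len);
    else if (daddr)
        memcpy(eth->h_dest, daddr, dev->addr_len);
    else
        return -M_ETH_HLEN;            /* destination still unknown */
    return M_ETH_HLEN;
}

/* Order after the fix: a supplied daddr wins, zeroing is only the fallback. */
static int hdr_after(struct model_hdr *eth, const struct model_dev *dev, const unsigned char *daddr)
{
    if (daddr)
        memcpy(eth->h_dest, daddr, dev->addr_len);
    else if (dev->flags & (M_IFF_LOOPBACK | M_IFF_NOARP))
        memset(eth->h_dest, 0, dev->addr_len);
    else
        return -M_ETH_HLEN;            /* destination still unknown */
    return M_ETH_HLEN;
}

/* Returns 1 if the header built with the chosen ordering has an all-zero destination. */
static int dest_zeroed(int fixed, unsigned flags, const unsigned char *daddr)
{
    struct model_dev dev = { flags, M_ETH_ALEN };
    struct model_hdr eth, zero = {{0}};
    memset(eth.h_dest, 0xff, M_ETH_ALEN);   /* poison so an untouched field shows up */
    (fixed ? hdr_after : hdr_before)(&eth, &dev, daddr);
    return memcmp(eth.h_dest, zero.h_dest, M_ETH_ALEN) == 0;
}

int main(void)
{
    printf("NOARP + daddr: zeroed before=%d after=%d\n", dest_zeroed(0, M_IFF_NOARP, sample_mc), dest_zeroed(1, M_IFF_NOARP, sample_mc));
    return 0;
}
```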

f1affe8 2007-02-03 18:44:42 Oliver Neukum

[PATCH] proper locking on disconnect for mdc800

This makes mdc800 take the necessary lock in disconnect() to prevent
submission of an URB for a disconnected device.

Signed-off-by: Oliver Neukum <oliver@neukum.name>

db3511d 2007-02-01 06:59:44 dann frazier

[PATCH] smbfs: fix problems introduced by last security backport

Users have reported a symlink issue with my recent smbfs backport.
Turns out my backport overlooked a second 2.6 patch w/ the fix:
http://linux.bkbits.net:8080/linux-2.6/?PAGE=cset&REV=419e7b76CdrmRG_NZ8LKj9DUUBGu1w

This is a backport of Haroldo Gamal's 2.6 patch that fixes the symlink
issue, and also cleans up an unnecessary double assignment. As his
commit message notes, you will need the userspace patches from Samba
Bug #999 in order to use the permission/ownership assigned by the
server.

Signed-off-by: dann frazier <dannf@debian.org>

22adbf2 2006-12-24 05:34:20 Willy Tarreau

Change VERSION to 2.4.34

ba974cf 2006-12-23 07:00:32 Willy Tarreau

Change VERSION to 2.4.34-rc4

- Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)

05dca9b 2006-12-22 07:41:50 Marcel Holtmann

[PATCH] Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)

The function isdn_ppp_ccp_reset_alloc_state() sets ->timer.function
and ->timer.data and later on calls add_timer() with no init_timer()
ever done. The call of init_timer() is needed, because otherwise the
call of add_timer() will result in an instant death.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

00262a7 2006-12-18 17:32:18 Willy Tarreau

Change VERSION to 2.4.34-rc3

- zeromap may find a pte
- Fix incorrect user space access locking in mincore() (CVE-2006-4814)

72c7eb6 2006-12-18 17:28:44 Linus Torvalds

[PATCH] Fix incorrect user space access locking in mincore() (CVE-2006-4814)

Fix incorrect user space access locking in mincore()

Doug Chapman noticed that mincore() will do a "copy_to_user()" of the
result while holding the mmap semaphore for reading, which is a big
no-no. While a recursive read-lock on a semaphore in the case of a page
fault happens to work, we don't actually allow them due to deadlock
scenarios with writers due to fairness issues.

Doug and Marcel sent in a patch to fix it, but I decided to just rewrite
the mess instead - not just fixing the locking problem, but making the
code smaller and (imho) much easier to understand.

Hugh "ported" it to 2.4:
please note two slight changes to behaviour under error conditions:

(a) mincore used to report -EINVAL if input len was so big that the
given area wrapped: that shouldn't be a distinct case from crossing
a hole in the address space, 2.6.11 corrected the error to -ENOMEM,
and this patch extends that correction to 2.4.

(b) mincore used to report -ENOMEM if the given area crossed a hole
in the address space, but continued to fill in the vector for file-
backed regions above - yet didn't fill the vector with non-present
entries for the hole, just ignored it. This patch continues to
report -ENOMEM if the given area crosses a hole in the address
space, but simply stops filling the vector at that point. We
doubt any app could be relying on the previous weird behaviour.

Cc: Doug Chapman <dchapman@redhat.com>
Cc: Marcel Holtmann <holtmann@redhat.com>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Hugh Dickins <hugh@veritas.com>

8aa6357 2006-12-18 17:23:51 Hugh Dickins

[PATCH] zeromap may find a pte

Ramiro Voicu hit 2.6's BUG_ON(!pte_none(*pte)) in zeromap_pte_range:
kernel bugzilla 7645. Right: read_zero_pagealigned uses down_read of
mmap_sem, but another thread's racing read of /dev/zero, or a normal
fault, can easily set that pte again, in between zap_page_range and
zeromap_page_range getting there. It's been wrong ever since 2.4.3.

The simple fix is to use down_write instead, but that would serialize
reads of /dev/zero more than at present: perhaps some app would be
badly affected. So instead let zeromap_page_range return the error
instead of BUG in forget_pte, and read_zero_pagealigned break to the
slower clear_user loop in that case - no need to optimize for it.

Signed-off-by: Hugh Dickins <hugh@veritas.com>

9a66dcf 2006-12-15 00:30:27 Willy Tarreau

Change VERSION to 2.4.34-rc2

- [Bluetooth] Add packet size checks for CAPI messages (CVE-2006-6106)

58d134d 2006-12-14 21:55:21 Marcel Holtmann

[PATCH] [Bluetooth] Add packet size checks for CAPI messages (CVE-2006-6106)

With malformed packets it might be possible to overwrite internal
CMTP and CAPI data structures. This patch adds additional length
checks to prevent these kinds of remote attacks.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

94701ea 2006-12-05 22:48:17 Willy Tarreau

Change VERSION to 2.4.34-rc1

- smbfs : don't ignore uid/gid/mode mount opts w/ unix extensions (CVE-2006-5871)
- i2c cleanup : several cleanups
- fix for transient error in usb printer driver
- task state leak in pegasus usb driver
- Masking bug in 6pack driver
- x86 microcode: don't check the size
- rio: typo in bitwise AND expression.
- flashpoint: use '!' instead of '~' with EE_SYNC_MASK
- jfs: incorrect use of "&&" instead of "&"
- arm: incorrect use of "&&" instead of "&"
- e100: incorrect use of "&&" instead of "&"
- ps2esdi: typo may cause premature timeout
- fbcon: incorrect use of "&&" instead of "&"

d4e03b3 2006-12-05 17:29:52 dann frazier

[PATCH] smbfs : don't ignore uid/gid/mode mount opts w/ unix extensions

smbfs in 2.4 currently ignores the uid, gid & mode mount options if
unix extensions are enabled. Here is a backport of Haroldo Gamal's 2.6 fix for
Debian's 2.4.27 kernel that should apply cleanly to latest 2.4 git.

This issue has been assigned CVE-2006-5871.

Signed-off-by: dann frazier <dannf@debian.org>

c462963 2006-12-05 17:29:38 Oliver Neukum

[PATCH] task state leak in pegasus usb driver

Hi,

this is a conservative port of a 2.6 fix for the pegasus driver which leaks
TASK_UNINTERRUPTIBLE in error cases. In case of an error the state
needs to be reset to TASK_RUNNING.

Regards
Oliver

Signed-off-by: Oliver Neukum <oliver@neukum.name>
Acked-by: Petko Manolov <petkan@nucleusys.com>

f3f1dfb 2006-12-05 17:27:21 Shaohua Li

[PATCH] x86 microcode: don't check the size

(backported from 2.6)

IA32 manual says if microcode update's size is 0, then the size is
default size (2048 bytes). But this doesn't suggest all microcode
update's size should be above 2048 bytes to me. We actually had a
microcode update whose size is 1024 bytes. The patch just removed the
check.

Backported to 2.6.18 by Daniel Drake.

Signed-off-by: Daniel Drake <dsd@gentoo.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Shaohua Li <shaohua.li@intel.com>

d0e38a4 2006-12-05 17:25:40 Oliver Neukum

[PATCH] fix for transient error in usb printer driver

Hi,

this is a port of a fix for 2.6 which handles transient errors while
writing to the printer. The buffer has to be marked free again if
urb submission fails, as the completion handler can't do it.
Please apply to the 2.4 tree.

Regards
Oliver

Signed-off-by: Oliver Neukum <oliver@neukum.name>

7c34142 2006-12-05 17:22:57 Jean Delvare

[PATCH] i2c cleanup : warning fix

Fix the following warning on x86_64:

i2c-proc.c: In function "i2c_proc_real":
i2c-proc.c:388: warning: passing argument 3 of "i2c_write_reals" from incompatible pointer type

This was fixed in a similar way in i2c-SVN in April 2003.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

dee9163 2006-12-05 17:22:54 Jean Delvare

[PATCH] i2c cleanup : resync algo ids

Resync i2c algorithm IDs with the values used in the 2.6 kernel
tree and the external i2c tree. These are arbitrary values anyway,
not exported to user-space.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

3b05ac4 2006-12-05 17:22:52 Jean Delvare

[PATCH] i2c cleanup : simplify code

Simplify core i2c code as was done in the external i2c tree. There are
three types of changes:
* Flatten imbricated if/else constructs
* Drop useless masking
* Change void* parameters to char* to avoid having to cast them
everywhere we use them

Signed-off-by: Jean Delvare <khali@linux-fr.org>

ca07ecd 2006-12-05 17:22:51 Jean Delvare

[PATCH] i2c cleanup : c99 struct init

Switch all i2c drivers to use the C99-style structure initialization,
as it is way safer.

Note that some hardcoded 100 are converted to HZ in the process,
as this was the true intent of the original code.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

dacc5bf 2006-12-05 17:22:49 Jean Delvare

[PATCH] i2c cleanup : dead code removal

Discard dead code from the i2c subsystem.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

b498501 2006-12-05 17:22:47 Jean Delvare

[PATCH] i2c cleanup : typos and whitespace

Trivial changes picked from the i2c SVN repository. This includes:
* Documentation updates
* Comment updates
* Whitespace changes
* Typo fixes in strings and comments
* Includes reordering
* Drop of includes and comments relative to kernel version 2.0 to 2.3
The idea is to minimize the meaningless differences between both trees
so that real differences are easier to see.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

9821bc8 2006-11-26 17:47:06 Willy Tarreau

[PATCH] fbcon: incorrect use of "&&" instead of "&"

The use of "&&" in the following statement causes unexpected
cases to be matched since __SCROLL_YMASK = 0x0f :

    switch (p->scrollmode && __SCROLL_YMASK)
       case __SCROLL_YWRAP: ... /* 0x02 */
       case __SCROLL_YPAN: ...  /* 0x01 */

The YWRAP case can never be matched and the YPAN case may be
matched by mistake. Obvious fix is to replace && with &. This
bug is not present in 2.6.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-By: Geert Uytterhoeven <geert@linux-m68k.org>

8f9ef6a 2006-11-26 07:14:14 Willy Tarreau

[PATCH] ps2esdi: typo may cause premature timeout

The stop condition in the following statement causes an immediate
break out of the loop because ESDI_TIMEOUT=0xf000 and the result
of the !(inb()) expression can only be either 0 or 1, which means
that i never gets counted down.

    for (i = ESDI_TIMEOUT;
         i & !(inb(ESDI_STATUS) & STATUS_STAT_AVAIL);
         i--);

The obvious cause is the use of "i & !" instead of "i && !". This
was already fixed in 2.6.

Signed-off-by: Willy Tarreau <w@1wt.eu>

843aad3 2006-11-26 07:02:20 Willy Tarreau

[PATCH] e100: incorrect use of "&&" instead of "&"

In e100_do_ethtool_ioctl(), bdp->flags is a bitfield and is
checked for some bits but the AND operation is performed with
&& instead of &. Obvious fix is to use "&" as in all other
places. 2.6 does not seem affected.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: David Miller <davem@davemloft.net>

9c99598 2006-11-26 06:45:04 Willy Tarreau

[PATCH] arm: incorrect use of "&&" instead of "&"

In integrator_init_irq(), the use of "&&" in the following
statement causes all interrupts to be marked valid regardless
of INTEGRATOR_SC_VALID_INT, as long as it's non-zero :

if (((1 << i) && INTEGRATOR_SC_VALID_INT) != 0)

Obvious fix is to replace it with "&". This was already fixed
in 2.6.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: Russell King <rmk+lkml@arm.linux.org.uk>

1ab590d 2006-11-26 06:37:39 Willy Tarreau

[PATCH] jfs: incorrect use of "&&" instead of "&"

In jfs_txnmgr, the use of "tblk->flag && COMMIT_DELETE" in an
if() condition is obviously wrong. This bug has already been
fixed in 2.6.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: Dave Kleikamp <shaggy@linux.vnet.ibm.com>

550e2d9 2006-11-24 06:21:08 Willy Tarreau

[PATCH] flashpoint: use '!' instead of '~' with EE_SYNC_MASK

Trivial typo found by grep in 2.4 code, already fixed in 2.6.
The complement mask was computed with '!' instead of '~' while
the mask was not 1 :

#define EE_SYNC_MASK (BIT(0)+BIT(1))
currTar_Info->TarEEValue = (currTar_Info->TarEEValue & !EE_SYNC_MASK)
temp2.tempb[0] = (temp2.tempb[0] & !EE_SYNC_MASK) | syncVal;
temp2.tempb[1] = (temp2.tempb[1] & !EE_SYNC_MASK) | syncVal;
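
The logical/bitwise operator mix-ups described in the fbcon, ps2esdi and flashpoint commit messages above, as they evaluate with the constants those messages quote. This is an added example, not code from the patches; the leading underscores are dropped from the macro names, and the `ready_after` device model and the sample input values are constructed.

```c
#include <stdio.h>

/* Values quoted in the commit messages. */
#define SCROLL_YMASK  0x0f
#define SCROLL_YPAN   0x01
#define SCROLL_YWRAP  0x02
#define ESDI_TIMEOUT  0xf000
#define EE_SYNC_MASK  ((1 << 0) + (1 << 1))

/* fbcon: which case label a scrollmode selects; -1 means none. */
static int scroll_case(int scrollmode, int fixed)
{
    switch (fixed ? (scrollmode & SCROLL_YMASK) : (scrollmode && SCROLL_YMASK)) {
    case SCROLL_YWRAP: return SCROLL_YWRAP;
    case SCROLL_YPAN:  return SCROLL_YPAN;
    default:           return -1;
    }
}

/* ps2esdi: number of status reads before the wait loop stops.
 * Model: the device reports "available" from read number ready_after + 1 on. */
static int esdi_status_reads(int ready_after, int fixed)
{
    int reads = 0, i;
    for (i = ESDI_TIMEOUT; ; i--) {
        int not_ready = !(reads++ >= ready_after);
        if (!(fixed ? (i && not_ready) : (i & not_ready)))
            break;
    }
    return reads;
}

/* flashpoint: replace the two sync bits of a byte, keeping the other bits. */
static unsigned ee_update(unsigned value, unsigned sync_val, int fixed)
{
    unsigned keep = fixed ? (value & ~(unsigned)EE_SYNC_MASK) : (value & !EE_SYNC_MASK);
    return keep | sync_val;
}

int main(void)
{
    printf("YWRAP mode -> case %d (buggy) / %d (fixed)\n", scroll_case(2, 0), scroll_case(2, 1));
    printf("status reads: %d (buggy) / %d (fixed)\n", esdi_status_reads(5, 0), esdi_status_reads(5, 1));
    printf("byte 0xa7: 0x%02x (buggy) / 0x%02x (fixed)\n", ee_update(0xa7, 1, 0), ee_update(0xa7, 1, 1));
    return 0;
}
```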
