Commit Graph

51428 Commits

Author SHA1 Message Date
Linus Torvalds 9631eb0bc1 Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
  [NETFILTER]: ipt_CLUSTERIP: fix oops in checkentry function
  [TCP]: slow_start_after_idle should influence cwnd validation too
  [SC92031]: Fix priv->lock context
  [NET_SCHED]: cls_tcindex: fix compatibility breakage
2007-04-10 17:22:16 -07:00
Linus Torvalds b4dfd6bc35 Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6:
  [IA64] SGI Altix : fix pcibr_dmamap_ate32() bug
  [IA64] Fix CPU freq displayed in /proc/cpuinfo
  [IA64] Fix wrong assumption about irq and vector in msi_ia64.c
  [IA64] BTE error timer fix
2007-04-10 17:21:57 -07:00
Danny Kukawka a7a832de9e ide: add "optical" to sysfs "media" attribute
Add "optical" to sysfs "media" attribute as already in /proc

Signed-off-by: Danny Kukawka <dkukawka@suse.de>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
2007-04-10 22:39:14 +02:00
Stuart Hayes 76ca1af10e ide: ugly messages trying to open CD drive with no media present
I get the following error messages when trying to open a CD device
(specifically, the Teac CD-ROM CD-224E) that has no media present:

hda: packet command error: status=3D0x51 { DriveReady SeekComplete Error }
hda: packet command error: error=3D0x54 { AbortedCommand LastFailedSense=0x05 }
ide: failed opcode was: unknown

This happens when a "start stop unit" command (0x1b 0 0 0 3 0 0 0 0 0)
is sent to the drive to try to close the CD-ROM tray, but this drive
doesn't have that capability (it's a slim portable-type CD-ROM), so it
reports sense key 5 (illegal request) with asc/ascq 24/0.  This is
exactly how SFF8090i says it should respond.

But ide-cd.c (in cdrom_decode_status() ) just sees sense key 5 and spews
out an error.  It then goes on to request sense data, and
cdrom_log_sense() understands this error and doesn't log it.

The patch, for kernel 2.6.20.4, suppresses this error message.

Signed-off-by: Stuart Hayes <stuart_hayes@dell.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
2007-04-10 22:38:43 +02:00
Suleiman Souhlal 23450319e2 ide: correctly prevent IDE timer expiry function to run if request was already handled
It is possible for the timer expiry function to run even though the
request has already been handled: ide_timer_expiry() only checks that
the handler is not NULL, but it is possible that we have handled a
request (thus clearing the handler) and then started a new request
(thus starting the timer again, and setting a handler). 

A simple way to exhibit this is to set the DMA timeout to 1 jiffy and
run dd: The kernel will panic after a few minutes because
ide_timer_expiry() tries to add a timer when it's already active.

To fix this, we simply add a request generation count that gets
incremented at every interrupt, and check in ide_timer_expiry() that
we have not already handled a new interrupt before running the expiry
function.

Signed-off-by: Suleiman Souhlal <suleiman@google.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
2007-04-10 22:38:37 +02:00
Jaroslav Kysela 50c9cc2e54 [NETFILTER]: ipt_CLUSTERIP: fix oops in checkentry function
The clusterip_config_find_get() already increases entries reference
counter, so there is no reason to do it twice in checkentry() callback.

This causes the config to be freed before it is removed from the list,
resulting in a crash when adding the next rule.

Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-04-10 13:26:48 -07:00
Larry Finger ec759a2b38 [PATCH] bcm43xx: Fix PPC machine checks and match loopback gain specs
The specifications for loopback_gain calculation and for G PHY
initialization have been updated. This patch implements them and
fixes a machine check error that occurs for PPC architecture with a
phy->rev of 1.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-04-10 14:35:57 -04:00
Larry Finger 81e880064d [PATCH] bcm43xx: Fix 802.11b/g scan limits to match regulatory reqs
In 802.11b/g mode, bcm43xx actively scans channels 1-14 no matter what
locale has been set, either in the sprom or by the locale option. This
behaviorviolates regulatory rules everywhere in the world except
Japan. This patch changes the default range to the correct value if the
locale has been set, and to channels 1-13 if no locale has been set.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-04-10 14:35:57 -04:00
Daniel Drake 92b3e2e925 [PATCH] zd1211rw: Fix E2P_PHY_REG patching
Due to conflicting/confusing defines in the vendor driver, we were
reading E2P_PHY_REG from the wrong location.

CR157 patching was slightly incorrect in that the vendor driver only
patches in an 8-bit value, whereas we were patching 24 bits.

Additionally, CR157 patching was happening on both zd1211 and zd1211b,
but this should only happen on zd1211.

Signed-off-by: Daniel Drake <dsd@gentoo.org>
Signed-off-by: Ulrich Kunitz <kune@deine-taler.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-04-10 14:35:56 -04:00
Michael S. Tsirkin 6371ea3d48 IPoIB/cm: Fix DMA direction typo
Receive buffers need to be mapped with DMA_FROM_DEVICE.  Incorrectly
mapping with DMA_TO_DEVICE causes a hard lock on ppc64 machines with
an IOMMU.

This fixes <https://bugs.openfabrics.org/show_bug.cgi?id=431>

Signed-off-by: Michael S. Tsirkin <mst@dev.mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
2007-04-10 08:58:30 -07:00
Daniel Drake ae6ead4623 [PATCH] zd1211rw: Reject AL2230S devices
zd1211rw currently detects AL2230S-based devices as AL2230, and hence
programs the RF incorrectly. Transmit silently fails on this
misconfiguration.

After this patch, AL2230S devices are rejected with an error message, to
avoid any confusion with an apparent driver bug.

Signed-off-by: Daniel Drake <dsd@gentoo.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-04-10 11:03:29 -04:00
Wang Zhenyu 52ea0718ea [AGPGART] intel_agp: fix G965 GTT size detect
On G965, I810_PGETBL_CTL is a mmio offset, but we wrongly take it
as pci config space offset in detecting GTT size. This one line patch
fixs this.

Signed-off-by: Wang Zhenyu <zhenyu.z.wang@intel.com>
Signed-off-by: Dave Jones <davej@redhat.com>
2007-04-09 22:09:58 -04:00
David S. Miller 15d33c070d [TCP]: slow_start_after_idle should influence cwnd validation too
For the cases that slow_start_after_idle are meant to deal
with, it is almost a certainty that the congestion window
tests will think the connection is application limited and
we'll thus decrease the cwnd there too.  This defeats the
whole point of setting slow_start_after_idle to zero.

So test it there too.

We do not cancel out the entire tcp_cwnd_validate() function
so that if the sysctl is changed we still have the validation
state maintained.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-04-09 13:31:15 -07:00
Herbert Xu 699784b761 [SC92031]: Fix priv->lock context
The spin_lock calls made in dev->open and dev->close must disable
BH since open/close are made in process context.  Conversely, the
call in dev->hard_start_xmit does not need to disable BH since it
is already executing with BH disabled.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-04-09 13:31:14 -07:00
Patrick McHardy bb8a954f27 [NET_SCHED]: cls_tcindex: fix compatibility breakage
Userspace uses an integer for TCA_TCINDEX_SHIFT, the kernel was changed
to expect and use a u16 value in 2.6.11, which broke compatibility on
big endian machines. Change back to use int.

Reported by Ole Reinartz <ole.reinartz@gmx.de>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-04-09 13:31:13 -07:00
Linus Torvalds 90f30eccf4 Merge branch 'for-2.6.21' of master.kernel.org:/pub/scm/linux/kernel/git/davej/agpgart
* 'for-2.6.21' of master.kernel.org:/pub/scm/linux/kernel/git/davej/agpgart:
  [AGPGART] intel_agp: PCI id update for Intel 965GM
2007-04-09 11:45:18 -07:00
Stefan Richter 199c1167f5 ieee1394: change deprecation status of dv1394
Nobody ported ffmpeg from dv1394 to rawiso yet, and there is no
justification to remove dv1394 right now.

Nevertheless, a strong deprecation of this ABI makes a lot of sense,
especially as Kristian H's drivers shape up to be an attractive
alternative to the existing ones.  But we don't have a schedule at the
moment.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2007-04-09 18:52:27 +02:00
Andrew Morton c2481cc4a8 [PATCH] i386: irqbalance_disable() section fix
WARNING: arch/i386/kernel/built-in.o - Section mismatch: reference to .init.text:irqbalance_disable from .text between 'quirk_intel_irqbalance' (at offset 0x80a5) and 'i8237A_suspend'

Cc: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-04-08 19:47:55 -07:00
Andrew Morton c993c7355d [PATCH] x86_64 early quirks: fix early_qrk[] section tag
WARNING: arch/x86_64/kernel/built-in.o - Section mismatch: reference to .init.text:nvidia_bugs from .data between 'early_qrk' (at offset 0x8428) and 'enable_cpu_hotplug'
WARNING: arch/x86_64/kernel/built-in.o - Section mismatch: reference to .init.text:via_bugs from .data between 'early_qrk' (at offset 0x8438) and 'enable_cpu_hotplug'
WARNING: arch/x86_64/kernel/built-in.o - Section mismatch: reference to .init.text:ati_bugs from .data between 'early_qrk' (at offset 0x8448) and 'enable_cpu_hotplug'

The compiler is putting it into .data because the __initdata is in the wrong
place.

Cc: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-04-08 19:47:55 -07:00
David Brownell b6d2cccb55 [PATCH] omap_cf: oops-on-suspend fix
Convert omap_cf into a platform_driver ...  this resolves oopsing during
suspend/resume.

Evidently folk haven't tried suspend/resume on an OSK (the main platform
for this driver) since September or so, which is when platform_device
learned about suspend_late()/resume_early() and stopped being able to
suspend/resume without a platform_driver.

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-04-08 19:47:55 -07:00
Zachary Amsden 49f1971051 [PATCH] Proper fix for highmem kmap_atomic functions for VMI for 2.6.21
Since lazy MMU batching mode still allows interrupts to enter, it is
possible for interrupt handlers to try to use kmap_atomic, which fails when
lazy mode is active, since the PTE update to highmem will be delayed.  The
best workaround is to issue an explicit flush in kmap_atomic_functions
case; this is the only way nested PTE updates can happen in the interrupt
handler.

Thanks to Jeremy Fitzhardinge for noting the bug and suggestions on a fix.

This patch gets reverted again when we start 2.6.22 and the bug gets fixed
differently.

Signed-off-by: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jeremy Fitzhardinge <jeremy@goop.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-04-08 19:47:55 -07:00
Timo Savola a5bfffac64 [PATCH] fuse: validate rootmode mount option
If rootmode isn't valid, we hit the BUG() in fuse_init_inode.  Now
EINVAL is returned.

Signed-off-by: Timo Savola <tsavola@movial.fi>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-04-08 19:47:55 -07:00
Wang Zhenyu 4598af33d9 [AGPGART] intel_agp: PCI id update for Intel 965GM
Update PCI id info for Intel 965GM chipset.

Signed-off-by: Wang Zhenyu <zhenyu.z.wang@intel.com>
Signed-off-by: Dave Jones <davej@redhat.com>
2007-04-08 21:31:58 -04:00
Linus Torvalds d354d2f4a6 sched.c: Remove unused variable 'relative'
Getting rid of the p->children printout in show_task() left behind an
unused variable.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-04-07 10:18:33 -07:00
Ingo Molnar 35f6f753b7 [PATCH] sched: get rid of p->children use in show_task()
the p->parent PID printout gives us all the information about the
task tree that we need - the eldest_child()/older_sibling()/
younger_sibling() printouts are mostly historic and i do not
remember ever having used those fields. (IMO in fact they confuse
the SysRq-T output.) So remove them.

This code has sentimental value though, those fields and
printouts are one of the oldest ones still surviving from
Linux v0.95's kernel/sched.c:

        if (p->p_ysptr || p->p_osptr)
                printk("   Younger sib=%d, older sib=%d\n\r",
                        p->p_ysptr ? p->p_ysptr->pid : -1,
                        p->p_osptr ? p->p_osptr->pid : -1);
        else
                printk("\n\r");

written 15 years ago, in early 1992.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Linus 'snif' Torvalds <torvalds@linux-foundation.org>
2007-04-07 10:06:51 -07:00
Tejun Heo 7f30e49ee1 [PATCH] irq-devres: fix failure path of devm_request_irq()
devres should be deallocated with devres_free() not kfree().  This bug
corrupts slab on IRQ request failure.  Fix it.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Greg KH <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-04-07 10:05:21 -07:00
Ingo Molnar 995f054f2a [PATCH] high-res timers: resume fix
Soeren Sonnenburg reported that upon resume he is getting
this backtrace:

 [<c0119637>] smp_apic_timer_interrupt+0x57/0x90
 [<c0142d30>] retrigger_next_event+0x0/0xb0
 [<c0104d30>] apic_timer_interrupt+0x28/0x30
 [<c0142d30>] retrigger_next_event+0x0/0xb0
 [<c0140068>] __kfifo_put+0x8/0x90
 [<c0130fe5>] on_each_cpu+0x35/0x60
 [<c0143538>] clock_was_set+0x18/0x20
 [<c0135cdc>] timekeeping_resume+0x7c/0xa0
 [<c02aabe1>] __sysdev_resume+0x11/0x80
 [<c02ab0c7>] sysdev_resume+0x47/0x80
 [<c02b0b05>] device_power_up+0x5/0x10

it turns out that on resume we mistakenly re-enable interrupts too
early.  Do the timer retrigger only on the current CPU.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Soeren Sonnenburg <kernel@nn7.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-04-07 10:03:43 -07:00
Linus Torvalds bbef618190 Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
  [TG3]: Fix crash during tg3_init_one().
  [IPV6]: Revert recent change to rt6_check_dev().
  [XFRM]: beet: fix IP option decapsulation
  [XFRM]: beet: fix beet mode decapsulation
  [XFRM]: beet: use IPOPT_NOP for option padding
  [XFRM]: beet: fix IP option encapsulation
2007-04-06 18:15:30 -07:00
Michael Chan b8fa2f3a82 [TG3]: Fix crash during tg3_init_one().
The driver will crash when the chip has been initialized by EFI before
tg3_init_one().  In this case, the driver will call tg3_chip_reset()
before allocating consistent memory.

The bug is fixed by checking for tp->hw_status before accessing it
during tg3_chip_reset().

Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-04-06 17:35:37 -07:00
Mike Habeck 2e0d232bff [IA64] SGI Altix : fix pcibr_dmamap_ate32() bug
On a SGI Altix TIOCP based PCI bus we need to include the ATE_PIO attribute
bit if we're mapping a 32bit MSI address.

Signed-off-by: Mike Habeck <habeck@sgi.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
2007-04-06 15:38:12 -07:00
Venki Pallipadi 8a3a78d149 [IA64] Fix CPU freq displayed in /proc/cpuinfo
My patch: git commit=95235ca2c20ac0b31a8eb39e2d599bcc3e9c9a10 introduced a bug
in IA64 cpuinfo output.

Patch changed the proc_freq from 1HZ resolution to 1KHz resolution, but left
format string unchanged at " %lu.%06lu". Below is the fix.

Thanks to Bjorn for catching this.

Signed-off-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
2007-04-06 15:37:45 -07:00
Ishimatsu Yasuaki 9438a1218e [IA64] Fix wrong assumption about irq and vector in msi_ia64.c
This patch fixes a wrong assumption in ia64 MSI code that IRQ equals
vector.

Signed-off-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
2007-04-06 15:37:06 -07:00
Russ Anderson fbff71e1ec [IA64] BTE error timer fix
The bte recovery_timer was not being set correctly.

Signed-off-by: Russ Anderson <rja@sgi.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
2007-04-06 15:31:33 -07:00
David S. Miller 161980f4c6 [IPV6]: Revert recent change to rt6_check_dev().
This reverts a0d78ebf3a

It causes pings to link-local addresses to fail.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-04-06 11:42:27 -07:00
Linus Torvalds a21bd69e15 Linux 2.6.21-rc6
.. perfect? Ahh, sure.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-04-05 19:36:56 -07:00
Patrick McHardy 254d0d24e3 [XFRM]: beet: fix IP option decapsulation
Beet mode looks for the beet pseudo header after the outer IP header,
which is wrong since that is followed by the ESP header. Additionally
it needs to adjust the packet length after removing the pseudo header
and point the data pointer to the real data location.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-04-05 16:03:33 -07:00
Patrick McHardy d4b1e84062 [XFRM]: beet: fix beet mode decapsulation
Beet mode decapsulation fails to properly set up the skb pointers, which
only works by accident in combination with CONFIG_NETFILTER, since in that
case the skb is fixed up in xfrm4_input before passing it to the netfilter
hooks.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-04-05 15:59:41 -07:00
Patrick McHardy 04fef9893a [XFRM]: beet: use IPOPT_NOP for option padding
draft-nikander-esp-beet-mode-07.txt states "The padding MUST be filled
with NOP options as defined in Internet Protocol [1] section 3.1
Internet header format.", so do that.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-04-05 15:54:39 -07:00
Patrick McHardy c5027c9a89 [XFRM]: beet: fix IP option encapsulation
Beet mode calculates an incorrect value for the transport header location
when IP options are present, resulting in encapsulation errors.

The correct location is 4 or 8 bytes before the end of the original IP
header, depending on whether the pseudo header is padded.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-04-05 15:54:02 -07:00
Erez Zilber 1d426d6418 IB/iser: Don't defer connection failure notification to workqueue
When a connection is terminated asynchronously from the iSCSI layer's
perspective, iSER needs to notify the iSCSI layer that the connection
has failed.  This is done using a workqueue (switched to from the iSER
tasklet context).  Meanwhile, the connection object (that holds the
work struct) is released.  If the workqueue function wasn't called
yet, it will be called later with a NULL pointer, which will crash the
kernel.

The context switch (tasklet to workqueue) is not required, and
everything can be done from the iSER tasklet. This eliminates the NULL
work struct bug (and simplifies the code).

Signed-off-by: Erez Zilber <erezz@voltaire.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
2007-04-05 09:46:04 -07:00
Adam Kropelin 8da7d1bae5 HID: Do not discard truncated input reports
Truncated reports should not be discarded since it prevents buggy
devices from communicating with userspace.

Prior to the regession introduced in 2.6.20, a shorter-than-expected
report in hid_input_report() was passed thru after having the missing
bytes cleared. This behavior was established over a few patches in the
2.6.early-teens days, including commit
cd6104572b.

This patch restores the previous behavior and fixes the regression.

Signed-off-by: Adam Kropelin <akropel1@rochester.rr.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2007-04-05 16:06:30 +02:00
Herbert Xu 4c4d51a731 [IPSEC]: Reject packets within replay window but outside the bit mask
Up until this point we've accepted replay window settings greater than
32 but our bit mask can only accomodate 32 packets.  Thus any packet
with a sequence number within the window but outside the bit mask would
be accepted.

This patch causes those packets to be rejected instead.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-04-05 00:07:39 -07:00
Mitsuru Chinen 60e5c16641 [IPv6]: Exclude truncated packets from InHdrErrors statistics
Incoming trancated packets are counted as not only InTruncatedPkts but
also InHdrErrors. They should be counted as InTruncatedPkts only.

Signed-off-by: Mitsuru Chinen <mitch@linux.vnet.ibm.com>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-04-04 23:54:59 -07:00
Jean Delvare 75559c167b [APPLETALK]: Fix a remotely triggerable crash
When we receive an AppleTalk frame shorter than what its header says,
we still attempt to verify its checksum, and trip on the BUG_ON() at
the end of function atalk_sum_skb() because of the length mismatch.

This has security implications because this can be triggered by simply
sending a specially crafted ethernet frame to a target victim,
effectively crashing that host. Thus this qualifies, I think, as a
remote DoS. Here is the frame I used to trigger the crash, in npg
format:

<Appletalk Killer>
{
# Ethernet header -----

  XX XX XX XX XX XX  # Destination MAC
  00 00 00 00 00 00  # Source MAC
  00 1D              # Length

# LLC header -----

  AA AA 03
  08 00 07 80 9B  # Appletalk

# Appletalk header -----

  00 1B        # Packet length (invalid)
  00 01        # Fake checksum 
  00 00 00 00  # Destination and source networks
  00 00 00 00  # Destination and source nodes and ports

# Payload -----

  0C 0D 0E 0F 10 11 12 13
  14
}

The destination MAC address must be set to those of the victim.

The severity is mitigated by two requirements:
* The target host must have the appletalk kernel module loaded. I
  suspect this isn't so frequent.
* AppleTalk frames are non-IP, thus I guess they can only travel on
  local networks. I am no network expert though, maybe it is possible
  to somehow encapsulate AppleTalk packets over IP.

The bug has been reported back in June 2004:
  http://bugzilla.kernel.org/show_bug.cgi?id=2979
But it wasn't investigated, and was closed in July 2006 as both
reporters had vanished meanwhile.

This code was new in kernel 2.6.0-test5:
  http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2
And not modified since then, so we can assume that vanilla kernels
2.6.0-test5 and later, and distribution kernels based thereon, are
affected.

Note that I still do not know for sure what triggered the bug in the
real-world cases. The frame could have been corrupted by the kernel if
we have a bug hiding somewhere. But more likely, we are receiving the
faulty frame from the network.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-04-04 23:52:46 -07:00
Maciej Zenczykowski 58e9491390 [PATCH] ia64: desc_empty thinko/typo fix
Just a one-byter for an ia64 thinko/typo - already fixed for i386 and x86_64.

Acked-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-04-04 21:12:48 -07:00
Yoichi Yuasa ba6e8564f4 [PATCH] Fix build error on zs serial driver
drivers/tc/zs.c:73:24: error: asm/dec/tc.h: No such file or directory

Signed-off-by: Yoichi Yuasa <yoichi_yuasa@tripeaks.co.jp>
Acked-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-04-04 21:12:47 -07:00
john stultz 98de9e3ba2 [PATCH] fix jiffies clocksource inittime
In debugging a problem w/ the -rt tree, I noticed that on systems that mark
the tsc as unstable before it is registered, the TSC would still be
selected and used for a short period of time.  Digging in it looks to be a
result of the mix of the clocksource list changes and my clocksource
initialization changes.

With the -rt tree, using a bad TSC, even for a short period of time can
results in a hang at boot.  I was not able to reproduce this hang w/
mainline, but I'm not completely certain that someone won't trip on it.

This patch resolves the issue by initializing the jiffies clocksource
earlier so a bad TSC won't get selected just because nothing else is yet
registered.

Signed-off-by: John Stultz <johnstul@us.ibm.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-04-04 21:12:47 -07:00
Mike Miller (OS Dev) 7f42d3b8a7 [PATCH] cciss: add init of drv->cylinders back to cciss_geometry_inquiry
This patch adds initialization of drv->cylinders back into the failing case in
cciss_geometry_inquiry. I inadvertently removed it in one my 2TB updates.

Signed-off-by: Mike Miller <mike.miller@hp.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-04-04 21:12:47 -07:00
Andrew Morton 2363cc0264 [PATCH] remove protection of LANANA-reserved majors
Revert all this.  It can cause device-mapper to receive a different major from
earlier kernels and it turns out that the Amanda backup program (via GNU tar,
apparently) checks major numbers on files when performing incremental backups.

Which is a bit broken of Amanda (or tar), but this feature isn't important
enough to justify the churn.

Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-04-04 21:12:47 -07:00
Rafael J. Wysocki c75fd0ee6e [PATCH] swsusp: fix memory shrinker
Fix a bug in the swsusp's memory shrinker that causes some systems using
highmem to refuse to suspend to disk if image_size is set above 1/2 of
available RAM.

Special thanks to Jiri Slaby for reporting the problem and assistance in
debugging it.

Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Cc: Jiri Slaby <jirislaby@gmail.com>
Cc: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-04-04 21:12:47 -07:00