Commit bbc4a9ce authored by Dann Frazier's avatar Dann Frazier

merge in 2.6.18.dfsg.1-13

svn path=/dists/etch-security/linux-2.6/; revision=9060
parents 65e034df be5ce735
......@@ -219,7 +219,7 @@ CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_MULTIPATH_RR=m
CONFIG_IP_ROUTE_MULTIPATH_RANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=m
......
......@@ -100,7 +100,7 @@ CONFIG_ZLIB_DEFLATE=m
# CONFIG_TCG_TPM is not set
CONFIG_TCG_ATMEL=m
CONFIG_TCG_NSC=m
CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_6PACK=m
CONFIG_DVB_USB_DTT200U=m
CONFIG_DVB_USB_DIGITV=m
......
[abi]
abiname: 4
abiname: 5
[base]
arches:
......
......@@ -265,7 +265,7 @@ CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_MULTIPATH_RR=m
CONFIG_IP_ROUTE_MULTIPATH_RANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=m
......
......@@ -265,7 +265,7 @@ CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_MULTIPATH_RR=m
CONFIG_IP_ROUTE_MULTIPATH_RANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=m
......
......@@ -160,8 +160,7 @@ CONFIG_SOUND=m
# CONFIG_ECONET is not set
# CONFIG_SND_BT87X is not set
CONFIG_NET_FC=y
# CONFIG_SCSI_QLOGIC_1280 is not set
# Digital Video Broadcasting Devices
CONFIG_SCSI_QLOGIC_1280=m
CONFIG_PARPORT_NOT_PC=y
# CONFIG_PHONE is not set
CONFIG_CODA_FS=m
......
linux-2.6 (2.6.18.dfsg.1-12etch3) stable-security; urgency=high
linux-2.6 (2.6.18.dfsg.1-13etch1) stable-security; urgency=high
* bugfix/bluetooth-l2cap-hci-info-leaks.patch
[SECURITY] Fix information leaks in setsockopt() implementations
......@@ -12,6 +12,46 @@ linux-2.6 (2.6.18.dfsg.1-12etch3) stable-security; urgency=high
-- dann frazier <dannf@debian.org> Wed, 04 Jul 2007 08:57:36 -0600
linux-2.6 (2.6.18.dfsg.1-13) stable; urgency=high
[ Bastian Blank ]
* [vserver] Fix overflow in network accounting. (closes: #412132)
* [vserver] Fix lock accounting. (closes: #417631)
* Bump ABI to 5.
* Make modules packages binnmuable.
* [sparc] Enable Qlogic QLA SCSI support. (closes: #417629)
[ dann frazier ]
* bugfix/listxattr-mem-corruption.patch
[SECURITY] Fix userspace corruption vulnerability caused by
incorrectly promoted return values in bad_inode_ops
This patch changes the kernel ABI.
See CVE-2006-5753
* bugfix/all/vserver/net-mount-fix.patch
Fix mounting of network filesystems with VX_BINARY_MOUNT caps
(closes: #418076)
* Disable broken CONFIG_IP_ROUTE_MULTIPATH_CACHED setting. (closes: #418344)
* bugfix/ipv6-disallow-RH0-by-default.patch
[SECURITY] Avoid a remote DoS (network amplification between two routers)
by disabling type0 IPv6 route headers by default. Can be re-enabled via
a sysctl interface. Thanks to Vlad Yasevich for porting help.
This patch changes the kernel ABI.
See CVE-2007-2242
* Fix an oops which potentially results in data corruption in the gdth driver.
(closes: #412092)
* bugfix/amd64-make-gart-ptes-uncacheable.patch
Fix silent data corruption using GART iommu (closes: #404148)
[ maximilian attems ]
* Backport support for i965 to agp too. (closes: #406111)
* Compile fix for UML CONFIG_MODE_TT=y. (closes: #412957)
* Fix ide-generic jmicron device conflict. (closes: #421281)
[ Martin Michlmayr ]
* Fix wrong checksum for split TCP packets on 64-bit MIPS. (closes: #421283)
-- dann frazier <dannf@debian.org> Mon, 21 May 2007 14:45:13 -0600
linux-2.6 (2.6.18.dfsg.1-12etch2) stable-security; urgency=high
* bugfix/nfnetlink_log-null-deref.patch
......
......@@ -5,6 +5,8 @@ DEB_BUILD_ARCH := $(shell dpkg-architecture -qDEB_BUILD_ARCH)
include $(__MODULES_DIR)rules.defs
__BINNMU := $(shell dpkg-parsechangelog | sed -ne 's,^Version: .*\+b\(.*\)$$,\1,p')
BUILD_STAMP = $(STAMPS_DIR)/build-base
build: debian/control $(BUILD_STAMP)
......@@ -36,8 +38,14 @@ CONTROL_FILES += $(wildcard debian/arch/defines) $(wildcard debian/arch/*/define
GENCONTROL = $(__MODULES_DIR)gencontrol.py
debian/control debian/rules.gen: $(CONTROL_FILES)
if [ -f debian/control ] && [ -f debian/control.md5sum ] && [ -f debian/rules.gen ]; then \
if md5sum $^ | diff - debian/control.md5sum > /dev/null; then true; else \
$(MAKE) -f debian/rules debian/control-real; \
if [ "$(__BINNMU)" ]; then \
if ! grep -v debian/changelog debian/control.md5sum | md5sum --check - --status; then \
$(MAKE) -f debian/rules debian/control-real; \
fi \
else \
if ! md5sum --check debian/control.md5sum --status; then \
$(MAKE) -f debian/rules debian/control-real; \
fi \
fi \
else \
$(MAKE) -f debian/rules debian/control-real; \
......
--- linux-2.6.16.43-vs2.0.3-rc1/include/linux/vs_socket.h 2007-03-28 02:23:16 +0200
+++ linux-2.6.16.43-vs2.0.3-rc2/include/linux/vs_socket.h 2007-03-17 16:20:04 +0100
@@ -36,8 +36,8 @@ static inline void __vx_acc_sock(struct
if (vxi) {
int type = vx_sock_type(family);
- atomic_inc(&vxi->cacct.sock[type][pos].count);
- atomic_add(size, &vxi->cacct.sock[type][pos].total);
+ atomic_long_inc(&vxi->cacct.sock[type][pos].count);
+ atomic_long_add(size, &vxi->cacct.sock[type][pos].total);
}
}
--- linux-2.6.16.43-vs2.0.3-rc1/include/linux/vserver/cvirt_def.h 2007-03-28 02:23:16 +0200
+++ linux-2.6.16.43-vs2.0.3-rc2/include/linux/vserver/cvirt_def.h 2007-03-17 16:20:04 +0100
@@ -62,8 +62,8 @@ struct _vx_cvirt {
};
struct _vx_sock_acc {
- atomic_t count;
- atomic_t total;
+ atomic_long_t count;
+ atomic_long_t total;
};
/* context sub struct */
--- linux-2.6.16.43-vs2.0.3-rc1/kernel/vserver/cvirt_init.h 2007-03-28 02:23:17 +0200
+++ linux-2.6.16.43-vs2.0.3-rc2/kernel/vserver/cvirt_init.h 2007-03-17 16:20:04 +0100
@@ -68,8 +68,8 @@ static inline void vx_info_init_cacct(st
for (i=0; i<5; i++) {
for (j=0; j<3; j++) {
- atomic_set(&cacct->sock[i][j].count, 0);
- atomic_set(&cacct->sock[i][j].total, 0);
+ atomic_long_set(&cacct->sock[i][j].count, 0);
+ atomic_long_set(&cacct->sock[i][j].total, 0);
}
}
}
--- linux-2.6.16.43-vs2.0.3-rc1/kernel/vserver/cvirt_proc.h 2007-03-28 02:23:17 +0200
+++ linux-2.6.16.43-vs2.0.3-rc2/kernel/vserver/cvirt_proc.h 2007-03-17 16:20:04 +0100
@@ -58,13 +58,13 @@ static inline int vx_info_proc_cvirt(str
static inline long vx_sock_count(struct _vx_cacct *cacct, int type, int pos)
{
- return atomic_read(&cacct->sock[type][pos].count);
+ return atomic_long_read(&cacct->sock[type][pos].count);
}
static inline long vx_sock_total(struct _vx_cacct *cacct, int type, int pos)
{
- return atomic_read(&cacct->sock[type][pos].total);
+ return atomic_long_read(&cacct->sock[type][pos].total);
}
static inline int vx_info_proc_cacct(struct _vx_cacct *cacct, char *buffer)
--- linux-2.6.16.43-vs2.0.3-rc1/fs/locks.c 2007-03-28 02:23:15 +0200
+++ linux-2.6.16.43-vs2.0.3-rc2/fs/locks.c 2007-03-17 16:20:04 +0100
@@ -759,6 +759,7 @@ static int flock_lock_file(struct file *
new_fl = locks_alloc_lock();
if (new_fl == NULL)
goto out;
+ new_fl->fl_xid = -1;
/*
* If a higher-priority process was blocked on the old file lock,
* give it the opportunity to lock the file.
@@ -780,8 +781,8 @@ static int flock_lock_file(struct file *
if (request->fl_flags & FL_ACCESS)
goto out;
locks_copy_lock(new_fl, request);
- vx_locks_inc(new_fl);
locks_insert_lock(&inode->i_flock, new_fl);
+ vx_locks_inc(new_fl);
new_fl = NULL;
error = 0;
@@ -1383,8 +1384,8 @@ static int __setlease(struct file *filp,
goto out;
locks_copy_lock(fl, lease);
-
locks_insert_lock(before, fl);
+ vx_locks_inc(fl);
*flp = fl;
error = 0;
diff -NurpP --minimal linux-2.6.18.5-vs2.0.2.2-rc9/fs/super.c linux-2.6.18.5-vs2.0.3-rc1/fs/super.c
--- linux-2.6.18.5-vs2.0.2.2-rc9/fs/super.c 2006-09-20 17:59:47 +0200
+++ linux-2.6.18.5-vs2.0.3-rc1/fs/super.c 2006-12-13 23:06:16 +0100
@@ -848,7 +848,7 @@ vfs_kern_mount(struct file_system_type *
sb = mnt->mnt_sb;
error = -EPERM;
- if (!capable(CAP_SYS_ADMIN) && !sb->s_bdev &&
+ if (!vx_capable(CAP_SYS_ADMIN, VXC_BINARY_MOUNT) && !sb->s_bdev &&
(sb->s_magic != PROC_SUPER_MAGIC) &&
(sb->s_magic != DEVPTS_SUPER_MAGIC))
goto out_sb;
From: Joachim Deguara <joachim.deguara@amd.com>
Date: Tue, 24 Apr 2007 11:05:36 +0000 (+0200)
Subject: [PATCH] x86-64: make GART PTEs uncacheable
X-Git-Tag: v2.6.21~9^2~3
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=cf6387daf8858bdcb3e123034ca422e8979d73f1
[PATCH] x86-64: make GART PTEs uncacheable
This patches fixes the silent data corruption problems being seen using the
GART iommu where 4kB of data where incorrect (seen mostly on Nvidia CK804
systems). This fix, to mark the memory regin the GART PTEs reside on as
uncacheable, also brings the code in line with the AGP specification.
Signed-off-by: Joachim Deguara <joachim.deguara@amd.com>
Signed-off-by: Andi Kleen <ak@suse.de>
---
diff --git a/arch/x86_64/kernel/pci-gart.c b/arch/x86_64/kernel/pci-gart.c
index 2bac8c6..0bae862 100644
--- a/arch/x86_64/kernel/pci-gart.c
+++ b/arch/x86_64/kernel/pci-gart.c
@@ -519,7 +519,11 @@ static __init int init_k8_gatt(struct agp_kern_info *info)
gatt_size = (aper_size >> PAGE_SHIFT) * sizeof(u32);
gatt = (void *)__get_free_pages(GFP_KERNEL, get_order(gatt_size));
if (!gatt)
- panic("Cannot allocate GATT table");
+ panic("Cannot allocate GATT table");
+ if (change_page_attr_addr((unsigned long)gatt, gatt_size >> PAGE_SHIFT, PAGE_KERNEL_NOCACHE))
+ panic("Could not set GART PTEs to uncacheable pages");
+ global_flush_tlb();
+
memset(gatt, 0, gatt_size);
agp_gatt_table = gatt;
commit b428b51ed9a4ff8445ea50769961f948480c1d36
Author: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Date: Sun Oct 29 22:46:41 2006 -0800
[PATCH] Fix "Remove the use of _syscallX macros in UML"
Fix commit 5f4c6bc1f369f20807a8e753c2308d1629478c61: it spits out warnings
about missing syscall prototype (it is in <unistd.h>) and it does not
recognize that two uses of _syscallX are to be resolved against kernel
headers in the source tree, not against _syscallX; they in fact do not
compile and would not work anyway.
If _syscallX macros will be removed from the kernel tree altogether, the
only reasonable solution for that piece of code is switching to open-coded
inline assembly (it's remapping the whole executable from memory, except
the page containing this code).
Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Cc: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
diff --git a/arch/um/sys-i386/unmap.c b/arch/um/sys-i386/unmap.c
index 8e55cd5..1b0ad0e 100644
--- a/arch/um/sys-i386/unmap.c
+++ b/arch/um/sys-i386/unmap.c
@@ -5,17 +5,20 @@
#include <linux/mman.h>
#include <asm/unistd.h>
-#include <sys/syscall.h>
+static int errno;
+
+static inline _syscall2(int,munmap,void *,start,size_t,len)
+static inline _syscall6(void *,mmap2,void *,addr,size_t,len,int,prot,int,flags,int,fd,off_t,offset)
int switcheroo(int fd, int prot, void *from, void *to, int size)
{
- if (syscall(__NR_munmap, to, size) < 0){
+ if(munmap(to, size) < 0){
return(-1);
}
- if (syscall(__NR_mmap2, to, size, prot, MAP_SHARED | MAP_FIXED, fd, 0) == (void*) -1 ){
+ if(mmap2(to, size, prot, MAP_SHARED | MAP_FIXED, fd, 0) == (void*) -1 ){
return(-1);
}
- if (syscall(__NR_munmap, from, size) < 0){
+ if(munmap(from, size) < 0){
return(-1);
}
return(0);
diff --git a/arch/um/sys-x86_64/unmap.c b/arch/um/sys-x86_64/unmap.c
index 57c9286..f4a4bff 100644
--- a/arch/um/sys-x86_64/unmap.c
+++ b/arch/um/sys-x86_64/unmap.c
@@ -5,17 +5,20 @@
#include <linux/mman.h>
#include <asm/unistd.h>
-#include <sys/syscall.h>
+static int errno;
+
+static inline _syscall2(int,munmap,void *,start,size_t,len)
+static inline _syscall6(void *,mmap,void *,addr,size_t,len,int,prot,int,flags,int,fd,off_t,offset)
int switcheroo(int fd, int prot, void *from, void *to, int size)
{
- if (syscall(__NR_munmap, to, size) < 0){
+ if(munmap(to, size) < 0){
return(-1);
}
- if (syscall(__NR_mmap, to, size, prot, MAP_SHARED | MAP_FIXED, fd, 0) == (void*) -1){
+ if(mmap(to, size, prot, MAP_SHARED | MAP_FIXED, fd, 0) == (void*) -1){
return(-1);
}
- if (syscall(__NR_munmap, from, size) < 0){
+ if(munmap(from, size) < 0){
return(-1);
}
return(0);
From: Joerg Dorchain <joerg@dorchain.net>
Date: Tue, 6 Mar 2007 10:46:54 +0000 (-0800)
Subject: [SCSI] gdth: fix oops in gdth_copy_cmd()
X-Git-Tag: v2.6.21~211^2
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=bb9ba31ca3b88fd396e38950d1caedf2f83521c6
[SCSI] gdth: fix oops in gdth_copy_cmd()
Recent alterations to the gdth_fill_raw_cmd() path no longer set the
sg_ranz field for zero transfer commands. However, this field is used
lower down in the function to initialise ha->cmd_len to the size of
the firmware packet. If this uninitialised field contains a bogus
value, ha->cmd_len can become much larger than the actual firmware
packet and end up oopsing in gdth_copy_cmd() as it tries to copy this
huge packet to the device (usually because it runs into an unallocated
page).
The fix is to initialise the sg_ranz field to zero at the start of
gdth_fill_raw_cmd().
Signed-off-by: Joerg Dorchain <joerg@dorchain.net>
Acked-by: "Leubner, Achim" <Achim_Leubner@adaptec.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
---
diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
index 8c81cec..60446b8 100644
--- a/drivers/scsi/gdth.c
+++ b/drivers/scsi/gdth.c
@@ -3091,6 +3091,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b)
cmdp->u.raw64.direction =
gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
memcpy(cmdp->u.raw64.cmd,scp->cmnd,16);
+ cmdp->u.raw64.sg_ranz = 0;
} else {
cmdp->u.raw.reserved = 0;
cmdp->u.raw.mdisc_time = 0;
@@ -3107,6 +3108,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b)
cmdp->u.raw.direction =
gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
memcpy(cmdp->u.raw.cmd,scp->cmnd,12);
+ cmdp->u.raw.sg_ranz = 0;
}
if (scp->use_sg) {
From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Date: Thu, 26 Apr 2007 04:56:57 +0000 (-0700)
Subject: [PATCH] IPV6: Disallow RH0 by default.
X-Git-Tag: v2.6.20.9~1
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=010831ab8436dfd9304b203467566fb6b135c24f
[PATCH] IPV6: Disallow RH0 by default.
[IPV6]: Disallow RH0 by default.
A security issue is emerging. Disallow Routing Header Type 0 by default
as we have been doing for IPv4.
Note: We allow RH2 by default because it is harmless.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
Backported to Debian's 2.6.18 by dann frazier and Vlad Yasevich
diff -urpN linux-source-2.6.18.orig/Documentation/networking/ip-sysctl.txt linux-source-2.6.18/Documentation/networking/ip-sysctl.txt
--- linux-source-2.6.18.orig/Documentation/networking/ip-sysctl.txt 2007-05-11 15:09:21.000000000 -0600
+++ linux-source-2.6.18/Documentation/networking/ip-sysctl.txt 2007-05-11 15:10:03.000000000 -0600
@@ -775,6 +775,14 @@ accept_redirects - BOOLEAN
Functional default: enabled if local forwarding is disabled.
disabled if local forwarding is enabled.
+accept_source_route - INTEGER
+ Accept source routing (routing extension header).
+
+ > 0: Accept routing header.
+ = 0: Do not accept routing header.
+
+ Default: 0
+
autoconf - BOOLEAN
Autoconfigure addresses using Prefix Information in Router
Advertisements.
diff -urpN linux-source-2.6.18.orig/include/linux/ipv6.h linux-source-2.6.18/include/linux/ipv6.h
--- linux-source-2.6.18.orig/include/linux/ipv6.h 2007-05-11 15:09:21.000000000 -0600
+++ linux-source-2.6.18/include/linux/ipv6.h 2007-05-11 15:10:03.000000000 -0600
@@ -153,6 +153,7 @@ struct ipv6_devconf {
__s32 accept_ra_rt_info_max_plen;
#endif
#endif
+ __s32 accept_source_route;
void *sysctl;
};
@@ -180,6 +181,7 @@ enum {
DEVCONF_ACCEPT_RA_RTR_PREF,
DEVCONF_RTR_PROBE_INTERVAL,
DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN,
+ DEVCONF_ACCEPT_SOURCE_ROUTE,
DEVCONF_MAX
};
diff -urpN linux-source-2.6.18.orig/include/linux/sysctl.h linux-source-2.6.18/include/linux/sysctl.h
--- linux-source-2.6.18.orig/include/linux/sysctl.h 2007-05-11 15:09:21.000000000 -0600
+++ linux-source-2.6.18/include/linux/sysctl.h 2007-05-11 15:10:03.000000000 -0600
@@ -553,6 +553,7 @@ enum {
NET_IPV6_ACCEPT_RA_RTR_PREF=20,
NET_IPV6_RTR_PROBE_INTERVAL=21,
NET_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=22,
+ NET_IPV6_ACCEPT_SOURCE_ROUTE=23,
__NET_IPV6_MAX
};
diff -urpN linux-source-2.6.18.orig/net/ipv6/addrconf.c linux-source-2.6.18/net/ipv6/addrconf.c
--- linux-source-2.6.18.orig/net/ipv6/addrconf.c 2007-05-11 15:09:21.000000000 -0600
+++ linux-source-2.6.18/net/ipv6/addrconf.c 2007-05-11 15:10:07.000000000 -0600
@@ -173,6 +173,7 @@ struct ipv6_devconf ipv6_devconf = {
.accept_ra_rt_info_max_plen = 0,
#endif
#endif
+ .accept_source_route = 0, /* we do not accept RH0 by default. */
};
static struct ipv6_devconf ipv6_devconf_dflt = {
@@ -203,6 +204,7 @@ static struct ipv6_devconf ipv6_devconf_
.accept_ra_rt_info_max_plen = 0,
#endif
#endif
+ .accept_source_route = 0, /* we do not accept RH0 by default. */
};
/* IPv6 Wildcard Address and Loopback Address defined by RFC2553 */
@@ -3333,6 +3335,7 @@ static void inline ipv6_store_devconf(st
array[DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN] = cnf->accept_ra_rt_info_max_plen;
#endif
#endif
+ array[DEVCONF_ACCEPT_SOURCE_ROUTE] = cnf->accept_source_route;
}
/* Maximum length of ifinfomsg attributes */
@@ -3847,6 +3850,14 @@ static struct addrconf_sysctl_table
#endif
#endif
{
+ .ctl_name = NET_IPV6_ACCEPT_SOURCE_ROUTE,
+ .procname = "accept_source_route",
+ .data = &ipv6_devconf.accept_source_route,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec,
+ },
+ {
.ctl_name = 0, /* sentinel */
}
},
diff -urpN linux-source-2.6.18.orig/net/ipv6/exthdrs.c linux-source-2.6.18/net/ipv6/exthdrs.c
--- linux-source-2.6.18.orig/net/ipv6/exthdrs.c 2007-05-11 15:09:21.000000000 -0600
+++ linux-source-2.6.18/net/ipv6/exthdrs.c 2007-05-11 15:10:03.000000000 -0600
@@ -221,10 +221,24 @@ static int ipv6_rthdr_rcv(struct sk_buff
struct inet6_skb_parm *opt = IP6CB(skb);
struct in6_addr *addr;
struct in6_addr daddr;
+ struct inet6_dev *idev;
int n, i;
-
struct ipv6_rt_hdr *hdr;
struct rt0_hdr *rthdr;
+ int accept_source_route = ipv6_devconf.accept_source_route;
+
+ if (accept_source_route == 0 ||
+ ((idev = in6_dev_get(skb->dev)) == NULL)) {
+ kfree_skb(skb);
+ return -1;
+ }
+ if (idev->cnf.accept_source_route == 0) {
+ in6_dev_put(idev);
+ kfree_skb(skb);
+ return -1;
+ }
+
+ in6_dev_put(idev);
if (!pskb_may_pull(skb, (skb->h.raw-skb->data)+8) ||
!pskb_may_pull(skb, (skb->h.raw-skb->data)+((skb->h.raw[1]+1)<<3))) {
@@ -235,6 +249,12 @@ static int ipv6_rthdr_rcv(struct sk_buff
hdr = (struct ipv6_rt_hdr *) skb->h.raw;
+ if (hdr->type != IPV6_SRCRT_TYPE_0) {
+ IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
+ icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw);
+ return -1;
+ }
+
if (ipv6_addr_is_multicast(&skb->nh.ipv6h->daddr) ||
skb->pkt_type != PACKET_HOST) {
IP6_INC_STATS_BH(IPSTATS_MIB_INADDRERRORS);
@@ -253,12 +273,6 @@ looped_back:
return 1;
}
- if (hdr->type != IPV6_SRCRT_TYPE_0) {
- IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
- icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw);
- return -1;
- }
-
if (hdr->hdrlen & 0x01) {
IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->hdrlen) - skb->nh.raw);
From git-commits-head-owner@vger.kernel.org Wed Jan 31 20:14:02 2007
Date: Tue, 30 Jan 2007 18:59:36 GMT
Message-Id: <200701301859.l0UIxaDi025785@hera.kernel.org>
From: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
To: git-commits-head@vger.kernel.org
Subject: ide/generic: Jmicron has its own drivers now
Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3e9e4c8606127592cda22159cc2440ea48963ae4
Commit: 3e9e4c8606127592cda22159cc2440ea48963ae4
Parent: e5c073ff24604d4dbb2fbcedb17da6df768468d3
Author: Alan Cox <alan@redhat.com>
AuthorDate: Sat Jan 27 13:46:45 2007 +0100
Committer: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
CommitDate: Sat Jan 27 13:46:45 2007 +0100
ide/generic: Jmicron has its own drivers now
Drop ide-generic support for Jmicron identifiers as we now trust Jmicron.c for
this with drivers/ide. The code check remains for the all-generic-ide case.
Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
---
drivers/ide/pci/generic.c | 35 -----------------------------------
1 files changed, 0 insertions(+), 35 deletions(-)
diff --git a/drivers/ide/pci/generic.c b/drivers/ide/pci/generic.c
index 9f30688..3143cb0 100644
--- a/drivers/ide/pci/generic.c
+++ b/drivers/ide/pci/generic.c
@@ -185,36 +185,6 @@ static ide_pci_device_t generic_chipsets[] __devinitdata = {
.channels = 2,
.autodma = AUTODMA,
.bootable = OFF_BOARD,
- },{ /* 15 */
- .name = "JMB361",
- .init_hwif = init_hwif_generic,
- .channels = 2,
- .autodma = AUTODMA,
- .bootable = OFF_BOARD,
- },{ /* 16 */
- .name = "JMB363",
- .init_hwif = init_hwif_generic,
- .channels = 2,
- .autodma = AUTODMA,
- .bootable = OFF_BOARD,
- },{ /* 17 */
- .name = "JMB365",
- .init_hwif = init_hwif_generic,
- .channels = 2,
- .autodma = AUTODMA,
- .bootable = OFF_BOARD,
- },{ /* 18 */
- .name = "JMB366",
- .init_hwif = init_hwif_generic,
- .channels = 2,
- .autodma = AUTODMA,
- .bootable = OFF_BOARD,
- },{ /* 19 */
- .name = "JMB368",
- .init_hwif = init_hwif_generic,
- .channels = 2,
- .autodma = AUTODMA,
- .bootable = OFF_BOARD,
}
};
@@ -281,11 +251,6 @@ static struct pci_device_id generic_pci_tbl[] = {
{ PCI_VENDOR_ID_TOSHIBA,PCI_DEVICE_ID_TOSHIBA_PICCOLO_1, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 12},
{ PCI_VENDOR_ID_TOSHIBA,PCI_DEVICE_ID_TOSHIBA_PICCOLO_2, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 13},
{ PCI_VENDOR_ID_NETCELL,PCI_DEVICE_ID_REVOLUTION, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 14},
- { PCI_VENDOR_ID_JMICRON, PCI_DEVICE_ID_JMICRON_JMB361, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 15},
- { PCI_VENDOR_ID_JMICRON, PCI_DEVICE_ID_JMICRON_JMB363, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 16},
- { PCI_VENDOR_ID_JMICRON, PCI_DEVICE_ID_JMICRON_JMB365, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 17},
- { PCI_VENDOR_ID_JMICRON, PCI_DEVICE_ID_JMICRON_JMB366, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 18},
- { PCI_VENDOR_ID_JMICRON, PCI_DEVICE_ID_JMICRON_JMB368, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 19},
/* Must come last. If you add entries adjust this table appropriately and the init_one code */
{ PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_STORAGE_IDE << 8, 0xFFFFFF00UL, 0},
{ 0, },
This diff is collapsed.
Author: Dave Johnson <djohnson+linux-mips@sw.starentnetworks.com> Wed Apr 18 10:39:41 2007 -0400
Comitter: Ralf Baechle <ralf@linux-mips.org> Wed Apr 18 17:13:29 2007 +0100
Commit: d3b6f8214113e8bad8a0ce3ab1d37b6be1e5a22e
Gitweb: http://www.linux-mips.org/g/linux/d3b6f821
Branch: linux-2.6.18-stable
I've traced down an off-by-one TCP checksum calculation error under
the following conditions:
1) The TCP code needs to split a full-sized packet due to a reduced
MSS (typically due to the addition of TCP options mid-stream like
SACK).
_AND_
2) The checksum of the 2nd fragment is larger than the checksum of the
original packet. After subtraction this results in a checksum for
the 1st fragment with bits 16..31 set to 1. (this is ok)
_AND_
3) The checksum of the 1st fragment's TCP header plus the previously
32bit checksum of the 1st fragment DOES NOT cause a 32bit overflow
when added together. This results in a checksum of the TCP header
plus TCP data that still has the upper 16 bits as 1's.
_THEN_
4) The TCP+data checksum is added to the checksum of the pseudo IP
header with csum_tcpudp_nofold() incorrectly (the bug).
The problem is the checksum of the TCP+data is passed to
csum_tcpudp_nofold() as an 32bit unsigned value, however the assembly
code acts on it as if it is a 64bit unsigned value.
This causes an incorrect 32->64bit extension if the sum has bit 31
set. The resulting checksum is off by one.
This problems is data and TCP header dependent due to #2 and #3
above so it doesn't occur on every TCP packet split.
Signed-off-by: Dave Johnson <djohnson+linux-mips@sw.starentnetworks.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
(cherry picked from commit 3be5b819ac5c9395b60556ae3434ff62d7ded2e7)
---
include/asm-mips/checksum.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/include/asm-mips/checksum.h b/include/asm-mips/checksum.h
index a5e6050..5f71650 100644
--- a/include/asm-mips/checksum.h
+++ b/include/asm-mips/checksum.h
@@ -159,7 +159,7 @@ static inline unsigned int csum_tcpudp_nofold(unsigned long saddr,
#else
"r" (((unsigned long)(proto)<<16) + len),
#endif
- "r" (sum));
+ "r" ((__force unsigned long)sum));
return sum;
}
From: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
To: git-commits-head@vger.kernel.org
Subject: [AGPGART] Intel 965 Express support.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Git-Commit: 65c25aadfa4e917060e99fe459f33a6a07db53cc
X-Git-Parent: 115b384cf87249d76adb0b21aca11ee22128927d
commit 65c25aadfa4e917060e99fe459f33a6a07db53cc
tree 510a3fd7bd869cb49d27f22e0f9191d4bca44138
parent 115b384cf87249d76adb0b21aca11ee22128927d
author Eric Anholt <eric@anholt.net> 1157558238 -0400
committer Dave Jones <davej@redhat.com> 1157558238 -0400
[AGPGART] Intel 965 Express support.
From: Alan Hourihane <alanh@tungstengraphics.com>
From: Eric Anholt <eric@anholt.net>
Signed-off-by: Dave Jones <davej@redhat.com>
drivers/char/agp/intel-agp.c | 163 ++++++++++++++++++++++++++++++++++++++++---
1 file changed, 152 insertions(+), 11 deletions(-)
diff --git a/drivers/char/agp/intel-agp.c b/drivers/char/agp/intel-agp.c
index 42a1cb8..a425f27 100644
--- a/drivers/char/agp/intel-agp.c
+++ b/drivers/char/agp/intel-agp.c
@@ -2,14 +2,6 @@
* Intel AGPGART routines.
*/
-/*
- * Intel(R) 855GM/852GM and 865G support added by David Dawes
- * <dawes@tungstengraphics.com>.
- *