Commit: 5a848956b65ee5ca64fb7496a6b8135e07901499
Author: Adrian Bunk
Date: Wed, 25 Jul 2007 23:05:45 +0200

Linux 2.6.16.53

Commit: 906f7f2125c95ad2ee52e7b91e6ee7af3c25d2da
Author: Adrian Bunk
Date: Sun, 22 Jul 2007 19:38:02 +0200

Linux 2.6.16.53-rc1

Commit: 8d2693e6821f1027e33e36284cc3cf0e8d915eb8
Author: Dmitry Butskoy
Date: Sun, 22 Jul 2007 18:29:30 +0200

[IPV6]: MSG_ERRQUEUE messages do not pass to connected raw sockets

Taken from http://bugzilla.kernel.org/show_bug.cgi?id=8747

Problem Description:

It is related to the possibility to obtain MSG_ERRQUEUE messages from the udp and raw sockets, both connected and unconnected.

There is a little typo in net/ipv6/icmp.c code, which prevents such messages from being delivered to the errqueue of the corresponding raw socket, when the socket is CONNECTED. The typo is due to a swap of local/remote addresses.

Consider the __raw_v6_lookup() function from net/ipv6/raw.c. When a raw socket is looked up the usual way, it is something like:

sk = __raw_v6_lookup(sk, nexthdr, daddr, saddr, IP6CB(skb)->iif);

where "daddr" is the destination address of the incoming packet (IOW our local address), "saddr" is the source address of the incoming packet (the remote end).

But when the raw socket is looked up for some icmp error report, in net/ipv6/icmp.c:icmpv6_notify(), daddr/saddr are obtained from the echoed fragment of the "bad" packet, i.e. "daddr" is the original destination address of that packet, "saddr" is our local address. Hence, icmpv6_notify() must use "saddr, daddr" in its arguments, not "daddr, saddr" ...

Steps to reproduce:

Create some raw socket, connect it to an address, and cause some error situation: f.e. set ttl=1 where the remote address is more than 1 hop to reach. Set IPV6_RECVERR. Then send something and wait for the error (f.e. poll() with POLLERR|POLLIN). You should receive a "time exceeded" icmp message (because of "ttl=1"), but the socket does not receive it. If you do not connect your raw socket, you will receive MSG_ERRQUEUE successfully.
(The reason is that for an unconnected socket there are no actual checks for local/remote addresses.)

Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: e5e0ad360edc354c661ef2ab49d42ae964fc46f7
Author: Patrick McHardy
Date: Sun, 22 Jul 2007 18:26:20 +0200

[NET]: Fix gen_estimator timer removal race

As noticed by Jarek Poplawski, the timer removal in gen_kill_estimator races with the timer function rearming the timer. Check whether the timer list is empty before rearming the timer in the timer function to fix this.

Signed-off-by: Patrick McHardy
Acked-by: Jarek Poplawski
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: c88fee3c266ce5147abf2f4efd9bed4249e122d4
Author: Vlad Yasevich
Date: Sun, 22 Jul 2007 18:24:56 +0200

SCTP: Add scope_id validation for link-local binds

SCTP currently permits users to bind to link-local addresses, but doesn't verify that the scope id specified at bind matches the interface that the address is configured on. It was reported that this can hang a system.

Signed-off-by: Vlad Yasevich
Signed-off-by: Adrian Bunk

Commit: c08c47f63dfeaebb96096f9c1c1b23e4aabc5eed
Author: Johannes Berg
Date: Sun, 22 Jul 2007 18:11:42 +0200

[NET] skbuff: remove export of static symbol

skb_clone_fraglist is static so it shouldn't be exported.

Signed-off-by: Johannes Berg
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 1c4f0dd95d9bac9e2b87a627b563bc5d9fb34555
Author: Yasuyuki Kozakai
Date: Sun, 22 Jul 2007 18:07:48 +0200

[NETFILTER]: nf_conntrack: don't track locally generated special ICMP error

The conntrack assigned to a locally generated ICMP error is usually the one assigned to the original packet which has caused the error. But if the original packet is handled as invalid by nf_conntrack, no conntrack is assigned to the original packet. Then nf_ct_attach() cannot assign any conntrack to the ICMP error packet. In that case the current nf_conntrack_icmp assigns an appropriate conntrack to it.
But the current code mistakes the direction of the packet. As a result, NAT code mistakes the address to be mangled. To fix the bug, this changes nf_conntrack_icmp not to assign a conntrack to such ICMP errors. Actually no address needs to be mangled in this case.

Spotted by Jordan Russell.

Upstream commit ID: 130e7a83d7ec8c5c673225e0fa8ea37b1ed507a5

Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: 4de632544dbaeabafba6aa42e9a1971ec8eeb022
Author: Albert Lee
Date: Sun, 22 Jul 2007 18:05:44 +0200

ide: clear bmdma status in ide_intr() for ICHx controllers (revised #4)

patch 1/2 (revised):
- Fix drive->waiting_for_dma to work with CDB-intr devices.
- Do the dma status clearing in ide_intr() and add a new hwif->ide_dma_clear_irq for Intel ICHx controllers.

Revised per Alan, Sergei and Bart's advice. Patch against 2.6.20-rc6. Tested ok on my ICH4 and pdc20275 adapters.

Please review/apply, thanks.

Signed-off-by: Albert Lee
Signed-off-by: Adrian Bunk

Commit: 8b9320927b5a4f7b506609d8c0aded13550e42a7
Author: Ingo Molnar
Date: Sun, 22 Jul 2007 18:03:53 +0200

8139too.c: fix netpoll deadlock

fix deadlock in the 8139too driver: poll handlers should never forcibly enable local interrupts, because they might be used by netpoll/printk from IRQ context.

=================================
[ INFO: inconsistent lock state ]
2.6.19 #11
---------------------------------
inconsistent {softirq-on-W} -> {in-softirq-W} usage.
swapper/1 [HC0[0]:SC1[1]:HE1:SE0] takes:
 (&npinfo->poll_lock){-+..}, at: [] net_rx_action+0x64/0x1de
{softirq-on-W} state was registered at:
  [] mark_lock+0x5b/0x39c
  [] mark_held_locks+0x4b/0x68
  [] trace_hardirqs_on+0x115/0x139
  [] rtl8139_poll+0x3d7/0x3f4
  [] netpoll_poll+0x82/0x32f
  [] netpoll_send_skb+0xc9/0x12f
  [] netpoll_send_udp+0x253/0x25b
  [] write_msg+0x40/0x65
  [] __call_console_drivers+0x45/0x51
  [] _call_console_drivers+0x5d/0x61
  [] release_console_sem+0x11f/0x1d8
  [] register_console+0x1ac/0x1b3
  [] init_netconsole+0x55/0x67
  [] init+0x9a/0x24e
  [] kernel_thread_helper+0x7/0x10
  [] 0xffffffff
irq event stamp: 819992
hardirqs last enabled at (819992): [] net_rx_action+0x39/0x1de
hardirqs last disabled at (819991): [] net_rx_action+0x141/0x1de
softirqs last enabled at (817552): [] __do_softirq+0xa3/0xa8
softirqs last disabled at (819987): [] do_softirq+0x5b/0xc9

other info that might help us debug this:
no locks held by swapper/1.

stack backtrace:
 [] dump_trace+0x63/0x1e8
 [] show_trace_log_lvl+0x19/0x2e
 [] show_trace+0x12/0x14
 [] dump_stack+0x14/0x16
 [] print_usage_bug+0x23c/0x246
 [] mark_lock+0x108/0x39c
 [] __lock_acquire+0x361/0x9ed
 [] lock_acquire+0x56/0x72
 [] _spin_lock+0x35/0x42
 [] net_rx_action+0x64/0x1de
 [] __do_softirq+0x52/0xa8
 [] do_softirq+0x5b/0xc9
 [] irq_exit+0x3c/0x48
 [] do_IRQ+0xa4/0xbd
 [] common_interrupt+0x2e/0x34
 [] vprintk+0x2c0/0x309
 [] printk+0x1b/0x1d
 [] init+0x80/0x24e
 [] kernel_thread_helper+0x7/0x10
=======================

Signed-off-by: Ingo Molnar
Signed-off-by: Adrian Bunk

Commit: 4e4c0eaae96b9a10dbde07acde81a1b488e1062e
Author: Al Viro
Date: Sun, 22 Jul 2007 18:01:20 +0200

ieee1394: forgotten dereference...

Going through the string and waiting for the _pointer_ to become '\0' is not what the authors meant...
Signed-off-by: Al Viro
Acked-by: Ben Collins
Signed-off-by: Adrian Bunk

Commit: 1b80f9a0d13e0210ef56c3d2d0afc33e60e547a8
Author: Al Viro
Date: Sun, 22 Jul 2007 17:59:26 +0200

coda: wrong order of arguments of ->readdir()

Shows how many people are testing coda - the bug had been there for 5 years and the results of stepping on it are not subtle.

Signed-off-by: Al Viro
Signed-off-by: Adrian Bunk

Commit: b98f003bbc89fc6eb3c8d8ea0094531a7918fe69
Author: Mark Glines
Date: Sun, 22 Jul 2007 17:51:59 +0200

[TCP]: Use default 32768-61000 outgoing port range in all cases.

This diff changes the default port range used for outgoing connections, from "use 32768-61000 in most cases, but use N-4999 on small boxes (where N is a multiple of 1024, depending on just *how* small the box is)" to just "use 32768-61000 in all cases".

I don't believe there are any drawbacks to this change, and it keeps outgoing connection ports farther away from the mess of IANA-registered ports.

Signed-off-by: Mark Glines
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 7c2d455673d48507a58e8a9c1fda6720085edf12
Author: Vasily Averin
Date: Sun, 22 Jul 2007 17:46:29 +0200

[NET]: "wrong timeout value" in sk_wait_data() v2

sys_setsockopt() does not properly check timeout values for SO_RCVTIMEO/SO_SNDTIMEO; for example it's possible to set negative timeout values. POSIX does not define behaviour for sys_setsockopt in case of negative timeouts, but requires that setsockopt() shall fail with -EDOM if the send and receive timeout values are too big to fit into the timeout fields in the socket structure.

In the current implementation a negative timeout can lead to error messages like "schedule_timeout: wrong timeout value".

Proposed patch:
- checks tv_usec and returns -EDOM if it is wrong
- does not allow setting negative timeout values (sets 0 instead) and outputs a ratelimited information message about such attempts.

Signed-off-By: Vasily Averin
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 28cbc66ccc0fa838789ad01fabee9b25740f7468
Author: Jan Engelhardt
Date: Sun, 22 Jul 2007 17:44:18 +0200

[SPARC]: Linux always started with 9600 8N1

The Linux kernel ignored the PROM's serial settings (115200,n,8,1 in my case). This was because mode_prop remained "ttyX-mode" (expected: "ttya-mode") due to the constness of string literals when used with "char *". Since there is no "ttyX-mode" property in the PROM, Linux always used the default 9600.

[ Investigation of the suncore.s assembler reveals that gcc optimized away the stores, yet did not emit a warning, which is a pretty anti-social thing to do and is the only reason this bug lived for so long -DaveM ]

Signed-off-by: Jan Engelhardt
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 0b5660372af4d953244bc30f4539cf35920fd893
Author: Dave Jones
Date: Sun, 22 Jul 2007 17:42:38 +0200

[IPV4]: Correct rp_filter help text.

As mentioned in http://bugzilla.kernel.org/show_bug.cgi?id=5015

The helptext implies that this is on by default. This may be true on some distros (Fedora/RHEL have it enabled in /etc/sysctl.conf), but the kernel defaults to it off.

Signed-off-by: Dave Jones
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: a5028e398f04cb2230fd6461a2b0f29ce0ca934a
Author: David S. Miller
Date: Sun, 22 Jul 2007 17:39:23 +0200

[NET]: Fix BMSR_100{HALF,FULL}2 defines in linux/mii.h

Noticed by Matvejchikov Ilya.

Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: de3b9c4f8bb51494e57f8f938d96cdddb0ce76d4
Author: Patrick McHardy
Date: Sun, 22 Jul 2007 17:31:40 +0200

[NETFILTER]: {ip,nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)

When creating a new connection by sending an unknown chunk type, we don't transition to a valid state, causing a NULL pointer dereference in sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE]. Fix by not creating a new conntrack entry if the initial state is invalid.
Noticed by Vilmos Nebehaj

Signed-off-by: Patrick McHardy
Signed-off-by: Adrian Bunk

Commit: 0343e394510ea3859a5ccb030984b4cdc74281cb
Author: Andrew Morton
Date: Sun, 22 Jul 2007 16:09:40 +0200

ntfs_init_locked_inode(): fix array indexing

Local variable `i' is a byte-counter. Don't use it as an index into an array of le32's.

Reported-by: "young dave"
Signed-off-by: Andrew Morton
Signed-off-by: Adrian Bunk
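Two of the fixes above, the [IPV6] MSG_ERRQUEUE commit and the nf_conntrack_icmp commit, are the same bug class: a header echoed inside an ICMP error is the packet we sent, so its source/destination are reversed relative to an incoming packet, and any lookup written for incoming packets must be called with swapped arguments. The following C program is an added illustration of that contract, not kernel code; the socket table, the two packet headers and the string-valued addresses are constructed for the demonstration, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: a toy model of the raw-socket lookup
 * contract that the [IPV6] MSG_ERRQUEUE commit and the nf_conntrack_icmp
 * commit both trip over.  Addresses are plain strings; the socket table and
 * packet headers below are constructed for the demonstration. */

struct raw_sock {
    const char *local;   /* bound address, or NULL if unbound */
    const char *remote;  /* connected peer, or NULL if unconnected */
};

struct ip_hdr {
    const char *saddr;   /* source address as written in the header */
    const char *daddr;   /* destination address as written in the header */
};

/* Lookup contract (same argument order as __raw_v6_lookup): `local` is our
 * own address and `remote` is the peer.  A bound socket must match `local`,
 * a connected socket must additionally match `remote`; an unbound,
 * unconnected socket matches anything.  Returns the index or -1. */
static int lookup(const struct raw_sock *tbl, int n,
                  const char *local, const char *remote)
{
    for (int i = 0; i < n; i++) {
        if (tbl[i].local && strcmp(tbl[i].local, local) != 0)
            continue;
        if (tbl[i].remote && strcmp(tbl[i].remote, remote) != 0)
            continue;
        return i;
    }
    return -1;
}

/* A packet that arrived from the network: its daddr is our local address. */
static int lookup_incoming(const struct raw_sock *tbl, int n,
                           const struct ip_hdr *h)
{
    return lookup(tbl, n, h->daddr, h->saddr);
}

/* The buggy notify path: feeds the header echoed inside an ICMP error to
 * the lookup as if it had been an incoming packet. */
static int notify_buggy(const struct raw_sock *tbl, int n,
                        const struct ip_hdr *inner)
{
    return lookup(tbl, n, inner->daddr, inner->saddr);
}

/* The fixed notify path: the echoed header is the packet WE sent, so its
 * saddr is our local address and its daddr is the peer. */
static int notify_fixed(const struct raw_sock *tbl, int n,
                        const struct ip_hdr *inner)
{
    return lookup(tbl, n, inner->saddr, inner->daddr);
}

/* Constructed socket table: index 0 is bound and connected, index 1 is the
 * unbound, unconnected socket that, per the commit, still received the
 * error because nothing is checked for it. */
static const struct raw_sock table[] = {
    { "2001:db8::1", "2001:db8::99" },
    { NULL, NULL },
};
#define NSOCK ((int)(sizeof table / sizeof table[0]))

/* Header of a packet the connected socket sent, as echoed back inside a
 * "time exceeded" ICMPv6 error (constructed). */
static const struct ip_hdr echoed = { "2001:db8::1", "2001:db8::99" };

/* Header of an ordinary reply arriving from the peer (constructed). */
static const struct ip_hdr incoming = { "2001:db8::99", "2001:db8::1" };

/* Which socket each path selects; -1 means no socket at all. */
int sock_for_incoming(void)    { return lookup_incoming(table, NSOCK, &incoming); }
int sock_for_error_buggy(void) { return notify_buggy(table, NSOCK, &echoed); }
int sock_for_error_fixed(void) { return notify_fixed(table, NSOCK, &echoed); }

int main(void)
{
    printf("incoming packet    -> socket %d\n", sock_for_incoming());
    printf("ICMP error (buggy) -> socket %d\n", sock_for_error_buggy());
    printf("ICMP error (fixed) -> socket %d\n", sock_for_error_fixed());
    return 0;
}
```

The buggy path never finds the connected socket (its bound address is compared against the peer's address) and falls through to the unbound catch-all, which is exactly the "unconnected works, connected does not" symptom in the bug report; the fixed path selects the connected socket. The same reversal is why the nf_conntrack_icmp code, handed an echoed header, picked the wrong direction and hence the wrong address for NAT to mangle.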
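The sk_wait_data() commit above describes a validation rule for SO_RCVTIMEO/SO_SNDTIMEO values rather than showing it, so here is the rule written out as a stand-alone C function. This is an added example, not the kernel's sock_set_timeout(); it assumes HZ is 100, that timeouts are stored as long jiffies with MAX_SCHEDULE_TIMEOUT meaning "block forever", and it makes one choice the commit does not spell out: a tv_sec too large for the jiffies field is treated as "forever" rather than rejected.

```c
#include <errno.h>
#include <limits.h>
#include <sys/time.h>

/* Added example, not the kernel's code: the SO_RCVTIMEO/SO_SNDTIMEO
 * validation described in the sk_wait_data() commit, written as a
 * stand-alone conversion from a user timeval to a jiffies timeout.
 * Assumptions: HZ is 100 and timeouts are stored as long jiffies, where
 * MAX_SCHEDULE_TIMEOUT means "block forever". */

#define HZ 100
#define USEC_PER_SEC 1000000L
#define MAX_SCHEDULE_TIMEOUT LONG_MAX

/* Returns 0 and stores the timeout in *timeo, or -EDOM when tv_usec is
 * outside [0, 1000000).  A negative tv_sec is not an error here: it is
 * stored as 0 (no wait), the choice the commit describes; a real
 * implementation would log the attempt rate-limited at that point. */
int sock_set_timeout(long *timeo, const struct timeval *tv)
{
    if (tv->tv_usec < 0 || tv->tv_usec >= USEC_PER_SEC)
        return -EDOM;

    if (tv->tv_sec < 0) {
        *timeo = 0;                 /* clamp negative timeouts to "don't wait" */
        return 0;
    }

    *timeo = MAX_SCHEDULE_TIMEOUT;  /* {0, 0} keeps the historical "no timeout" */
    if (tv->tv_sec == 0 && tv->tv_usec == 0)
        return 0;

    /* Seconds that would overflow the jiffies field also mean "forever"
     * (a design choice for this example, see the lead-in). */
    if (tv->tv_sec >= MAX_SCHEDULE_TIMEOUT / HZ - 1)
        return 0;

    /* Round the microseconds up to whole ticks so a small but non-zero
     * timeout never collapses to 0 (which would mean "no timeout"). */
    *timeo = (long)tv->tv_sec * HZ
           + (tv->tv_usec + (USEC_PER_SEC / HZ - 1)) / (USEC_PER_SEC / HZ);
    return 0;
}

/* Convenience wrapper: the jiffies value on success, or the negative errno. */
long timeout_for(long sec, long usec)
{
    struct timeval tv;
    long timeo;
    int err;

    tv.tv_sec = sec;
    tv.tv_usec = usec;
    err = sock_set_timeout(&timeo, &tv);
    return err < 0 ? err : timeo;
}
```

With HZ=100 one tick is 10000 microseconds, so {1, 500000} becomes 150 jiffies and {0, 1} rounds up to 1 jiffy rather than down to 0; {0, 1000000} and a negative tv_usec are rejected with -EDOM, and {-5, 0} is clamped to 0 instead of reaching schedule_timeout() as a negative value.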