commit 5794567d5138ea5af652ff5be1e86c246110a542
Author: Greg Kroah-Hartman
Date:   Tue Mar 13 11:27:08 2007 -0700

    Linux 2.6.20.3

commit 83d8af5f4226c3ab9156cbb77d5b079b65f31f19
Author: Herbert Xu
Date:   Wed Mar 7 18:50:54 2007 -0800

    Fix UDP header pointer after pskb_trim_rcsum()

    [UDP]: Reread uh pointer after pskb_trim

    The header may have moved when trimming.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d9577efca33ece3024f337fd38c1f8ea5ee0acf0
Author: Eric Dumazet
Date:   Wed Mar 7 18:48:44 2007 -0800

    Fix timewait jiffies

    [INET]: twcal_jiffie should be unsigned long, not int

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 46bda9eca2e14448ec85272259fb7d4aa5ac32b8
Author: David Miller
Date:   Wed Mar 7 18:47:54 2007 -0800

    Fix sparc64 device register probing

    [SPARC]: Fix bus handling in build_device_resources().

    We mistakenly modify 'bus' in the innermost loop. What
    should happen is that at each register index iteration,
    we start with the same 'bus'. So preserve its value at
    the top level, and use a loop local variable 'dbus' for
    iteration.

    This bug causes registers other than the first to be
    decoded improperly.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 7644d8b697ad46a666be8d254e4f89fd6a4b5b3e
Author: Philipp Reisner
Date:   Wed Mar 7 18:45:12 2007 -0800

    Fix callback bug in connector

    [CONNECTOR]: Bugfix for cn_call_callback()

    When the system is under heavy stress and must allocate new work
    instead of reusing old one, new work must use correct completion
    callback. Patch is based on Philipp's and Lars' work. I only cleaned
    small stuff (and removed spaces instead of tabs).

    Signed-off-by: Philipp Reisner
    Signed-off-by: Lars Ellenberg
    Signed-off-by: Evgeniy Polyakov
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit e0b61b96bd5c5339687b9e4d2b5cb96e6ee621a9
Author: Rainer Weikusat
Date:   Wed Jan 3 15:36:25 2007 +0100

    fix for bugzilla #7544 (keyspan USB-to-serial converter)

    At least the Keyspan USA-19HS USB-to-serial converter supports
    two different configurations, one where the input endpoints
    have interrupt transfer type and one where they are bulk endpoints.
    The default UHCI configuration uses the interrupt input endpoints.
    The keyspan driver, OTOH, assumes that the device has only bulk
    endpoints (all URBs are initialized by calling usb_fill_bulk_urb
    in keyspan.c/keyspan_setup_urb). This causes the interval field
    of the input URBs to have a value of zero instead of one, which
    'accidentally' worked with Linux at least up to 2.6.17.11 but
    stopped doing so with 2.6.18, which changed the UHCI support code
    handling URBs for interrupt endpoints. The patch below modifies the
    driver to initialize its input URBs either as interrupt or as bulk
    URBs, depending on the transfertype contained in the associated
    endpoint descriptor (only tested with the default configuration)
    enabling the driver to again receive data from the serial converter.

    Greg K-H reworked the patch.

    Signed-off-by: Rainer Weikusat
    Signed-off-by: Greg Kroah-Hartman

commit 8e60ba6a590037eb05b317745802b3c07eb280b7
Author: Johannes Berg
Date:   Wed Mar 7 18:42:52 2007 -0800

    Fix compat_getsockopt

    [NET]: Fix compat_sock_common_getsockopt typo.

    This patch fixes a typo in compat_sock_common_getsockopt.

    Signed-off-by: Johannes Berg
    Acked-by: James Morris
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 063438ec2904be5563fb461ef3e75c76d5cf8feb
Author: Larry Finger
Date:   Wed Mar 7 13:05:58 2007 -0500

    bcm43xx: Fix problem with >1 GB RAM

    Some versions of the bcm43xx chips only support 30-bit DMA, which
    means that the descriptors and buffers must be in the first 1 GB of
    RAM. On the i386 and x86_64 architectures with more than 1 GB RAM, an
    incorrect assignment may occur. This patch ensures that the various
    DMA addresses are within the capability of the chip. Testing has been
    limited to x86_64 as no one has an i386 system with more than 1 GB RAM.

    Signed-off-by: Larry Finger
    Signed-off-by: John W. Linville
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit ba5617decc4ccfefd2d4e638316d388e64233fcb
Author: Douglas Gilbert
Date:   Wed Mar 7 14:33:38 2007 -0500

    Fix bug 7994 sleeping function called from invalid context

      - addresses the reported bug (with GFP_KERNEL -> GFP_ATOMIC)
      - improves error checking, and
      - is a subset of the changes to scsi_debug in lk 2.6.21-rc*

    Compiled and lightly tested (in lk 2.6.21-rc2 environment).

    Signed-off-by: Douglas Gilbert
    Signed-off-by: Greg Kroah-Hartman

commit 7f5c005cb148fe91362e14a1f78517b8b37f9abd
Author: Patrick McHardy
Date:   Wed Mar 7 22:34:45 2007 +0100

    nfnetlink_log: fix crash on bridged packet

    [NETFILTER]: nfnetlink_log: fix crash on bridged packet

    physoutdev is only set on purely bridged packet, when nfnetlink_log is
    used in the OUTPUT/FORWARD/POSTROUTING hooks on packets forwarded from
    or to a bridge it crashes when trying to dereference
    skb->nf_bridge->physoutdev.

    Reported by Holger Eitzenberger

    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit d00aff441937a3ed3b424f2bf57f5639318e7c58
Author: Patrick McHardy
Date:   Wed Mar 7 22:34:43 2007 +0100

    nfnetlink_log: zero-terminate prefix

    [NETFILTER]: nfnetlink_log: zero-terminate prefix

    Userspace expects a zero-terminated string, so include the trailing
    zero in the netlink message.

    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit 868f0120e0f93d070ea7f3e969c09dbab8ad7bc7
Author: Patrick McHardy
Date:   Wed Mar 7 22:34:42 2007 +0100

    nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED

    [NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED

    The individual fragments of a packet reassembled by conntrack have the
    conntrack reference from the reassembled packet attached, but nfctinfo
    is not copied. This leaves it initialized to 0, which unfortunately is
    the value of IP_CT_ESTABLISHED.

    The result is that all IPv6 fragments are tracked as ESTABLISHED,
    allowing them to bypass a usual ruleset which accepts ESTABLISHED
    packets early.

    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit 1742d4d4fc88bc43f3eecf07db20ee677af63364
Author: Yasuyuki Kozakai
Date:   Wed Mar 7 22:34:40 2007 +0100

    ip6_route_me_harder should take into account mark

    [NETFILTER]: ip6_route_me_harder should take into account mark

    Signed-off-by: Yasuyuki Kozakai
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit edc34643c2d2046163482f792dd1085dccf70780
Author: Michal Miroslaw
Date:   Wed Mar 7 22:34:36 2007 +0100

    nfnetlink_log: fix possible NULL pointer dereference

    [NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference

    Eliminate possible NULL pointer dereference in nfulnl_recv_config().

    Signed-off-by: Michal Miroslaw
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit ce51319b9dea6eb93b7fc37fe52af9fb114e3f2e
Author: Michal Miroslaw
Date:   Wed Mar 7 22:34:34 2007 +0100

    nfnetlink_log: fix NULL pointer dereference

    [NETFILTER]: nfnetlink_log: fix NULL pointer dereference

    Fix the nasty NULL dereference on multiple packets per netlink message.

    BUG: unable to handle kernel NULL pointer dereference at virtual address 00000004
     printing eip:
    f8a4b3bf
    *pde = 00000000
    Oops: 0002 [#1]
    SMP
    Modules linked in: nfnetlink_log ipt_ttl ipt_REDIRECT xt_tcpudp iptable_nat nf_nat nf_conntrack
    _ipv4 xt_state ipt_ipp2p xt_NFLOG xt_hashlimit ip6_tables iptable_filter xt_multiport xt_mark i
    pt_set iptable_raw xt_MARK iptable_mangle ip_tables cls_fw cls_u32 sch_esfq sch_htb ip_set_ipma
    p ip_set ipt_ULOG x_tables dm_snapshot dm_mirror loop e1000 parport_pc parport e100 floppy ide_
    cd cdrom
    CPU:    0
    EIP:    0060:[] Not tainted VLI
    EFLAGS: 00010206   (2.6.20 #5)
    EIP is at __nfulnl_send+0x24/0x51 [nfnetlink_log]
    eax: 00000000   ebx: f2b5cbc0   ecx: c03f5f54   edx: c03f4000
    esi: f2b5cbc8   edi: c03f5f54   ebp: f8a4b3ec   esp: c03f5f30
    ds: 007b   es: 007b   ss: 0068
    Process swapper (pid: 0, ti=c03f4000 task=c03bece0 task.ti=c03f4000)
    Stack: f2b5cbc0 f8a4b401 00000100 c0444080 c012af49 00000000 f6f19100 f6f19000
           c1707800 c03f5f54 c03f5f54 00000123 00000021 c03e8d08 c0426380 00000009
           c0126932 00000000 00000046 c03e9980 c03e6000 0047b007 c01269bd 00000000
    Call Trace:
     [] nfulnl_timer+0x15/0x25 [nfnetlink_log]
     [] run_timer_softirq+0x10a/0x164
     [] __do_softirq+0x60/0xba
     [] do_softirq+0x31/0x35
     [] do_IRQ+0x62/0x74
     [] common_interrupt+0x23/0x28
     [] default_idle+0x0/0x3f
     [] default_idle+0x2d/0x3f
     [] cpu_idle+0xa0/0xb9
     [] start_kernel+0x1a8/0x1ac
     [] unknown_bootoption+0x0/0x181
     =======================
    Code: 5e 5f 5b 5e 5f 5d c3 53 89 c3 8d 40 1c 83 7b 1c 00 74 05 e8 2c ee 6d c7 83 7b 14 00 75 04 31 c0 eb 34 83 7b 10 01 76 09 8b 43 18 <66> c7 40 04 03 00 8b 53 34 8b 43 14 b9 40 00 00 00 e8 08 9a 84
    EIP: [] __nfulnl_send+0x24/0x51 [nfnetlink_log] SS:ESP 0068:c03f5f30
     <0>Kernel panic - not syncing: Fatal exception in interrupt
     <0>Rebooting in 5 seconds..

    Panic no more!

    Signed-off-by: Michal Miroslaw
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit 08bfad45bd7e07dad209f593499fea2d05c1f75c
Author: Patrick McHardy
Date:   Wed Mar 7 22:34:33 2007 +0100

    nfnetlink_log: fix use after free

    [NETFILTER]: nfnetlink_log: fix use after free

    Paranoia: instance_put() might have freed the inst pointer when we
    spin_unlock_bh().

    Signed-off-by: Michal Miroslaw
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit 752d2d17421b051448d7e3765a80040af11cc02b
Author: Patrick McHardy
Date:   Wed Mar 7 22:34:32 2007 +0100

    nfnetlink_log: fix reference leak

    [NETFILTER]: nfnetlink_log: fix reference leak

    Stop reference leaking in nfulnl_log_packet(). If we start a timer we
    are already taking another reference.

    Signed-off-by: Michal Miroslaw
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit 23dfe33bc777bef8606e10b4db5c451e26ce1a9f
Author: Patrick McHardy
Date:   Wed Mar 7 22:34:30 2007 +0100

    tcp conntrack: accept SYN|URG as valid

    [NETFILTER]: tcp conntrack: accept SYN|URG as valid

    Some stacks apparently send packets with SYN|URG set. Linux accepts
    these packets, so TCP conntrack should too.

    Pointed out by Martijn Posthuma.

    Signed-off-by: Patrick McHardy

commit 51248d46885c36b5656627189b7a19546d5b5b7f
Author: Patrick McHardy
Date:   Wed Mar 7 22:34:29 2007 +0100

    nf_conntrack/nf_nat: fix incorrect config ifdefs

    [NETFILTER]: nf_conntrack/nf_nat: fix incorrect config ifdefs

    The nf_conntrack_netlink config option is named CONFIG_NF_CT_NETLINK,
    but multiple files use CONFIG_IP_NF_CONNTRACK_NETLINK or
    CONFIG_NF_CONNTRACK_NETLINK for ifdefs.

    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit 48c0c8eb99316f63cb154e8a11942a06811a6e8b
Author: Patrick McHardy
Date:   Wed Mar 7 22:34:27 2007 +0100

    conntrack: fix {nf, ip}_ct_iterate_cleanup endless loops

    [NETFILTER]: conntrack: fix {nf,ip}_ct_iterate_cleanup endless loops

    Fix {nf,ip}_ct_iterate_cleanup unconfirmed list handling:

    - unconfirmed entries can not be killed manually, they are removed on
      confirmation or final destruction of the conntrack entry, which means
      we might iterate forever without making forward progress.

      This can happen in combination with the conntrack event cache, which
      holds a reference to the conntrack entry, which is only released when
      the packet makes it all the way through the stack or a different
      packet is handled.

    - taking references to an unconfirmed entry and using it outside the
      locked section doesn't work, the list entries are not refcounted and
      another CPU might already be waiting to destroy the entry

    What the code really wants to do is make sure the references of the hash
    table to the selected conntrack entries are released, so they will be
    destroyed once all references from skbs and the event cache are dropped.

    Since unconfirmed entries haven't even entered the hash yet, simply mark
    them as dying and skip confirmation based on that.

    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman