commit 5b825ed22b02691e39774e8b2a077d1807969ec7
Merge: a4c80d2... d883a03...
Author: Linus Torvalds
Date:   Fri Dec 21 15:52:24 2007 -0800

    Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (23 commits)
      [IPV4]: OOPS with NETLINK_FIB_LOOKUP netlink socket
      [NET]: Fix function put_cmsg() which may cause usr application memory overflow
      [ATM]: Spelling fixes
      [NETFILTER] ipv4: Spelling fixes
      [NETFILTER]: Spelling fixes
      [SCTP]: Spelling fixes
      [NETLABEL]: Spelling fixes
      [PKT_SCHED]: Spelling fixes
      [NET] net/core/: Spelling fixes
      [IPV6]: Spelling fixes
      [IRDA]: Spelling fixes
      [DCCP]: Spelling fixes
      [NET] include/net/: Spelling fixes
      [NET]: Correct two mistaken skb_reset_mac_header() conversions.
      [IPV4] ip_gre: set mac_header correctly in receive path
      [XFRM]: Audit function arguments misordered
      [IPSEC]: Avoid undefined shift operation when testing algorithm ID
      [IPV4] ARP: Remove not used code
      [TG3]: Endianness bugfix.
      [TG3]: Endianness annotations.
      ...

commit a4c80d2ae2cac531c6655f75658dae02c488abc7
Merge: 76be895... 5b2afff...
Author: Linus Torvalds
Date:   Fri Dec 21 15:52:01 2007 -0800

    Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6:
      [SPARC32]: Spelling fixes
      [SPARC64]: Spelling fixes
      [SPARC64]: Fix OOPS in dma_sync_*_for_device()

commit 76be895001f2b0bee42a7685e942d3e08d5dd46c
Author: Christoph Lameter
Date:   Fri Dec 21 14:37:37 2007 -0800

    SLUB: Improve hackbench speed

    Increase the minimum number of partial slabs to keep around and put
    partial slabs to the end of the partial queue so that they can add more
    objects.

    Signed-off-by: Christoph Lameter
    Reviewed-by: Pekka Enberg
    Acked-by: Ingo Molnar
    Signed-off-by: Linus Torvalds

commit d883a0367149506e8b7a3f31891d1ea30b9377f3
Author: Denis V. Lunev
Date:   Fri Dec 21 02:01:53 2007 -0800

    [IPV4]: OOPS with NETLINK_FIB_LOOKUP netlink socket

    [ Regression added by changeset:
    cd40b7d3983c708aabe3d3008ec64ffce56d33b0
    [NET]: make netlink user -> kernel interface synchronious
    -DaveM ]

    nl_fib_input re-reuses incoming skb to send the reply. This means that
    this packet will be freed twice, namely in:
    - netlink_unicast_kernel
    - on receive path
    Use clone to send as a cure, the caller is responsible for kfree_skb on
    error.

    Thanks to Alexey Dobryan, who originally found the problem.

    Signed-off-by: Denis V. Lunev
    Signed-off-by: David S. Miller

commit 1ac70e7ad24a88710cf9b6d7ababaefa2b575df0
Author: Wei Yongjun
Date:   Thu Dec 20 14:36:44 2007 -0800

    [NET]: Fix function put_cmsg() which may cause usr application memory overflow

    When used function put_cmsg() to copy kernel information to user
    application memory, if the memory length given by user application is
    not enough, by the bad length calculate of msg.msg_controllen,
    put_cmsg() function may cause the msg.msg_controllen to be a large
    value, such as 0xFFFFFFF0, so the following put_cmsg() can also write
    data to usr application memory even usr has no valid memory to store
    this. This may cause usr application memory overflow.

    int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
    {
      struct cmsghdr __user *cm
        = (__force struct cmsghdr __user *)msg->msg_control;
      struct cmsghdr cmhdr;
      int cmlen = CMSG_LEN(len);
      ~~~~~~~~~~~~~~~~~~~~~
      int err;

      if (MSG_CMSG_COMPAT & msg->msg_flags)
        return put_cmsg_compat(msg, level, type, len, data);

      if (cm==NULL || msg->msg_controllen < sizeof(*cm)) {
        msg->msg_flags |= MSG_CTRUNC;
        return 0; /* XXX: return error? check spec. */
      }
      if (msg->msg_controllen < cmlen) {
      ~~~~~~~~~~~~~~~~~~~~~~~~
        msg->msg_flags |= MSG_CTRUNC;
        cmlen = msg->msg_controllen;
      }
      cmhdr.cmsg_level = level;
      cmhdr.cmsg_type = type;
      cmhdr.cmsg_len = cmlen;

      err = -EFAULT;
      if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
        goto out;
      if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
        goto out;
      cmlen = CMSG_SPACE(len);
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
      If MSG_CTRUNC flags is set, msg->msg_controllen is less than
    CMSG_SPACE(len), "msg->msg_controllen -= cmlen" will cause unsigned int
    type msg->msg_controllen to be a large value.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
      msg->msg_control += cmlen;
      msg->msg_controllen -= cmlen;
      ~~~~~~~~~~~~~~~~~~~~~
      err = 0;
    out:
      return err;
    }

    The same problem exists in put_cmsg_compat(). This patch can fix this
    problem.

    Signed-off-by: Wei Yongjun
    Signed-off-by: David S. Miller

commit c5c0f33d8e5b1219c86757e6afffd6f96823e521
Author: Joe Perches
Date:   Thu Dec 20 14:05:37 2007 -0800

    [ATM]: Spelling fixes

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

commit e00ccd4a787fe03887f81467babcf8d057f8718d
Author: Joe Perches
Date:   Thu Dec 20 14:05:03 2007 -0800

    [NETFILTER] ipv4: Spelling fixes

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

commit c82381775062cd8d55579959e1fd710f0e607985
Author: Joe Perches
Date:   Thu Dec 20 14:04:24 2007 -0800

    [NETFILTER]: Spelling fixes

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

commit 7aa1b54b74d813e01c46a5344c52f06037a95da0
Author: Joe Perches
Date:   Thu Dec 20 14:03:52 2007 -0800

    [SCTP]: Spelling fixes

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

commit e185446ce83f327428624fc4a0392794249311a2
Author: Joe Perches
Date:   Thu Dec 20 14:03:11 2007 -0800

    [NETLABEL]: Spelling fixes

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

commit 9a94b35184bf095b885ca80099381f8547d5be3a
Author: Joe Perches
Date:   Thu Dec 20 14:02:40 2007 -0800

    [PKT_SCHED]: Spelling fixes

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

commit 53ccaae1ef749ef87a484a0aa5351c557c0a690e
Author: Joe Perches
Date:   Thu Dec 20 14:02:06 2007 -0800

    [NET] net/core/: Spelling fixes

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

commit bea851954717ebb0dee557a951e28bb277e1cc1d
Author: Joe Perches
Date:   Thu Dec 20 14:01:35 2007 -0800

    [IPV6]: Spelling fixes

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

commit cc53ded272ecf8d62c9f3b48baadc5165a0b6d7b
Author: Joe Perches
Date:   Thu Dec 20 14:00:51 2007 -0800

    [IRDA]: Spelling fixes

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

commit 5e8e034cc5154abd639aa5c05d13e24e535c6a9c
Author: Joe Perches
Date:   Thu Dec 20 13:59:39 2007 -0800

    [DCCP]: Spelling fixes

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

commit f4ab2f72e9340207ae95e2a7622a74220a61f46a
Author: Joe Perches
Date:   Thu Dec 20 13:56:32 2007 -0800

    [NET] include/net/: Spelling fixes

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

commit 5b2afff23ab7f34222398fc357253c1e5caed363
Author: Joe Perches
Date:   Thu Dec 20 13:55:45 2007 -0800

    [SPARC32]: Spelling fixes

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

commit 33ccc190d1ef5a7ad519c35bb1ef1d0d68a65287
Author: Joe Perches
Date:   Thu Dec 20 13:55:10 2007 -0800

    [SPARC64]: Spelling fixes

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

commit 36bb61346d9e64b55285f27363e93a6e96f2abba
Author: David S. Miller
Date:   Thu Dec 20 01:29:45 2007 -0800

    [SPARC64]: Fix OOPS in dma_sync_*_for_device()

    I included these operations vector cases for situations where we never
    need to do anything, the entries aren't filled in by any implementation,
    so we OOPS trying to invoke NULL pointer functions.

    Really make them NOPs, to fix the bug.

    Signed-off-by: David S. Miller

commit c6e6ca712b5cc06a662f900c0484d49d7334af64
Author: David S. Miller
Date:   Thu Dec 20 00:25:54 2007 -0800

    [NET]: Correct two mistaken skb_reset_mac_header() conversions.

    This operation helper abstracts:

        skb->mac_header = skb->data;

    but it was done in two more places which were actually:

        skb->mac_header = skb->network_header;

    and those are corrected here.

    Signed-off-by: David S. Miller

commit 1d0691674764098304ae4c63c715f5883b4d3784
Author: Timo Teras
Date:   Thu Dec 20 00:10:33 2007 -0800

    [IPV4] ip_gre: set mac_header correctly in receive path

    mac_header update in ipgre_recv() was incorrectly changed to
    skb_reset_mac_header() when it was introduced.

    Signed-off-by: Timo Teras
    Signed-off-by: David S. Miller

commit 5951cab136d8b7e84696061dc2e69c402bc94f61
Author: Paul Moore
Date:   Thu Dec 20 00:00:45 2007 -0800

    [XFRM]: Audit function arguments misordered

    In several places the arguments to the xfrm_audit_start() function are
    in the wrong order resulting in incorrect user information being
    reported. This patch corrects this by placing the arguments in the
    correct order.

    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

commit f398035f2dec0a6150833b0bc105057953594edb
Author: Herbert Xu
Date:   Wed Dec 19 23:44:29 2007 -0800

    [IPSEC]: Avoid undefined shift operation when testing algorithm ID

    The aalgos/ealgos fields are only 32 bits wide. However, af_key tries
    to test them with the expression 1 << id where id can be as large as
    253. This produces different behaviour on different architectures.

    The following patch explicitly checks whether ID is greater than 31
    and fails the check if that's the case.

    We cannot easily extend the mask to be longer than 32 bits due to
    exposure to user-space. Besides, this whole interface is obsolete
    anyway in favour of the xfrm_user interface which doesn't use this
    bit mask in templates (well not within the kernel anyway).

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

commit e0260feddf8a68301c75cdfff9ec251d5851b006
Author: Mark Ryden
Date:   Wed Dec 19 23:38:11 2007 -0800

    [IPV4] ARP: Remove not used code

    In arp_process() (net/ipv4/arp.c), there is unused code: definition
    and assignment of tha (target hw address).

    Signed-off-by: Mark Ryden
    Signed-off-by: David S. Miller

commit 286e310f94b9459f3fa975333781c969b1041522
Author: Al Viro
Date:   Mon Dec 17 23:00:31 2007 -0800

    [TG3]: Endianness bugfix.

    tg3_nvram_write_block_unbuffered() is reading data from nvram into
    allocated buffer before overwriting a part of it with user-supplied
    data. Then it feeds the entire page back to nvram. It should be
    storing the words it had read as little-endian, not as host-endian.

    Note that tg3_set_eeprom() does exactly that for padding the same
    data to full words before it gets passed down to
    tg3_nvram_write_block() and then to tg3_nvram_write_block_unbuffered().
    Moreover, when we get to sending the entire thing back to nvram, we go
    through it word-by-word, doing essentially

        writel(swab32(le32_to_cpu(word)), ...)

    so if we want them to reach the card in host-independent endianness,
    we'd better really have all that buffer filled with fixed-endian. For
    user-supplied part we obviously do have that (it's an array of octets
    memcpy'd in), ditto for padding of user-supplied part to word
    boundaries (taken care of in tg3_set_eeprom()). The rest of the buffer
    gets filled by tg3_nvram_write_block_unbuffered() and it would damn
    better be consistent with that (and with tg3_get_eeprom(), while we are
    at it - there we also convert the words read from nvram to
    little-endian before returning the buffer to user).

    The bug should get triggered on big-endian boxen when set_eeprom is
    done for less than entire page. Then the words that should've been
    unaffected at all will actually get byteswapped in place in nvram.

    Signed-off-by: Al Viro
    Signed-off-by: David S. Miller

commit b9fc7dc514566e9788c7f064bb08f8b6e2fe6f72
Author: Al Viro
Date:   Mon Dec 17 22:59:57 2007 -0800

    [TG3]: Endianness annotations.

    Fixed misannotations, introduced a new helper - tg3_nvram_read_le().
    It gets __le32 * instead of u32 * and puts there the value converted
    to little-endian. A lot of callers of tg3_nvram_read() were doing
    that; converted them to tg3_nvram_read_le().

    At that point the driver is practically endian-clean; the only
    remaining place is an actual bug, AFAICS; will be dealt with in the
    next patch.

    Signed-off-by: Al Viro
    Signed-off-by: David S. Miller

commit 20880e8936e467fe30d79aa838c8d24b7073648f
Author: Cyrill Gorcunov
Date:   Thu Dec 13 16:17:03 2007 -0800

    NET: mac80211: fix inappropriate memory freeing

    Fix inappropriate memory freeing in case of requested rate_control_ops
    was not found. In this case the list head entity is going to be
    accidentally wasted.

    Signed-off-by: Cyrill Gorcunov
    Acked-by: Michael Wu
    Signed-off-by: Andrew Morton
    Signed-off-by: John W. Linville

commit 3333590e94262aebb5d0fb767cc7ed8b2359705c
Author: Johannes Berg
Date:   Wed Dec 12 16:31:52 2007 +0100

    mac80211: fix header ops

    When using recvfrom() on a SOCK_DGRAM packet socket, I noticed that
    the MAC address passed back for wireless frames was always completely
    wrong. The reason for this is that the header parse function assigned
    to our virtual interfaces is a function parsing an 802.11 rather than
    802.3 header. This patch fixes it by keeping the default ethernet
    header operations assigned.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

commit 2d192d9552881f4cf88e62072047c72ef2b5aa7f
Author: Michael Wu
Date:   Sat Nov 10 00:15:25 2007 -0500

    mac80211: Drop out of associated state if link is lost

    There is no point in staying in IEEE80211_ASSOCIATED if there is no
    sta_info entry to receive frames with.

    Signed-off-by: Michael Wu
    Signed-off-by: John W. Linville
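
The msg_controllen wrap described in the put_cmsg() commit above (1ac70e7ad24a88710cf9b6d7ababaefa2b575df0), reduced to its length bookkeeping in user space. This is an added example, not code from the kernel tree or from the patch: HDR, the MODEL_* macros, struct ctl_model, put_model() and second_put_bytes() are hypothetical names, the header size and alignment are constructed model values, and the clamp is one way to bound the subtraction.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model values (assumptions): 16-byte header, 8-byte alignment. */
#define HDR 16u
#define MODEL_CMSG_LEN(len)   (HDR + (len))
#define MODEL_CMSG_SPACE(len) (HDR + (((len) + 7u) & ~7u))

/* Stand-in for the two msghdr fields the commit message discusses. */
struct ctl_model {
    uint32_t controllen;  /* bytes the application says remain */
    int ctrunc;           /* set where the quoted code sets MSG_CTRUNC */
};

/* Length bookkeeping of the quoted put_cmsg(); returns the total bytes it
 * would copy to the user buffer. clamp != 0 bounds the subtraction (added
 * here as an illustration, not taken from the page). */
static uint32_t put_model(struct ctl_model *m, uint32_t len, int clamp)
{
    uint32_t cmlen = MODEL_CMSG_LEN(len);
    uint32_t copied;

    if (m->controllen < HDR) { m->ctrunc = 1; return 0; }
    if (m->controllen < cmlen) { m->ctrunc = 1; cmlen = m->controllen; }
    copied = cmlen;
    cmlen = MODEL_CMSG_SPACE(len);
    if (clamp && m->controllen < cmlen)
        cmlen = m->controllen;      /* never subtract more than remains */
    m->controllen -= cmlen;         /* wraps when unclamped and too small */
    return copied;
}

/* Two 20-byte messages into a 24-byte buffer; reports the second call. */
static uint32_t second_put_bytes(int clamp, uint32_t *left_after_first)
{
    struct ctl_model m = { 24u, 0 };
    put_model(&m, 20u, clamp);
    *left_after_first = m.controllen;
    return put_model(&m, 20u, clamp);
}

int main(void)
{
    uint32_t left, n = second_put_bytes(0, &left);
    printf("quoted:  left=0x%08X second=%u\n", (unsigned)left, (unsigned)n);
    n = second_put_bytes(1, &left);
    printf("clamped: left=0x%08X second=%u\n", (unsigned)left, (unsigned)n);
    return 0;
}
```

With the quoted bookkeeping the first truncated message leaves 0xFFFFFFF0 bytes "remaining", so the second call passes both length checks against a buffer that is already full; with the clamp the remaining length reaches 0 and the second call stops at the header-size check.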