public inbox for linux-kernel@vger.kernel.org
* [patch 00/23] -stable review
@ 2006-11-29 22:00 Chris Wright
  2006-11-29 22:00 ` [patch 01/23] scsi: clear garbage after CDBs on SG_IO Chris Wright
                   ` (23 more replies)
  0 siblings, 24 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan

This is the start of the stable review cycle for the 2.6.18.5 release.
There are 23 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let us know.  If anyone is a maintainer of the proper subsystem, and
wants to add a Signed-off-by: line to the patch, please respond with it.

These patches are sent out with a number of different people on the
Cc: line.  If you wish to be a reviewer, please email stable@kernel.org
to add your name to the list.  If you want to be off the reviewer list,
also email us.

Responses should be made by Fri Dec 01 22:00 UTC.  Anything received
after that time might be too late.

thanks,
the -stable release team
--


* [patch 01/23] scsi: clear garbage after CDBs on SG_IO
From: Chris Wright @ 2006-11-29 22:00 UTC
  To: linux-kernel, stable, torvalds
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky, akpm,
	alan, James.Bottomley, htejun, dougg, jens.axboe, mfluhr, jgarzik

[-- Attachment #1: scsi-clear-garbage-after-cdbs-on-sg_io.patch --]
[-- Type: text/plain, Size: 1768 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Tejun Heo <htejun@gmail.com>

ATAPI devices transfer a fixed number of bytes for CDBs (12 or 16).  Some
ATAPI devices choke when a shorter CDB is used and the remaining bytes contain
garbage.  Block SG_IO cleared the remaining bytes but SCSI SG_IO didn't.  This
patch makes SCSI SG_IO clear them and simplifies CDB clearing in block SG_IO.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Mathieu Fluhr <mfluhr@nero.com>
Cc: James Bottomley <James.Bottomley@steeleye.com>
Cc: Douglas Gilbert <dougg@torque.net>
Acked-by: Jens Axboe <jens.axboe@oracle.com>
Cc: <stable@kernel.org>
Acked-by: Jeff Garzik <jgarzik@pobox.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 block/scsi_ioctl.c      |    3 +--
 drivers/scsi/scsi_lib.c |    1 +
 2 files changed, 2 insertions(+), 2 deletions(-)

--- linux-2.6.18.4.orig/block/scsi_ioctl.c
+++ linux-2.6.18.4/block/scsi_ioctl.c
@@ -286,9 +286,8 @@ static int sg_io(struct file *file, requ
 	 * fill in request structure
 	 */
 	rq->cmd_len = hdr->cmd_len;
+	memset(rq->cmd, 0, BLK_MAX_CDB); /* ATAPI hates garbage after CDB */
 	memcpy(rq->cmd, cmd, hdr->cmd_len);
-	if (sizeof(rq->cmd) != hdr->cmd_len)
-		memset(rq->cmd + hdr->cmd_len, 0, sizeof(rq->cmd) - hdr->cmd_len);
 
 	memset(sense, 0, sizeof(sense));
 	rq->sense = sense;
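
Review bot: the new memset in sg_io() hard-codes BLK_MAX_CDB, where the removed lines sized the clear with sizeof(rq->cmd). Writing memset(rq->cmd, 0, sizeof(rq->cmd)) keeps the clear tied to the array's declared size if the two ever diverge. The memcpy that follows still trusts hdr->cmd_len, and its bound is not visible in this hunk, so please confirm it was checked against BLK_MAX_CDB earlier in the function.
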
--- linux-2.6.18.4.orig/drivers/scsi/scsi_lib.c
+++ linux-2.6.18.4/drivers/scsi/scsi_lib.c
@@ -408,6 +408,7 @@ int scsi_execute_async(struct scsi_devic
 		goto free_req;
 
 	req->cmd_len = cmd_len;
+	memset(req->cmd, 0, BLK_MAX_CDB); /* ATAPI hates garbage after CDB */
 	memcpy(req->cmd, cmd, req->cmd_len);
 	req->sense = sioc->sense;
 	req->sense_len = 0;
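
Review bot: nothing in the visible lines of scsi_execute_async() bounds cmd_len before memcpy(req->cmd, cmd, req->cmd_len), so please confirm every caller guarantees it is no larger than BLK_MAX_CDB. The clear-then-copy pair and its comment are now duplicated from block/scsi_ioctl.c; a small shared helper would keep the two SG_IO paths from drifting apart again, which is the divergence this patch repairs.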

--


* [patch 02/23] NETFILTER: Missing check for CAP_NET_ADMIN in iptables compat layer
From: Chris Wright @ 2006-11-29 22:00 UTC
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Patrick McHardy, davem,
	Björn Steinbrink

[-- Attachment #1: netfilter-missing-check-for-cap_net_admin-in-iptables-compat-layer.patch --]
[-- Type: text/plain, Size: 1505 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Patrick McHardy <kaber@trash.net>

The 32bit compatibility layer has no CAP_NET_ADMIN check in
compat_do_ipt_get_ctl, which for example allows listing the current
iptables rules even without having that capability (the non-compat
version requires it). Other capabilities might be required to exploit
the bug (e.g. CAP_NET_RAW to get the nfnetlink socket?), so a plain user
can't exploit it, but a setup actually using the posix capability system
might very well hit such a constellation of granted capabilities.

Signed-off-by: Björn Steinbrink <B.Steinbrink@gmx.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
commit 4410392a8258fd972fc08a336278b14c82b2774f
tree 567261d003b2a8fb08c2d89d0d708dd06f357f49
parent b4d854665eafe32b48e0eecadb91a73f6eea0055
author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:22:07 +0100
committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:22:07 +0100

 net/ipv4/netfilter/ip_tables.c |    3 +++
 1 file changed, 3 insertions(+)

--- linux-2.6.18.4.orig/net/ipv4/netfilter/ip_tables.c
+++ linux-2.6.18.4/net/ipv4/netfilter/ip_tables.c
@@ -1994,6 +1994,9 @@ compat_do_ipt_get_ctl(struct sock *sk, i
 {
 	int ret;
 
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
+
 	switch (cmd) {
 	case IPT_SO_GET_INFO:
 		ret = get_info(user, len, 1);
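
Review bot: the capable(CAP_NET_ADMIN) test is added only to compat_do_ipt_get_ctl(), and the changelog speaks only of the get path. Please state whether the compat set path already performs the same check, since this hunk does not show it. Placing the test before the switch is right, because it covers every command the switch handles rather than only IPT_SO_GET_INFO.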

--


* [patch 03/23] NETFILTER: ip_tables: compat error way cleanup
From: Chris Wright @ 2006-11-29 22:00 UTC
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Patrick McHardy, davem, Vasily Averin,
	Dmitry Mishin, Kirill Korotaev

[-- Attachment #1: netfilter-ip_tables-compat-error-way-cleanup.patch --]
[-- Type: text/plain, Size: 1194 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Patrick McHardy <kaber@trash.net>

This patch adds the forgotten compat_flush_offset() call to the error path of
translate_compat_table().  Its absence may lead to table corruption on the next
compat_do_replace().

Signed-off-by: Vasily Averin <vvs@openvz.org>
Acked-by: Dmitry Mishin <dim@openvz.org>
Acked-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
commit efb1447a67abac93048ad7af0c59cd9b5a9177a6
tree 9d56a6e758a3ad0e617f2527ac4b4efdeba5b64a
parent 4410392a8258fd972fc08a336278b14c82b2774f
author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:22:39 +0100
committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:22:39 +0100

 net/ipv4/netfilter/ip_tables.c |    1 +
 1 file changed, 1 insertion(+)

--- linux-2.6.18.4.orig/net/ipv4/netfilter/ip_tables.c
+++ linux-2.6.18.4/net/ipv4/netfilter/ip_tables.c
@@ -1775,6 +1775,7 @@ free_newinfo:
 out:
 	return ret;
 out_unlock:
+	compat_flush_offsets();
 	xt_compat_unlock(AF_INET);
 	goto out;
 }
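
Review bot: the changelog names compat_flush_offset(), but the line added under out_unlock calls compat_flush_offsets(); please correct the changelog so the function can be found by search. The call sits before xt_compat_unlock(AF_INET), so the flush runs with the compat lock still held; if that ordering is intentional, one sentence in the description saying so would help later readers.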

--


* [patch 04/23] NETFILTER: ip_tables: fix module refcount leaks in compat error paths
From: Chris Wright @ 2006-11-29 22:00 UTC
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Patrick McHardy, davem, Dmitry Mishin,
	Vasily Averin, Kirill Korotaev

[-- Attachment #1: netfilter-ip_tables-fix-module-refcount-leaks-in-compat-error-paths.patch --]
[-- Type: text/plain, Size: 4637 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Patrick McHardy <kaber@trash.net>

Based on patch by myself with additional fixes from Dmitry Mishin <dim@openvz.org>.

Signed-off-by: Dmitry Mishin <dim@openvz.org>
Acked-by: Vasily Averin <vvs@openvz.org>
Acked-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
commit 94a3d63f9ca6cb404f62ee4186d20fec3e8bdc97
tree 86873a5eff586598eceabdbe4c042c55f62d4fbc
parent efb1447a67abac93048ad7af0c59cd9b5a9177a6
author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:23:20 +0100
committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:23:20 +0100

 net/ipv4/netfilter/ip_tables.c |   36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

--- linux-2.6.18.4.orig/net/ipv4/netfilter/ip_tables.c
+++ linux-2.6.18.4/net/ipv4/netfilter/ip_tables.c
@@ -1537,7 +1537,7 @@ check_compat_entry_size_and_hooks(struct
 	ret = IPT_MATCH_ITERATE(e, compat_check_calc_match, name, &e->ip,
 			e->comefrom, &off, &j);
 	if (ret != 0)
-		goto out;
+		goto cleanup_matches;
 
 	t = ipt_get_target(e);
 	target = try_then_request_module(xt_find_target(AF_INET,
@@ -1547,7 +1547,7 @@ check_compat_entry_size_and_hooks(struct
 	if (IS_ERR(target) || !target) {
 		duprintf("check_entry: `%s' not found\n", t->u.user.name);
 		ret = target ? PTR_ERR(target) : -ENOENT;
-		goto out;
+		goto cleanup_matches;
 	}
 	t->u.kernel.target = target;
 
@@ -1574,7 +1574,10 @@ check_compat_entry_size_and_hooks(struct
 
 	(*i)++;
 	return 0;
+
 out:
+	module_put(t->u.kernel.target->me);
+cleanup_matches:
 	IPT_MATCH_ITERATE(e, cleanup_match, &j);
 	return ret;
 }
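
Review bot: the out: label now unconditionally dereferences the target in module_put(t->u.kernel.target->me), so it is safe only after the lookup has succeeded and t->u.kernel.target has been assigned. The two earlier failure sites were redirected to cleanup_matches, but the name out no longer conveys that precondition; a more specific label name (release_target, say) or a one-line comment would keep a later goto out from being added above the assignment. The changelog also does not say which paths leaked the reference.
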
@@ -1597,18 +1600,16 @@ static inline int compat_copy_match_from
 	ret = xt_check_match(match, AF_INET, dm->u.match_size - sizeof(*dm),
 			     name, hookmask, ip->proto,
 			     ip->invflags & IPT_INV_PROTO);
-	if (ret)
-		return ret;
 
-	if (m->u.kernel.match->checkentry
+	if (!ret && m->u.kernel.match->checkentry
 	    && !m->u.kernel.match->checkentry(name, ip, match, dm->data,
 					      dm->u.match_size - sizeof(*dm),
 					      hookmask)) {
 		duprintf("ip_tables: check failed for `%s'.\n",
 			 m->u.kernel.match->name);
-		return -EINVAL;
+		ret = -EINVAL;
 	}
-	return 0;
+	return ret;
 }
 
 static int compat_copy_entry_from_user(struct ipt_entry *e, void **dstptr,
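
Review bot: as far as the visible lines show, this rewrite of compat_copy_match_from_user() returns the same value on every path as the code it replaces: a non-zero ret from xt_check_match() is still returned unchanged, a failed checkentry still yields -EINVAL, and success still yields 0. If a module reference was meant to be released on the failure path here, that release is missing; if not, the hunk is a pure restructuring and is worth a line in the changelog to say so.
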
@@ -1630,7 +1631,7 @@ static int compat_copy_entry_from_user(s
 	ret = IPT_MATCH_ITERATE(e, compat_copy_match_from_user, dstptr, size,
 			name, &de->ip, de->comefrom);
 	if (ret)
-		goto out;
+		goto err;
 	de->target_offset = e->target_offset - (origsize - *size);
 	t = ipt_get_target(e);
 	target = t->u.kernel.target;
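
Review bot: renaming the label from out to err in compat_copy_entry_from_user() (goto err here and throughout the next hunk) changes no behaviour in the visible lines, since the label still only executes return ret. It adds churn to a -stable backport, and the new label is written with a leading space (" err:") while out: and cleanup_matches: elsewhere in this patch start in column 0. Either drop the rename or keep the label style consistent.
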
@@ -1653,22 +1654,22 @@ static int compat_copy_entry_from_user(s
 			      name, e->comefrom, e->ip.proto,
 			      e->ip.invflags & IPT_INV_PROTO);
 	if (ret)
-		goto out;
+		goto err;
 
 	ret = -EINVAL;
 	if (t->u.kernel.target == &ipt_standard_target) {
 		if (!standard_check(t, *size))
-			goto out;
+			goto err;
 	} else if (t->u.kernel.target->checkentry
 		   && !t->u.kernel.target->checkentry(name, de, target,
 				t->data, t->u.target_size - sizeof(*t),
 				de->comefrom)) {
 		duprintf("ip_tables: compat: check failed for `%s'.\n",
 			 t->u.kernel.target->name);
-		goto out;
+		goto err;
 	}
 	ret = 0;
-out:
+ err:
 	return ret;
 }
 
@@ -1682,7 +1683,7 @@ translate_compat_table(const char *name,
 		unsigned int *hook_entries,
 		unsigned int *underflows)
 {
-	unsigned int i;
+	unsigned int i, j;
 	struct xt_table_info *newinfo, *info;
 	void *pos, *entry0, *entry1;
 	unsigned int size;
@@ -1700,21 +1701,21 @@ translate_compat_table(const char *name,
 	}
 
 	duprintf("translate_compat_table: size %u\n", info->size);
-	i = 0;
+	j = 0;
 	xt_compat_lock(AF_INET);
 	/* Walk through entries, checking offsets. */
 	ret = IPT_ENTRY_ITERATE(entry0, total_size,
 				check_compat_entry_size_and_hooks,
 				info, &size, entry0,
 				entry0 + total_size,
-				hook_entries, underflows, &i, name);
+				hook_entries, underflows, &j, name);
 	if (ret != 0)
 		goto out_unlock;
 
 	ret = -EINVAL;
-	if (i != number) {
+	if (j != number) {
 		duprintf("translate_compat_table: %u not %u entries\n",
-			 i, number);
+			 j, number);
 		goto out_unlock;
 	}
 
@@ -1773,6 +1774,7 @@ translate_compat_table(const char *name,
 free_newinfo:
 	xt_free_table_info(newinfo);
 out:
+	IPT_ENTRY_ITERATE(entry0, total_size, cleanup_entry, &j);
 	return ret;
 out_unlock:
 	compat_flush_offsets();
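
Review bot: IPT_ENTRY_ITERATE(entry0, total_size, cleanup_entry, &j) is placed under out:, which free_newinfo falls through to and out_unlock jumps to, so it runs on every path that reaches out. Please confirm that the success path returns before free_newinfo; if it reached out: as well, the entries that were just accepted would be cleaned up. A short comment on what j counts at this point (entries that passed check_compat_entry_size_and_hooks) would also help now that i and j are separate counters.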

--


* [patch 05/23] NETFILTER: Missed and reordered checks in {arp,ip,ip6}_tables
From: Chris Wright @ 2006-11-29 22:00 UTC
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Patrick McHardy, dim, dev, davem

[-- Attachment #1: netfilter-missed-and-reordered-checks-in-arp-ip-ip6-_tables.patch --]
[-- Type: text/plain, Size: 11730 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Patrick McHardy <kaber@trash.net>

Backport fix for missing ruleset validation in {arp,ip,ip6}_tables
and a fix on top which fixes a regression in the first patch.

There are a number of issues in parsing the user-provided table in
translate_table(). A malicious user with CAP_NET_ADMIN may crash the system by
passing a specially crafted table to the *_tables.

The first issue is that the mark_source_chains() function is called before the
entry content checks. In the case of a standard target, mark_source_chains()
uses the t->verdict field in order to determine the new position. But the check
that this field leads no further than the table end is in check_entry(), which
is called later than mark_source_chains().

The second issue is that there is no check that target_offset points inside the
entry. If so, the *_ITERATE_MATCH macro will follow further than the entry
ends. As a result, we'll have an oops or memory disclosure.

The third issue is that there is no check that the target is completely
inside the entry. The results are the same as in the previous issue.

Upstream commit 590bdf7fd2292b47c428111cb1360e312eff207e introduced a
regression in match/target hook validation. mark_source_chains builds
a bitmask for each rule representing the hooks it can be reached from,
which is then used by the matches and targets to make sure they are
only called from valid hooks. The patch moved the match/target specific
validation before the mark_source_chains call, at which point the mask
is always zero.

This patch returns to the old order and moves the standard checks
to mark_source_chains. This allows getting rid of a special case for
standard targets as a nice side effect.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
commit 1cfcb663c5a6d8b4b1172ff481af1b597bc8b54e
tree 61c5b135ee292681f38945a3549cb9005aec1d7c
parent b2ab160e1a3a1eb3fcc80132d8d7db5687a7a113
author Patrick McHardy <kaber@trash.net> Tue, 21 Nov 2006 11:17:03 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 21 Nov 2006 11:24:51 +0100

 net/ipv4/netfilter/arp_tables.c |   37 +++++++++++++---------
 net/ipv4/netfilter/ip_tables.c  |   65 +++++++++++++++++++---------------------
 net/ipv6/netfilter/ip6_tables.c |   53 ++++++++++++++------------------
 3 files changed, 77 insertions(+), 78 deletions(-)

--- linux-2.6.18.4.orig/net/ipv4/netfilter/arp_tables.c
+++ linux-2.6.18.4/net/ipv4/netfilter/arp_tables.c
@@ -380,6 +380,13 @@ static int mark_source_chains(struct xt_
 			    && unconditional(&e->arp)) {
 				unsigned int oldpos, size;
 
+				if (t->verdict < -NF_MAX_VERDICT - 1) {
+					duprintf("mark_source_chains: bad "
+						"negative verdict (%i)\n",
+								t->verdict);
+					return 0;
+				}
+
 				/* Return: backtrack through the last
 				 * big jump.
 				 */
@@ -409,6 +416,14 @@ static int mark_source_chains(struct xt_
 				if (strcmp(t->target.u.user.name,
 					   ARPT_STANDARD_TARGET) == 0
 				    && newpos >= 0) {
+					if (newpos > newinfo->size -
+						sizeof(struct arpt_entry)) {
+						duprintf("mark_source_chains: "
+							"bad verdict (%i)\n",
+								newpos);
+						return 0;
+					}
+
 					/* This a jump; chase it. */
 					duprintf("Jump rule %u -> %u\n",
 						 pos, newpos);
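
Review bot: the bound newpos > newinfo->size - sizeof(struct arpt_entry) is evaluated in unsigned arithmetic because of the sizeof operand, so if newinfo->size can be smaller than sizeof(struct arpt_entry) the right-hand side wraps to a very large value and the test passes. Please confirm that such a size is rejected before mark_source_chains() runs, or write the test as newpos + sizeof(struct arpt_entry) > newinfo->size. The check also bounds the jump only; it does not require newpos to land on an entry boundary.
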
@@ -431,8 +446,6 @@ static int mark_source_chains(struct xt_
 static inline int standard_check(const struct arpt_entry_target *t,
 				 unsigned int max_offset)
 {
-	struct arpt_standard_target *targ = (void *)t;
-
 	/* Check standard info. */
 	if (t->u.target_size
 	    != ARPT_ALIGN(sizeof(struct arpt_standard_target))) {
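
Review bot: standard_check() in arp_tables.c keeps its unsigned int max_offset parameter, but the next hunk removes the only visible lines that read it (the two targ->verdict tests), which leaves the parameter dead. Drop it and update the callers, or fold the remaining target_size test into check_entry() and delete the function, as the ip_tables.c and ip6_tables.c hunks do with their standard_check().
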
@@ -442,18 +455,6 @@ static inline int standard_check(const s
 		return 0;
 	}
 
-	if (targ->verdict >= 0
-	    && targ->verdict > max_offset - sizeof(struct arpt_entry)) {
-		duprintf("arpt_standard_check: bad verdict (%i)\n",
-			 targ->verdict);
-		return 0;
-	}
-
-	if (targ->verdict < -NF_MAX_VERDICT - 1) {
-		duprintf("arpt_standard_check: bad negative verdict (%i)\n",
-			 targ->verdict);
-		return 0;
-	}
 	return 1;
 }
 
@@ -471,7 +472,13 @@ static inline int check_entry(struct arp
 		return -EINVAL;
 	}
 
+	if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset)
+		return -EINVAL;
+
 	t = arpt_get_target(e);
+	if (e->target_offset + t->u.target_size > e->next_offset)
+		return -EINVAL;
+
 	target = try_then_request_module(xt_find_target(NF_ARP, t->u.user.name,
 							t->u.user.revision),
 					 "arpt_%s", t->u.user.name);
@@ -641,7 +648,7 @@ static int translate_table(const char *n
 
 	if (ret != 0) {
 		ARPT_ENTRY_ITERATE(entry0, newinfo->size,
-				   cleanup_entry, &i);
+				cleanup_entry, &i);
 		return ret;
 	}
 
--- linux-2.6.18.4.orig/net/ipv4/netfilter/ip_tables.c
+++ linux-2.6.18.4/net/ipv4/netfilter/ip_tables.c
@@ -404,6 +404,13 @@ mark_source_chains(struct xt_table_info 
 			    && unconditional(&e->ip)) {
 				unsigned int oldpos, size;
 
+				if (t->verdict < -NF_MAX_VERDICT - 1) {
+					duprintf("mark_source_chains: bad "
+						"negative verdict (%i)\n",
+								t->verdict);
+					return 0;
+				}
+
 				/* Return: backtrack through the last
 				   big jump. */
 				do {
@@ -441,6 +448,13 @@ mark_source_chains(struct xt_table_info 
 				if (strcmp(t->target.u.user.name,
 					   IPT_STANDARD_TARGET) == 0
 				    && newpos >= 0) {
+					if (newpos > newinfo->size -
+						sizeof(struct ipt_entry)) {
+						duprintf("mark_source_chains: "
+							"bad verdict (%i)\n",
+								newpos);
+						return 0;
+					}
 					/* This a jump; chase it. */
 					duprintf("Jump rule %u -> %u\n",
 						 pos, newpos);
@@ -474,27 +488,6 @@ cleanup_match(struct ipt_entry_match *m,
 }
 
 static inline int
-standard_check(const struct ipt_entry_target *t,
-	       unsigned int max_offset)
-{
-	struct ipt_standard_target *targ = (void *)t;
-
-	/* Check standard info. */
-	if (targ->verdict >= 0
-	    && targ->verdict > max_offset - sizeof(struct ipt_entry)) {
-		duprintf("ipt_standard_check: bad verdict (%i)\n",
-			 targ->verdict);
-		return 0;
-	}
-	if (targ->verdict < -NF_MAX_VERDICT - 1) {
-		duprintf("ipt_standard_check: bad negative verdict (%i)\n",
-			 targ->verdict);
-		return 0;
-	}
-	return 1;
-}
-
-static inline int
 check_match(struct ipt_entry_match *m,
 	    const char *name,
 	    const struct ipt_ip *ip,
@@ -552,12 +545,18 @@ check_entry(struct ipt_entry *e, const c
 		return -EINVAL;
 	}
 
+	if (e->target_offset + sizeof(struct ipt_entry_target) > e->next_offset)
+		return -EINVAL;
+
 	j = 0;
 	ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip, e->comefrom, &j);
 	if (ret != 0)
 		goto cleanup_matches;
 
 	t = ipt_get_target(e);
+	ret = -EINVAL;
+	if (e->target_offset + t->u.target_size > e->next_offset)
+			goto cleanup_matches;
 	target = try_then_request_module(xt_find_target(AF_INET,
 						     t->u.user.name,
 						     t->u.user.revision),
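
Review bot: both new tests in check_entry() bound the target from above only. Nothing in the visible lines requires e->target_offset to be at least sizeof(struct ipt_entry), or t->u.target_size to be at least sizeof(struct ipt_entry_target), so an entry whose target overlaps its own header, or whose target_size is smaller than the target header, still passes these two tests. If those lower bounds are enforced elsewhere, please say where in the changelog; otherwise add them next to these checks.
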
@@ -575,12 +574,7 @@ check_entry(struct ipt_entry *e, const c
 	if (ret)
 		goto err;
 
-	if (t->u.kernel.target == &ipt_standard_target) {
-		if (!standard_check(t, size)) {
-			ret = -EINVAL;
-			goto cleanup_matches;
-		}
-	} else if (t->u.kernel.target->checkentry
+	if (t->u.kernel.target->checkentry
 		   && !t->u.kernel.target->checkentry(name, e, target, t->data,
 						      t->u.target_size
 						      - sizeof(*t),
@@ -730,7 +724,7 @@ translate_table(const char *name,
 
 	if (ret != 0) {
 		IPT_ENTRY_ITERATE(entry0, newinfo->size,
-				  cleanup_entry, &i);
+				cleanup_entry, &i);
 		return ret;
 	}
 
@@ -1531,6 +1525,10 @@ check_compat_entry_size_and_hooks(struct
 		return -EINVAL;
 	}
 
+	if (e->target_offset + sizeof(struct compat_xt_entry_target) >
+								e->next_offset)
+		return -EINVAL;
+
 	off = 0;
 	entry_offset = (void *)e - (void *)base;
 	j = 0;
@@ -1540,6 +1538,9 @@ check_compat_entry_size_and_hooks(struct
 		goto cleanup_matches;
 
 	t = ipt_get_target(e);
+	ret = -EINVAL;
+	if (e->target_offset + t->u.target_size > e->next_offset)
+			goto cleanup_matches;
 	target = try_then_request_module(xt_find_target(AF_INET,
 						     t->u.user.name,
 						     t->u.user.revision),
@@ -1656,19 +1657,15 @@ static int compat_copy_entry_from_user(s
 	if (ret)
 		goto err;
 
-	ret = -EINVAL;
-	if (t->u.kernel.target == &ipt_standard_target) {
-		if (!standard_check(t, *size))
-			goto err;
-	} else if (t->u.kernel.target->checkentry
+	if (t->u.kernel.target->checkentry
 		   && !t->u.kernel.target->checkentry(name, de, target,
 				t->data, t->u.target_size - sizeof(*t),
 				de->comefrom)) {
 		duprintf("ip_tables: compat: check failed for `%s'.\n",
 			 t->u.kernel.target->name);
+		ret = -EINVAL;
 		goto err;
 	}
-	ret = 0;
  err:
 	return ret;
 }
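
Review bot: with ret = -EINVAL and ret = 0 removed, compat_copy_entry_from_user() returns on success whatever the preceding check left in ret, which is 0 only because the if (ret) goto err just above filtered out non-zero values. That is correct as shown but fragile if a statement is later inserted between the two. The goto err that now follows ret = -EINVAL jumps to the label on the very next line and can be dropped.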
--- linux-2.6.18.4.orig/net/ipv6/netfilter/ip6_tables.c
+++ linux-2.6.18.4/net/ipv6/netfilter/ip6_tables.c
@@ -444,6 +444,13 @@ mark_source_chains(struct xt_table_info 
 			    && unconditional(&e->ipv6)) {
 				unsigned int oldpos, size;
 
+				if (t->verdict < -NF_MAX_VERDICT - 1) {
+					duprintf("mark_source_chains: bad "
+						"negative verdict (%i)\n",
+								t->verdict);
+					return 0;
+				}
+
 				/* Return: backtrack through the last
 				   big jump. */
 				do {
@@ -481,6 +488,13 @@ mark_source_chains(struct xt_table_info 
 				if (strcmp(t->target.u.user.name,
 					   IP6T_STANDARD_TARGET) == 0
 				    && newpos >= 0) {
+					if (newpos > newinfo->size -
+						sizeof(struct ip6t_entry)) {
+						duprintf("mark_source_chains: "
+							"bad verdict (%i)\n",
+								newpos);
+						return 0;
+					}
 					/* This a jump; chase it. */
 					duprintf("Jump rule %u -> %u\n",
 						 pos, newpos);
@@ -514,27 +528,6 @@ cleanup_match(struct ip6t_entry_match *m
 }
 
 static inline int
-standard_check(const struct ip6t_entry_target *t,
-	       unsigned int max_offset)
-{
-	struct ip6t_standard_target *targ = (void *)t;
-
-	/* Check standard info. */
-	if (targ->verdict >= 0
-	    && targ->verdict > max_offset - sizeof(struct ip6t_entry)) {
-		duprintf("ip6t_standard_check: bad verdict (%i)\n",
-			 targ->verdict);
-		return 0;
-	}
-	if (targ->verdict < -NF_MAX_VERDICT - 1) {
-		duprintf("ip6t_standard_check: bad negative verdict (%i)\n",
-			 targ->verdict);
-		return 0;
-	}
-	return 1;
-}
-
-static inline int
 check_match(struct ip6t_entry_match *m,
 	    const char *name,
 	    const struct ip6t_ip6 *ipv6,
@@ -592,12 +585,19 @@ check_entry(struct ip6t_entry *e, const 
 		return -EINVAL;
 	}
 
+	if (e->target_offset + sizeof(struct ip6t_entry_target) >
+								e->next_offset)
+		return -EINVAL;
+
 	j = 0;
 	ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6, e->comefrom, &j);
 	if (ret != 0)
 		goto cleanup_matches;
 
 	t = ip6t_get_target(e);
+	ret = -EINVAL;
+	if (e->target_offset + t->u.target_size > e->next_offset)
+			goto cleanup_matches;
 	target = try_then_request_module(xt_find_target(AF_INET6,
 							t->u.user.name,
 							t->u.user.revision),
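
Review bot: in check_entry() the goto cleanup_matches under the new target_size test is indented two tabs deeper than its if instead of one; the same slip appears in the ip_tables.c hunks. Assigning ret = -EINVAL before the test also leaves ret at -EINVAL going into the target lookup that follows, which is harmless only while every later path assigns ret before using it; setting it inside the if body, with braces, makes the intent explicit.
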
@@ -615,12 +615,7 @@ check_entry(struct ip6t_entry *e, const 
 	if (ret)
 		goto err;
 
-	if (t->u.kernel.target == &ip6t_standard_target) {
-		if (!standard_check(t, size)) {
-			ret = -EINVAL;
-			goto cleanup_matches;
-		}
-	} else if (t->u.kernel.target->checkentry
+	if (t->u.kernel.target->checkentry
 		   && !t->u.kernel.target->checkentry(name, e, target, t->data,
 						      t->u.target_size
 						      - sizeof(*t),
@@ -770,7 +765,7 @@ translate_table(const char *name,
 
 	if (ret != 0) {
 		IP6T_ENTRY_ITERATE(entry0, newinfo->size,
-				  cleanup_entry, &i);
+				   cleanup_entry, &i);
 		return ret;
 	}
 
@@ -780,7 +775,7 @@ translate_table(const char *name,
 			memcpy(newinfo->entries[i], entry0, newinfo->size);
 	}
 
-	return ret;
+	return 0;
 }
 
 /* Gets counters. */
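
Review bot: return ret becomes return 0 at the end of translate_table() only in ip6_tables.c; the arp_tables.c and ip_tables.c hunks of this patch show no matching change. Please explain in the changelog why the IPv6 copy needs it (ret is not guaranteed to be 0 at that point, presumably), or make the three files consistent.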

--
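
The three missing checks listed in the changelog of patch 05, as a user-space
example added here for illustration (it is not code from the patch or from the
kernel). The entry_hdr/target_hdr layout, MAX_VERDICT, the error codes and the
sample tables are simplified assumptions, not the kernel's struct ipt_entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, assumed layout for illustration; NOT the kernel's ipt_entry. */
struct entry_hdr {
	uint16_t target_offset;	/* entry start -> target header */
	uint16_t next_offset;	/* entry start -> next entry */
};
struct target_hdr {
	uint16_t target_size;	/* target header plus payload */
	uint16_t is_standard;	/* 1: the verdict field is meaningful */
	int32_t  verdict;	/* >= 0: jump offset, < 0: encoded verdict */
};
#define MAX_VERDICT 5		/* stands in for NF_MAX_VERDICT */

enum { TBL_OK = 0, ERR_ENTRY_BOUNDS = -1, ERR_TARGET_OFFSET = -2,
       ERR_TARGET_SIZE = -3, ERR_VERDICT = -4 };

/* Validate every offset before any later pass is allowed to follow it. */
int validate_table(const unsigned char *blob, size_t size)
{
	size_t pos = 0;

	while (pos < size) {
		struct entry_hdr e;
		struct target_hdr t;
		size_t left = size - pos;

		if (left < sizeof(e))
			return ERR_ENTRY_BOUNDS;
		memcpy(&e, blob + pos, sizeof(e));
		if (e.next_offset < sizeof(e) + sizeof(t) || e.next_offset > left)
			return ERR_ENTRY_BOUNDS;

		/* Second issue: the target header must lie inside the entry. */
		if (e.target_offset < sizeof(e) ||
		    e.target_offset + sizeof(t) > e.next_offset)
			return ERR_TARGET_OFFSET;
		memcpy(&t, blob + pos + e.target_offset, sizeof(t));

		/* Third issue: the whole target must end inside the entry. */
		if (t.target_size < sizeof(t) ||
		    (size_t)e.target_offset + t.target_size > e.next_offset)
			return ERR_TARGET_SIZE;

		/* First issue: bound the verdict before anything chases it.
		 * Like the patch, this bounds the jump only; it does not
		 * require the offset to land on an entry boundary. */
		if (t.is_standard) {
			if (t.verdict >= 0) {
				if ((size_t)t.verdict > size - sizeof(e))
					return ERR_VERDICT;
			} else if (t.verdict < -MAX_VERDICT - 1) {
				return ERR_VERDICT;
			}
		}
		pos += e.next_offset;
	}
	return TBL_OK;
}

/* Write one constructed entry with a standard target; returns table size. */
static size_t put_entry(unsigned char *buf, uint16_t target_offset,
			uint16_t next_offset, uint16_t target_size, int32_t verdict)
{
	struct entry_hdr e = { target_offset, next_offset };
	struct target_hdr t = { target_size, 1, verdict };

	memcpy(buf, &e, sizeof(e));
	memcpy(buf + target_offset, &t, sizeof(t));
	return next_offset;
}

/* Constructed one-entry tables (entry header is 4 bytes, target header 8). */
static const struct { uint16_t toff, next, tsize; int32_t verdict; } samples[] = {
	{  4, 12,  8,   -1 },	/* 0: valid, negative verdict in range */
	{ 12, 12,  8,   -1 },	/* 1: target_offset points past the entry */
	{  4, 12, 40,   -1 },	/* 2: target_size runs past the entry */
	{  4, 12,  8, 4096 },	/* 3: jump far past the table end */
	{  4, 12,  8, -100 },	/* 4: negative verdict out of range */
	{  4, 12,  8,    8 },	/* 5: jump exactly at the allowed limit */
	{  4, 12,  8,    9 },	/* 6: jump one byte past the limit */
};

int run_sample(size_t n)
{
	unsigned char buf[32] = { 0 };
	size_t size = put_entry(buf, samples[n].toff, samples[n].next,
				samples[n].tsize, samples[n].verdict);

	return validate_table(buf, size);
}

int main(void)
{
	for (size_t n = 0; n < sizeof(samples) / sizeof(samples[0]); n++)
		printf("sample %zu -> %d\n", n, run_sample(n));
	return 0;
}
```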


* [patch 06/23] NETFILTER: arp_tables: missing unregistration on module unload
From: Chris Wright @ 2006-11-29 22:00 UTC
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Patrick McHardy, davem

[-- Attachment #1: netfilter-arp_tables-missing-unregistration-on-module-unload.patch --]
[-- Type: text/plain, Size: 853 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Patrick McHardy <kaber@trash.net>

---
commit 6b22b99ecd431b63aece1fa5b1faa01b75a8302e
tree 7969fd96d4daad6eaf8a10a0659702ca3e404439
parent 0ef4760e162ea44c847cca7393b36e5bcac5414e
author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:24:43 +0100
committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:24:43 +0100

 net/ipv4/netfilter/arp_tables.c |    2 ++
 1 file changed, 2 insertions(+)

--- linux-2.6.18.4.orig/net/ipv4/netfilter/arp_tables.c
+++ linux-2.6.18.4/net/ipv4/netfilter/arp_tables.c
@@ -1211,6 +1211,8 @@ err1:
 static void __exit arp_tables_fini(void)
 {
 	nf_unregister_sockopt(&arpt_sockopts);
+	xt_unregister_target(&arpt_error_target);
+	xt_unregister_target(&arpt_standard_target);
 	xt_proto_fini(NF_ARP);
 }
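
Review bot: this message carries no changelog body and no Signed-off-by lines, only the From: header and the commit metadata; for -stable it should say what goes wrong when arpt_error_target and arpt_standard_target stay registered after the module is unloaded. In arp_tables_fini() please also confirm that the two xt_unregister_target() calls undo the registrations in the reverse of the order used by the init function, which this hunk does not show.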
 

--


* [patch 07/23] NETFILTER: Honour source routing for LVS-NAT
From: Chris Wright @ 2006-11-29 22:00 UTC
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Patrick McHardy, davem, Ken Brownfield,
	Simon Horman

[-- Attachment #1: netfilter-honour-source-routing-for-lvs-nat.patch --]
[-- Type: text/plain, Size: 4620 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Patrick McHardy <kaber@trash.net>

For policy routing, packets originating from this machine itself may be
routed differently to packets passing through. We want this packet to be
routed as if it came from this machine itself. So re-compute the routing
information using ip_route_me_harder().

This patch is derived from work by Ken Brownfield.

This patch (-stable version) also includes commit
b4c4ed175ff0ee816df48571cfa9b73f521964b6 ([NETFILTER]: add type parameter
to ip_route_me_harder), which is a precondition for the fix.

Cc: Ken Brownfield <krb@irridia.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
commit cf08e74a590c945d3c0b95886ea3fad8ff73793d
tree d5c1a44360bb9a4a2d59e37a9f0dc3c6ce0b6c49
parent 6b22b99ecd431b63aece1fa5b1faa01b75a8302e
author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:25:11 +0100
committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:25:11 +0100

 include/linux/netfilter_ipv4.h         |    2 +-
 net/ipv4/ipvs/ip_vs_core.c             |   10 ++++++++++
 net/ipv4/netfilter.c                   |    9 ++++++---
 net/ipv4/netfilter/ip_nat_standalone.c |    3 ++-
 net/ipv4/netfilter/iptable_mangle.c    |    3 ++-
 5 files changed, 21 insertions(+), 6 deletions(-)

--- linux-2.6.18.4.orig/include/linux/netfilter_ipv4.h
+++ linux-2.6.18.4/include/linux/netfilter_ipv4.h
@@ -77,7 +77,7 @@ enum nf_ip_hook_priorities {
 #define SO_ORIGINAL_DST 80
 
 #ifdef __KERNEL__
-extern int ip_route_me_harder(struct sk_buff **pskb);
+extern int ip_route_me_harder(struct sk_buff **pskb, unsigned addr_type);
 extern int ip_xfrm_me_harder(struct sk_buff **pskb);
 extern unsigned int nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
 				   unsigned int dataoff, u_int8_t protocol);
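
Review bot: the new parameter in the ip_route_me_harder() prototype is declared as bare unsigned addr_type, where the neighbouring nf_ip_checksum() prototype spells out unsigned int. Please use unsigned int for consistency, and add a short comment that the argument is an RTN_* address type, since the prototype alone gives callers no hint of the accepted values.
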
--- linux-2.6.18.4.orig/net/ipv4/ipvs/ip_vs_core.c
+++ linux-2.6.18.4/net/ipv4/ipvs/ip_vs_core.c
@@ -813,6 +813,16 @@ ip_vs_out(unsigned int hooknum, struct s
 	skb->nh.iph->saddr = cp->vaddr;
 	ip_send_check(skb->nh.iph);
 
+ 	/* For policy routing, packets originating from this
+ 	 * machine itself may be routed differently to packets
+ 	 * passing through.  We want this packet to be routed as
+ 	 * if it came from this machine itself.  So re-compute
+ 	 * the routing information.
+ 	 */
+ 	if (ip_route_me_harder(pskb, RTN_LOCAL) != 0)
+ 		goto drop;
+	skb = *pskb;
+
 	IP_VS_DBG_PKT(10, pp, skb, 0, "After SNAT");
 
 	ip_vs_out_stats(cp, skb);
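Review bot: The added comment in ip_vs_out() does not say why RTN_LOCAL is forced instead of letting ip_route_me_harder() classify the address: saddr has just been rewritten to cp->vaddr two lines above, so say explicitly that the virtual address must be treated as local even if inet_addr_type() would not report it as such. The comment and the `if`/`goto drop` lines are also indented with a space followed by a tab, while `skb = *pskb;` uses a plain tab; drop the stray spaces.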
--- linux-2.6.18.4.orig/net/ipv4/netfilter.c
+++ linux-2.6.18.4/net/ipv4/netfilter.c
@@ -8,7 +8,7 @@
 #include <net/ip.h>
 
 /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */
-int ip_route_me_harder(struct sk_buff **pskb)
+int ip_route_me_harder(struct sk_buff **pskb, unsigned addr_type)
 {
 	struct iphdr *iph = (*pskb)->nh.iph;
 	struct rtable *rt;
@@ -16,10 +16,13 @@ int ip_route_me_harder(struct sk_buff **
 	struct dst_entry *odst;
 	unsigned int hh_len;
 
+	if (addr_type == RTN_UNSPEC)
+		addr_type = inet_addr_type(iph->saddr);
+
 	/* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
 	 * packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
 	 */
-	if (inet_addr_type(iph->saddr) == RTN_LOCAL) {
+	if (addr_type == RTN_LOCAL) {
 		fl.nl_u.ip4_u.daddr = iph->daddr;
 		fl.nl_u.ip4_u.saddr = iph->saddr;
 		fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
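Review bot: The new addr_type parameter of ip_route_me_harder() is undocumented: RTN_UNSPEC acts as a sentinel meaning "classify iph->saddr with inet_addr_type()", and any other value overrides that lookup. Extend the one-line comment above the function to say so, since every caller now has to pick a value. Consider `unsigned int addr_type` rather than bare `unsigned`, matching `unsigned int hh_len` a few lines below.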
@@ -156,7 +159,7 @@ static int nf_ip_reroute(struct sk_buff 
 		if (!(iph->tos == rt_info->tos
 		      && iph->daddr == rt_info->daddr
 		      && iph->saddr == rt_info->saddr))
-			return ip_route_me_harder(pskb);
+			return ip_route_me_harder(pskb, RTN_UNSPEC);
 	}
 	return 0;
 }
--- linux-2.6.18.4.orig/net/ipv4/netfilter/ip_nat_standalone.c
+++ linux-2.6.18.4/net/ipv4/netfilter/ip_nat_standalone.c
@@ -275,7 +275,8 @@ ip_nat_local_fn(unsigned int hooknum,
 		       ct->tuplehash[!dir].tuple.src.u.all
 #endif
 		    )
-			return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+			if (ip_route_me_harder(pskb, RTN_UNSPEC))
+				ret = NF_DROP;
 	}
 	return ret;
 }
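Review bot: In ip_nat_local_fn() the new `if (ip_route_me_harder(pskb, RTN_UNSPEC))` is an unbraced statement nested under the multi-line outer condition that ends after the `#endif`; put braces around the outer body so the nesting stays unambiguous when the conditional is next edited. The same shape appears in ipt_local_hook() in iptable_mangle.c. The switch from an early return to `ret = NF_DROP` is not mentioned in the changelog; a sentence on why the function now falls through to `return ret` would help.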
--- linux-2.6.18.4.orig/net/ipv4/netfilter/iptable_mangle.c
+++ linux-2.6.18.4/net/ipv4/netfilter/iptable_mangle.c
@@ -157,7 +157,8 @@ ipt_local_hook(unsigned int hook,
 		|| (*pskb)->nfmark != nfmark
 #endif
 		|| (*pskb)->nh.iph->tos != tos))
-		return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+		if (ip_route_me_harder(pskb, RTN_UNSPEC))
+			ret = NF_DROP;
 
 	return ret;
 }

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [patch 08/23] NETFILTER: Kconfig: fix xt_physdev dependencies
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (6 preceding siblings ...)
  2006-11-29 22:00 ` [patch 07/23] NETFILTER: Honour source routing for LVS-NAT Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-11-29 22:00 ` [patch 09/23] NETFILTER: xt_CONNSECMARK: fix Kconfig dependencies Chris Wright
                   ` (15 subsequent siblings)
  23 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Patrick McHardy, davem

[-- Attachment #1: netfilter-kconfig-fix-xt_physdev-dependencies.patch --]
[-- Type: text/plain, Size: 1333 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Patrick McHardy <kaber@trash.net>

xt_physdev depends on bridge netfilter, which is a boolean, but can still
be built modular because of special handling in the bridge makefile. Add
a dependency on BRIDGE to prevent XT_MATCH_PHYSDEV=y, BRIDGE=m.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
commit ca6adddd237afa4910bab5e9e8ba0685f37c2bfe
tree 45c88fae3ec75a90ffac423906e662bdb36e8251
parent cf08e74a590c945d3c0b95886ea3fad8ff73793d
author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:25:31 +0100
committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:25:31 +0100

 net/netfilter/Kconfig |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.18.4.orig/net/netfilter/Kconfig
+++ linux-2.6.18.4/net/netfilter/Kconfig
@@ -342,7 +342,7 @@ config NETFILTER_XT_MATCH_MULTIPORT
 
 config NETFILTER_XT_MATCH_PHYSDEV
 	tristate '"physdev" match support'
-	depends on NETFILTER_XTABLES && BRIDGE_NETFILTER
+	depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
 	help
 	  Physdev packet matching matches against the physical bridge ports
 	  the IP packet arrived on or will leave by.
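Review bot: `BRIDGE && BRIDGE_NETFILTER` on the `depends on` line of NETFILTER_XT_MATCH_PHYSDEV looks redundant to anyone who does not know that BRIDGE_NETFILTER is a bool. Add a short Kconfig comment that the tristate BRIDGE term is there to rule out XT_MATCH_PHYSDEV=y with BRIDGE=m, so it is not removed as a cleanup later.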

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [patch 09/23] NETFILTER: xt_CONNSECMARK: fix Kconfig dependencies
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (7 preceding siblings ...)
  2006-11-29 22:00 ` [patch 08/23] NETFILTER: Kconfig: fix xt_physdev dependencies Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-11-29 22:00 ` [patch 10/23] bcm43xx: Drain TX status before starting IRQs Chris Wright
                   ` (14 subsequent siblings)
  23 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Patrick McHardy, davem

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: netfilter-xt_connsecmark-fix-kconfig-dependencies.patch --]
[-- Type: text/plain, Size: 1425 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Patrick McHardy <kaber@trash.net>

CONNSECMARK needs conntrack, add missing dependency to fix linking error
with CONNSECMARK=y and CONNTRACK=m.

Reported by Toralf Förster <toralf.foerster@gmx.de>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
commit 7f013c33ba2b02614c856d715b65d858bc1ec47f
tree 7ba757cfe1e953e47726bdcf956c16d07d94aa6e
parent ca6adddd237afa4910bab5e9e8ba0685f37c2bfe
author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:25:54 +0100
committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:25:54 +0100

 net/netfilter/Kconfig |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- linux-2.6.18.4.orig/net/netfilter/Kconfig
+++ linux-2.6.18.4/net/netfilter/Kconfig
@@ -197,7 +197,9 @@ config NETFILTER_XT_TARGET_SECMARK
 
 config NETFILTER_XT_TARGET_CONNSECMARK
 	tristate '"CONNSECMARK" target support'
-	depends on NETFILTER_XTABLES && (NF_CONNTRACK_SECMARK || IP_NF_CONNTRACK_SECMARK)
+	depends on NETFILTER_XTABLES && \
+		   ((NF_CONNTRACK && NF_CONNTRACK_SECMARK) || \
+		    (IP_NF_CONNTRACK && IP_NF_CONNTRACK_SECMARK))
 	help
 	  The CONNSECMARK target copies security markings from packets
 	  to connections, and restores security markings from connections

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [patch 10/23] bcm43xx: Drain TX status before starting IRQs
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (8 preceding siblings ...)
  2006-11-29 22:00 ` [patch 09/23] NETFILTER: xt_CONNSECMARK: fix Kconfig dependencies Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-11-29 22:00 ` [patch 11/23] NETFILTER: H.323 conntrack: fix crash with CONFIG_IP_NF_CT_ACCT Chris Wright
                   ` (13 subsequent siblings)
  23 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Larry Finger, netdev, mb, greg,
	John W. Linville

[-- Attachment #1: bcm43xx-drain-tx-status-before-starting-irqs.patch --]
[-- Type: text/plain, Size: 1772 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Michael Buesch <mb@bu3sch.de>

Drain the Microcode TX-status-FIFO before we enable IRQs.
This is required, because the FIFO may still have entries left
from a previous run. Those would immediately fire after enabling
IRQs and would lead to an oops in the DMA TXstatus handling code.

Cc: "John W. Linville" <linville@tuxdriver.com>
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/net/wireless/bcm43xx/bcm43xx_main.c |   18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

--- linux-2.6.18.4.orig/drivers/net/wireless/bcm43xx/bcm43xx_main.c
+++ linux-2.6.18.4/drivers/net/wireless/bcm43xx/bcm43xx_main.c
@@ -1463,6 +1463,23 @@ static void handle_irq_transmit_status(s
 	}
 }
 
+static void drain_txstatus_queue(struct bcm43xx_private *bcm)
+{
+	u32 dummy;
+
+	if (bcm->current_core->rev < 5)
+		return;
+	/* Read all entries from the microcode TXstatus FIFO
+	 * and throw them away.
+	 */
+	while (1) {
+		dummy = bcm43xx_read32(bcm, BCM43xx_MMIO_XMITSTAT_0);
+		if (!dummy)
+			break;
+		dummy = bcm43xx_read32(bcm, BCM43xx_MMIO_XMITSTAT_1);
+	}
+}
+
 static void bcm43xx_generate_noise_sample(struct bcm43xx_private *bcm)
 {
 	bcm43xx_shm_write16(bcm, BCM43xx_SHM_SHARED, 0x408, 0x7F7F);
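Review bot: The `while (1)` loop in drain_txstatus_queue() has no upper bound: it exits only when BCM43xx_MMIO_XMITSTAT_0 reads as zero, so hardware that keeps returning a non-zero value would spin here indefinitely during core selection. Cap the number of iterations and print an error if the cap is reached. The value read from BCM43xx_MMIO_XMITSTAT_1 is stored in `dummy` and never examined; if that read is what advances the FIFO, say so in the comment.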
@@ -3517,6 +3534,7 @@ int bcm43xx_select_wireless_core(struct 
 	bcm43xx_macfilter_clear(bcm, BCM43xx_MACFILTER_ASSOC);
 	bcm43xx_macfilter_set(bcm, BCM43xx_MACFILTER_SELF, (u8 *)(bcm->net_dev->dev_addr));
 	bcm43xx_security_init(bcm);
+	drain_txstatus_queue(bcm);
 	ieee80211softmac_start(bcm->net_dev);
 
 	/* Let's go! Be careful after enabling the IRQs.

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [patch 11/23] NETFILTER: H.323 conntrack: fix crash with CONFIG_IP_NF_CT_ACCT
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (9 preceding siblings ...)
  2006-11-29 22:00 ` [patch 10/23] bcm43xx: Drain TX status before starting IRQs Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-11-29 22:00 ` [patch 12/23] pcmcia: fix rmmod pcmcia with unbound devices Chris Wright
                   ` (12 subsequent siblings)
  23 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable, David S. Miller
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Patrick McHardy, Faidon Liambotis

[-- Attachment #1: netfilter-h.323-conntrack-fix-crash-with-config_ip_nf_ct_acct.patch --]
[-- Type: text/plain, Size: 1738 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Patrick McHardy <kaber@trash.net>

H.323 connection tracking code calls ip_ct_refresh_acct() when
processing RCFs and URQs but passes NULL as the skb.
When CONFIG_IP_NF_CT_ACCT is enabled, the connection tracking core tries
to dereference the skb, which results in an obvious panic.
A similar fix was applied on the SIP connection tracking code some time
ago.

Signed-off-by: Faidon Liambotis <paravoid@debian.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
commit 76b0c2b63fd5a2da358b36a22b7bf99298dde0b7
tree cd96ddb4c4cd5ffb44ed5a47fa3be41267eea99a
parent 1b9bb3c14c60324b54645ffefbe6d270f9fd191c
author Faidon Liambotis <paravoid@debian.org> Fri, 17 Nov 2006 21:01:25 +0100
committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 21:01:25 +0100

 net/ipv4/netfilter/ip_conntrack_helper_h323.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- linux-2.6.18.4.orig/net/ipv4/netfilter/ip_conntrack_helper_h323.c
+++ linux-2.6.18.4/net/ipv4/netfilter/ip_conntrack_helper_h323.c
@@ -1417,7 +1417,7 @@ static int process_rcf(struct sk_buff **
 		DEBUGP
 		    ("ip_ct_ras: set RAS connection timeout to %u seconds\n",
 		     info->timeout);
-		ip_ct_refresh_acct(ct, ctinfo, NULL, info->timeout * HZ);
+		ip_ct_refresh(ct, *pskb, info->timeout * HZ);
 
 		/* Set expect timeout */
 		read_lock_bh(&ip_conntrack_lock);
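Review bot: The changelog describes a NULL skb dereference, but process_rcf() now calls ip_ct_refresh() instead of passing *pskb to ip_ct_refresh_acct(), and the message does not say why the accounting variant is dropped rather than given a valid skb. State in the commit message whether that is intended. Also check that `ctinfo` is still used in process_rcf() and process_urq() after this change, since both removed calls took it as an argument.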
@@ -1465,7 +1465,7 @@ static int process_urq(struct sk_buff **
 	info->sig_port[!dir] = 0;
 
 	/* Give it 30 seconds for UCF or URJ */
-	ip_ct_refresh_acct(ct, ctinfo, NULL, 30 * HZ);
+	ip_ct_refresh(ct, *pskb, 30 * HZ);
 
 	return 0;
 }

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [patch 12/23] pcmcia: fix rmmod pcmcia with unbound devices
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (10 preceding siblings ...)
  2006-11-29 22:00 ` [patch 11/23] NETFILTER: H.323 conntrack: fix crash with CONFIG_IP_NF_CT_ACCT Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-11-29 22:00 ` [patch 13/23] V4L: Do not enable VIDEO_V4L2 unconditionally Chris Wright
                   ` (11 subsequent siblings)
  23 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Daniel Ritz, Daniel Ritz, Dominik Brodowski,
	Pavol Gono

[-- Attachment #1: pcmcia-fix-rmmod-pcmcia-with-unbound-devices.patch --]
[-- Type: text/plain, Size: 1154 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Daniel Ritz <daniel.ritz-ml@swissonline.ch>

Having unbound PCMCIA devices: doing a 'find /sys' after a 'rmmod pcmcia'
gives an oops because the pcmcia_device is not unregistered from the driver
core.

fixes bugzilla #7481

Signed-off-by: Daniel Ritz <daniel.ritz@gmx.ch>
Acked-by: Dominik Brodowski <linux@dominikbrodowski.net>
Cc: Pavol Gono <Palo.Gono@gmail.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
[chrisw: add subsequent mutex fix]
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/pcmcia/ds.c |    5 +++++
 1 file changed, 5 insertions(+)

--- linux-2.6.18.4.orig/drivers/pcmcia/ds.c
+++ linux-2.6.18.4/drivers/pcmcia/ds.c
@@ -1264,6 +1264,11 @@ static void pcmcia_bus_remove_socket(str
 	socket->pcmcia_state.dead = 1;
 	pccard_register_pcmcia(socket, NULL);
 
+	/* unregister any unbound devices */
+	mutex_lock(&socket->skt_mutex);
+	pcmcia_card_remove(socket, NULL);
+	mutex_unlock(&socket->skt_mutex);
+
 	pcmcia_put_socket(socket);
 
 	return;
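Review bot: The comment `/* unregister any unbound devices */` in pcmcia_bus_remove_socket() does not explain why skt_mutex is held around pcmcia_card_remove() or what the NULL second argument selects. Since the locking arrived as a follow-up ("add subsequent mutex fix"), record the locking requirement in the comment so the call is not copied elsewhere without it.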

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [patch 13/23] V4L: Do not enable VIDEO_V4L2 unconditionally
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (11 preceding siblings ...)
  2006-11-29 22:00 ` [patch 12/23] pcmcia: fix rmmod pcmcia with unbound devices Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-11-29 22:00 ` [patch 14/23] x86 microcode: dont check the size Chris Wright
                   ` (10 subsequent siblings)
  23 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, v4l-dvb maintainer list, Maciej W. Rozycki,
	Mauro Carvalho Chehab

[-- Attachment #1: v4l-do-not-enable-video_v4l2-unconditionally.patch --]
[-- Type: text/plain, Size: 894 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Maciej W. Rozycki <macro@linux-mips.org>

V4L: Do not enable VIDEO_V4L2 unconditionally

The VIDEO_V4L2 config setting is enabled unconditionally, even for
configurations with no support for this subsystem whatsoever. The
following patch adds the necessary dependency.

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/media/Kconfig |    1 +
 1 file changed, 1 insertion(+)

--- linux-2.6.18.4.orig/drivers/media/Kconfig
+++ linux-2.6.18.4/drivers/media/Kconfig
@@ -54,6 +54,7 @@ config VIDEO_V4L1_COMPAT
 
 config VIDEO_V4L2
 	bool
+	depends on VIDEO_DEV
 	default y
 
 source "drivers/media/video/Kconfig"

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [patch 14/23] x86 microcode: dont check the size
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (12 preceding siblings ...)
  2006-11-29 22:00 ` [patch 13/23] V4L: Do not enable VIDEO_V4L2 unconditionally Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-12-02  6:44   ` Willy Tarreau
  2006-11-29 22:00 ` [patch 15/23] alpha: Fix ALPHA_EV56 dependencies typo Chris Wright
                   ` (9 subsequent siblings)
  23 siblings, 1 reply; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Daniel Drake, shaohua.li

[-- Attachment #1: x86-microcode-don-t-check-the-size.patch --]
[-- Type: text/plain, Size: 1761 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Shaohua Li <shaohua.li@intel.com>

IA32 manual says if microcode update's size is 0, then the size is
default size (2048 bytes). But this doesn't suggest all microcode
update's size should be above 2048 bytes to me. We actually had a
microcode update whose size is 1024 bytes. The patch just removed the
check.

Backported to 2.6.18 by Daniel Drake.

Signed-off-by: Daniel Drake <dsd@gentoo.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 arch/i386/kernel/microcode.c |    9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

--- linux-2.6.18.4.orig/arch/i386/kernel/microcode.c
+++ linux-2.6.18.4/arch/i386/kernel/microcode.c
@@ -250,14 +250,14 @@ static int find_matching_ucodes (void) 
 		}
 
 		total_size = get_totalsize(&mc_header);
-		if ((cursor + total_size > user_buffer_size) || (total_size < DEFAULT_UCODE_TOTALSIZE)) {
+		if (cursor + total_size > user_buffer_size) {
 			printk(KERN_ERR "microcode: error! Bad data in microcode data file\n");
 			error = -EINVAL;
 			goto out;
 		}
 
 		data_size = get_datasize(&mc_header);
-		if ((data_size + MC_HEADER_SIZE > total_size) || (data_size < DEFAULT_UCODE_DATASIZE)) {
+		if (data_size + MC_HEADER_SIZE > total_size) {
 			printk(KERN_ERR "microcode: error! Bad data in microcode data file\n");
 			error = -EINVAL;
 			goto out;
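Review bot: With the DEFAULT_UCODE_TOTALSIZE and DEFAULT_UCODE_DATASIZE lower bounds removed, find_matching_ucodes() relies only on the additive comparisons `cursor + total_size > user_buffer_size` and `data_size + MC_HEADER_SIZE > total_size`, and both sizes come from the header via get_totalsize() and get_datasize(). Add an explicit rejection of `total_size < MC_HEADER_SIZE` and write the bounds in subtraction form, for example `total_size > user_buffer_size - cursor`, so that a large header value cannot wrap the sum and pass the check.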
@@ -460,11 +460,6 @@ static ssize_t microcode_write (struct f
 {
 	ssize_t ret;
 
-	if (len < DEFAULT_UCODE_TOTALSIZE) {
-		printk(KERN_ERR "microcode: not enough data\n"); 
-		return -EINVAL;
-	}
-
 	if ((len >> PAGE_SHIFT) > num_physpages) {
 		printk(KERN_ERR "microcode: too much data (max %ld pages)\n", num_physpages);
 		return -EINVAL;
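Review bot: Removing the `len < DEFAULT_UCODE_TOTALSIZE` test from microcode_write() leaves no minimum length at all, so a write shorter than one header is no longer rejected here. Keep a floor at the header size, `if (len < MC_HEADER_SIZE) return -EINVAL;`, rather than dropping the check entirely; that still admits the 1024-byte update the changelog mentions.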

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [patch 15/23] alpha: Fix ALPHA_EV56 dependencies typo
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (13 preceding siblings ...)
  2006-11-29 22:00 ` [patch 14/23] x86 microcode: dont check the size Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-11-29 22:00 ` [patch 16/23] softmac: fix a slab corruption in WEP restricted key association Chris Wright
                   ` (8 subsequent siblings)
  23 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Daniel Drake, ferdy, Richard Henderson,
	Ivan Kokshaysky

[-- Attachment #1: alpha-fix-alpha_ev56-dependencies-typo.patch --]
[-- Type: text/plain, Size: 942 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Fernando J. Pereda <ferdy@gentoo.org>

There appears to be a typo in the EV56 config option. NORITAKE and PRIMO are
be able to set a variation of either.

Signed-off-by: Daniel Drake <dsd@gentoo.org>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 arch/alpha/Kconfig |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.18.4.orig/arch/alpha/Kconfig
+++ linux-2.6.18.4/arch/alpha/Kconfig
@@ -381,7 +381,7 @@ config ALPHA_EV56
 
 config ALPHA_EV56
 	prompt "EV56 CPU (speed >= 333MHz)?"
-	depends on ALPHA_NORITAKE && ALPHA_PRIMO
+	depends on ALPHA_NORITAKE || ALPHA_PRIMO
 
 config ALPHA_EV56
 	prompt "EV56 CPU (speed >= 400MHz)?"

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [patch 16/23] softmac: fix a slab corruption in WEP restricted key association
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (14 preceding siblings ...)
  2006-11-29 22:00 ` [patch 15/23] alpha: Fix ALPHA_EV56 dependencies typo Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-11-29 22:00 ` [patch 17/23] TG3: Add missing unlock in tg3_open() error path Chris Wright
                   ` (7 subsequent siblings)
  23 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Laurent Riffard, Daniel Drake,
	John W Linville

[-- Attachment #1: softmac-fix-a-slab-corruption-in-wep-restricted-key-association.patch --]
[-- Type: text/plain, Size: 1042 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Laurent Riffard <laurent.riffard@free.fr>

Fix a slab corruption in ieee80211softmac_auth(). The size of a buffer
was miscomputed.

see http://bugzilla.kernel.org/show_bug.cgi?id=7245

Acked-by: Daniel Drake <dsd@gentoo.org>
Signed-off-by: Laurent Riffard <laurent.riffard@free.fr>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/ieee80211/softmac/ieee80211softmac_io.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.18.4.orig/net/ieee80211/softmac/ieee80211softmac_io.c
+++ linux-2.6.18.4/net/ieee80211/softmac/ieee80211softmac_io.c
@@ -304,7 +304,7 @@ ieee80211softmac_auth(struct ieee80211_a
 		2 +		/* Auth Transaction Seq */
 		2 +		/* Status Code */
 		 /* Challenge Text IE */
-		is_shared_response ? 0 : 1 + 1 + net->challenge_len
+		(is_shared_response ? 1 + 1 + net->challenge_len : 0)
 	);
 	if (unlikely((*pkt) == NULL))
 		return 0;
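Review bot: The changelog says only that the size "was miscomputed", but the replaced line in ieee80211softmac_auth() had two separate defects and the message should name both. Without parentheses the conditional bound as `(2 + ... + is_shared_response) ? 0 : ...`, because `+` binds tighter than `?:`, so the fixed-size terms above it were part of the condition rather than the sum. The arms were also reversed: the Challenge Text IE bytes are now reserved when is_shared_response is true, not when it is false. Please confirm the second change against the frame that is actually built further down.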

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [patch 17/23] TG3: Add missing unlock in tg3_open() error path.
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (15 preceding siblings ...)
  2006-11-29 22:00 ` [patch 16/23] softmac: fix a slab corruption in WEP restricted key association Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-11-29 22:00 ` [patch 18/23] IPV6: Fix address/interface handling in UDP and DCCP, according to the scoping architecture Chris Wright
                   ` (6 subsequent siblings)
  23 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, maks, Ira W. Snyder, David S Miller

[-- Attachment #1: tg3-add-missing-unlock-in-tg3_open-error-path.patch --]
[-- Type: text/plain, Size: 887 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Ira W. Snyder <kernel@irasnyder.com>

Sparse noticed a locking imbalance in tg3_open(). This patch adds an
unlock to one of the error paths, so that tg3_open() always exits
without the lock held.

Signed-off-by: Ira W. Snyder <kernel@irasnyder.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/net/tg3.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- linux-2.6.18.4.orig/drivers/net/tg3.c
+++ linux-2.6.18.4/drivers/net/tg3.c
@@ -6889,8 +6889,10 @@ static int tg3_open(struct net_device *d
 	tg3_full_lock(tp, 0);
 
 	err = tg3_set_power_state(tp, PCI_D0);
-	if (err)
+	if (err) {
+		tg3_full_unlock(tp);
 		return err;
+	}
 
 	tg3_disable_ints(tp);
 	tp->tg3_flags &= ~TG3_FLAG_INIT_COMPLETE;

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [patch 18/23] IPV6: Fix address/interface handling in UDP and DCCP, according to the scoping architecture.
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (16 preceding siblings ...)
  2006-11-29 22:00 ` [patch 17/23] TG3: Add missing unlock in tg3_open() error path Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-11-29 22:00 ` [patch 19/23] IA64: bte_unaligned_copy() transfers one extra cache line Chris Wright
                   ` (5 subsequent siblings)
  23 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, maks, YOSHIFUJI Hideaki, David S Miller

[-- Attachment #1: ipv6-fix-address-interface-handling-in-udp-and-dccp-according-to-the-scoping-architecture.patch --]
[-- Type: text/plain, Size: 2214 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>

TCP and RAW do not have this issue.  Closes Bug #7432.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 net/dccp/ipv6.c |    2 +-
 net/ipv6/udp.c  |    7 +++----
 2 files changed, 4 insertions(+), 5 deletions(-)

--- linux-2.6.18.4.orig/net/dccp/ipv6.c
+++ linux-2.6.18.4/net/dccp/ipv6.c
@@ -276,7 +276,7 @@ static void dccp_v6_err(struct sk_buff *
 	__u64 seq;
 
 	sk = inet6_lookup(&dccp_hashinfo, &hdr->daddr, dh->dccph_dport,
-			  &hdr->saddr, dh->dccph_sport, skb->dev->ifindex);
+			  &hdr->saddr, dh->dccph_sport, inet6_iif(skb));
 
 	if (sk == NULL) {
 		ICMP6_INC_STATS_BH(__in6_dev_get(skb->dev), ICMP6_MIB_INERRORS);
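Review bot: The commit message gives no description of the defect beyond "TCP and RAW do not have this issue"; say what inet6_iif(skb) returns that skb->dev->ifindex does not, and in which configuration the inet6_lookup() in dccp_v6_err() matched the wrong socket or none. The ICMP6_INC_STATS_BH() line just below still keys off skb->dev; confirm that the statistics are meant to stay on that device.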
--- linux-2.6.18.4.orig/net/ipv6/udp.c
+++ linux-2.6.18.4/net/ipv6/udp.c
@@ -314,14 +314,13 @@ static void udpv6_err(struct sk_buff *sk
 {
 	struct ipv6_pinfo *np;
 	struct ipv6hdr *hdr = (struct ipv6hdr*)skb->data;
-	struct net_device *dev = skb->dev;
 	struct in6_addr *saddr = &hdr->saddr;
 	struct in6_addr *daddr = &hdr->daddr;
 	struct udphdr *uh = (struct udphdr*)(skb->data+offset);
 	struct sock *sk;
 	int err;
 
-	sk = udp_v6_lookup(daddr, uh->dest, saddr, uh->source, dev->ifindex);
+	sk = udp_v6_lookup(daddr, uh->dest, saddr, uh->source, inet6_iif(skb));
    
 	if (sk == NULL)
 		return;
@@ -415,7 +414,7 @@ static void udpv6_mcast_deliver(struct u
 
 	read_lock(&udp_hash_lock);
 	sk = sk_head(&udp_hash[ntohs(uh->dest) & (UDP_HTABLE_SIZE - 1)]);
-	dif = skb->dev->ifindex;
+	dif = inet6_iif(skb);
 	sk = udp_v6_mcast_next(sk, uh->dest, daddr, uh->source, saddr, dif);
 	if (!sk) {
 		kfree_skb(skb);
@@ -496,7 +495,7 @@ static int udpv6_rcv(struct sk_buff **ps
 	 * check socket cache ... must talk to Alan about his plans
 	 * for sock caches... i'll skip this for now.
 	 */
-	sk = udp_v6_lookup(saddr, uh->source, daddr, uh->dest, dev->ifindex);
+	sk = udp_v6_lookup(saddr, uh->source, daddr, uh->dest, inet6_iif(skb));
 
 	if (sk == NULL) {
 		if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
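Review bot: In udpv6_rcv() the lookup no longer reads `dev->ifindex`, but unlike udpv6_err(), where `struct net_device *dev = skb->dev;` was removed in the same patch, nothing here touches the declaration of `dev`. Check whether `dev` still has a user in udpv6_rcv(); if not, remove it to avoid an unused-variable warning.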

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [patch 19/23] IA64: bte_unaligned_copy() transfers one extra cache line.
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (17 preceding siblings ...)
  2006-11-29 22:00 ` [patch 18/23] IPV6: Fix address/interface handling in UDP and DCCP, according to the scoping architecture Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-11-29 22:00 ` [patch 20/23] BLUETOOTH: Fix unaligned access in hci_send_to_sock Chris Wright
                   ` (4 subsequent siblings)
  23 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Robin Holt, Dean Nelson, Tony Luck

[-- Attachment #1: bte_unaligned_copy-transfers-one-extra-cache-line.patch --]
[-- Type: text/plain, Size: 1677 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Robin Holt <holt@sgi.com>

When called to do a transfer that has a start offset within the cache
line which is uneven between source and destination and a length which
terminates the source of the copy exactly on a cache line, one extra
line gets copied into a temporary buffer.  This is normally not an issue
since the buffer is a kernel buffer and only the requested information
gets copied into the user buffer.

The problem arises when the source ends at the very last physical page
of memory.  That last cache line does not exist and results in the SHUB
chip raising an MCA.

Signed-off-by: Robin Holt <holt@sgi.com>
Signed-off-by: Dean Nelson <dcn@sgi.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 arch/ia64/sn/kernel/bte.c |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- linux-2.6.18.4.orig/arch/ia64/sn/kernel/bte.c
+++ linux-2.6.18.4/arch/ia64/sn/kernel/bte.c
@@ -382,14 +382,13 @@ bte_result_t bte_unaligned_copy(u64 src,
 		 * bcopy to the destination.
 		 */
 
-		/* Add the leader from source */
-		headBteLen = len + (src & L1_CACHE_MASK);
-		/* Add the trailing bytes from footer. */
-		headBteLen += L1_CACHE_BYTES - (headBteLen & L1_CACHE_MASK);
-		headBteSource = src & ~L1_CACHE_MASK;
 		headBcopySrcOffset = src & L1_CACHE_MASK;
 		headBcopyDest = dest;
 		headBcopyLen = len;
+
+		headBteSource = src - headBcopySrcOffset;
+		/* Add the leading and trailing bytes from source */
+		headBteLen = L1_CACHE_ALIGN(len + headBcopySrcOffset);
 	}
 
 	if (headBcopyLen > 0) {
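Review bot: The new comment `/* Add the leading and trailing bytes from source */` in bte_unaligned_copy() no longer records the boundary condition that the fix is about. Add a sentence that headBteLen must not be rounded up when `len + headBcopySrcOffset` is already a multiple of the cache line size, because the extra line may lie beyond the last physical page; otherwise the L1_CACHE_ALIGN() call is easy to "simplify" back into the old form.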

--

^ permalink raw reply	[flat|nested] 30+ messages in thread
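
The length computation described in the message above, as an added example that is not part of the original patch or the kernel source. It models only the source-side arithmetic, with an assumed 128-byte cache line and a constructed end-of-memory address, and compares the removed lines with their replacement.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this illustration: the patch itself uses the kernel's
 * L1_CACHE_BYTES, L1_CACHE_MASK and L1_CACHE_ALIGN(); MEM_END is a
 * constructed, line-aligned "one past the last byte of memory" address. */
#define LINE_BYTES 128u
#define LINE_MASK  (LINE_BYTES - 1)
#define LINE_ALIGN(x) (((x) + LINE_MASK) & ~(uint64_t)LINE_MASK)
#define MEM_END 0x10000ULL

struct bte_span {
	uint64_t start;	/* line-aligned address the engine starts reading at */
	uint64_t len;	/* number of bytes it is asked to transfer */
};

typedef struct bte_span (*span_fn)(uint64_t src, uint64_t len);

/* Arithmetic of the removed lines: the second step always adds between
 * 1 and LINE_BYTES bytes, so an already aligned length grows by a line. */
static struct bte_span span_before(uint64_t src, uint64_t len)
{
	struct bte_span s;

	s.len = len + (src & LINE_MASK);
	s.len += LINE_BYTES - (s.len & LINE_MASK);
	s.start = src & ~(uint64_t)LINE_MASK;
	return s;
}

/* Arithmetic of the added lines: round up only when needed. */
static struct bte_span span_after(uint64_t src, uint64_t len)
{
	uint64_t off = src & LINE_MASK;
	struct bte_span s;

	s.start = src - off;
	s.len = LINE_ALIGN(len + off);
	return s;
}

/* Count copies that end exactly at MEM_END (so the request itself is
 * valid) for which the computed span reaches past MEM_END. */
static unsigned count_overruns(span_fn fn)
{
	unsigned bad = 0;
	uint64_t len;

	for (len = 1; len <= 3 * LINE_BYTES; len++) {
		struct bte_span s = fn(MEM_END - len, len);

		if (s.start + s.len > MEM_END)
			bad++;
	}
	return bad;
}

/* When the source does not end on a line boundary, both versions must
 * produce the same span; returns 1 if they do for every case swept. */
static int agree_when_end_unaligned(void)
{
	uint64_t off, len;

	for (off = 0; off < LINE_BYTES; off++) {
		for (len = 1; len <= 3 * LINE_BYTES; len++) {
			struct bte_span a, b;

			if (((off + len) & LINE_MASK) == 0)
				continue;	/* aligned end: the buggy case */
			a = span_before(0x8000 + off, len);
			b = span_after(0x8000 + off, len);
			if (a.start != b.start || a.len != b.len)
				return 0;
		}
	}
	return 1;
}

int main(void)
{
	struct bte_span a = span_before(MEM_END - 96, 96);
	struct bte_span b = span_after(MEM_END - 96, 96);

	printf("before: start=%#llx len=%llu\n",
	       (unsigned long long)a.start, (unsigned long long)a.len);
	printf("after:  start=%#llx len=%llu\n",
	       (unsigned long long)b.start, (unsigned long long)b.len);
	printf("overruns before=%u after=%u, unaligned ends agree=%d\n",
	       count_overruns(span_before), count_overruns(span_after),
	       agree_when_end_unaligned());
	return 0;
}
```
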

* [patch 20/23] BLUETOOTH: Fix unaligned access in hci_send_to_sock.
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (18 preceding siblings ...)
  2006-11-29 22:00 ` [patch 19/23] IA64: bte_unaligned_copy() transfers one extra cache line Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-11-29 22:00 ` [patch 21/23] AGP: Allocate AGP pages with GFP_DMA32 by default Chris Wright
                   ` (3 subsequent siblings)
  23 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, maks, David S. Miller

[-- Attachment #1: bluetooth-fix-unaligned-access-in-hci_send_to_sock.patch --]
[-- Type: text/plain, Size: 1166 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: David S. Miller <davem@davemloft.net>

The "u16 *" derefs of skb->data need to be wrapped inside of
a get_unaligned().

Thanks to Gustavo Zacarias for the bug report.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 net/bluetooth/hci_sock.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- linux-2.6.18.4.orig/net/bluetooth/hci_sock.c
+++ linux-2.6.18.4/net/bluetooth/hci_sock.c
@@ -120,10 +120,13 @@ void hci_send_to_sock(struct hci_dev *hd
 			if (!hci_test_bit(evt, &flt->event_mask))
 				continue;
 
-			if (flt->opcode && ((evt == HCI_EV_CMD_COMPLETE && 
-					flt->opcode != *(__u16 *)(skb->data + 3)) ||
-					(evt == HCI_EV_CMD_STATUS && 
-					flt->opcode != *(__u16 *)(skb->data + 4))))
+			if (flt->opcode &&
+			    ((evt == HCI_EV_CMD_COMPLETE &&
+			      flt->opcode !=
+			      get_unaligned((__u16 *)(skb->data + 3))) ||
+			     (evt == HCI_EV_CMD_STATUS &&
+			      flt->opcode !=
+			      get_unaligned((__u16 *)(skb->data + 4)))))
 				continue;
 		}
 
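
Review bot: the two-byte reads at skb->data + 3 and skb->data + 4 are now alignment-safe, but nothing in this hunk shows skb->len being checked to cover them. If no earlier check in hci_send_to_sock() guarantees that length for HCI_EV_CMD_COMPLETE and HCI_EV_CMD_STATUS events, one belongs in front of this condition. The bare 3 and 4 would also read better as named offsets.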

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [patch 21/23] AGP: Allocate AGP pages with GFP_DMA32 by default
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (19 preceding siblings ...)
  2006-11-29 22:00 ` [patch 20/23] BLUETOOTH: Fix unaligned access in hci_send_to_sock Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-11-29 22:00 ` [patch 22/23] fuse: fix Oops in lookup Chris Wright
                   ` (2 subsequent siblings)
  23 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, Andi Kleen, Eric Anholt, Keith Packard

[-- Attachment #1: agp-allocate-agp-pages-with-gfp_dma32-by-default.patch --]
[-- Type: text/plain, Size: 1937 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Linus Torvalds <torvalds@osdl.org>

Not all graphic page remappers support physical addresses over the 4GB
mark for remapping, so while some do (the AMD64 GART always did, and I
just fixed the i965 to do so properly), we're safest off just forcing
GFP_DMA32 allocations to make sure graphics pages get allocated in the
low 32-bit address space by default.

AGP sub-drivers that really care, and can do better, could just choose
to implement their own allocator (or we could add another "64-bit safe"
default allocator for their use), but quite frankly, you're not likely
to care in practice.

So for now, this trivial change means that we won't be allocating pages
that we can't map correctly by mistake on x86-64.

[ On traditional 32-bit x86, this could never happen, because GFP_KERNEL
  would never allocate any highmem memory anyway ]

Acked-by: Andi Kleen <ak@suse.de>
Acked-by: Dave Jones <davej@redhat.com>
Cc: Eric Anholt <eric@anholt.net>
Cc: Keith Packard <keithp@keithp.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/char/agp/generic.c   |    2 +-
 drivers/char/agp/intel-agp.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- linux-2.6.18.4.orig/drivers/char/agp/generic.c
+++ linux-2.6.18.4/drivers/char/agp/generic.c
@@ -1042,7 +1042,7 @@ void *agp_generic_alloc_page(struct agp_
 {
 	struct page * page;
 
-	page = alloc_page(GFP_KERNEL);
+	page = alloc_page(GFP_KERNEL | GFP_DMA32);
 	if (page == NULL)
 		return NULL;
 
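Review bot: the alloc_page() call gains GFP_DMA32 with no comment at the call site, so the reason lives only in the commit message. A one-line comment above it, stating that the default allocator keeps pages in the low 32-bit address space because not every remapper can map physical addresses over 4GB, would tell sub-driver authors when they need their own allocator.
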
--- linux-2.6.18.4.orig/drivers/char/agp/intel-agp.c
+++ linux-2.6.18.4/drivers/char/agp/intel-agp.c
@@ -160,7 +160,7 @@ static void *i8xx_alloc_pages(void)
 {
 	struct page * page;
 
-	page = alloc_pages(GFP_KERNEL, 2);
+	page = alloc_pages(GFP_KERNEL | GFP_DMA32, 2);
 	if (page == NULL)
 		return NULL;
 
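
Review bot: alloc_pages(GFP_KERNEL | GFP_DMA32, 2) asks for an order-2 block that must now also come from the low 32-bit address space, so it has a smaller pool to succeed from than before. The NULL return below it covers the failure, but it is worth confirming that callers of i8xx_alloc_pages() treat NULL as an ordinary outcome rather than a rare one.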

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [patch 22/23] fuse: fix Oops in lookup
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (20 preceding siblings ...)
  2006-11-29 22:00 ` [patch 21/23] AGP: Allocate AGP pages with GFP_DMA32 by default Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-11-29 22:00 ` [patch 23/23] UDP: Make udp_encap_rcv use pskb_may_pull Chris Wright
  2006-11-29 22:40 ` [patch 00/23] -stable review Dave Jones
  23 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable, torvalds
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky, akpm,
	alan, miklos

[-- Attachment #1: fuse-fix-oops-in-lookup.patch --]
[-- Type: text/plain, Size: 4799 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Miklos Szeredi <miklos@szeredi.hu>

Fix bug in certain error paths of lookup routines.  The request object was
reused for sending FORGET, which is illegal.  This bug could cause an Oops
in 2.6.18.  In earlier versions it might silently corrupt memory, but this
is very unlikely.

These error paths are never triggered by libfuse, so this wasn't noticed
even with the 2.6.18 kernel, only with a filesystem using the raw kernel
interface.

Thanks to Russ Cox for the bug report and test filesystem.

Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
[chrisw: backport to 2.6.18 -stable]
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 fs/fuse/dir.c |   52 ++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 38 insertions(+), 14 deletions(-)

--- linux-2.6.18.4.orig/fs/fuse/dir.c
+++ linux-2.6.18.4/fs/fuse/dir.c
@@ -138,6 +138,7 @@ static int fuse_dentry_revalidate(struct
 		struct fuse_entry_out outarg;
 		struct fuse_conn *fc;
 		struct fuse_req *req;
+		struct fuse_req *forget_req;
 
 		/* Doesn't hurt to "reset" the validity timeout */
 		fuse_invalidate_entry_cache(entry);
@@ -151,21 +152,29 @@ static int fuse_dentry_revalidate(struct
 		if (IS_ERR(req))
 			return 0;
 
+		forget_req = fuse_get_req(fc);
+		if (IS_ERR(forget_req)) {
+			fuse_put_request(fc, req);
+			return 0;
+		}
+
 		fuse_lookup_init(req, entry->d_parent->d_inode, entry, &outarg);
 		request_send(fc, req);
 		err = req->out.h.error;
+		fuse_put_request(fc, req);
 		/* Zero nodeid is same as -ENOENT */
 		if (!err && !outarg.nodeid)
 			err = -ENOENT;
 		if (!err) {
 			struct fuse_inode *fi = get_fuse_inode(inode);
 			if (outarg.nodeid != get_node_id(inode)) {
-				fuse_send_forget(fc, req, outarg.nodeid, 1);
+				fuse_send_forget(fc, forget_req,
+						 outarg.nodeid, 1);
 				return 0;
 			}
 			fi->nlookup ++;
 		}
-		fuse_put_request(fc, req);
+		fuse_put_request(fc, forget_req);
 		if (err || (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
 			return 0;
 
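Review bot: on the nodeid-mismatch path, `fuse_send_forget(fc, forget_req, outarg.nodeid, 1); return 0;` leaves without a fuse_put_request() for forget_req, while every other path puts it. That is correct only if fuse_send_forget() takes ownership of the request it is handed. A short comment at the call saying so would stop a later reader from "fixing" the apparent leak.
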
@@ -214,6 +223,7 @@ static struct dentry *fuse_lookup(struct
 	struct inode *inode = NULL;
 	struct fuse_conn *fc = get_fuse_conn(dir);
 	struct fuse_req *req;
+	struct fuse_req *forget_req;
 
 	if (entry->d_name.len > FUSE_NAME_MAX)
 		return ERR_PTR(-ENAMETOOLONG);
@@ -222,9 +232,16 @@ static struct dentry *fuse_lookup(struct
 	if (IS_ERR(req))
 		return ERR_PTR(PTR_ERR(req));
 
+	forget_req = fuse_get_req(fc);
+	if (IS_ERR(forget_req)) {
+		fuse_put_request(fc, req);
+		return ERR_PTR(PTR_ERR(forget_req));
+	}
+
 	fuse_lookup_init(req, dir, entry, &outarg);
 	request_send(fc, req);
 	err = req->out.h.error;
+	fuse_put_request(fc, req);
 	/* Zero nodeid is same as -ENOENT, but with valid timeout */
 	if (!err && outarg.nodeid &&
 	    (invalid_nodeid(outarg.nodeid) || !valid_mode(outarg.attr.mode)))
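
Review bot: forget_req is obtained before the LOOKUP is sent, so every lookup now holds two requests and fails with the fuse_get_req() error even when no FORGET turns out to be needed. If the intent is that a FORGET must never fail for lack of a request once the reply has arrived, say so in a comment next to the allocation. The same applies to the identical blocks in fuse_dentry_revalidate() and create_new_entry().
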
@@ -233,11 +250,11 @@ static struct dentry *fuse_lookup(struct
 		inode = fuse_iget(dir->i_sb, outarg.nodeid, outarg.generation,
 				  &outarg.attr);
 		if (!inode) {
-			fuse_send_forget(fc, req, outarg.nodeid, 1);
+			fuse_send_forget(fc, forget_req, outarg.nodeid, 1);
 			return ERR_PTR(-ENOMEM);
 		}
 	}
-	fuse_put_request(fc, req);
+	fuse_put_request(fc, forget_req);
 	if (err && err != -ENOENT)
 		return ERR_PTR(err);
 
@@ -375,6 +392,13 @@ static int create_new_entry(struct fuse_
 	struct fuse_entry_out outarg;
 	struct inode *inode;
 	int err;
+	struct fuse_req *forget_req;
+
+	forget_req = fuse_get_req(fc);
+	if (IS_ERR(forget_req)) {
+		fuse_put_request(fc, req);
+		return PTR_ERR(forget_req);
+	}
 
 	req->in.h.nodeid = get_node_id(dir);
 	req->out.numargs = 1;
@@ -382,24 +406,24 @@ static int create_new_entry(struct fuse_
 	req->out.args[0].value = &outarg;
 	request_send(fc, req);
 	err = req->out.h.error;
-	if (err) {
-		fuse_put_request(fc, req);
-		return err;
-	}
+	fuse_put_request(fc, req);
+	if (err)
+		goto out_put_forget_req;
+
 	err = -EIO;
 	if (invalid_nodeid(outarg.nodeid))
-		goto out_put_request;
+		goto out_put_forget_req;
 
 	if ((outarg.attr.mode ^ mode) & S_IFMT)
-		goto out_put_request;
+		goto out_put_forget_req;
 
 	inode = fuse_iget(dir->i_sb, outarg.nodeid, outarg.generation,
 			  &outarg.attr);
 	if (!inode) {
-		fuse_send_forget(fc, req, outarg.nodeid, 1);
+		fuse_send_forget(fc, forget_req, outarg.nodeid, 1);
 		return -ENOMEM;
 	}
-	fuse_put_request(fc, req);
+	fuse_put_request(fc, forget_req);
 
 	if (dir_alias(inode)) {
 		iput(inode);
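
Review bot: the `(outarg.attr.mode ^ mode) & S_IFMT` branch jumps to out_put_forget_req and returns -EIO without sending a FORGET, although outarg.nodeid has already passed invalid_nodeid() at that point. Only the !inode path uses forget_req to send one. If the reply counts as a lookup on the filesystem side, this branch may owe a FORGET too; if skipping it is deliberate, a comment should say why.
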
@@ -411,8 +435,8 @@ static int create_new_entry(struct fuse_
 	fuse_invalidate_attr(dir);
 	return 0;
 
- out_put_request:
-	fuse_put_request(fc, req);
+ out_put_forget_req:
+	fuse_put_request(fc, forget_req);
 	return err;
 }
 

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [patch 23/23] UDP: Make udp_encap_rcv use pskb_may_pull
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (21 preceding siblings ...)
  2006-11-29 22:00 ` [patch 22/23] fuse: fix Oops in lookup Chris Wright
@ 2006-11-29 22:00 ` Chris Wright
  2006-11-29 22:40 ` [patch 00/23] -stable review Dave Jones
  23 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 22:00 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	torvalds, akpm, alan, David Miller, bunk, Olaf Kirch,
	Jean Delvare

[-- Attachment #1: udp-make-udp_encap_rcv-use-pskb_may_pull.patch --]
[-- Type: text/plain, Size: 1906 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Olaf Kirch <okir@suse.de>

IPsec with NAT-T breaks on some notebooks using the latest e1000 chipset,
when header split is enabled. When receiving sufficiently large packets, the
driver puts everything up to and including the UDP header into the header
portion of the skb, and the rest goes into the paged part. udp_encap_rcv
forgets to use pskb_may_pull, and fails to decapsulate it. Instead, it
passes it up to the IKE daemon.

Signed-off-by: Olaf Kirch <okir@suse.de>
Signed-off-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/ipv4/udp.c |   19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

--- linux-2.6.18.4.orig/net/ipv4/udp.c
+++ linux-2.6.18.4/net/ipv4/udp.c
@@ -892,23 +892,32 @@ static int udp_encap_rcv(struct sock * s
 	return 1; 
 #else
 	struct udp_sock *up = udp_sk(sk);
-  	struct udphdr *uh = skb->h.uh;
+  	struct udphdr *uh;
 	struct iphdr *iph;
 	int iphlen, len;
   
-	__u8 *udpdata = (__u8 *)uh + sizeof(struct udphdr);
-	__u32 *udpdata32 = (__u32 *)udpdata;
+	__u8 *udpdata;
+	__u32 *udpdata32;
 	__u16 encap_type = up->encap_type;
 
 	/* if we're overly short, let UDP handle it */
-	if (udpdata > skb->tail)
+	len = skb->len - sizeof(struct udphdr);
+	if (len <= 0)
 		return 1;
 
 	/* if this is not encapsulated socket, then just return now */
 	if (!encap_type)
 		return 1;
 
-	len = skb->tail - udpdata;
+	/* If this is a paged skb, make sure we pull up
+	 * whatever data we need to look at. */
+	if (!pskb_may_pull(skb, sizeof(struct udphdr) + min(len, 8)))
+		return 1;
+
+	/* Now we can get the pointers */
+	uh = skb->h.uh;
+	udpdata = (__u8 *)uh + sizeof(struct udphdr);
+	udpdata32 = (__u32 *)udpdata;
 
 	switch (encap_type) {
 	default:
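
Review bot: `len = skb->len - sizeof(struct udphdr)` is evaluated in an unsigned type, because sizeof yields size_t, and only becomes negative through the conversion to int, so the `len <= 0` test depends on that conversion. Comparing the sizes first, for example `if (skb->len <= sizeof(struct udphdr))`, states the intent directly. The bare 8 in min(len, 8) also needs a comment naming the bytes it is meant to cover.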

--

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [patch 00/23] -stable review
  2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
                   ` (22 preceding siblings ...)
  2006-11-29 22:00 ` [patch 23/23] UDP: Make udp_encap_rcv use pskb_may_pull Chris Wright
@ 2006-11-29 22:40 ` Dave Jones
  2006-11-29 23:24   ` [stable] " Chris Wright
  23 siblings, 1 reply; 30+ messages in thread
From: Dave Jones @ 2006-11-29 22:40 UTC (permalink / raw)
  To: Chris Wright
  Cc: linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Chuck Wolber, Chris Wedgwood,
	Michael Krufky, torvalds, akpm, alan

On Wed, Nov 29, 2006 at 02:00:11PM -0800, Chris Wright wrote:
 > This is the start of the stable review cycle for the 2.6.18.5 release.
 > There are 23 patches in this series, all will be posted as a response
 > to this one.  If anyone has any issues with these being applied, please
 > let us know.  If anyone is a maintainer of the proper subsystem, and
 > wants to add a Signed-off-by: line to the patch, please respond with it.
 > 
 > These patches are sent out with a number of different people on the
 > Cc: line.  If you wish to be a reviewer, please email stable@kernel.org
 > to add your name to the list.  If you want to be off the reviewer list,
 > also email us.
 > 
 > Responses should be made by Fri Dec 01 22:00 UTC.  Anything received
 > after that time might be too late.

*cough* rc1.gz ?

		Dave

-- 
http://www.codemonkey.org.uk

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [stable] [patch 00/23] -stable review
  2006-11-29 22:40 ` [patch 00/23] -stable review Dave Jones
@ 2006-11-29 23:24   ` Chris Wright
  0 siblings, 0 replies; 30+ messages in thread
From: Chris Wright @ 2006-11-29 23:24 UTC (permalink / raw)
  To: Dave Jones, Chris Wright, linux-kernel, stable, Justin Forbes,
	Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap, Chuck Wolber,
	Chris Wedgwood, Michael Krufky, torvalds, akpm, alan

* Dave Jones (davej@redhat.com) wrote:
> *cough* rc1.gz ?

*sigh* thanks for the kick.  pushed.
-chris

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [patch 14/23] x86 microcode: dont check the size
  2006-11-29 22:00 ` [patch 14/23] x86 microcode: dont check the size Chris Wright
@ 2006-12-02  6:44   ` Willy Tarreau
  2006-12-03  1:28     ` Bill Davidsen
  2006-12-04  1:04     ` Shaohua Li
  0 siblings, 2 replies; 30+ messages in thread
From: Willy Tarreau @ 2006-12-02  6:44 UTC (permalink / raw)
  To: shaohua.li; +Cc: linux-kernel

Shaohua,

this one seems appropriate for 2.4 too. Is it OK for you if I merge it?

Thanks,
Willy

On Wed, Nov 29, 2006 at 02:00:25PM -0800, Chris Wright wrote:
> -stable review patch.  If anyone has any objections, please let us know.
> ------------------
> 
> From: Shaohua Li <shaohua.li@intel.com>
> 
> IA32 manual says if microcode update's size is 0, then the size is
> default size (2048 bytes). But this doesn't suggest all microcode
> update's size should be above 2048 bytes to me. We actually had a
> microcode update whose size is 1024 bytes. The patch just removed the
> check.
> 
> Backported to 2.6.18 by Daniel Drake.
> 
> Signed-off-by: Daniel Drake <dsd@gentoo.org>
> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
> ---
>  arch/i386/kernel/microcode.c |    9 ++-------
>  1 file changed, 2 insertions(+), 7 deletions(-)
> 
> --- linux-2.6.18.4.orig/arch/i386/kernel/microcode.c
> +++ linux-2.6.18.4/arch/i386/kernel/microcode.c
> @@ -250,14 +250,14 @@ static int find_matching_ucodes (void) 
>  		}
>  
>  		total_size = get_totalsize(&mc_header);
> -		if ((cursor + total_size > user_buffer_size) || (total_size < DEFAULT_UCODE_TOTALSIZE)) {
> +		if (cursor + total_size > user_buffer_size) {
>  			printk(KERN_ERR "microcode: error! Bad data in microcode data file\n");
>  			error = -EINVAL;
>  			goto out;
>  		}
>  
>  		data_size = get_datasize(&mc_header);
> -		if ((data_size + MC_HEADER_SIZE > total_size) || (data_size < DEFAULT_UCODE_DATASIZE)) {
> +		if (data_size + MC_HEADER_SIZE > total_size) {
>  			printk(KERN_ERR "microcode: error! Bad data in microcode data file\n");
>  			error = -EINVAL;
>  			goto out;
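
Review bot: with the DEFAULT_UCODE_TOTALSIZE floor gone, `cursor + total_size > user_buffer_size` is the only bound on total_size, and an additive check of this form passes if the sum wraps. total_size is read from the header of the user-supplied buffer, so `total_size > user_buffer_size - cursor` would be the safer form. The same applies to `data_size + MC_HEADER_SIZE > total_size` below it.
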
> @@ -460,11 +460,6 @@ static ssize_t microcode_write (struct f
>  {
>  	ssize_t ret;
>  
> -	if (len < DEFAULT_UCODE_TOTALSIZE) {
> -		printk(KERN_ERR "microcode: not enough data\n"); 
> -		return -EINVAL;
> -	}
> -
>  	if ((len >> PAGE_SHIFT) > num_physpages) {
>  		printk(KERN_ERR "microcode: too much data (max %ld pages)\n", num_physpages);
>  		return -EINVAL;
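
Review bot: removing the `len < DEFAULT_UCODE_TOTALSIZE` test leaves microcode_write() with no lower bound on len in this hunk; only the num_physpages upper bound remains. A 1024-byte update needs the old floor lifted, but a write shorter than one header still looks worth rejecting here, for example against MC_HEADER_SIZE, rather than relying on the parser to catch it.
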
> 
> --
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [patch 14/23] x86 microcode: dont check the size
  2006-12-02  6:44   ` Willy Tarreau
@ 2006-12-03  1:28     ` Bill Davidsen
  2006-12-04  1:04     ` Shaohua Li
  1 sibling, 0 replies; 30+ messages in thread
From: Bill Davidsen @ 2006-12-03  1:28 UTC (permalink / raw)
  To: Willy Tarreau; +Cc: linux-kernel

Willy Tarreau wrote:
> Shaohua,
> 
> this one seems appropriate for 2.4 too. Is it OK for you if I merge it?
> 
> Thanks,
> Willy
> 
> On Wed, Nov 29, 2006 at 02:00:25PM -0800, Chris Wright wrote:
>> -stable review patch.  If anyone has any objections, please let us know.
>> ------------------
>>
>> From: Shaohua Li <shaohua.li@intel.com>
>>
>> IA32 manual says if microcode update's size is 0, then the size is
>> default size (2048 bytes). But this doesn't suggest all microcode
>> update's size should be above 2048 bytes to me. We actually had a
>> microcode update whose size is 1024 bytes. The patch just removed the
>> check.

I agree with what you said, but unless I miss something, not what you 
did... I don't see the code to get the size and set it to 2k if it's 
zero. I would expect after the call to get_totalsize() that there would 
be a line like:
   if (unlikely(total_size == 0)) total_size = DEFAULT_UCODE_TOTALSIZE;
or some similar logic to do what the manual suggests, that zero is a 
valid value.

I may be totally misreading this, of course, I'm taking the manual quote 
as gospel.

-- 
Bill Davidsen <davidsen@tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [patch 14/23] x86 microcode: dont check the size
  2006-12-02  6:44   ` Willy Tarreau
  2006-12-03  1:28     ` Bill Davidsen
@ 2006-12-04  1:04     ` Shaohua Li
  2006-12-04  1:31       ` Willy Tarreau
  1 sibling, 1 reply; 30+ messages in thread
From: Shaohua Li @ 2006-12-04  1:04 UTC (permalink / raw)
  To: Willy Tarreau; +Cc: linux-kernel

On Sat, 2006-12-02 at 07:44 +0100, Willy Tarreau wrote:
> Shaohua,
> 
> this one seems appropriate for 2.4 too. Is it OK for you if I merge it?
Yes, 2.4 and 2.6 use the same driver. It should be fine to merge it.

Thanks,
Shaohua

> On Wed, Nov 29, 2006 at 02:00:25PM -0800, Chris Wright wrote:
> > -stable review patch.  If anyone has any objections, please let us know.
> > ------------------
> > 
> > From: Shaohua Li <shaohua.li@intel.com>
> > 
> > IA32 manual says if microcode update's size is 0, then the size is
> > default size (2048 bytes). But this doesn't suggest all microcode
> > update's size should be above 2048 bytes to me. We actually had a
> > microcode update whose size is 1024 bytes. The patch just removed the
> > check.
> > 
> > Backported to 2.6.18 by Daniel Drake.
> > 
> > Signed-off-by: Daniel Drake <dsd@gentoo.org>
> > Signed-off-by: Chris Wright <chrisw@sous-sol.org>
> > ---
> >  arch/i386/kernel/microcode.c |    9 ++-------
> >  1 file changed, 2 insertions(+), 7 deletions(-)
> > 
> > --- linux-2.6.18.4.orig/arch/i386/kernel/microcode.c
> > +++ linux-2.6.18.4/arch/i386/kernel/microcode.c
> > @@ -250,14 +250,14 @@ static int find_matching_ucodes (void) 
> >  		}
> >  
> >  		total_size = get_totalsize(&mc_header);
> > -		if ((cursor + total_size > user_buffer_size) || (total_size < DEFAULT_UCODE_TOTALSIZE)) {
> > +		if (cursor + total_size > user_buffer_size) {
> >  			printk(KERN_ERR "microcode: error! Bad data in microcode data file\n");
> >  			error = -EINVAL;
> >  			goto out;
> >  		}
> >  
> >  		data_size = get_datasize(&mc_header);
> > -		if ((data_size + MC_HEADER_SIZE > total_size) || (data_size < DEFAULT_UCODE_DATASIZE)) {
> > +		if (data_size + MC_HEADER_SIZE > total_size) {
> >  			printk(KERN_ERR "microcode: error! Bad data in microcode data file\n");
> >  			error = -EINVAL;
> >  			goto out;
> > @@ -460,11 +460,6 @@ static ssize_t microcode_write (struct f
> >  {
> >  	ssize_t ret;
> >  
> > -	if (len < DEFAULT_UCODE_TOTALSIZE) {
> > -		printk(KERN_ERR "microcode: not enough data\n"); 
> > -		return -EINVAL;
> > -	}
> > -
> >  	if ((len >> PAGE_SHIFT) > num_physpages) {
> >  		printk(KERN_ERR "microcode: too much data (max %ld pages)\n", num_physpages);
> >  		return -EINVAL;
> > 
> > --

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [patch 14/23] x86 microcode: dont check the size
  2006-12-04  1:04     ` Shaohua Li
@ 2006-12-04  1:31       ` Willy Tarreau
  0 siblings, 0 replies; 30+ messages in thread
From: Willy Tarreau @ 2006-12-04  1:31 UTC (permalink / raw)
  To: Shaohua Li; +Cc: linux-kernel

On Mon, Dec 04, 2006 at 09:04:03AM +0800, Shaohua Li wrote:
> On Sat, 2006-12-02 at 07:44 +0100, Willy Tarreau wrote:
> > Shaohua,
> > 
> > this one seems appropriate for 2.4 too. Is it OK for you if I merge it?
> Yes, 2.4 and 2.6 use the same driver. It should be fine to merge it.
> 
> Thanks,
> Shaohua

Queued, thank you !
Willy


^ permalink raw reply	[flat|nested] 30+ messages in thread
