Linux Kernel Documents

Fork

• linux-2.6
• linux-2.4.36

Change VERSION to 2.4.36.9

- bonding: fix panic when taking bond interface down before removing module
- forcedeth: fix checksum flag
- net: Fix recursive descent in __scm_destroy().
- ext: Avoid printk floods in the face of directory
- hfsplus: fix Buffer overflow with a corrupted image
- netfilter: snmp nat leaks memory in case of failure
- i2c: The i2c mailing list is moving
- i2c: Update comment of I2C_FUNC_SMBUS_*_I2C_BLOCK
- backport vlan device unregister fix

Signed-off-by: Willy Tarreau <w@1wt.eu>

net: Fix recursive descent in __scm_destroy().

[backport of 2.6 commit f8d570a4745835f2238a33b537218a1bb03fc671]

__scm_destroy() walks the list of file descriptors in the scm_fp_list
pointed to by the scm_cookie argument.

Those, in turn, can close sockets and invoke __scm_destroy() again.

There is nothing which limits how deeply this can occur.

The idea for how to fix this is from Linus. Basically, we do all of
the fput()s at the top level by collecting all of the scm_fp_list
objects hit by an fput(). Inside of the initial __scm_destroy() we
keep running the list until it is empty.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>

forcedeth: fix checksum flag

[backport of 2.6 commit edcfe5f7e307846e578fb88d69fa27051fded0ab]

Fix the checksum feature advertised in device flags. The hardware support
TCP/UDP over IPv4 and TCP/UDP over IPv6 (without IPv6 extension headers).
However, the kernel feature flags do not distinguish IPv6 with/without
extension headers.

Therefore, the driver needs to use NETIF_F_IP_CSUM instead of
NETIF_F_HW_CSUM since the latter includes all IPv6 packets.

A future patch can be created to check for extension headers and perform
software checksum calculation.

Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com>
Cc: Jeff Garzik <jgarzik@pobox.com>
Cc: Manfred Spraul <manfred@colorfullife.com
Cc: <stable@kernel.org> [2.6.25.x, 2.6.26.x]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>

hfsplus: fix Buffer overflow with a corrupted image

[backport of 2.6 commit efc7ffcb4237f8cb9938909041c4ed38f6e1bf40]

When an hfsplus image gets corrupted it might happen that the catalog
namelength field gets b0rked. If we mount such an image the memcpy() in
hfsplus_cat_build_key_uni() writes more than the 255 that fit in the name
field. Depending on the size of the overwritten data, we either only get
memory corruption or also trigger an oops like this:

[ 221.628020] BUG: unable to handle kernel paging request at c82b0000
[ 221.629066] IP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151
[ 221.629066] *pde = 0ea29163 *pte = 082b0160
[ 221.629066] Oops: 0002 [#1] PREEMPT DEBUG_PAGEALLOC
[ 221.629066] Modules linked in:
[ 221.629066]
[ 221.629066] Pid: 4845, comm: mount Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #28)
[ 221.629066] EIP: 0060:[<c022d4b1>] EFLAGS: 00010206 CPU: 0
[ 221.629066] EIP is at hfsplus_find_cat+0x10d/0x151
[ 221.629066] EAX: 00000029 EBX: 00016210 ECX: 000042c2 EDX: 00000002
[ 221.629066] ESI: c82d70ca EDI: c82b0000 EBP: c82d1bcc ESP: c82d199c
[ 221.629066] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[ 221.629066] Process mount (pid: 4845, ti=c82d1000 task=c8224060 task.ti=c82d1000)
[ 221.629066] Stack: c080b3c4 c82aa8f8 c82d19c2 00016210 c080b3be c82d1bd4 c82aa8f0 00000300
[ 221.629066] 01000000 750008b1 74006e00 74006900 65006c00 c82d6400 c013bd35 c8224060
[ 221.629066] 00000036 00000046 c82d19f0 00000082 c8224548 c8224060 00000036 c0d653cc
[ 221.629066] Call Trace:
[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96
[ 221.629066] [<c01302d2>] ? __kernel_text_address+0x1b/0x27
[ 221.629066] [<c010487a>] ? dump_trace+0xca/0xd6
[ 221.629066] [<c0109e32>] ? save_stack_address+0x0/0x2c
[ 221.629066] [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[ 221.629066] [<c013b571>] ? save_trace+0x37/0x8d
[ 221.629066] [<c013b62e>] ? add_lock_to_list+0x67/0x8d
[ 221.629066] [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
[ 221.629066] [<c013553d>] ? down+0xc/0x2f
[ 221.629066] [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96
[ 221.629066] [<c013da5d>] ? mark_held_locks+0x43/0x5a
[ 221.629066] [<c013dc3a>] ? trace_hardirqs_on+0xb/0xd
[ 221.629066] [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
[ 221.629066] [<c06abec8>] ? _spin_unlock_irqrestore+0x42/0x58
[ 221.629066] [<c013555c>] ? down+0x2b/0x2f
[ 221.629066] [<c022aa68>] ? hfsplus_iget+0xa0/0x154
[ 221.629066] [<c022b0b9>] ? hfsplus_fill_super+0x280/0x447
[ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96
[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[ 221.629066] [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[ 221.629066] [<c041c9e4>] ? string+0x2b/0x74
[ 221.629066] [<c041cd16>] ? vsnprintf+0x2e9/0x512
[ 221.629066] [<c010487a>] ? dump_trace+0xca/0xd6
[ 221.629066] [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[ 221.629066] [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[ 221.629066] [<c013b571>] ? save_trace+0x37/0x8d
[ 221.629066] [<c013b62e>] ? add_lock_to_list+0x67/0x8d
[ 221.629066] [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
[ 221.629066] [<c01354d3>] ? up+0xc/0x2f
[ 221.629066] [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96
[ 221.629066] [<c041cfb7>] ? snprintf+0x1b/0x1d
[ 221.629066] [<c01ba466>] ? disk_name+0x25/0x67
[ 221.629066] [<c0183960>] ? get_sb_bdev+0xcd/0x10b
[ 221.629066] [<c016ad92>] ? kstrdup+0x2a/0x4c
[ 221.629066] [<c022a7b3>] ? hfsplus_get_sb+0x13/0x15
[ 221.629066] [<c022ae39>] ? hfsplus_fill_super+0x0/0x447
[ 221.629066] [<c0183583>] ? vfs_kern_mount+0x3b/0x76
[ 221.629066] [<c0183602>] ? do_kern_mount+0x32/0xba
[ 221.629066] [<c01960d4>] ? do_new_mount+0x46/0x74
[ 221.629066] [<c0196277>] ? do_mount+0x175/0x193
[ 221.629066] [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
[ 221.629066] [<c01663b2>] ? __get_free_pages+0x1e/0x24
[ 221.629066] [<c06ac07b>] ? lock_kernel+0x19/0x8c
[ 221.629066] [<c01962e6>] ? sys_mount+0x51/0x9b
[ 221.629066] [<c01962f9>] ? sys_mount+0x64/0x9b
[ 221.629066] [<c01038bd>] ? sysenter_do_call+0x12/0x31
[ 221.629066] =======================
[ 221.629066] Code: 89 c2 c1 e2 08 c1 e8 08 09 c2 8b 85 e8 fd ff ff 66 89 50 06 89 c7 53 83 c7 08 56 57 68 c4 b3 80 c0 e8 8c 5c ef ff 89 d9 c1 e9 02 <
f3> a5 89 d9 83 e1 03 74 02 f3 a4 83 c3 06 8b 95 e8 fd ff ff 0f
[ 221.629066] EIP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151 SS:ESP 0068:c82d199c
[ 221.629066] ---[ end trace e417a1d67f0d0066 ]---

Since hfsplus_cat_build_key_uni() returns void and only has one callsite,
the check is performed at the callsite.

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Reviewed-by: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>

bonding: fix panic when taking bond interface down before removing module

[backport of 2.6 commit ce39a800ea87c655de49af021c8b20ee323cb40d]

A panic was discovered with bonding when using mode 5 or 6 and trying to
remove the slaves from the bond after the interface was taken down.
When calling 'ifconfig bond0 down' the following happens:

bond_close()
bond_alb_deinitialize()
tlb_deinitialize()
kfree(bond_info->tx_hashtbl)
bond_info->tx_hashtbl = NULL

Unfortunately if there are still slaves in the bond, when removing the
module the following happens:

bonding_exit()
bond_free_all()
bond_release_all()
bond_alb_deinit_slave()
tlb_clear_slave()
tx_hash_table = BOND_ALB_INFO(bond).tx_hashtbl
u32 next_index = tx_hash_table[index].next

As you might guess we panic when trying to access a few entries into the
table that no longer exists.

I experimented with several options (like moving the calls to
tlb_deinitialize somewhere else), but it really makes the most sense to
be part of the bond_close routine. It also didn't seem logical move
tlb_clear_slave around too much, so the simplest option seems to add a
check in tlb_clear_slave to make sure we haven't already wiped the
tx_hashtbl away before searching for all the non-existent hash-table
entries that used to point to the slave as the output interface.

Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>

ext: Avoid printk floods in the face of directory

This is a trivial backport of the following upstream commits:

- bd39597cbd42a784105a04010100e27267481c67 (ext2)
- cdbf6dba28e8e6268c8420857696309470009fd9 (ext3)

This addresses CVE-2008-3528

ext[23]: Avoid printk floods in the face of directory corruption

Note: some people thinks this represents a security bug, since it
might make the system go away while it is printing a large number of
console messages, especially if a serial console is involved. Hence,
it has been assigned CVE-2008-3528, but it requires that the attacker
either has physical access to your machine to insert a USB disk with a
corrupted filesystem image (at which point why not just hit the power
button), or is otherwise able to convince the system administrator to
mount an arbitrary filesystem image (at which point why not just
include a setuid shell or world-writable hard disk device file or some
such). Me, I think they're just being silly. --tytso

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: linux-ext4@vger.kernel.org
Cc: Eugene Teo <eugeneteo@kernel.sg>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[w@1wt.eu: backport from 2.6-stable to 2.4. Removed all ext4 references]
Signed-off-by: Willy Tarreau <w@1wt.eu>

netfilter: snmp nat leaks memory in case of failure

(backport of 2.6 commit 311670f3ea90115f2f1840e3e9770ed71e06e6c3)

Signed-off-by: Ilpo J舐vinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ w@1wt.eu: file is ip_nat_snmp_basic.c in 2.4 ]
Signed-off-by: Willy Tarreau <w@1wt.eu>

backport vlan device unregister fix

Hi.

The attached patch was merged into 2.6.8 kernel, see

http://www.linux.sgi.com/archives/netdev/2004-08/msg00076.html

However, no similar fix is in 2.4. I've faced the problem on a
2.4.26 kernel (with external patches) and with DEBUG_SLAB turned on.
When I unregister network device with attached vlan device, the vlan
device structure is freed too early (because of wrong refcounting) and
dev_mc_discard call in unregister_netdevice uses this freed memmory,
which causes oops.

Signed-off-by: Marcel Šebek <sebek64@post.cz>

i2c: Update comment of I2C_FUNC_SMBUS_*_I2C_BLOCK

Update the comment of I2C_FUNC_SMBUS_*_I2C_BLOCK, makes it in line
with the external i2c repository and the 2.6 kernel.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

i2c: The i2c mailing list is moving

Replace all references (actually, just one) to the old i2c mailing
list.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

Change VERSION to 2.4.36.8

- security: avoid calling a NULL function pointer in drivers/video/tvaudio.c
- doc: mention chain-compiling for really old gccs
- CVE-2008-3275 Linux kernel local filesystem DoS
- Remove suid/sgid bits on truncate() (CVE-2008-4210)
- tcp: Clear probes_out more aggressively in tcp_ack().
- x86 would not build without CONFIG_VT
- pc_keyb: fix breakage on ia64/mips/mips64
- doc: fix examples and add suggestions about depmod
- netfilter: ip6t_{hbh,dst}: Rejects not-strict mode on rule insertion

Signed-off-by: Willy Tarreau <w@1wt.eu>

security: avoid calling a NULL function pointer in drivers/video/tvaudio.c

NULL function pointers are very bad security wise. This one got caught by
kerneloops.org quite a few times, so it's happening in the field....

Fix is simple, check the function pointer for NULL, like 6 other places
in the same function are already doing.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
[2.6 commit: 5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1]
Signed-off-by: Willy Tarreau <w@1wt.eu>

Remove suid/sgid bits on truncate() (CVE-2008-4210)

Hi Willy,

I noticed that CVE-2008-4210 is missing from the linux-2.4.git tree.

Don (cc'ed) proposed this:

Cc: Don Howard <dhoward@redhat.com>
Test-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Willy Tarreau <w@1wt.eu>

CVE-2008-3275 Linux kernel local filesystem DoS

This is a backport for CVE-2008-3275.

"Lookup can install a child dentry for a deleted directory. This keeps
the directory dentry alive, and the inode pinned in the cache and on
disk, even after all external references have gone away.

This isn't a big problem normally, since memory pressure or umount
will clear out the directory dentry and its children, releasing the
inode. But for UBIFS this causes problems because its orphan area can
overflow.

Fix this by returning ENOENT for all lookups on a S_DEAD directory
before creating a child dentry."

Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
[ WT: problem and fix confirmed on ramfs using method described
at http://lkml.org/lkml/2008/7/2/83 ]
Signed-off-by: Willy Tarreau <w@1wt.eu>

netfilter: ip6t_{hbh,dst}: Rejects not-strict mode on rule insertion

[2.6 commit: 8ca31ce52a5cfd03b960fd81a49197ae85d25347]

The current code ignores rules for internal options in HBH/DST options
header in packet processing if 'Not strict' mode is specified (which is not
implemented). Clearly it is not expected by user.

Kernel should reject HBH/DST rule insertion with 'Not strict' mode
in the first place.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Willy Tarreau <w@1wt.eu>

tcp: Clear probes_out more aggressively in tcp_ack().

backport of 2.6 commit 4b53fb67e385b856a991d402096379dab462170a

Test conditions : 2.4.36 kernel using this iptables configuration
iptables -N SLOWLO
iptables -A SLOWLO -m limit --limit 2/sec --limit-burst 1 -j ACCEPT
iptables -A SLOWLO -j DROP
iptables -A OUTPUT -o lo -p tcp --dport 12000 -j SLOWLO

borrowed ss from iproute2-2.4.7-now-ss020116-try.tar.gz,
I had the same result on 2.4.36.7 as Eric Dumazet on 2.6.25 without the patch with his test program.

---- From David S. Miller commit log message

This is based upon an excellent bug report from Eric Dumazet.

tcp_ack() should clear ->icsk_probes_out even if there are packets
outstanding. Otherwise if we get a sequence of ACKs while we do have
packets outstanding over and over again, we'll never clear the
probes_out value and eventually think the connection is too sick and
we'll reset it.

This appears to be some "optimization" added to tcp_ack() in the 2.4.x
timeframe. In 2.2.x, probes_out is pretty much always cleared by
tcp_ack().

Here is Eric's original report:

----------------------------------------
Apparently, we can in some situations reset TCP connections in a couple of seconds when some frames are lost.

In order to reproduce the problem, please try the following program on linux-2.6.25.*

Setup some iptables rules to allow two frames per second sent on loopback interface to tcp destination port 12000
...

Then run the attached program and see the output :

./test_tcp-input
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 40 127.0.0.1:32769 127.0.0.1:12000 timer:(persist,180ms,1)
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 40 127.0.0.1:32769 127.0.0.1:12000 timer:(persist,180ms,3)
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 40 127.0.0.1:32769 127.0.0.1:12000 timer:(persist,180ms,5)
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 40 127.0.0.1:32769 127.0.0.1:12000 timer:(persist,180ms,7)
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 40 127.0.0.1:32769 127.0.0.1:12000 timer:(persist,180ms,9)
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 40 127.0.0.1:32769 127.0.0.1:12000 timer:(persist,180ms,11)
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 40 127.0.0.1:32769 127.0.0.1:12000 timer:(persist,180ms,13)
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 40 127.0.0.1:32769 127.0.0.1:12000 timer:(persist,180ms,15)
write(): Connection timed out
wrote 880 bytes but was interrupted after 10 seconds
ESTAB 0 0 127.0.0.1:12000 127.0.0.1:32769
Exiting read() because no data available (4000 ms timeout).
read 860 bytes

While this tcp session makes progress (sending frames with 50 bytes of payload, every 500ms), linux tcp stack decides to reset it, when tcp_retries 2 is reached (default value : 15)

...

Source of program :

/*
* small producer/consumer program.
* setup a listener on 127.0.0.1:12000
* Forks a child
* child connect to 127.0.0.1, and sends 10 bytes on this tcp socket every 100 ms
* Father accepts connection, and read all data
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <stdio.h>
#include <time.h>
#include <sys/poll.h>

int port = 12000;
char buffer[4096];
int main(int argc, char *argv[])
{
int lfd = socket(AF_INET, SOCK_STREAM, 0);
struct sockaddr_in socket_address;
time_t t0, t1;
int on = 1, sfd, res;
unsigned long total = 0;
socklen_t alen = sizeof(socket_address);
pid_t pid;

time(&t0);
socket_address.sin_family = AF_INET;
socket_address.sin_port = htons(port);
socket_address.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

if (lfd == -1) {
perror("socket()");
return 1;
}
setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(int));
if (bind(lfd, (struct sockaddr *)&socket_address, sizeof(socket_address)) == -1) {
perror("bind");
close(lfd);
return 1;
}
if (listen(lfd, 1) == -1) {
perror("listen()");
close(lfd);
return 1;
}
pid = fork();
if (pid == 0) {
int i, cfd = socket(AF_INET, SOCK_STREAM, 0);
close(lfd);
if (connect(cfd, (struct sockaddr *)&socket_address, sizeof(socket_address)) == -1) {
perror("connect()");
return 1;
}
for (i = 0 ; ;) {
res = write(cfd, "blablabla\n", 10);
if (res > 0) total += res;
else if (res == -1) {
perror("write()");
break;
} else break;
usleep(100000);
if (++i == 10) {
system("ss -on dst 127.0.0.1:12000");
i = 0;
}
}
time(&t1);
fprintf(stderr, "wrote %lu bytes but was interrupted after %g seconds\n", total, difftime(t1, t0));
system("ss -on | grep 127.0.0.1:12000");
close(cfd);
return 0;
}
sfd = accept(lfd, (struct sockaddr *)&socket_address, &alen);
if (sfd == -1) {
perror("accept");
return 1;
}
close(lfd);
while (1) {
struct pollfd pfd[1];
pfd[0].fd = sfd;
pfd[0].events = POLLIN;
if (poll(pfd, 1, 4000) == 0) {
fprintf(stderr, "Exiting read() because no data available (4000 ms timeout).\n");
break;
}
res = read(sfd, buffer, sizeof(buffer));
if (res > 0) total += res;
else if (res == 0) break;
else perror("read()");
}
fprintf(stderr, "read %lu bytes\n", total);
close(sfd);
return 0;
}
----------------------------------------

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gilles Espinasse g.esp@free.fr
Signed-off-by: Willy Tarreau <w@1wt.eu>

doc: fix examples and add suggestions about depmod

Grant Coady has reported these useful suggestions and workaround
for possible build errors related to building a new compiler.

Signed-off-by: Willy Tarreau <w@1wt.eu>

doc: mention chain-compiling for really old gccs

Compiling gcc 2.95.3 directly with 4.x breaks. Mention
chain-compiling as a way to get around that, and end
up with as ancient a gcc as you might like.

Signed-off-by: Erik Inge Bols <knan-lkml@anduin.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>

pc_keyb: fix breakage on ia64/mips/mips64

Commit f8db8c9c81afb4b04c146cae0e2a1fd311de1f22 fixed the keyboard
controller jammed issue on keyboard-less PCs, but introduced the
problem for other architectures (ia64/mips/mips64) which already
define their own keyboard probing method.

This patch gives precedence to these archs' probing method and only
defines the setup option if no arch-specific method was defined.

Signed-off-by: Willy Tarreau <w@1wt.eu>

x86 would not build without CONFIG_VT

I've been using this patch for a while without noticing it never
went into mainline. It is required to build i386 without CONFIG_VT.

Signed-off-by: Willy Tarreau <w@1wt.eu>

Change VERSION to 2.4.36.7

- sctp: Make sure N * sizeof(union sctp_addr) does not overflow (CVE-2008-2826)
- wan: Missing capability checks in sbni_ioctl() (CVE-2008-3525)
- [PPPOE]: Missing result check in __pppoe_xmit().
- udf: fix uid/gid permissions
- net pppoe: Check packet length on all receive paths
- ipv6: use timer pending
- sctp: Do not leak memory on multiple listen() calls
- sctp: Allow only 1 listening socket with SO_REUSEADDR
- doc: explain how to build a suitable gcc in Documentation/using-newer-gcc.txt
- sound: fix warning due to incorrect error code checking in ad1889
- sky2: fix uninitialized "mss" variable in sky2_xmit_frame()
- Correct the upto value during list conntrack information

Signed-off-by: Willy Tarreau <w@1wt.eu>

sky2: fix uninitialized "mss" variable in sky2_xmit_frame()

This variable was initialized within the #if NETIF_F_TSO block
which is not used on kernel 2.4. This has probably caused a
bunch of unstability. This driver would need a new backport
anyway.

Signed-off-by: Willy Tarreau <w@1wt.eu>

sound: fix warning due to incorrect error code checking in ad1889

ad1889.c: In function `ad1889_ac97_init':
ad1889.c:857: warning: comparison is always false due to limited range of data type

This is caused by a short being compared against 0xFFFFFF while
0xFFFF was indeed expected. The missing device would just never
have been detected.

Signed-off-by: Willy Tarreau <w@1wt.eu>

doc: explain how to build a suitable gcc in Documentation/using-newer-gcc.txt

Since many people are using recent distros which do not ship a compatible
gcc anymore, here's a procedure explaining in details how to build an older
gcc to build kernel 2.4.

Signed-off-by: Willy Tarreau <w@1wt.eu>

sctp: Make sure N * sizeof(union sctp_addr) does not overflow (CVE-2008-2826)

[backport of 2.6 commit 735ce972fbc8a65fb17788debd7bbe7b4383cc62]

As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.

Therefore, enforce an appropriate limit.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>

sctp: Allow only 1 listening socket with SO_REUSEADDR

[backport of 2.6 commit 4e54064e0a13b7a7d4a481123c1783f770538e30]

When multiple socket bind to the same port with SO_REUSEADDR,
only 1 can be listining.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>

sctp: Do not leak memory on multiple listen() calls

[backport of 2.6 commit 23b29ed80bd7184398317a111dc488605cb66c7f]

SCTP permits multiple listen call and on subsequent calls
we leak he memory allocated for the crypto transforms.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>

udf: fix uid/gid permissions

This change made it into the 2.6 branch since 2.6.15 and fixes a problem
where the UDF code would change the ownership of files in a UDF filesystem
when they were different thatn the current user, when possible. Example: after
creating a CD using udf as a regular user, if you mounted the CD as root, the
udf code would reset the ownership of all the files on the cd, causing
unecessary write operations. I found this fix while working with an old patch
which adds packet-writing to the 2.4 kernel. This fix is from the original
author (or maintainer) of the udf code.

Note: this was fixed upstream in 4d6660eb3665f22d16aff466eb9d45df6102b254.

wan: Missing capability checks in sbni_ioctl() (CVE-2008-3525)

[backport of 2.6 commit f2455eb176ac87081bbfc9a44b21c7cd2bc1967e]

There are missing capability checks in the following code:

1300 static int
1301 sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd)
1302 {
[...]
1319 case SIOCDEVRESINSTATS :
1320 if( current->euid != 0 ) /* root only */
1321 return -EPERM;
[...]
1336 case SIOCDEVSHWSTATE :
1337 if( current->euid != 0 ) /* root only */
1338 return -EPERM;
[...]
1357 case SIOCDEVENSLAVE :
1358 if( current->euid != 0 ) /* root only */
1359 return -EPERM;
[...]
1372 case SIOCDEVEMANSIPATE :
1373 if( current->euid != 0 ) /* root only */
1374 return -EPERM;

Here's my proposed fix:

Missing capability checks.

Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>

[PPPOE]: Missing result check in __pppoe_xmit().

[backport of 2.6 commit 9bc18091a5e44a368827f539289b99788eb27d4e]

skb_clone() may fail, we should check the result.

Coverity CID: 1215.

Signed-off-by: Florin Malita <fmalita@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>