David S. Miller [Fri, 13 Apr 2007 23:37:54 +0000 (16:37 -0700)]
[NETFILTER] arp_tables: Fix unaligned accesses.
There are two device string comparison loops in arp_packet_match().
The first one goes byte-by-byte but the second one tries to be
clever and cast the string to a long and compare by longs.
The device name strings in the arp table entries are not guarenteed
to be aligned enough to make this value, so just use byte-by-byte
for both cases.
Based upon a report by <drraid@gmail.com>.
Signed-off-by: David S. Miller <davem@davemloft.net>
A packet which is being discarded because of no routes in the
forwarding path should not be counted as OutNoRoutes but as
InNoRoutes.
Additionally, on this occasion, a packet whose destinaion is
not valid should be counted as InAddrErrors separately.
Based on patch from Mitsuru Chinen <mitch@linux.vnet.ibm.com>.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
We are using size of security context from xfrm_policy to determine
how much space to alloc skb and then putting security context from
xfrm_state into skb. Should have been using size of security context
from xfrm_state to alloc skb. Following fix does that
Signed-off-by: Joy Latten <latten@austin.ibm.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
[VLAN]: Allow VLAN interface on top of bridge interface
When a VLAN interface is created on top of a bridge interface and
netfilter is enabled to see the bridged packets, the packets can be
corrupted when passing through the netfilter code. This is caused by the
VLAN driver not setting the 'protocol' and 'nh' members of the sk_buff
structure. In general, this is no problem as the VLAN interface is mostly
connected to a physical ethernet interface which does not use the
'protocol' and 'nh' members. For a bridge interface, however, these
members do matter.
Signed-off-by: Jerome Borsboom <j.borsboom@erasmusmc.nl> Signed-off-by: David S. Miller <davem@davemloft.net>
While building a test kernel for the new esp driver (against
git-current), I hit this bug. Trivial fix, put the inline declaration
in the right place. :)
Signed-off-by: Tom "spot" Callaway <tcallawa@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
autofs_dentry_release() ends up clearing the ->dentry and ->inode members
of autofs_info before removing it from the rehash list. The list is
protected by the rehash lock in both functions, but since
autofs_dentry_release() starts tearing the autofs_info struct down before
removing it from the list, autofs_lookup_unhashed() can get a autofs_info
with a NULL dentry.
This patch moves the clearing of ->dentry and ->inode after the removal
from the rehash list.
Signed-off-by: Jeff Mahoney <jeffm@suse.com> Acked-by: Ian Kent <raven@themaw.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This patch fixes a bug in function decrementing a key of stat data item.
Offset of reiserfs keys are compared as signed values. To set key offset
to maximal possible value maximal signed value has to be used.
This bug is responsible for severe reiserfs filesystem corruption which
shows itself as warning vs-13060. reiserfsck fixes this corruption by
filesystem tree rebuilding.
Signed-off-by: Vladimir Saveliev <vs@namesys.com> Cc: <reiserfs-dev@namesys.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Neil Brown [Thu, 12 Apr 2007 06:28:44 +0000 (23:28 -0700)]
[PATCH] md: fix calculation for size of filemap_attr array in md/bitmap
If 'num_pages' were ever 1 more than a multiple of 8 (32bit platforms)
or of 16 (64 bit platforms). filemap_attr would be allocated one
'unsigned long' shorter than required. We need a round-up in there.
Signed-off-by: Neil Brown <neilb@suse.de> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[PATCH] cciss: unregister from SCSI before tearing down device resources
We must unregister from SCSI before we unmap device resources and unhook
the IRQ handler. Otherwise, SCSI may send us more requests, and we won't
be able to handle them.
I see the following oops during every reboot of my HP DL360:
Randy Dunlap [Thu, 12 Apr 2007 06:28:41 +0000 (23:28 -0700)]
[PATCH] fix kernel oops with badly formatted module option
Catch malformed kernel parameter usage of "param = value". Spaces are not
supported, but don't cause a kernel fault on such usage, just report an
error.
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Acked-by: Larry Finger <Larry.Finger@lwfinger.net> Acked-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Andrew Morton [Thu, 12 Apr 2007 21:45:32 +0000 (14:45 -0700)]
[PKTGEN]: Add try_to_freeze()
The pktgen module prevents suspend-to-disk. Fix.
Acked-by: "Michal Piotrowski" <michal.k.k.piotrowski@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Roland McGrath [Thu, 12 Apr 2007 20:13:42 +0000 (13:13 -0700)]
[SPARC]: avoid CHILD_MAX and OPEN_MAX constants
I don't figure anyone really cares about SunOS syscall emulation, and I
certainly don't. But I'm getting rid of uses of the OPEN_MAX and CHILD_MAX
compile-time constant, and these are almost the only ones. OPEN_MAX is a
bogus constant with no meaning about anything. The RLIMIT_NOFILE resource
limit is what sysconf (_SC_OPEN_MAX) actually wants to return.
The CHILD_MAX cases weren't actually using anything I want to get rid of,
but I noticed that they are there and are wrong too. The CHILD_MAX value
is not really unlimited as a -1 return from sysconf indicates. The
RLIMIT_NPROC resource limit is what sysconf (_SC_CHILD_MAX) wants to return.
Signed-off-by: Roland McGrath <roland@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Steve Wise [Thu, 12 Apr 2007 12:56:34 +0000 (07:56 -0500)]
RDMA/cxgb3: Add set_tcb_rpl_handler
As of commit 6cdbd77e ("cxgb3 - missing CPL hanler and register
setting."), the cxgb3 ethernet NIC driver no longer handles SET_TCB
replies, so we need to do it in the iWARP driver.
Signed-off-by: Steve Wise <swise@opengridcomputing.com> Acked-by: Divy Le Ray <divy@chelsio.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
David S. Miller [Thu, 12 Apr 2007 04:38:45 +0000 (21:38 -0700)]
[SPARC64]: Fix SBUS IOMMU allocation code.
There are several IOMMU allocator bugs. Instead of trying to fix this
overly complicated code, just mirror the PCI IOMMU arena allocator
which is very stable and well stress tested.
I tried to make the code as identical as possible so we can switch
sun4u PCI and SBUS over to a common piece of IOMMU code. All that
will be need are two callbacks, one to do a full IOMMU flush and one
to do a streaming buffer flush.
This patch gets rid of a lot of hangs and mysterious crashes on SBUS
sparc64 systems, at least for me.
Signed-off-by: David S. Miller <davem@davemloft.net>
Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6:
myri10ge: update driver version to 1.3.0-1.233
myri10ge: more Intel chipsets providing aligned PCIe completions
myri10ge: fix management of the firmware 4KB boundary crossing restriction
cxgb3 - missing CPL hanler and register setting.
cxgb3 - MAC watchdog update
cxgb3 - avoid deadlock with mac watchdog
skge: fix wake on lan
sky2: phy workarounds for Yukon EC-U A1
sky2: turn on clocks when doing resume
sky2: turn carrier off when down
skge: turn carrier off when down
[PATCH] bcm43xx: Fix PPC machine checks and match loopback gain specs
[PATCH] bcm43xx: Fix 802.11b/g scan limits to match regulatory reqs
[PATCH] zd1211rw: Fix E2P_PHY_REG patching
[PATCH] zd1211rw: Reject AL2230S devices
[PATCH] PM: use kobject_name() to access kobject names
Noone should use kobj.name directly since it may contain garbage.
Objects with longer names have them stored in separately allocated
memory pointed to by kobj->k_name.
Emil Larsson [Fri, 30 Mar 2007 05:48:46 +0000 (22:48 -0700)]
USB: Nikon D80 unusual device patch
the Nikon D80 camera will not work without an UNUSUAL_DEV entry embodied
in the attached patch (made against 2.6.20.3). Hope you find it helpful,
or if not, pass it along to someone who does.
From: Emil Larsson <emil@swip.net> Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alan Stern [Mon, 9 Apr 2007 15:52:31 +0000 (11:52 -0400)]
EHCI: fix remote wakeup regression in 2.6.21-rc
There is one significant difference between the behavior of root hubs
(as embodied in host controller hardware) and external hubs: When a
remote-wakeup signal is received, an external hub sends an interrupt
message at the _end_ of the resume sequence but a root hub generates
and interrupt at the _beginning_ of the resume sequence. The host
system must poll for the end of the sequence.
When ehci-hcd was converted to interrupt-driven operation instead of
using polling, the remaining need for this particular poll was
overlooked. This patch (as894) fixes the problem.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
myri10ge: fix management of the firmware 4KB boundary crossing restriction
Simpler way of dealing with the firmware 4KB boundary crossing
restriction for rx buffers. This fixes a variety of memory
corruption issues when using an "uncommon" MTU with a 16KB
page size.
Signed-off-by: Brice Goglin <brice@myri.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
Driver needs to turn off carrier when down, otherwise it can
confuse bonding and bridging and looks like carrier is on immediately
when it is brought back up.
Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
[PATCH] Input: ucb1400 - set up driver's name to show in sysfs
The UCB1400 is missing a name parameter in the device_driver struct.
This causes missing information in the /sys tree and seems to cause
other problems with the AC97 functionality. This was tested on a PXA270
system.
* master.kernel.org:/pub/scm/linux/kernel/git/bart/ide-2.6:
ide: add "optical" to sysfs "media" attribute
ide: ugly messages trying to open CD drive with no media present
ide: correctly prevent IDE timer expiry function to run if request was already handled
This happens when a "start stop unit" command (0x1b 0 0 0 3 0 0 0 0 0)
is sent to the drive to try to close the CD-ROM tray, but this drive
doesn't have that capability (it's a slim portable-type CD-ROM), so it
reports sense key 5 (illegal request) with asc/ascq 24/0. This is
exactly how SFF8090i says it should respond.
But ide-cd.c (in cdrom_decode_status() ) just sees sense key 5 and spews
out an error. It then goes on to request sense data, and
cdrom_log_sense() understands this error and doesn't log it.
The patch, for kernel 2.6.20.4, suppresses this error message.
Signed-off-by: Stuart Hayes <stuart_hayes@dell.com> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
ide: correctly prevent IDE timer expiry function to run if request was already handled
It is possible for the timer expiry function to run even though the
request has already been handled: ide_timer_expiry() only checks that
the handler is not NULL, but it is possible that we have handled a
request (thus clearing the handler) and then started a new request
(thus starting the timer again, and setting a handler).
A simple way to exhibit this is to set the DMA timeout to 1 jiffy and
run dd: The kernel will panic after a few minutes because
ide_timer_expiry() tries to add a timer when it's already active.
To fix this, we simply add a request generation count that gets
incremented at every interrupt, and check in ide_timer_expiry() that
we have not already handled a new interrupt before running the expiry
function.
Larry Finger [Sat, 7 Apr 2007 19:11:03 +0000 (14:11 -0500)]
[PATCH] bcm43xx: Fix PPC machine checks and match loopback gain specs
The specifications for loopback_gain calculation and for G PHY
initialization have been updated. This patch implements them and
fixes a machine check error that occurs for PPC architecture with a
phy->rev of 1.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Larry Finger [Sat, 7 Apr 2007 18:54:35 +0000 (13:54 -0500)]
[PATCH] bcm43xx: Fix 802.11b/g scan limits to match regulatory reqs
In 802.11b/g mode, bcm43xx actively scans channels 1-14 no matter what
locale has been set, either in the sprom or by the locale option. This
behaviorviolates regulatory rules everywhere in the world except
Japan. This patch changes the default range to the correct value if the
locale has been set, and to channels 1-13 if no locale has been set.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Daniel Drake [Tue, 3 Apr 2007 22:17:37 +0000 (23:17 +0100)]
[PATCH] zd1211rw: Fix E2P_PHY_REG patching
Due to conflicting/confusing defines in the vendor driver, we were
reading E2P_PHY_REG from the wrong location.
CR157 patching was slightly incorrect in that the vendor driver only
patches in an 8-bit value, whereas we were patching 24 bits.
Additionally, CR157 patching was happening on both zd1211 and zd1211b,
but this should only happen on zd1211.
Signed-off-by: Daniel Drake <dsd@gentoo.org> Signed-off-by: Ulrich Kunitz <kune@deine-taler.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
David S. Miller [Mon, 9 Apr 2007 20:23:14 +0000 (13:23 -0700)]
[TCP]: slow_start_after_idle should influence cwnd validation too
For the cases that slow_start_after_idle are meant to deal
with, it is almost a certainty that the congestion window
tests will think the connection is application limited and
we'll thus decrease the cwnd there too. This defeats the
whole point of setting slow_start_after_idle to zero.
So test it there too.
We do not cancel out the entire tcp_cwnd_validate() function
so that if the sysctl is changed we still have the validation
state maintained.
Signed-off-by: David S. Miller <davem@davemloft.net>
Herbert Xu [Mon, 9 Apr 2007 18:51:15 +0000 (11:51 -0700)]
[SC92031]: Fix priv->lock context
The spin_lock calls made in dev->open and dev->close must disable
BH since open/close are made in process context. Conversely, the
call in dev->hard_start_xmit does not need to disable BH since it
is already executing with BH disabled.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Userspace uses an integer for TCA_TCINDEX_SHIFT, the kernel was changed
to expect and use a u16 value in 2.6.11, which broke compatibility on
big endian machines. Change back to use int.
Reported by Ole Reinartz <ole.reinartz@gmx.de>
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Stefan Richter [Wed, 21 Mar 2007 23:40:06 +0000 (00:40 +0100)]
ieee1394: change deprecation status of dv1394
Nobody ported ffmpeg from dv1394 to rawiso yet, and there is no
justification to remove dv1394 right now.
Nevertheless, a strong deprecation of this ABI makes a lot of sense,
especially as Kristian H's drivers shape up to be an attractive
alternative to the existing ones. But we don't have a schedule at the
moment.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Andrew Morton [Sun, 8 Apr 2007 23:04:04 +0000 (16:04 -0700)]
[PATCH] i386: irqbalance_disable() section fix
WARNING: arch/i386/kernel/built-in.o - Section mismatch: reference to .init.text:irqbalance_disable from .text between 'quirk_intel_irqbalance' (at offset 0x80a5) and 'i8237A_suspend'
Andrew Morton [Sun, 8 Apr 2007 23:04:03 +0000 (16:04 -0700)]
[PATCH] x86_64 early quirks: fix early_qrk[] section tag
WARNING: arch/x86_64/kernel/built-in.o - Section mismatch: reference to .init.text:nvidia_bugs from .data between 'early_qrk' (at offset 0x8428) and 'enable_cpu_hotplug'
WARNING: arch/x86_64/kernel/built-in.o - Section mismatch: reference to .init.text:via_bugs from .data between 'early_qrk' (at offset 0x8438) and 'enable_cpu_hotplug'
WARNING: arch/x86_64/kernel/built-in.o - Section mismatch: reference to .init.text:ati_bugs from .data between 'early_qrk' (at offset 0x8448) and 'enable_cpu_hotplug'
The compiler is putting it into .data because the __initdata is in the wrong
place.
David Brownell [Sun, 8 Apr 2007 23:04:02 +0000 (16:04 -0700)]
[PATCH] omap_cf: oops-on-suspend fix
Convert omap_cf into a platform_driver ... this resolves oopsing during
suspend/resume.
Evidently folk haven't tried suspend/resume on an OSK (the main platform
for this driver) since September or so, which is when platform_device
learned about suspend_late()/resume_early() and stopped being able to
suspend/resume without a platform_driver.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Cc: Dominik Brodowski <linux@dominikbrodowski.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[PATCH] Proper fix for highmem kmap_atomic functions for VMI for 2.6.21
Since lazy MMU batching mode still allows interrupts to enter, it is
possible for interrupt handlers to try to use kmap_atomic, which fails when
lazy mode is active, since the PTE update to highmem will be delayed. The
best workaround is to issue an explicit flush in kmap_atomic_functions
case; this is the only way nested PTE updates can happen in the interrupt
handler.
Thanks to Jeremy Fitzhardinge for noting the bug and suggestions on a fix.
This patch gets reverted again when we start 2.6.22 and the bug gets fixed
differently.
Signed-off-by: Zachary Amsden <zach@vmware.com> Cc: Andi Kleen <ak@muc.de> Cc: Jeremy Fitzhardinge <jeremy@goop.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[PATCH] sched: get rid of p->children use in show_task()
the p->parent PID printout gives us all the information about the
task tree that we need - the eldest_child()/older_sibling()/
younger_sibling() printouts are mostly historic and i do not
remember ever having used those fields. (IMO in fact they confuse
the SysRq-T output.) So remove them.
This code has sentimental value though, those fields and
printouts are one of the oldest ones still surviving from
Linux v0.95's kernel/sched.c:
Michael Chan [Sat, 7 Apr 2007 00:35:37 +0000 (17:35 -0700)]
[TG3]: Fix crash during tg3_init_one().
The driver will crash when the chip has been initialized by EFI before
tg3_init_one(). In this case, the driver will call tg3_chip_reset()
before allocating consistent memory.
The bug is fixed by checking for tp->hw_status before accessing it
during tg3_chip_reset().
Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Thu, 5 Apr 2007 23:03:33 +0000 (16:03 -0700)]
[XFRM]: beet: fix IP option decapsulation
Beet mode looks for the beet pseudo header after the outer IP header,
which is wrong since that is followed by the ESP header. Additionally
it needs to adjust the packet length after removing the pseudo header
and point the data pointer to the real data location.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Thu, 5 Apr 2007 22:59:41 +0000 (15:59 -0700)]
[XFRM]: beet: fix beet mode decapsulation
Beet mode decapsulation fails to properly set up the skb pointers, which
only works by accident in combination with CONFIG_NETFILTER, since in that
case the skb is fixed up in xfrm4_input before passing it to the netfilter
hooks.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Thu, 5 Apr 2007 22:54:39 +0000 (15:54 -0700)]
[XFRM]: beet: use IPOPT_NOP for option padding
draft-nikander-esp-beet-mode-07.txt states "The padding MUST be filled
with NOP options as defined in Internet Protocol [1] section 3.1
Internet header format.", so do that.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
IB/iser: Don't defer connection failure notification to workqueue
When a connection is terminated asynchronously from the iSCSI layer's
perspective, iSER needs to notify the iSCSI layer that the connection
has failed. This is done using a workqueue (switched to from the iSER
tasklet context). Meanwhile, the connection object (that holds the
work struct) is released. If the workqueue function wasn't called
yet, it will be called later with a NULL pointer, which will crash the
kernel.
The context switch (tasklet to workqueue) is not required, and
everything can be done from the iSER tasklet. This eliminates the NULL
work struct bug (and simplifies the code).
Signed-off-by: Erez Zilber <erezz@voltaire.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Adam Kropelin [Thu, 5 Apr 2007 14:06:30 +0000 (16:06 +0200)]
HID: Do not discard truncated input reports
Truncated reports should not be discarded since it prevents buggy
devices from communicating with userspace.
Prior to the regession introduced in 2.6.20, a shorter-than-expected
report in hid_input_report() was passed thru after having the missing
bytes cleared. This behavior was established over a few patches in the
2.6.early-teens days, including commit cd6104572bca9e4afe0dcdb8ecd65ef90b01297b.
This patch restores the previous behavior and fixes the regression.
Signed-off-by: Adam Kropelin <akropel1@rochester.rr.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Herbert Xu [Thu, 5 Apr 2007 07:07:39 +0000 (00:07 -0700)]
[IPSEC]: Reject packets within replay window but outside the bit mask
Up until this point we've accepted replay window settings greater than
32 but our bit mask can only accomodate 32 packets. Thus any packet
with a sequence number within the window but outside the bit mask would
be accepted.
This patch causes those packets to be rejected instead.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
[IPv6]: Exclude truncated packets from InHdrErrors statistics
Incoming trancated packets are counted as not only InTruncatedPkts but
also InHdrErrors. They should be counted as InTruncatedPkts only.
Signed-off-by: Mitsuru Chinen <mitch@linux.vnet.ibm.com> Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Jean Delvare [Thu, 5 Apr 2007 06:52:46 +0000 (23:52 -0700)]
[APPLETALK]: Fix a remotely triggerable crash
When we receive an AppleTalk frame shorter than what its header says,
we still attempt to verify its checksum, and trip on the BUG_ON() at
the end of function atalk_sum_skb() because of the length mismatch.
This has security implications because this can be triggered by simply
sending a specially crafted ethernet frame to a target victim,
effectively crashing that host. Thus this qualifies, I think, as a
remote DoS. Here is the frame I used to trigger the crash, in npg
format:
<Appletalk Killer>
{
# Ethernet header -----
XX XX XX XX XX XX # Destination MAC
00 00 00 00 00 00 # Source MAC
00 1D # Length
The destination MAC address must be set to those of the victim.
The severity is mitigated by two requirements:
* The target host must have the appletalk kernel module loaded. I
suspect this isn't so frequent.
* AppleTalk frames are non-IP, thus I guess they can only travel on
local networks. I am no network expert though, maybe it is possible
to somehow encapsulate AppleTalk packets over IP.
The bug has been reported back in June 2004:
http://bugzilla.kernel.org/show_bug.cgi?id=2979
But it wasn't investigated, and was closed in July 2006 as both
reporters had vanished meanwhile.
This code was new in kernel 2.6.0-test5:
http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2
And not modified since then, so we can assume that vanilla kernels
2.6.0-test5 and later, and distribution kernels based thereon, are
affected.
Note that I still do not know for sure what triggered the bug in the
real-world cases. The frame could have been corrupted by the kernel if
we have a bug hiding somewhere. But more likely, we are receiving the
faulty frame from the network.
Signed-off-by: Jean Delvare <jdelvare@suse.de> Signed-off-by: David S. Miller <davem@davemloft.net>
john stultz [Thu, 5 Apr 2007 02:08:24 +0000 (19:08 -0700)]
[PATCH] fix jiffies clocksource inittime
In debugging a problem w/ the -rt tree, I noticed that on systems that mark
the tsc as unstable before it is registered, the TSC would still be
selected and used for a short period of time. Digging in it looks to be a
result of the mix of the clocksource list changes and my clocksource
initialization changes.
With the -rt tree, using a bad TSC, even for a short period of time can
results in a hang at boot. I was not able to reproduce this hang w/
mainline, but I'm not completely certain that someone won't trip on it.
This patch resolves the issue by initializing the jiffies clocksource
earlier so a bad TSC won't get selected just because nothing else is yet
registered.
Signed-off-by: John Stultz <johnstul@us.ibm.com> Acked-by: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@elte.hu> Cc: Andi Kleen <ak@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>