more .27 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Sat, 18 Apr 2009 00:56:58 +0000 (17:56 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Sat, 18 Apr 2009 00:56:58 +0000 (17:56 -0700)
also fix a build issue with
queue-2.6.27/0037-x86-mtrr-don-t-modify-RdDram-WrDram-bits-of-fixed.patch

queue-2.6.27/0037-x86-mtrr-don-t-modify-RdDram-WrDram-bits-of-fixed.patch
queue-2.6.27/bas_gigaset-correctly-allocate-usb-interrupt-transfer-buffer.patch [new file with mode: 0644]
queue-2.6.27/bonding-fix-updating-of-speed-duplex-changes.patch [new file with mode: 0644]
queue-2.6.27/bridge-bad-error-handling-when-adding-invalid-ether-address.patch [new file with mode: 0644]
queue-2.6.27/ipv6-don-t-use-tw-net-when-accounting-for-recycled-tw.patch [new file with mode: 0644]
queue-2.6.27/ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch [new file with mode: 0644]
queue-2.6.27/net-fix-sctp-breakage.patch [new file with mode: 0644]
queue-2.6.27/netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch [new file with mode: 0644]
queue-2.6.27/series

index ecd54e6de90d378b563e218090fb05a9707add6e..b17077bcd93d62a9577797331857633ac5fa68ba 100644 (file)
@@ -94,7 +94,7 @@ Signed-off-by: Chris Wright <chrisw@sous-sol.org>
 +
 +      rdmsr(MSR_K8_SYSCFG, lo, hi);
 +      if (lo & K8_MTRRFIXRANGE_DRAM_MODIFY) {
-+              printk(KERN_ERR FW_WARN "MTRR: CPU %u: SYSCFG[MtrrFixDramModEn]"
++              printk(KERN_ERR "MTRR: CPU %u: SYSCFG[MtrrFixDramModEn]"
 +                     " not cleared by BIOS, clearing this bit\n",
 +                     smp_processor_id());
 +              lo &= ~K8_MTRRFIXRANGE_DRAM_MODIFY;
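Review bot: Dropping `FW_WARN` from the `printk` makes the queued 0037 patch differ from the upstream change it backports, and the lines visible here carry no record of that. The patch header is outside this hunk, so the deviation may already be noted there. If it is not, a bracketed changelog line such as `[backport: FW_WARN prefix dropped, presumably not available in this tree]` would tell later maintainers why the message text diverges.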
diff --git a/queue-2.6.27/bas_gigaset-correctly-allocate-usb-interrupt-transfer-buffer.patch b/queue-2.6.27/bas_gigaset-correctly-allocate-usb-interrupt-transfer-buffer.patch
new file mode 100644 (file)
index 0000000..46cffa9
--- /dev/null
@@ -0,0 +1,81 @@
+From 3928f630f0d9fab7a6a43d7b48718be8e32f3fe1 Mon Sep 17 00:00:00 2001
+From: Tilman Schmidt <tilman@imap.cc>
+Date: Wed, 15 Apr 2009 03:25:43 -0700
+Subject: bas_gigaset: correctly allocate USB interrupt transfer buffer
+
+
+[ Upstream commit 170ebf85160dd128e1c4206cc197cce7d1424705 ]
+
+Every USB transfer buffer has to be allocated individually by kmalloc.
+
+Impact: bugfix, no functional change
+
+Signed-off-by: Tilman Schmidt <tilman@imap.cc>
+Tested-by: Kolja Waschk <kawk@users.sourceforge.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/isdn/gigaset/bas-gigaset.c |   16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/isdn/gigaset/bas-gigaset.c
++++ b/drivers/isdn/gigaset/bas-gigaset.c
+@@ -46,6 +46,9 @@ MODULE_PARM_DESC(cidmode, "Call-ID mode"
+ /* length limit according to Siemens 3070usb-protokoll.doc ch. 2.1 */
+ #define IF_WRITEBUF 264
++/* interrupt pipe message size according to ibid. ch. 2.2 */
++#define IP_MSGSIZE 3
++
+ /* Values for the Gigaset 307x */
+ #define USB_GIGA_VENDOR_ID      0x0681
+ #define USB_3070_PRODUCT_ID     0x0001
+@@ -110,7 +113,7 @@ struct bas_cardstate {
+       unsigned char           *rcvbuf;        /* AT reply receive buffer */
+       struct urb              *urb_int_in;    /* URB for interrupt pipe */
+-      unsigned char           int_in_buf[3];
++      unsigned char           *int_in_buf;
+       spinlock_t              lock;           /* locks all following */
+       int                     basstate;       /* bitmap (BS_*) */
+@@ -657,7 +660,7 @@ static void read_int_callback(struct urb
+       }
+       /* drop incomplete packets even if the missing bytes wouldn't matter */
+-      if (unlikely(urb->actual_length < 3)) {
++      if (unlikely(urb->actual_length < IP_MSGSIZE)) {
+               dev_warn(cs->dev, "incomplete interrupt packet (%d bytes)\n",
+                        urb->actual_length);
+               goto resubmit;
+@@ -2127,6 +2130,7 @@ static void gigaset_reinitbcshw(struct b
+ static void gigaset_freecshw(struct cardstate *cs)
+ {
+       /* timers, URBs and rcvbuf are disposed of in disconnect */
++      kfree(cs->hw.bas->int_in_buf);
+       kfree(cs->hw.bas);
+       cs->hw.bas = NULL;
+ }
+@@ -2232,6 +2236,12 @@ static int gigaset_probe(struct usb_inte
+               }
+               hostif = interface->cur_altsetting;
+       }
++      ucs->int_in_buf = kmalloc(IP_MSGSIZE, GFP_KERNEL);
++      if (!ucs->int_in_buf) {
++              kfree(ucs);
++              pr_err("out of memory\n");
++              return 0;
++      }
+       /* Reject application specific interfaces
+        */
+@@ -2290,7 +2300,7 @@ static int gigaset_probe(struct usb_inte
+       usb_fill_int_urb(ucs->urb_int_in, udev,
+                        usb_rcvintpipe(udev,
+                                       (endpoint->bEndpointAddress) & 0x0f),
+-                       ucs->int_in_buf, 3, read_int_callback, cs,
++                       ucs->int_in_buf, IP_MSGSIZE, read_int_callback, cs,
+                        endpoint->bInterval);
+       if ((rc = usb_submit_urb(ucs->urb_int_in, GFP_KERNEL)) != 0) {
+               dev_err(cs->dev, "could not submit interrupt URB: %s\n",
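Review bot: The new `kmalloc(IP_MSGSIZE, GFP_KERNEL)` block lands in `gigaset_probe()` (per the inner hunk header `@@ -2232,6 +2236,12 @@`), right after the altsetting switch, and its failure path does `kfree(ucs); ... return 0;`. A probe routine that returns 0 tells the USB core the interface was bound, so an allocation failure would be reported as success; `return -ENOMEM;` is the conventional result there. The hunk also does not show `ucs` being assigned before `ucs->int_in_buf` is written, and the `kfree(ucs)` / `return 0` pattern reads like the convention of a state-init helper rather than of probe. It is therefore worth confirming against the 2.6.27 tree that this hunk applied in the function that allocates `ucs`; if `ucs` is still unset at this point, the store is a NULL dereference on every probe. Separately, `gigaset_freecshw()` now reads `cs->hw.bas->int_in_buf` before freeing `cs->hw.bas`, which assumes it is never reached with a NULL `hw.bas`; `gigaset_probe()` itself starts and ends outside the hunk.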
diff --git a/queue-2.6.27/bonding-fix-updating-of-speed-duplex-changes.patch b/queue-2.6.27/bonding-fix-updating-of-speed-duplex-changes.patch
new file mode 100644 (file)
index 0000000..01d2d1a
--- /dev/null
@@ -0,0 +1,82 @@
+From 308ac80d677f5044d9b3437864e5d89a92feb5b2 Mon Sep 17 00:00:00 2001
+From: Jay Vosburgh <fubar@us.ibm.com>
+Date: Sat, 4 Apr 2009 17:23:15 -0700
+Subject: bonding: Fix updating of speed/duplex changes
+
+
+[ Upstream commit 17d04500e2528217de5fe967599f98ee84348a9c ]
+
+       This patch corrects an omission from the following commit:
+
+commit f0c76d61779b153dbfb955db3f144c62d02173c2
+Author: Jay Vosburgh <fubar@us.ibm.com>
+Date:   Wed Jul 2 18:21:58 2008 -0700
+
+    bonding: refactor mii monitor
+
+       The un-refactored code checked the link speed and duplex of
+every slave on every pass; the refactored code did not do so.
+
+       The 802.3ad and balance-alb/tlb modes utilize the speed and
+duplex information, and require it to be kept up to date.  This patch
+adds a notifier check to perform the appropriate updating when the slave
+device speed changes.
+
+Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/bonding/bond_main.c |   25 ++++++++++++++++++++-----
+ drivers/net/bonding/bonding.h   |    6 ++++++
+ 2 files changed, 26 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/bonding/bonding.h
++++ b/drivers/net/bonding/bonding.h
+@@ -248,6 +248,12 @@ static inline struct bonding *bond_get_b
+       return (struct bonding *)slave->dev->master->priv;
+ }
++static inline bool bond_is_lb(const struct bonding *bond)
++{
++        return bond->params.mode == BOND_MODE_TLB
++                || bond->params.mode == BOND_MODE_ALB;
++}
++
+ #define BOND_FOM_NONE                 0
+ #define BOND_FOM_ACTIVE                       1
+ #define BOND_FOM_FOLLOW                       2
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3516,11 +3516,26 @@ static int bond_slave_netdev_event(unsig
+               }
+               break;
+       case NETDEV_CHANGE:
+-              /*
+-               * TODO: is this what we get if somebody
+-               * sets up a hierarchical bond, then rmmod's
+-               * one of the slave bonding devices?
+-               */
++              if (bond->params.mode == BOND_MODE_8023AD || bond_is_lb(bond)) {
++                      struct slave *slave;
++
++                      slave = bond_get_slave_by_dev(bond, slave_dev);
++                      if (slave) {
++                              u16 old_speed = slave->speed;
++                              u16 old_duplex = slave->duplex;
++
++                              bond_update_speed_duplex(slave);
++
++                              if (bond_is_lb(bond))
++                                      break;
++
++                              if (old_speed != slave->speed)
++                                      bond_3ad_adapter_speed_changed(slave);
++                              if (old_duplex != slave->duplex)
++                                      bond_3ad_adapter_duplex_changed(slave);
++                      }
++              }
++
+               break;
+       case NETDEV_DOWN:
+               /*
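Review bot: The bare `break;` inside `if (bond_is_lb(bond))` leaves `case NETDEV_CHANGE` from two levels of nesting, which is easy to misread as skipping only the inner block. Guarding the two notifications with the mode states the intent directly: wrap the `bond_3ad_adapter_speed_changed()` / `bond_3ad_adapter_duplex_changed()` calls in `if (bond->params.mode == BOND_MODE_8023AD) {`. The return value of `bond_update_speed_duplex(slave)` is also ignored; whether a failed update can still alter `slave->speed` or `slave->duplex` and raise a spurious 802.3ad notification is not visible here and should be checked. `bond_slave_netdev_event()` begins and ends outside the hunk.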
diff --git a/queue-2.6.27/bridge-bad-error-handling-when-adding-invalid-ether-address.patch b/queue-2.6.27/bridge-bad-error-handling-when-adding-invalid-ether-address.patch
new file mode 100644 (file)
index 0000000..66a4ec6
--- /dev/null
@@ -0,0 +1,33 @@
+From 8866e77e34c013658b231ba3690250c4db05e38d Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <shemminger@vyatta.com>
+Date: Wed, 25 Mar 2009 21:01:47 -0700
+Subject: bridge: bad error handling when adding invalid ether address
+
+
+[ Upstream commit cda6d377ec6b2ee2e58d563d0bd7eb313e0165df ]
+
+This fixes an crash when empty bond device is added to a bridge.
+If an interface with invalid ethernet address (all zero) is added
+to a bridge, then bridge code detects it when setting up the forward
+databas entry. But the error unwind is broken, the bridge port object
+can get freed twice: once when ref count went to zeo, and once by kfree.
+Since object is never really accessible, just free it.
+
+Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bridge/br_if.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/bridge/br_if.c
++++ b/net/bridge/br_if.c
+@@ -419,7 +419,6 @@ err2:
+ err1:
+       kobject_del(&p->kobj);
+ err0:
+-      kobject_put(&p->kobj);
+       dev_set_promiscuity(dev, -1);
+ put_back:
+       dev_put(dev);
diff --git a/queue-2.6.27/ipv6-don-t-use-tw-net-when-accounting-for-recycled-tw.patch b/queue-2.6.27/ipv6-don-t-use-tw-net-when-accounting-for-recycled-tw.patch
new file mode 100644 (file)
index 0000000..3645242
--- /dev/null
@@ -0,0 +1,41 @@
+From 6feb7acb128c3ee225d1444fe5bca386b5bd0fa3 Mon Sep 17 00:00:00 2001
+From: Pavel Emelyanov <xemul@openvz.org>
+Date: Thu, 26 Feb 2009 03:35:13 -0800
+Subject: ipv6: don't use tw net when accounting for recycled tw
+
+
+[ Upstream commit 3f53a38131a4e7a053c0aa060aba0411242fb6b9 ]
+
+We already have a valid net in that place, but this is not just a
+cleanup - the tw pointer can be NULL there sometimes, thus causing
+an oops in NET_NS=y case.
+
+The same place in ipv4 code already works correctly using existing
+net, rather than tw's one.
+
+The bug exists since 2.6.27.
+
+Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/inet6_hashtables.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -210,11 +210,11 @@ unique:
+       if (twp != NULL) {
+               *twp = tw;
+-              NET_INC_STATS_BH(twsk_net(tw), LINUX_MIB_TIMEWAITRECYCLED);
++              NET_INC_STATS_BH(net, LINUX_MIB_TIMEWAITRECYCLED);
+       } else if (tw != NULL) {
+               /* Silly. Should hash-dance instead... */
+               inet_twsk_deschedule(tw, death_row);
+-              NET_INC_STATS_BH(twsk_net(tw), LINUX_MIB_TIMEWAITRECYCLED);
++              NET_INC_STATS_BH(net, LINUX_MIB_TIMEWAITRECYCLED);
+               inet_twsk_put(tw);
+       }
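Review bot: Nothing in the code records why `net` replaces `twsk_net(tw)`, so the NULL-`tw` case described in the changelog is easy to reintroduce in the `twp != NULL` branch, where `tw` is stored without a check. A one-line comment above the first `NET_INC_STATS_BH` would cover it: `/* tw may be NULL here; account against the caller's net */`. The declaration of `net` is outside the hunk, so its origin should be confirmed against the enclosing function.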
diff --git a/queue-2.6.27/ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch b/queue-2.6.27/ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch
new file mode 100644 (file)
index 0000000..a7c78e5
--- /dev/null
@@ -0,0 +1,52 @@
+From 5209180c240d396274624326a7ac86642db0b505 Mon Sep 17 00:00:00 2001
+From: Jesper Nilsson <jesper.nilsson@axis.com>
+Date: Fri, 27 Mar 2009 00:17:45 -0700
+Subject: ipv6: Plug sk_buff leak in ipv6_rcv (net/ipv6/ip6_input.c)
+
+
+[ Upstream commit 71f6f6dfdf7c7a67462386d9ea05c1095a89c555 ]
+
+Commit 778d80be52699596bf70e0eb0761cf5e1e46088d
+(ipv6: Add disable_ipv6 sysctl to disable IPv6 operaion on specific interface)
+seems to have introduced a leak of sk_buff's for ipv6 traffic,
+at least in some configurations where idev is NULL, or when ipv6
+is disabled via sysctl.
+
+The problem is that if the first condition of the if-statement
+returns non-NULL, it returns an skb with only one reference,
+and when the other conditions apply, execution jumps to the "out"
+label, which does not call kfree_skb for it.
+
+To plug this leak, change to use the "drop" label instead.
+(this relies on it being ok to call kfree_skb on NULL)
+This also allows us to avoid calling rcu_read_unlock here,
+and removes the only user of the "out" label.
+
+Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ip6_input.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/ipv6/ip6_input.c
++++ b/net/ipv6/ip6_input.c
+@@ -74,8 +74,7 @@ int ipv6_rcv(struct sk_buff *skb, struct
+       if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL ||
+           !idev || unlikely(idev->cnf.disable_ipv6)) {
+               IP6_INC_STATS_BH(idev, IPSTATS_MIB_INDISCARDS);
+-              rcu_read_unlock();
+-              goto out;
++              goto drop;
+       }
+       memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
+@@ -145,7 +144,6 @@ err:
+ drop:
+       rcu_read_unlock();
+       kfree_skb(skb);
+-out:
+       return 0;
+ }
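Review bot: With `goto drop` the error path is now taken with `skb == NULL` when `skb_share_check()` fails, so `drop:` depends on `kfree_skb(NULL)` being a no-op, and that dependency is stated only in the changelog. A comment at the jump would keep it visible in the code: `/* skb may be NULL here; kfree_skb() accepts NULL */`. The same block passes `idev` to `IP6_INC_STATS_BH` on the `!idev` branch; whether that macro tolerates a NULL `idev` cannot be seen from this hunk. `ipv6_rcv()` starts before the first inner hunk and continues between the two.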
diff --git a/queue-2.6.27/net-fix-sctp-breakage.patch b/queue-2.6.27/net-fix-sctp-breakage.patch
new file mode 100644 (file)
index 0000000..382be62
--- /dev/null
@@ -0,0 +1,32 @@
+From e248c24d0d83f40328b11cddee7cb4fd090ebcf4 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 18 Mar 2009 19:12:42 -0700
+Subject: net: fix sctp breakage
+
+
+[ Upstream commit cb0dc77de0d23615a845e45844a2e22fc224d7fe ]
+
+broken by commit 5e739d1752aca4e8f3e794d431503bfca3162df4; AFAICS should
+be -stable fodder as well...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Aced-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sctp/endpointola.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/endpointola.c
++++ b/net/sctp/endpointola.c
+@@ -111,7 +111,8 @@ static struct sctp_endpoint *sctp_endpoi
+               if (sctp_addip_enable) {
+                       auth_chunks->chunks[0] = SCTP_CID_ASCONF;
+                       auth_chunks->chunks[1] = SCTP_CID_ASCONF_ACK;
+-                      auth_chunks->param_hdr.length += htons(2);
++                      auth_chunks->param_hdr.length =
++                                      htons(sizeof(sctp_paramhdr_t) + 2);
+               }
+       }
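Review bot: The literal `2` in `htons(sizeof(sctp_paramhdr_t) + 2)` silently duplicates the number of chunk ids written to `chunks[0]` and `chunks[1]` just above it. The assignment also overwrites whatever length was set earlier, so it is only correct if no other chunk ids were placed in `auth_chunks` before this point, which the hunk does not show. A comment would pin both facts: `/* header plus the two chunk ids above; length is in network byte order, so it cannot be adjusted with += */`. The enclosing function starts and ends outside the hunk.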
diff --git a/queue-2.6.27/netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch b/queue-2.6.27/netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch
new file mode 100644 (file)
index 0000000..24e25f0
--- /dev/null
@@ -0,0 +1,42 @@
+From 0c6310c4d90558e72e410c3777e29acdec6477e2 Mon Sep 17 00:00:00 2001
+From: Mark H. Weaver <mhw@netris.org>
+Date: Mon, 23 Mar 2009 13:46:12 +0100
+Subject: netfilter: nf_conntrack_tcp: fix unaligned memory access in tcp_sack
+
+
+[ Upstream commit 534f81a5068799799e264fd162e9488a129f98d4 ]
+
+This patch fixes an unaligned memory access in tcp_sack while reading
+sequence numbers from TCP selective acknowledgement options.  Prior to
+applying this patch, upstream linux-2.6.27.20 was occasionally
+generating messages like this on my sparc64 system:
+
+  [54678.532071] Kernel unaligned access at TPC[6b17d4] tcp_packet+0xcd4/0xd00
+
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nf_conntrack_proto_tcp.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -15,6 +15,7 @@
+ #include <linux/skbuff.h>
+ #include <linux/ipv6.h>
+ #include <net/ip6_checksum.h>
++#include <asm/unaligned.h>
+ #include <net/tcp.h>
+@@ -466,7 +467,7 @@ static void tcp_sack(const struct sk_buf
+                               for (i = 0;
+                                    i < (opsize - TCPOLEN_SACK_BASE);
+                                    i += TCPOLEN_SACK_PERBLOCK) {
+-                                      tmp = ntohl(*((__be32 *)(ptr+i)+1));
++                                      tmp = get_unaligned_be32((__be32 *)(ptr+i)+1);
+                                       if (after(tmp, *sack))
+                                               *sack = tmp;
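Review bot: `get_unaligned_be32((__be32 *)(ptr+i)+1)` still forms a `__be32 *` from an address the changelog says can be misaligned, and does pointer arithmetic on it before the helper sees it. Computing the offset in bytes avoids the cast entirely: `tmp = get_unaligned_be32(ptr + i + 4);`, assuming `ptr` is a byte pointer (its declaration is outside the hunk). The loop bound `i < (opsize - TCPOLEN_SACK_BASE)` is derived from a length carried in the packet, and each iteration reads four bytes at `ptr + i + 4`. The check that `opsize` stays within the option area is not visible here and is worth confirming in the part of `tcp_sack()` outside the hunk.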
index ec4964e115a88dc0d540c991b662edddf248f2d4..590503fefaa1bb684f3ae8d4d5322edaccaeb49c 100644 (file)
@@ -9,3 +9,10 @@
 0032-Add-a-missing-unlock_kernel-in-raw_open.patch
 0033-x86-PAT-PCI-Change-vma-prot-in-pci_mmap-to-reflec.patch
 0037-x86-mtrr-don-t-modify-RdDram-WrDram-bits-of-fixed.patch
+bas_gigaset-correctly-allocate-usb-interrupt-transfer-buffer.patch
+bonding-fix-updating-of-speed-duplex-changes.patch
+bridge-bad-error-handling-when-adding-invalid-ether-address.patch
+ipv6-don-t-use-tw-net-when-accounting-for-recycled-tw.patch
+ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch
+netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch
+net-fix-sctp-breakage.patch