20 patches added to queue
authorGreg Kroah-Hartman <gregkh@suse.de>
Sat, 10 Mar 2007 05:35:30 +0000 (21:35 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Sat, 10 Mar 2007 05:35:30 +0000 (21:35 -0800)
21 files changed:
queue-2.6.20/bcm43xx-fix-problem-with-1-gb-ram.patch [new file with mode: 0644]
queue-2.6.20/conntrack-fix-nf-ip-_ct_iterate_cleanup-endless-loops.patch [new file with mode: 0644]
queue-2.6.20/fix-bug-7994-sleeping-function-called-from-invalid-context.patch [new file with mode: 0644]
queue-2.6.20/fix-callback-bug-in-connector.patch [new file with mode: 0644]
queue-2.6.20/fix-compat_getsockopt.patch [new file with mode: 0644]
queue-2.6.20/fix-for-bugzilla-7544.patch [new file with mode: 0644]
queue-2.6.20/fix-sparc64-device-register-probing.patch [new file with mode: 0644]
queue-2.6.20/fix-timewait-jiffies.patch [new file with mode: 0644]
queue-2.6.20/fix-udp-header-pointer-after-pskb_trim_rcsum.patch [new file with mode: 0644]
queue-2.6.20/ip6_route_me_harder-should-take-into-account-mark.patch [new file with mode: 0644]
queue-2.6.20/nf_conntrack-fix-incorrect-classification-of-ipv6-fragments-as-established.patch [new file with mode: 0644]
queue-2.6.20/nf_conntrack-nf_nat-fix-incorrect-config-ifdefs.patch [new file with mode: 0644]
queue-2.6.20/nfnetlink_log-fix-crash-on-bridged-packet.patch [new file with mode: 0644]
queue-2.6.20/nfnetlink_log-fix-null-pointer-dereference.patch [new file with mode: 0644]
queue-2.6.20/nfnetlink_log-fix-possible-null-pointer-dereference.patch [new file with mode: 0644]
queue-2.6.20/nfnetlink_log-fix-reference-counting.patch [new file with mode: 0644]
queue-2.6.20/nfnetlink_log-fix-reference-leak.patch [new file with mode: 0644]
queue-2.6.20/nfnetlink_log-fix-use-after-free.patch [new file with mode: 0644]
queue-2.6.20/nfnetlink_log-zero-terminate-prefix.patch [new file with mode: 0644]
queue-2.6.20/series [new file with mode: 0644]
queue-2.6.20/tcp-conntrack-accept-syn-urg-as-valid.patch [new file with mode: 0644]

diff --git a/queue-2.6.20/bcm43xx-fix-problem-with-1-gb-ram.patch b/queue-2.6.20/bcm43xx-fix-problem-with-1-gb-ram.patch
new file mode 100644 (file)
index 0000000..e931267
--- /dev/null
@@ -0,0 +1,311 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 10:07:33 2007
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Wed, 07 Mar 2007 13:05:58 -0500
+Subject: bcm43xx: Fix problem with >1 GB RAM
+To: linux-stable <stable@kernel.org>
+Message-ID: <45EEFF06.7010101@redhat.com>
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+[PATCH] bcm43xx: Fix problem with >1 GB RAM
+
+Some versions of the bcm43xx chips only support 30-bit DMA, which means
+that the descriptors and buffers must be in the first 1 GB of RAM. On
+the i386 and x86_64 architectures with more than 1 GB RAM, an incorrect
+assignment may occur. This patch ensures that the various DMA addresses
+are within the capability of the chip. Testing has been limited to x86_64
+as no one has an i386 system with more than 1 GB RAM.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/bcm43xx/bcm43xx.h     |    1 
+ drivers/net/wireless/bcm43xx/bcm43xx_dma.c |  171 +++++++++++++++++++++--------
+ 2 files changed, 125 insertions(+), 47 deletions(-)
+
+--- a/drivers/net/wireless/bcm43xx/bcm43xx.h
++++ b/drivers/net/wireless/bcm43xx/bcm43xx.h
+@@ -766,6 +766,7 @@ struct bcm43xx_private {
+        * This is currently always BCM43xx_BUSTYPE_PCI
+        */
+       u8 bustype;
++      u64 dma_mask;
+       u16 board_vendor;
+       u16 board_type;
+--- a/drivers/net/wireless/bcm43xx/bcm43xx_dma.c
++++ b/drivers/net/wireless/bcm43xx/bcm43xx_dma.c
+@@ -145,16 +145,14 @@ dma_addr_t map_descbuffer(struct bcm43xx
+                         int tx)
+ {
+       dma_addr_t dmaaddr;
++      int direction = PCI_DMA_FROMDEVICE;
+-      if (tx) {
+-              dmaaddr = dma_map_single(&ring->bcm->pci_dev->dev,
+-                                       buf, len,
+-                                       DMA_TO_DEVICE);
+-      } else {
+-              dmaaddr = dma_map_single(&ring->bcm->pci_dev->dev,
++      if (tx)
++              direction = PCI_DMA_TODEVICE;
++
++      dmaaddr = pci_map_single(ring->bcm->pci_dev,
+                                        buf, len,
+-                                       DMA_FROM_DEVICE);
+-      }
++                                       direction);
+       return dmaaddr;
+ }
+@@ -166,13 +164,13 @@ void unmap_descbuffer(struct bcm43xx_dma
+                     int tx)
+ {
+       if (tx) {
+-              dma_unmap_single(&ring->bcm->pci_dev->dev,
++              pci_unmap_single(ring->bcm->pci_dev,
+                                addr, len,
+-                               DMA_TO_DEVICE);
++                               PCI_DMA_TODEVICE);
+       } else {
+-              dma_unmap_single(&ring->bcm->pci_dev->dev,
++              pci_unmap_single(ring->bcm->pci_dev,
+                                addr, len,
+-                               DMA_FROM_DEVICE);
++                               PCI_DMA_FROMDEVICE);
+       }
+ }
+@@ -183,8 +181,8 @@ void sync_descbuffer_for_cpu(struct bcm4
+ {
+       assert(!ring->tx);
+-      dma_sync_single_for_cpu(&ring->bcm->pci_dev->dev,
+-                              addr, len, DMA_FROM_DEVICE);
++      pci_dma_sync_single_for_cpu(ring->bcm->pci_dev,
++                                  addr, len, PCI_DMA_FROMDEVICE);
+ }
+ static inline
+@@ -194,8 +192,8 @@ void sync_descbuffer_for_device(struct b
+ {
+       assert(!ring->tx);
+-      dma_sync_single_for_device(&ring->bcm->pci_dev->dev,
+-                                 addr, len, DMA_FROM_DEVICE);
++      pci_dma_sync_single_for_cpu(ring->bcm->pci_dev,
++                                  addr, len, PCI_DMA_TODEVICE);
+ }
+ /* Unmap and free a descriptor buffer. */
+@@ -214,17 +212,53 @@ void free_descriptor_buffer(struct bcm43
+ static int alloc_ringmemory(struct bcm43xx_dmaring *ring)
+ {
+-      struct device *dev = &(ring->bcm->pci_dev->dev);
+-
+-      ring->descbase = dma_alloc_coherent(dev, BCM43xx_DMA_RINGMEMSIZE,
+-                                          &(ring->dmabase), GFP_KERNEL);
++      ring->descbase = pci_alloc_consistent(ring->bcm->pci_dev, BCM43xx_DMA_RINGMEMSIZE,
++                                          &(ring->dmabase));
+       if (!ring->descbase) {
+-              printk(KERN_ERR PFX "DMA ringmemory allocation failed\n");
+-              return -ENOMEM;
++              /* Allocation may have failed due to pci_alloc_consistent
++                 insisting on use of GFP_DMA, which is more restrictive
++                 than necessary...  */
++              struct dma_desc *rx_ring;
++              dma_addr_t rx_ring_dma;
++
++              rx_ring = kzalloc(BCM43xx_DMA_RINGMEMSIZE, GFP_KERNEL);
++              if (!rx_ring)
++                      goto out_err;
++
++              rx_ring_dma = pci_map_single(ring->bcm->pci_dev, rx_ring,
++                                           BCM43xx_DMA_RINGMEMSIZE,
++                                           PCI_DMA_BIDIRECTIONAL);
++
++              if (pci_dma_mapping_error(rx_ring_dma) ||
++                  rx_ring_dma + BCM43xx_DMA_RINGMEMSIZE > ring->bcm->dma_mask) {
++                      /* Sigh... */
++                      if (!pci_dma_mapping_error(rx_ring_dma))
++                              pci_unmap_single(ring->bcm->pci_dev,
++                                               rx_ring_dma, BCM43xx_DMA_RINGMEMSIZE,
++                                               PCI_DMA_BIDIRECTIONAL);
++                      rx_ring_dma = pci_map_single(ring->bcm->pci_dev,
++                                               rx_ring, BCM43xx_DMA_RINGMEMSIZE,
++                                               PCI_DMA_BIDIRECTIONAL);
++                      if (pci_dma_mapping_error(rx_ring_dma) ||
++                          rx_ring_dma + BCM43xx_DMA_RINGMEMSIZE > ring->bcm->dma_mask) {
++                              assert(0);
++                              if (!pci_dma_mapping_error(rx_ring_dma))
++                                      pci_unmap_single(ring->bcm->pci_dev,
++                                                       rx_ring_dma, BCM43xx_DMA_RINGMEMSIZE,
++                                                       PCI_DMA_BIDIRECTIONAL);
++                              goto out_err;
++                      }
++                }
++
++                ring->descbase = rx_ring;
++                ring->dmabase = rx_ring_dma;
+       }
+       memset(ring->descbase, 0, BCM43xx_DMA_RINGMEMSIZE);
+       return 0;
++out_err:
++      printk(KERN_ERR PFX "DMA ringmemory allocation failed\n");
++      return -ENOMEM;
+ }
+ static void free_ringmemory(struct bcm43xx_dmaring *ring)
+@@ -407,6 +441,29 @@ static int setup_rx_descbuffer(struct bc
+       if (unlikely(!skb))
+               return -ENOMEM;
+       dmaaddr = map_descbuffer(ring, skb->data, ring->rx_buffersize, 0);
++      /* This hardware bug work-around adapted from the b44 driver.
++         The chip may be unable to do PCI DMA to/from anything above 1GB */
++      if (pci_dma_mapping_error(dmaaddr) ||
++          dmaaddr + ring->rx_buffersize > ring->bcm->dma_mask) {
++              /* This one has 30-bit addressing... */
++              if (!pci_dma_mapping_error(dmaaddr))
++                      pci_unmap_single(ring->bcm->pci_dev,
++                                       dmaaddr, ring->rx_buffersize,
++                                       PCI_DMA_FROMDEVICE);
++              dev_kfree_skb_any(skb);
++              skb = __dev_alloc_skb(ring->rx_buffersize,GFP_DMA);
++              if (skb == NULL)
++                      return -ENOMEM;
++              dmaaddr = pci_map_single(ring->bcm->pci_dev,
++                                       skb->data, ring->rx_buffersize,
++                                       PCI_DMA_FROMDEVICE);
++              if (pci_dma_mapping_error(dmaaddr) ||
++                  dmaaddr + ring->rx_buffersize > ring->bcm->dma_mask) {
++                      assert(0);
++                      dev_kfree_skb_any(skb);
++                      return -ENOMEM;
++              }
++      }
+       meta->skb = skb;
+       meta->dmaaddr = dmaaddr;
+       skb->dev = ring->bcm->net_dev;
+@@ -636,8 +693,10 @@ struct bcm43xx_dmaring * bcm43xx_setup_d
+       err = dmacontroller_setup(ring);
+       if (err)
+               goto err_free_ringmemory;
++      return ring;
+ out:
++      printk(KERN_ERR PFX "Error in bcm43xx_setup_dmaring\n");
+       return ring;
+ err_free_ringmemory:
+@@ -705,30 +764,16 @@ int bcm43xx_dma_init(struct bcm43xx_priv
+       struct bcm43xx_dmaring *ring;
+       int err = -ENOMEM;
+       int dma64 = 0;
+-      u64 mask = bcm43xx_get_supported_dma_mask(bcm);
+-      int nobits;
+-      if (mask == DMA_64BIT_MASK) {
++      bcm->dma_mask = bcm43xx_get_supported_dma_mask(bcm);
++      if (bcm->dma_mask == DMA_64BIT_MASK)
+               dma64 = 1;
+-              nobits = 64;
+-      } else if (mask == DMA_32BIT_MASK)
+-              nobits = 32;
+-      else
+-              nobits = 30;
+-      err = pci_set_dma_mask(bcm->pci_dev, mask);
+-      err |= pci_set_consistent_dma_mask(bcm->pci_dev, mask);
+-      if (err) {
+-#ifdef CONFIG_BCM43XX_PIO
+-              printk(KERN_WARNING PFX "DMA not supported on this device."
+-                                      " Falling back to PIO.\n");
+-              bcm->__using_pio = 1;
+-              return -ENOSYS;
+-#else
+-              printk(KERN_ERR PFX "FATAL: DMA not supported and PIO not configured. "
+-                                  "Please recompile the driver with PIO support.\n");
+-              return -ENODEV;
+-#endif /* CONFIG_BCM43XX_PIO */
+-      }
++      err = pci_set_dma_mask(bcm->pci_dev, bcm->dma_mask);
++      if (err)
++              goto no_dma;
++      err = pci_set_consistent_dma_mask(bcm->pci_dev, bcm->dma_mask);
++      if (err)
++              goto no_dma;
+       /* setup TX DMA channels. */
+       ring = bcm43xx_setup_dmaring(bcm, 0, 1, dma64);
+@@ -774,7 +819,9 @@ int bcm43xx_dma_init(struct bcm43xx_priv
+               dma->rx_ring3 = ring;
+       }
+-      dprintk(KERN_INFO PFX "%d-bit DMA initialized\n", nobits);
++      dprintk(KERN_INFO PFX "%d-bit DMA initialized\n",
++              (bcm->dma_mask == DMA_64BIT_MASK) ? 64 :
++              (bcm->dma_mask == DMA_32BIT_MASK) ? 32 : 30);
+       err = 0;
+ out:
+       return err;
+@@ -800,7 +847,17 @@ err_destroy_tx1:
+ err_destroy_tx0:
+       bcm43xx_destroy_dmaring(dma->tx_ring0);
+       dma->tx_ring0 = NULL;
+-      goto out;
++no_dma:
++#ifdef CONFIG_BCM43XX_PIO
++      printk(KERN_WARNING PFX "DMA not supported on this device."
++                              " Falling back to PIO.\n");
++      bcm->__using_pio = 1;
++      return -ENOSYS;
++#else
++      printk(KERN_ERR PFX "FATAL: DMA not supported and PIO not configured. "
++                          "Please recompile the driver with PIO support.\n");
++      return -ENODEV;
++#endif /* CONFIG_BCM43XX_PIO */
+ }
+ /* Generate a cookie for the TX header. */
+@@ -905,6 +962,7 @@ static void dma_tx_fragment(struct bcm43
+       struct bcm43xx_dmadesc_generic *desc;
+       struct bcm43xx_dmadesc_meta *meta;
+       dma_addr_t dmaaddr;
++      struct sk_buff *bounce_skb;
+       assert(skb_shinfo(skb)->nr_frags == 0);
+@@ -924,9 +982,28 @@ static void dma_tx_fragment(struct bcm43
+                              skb->len - sizeof(struct bcm43xx_txhdr),
+                              (cur_frag == 0),
+                              generate_cookie(ring, slot));
++      dmaaddr = map_descbuffer(ring, skb->data, skb->len, 1);
++      if (dma_mapping_error(dmaaddr) || dmaaddr + skb->len > ring->bcm->dma_mask) {
++              /* chip cannot handle DMA to/from > 1GB, use bounce buffer (copied from b44 driver) */
++              if (!dma_mapping_error(dmaaddr))
++                      unmap_descbuffer(ring, dmaaddr, skb->len, 1);
++              bounce_skb = __dev_alloc_skb(skb->len, GFP_ATOMIC|GFP_DMA);
++              if (!bounce_skb)
++                      return;
++              dmaaddr = map_descbuffer(ring, bounce_skb->data, bounce_skb->len, 1);
++              if (dma_mapping_error(dmaaddr) || dmaaddr + skb->len > ring->bcm->dma_mask) {
++                      if (!dma_mapping_error(dmaaddr))
++                              unmap_descbuffer(ring, dmaaddr, skb->len, 1);
++                      dev_kfree_skb_any(bounce_skb);
++                      assert(0);
++                      return;
++              }
++              memcpy(skb_put(bounce_skb, skb->len), skb->data, skb->len);
++              dev_kfree_skb_any(skb);
++              skb = bounce_skb;
++      }
+       meta->skb = skb;
+-      dmaaddr = map_descbuffer(ring, skb->data, skb->len, 1);
+       meta->dmaaddr = dmaaddr;
+       fill_descriptor(ring, desc, dmaaddr,
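Review bot: In the `dma_tx_fragment` hunk the bounce buffer is mapped with `bounce_skb->len`, which is still 0 at that point because `skb_put()` only runs after the mapping, while the error path unmaps with `skb->len`; do the copy first and map the real length, i.e. `memcpy(skb_put(bounce_skb, skb->len), skb->data, skb->len);` followed by `dmaaddr = map_descbuffer(ring, bounce_skb->data, skb->len, 1);`. The two early `return`s in that branch also appear to drop the frame without freeing the original `skb`; the function continues outside the hunk, so confirm who owns it on failure. In `sync_descbuffer_for_device` the new call is `pci_dma_sync_single_for_cpu(..., PCI_DMA_TODEVICE)` on a ring asserted to be RX, which looks like a copy-paste slip for `pci_dma_sync_single_for_device(ring->bcm->pci_dev, addr, len, PCI_DMA_FROMDEVICE);`. In `alloc_ringmemory` the `goto out_err` after the second failed mapping never calls `kfree(rx_ring)`, and in `setup_rx_descbuffer` the second over-the-mask failure frees the skb without `pci_unmap_single()` when the mapping itself succeeded, so both paths leak on the systems this patch targets.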
diff --git a/queue-2.6.20/conntrack-fix-nf-ip-_ct_iterate_cleanup-endless-loops.patch b/queue-2.6.20/conntrack-fix-nf-ip-_ct_iterate_cleanup-endless-loops.patch
new file mode 100644 (file)
index 0000000..8065c36
--- /dev/null
@@ -0,0 +1,88 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 13:36:06 2007
+From: Patrick McHardy <kaber@trash.net>
+Date: Wed,  7 Mar 2007 22:34:27 +0100 (MET)
+Subject: conntrack: fix {nf, ip}_ct_iterate_cleanup endless loops
+To: stable@kernel.org
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, <davem@davemloft.net>
+Message-ID: <20070307213348.22306.24109.sendpatchset@localhost.localdomain>
+
+From: Patrick McHardy <kaber@trash.net>
+
+[NETFILTER]: conntrack: fix {nf,ip}_ct_iterate_cleanup endless loops
+
+Fix {nf,ip}_ct_iterate_cleanup unconfirmed list handling:
+
+- unconfirmed entries can not be killed manually, they are removed on
+  confirmation or final destruction of the conntrack entry, which means
+  we might iterate forever without making forward progress.
+
+  This can happen in combination with the conntrack event cache, which
+  holds a reference to the conntrack entry, which is only released when
+  the packet makes it all the way through the stack or a different
+  packet is handled.
+
+- taking references to an unconfirmed entry and using it outside the
+  locked section doesn't work, the list entries are not refcounted and
+  another CPU might already be waiting to destroy the entry
+
+What the code really wants to do is make sure the references of the hash
+table to the selected conntrack entries are released, so they will be
+destroyed once all references from skbs and the event cache are dropped.
+
+Since unconfirmed entries haven't even entered the hash yet, simply mark
+them as dying and skip confirmation based on that.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/netfilter_ipv4/ip_conntrack_core.h |    2 +-
+ include/net/netfilter/nf_conntrack_core.h        |    2 +-
+ net/ipv4/netfilter/ip_conntrack_core.c           |    2 +-
+ net/netfilter/nf_conntrack_core.c                |    2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/linux/netfilter_ipv4/ip_conntrack_core.h
++++ b/include/linux/netfilter_ipv4/ip_conntrack_core.h
+@@ -45,7 +45,7 @@ static inline int ip_conntrack_confirm(s
+       int ret = NF_ACCEPT;
+       if (ct) {
+-              if (!is_confirmed(ct))
++              if (!is_confirmed(ct) && !is_dying(ct))
+                       ret = __ip_conntrack_confirm(pskb);
+               ip_ct_deliver_cached_events(ct);
+       }
+--- a/include/net/netfilter/nf_conntrack_core.h
++++ b/include/net/netfilter/nf_conntrack_core.h
+@@ -64,7 +64,7 @@ static inline int nf_conntrack_confirm(s
+       int ret = NF_ACCEPT;
+       if (ct) {
+-              if (!nf_ct_is_confirmed(ct))
++              if (!nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct))
+                       ret = __nf_conntrack_confirm(pskb);
+               nf_ct_deliver_cached_events(ct);
+       }
+--- a/net/ipv4/netfilter/ip_conntrack_core.c
++++ b/net/ipv4/netfilter/ip_conntrack_core.c
+@@ -1242,7 +1242,7 @@ get_next_corpse(int (*iter)(struct ip_co
+       list_for_each_entry(h, &unconfirmed, list) {
+               ct = tuplehash_to_ctrack(h);
+               if (iter(ct, data))
+-                      goto found;
++                      set_bit(IPS_DYING_BIT, &ct->status);
+       }
+       write_unlock_bh(&ip_conntrack_lock);
+       return NULL;
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1052,7 +1052,7 @@ get_next_corpse(int (*iter)(struct nf_co
+       list_for_each_entry(h, &unconfirmed, list) {
+               ct = nf_ct_tuplehash_to_ctrack(h);
+               if (iter(ct, data))
+-                      goto found;
++                      set_bit(IPS_DYING_BIT, &ct->status);
+       }
+       write_unlock_bh(&nf_conntrack_lock);
+       return NULL;
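Review bot: The `set_bit(IPS_DYING_BIT, &ct->status)` lines in both `get_next_corpse` hunks carry no comment, so the reason unconfirmed entries are only flagged instead of being returned through `found` is recorded only in the commit message. A short comment above each `set_bit` would keep it with the code, for example `/* unconfirmed entries are not in the hash and cannot be killed here; mark them dying so confirmation is skipped */`. The matching `!is_dying(ct)` and `!nf_ct_is_dying(ct)` tests in the two confirm helpers would benefit from a one-line pointer to the same reasoning. All four functions start and end outside the hunks shown.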
diff --git a/queue-2.6.20/fix-bug-7994-sleeping-function-called-from-invalid-context.patch b/queue-2.6.20/fix-bug-7994-sleeping-function-called-from-invalid-context.patch
new file mode 100644 (file)
index 0000000..f7bf793
--- /dev/null
@@ -0,0 +1,65 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 11:36:06 2007
+From: Douglas Gilbert <dougg@torque.net>
+Date: Wed, 07 Mar 2007 14:33:38 -0500
+Subject: Fix bug 7994 sleeping function called from invalid context
+To: Greg KH <gregkh@suse.de>
+Cc: <James.Bottomley@SteelEye.com>, stable@kernel.org
+Message-ID: <45EF1392.2090001@torque.net>
+
+From: Douglas Gilbert <dougg@torque.net>
+
+  - addresses the reported bug (with GFP_KERNEL -> GFP_ATOMIC)
+  - improves error checking, and
+  - is a subset of the changes to scsi_debug in lk 2.6.21-rc*
+
+Compiled and lightly tested (in lk 2.6.21-rc2 environment).
+
+Signed-off-by: Douglas Gilbert <dougg@torque.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/scsi_debug.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -954,7 +954,9 @@ static int resp_inquiry(struct scsi_cmnd
+       int alloc_len, n, ret;
+       alloc_len = (cmd[3] << 8) + cmd[4];
+-      arr = kzalloc(SDEBUG_MAX_INQ_ARR_SZ, GFP_KERNEL);
++      arr = kzalloc(SDEBUG_MAX_INQ_ARR_SZ, GFP_ATOMIC);
++      if (! arr)
++              return DID_REQUEUE << 16;
+       if (devip->wlun)
+               pq_pdt = 0x1e;  /* present, wlun */
+       else if (scsi_debug_no_lun_0 && (0 == devip->lun))
+@@ -1217,7 +1219,9 @@ static int resp_report_tgtpgs(struct scs
+       alen = ((cmd[6] << 24) + (cmd[7] << 16) + (cmd[8] << 8)
+               + cmd[9]);
+-      arr = kzalloc(SDEBUG_MAX_TGTPGS_ARR_SZ, GFP_KERNEL);
++      arr = kzalloc(SDEBUG_MAX_TGTPGS_ARR_SZ, GFP_ATOMIC);
++      if (! arr)
++              return DID_REQUEUE << 16;
+       /*
+        * EVPD page 0x88 states we have two ports, one
+        * real and a fake port with no device connected.
+@@ -1996,6 +2000,8 @@ static int scsi_debug_slave_configure(st
+       if (sdp->host->max_cmd_len != SCSI_DEBUG_MAX_CMD_LEN)
+               sdp->host->max_cmd_len = SCSI_DEBUG_MAX_CMD_LEN;
+       devip = devInfoReg(sdp);
++      if (NULL == devip)
++              return 1;       /* no resources, will be marked offline */
+       sdp->hostdata = devip;
+       if (sdp->host->cmd_per_lun)
+               scsi_adjust_queue_depth(sdp, SDEBUG_TAGGED_QUEUING,
+@@ -2044,7 +2050,7 @@ static struct sdebug_dev_info * devInfoR
+               }
+       }
+       if (NULL == open_devip) { /* try and make a new one */
+-              open_devip = kzalloc(sizeof(*open_devip),GFP_KERNEL);
++              open_devip = kzalloc(sizeof(*open_devip),GFP_ATOMIC);
+               if (NULL == open_devip) {
+                       printk(KERN_ERR "%s: out of memory at line %d\n",
+                               __FUNCTION__, __LINE__);
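Review bot: `scsi_debug_slave_configure` reports the failed `devInfoReg()` with a bare `return 1;`, while the other new failure paths in this patch return a named status (`DID_REQUEUE << 16`); a negative errno such as `return -ENOMEM;` would be the more conventional form, provided the SCSI midlayer treats any non-zero value the same way, which is not visible here and should be confirmed. The new NULL checks are also written two ways, `if (! arr)` and `if (NULL == devip)`; using one form throughout keeps the file consistent. The bodies of all four functions continue outside the hunks.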
diff --git a/queue-2.6.20/fix-callback-bug-in-connector.patch b/queue-2.6.20/fix-callback-bug-in-connector.patch
new file mode 100644 (file)
index 0000000..117e636
--- /dev/null
@@ -0,0 +1,78 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 18:46:31 2007
+From: Philipp Reisner <philipp.reisner@linbit.com>
+Date: Wed, 07 Mar 2007 18:45:12 -0800 (PST)
+Subject: Fix callback bug in connector
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070307.184512.78710320.davem@davemloft.net>
+
+From: Philipp Reisner <philipp.reisner@linbit.com>
+
+[CONNECTOR]: Bugfix for cn_call_callback()
+
+When system under heavy stress and must allocate new work
+instead of reusing old one, new work must use correct
+completion callback.
+
+Patch is based on Philipp's and Lars' work.
+I only cleaned small stuff (and removed spaces instead of tabs).
+
+Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
+Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
+Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/connector/connector.c |   22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -128,7 +128,7 @@ EXPORT_SYMBOL_GPL(cn_netlink_send);
+  */
+ static int cn_call_callback(struct cn_msg *msg, void (*destruct_data)(void *), void *data)
+ {
+-      struct cn_callback_entry *__cbq;
++      struct cn_callback_entry *__cbq, *__new_cbq;
+       struct cn_dev *dev = &cdev;
+       int err = -ENODEV;
+@@ -148,27 +148,27 @@ static int cn_call_callback(struct cn_ms
+                       } else {
+                               struct cn_callback_data *d;
+                               
+-                              __cbq = kzalloc(sizeof(*__cbq), GFP_ATOMIC);
+-                              if (__cbq) {
+-                                      d = &__cbq->data;
++                              err = -ENOMEM;
++                              __new_cbq = kzalloc(sizeof(struct cn_callback_entry), GFP_ATOMIC);
++                              if (__new_cbq) {
++                                      d = &__new_cbq->data;
+                                       d->callback_priv = msg;
+                                       d->callback = __cbq->data.callback;
+                                       d->ddata = data;
+                                       d->destruct_data = destruct_data;
+-                                      d->free = __cbq;
++                                      d->free = __new_cbq;
+-                                      INIT_WORK(&__cbq->work,
++                                      INIT_WORK(&__new_cbq->work,
+                                                       &cn_queue_wrapper);
+-                                      
++
+                                       if (queue_work(dev->cbdev->cn_queue,
+-                                                  &__cbq->work))
++                                                  &__new_cbq->work))
+                                               err = 0;
+                                       else {
+-                                              kfree(__cbq);
++                                              kfree(__new_cbq);
+                                               err = -EINVAL;
+                                       }
+-                              } else
+-                                      err = -ENOMEM;
++                              }
+                       }
+                       break;
+               }
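Review bot: The new allocation spells the type out, `kzalloc(sizeof(struct cn_callback_entry), GFP_ATOMIC)`, where the line it replaces used the pointer form; `__new_cbq = kzalloc(sizeof(*__new_cbq), GFP_ATOMIC);` keeps the size tied to the variable if its type ever changes. The `queue_work()` failure branch frees `__new_cbq` and sets `-EINVAL`, but nothing in the hunk shows whether the caller then releases `data` via `destruct_data`; a comment stating who owns `data` on a non-zero return would help. `cn_call_callback` starts and ends outside the hunk.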
diff --git a/queue-2.6.20/fix-compat_getsockopt.patch b/queue-2.6.20/fix-compat_getsockopt.patch
new file mode 100644 (file)
index 0000000..39da3d6
--- /dev/null
@@ -0,0 +1,35 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 18:44:09 2007
+From: Johannes Berg <johannes@sipsolutions.net>
+Date: Wed, 07 Mar 2007 18:42:52 -0800 (PST)
+Subject: Fix compat_getsockopt
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070307.184252.104033406.davem@davemloft.net>
+
+
+From: Johannes Berg <johannes@sipsolutions.net>
+
+[NET]: Fix compat_sock_common_getsockopt typo.
+
+This patch fixes a typo in compat_sock_common_getsockopt.
+
+Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
+Acked-by: James Morris <jmorris@namei.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/sock.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1597,7 +1597,7 @@ int compat_sock_common_getsockopt(struct
+ {
+       struct sock *sk = sock->sk;
+-      if (sk->sk_prot->compat_setsockopt != NULL)
++      if (sk->sk_prot->compat_getsockopt != NULL)
+               return sk->sk_prot->compat_getsockopt(sk, level, optname,
+                                                     optval, optlen);
+       return sk->sk_prot->getsockopt(sk, level, optname, optval, optlen);
diff --git a/queue-2.6.20/fix-for-bugzilla-7544.patch b/queue-2.6.20/fix-for-bugzilla-7544.patch
new file mode 100644 (file)
index 0000000..a9e2944
--- /dev/null
@@ -0,0 +1,101 @@
+From fdcba53e2d58272bcdb5f1fad694602ccf02ad46 Mon Sep 17 00:00:00 2001
+From: Rainer Weikusat <rainer.weikusat@sncag.com>
+Date: Wed, 3 Jan 2007 15:36:25 +0100
+Subject: fix for bugzilla #7544 (keyspan USB-to-serial converter)
+
+At least the Keyspan USA-19HS USB-to-serial converter supports
+two different configurations, one where the input endpoints
+have interrupt transfer type and one where they are bulk endpoints.
+The default UHCI configuration uses the interrupt input endpoints.
+The keyspan driver, OTOH, assumes that the device has only bulk
+endpoints (all URBs are initialized by calling usb_fill_bulk_urb
+in keyspan.c/ keyspan_setup_urb). This causes the interval field
+of the input URBs to have a value of zero instead of one, which
+'accidentally' worked with Linux at least up to 2.6.17.11 but
+stopped to with 2.6.18, which changed the UHCI support code handling
+URBs for interrupt endpoints. The patch below modifies to driver to
+initialize its input URBs either as interrupt or as bulk URBs,
+depending on the transfertype contained in the associated endpoint
+descriptor (only tested with the default configuration) enabling
+the driver to again receive data from the serial converter.
+
+Greg K-H reworked the patch.
+
+Signed-off-by: Rainer Weikusat <rweikusat@sncag.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/keyspan.c |   49 +++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 45 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/keyspan.c
++++ b/drivers/usb/serial/keyspan.c
+@@ -1275,11 +1275,31 @@ static int keyspan_fake_startup (struct 
+ }
+ /* Helper functions used by keyspan_setup_urbs */
++static struct usb_endpoint_descriptor const *find_ep(struct usb_serial const *serial,
++                                                   int endpoint)
++{
++      struct usb_host_interface *iface_desc;
++      struct usb_endpoint_descriptor *ep;
++      int i;
++
++      iface_desc = serial->interface->cur_altsetting;
++      for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
++              ep = &iface_desc->endpoint[i].desc;
++              if (ep->bEndpointAddress == endpoint)
++                      return ep;
++      }
++      dev_warn(&serial->interface->dev, "found no endpoint descriptor for "
++               "endpoint %x\n", endpoint);
++      return NULL;
++}
++
+ static struct urb *keyspan_setup_urb (struct usb_serial *serial, int endpoint,
+                                     int dir, void *ctx, char *buf, int len,
+                                     void (*callback)(struct urb *))
+ {
+       struct urb *urb;
++      struct usb_endpoint_descriptor const *ep_desc;
++      char const *ep_type_name;
+       if (endpoint == -1)
+               return NULL;            /* endpoint not needed */
+@@ -1291,11 +1311,32 @@ static struct urb *keyspan_setup_urb (st
+               return NULL;
+       }
+-              /* Fill URB using supplied data. */
+-      usb_fill_bulk_urb(urb, serial->dev,
+-                    usb_sndbulkpipe(serial->dev, endpoint) | dir,
+-                    buf, len, callback, ctx);
++      ep_desc = find_ep(serial, endpoint);
++      if (!ep_desc) {
++              /* leak the urb, something's wrong and the callers don't care */
++              return urb;
++      }
++      if (usb_endpoint_xfer_int(ep_desc)) {
++              ep_type_name = "INT";
++              usb_fill_int_urb(urb, serial->dev,
++                               usb_sndintpipe(serial->dev, endpoint) | dir,
++                               buf, len, callback, ctx,
++                               ep_desc->bInterval);
++      } else if (usb_endpoint_xfer_bulk(ep_desc)) {
++              ep_type_name = "BULK";
++              usb_fill_bulk_urb(urb, serial->dev,
++                                usb_sndbulkpipe(serial->dev, endpoint) | dir,
++                                buf, len, callback, ctx);
++      } else {
++              dev_warn(&serial->interface->dev,
++                       "unsupported endpoint type %x\n",
++                       ep_desc->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK);
++              usb_free_urb(urb);
++              return NULL;
++      }
++      dbg("%s - using urb %p for %s endpoint %x",
++          __func__, urb, ep_type_name, endpoint);
+       return urb;
+ }
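Review bot: When `find_ep()` returns NULL, `keyspan_setup_urb` hands back the freshly allocated but never-filled URB (`return urb;`), so the caller receives a URB with no pipe, buffer or completion handler set; the comment calls this a leak, yet the pointer is returned and may later be submitted. The unsupported-type branch a few lines below already does `usb_free_urb(urb); return NULL;`, and the function already returns NULL for `endpoint == -1`, so the same two lines would fit this path. `find_ep()` also compares `bEndpointAddress` with `endpoint` directly, which only matches if the caller's endpoint numbers include the direction bit; that cannot be confirmed from this hunk.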
diff --git a/queue-2.6.20/fix-sparc64-device-register-probing.patch b/queue-2.6.20/fix-sparc64-device-register-probing.patch
new file mode 100644 (file)
index 0000000..8d2421f
--- /dev/null
@@ -0,0 +1,100 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 18:49:12 2007
+From: David Miller <davem@davemloft.net>
+Date: Wed, 07 Mar 2007 18:47:54 -0800 (PST)
+Subject: Fix sparc64 device register probing
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070307.184754.85410399.davem@davemloft.net>
+
+From: David Miller <davem@davemloft.net>
+
+[SPARC]: Fix bus handling in build_device_resources().
+
+We mistakedly modify 'bus' in the innermost loop.  What
+should happen is that at each register index iteration,
+we start with the same 'bus'.
+
+So preserve it's value at the top level, and use a loop
+local variable 'dbus' for iteration.
+
+This bug causes registers other than the first to be
+decoded improperly.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc/kernel/of_device.c   |    7 ++++---
+ arch/sparc64/kernel/of_device.c |    7 ++++---
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/arch/sparc/kernel/of_device.c
++++ b/arch/sparc/kernel/of_device.c
+@@ -495,7 +495,7 @@ static void __init build_device_resource
+               u32 *reg = (preg + (index * ((na + ns) * 4)));
+               struct device_node *dp = op->node;
+               struct device_node *pp = p_op->node;
+-              struct of_bus *pbus;
++              struct of_bus *pbus, *dbus;
+               u64 size, result = OF_BAD_ADDR;
+               unsigned long flags;
+               int dna, dns;
+@@ -516,6 +516,7 @@ static void __init build_device_resource
+               dna = na;
+               dns = ns;
++              dbus = bus;
+               while (1) {
+                       dp = pp;
+@@ -528,13 +529,13 @@ static void __init build_device_resource
+                       pbus = of_match_bus(pp);
+                       pbus->count_cells(dp, &pna, &pns);
+-                      if (build_one_resource(dp, bus, pbus, addr,
++                      if (build_one_resource(dp, dbus, pbus, addr,
+                                              dna, dns, pna))
+                               break;
+                       dna = pna;
+                       dns = pns;
+-                      bus = pbus;
++                      dbus = pbus;
+               }
+       build_res:
+--- a/arch/sparc64/kernel/of_device.c
++++ b/arch/sparc64/kernel/of_device.c
+@@ -581,7 +581,7 @@ static void __init build_device_resource
+               u32 *reg = (preg + (index * ((na + ns) * 4)));
+               struct device_node *dp = op->node;
+               struct device_node *pp = p_op->node;
+-              struct of_bus *pbus;
++              struct of_bus *pbus, *dbus;
+               u64 size, result = OF_BAD_ADDR;
+               unsigned long flags;
+               int dna, dns;
+@@ -599,6 +599,7 @@ static void __init build_device_resource
+               dna = na;
+               dns = ns;
++              dbus = bus;
+               while (1) {
+                       dp = pp;
+@@ -611,13 +612,13 @@ static void __init build_device_resource
+                       pbus = of_match_bus(pp);
+                       pbus->count_cells(dp, &pna, &pns);
+-                      if (build_one_resource(dp, bus, pbus, addr,
++                      if (build_one_resource(dp, dbus, pbus, addr,
+                                              dna, dns, pna))
+                               break;
+                       dna = pna;
+                       dns = pns;
+-                      bus = pbus;
++                      dbus = pbus;
+               }
+       build_res:
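Review bot: The new `dbus = bus;` line ahead of the `while (1)` walk has no comment, although it is the line that makes every register index start from the device's own bus. A one-line comment such as `/* restart from the device's bus for each reg entry; only dbus walks up */` would keep a later cleanup from folding `dbus` back into `bus`. The same applies to the identical change in arch/sparc64/kernel/of_device.c. build_device_resources() begins and ends outside both hunks, so how `bus` is set up is not visible here.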
diff --git a/queue-2.6.20/fix-timewait-jiffies.patch b/queue-2.6.20/fix-timewait-jiffies.patch
new file mode 100644 (file)
index 0000000..65cee08
--- /dev/null
@@ -0,0 +1,31 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 18:50:04 2007
+From: Eric Dumazet <dada1@cosmosbay.com>
+Date: Wed, 07 Mar 2007 18:48:44 -0800 (PST)
+Subject: Fix timewait jiffies
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070307.184844.39158390.davem@davemloft.net>
+
+From: Eric Dumazet <dada1@cosmosbay.com>
+
+[INET]: twcal_jiffie should be unsigned long, not int
+
+Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/inet_timewait_sock.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/inet_timewait_sock.h
++++ b/include/net/inet_timewait_sock.h
+@@ -66,7 +66,7 @@ struct inet_hashinfo;
+ struct inet_timewait_death_row {
+       /* Short-time timewait calendar */
+       int                     twcal_hand;
+-      int                     twcal_jiffie;
++      unsigned long           twcal_jiffie;
+       struct timer_list       twcal_timer;
+       struct hlist_head       twcal_row[INET_TWDR_RECYCLE_SLOTS];
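Review bot: The widened `twcal_jiffie` field still carries no comment saying that it holds a jiffies value, which is what let it be declared `int` in the first place. Something like `unsigned long twcal_jiffie; /* jiffies timestamp, must match the type of jiffies */` would document the constraint. Code outside this hunk that copies the field into a local or computes a difference from it should be checked for remaining `int` temporaries, since those would still truncate on 64-bit.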
diff --git a/queue-2.6.20/fix-udp-header-pointer-after-pskb_trim_rcsum.patch b/queue-2.6.20/fix-udp-header-pointer-after-pskb_trim_rcsum.patch
new file mode 100644 (file)
index 0000000..d979bf2
--- /dev/null
@@ -0,0 +1,33 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 18:52:15 2007
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Wed, 07 Mar 2007 18:50:54 -0800 (PST)
+Subject: Fix UDP header pointer after pskb_trim_rcsum()
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070307.185054.59656687.davem@davemloft.net>
+
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[UDP]: Reread uh pointer after pskb_trim
+
+The header may have moved when trimming.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/udp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1214,6 +1214,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, 
+               if (ulen < sizeof(*uh) || pskb_trim_rcsum(skb, ulen))
+                       goto short_packet;
++              uh = skb->h.uh;
+               udp4_csum_init(skb, uh);
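Review bot: The added `uh = skb->h.uh;` reload is easy to mistake for a redundant assignment and remove, because nothing next to it says that pskb_trim_rcsum() can move the header. A comment such as `/* pskb_trim_rcsum() may have moved the header; reload uh */` would protect it. Any other pointer into the packet data that __udp4_lib_rcv() caches before the trim would need the same reload; the function starts and ends outside this hunk, so that cannot be confirmed from here.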
diff --git a/queue-2.6.20/ip6_route_me_harder-should-take-into-account-mark.patch b/queue-2.6.20/ip6_route_me_harder-should-take-into-account-mark.patch
new file mode 100644 (file)
index 0000000..1544004
--- /dev/null
@@ -0,0 +1,30 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 13:37:14 2007
+From: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
+Date: Wed,  7 Mar 2007 22:34:40 +0100 (MET)
+Subject: ip6_route_me_harder should take into account mark
+To: stable@kernel.org
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Message-ID: <20070307213401.22306.7090.sendpatchset@localhost.localdomain>
+
+From: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
+
+[NETFILTER]: ip6_route_me_harder should take into account mark
+
+Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/netfilter.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -15,6 +15,7 @@ int ip6_route_me_harder(struct sk_buff *
+       struct dst_entry *dst;
+       struct flowi fl = {
+               .oif = skb->sk ? skb->sk->sk_bound_dev_if : 0,
++              .mark = skb->mark,
+               .nl_u =
+               { .ip6_u =
+                 { .daddr = iph->daddr,
diff --git a/queue-2.6.20/nf_conntrack-fix-incorrect-classification-of-ipv6-fragments-as-established.patch b/queue-2.6.20/nf_conntrack-fix-incorrect-classification-of-ipv6-fragments-as-established.patch
new file mode 100644 (file)
index 0000000..558c170
--- /dev/null
@@ -0,0 +1,38 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 13:37:25 2007
+From: Patrick McHardy <kaber@trash.net>
+Date: Wed,  7 Mar 2007 22:34:42 +0100 (MET)
+Subject: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
+To: stable@kernel.org
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, <davem@davemloft.net>
+Message-ID: <20070307213402.22306.75367.sendpatchset@localhost.localdomain>
+
+From: Patrick McHardy <kaber@trash.net>
+
+[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
+
+The individual fragments of a packet reassembled by conntrack have the
+conntrack reference from the reassembled packet attached, but nfctinfo
+is not copied. This leaves it initialized to 0, which unfortunately is
+the value of IP_CT_ESTABLISHED.
+
+The result is that all IPv6 fragments are tracked as ESTABLISHED,
+allowing them to bypass a usual ruleset which accepts ESTABLISHED
+packets early.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(un
+               }
+               nf_conntrack_get(reasm->nfct);
+               (*pskb)->nfct = reasm->nfct;
++              (*pskb)->nfctinfo = reasm->nfctinfo;
+               return NF_ACCEPT;
+       }
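Review bot: The added `(*pskb)->nfctinfo = reasm->nfctinfo;` has no comment tying it to the `nfct` assignment above it, so a later edit could separate the two again. The description explains that an uncopied nfctinfo stays 0, which is IP_CT_ESTABLISHED, so a short comment such as `/* nfct and nfctinfo must be copied together; a zero nfctinfo reads as ESTABLISHED */` would record why. Any other place that attaches a conntrack reference to an skb without setting nfctinfo would have the same filter-bypass effect and is worth auditing; none is visible in this hunk.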
diff --git a/queue-2.6.20/nf_conntrack-nf_nat-fix-incorrect-config-ifdefs.patch b/queue-2.6.20/nf_conntrack-nf_nat-fix-incorrect-config-ifdefs.patch
new file mode 100644 (file)
index 0000000..ae058e7
--- /dev/null
@@ -0,0 +1,100 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 13:35:50 2007
+From: Patrick McHardy <kaber@trash.net>
+Date: Wed,  7 Mar 2007 22:34:29 +0100 (MET)
+Subject: nf_conntrack/nf_nat: fix incorrect config ifdefs
+To: stable@kernel.org
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, <davem@davemloft.net>
+Message-ID: <20070307213349.22306.32501.sendpatchset@localhost.localdomain>
+
+From: Patrick McHardy <kaber@trash.net>
+
+[NETFILTER]: nf_conntrack/nf_nat: fix incorrect config ifdefs
+
+The nf_conntrack_netlink config option is named CONFIG_NF_CT_NETLINK,
+but multiple files use CONFIG_IP_NF_CONNTRACK_NETLINK or
+CONFIG_NF_CONNTRACK_NETLINK for ifdefs.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/netfilter/nf_nat_core.c       |    3 +--
+ net/ipv4/netfilter/nf_nat_proto_gre.c  |    3 +--
+ net/ipv4/netfilter/nf_nat_proto_icmp.c |    3 +--
+ net/ipv4/netfilter/nf_nat_proto_tcp.c  |    3 +--
+ net/ipv4/netfilter/nf_nat_proto_udp.c  |    3 +--
+ net/netfilter/nf_conntrack_proto_gre.c |    3 +--
+ 6 files changed, 6 insertions(+), 12 deletions(-)
+
+--- a/net/ipv4/netfilter/nf_nat_core.c
++++ b/net/ipv4/netfilter/nf_nat_core.c
+@@ -540,8 +540,7 @@ void nf_nat_protocol_unregister(struct n
+ }
+ EXPORT_SYMBOL(nf_nat_protocol_unregister);
+-#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
+-    defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
++#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
+ int
+ nf_nat_port_range_to_nfattr(struct sk_buff *skb,
+                           const struct nf_nat_range *range)
+--- a/net/ipv4/netfilter/nf_nat_proto_gre.c
++++ b/net/ipv4/netfilter/nf_nat_proto_gre.c
+@@ -152,8 +152,7 @@ static struct nf_nat_protocol gre __read
+       .manip_pkt              = gre_manip_pkt,
+       .in_range               = gre_in_range,
+       .unique_tuple           = gre_unique_tuple,
+-#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
+-    defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
++#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
+       .range_to_nfattr        = nf_nat_port_range_to_nfattr,
+       .nfattr_to_range        = nf_nat_port_nfattr_to_range,
+ #endif
+--- a/net/ipv4/netfilter/nf_nat_proto_icmp.c
++++ b/net/ipv4/netfilter/nf_nat_proto_icmp.c
+@@ -78,8 +78,7 @@ struct nf_nat_protocol nf_nat_protocol_i
+       .manip_pkt              = icmp_manip_pkt,
+       .in_range               = icmp_in_range,
+       .unique_tuple           = icmp_unique_tuple,
+-#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
+-    defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
++#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
+       .range_to_nfattr        = nf_nat_port_range_to_nfattr,
+       .nfattr_to_range        = nf_nat_port_nfattr_to_range,
+ #endif
+--- a/net/ipv4/netfilter/nf_nat_proto_tcp.c
++++ b/net/ipv4/netfilter/nf_nat_proto_tcp.c
+@@ -140,8 +140,7 @@ struct nf_nat_protocol nf_nat_protocol_t
+       .manip_pkt              = tcp_manip_pkt,
+       .in_range               = tcp_in_range,
+       .unique_tuple           = tcp_unique_tuple,
+-#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
+-    defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
++#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
+       .range_to_nfattr        = nf_nat_port_range_to_nfattr,
+       .nfattr_to_range        = nf_nat_port_nfattr_to_range,
+ #endif
+--- a/net/ipv4/netfilter/nf_nat_proto_udp.c
++++ b/net/ipv4/netfilter/nf_nat_proto_udp.c
+@@ -130,8 +130,7 @@ struct nf_nat_protocol nf_nat_protocol_u
+       .manip_pkt              = udp_manip_pkt,
+       .in_range               = udp_in_range,
+       .unique_tuple           = udp_unique_tuple,
+-#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
+-    defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
++#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
+       .range_to_nfattr        = nf_nat_port_range_to_nfattr,
+       .nfattr_to_range        = nf_nat_port_nfattr_to_range,
+ #endif
+--- a/net/netfilter/nf_conntrack_proto_gre.c
++++ b/net/netfilter/nf_conntrack_proto_gre.c
+@@ -281,8 +281,7 @@ static struct nf_conntrack_l4proto nf_co
+       .new             = gre_new,
+       .destroy         = gre_destroy,
+       .me              = THIS_MODULE,
+-#if defined(CONFIG_NF_CONNTRACK_NETLINK) || \
+-    defined(CONFIG_NF_CONNTRACK_NETLINK_MODULE)
++#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
+       .tuple_to_nfattr = nf_ct_port_tuple_to_nfattr,
+       .nfattr_to_tuple = nf_ct_port_nfattr_to_tuple,
+ #endif
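Review bot: The same two-symbol condition, `defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)`, is now repeated in six files, and that repetition is how the misspelled names went unnoticed. The preprocessor gives no diagnostic for a CONFIG_ symbol that does not exist, so the guarded `.range_to_nfattr`/`.nfattr_to_range` and `.tuple_to_nfattr`/`.nfattr_to_tuple` initialisers simply dropped out of the build. Defining the condition once in a shared netfilter header and testing that single macro in each file would leave one spelling to get right. A build-time check that every `CONFIG_` name used in an `#if` exists in Kconfig would catch the next instance.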
diff --git a/queue-2.6.20/nfnetlink_log-fix-crash-on-bridged-packet.patch b/queue-2.6.20/nfnetlink_log-fix-crash-on-bridged-packet.patch
new file mode 100644 (file)
index 0000000..5c4ec73
--- /dev/null
@@ -0,0 +1,36 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 13:37:59 2007
+From: Patrick McHardy <kaber@trash.net>
+Date: Wed,  7 Mar 2007 22:34:45 +0100 (MET)
+Subject: nfnetlink_log: fix crash on bridged packet
+To: stable@kernel.org
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, <davem@davemloft.net>
+Message-ID: <20070307213405.22306.94073.sendpatchset@localhost.localdomain>
+
+From: Patrick McHardy <kaber@trash.net>
+
+[NETFILTER]: nfnetlink_log: fix crash on bridged packet
+
+physoutdev is only set on purely bridged packet, when nfnetlink_log is used
+in the OUTPUT/FORWARD/POSTROUTING hooks on packets forwarded from or to a
+bridge it crashes when trying to dereference skb->nf_bridge->physoutdev.
+
+Reported by Holger Eitzenberger <heitzenberger@astaro.com>
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nfnetlink_log.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -491,7 +491,7 @@ __build_packet_message(struct nfulnl_ins
+                        * for physical device (when called from ipv4) */
+                       NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV,
+                               sizeof(tmp_uint), &tmp_uint);
+-                      if (skb->nf_bridge) {
++                      if (skb->nf_bridge && skb->nf_bridge->physoutdev) {
+                               tmp_uint = 
+                                   htonl(skb->nf_bridge->physoutdev->ifindex);
+                               NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
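Review bot: When `physoutdev` is NULL the NFULA_IFINDEX_PHYSOUTDEV attribute is now silently left out of the log message, and nothing at the test says so. A comment above it such as `/* physoutdev is only set on purely bridged packets */` would tell readers and userspace consumers that the attribute is optional. The input-side branch of __build_packet_message() lies outside this hunk; if it reads `skb->nf_bridge->physindev` behind a bare `skb->nf_bridge` test, it needs the same second condition.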
diff --git a/queue-2.6.20/nfnetlink_log-fix-null-pointer-dereference.patch b/queue-2.6.20/nfnetlink_log-fix-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..0be7508
--- /dev/null
@@ -0,0 +1,77 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 13:37:25 2007
+From: Micha Mirosaw <mirq-linux@rere.qmqm.pl>
+Date: Wed,  7 Mar 2007 22:34:34 +0100 (MET)
+Subject: nfnetlink_log: fix NULL pointer dereference
+To: stable@kernel.org
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, <davem@davemloft.net>
+Message-ID: <20070307213355.22306.23166.sendpatchset@localhost.localdomain>
+
+From: Micha Mirosaw <mirq-linux@rere.qmqm.pl>
+
+[NETFILTER]: nfnetlink_log: fix NULL pointer dereference
+
+Fix the nasty NULL dereference on multiple packets per netlink message.
+
+BUG: unable to handle kernel NULL pointer dereference at virtual address 00000004
+ printing eip:
+f8a4b3bf
+*pde = 00000000
+Oops: 0002 [#1]
+SMP
+Modules linked in: nfnetlink_log ipt_ttl ipt_REDIRECT xt_tcpudp iptable_nat nf_nat nf_conntrack
+_ipv4 xt_state ipt_ipp2p xt_NFLOG xt_hashlimit ip6_tables iptable_filter xt_multiport xt_mark i
+pt_set iptable_raw xt_MARK iptable_mangle ip_tables cls_fw cls_u32 sch_esfq sch_htb ip_set_ipma
+p ip_set ipt_ULOG x_tables dm_snapshot dm_mirror loop e1000 parport_pc parport e100 floppy ide_
+cd cdrom
+CPU:    0
+EIP:    0060:[<f8a4b3bf>]    Not tainted VLI
+EFLAGS: 00010206   (2.6.20 #5)
+EIP is at __nfulnl_send+0x24/0x51 [nfnetlink_log]
+eax: 00000000   ebx: f2b5cbc0   ecx: c03f5f54   edx: c03f4000
+esi: f2b5cbc8   edi: c03f5f54   ebp: f8a4b3ec   esp: c03f5f30
+ds: 007b   es: 007b   ss: 0068
+Process swapper (pid: 0, ti=c03f4000 task=c03bece0 task.ti=c03f4000)
+Stack: f2b5cbc0 f8a4b401 00000100 c0444080 c012af49 00000000 f6f19100 f6f19000
+       c1707800 c03f5f54 c03f5f54 00000123 00000021 c03e8d08 c0426380 00000009
+       c0126932 00000000 00000046 c03e9980 c03e6000 0047b007 c01269bd 00000000
+Call Trace:
+ [<f8a4b401>] nfulnl_timer+0x15/0x25 [nfnetlink_log]
+ [<c012af49>] run_timer_softirq+0x10a/0x164
+ [<c0126932>] __do_softirq+0x60/0xba
+ [<c01269bd>] do_softirq+0x31/0x35
+ [<c0104f6e>] do_IRQ+0x62/0x74
+ [<c01036cb>] common_interrupt+0x23/0x28
+ [<c0101018>] default_idle+0x0/0x3f
+ [<c0101045>] default_idle+0x2d/0x3f
+ [<c01010fa>] cpu_idle+0xa0/0xb9
+ [<c03fb7f5>] start_kernel+0x1a8/0x1ac
+ [<c03fb293>] unknown_bootoption+0x0/0x181
+ =======================
+Code: 5e 5f 5b 5e 5f 5d c3 53 89 c3 8d 40 1c 83 7b 1c 00 74 05 e8 2c ee 6d c7 83 7b 14 00 75 04
+ 31 c0 eb 34 83 7b 10 01 76 09 8b 43 18 <66> c7 40 04 03 00 8b 53 34 8b 43 14 b9 40 00 00 00 e8
+ 08 9a 84
+EIP: [<f8a4b3bf>] __nfulnl_send+0x24/0x51 [nfnetlink_log] SS:ESP 0068:c03f5f30
+ <0>Kernel panic - not syncing: Fatal exception in interrupt
+ <0>Rebooting in 5 seconds..
+
+Panic no more!
+
+Signed-off-by: Micha Mirosaw <mirq-linux@rere.qmqm.pl>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ net/netfilter/nfnetlink_log.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -564,6 +564,7 @@ __build_packet_message(struct nfulnl_ins
+       }
+               
+       nlh->nlmsg_len = inst->skb->tail - old_tail;
++      inst->lastnlh = nlh;
+       return 0;
+ nlmsg_failure:
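Review bot: `inst->lastnlh` now points into `inst->skb`, so it has to be reset wherever that skb is sent or freed, otherwise the NULL dereference from the oops becomes a stale pointer instead. That reset is not in this hunk and should be confirmed in __nfulnl_send(). The assignment is also made only on the success path, so after a jump to `nlmsg_failure` the field still refers to the previous message. A comment such as `/* last complete message in inst->skb; cleared when the skb is sent */` would state the invariant, assuming that is the intended one.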
diff --git a/queue-2.6.20/nfnetlink_log-fix-possible-null-pointer-dereference.patch b/queue-2.6.20/nfnetlink_log-fix-possible-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..cfdf0f2
--- /dev/null
@@ -0,0 +1,42 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 13:38:18 2007
+From: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+Date: Wed,  7 Mar 2007 22:34:36 +0100 (MET)
+Subject: nfnetlink_log: fix possible NULL pointer dereference
+To: stable@kernel.org
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, <davem@davemloft.net>
+Message-ID: <20070307213356.22306.90917.sendpatchset@localhost.localdomain>
+
+From: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+
+[NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference
+
+Eliminate possible NULL pointer dereference in nfulnl_recv_config().
+
+Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nfnetlink_log.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -867,6 +867,9 @@ nfulnl_recv_config(struct sock *ctnl, st
+                       ret = -EINVAL;
+                       break;
+               }
++
++              if (!inst)
++                      goto out;
+       } else {
+               if (!inst) {
+                       UDEBUG("no config command, and no instance for "
+@@ -920,6 +923,7 @@ nfulnl_recv_config(struct sock *ctnl, st
+ out_put:
+       instance_put(inst);
++out:
+       return ret;
+ }
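Review bot: The new `goto out` returns whatever `ret` holds after the command switch, and the hunk does not show where `ret` is initialised, so any command case that leaves `ret` untouched depends on an initialiser outside the visible lines. A comment at the check would make the intent explicit, for example `/* command handled and no instance bound: nothing left to configure */`. The function now has two exit labels, `out_put` and `out`, and a short comment at `out:` noting that no instance reference is held on that path would help keep later edits from jumping to the wrong one.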
diff --git a/queue-2.6.20/nfnetlink_log-fix-reference-counting.patch b/queue-2.6.20/nfnetlink_log-fix-reference-counting.patch
new file mode 100644 (file)
index 0000000..4e6138d
--- /dev/null
@@ -0,0 +1,35 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 13:37:14 2007
+From: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+Date: Wed,  7 Mar 2007 22:34:39 +0100 (MET)
+Subject: nfnetlink_log: fix reference counting
+To: stable@kernel.org
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, <davem@davemloft.net>
+Message-ID: <20070307213359.22306.49771.sendpatchset@localhost.localdomain>
+
+From: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+
+[NETFILTER]: nfnetlink_log: fix reference counting
+
+Fix reference counting (memory leak) problem in __nfulnl_send() and callers
+related to packet queueing.
+
+Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nfnetlink_log.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -220,7 +220,8 @@ _instance_destroy2(struct nfulnl_instanc
+               /* timer "holds" one reference (we have one more) */
+               if (timer_pending(&inst->timer)) {
+                       del_timer(&inst->timer);
+-                      instance_put(inst);
++
++instance_put(inst);
+               }
+               if (inst->qlen)
+                       __nfulnl_send(inst);
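Review bot: As queued, this hunk does not change behaviour: it removes an indented `instance_put(inst);` and adds a blank line followed by the same call at column 0. That does not match the description, which promises a reference-counting fix in __nfulnl_send() and its callers, nor the style of the surrounding lines. The functional part of the original change appears to be missing from this patch, so the leak it describes would remain. The patch should be regenerated from the original commit, and if this really is the whole change the line should keep its indentation, with the subject corrected.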
diff --git a/queue-2.6.20/nfnetlink_log-fix-reference-leak.patch b/queue-2.6.20/nfnetlink_log-fix-reference-leak.patch
new file mode 100644 (file)
index 0000000..bb47aee
--- /dev/null
@@ -0,0 +1,46 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 13:36:01 2007
+From: Patrick McHardy <kaber@trash.net>
+Date: Wed,  7 Mar 2007 22:34:32 +0100 (MET)
+Subject: nfnetlink_log: fix reference leak
+To: stable@kernel.org
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, <davem@davemloft.net>
+Message-ID: <20070307213352.22306.5081.sendpatchset@localhost.localdomain>
+
+From: Patrick McHardy <kaber@trash.net>
+
+[NETFILTER]: nfnetlink_log: fix reference leak
+
+Stop reference leaking in nfulnl_log_packet(). If we start a timer we
+are already taking another reference.
+
+Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ net/netfilter/nfnetlink_log.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -720,15 +720,16 @@ nfulnl_log_packet(unsigned int pf,
+               inst->timer.expires = jiffies + (inst->flushtimeout*HZ/100);
+               add_timer(&inst->timer);
+       }
+-      spin_unlock_bh(&inst->lock);
++unlock_and_release:
++      spin_unlock_bh(&inst->lock);
++      instance_put(inst);
+       return;
+ alloc_failure:
+-      spin_unlock_bh(&inst->lock);
+-      instance_put(inst);
+       UDEBUG("error allocating skb\n");
+       /* FIXME: statistics */
++      goto unlock_and_release;
+ }
+ static int
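Review bot: The `alloc_failure:` block now sits after `return;` and jumps backwards to `unlock_and_release`, which makes the single unlock-and-put exit harder to follow than a forward-only layout. The new `instance_put(inst);` on the success path also has no comment explaining which reference it drops. The reasoning given in the description could sit at the label, for example `/* drop our reference; a started timer holds its own */`. Where the timer's reference is taken is outside this hunk and should be confirmed against that comment.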
diff --git a/queue-2.6.20/nfnetlink_log-fix-use-after-free.patch b/queue-2.6.20/nfnetlink_log-fix-use-after-free.patch
new file mode 100644 (file)
index 0000000..94b6504
--- /dev/null
@@ -0,0 +1,35 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 13:37:47 2007
+From: Patrick McHardy <kaber@trash.net>
+Date: Wed,  7 Mar 2007 22:34:33 +0100 (MET)
+Subject: nfnetlink_log: fix use after free
+To: stable@kernel.org
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, <davem@davemloft.net>
+Message-ID: <20070307213354.22306.58320.sendpatchset@localhost.localdomain>
+
+From: Patrick McHardy <kaber@trash.net>
+
+[NETFILTER]: nfnetlink_log: fix use after free
+
+Paranoia: instance_put() might have freed the inst pointer when we
+spin_unlock_bh().
+
+Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nfnetlink_log.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -397,8 +397,8 @@ static void nfulnl_timer(unsigned long d
+       if (timer_pending(&inst->timer))        /* is it always true or false here? */
+               del_timer(&inst->timer);
+       __nfulnl_send(inst);
+-      instance_put(inst);
+       spin_unlock_bh(&inst->lock);
++      instance_put(inst);
+ }
+ /* This is an inline function, we don't really care about a long
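Review bot: The corrected order in nfulnl_timer() depends on a rule that appears nowhere in the code: `instance_put()` may free `inst`, so it must come after the last access to `inst->lock`. A comment on the final line, for example `/* must be last: may free inst */`, would stop the two calls from being swapped back. Other functions in this file that pair `spin_unlock_bh(&inst->lock)` with `instance_put(inst)` should follow the same order; the nfulnl_log_packet() change queued alongside this one already does.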
diff --git a/queue-2.6.20/nfnetlink_log-zero-terminate-prefix.patch b/queue-2.6.20/nfnetlink_log-zero-terminate-prefix.patch
new file mode 100644 (file)
index 0000000..e500192
--- /dev/null
@@ -0,0 +1,33 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 13:37:36 2007
+From: Patrick McHardy <kaber@trash.net>
+Date: Wed,  7 Mar 2007 22:34:43 +0100 (MET)
+Subject: nfnetlink_log: zero-terminate prefix
+To: stable@kernel.org
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, <davem@davemloft.net>
+Message-ID: <20070307213404.22306.77575.sendpatchset@localhost.localdomain>
+
+From: Patrick McHardy <kaber@trash.net>
+
+[NETFILTER]: nfnetlink_log: zero-terminate prefix
+
+Userspace expects a zero-terminated string, so include the trailing
+zero in the netlink message.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nfnetlink_log.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -620,7 +620,7 @@ nfulnl_log_packet(unsigned int pf,
+       plen = 0;
+       if (prefix)
+-              plen = strlen(prefix);
++              plen = strlen(prefix) + 1;
+       /* all macros expand to constant values at compile time */
+       /* FIXME: do we want to make the size calculation conditional based on
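Review bot: `plen` now counts the terminating NUL, so it no longer means "string length", and every later use in nfulnl_log_packet() must treat it as the number of bytes to copy. Those uses, the size calculation below and the attribute copy, are outside this hunk and should be checked. A comment on the line, such as `/* include the trailing NUL: userspace expects a C string */`, would make the `+ 1` self-explanatory. Userspace that took the attribute length as the string length will now see one extra byte, which is worth a line in the changelog.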
diff --git a/queue-2.6.20/series b/queue-2.6.20/series
new file mode 100644 (file)
index 0000000..eee3699
--- /dev/null
@@ -0,0 +1,20 @@
+conntrack-fix-nf-ip-_ct_iterate_cleanup-endless-loops.patch
+nf_conntrack-nf_nat-fix-incorrect-config-ifdefs.patch
+tcp-conntrack-accept-syn-urg-as-valid.patch
+nfnetlink_log-fix-reference-leak.patch
+nfnetlink_log-fix-use-after-free.patch
+nfnetlink_log-fix-null-pointer-dereference.patch
+nfnetlink_log-fix-possible-null-pointer-dereference.patch
+ip6_route_me_harder-should-take-into-account-mark.patch
+nf_conntrack-fix-incorrect-classification-of-ipv6-fragments-as-established.patch
+nfnetlink_log-zero-terminate-prefix.patch
+nfnetlink_log-fix-crash-on-bridged-packet.patch
+nfnetlink_log-fix-reference-counting.patch
+fix-bug-7994-sleeping-function-called-from-invalid-context.patch
+bcm43xx-fix-problem-with-1-gb-ram.patch
+fix-compat_getsockopt.patch
+fix-for-bugzilla-7544.patch
+fix-callback-bug-in-connector.patch
+fix-sparc64-device-register-probing.patch
+fix-timewait-jiffies.patch
+fix-udp-header-pointer-after-pskb_trim_rcsum.patch
diff --git a/queue-2.6.20/tcp-conntrack-accept-syn-urg-as-valid.patch b/queue-2.6.20/tcp-conntrack-accept-syn-urg-as-valid.patch
new file mode 100644 (file)
index 0000000..e0fe537
--- /dev/null
@@ -0,0 +1,52 @@
+From stable-bounces@linux.kernel.org Wed Mar  7 13:36:11 2007
+From: Patrick McHardy <kaber@trash.net>
+Date: Wed,  7 Mar 2007 22:34:30 +0100 (MET)
+Subject: tcp conntrack: accept SYN|URG as valid
+To: stable@kernel.org
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, <davem@davemloft.net>
+Message-ID: <20070307213351.22306.59582.sendpatchset@localhost.localdomain>
+
+From: Patrick McHardy <kaber@trash.net>
+
+[NETFILTER]: tcp conntrack: accept SYN|URG as valid
+
+Some stacks apparently send packets with SYN|URG set. Linux accepts
+these packets, so TCP conntrack should to.
+
+Pointed out by Martijn Posthuma <posthuma@sangine.com>.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+
+---
+ net/ipv4/netfilter/ip_conntrack_proto_tcp.c |    4 +++-
+ net/netfilter/nf_conntrack_proto_tcp.c      |    4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
++++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+@@ -821,8 +821,10 @@ void ip_conntrack_tcp_update(struct sk_b
+ static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] =
+ {
+       [TH_SYN]                        = 1,
+-      [TH_SYN|TH_ACK]                 = 1,
+       [TH_SYN|TH_PUSH]                = 1,
++      [TH_SYN|TH_URG]                 = 1,
++      [TH_SYN|TH_PUSH|TH_URG]         = 1,
++      [TH_SYN|TH_ACK]                 = 1,
+       [TH_SYN|TH_ACK|TH_PUSH]         = 1,
+       [TH_RST]                        = 1,
+       [TH_RST|TH_ACK]                 = 1,
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -778,8 +778,10 @@ EXPORT_SYMBOL_GPL(nf_conntrack_tcp_updat
+ static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] =
+ {
+       [TH_SYN]                        = 1,
+-      [TH_SYN|TH_ACK]                 = 1,
+       [TH_SYN|TH_PUSH]                = 1,
++      [TH_SYN|TH_URG]                 = 1,
++      [TH_SYN|TH_PUSH|TH_URG]         = 1,
++      [TH_SYN|TH_ACK]                 = 1,
+       [TH_SYN|TH_ACK|TH_PUSH]         = 1,
+       [TH_RST]                        = 1,
+       [TH_RST|TH_ACK]                 = 1,
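Review bot: In net/netfilter/nf_conntrack_proto_tcp.c the lookup table is still declared `static u8 tcp_valid_flags[...]`, while the identical table in ip_conntrack_proto_tcp.c is `static const u8`. A table that decides which TCP flag combinations conntrack treats as valid should not be writable. Unless something outside the hunk modifies it, the declaration should read `static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] =`. The two tables are kept in sync by hand, so a comment in each pointing at the other copy would help until one of them is retired.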