queue up current outstanding 2.6.19-stable patches

diff --git a/queue-2.6.19/check-for-populated-zone-in-__drain_pages.patch b/queue-2.6.19/check-for-populated-zone-in-__drain_pages.patch
new file mode 100644 (file)
index 0000000..68c0a2f
--- /dev/null
+++ b/queue-2.6.19/check-for-populated-zone-in-__drain_pages.patch
@@ -0,0 +1,52 @@
+From stable-bounces@linux.kernel.org  Sun Jan  7 14:34:05 2007
+Date: Fri, 5 Jan 2007 16:37:02 -0800
+From: Andrew Morton <akpm@osdl.org>
+To: stable@kernel.org
+Message-Id: <20070107142630.7eeaf09f.akpm@osdl.org>
+Cc: Christoph Lameter <clameter@engr.sgi.com>, Mauro Carvalho Chehab <mchehab@infradead.org>
+Subject: [PATCH] Check for populated zone in __drain_pages
+
+From: Christoph Lameter <clameter@sgi.com>
+
+Both process_zones() and drain_node_pages() check for populated zones
+before touching pagesets.  However, __drain_pages does not do so,
+
+This may result in a NULL pointer dereference for pagesets in unpopulated
+zones if a NUMA setup is combined with cpu hotplug.
+
+Initially the unpopulated zone has the pcp pointers pointing to the boot
+pagesets.  Since the zone is not populated the boot pageset pointers will
+not be changed during page allocator and slab bootstrap.
+
+If a cpu is later brought down (first call to __drain_pages()) then the pcp
+pointers for cpus in unpopulated zones are set to NULL since __drain_pages
+does not first check for an unpopulated zone.
+
+If the cpu is then brought up again then we call process_zones() which will
+ignore the unpopulated zone.  So the pageset pointers will still be NULL.
+
+If the cpu is then again brought down then __drain_pages will attempt to
+drain pages by following the NULL pageset pointer for unpopulated zones.
+
+Signed-off-by: Christoph Lameter <clameter@sgi.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f2e12bb272f2544d1504f982270e90ae3dcc4ff2
+
+ mm/page_alloc.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- linux-2.6.19.2.orig/mm/page_alloc.c
++++ linux-2.6.19.2/mm/page_alloc.c
+@@ -710,6 +710,9 @@ static void __drain_pages(unsigned int c
+       for_each_zone(zone) {
+               struct per_cpu_pageset *pset;
+ 
++              if (!populated_zone(zone))
++                      continue;
++
+               pset = zone_pcp(zone, cpu);
+               for (i = 0; i < ARRAY_SIZE(pset->pcp); i++) {
+                       struct per_cpu_pages *pcp;

diff --git a/queue-2.6.19/fix-hwrng-built-in-initcalls-priority.patch b/queue-2.6.19/fix-hwrng-built-in-initcalls-priority.patch
new file mode 100644 (file)
index 0000000..1207d72
--- /dev/null
+++ b/queue-2.6.19/fix-hwrng-built-in-initcalls-priority.patch
@@ -0,0 +1,81 @@
+From stable-bounces@linux.kernel.org  Mon Jan  8 07:43:33 2007
+From: Michael Buesch <mb@bu3sch.de>
+To: Andrew Morton <akpm@osdl.org>
+Date: Mon, 8 Jan 2007 16:34:54 +0100
+Message-Id: <200701081634.55078.mb@bu3sch.de>
+Cc: Linus Torvalds <torvalds@osdl.org>, dsaxena@plexity.net, jgarzik@redhat.com, info-linux@geode.amd.com, stable@kernel.org
+Subject: [stable] [PATCH] Fix HWRNG built-in initcalls priority
+
+This changes all HWRNG driver initcalls to module_init().
+We must probe the RNGs after the major kernel subsystems
+are already up and running (like PCI).
+This fixes Bug 7730.
+http://bugzilla.kernel.org/show_bug.cgi?id=7730
+
+Signed-off-by: Michael Buesch <mb@bu3sch.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+Not upstream yet.
+
+ drivers/char/hw_random/amd-rng.c    |    2 +-
+ drivers/char/hw_random/geode-rng.c  |    2 +-
+ drivers/char/hw_random/intel-rng.c  |    2 +-
+ drivers/char/hw_random/ixp4xx-rng.c |    2 +-
+ drivers/char/hw_random/via-rng.c    |    2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+--- linux-2.6.19.2.orig/drivers/char/hw_random/amd-rng.c
++++ linux-2.6.19.2/drivers/char/hw_random/amd-rng.c
+@@ -144,7 +144,7 @@ static void __exit mod_exit(void)
+       hwrng_unregister(&amd_rng);
+ }
+ 
+-subsys_initcall(mod_init);
++module_init(mod_init);
+ module_exit(mod_exit);
+ 
+ MODULE_AUTHOR("The Linux Kernel team");
+--- linux-2.6.19.2.orig/drivers/char/hw_random/geode-rng.c
++++ linux-2.6.19.2/drivers/char/hw_random/geode-rng.c
+@@ -125,7 +125,7 @@ static void __exit mod_exit(void)
+       iounmap(mem);
+ }
+ 
+-subsys_initcall(mod_init);
++module_init(mod_init);
+ module_exit(mod_exit);
+ 
+ MODULE_DESCRIPTION("H/W RNG driver for AMD Geode LX CPUs");
+--- linux-2.6.19.2.orig/drivers/char/hw_random/intel-rng.c
++++ linux-2.6.19.2/drivers/char/hw_random/intel-rng.c
+@@ -350,7 +350,7 @@ static void __exit mod_exit(void)
+       iounmap(mem);
+ }
+ 
+-subsys_initcall(mod_init);
++module_init(mod_init);
+ module_exit(mod_exit);
+ 
+ MODULE_DESCRIPTION("H/W RNG driver for Intel chipsets");
+--- linux-2.6.19.2.orig/drivers/char/hw_random/ixp4xx-rng.c
++++ linux-2.6.19.2/drivers/char/hw_random/ixp4xx-rng.c
+@@ -64,7 +64,7 @@ static void __exit ixp4xx_rng_exit(void)
+       iounmap(rng_base);
+ }
+ 
+-subsys_initcall(ixp4xx_rng_init);
++module_init(ixp4xx_rng_init);
+ module_exit(ixp4xx_rng_exit);
+ 
+ MODULE_AUTHOR("Deepak Saxena <dsaxena@plexity.net>");
+--- linux-2.6.19.2.orig/drivers/char/hw_random/via-rng.c
++++ linux-2.6.19.2/drivers/char/hw_random/via-rng.c
+@@ -176,7 +176,7 @@ static void __exit mod_exit(void)
+       hwrng_unregister(&via_rng);
+ }
+ 
+-subsys_initcall(mod_init);
++module_init(mod_init);
+ module_exit(mod_exit);
+ 
+ MODULE_DESCRIPTION("H/W RNG driver for VIA chipsets");

diff --git a/queue-2.6.19/i2c-m41t00-do-not-forget-to-write-year.patch b/queue-2.6.19/i2c-m41t00-do-not-forget-to-write-year.patch
new file mode 100644 (file)
index 0000000..b7777d7
--- /dev/null
+++ b/queue-2.6.19/i2c-m41t00-do-not-forget-to-write-year.patch
@@ -0,0 +1,33 @@
+From stable-bounces@linux.kernel.org  Sun Jan  7 03:16:40 2007
+Date: Sun, 7 Jan 2007 12:09:21 +0100
+From: Jean Delvare <khali@linux-fr.org>
+To: stable@kernel.org
+Message-Id: <20070107120921.3757f32f.khali@linux-fr.org>
+Cc: Philippe De Muyter <phdm@macqel.be>
+Subject: i2c/m41t00: Do not forget to write year
+
+From: Philippe De Muyter <phdm@macqel.be>
+
+m41t00.c forgets to set the year field in set_rtc_time; fix that.
+
+Signed-off-by: Philippe De Muyter <phdm@macqel.be>
+Acked-by: Mark A. Greer <mgreer@mvista.com>
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+Merged in 2.6.20-rc4:
+http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=81ffbc04a8ea06c4bea534154f49ed598013ee6b
+
+ drivers/i2c/chips/m41t00.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.19.2.orig/drivers/i2c/chips/m41t00.c
++++ linux-2.6.19.2/drivers/i2c/chips/m41t00.c
+@@ -209,6 +209,7 @@ m41t00_set(void *arg)
+       buf[m41t00_chip->hour] = (buf[m41t00_chip->hour] & ~0x3f) | (hour& 0x3f);
+       buf[m41t00_chip->day] = (buf[m41t00_chip->day] & ~0x3f) | (day & 0x3f);
+       buf[m41t00_chip->mon] = (buf[m41t00_chip->mon] & ~0x1f) | (mon & 0x1f);
++      buf[m41t00_chip->year] = year;
+ 
+       if (i2c_master_send(save_client, wbuf, 9) < 0)
+               dev_err(&save_client->dev, "m41t00_set: Write error\n");

diff --git a/queue-2.6.19/i2c-mv64xxx-fix-random-oops-at-boot.patch b/queue-2.6.19/i2c-mv64xxx-fix-random-oops-at-boot.patch
new file mode 100644 (file)
index 0000000..a09586c
--- /dev/null
+++ b/queue-2.6.19/i2c-mv64xxx-fix-random-oops-at-boot.patch
@@ -0,0 +1,71 @@
+From stable-bounces@linux.kernel.org  Sun Jan  7 02:57:04 2007
+Date: Sun, 7 Jan 2007 11:49:48 +0100
+From: Jean Delvare <khali@linux-fr.org>
+To: stable@kernel.org
+Message-Id: <20070107114948.2261a8aa.khali@linux-fr.org>
+Cc: Maxime Bizon <mbizon@freebox.fr>
+Subject: i2c-mv64xxx: Fix random oops at boot
+
+From: Maxime Bizon <mbizon@freebox.fr>
+
+I have a Marvell board which has the same i2c hw block than mv64xxx, so
+I'm trying to use i2c-mv64xxx driver.
+
+But I get the following random oops at boot:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000002
+Backtrace: 
+[<c0397e4c>] (mv64xxx_i2c_intr+0x0/0x2b8) from [<c02879c4>] (__do_irq+0x4c/0x8c)
+[<c0287978>] (__do_irq+0x0/0x8c) from [<c0287c0c>] (do_level_IRQ+0x68/0xc0)
+ r8 = C0501E08  r7 = 00000005  r6 = C0501E08  r5 = 00000005
+ r4 = C048BB78 
+[<c0287ba4>] (do_level_IRQ+0x0/0xc0) from [<c02885f8>] (asm_do_IRQ+0x50/0x134)
+ r6 = C0449C78  r5 = F1020000  r4 = FFFFFFFF 
+[<c02885a8>] (asm_do_IRQ+0x0/0x134) from [<c02869c4>] (__irq_svc+0x24/0x100)
+ r8 = C1CAC400  r7 = 00000005  r6 = 00000002  r5 = F1020000
+ r4 = FFFFFFFF 
+[<c0287efc>] (setup_irq+0x0/0x124) from [<c02880d0>] (request_irq+0xb0/0xd0)
+ r7 = C041B2AC  r6 = C0397E4C  r5 = 00000000  r4 = 00000005
+[<c0288020>] (request_irq+0x0/0xd0) from [<c03985f4>] (mv64xxx_i2c_probe+0x148/0x244)
+[<c03984ac>] (mv64xxx_i2c_probe+0x0/0x244) from [<c038bedc>] (platform_drv_probe+0x20/0x24)
+
+
+The oops is caused by a spurious interrupt that occurs when request_irq
+is called. mv64xxx_i2c_fsm() tries to read drv_data->msg, which is NULL.
+
+I noticed that hardware init is done after requesting irq. Thus any
+pending irq from previous hardware usage may cause this.
+
+The following patch fixes it:
+
+Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
+Acked-by: Mark A. Greer <mgreer@mvista.com>
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+Merged in 2.6.20-rc4:
+http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3269bb63eb076318ce4fb554851d047e1c9aa1a5
+
+ drivers/i2c/busses/i2c-mv64xxx.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.19.2.orig/drivers/i2c/busses/i2c-mv64xxx.c
++++ linux-2.6.19.2/drivers/i2c/busses/i2c-mv64xxx.c
+@@ -529,6 +529,8 @@ mv64xxx_i2c_probe(struct platform_device
+       platform_set_drvdata(pd, drv_data);
+       i2c_set_adapdata(&drv_data->adapter, drv_data);
+ 
++      mv64xxx_i2c_hw_init(drv_data);
++
+       if (request_irq(drv_data->irq, mv64xxx_i2c_intr, 0,
+                       MV64XXX_I2C_CTLR_NAME, drv_data)) {
+               dev_err(&drv_data->adapter.dev,
+@@ -542,8 +544,6 @@ mv64xxx_i2c_probe(struct platform_device
+               goto exit_free_irq;
+       }
+ 
+-      mv64xxx_i2c_hw_init(drv_data);
+-
+       return 0;
+ 
+       exit_free_irq:

diff --git a/queue-2.6.19/ib-mthca-fix-off-by-one-in-fmr-handling-on-memfree.patch b/queue-2.6.19/ib-mthca-fix-off-by-one-in-fmr-handling-on-memfree.patch
new file mode 100644 (file)
index 0000000..588cabc
--- /dev/null
+++ b/queue-2.6.19/ib-mthca-fix-off-by-one-in-fmr-handling-on-memfree.patch
@@ -0,0 +1,44 @@
+From stable-bounces@linux.kernel.org  Wed Jan 10 13:45:03 2007
+To: stable@kernel.org
+From: Roland Dreier <rdreier@cisco.com>
+Date: Wed, 10 Jan 2007 13:36:54 -0800
+Message-ID: <ada4pqyy361.fsf@cisco.com>
+Cc: "Michael S. Tsirkin" <mst@mellanox.co.il>, openib-general@openib.org
+Subject: [stable] [PATCH] IB/mthca: Fix off-by-one in FMR handling on memfree
+
+From: Michael S. Tsirkin <mst@mellanox.co.il>
+
+mthca_table_find() will return the wrong address when the table entry
+being searched for is exactly at the beginning of a sglist entry
+(other than the first), because it uses >= when it should use >.
+
+Example: assume we have 2 entries in scatterlist, 4K each, offset is
+4K.  The current code will return first entry + 4K when we really want
+the second entry.
+
+In particular this means mapping an FMR on a memfree HCA may end up
+writing the page table into the wrong place, leading to memory
+corruption and also causing the HCA to use an incorrect address
+translation table.
+
+Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
+Signed-off-by: Roland Dreier <rolandd@cisco.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+This is upstream, and fixes a data corruption/crash bug with storage
+over SRP.
+
+ drivers/infiniband/hw/mthca/mthca_memfree.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.19.2.orig/drivers/infiniband/hw/mthca/mthca_memfree.c
++++ linux-2.6.19.2/drivers/infiniband/hw/mthca/mthca_memfree.c
+@@ -232,7 +232,7 @@ void *mthca_table_find(struct mthca_icm_
+ 
+       list_for_each_entry(chunk, &icm->chunk_list, list) {
+               for (i = 0; i < chunk->npages; ++i) {
+-                      if (chunk->mem[i].length >= offset) {
++                      if (chunk->mem[i].length > offset) {
+                               page = chunk->mem[i].page;
+                               goto out;
+                       }

diff --git a/queue-2.6.19/md-pass-down-bio_rw_sync-in-raid-1-10.patch b/queue-2.6.19/md-pass-down-bio_rw_sync-in-raid-1-10.patch
new file mode 100644 (file)
index 0000000..08ac4a7
--- /dev/null
+++ b/queue-2.6.19/md-pass-down-bio_rw_sync-in-raid-1-10.patch
@@ -0,0 +1,157 @@
+From stable-bounces@linux.kernel.org  Mon Jan  8 15:10:39 2007
+Date: Mon, 8 Jan 2007 15:02:42 -0800
+From: Andrew Morton <akpm@osdl.org>
+To: Lars Ellenberg <Lars.Ellenberg@linbit.com>
+Message-Id: <20070108150242.1b39eda2.akpm@osdl.org>
+Cc: Neil Brown <neilb@suse.de>, linux-raid@vger.kernel.org, Ingo Molnar <mingo@redhat.com>, stable@kernel.org, Jens Axboe <jens.axboe@oracle.com>
+Subject: md: pass down BIO_RW_SYNC in raid{1,10}
+
+From: Lars Ellenberg <Lars.Ellenberg@linbit.com>
+
+md raidX make_request functions strip off the BIO_RW_SYNC flag, thus
+introducing additional latency.
+
+Fixing this in raid1 and raid10 seems to be straightforward enough.
+
+For our particular usage case in DRBD, passing this flag improved some
+initialization time from ~5 minutes to ~5 seconds.
+
+Acked-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Lars Ellenberg <lars@linbit.com>
+Acked-by: Jens Axboe <jens.axboe@oracle.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+Not upstream yet.
+
+ drivers/md/raid1.c  |   13 +++++++++----
+ drivers/md/raid10.c |   11 ++++++++---
+ 2 files changed, 17 insertions(+), 7 deletions(-)
+
+--- linux-2.6.19.2.orig/drivers/md/raid1.c
++++ linux-2.6.19.2/drivers/md/raid1.c
+@@ -775,6 +775,7 @@ static int make_request(request_queue_t 
+       struct bio_list bl;
+       struct page **behind_pages = NULL;
+       const int rw = bio_data_dir(bio);
++      const int do_sync = bio_sync(bio);
+       int do_barriers;
+ 
+       /*
+@@ -835,7 +836,7 @@ static int make_request(request_queue_t 
+               read_bio->bi_sector = r1_bio->sector + mirror->rdev->data_offset;
+               read_bio->bi_bdev = mirror->rdev->bdev;
+               read_bio->bi_end_io = raid1_end_read_request;
+-              read_bio->bi_rw = READ;
++              read_bio->bi_rw = READ | do_sync;
+               read_bio->bi_private = r1_bio;
+ 
+               generic_make_request(read_bio);
+@@ -906,7 +907,7 @@ static int make_request(request_queue_t 
+               mbio->bi_sector = r1_bio->sector + conf->mirrors[i].rdev->data_offset;
+               mbio->bi_bdev = conf->mirrors[i].rdev->bdev;
+               mbio->bi_end_io = raid1_end_write_request;
+-              mbio->bi_rw = WRITE | do_barriers;
++              mbio->bi_rw = WRITE | do_barriers | do_sync;
+               mbio->bi_private = r1_bio;
+ 
+               if (behind_pages) {
+@@ -941,6 +942,8 @@ static int make_request(request_queue_t 
+       blk_plug_device(mddev->queue);
+       spin_unlock_irqrestore(&conf->device_lock, flags);
+ 
++      if (do_sync)
++              md_wakeup_thread(mddev->thread);
+ #if 0
+       while ((bio = bio_list_pop(&bl)) != NULL)
+               generic_make_request(bio);
+@@ -1541,6 +1544,7 @@ static void raid1d(mddev_t *mddev)
+                        * We already have a nr_pending reference on these rdevs.
+                        */
+                       int i;
++                      const int do_sync = bio_sync(r1_bio->master_bio);
+                       clear_bit(R1BIO_BarrierRetry, &r1_bio->state);
+                       clear_bit(R1BIO_Barrier, &r1_bio->state);
+                       for (i=0; i < conf->raid_disks; i++)
+@@ -1561,7 +1565,7 @@ static void raid1d(mddev_t *mddev)
+                                               conf->mirrors[i].rdev->data_offset;
+                                       bio->bi_bdev = conf->mirrors[i].rdev->bdev;
+                                       bio->bi_end_io = raid1_end_write_request;
+-                                      bio->bi_rw = WRITE;
++                                      bio->bi_rw = WRITE | do_sync;
+                                       bio->bi_private = r1_bio;
+                                       r1_bio->bios[i] = bio;
+                                       generic_make_request(bio);
+@@ -1593,6 +1597,7 @@ static void raid1d(mddev_t *mddev)
+                                      (unsigned long long)r1_bio->sector);
+                               raid_end_bio_io(r1_bio);
+                       } else {
++                              const int do_sync = bio_sync(r1_bio->master_bio);
+                               r1_bio->bios[r1_bio->read_disk] =
+                                       mddev->ro ? IO_BLOCKED : NULL;
+                               r1_bio->read_disk = disk;
+@@ -1608,7 +1613,7 @@ static void raid1d(mddev_t *mddev)
+                               bio->bi_sector = r1_bio->sector + rdev->data_offset;
+                               bio->bi_bdev = rdev->bdev;
+                               bio->bi_end_io = raid1_end_read_request;
+-                              bio->bi_rw = READ;
++                              bio->bi_rw = READ | do_sync;
+                               bio->bi_private = r1_bio;
+                               unplug = 1;
+                               generic_make_request(bio);
+--- linux-2.6.19.2.orig/drivers/md/raid10.c
++++ linux-2.6.19.2/drivers/md/raid10.c
+@@ -782,6 +782,7 @@ static int make_request(request_queue_t 
+       int i;
+       int chunk_sects = conf->chunk_mask + 1;
+       const int rw = bio_data_dir(bio);
++      const int do_sync = bio_sync(bio);
+       struct bio_list bl;
+       unsigned long flags;
+ 
+@@ -863,7 +864,7 @@ static int make_request(request_queue_t 
+                       mirror->rdev->data_offset;
+               read_bio->bi_bdev = mirror->rdev->bdev;
+               read_bio->bi_end_io = raid10_end_read_request;
+-              read_bio->bi_rw = READ;
++              read_bio->bi_rw = READ | do_sync;
+               read_bio->bi_private = r10_bio;
+ 
+               generic_make_request(read_bio);
+@@ -909,7 +910,7 @@ static int make_request(request_queue_t 
+                       conf->mirrors[d].rdev->data_offset;
+               mbio->bi_bdev = conf->mirrors[d].rdev->bdev;
+               mbio->bi_end_io = raid10_end_write_request;
+-              mbio->bi_rw = WRITE;
++              mbio->bi_rw = WRITE | do_sync;
+               mbio->bi_private = r10_bio;
+ 
+               atomic_inc(&r10_bio->remaining);
+@@ -922,6 +923,9 @@ static int make_request(request_queue_t 
+       blk_plug_device(mddev->queue);
+       spin_unlock_irqrestore(&conf->device_lock, flags);
+ 
++      if (do_sync)
++              md_wakeup_thread(mddev->thread);
++
+       return 0;
+ }
+ 
+@@ -1563,6 +1567,7 @@ static void raid10d(mddev_t *mddev)
+                                      (unsigned long long)r10_bio->sector);
+                               raid_end_bio_io(r10_bio);
+                       } else {
++                              const int do_sync = bio_sync(r10_bio->master_bio);
+                               rdev = conf->mirrors[mirror].rdev;
+                               if (printk_ratelimit())
+                                       printk(KERN_ERR "raid10: %s: redirecting sector %llu to"
+@@ -1574,7 +1579,7 @@ static void raid10d(mddev_t *mddev)
+                               bio->bi_sector = r10_bio->devs[r10_bio->read_slot].addr
+                                       + rdev->data_offset;
+                               bio->bi_bdev = rdev->bdev;
+-                              bio->bi_rw = READ;
++                              bio->bi_rw = READ | do_sync;
+                               bio->bi_private = r10_bio;
+                               bio->bi_end_io = raid10_end_read_request;
+                               unplug = 1;

diff --git a/queue-2.6.19/netfilter-arp_tables-fix-userspace-compilation.patch b/queue-2.6.19/netfilter-arp_tables-fix-userspace-compilation.patch
new file mode 100644 (file)
index 0000000..b009526
--- /dev/null
+++ b/queue-2.6.19/netfilter-arp_tables-fix-userspace-compilation.patch
@@ -0,0 +1,29 @@
+From stable-bounces@linux.kernel.org  Tue Jan  9 23:13:06 2007
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Message-Id: <20070110070450.13495.10693.sendpatchset@localhost.localdomain>
+Date: Wed, 10 Jan 2007 08:04:50 +0100 (MET)
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Subject: NETFILTER: arp_tables: fix userspace compilation
+
+The included patch translates arpt_counters to xt_counters, making
+userspace arptables compile against recent kernels.
+
+Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ include/linux/netfilter_arp/arp_tables.h |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.19.2.orig/include/linux/netfilter_arp/arp_tables.h
++++ linux-2.6.19.2/include/linux/netfilter_arp/arp_tables.h
+@@ -190,6 +190,7 @@ struct arpt_replace
+ 
+ /* The argument to ARPT_SO_ADD_COUNTERS. */
+ #define arpt_counters_info xt_counters_info
++#define arpt_counters xt_counters
+ 
+ /* The argument to ARPT_SO_GET_ENTRIES. */
+ struct arpt_get_entries

diff --git a/queue-2.6.19/netfilter-fix-routing-of-reject-target-generated-packets-in-output-chain.patch b/queue-2.6.19/netfilter-fix-routing-of-reject-target-generated-packets-in-output-chain.patch
new file mode 100644 (file)
index 0000000..4a4ebd3
--- /dev/null
+++ b/queue-2.6.19/netfilter-fix-routing-of-reject-target-generated-packets-in-output-chain.patch
@@ -0,0 +1,42 @@
+From stable-bounces@linux.kernel.org  Tue Jan  9 23:13:25 2007
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Message-Id: <20070110070446.13495.72221.sendpatchset@localhost.localdomain>
+Date: Wed, 10 Jan 2007 08:04:46 +0100 (MET)
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Subject: NETFILTER: Fix routing of REJECT target generated packets in output chain
+
+Packets generated by the REJECT target in the output chain have a local
+destination address and a foreign source address. Make sure not to use
+the foreign source address for the output route lookup.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ net/ipv4/netfilter.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- linux-2.6.19.2.orig/net/ipv4/netfilter.c
++++ linux-2.6.19.2/net/ipv4/netfilter.c
+@@ -15,16 +15,19 @@ int ip_route_me_harder(struct sk_buff **
+       struct flowi fl = {};
+       struct dst_entry *odst;
+       unsigned int hh_len;
++      unsigned int type;
+ 
++      type = inet_addr_type(iph->saddr);
+       if (addr_type == RTN_UNSPEC)
+-              addr_type = inet_addr_type(iph->saddr);
++              addr_type = type;
+ 
+       /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
+        * packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
+        */
+       if (addr_type == RTN_LOCAL) {
+               fl.nl_u.ip4_u.daddr = iph->daddr;
+-              fl.nl_u.ip4_u.saddr = iph->saddr;
++              if (type == RTN_LOCAL)
++                      fl.nl_u.ip4_u.saddr = iph->saddr;
+               fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
+               fl.oif = (*pskb)->sk ? (*pskb)->sk->sk_bound_dev_if : 0;
+ #ifdef CONFIG_IP_ROUTE_FWMARK

diff --git a/queue-2.6.19/netfilter-nf_conntrack_ipv6-fix-crash-when-handling-fragments.patch b/queue-2.6.19/netfilter-nf_conntrack_ipv6-fix-crash-when-handling-fragments.patch
new file mode 100644 (file)
index 0000000..26646f7
--- /dev/null
+++ b/queue-2.6.19/netfilter-nf_conntrack_ipv6-fix-crash-when-handling-fragments.patch
@@ -0,0 +1,32 @@
+From stable-bounces@linux.kernel.org  Tue Jan  9 23:12:49 2007
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Message-Id: <20070110070447.13495.61360.sendpatchset@localhost.localdomain>
+Date: Wed, 10 Jan 2007 08:04:47 +0100 (MET)
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Subject: NETFILTER: nf_conntrack_ipv6: fix crash when handling fragments
+
+When IPv6 connection tracking splits up a defragmented packet into
+its original fragments, the packets are taken from a list and are
+passed to the network stack with skb->next still set. This causes
+dev_hard_start_xmit to treat them as GSO fragments, resulting in
+a use after free when connection tracking handles the next fragment.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ net/ipv6/netfilter/nf_conntrack_reasm.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.19.2.orig/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ linux-2.6.19.2/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -835,6 +835,8 @@ void nf_ct_frag6_output(unsigned int hoo
+               s->nfct_reasm = skb;
+ 
+               s2 = s->next;
++              s->next = NULL;
++
+               NF_HOOK_THRESH(PF_INET6, hooknum, s, in, out, okfn,
+                              NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
+               s = s2;

diff --git a/queue-2.6.19/netfilter-tcp-conntrack-fix-ip_ct_tcp_flag_close_init-value.patch b/queue-2.6.19/netfilter-tcp-conntrack-fix-ip_ct_tcp_flag_close_init-value.patch
new file mode 100644 (file)
index 0000000..be57fbd
--- /dev/null
+++ b/queue-2.6.19/netfilter-tcp-conntrack-fix-ip_ct_tcp_flag_close_init-value.patch
@@ -0,0 +1,29 @@
+From stable-bounces@linux.kernel.org  Tue Jan  9 23:12:50 2007
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Message-Id: <20070110070448.13495.34404.sendpatchset@localhost.localdomain>
+Date: Wed, 10 Jan 2007 08:04:49 +0100 (MET)
+Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Subject: NETFILTER: tcp conntrack: fix IP_CT_TCP_FLAG_CLOSE_INIT value
+
+IP_CT_TCP_FLAG_CLOSE_INIT is a flag and should have a value of 0x4 instead
+of 0x3, which is IP_CT_TCP_FLAG_WINDOW_SCALE | IP_CT_TCP_FLAG_SACK_PERM.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ include/linux/netfilter/nf_conntrack_tcp.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.19.2.orig/include/linux/netfilter/nf_conntrack_tcp.h
++++ linux-2.6.19.2/include/linux/netfilter/nf_conntrack_tcp.h
+@@ -25,7 +25,7 @@ enum tcp_conntrack {
+ #define IP_CT_TCP_FLAG_SACK_PERM              0x02
+ 
+ /* This sender sent FIN first */
+-#define IP_CT_TCP_FLAG_CLOSE_INIT             0x03
++#define IP_CT_TCP_FLAG_CLOSE_INIT             0x04
+ 
+ #ifdef __KERNEL__
+ 

diff --git a/queue-2.6.19/repair-snd-usb-usx2y-over-ohci.patch b/queue-2.6.19/repair-snd-usb-usx2y-over-ohci.patch
new file mode 100644 (file)
index 0000000..8c2b4d6
--- /dev/null
+++ b/queue-2.6.19/repair-snd-usb-usx2y-over-ohci.patch
@@ -0,0 +1,46 @@
+From stable-bounces@linux.kernel.org  Wed Jan 10 04:41:19 2007
+From: Karsten Wiese <annabellesgarden@yahoo.de>
+To: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 10 Jan 2007 13:33:27 +0100
+Message-Id: <200701101333.27236.annabellesgarden@yahoo.de>
+Cc: Matt Savigear <mcs_jack@savigear.com>, alsa-devel@lists.sourceforge.net, stable@kernel.org, Rui Capela <rncbc@rncbc.org>
+Subject: Repair snd-usb-usx2y over OHCI
+
+From: Karsten Wiese <fzu@wemgehoertderstaat.de>
+
+The previous patch "Repair snd-usb-usx2y for usb 2.6.18" assumed
+urb->start_frame roll over beyond MAX_INT for both UHCI & OHCI.
+This isn't true until now (kernel 2.6.20).
+Fix this by only looking at the common between OHCI & UHCI Frame number
+range.
+This is for mainline and stable kernels >= 2.6.18.
+
+Signed-off-by: Karsten Wiese <fzu@wemgehoertderstaat.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ sound/usb/usx2y/usbusx2yaudio.c |    2 +-
+ sound/usb/usx2y/usx2yhwdeppcm.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.19.2.orig/sound/usb/usx2y/usbusx2yaudio.c
++++ linux-2.6.19.2/sound/usb/usx2y/usbusx2yaudio.c
+@@ -322,7 +322,7 @@ static void i_usX2Y_urb_complete(struct 
+               usX2Y_error_urb_status(usX2Y, subs, urb);
+               return;
+       }
+-      if (likely(urb->start_frame == usX2Y->wait_iso_frame))
++      if (likely((urb->start_frame & 0xFFFF) == (usX2Y->wait_iso_frame & 0xFFFF)))
+               subs->completed_urb = urb;
+       else {
+               usX2Y_error_sequence(usX2Y, subs, urb);
+--- linux-2.6.19.2.orig/sound/usb/usx2y/usx2yhwdeppcm.c
++++ linux-2.6.19.2/sound/usb/usx2y/usx2yhwdeppcm.c
+@@ -243,7 +243,7 @@ static void i_usX2Y_usbpcm_urb_complete(
+               usX2Y_error_urb_status(usX2Y, subs, urb);
+               return;
+       }
+-      if (likely(urb->start_frame == usX2Y->wait_iso_frame))
++      if (likely((urb->start_frame & 0xFFFF) == (usX2Y->wait_iso_frame & 0xFFFF)))
+               subs->completed_urb = urb;
+       else {
+               usX2Y_error_sequence(usX2Y, subs, urb);

diff --git a/queue-2.6.19/series b/queue-2.6.19/series
new file mode 100644 (file)
index 0000000..0f014c2
--- /dev/null
+++ b/queue-2.6.19/series
@@ -0,0 +1,11 @@
+i2c-mv64xxx-fix-random-oops-at-boot.patch
+i2c-m41t00-do-not-forget-to-write-year.patch
+check-for-populated-zone-in-__drain_pages.patch
+fix-hwrng-built-in-initcalls-priority.patch
+md-pass-down-bio_rw_sync-in-raid-1-10.patch
+netfilter-fix-routing-of-reject-target-generated-packets-in-output-chain.patch
+netfilter-nf_conntrack_ipv6-fix-crash-when-handling-fragments.patch
+netfilter-tcp-conntrack-fix-ip_ct_tcp_flag_close_init-value.patch
+netfilter-arp_tables-fix-userspace-compilation.patch
+repair-snd-usb-usx2y-over-ohci.patch
+ib-mthca-fix-off-by-one-in-fmr-handling-on-memfree.patch