--- /dev/null
+From stable-bounces@linux.kernel.org Sat Nov 25 22:52:47 2006
+Date: Wed, 22 Nov 2006 23:59:02 GMT
+Message-Id: <200611222359.kAMNx2kk029387@hera.kernel.org>
+From: davej@redhat.com
+To: stable@kernel.org
+Subject: AGP: Allocate AGP pages with GFP_DMA32 by default
+
+From: Linus Torvalds <torvalds@osdl.org>
+
+Not all graphic page remappers support physical addresses over the 4GB
+mark for remapping, so while some do (the AMD64 GART always did, and I
+just fixed the i965 to do so properly), we're safest off just forcing
+GFP_DMA32 allocations to make sure graphics pages get allocated in the
+low 32-bit address space by default.
+
+AGP sub-drivers that really care, and can do better, could just choose
+to implement their own allocator (or we could add another "64-bit safe"
+default allocator for their use), but quite frankly, you're not likely
+to care in practice.
+
+So for now, this trivial change means that we won't be allocating pages
+that we can't map correctly by mistake on x86-64.
+
+[ On traditional 32-bit x86, this could never happen, because GFP_KERNEL
+ would never allocate any highmem memory anyway ]
+
+Acked-by: Andi Kleen <ak@suse.de>
+Acked-by: Dave Jones <davej@redhat.com>
+Cc: Eric Anholt <eric@anholt.net>
+Cc: Keith Packard <keithp@keithp.com>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ drivers/char/agp/generic.c | 2 +-
+ drivers/char/agp/intel-agp.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.18.3.orig/drivers/char/agp/generic.c
++++ linux-2.6.18.3/drivers/char/agp/generic.c
+@@ -1042,7 +1042,7 @@ void *agp_generic_alloc_page(struct agp_
+ {
+ struct page * page;
+
+- page = alloc_page(GFP_KERNEL);
++ page = alloc_page(GFP_KERNEL | GFP_DMA32);
+ if (page == NULL)
+ return NULL;
+
+--- linux-2.6.18.3.orig/drivers/char/agp/intel-agp.c
++++ linux-2.6.18.3/drivers/char/agp/intel-agp.c
+@@ -160,7 +160,7 @@ static void *i8xx_alloc_pages(void)
+ {
+ struct page * page;
+
+- page = alloc_pages(GFP_KERNEL, 2);
++ page = alloc_pages(GFP_KERNEL | GFP_DMA32, 2);
+ if (page == NULL)
+ return NULL;
+
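Review bot: Neither allocation site says why the zone is restricted: `alloc_page(GFP_KERNEL | GFP_DMA32)` in agp_generic_alloc_page() and the order-2 `alloc_pages(GFP_KERNEL | GFP_DMA32, 2)` in i8xx_alloc_pages(). A later cleanup could drop the flag and bring back pages the remapper cannot address. I would add a one-line comment above each call, for example `/* GFP_DMA32: not every GART can remap pages above 4GB */`. Both function bodies continue past the end of their hunks.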
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Nov 20 09:12:55 2006
+Message-ID: <4561E013.2010801@gentoo.org>
+Date: Mon, 20 Nov 2006 12:04:19 -0500
+From: Daniel Drake <dsd@gentoo.org>
+To: stable@kernel.org
+Cc: ferdy@gentoo.org
+Subject: alpha: Fix ALPHA_EV56 dependencies typo
+
+From: Fernando J. Pereda <ferdy@gentoo.org>
+
+There appears to be a typo in the EV56 config option. NORITAKE and PRIMO are
+be able to set a variation of either.
+
+Signed-off-by: Daniel Drake <dsd@gentoo.org>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ arch/alpha/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.18.3.orig/arch/alpha/Kconfig
++++ linux-2.6.18.3/arch/alpha/Kconfig
+@@ -381,7 +381,7 @@ config ALPHA_EV56
+
+ config ALPHA_EV56
+ prompt "EV56 CPU (speed >= 333MHz)?"
+- depends on ALPHA_NORITAKE && ALPHA_PRIMO
++ depends on ALPHA_NORITAKE || ALPHA_PRIMO
+
+ config ALPHA_EV56
+ prompt "EV56 CPU (speed >= 400MHz)?"
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Nov 22 03:25:19 2006
+From: maks@sternwelten.at
+Date: Wed, 22 Nov 2006 02:59:08 GMT
+Message-Id: <200611220259.kAM2x8mT004945@hera.kernel.org>
+To: stable@kernel.org
+Subject: BLUETOOTH: Fix unaligned access in hci_send_to_sock.
+
+From: David S. Miller <davem@davemloft.net>
+
+The "u16 *" derefs of skb->data need to be wrapped inside of
+a get_unaligned().
+
+Thanks to Gustavo Zacarias for the bug report.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ net/bluetooth/hci_sock.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- linux-2.6.18.3.orig/net/bluetooth/hci_sock.c
++++ linux-2.6.18.3/net/bluetooth/hci_sock.c
+@@ -120,10 +120,13 @@ void hci_send_to_sock(struct hci_dev *hd
+ if (!hci_test_bit(evt, &flt->event_mask))
+ continue;
+
+- if (flt->opcode && ((evt == HCI_EV_CMD_COMPLETE &&
+- flt->opcode != *(__u16 *)(skb->data + 3)) ||
+- (evt == HCI_EV_CMD_STATUS &&
+- flt->opcode != *(__u16 *)(skb->data + 4))))
++ if (flt->opcode &&
++ ((evt == HCI_EV_CMD_COMPLETE &&
++ flt->opcode !=
++ get_unaligned((__u16 *)(skb->data + 3))) ||
++ (evt == HCI_EV_CMD_STATUS &&
++ flt->opcode !=
++ get_unaligned((__u16 *)(skb->data + 4)))))
+ continue;
+ }
+
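Review bot: The opcode reads at `skb->data + 3` and `skb->data + 4` are now alignment-safe, but nothing in this hunk shows that the event packet is long enough to contain them. hci_send_to_sock() starts before the hunk, so a length check may already exist earlier in the function; that should be confirmed. If there is none, the filter branch should require at least offset + 2 bytes of linear data before each comparison, i.e. `skb->len >= 5` for the HCI_EV_CMD_COMPLETE case and `skb->len >= 6` for HCI_EV_CMD_STATUS, and `continue` otherwise.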
--- /dev/null
+From cbf093e8c7447a202e376199cc017161262bd7cd Mon Sep 17 00:00:00 2001
+From: Robin Holt <holt@sgi.com>
+Date: Tue, 14 Nov 2006 20:50:59 -0600
+Subject: IA64: bte_unaligned_copy() transfers one extra cache line.
+
+When called to do a transfer that has a start offset within the cache
+line which is uneven between source and destination and a length which
+terminates the source of the copy exactly on a cache line, one extra
+line gets copied into a temporary buffer. This is normally not an issue
+since the buffer is a kernel buffer and only the requested information
+gets copied into the user buffer.
+
+The problem arises when the source ends at the very last physical page
+of memory. That last cache line does not exist and results in the SHUB
+chip raising an MCA.
+
+Signed-off-by: Robin Holt <holt@sgi.com>
+Signed-off-by: Dean Nelson <dcn@sgi.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ arch/ia64/sn/kernel/bte.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- linux-2.6.18.3.orig/arch/ia64/sn/kernel/bte.c
++++ linux-2.6.18.3/arch/ia64/sn/kernel/bte.c
+@@ -382,14 +382,13 @@ bte_result_t bte_unaligned_copy(u64 src,
+ * bcopy to the destination.
+ */
+
+- /* Add the leader from source */
+- headBteLen = len + (src & L1_CACHE_MASK);
+- /* Add the trailing bytes from footer. */
+- headBteLen += L1_CACHE_BYTES - (headBteLen & L1_CACHE_MASK);
+- headBteSource = src & ~L1_CACHE_MASK;
+ headBcopySrcOffset = src & L1_CACHE_MASK;
+ headBcopyDest = dest;
+ headBcopyLen = len;
++
++ headBteSource = src - headBcopySrcOffset;
++ /* Add the leading and trailing bytes from source */
++ headBteLen = L1_CACHE_ALIGN(len + headBcopySrcOffset);
+ }
+
+ if (headBcopyLen > 0) {
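Review bot: The new comment `/* Add the leading and trailing bytes from source */` does not record the boundary case this change exists for, so the reason for using `L1_CACHE_ALIGN()` is easy to lose. I would reword it along the lines of `/* Round up to whole cache lines; an already aligned end must not pull in one more line, which may not exist at the end of memory */`. The enclosing branch of bte_unaligned_copy() begins before the hunk, so the note covers only the lines visible here.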
--- /dev/null
+From stable-bounces@linux.kernel.org Sat Nov 25 11:14:02 2006
+Message-Id: <200611251909.kAPJ9KE5009945@shell0.pdx.osdl.net>
+To: torvalds@osdl.org
+From: akpm@osdl.org
+Date: Sat, 25 Nov 2006 11:09:20 -0800
+Cc: akpm@osdl.org, stable@kernel.org, miklos@szeredi.hu
+Subject: fuse: fix Oops in lookup
+
+From: Miklos Szeredi <miklos@szeredi.hu>
+
+Fix bug in certain error paths of lookup routines. The request object was
+reused for sending FORGET, which is illegal. This bug could cause an Oops
+in 2.6.18. In earlier versions it might silently corrupt memory, but this
+is very unlikely.
+
+These error paths are never triggered by libfuse, so this wasn't noticed
+even with the 2.6.18 kernel, only with a filesystem using the raw kernel
+interface.
+
+Thanks to Russ Cox for the bug report and test filesystem.
+
+Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+[chrisw: backport to 2.6.18 -stable]
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ fs/fuse/dir.c | 52 ++++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 38 insertions(+), 14 deletions(-)
+
+--- linux-2.6.18.3.orig/fs/fuse/dir.c
++++ linux-2.6.18.3/fs/fuse/dir.c
+@@ -138,6 +138,7 @@ static int fuse_dentry_revalidate(struct
+ struct fuse_entry_out outarg;
+ struct fuse_conn *fc;
+ struct fuse_req *req;
++ struct fuse_req *forget_req;
+
+ /* Doesn't hurt to "reset" the validity timeout */
+ fuse_invalidate_entry_cache(entry);
+@@ -151,21 +152,29 @@ static int fuse_dentry_revalidate(struct
+ if (IS_ERR(req))
+ return 0;
+
++ forget_req = fuse_get_req(fc);
++ if (IS_ERR(forget_req)) {
++ fuse_put_request(fc, req);
++ return 0;
++ }
++
+ fuse_lookup_init(req, entry->d_parent->d_inode, entry, &outarg);
+ request_send(fc, req);
+ err = req->out.h.error;
++ fuse_put_request(fc, req);
+ /* Zero nodeid is same as -ENOENT */
+ if (!err && !outarg.nodeid)
+ err = -ENOENT;
+ if (!err) {
+ struct fuse_inode *fi = get_fuse_inode(inode);
+ if (outarg.nodeid != get_node_id(inode)) {
+- fuse_send_forget(fc, req, outarg.nodeid, 1);
++ fuse_send_forget(fc, forget_req,
++ outarg.nodeid, 1);
+ return 0;
+ }
+ fi->nlookup ++;
+ }
+- fuse_put_request(fc, req);
++ fuse_put_request(fc, forget_req);
+ if (err || (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
+ return 0;
+
+@@ -214,6 +223,7 @@ static struct dentry *fuse_lookup(struct
+ struct inode *inode = NULL;
+ struct fuse_conn *fc = get_fuse_conn(dir);
+ struct fuse_req *req;
++ struct fuse_req *forget_req;
+
+ if (entry->d_name.len > FUSE_NAME_MAX)
+ return ERR_PTR(-ENAMETOOLONG);
+@@ -222,9 +232,16 @@ static struct dentry *fuse_lookup(struct
+ if (IS_ERR(req))
+ return ERR_PTR(PTR_ERR(req));
+
++ forget_req = fuse_get_req(fc);
++ if (IS_ERR(forget_req)) {
++ fuse_put_request(fc, req);
++ return ERR_PTR(PTR_ERR(forget_req));
++ }
++
+ fuse_lookup_init(req, dir, entry, &outarg);
+ request_send(fc, req);
+ err = req->out.h.error;
++ fuse_put_request(fc, req);
+ /* Zero nodeid is same as -ENOENT, but with valid timeout */
+ if (!err && outarg.nodeid &&
+ (invalid_nodeid(outarg.nodeid) || !valid_mode(outarg.attr.mode)))
+@@ -233,11 +250,11 @@ static struct dentry *fuse_lookup(struct
+ inode = fuse_iget(dir->i_sb, outarg.nodeid, outarg.generation,
+ &outarg.attr);
+ if (!inode) {
+- fuse_send_forget(fc, req, outarg.nodeid, 1);
++ fuse_send_forget(fc, forget_req, outarg.nodeid, 1);
+ return ERR_PTR(-ENOMEM);
+ }
+ }
+- fuse_put_request(fc, req);
++ fuse_put_request(fc, forget_req);
+ if (err && err != -ENOENT)
+ return ERR_PTR(err);
+
+@@ -375,6 +392,13 @@ static int create_new_entry(struct fuse_
+ struct fuse_entry_out outarg;
+ struct inode *inode;
+ int err;
++ struct fuse_req *forget_req;
++
++ forget_req = fuse_get_req(fc);
++ if (IS_ERR(forget_req)) {
++ fuse_put_request(fc, req);
++ return PTR_ERR(forget_req);
++ }
+
+ req->in.h.nodeid = get_node_id(dir);
+ req->out.numargs = 1;
+@@ -382,24 +406,24 @@ static int create_new_entry(struct fuse_
+ req->out.args[0].value = &outarg;
+ request_send(fc, req);
+ err = req->out.h.error;
+- if (err) {
+- fuse_put_request(fc, req);
+- return err;
+- }
++ fuse_put_request(fc, req);
++ if (err)
++ goto out_put_forget_req;
++
+ err = -EIO;
+ if (invalid_nodeid(outarg.nodeid))
+- goto out_put_request;
++ goto out_put_forget_req;
+
+ if ((outarg.attr.mode ^ mode) & S_IFMT)
+- goto out_put_request;
++ goto out_put_forget_req;
+
+ inode = fuse_iget(dir->i_sb, outarg.nodeid, outarg.generation,
+ &outarg.attr);
+ if (!inode) {
+- fuse_send_forget(fc, req, outarg.nodeid, 1);
++ fuse_send_forget(fc, forget_req, outarg.nodeid, 1);
+ return -ENOMEM;
+ }
+- fuse_put_request(fc, req);
++ fuse_put_request(fc, forget_req);
+
+ if (dir_alias(inode)) {
+ iput(inode);
+@@ -411,8 +435,8 @@ static int create_new_entry(struct fuse_
+ fuse_invalidate_attr(dir);
+ return 0;
+
+- out_put_request:
+- fuse_put_request(fc, req);
++ out_put_forget_req:
++ fuse_put_request(fc, forget_req);
+ return err;
+ }
+
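Review bot: The early returns that follow `fuse_send_forget(fc, forget_req, outarg.nodeid, 1)` in fuse_dentry_revalidate(), fuse_lookup() and create_new_entry() skip `fuse_put_request(fc, forget_req)`. That is only leak-free if fuse_send_forget() consumes the request, which these hunks do not show. If it does, a short comment at each of the three sites would keep the ownership rule visible, e.g. `/* fuse_send_forget() consumes forget_req */`. All three function bodies extend outside their hunks, so the remaining exit paths should be checked against the same rule.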
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Nov 23 18:10:52 2006
+From: maks@sternwelten.at
+Date: Wed, 22 Nov 2006 02:59:09 GMT
+Message-Id: <200611220259.kAM2x9xc004965@hera.kernel.org>
+To: stable@kernel.org
+Subject: IPV6: Fix address/interface handling in UDP and DCCP, according to the scoping architecture.
+
+From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+
+TCP and RAW do not have this issue. Closes Bug #7432.
+
+Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ net/dccp/ipv6.c | 2 +-
+ net/ipv6/udp.c | 7 +++----
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+--- linux-2.6.18.3.orig/net/dccp/ipv6.c
++++ linux-2.6.18.3/net/dccp/ipv6.c
+@@ -276,7 +276,7 @@ static void dccp_v6_err(struct sk_buff *
+ __u64 seq;
+
+ sk = inet6_lookup(&dccp_hashinfo, &hdr->daddr, dh->dccph_dport,
+- &hdr->saddr, dh->dccph_sport, skb->dev->ifindex);
++ &hdr->saddr, dh->dccph_sport, inet6_iif(skb));
+
+ if (sk == NULL) {
+ ICMP6_INC_STATS_BH(__in6_dev_get(skb->dev), ICMP6_MIB_INERRORS);
+--- linux-2.6.18.3.orig/net/ipv6/udp.c
++++ linux-2.6.18.3/net/ipv6/udp.c
+@@ -314,14 +314,13 @@ static void udpv6_err(struct sk_buff *sk
+ {
+ struct ipv6_pinfo *np;
+ struct ipv6hdr *hdr = (struct ipv6hdr*)skb->data;
+- struct net_device *dev = skb->dev;
+ struct in6_addr *saddr = &hdr->saddr;
+ struct in6_addr *daddr = &hdr->daddr;
+ struct udphdr *uh = (struct udphdr*)(skb->data+offset);
+ struct sock *sk;
+ int err;
+
+- sk = udp_v6_lookup(daddr, uh->dest, saddr, uh->source, dev->ifindex);
++ sk = udp_v6_lookup(daddr, uh->dest, saddr, uh->source, inet6_iif(skb));
+
+ if (sk == NULL)
+ return;
+@@ -415,7 +414,7 @@ static void udpv6_mcast_deliver(struct u
+
+ read_lock(&udp_hash_lock);
+ sk = sk_head(&udp_hash[ntohs(uh->dest) & (UDP_HTABLE_SIZE - 1)]);
+- dif = skb->dev->ifindex;
++ dif = inet6_iif(skb);
+ sk = udp_v6_mcast_next(sk, uh->dest, daddr, uh->source, saddr, dif);
+ if (!sk) {
+ kfree_skb(skb);
+@@ -496,7 +495,7 @@ static int udpv6_rcv(struct sk_buff **ps
+ * check socket cache ... must talk to Alan about his plans
+ * for sock caches... i'll skip this for now.
+ */
+- sk = udp_v6_lookup(saddr, uh->source, daddr, uh->dest, dev->ifindex);
++ sk = udp_v6_lookup(saddr, uh->source, daddr, uh->dest, inet6_iif(skb));
+
+ if (sk == NULL) {
+ if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Nov 17 12:12:33 2006
+Message-ID: <455E16AB.1010101@trash.net>
+Date: Fri, 17 Nov 2006 21:08:11 +0100
+From: Patrick McHardy <kaber@trash.net>
+To: "David S. Miller" <davem@davemloft.net>
+Cc: stable@kernel.org
+Subject: NETFILTER: H.323 conntrack: fix crash with CONFIG_IP_NF_CT_ACCT
+
+H.323 connection tracking code calls ip_ct_refresh_acct() when
+processing RCFs and URQs but passes NULL as the skb.
+When CONFIG_IP_NF_CT_ACCT is enabled, the connection tracking core tries
+to derefence the skb, which results in an obvious panic.
+A similar fix was applied on the SIP connection tracking code some time
+ago.
+
+Signed-off-by: Faidon Liambotis <paravoid@debian.org>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+commit 76b0c2b63fd5a2da358b36a22b7bf99298dde0b7
+tree cd96ddb4c4cd5ffb44ed5a47fa3be41267eea99a
+parent 1b9bb3c14c60324b54645ffefbe6d270f9fd191c
+author Faidon Liambotis <paravoid@debian.org> Fri, 17 Nov 2006 21:01:25 +0100
+committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 21:01:25 +0100
+
+ net/ipv4/netfilter/ip_conntrack_helper_h323.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.18.3.orig/net/ipv4/netfilter/ip_conntrack_helper_h323.c
++++ linux-2.6.18.3/net/ipv4/netfilter/ip_conntrack_helper_h323.c
+@@ -1417,7 +1417,7 @@ static int process_rcf(struct sk_buff **
+ DEBUGP
+ ("ip_ct_ras: set RAS connection timeout to %u seconds\n",
+ info->timeout);
+- ip_ct_refresh_acct(ct, ctinfo, NULL, info->timeout * HZ);
++ ip_ct_refresh(ct, *pskb, info->timeout * HZ);
+
+ /* Set expect timeout */
+ read_lock_bh(&ip_conntrack_lock);
+@@ -1465,7 +1465,7 @@ static int process_urq(struct sk_buff **
+ info->sig_port[!dir] = 0;
+
+ /* Give it 30 seconds for UCF or URJ */
+- ip_ct_refresh_acct(ct, ctinfo, NULL, 30 * HZ);
++ ip_ct_refresh(ct, *pskb, 30 * HZ);
+
+ return 0;
+ }
--- /dev/null
+From dfbc9e9d33adb1ac9910dd7f8ceb911947039a52 Mon Sep 17 00:00:00 2001
+From: Daniel Ritz <daniel.ritz-ml@swissonline.ch>
+Date: Sat, 18 Nov 2006 22:19:34 -0800
+Subject: [PATCH] pcmcia: fix 'rmmod pcmcia' with unbound devices
+
+Having unbound PCMCIA devices: doing a 'find /sys' after a 'rmmod pcmcia'
+gives an oops because the pcmcia_device is not unregisterd from the driver
+core.
+
+fixes bugzilla #7481
+
+Signed-off-by: Daniel Ritz <daniel.ritz@gmx.ch>
+Acked-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Pavol Gono <Palo.Gono@gmail.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+[chrisw: add subsequent mutex fix]
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/pcmcia/ds.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- linux-2.6.18.3.orig/drivers/pcmcia/ds.c
++++ linux-2.6.18.3/drivers/pcmcia/ds.c
+@@ -1264,6 +1264,11 @@ static void pcmcia_bus_remove_socket(str
+ socket->pcmcia_state.dead = 1;
+ pccard_register_pcmcia(socket, NULL);
+
++ /* unregister any unbound devices */
++ mutex_lock(&socket->skt_mutex);
++ pcmcia_card_remove(socket, NULL);
++ mutex_unlock(&socket->skt_mutex);
++
+ pcmcia_put_socket(socket);
+
+ return;
netfilter-kconfig-fix-xt_physdev-dependencies.patch
netfilter-xt_connsecmark-fix-kconfig-dependencies.patch
bcm43xx-drain-tx-status-before-starting-irqs.patch
+netfilter-h.323-conntrack-fix-crash-with-config_ip_nf_ct_acct.patch
+pcmcia-fix-rmmod-pcmcia-with-unbound-devices.patch
+v4l-do-not-enable-video_v4l2-unconditionally.patch
+x86-microcode-don-t-check-the-size.patch
+alpha-fix-alpha_ev56-dependencies-typo.patch
+softmac-fix-a-slab-corruption-in-wep-restricted-key-association.patch
+tg3-add-missing-unlock-in-tg3_open-error-path.patch
+ipv6-fix-address-interface-handling-in-udp-and-dccp-according-to-the-scoping-architecture.patch
+bte_unaligned_copy-transfers-one-extra-cache-line.patch
+bluetooth-fix-unaligned-access-in-hci_send_to_sock.patch
+agp-allocate-agp-pages-with-gfp_dma32-by-default.patch
+fuse-fix-oops-in-lookup.patch
+udp-make-udp_encap_rcv-use-pskb_may_pull.patch
--- /dev/null
+From 6684e59aa3cf6cb7ebf04ea2953198500c93b0a9 Mon Sep 17 00:00:00 2001
+Message-ID: <4561E092.5030201@gentoo.org>
+From: Laurent Riffard <laurent.riffard@free.fr>
+Date: Thu, 12 Oct 2006 00:17:36 +0200
+Subject: softmac: fix a slab corruption in WEP restricted key association
+
+Fix a slab corruption in ieee80211softmac_auth(). The size of a buffer
+was miscomputed.
+
+see http://bugzilla.kernel.org/show_bug.cgi?id=7245
+
+Acked-by: Daniel Drake <dsd@gentoo.org>
+Signed-off-by: Laurent Riffard <laurent.riffard@free.fr>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ net/ieee80211/softmac/ieee80211softmac_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.18.3.orig/net/ieee80211/softmac/ieee80211softmac_io.c
++++ linux-2.6.18.3/net/ieee80211/softmac/ieee80211softmac_io.c
+@@ -304,7 +304,7 @@ ieee80211softmac_auth(struct ieee80211_a
+ 2 + /* Auth Transaction Seq */
+ 2 + /* Status Code */
+ /* Challenge Text IE */
+- is_shared_response ? 0 : 1 + 1 + net->challenge_len
++ (is_shared_response ? 1 + 1 + net->challenge_len : 0)
+ );
+ if (unlikely((*pkt) == NULL))
+ return 0;
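Review bot: The size expression now reserves room for the Challenge Text IE only when `is_shared_response` is set, but the code that writes that IE lies outside this hunk, so the two conditions cannot be compared here. The write side should use the same predicate and the same `net->challenge_len`, or the slab overrun can come back in another form. A comment on the sized term would help keep them in step, e.g. `/* IE header (2 bytes) + challenge text, shared-key response only */`. It is also worth confirming that `net->challenge_len` is bounded where it is stored, since it feeds an allocation size.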
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Nov 22 03:50:30 2006
+From: maks@sternwelten.at
+Date: Wed, 22 Nov 2006 02:59:09 GMT
+Message-Id: <200611220259.kAM2x95e004973@hera.kernel.org>
+To: stable@kernel.org
+Subject: TG3: Add missing unlock in tg3_open() error path.
+
+From: Ira W. Snyder <kernel@irasnyder.com>
+
+Sparse noticed a locking imbalance in tg3_open(). This patch adds an
+unlock to one of the error paths, so that tg3_open() always exits
+without the lock held.
+
+Signed-off-by: Ira W. Snyder <kernel@irasnyder.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ drivers/net/tg3.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- linux-2.6.18.3.orig/drivers/net/tg3.c
++++ linux-2.6.18.3/drivers/net/tg3.c
+@@ -6889,8 +6889,10 @@ static int tg3_open(struct net_device *d
+ tg3_full_lock(tp, 0);
+
+ err = tg3_set_power_state(tp, PCI_D0);
+- if (err)
++ if (err) {
++ tg3_full_unlock(tp);
+ return err;
++ }
+
+ tg3_disable_ints(tp);
+ tp->tg3_flags &= ~TG3_FLAG_INIT_COMPLETE;
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Nov 28 20:41:40 2006
+Date: Tue, 28 Nov 2006 20:36:46 -0800 (PST)
+Message-Id: <20061128.203646.85408792.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: UDP: Make udp_encap_rcv use pskb_may_pull
+
+From: Olaf Kirch <okir@suse.de>
+
+IPsec with NAT-T breaks on some notebooks using the latest e1000 chipset,
+when header split is enabled. When receiving sufficiently large packets, the
+driver puts everything up to and including the UDP header into the header
+portion of the skb, and the rest goes into the paged part. udp_encap_rcv
+forgets to use pskb_may_pull, and fails to decapsulate it. Instead, it
+passes it up it to the IKE daemon.
+
+Signed-off-by: Olaf Kirch <okir@suse.de>
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ net/ipv4/udp.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- linux-2.6.18.3.orig/net/ipv4/udp.c
++++ linux-2.6.18.3/net/ipv4/udp.c
+@@ -892,23 +892,32 @@ static int udp_encap_rcv(struct sock * s
+ return 1;
+ #else
+ struct udp_sock *up = udp_sk(sk);
+- struct udphdr *uh = skb->h.uh;
++ struct udphdr *uh;
+ struct iphdr *iph;
+ int iphlen, len;
+
+- __u8 *udpdata = (__u8 *)uh + sizeof(struct udphdr);
+- __u32 *udpdata32 = (__u32 *)udpdata;
++ __u8 *udpdata;
++ __u32 *udpdata32;
+ __u16 encap_type = up->encap_type;
+
+ /* if we're overly short, let UDP handle it */
+- if (udpdata > skb->tail)
++ len = skb->len - sizeof(struct udphdr);
++ if (len <= 0)
+ return 1;
+
+ /* if this is not encapsulated socket, then just return now */
+ if (!encap_type)
+ return 1;
+
+- len = skb->tail - udpdata;
++ /* If this is a paged skb, make sure we pull up
++ * whatever data we need to look at. */
++ if (!pskb_may_pull(skb, sizeof(struct udphdr) + min(len, 8)))
++ return 1;
++
++ /* Now we can get the pointers */
++ uh = skb->h.uh;
++ udpdata = (__u8 *)uh + sizeof(struct udphdr);
++ udpdata32 = (__u32 *)udpdata;
+
+ switch (encap_type) {
+ default:
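Review bot: The short-packet test in udp_encap_rcv() computes `len = skb->len - sizeof(struct udphdr)` in unsigned arithmetic and then relies on the conversion to `int` to make `len <= 0` true for undersized packets. Comparing before subtracting states the intent without depending on that conversion: `if (skb->len <= sizeof(struct udphdr)) return 1;` followed by `len = skb->len - sizeof(struct udphdr);`. The literal `8` in `min(len, 8)` would also benefit from a comment or a named constant saying how many payload bytes the `switch` below inspects. The function continues past the hunk, so any pointer taken before a later pull there should be re-derived the same way `uh` and `udpdata` are here.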
--- /dev/null
+From stable-bounces@linux.kernel.org Sun Nov 19 19:21:58 2006
+Message-ID: <45611E4B.8060002@linuxtv.org>
+Date: Sun, 19 Nov 2006 22:17:31 -0500
+From: Michael Krufky <mkrufky@linuxtv.org>
+To: stable@kernel.org
+Cc: v4l-dvb maintainer list <v4l-dvb-maintainer@linuxtv.org>
+Subject: V4L: Do not enable VIDEO_V4L2 unconditionally
+
+From: Maciej W. Rozycki <macro@linux-mips.org>
+
+V4L: Do not enable VIDEO_V4L2 unconditionally
+
+The VIDEO_V4L2 config setting is enabled unconditionally, even for
+configurations with no support for this subsystem whatsoever. The
+following patch adds the necessary dependency.
+
+Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
+Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/media/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.18.3.orig/drivers/media/Kconfig
++++ linux-2.6.18.3/drivers/media/Kconfig
+@@ -54,6 +54,7 @@ config VIDEO_V4L1_COMPAT
+
+ config VIDEO_V4L2
+ bool
++ depends on VIDEO_DEV
+ default y
+
+ source "drivers/media/video/Kconfig"
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Nov 20 09:11:33 2006
+Message-ID: <4561DFB6.9050304@gentoo.org>
+Date: Mon, 20 Nov 2006 12:02:46 -0500
+From: Daniel Drake <dsd@gentoo.org>
+To: stable@kernel.org
+Cc: shaohua.li@intel.com
+Subject: x86 microcode: don't check the size
+
+From: Shaohua Li <shaohua.li@intel.com>
+
+IA32 manual says if micorcode update's size is 0, then the size is
+default size (2048 bytes). But this doesn't suggest all microcode
+update's size should be above 2048 bytes to me. We actually had a
+microcode update whose size is 1024 bytes. The patch just removed the
+check.
+
+Backported to 2.6.18 by Daniel Drake.
+
+Signed-off-by: Daniel Drake <dsd@gentoo.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ arch/i386/kernel/microcode.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- linux-2.6.18.3.orig/arch/i386/kernel/microcode.c
++++ linux-2.6.18.3/arch/i386/kernel/microcode.c
+@@ -250,14 +250,14 @@ static int find_matching_ucodes (void)
+ }
+
+ total_size = get_totalsize(&mc_header);
+- if ((cursor + total_size > user_buffer_size) || (total_size < DEFAULT_UCODE_TOTALSIZE)) {
++ if (cursor + total_size > user_buffer_size) {
+ printk(KERN_ERR "microcode: error! Bad data in microcode data file\n");
+ error = -EINVAL;
+ goto out;
+ }
+
+ data_size = get_datasize(&mc_header);
+- if ((data_size + MC_HEADER_SIZE > total_size) || (data_size < DEFAULT_UCODE_DATASIZE)) {
++ if (data_size + MC_HEADER_SIZE > total_size) {
+ printk(KERN_ERR "microcode: error! Bad data in microcode data file\n");
+ error = -EINVAL;
+ goto out;
+@@ -460,11 +460,6 @@ static ssize_t microcode_write (struct f
+ {
+ ssize_t ret;
+
+- if (len < DEFAULT_UCODE_TOTALSIZE) {
+- printk(KERN_ERR "microcode: not enough data\n");
+- return -EINVAL;
+- }
+-
+ if ((len >> PAGE_SHIFT) > num_physpages) {
+ printk(KERN_ERR "microcode: too much data (max %ld pages)\n", num_physpages);
+ return -EINVAL;
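Review bot: With the lower bounds removed, `cursor + total_size > user_buffer_size` and `data_size + MC_HEADER_SIZE > total_size` are the only checks left on sizes taken from the user-supplied header in find_matching_ucodes(), and both sums can wrap if the operands are narrow unsigned types (the declarations are outside the hunk). Writing them as subtractions avoids that: `if (total_size > user_buffer_size - cursor)` and `if (total_size < MC_HEADER_SIZE || data_size > total_size - MC_HEADER_SIZE)`. microcode_write() no longer rejects a `len` shorter than one header, so the header copy above the first hunk should be confirmed to check `cursor + MC_HEADER_SIZE <= user_buffer_size` before it reads. Both functions continue outside their hunks.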