--- /dev/null
+From gregkh@mini.kroah.org Wed Dec 12 22:28:35 2007
+Message-Id: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:11 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk
+Subject: [patch 00/36] 2.6.22-stable review
+Content-Length: 715
+Lines: 17
+
+This is the start of the stable review cycle for the 2.6.22.15 release.
+There are 36 patches in this series, all will be posted as a response to
+this one. If anyone has any issues with these being applied, please let
+us know. If anyone is a maintainer of the proper subsystem, and wants
+to add a Signed-off-by: line to the patch, please respond with it.
+
+These patches are sent out with a number of different people on the Cc:
+line. If you wish to be a reviewer, please email stable@kernel.org to
+add your name to the list. If you want to be off the reviewer list,
+also email us.
+
+Responses should be made by Friday, Dec 14 20:00:00 UTC. Anything
+received after that time might be too late.
+
+thanks,
+
+greg k-h
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:35 2007
+Message-Id: <20071213062835.422342274@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:12 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ greg@kroah.com,
+ chrisw@sous-sol.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ csnook@redhat.com,
+ kronos.it@gmail.com,
+ Jay Cliburn <jacliburn@bellsouth.net>,
+ Jeff Garzik <jeff@garzik.org>
+Subject: [patch 01/36] atl1: disable broken 64-bit DMA
+Content-Disposition: inline; filename=atl1-disable-broken-64-bit-dma.patch
+Content-Length: 2706
+Lines: 86
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Luca Tettamanti <kronos.it@gmail.com>
+
+atl1: disable broken 64-bit DMA
+
+[ Upstream commit: 5f08e46b621a769e52a9545a23ab1d5fb2aec1d4 ]
+
+The L1 network chip can DMA to 64-bit addresses, but multiple descriptor
+rings share a single register for the high 32 bits of their address, so
+only a single, aligned, 4 GB physical address range can be used at a time.
+As a result, we need to confine the driver to a 32-bit DMA mask, otherwise
+we see occasional data corruption errors in systems containing 4 or more
+gigabytes of RAM.
+
+Signed-off-by: Luca Tettamanti <kronos.it@gmail.com>
+Signed-off-by: Jay Cliburn <jacliburn@bellsouth.net>
+Acked-by: Chris Snook <csnook@redhat.com>
+Signed-off-by: Jeff Garzik <jeff@garzik.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/net/atl1/atl1_main.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/atl1/atl1_main.c
++++ b/drivers/net/atl1/atl1_main.c
+@@ -2097,21 +2097,26 @@ static int __devinit atl1_probe(struct p
+ struct net_device *netdev;
+ struct atl1_adapter *adapter;
+ static int cards_found = 0;
+- bool pci_using_64 = true;
+ int err;
+
+ err = pci_enable_device(pdev);
+ if (err)
+ return err;
+
+- err = pci_set_dma_mask(pdev, DMA_64BIT_MASK);
++ /*
++ * The atl1 chip can DMA to 64-bit addresses, but it uses a single
++ * shared register for the high 32 bits, so only a single, aligned,
++ * 4 GB physical address range can be used at a time.
++ *
++ * Supporting 64-bit DMA on this hardware is more trouble than it's
++ * worth. It is far easier to limit to 32-bit DMA than update
++ * various kernel subsystems to support the mechanics required by a
++ * fixed-high-32-bit system.
++ */
++ err = pci_set_dma_mask(pdev, DMA_32BIT_MASK);
+ if (err) {
+- err = pci_set_dma_mask(pdev, DMA_32BIT_MASK);
+- if (err) {
+- dev_err(&pdev->dev, "no usable DMA configuration\n");
+- goto err_dma;
+- }
+- pci_using_64 = false;
++ dev_err(&pdev->dev, "no usable DMA configuration\n");
++ goto err_dma;
+ }
+ /* Mark all PCI regions associated with PCI device
+ * pdev as being reserved by owner atl1_driver_name
+@@ -2176,7 +2181,6 @@ static int __devinit atl1_probe(struct p
+
+ netdev->ethtool_ops = &atl1_ethtool_ops;
+ adapter->bd_number = cards_found;
+- adapter->pci_using_64 = pci_using_64;
+
+ /* setup the private structure */
+ err = atl1_sw_init(adapter);
+@@ -2193,9 +2197,6 @@ static int __devinit atl1_probe(struct p
+ */
+ /* netdev->features |= NETIF_F_TSO; */
+
+- if (pci_using_64)
+- netdev->features |= NETIF_F_HIGHDMA;
+-
+ netdev->features |= NETIF_F_LLTX;
+
+ /*
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:35 2007
+Message-Id: <20071213062835.578344453@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:13 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Christian Borntraeger <borntraeger@de.ibm.com>,
+ Jan Kara <jack@suse.cz>,
+ Nick Piggin <npiggin@suse.de>,
+ "Eric W. Biederman" <ebiederm@xmission.com>
+Subject: [patch 02/36] rd: fix data corruption on memory pressure Future of Linux 2.6.22.y series
+Content-Disposition: inline; filename=rd-fix-data-corruption-on-memory-pressure.patch
+Content-Length: 2552
+Lines: 70
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+commit 5d0360ee96a5ef953dbea45873c2a8c87e77d59b upstream.
+
+We have seen ramdisk based install systems, where some pages of mapped
+libraries and programs were suddendly zeroed under memory pressure. This
+should not happen, as the ramdisk avoids freeing its pages by keeping
+them dirty all the time.
+
+It turns out that there is a case, where the VM makes a ramdisk page
+clean, without telling the ramdisk driver. On memory pressure
+shrink_zone runs and it starts to run shrink_active_list. There is a
+check for buffer_heads_over_limit, and if true, pagevec_strip is called.
+pagevec_strip calls try_to_release_page. If the mapping has no
+releasepage callback, try_to_free_buffers is called. try_to_free_buffers
+has now a special logic for some file systems to make a dirty page
+clean, if all buffers are clean. Thats what happened in our test case.
+
+The simplest solution is to provide a noop-releasepage callback for the
+ramdisk driver. This avoids try_to_free_buffers for ramdisk pages.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Acked-by: Nick Piggin <npiggin@suse.de>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/block/rd.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/block/rd.c
++++ b/drivers/block/rd.c
+@@ -189,6 +189,18 @@ static int ramdisk_set_page_dirty(struct
+ return 0;
+ }
+
++/*
++ * releasepage is called by pagevec_strip/try_to_release_page if
++ * buffers_heads_over_limit is true. Without a releasepage function
++ * try_to_free_buffers is called instead. That can unset the dirty
++ * bit of our ram disk pages, which will be eventually freed, even
++ * if the page is still in use.
++ */
++static int ramdisk_releasepage(struct page *page, gfp_t dummy)
++{
++ return 0;
++}
++
+ static const struct address_space_operations ramdisk_aops = {
+ .readpage = ramdisk_readpage,
+ .prepare_write = ramdisk_prepare_write,
+@@ -196,6 +208,7 @@ static const struct address_space_operat
+ .writepage = ramdisk_writepage,
+ .set_page_dirty = ramdisk_set_page_dirty,
+ .writepages = ramdisk_writepages,
++ .releasepage = ramdisk_releasepage,
+ };
+
+ static int rd_blkdev_pagecache_IO(int rw, struct bio_vec *vec, sector_t sector,
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:35 2007
+Message-Id: <20071213062835.735409189@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:14 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ torvalds@linux-foundation.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ oleg@tv-sign.ru,
+ roland@redhat.com,
+ scott@ubuntu.com
+Subject: [patch 03/36] wait_task_stopped(): pass correct exit_code to wait_noreap_copyout()
+Content-Disposition: inline; filename=wait_task_stopped-pass-correct-exit_code-to-wait_noreap_copyout.patch
+Content-Length: 1464
+Lines: 46
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Scott James Remnant <scott@ubuntu.com>
+
+patch e6ceb32aa25fc33f21af84cc7a32fe289b3e860c in mainline.
+
+In wait_task_stopped() exit_code already contains the right value for the
+si_status member of siginfo, and this is simply set in the non WNOWAIT
+case.
+
+If you call waitid() with a stopped or traced process, you'll get the signal
+in siginfo.si_status as expected -- however if you call waitid(WNOWAIT) at the
+same time, you'll get the signal << 8 | 0x7f
+
+Pass it unchanged to wait_noreap_copyout(); we would only need to shift it
+and add 0x7f if we were returning it in the user status field and that
+isn't used for any function that permits WNOWAIT.
+
+Signed-off-by: Scott James Remnant <scott@ubuntu.com>
+Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
+Cc: Roland McGrath <roland@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/exit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1339,7 +1339,7 @@ static int wait_task_stopped(struct task
+ if (unlikely(!exit_code) || unlikely(p->exit_state))
+ goto bail_ref;
+ return wait_noreap_copyout(p, pid, uid,
+- why, (exit_code << 8) | 0x7f,
++ why, exit_code,
+ infop, ru);
+ }
+
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:36 2007
+Message-Id: <20071213062835.897732365@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:15 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ linux-usb@vger.kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Oliver Neukum <oneukum@suse.de>
+Subject: [patch 04/36] USB: make the microtek driver and HAL cooperate
+Content-Disposition: inline; filename=usb-make-the-microtek-driver-and-hal-cooperate.patch
+Content-Length: 833
+Lines: 33
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Oliver Neukum <oliver@neukum.org>
+
+patch 5cf1973a44bd298e3cfce6f6af8faa8c9d0a6d55 in mainline
+
+to make HAL like the microtek driver's devices the parent must be
+correctly set.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/image/microtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/image/microtek.c
++++ b/drivers/usb/image/microtek.c
+@@ -823,7 +823,7 @@ static int mts_usb_probe(struct usb_inte
+ goto out_kfree2;
+
+ new_desc->host->hostdata[0] = (unsigned long)new_desc;
+- if (scsi_add_host(new_desc->host, NULL)) {
++ if (scsi_add_host(new_desc->host, &dev->dev)) {
+ err_retval = -EIO;
+ goto out_host_put;
+ }
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:36 2007
+Message-Id: <20071213062836.054576319@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:16 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ linux-usb@vger.kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ David Brownell <dbrownell@users.sourceforge.net>,
+ Dave Miller <davem@davemloft.net>,
+ Dely Sy <dely.l.sy@intel.com>,
+ Alan Stern <stern@rowland.harvard.edu>
+Subject: [patch 05/36] USB: fix up EHCI startup synchronization
+Content-Disposition: inline; filename=usb-fix-up-ehci-startup-synchronization.patch
+Content-Length: 1757
+Lines: 47
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: David Brownell <david-b@pacbell.net>
+
+patch 1cb52658b4f5b10a9e91f8e1c21ca2bcc1b9a3ca in mainline.
+
+A recent patch added software synchronization during EHCI startup,
+so ports aren't switched away from the companion controllers after
+resets have started. This patch adds a short delay letting hardware
+finish that port switching before any new resets begin ... so both
+ends of that hardware race window are closed.
+
+Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
+Cc: Dave Miller <davem@davemloft.net>
+Cc: Dely Sy <dely.l.sy@intel.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/ehci-hcd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/ehci-hcd.c
++++ b/drivers/usb/host/ehci-hcd.c
+@@ -571,12 +571,15 @@ static int ehci_run (struct usb_hcd *hcd
+ * from the companions to the EHCI controller. If any of the
+ * companions are in the middle of a port reset at the time, it
+ * could cause trouble. Write-locking ehci_cf_port_reset_rwsem
+- * guarantees that no resets are in progress.
++ * guarantees that no resets are in progress. After we set CF,
++ * a short delay lets the hardware catch up; new resets shouldn't
++ * be started before the port switching actions could complete.
+ */
+ down_write(&ehci_cf_port_reset_rwsem);
+ hcd->state = HC_STATE_RUNNING;
+ ehci_writel(ehci, FLAG_CF, &ehci->regs->configured_flag);
+ ehci_readl(ehci, &ehci->regs->command); /* unblock posted writes */
++ msleep(5);
+ up_write(&ehci_cf_port_reset_rwsem);
+
+ temp = HC_VERSION(ehci_readl(ehci, &ehci->caps->hc_capbase));
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:36 2007
+Message-Id: <20071213062836.207109355@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:17 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Adrian Bunk <bunk@kernel.org>,
+ Willy Tarreau <wtarreau@hera.kernel.org>,
+ Hugh Dickins <hugh@veritas.com>
+Subject: [patch 06/36] tmpfs: restore missing clear_highpage
+Content-Disposition: inline; filename=tmpfs-restore-missing-clear_highpage.patch
+Content-Length: 1455
+Lines: 51
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Hugh Dickins <hugh@veritas.com>
+
+patch e84e2e132c9c66d8498e7710d4ea532d1feaaac5 in mainline
+
+tmpfs was misconverted to __GFP_ZERO in 2.6.11. There's an unusual case in
+which shmem_getpage receives the page from its caller instead of allocating.
+We must cover this case by clear_highpage before SetPageUptodate, as before.
+
+Signed-off-by: Hugh Dickins <hugh@veritas.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/shmem.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -1066,7 +1066,7 @@ shmem_alloc_page(gfp_t gfp, struct shmem
+ pvma.vm_policy = mpol_shared_policy_lookup(&info->policy, idx);
+ pvma.vm_pgoff = idx;
+ pvma.vm_end = PAGE_SIZE;
+- page = alloc_page_vma(gfp | __GFP_ZERO, &pvma, 0);
++ page = alloc_page_vma(gfp, &pvma, 0);
+ mpol_free(pvma.vm_policy);
+ return page;
+ }
+@@ -1086,7 +1086,7 @@ shmem_swapin(struct shmem_inode_info *in
+ static inline struct page *
+ shmem_alloc_page(gfp_t gfp,struct shmem_inode_info *info, unsigned long idx)
+ {
+- return alloc_page(gfp | __GFP_ZERO);
++ return alloc_page(gfp);
+ }
+ #endif
+
+@@ -1295,6 +1295,7 @@ repeat:
+
+ info->alloced++;
+ spin_unlock(&info->lock);
++ clear_highpage(filepage);
+ flush_dcache_page(filepage);
+ SetPageUptodate(filepage);
+ }
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:36 2007
+Message-Id: <20071213062836.364735088@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:18 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>,
+ "David S. Miller" <davem@davemloft.net>,
+ Li Zefan <lizf@cn.fujitsu.com>,
+ Patrick McHardy <kaber@trash.net>
+Subject: [patch 07/36] nf_nat: fix memset error
+Content-Disposition: inline; filename=nf_nat-fix-memset-error.patch
+Content-Length: 1155
+Lines: 42
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Li Zefan <lizf@cn.fujitsu.com>
+
+This patch fixes an incorrect memset in the NAT code, causing
+misbehaviour when unloading and reloading the NAT module.
+Applies to stable-2.6.22 and stable-2.6.23.
+
+Please apply, thanks.
+[NETFILTER]: nf_nat: fix memset error
+
+Upstream commit e0bf9cf15fc30d300b7fbd821c6bc975531fab44
+
+The size passing to memset is the size of a pointer. Fixes
+misbehaviour when unloading and reloading the NAT module.
+
+Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ net/ipv4/netfilter/nf_nat_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/netfilter/nf_nat_core.c
++++ b/net/ipv4/netfilter/nf_nat_core.c
+@@ -633,7 +633,7 @@ static int clean_nat(struct nf_conn *i,
+
+ if (!nat)
+ return 0;
+- memset(nat, 0, sizeof(nat));
++ memset(nat, 0, sizeof(*nat));
+ i->status &= ~(IPS_NAT_MASK | IPS_NAT_DONE_MASK | IPS_SEQ_ADJUST);
+ return 0;
+ }
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:36 2007
+Message-Id: <20071213062836.518921151@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:19 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ Greg KH <greg@kroah.com>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Benny Halevy <bhalevy@fs1.bhalevy.com>,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 08/36] libcrc32c: keep intermediate crc state in cpu order
+Content-Disposition: inline; filename=libcrc32c-keep-intermediate-crc-state-in-cpu-order.patch
+Content-Length: 1483
+Lines: 55
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+It's upstream changeset ef19454bd437b2ba14c9cda1de85debd9f383484.
+
+[LIB] crc32c: Keep intermediate crc state in cpu order
+
+crypto/crc32.c:chksum_final() is computing the digest as
+*(__le32 *)out = ~cpu_to_le32(mctx->crc);
+so the low-level crc32c_le routines should just keep
+the crc in cpu order, otherwise it is getting swabbed
+one too many times on big-endian machines.
+
+Signed-off-by: Benny Halevy <bhalevy@fs1.bhalevy.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ lib/libcrc32c.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/lib/libcrc32c.c
++++ b/lib/libcrc32c.c
+@@ -33,7 +33,6 @@
+ #include <linux/crc32c.h>
+ #include <linux/compiler.h>
+ #include <linux/module.h>
+-#include <asm/byteorder.h>
+
+ MODULE_AUTHOR("Clay Haapala <chaapala@cisco.com>");
+ MODULE_DESCRIPTION("CRC32c (Castagnoli) calculations");
+@@ -161,15 +160,13 @@ static const u32 crc32c_table[256] = {
+ */
+
+ u32 __attribute_pure__
+-crc32c_le(u32 seed, unsigned char const *data, size_t length)
++crc32c_le(u32 crc, unsigned char const *data, size_t length)
+ {
+- u32 crc = __cpu_to_le32(seed);
+-
+ while (length--)
+ crc =
+ crc32c_table[(crc ^ *data++) & 0xFFL] ^ (crc >> 8);
+
+- return __le32_to_cpu(crc);
++ return crc;
+ }
+
+ #endif /* CRC_LE_BITS == 8 */
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:36 2007
+Message-Id: <20071213062836.671868648@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:20 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Karsten Keil <kkeil@suse.de>
+Subject: [patch 09/36] isdn: avoid copying overly-long strings
+Content-Disposition: inline; filename=isdn-avoid-copying-overly-long-strings.patch
+Content-Length: 1772
+Lines: 60
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Karsten Keil <kkeil@suse.de>
+
+patch 0f13864e5b24d9cbe18d125d41bfa4b726a82e40 in mainline.
+
+Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9416
+
+Signed-off-by: Karsten Keil <kkeil@suse.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/isdn/i4l/isdn_net.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_net.c
++++ b/drivers/isdn/i4l/isdn_net.c
+@@ -2126,7 +2126,7 @@ isdn_net_find_icall(int di, int ch, int
+ u_long flags;
+ isdn_net_dev *p;
+ isdn_net_phone *n;
+- char nr[32];
++ char nr[ISDN_MSNLEN];
+ char *my_eaz;
+
+ /* Search name in netdev-chain */
+@@ -2135,7 +2135,7 @@ isdn_net_find_icall(int di, int ch, int
+ nr[1] = '\0';
+ printk(KERN_INFO "isdn_net: Incoming call without OAD, assuming '0'\n");
+ } else
+- strcpy(nr, setup->phone);
++ strlcpy(nr, setup->phone, ISDN_MSNLEN);
+ si1 = (int) setup->si1;
+ si2 = (int) setup->si2;
+ if (!setup->eazmsn[0]) {
+@@ -2802,7 +2802,7 @@ isdn_net_setcfg(isdn_net_ioctl_cfg * cfg
+ chidx = -1;
+ }
+ }
+- strcpy(lp->msn, cfg->eaz);
++ strlcpy(lp->msn, cfg->eaz, sizeof(lp->msn));
+ lp->pre_device = drvidx;
+ lp->pre_channel = chidx;
+ lp->onhtime = cfg->onhtime;
+@@ -2951,7 +2951,7 @@ isdn_net_addphone(isdn_net_ioctl_phone *
+ if (p) {
+ if (!(n = kmalloc(sizeof(isdn_net_phone), GFP_KERNEL)))
+ return -ENOMEM;
+- strcpy(n->num, phone->phone);
++ strlcpy(n->num, phone->phone, sizeof(n->num));
+ n->next = p->local->phone[phone->outgoing & 1];
+ p->local->phone[phone->outgoing & 1] = n;
+ return 0;
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:36 2007
+Message-Id: <20071213062836.825564188@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:21 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ torvalds@linux-foundation.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ adlab@venustech.com.cn,
+ kkeil@suse.de
+Subject: [patch 10/36] I4L: fix isdn_ioctl memory overrun vulnerability
+Content-Disposition: inline; filename=i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch
+Content-Length: 1995
+Lines: 60
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Karsten Keil <kkeil@suse.de>
+
+patch eafe1aa37e6ec2d56f14732b5240c4dd09f0613a in mainline.
+
+Fix possible memory overrun issue in the isdn ioctl code. Found by ADLAB
+<adlab@venustech.com.cn>
+
+Signed-off-by: Karsten Keil <kkeil@suse.de>
+Cc: ADLAB <adlab@venustech.com.cn>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/isdn/i4l/isdn_common.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1514,6 +1514,7 @@ isdn_ioctl(struct inode *inode, struct f
+ if (copy_from_user(&iocts, argp,
+ sizeof(isdn_ioctl_struct)))
+ return -EFAULT;
++ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ if (strlen(iocts.drvid)) {
+ if ((p = strchr(iocts.drvid, ',')))
+ *p = 0;
+@@ -1598,6 +1599,7 @@ isdn_ioctl(struct inode *inode, struct f
+ if (copy_from_user(&iocts, argp,
+ sizeof(isdn_ioctl_struct)))
+ return -EFAULT;
++ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ if (strlen(iocts.drvid)) {
+ drvidx = -1;
+ for (i = 0; i < ISDN_MAX_DRIVERS; i++)
+@@ -1642,7 +1644,7 @@ isdn_ioctl(struct inode *inode, struct f
+ } else {
+ p = (char __user *) iocts.arg;
+ for (i = 0; i < 10; i++) {
+- sprintf(bname, "%s%s",
++ snprintf(bname, sizeof(bname), "%s%s",
+ strlen(dev->drv[drvidx]->msn2eaz[i]) ?
+ dev->drv[drvidx]->msn2eaz[i] : "_",
+ (i < 9) ? "," : "\0");
+@@ -1672,6 +1674,7 @@ isdn_ioctl(struct inode *inode, struct f
+ char *p;
+ if (copy_from_user(&iocts, argp, sizeof(isdn_ioctl_struct)))
+ return -EFAULT;
++ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ if (strlen(iocts.drvid)) {
+ if ((p = strchr(iocts.drvid, ',')))
+ *p = 0;
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:37 2007
+Message-Id: <20071213062836.979784685@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:22 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Thomas Gleixner <tglx@linutronix.de>,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [patch 11/36] hrtimers: avoid overflow for large relative timeouts (CVE-2007-5966)
+Content-Disposition: inline; filename=hrtimers-avoid-overflow-for-large-relative-timeouts.patch
+Content-Length: 1517
+Lines: 49
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+patch 62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5 in mainline
+
+Relative hrtimers with a large timeout value might end up as negative
+timer values, when the current time is added in hrtimer_start().
+
+This in turn is causing the clockevents_set_next() function to set an
+huge timeout and sleep for quite a long time when we have a clock
+source which is capable of long sleeps like HPET. With PIT this almost
+goes unnoticed as the maximum delta is ~27ms. The non-hrt/nohz code
+sorts this out in the next timer interrupt, so we never noticed that
+problem which has been there since the first day of hrtimers.
+
+This bug became more apparent in 2.6.24 which activates HPET on more
+hardware.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/hrtimer.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -825,6 +825,14 @@ hrtimer_start(struct hrtimer *timer, kti
+ #ifdef CONFIG_TIME_LOW_RES
+ tim = ktime_add(tim, base->resolution);
+ #endif
++ /*
++ * Careful here: User space might have asked for a
++ * very long sleep, so the add above might result in a
++ * negative number, which enqueues the timer in front
++ * of the queue.
++ */
++ if (tim.tv64 < 0)
++ tim.tv64 = KTIME_MAX;
+ }
+ timer->expires = tim;
+
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:37 2007
+Message-Id: <20071213062837.133569907@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:23 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Steven Rostedt <srostedt@redhat.com>,
+ Ingo Molnar <mingo@elte.hu>,
+ Thomas Gleixner <tglx@linutronix.de>
+Subject: [patch 12/36] futex: fix for futex_wait signal stack corruption
+Content-Disposition: inline; filename=futex-fix-for-futex_wait-signal-stack-corruption.patch
+Content-Length: 7326
+Lines: 218
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Steven Rostedt <srostedt@redhat.com>
+
+patch ce6bd420f43b28038a2c6e8fbb86ad24014727b6 in mainline.
+
+David Holmes found a bug in the -rt tree with respect to
+pthread_cond_timedwait. After trying his test program on the latest git
+from mainline, I found the bug was there too. The bug he was seeing
+that his test program showed, was that if one were to do a "Ctrl-Z" on a
+process that was in the pthread_cond_timedwait, and then did a "bg" on
+that process, it would return with a "-ETIMEDOUT" but early. That is,
+the timer would go off early.
+
+Looking into this, I found the source of the problem. And it is a rather
+nasty bug at that.
+
+Here's the relevant code from kernel/futex.c: (not in order in the file)
+
+[...]
+smlinkage long sys_futex(u32 __user *uaddr, int op, u32 val,
+ struct timespec __user *utime, u32 __user *uaddr2,
+ u32 val3)
+{
+ struct timespec ts;
+ ktime_t t, *tp = NULL;
+ u32 val2 = 0;
+ int cmd = op & FUTEX_CMD_MASK;
+
+ if (utime && (cmd == FUTEX_WAIT || cmd == FUTEX_LOCK_PI)) {
+ if (copy_from_user(&ts, utime, sizeof(ts)) != 0)
+ return -EFAULT;
+ if (!timespec_valid(&ts))
+ return -EINVAL;
+
+ t = timespec_to_ktime(ts);
+ if (cmd == FUTEX_WAIT)
+ t = ktime_add(ktime_get(), t);
+ tp = &t;
+ }
+[...]
+ return do_futex(uaddr, op, val, tp, uaddr2, val2, val3);
+}
+
+[...]
+
+long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
+ u32 __user *uaddr2, u32 val2, u32 val3)
+{
+ int ret;
+ int cmd = op & FUTEX_CMD_MASK;
+ struct rw_semaphore *fshared = NULL;
+
+ if (!(op & FUTEX_PRIVATE_FLAG))
+ fshared = ¤t->mm->mmap_sem;
+
+ switch (cmd) {
+ case FUTEX_WAIT:
+ ret = futex_wait(uaddr, fshared, val, timeout);
+
+[...]
+
+static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
+ u32 val, ktime_t *abs_time)
+{
+[...]
+ struct restart_block *restart;
+ restart = ¤t_thread_info()->restart_block;
+ restart->fn = futex_wait_restart;
+ restart->arg0 = (unsigned long)uaddr;
+ restart->arg1 = (unsigned long)val;
+ restart->arg2 = (unsigned long)abs_time;
+ restart->arg3 = 0;
+ if (fshared)
+ restart->arg3 |= ARG3_SHARED;
+ return -ERESTART_RESTARTBLOCK;
+[...]
+
+static long futex_wait_restart(struct restart_block *restart)
+{
+ u32 __user *uaddr = (u32 __user *)restart->arg0;
+ u32 val = (u32)restart->arg1;
+ ktime_t *abs_time = (ktime_t *)restart->arg2;
+ struct rw_semaphore *fshared = NULL;
+
+ restart->fn = do_no_restart_syscall;
+ if (restart->arg3 & ARG3_SHARED)
+ fshared = ¤t->mm->mmap_sem;
+ return (long)futex_wait(uaddr, fshared, val, abs_time);
+}
+
+So when the futex_wait is interrupt by a signal we break out of the
+hrtimer code and set up or return from signal. This code does not return
+back to userspace, so we set up a RESTARTBLOCK. The bug here is that we
+save the "abs_time" which is a pointer to the stack variable "ktime_t t"
+from sys_futex.
+
+This returns and unwinds the stack before we get to call our signal. On
+return from the signal we go to futex_wait_restart, where we update all
+the parameters for futex_wait and call it. But here we have a problem
+where abs_time is no longer valid.
+
+I verified this with print statements, and sure enough, what abs_time
+was set to ends up being garbage when we get to futex_wait_restart.
+
+The solution I did to solve this (with input from Linus Torvalds)
+was to add unions to the restart_block to allow system calls to
+use the restart with specific parameters. This way the futex code now
+saves the time in a 64bit value in the restart block instead of storing
+it on the stack.
+
+Note: I'm a bit nervious to add "linux/types.h" and use u32 and u64
+in thread_info.h, when there's a #ifdef __KERNEL__ just below that.
+Not sure what that is there for. If this turns out to be a problem, I've
+tested this with using "unsigned int" for u32 and "unsigned long long" for
+u64 and it worked just the same. I'm using u32 and u64 just to be
+consistent with what the futex code uses.
+
+Signed-off-by: Steven Rostedt <srostedt@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/thread_info.h | 17 +++++++++++++++--
+ kernel/futex.c | 25 +++++++++++++------------
+ 2 files changed, 28 insertions(+), 14 deletions(-)
+
+--- a/include/linux/thread_info.h
++++ b/include/linux/thread_info.h
+@@ -7,12 +7,25 @@
+ #ifndef _LINUX_THREAD_INFO_H
+ #define _LINUX_THREAD_INFO_H
+
++#include <linux/types.h>
++
+ /*
+- * System call restart block.
++ * System call restart block.
+ */
+ struct restart_block {
+ long (*fn)(struct restart_block *);
+- unsigned long arg0, arg1, arg2, arg3;
++ union {
++ struct {
++ unsigned long arg0, arg1, arg2, arg3;
++ };
++ /* For futex_wait */
++ struct {
++ u32 *uaddr;
++ u32 val;
++ u32 flags;
++ u64 time;
++ } futex;
++ };
+ };
+
+ extern long do_no_restart_syscall(struct restart_block *parm);
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -1129,9 +1129,9 @@ static int fixup_pi_state_owner(u32 __us
+
+ /*
+ * In case we must use restart_block to restart a futex_wait,
+- * we encode in the 'arg3' shared capability
++ * we encode in the 'flags' shared capability
+ */
+-#define ARG3_SHARED 1
++#define FLAGS_SHARED 1
+
+ static long futex_wait_restart(struct restart_block *restart);
+ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
+@@ -1272,12 +1272,13 @@ static int futex_wait(u32 __user *uaddr,
+ struct restart_block *restart;
+ restart = ¤t_thread_info()->restart_block;
+ restart->fn = futex_wait_restart;
+- restart->arg0 = (unsigned long)uaddr;
+- restart->arg1 = (unsigned long)val;
+- restart->arg2 = (unsigned long)abs_time;
+- restart->arg3 = 0;
++ restart->futex.uaddr = (u32 *)uaddr;
++ restart->futex.val = val;
++ restart->futex.time = abs_time->tv64;
++ restart->futex.flags = 0;
++
+ if (fshared)
+- restart->arg3 |= ARG3_SHARED;
++ restart->futex.flags |= FLAGS_SHARED;
+ return -ERESTART_RESTARTBLOCK;
+ }
+
+@@ -1293,15 +1294,15 @@ static int futex_wait(u32 __user *uaddr,
+
+ static long futex_wait_restart(struct restart_block *restart)
+ {
+- u32 __user *uaddr = (u32 __user *)restart->arg0;
+- u32 val = (u32)restart->arg1;
+- ktime_t *abs_time = (ktime_t *)restart->arg2;
++ u32 __user *uaddr = (u32 __user *)restart->futex.uaddr;
+ struct rw_semaphore *fshared = NULL;
++ ktime_t t;
+
++ t.tv64 = restart->futex.time;
+ restart->fn = do_no_restart_syscall;
+- if (restart->arg3 & ARG3_SHARED)
++ if (restart->futex.flags & FLAGS_SHARED)
+ fshared = ¤t->mm->mmap_sem;
+- return (long)futex_wait(uaddr, fshared, val, abs_time);
++ return (long)futex_wait(uaddr, fshared, restart->futex.val, &t);
+ }
+
+
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:37 2007
+Message-Id: <20071213062837.292845035@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:24 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Ayaz Abdulla <aabdulla@nvidia.com>,
+ Jeff Garzik <jgarzik@redhat.com>
+Subject: [patch 13/36] forcedeth: new mcp79 pci ids
+Content-Disposition: inline; filename=forcedeth-new-mcp79-pci-ids.patch
+Content-Length: 2850
+Lines: 62
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Ayaz Abdulla <aabdulla@nvidia.com>
+
+patch 490dde8990c55662596a4be71b5070bd7d382d4a in mainline.
+
+This patch adds new device ids and features for mcp79 devices into the
+forcedeth driver.
+
+Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+index 92ce2e3..f9ba0ac 100644
+---
+ drivers/net/forcedeth.c | 16 ++++++++++++++++
+ include/linux/pci_ids.h | 4 ++++
+ 2 files changed, 20 insertions(+)
+
+--- a/drivers/net/forcedeth.c
++++ b/drivers/net/forcedeth.c
+@@ -5553,6 +5553,22 @@ static struct pci_device_id pci_tbl[] =
+ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_27),
+ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_HIGH_DMA|DEV_HAS_POWER_CNTRL|DEV_HAS_MSI|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT,
+ },
++ { /* MCP79 Ethernet Controller */
++ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_36),
++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT,
++ },
++ { /* MCP79 Ethernet Controller */
++ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_37),
++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT,
++ },
++ { /* MCP79 Ethernet Controller */
++ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_38),
++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT,
++ },
++ { /* MCP79 Ethernet Controller */
++ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_39),
++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT,
++ },
+ {0,},
+ };
+
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -1239,6 +1239,10 @@
+ #define PCI_DEVICE_ID_NVIDIA_NFORCE_MCP67_IDE 0x0560
+ #define PCI_DEVICE_ID_NVIDIA_NFORCE_MCP73_IDE 0x056C
+ #define PCI_DEVICE_ID_NVIDIA_NFORCE_MCP77_IDE 0x0759
++#define PCI_DEVICE_ID_NVIDIA_NVENET_36 0x0AB0
++#define PCI_DEVICE_ID_NVIDIA_NVENET_37 0x0AB1
++#define PCI_DEVICE_ID_NVIDIA_NVENET_38 0x0AB2
++#define PCI_DEVICE_ID_NVIDIA_NVENET_39 0x0AB3
+
+ #define PCI_VENDOR_ID_IMS 0x10e0
+ #define PCI_DEVICE_ID_IMS_TT128 0x9128
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:37 2007
+Message-Id: <20071213062837.446550912@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:25 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Ayaz Abdulla <aabdulla@nvidia.com>,
+ Alex Howells <astinus@gentoo.org>,
+ Jeff Garzik <jeff@garzik.org>
+Subject: [patch 14/36] forcedeth boot delay fix
+Content-Disposition: inline; filename=forcedeth-boot-delay-fix.patch
+Content-Length: 2162
+Lines: 58
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Ayaz Abdulla <aabdulla@nvidia.com>
+
+patch 9e555930bd873d238f5f7b9d76d3bf31e6e3ce93 in mainline.
+
+Fix a long boot delay in the forcedeth driver. During initialization, the
+timeout for the handshake between mgmt unit and driver can be very long.
+The patch reduces the timeout by eliminating a extra loop around the
+timeout logic.
+
+Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9308
+
+Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com>
+Cc: Alex Howells <astinus@gentoo.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Jeff Garzik <jeff@garzik.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/forcedeth.c | 22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/forcedeth.c
++++ b/drivers/net/forcedeth.c
+@@ -5283,19 +5283,15 @@ static int __devinit nv_probe(struct pci
+ if (readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_SYNC_PHY_INIT) {
+ np->mac_in_use = readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_MGMT_ST;
+ dprintk(KERN_INFO "%s: mgmt unit is running. mac in use %x.\n", pci_name(pci_dev), np->mac_in_use);
+- for (i = 0; i < 5000; i++) {
+- msleep(1);
+- if (nv_mgmt_acquire_sema(dev)) {
+- /* management unit setup the phy already? */
+- if ((readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_SYNC_MASK) ==
+- NVREG_XMITCTL_SYNC_PHY_INIT) {
+- /* phy is inited by mgmt unit */
+- phyinitialized = 1;
+- dprintk(KERN_INFO "%s: Phy already initialized by mgmt unit.\n", pci_name(pci_dev));
+- } else {
+- /* we need to init the phy */
+- }
+- break;
++ if (nv_mgmt_acquire_sema(dev)) {
++ /* management unit setup the phy already? */
++ if ((readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_SYNC_MASK) ==
++ NVREG_XMITCTL_SYNC_PHY_INIT) {
++ /* phy is inited by mgmt unit */
++ phyinitialized = 1;
++ dprintk(KERN_INFO "%s: Phy already initialized by mgmt unit.\n", pci_name(pci_dev));
++ } else {
++ /* we need to init the phy */
+ }
+ }
+ }
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:37 2007
+Message-Id: <20071213062837.600240865@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:26 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ torvalds@linux-foundation.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ rleigh@whinlatter.ukfsn.org,
+ benh@kernel.crashing.org,
+ mb@bu3sch.de,
+ khali@linux-fr.org,
+ adaplas@pol.net
+Subject: [patch 15/36] fb_ddc: fix DDC lines quirk
+Content-Disposition: inline; filename=fb_ddc-fix-ddc-lines-quirk.patch
+Content-Length: 3258
+Lines: 90
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Jean Delvare <khali@linux-fr.org>
+
+patch b64d70825abbf706bbe80be1b11b09514b71f45e in mainline.
+
+The code in fb_ddc_read() is said to be based on the implementation of the
+radeon driver:
+http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=fc5891c8a3ba284f13994d7bc1f1bfa8283982de
+
+However, comparing the old radeon driver code with the new fb_ddc code
+reveals some differences. Most notably, the I2C bus lines are held at the
+end of the function, while the original code was releasing them (as the
+comment above correctly says.)
+
+There are a few other differences, which appear to be responsible for read
+failures on my system. While tracing low-level I2C code in i2c-algo-bit, I
+noticed that the initial attempt to read the EDID always failed. It takes
+one retry for the read to succeed. As we are about to remove this
+automatic retry property from i2c-algo-bit, reading the EDID would really
+fail.
+
+As a summary, the I2C lines quirk which is supposedly needed to read EDID
+on some older monitors is currently breaking the (first) read on all other
+monitors (and might not even work with older ones - did anyone try since
+October 2006?)
+
+After applying the patch below, which makes the code in fb_ddc_read()
+really similar to what the radeon driver used to have, the first EDID read
+succeeds again.
+
+On top of that, as it appears that this code has been broken for one year
+now and nobody seems to have complained, I'm curious if it makes sense to
+keep this quirk in place. It makes the code more complex and slower just
+for the sake of monitors which I guess nobody uses anymore. Can't we just
+get rid of it?
+
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Tested-by: Roger Leigh <rleigh@whinlatter.ukfsn.org>
+Tested-by: Michael Buesch <mb@bu3sch.de>
+Cc: "Antonino A. Daplas" <adaplas@pol.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/fb_ddc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/video/fb_ddc.c
++++ b/drivers/video/fb_ddc.c
+@@ -56,13 +56,12 @@ unsigned char *fb_ddc_read(struct i2c_ad
+ int i, j;
+
+ algo_data->setscl(algo_data->data, 1);
+- algo_data->setscl(algo_data->data, 0);
+
+ for (i = 0; i < 3; i++) {
+ /* For some old monitors we need the
+ * following process to initialize/stop DDC
+ */
+- algo_data->setsda(algo_data->data, 0);
++ algo_data->setsda(algo_data->data, 1);
+ msleep(13);
+
+ algo_data->setscl(algo_data->data, 1);
+@@ -97,14 +96,15 @@ unsigned char *fb_ddc_read(struct i2c_ad
+ algo_data->setsda(algo_data->data, 1);
+ msleep(15);
+ algo_data->setscl(algo_data->data, 0);
++ algo_data->setsda(algo_data->data, 0);
+ if (edid)
+ break;
+ }
+ /* Release the DDC lines when done or the Apple Cinema HD display
+ * will switch off
+ */
+- algo_data->setsda(algo_data->data, 0);
+- algo_data->setscl(algo_data->data, 0);
++ algo_data->setsda(algo_data->data, 1);
++ algo_data->setscl(algo_data->data, 1);
+
+ return edid;
+ }
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:37 2007
+Message-Id: <20071213062837.755857149@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:27 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ davem@davemloft.net
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 16/36] TCP: Problem bug with sysctl_tcp_congestion_control function
+Content-Disposition: inline; filename=tcp-problem-bug-with-sysctl_tcp_congestion_control-function.patch
+Content-Length: 1900
+Lines: 50
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+
+From: Sam Jansen <sjansen@google.com>
+
+[TCP]: Problem bug with sysctl_tcp_congestion_control function
+
+[ Upstream commit: 5487796f0c9475586277a0a7a91211ce5746fa6a ]
+
+sysctl_tcp_congestion_control seems to have a bug that prevents it
+from actually calling the tcp_set_default_congestion_control
+function. This is not so apparent because it does not return an error
+and generally the /proc interface is used to configure the default TCP
+congestion control algorithm. This is present in 2.6.18 onwards and
+probably earlier, though I have not inspected 2.6.15--2.6.17.
+
+sysctl_tcp_congestion_control calls sysctl_string and expects a successful
+return code of 0. In such a case it actually sets the congestion control
+algorithm with tcp_set_default_congestion_control. Otherwise, it returns the
+value returned by sysctl_string. This was correct in 2.6.14, as sysctl_string
+returned 0 on success. However, sysctl_string was updated to return 1 on
+success around about 2.6.15 and sysctl_tcp_congestion_control was not updated.
+Even though sysctl_tcp_congestion_control returns 1, do_sysctl_strategy
+converts this return code to '0', so the caller never notices the error.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/sysctl_net_ipv4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -121,7 +121,7 @@ static int sysctl_tcp_congestion_control
+
+ tcp_get_default_congestion_control(val);
+ ret = sysctl_string(&tbl, name, nlen, oldval, oldlenp, newval, newlen);
+- if (ret == 0 && newval && newlen)
++ if (ret == 1 && newval && newlen)
+ ret = tcp_set_default_congestion_control(val);
+ return ret;
+ }
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:38 2007
+Message-Id: <20071213062837.910712959@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:28 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ davem@davemloft.net
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ =?ISO-8859-15?q?Ilpo=20J=E4rvinen?= <ilpo.jarvinen@helsinki.fi>,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 17/36] TCP: MTUprobe: fix potential sk_send_head corruption
+Content-Disposition: inline; filename=tcp-mtuprobe-fix-potential-sk_send_head-corruption.patch
+Content-Length: 1540
+Lines: 50
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+
+[TCP] MTUprobe: fix potential sk_send_head corruption
+
+[ Upstream commit: 6e42141009ff18297fe19d19296738b742f861db ]
+
+When the abstraction functions got added, conversion here was
+made incorrectly. As a result, the skb may end up pointing
+to skb which got included to the probe skb and then was freed.
+For it to trigger, however, skb_transmit must fail sending as
+well.
+
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/tcp.h | 3 +++
+ net/ipv4/tcp_output.c | 1 -
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1258,6 +1258,9 @@ static inline void tcp_insert_write_queu
+ struct sock *sk)
+ {
+ __skb_insert(new, skb->prev, skb, &sk->sk_write_queue);
++
++ if (sk->sk_send_head == skb)
++ sk->sk_send_head = new;
+ }
+
+ static inline void tcp_unlink_write_queue(struct sk_buff *skb, struct sock *sk)
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1279,7 +1279,6 @@ static int tcp_mtu_probe(struct sock *sk
+
+ skb = tcp_send_head(sk);
+ tcp_insert_write_queue_before(nskb, skb, sk);
+- tcp_advance_send_head(sk, skb);
+
+ TCP_SKB_CB(nskb)->seq = TCP_SKB_CB(skb)->seq;
+ TCP_SKB_CB(nskb)->end_seq = TCP_SKB_CB(skb)->seq + probe_size;
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:38 2007
+Message-Id: <20071213062838.062753166@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:29 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ bunk@kernel.org,
+ <davem@davemloft.net>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 18/36] PFKEY: Sending an SADB_GET responds with an SADB_GET
+Content-Disposition: inline; filename=pfkey-sending-an-sadb_get-responds-with-an-sadb_get.patch
+Content-Length: 1026
+Lines: 35
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Charles Hardin <chardin@2wire.com>
+
+[PFKEY]: Sending an SADB_GET responds with an SADB_GET
+
+[ Upstream commit: 435000bebd94aae3a7a50078d142d11683d3b193 ]
+
+Kernel needs to respond to an SADB_GET with the same message type to
+conform to the RFC 2367 Section 3.1.5
+
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/key/af_key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1543,7 +1543,7 @@ static int pfkey_get(struct sock *sk, st
+
+ out_hdr = (struct sadb_msg *) out_skb->data;
+ out_hdr->sadb_msg_version = hdr->sadb_msg_version;
+- out_hdr->sadb_msg_type = SADB_DUMP;
++ out_hdr->sadb_msg_type = SADB_GET;
+ out_hdr->sadb_msg_satype = pfkey_proto2satype(proto);
+ out_hdr->sadb_msg_errno = 0;
+ out_hdr->sadb_msg_reserved = 0;
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:38 2007
+Message-Id: <20071213062838.216760984@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:30 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ davem@davemloft.net
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Eric Dumazet <dada1@cosmosbay.com>,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 19/36] NET: Corrects a bug in ip_rt_acct_read()
+Content-Disposition: inline; filename=net-corrects-a-bug-in-ip_rt_acct_read.patch
+Content-Length: 1391
+Lines: 50
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Eric Dumazet <dada1@cosmosbay.com>
+
+[NET]: Corrects a bug in ip_rt_acct_read()
+
+[ Upstream commit: 483b23ffa3a5f44767038b0a676d757e0668437e ]
+
+It seems that stats of cpu 0 are counted twice, since
+for_each_possible_cpu() is looping on all possible cpus, including 0
+
+Before percpu conversion of ip_rt_acct, we should also remove the
+assumption that CPU 0 is online (or even possible)
+
+Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/route.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -3150,18 +3150,14 @@ static int ip_rt_acct_read(char *buffer,
+ offset /= sizeof(u32);
+
+ if (length > 0) {
+- u32 *src = ((u32 *) IP_RT_ACCT_CPU(0)) + offset;
+ u32 *dst = (u32 *) buffer;
+
+- /* Copy first cpu. */
+ *start = buffer;
+- memcpy(dst, src, length);
++ memset(dst, 0, length);
+
+- /* Add the other cpus in, one int at a time */
+ for_each_possible_cpu(i) {
+ unsigned int j;
+-
+- src = ((u32 *) IP_RT_ACCT_CPU(i)) + offset;
++ u32 *src = ((u32 *) IP_RT_ACCT_CPU(i)) + offset;
+
+ for (j = 0; j < length/4; j++)
+ dst[j] += src[j];
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:38 2007
+Message-Id: <20071213062838.372004924@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:31 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ bunk@kernel.org,
+ davem@davemloft.net
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 20/36] IPV4: Remove bogus ifdef mess in arp_process
+Content-Disposition: inline; filename=ipv4-remove-bogus-ifdef-mess-in-arp_process.patch
+Content-Length: 2438
+Lines: 89
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Adrian Bunk <bunk@kernel.org>
+
+[IPV4]: Remove bogus ifdef mess in arp_process
+
+[ Upstream commit: 3660019e5f96fd9a8b7d4214a96523c0bf7b676d ]
+
+The #ifdef's in arp_process() were not only a mess, they were also wrong
+in the CONFIG_NET_ETHERNET=n and (CONFIG_NETDEV_1000=y or
+CONFIG_NETDEV_10000=y) cases.
+
+Since they are not required this patch removes them.
+
+Also removed are some #ifdef's around #include's that caused compile
+errors after this change.
+
+Signed-off-by: Adrian Bunk <bunk@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/arp.c | 19 -------------------
+ 1 file changed, 19 deletions(-)
+
+--- a/net/ipv4/arp.c
++++ b/net/ipv4/arp.c
+@@ -110,12 +110,8 @@
+ #include <net/tcp.h>
+ #include <net/sock.h>
+ #include <net/arp.h>
+-#if defined(CONFIG_AX25) || defined(CONFIG_AX25_MODULE)
+ #include <net/ax25.h>
+-#if defined(CONFIG_NETROM) || defined(CONFIG_NETROM_MODULE)
+ #include <net/netrom.h>
+-#endif
+-#endif
+ #if defined(CONFIG_ATM_CLIP) || defined(CONFIG_ATM_CLIP_MODULE)
+ #include <net/atmclip.h>
+ struct neigh_table *clip_tbl_hook;
+@@ -729,20 +725,10 @@ static int arp_process(struct sk_buff *s
+ htons(dev_type) != arp->ar_hrd)
+ goto out;
+ break;
+-#ifdef CONFIG_NET_ETHERNET
+ case ARPHRD_ETHER:
+-#endif
+-#ifdef CONFIG_TR
+ case ARPHRD_IEEE802_TR:
+-#endif
+-#ifdef CONFIG_FDDI
+ case ARPHRD_FDDI:
+-#endif
+-#ifdef CONFIG_NET_FC
+ case ARPHRD_IEEE802:
+-#endif
+-#if defined(CONFIG_NET_ETHERNET) || defined(CONFIG_TR) || \
+- defined(CONFIG_FDDI) || defined(CONFIG_NET_FC)
+ /*
+ * ETHERNET, Token Ring and Fibre Channel (which are IEEE 802
+ * devices, according to RFC 2625) devices will accept ARP
+@@ -757,21 +743,16 @@ static int arp_process(struct sk_buff *s
+ arp->ar_pro != htons(ETH_P_IP))
+ goto out;
+ break;
+-#endif
+-#if defined(CONFIG_AX25) || defined(CONFIG_AX25_MODULE)
+ case ARPHRD_AX25:
+ if (arp->ar_pro != htons(AX25_P_IP) ||
+ arp->ar_hrd != htons(ARPHRD_AX25))
+ goto out;
+ break;
+-#if defined(CONFIG_NETROM) || defined(CONFIG_NETROM_MODULE)
+ case ARPHRD_NETROM:
+ if (arp->ar_pro != htons(AX25_P_IP) ||
+ arp->ar_hrd != htons(ARPHRD_NETROM))
+ goto out;
+ break;
+-#endif
+-#endif
+ }
+
+ /* Understand only these message types */
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:38 2007
+Message-Id: <20071213062838.526590921@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:32 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ davem@davemloft.net
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 21/36] CRYPTO api: Fix potential race in crypto_remove_spawn
+Content-Disposition: inline; filename=crypto-api-fix-potential-race-in-crypto_remove_spawn.patch
+Content-Length: 1328
+Lines: 50
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[CRYPTO] api: Fix potential race in crypto_remove_spawn
+
+[ Upstream commit: 38cb2419f544ad413c7f7aa8c17fd7377610cdd8 ]
+
+As it is crypto_remove_spawn may try to unregister an instance which is
+yet to be registered. This patch fixes this by checking whether the
+instance has been registered before attempting to remove it.
+
+It also removes a bogus cra_destroy check in crypto_register_instance as
+1) it's outside the mutex;
+2) we have a check in __crypto_register_alg already.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ crypto/algapi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -98,6 +98,9 @@ static void crypto_remove_spawn(struct c
+ return;
+
+ inst->alg.cra_flags |= CRYPTO_ALG_DEAD;
++ if (hlist_unhashed(&inst->list))
++ return;
++
+ if (!tmpl || !crypto_tmpl_get(tmpl))
+ return;
+
+@@ -333,9 +336,6 @@ int crypto_register_instance(struct cryp
+ LIST_HEAD(list);
+ int err = -EINVAL;
+
+- if (inst->alg.cra_destroy)
+- goto err;
+-
+ err = crypto_check_alg(&inst->alg);
+ if (err)
+ goto err;
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:38 2007
+Message-Id: <20071213062838.682746481@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:33 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ bunk@kernel.org,
+ davem@davemloft.net
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ chas williams <chas@cmf.nrl.navy.mil>,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 22/36] ATM: initialize lock and tasklet earlier
+Content-Disposition: inline; filename=atm-initialize-lock-and-tasklet-earlier.patch
+Content-Length: 1513
+Lines: 52
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: chas williams <chas@cmf.nrl.navy.mil>
+
+[ATM]: [he] initialize lock and tasklet earlier
+
+[ Upstream commit: 8a8037ac9dbe4eb20ce50aa20244faf77444f4a3 ]
+
+if you are lucky (unlucky?) enough to have shared interrupts, the
+interrupt handler can be called before the tasklet and lock are ready
+for use.
+
+Signed-off-by: chas williams <chas@cmf.nrl.navy.mil>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/atm/he.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/atm/he.c
++++ b/drivers/atm/he.c
+@@ -394,6 +394,11 @@ he_init_one(struct pci_dev *pci_dev, con
+ he_dev->atm_dev->dev_data = he_dev;
+ atm_dev->dev_data = he_dev;
+ he_dev->number = atm_dev->number;
++#ifdef USE_TASKLET
++ tasklet_init(&he_dev->tasklet, he_tasklet, (unsigned long) he_dev);
++#endif
++ spin_lock_init(&he_dev->global_lock);
++
+ if (he_start(atm_dev)) {
+ he_stop(he_dev);
+ err = -ENODEV;
+@@ -1173,11 +1178,6 @@ he_start(struct atm_dev *dev)
+ if ((err = he_init_irq(he_dev)) != 0)
+ return err;
+
+-#ifdef USE_TASKLET
+- tasklet_init(&he_dev->tasklet, he_tasklet, (unsigned long) he_dev);
+-#endif
+- spin_lock_init(&he_dev->global_lock);
+-
+ /* 4.11 enable pci bus controller state machines */
+ host_cntl |= (OUTFF_ENB | CMDFF_ENB |
+ QUICK_RD_RETRY | QUICK_WR_RETRY | PERR_INT_ENB);
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:38 2007
+Message-Id: <20071213062838.836059269@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:34 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ bunk@kernel.org,
+ <davem@davemloft.net>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Florian Zumbiehl <florz@florz.de>,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 23/36] UNIX: EOF on non-blocking SOCK_SEQPACKET
+Content-Disposition: inline; filename=unix-eof-on-non-blocking-sock_seqpacket.patch
+Content-Length: 2413
+Lines: 86
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Florian Zumbiehl <florz@florz.de>
+
+[UNIX]: EOF on non-blocking SOCK_SEQPACKET
+
+[ Upstream commit: 0a11225887fe6cbccd882404dc36ddc50f47daf9 ]
+
+I am not absolutely sure whether this actually is a bug (as in: I've got
+no clue what the standards say or what other implementations do), but at
+least I was pretty surprised when I noticed that a recv() on a
+non-blocking unix domain socket of type SOCK_SEQPACKET (which is connection
+oriented, after all) where the remote end has closed the connection
+returned -1 (EAGAIN) rather than 0 to indicate end of file.
+
+This is a test case:
+
+| #include <sys/types.h>
+| #include <unistd.h>
+| #include <sys/socket.h>
+| #include <sys/un.h>
+| #include <fcntl.h>
+| #include <string.h>
+| #include <stdlib.h>
+|
+| int main(){
+| int sock;
+| struct sockaddr_un addr;
+| char buf[4096];
+| int pfds[2];
+|
+| pipe(pfds);
+| sock=socket(PF_UNIX,SOCK_SEQPACKET,0);
+| addr.sun_family=AF_UNIX;
+| strcpy(addr.sun_path,"/tmp/foobar_testsock");
+| bind(sock,(struct sockaddr *)&addr,sizeof(addr));
+| listen(sock,1);
+| if(fork()){
+| close(sock);
+| sock=socket(PF_UNIX,SOCK_SEQPACKET,0);
+| connect(sock,(struct sockaddr *)&addr,sizeof(addr));
+| fcntl(sock,F_SETFL,fcntl(sock,F_GETFL)|O_NONBLOCK);
+| close(pfds[1]);
+| read(pfds[0],buf,sizeof(buf));
+| recv(sock,buf,sizeof(buf),0); // <-- this one
+| }else accept(sock,NULL,NULL);
+| exit(0);
+| }
+
+If you try it, make sure /tmp/foobar_testsock doesn't exist.
+
+The marked recv() returns -1 (EAGAIN) on 2.6.23.9. Below you find a
+patch that fixes that.
+
+Signed-off-by: Florian Zumbiehl <florz@florz.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/unix/af_unix.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1608,8 +1608,15 @@ static int unix_dgram_recvmsg(struct kio
+ mutex_lock(&u->readlock);
+
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+- if (!skb)
++ if (!skb) {
++ unix_state_lock(sk);
++ /* Signal EOF on disconnected non-blocking SEQPACKET socket. */
++ if (sk->sk_type == SOCK_SEQPACKET && err == -EAGAIN &&
++ (sk->sk_shutdown & RCV_SHUTDOWN))
++ err = 0;
++ unix_state_unlock(sk);
+ goto out_unlock;
++ }
+
+ wake_up_interruptible(&u->peer_wait);
+
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:39 2007
+Message-Id: <20071213062838.997507703@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:35 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ <davem@davemloft.net>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Pablo Neira Ayuso <pablo@netfilter.org>,
+ Patrick McHardy <kaber@trash.net>,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 24/36] TEXTSEARCH: Do not allow zero length patterns in the textsearch infrastructure
+Content-Disposition: inline; filename=textsearch-do-not-allow-zero-length-patterns-in-the-textsearch-infrastructure.patch
+Content-Length: 1726
+Lines: 56
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[TEXTSEARCH]: Do not allow zero length patterns in the textsearch infrastructure
+
+[ Upstream commit: e03ba84adb62fbc6049325a5bc00ef6932fa5e39 ]
+
+If a zero length pattern is passed then return EINVAL.
+Avoids infinite loops (bm) or invalid memory accesses (kmp).
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ lib/textsearch.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/lib/textsearch.c
++++ b/lib/textsearch.c
+@@ -7,7 +7,7 @@
+ * 2 of the License, or (at your option) any later version.
+ *
+ * Authors: Thomas Graf <tgraf@suug.ch>
+- * Pablo Neira Ayuso <pablo@eurodev.net>
++ * Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * ==========================================================================
+ *
+@@ -250,7 +250,8 @@ unsigned int textsearch_find_continuous(
+ * the various search algorithms.
+ *
+ * Returns a new textsearch configuration according to the specified
+- * parameters or a ERR_PTR().
++ * parameters or a ERR_PTR(). If a zero length pattern is passed, this
++ * function returns EINVAL.
+ */
+ struct ts_config *textsearch_prepare(const char *algo, const void *pattern,
+ unsigned int len, gfp_t gfp_mask, int flags)
+@@ -259,6 +260,9 @@ struct ts_config *textsearch_prepare(con
+ struct ts_config *conf;
+ struct ts_ops *ops;
+
++ if (len == 0)
++ return ERR_PTR(-EINVAL);
++
+ ops = lookup_ts_algo(algo);
+ #ifdef CONFIG_KMOD
+ /*
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:39 2007
+Message-Id: <20071213062839.153662355@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:36 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ <davem@davemloft.net>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Stephen Hemminger <shemminger@linux-foundation.org>,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 25/36] TCP: illinois: Incorrect beta usage
+Content-Disposition: inline; filename=tcp-illinois-incorrect-beta-usage.patch
+Content-Length: 1344
+Lines: 44
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+
+[TCP] illinois: Incorrect beta usage
+
+[ Upstream commit: a357dde9df33f28611e6a3d4f88265e39bcc8880 ]
+
+Lachlan Andrew observed that my TCP-Illinois implementation uses the
+beta value incorrectly:
+The parameter beta in the paper specifies the amount to decrease
+*by*: that is, on loss,
+ W <- W - beta*W
+but in tcp_illinois_ssthresh() uses beta as the amount
+to decrease *to*: W <- beta*W
+
+This bug makes the Linux TCP-Illinois get less-aggressive on uncongested network,
+hurting performance. Note: since the base beta value is .5, it has no
+impact on a congested network.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp_illinois.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_illinois.c
++++ b/net/ipv4/tcp_illinois.c
+@@ -300,7 +300,7 @@ static u32 tcp_illinois_ssthresh(struct
+ struct illinois *ca = inet_csk_ca(sk);
+
+ /* Multiplicative decrease */
+- return max((tp->snd_cwnd * ca->beta) >> BETA_SHIFT, 2U);
++ return max(tp->snd_cwnd - ((tp->snd_cwnd * ca->beta) >> BETA_SHIFT), 2U);
+ }
+
+
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:39 2007
+Message-Id: <20071213062839.307852191@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:37 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ <davem@davemloft.net>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ David Howells <dhowells@redhat.com>,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 26/36] RXRPC: Add missing select on CRYPTO
+Content-Disposition: inline; filename=rxrpc-add-missing-select-on-crypto.patch
+Content-Length: 806
+Lines: 33
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: David Howells <dhowells@redhat.com>
+
+[RXRPC]: Add missing select on CRYPTO
+
+[ Upstream commit: d5a784b3719ae364f49ecff12a0248f6e4252720 ]
+
+AF_RXRPC uses the crypto services, so should depend on or select CRYPTO.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/rxrpc/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rxrpc/Kconfig
++++ b/net/rxrpc/Kconfig
+@@ -5,6 +5,7 @@
+ config AF_RXRPC
+ tristate "RxRPC session sockets"
+ depends on INET && EXPERIMENTAL
++ select CRYPTO
+ select KEYS
+ help
+ Say Y or M here to include support for RxRPC session sockets (just
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:39 2007
+Message-Id: <20071213062839.461340151@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:38 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ bunk@kernel.org,
+ <davem@davemloft.net>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Evgeniy Polyakov <johnpol@2ka.mipt.ru>,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 27/36] IPV6: Restore IPv6 when MTU is big enough
+Content-Disposition: inline; filename=ipv6-restore-ipv6-when-mtu-is-big-enough.patch
+Content-Length: 1632
+Lines: 64
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+
+[IPV6]: Restore IPv6 when MTU is big enough
+
+[ Upstream commit: d31c7b8fa303eb81311f27b80595b8d2cbeef950 ]
+
+Avaid provided test application, so bug got fixed.
+
+IPv6 addrconf removes ipv6 inner device from netdev each time cmu
+changes and new value is less than IPV6_MIN_MTU (1280 bytes).
+When mtu is changed and new value is greater than IPV6_MIN_MTU,
+it does not add ipv6 addresses and inner device bac.
+
+This patch fixes that.
+
+Tested with Avaid's application, which works ok now.
+
+Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/addrconf.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2285,6 +2285,9 @@ static int addrconf_notify(struct notifi
+ break;
+ }
+
++ if (!idev && dev->mtu >= IPV6_MIN_MTU)
++ idev = ipv6_add_dev(dev);
++
+ if (idev)
+ idev->if_flags |= IF_READY;
+ } else {
+@@ -2349,12 +2352,18 @@ static int addrconf_notify(struct notifi
+ break;
+
+ case NETDEV_CHANGEMTU:
+- if ( idev && dev->mtu >= IPV6_MIN_MTU) {
++ if (idev && dev->mtu >= IPV6_MIN_MTU) {
+ rt6_mtu_change(dev, dev->mtu);
+ idev->cnf.mtu6 = dev->mtu;
+ break;
+ }
+
++ if (!idev && dev->mtu >= IPV6_MIN_MTU) {
++ idev = ipv6_add_dev(dev);
++ if (idev)
++ break;
++ }
++
+ /* MTU falled under IPV6_MIN_MTU. Stop IPv6 on this interface. */
+
+ case NETDEV_DOWN:
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:39 2007
+Message-Id: <20071213062839.617781517@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:39 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ <davem@davemloft.net>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Pavel Emelyanov <xemul@openvz.org>,
+ Steven Whitehouse <swhiteho@redhat.com>,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 28/36] DECNET: dn_nl_deladdr() almost always returns no error
+Content-Disposition: inline; filename=decnet-dn_nl_deladdr-almost-always-returns-no-error.patch
+Content-Length: 1451
+Lines: 51
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Pavel Emelyanov <xemul@openvz.org>
+
+[DECNET]: dn_nl_deladdr() almost always returns no error
+
+[ Upstream commit: 3ccd86241b277249d5ac08e91eddfade47184520 ]
+
+As far as I see from the err variable initialization
+the dn_nl_deladdr() routine was designed to report errors
+like "EADDRNOTAVAIL" and probaby "ENODEV".
+
+But the code sets this err to 0 after the first nlmsg_parse
+and goes on, returning this 0 in any case.
+
+Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
+Acked-by: Steven Whitehouse <swhiteho@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/decnet/dn_dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/decnet/dn_dev.c
++++ b/net/decnet/dn_dev.c
+@@ -651,16 +651,18 @@ static int dn_nl_deladdr(struct sk_buff
+ struct dn_dev *dn_db;
+ struct ifaddrmsg *ifm;
+ struct dn_ifaddr *ifa, **ifap;
+- int err = -EADDRNOTAVAIL;
++ int err;
+
+ err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, dn_ifa_policy);
+ if (err < 0)
+ goto errout;
+
++ err = -ENODEV;
+ ifm = nlmsg_data(nlh);
+ if ((dn_db = dn_dev_by_index(ifm->ifa_index)) == NULL)
+ goto errout;
+
++ err = -EADDRNOTAVAIL;
+ for (ifap = &dn_db->ifa_list; (ifa = *ifap); ifap = &ifa->ifa_next) {
+ if (tb[IFA_LOCAL] &&
+ nla_memcmp(tb[IFA_LOCAL], &ifa->ifa_local, 2))
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:39 2007
+Message-Id: <20071213062839.773513326@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:40 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ bunk@kernel.org,
+ <davem@davemloft.net>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Pavel Emelyanov <xemul@openvz.org>,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 29/36] BRIDGE: Lost call to br_fdb_fini() in br_init() error path
+Content-Disposition: inline; filename=bridge-lost-call-to-br_fdb_fini-in-br_init-error-path.patch
+Content-Length: 1026
+Lines: 45
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Pavel Emelyanov <xemul@openvz.org>
+
+[BRIDGE]: Lost call to br_fdb_fini() in br_init() error path
+
+[ Upstream commit: 17efdd45755c0eb8d1418a1368ef7c7ebbe98c6e ]
+
+In case the br_netfilter_init() (or any subsequent call)
+fails, the br_fdb_fini() must be called to free the allocated
+in br_fdb_init() br_fdb_cache kmem cache.
+
+Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bridge/br.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br.c
++++ b/net/bridge/br.c
+@@ -39,7 +39,7 @@ static int __init br_init(void)
+
+ err = br_fdb_init();
+ if (err)
+- goto err_out1;
++ goto err_out;
+
+ err = br_netfilter_init();
+ if (err)
+@@ -65,6 +65,8 @@ err_out3:
+ err_out2:
+ br_netfilter_fini();
+ err_out1:
++ br_fdb_fini();
++err_out:
+ llc_sap_put(br_stp_sap);
+ return err;
+ }
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:40 2007
+Message-Id: <20071213062839.928355516@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:41 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Neil Brown <neilb@suse.de>,
+ "Luiz Fernando N. Capitulino" <lcapitulino@gmail.com>,
+ "J. Bruce Fields" <bfields@citi.umich.edu>,
+ Oliver Pintr <oliver.pntr@gmail.com>
+Subject: [patch 30/36] knfsd: Validate filehandle type in fsid_source
+Content-Disposition: inline; filename=knfsd-validate-filehandle-type-in-fsid_source.patch
+Content-Length: 1747
+Lines: 62
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Neil Brown <neilb@suse.de>
+
+patch b8da0d1c27f144bce999c653467106f3f0d5a308 in mainline.
+
+fsid_source decided where to get the 'fsid' number to
+return for a GETATTR based on the type of filehandle.
+It can be from the device, from the fsid, or from the
+UUID.
+
+It is possible for the filehandle to be inconsistent
+with the export information, so make sure the export information
+actually has the info implied by the value returned by
+fsid_source.
+
+Signed-off-by: Neil Brown <neilb@suse.de>
+Cc: "Luiz Fernando N. Capitulino" <lcapitulino@gmail.com>
+Signed-off-by: "J. Bruce Fields" <bfields@citi.umich.edu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Oliver Pintr <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/nfsfh.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/fs/nfsd/nfsfh.c
++++ b/fs/nfsd/nfsfh.c
+@@ -565,13 +565,23 @@ enum fsid_source fsid_source(struct svc_
+ case FSID_DEV:
+ case FSID_ENCODE_DEV:
+ case FSID_MAJOR_MINOR:
+- return FSIDSOURCE_DEV;
++ if (fhp->fh_export->ex_dentry->d_inode->i_sb->s_type->fs_flags
++ & FS_REQUIRES_DEV)
++ return FSIDSOURCE_DEV;
++ break;
+ case FSID_NUM:
+- return FSIDSOURCE_FSID;
+- default:
+ if (fhp->fh_export->ex_flags & NFSEXP_FSID)
+ return FSIDSOURCE_FSID;
+- else
+- return FSIDSOURCE_UUID;
++ break;
++ default:
++ break;
+ }
++ /* either a UUID type filehandle, or the filehandle doesn't
++ * match the export.
++ */
++ if (fhp->fh_export->ex_flags & NFSEXP_FSID)
++ return FSIDSOURCE_FSID;
++ if (fhp->fh_export->ex_uuid)
++ return FSIDSOURCE_UUID;
++ return FSIDSOURCE_DEV;
+ }
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:40 2007
+Message-Id: <20071213062840.081499488@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:42 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk
+Subject: [patch 31/36] Revert "Fix SMP poweroff hangs"
+Content-Disposition: inline; filename=revert-fix-smp-poweroff-hangs.patch
+Content-Length: 1551
+Lines: 55
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Greg Kroah-Hartman <gregkh@suse.de>
+
+This reverts the following changeset in 2.6.22.10 that caused a lot of
+reported problems.
+
+ From: Mark Lord <lkml@rtr.ca>
+
+ commit 4047727e5ae33f9b8d2b7766d1994ea6e5ec2991 from upstream
+
+ We need to disable all CPUs other than the boot CPU (usually 0) before
+ attempting to power-off modern SMP machines. This fixes the
+ hang-on-poweroff issue on my MythTV SMP box, and also on Thomas Gleixner's
+ new toybox.
+
+ Signed-off-by: Mark Lord <mlord@pobox.com>
+ Acked-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+There still is a remaining shutdown problem in 2.6.22 with old APM based
+systems, but this fix is not the correct one
+
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ kernel/sys.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -31,7 +31,6 @@
+ #include <linux/cn_proc.h>
+ #include <linux/getcpu.h>
+ #include <linux/task_io_accounting_ops.h>
+-#include <linux/cpu.h>
+
+ #include <linux/compat.h>
+ #include <linux/syscalls.h>
+@@ -866,7 +865,6 @@ EXPORT_SYMBOL_GPL(kernel_halt);
+ void kernel_power_off(void)
+ {
+ kernel_shutdown_prepare(SYSTEM_POWER_OFF);
+- disable_nonboot_cpus();
+ printk(KERN_EMERG "Power down.\n");
+ machine_power_off();
+ }
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:40 2007
+Message-Id: <20071213062840.238415313@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:43 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ "Rafael J. Wysocki" <rjw@sisk.pl>,
+ David Chinner <dgc@sgi.com>,
+ Lachlan McIlroy <lachlan@sgi.com>,
+ Oliver Pintr <oliver.pntr@gmail.com>
+Subject: [patch 32/36] XFS: Make xfsbufd threads freezable
+Content-Disposition: inline; filename=xfs-make-xfsbufd-threads-freezable.patch
+Content-Length: 980
+Lines: 38
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Rafael J. Wysocki <rjw@sisk.pl>
+
+patch 978c7b2ff49597ab76ff7529a933bd366941ac25 in mainline
+
+Fix breakage caused by commit 831441862956fffa17b9801db37e6ea1650b0f69
+that did not introduce the necessary call to set_freezable() in
+xfs/linux-2.6/xfs_buf.c .
+
+SGI-PV: 974224
+SGI-Modid: xfs-linux-melb:xfs-kern:30203a
+
+Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
+Signed-off-by: David Chinner <dgc@sgi.com>
+Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
+Cc: Oliver Pintr <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/xfs/linux-2.6/xfs_buf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/xfs/linux-2.6/xfs_buf.c
++++ b/fs/xfs/linux-2.6/xfs_buf.c
+@@ -1733,6 +1733,8 @@ xfsbufd(
+
+ current->flags |= PF_MEMALLOC;
+
++ set_freezable();
++
+ do {
+ if (unlikely(freezing(current))) {
+ set_bit(XBT_FORCE_SLEEP, &target->bt_flags);
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:40 2007
+Message-Id: <20071213062840.397252791@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:44 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ davem@davemloft.net
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Patrick McHardy <kaber@trash.net>,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 33/36] XFRM: Fix leak of expired xfrm_states
+Content-Disposition: inline; filename=xfrm-fix-leak-of-expired-xfrm_states.patch
+Content-Length: 1124
+Lines: 38
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Patrick McHardy <kaber@trash.net>
+
+[XFRM]: Fix leak of expired xfrm_states
+
+[ Upstream commit: 5dba4797115c8fa05c1a4d12927a6ae0b33ffc41 ]
+
+The xfrm_timer calls __xfrm_state_delete, which drops the final reference
+manually without triggering destruction of the state. Change it to use
+xfrm_state_put to add the state to the gc list when we're dropping the
+last reference. The timer function may still continue to use the state
+safely since the final destruction does a del_timer_sync().
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/xfrm/xfrm_state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -371,7 +371,7 @@ int __xfrm_state_delete(struct xfrm_stat
+ * The xfrm_state_alloc call gives a reference, and that
+ * is what we are dropping here.
+ */
+- __xfrm_state_put(x);
++ xfrm_state_put(x);
+ err = 0;
+ }
+
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:40 2007
+Message-Id: <20071213062840.558793002@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:45 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ Greg KH <greg@kroah.com>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ <davem@davemloft.net>,
+ Patrick McHardy <kaber@trash.net>,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 34/36] NETFILTER: xt_TCPMSS: remove network triggerable WARN_ON
+Content-Disposition: inline; filename=netfilter-xt_tcpmss-remove-network-triggerable-warn_on.patch
+Content-Length: 1004
+Lines: 37
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Patrick McHardy <kaber@trash.net>
+
+[NETFILTER]: xt_TCPMSS: remove network triggerable WARN_ON
+
+[ Upstream commit: 9dc0564e862b1b9a4677dec2c736b12169e03e99 ]
+
+ipv6_skip_exthdr() returns -1 for invalid packets. don't WARN_ON
+that.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/xt_TCPMSS.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/netfilter/xt_TCPMSS.c
++++ b/net/netfilter/xt_TCPMSS.c
+@@ -178,10 +178,8 @@ xt_tcpmss_target6(struct sk_buff **pskb,
+
+ nexthdr = ipv6h->nexthdr;
+ tcphoff = ipv6_skip_exthdr(*pskb, sizeof(*ipv6h), &nexthdr);
+- if (tcphoff < 0) {
+- WARN_ON(1);
++ if (tcphoff < 0)
+ return NF_DROP;
+- }
+ ret = tcpmss_mangle_packet(pskb, targinfo, tcphoff,
+ sizeof(*ipv6h) + sizeof(struct tcphdr));
+ if (ret < 0)
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:40 2007
+Message-Id: <20071213062840.713714047@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:46 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ IDE/ATA development list <linux-ide@vger.kernel.org>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Michael Tokarev <mjt@tls.msk.ru>,
+ Jeff Garzik <jeff@garzik.org>,
+ Diego Torres <dtorres@coral.dnsalias.org>,
+ Tejun Heo <htejun@gmail.com>
+Subject: [patch 35/36] libata: kill spurious NCQ completion detection
+Content-Disposition: inline; filename=libata-kill-spurious-ncq-completion-detection.patch
+Content-Length: 5851
+Lines: 168
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Tejun Heo <htejun@gmail.com>
+
+patch 459ad68893a84fb0881e57919340b97edbbc3dc7 in mainline.
+
+Spurious NCQ completion detection implemented in ahci was incorrect.
+On AHCI receving and processing FISes and raising interrupts are not
+interlocked and spurious interrupts are expected.
+
+For example, if an interrupt occurs while interrupt handler is running
+and the running interrupt handler handles the event the new IRQ
+indicated, after IRQ handler finishes, it will be executed again
+because IRQ pending bit is set by the new interrupt but there won't be
+anything to process.
+
+Please read the following message for more information.
+
+ http://article.gmane.org/gmane.linux.ide/26012
+
+This patch...
+
+* Removes all spurious IRQ whining from ahci. Spurious NCQ completion
+ detection was completely wrong. Spurious D2H Register FIS taught us
+ that some early drives send spurious D2H Register FIS with I bit set
+ while NCQ commands are in progress but none of recent drives does
+ that and even the ones which show such behavior can do NCQ fine.
+
+* Kills all NCQ blacklist entries which were added because of spurious
+ NCQ completions. I tracked down each commit and verified all
+ removed ones are actually added because of spurious completions.
+
+ WD740ADFD-00NLR1 wasn't deleted but moved upward because the drive
+ not only had spurious NCQ completions but also is slow on sequential
+ data transfers if NCQ is enabled.
+
+ Maxtor 7V300F0 was added by 0e3dbc01d53940fe10e5a5cfec15ede3e929c918
+ from Alan Cox. I can only find evidences that the drive only had
+ troubles with spuruious completions by searching the mailing list.
+ This entry needs to be verified and removed if it doesn't have other
+ NCQ related problems.
+
+Signed-off-by: Tejun Heo <htejun@gmail.com>
+Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Signed-off-by: Jeff Garzik <jeff@garzik.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/ahci.c | 65 ----------------------------------------------
+ drivers/ata/libata-core.c | 10 -------
+ 2 files changed, 2 insertions(+), 73 deletions(-)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -1241,7 +1241,7 @@ static void ahci_host_intr(struct ata_po
+ struct ata_eh_info *ehi = &ap->eh_info;
+ struct ahci_port_priv *pp = ap->private_data;
+ u32 status, qc_active;
+- int rc, known_irq = 0;
++ int rc;
+
+ status = readl(port_mmio + PORT_IRQ_STAT);
+ writel(status, port_mmio + PORT_IRQ_STAT);
+@@ -1257,74 +1257,11 @@ static void ahci_host_intr(struct ata_po
+ qc_active = readl(port_mmio + PORT_CMD_ISSUE);
+
+ rc = ata_qc_complete_multiple(ap, qc_active, NULL);
+- if (rc > 0)
+- return;
+ if (rc < 0) {
+ ehi->err_mask |= AC_ERR_HSM;
+ ehi->action |= ATA_EH_SOFTRESET;
+ ata_port_freeze(ap);
+- return;
+- }
+-
+- /* hmmm... a spurious interupt */
+-
+- /* if !NCQ, ignore. No modern ATA device has broken HSM
+- * implementation for non-NCQ commands.
+- */
+- if (!ap->sactive)
+- return;
+-
+- if (status & PORT_IRQ_D2H_REG_FIS) {
+- if (!pp->ncq_saw_d2h)
+- ata_port_printk(ap, KERN_INFO,
+- "D2H reg with I during NCQ, "
+- "this message won't be printed again\n");
+- pp->ncq_saw_d2h = 1;
+- known_irq = 1;
+- }
+-
+- if (status & PORT_IRQ_DMAS_FIS) {
+- if (!pp->ncq_saw_dmas)
+- ata_port_printk(ap, KERN_INFO,
+- "DMAS FIS during NCQ, "
+- "this message won't be printed again\n");
+- pp->ncq_saw_dmas = 1;
+- known_irq = 1;
+- }
+-
+- if (status & PORT_IRQ_SDB_FIS) {
+- const __le32 *f = pp->rx_fis + RX_FIS_SDB;
+-
+- if (le32_to_cpu(f[1])) {
+- /* SDB FIS containing spurious completions
+- * might be dangerous, whine and fail commands
+- * with HSM violation. EH will turn off NCQ
+- * after several such failures.
+- */
+- ata_ehi_push_desc(ehi,
+- "spurious completions during NCQ "
+- "issue=0x%x SAct=0x%x FIS=%08x:%08x",
+- readl(port_mmio + PORT_CMD_ISSUE),
+- readl(port_mmio + PORT_SCR_ACT),
+- le32_to_cpu(f[0]), le32_to_cpu(f[1]));
+- ehi->err_mask |= AC_ERR_HSM;
+- ehi->action |= ATA_EH_SOFTRESET;
+- ata_port_freeze(ap);
+- } else {
+- if (!pp->ncq_saw_sdb)
+- ata_port_printk(ap, KERN_INFO,
+- "spurious SDB FIS %08x:%08x during NCQ, "
+- "this message won't be printed again\n",
+- le32_to_cpu(f[0]), le32_to_cpu(f[1]));
+- pp->ncq_saw_sdb = 1;
+- }
+- known_irq = 1;
+ }
+-
+- if (!known_irq)
+- ata_port_printk(ap, KERN_INFO, "spurious interrupt "
+- "(irq_stat 0x%x active_tag 0x%x sactive 0x%x)\n",
+- status, ap->active_tag, ap->sactive);
+ }
+
+ static void ahci_irq_clear(struct ata_port *ap)
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -3785,6 +3785,7 @@ static const struct ata_blacklist_entry
+ /* Devices where NCQ should be avoided */
+ /* NCQ is slow */
+ { "WDC WD740ADFD-00", NULL, ATA_HORKAGE_NONCQ },
++ { "WDC WD740ADFD-00NLR1", NULL, ATA_HORKAGE_NONCQ, },
+ /* http://thread.gmane.org/gmane.linux.ide/14907 */
+ { "FUJITSU MHT2060BH", NULL, ATA_HORKAGE_NONCQ },
+ /* NCQ is broken */
+@@ -3803,15 +3804,6 @@ static const struct ata_blacklist_entry
+ { "HTS541060G9SA00", "MB3OC60D", ATA_HORKAGE_NONCQ, },
+ { "HTS541080G9SA00", "MB4OC60D", ATA_HORKAGE_NONCQ, },
+ { "HTS541010G9SA00", "MBZOC60D", ATA_HORKAGE_NONCQ, },
+- /* Drives which do spurious command completion */
+- { "HTS541680J9SA00", "SB2IC7EP", ATA_HORKAGE_NONCQ, },
+- { "HTS541612J9SA00", "SBDIC7JP", ATA_HORKAGE_NONCQ, },
+- { "Hitachi HTS541616J9SA00", "SB4OC70P", ATA_HORKAGE_NONCQ, },
+- { "WDC WD740ADFD-00NLR1", NULL, ATA_HORKAGE_NONCQ, },
+- { "FUJITSU MHV2080BH", "00840028", ATA_HORKAGE_NONCQ, },
+- { "ST9160821AS", "3.CLF", ATA_HORKAGE_NONCQ, },
+- { "ST3160812AS", "3.AD", ATA_HORKAGE_NONCQ, },
+- { "SAMSUNG HD401LJ", "ZZ100-15", ATA_HORKAGE_NONCQ, },
+
+ /* End Marker */
+ { }
+
+--
+
+From gregkh@mini.kroah.org Wed Dec 12 22:28:41 2007
+Message-Id: <20071213062840.869269426@mini.kroah.org>
+References: <20071213062511.265908583@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Wed, 12 Dec 2007 22:25:47 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ Greg KH <greg@kroah.com>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ bunk@kernel.org,
+ <davem@davemloft.net>,
+ Pavel Emelyanov <xemul@openvz.org>,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 36/36] BRIDGE: Properly dereference the br_should_route_hook
+Content-Disposition: inline; filename=bridge-properly-dereference-the-br_should_route_hook.patch
+Content-Length: 2038
+Lines: 74
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Pavel Emelyanov <xemul@openvz.org>
+
+[BRIDGE]: Properly dereference the br_should_route_hook
+
+[ Upstream commit: 82de382ce8e1c7645984616728dc7aaa057821e4 ]
+
+This hook is protected with the RCU, so simple
+
+if (br_should_route_hook)
+ br_should_route_hook(...)
+
+is not enough on some architectures.
+
+Use the rcu_dereference/rcu_assign_pointer in this case.
+
+Fixed Stephen's comment concerning using the typeof().
+
+Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bridge/br_input.c | 7 ++++---
+ net/bridge/netfilter/ebtable_broute.c | 4 ++--
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -127,6 +127,7 @@ static inline int is_link_local(const un
+ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
+ {
+ const unsigned char *dest = eth_hdr(skb)->h_dest;
++ int (*rhook)(struct sk_buff **pskb);
+
+ if (!is_valid_ether_addr(eth_hdr(skb)->h_source))
+ goto drop;
+@@ -148,9 +149,9 @@ struct sk_buff *br_handle_frame(struct n
+
+ switch (p->state) {
+ case BR_STATE_FORWARDING:
+-
+- if (br_should_route_hook) {
+- if (br_should_route_hook(&skb))
++ rhook = rcu_dereference(br_should_route_hook);
++ if (rhook != NULL) {
++ if (rhook(&skb))
+ return skb;
+ dest = eth_hdr(skb)->h_dest;
+ }
+--- a/net/bridge/netfilter/ebtable_broute.c
++++ b/net/bridge/netfilter/ebtable_broute.c
+@@ -70,13 +70,13 @@ static int __init ebtable_broute_init(vo
+ if (ret < 0)
+ return ret;
+ /* see br_input.c */
+- br_should_route_hook = ebt_broute;
++ rcu_assign_pointer(br_should_route_hook, ebt_broute);
+ return ret;
+ }
+
+ static void __exit ebtable_broute_fini(void)
+ {
+- br_should_route_hook = NULL;
++ rcu_assign_pointer(br_should_route_hook, NULL);
+ synchronize_net();
+ ebt_unregister_table(&broute_table);
+ }
+
+--
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
