added more patches to queue
authorGreg Kroah-Hartman <gregkh@suse.de>
Mon, 21 Aug 2006 18:21:23 +0000 (11:21 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 21 Aug 2006 18:21:23 +0000 (11:21 -0700)
queue-2.6.17/deprecate-physdev-keys.patch [new file with mode: 0644]
queue-2.6.17/dm-bug-oops-fix.patch [new file with mode: 0644]
queue-2.6.17/fix-ipv4-routing-locking-bug.patch [new file with mode: 0644]
queue-2.6.17/ia64-local-dos-with-corrupted-elfs.patch [new file with mode: 0644]
queue-2.6.17/ip_tables-fix-table-locking-in-ipt_do_table.patch [new file with mode: 0644]
queue-2.6.17/pci-fix-ich6-quirks.patch [new file with mode: 0644]
queue-2.6.17/serial-icom-select-fw_loader.patch [new file with mode: 0644]
queue-2.6.17/series
queue-2.6.17/sys_getppid-oopses-on-debug-kernel.patch [new file with mode: 0644]
queue-2.6.17/ulog-fix-panic-on-smp-kernels.patch [new file with mode: 0644]

diff --git a/queue-2.6.17/deprecate-physdev-keys.patch b/queue-2.6.17/deprecate-physdev-keys.patch
new file mode 100644 (file)
index 0000000..f1263f5
--- /dev/null
@@ -0,0 +1,81 @@
+From kay.sievers@vrfy.org Sat Aug 12 21:17:16 2006
+Date: Sun, 13 Aug 2006 06:17:09 +0200
+From: Kay Sievers <kay.sievers@vrfy.org>
+To: Greg KH <greg@kroah.com>
+Subject: deprecate PHYSDEV* keys
+Message-ID: <20060813041709.GA2960@vrfy.org>
+Content-Disposition: inline
+
+From: Kay Sievers <kay.sievers@suse.de>
+
+deprecate PHYSDEV* values in the uevent environment
+
+These values are no longer needed and inconsistent with the
+stacking of class devices. The event environment should not
+carry properties of a parent device. The key PHYSDEVDRIVER is
+available as DRIVER, PHYDEVBUS is indentical SUBSYSTEM. Class
+devices should not carry any of these values.
+
+Signed-off-by: Kay Sievers <kay.sievers@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ Documentation/feature-removal-schedule.txt |   10 ++++++++++
+ drivers/base/class.c                       |    2 +-
+ drivers/base/core.c                        |   10 +++++++---
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+--- linux-2.6.17.9.orig/Documentation/feature-removal-schedule.txt
++++ linux-2.6.17.9/Documentation/feature-removal-schedule.txt
+@@ -248,3 +248,13 @@ Why:      The interface no longer has any cal
+ Who:  Nick Piggin <npiggin@suse.de>
+ ---------------------------
++
++What: PHYSDEVPATH, PHYSDEVBUS, PHYSDEVDRIVER in the uevent environment
++When: Oktober 2008
++Why:  The stacking of class devices makes these values misleading and
++      inconsistent.
++      Class devices should not carry any of these properties, and bus
++      devices have SUBSYTEM and DRIVER as a replacement.
++Who:  Kay Sievers <kay.sievers@suse.de>
++
++---------------------------
+--- linux-2.6.17.9.orig/drivers/base/class.c
++++ linux-2.6.17.9/drivers/base/class.c
+@@ -361,7 +361,7 @@ static int class_uevent(struct kset *kse
+       pr_debug("%s - name = %s\n", __FUNCTION__, class_dev->class_id);
+       if (class_dev->dev) {
+-              /* add physical device, backing this device  */
++              /* add device, backing this class device (deprecated) */
+               struct device *dev = class_dev->dev;
+               char *path = kobject_get_path(&dev->kobj, GFP_KERNEL);
+--- linux-2.6.17.9.orig/drivers/base/core.c
++++ linux-2.6.17.9/drivers/base/core.c
+@@ -117,17 +117,21 @@ static int dev_uevent(struct kset *kset,
+       int length = 0;
+       int retval = 0;
+-      /* add bus name of physical device */
++      /* add bus name (same as SUBSYSTEM, deprecated) */
+       if (dev->bus)
+               add_uevent_var(envp, num_envp, &i,
+                              buffer, buffer_size, &length,
+                              "PHYSDEVBUS=%s", dev->bus->name);
+-      /* add driver name of physical device */
+-      if (dev->driver)
++      /* add driver name (PHYSDEV* values are deprecated)*/
++      if (dev->driver) {
++              add_uevent_var(envp, num_envp, &i,
++                             buffer, buffer_size, &length,
++                             "DRIVER=%s", dev->driver->name);
+               add_uevent_var(envp, num_envp, &i,
+                              buffer, buffer_size, &length,
+                              "PHYSDEVDRIVER=%s", dev->driver->name);
++      }
+       /* terminate, set to next free slot, shrink available space */
+       envp[i] = NULL;
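Review bot: The new feature-removal entry names the replacement key as `SUBSYTEM`; it should read `SUBSYSTEM`, since that is the string a reader will search the uevent environment for, and `When: Oktober 2008` should read `October 2008`. In dev_uevent() the two `add_uevent_var()` calls inside the new `if (dev->driver) { … }` block discard their return value, as the PHYSDEVBUS call above them already does. If the helper signals a full buffer or envp array that way (its definition is not in this patch), a missing DRIVER= would go unnoticed. dev_uevent() begins and ends outside the hunk.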
diff --git a/queue-2.6.17/dm-bug-oops-fix.patch b/queue-2.6.17/dm-bug-oops-fix.patch
new file mode 100644 (file)
index 0000000..02fd7bc
--- /dev/null
@@ -0,0 +1,72 @@
+From stable-bounces@linux.kernel.org Sun Aug 13 23:24:58 2006
+Message-Id: <200608140624.k7E6OKjC006995@shell0.pdx.osdl.net>
+To: greg@kroah.com
+From: akpm@osdl.org
+Date: Sun, 13 Aug 2006 23:24:20 -0700
+Cc: akpm@osdl.org, torvalds@osdl.org, stable@kernel.org, agk@redhat.com, mirq-linux@rere.qmqm.pl
+Subject: dm: BUG/OOPS fix
+
+From: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+
+Fix BUG I tripped on while testing failover and multipathing.
+
+BUG shows up on error path in multipath_ctr() when parse_priority_group()
+fails after returning at least once without error.  The fix is to
+initialize m->ti early - just after alloc()ing it.
+
+BUG: unable to handle kernel NULL pointer dereference at virtual address 00000000
+ printing eip:
+c027c3d2
+*pde = 00000000
+Oops: 0000 [#3]
+Modules linked in: qla2xxx ext3 jbd mbcache sg ide_cd cdrom floppy
+CPU:    0
+EIP:    0060:[<c027c3d2>]    Not tainted VLI
+EFLAGS: 00010202   (2.6.17.3 #1)
+EIP is at dm_put_device+0xf/0x3b
+eax: 00000001   ebx: ee4fcac0   ecx: 00000000   edx: ee4fcac0
+esi: ee4fc4e0   edi: ee4fc4e0   ebp: 00000000   esp: c5db3e78
+ds: 007b   es: 007b   ss: 0068
+Process multipathd (pid: 15912, threadinfo=c5db2000 task=ef485a90)
+Stack: ec4eda40 c02816bd ee4fc4c0 00000000 f7e89498 f883e0bc c02816f6 f7e89480
+       f7e8948c c0281801 ffffffea f7e89480 f883e080 c0281ffe 00000001 00000000
+       00000004 dfe9cab8 f7a693c0 f883e080 f883e0c0 ca4b99c0 c027c6ee 01400000
+Call Trace:
+ <c02816bd> free_pgpaths+0x31/0x45  <c02816f6> free_priority_group+0x25/0x2e
+ <c0281801> free_multipath+0x35/0x67  <c0281ffe> multipath_ctr+0x123/0x12d
+ <c027c6ee> dm_table_add_target+0x11e/0x18b  <c027e5b4> populate_table+0x8a/0xaf
+ <c027e62b> table_load+0x52/0xf9  <c027ec23> ctl_ioctl+0xca/0xfc
+ <c027e5d9> table_load+0x0/0xf9  <c0152146> do_ioctl+0x3e/0x43
+ <c0152360> vfs_ioctl+0x16c/0x178  <c01523b4> sys_ioctl+0x48/0x60
+ <c01029b3> syscall_call+0x7/0xb
+Code: 97 f0 00 00 00 89 c1 83 c9 01 80 e2 01 0f 44 c1 88 43 14 8b 04 24 59 5b 5e 5f 5d c3 53 89 c1 89 d3 ff 4a 08 0f 94 c0 84 c0 74 2a <8b> 01 8b 10 89 d8 e8 f6 fb ff ff 8b 03 8b 53 04 89 50 04 89 02
+EIP: [<c027c3d2>] dm_put_device+0xf/0x3b SS:ESP 0068:c5db3e78
+
+Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+Acked-by: Alasdair G Kergon <agk@redhat.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/md/dm-mpath.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- linux-2.6.17.9.orig/drivers/md/dm-mpath.c
++++ linux-2.6.17.9/drivers/md/dm-mpath.c
+@@ -711,6 +711,8 @@ static int multipath_ctr(struct dm_targe
+               return -EINVAL;
+       }
++      m->ti = ti;
++
+       r = parse_features(&as, m, ti);
+       if (r)
+               goto bad;
+@@ -752,7 +754,6 @@ static int multipath_ctr(struct dm_targe
+       }
+       ti->private = m;
+-      m->ti = ti;
+       return 0;
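Review bot: The moved assignment `m->ti = ti;` in multipath_ctr() has no comment saying it must stay ahead of every `goto bad`, so a later cleanup could move it back to the end of the constructor. The call trace in the description shows the error path running free_multipath() → free_priority_group() → free_pgpaths() → dm_put_device(), which presumably receives `m->ti`. I would add `/* set before any 'goto bad': the teardown path hands m->ti to dm_put_device() */` above the assignment. multipath_ctr() starts and ends outside the hunks.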
diff --git a/queue-2.6.17/fix-ipv4-routing-locking-bug.patch b/queue-2.6.17/fix-ipv4-routing-locking-bug.patch
new file mode 100644 (file)
index 0000000..bf82ebb
--- /dev/null
@@ -0,0 +1,84 @@
+From stable-bounces@linux.kernel.org Thu Aug 17 22:57:51 2006
+Date: Thu, 17 Aug 2006 22:57:22 -0700 (PDT)
+Message-Id: <20060817.225722.41634450.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Subject: Fix ipv4 routing locking bug
+
+
+From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+
+[IPV4]: severe locking bug in fib_semantics.c
+
+Found in 2.4 by Yixin Pan <yxpan@hotmail.com>.
+
+> When I read fib_semantics.c of Linux-2.4.32, write_lock(&fib_info_lock) =
+> is used in fib_release_info() instead of write_lock_bh(&fib_info_lock).  =
+> Is the following case possible: a BH interrupts fib_release_info() while =
+> holding the write lock, and calls ip_check_fib_default() which calls =
+> read_lock(&fib_info_lock), and spin forever.
+
+Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/fib_semantics.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- linux-2.6.17.9.orig/net/ipv4/fib_semantics.c
++++ linux-2.6.17.9/net/ipv4/fib_semantics.c
+@@ -160,7 +160,7 @@ void free_fib_info(struct fib_info *fi)
+ void fib_release_info(struct fib_info *fi)
+ {
+-      write_lock(&fib_info_lock);
++      write_lock_bh(&fib_info_lock);
+       if (fi && --fi->fib_treeref == 0) {
+               hlist_del(&fi->fib_hash);
+               if (fi->fib_prefsrc)
+@@ -173,7 +173,7 @@ void fib_release_info(struct fib_info *f
+               fi->fib_dead = 1;
+               fib_info_put(fi);
+       }
+-      write_unlock(&fib_info_lock);
++      write_unlock_bh(&fib_info_lock);
+ }
+ static __inline__ int nh_comp(const struct fib_info *fi, const struct fib_info *ofi)
+@@ -599,7 +599,7 @@ static void fib_hash_move(struct hlist_h
+       unsigned int old_size = fib_hash_size;
+       unsigned int i, bytes;
+-      write_lock(&fib_info_lock);
++      write_lock_bh(&fib_info_lock);
+       old_info_hash = fib_info_hash;
+       old_laddrhash = fib_info_laddrhash;
+       fib_hash_size = new_size;
+@@ -640,7 +640,7 @@ static void fib_hash_move(struct hlist_h
+       }
+       fib_info_laddrhash = new_laddrhash;
+-      write_unlock(&fib_info_lock);
++      write_unlock_bh(&fib_info_lock);
+       bytes = old_size * sizeof(struct hlist_head *);
+       fib_hash_free(old_info_hash, bytes);
+@@ -822,7 +822,7 @@ link_it:
+       fi->fib_treeref++;
+       atomic_inc(&fi->fib_clntref);
+-      write_lock(&fib_info_lock);
++      write_lock_bh(&fib_info_lock);
+       hlist_add_head(&fi->fib_hash,
+                      &fib_info_hash[fib_info_hashfn(fi)]);
+       if (fi->fib_prefsrc) {
+@@ -841,7 +841,7 @@ link_it:
+               head = &fib_info_devhash[hash];
+               hlist_add_head(&nh->nh_hash, head);
+       } endfor_nexthops(fi)
+-      write_unlock(&fib_info_lock);
++      write_unlock_bh(&fib_info_lock);
+       return fi;
+ err_inval:
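Review bot: None of the six changed lock calls in fib_semantics.c says why the `_bh` form is required, and the reason (a bottom half taking `read_lock(&fib_info_lock)` through ip_check_fib_default()) is recorded only in the quoted mail. A one-line comment at the first site in fib_release_info(), e.g. `/* _bh: fib_info_lock is also read from BH context; a plain write_lock can deadlock against it */`, would keep a future writer from reintroducing the plain variant. The patch covers fib_release_info(), fib_hash_move() and the `link_it:` path; any other writer of this lock in the file is outside these hunks and would need the same treatment.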
diff --git a/queue-2.6.17/ia64-local-dos-with-corrupted-elfs.patch b/queue-2.6.17/ia64-local-dos-with-corrupted-elfs.patch
new file mode 100644 (file)
index 0000000..3cb352b
--- /dev/null
@@ -0,0 +1,285 @@
+From stable-bounces@linux.kernel.org Wed Aug 16 01:57:04 2006
+Message-ID: <44E2DE22.6050603@sw.ru>
+Date: Wed, 16 Aug 2006 12:58:10 +0400
+From: Kirill Korotaev <dev@sw.ru>
+To: Chris Wright <chrisw@osdl.org>, Greg KH <greg@kroah.com>, stable@kernel.org, "David S. Miller" <davem@davemloft.net>, "Luck, Tony" <tony.luck@intel.com>, xemul@sw.ru
+Subject: IA64: local DoS with corrupted ELFs
+
+From: Kirill Korotaev <dev@sw.ru>
+
+This patch prevents cross-region mappings
+on IA64 and SPARC which could lead to system crash.
+
+davem@ confirmed: "This looks fine to me." :)
+
+Signed-Off-By: Pavel Emelianov <xemul@openvz.org>
+Signed-Off-By: Kirill Korotaev <dev@openvz.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ arch/ia64/kernel/sys_ia64.c     |   28 ++++++++++++++++------------
+ arch/sparc/kernel/sys_sparc.c   |   27 +++++++++++++++------------
+ arch/sparc64/kernel/sys_sparc.c |   36 ++++++++++++++++++++----------------
+ include/asm-generic/mman.h      |    6 ++++++
+ include/asm-ia64/mman.h         |    6 ++++++
+ include/asm-sparc/mman.h        |    6 ++++++
+ include/asm-sparc64/mman.h      |    6 ++++++
+ mm/mmap.c                       |   13 +++++++++++--
+ 8 files changed, 86 insertions(+), 42 deletions(-)
+
+--- linux-2.6.17.9.orig/arch/ia64/kernel/sys_ia64.c
++++ linux-2.6.17.9/arch/ia64/kernel/sys_ia64.c
+@@ -164,10 +164,25 @@ sys_pipe (void)
+       return retval;
+ }
++int ia64_map_check_rgn(unsigned long addr, unsigned long len,
++              unsigned long flags)
++{
++      unsigned long roff;
++
++      /*
++       * Don't permit mappings into unmapped space, the virtual page table
++       * of a region, or across a region boundary.  Note: RGN_MAP_LIMIT is
++       * equal to 2^n-PAGE_SIZE (for some integer n <= 61) and len > 0.
++       */
++      roff = REGION_OFFSET(addr);
++      if ((len > RGN_MAP_LIMIT) || (roff > (RGN_MAP_LIMIT - len)))
++              return -EINVAL;
++      return 0;
++}
++
+ static inline unsigned long
+ do_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd, unsigned long pgoff)
+ {
+-      unsigned long roff;
+       struct file *file = NULL;
+       flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+@@ -189,17 +204,6 @@ do_mmap2 (unsigned long addr, unsigned l
+               goto out;
+       }
+-      /*
+-       * Don't permit mappings into unmapped space, the virtual page table of a region,
+-       * or across a region boundary.  Note: RGN_MAP_LIMIT is equal to 2^n-PAGE_SIZE
+-       * (for some integer n <= 61) and len > 0.
+-       */
+-      roff = REGION_OFFSET(addr);
+-      if ((len > RGN_MAP_LIMIT) || (roff > (RGN_MAP_LIMIT - len))) {
+-              addr = -EINVAL;
+-              goto out;
+-      }
+-
+       down_write(&current->mm->mmap_sem);
+       addr = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+       up_write(&current->mm->mmap_sem);
+--- linux-2.6.17.9.orig/arch/sparc/kernel/sys_sparc.c
++++ linux-2.6.17.9/arch/sparc/kernel/sys_sparc.c
+@@ -219,6 +219,21 @@ out:
+       return err;
+ }
++int sparc_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
++{
++      if (ARCH_SUN4C_SUN4 &&
++          (len > 0x20000000 ||
++           ((flags & MAP_FIXED) &&
++            addr < 0xe0000000 && addr + len > 0x20000000)))
++              return -EINVAL;
++
++      /* See asm-sparc/uaccess.h */
++      if (len > TASK_SIZE - PAGE_SIZE || addr + len > TASK_SIZE - PAGE_SIZE)
++              return -EINVAL;
++
++      return 0;
++}
++
+ /* Linux version of mmap */
+ static unsigned long do_mmap2(unsigned long addr, unsigned long len,
+       unsigned long prot, unsigned long flags, unsigned long fd,
+@@ -233,25 +248,13 @@ static unsigned long do_mmap2(unsigned l
+                       goto out;
+       }
+-      retval = -EINVAL;
+       len = PAGE_ALIGN(len);
+-      if (ARCH_SUN4C_SUN4 &&
+-          (len > 0x20000000 ||
+-           ((flags & MAP_FIXED) &&
+-            addr < 0xe0000000 && addr + len > 0x20000000)))
+-              goto out_putf;
+-
+-      /* See asm-sparc/uaccess.h */
+-      if (len > TASK_SIZE - PAGE_SIZE || addr + len > TASK_SIZE - PAGE_SIZE)
+-              goto out_putf;
+-
+       flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+       down_write(&current->mm->mmap_sem);
+       retval = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+       up_write(&current->mm->mmap_sem);
+-out_putf:
+       if (file)
+               fput(file);
+ out:
+--- linux-2.6.17.9.orig/arch/sparc64/kernel/sys_sparc.c
++++ linux-2.6.17.9/arch/sparc64/kernel/sys_sparc.c
+@@ -549,6 +549,26 @@ asmlinkage long sparc64_personality(unsi
+       return ret;
+ }
++int sparc64_mmap_check(unsigned long addr, unsigned long len,
++              unsigned long flags)
++{
++      if (test_thread_flag(TIF_32BIT)) {
++              if (len >= STACK_TOP32)
++                      return -EINVAL;
++
++              if ((flags & MAP_FIXED) && addr > STACK_TOP32 - len)
++                      return -EINVAL;
++      } else {
++              if (len >= VA_EXCLUDE_START)
++                      return -EINVAL;
++
++              if ((flags & MAP_FIXED) && invalid_64bit_range(addr, len))
++                      return -EINVAL;
++      }
++
++      return 0;
++}
++
+ /* Linux version of mmap */
+ asmlinkage unsigned long sys_mmap(unsigned long addr, unsigned long len,
+       unsigned long prot, unsigned long flags, unsigned long fd,
+@@ -564,27 +584,11 @@ asmlinkage unsigned long sys_mmap(unsign
+       }
+       flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+       len = PAGE_ALIGN(len);
+-      retval = -EINVAL;
+-
+-      if (test_thread_flag(TIF_32BIT)) {
+-              if (len >= STACK_TOP32)
+-                      goto out_putf;
+-
+-              if ((flags & MAP_FIXED) && addr > STACK_TOP32 - len)
+-                      goto out_putf;
+-      } else {
+-              if (len >= VA_EXCLUDE_START)
+-                      goto out_putf;
+-
+-              if ((flags & MAP_FIXED) && invalid_64bit_range(addr, len))
+-                      goto out_putf;
+-      }
+       down_write(&current->mm->mmap_sem);
+       retval = do_mmap(file, addr, len, prot, flags, off);
+       up_write(&current->mm->mmap_sem);
+-out_putf:
+       if (file)
+               fput(file);
+ out:
+--- linux-2.6.17.9.orig/include/asm-generic/mman.h
++++ linux-2.6.17.9/include/asm-generic/mman.h
+@@ -39,4 +39,10 @@
+ #define MAP_ANON      MAP_ANONYMOUS
+ #define MAP_FILE      0
++#ifdef __KERNEL__
++#ifndef arch_mmap_check
++#define arch_mmap_check(addr, len, flags)     (0)
++#endif
++#endif
++
+ #endif
+--- linux-2.6.17.9.orig/include/asm-ia64/mman.h
++++ linux-2.6.17.9/include/asm-ia64/mman.h
+@@ -8,6 +8,12 @@
+  *    David Mosberger-Tang <davidm@hpl.hp.com>, Hewlett-Packard Co
+  */
++#ifdef __KERNEL__
++#define arch_mmap_check       ia64_map_check_rgn
++int ia64_map_check_rgn(unsigned long addr, unsigned long len,
++              unsigned long flags);
++#endif
++
+ #include <asm-generic/mman.h>
+ #define MAP_GROWSDOWN 0x00100         /* stack-like segment */
+--- linux-2.6.17.9.orig/include/asm-sparc/mman.h
++++ linux-2.6.17.9/include/asm-sparc/mman.h
+@@ -2,6 +2,12 @@
+ #ifndef __SPARC_MMAN_H__
+ #define __SPARC_MMAN_H__
++#ifdef __KERNEL__
++#define arch_mmap_check       sparc_mmap_check
++int sparc_mmap_check(unsigned long addr, unsigned long len,
++              unsigned long flags);
++#endif
++
+ #include <asm-generic/mman.h>
+ /* SunOS'ified... */
+--- linux-2.6.17.9.orig/include/asm-sparc64/mman.h
++++ linux-2.6.17.9/include/asm-sparc64/mman.h
+@@ -2,6 +2,12 @@
+ #ifndef __SPARC64_MMAN_H__
+ #define __SPARC64_MMAN_H__
++#ifdef __KERNEL__
++#define arch_mmap_check       sparc64_mmap_check
++int sparc64_mmap_check(unsigned long addr, unsigned long len,
++              unsigned long flags);
++#endif
++
+ #include <asm-generic/mman.h>
+ /* SunOS'ified... */
+--- linux-2.6.17.9.orig/mm/mmap.c
++++ linux-2.6.17.9/mm/mmap.c
+@@ -913,6 +913,10 @@ unsigned long do_mmap_pgoff(struct file 
+       if (!len)
+               return -EINVAL;
++      error = arch_mmap_check(addr, len, flags);
++      if (error)
++              return error;
++
+       /* Careful about overflows.. */
+       len = PAGE_ALIGN(len);
+       if (!len || len > TASK_SIZE)
+@@ -1852,6 +1856,7 @@ unsigned long do_brk(unsigned long addr,
+       unsigned long flags;
+       struct rb_node ** rb_link, * rb_parent;
+       pgoff_t pgoff = addr >> PAGE_SHIFT;
++      int error;
+       len = PAGE_ALIGN(len);
+       if (!len)
+@@ -1860,6 +1865,12 @@ unsigned long do_brk(unsigned long addr,
+       if ((addr + len) > TASK_SIZE || (addr + len) < addr)
+               return -EINVAL;
++      flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
++
++      error = arch_mmap_check(addr, len, flags);
++      if (error)
++              return error;
++
+       /*
+        * mlock MCL_FUTURE?
+        */
+@@ -1900,8 +1911,6 @@ unsigned long do_brk(unsigned long addr,
+       if (security_vm_enough_memory(len >> PAGE_SHIFT))
+               return -ENOMEM;
+-      flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
+-
+       /* Can we just expand an old private anonymous mapping? */
+       if (vma_merge(mm, prev, addr, addr + len, flags,
+                                       NULL, NULL, pgoff, NULL))
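Review bot: In do_brk() the new call `arch_mmap_check(addr, len, flags)` passes `flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags`, which are vm_flags bits, while sparc_mmap_check() and sparc64_mmap_check() test that argument with `flags & MAP_FIXED`. Whether the fixed-address range checks run for brk therefore depends on a VM_* bit happening to share MAP_FIXED's value rather than on intent. Since brk maps at the address it is given, passing the mmap flag explicitly, `error = arch_mmap_check(addr, len, MAP_FIXED);`, states that directly and lets the `flags = …` assignment stay where it was. Note also that do_mmap_pgoff() now runs the check before `len = PAGE_ALIGN(len)`, whereas the removed sparc code ran it after, so any caller that has not already aligned `len` reaches the check with the unaligned value. do_mmap_pgoff() and do_brk() both continue outside the hunks.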
diff --git a/queue-2.6.17/ip_tables-fix-table-locking-in-ipt_do_table.patch b/queue-2.6.17/ip_tables-fix-table-locking-in-ipt_do_table.patch
new file mode 100644 (file)
index 0000000..c343305
--- /dev/null
@@ -0,0 +1,61 @@
+From stable-bounces@linux.kernel.org Thu Aug 17 22:53:48 2006
+Message-ID: <44E555B9.9010009@trash.net>
+Date: Fri, 18 Aug 2006 07:52:57 +0200
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Cc: Adrian Bunk <bunk@stusta.de>
+Subject: [NETFILTER]: ip_tables: fix table locking in ipt_do_table
+
+From: Patrick McHardy <kaber@trash.net>
+
+[NETFILTER]: ip_tables: fix table locking in ipt_do_table
+
+table->private might change because of ruleset changes, don't use it without
+holding the lock.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/netfilter/arp_tables.c |    3 ++-
+ net/ipv4/netfilter/ip_tables.c  |    3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- linux-2.6.17.9.orig/net/ipv4/netfilter/arp_tables.c
++++ linux-2.6.17.9/net/ipv4/netfilter/arp_tables.c
+@@ -237,7 +237,7 @@ unsigned int arpt_do_table(struct sk_buf
+       struct arpt_entry *e, *back;
+       const char *indev, *outdev;
+       void *table_base;
+-      struct xt_table_info *private = table->private;
++      struct xt_table_info *private;
+       /* ARP header, plus 2 device addresses, plus 2 IP addresses.  */
+       if (!pskb_may_pull((*pskb), (sizeof(struct arphdr) +
+@@ -249,6 +249,7 @@ unsigned int arpt_do_table(struct sk_buf
+       outdev = out ? out->name : nulldevname;
+       read_lock_bh(&table->lock);
++      private = table->private;
+       table_base = (void *)private->entries[smp_processor_id()];
+       e = get_entry(table_base, private->hook_entry[hook]);
+       back = get_entry(table_base, private->underflow[hook]);
+--- linux-2.6.17.9.orig/net/ipv4/netfilter/ip_tables.c
++++ linux-2.6.17.9/net/ipv4/netfilter/ip_tables.c
+@@ -231,7 +231,7 @@ ipt_do_table(struct sk_buff **pskb,
+       const char *indev, *outdev;
+       void *table_base;
+       struct ipt_entry *e, *back;
+-      struct xt_table_info *private = table->private;
++      struct xt_table_info *private;
+       /* Initialization */
+       ip = (*pskb)->nh.iph;
+@@ -248,6 +248,7 @@ ipt_do_table(struct sk_buff **pskb,
+       read_lock_bh(&table->lock);
+       IP_NF_ASSERT(table->valid_hooks & (1 << hook));
++      private = table->private;
+       table_base = (void *)private->entries[smp_processor_id()];
+       e = get_entry(table_base, private->hook_entry[hook]);
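Review bot: The relocated `private = table->private;` in arpt_do_table() and ipt_do_table() carries no comment tying it to `read_lock_bh(&table->lock)`, so the declaration-time initialiser could easily come back in a later cleanup. I would add `/* table->private can be replaced by a ruleset update; read it only under table->lock */` above the assignment in both functions. The diffstat lists only arp_tables.c and ip_tables.c; if other *_do_table() implementations read `table->private` at declaration (not visible here), they have the same window. Both functions start and end outside the hunks.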
diff --git a/queue-2.6.17/pci-fix-ich6-quirks.patch b/queue-2.6.17/pci-fix-ich6-quirks.patch
new file mode 100644 (file)
index 0000000..28d0902
--- /dev/null
@@ -0,0 +1,46 @@
+From daniel.ritz-ml@swissonline.ch Fri Aug 18 07:50:50 2006
+From: Daniel Ritz <daniel.ritz-ml@swissonline.ch>
+To: Greg KH <gregkh@suse.de>, Andrew Morton <akpm@osdl.org>
+Subject: PCI: fix ICH6 quirks
+Date: Fri, 18 Aug 2006 16:50:40 +0200
+Cc: Jean Delvare <khali@linux-fr.org>,
+       "linux-kernel" <linux-kernel@vger.kernel.org>,
+       "linux-pci" <linux-pci@atrey.karlin.mff.cuni.cz>
+Content-Disposition: inline
+Message-Id: <200608181650.41869.daniel.ritz-ml@swissonline.ch>
+
+From: Daniel Ritz <daniel.ritz-ml@swissonline.ch>
+
+[PATCH] PCI: fix ICH6 quirks
+
+- add the ICH6(R) LPC to the ICH6 ACPI quirks. currently only the ICH6-M is
+  handled. [ PCI_DEVICE_ID_INTEL_ICH6_1 is the ICH6-M LPC, ICH6_0 is the ICH6(R) ]
+- remove the wrong quirk calling asus_hides_smbus_lpc() for ICH6. the register
+  modified in asus_hides_smbus_lpc() has a different meaning in ICH6.
+
+Signed-off-by: Daniel Ritz <daniel.ritz@gmx.ch>
+Cc: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/quirks.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.17.9.orig/drivers/pci/quirks.c
++++ linux-2.6.17.9/drivers/pci/quirks.c
+@@ -427,6 +427,7 @@ static void __devinit quirk_ich6_lpc_acp
+       pci_read_config_dword(dev, 0x48, &region);
+       quirk_io_region(dev, region, 64, PCI_BRIDGE_RESOURCES+1, "ICH6 GPIO");
+ }
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH6_0, quirk_ich6_lpc_acpi );
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH6_1, quirk_ich6_lpc_acpi );
+ /*
+@@ -1043,7 +1044,6 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_I
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82801CA_12, asus_hides_smbus_lpc );
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82801DB_12, asus_hides_smbus_lpc );
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82801EB_0,  asus_hides_smbus_lpc );
+-DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH6_1,     asus_hides_smbus_lpc );
+ static void __init asus_hides_smbus_lpc_ich6(struct pci_dev *dev)
+ {
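Review bot: The two `DECLARE_PCI_FIXUP_HEADER` lines for quirk_ich6_lpc_acpi rely on a device-ID naming that is easy to misread, and only the description explains it. A trailing comment on each, `/* ICH6(R) LPC */` for `PCI_DEVICE_ID_INTEL_ICH6_0` and `/* ICH6-M LPC */` for `PCI_DEVICE_ID_INTEL_ICH6_1`, would keep that mapping next to the code. Likewise a line above asus_hides_smbus_lpc_ich6() such as `/* ICH6 must not use asus_hides_smbus_lpc(): the register it modifies has a different meaning on ICH6 */` would stop the removed fixup from being re-added.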
diff --git a/queue-2.6.17/serial-icom-select-fw_loader.patch b/queue-2.6.17/serial-icom-select-fw_loader.patch
new file mode 100644 (file)
index 0000000..2dc7694
--- /dev/null
@@ -0,0 +1,33 @@
+From stable-bounces@linux.kernel.org Wed Aug 16 10:54:58 2006
+Date: Wed, 16 Aug 2006 19:53:50 +0200
+From: Olaf Hering <olaf@aepfle.de>
+To: stable@kernel.org, bunk@stusta.de, maks@sternwelten.at
+Message-ID: <20060816175350.GA9888@aepfle.de>
+Content-Disposition: inline
+Cc: linux-kernel@vger.kernel.org
+Subject: SERIAL: icom: select FW_LOADER
+
+From: Olaf Hering <olaf@aepfle.de>
+
+The icom driver uses request_firmware()
+and thus needs to select FW_LOADER.
+
+Signed-off-by: maximilian attems <maks@sternwelten.at>
+Signed-off-by: Olaf Hering <olh@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/serial/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.17.9.orig/drivers/serial/Kconfig
++++ linux-2.6.17.9/drivers/serial/Kconfig
+@@ -803,6 +803,7 @@ config SERIAL_MPC52xx
+       tristate "Freescale MPC52xx family PSC serial support"
+       depends on PPC_MPC52xx
+       select SERIAL_CORE
++      select FW_LOADER
+       help
+         This drivers support the MPC52xx PSC serial ports. If you would
+         like to use them, you must answer Y or M to this option. Not that
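Review bot: The added `select FW_LOADER` sits in the `config SERIAL_MPC52xx` entry (its context lines are `tristate "Freescale MPC52xx family PSC serial support"` and `select SERIAL_CORE`), not in the icom driver's entry that the subject and description name. As written, the icom option still does not select FW_LOADER, so the request_firmware() dependency the description cites remains unmet, and MPC52xx gains a select the description does not justify. The line should move to the `config SERIAL_ICOM` block, which is outside this hunk, and the patch should be regenerated against 2.6.17.9 so the context matches the intended entry.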
index 433b26b5ab548a0cbdfe0cd2935fe27fd16ac396..95f7b62a1fa163764ad01f45b1c53b017128e868 100644 (file)
@@ -1,3 +1,4 @@
+deprecate-physdev-keys.patch
 have-ext3-reject-file-handles-with-bad-inode-numbers-early.patch
 sky2-phy-power-problem-on-88e805x.patch
 kill-hash_highmem-from-route-cache-hash-sizing.patch
@@ -7,3 +8,11 @@ fix-befs-slab-corruption.patch
 disable-debugging-version-of-write_lock.patch
 ipx-header-length-validation-needed.patch
 tpm-interrupt-clear-fix.patch
+ulog-fix-panic-on-smp-kernels.patch
+sys_getppid-oopses-on-debug-kernel.patch
+serial-icom-select-fw_loader.patch
+pci-fix-ich6-quirks.patch
+ip_tables-fix-table-locking-in-ipt_do_table.patch
+ia64-local-dos-with-corrupted-elfs.patch
+fix-ipv4-routing-locking-bug.patch
+dm-bug-oops-fix.patch
diff --git a/queue-2.6.17/sys_getppid-oopses-on-debug-kernel.patch b/queue-2.6.17/sys_getppid-oopses-on-debug-kernel.patch
new file mode 100644 (file)
index 0000000..a453268
--- /dev/null
@@ -0,0 +1,84 @@
+From stable-bounces@linux.kernel.org Sun Aug 13 23:25:48 2006
+Message-Id: <200608140624.k7E6ONGE007003@shell0.pdx.osdl.net>
+To: greg@kroah.com
+From: akpm@osdl.org
+Date: Sun, 13 Aug 2006 23:24:23 -0700
+Cc: akpm@osdl.org, dev@openvz.org, stable@kernel.org, haveblue@us.ibm.com, dev@sw.ru, torvalds@osdl.org, oleg@tv-sign.ru
+Subject: sys_getppid oopses on debug kernel
+
+From: Kirill Korotaev <dev@sw.ru>
+
+sys_getppid() optimization can access a freed memory.  On kernels with
+DEBUG_SLAB turned ON, this results in Oops.  As Dave Hansen noted, this
+optimization is also unsafe for memory hotplug.
+
+So this patch always takes the lock to be safe.
+
+[oleg@tv-sign.ru: simplifications]
+
+Signed-off-by: Kirill Korotaev <dev@openvz.org>
+Cc: Dave Hansen <haveblue@us.ibm.com>
+Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/timer.c |   41 +++++++----------------------------------
+ 1 file changed, 7 insertions(+), 34 deletions(-)
+
+--- linux-2.6.17.9.orig/kernel/timer.c
++++ linux-2.6.17.9/kernel/timer.c
+@@ -975,46 +975,19 @@ asmlinkage long sys_getpid(void)
+ }
+ /*
+- * Accessing ->group_leader->real_parent is not SMP-safe, it could
+- * change from under us. However, rather than getting any lock
+- * we can use an optimistic algorithm: get the parent
+- * pid, and go back and check that the parent is still
+- * the same. If it has changed (which is extremely unlikely
+- * indeed), we just try again..
+- *
+- * NOTE! This depends on the fact that even if we _do_
+- * get an old value of "parent", we can happily dereference
+- * the pointer (it was and remains a dereferencable kernel pointer
+- * no matter what): we just can't necessarily trust the result
+- * until we know that the parent pointer is valid.
+- *
+- * NOTE2: ->group_leader never changes from under us.
++ * Accessing ->real_parent is not SMP-safe, it could
++ * change from under us. However, we can use a stale
++ * value of ->real_parent under rcu_read_lock(), see
++ * release_task()->call_rcu(delayed_put_task_struct).
+  */
+ asmlinkage long sys_getppid(void)
+ {
+       int pid;
+-      struct task_struct *me = current;
+-      struct task_struct *parent;
+-      parent = me->group_leader->real_parent;
+-      for (;;) {
+-              pid = parent->tgid;
+-#if defined(CONFIG_SMP) || defined(CONFIG_PREEMPT)
+-{
+-              struct task_struct *old = parent;
++      rcu_read_lock();
++      pid = rcu_dereference(current->real_parent)->tgid;
++      rcu_read_unlock();
+-              /*
+-               * Make sure we read the pid before re-reading the
+-               * parent pointer:
+-               */
+-              smp_rmb();
+-              parent = me->group_leader->real_parent;
+-              if (old != parent)
+-                      continue;
+-}
+-#endif
+-              break;
+-      }
+       return pid;
+ }
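Review bot: The new body reads `current->real_parent`, while the removed loop read `me->group_leader->real_parent`, and neither the rewritten comment nor the description says why dropping `group_leader` is equivalent for non-leader threads. If every thread's `real_parent` is kept identical to its leader's (not visible in this hunk), one more comment line stating that, e.g. `* All threads of a group share ->real_parent, so ->group_leader is not needed.`, would make the simplification reviewable. If that does not hold, getppid() could return a different value in a non-leader thread than it did before.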
diff --git a/queue-2.6.17/ulog-fix-panic-on-smp-kernels.patch b/queue-2.6.17/ulog-fix-panic-on-smp-kernels.patch
new file mode 100644 (file)
index 0000000..7ed87f1
--- /dev/null
@@ -0,0 +1,70 @@
+From stable-bounces@linux.kernel.org Fri Aug 11 17:46:20 2006
+Message-ID: <44DD24B8.5040307@trash.net>
+Date: Sat, 12 Aug 2006 02:45:44 +0200
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Cc: Adrian Bunk <bunk@stusta.de>
+Subject: [NETFILTER]: ulog: fix panic on SMP kernels
+
+From: Mark Huang <mlhuang@cs.princeton.edu>
+
+[NETFILTER]: ulog: fix panic on SMP kernels
+
+Fix kernel panic on various SMP machines. The culprit is a null
+ub->skb in ulog_send(). If ulog_timer() has already been scheduled on
+one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the
+queue on another CPU by calling ulog_send() right before it exits,
+there will be no skbuff when ulog_timer() acquires the lock and calls
+ulog_send(). Cancelling the timer in ulog_send() doesn't help because
+it has already been scheduled and is running on the first CPU.
+
+Similar problem exists in ebt_ulog.c and nfnetlink_log.c.
+
+Signed-off-by: Mark Huang <mlhuang@cs.princeton.edu>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bridge/netfilter/ebt_ulog.c |    3 +++
+ net/ipv4/netfilter/ipt_ULOG.c   |    5 +++++
+ net/netfilter/nfnetlink_log.c   |    3 +++
+ 3 files changed, 11 insertions(+)
+
+--- linux-2.6.17.9.orig/net/bridge/netfilter/ebt_ulog.c
++++ linux-2.6.17.9/net/bridge/netfilter/ebt_ulog.c
+@@ -75,6 +75,9 @@ static void ulog_send(unsigned int nlgro
+       if (timer_pending(&ub->timer))
+               del_timer(&ub->timer);
++      if (!ub->skb)
++              return;
++
+       /* last nlmsg needs NLMSG_DONE */
+       if (ub->qlen > 1)
+               ub->lastnlh->nlmsg_type = NLMSG_DONE;
+--- linux-2.6.17.9.orig/net/ipv4/netfilter/ipt_ULOG.c
++++ linux-2.6.17.9/net/ipv4/netfilter/ipt_ULOG.c
+@@ -116,6 +116,11 @@ static void ulog_send(unsigned int nlgro
+               del_timer(&ub->timer);
+       }
++      if (!ub->skb) {
++              DEBUGP("ipt_ULOG: ulog_send: nothing to send\n");
++              return;
++      }
++
+       /* last nlmsg needs NLMSG_DONE */
+       if (ub->qlen > 1)
+               ub->lastnlh->nlmsg_type = NLMSG_DONE;
+--- linux-2.6.17.9.orig/net/netfilter/nfnetlink_log.c
++++ linux-2.6.17.9/net/netfilter/nfnetlink_log.c
+@@ -366,6 +366,9 @@ __nfulnl_send(struct nfulnl_instance *in
+       if (timer_pending(&inst->timer))
+               del_timer(&inst->timer);
++      if (!inst->skb)
++              return 0;
++
+       if (inst->qlen > 1)
+               inst->lastnlh->nlmsg_type = NLMSG_DONE;
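Review bot: The three new NULL checks (`if (!ub->skb)` in both ulog_send() variants and `if (!inst->skb)` in __nfulnl_send()) have no comment, and the race that makes them necessary is described only in the commit message. Without one they read as dead defensive code; I would add `/* the timer may fire after another CPU has already flushed the queue */` above each. Only the ipt_ULOG.c copy logs through DEBUGP while the other two return silently, which is worth making consistent one way or the other. All three functions start and end outside the hunks.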