--- /dev/null
+From stable-bounces@linux.kernel.org Tue Aug 21 20:53:33 2007
+From: Gerrit Renker <gerrit@erg.abdn.ac.uk>
+Date: Tue, 21 Aug 2007 20:53:27 -0700 (PDT)
+Subject: DCCP: Fix DCCP GFP_KERNEL allocation in atomic context
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070821.205327.26278036.davem@davemloft.net>
+
+From: Gerrit Renker <gerrit@erg.abdn.ac.uk>
+
+This fixes the following bug reported in syslog:
+
+[ 4039.051658] BUG: sleeping function called from invalid context at /usr/src/davem-2.6/mm/slab.c:3032
+[ 4039.051668] in_atomic():1, irqs_disabled():0
+[ 4039.051670] INFO: lockdep is turned off.
+[ 4039.051674] [<c0104c0f>] show_trace_log_lvl+0x1a/0x30
+[ 4039.051687] [<c0104d4d>] show_trace+0x12/0x14
+[ 4039.051691] [<c0104d65>] dump_stack+0x16/0x18
+[ 4039.051695] [<c011371e>] __might_sleep+0xaf/0xbe
+[ 4039.051700] [<c0157b66>] __kmalloc+0xb1/0xd0
+[ 4039.051706] [<f090416f>] ccid2_hc_tx_alloc_seq+0x35/0xc3 [dccp_ccid2]
+[ 4039.051717] [<f09048d6>] ccid2_hc_tx_packet_sent+0x27f/0x2d9 [dccp_ccid2]
+[ 4039.051723] [<f085486b>] dccp_write_xmit+0x1eb/0x338 [dccp]
+[ 4039.051741] [<f085603d>] dccp_sendmsg+0x113/0x18f [dccp]
+[ 4039.051750] [<c03907fc>] inet_sendmsg+0x2e/0x4c
+[ 4039.051758] [<c033a47d>] sock_aio_write+0xd5/0x107
+[ 4039.051766] [<c015abc1>] do_sync_write+0xcd/0x11c
+[ 4039.051772] [<c015b296>] vfs_write+0x118/0x11f
+[ 4039.051840] [<c015b932>] sys_write+0x3d/0x64
+[ 4039.051845] [<c0103e7c>] syscall_call+0x7/0xb
+[ 4039.051848] =======================
+
+The problem was that GFP_KERNEL was used; fixed by using gfp_any().
+
+Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/dccp/ccids/ccid2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/dccp/ccids/ccid2.c
++++ b/net/dccp/ccids/ccid2.c
+@@ -298,7 +298,7 @@ static void ccid2_hc_tx_packet_sent(stru
+ int rc;
+
+ ccid2_pr_debug("allocating more space in history\n");
+- rc = ccid2_hc_tx_alloc_seq(hctx, CCID2_SEQBUF_LEN, GFP_KERNEL);
++ rc = ccid2_hc_tx_alloc_seq(hctx, CCID2_SEQBUF_LEN, gfp_any());
+ BUG_ON(rc); /* XXX what do we do? */
+
+ next = hctx->ccid2hctx_seqh->ccid2s_next;
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Aug 21 21:04:16 2007
+From: David Miller <davem@davemloft.net>
+Date: Tue, 21 Aug 2007 21:04:07 -0700 (PDT)
+Subject: Fix soft-fp underflow handling.
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070821.210407.55726339.davem@davemloft.net>
+
+
+From: David Miller <davem@davemloft.net>
+
+The underflow exception cases were wrong.
+
+This is one weird area of ieee1754 handling in that the underflow
+behavior changes based upon whether underflow is enabled in the trap
+enable mask of the FPU control register. As a specific case the Sparc
+V9 manual gives us the following description:
+
+--------------------
+If UFM = 0: Underflow occurs if a nonzero result is tiny and a
+ loss of accuracy occurs. Tininess may be detected
+ before or after rounding. Loss of accuracy may be
+ either a denormalization loss or an inexact result.
+
+If UFM = 1: Underflow occurs if a nonzero result is tiny.
+ Tininess may be detected before or after rounding.
+--------------------
+
+What this amounts to in the packing case is if we go subnormal,
+we set underflow if any of the following are true:
+
+1) rounding sets inexact
+2) we ended up rounding back up to normal (this is the case where
+ we set the exponent to 1 and set the fraction to zero), this
+ should set inexact too
+3) underflow is set in FPU control register trap-enable mask
+
+The initially discovered example was "DBL_MIN / 16.0" which
+incorrectly generated an underflow. It should not, unless underflow
+is set in the trap-enable mask of the FPU csr.
+
+Another example, "0x0.0000000000001p-1022 / 16.0", should signal both
+inexact and underflow. The cpu implementations and ieee1754
+literature is very clear about this. This is case #2 above.
+
+However, if underflow is set in the trap enable mask, only underflow
+should be set and reported as a trap. That is handled properly by the
+prioritization logic in
+
+arch/sparc{,64}/math-emu/math.c:record_exception().
+
+Based upon a report and test case from Jakub Jelinek.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/asm-sparc/sfp-machine.h | 6 ++++++
+ include/asm-sparc64/sfp-machine.h | 2 ++
+ include/math-emu/op-common.h | 5 ++++-
+ include/math-emu/soft-fp.h | 7 +++++++
+ 4 files changed, 19 insertions(+), 1 deletion(-)
+
+--- a/include/asm-sparc/sfp-machine.h
++++ b/include/asm-sparc/sfp-machine.h
+@@ -203,4 +203,10 @@ extern struct task_struct *last_task_use
+ #define FP_INHIBIT_RESULTS ((last_task_used_math->thread.fsr >> 23) & _fex)
+ #endif
+
++#ifdef CONFIG_SMP
++#define FP_TRAPPING_EXCEPTIONS ((current->thread.fsr >> 23) & 0x1f)
++#else
++#define FP_TRAPPING_EXCEPTIONS ((last_task_used_math->thread.fsr >> 23) & 0x1f)
++#endif
++
+ #endif
+--- a/include/asm-sparc64/sfp-machine.h
++++ b/include/asm-sparc64/sfp-machine.h
+@@ -88,4 +88,6 @@
+
+ #define FP_INHIBIT_RESULTS ((current_thread_info()->xfsr[0] >> 23) & _fex)
+
++#define FP_TRAPPING_EXCEPTIONS ((current_thread_info()->xfsr[0] >> 23) & 0x1f)
++
+ #endif
+--- a/include/math-emu/op-common.h
++++ b/include/math-emu/op-common.h
+@@ -145,13 +145,16 @@ do { \
+ { \
+ X##_e = 1; \
+ _FP_FRAC_SET_##wc(X, _FP_ZEROFRAC_##wc); \
++ FP_SET_EXCEPTION(FP_EX_INEXACT); \
+ } \
+ else \
+ { \
+ X##_e = 0; \
+ _FP_FRAC_SRL_##wc(X, _FP_WORKBITS); \
+- FP_SET_EXCEPTION(FP_EX_UNDERFLOW); \
+ } \
++ if ((FP_CUR_EXCEPTIONS & FP_EX_INEXACT) || \
++ (FP_TRAPPING_EXCEPTIONS & FP_EX_UNDERFLOW)) \
++ FP_SET_EXCEPTION(FP_EX_UNDERFLOW); \
+ } \
+ else \
+ { \
+--- a/include/math-emu/soft-fp.h
++++ b/include/math-emu/soft-fp.h
+@@ -97,12 +97,19 @@
+ #define FP_INHIBIT_RESULTS 0
+ #endif
+
++#ifndef FP_TRAPPING_EXCEPTIONS
++#define FP_TRAPPING_EXCEPTIONS 0
++#endif
++
+ #define FP_SET_EXCEPTION(ex) \
+ _fex |= (ex)
+
+ #define FP_UNSET_EXCEPTION(ex) \
+ _fex &= ~(ex)
+
++#define FP_CUR_EXCEPTIONS \
++ (_fex)
++
+ #define FP_CLEAR_EXCEPTIONS \
+ _fex = 0
+
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Aug 22 14:12:27 2007
+From: Zachary Amsden <zach@vmware.com>
+Date: Wed, 22 Aug 2007 14:02:02 -0700
+Subject: i386: fix lazy mode vmalloc synchronization for paravirt
+To: torvalds@linux-foundation.org
+Cc: zach@vmware.com, akpm@linux-foundation.org, ak@suse.de, jeremy@goop.org, stable@kernel.org
+Message-ID: <200708222102.l7ML22xn004152@imap1.linux-foundation.org>
+
+
+From: Zachary Amsden <zach@vmware.com>
+
+Found this looping Ubuntu installs with VMI.
+
+If unlucky enough to hit a vmalloc sync fault during a lazy mode
+operation (from an IRQ handler for a module which was not yet populated
+in current page directory, or from inside copy_one_pte, which touches
+swap_map, and hit in an unused 4M region), the required PDE update would
+never get flushed, causing an infinite page fault loop.
+
+This bug affects any paravirt-ops backend which uses lazy updates, I
+believe that makes it a bug in Xen, VMI and lguest. It only happens on
+LOWMEM kernels.
+
+
+Touching vmalloc memory in the middle of a lazy mode update can generate a
+kernel PDE update, which must be flushed immediately. The fix is to leave
+lazy mode when doing a vmalloc sync.
+
+Signed-off-by: Zachary Amsden <zach@vmware.com>
+Cc: Andi Kleen <ak@suse.de>
+Cc: Jeremy Fitzhardinge <jeremy@goop.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/i386/mm/fault.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/i386/mm/fault.c
++++ b/arch/i386/mm/fault.c
+@@ -249,9 +249,10 @@ static inline pmd_t *vmalloc_sync_one(pg
+ pmd_k = pmd_offset(pud_k, address);
+ if (!pmd_present(*pmd_k))
+ return NULL;
+- if (!pmd_present(*pmd))
++ if (!pmd_present(*pmd)) {
+ set_pmd(pmd, *pmd_k);
+- else
++ arch_flush_lazy_mmu_mode();
++ } else
+ BUG_ON(pmd_page(*pmd) != pmd_page(*pmd_k));
+ return pmd_k;
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Aug 21 21:01:16 2007
+From: Wei Yongjun <yjwei@cn.fujitsu.com>
+Date: Tue, 21 Aug 2007 21:01:01 -0700 (PDT)
+Subject: IPV6: Fix kernel panic while send SCTP data with IP fragments
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070821.210101.17863194.davem@davemloft.net>
+
+
+From: Wei Yongjun <yjwei@cn.fujitsu.com>
+
+If ICMP6 message with "Packet Too Big" is received after send SCTP DATA,
+kernel panic will occur when SCTP DATA is send again.
+
+This is because of a bad dest address when call to skb_copy_bits().
+
+The messages sequence is like this:
+
+Endpoint A Endpoint B
+ <------- SCTP DATA (size=1432)
+ICMP6 message ------->
+(Packet Too Big pmtu=1280)
+ <------- Resend SCTP DATA (size=1432)
+------------kernel panic---------------
+
+ printing eip:
+c05be62a
+*pde = 00000000
+Oops: 0002 [#1]
+SMP
+Modules linked in: scomm l2cap bluetooth ipv6 dm_mirror dm_mod video output sbs battery lp floppy sg i2c_piix4 i2c_core pcnet32 mii button ac parport_pc parport ide_cd cdrom serio_raw mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
+CPU: 0
+EIP: 0060:[<c05be62a>] Not tainted VLI
+EFLAGS: 00010282 (2.6.23-rc2 #1)
+EIP is at skb_copy_bits+0x4f/0x1ef
+eax: 000004d0 ebx: ce12a980 ecx: 00000134 edx: cfd5a880
+esi: c8246858 edi: 00000000 ebp: c0759b14 esp: c0759adc
+ds: 007b es: 007b fs: 00d8 gs: 0000 ss: 0068
+Process swapper (pid: 0, ti=c0759000 task=c06d0340 task.ti=c0713000)
+Stack: c0759b88 c0405867 ce12a980 c8bff838 c789c084 00000000 00000028 cfd5a880
+ d09f1890 000005dc 0000007b ce12a980 cfd5a880 c8bff838 c0759b88 d09bc521
+ 000004d0 fffff96c 00000200 00000100 c0759b50 cfd5a880 00000246 c0759bd4
+Call Trace:
+ [<c0405e1d>] show_trace_log_lvl+0x1a/0x2f
+ [<c0405ecd>] show_stack_log_lvl+0x9b/0xa3
+ [<c040608d>] show_registers+0x1b8/0x289
+ [<c0406271>] die+0x113/0x246
+ [<c0625dbc>] do_page_fault+0x4ad/0x57e
+ [<c0624642>] error_code+0x72/0x78
+ [<d09bc521>] ip6_output+0x8e5/0xab2 [ipv6]
+ [<d09bcec1>] ip6_xmit+0x2ea/0x3a3 [ipv6]
+ [<d0a3f2ca>] sctp_v6_xmit+0x248/0x253 [sctp]
+ [<d0a3c934>] sctp_packet_transmit+0x53f/0x5ae [sctp]
+ [<d0a34bf8>] sctp_outq_flush+0x555/0x587 [sctp]
+ [<d0a34d3c>] sctp_retransmit+0xf8/0x10f [sctp]
+ [<d0a3d183>] sctp_icmp_frag_needed+0x57/0x5b [sctp]
+ [<d0a3ece2>] sctp_v6_err+0xcd/0x148 [sctp]
+ [<d09cf1ce>] icmpv6_notify+0xe6/0x167 [ipv6]
+ [<d09d009a>] icmpv6_rcv+0x7d7/0x849 [ipv6]
+ [<d09be240>] ip6_input+0x1dc/0x310 [ipv6]
+ [<d09be965>] ipv6_rcv+0x294/0x2df [ipv6]
+ [<c05c3789>] netif_receive_skb+0x2d2/0x335
+ [<c05c5733>] process_backlog+0x7f/0xd0
+ [<c05c58f6>] net_rx_action+0x96/0x17e
+ [<c042e722>] __do_softirq+0x64/0xcd
+ [<c0406f37>] do_softirq+0x5c/0xac
+ =======================
+Code: 00 00 29 ca 89 d0 2b 45 e0 89 55 ec 85 c0 7e 35 39 45 08 8b 55 e4 0f 4e 45 08 8b 75 e0 8b 7d dc 89 c1 c1 e9 02 03 b2 a0 00 00 00 <f3> a5 89 c1 83 e1 03 74 02 f3 a4 29 45 08 0f 84 7b 01 00 00 01
+EIP: [<c05be62a>] skb_copy_bits+0x4f/0x1ef SS:ESP 0068:c0759adc
+Kernel panic - not syncing: Fatal exception in interrupt
+
+Arnaldo says:
+====================
+Thanks! I'm to blame for this one, problem was introduced in:
+
+b0e380b1d8a8e0aca215df97702f99815f05c094
+
+ /*
+ * Copy a block of the IP datagram.
+ */
+- if (skb_copy_bits(skb, ptr, frag->h.raw, len))
++ if (skb_copy_bits(skb, ptr, skb_transport_header(skb),
+len))
+ BUG();
+ left -= len;
+====================
+
+Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
+Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ip6_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -790,7 +790,7 @@ slow_path:
+ /*
+ * Copy a block of the IP datagram.
+ */
+- if (skb_copy_bits(skb, ptr, skb_transport_header(skb), len))
++ if (skb_copy_bits(skb, ptr, skb_transport_header(frag), len))
+ BUG();
+ left -= len;
+
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Aug 21 21:02:39 2007
+Author: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Date: Tue, 21 Aug 2007 21:02:27 -0700 (PDT)
+Subject: IPv6: Invalid semicolon after if statement
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070821.210227.68041458.davem@davemloft.net>
+
+
+Author: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+
+A similar fix to netfilter from Eric Dumazet inspired me to
+look around a bit by using some grep/sed stuff as looking for
+this kind of bugs seemed easy to automate. This is one of them
+I found where it looks like this semicolon is not valid.
+
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -825,7 +825,7 @@ static int ipv6_getsockopt_sticky(struct
+ return 0;
+
+ len = min_t(unsigned int, len, ipv6_optlen(hdr));
+- if (copy_to_user(optval, hdr, len));
++ if (copy_to_user(optval, hdr, len))
+ return -EFAULT;
+ return ipv6_optlen(hdr);
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Aug 21 21:09:22 2007
+Author: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 21 Aug 2007 21:09:15 -0700 (PDT)
+Subject: NET: Fix missing rcu unlock in __sock_create()
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070821.210915.02298604.davem@davemloft.net>
+
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[NET]: Fix unbalanced rcu_read_unlock in __sock_create
+
+The recent RCU work created an unbalanced rcu_read_unlock
+in __sock_create. This patch fixes that. Reported by
+oleg 123.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1169,7 +1169,7 @@ static int __sock_create(int family, int
+ module_put(pf->owner);
+ err = security_socket_post_create(sock, family, type, protocol, kern);
+ if (err)
+- goto out_release;
++ goto out_sock_release;
+ *res = sock;
+
+ return 0;
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Aug 21 21:05:24 2007
+Author: Chuck Ebbert <cebbert@redhat.com>
+Date: Tue, 21 Aug 2007 21:05:14 -0700 (PDT)
+Subject: Netfilter: Missing Kbuild entry for netfilter
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070821.210514.10298205.davem@davemloft.net>
+
+
+Author: Chuck Ebbert <cebbert@redhat.com>
+
+Add xt_statistic.h to the list of headers to install.
+
+Apparently needed to build newer versions of iptables.
+
+Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/netfilter/Kbuild | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/linux/netfilter/Kbuild
++++ b/include/linux/netfilter/Kbuild
+@@ -28,6 +28,7 @@ header-y += xt_policy.h
+ header-y += xt_realm.h
+ header-y += xt_sctp.h
+ header-y += xt_state.h
++header-y += xt_statistic.h
+ header-y += xt_string.h
+ header-y += xt_tcpmss.h
+ header-y += xt_tcpudp.h
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Aug 21 21:20:37 2007
+From: David Miller <davem@davemloft.net>
+Date: Tue, 21 Aug 2007 21:20:25 -0700 (PDT)
+Subject: PPP: Fix PPP buffer sizing.
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070821.212025.107251526.davem@davemloft.net>
+
+
+From: Konstantin Sharlaimov <konstantin.sharlaimov@gmail.com>
+
+This patch addresses the issue with "osize too small" errors in mppe
+encryption. The patch fixes the issue with wrong output buffer size
+being passed to ppp decompression routine.
+
+--------------------
+As pointed out by Suresh Mahalingam, the issue addressed by
+ppp-fix-osize-too-small-errors-when-decoding patch is not fully resolved yet.
+The size of allocated output buffer is correct, however it size passed to
+ppp->rcomp->decompress in ppp_generic.c if wrong. The patch fixes that.
+--------------------
+
+Signed-off-by: Konstantin Sharlaimov <konstantin.sharlaimov@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/ppp_generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ppp_generic.c
++++ b/drivers/net/ppp_generic.c
+@@ -1726,7 +1726,7 @@ ppp_decompress_frame(struct ppp *ppp, st
+ }
+ /* the decompressor still expects the A/C bytes in the hdr */
+ len = ppp->rcomp->decompress(ppp->rc_state, skb->data - 2,
+- skb->len + 2, ns->data, ppp->mru + PPP_HDRLEN);
++ skb->len + 2, ns->data, obuff_size);
+ if (len < 0) {
+ /* Pass the compressed frame to pppd as an
+ error indication. */
ocfs2-fix-bad-source-start-calculation-during-kernel-writes.patch
net-share-correct-feature-code-between-bridging-and-bonding.patch
sky2-don-t-clear-phy-power-bits.patch
+uml-fix-previous-request-size-limit-fix.patch
+i386-fix-lazy-mode-vmalloc-synchronization-for-paravirt.patch
+signalfd-fix-interaction-with-posix-timers.patch
+signalfd-make-it-group-wide-fix-posix-timers-scheduling.patch
+dccp-fix-dccp-gfp_kernel-allocation-in-atomic-context.patch
+ipv6-fix-kernel-panic-while-send-sctp-data-with-ip-fragments.patch
+ipv6-invalid-semicolon-after-if-statement.patch
+fix-soft-fp-underflow-handling.patch
+netfilter-missing-kbuild-entry-for-netfilter.patch
+snap-fix-snap-protocol-header-accesses.patch
+net-fix-missing-rcu-unlock-in-__sock_create.patch
+sparc64-fix-sparc64-task-stack-traces.patch
+sparc64-fix-sparc64-pci-config-accesses-on-sun4u.patch
+tcp-do-not-autobind-ports-for-tcp-sockets.patch
+tcp-fix-tcp-rate-halving-on-bidirectional-flows.patch
+tcp-fix-tcp-handling-of-sack-in-bidirectional-flows.patch
+ppp-fix-ppp-buffer-sizing.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Aug 22 14:13:21 2007
+From: Oleg Nesterov <oleg@tv-sign.ru>
+Date: Wed, 22 Aug 2007 14:01:42 -0700
+Subject: signalfd: fix interaction with posix-timers
+To: torvalds@linux-foundation.org
+Cc: mtk-manpages@gmx.net, benh@kernel.crashing.org, oleg@tv-sign.ru, stable@kernel.org, tglx@linutronix.de, davidel@xmailserver.org, akpm@linux-foundation.org, mingo@elte.hu, roland@redhat.com
+Message-ID: <200708222101.l7ML1h3K004059@imap1.linux-foundation.org>
+
+
+From: Oleg Nesterov <oleg@tv-sign.ru>
+
+dequeue_signal:
+
+ if (__SI_TIMER) {
+ spin_unlock(&tsk->sighand->siglock);
+ do_schedule_next_timer(info);
+ spin_lock(&tsk->sighand->siglock);
+ }
+
+Unless tsk == curent, this is absolutely unsafe: nothing prevents tsk from
+exiting. If signalfd was passed to another process, do_schedule_next_timer()
+is just wrong.
+
+Add yet another "tsk == current" check into dequeue_signal().
+
+This patch fixes an oopsable bug, but breaks the scheduling of posix timers
+if the shared __SI_TIMER signal was fetched via signalfd attached to another
+sub-thread. Mostly fixed by the next patch.
+
+Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Davide Libenzi <davidel@xmailserver.org>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Michael Kerrisk <mtk-manpages@gmx.net>
+Cc: Roland McGrath <roland@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/signal.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -368,7 +368,7 @@ int dequeue_signal(struct task_struct *t
+ /* We only dequeue private signals from ourselves, we don't let
+ * signalfd steal them
+ */
+- if (tsk == current)
++ if (likely(tsk == current))
+ signr = __dequeue_signal(&tsk->pending, mask, info);
+ if (!signr) {
+ signr = __dequeue_signal(&tsk->signal->shared_pending,
+@@ -415,7 +415,7 @@ int dequeue_signal(struct task_struct *t
+ if (!(tsk->signal->flags & SIGNAL_GROUP_EXIT))
+ tsk->signal->flags |= SIGNAL_STOP_DEQUEUED;
+ }
+- if ( signr &&
++ if (signr && likely(tsk == current) &&
+ ((info->si_code & __SI_MASK) == __SI_TIMER) &&
+ info->si_sys_private){
+ /*
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Aug 22 14:13:21 2007
+From: Oleg Nesterov <oleg@tv-sign.ru>
+Date: Wed, 22 Aug 2007 14:01:48 -0700
+Subject: signalfd: make it group-wide, fix posix-timers scheduling
+To: torvalds@linux-foundation.org
+Cc: mtk-manpages@gmx.net, benh@kernel.crashing.org, oleg@tv-sign.ru, stable@kernel.org, tglx@linutronix.de, davidel@xmailserver.org, akpm@linux-foundation.org, mingo@elte.hu, roland@redhat.com
+Message-ID: <200708222101.l7ML1mI3004063@imap1.linux-foundation.org>
+
+
+From: Oleg Nesterov <oleg@tv-sign.ru>
+
+With this patch any thread can dequeue its own private signals via signalfd,
+even if it was created by another sub-thread.
+
+To do so, we pass "current" to dequeue_signal() if the caller is from the same
+thread group. This also fixes the scheduling of posix timers broken by the
+previous patch.
+
+If the caller doesn't belong to this thread group, we can't handle __SI_TIMER
+case properly anyway. Perhaps we should forbid the cross-process signalfd usage
+and convert ctx->tsk to ctx->sighand.
+
+Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Davide Libenzi <davidel@xmailserver.org>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Michael Kerrisk <mtk-manpages@gmx.net>
+Cc: Roland McGrath <roland@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/exec.c | 9 ++-------
+ fs/signalfd.c | 14 ++++++++++----
+ 2 files changed, 12 insertions(+), 11 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -586,18 +586,12 @@ static int de_thread(struct task_struct
+ int count;
+
+ /*
+- * Tell all the sighand listeners that this sighand has
+- * been detached. The signalfd_detach() function grabs the
+- * sighand lock, if signal listeners are present on the sighand.
+- */
+- signalfd_detach(tsk);
+-
+- /*
+ * If we don't share sighandlers, then we aren't sharing anything
+ * and we can just re-use it all.
+ */
+ if (atomic_read(&oldsighand->count) <= 1) {
+ BUG_ON(atomic_read(&sig->count) != 1);
++ signalfd_detach(tsk);
+ exit_itimers(sig);
+ return 0;
+ }
+@@ -736,6 +730,7 @@ static int de_thread(struct task_struct
+ sig->flags = 0;
+
+ no_thread_group:
++ signalfd_detach(tsk);
+ exit_itimers(sig);
+ if (leader)
+ release_task(leader);
+--- a/fs/signalfd.c
++++ b/fs/signalfd.c
+@@ -56,12 +56,18 @@ static int signalfd_lock(struct signalfd
+ sighand = lock_task_sighand(lk->tsk, &lk->flags);
+ rcu_read_unlock();
+
+- if (sighand && !ctx->tsk) {
++ if (!sighand)
++ return 0;
++
++ if (!ctx->tsk) {
+ unlock_task_sighand(lk->tsk, &lk->flags);
+- sighand = NULL;
++ return 0;
+ }
+
+- return sighand != NULL;
++ if (lk->tsk->tgid == current->tgid)
++ lk->tsk = current;
++
++ return 1;
+ }
+
+ static void signalfd_unlock(struct signalfd_lockctx *lk)
+@@ -331,7 +337,7 @@ asmlinkage long sys_signalfd(int ufd, si
+
+ init_waitqueue_head(&ctx->wqh);
+ ctx->sigmask = sigmask;
+- ctx->tsk = current;
++ ctx->tsk = current->group_leader;
+
+ sighand = current->sighand;
+ /*
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Aug 21 21:07:37 2007
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 21 Aug 2007 21:07:30 -0700 (PDT)
+Subject: SNAP: Fix SNAP protocol header accesses.
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070821.210730.01204785.davem@davemloft.net>
+
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+The snap_rcv code reads 5 bytes so we should make sure that
+we have 5 bytes in the head before proceeding.
+
+Based on diagnosis and fix by Evgeniy Polyakov, reported by
+Alan J. Wylie.
+
+Patch also kills the skb->sk assignment before kfree_skb
+since it's redundant.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/802/psnap.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/net/802/psnap.c
++++ b/net/802/psnap.c
+@@ -55,6 +55,9 @@ static int snap_rcv(struct sk_buff *skb,
+ .type = __constant_htons(ETH_P_SNAP),
+ };
+
++ if (unlikely(!pskb_may_pull(skb, 5)))
++ goto drop;
++
+ rcu_read_lock();
+ proto = find_snap_client(skb_transport_header(skb));
+ if (proto) {
+@@ -62,14 +65,18 @@ static int snap_rcv(struct sk_buff *skb,
+ skb->transport_header += 5;
+ skb_pull_rcsum(skb, 5);
+ rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev);
+- } else {
+- skb->sk = NULL;
+- kfree_skb(skb);
+- rc = 1;
+ }
+-
+ rcu_read_unlock();
++
++ if (unlikely(!proto))
++ goto drop;
++
++out:
+ return rc;
++
++drop:
++ kfree_skb(skb);
++ goto out;
+ }
+
+ /*
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Aug 21 21:12:39 2007
+From: David Miller <davem@davemloft.net>
+Date: Tue, 21 Aug 2007 21:12:32 -0700 (PDT)
+Subject: SPARC64: Fix sparc64 PCI config accesses on sun4u
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070821.211232.27783208.davem@davemloft.net>
+
+
+From: David Miller <davem@davemloft.net>
+
+[SPARC64]: Fix sun4u PCI config space accesses on sun4u.
+
+Don't provide fake PCI config space for sun4u.
+
+Also, put back the funny host controller space handling that
+at least Sabre needs. You have to read PCI host controller
+registers at their nature size otherwise you get zeros instead
+of correct values.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/kernel/pci.c | 15 +++-
+ arch/sparc64/kernel/pci_common.c | 123 ++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 126 insertions(+), 12 deletions(-)
+
+--- a/arch/sparc64/kernel/pci.c
++++ b/arch/sparc64/kernel/pci.c
+@@ -422,10 +422,15 @@ struct pci_dev *of_create_pci_dev(struct
+ dev->multifunction = 0; /* maybe a lie? */
+
+ if (host_controller) {
+- dev->vendor = 0x108e;
+- dev->device = 0x8000;
+- dev->subsystem_vendor = 0x0000;
+- dev->subsystem_device = 0x0000;
++ if (tlb_type != hypervisor) {
++ pci_read_config_word(dev, PCI_VENDOR_ID,
++ &dev->vendor);
++ pci_read_config_word(dev, PCI_DEVICE_ID,
++ &dev->device);
++ } else {
++ dev->vendor = PCI_VENDOR_ID_SUN;
++ dev->device = 0x80f0;
++ }
+ dev->cfg_size = 256;
+ dev->class = PCI_CLASS_BRIDGE_HOST << 8;
+ sprintf(pci_name(dev), "%04x:%02x:%02x.%d", pci_domain_nr(bus),
+@@ -817,7 +822,7 @@ int pci_host_bridge_read_pci_cfg(struct
+ {
+ static u8 fake_pci_config[] = {
+ 0x8e, 0x10, /* Vendor: 0x108e (Sun) */
+- 0x00, 0x80, /* Device: 0x8000 (PBM) */
++ 0xf0, 0x80, /* Device: 0x80f0 (Fire) */
+ 0x46, 0x01, /* Command: 0x0146 (SERR, PARITY, MASTER, MEM) */
+ 0xa0, 0x22, /* Status: 0x02a0 (DEVSEL_MED, FB2B, 66MHZ) */
+ 0x00, 0x00, 0x00, 0x06, /* Class: 0x06000000 host bridge */
+--- a/arch/sparc64/kernel/pci_common.c
++++ b/arch/sparc64/kernel/pci_common.c
+@@ -44,6 +44,67 @@ static void *sun4u_config_mkaddr(struct
+ return (void *) (pbm->config_space | bus | devfn | reg);
+ }
+
++/* At least on Sabre, it is necessary to access all PCI host controller
++ * registers at their natural size, otherwise zeros are returned.
++ * Strange but true, and I see no language in the UltraSPARC-IIi
++ * programmer's manual that mentions this even indirectly.
++ */
++static int sun4u_read_pci_cfg_host(struct pci_pbm_info *pbm,
++ unsigned char bus, unsigned int devfn,
++ int where, int size, u32 *value)
++{
++ u32 tmp32, *addr;
++ u16 tmp16;
++ u8 tmp8;
++
++ addr = sun4u_config_mkaddr(pbm, bus, devfn, where);
++ if (!addr)
++ return PCIBIOS_SUCCESSFUL;
++
++ switch (size) {
++ case 1:
++ if (where < 8) {
++ unsigned long align = (unsigned long) addr;
++
++ align &= ~1;
++ pci_config_read16((u16 *)align, &tmp16);
++ if (where & 1)
++ *value = tmp16 >> 8;
++ else
++ *value = tmp16 & 0xff;
++ } else {
++ pci_config_read8((u8 *)addr, &tmp8);
++ *value = (u32) tmp8;
++ }
++ break;
++
++ case 2:
++ if (where < 8) {
++ pci_config_read16((u16 *)addr, &tmp16);
++ *value = (u32) tmp16;
++ } else {
++ pci_config_read8((u8 *)addr, &tmp8);
++ *value = (u32) tmp8;
++ pci_config_read8(((u8 *)addr) + 1, &tmp8);
++ *value |= ((u32) tmp8) << 8;
++ }
++ break;
++
++ case 4:
++ tmp32 = 0xffffffff;
++ sun4u_read_pci_cfg_host(pbm, bus, devfn,
++ where, 2, &tmp32);
++ *value = tmp32;
++
++ tmp32 = 0xffffffff;
++ sun4u_read_pci_cfg_host(pbm, bus, devfn,
++ where + 2, 2, &tmp32);
++ *value |= tmp32 << 16;
++ break;
++ }
++ return PCIBIOS_SUCCESSFUL;
++}
++
+ static int sun4u_read_pci_cfg(struct pci_bus *bus_dev, unsigned int devfn,
+ int where, int size, u32 *value)
+ {
+@@ -53,10 +114,6 @@ static int sun4u_read_pci_cfg(struct pci
+ u16 tmp16;
+ u8 tmp8;
+
+- if (bus_dev == pbm->pci_bus && devfn == 0x00)
+- return pci_host_bridge_read_pci_cfg(bus_dev, devfn, where,
+- size, value);
+-
+ switch (size) {
+ case 1:
+ *value = 0xff;
+@@ -69,6 +126,10 @@ static int sun4u_read_pci_cfg(struct pci
+ break;
+ }
+
++ if (!bus_dev->number && !PCI_SLOT(devfn))
++ return sun4u_read_pci_cfg_host(pbm, bus, devfn, where,
++ size, value);
++
+ addr = sun4u_config_mkaddr(pbm, bus, devfn, where);
+ if (!addr)
+ return PCIBIOS_SUCCESSFUL;
+@@ -101,6 +162,53 @@ static int sun4u_read_pci_cfg(struct pci
+ return PCIBIOS_SUCCESSFUL;
+ }
+
++static int sun4u_write_pci_cfg_host(struct pci_pbm_info *pbm,
++ unsigned char bus, unsigned int devfn,
++ int where, int size, u32 value)
++{
++ u32 *addr;
++
++ addr = sun4u_config_mkaddr(pbm, bus, devfn, where);
++ if (!addr)
++ return PCIBIOS_SUCCESSFUL;
++
++ switch (size) {
++ case 1:
++ if (where < 8) {
++ unsigned long align = (unsigned long) addr;
++ u16 tmp16;
++
++ align &= ~1;
++ pci_config_read16((u16 *)align, &tmp16);
++ if (where & 1) {
++ tmp16 &= 0x00ff;
++ tmp16 |= value << 8;
++ } else {
++ tmp16 &= 0xff00;
++ tmp16 |= value;
++ }
++ pci_config_write16((u16 *)align, tmp16);
++ } else
++ pci_config_write8((u8 *)addr, value);
++ break;
++ case 2:
++ if (where < 8) {
++ pci_config_write16((u16 *)addr, value);
++ } else {
++ pci_config_write8((u8 *)addr, value & 0xff);
++ pci_config_write8(((u8 *)addr) + 1, value >> 8);
++ }
++ break;
++ case 4:
++ sun4u_write_pci_cfg_host(pbm, bus, devfn,
++ where, 2, value & 0xffff);
++ sun4u_write_pci_cfg_host(pbm, bus, devfn,
++ where + 2, 2, value >> 16);
++ break;
++ }
++ return PCIBIOS_SUCCESSFUL;
++}
++
+ static int sun4u_write_pci_cfg(struct pci_bus *bus_dev, unsigned int devfn,
+ int where, int size, u32 value)
+ {
+@@ -108,9 +216,10 @@ static int sun4u_write_pci_cfg(struct pc
+ unsigned char bus = bus_dev->number;
+ u32 *addr;
+
+- if (bus_dev == pbm->pci_bus && devfn == 0x00)
+- return pci_host_bridge_write_pci_cfg(bus_dev, devfn, where,
+- size, value);
++ if (!bus_dev->number && !PCI_SLOT(devfn))
++ return sun4u_write_pci_cfg_host(pbm, bus, devfn, where,
++ size, value);
++
+ addr = sun4u_config_mkaddr(pbm, bus, devfn, where);
+ if (!addr)
+ return PCIBIOS_SUCCESSFUL;
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Aug 21 21:11:19 2007
+From: David Miller <davem@davemloft.net>
+Date: Tue, 21 Aug 2007 21:11:14 -0700 (PDT)
+Subject: SPARC64: Fix sparc64 task stack traces.
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070821.211114.68156127.davem@davemloft.net>
+
+
+From: David Miller <davem@davemloft.net>
+
+It didn't handle that case at all, and now dump_stack()
+can be implemented directly as show_stack(current, NULL)
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/kernel/traps.c | 18 +++++++++++-------
+ arch/sparc64/mm/fault.c | 5 +----
+ 2 files changed, 12 insertions(+), 11 deletions(-)
+
+--- a/arch/sparc64/kernel/traps.c
++++ b/arch/sparc64/kernel/traps.c
+@@ -2134,12 +2134,20 @@ static void user_instruction_dump (unsig
+ void show_stack(struct task_struct *tsk, unsigned long *_ksp)
+ {
+ unsigned long pc, fp, thread_base, ksp;
+- void *tp = task_stack_page(tsk);
++ struct thread_info *tp;
+ struct reg_window *rw;
+ int count = 0;
+
+ ksp = (unsigned long) _ksp;
+-
++ if (!tsk)
++ tsk = current;
++ tp = task_thread_info(tsk);
++ if (ksp == 0UL) {
++ if (tsk == current)
++ asm("mov %%fp, %0" : "=r" (ksp));
++ else
++ ksp = tp->ksp;
++ }
+ if (tp == current_thread_info())
+ flushw_all();
+
+@@ -2168,11 +2176,7 @@ void show_stack(struct task_struct *tsk,
+
+ void dump_stack(void)
+ {
+- unsigned long *ksp;
+-
+- __asm__ __volatile__("mov %%fp, %0"
+- : "=r" (ksp));
+- show_stack(current, ksp);
++ show_stack(current, NULL);
+ }
+
+ EXPORT_SYMBOL(dump_stack);
+--- a/arch/sparc64/mm/fault.c
++++ b/arch/sparc64/mm/fault.c
+@@ -112,15 +112,12 @@ static void __kprobes unhandled_fault(un
+
+ static void bad_kernel_pc(struct pt_regs *regs, unsigned long vaddr)
+ {
+- unsigned long *ksp;
+-
+ printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
+ regs->tpc);
+ printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
+ print_symbol("RPC: <%s>\n", regs->u_regs[15]);
+ printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
+- __asm__("mov %%sp, %0" : "=r" (ksp));
+- show_stack(current, ksp);
++ dump_stack();
+ unhandled_fault(regs->tpc, current, regs);
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Aug 21 21:14:48 2007
+From: David Miller <davem@davemloft.net>
+Date: Tue, 21 Aug 2007 21:14:45 -0700 (PDT)
+Subject: TCP: Do not autobind ports for TCP sockets
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070821.211445.57159185.davem@davemloft.net>
+
+From: David Miller <davem@davemloft.net>
+
+[TCP]: Invoke tcp_sendmsg() directly, do not use inet_sendmsg().
+
+As discovered by Evegniy Polyakov, if we try to sendmsg after
+a connection reset, we can do incredibly stupid things.
+
+The core issue is that inet_sendmsg() tries to autobind the
+socket, but we should never do that for TCP. Instead we should
+just go straight into TCP's sendmsg() code which will do all
+of the necessary state and pending socket error checks.
+
+TCP's sendpage already directly vectors to tcp_sendpage(), so this
+merely brings sendmsg() in line with that.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/tcp.h | 2 +-
+ net/ipv4/af_inet.c | 2 +-
+ net/ipv4/tcp.c | 3 ++-
+ net/ipv4/tcp_ipv4.c | 1 -
+ net/ipv6/af_inet6.c | 2 +-
+ net/ipv6/tcp_ipv6.c | 1 -
+ 6 files changed, 5 insertions(+), 6 deletions(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -281,7 +281,7 @@ extern int tcp_v4_remember_stamp(struc
+
+ extern int tcp_v4_tw_remember_stamp(struct inet_timewait_sock *tw);
+
+-extern int tcp_sendmsg(struct kiocb *iocb, struct sock *sk,
++extern int tcp_sendmsg(struct kiocb *iocb, struct socket *sock,
+ struct msghdr *msg, size_t size);
+ extern ssize_t tcp_sendpage(struct socket *sock, struct page *page, int offset, size_t size, int flags);
+
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -831,7 +831,7 @@ const struct proto_ops inet_stream_ops =
+ .shutdown = inet_shutdown,
+ .setsockopt = sock_common_setsockopt,
+ .getsockopt = sock_common_getsockopt,
+- .sendmsg = inet_sendmsg,
++ .sendmsg = tcp_sendmsg,
+ .recvmsg = sock_common_recvmsg,
+ .mmap = sock_no_mmap,
+ .sendpage = tcp_sendpage,
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -658,9 +658,10 @@ static inline int select_size(struct soc
+ return tmp;
+ }
+
+-int tcp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
++int tcp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+ size_t size)
+ {
++ struct sock *sk = sock->sk;
+ struct iovec *iov;
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct sk_buff *skb;
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -2434,7 +2434,6 @@ struct proto tcp_prot = {
+ .shutdown = tcp_shutdown,
+ .setsockopt = tcp_setsockopt,
+ .getsockopt = tcp_getsockopt,
+- .sendmsg = tcp_sendmsg,
+ .recvmsg = tcp_recvmsg,
+ .backlog_rcv = tcp_v4_do_rcv,
+ .hash = tcp_v4_hash,
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -487,7 +487,7 @@ const struct proto_ops inet6_stream_ops
+ .shutdown = inet_shutdown, /* ok */
+ .setsockopt = sock_common_setsockopt, /* ok */
+ .getsockopt = sock_common_getsockopt, /* ok */
+- .sendmsg = inet_sendmsg, /* ok */
++ .sendmsg = tcp_sendmsg, /* ok */
+ .recvmsg = sock_common_recvmsg, /* ok */
+ .mmap = sock_no_mmap,
+ .sendpage = tcp_sendpage,
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -2135,7 +2135,6 @@ struct proto tcpv6_prot = {
+ .shutdown = tcp_shutdown,
+ .setsockopt = tcp_setsockopt,
+ .getsockopt = tcp_getsockopt,
+- .sendmsg = tcp_sendmsg,
+ .recvmsg = tcp_recvmsg,
+ .backlog_rcv = tcp_v6_do_rcv,
+ .hash = tcp_v6_hash,
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Aug 21 21:18:16 2007
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Date: Tue, 21 Aug 2007 21:18:07 -0700 (PDT)
+Subject: TCP: Fix TCP handling of SACK in bidirectional flows.
+To: stable@kernel.org
+Cc: bunk@stuata.de
+Message-ID: <20070821.211807.35355759.davem@davemloft.net>
+
+
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+
+It's possible that new SACK blocks that should trigger new LOST
+markings arrive with new data (which previously made is_dupack
+false). In addition, I think this fixes a case where we get
+a cumulative ACK with enough SACK blocks to trigger the fast
+recovery (is_dupack would be false there too).
+
+I'm not completely pleased with this solution because readability
+of the code is somewhat questionable as 'is_dupack' in SACK case
+is no longer about dupacks only but would mean something like
+'lost_marker_work_todo' too... But because of Eifel stuff done
+in CA_Recovery, the FLAG_DATA_SACKED check cannot be placed to
+the if statement which seems attractive solution. Nevertheless,
+I didn't like adding another variable just for that either... :-)
+
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp_input.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -2112,7 +2112,10 @@ tcp_fastretrans_alert(struct sock *sk, u
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct tcp_sock *tp = tcp_sk(sk);
+- int is_dupack = (tp->snd_una == prior_snd_una && !(flag&FLAG_NOT_DUP));
++ int is_dupack = (tp->snd_una == prior_snd_una &&
++ (!(flag&FLAG_NOT_DUP) ||
++ ((flag&FLAG_DATA_SACKED) &&
++ (tp->fackets_out > tp->reordering))));
+
+ /* Some technical things:
+ * 1. Reno does not count dupacks (sacked_out) automatically. */
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Aug 21 21:17:09 2007
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Date: Tue, 21 Aug 2007 21:17:03 -0700 (PDT)
+Subject: TCP: Fix TCP rate-halving on bidirectional flows.
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070821.211703.107684703.davem@davemloft.net>
+
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+
+Actually, the ratehalving seems to work too well, as cwnd is
+reduced on every second ACK even though the packets in flight
+remains unchanged. Recoveries in a bidirectional flows suffer
+quite badly because of this, both NewReno and SACK are affected.
+
+After this patch, rate halving is performed for ACK only if
+packets in flight was supposedly changed too.
+
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp_input.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1851,19 +1851,22 @@ static inline u32 tcp_cwnd_min(const str
+ }
+
+ /* Decrease cwnd each second ack. */
+-static void tcp_cwnd_down(struct sock *sk)
++static void tcp_cwnd_down(struct sock *sk, int flag)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+ int decr = tp->snd_cwnd_cnt + 1;
+
+- tp->snd_cwnd_cnt = decr&1;
+- decr >>= 1;
++ if ((flag&FLAG_FORWARD_PROGRESS) ||
++ (IsReno(tp) && !(flag&FLAG_NOT_DUP))) {
++ tp->snd_cwnd_cnt = decr&1;
++ decr >>= 1;
+
+- if (decr && tp->snd_cwnd > tcp_cwnd_min(sk))
+- tp->snd_cwnd -= decr;
++ if (decr && tp->snd_cwnd > tcp_cwnd_min(sk))
++ tp->snd_cwnd -= decr;
+
+- tp->snd_cwnd = min(tp->snd_cwnd, tcp_packets_in_flight(tp)+1);
+- tp->snd_cwnd_stamp = tcp_time_stamp;
++ tp->snd_cwnd = min(tp->snd_cwnd, tcp_packets_in_flight(tp)+1);
++ tp->snd_cwnd_stamp = tcp_time_stamp;
++ }
+ }
+
+ /* Nothing was retransmitted or returned timestamp is less
+@@ -2060,7 +2063,7 @@ static void tcp_try_to_open(struct sock
+ }
+ tcp_moderate_cwnd(tp);
+ } else {
+- tcp_cwnd_down(sk);
++ tcp_cwnd_down(sk, flag);
+ }
+ }
+
+@@ -2260,7 +2263,7 @@ tcp_fastretrans_alert(struct sock *sk, u
+
+ if (is_dupack || tcp_head_timedout(sk))
+ tcp_update_scoreboard(sk);
+- tcp_cwnd_down(sk);
++ tcp_cwnd_down(sk, flag);
+ tcp_xmit_retransmit_queue(sk);
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Aug 22 14:12:27 2007
+From: Jeff Dike <jdike@addtoit.com>
+Date: Wed, 22 Aug 2007 14:01:53 -0700
+Subject: uml: fix previous request size limit fix
+To: torvalds@linux-foundation.org
+Cc: akpm@linux-foundation.org, jdike@linux.intel.com, jdike@addtoit.com, stable@kernel.org
+Message-ID: <200708222101.l7ML1sQn004096@imap1.linux-foundation.org>
+
+
+From: Jeff Dike <jdike@addtoit.com>
+
+The previous patch which limited the number of sectors in a single request
+to a COWed device was correct in concept, but the limit was implemented in
+the wrong place.
+
+By putting it in ubd_add, it covered the cases where the COWing was
+specified on the command line. However, when the command line only has the
+COW file specified, the fact that it's a COW file isn't known until it's
+opened, so the limit is missed in these cases.
+
+This patch moves the sector limit from ubd_add to ubd_open_dev.
+
+Signed-off-by: Jeff Dike <jdike@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/um/drivers/ubd_kern.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/um/drivers/ubd_kern.c
++++ b/arch/um/drivers/ubd_kern.c
+@@ -612,6 +612,8 @@ static int ubd_open_dev(struct ubd *ubd_
+ ubd_dev->fd = fd;
+
+ if(ubd_dev->cow.file != NULL){
++ blk_queue_max_sectors(ubd_dev->queue, 8 * sizeof(long));
++
+ err = -ENOMEM;
+ ubd_dev->cow.bitmap = (void *) vmalloc(ubd_dev->cow.bitmap_len);
+ if(ubd_dev->cow.bitmap == NULL){
+@@ -712,8 +714,6 @@ static int ubd_add(int n, char **error_o
+ ubd_dev->queue->queuedata = ubd_dev;
+
+ blk_queue_max_hw_segments(ubd_dev->queue, MAX_SG);
+- if(ubd_dev->cow.file != NULL)
+- blk_queue_max_sectors(ubd_dev->queue, 8 * sizeof(long));
+ err = ubd_disk_register(MAJOR_NR, ubd_dev->size, n, &ubd_gendisk[n]);
+ if(err){
+ *error_out = "Failed to register device";
projects / thirdparty / kernel / stable-queue.git / commitdiff
