--- /dev/null
+From 364ee7f3b15ba760d421573990d96bf27ce342ee Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 20 Jan 2009 14:06:49 -0800
+Subject: ipv6: Fix fib6_dump_table walker leak
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit: 7891cc818967e186be68caac32d84bfd0a3f0bd2 ]
+
+When a fib6 table dump is prematurely ended, we won't unlink
+its walker from the list. This causes all sorts of grief for
+other users of the list later.
+
+Reported-by: Chris Caputo <ccaputo@alt.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ip6_fib.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -298,6 +298,10 @@ static void fib6_dump_end(struct netlink
+ struct fib6_walker_t *w = (void*)cb->args[2];
+
+ if (w) {
++ if (cb->args[4]) {
++ cb->args[4] = 0;
++ fib6_walker_unlink(w);
++ }
+ cb->args[2] = 0;
+ kfree(w);
+ }
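Review bot: `cb->args[4]` now decides in fib6_dump_end whether the walker is unlinked before `kfree(w)`, yet nothing at this site says what slot 4 means. If the flag and the list ever disagree, the walker is freed while still linked, and later users of the list would follow a pointer into freed memory. A comment at the test would record the invariant: `/* args[4] != 0: walker is still on the walker list, unlink before freeing */`. The second hunk (fib6_dump_table) clears the same flag on the continue path, and the code that sets it is outside both hunks.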
+@@ -330,15 +334,12 @@ static int fib6_dump_table(struct fib6_t
+ read_lock_bh(&table->tb6_lock);
+ res = fib6_walk_continue(w);
+ read_unlock_bh(&table->tb6_lock);
+- if (res != 0) {
+- if (res < 0)
+- fib6_walker_unlink(w);
+- goto end;
++ if (res <= 0) {
++ fib6_walker_unlink(w);
++ cb->args[4] = 0;
+ }
+- fib6_walker_unlink(w);
+- cb->args[4] = 0;
+ }
+-end:
++
+ return res;
+ }
+
--- /dev/null
+From d7273aa0d1317dde4c52d1ba734aedf970e574da Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski <jarkao2@gmail.com>
+Date: Tue, 20 Jan 2009 14:08:23 -0800
+Subject: pkt_sched: cls_u32: Fix locking in u32_change()
+
+From: Jarek Poplawski <jarkao2@gmail.com>
+
+[ Upstream commit: 6f57321422e0d359e83c978c2b03db77b967b7d5 ]
+
+New nodes are inserted in u32_change() under rtnl_lock() with wmb(),
+so without tcf_tree_lock() like in other classifiers (e.g. cls_fw).
+This isn't enough without rmb() on the read side, but on the other
+hand adding such barriers doesn't give any savings, so the lock is
+added instead.
+
+Reported-by: m0sia <m0sia@plotinka.ru>
+Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sched/cls_u32.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/cls_u32.c
++++ b/net/sched/cls_u32.c
+@@ -637,8 +637,9 @@ static int u32_change(struct tcf_proto *
+ break;
+
+ n->next = *ins;
+- wmb();
++ tcf_tree_lock(tp);
+ *ins = n;
++ tcf_tree_unlock(tp);
+
+ *arg = (unsigned long)n;
+ return 0;
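Review bot: The lock is taken around a single pointer store and nothing at the site says which reader it protects against. Per the commit message the writer already holds rtnl, so a later reader of this code may take the lock/unlock pair for redundant and drop it. A comment would pin it down: `/* link under the tree lock: the lookup path walks this list without rtnl */` (the reader side is inferred from the commit message, it is not in the hunk). `n->next = *ins` stays outside the lock, which holds only while every writer of `*ins` is serialised by rtnl. u32_change starts and ends outside the hunk.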
--- /dev/null
+From ea9922a627dbb38fdcc42ed1b374a257d0652d35 Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski <jarkao2@gmail.com>
+Date: Tue, 20 Jan 2009 14:06:26 -0800
+Subject: pkt_sched: sch_htb: Fix deadlock in hrtimers triggered by HTB
+
+From: Jarek Poplawski <jarkao2@gmail.com>
+
+[ Upstream commit: none
+
+ This is a quick fix for -stable purposes. Upstream fixes these
+ problems via a large set of invasive hrtimer changes. ]
+
+Most probably there is a (still unproven) race in hrtimers (before
+2.6.29 kernels), which causes a corruption of hrtimers rbtree. This
+patch doesn't fix it, but should let HTB avoid triggering the bug.
+
+Reported-by: Denys Fedoryschenko <denys@visp.net.lb>
+Reported-by: Badalian Vyacheslav <slavon@bigtelecom.ru>
+Reported-by: Chris Caputo <ccaputo@alt.net>
+Tested-by: Badalian Vyacheslav <slavon@bigtelecom.ru>
+Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sched/sch_htb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/sch_htb.c
++++ b/net/sched/sch_htb.c
+@@ -924,6 +924,7 @@ static struct sk_buff *htb_dequeue(struc
+ }
+ }
+ sch->qstats.overlimits++;
++ qdisc_watchdog_cancel(&q->watchdog);
+ qdisc_watchdog_schedule(&q->watchdog, next_event);
+ fin:
+ return skb;
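Review bot: `qdisc_watchdog_cancel()` directly followed by `qdisc_watchdog_schedule()` on the same watchdog reads as redundant and carries no comment, so a later cleanup could remove it and bring the hang back. The commit message explains that this is a workaround for a suspected, unproven hrtimer race in pre-2.6.29 kernels; that explanation belongs at the call site, e.g. `/* Workaround for a suspected hrtimer race (pre-2.6.29): cancel before re-arming; do not remove as redundant */`. htb_dequeue starts outside the hunk.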
--- /dev/null
+From b1b00c2e699d3905305e130a6fe11bd6efae4506 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <florian@openwrt.org>
+Date: Mon, 22 Dec 2008 19:40:38 -0800
+Subject: r6040: bump release number to 0.19
+
+From: Florian Fainelli <florian@openwrt.org>
+
+[ Upstream commit: 4707470ae7441733822efcd680b0ef3971921c4d ]
+
+This patch bumps the release number of the driver.
+
+Signed-off-by: Florian Fainelli <florian@openwrt.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/r6040.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/r6040.c
++++ b/drivers/net/r6040.c
+@@ -49,8 +49,8 @@
+ #include <asm/processor.h>
+
+ #define DRV_NAME "r6040"
+-#define DRV_VERSION "0.18"
+-#define DRV_RELDATE "13Jul2008"
++#define DRV_VERSION "0.19"
++#define DRV_RELDATE "18Dec2008"
+
+ /* PHY CHIP Address */
+ #define PHY1_ADDR 1 /* For MAC1 */
--- /dev/null
+From 46312f49ee0eca77bdb5cd318109624d2cbd8a01 Mon Sep 17 00:00:00 2001
+From: Joe Chou <Joe.Chou@rdc.com.tw>
+Date: Mon, 22 Dec 2008 19:38:17 -0800
+Subject: r6040: fix wrong logic in mdio code
+
+From: Joe Chou <Joe.Chou@rdc.com.tw>
+
+[ Upstream commit: 11e5e8f5d14a1229706576184d2cf4c4556ed94c ]
+
+This patch fixes a reverse logic in the MDIO code.
+
+Signed-off-by: Joe Chou <Joe.Chou@rdc.com.tw>
+Signed-off-by: Florian Fainelli <florian@openwrt.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/r6040.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/r6040.c
++++ b/drivers/net/r6040.c
+@@ -214,7 +214,7 @@ static int r6040_phy_read(void __iomem *
+ /* Wait for the read bit to be cleared */
+ while (limit--) {
+ cmd = ioread16(ioaddr + MMDIO);
+- if (cmd & MDIO_READ)
++ if (!(cmd & MDIO_READ))
+ break;
+ }
+
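Review bot: Neither polling loop reports the case where `limit` runs out before the busy bit clears. r6040_phy_write visibly ends right after its loop (second hunk), so a write that never completed is indistinguishable from one that did. With the test now correct this path is only reached on a stuck controller, but it deserves at least a log line, e.g. `if (limit < 0) printk(KERN_WARNING DRV_NAME ": MDIO write timed out\n");`. That assumes `limit` is a signed int, since its declaration is outside the hunk. r6040_phy_read continues past this hunk, so whether it checks for the timeout before returning cannot be seen here.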
+@@ -233,7 +233,7 @@ static void r6040_phy_write(void __iomem
+ /* Wait for the write bit to be cleared */
+ while (limit--) {
+ cmd = ioread16(ioaddr + MMDIO);
+- if (cmd & MDIO_WRITE)
++ if (!(cmd & MDIO_WRITE))
+ break;
+ }
+ }
--- /dev/null
+From 2008eaf5aba4f7ca31f3d9a6ec1b220af4be04cd Mon Sep 17 00:00:00 2001
+From: Joe Chou <Joe.Chou@rdc.com.tw>
+Date: Mon, 22 Dec 2008 19:40:02 -0800
+Subject: r6040: save and restore MIER correctly in the interrupt routine
+
+From: Joe Chou <Joe.Chou@rdc.com.tw>
+
+[ Upstream commit: 3e7c469f07ff14cbf9a814739e1fc99a863e0943 ]
+
+This patch saves the MIER register contents before treating
+interrupts, then restores them correcty at the end of the
+interrupt routine.
+
+Signed-off-by: Joe Chou <Joe.Chou@rdc.com.tw>
+Signed-off-by: Florian Fainelli <florian@openwrt.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/r6040.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/r6040.c
++++ b/drivers/net/r6040.c
+@@ -681,8 +681,10 @@ static irqreturn_t r6040_interrupt(int i
+ struct net_device *dev = dev_id;
+ struct r6040_private *lp = netdev_priv(dev);
+ void __iomem *ioaddr = lp->base;
+- u16 status;
++ u16 misr, status;
+
++ /* Save MIER */
++ misr = ioread16(ioaddr + MIER);
+ /* Mask off RDC MAC interrupt */
+ iowrite16(MSK_INT, ioaddr + MIER);
+ /* Read MISR status and clear */
+@@ -702,7 +704,7 @@ static irqreturn_t r6040_interrupt(int i
+ dev->stats.rx_fifo_errors++;
+
+ /* Mask off RX interrupt */
+- iowrite16(ioread16(ioaddr + MIER) & ~RX_INTS, ioaddr + MIER);
++ misr &= ~RX_INTS;
+ netif_rx_schedule(dev, &lp->napi);
+ }
+
+@@ -710,6 +712,9 @@ static irqreturn_t r6040_interrupt(int i
+ if (status & TX_INTS)
+ r6040_tx(dev);
+
++ /* Restore RDC MAC interrupt */
++ iowrite16(misr, ioaddr + MIER);
++
+ return IRQ_HANDLED;
+ }
+
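Review bot: The restore is placed only before the final `return IRQ_HANDLED`, so any earlier return between the `iowrite16(MSK_INT, ioaddr + MIER)` in the first hunk and this point would leave every MAC interrupt masked. The lines between the hunks are not visible here, so this is a check to make rather than a confirmed defect. If such a return exists (for instance a bail-out when the status shows the interrupt was not for this device), it needs its own `iowrite16(misr, ioaddr + MIER);` before returning.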
--- /dev/null
+From 3d41c2bd66b1618aa1062c3d98450a9a5f0d119e Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <yjwei@cn.fujitsu.com>
+Date: Tue, 20 Jan 2009 14:08:01 -0800
+Subject: sctp: Avoid memory overflow while FWD-TSN chunk is received with bad stream ID
+
+From: Wei Yongjun <yjwei@cn.fujitsu.com>
+
+[ Upstream commit: 9fcb95a105758b81ef0131cd18e2db5149f13e95 ]
+
+If FWD-TSN chunk is received with bad stream ID, the sctp will not do the
+validity check, this may cause memory overflow when overwrite the TSN of
+the stream ID.
+
+The FORWARD-TSN chunk is like this:
+
+FORWARD-TSN chunk
+ Type = 192
+ Flags = 0
+ Length = 172
+ NewTSN = 99
+ Stream = 10000
+ StreamSequence = 0xFFFF
+
+This patch fix this problem by discard the chunk if stream ID is not
+less than MIS.
+
+Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
+Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sctp/sm_statefuns.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3635,6 +3635,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+
+@@ -3664,6 +3665,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+ goto discard_noforce;
+
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto discard_noforce;
++ }
++
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+ if (len > sizeof(struct sctp_fwdtsn_hdr))
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
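Review bot: The stream-id validation loop added here is repeated verbatim in sctp_sf_eat_fwd_tsn_fast (the hunk at -3724), so any later change to the bound has to be made in two places; a small static helper would keep both paths in step. The value being checked comes straight from the peer, and the bound that matters is the size of the inbound stream array that the skip processing later indexes with it. That code is outside the hunk, so it is worth confirming that `asoc->c.sinit_max_instreams` is exactly that size. Both function bodies start and end outside the hunks.

```c
/* Return 1 if every skip entry names a stream below asoc->c.sinit_max_instreams. */
static int sctp_fwdtsn_streams_valid(const struct sctp_association *asoc,
				     struct sctp_chunk *chunk)
{
	struct sctp_fwdtsn_skip *skip;

	sctp_walk_fwdtsn(skip, chunk) {
		if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
			return 0;
	}
	return 1;
}

	/* … unchanged: tsn checks in sctp_sf_eat_fwd_tsn … */
	if (!sctp_fwdtsn_streams_valid(asoc, chunk))
		goto discard_noforce;
```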
+@@ -3695,6 +3702,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+
+@@ -3724,6 +3732,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+ goto gen_shutdown;
+
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto gen_shutdown;
++ }
++
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+ if (len > sizeof(struct sctp_fwdtsn_hdr))
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
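Review bot: The comment copied into this hunk says the chunk is silently discarded, but the branch target here is `gen_shutdown`, not `discard_noforce` as in sctp_sf_eat_fwd_tsn. Going by the label name, a bad stream id on this path drops the FWD-TSN and still proceeds to the shutdown handling. The comment should say so, e.g. `/* Bad stream-id: ignore this FWD-TSN but still go on to gen_shutdown */`. The label's body is outside the hunk.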
--- /dev/null
+pkt_sched-sch_htb-fix-deadlock-in-hrtimers-triggered-by-htb.patch
+ipv6-fix-fib6_dump_table-walker-leak.patch
+sctp-avoid-memory-overflow-while-fwd-tsn-chunk-is-received-with-bad-stream-id.patch
+pkt_sched-cls_u32-fix-locking-in-u32_change.patch
+r6040-fix-wrong-logic-in-mdio-code.patch
+r6040-save-and-restore-mier-correctly-in-the-interrupt-routine.patch
+r6040-bump-release-number-to-0.19.patch
+tcp-don-t-mask-eof-and-socket-errors-on-nonblocking-splice-receive.patch
--- /dev/null
+From db76deb171d8ba2e30ab4928863d1ac59b186f97 Mon Sep 17 00:00:00 2001
+From: Lennert Buytenhek <buytenh@marvell.com>
+Date: Tue, 20 Jan 2009 15:25:21 -0800
+Subject: tcp: don't mask EOF and socket errors on nonblocking splice receive
+
+From: Lennert Buytenhek <buytenh@marvell.com>
+
+[ Upstream commit: 4f7d54f59bc470f0aaa932f747a95232d7ebf8b1 ]
+
+Currently, setting SPLICE_F_NONBLOCK on splice from a TCP socket
+results in masking of EOF (RDHUP) and error conditions on the socket
+by an -EAGAIN return. Move the NONBLOCK check in tcp_splice_read()
+to be after the EOF and error checks to fix this.
+
+Signed-off-by: Lennert Buytenhek <buytenh@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -576,10 +576,6 @@ ssize_t tcp_splice_read(struct socket *s
+ else if (!ret) {
+ if (spliced)
+ break;
+- if (flags & SPLICE_F_NONBLOCK) {
+- ret = -EAGAIN;
+- break;
+- }
+ if (sock_flag(sk, SOCK_DONE))
+ break;
+ if (sk->sk_err) {
+@@ -597,6 +593,10 @@ ssize_t tcp_splice_read(struct socket *s
+ ret = -ENOTCONN;
+ break;
+ }
++ if (flags & SPLICE_F_NONBLOCK) {
++ ret = -EAGAIN;
++ break;
++ }
+ if (!timeo) {
+ ret = -EAGAIN;
+ break;
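Review bot: The relocated `SPLICE_F_NONBLOCK` test now sits directly above the `!timeo` test, and both set `ret = -EAGAIN` and break, so the two can be a single condition: `if ((flags & SPLICE_F_NONBLOCK) || !timeo) {`. Since the ordering is the whole fix, a short comment above it would stop the check from being hoisted again: `/* EOF and socket errors above must win over a would-block return */`. tcp_splice_read starts and ends outside the hunk.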