--- /dev/null
+From stable-bounces@linux.kernel.org Sat Aug 5 12:14:36 2006
+Message-Id: <200608051913.k75JDlTV010898@shell0.pdx.osdl.net>
+To: torvalds@osdl.org
+From: akpm@osdl.org
+Date: Sat, 05 Aug 2006 12:13:47 -0700
+Cc: akpm@osdl.org, greg@kroah.com, mingo@elte.hu, stable@kernel.org, olson@unixfolk.com
+Subject: disable debugging version of write_lock()
+
+From: Andrew Morton <akpm@osdl.org>
+
+We've confirmed that the debug version of write_lock() can get stuck for long
+enough to cause NMI watchdog timeouts and hence a crash.
+
+We don't know why, yet. Disable it for now.
+
+Also disable the similar read_lock() code. Just in case.
+
+Thanks to Dave Olson <olson@unixfolk.com> for reporting and testing.
+
+Acked-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ lib/spinlock_debug.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- linux-2.6.17.8.orig/lib/spinlock_debug.c
++++ linux-2.6.17.8/lib/spinlock_debug.c
+@@ -137,6 +137,7 @@ static void rwlock_bug(rwlock_t *lock, c
+
+ #define RWLOCK_BUG_ON(cond, lock, msg) if (unlikely(cond)) rwlock_bug(lock, msg)
+
++#if 0 /* __write_lock_debug() can lock up - maybe this can too? */
+ static void __read_lock_debug(rwlock_t *lock)
+ {
+ int print_once = 1;
+@@ -159,12 +160,12 @@ static void __read_lock_debug(rwlock_t *
+ }
+ }
+ }
++#endif
+
+ void _raw_read_lock(rwlock_t *lock)
+ {
+ RWLOCK_BUG_ON(lock->magic != RWLOCK_MAGIC, lock, "bad magic");
+- if (unlikely(!__raw_read_trylock(&lock->raw_lock)))
+- __read_lock_debug(lock);
++ __raw_read_lock(&lock->raw_lock);
+ }
+
+ int _raw_read_trylock(rwlock_t *lock)
+@@ -210,6 +211,7 @@ static inline void debug_write_unlock(rw
+ lock->owner_cpu = -1;
+ }
+
++#if 0 /* This can cause lockups */
+ static void __write_lock_debug(rwlock_t *lock)
+ {
+ int print_once = 1;
+@@ -232,12 +234,12 @@ static void __write_lock_debug(rwlock_t
+ }
+ }
+ }
++#endif
+
+ void _raw_write_lock(rwlock_t *lock)
+ {
+ debug_write_lock_before(lock);
+- if (unlikely(!__raw_write_trylock(&lock->raw_lock)))
+- __write_lock_debug(lock);
++ __raw_write_lock(&lock->raw_lock);
+ debug_write_lock_after(lock);
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Sat Aug 5 12:15:54 2006
+Message-Id: <200608051914.k75JEthD011006@shell0.pdx.osdl.net>
+To: torvalds@osdl.org
+From: akpm@osdl.org
+Date: Sat, 05 Aug 2006 12:14:55 -0700
+Cc: akpm@osdl.org, greg@kroah.com, jjk@acm.org, diegocg@gmail.com, stable@kernel.org
+Subject: Fix BeFS slab corruption
+
+From: Diego Calleja <diegocg@gmail.com>
+
+In bugzilla #6941, Jens Kilian reported:
+
+"The function befs_utf2nls (in fs/befs/linuxvfs.c) writes a 0 byte past the
+end of a block of memory allocated via kmalloc(), leading to memory
+corruption. This happens only for filenames which are pure ASCII and a
+multiple of 4 bytes in length. [...]
+
+Without DEBUG_SLAB, this leads to further corruption and hard lockups; I
+believe this is the bug which has made kernels later than 2.6.8 unusable
+for me. (This must be due to changes in memory management, the bug has
+been in the BeFS driver since the time it was introduced (AFAICT).)
+
+Steps to reproduce:
+Create a directory (in BeOS, naturally :-) with files named, e.g.,
+"1", "22", "333", "4444", ... Mount it in Linux and do an "ls" or "find""
+
+This patch implements the suggested fix. Credits to Jens Kilian for
+debugging the problem and finding the right fix.
+
+Signed-off-by: Diego Calleja <diegocg@gmail.com>
+Cc: Jens Kilian <jjk@acm.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/befs/linuxvfs.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- linux-2.6.17.8.orig/fs/befs/linuxvfs.c
++++ linux-2.6.17.8/fs/befs/linuxvfs.c
+@@ -512,7 +512,11 @@ befs_utf2nls(struct super_block *sb, con
+ wchar_t uni;
+ int unilen, utflen;
+ char *result;
+- int maxlen = in_len; /* The utf8->nls conversion can't make more chars */
++ /* The utf8->nls conversion won't make the final nls string bigger
++ * than the utf one, but if the string is pure ascii they'll have the
++ * same width and an extra char is needed to save the additional \0
++ */
++ int maxlen = in_len + 1;
+
+ befs_debug(sb, "---> utf2nls()");
+
+@@ -588,7 +592,10 @@ befs_nls2utf(struct super_block *sb, con
+ wchar_t uni;
+ int unilen, utflen;
+ char *result;
+- int maxlen = 3 * in_len;
++ /* There're nls characters that will translate to 3-chars-wide UTF-8
++ * characters, a additional byte is needed to save the final \0
++ * in special cases */
++ int maxlen = (3 * in_len) + 1;
+
+ befs_debug(sb, "---> nls2utf()\n");
+
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Aug 9 02:33:59 2006
+Date: Wed, 09 Aug 2006 02:33:28 -0700 (PDT)
+Message-Id: <20060809.023328.08324505.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Subject: Fix IFLA_ADDRESS handling
+
+From: David Miller <davem@davemloft.net>
+
+[RTNETLINK]: Fix IFLA_ADDRESS handling.
+
+The ->set_mac_address handlers expect a pointer to a
+sockaddr which contains the MAC address, whereas
+IFLA_ADDRESS provides just the MAC address itself.
+
+So whip up a sockaddr to wrap around the netlink
+attribute for the ->set_mac_address call.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/rtnetlink.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- linux-2.6.17.8.orig/net/core/rtnetlink.c
++++ linux-2.6.17.8/net/core/rtnetlink.c
+@@ -395,6 +395,9 @@ static int do_setlink(struct sk_buff *sk
+ }
+
+ if (ida[IFLA_ADDRESS - 1]) {
++ struct sockaddr *sa;
++ int len;
++
+ if (!dev->set_mac_address) {
+ err = -EOPNOTSUPP;
+ goto out;
+@@ -406,7 +409,17 @@ static int do_setlink(struct sk_buff *sk
+ if (ida[IFLA_ADDRESS - 1]->rta_len != RTA_LENGTH(dev->addr_len))
+ goto out;
+
+- err = dev->set_mac_address(dev, RTA_DATA(ida[IFLA_ADDRESS - 1]));
++ len = sizeof(sa_family_t) + dev->addr_len;
++ sa = kmalloc(len, GFP_KERNEL);
++ if (!sa) {
++ err = -ENOMEM;
++ goto out;
++ }
++ sa->sa_family = dev->type;
++ memcpy(sa->sa_data, RTA_DATA(ida[IFLA_ADDRESS - 1]),
++ dev->addr_len);
++ err = dev->set_mac_address(dev, sa);
++ kfree(sa);
+ if (err)
+ goto out;
+ send_addr_notify = 1;
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Aug 9 02:36:58 2006
+Date: Wed, 09 Aug 2006 02:36:33 -0700 (PDT)
+Message-Id: <20060809.023633.62344115.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Subject: Fix timer race in dst GC code
+
+From: Dmitry Mishin <dim@openvz.org>
+
+[NET]: add_timer -> mod_timer() in dst_run_gc()
+
+Patch from Dmitry Mishin <dim@openvz.org>:
+
+Replace add_timer() by mod_timer() in dst_run_gc
+in order to avoid BUG message.
+
+ CPU1 CPU2
+dst_run_gc() entered dst_run_gc() entered
+spin_lock(&dst_lock) .....
+del_timer(&dst_gc_timer) fail to get lock
+ .... mod_timer() <--- puts
+ timer back
+ to the list
+add_timer(&dst_gc_timer) <--- BUG because timer is in list already.
+
+Found during OpenVZ internal testing.
+
+At first we thought that it is OpenVZ specific as we
+added dst_run_gc(0) call in dst_dev_event(),
+but as Alexey pointed to me it is possible to trigger
+this condition in mainstream kernel.
+
+F.e. timer has fired on CPU2, but the handler was preeempted
+by an irq before dst_lock is tried.
+Meanwhile, someone on CPU1 adds an entry to gc list and
+starts the timer.
+If CPU2 was preempted long enough, this timer can expire
+simultaneously with resuming timer handler on CPU1, arriving
+exactly to the situation described.
+
+Signed-off-by: Dmitry Mishin <dim@openvz.org>
+Signed-off-by: Kirill Korotaev <dev@openvz.org>
+Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/dst.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- linux-2.6.17.8.orig/net/core/dst.c
++++ linux-2.6.17.8/net/core/dst.c
+@@ -95,12 +95,11 @@ static void dst_run_gc(unsigned long dum
+ dst_gc_timer_inc = DST_GC_INC;
+ dst_gc_timer_expires = DST_GC_MIN;
+ }
+- dst_gc_timer.expires = jiffies + dst_gc_timer_expires;
+ #if RT_CACHE_DEBUG >= 2
+ printk("dst_total: %d/%d %ld\n",
+ atomic_read(&dst_total), delayed, dst_gc_timer_expires);
+ #endif
+- add_timer(&dst_gc_timer);
++ mod_timer(&dst_gc_timer, jiffies + dst_gc_timer_expires);
+
+ out:
+ spin_unlock(&dst_lock);
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Aug 4 08:36:24 2006
+Message-ID: <44D36946.7020601@redhat.com>
+Date: Fri, 04 Aug 2006 10:35:34 -0500
+From: Eric Sandeen <esandeen@redhat.com>
+To: Christoph Hellwig <hch@infradead.org>, Eric Sandeen <esandeen@redhat.com>,
+ Greg KH <gregkh@suse.de>, linux-kernel@vger.kernel.org,
+ stable@kernel.org, torvalds@osdl.org,
+ Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ "Theodore Ts'o" <tytso@mit.edu>, Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>, Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>, akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, jack@suse.cz, neilb@suse.de,
+ Marcel Holtmann <marcel@holtmann.org>,
+ "Stephen C. Tweedie" <sct@redhat.com>
+Subject: Have ext3 reject file handles with bad inode numbers early
+
+blatantly ripped off from Neil Brown's ext2 patch.
+
+
+Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
+Acked-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext3/super.c | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+--- linux-2.6.17.8.orig/fs/ext3/super.c
++++ linux-2.6.17.8/fs/ext3/super.c
+@@ -620,8 +620,48 @@ static struct super_operations ext3_sops
+ #endif
+ };
+
++static struct dentry *ext3_get_dentry(struct super_block *sb, void *vobjp)
++{
++ __u32 *objp = vobjp;
++ unsigned long ino = objp[0];
++ __u32 generation = objp[1];
++ struct inode *inode;
++ struct dentry *result;
++
++ if (ino != EXT3_ROOT_INO && ino < EXT3_FIRST_INO(sb))
++ return ERR_PTR(-ESTALE);
++ if (ino > le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count))
++ return ERR_PTR(-ESTALE);
++
++ /* iget isn't really right if the inode is currently unallocated!!
++ * ext3_read_inode currently does appropriate checks, but
++ * it might be "neater" to call ext3_get_inode first and check
++ * if the inode is valid.....
++ */
++ inode = iget(sb, ino);
++ if (inode == NULL)
++ return ERR_PTR(-ENOMEM);
++ if (is_bad_inode(inode)
++ || (generation && inode->i_generation != generation)
++ ) {
++ /* we didn't find the right inode.. */
++ iput(inode);
++ return ERR_PTR(-ESTALE);
++ }
++ /* now to find a dentry.
++ * If possible, get a well-connected one
++ */
++ result = d_alloc_anon(inode);
++ if (!result) {
++ iput(inode);
++ return ERR_PTR(-ENOMEM);
++ }
++ return result;
++}
++
+ static struct export_operations ext3_export_ops = {
+ .get_parent = ext3_get_parent,
++ .get_dentry = ext3_get_dentry,
+ };
+
+ enum {
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Aug 7 16:37:01 2006
+Date: Mon, 7 Aug 2006 16:36:02 -0700
+From: Stephen Hemminger <shemminger@osdl.org>
+To: David Miller <davem@davemloft.net>
+Message-ID: <20060807163602.5c7a4a65@localhost.localdomain>
+Cc: netdev@vger.kernel.org, stable@kernel.org, acme@ghostprotocols.net
+Subject: ipx: header length validation needed
+
+From: Stephen Hemminger <shemminger@osdl.org>
+
+This patch will linearize and check there is enough data.
+It handles the pprop case as well as avoiding a whole audit of
+the routing code.
+
+Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
+
+---
+ net/ipx/af_ipx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- linux-2.6.17.8.orig/net/ipx/af_ipx.c
++++ linux-2.6.17.8/net/ipx/af_ipx.c
+@@ -1647,7 +1647,8 @@ static int ipx_rcv(struct sk_buff *skb,
+ ipx_pktsize = ntohs(ipx->ipx_pktsize);
+
+ /* Too small or invalid header? */
+- if (ipx_pktsize < sizeof(struct ipxhdr) || ipx_pktsize > skb->len)
++ if (ipx_pktsize < sizeof(struct ipxhdr)
++ || !pskb_may_pull(skb, ipx_pktsize))
+ goto drop;
+
+ if (ipx->ipx_checksum != IPX_NO_CHECKSUM &&
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Aug 9 02:35:56 2006
+Date: Wed, 09 Aug 2006 02:35:21 -0700 (PDT)
+Message-Id: <20060809.023521.21927097.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Subject: Kill HASH_HIGHMEM from route cache hash sizing
+
+From: Kirill Korotaev <dev@sw.ru>
+
+[IPV4]: Limit rt cache size properly.
+
+During OpenVZ stress testing we found that UDP traffic with random src
+can generate too much excessive rt hash growing leading finally to OOM
+and kernel panics.
+
+It was found that for 4GB i686 system (having 1048576 total pages and
+225280 normal zone pages) kernel allocates the following route hash:
+syslog: IP route cache hash table entries: 262144 (order: 8, 1048576
+bytes) => ip_rt_max_size = 4194304 entries, i.e. max rt size is
+4194304 * 256b = 1Gb of RAM > normal_zone
+
+Attached the patch which removes HASH_HIGHMEM flag from
+alloc_large_system_hash() call.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.17.8.orig/net/ipv4/route.c
++++ linux-2.6.17.8/net/ipv4/route.c
+@@ -3144,7 +3144,7 @@ int __init ip_rt_init(void)
+ rhash_entries,
+ (num_physpages >= 128 * 1024) ?
+ 15 : 17,
+- HASH_HIGHMEM,
++ 0,
+ &rt_hash_log,
+ &rt_hash_mask,
+ 0);
--- /dev/null
+have-ext3-reject-file-handles-with-bad-inode-numbers-early.patch
+sky2-phy-power-problem-on-88e805x.patch
+kill-hash_highmem-from-route-cache-hash-sizing.patch
+fix-timer-race-in-dst-gc-code.patch
+fix-ifla_address-handling.patch
+fix-befs-slab-corruption.patch
+disable-debugging-version-of-write_lock.patch
+ipx-header-length-validation-needed.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Aug 9 14:17:16 2006
+Date: Wed, 9 Aug 2006 14:16:41 -0700
+From: Stephen Hemminger <shemminger@osdl.org>
+To: stable@kernel.org
+Message-ID: <20060809141641.7bb5aeaf@localhost.localdomain>
+Subject: sky2: phy power problem on 88e805x
+
+From: Stephen Hemminger <shemminger@osdl.org>
+
+On the 88E805X chipsets (used in laptops), the PHY was not getting powered
+out of shutdown properly. The variable reg1 was getting reused incorrectly.
+This is probably the cause of the bug.
+ http://bugzilla.kernel.org/show_bug.cgi?id=6471
+
+Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/sky2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.17.8.orig/drivers/net/sky2.c
++++ linux-2.6.17.8/drivers/net/sky2.c
+@@ -233,6 +233,8 @@ static void sky2_set_power_state(struct
+ if (hw->ports > 1)
+ reg1 |= PCI_Y2_PHY2_COMA;
+ }
++ sky2_pci_write32(hw, PCI_DEV_REG1, reg1);
++ udelay(100);
+
+ if (hw->chip_id == CHIP_ID_YUKON_EC_U) {
+ sky2_write16(hw, B0_CTST, Y2_HW_WOL_ON);
+@@ -243,8 +245,6 @@ static void sky2_set_power_state(struct
+ sky2_pci_write32(hw, PCI_DEV_REG5, 0);
+ }
+
+- sky2_pci_write32(hw, PCI_DEV_REG1, reg1);
+-
+ break;
+
+ case PCI_D3hot:
projects / thirdparty / kernel / stable-queue.git / commitdiff
