--- /dev/null
+From stable-bounces@linux.kernel.org Sat Aug 26 07:24:40 2006
+Date: Sat, 26 Aug 2006 10:20:45 -0400
+From: Chuck Ebbert <76306.1226@compuserve.com>
+To: linux-stable <stable@kernel.org>
+Message-ID: <200608261023_MC3-1-C96A-6EC4@compuserve.com>
+Content-Disposition: inline
+Cc: Ernie Petrides <petrides@redhat.com>
+Subject: binfmt_elf: fix checks for bad address
+
+From: Ernie Petrides <petrides@redhat.com>
+
+[PATCH] binfmt_elf: fix checks for bad address
+
+Fix check for bad address; use macro instead of open-coding two checks.
+
+Taken from RHEL4 kernel update.
+
+ For background, the BAD_ADDR() macro should return TRUE if the address is
+ TASK_SIZE, because that's the lowest address that is *not* valid for
+ user-space mappings. The macro was correct in binfmt_aout.c but was wrong
+ for the "equal to" case in binfmt_elf.c. There were two in-line validations
+ of user-space addresses in binfmt_elf.c, which have been appropriately
+ converted to use the corrected BAD_ADDR() macro in the patch you posted
+ yesterday. Note that the size checks against TASK_SIZE are okay as coded.
+
+ The additional changes that I propose are below. These are in the error
+ paths for bad ELF entry addresses once load_elf_binary() has already
+ committed to exec'ing the new image (following the tearing down of the
+ task's original address space).
+
+ The 1st hunk deals with the interp-side of the outer "if". There were two
+ problems here. The printk() should be removed because this path can be
+ triggered at will by a bogus interpreter image created and used by a
+ malicious user. Further, the error code should not be ENOEXEC, because that
+ causes the loop in search_binary_handler() to continue trying other exec
+ handlers (twice, in fact). But it's too late for this to work correctly,
+ because the user address space has already been torn down, and an exec()
+ failure cannot be returned to the user code because the code no longer
+ exists. The only recovery is to force a SIGSEGV, but it's best to terminate
+ the search loop immediately. I somewhat arbitrarily chose EINVAL as a
+ fallback error code, but any error returned by load_elf_interp() will
+ override that (but this value will never be seen by user-space).
+
+ The 2nd hunk deals with the non-interp-side of the outer "if". There were
+ two problems here as well. The SIGSEGV needs to be forced, because a prior
+ sigaction() syscall might have set the associated disposition to SIG_IGN.
+ And the ENOEXEC should be changed to EINVAL as described above.
+
+Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/binfmt_elf.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- linux-2.6.17.11.orig/fs/binfmt_elf.c
++++ linux-2.6.17.11/fs/binfmt_elf.c
+@@ -86,7 +86,7 @@ static struct linux_binfmt elf_format =
+ .min_coredump = ELF_EXEC_PAGESIZE
+ };
+
+-#define BAD_ADDR(x) ((unsigned long)(x) > TASK_SIZE)
++#define BAD_ADDR(x) ((unsigned long)(x) >= TASK_SIZE)
+
+ static int set_brk(unsigned long start, unsigned long end)
+ {
+@@ -389,7 +389,7 @@ static unsigned long load_elf_interp(str
+ * <= p_memsize so it is only necessary to check p_memsz.
+ */
+ k = load_addr + eppnt->p_vaddr;
+- if (k > TASK_SIZE || eppnt->p_filesz > eppnt->p_memsz ||
++ if (BAD_ADDR(k) || eppnt->p_filesz > eppnt->p_memsz ||
+ eppnt->p_memsz > TASK_SIZE || TASK_SIZE - eppnt->p_memsz < k) {
+ error = -ENOMEM;
+ goto out_close;
+@@ -876,7 +876,7 @@ static int load_elf_binary(struct linux_
+ * allowed task size. Note that p_filesz must always be
+ * <= p_memsz so it is only necessary to check p_memsz.
+ */
+- if (k > TASK_SIZE || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
++ if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
+ elf_ppnt->p_memsz > TASK_SIZE ||
+ TASK_SIZE - elf_ppnt->p_memsz < k) {
+ /* set_brk can never work. Avoid overflows. */
+@@ -930,10 +930,9 @@ static int load_elf_binary(struct linux_
+ interpreter,
+ &interp_load_addr);
+ if (BAD_ADDR(elf_entry)) {
+- printk(KERN_ERR "Unable to load interpreter %.128s\n",
+- elf_interpreter);
+ force_sig(SIGSEGV, current);
+- retval = -ENOEXEC; /* Nobody gets to see this, but.. */
++ retval = IS_ERR((void *)elf_entry) ?
++ (int)elf_entry : -EINVAL;
+ goto out_free_dentry;
+ }
+ reloc_func_desc = interp_load_addr;
+@@ -944,8 +943,8 @@ static int load_elf_binary(struct linux_
+ } else {
+ elf_entry = loc->elf_ex.e_entry;
+ if (BAD_ADDR(elf_entry)) {
+- send_sig(SIGSEGV, current, 0);
+- retval = -ENOEXEC; /* Nobody gets to see this, but.. */
++ force_sig(SIGSEGV, current);
++ retval = -EINVAL;
+ goto out_free_dentry;
+ }
+ }
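Review bot: The error-pointer extraction in the fourth hunk, `retval = IS_ERR((void *)elf_entry) ? (int)elf_entry : -EINVAL;`, narrows the unsigned long with a plain cast where the kernel's own accessor exists; `(int)PTR_ERR((void *)elf_entry)` says what is meant and keeps the conversion in one place. The corrected macro in the first hunk also deserves a line stating the new boundary, since it is the whole point of the patch: `/* TASK_SIZE is the first address that is not valid for a user mapping; IS_ERR values land above it too */` — the second half is how the interpreter path reaches its IS_ERR branch and is worth confirming. The description explains why the printk went away and why ENOEXEC must not be returned once the old mm is gone, but none of that is visible at the two error sites, so a short comment there (`/* address space already torn down: force SIGSEGV, stop the binfmt search */`) would keep the next reader from restoring either. load_elf_binary's body starts and ends outside the hunks.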
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Aug 29 22:39:00 2006
+From: Christian Borntraeger <borntrae@de.ibm.com>
+Date: Wed, 30 Aug 2006 07:38:11 +0200
+To: stable@kernel.org, Adrian Bunk <bunk@stusta.de>
+Message-Id: <200608300738.11274.borntrae@de.ibm.com>
+Cc: Bastian Blank <bastian@waldi.eu.org>
+Subject: bug in futex unqueue_me
+
+From: Christian Borntraeger <borntrae@de.ibm.com>
+
+This patch adds a barrier() in futex unqueue_me to avoid aliasing of two
+pointers.
+
+On my s390x system I saw the following oops:
+
+Unable to handle kernel pointer dereference at virtual kernel address
+0000000000000000
+Oops: 0004 [#1]
+CPU: 0 Not tainted
+Process mytool (pid: 13613, task: 000000003ecb6ac0, ksp: 00000000366bdbd8)
+Krnl PSW : 0704d00180000000 00000000003c9ac2 (_spin_lock+0xe/0x30)
+Krnl GPRS: 00000000ffffffff 000000003ecb6ac0 0000000000000000 0700000000000000
+ 0000000000000000 0000000000000000 000001fe00002028 00000000000c091f
+ 000001fe00002054 000001fe00002054 0000000000000000 00000000366bddc0
+ 00000000005ef8c0 00000000003d00e8 0000000000144f91 00000000366bdcb8
+Krnl Code: ba 4e 20 00 12 44 b9 16 00 3e a7 84 00 08 e3 e0 f0 88 00 04
+Call Trace:
+([<0000000000144f90>] unqueue_me+0x40/0xe4)
+ [<0000000000145a0c>] do_futex+0x33c/0xc40
+ [<000000000014643e>] sys_futex+0x12e/0x144
+ [<000000000010bb00>] sysc_noemu+0x10/0x16
+ [<000002000003741c>] 0x2000003741c
+
+The code in question is:
+
+static int unqueue_me(struct futex_q *q)
+{
+ int ret = 0;
+ spinlock_t *lock_ptr;
+
+ /* In the common case we don't take the spinlock, which is nice. */
+ retry:
+ lock_ptr = q->lock_ptr;
+ if (lock_ptr != 0) {
+ spin_lock(lock_ptr);
+ /*
+ * q->lock_ptr can change between reading it and
+ * spin_lock(), causing us to take the wrong lock. This
+ * corrects the race condition.
+[...]
+
+and my compiler (gcc 4.1.0) makes the following out of it:
+
+00000000000003c8 <unqueue_me>:
+ 3c8: eb bf f0 70 00 24 stmg %r11,%r15,112(%r15)
+ 3ce: c0 d0 00 00 00 00 larl %r13,3ce <unqueue_me+0x6>
+ 3d0: R_390_PC32DBL .rodata+0x2a
+ 3d4: a7 f1 1e 00 tml %r15,7680
+ 3d8: a7 84 00 01 je 3da <unqueue_me+0x12>
+ 3dc: b9 04 00 ef lgr %r14,%r15
+ 3e0: a7 fb ff d0 aghi %r15,-48
+ 3e4: b9 04 00 b2 lgr %r11,%r2
+ 3e8: e3 e0 f0 98 00 24 stg %r14,152(%r15)
+ 3ee: e3 c0 b0 28 00 04 lg %r12,40(%r11)
+ /* write q->lock_ptr in r12 */
+ 3f4: b9 02 00 cc ltgr %r12,%r12
+ 3f8: a7 84 00 4b je 48e <unqueue_me+0xc6>
+ /* if r12 is zero then jump over the code.... */
+ 3fc: e3 20 b0 28 00 04 lg %r2,40(%r11)
+ /* write q->lock_ptr in r2 */
+ 402: c0 e5 00 00 00 00 brasl %r14,402 <unqueue_me+0x3a>
+ 404: R_390_PC32DBL _spin_lock+0x2
+ /* use r2 as parameter for spin_lock */
+
+So the code becomes more or less:
+if (q->lock_ptr != 0) spin_lock(q->lock_ptr)
+instead of
+if (lock_ptr != 0) spin_lock(lock_ptr)
+
+Which caused the oops from above.
+After adding a barrier gcc creates code without this problem:
+[...] (the same)
+ 3ee: e3 c0 b0 28 00 04 lg %r12,40(%r11)
+ 3f4: b9 02 00 cc ltgr %r12,%r12
+ 3f8: b9 04 00 2c lgr %r2,%r12
+ 3fc: a7 84 00 48 je 48c <unqueue_me+0xc4>
+ 400: c0 e5 00 00 00 00 brasl %r14,400 <unqueue_me+0x38>
+ 402: R_390_PC32DBL _spin_lock+0x2
+
+As a general note, this code of unqueue_me seems a bit fishy. The retry logic
+of unqueue_me only works if we can guarantee, that the original value of
+q->lock_ptr is always a spinlock (Otherwise we overwrite kernel memory). We
+know that q->lock_ptr can change. I dont know what happens with the original
+spinlock, as I am not an expert with the futex code.
+
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Rusty Russell <rusty@rustcorp.com.au>
+Acked-by: Ingo Molnar <mingo@redhat.com>
+Cc: Thomas Gleixner <tglx@timesys.com>
+Signed-off-by: Christian Borntraeger <borntrae@de.ibm.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/futex.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.17.11.orig/kernel/futex.c
++++ linux-2.6.17.11/kernel/futex.c
+@@ -593,6 +593,7 @@ static int unqueue_me(struct futex_q *q)
+ /* In the common case we don't take the spinlock, which is nice. */
+ retry:
+ lock_ptr = q->lock_ptr;
++ barrier();
+ if (lock_ptr != 0) {
+ spin_lock(lock_ptr);
+ /*
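Review bot: The added `barrier();` has no comment, and a compiler fence sitting between a load and its NULL test will look like a leftover to anyone who has not read this commit message. Record the reason at the site: `/* barrier(): keep gcc from re-reading q->lock_ptr after the NULL test below; it may change under us, so use lock_ptr exactly as loaded */`. The description itself notes that the retry logic presumes the originally loaded value is always a live spinlock, which this patch does not address; a one-line note to that effect would mark the open question in the code rather than only in list history. unqueue_me begins before the hunk and continues after it.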
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Aug 31 23:13:57 2006
+Message-ID: <42895.10.207.160.203.1157091181.squirrel@10.207.160.104>
+Date: Fri, 1 Sep 2006 14:13:01 +0800 (MYT)
+From: "Ang Way Chuang" <wcang@nrg.cs.usm.my>
+To: stable@kernel.org
+Cc: chteh@nrg.cs.usm.my, vendor-sec@lst.de, Greg KH <greg@kroah.com>,
+ "Luiz Fernando N. Capitulino" <lcapitulino@mandriva.com.br>,
+ tcwan@cs.usm.my
+Subject: dvb-core: Proper handling ULE SNDU length of 0
+
+From: Ang Way Chuang <wcang@nrg.cs.usm.my>
+
+ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
+code has a bug that allows an attacker to send a malformed ULE packet
+with SNDU length of 0 and bring down the receiving machine. This patch
+fix the bug and has been tested on version 2.6.17.11. This bug is 100%
+reproducible and the modified source code (GPL) used to produce this bug
+will be posted on http://nrg.cs.usm.my/downloads.htm shortly. The
+kernel will produce a dump during CRC32 checking on faulty ULE packet.
+
+
+Signed-off-by: Ang Way Chuang <wcang@nrg.cs.usm.my>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/dvb/dvb-core/dvb_net.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- linux-2.6.17.11.orig/drivers/media/dvb/dvb-core/dvb_net.c
++++ linux-2.6.17.11/drivers/media/dvb/dvb-core/dvb_net.c
+@@ -492,7 +492,8 @@ static void dvb_net_ule( struct net_devi
+ } else
+ priv->ule_dbit = 0;
+
+- if (priv->ule_sndu_len > 32763) {
++ if (priv->ule_sndu_len > 32763 ||
++ priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)) {
+ printk(KERN_WARNING "%lu: Invalid ULE SNDU length %u. "
+ "Resyncing.\n", priv->ts_count, priv->ule_sndu_len);
+ priv->ule_sndu_len = 0;
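Review bot: The new lower bound `priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)` uses a bare 4 that the reader has to reverse-engineer; name it or comment it, e.g. `/* shortest legal SNDU: CRC-32 trailer, plus the destination MAC when the D-bit is clear */`, and confirm that ule_sndu_len is counted from the same point as those constants, since the header accounting is not visible in the hunk. The warning printed when the check trips is driven by received frames, so a stream of malformed SNDUs emits one KERN_WARNING per packet; guarding it with `if (printk_ratelimit())` keeps the log usable while the resync still happens. The inner parentheses around `priv->ule_dbit` are noise and can go. dvb_net_ule extends well beyond the hunk on both sides.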
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Aug 29 00:24:06 2006
+Date: Tue, 29 Aug 2006 02:15:54 -0400
+From: Chuck Ebbert <76306.1226@compuserve.com>
+To: linux-stable <stable@kernel.org>
+Message-ID: <200608290218_MC3-1-C9AC-1176@compuserve.com>
+Content-Disposition: inline
+Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
+Subject: fcntl(F_SETSIG) fix
+
+From: Trond Myklebust <trond.myklebust@fys.uio.no>
+
+[PATCH] fcntl(F_SETSIG) fix
+
+fcntl(F_SETSIG) no longer works on leases because
+lease_release_private_callback() gets called as the lease is copied in
+order to initialise it.
+
+The problem is that lease_alloc() performs an unnecessary initialisation,
+which sets the lease_manager_ops. Avoid the problem by allocating the
+target lease structure using locks_alloc_lock().
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/locks.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- linux-2.6.17.11.orig/fs/locks.c
++++ linux-2.6.17.11/fs/locks.c
+@@ -1389,8 +1389,9 @@ static int __setlease(struct file *filp,
+ if (!leases_enable)
+ goto out;
+
+- error = lease_alloc(filp, arg, &fl);
+- if (error)
++ error = -ENOMEM;
++ fl = locks_alloc_lock();
++ if (fl == NULL)
+ goto out;
+
+ locks_copy_lock(fl, lease);
+@@ -1398,6 +1399,7 @@ static int __setlease(struct file *filp,
+ locks_insert_lock(before, fl);
+
+ *flp = fl;
++ error = 0;
+ out:
+ return error;
+ }
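Review bot: Pre-loading `error = -ENOMEM;` before the allocation and clearing it with `error = 0;` only at the end means every `goto out` between the two hunks now reports -ENOMEM unless it sets error itself; those lines are not visible here and need checking. Setting the code at the failure site, `if (fl == NULL) { error = -ENOMEM; goto out; }`, keeps the value next to the condition it reports and leaves the trailing `error = 0;` as the only success assignment to reason about. __setlease starts before the first hunk.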
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Aug 31 16:07:12 2006
+Date: Thu, 31 Aug 2006 16:06:16 -0700 (PDT)
+Message-Id: <20060831.160616.75186822.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: IPV6 OOPS'er triggerable by any user
+
+From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+
+[IPV6]: Fix kernel OOPs when setting sticky socket options.
+
+Bug noticed by Remi Denis-Courmont <rdenis@simphalempin.com>.
+
+Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/exthdrs.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+--- linux-2.6.17.11.orig/net/ipv6/exthdrs.c
++++ linux-2.6.17.11/net/ipv6/exthdrs.c
+@@ -635,14 +635,17 @@ ipv6_renew_options(struct sock *sk, stru
+ struct ipv6_txoptions *opt2;
+ int err;
+
+- if (newtype != IPV6_HOPOPTS && opt->hopopt)
+- tot_len += CMSG_ALIGN(ipv6_optlen(opt->hopopt));
+- if (newtype != IPV6_RTHDRDSTOPTS && opt->dst0opt)
+- tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst0opt));
+- if (newtype != IPV6_RTHDR && opt->srcrt)
+- tot_len += CMSG_ALIGN(ipv6_optlen(opt->srcrt));
+- if (newtype != IPV6_DSTOPTS && opt->dst1opt)
+- tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst1opt));
++ if (opt) {
++ if (newtype != IPV6_HOPOPTS && opt->hopopt)
++ tot_len += CMSG_ALIGN(ipv6_optlen(opt->hopopt));
++ if (newtype != IPV6_RTHDRDSTOPTS && opt->dst0opt)
++ tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst0opt));
++ if (newtype != IPV6_RTHDR && opt->srcrt)
++ tot_len += CMSG_ALIGN(ipv6_optlen(opt->srcrt));
++ if (newtype != IPV6_DSTOPTS && opt->dst1opt)
++ tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst1opt));
++ }
++
+ if (newopt && newoptlen)
+ tot_len += CMSG_ALIGN(newoptlen);
+
+@@ -659,25 +662,25 @@ ipv6_renew_options(struct sock *sk, stru
+ opt2->tot_len = tot_len;
+ p = (char *)(opt2 + 1);
+
+- err = ipv6_renew_option(opt->hopopt, newopt, newoptlen,
++ err = ipv6_renew_option(opt ? opt->hopopt : NULL, newopt, newoptlen,
+ newtype != IPV6_HOPOPTS,
+ &opt2->hopopt, &p);
+ if (err)
+ goto out;
+
+- err = ipv6_renew_option(opt->dst0opt, newopt, newoptlen,
++ err = ipv6_renew_option(opt ? opt->dst0opt : NULL, newopt, newoptlen,
+ newtype != IPV6_RTHDRDSTOPTS,
+ &opt2->dst0opt, &p);
+ if (err)
+ goto out;
+
+- err = ipv6_renew_option(opt->srcrt, newopt, newoptlen,
++ err = ipv6_renew_option(opt ? opt->srcrt : NULL, newopt, newoptlen,
+ newtype != IPV6_RTHDR,
+- (struct ipv6_opt_hdr **)opt2->srcrt, &p);
++ (struct ipv6_opt_hdr **)&opt2->srcrt, &p);
+ if (err)
+ goto out;
+
+- err = ipv6_renew_option(opt->dst1opt, newopt, newoptlen,
++ err = ipv6_renew_option(opt ? opt->dst1opt : NULL, newopt, newoptlen,
+ newtype != IPV6_DSTOPTS,
+ &opt2->dst1opt, &p);
+ if (err)
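Review bot: The second hunk also changes `(struct ipv6_opt_hdr **)opt2->srcrt` to `(struct ipv6_opt_hdr **)&opt2->srcrt`, a separate fix (the field's value was being passed where its address belongs) that the description never mentions; it deserves its own sentence in the changelog or its own commit, so that anyone bisecting a routing-header regression can find it. The four `opt ? opt->X : NULL` expressions repeat one guard; reading the fields into locals under a single `if (opt)` block, as the first hunk already does for the length computation, would keep both halves of ipv6_renew_options in the same shape. Both hunks sit inside ipv6_renew_options, whose start and end are outside the diff.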
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Aug 30 11:36:30 2006
+Date: Wed, 30 Aug 2006 11:35:49 -0700
+From: Andrew Morton <akpm@osdl.org>
+To: stable@kernel.org
+Message-Id: <20060830113549.4059dda3.akpm@osdl.org>
+Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Subject: Missing PCI id update for VIA IDE
+
+From: Alan Cox <alan@lxorguk.ukuu.org.uk>
+
+
+The following change from -mm is important to 2.6.18 (actually to 2.6.17
+but its too late for that). This was contributed over three months ago
+by VIA to Bartlomiej and nothing happened. As a result the new chipset
+is now out and Linux won't run on it. By the time 2.6.18 is finalised
+this will be the defacto standard VIA chipset so support would be a good
+plan.
+
+Tested in -mm for a while, its essentially a PCI ident update but for
+the bridge chip because VIA do things in weird ways.
+
+
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/ide/pci/via82cxxx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- linux-2.6.17.11.orig/drivers/ide/pci/via82cxxx.c
++++ linux-2.6.17.11/drivers/ide/pci/via82cxxx.c
+@@ -6,7 +6,7 @@
+ *
+ * vt82c576, vt82c586, vt82c586a, vt82c586b, vt82c596a, vt82c596b,
+ * vt82c686, vt82c686a, vt82c686b, vt8231, vt8233, vt8233c, vt8233a,
+- * vt8235, vt8237
++ * vt8235, vt8237, vt8237a
+ *
+ * Copyright (c) 2000-2002 Vojtech Pavlik
+ *
+@@ -82,6 +82,7 @@ static struct via_isa_bridge {
+ { "vt6410", PCI_DEVICE_ID_VIA_6410, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
+ { "vt8251", PCI_DEVICE_ID_VIA_8251, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
+ { "vt8237", PCI_DEVICE_ID_VIA_8237, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
++ { "vt8237a", PCI_DEVICE_ID_VIA_8237A, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
+ { "vt8235", PCI_DEVICE_ID_VIA_8235, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
+ { "vt8233a", PCI_DEVICE_ID_VIA_8233A, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
+ { "vt8233c", PCI_DEVICE_ID_VIA_8233C_0, 0x00, 0x2f, VIA_UDMA_100 },
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Sep 5 13:15:58 2006
+Date: Tue, 5 Sep 2006 22:15:08 +0200
+From: Adrian Bunk <bunk@stusta.de>
+To: stable@kernel.org
+Message-ID: <20060905201508.GJ9173@stusta.de>
+Content-Disposition: inline
+Cc: Chen-Li Tien <cltien@gmail.com>, David Miller <davem@davemloft.net>
+Subject: PKTGEN: Fix oops when used with balance-tlb bonding
+
+From: Chen-Li Tien <cltien@gmail.com>
+
+Signed-off-by: Chen-Li Tien <cltien@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+
+
+---
+ net/core/pktgen.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.17.11.orig/net/core/pktgen.c
++++ linux-2.6.17.11/net/core/pktgen.c
+@@ -2149,6 +2149,8 @@ static struct sk_buff *fill_packet_ipv4(
+ skb->mac.raw = ((u8 *) iph) - 14 - pkt_dev->nr_labels*sizeof(u32);
+ skb->dev = odev;
+ skb->pkt_type = PACKET_HOST;
++ skb->nh.iph = iph;
++ skb->h.uh = udph;
+
+ if (pkt_dev->nfrags <= 0)
+ pgh = (struct pktgen_hdr *)skb_put(skb, datalen);
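Review bot: The two new header-pointer stores `skb->nh.iph = iph;` / `skb->h.uh = udph;` carry no explanation, and nothing in the hunk says who consumes them; the subject line implies a lower layer (balance-tlb bonding) dereferences skb->nh before transmit, but that is inference. A comment would anchor the fix: `/* lower layers (e.g. bonding) may inspect skb->nh/skb->h; point them at the headers built above */`. The same addition is made for fill_packet_ipv6() in the following patch (`skb->nh.ipv6h = iph;`), and the same comment belongs there. fill_packet_ipv4 starts before and ends after the hunk.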
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Sep 6 07:12:42 2006
+Date: Wed, 06 Sep 2006 06:42:02 -0700 (PDT)
+Message-Id: <20060906.064202.41641990.davem@davemloft.net>
+To: bunk@stusta.de
+From: David Miller <davem@davemloft.net>
+Cc: cltien@gmail.com, stable@kernel.org
+Subject: PKTGEN: Make sure skb->{nh,h} are initialized in fill_packet_ipv6() too.
+
+From: David S. Miller <davem@sunset.davemloft.net>
+
+[PKTGEN]: Make sure skb->{nh,h} are initialized in fill_packet_ipv6() too.
+
+Mirror the bug fix from fill_packet_ipv4()
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/pktgen.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.17.11.orig/net/core/pktgen.c
++++ linux-2.6.17.11/net/core/pktgen.c
+@@ -2460,6 +2460,8 @@ static struct sk_buff *fill_packet_ipv6(
+ skb->protocol = protocol;
+ skb->dev = odev;
+ skb->pkt_type = PACKET_HOST;
++ skb->nh.ipv6h = iph;
++ skb->h.uh = udph;
+
+ if (pkt_dev->nfrags <= 0)
+ pgh = (struct pktgen_hdr *)skb_put(skb, datalen);
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Aug 28 13:56:11 2006
+Date: Mon, 28 Aug 2006 13:55:32 -0700 (PDT)
+Message-Id: <20060828.135532.26965589.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Subject: SCTP: Fix sctp_primitive_ABORT() call in sctp_close().
+
+From: Sridhar Samudrala <sri@us.ibm.com>
+
+With the recent fix, the callers of sctp_primitive_ABORT()
+need to create an ABORT chunk and pass it as an argument rather
+than msghdr that was passed earlier.
+
+Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+---
+ net/sctp/socket.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- linux-2.6.17.11.orig/net/sctp/socket.c
++++ linux-2.6.17.11/net/sctp/socket.c
+@@ -1246,9 +1246,13 @@ SCTP_STATIC void sctp_close(struct sock
+ }
+ }
+
+- if (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime)
+- sctp_primitive_ABORT(asoc, NULL);
+- else
++ if (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime) {
++ struct sctp_chunk *chunk;
++
++ chunk = sctp_make_abort_user(asoc, NULL, 0);
++ if (chunk)
++ sctp_primitive_ABORT(asoc, chunk);
++ } else
+ sctp_primitive_SHUTDOWN(asoc, NULL);
+ }
+
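Review bot: When `sctp_make_abort_user(asoc, NULL, 0)` returns NULL the new block does nothing — neither ABORT nor SHUTDOWN is issued — and control falls out of the if/else silently, where the old code always sent one primitive. If that is the intended behaviour under memory pressure it should say so, e.g. `/* no memory for the ABORT chunk: skip it; the association is torn down below regardless */`, with the second half verified against the code after the hunk, which is not visible here. Kernel style also wants braces on the else branch once the if branch has them: `} else {` / `sctp_primitive_SHUTDOWN(asoc, NULL);` / `}`. sctp_close begins before the hunk.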
dm-add-module-ref-counting.patch
dm-fix-block-device-initialisation.patch
dm-mirror-sector-offset-fix.patch
+tg3-disable-tso-by-default.patch
+sparc64-fix-x-server-crashes-on-sparc64.patch
+sctp-fix-sctp_primitive_abort-call-in-sctp_close.patch
+ipv6-oops-er-triggerable-by-any-user.patch
+fcntl-fix.patch
+bug-in-futex-unqueue_me.patch
+binfmt_elf-fix-checks-for-bad-address.patch
+uhci-hcd-fix-list-access-bug.patch
+silent-data-corruption-caused-by-xpc.patch
+pktgen-make-sure-skb-nh-h-are-initialized-in-fill_packet_ipv6-too.patch
+pktgen-fix-oops-when-used-with-balance-tlb-bonding.patch
+missing-pci-id-update-for-via-ide.patch
+dvb-core-proper-handling-ule-sndu-length-of-0.patch
--- /dev/null
+From dcn@sgi.com Fri Sep 1 08:59:42 2006
+Date: Fri, 1 Sep 2006 10:41:39 -0500
+From: Dean Nelson <dcn@sgi.com>
+To: Greg KH <greg@kroah.com>
+Cc: stable@kernel.org, Robin Holt <holt@sgi.com>, Dean Nelson <dcn@sgi.com>
+Subject: Silent data corruption caused by XPC
+Message-ID: <20060901154139.GA4437@sgi.com>
+Content-Disposition: inline
+
+From: Robin Holt <holt@sgi.com>
+
+Jack Steiner identified a problem where XPC can cause a silent
+data corruption. On module load, the placement may cause the
+xpc_remote_copy_buffer to span two physical pages. DMA transfers are
+done to the start virtual address translated to physical.
+
+This patch changes the buffer from a statically allocated buffer to a
+kmalloc'd buffer. Dean Nelson reviewed this before posting. I have
+tested it in the configuration that was showing the memory corruption
+and verified it works. I also added a BUG_ON statement to help catch
+this if a similar situation is encountered.
+
+Signed-off-by: Robin Holt <holt@sgi.com>
+Signed-off-by: Dean Nelson <dcn@sgi.com>
+Signed-off-by: Jack Steiner <steiner@sgi.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/ia64/sn/kernel/xpc_channel.c | 4 ++--
+ arch/ia64/sn/kernel/xpc_main.c | 28 ++++++++++++++++------------
+ arch/ia64/sn/kernel/xpc_partition.c | 24 ++++++++----------------
+ include/asm-ia64/sn/xp.h | 22 ++++++++++++++++++----
+ include/asm-ia64/sn/xpc.h | 4 +++-
+ 5 files changed, 47 insertions(+), 35 deletions(-)
+
+--- linux-2.6.17.11.orig/arch/ia64/sn/kernel/xpc_channel.c
++++ linux-2.6.17.11/arch/ia64/sn/kernel/xpc_channel.c
+@@ -279,8 +279,8 @@ xpc_pull_remote_cachelines(struct xpc_pa
+ return part->reason;
+ }
+
+- bte_ret = xp_bte_copy((u64) src, (u64) ia64_tpa((u64) dst),
+- (u64) cnt, (BTE_NORMAL | BTE_WACQUIRE), NULL);
++ bte_ret = xp_bte_copy((u64) src, (u64) dst, (u64) cnt,
++ (BTE_NORMAL | BTE_WACQUIRE), NULL);
+ if (bte_ret == BTE_SUCCESS) {
+ return xpcSuccess;
+ }
+--- linux-2.6.17.11.orig/arch/ia64/sn/kernel/xpc_main.c
++++ linux-2.6.17.11/arch/ia64/sn/kernel/xpc_main.c
+@@ -1052,6 +1052,8 @@ xpc_do_exit(enum xpc_retval reason)
+ if (xpc_sysctl) {
+ unregister_sysctl_table(xpc_sysctl);
+ }
++
++ kfree(xpc_remote_copy_buffer_base);
+ }
+
+
+@@ -1212,24 +1214,20 @@ xpc_init(void)
+ partid_t partid;
+ struct xpc_partition *part;
+ pid_t pid;
++ size_t buf_size;
+
+
+ if (!ia64_platform_is("sn2")) {
+ return -ENODEV;
+ }
+
+- /*
+- * xpc_remote_copy_buffer is used as a temporary buffer for bte_copy'ng
+- * various portions of a partition's reserved page. Its size is based
+- * on the size of the reserved page header and part_nasids mask. So we
+- * need to ensure that the other items will fit as well.
+- */
+- if (XPC_RP_VARS_SIZE > XPC_RP_HEADER_SIZE + XP_NASID_MASK_BYTES) {
+- dev_err(xpc_part, "xpc_remote_copy_buffer is not big enough\n");
+- return -EPERM;
+- }
+- DBUG_ON((u64) xpc_remote_copy_buffer !=
+- L1_CACHE_ALIGN((u64) xpc_remote_copy_buffer));
++
++ buf_size = max(XPC_RP_VARS_SIZE,
++ XPC_RP_HEADER_SIZE + XP_NASID_MASK_BYTES);
++ xpc_remote_copy_buffer = xpc_kmalloc_cacheline_aligned(buf_size,
++ GFP_KERNEL, &xpc_remote_copy_buffer_base);
++ if (xpc_remote_copy_buffer == NULL)
++ return -ENOMEM;
+
+ snprintf(xpc_part->bus_id, BUS_ID_SIZE, "part");
+ snprintf(xpc_chan->bus_id, BUS_ID_SIZE, "chan");
+@@ -1293,6 +1291,8 @@ xpc_init(void)
+ if (xpc_sysctl) {
+ unregister_sysctl_table(xpc_sysctl);
+ }
++
++ kfree(xpc_remote_copy_buffer_base);
+ return -EBUSY;
+ }
+
+@@ -1311,6 +1311,8 @@ xpc_init(void)
+ if (xpc_sysctl) {
+ unregister_sysctl_table(xpc_sysctl);
+ }
++
++ kfree(xpc_remote_copy_buffer_base);
+ return -EBUSY;
+ }
+
+@@ -1362,6 +1364,8 @@ xpc_init(void)
+ if (xpc_sysctl) {
+ unregister_sysctl_table(xpc_sysctl);
+ }
++
++ kfree(xpc_remote_copy_buffer_base);
+ return -EBUSY;
+ }
+
+--- linux-2.6.17.11.orig/arch/ia64/sn/kernel/xpc_partition.c
++++ linux-2.6.17.11/arch/ia64/sn/kernel/xpc_partition.c
+@@ -71,19 +71,15 @@ struct xpc_partition xpc_partitions[XP_M
+ * Generic buffer used to store a local copy of portions of a remote
+ * partition's reserved page (either its header and part_nasids mask,
+ * or its vars).
+- *
+- * xpc_discovery runs only once and is a seperate thread that is
+- * very likely going to be processing in parallel with receiving
+- * interrupts.
+ */
+-char ____cacheline_aligned xpc_remote_copy_buffer[XPC_RP_HEADER_SIZE +
+- XP_NASID_MASK_BYTES];
++char *xpc_remote_copy_buffer;
++void *xpc_remote_copy_buffer_base;
+
+
+ /*
+ * Guarantee that the kmalloc'd memory is cacheline aligned.
+ */
+-static void *
++void *
+ xpc_kmalloc_cacheline_aligned(size_t size, gfp_t flags, void **base)
+ {
+ /* see if kmalloc will give us cachline aligned memory by default */
+@@ -148,7 +144,7 @@ xpc_get_rsvd_page_pa(int nasid)
+ }
+ }
+
+- bte_res = xp_bte_copy(rp_pa, ia64_tpa(buf), buf_len,
++ bte_res = xp_bte_copy(rp_pa, buf, buf_len,
+ (BTE_NOTIFY | BTE_WACQUIRE), NULL);
+ if (bte_res != BTE_SUCCESS) {
+ dev_dbg(xpc_part, "xp_bte_copy failed %i\n", bte_res);
+@@ -447,7 +443,7 @@ xpc_check_remote_hb(void)
+
+ /* pull the remote_hb cache line */
+ bres = xp_bte_copy(part->remote_vars_pa,
+- ia64_tpa((u64) remote_vars),
++ (u64) remote_vars,
+ XPC_RP_VARS_SIZE,
+ (BTE_NOTIFY | BTE_WACQUIRE), NULL);
+ if (bres != BTE_SUCCESS) {
+@@ -498,8 +494,7 @@ xpc_get_remote_rp(int nasid, u64 *discov
+
+
+ /* pull over the reserved page header and part_nasids mask */
+-
+- bres = xp_bte_copy(*remote_rp_pa, ia64_tpa((u64) remote_rp),
++ bres = xp_bte_copy(*remote_rp_pa, (u64) remote_rp,
+ XPC_RP_HEADER_SIZE + xp_nasid_mask_bytes,
+ (BTE_NOTIFY | BTE_WACQUIRE), NULL);
+ if (bres != BTE_SUCCESS) {
+@@ -554,11 +549,8 @@ xpc_get_remote_vars(u64 remote_vars_pa,
+ return xpcVarsNotSet;
+ }
+
+-
+ /* pull over the cross partition variables */
+-
+- bres = xp_bte_copy(remote_vars_pa, ia64_tpa((u64) remote_vars),
+- XPC_RP_VARS_SIZE,
++ bres = xp_bte_copy(remote_vars_pa, (u64) remote_vars, XPC_RP_VARS_SIZE,
+ (BTE_NOTIFY | BTE_WACQUIRE), NULL);
+ if (bres != BTE_SUCCESS) {
+ return xpc_map_bte_errors(bres);
+@@ -1239,7 +1231,7 @@ xpc_initiate_partid_to_nasids(partid_t p
+
+ part_nasid_pa = (u64) XPC_RP_PART_NASIDS(part->remote_rp_pa);
+
+- bte_res = xp_bte_copy(part_nasid_pa, ia64_tpa((u64) nasid_mask),
++ bte_res = xp_bte_copy(part_nasid_pa, (u64) nasid_mask,
+ xp_nasid_mask_bytes, (BTE_NOTIFY | BTE_WACQUIRE), NULL);
+
+ return xpc_map_bte_errors(bte_res);
+--- linux-2.6.17.11.orig/include/asm-ia64/sn/xp.h
++++ linux-2.6.17.11/include/asm-ia64/sn/xp.h
+@@ -60,23 +60,37 @@
+ * the bte_copy() once in the hope that the failure was due to a temporary
+ * aberration (i.e., the link going down temporarily).
+ *
+- * See bte_copy for definition of the input parameters.
++ * src - physical address of the source of the transfer.
++ * vdst - virtual address of the destination of the transfer.
++ * len - number of bytes to transfer from source to destination.
++ * mode - see bte_copy() for definition.
++ * notification - see bte_copy() for definition.
+ *
+ * Note: xp_bte_copy() should never be called while holding a spinlock.
+ */
+ static inline bte_result_t
+-xp_bte_copy(u64 src, u64 dest, u64 len, u64 mode, void *notification)
++xp_bte_copy(u64 src, u64 vdst, u64 len, u64 mode, void *notification)
+ {
+ bte_result_t ret;
++ u64 pdst = ia64_tpa(vdst);
+
+
+- ret = bte_copy(src, dest, len, mode, notification);
++ /*
++ * Ensure that the physically mapped memory is contiguous.
++ *
++ * We do this by ensuring that the memory is from region 7 only.
++ * If the need should arise to use memory from one of the other
++ * regions, then modify the BUG_ON() statement to ensure that the
++ * memory from that region is always physically contiguous.
++ */
++ BUG_ON(REGION_NUMBER(vdst) != RGN_KERNEL);
+
++ ret = bte_copy(src, pdst, len, mode, notification);
+ if (ret != BTE_SUCCESS) {
+ if (!in_interrupt()) {
+ cond_resched();
+ }
+- ret = bte_copy(src, dest, len, mode, notification);
++ ret = bte_copy(src, pdst, len, mode, notification);
+ }
+
+ return ret;
+--- linux-2.6.17.11.orig/include/asm-ia64/sn/xpc.h
++++ linux-2.6.17.11/include/asm-ia64/sn/xpc.h
+@@ -684,7 +684,9 @@ extern struct xpc_vars *xpc_vars;
+ extern struct xpc_rsvd_page *xpc_rsvd_page;
+ extern struct xpc_vars_part *xpc_vars_part;
+ extern struct xpc_partition xpc_partitions[XP_MAX_PARTITIONS + 1];
+-extern char xpc_remote_copy_buffer[];
++extern char *xpc_remote_copy_buffer;
++extern void *xpc_remote_copy_buffer_base;
++extern void *xpc_kmalloc_cacheline_aligned(size_t, gfp_t, void **);
+ extern struct xpc_rsvd_page *xpc_rsvd_page_init(void);
+ extern void xpc_allow_IPI_ops(void);
+ extern void xpc_restrict_IPI_ops(void);
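Review bot: The block comment explaining what xpc_remote_copy_buffer is for and why its size derives from the reserved-page header and nasid mask is deleted in xpc_init() (second xpc_main.c hunk) and nothing replaces it at the new allocation, so the reason the buffer moved from static storage to kmalloc — the static one could straddle two physical pages, per the description — is lost at the one place a reader would look. Suggested: `/* Temporary buffer for bte_copy of reserved-page pieces; kmalloc'd so the backing memory is physically contiguous (a static buffer could span two pages), sized for the larger of the vars and header+mask copies. */`. The xpc_init() error paths now repeat `unregister_sysctl_table(...)` plus `kfree(xpc_remote_copy_buffer_base);` in four places; a single cleanup label at the end of the function would keep future unwind steps in one spot. In xpc_do_exit() the two pointers are not reset to NULL after the kfree, which is fine only if nothing can run afterwards — worth a look. xpc_init and xpc_do_exit both extend past their hunks.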
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Aug 28 00:41:14 2006
+Date: Mon, 28 Aug 2006 00:40:40 -0700 (PDT)
+Message-Id: <20060828.004040.10298405.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Subject: SPARC64: Fix X server crashes on sparc64
+
+From: David S. Miller <davem@davemloft.net>
+
+[SPARC64]: Fix X server hangs due to large pages.
+
+This problem was introduced by changeset
+14778d9072e53d2171f66ffd9657daff41acfaed
+
+Unlike the hugetlb code paths, the normal fault code is not setup to
+propagate PTE changes for large page sizes correctly like the ones we
+make for I/O mappings in io_remap_pfn_range().
+
+It is absolutely necessary to update all sub-ptes of a largepage
+mapping on a fault. Adding special handling for this would add
+considerably complexity to tlb_batch_add(). So let's just side-step
+the issue and forcefully dirty any writable PTEs created by
+io_remap_pfn_range().
+
+The only other real option would be to disable to large PTE code of
+io_remap_pfn_range() and we really don't want to do that.
+
+Much thanks to Mikael Pettersson for tracking down this problem and
+testing debug patches.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+---
+ arch/sparc64/mm/generic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.17.11.orig/arch/sparc64/mm/generic.c
++++ linux-2.6.17.11/arch/sparc64/mm/generic.c
+@@ -69,6 +69,8 @@ static inline void io_remap_pte_range(st
+ } else
+ offset += PAGE_SIZE;
+
++ if (pte_write(entry))
++ entry = pte_mkdirty(entry);
+ do {
+ BUG_ON(!pte_none(*pte));
+ set_pte_at(mm, address, pte, entry);
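Review bot: The new `if (pte_write(entry)) entry = pte_mkdirty(entry);` has no comment, and forcing the dirty bit on a freshly created mapping looks wrong without the reasoning from the description. Put it at the site: `/* Pre-dirty writable I/O mappings: the fault path cannot propagate PTE changes across all sub-PTEs of a large page, so never leave it a clean writable entry to fix up. */`. io_remap_pte_range starts before the hunk and continues after it.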
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Aug 25 14:55:37 2006
+From: "Michael Chan" <mchan@broadcom.com>
+To: stable@kernel.org, davem@davemloft.net
+Date: Fri, 25 Aug 2006 14:54:13 -0700
+Message-ID: <1156542854.5021.2.camel@rh4>
+Subject: TG3: Disable TSO by default
+
+From: Michael Chan <mchan@broadcom.com>
+
+Disable TSO by default on some chips due to hardware errata.
+
+Enabling TSO can lead to tx timeouts in some cases when the TSO
+header size exceeds 80 bytes on the affected chips. This limit
+can be exceeded when the TCP header contains the timestamp option
+plus 2 SACK blocks, for example. A more complete workaround is
+available in the next 2.6.18 kernel.
+
+Signed-off-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/net/tg3.c | 12 ++++++++----
+ drivers/net/tg3.h | 1 +
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- linux-2.6.17.11.orig/drivers/net/tg3.c
++++ linux-2.6.17.11/drivers/net/tg3.c
+@@ -69,8 +69,8 @@
+
+ #define DRV_MODULE_NAME "tg3"
+ #define PFX DRV_MODULE_NAME ": "
+-#define DRV_MODULE_VERSION "3.59"
+-#define DRV_MODULE_RELDATE "June 8, 2006"
++#define DRV_MODULE_VERSION "3.59.1"
++#define DRV_MODULE_RELDATE "August 25, 2006"
+
+ #define TG3_DEF_MAC_MODE 0
+ #define TG3_DEF_RX_MODE 0
+@@ -11381,11 +11381,15 @@ static int __devinit tg3_init_one(struct
+ tp->tg3_flags2 |= TG3_FLG2_TSO_CAPABLE;
+ }
+
+- /* TSO is on by default on chips that support hardware TSO.
++ /* TSO is on by default on chips that support HW_TSO_2.
++ * Some HW_TSO_1 capable chips have bugs that can lead to
++ * tx timeouts in some cases when TSO is enabled.
+ * Firmware TSO on older chips gives lower performance, so it
+ * is off by default, but can be enabled using ethtool.
+ */
+- if (tp->tg3_flags2 & TG3_FLG2_HW_TSO)
++ if ((tp->tg3_flags2 & TG3_FLG2_HW_TSO_2) ||
++ (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5750 &&
++ tp->pci_chip_rev_id >= CHIPREV_ID_5750_C2))
+ dev->features |= NETIF_F_TSO;
+
+ #endif
+--- linux-2.6.17.11.orig/drivers/net/tg3.h
++++ linux-2.6.17.11/drivers/net/tg3.h
+@@ -125,6 +125,7 @@
+ #define CHIPREV_ID_5750_A0 0x4000
+ #define CHIPREV_ID_5750_A1 0x4001
+ #define CHIPREV_ID_5750_A3 0x4003
++#define CHIPREV_ID_5750_C2 0x4202
+ #define CHIPREV_ID_5752_A0_HW 0x5000
+ #define CHIPREV_ID_5752_A0 0x6000
+ #define CHIPREV_ID_5752_A1 0x6001
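Review bot: The rewritten comment in tg3_init_one() explains the HW_TSO_2 half of the condition but not the second clause, `GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5750 && tp->pci_chip_rev_id >= CHIPREV_ID_5750_C2`, so the reader is left to guess why 5750 C2 and later are exempt. Extend the comment with the reason, presumably along the lines of `* 5750 revisions C2 and later are believed free of the HW_TSO_1 errata.`, confirming the wording against the errata. A small predicate such as a new `tg3_tso_default_on(tp)` helper would also keep the two-line condition out of the already long init function, which starts and ends outside the hunk.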
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Aug 31 11:19:22 2006
+Date: Thu, 31 Aug 2006 14:18:39 -0400 (EDT)
+From: Alan Stern <stern@rowland.harvard.edu>
+To: Greg KH <greg@kroah.com>, <stable@kernel.org>
+Message-ID: <Pine.LNX.4.44L0.0608311406200.15529-100000@iolanthe.rowland.org>
+Cc: Duncan Sands <baldrick@free.fr>,
+ USB development list <linux-usb-devel@lists.sourceforge.net>
+Subject: uhci-hcd: fix list access bug
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+When skipping to the last TD of an URB, go to the _last_ entry in the
+list instead of the _first_ entry (as780). This fixes Bugzilla #6747 and
+possibly others.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/uhci-q.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.17.11.orig/drivers/usb/host/uhci-q.c
++++ linux-2.6.17.11/drivers/usb/host/uhci-q.c
+@@ -264,7 +264,7 @@ static void uhci_fixup_toggles(struct uh
+ * need to change any toggles in this URB */
+ td = list_entry(urbp->td_list.next, struct uhci_td, list);
+ if (toggle > 1 || uhci_toggle(td_token(td)) == toggle) {
+- td = list_entry(urbp->td_list.next, struct uhci_td,
++ td = list_entry(urbp->td_list.prev, struct uhci_td,
+ list);
+ toggle = uhci_toggle(td_token(td)) ^ 1;
+