--- /dev/null
+From stable-bounces@linux.kernel.org Sat Jul 15 17:21:18 2006
+From: Marcel Holtmann <marcel@holtmann.org>
+To: Greg KH <gregkh@suse.de>
+Date: Sun, 16 Jul 2006 02:20:53 +0200
+Message-Id: <1153009253.12764.20.camel@localhost>
+Cc: Andrew Morton <akpm@osdl.org>, torvalds@osdl.org,
+ linux-kernel@vger.kernel.org, stable@kernel.org
+Subject: Don't allow chmod() on the /proc/<pid>/ files
+
+From: Marcel Holtmann <marcel@holtmann.org>
+
+Don't allow chmod() on the /proc/<pid>/ files
+
+This just turns off chmod() on the /proc/<pid>/ files, since there is no
+good reason to allow it, and had we disallowed it originally, the nasty
+/proc race exploit wouldn't have been possible.
+
+The other patches already fixed the problem chmod() could cause, so this
+is really just some final mop-up..
+
+This particular version is based off a patch by Eugene and Marcel which
+had much better naming than my original equivalent one.
+
+Signed-off-by: Eugene Teo <eteo@redhat.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/proc/base.c | 33 ++++++++++++++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+--- linux-2.6.17.7.orig/fs/proc/base.c
++++ linux-2.6.17.7/fs/proc/base.c
+@@ -596,6 +596,27 @@ static int proc_permission(struct inode
+ return proc_check_root(inode);
+ }
+
++static int proc_setattr(struct dentry *dentry, struct iattr *attr)
++{
++ int error;
++ struct inode *inode = dentry->d_inode;
++
++ if (attr->ia_valid & ATTR_MODE)
++ return -EPERM;
++
++ error = inode_change_ok(inode, attr);
++ if (!error) {
++ error = security_inode_setattr(dentry, attr);
++ if (!error)
++ error = inode_setattr(inode, attr);
++ }
++ return error;
++}
++
++static struct inode_operations proc_def_inode_operations = {
++ .setattr = proc_setattr,
++};
++
+ static int proc_task_permission(struct inode *inode, int mask, struct nameidata *nd)
+ {
+ struct dentry *root;
+@@ -987,6 +1008,7 @@ static struct file_operations proc_oom_a
+
+ static struct inode_operations proc_mem_inode_operations = {
+ .permission = proc_permission,
++ .setattr = proc_setattr,
+ };
+
+ #ifdef CONFIG_AUDITSYSCALL
+@@ -1184,7 +1206,8 @@ out:
+
+ static struct inode_operations proc_pid_link_inode_operations = {
+ .readlink = proc_pid_readlink,
+- .follow_link = proc_pid_follow_link
++ .follow_link = proc_pid_follow_link,
++ .setattr = proc_setattr,
+ };
+
+ #define NUMBUF 10
+@@ -1356,6 +1379,7 @@ static struct inode *proc_pid_make_inode
+ ei->task = NULL;
+ inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME;
+ inode->i_ino = fake_ino(task->pid, ino);
++ inode->i_op = &proc_def_inode_operations;
+
+ if (!pid_alive(task))
+ goto out_unlock;
+@@ -1579,11 +1603,13 @@ static struct file_operations proc_task_
+ static struct inode_operations proc_fd_inode_operations = {
+ .lookup = proc_lookupfd,
+ .permission = proc_permission,
++ .setattr = proc_setattr,
+ };
+
+ static struct inode_operations proc_task_inode_operations = {
+ .lookup = proc_task_lookup,
+ .permission = proc_task_permission,
++ .setattr = proc_setattr,
+ };
+
+ #ifdef CONFIG_SECURITY
+@@ -1873,10 +1899,12 @@ static struct file_operations proc_tid_b
+
+ static struct inode_operations proc_tgid_base_inode_operations = {
+ .lookup = proc_tgid_base_lookup,
++ .setattr = proc_setattr,
+ };
+
+ static struct inode_operations proc_tid_base_inode_operations = {
+ .lookup = proc_tid_base_lookup,
++ .setattr = proc_setattr,
+ };
+
+ #ifdef CONFIG_SECURITY
+@@ -1918,10 +1946,12 @@ static struct dentry *proc_tid_attr_look
+
+ static struct inode_operations proc_tgid_attr_inode_operations = {
+ .lookup = proc_tgid_attr_lookup,
++ .setattr = proc_setattr,
+ };
+
+ static struct inode_operations proc_tid_attr_inode_operations = {
+ .lookup = proc_tid_attr_lookup,
++ .setattr = proc_setattr,
+ };
+ #endif
+
+@@ -1946,6 +1976,7 @@ static void *proc_self_follow_link(struc
+ static struct inode_operations proc_self_inode_operations = {
+ .readlink = proc_self_readlink,
+ .follow_link = proc_self_follow_link,
++ .setattr = proc_setattr,
+ };
+
+ /**
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jul 28 15:08:08 2006
+Message-ID: <44CA8A59.40002@intel.com>
+Date: Fri, 28 Jul 2006 15:06:17 -0700
+From: Auke Kok <auke-jan.h.kok@intel.com>
+To: Greg KH <greg@kroah.com>, stable@kernel.org
+Cc: Auke Kok <auke-jan.h.kok@intel.com>, NetDev <netdev@vger.kernel.org>,
+ "John W. Linville" <linville@tuxdriver.com>,
+ Jesse Brandeburg <jesse.brandeburg@intel.com>,
+ "Ronciak,
+ John" <john.ronciak@intel.com>,
+ "Kok, Auke" <auke@foo-projects.org>
+Subject: e1000: add forgotten PCI ID for supported device
+
+From: Auke Kok <auke-jan.h.kok@intel.com>
+
+The Intel(R) PRO/1000 82572EI card is fully supported by 7.0.33-k2 and
+onward. Add the device ID so this card works with 2.6.17.y onward. This
+device ID was accidentally omitted.
+
+Signed-off-by: Auke Kok <auke-jan.h.kok@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/e1000/e1000_hw.c | 1 +
+ drivers/net/e1000/e1000_hw.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- linux-2.6.17.7.orig/drivers/net/e1000/e1000_hw.c
++++ linux-2.6.17.7/drivers/net/e1000/e1000_hw.c
+@@ -353,6 +353,7 @@ e1000_set_mac_type(struct e1000_hw *hw)
+ case E1000_DEV_ID_82572EI_COPPER:
+ case E1000_DEV_ID_82572EI_FIBER:
+ case E1000_DEV_ID_82572EI_SERDES:
++ case E1000_DEV_ID_82572EI:
+ hw->mac_type = e1000_82572;
+ break;
+ case E1000_DEV_ID_82573E:
+--- linux-2.6.17.7.orig/drivers/net/e1000/e1000_hw.h
++++ linux-2.6.17.7/drivers/net/e1000/e1000_hw.h
+@@ -462,6 +462,7 @@ int32_t e1000_check_phy_reset_block(stru
+ #define E1000_DEV_ID_82572EI_COPPER 0x107D
+ #define E1000_DEV_ID_82572EI_FIBER 0x107E
+ #define E1000_DEV_ID_82572EI_SERDES 0x107F
++#define E1000_DEV_ID_82572EI 0x10B9
+ #define E1000_DEV_ID_82573E 0x108B
+ #define E1000_DEV_ID_82573E_IAMT 0x108C
+ #define E1000_DEV_ID_82573L 0x109A
--- /dev/null
+From stable-bounces@linux.kernel.org Sun Jul 30 03:04:26 2006
+Message-Id: <200607301003.k6UA31hC002485@shell0.pdx.osdl.net>
+To: torvalds@osdl.org
+From: akpm@osdl.org
+Date: Sun, 30 Jul 2006 03:03:01 -0700
+Cc: akpm@osdl.org, jack@suse.cz, esandeen@redhat.com, neilb@suse.de,
+ sct@redhat.com, marcel@holtmann.org, stable@kernel.org
+Subject: ext3: avoid triggering ext3_error on bad NFS file handle
+
+From: Neil Brown <neilb@suse.de>
+
+The inode number out of an NFS file handle gets passed eventually to
+ext3_get_inode_block() without any checking. If ext3_get_inode_block()
+allows it to trigger an error, then bad filehandles can have unpleasant
+effect - ext3_error() will usually cause a forced read-only remount, or a
+panic if `errors=panic' was used.
+
+So remove the call to ext3_error there and put a matching check in
+ext3/namei.c where inode numbers are read off storage.
+
+[akpm@osdl.org: fix off-by-one error]
+Signed-off-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: "Stephen C. Tweedie" <sct@redhat.com>
+Cc: Eric Sandeen <esandeen@redhat.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext3/inode.c | 13 +++++++------
+ fs/ext3/namei.c | 15 +++++++++++++--
+ include/linux/ext3_fs.h | 9 +++++++++
+ 3 files changed, 29 insertions(+), 8 deletions(-)
+
+--- linux-2.6.17.7.orig/fs/ext3/inode.c
++++ linux-2.6.17.7/fs/ext3/inode.c
+@@ -2402,14 +2402,15 @@ static unsigned long ext3_get_inode_bloc
+ struct buffer_head *bh;
+ struct ext3_group_desc * gdp;
+
+-
+- if ((ino != EXT3_ROOT_INO && ino != EXT3_JOURNAL_INO &&
+- ino != EXT3_RESIZE_INO && ino < EXT3_FIRST_INO(sb)) ||
+- ino > le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count)) {
+- ext3_error(sb, "ext3_get_inode_block",
+- "bad inode number: %lu", ino);
++ if (!ext3_valid_inum(sb, ino)) {
++ /*
++ * This error is already checked for in namei.c unless we are
++ * looking at an NFS filehandle, in which case no error
++ * report is needed
++ */
+ return 0;
+ }
++
+ block_group = (ino - 1) / EXT3_INODES_PER_GROUP(sb);
+ if (block_group >= EXT3_SB(sb)->s_groups_count) {
+ ext3_error(sb,"ext3_get_inode_block","group >= groups count");
+--- linux-2.6.17.7.orig/fs/ext3/namei.c
++++ linux-2.6.17.7/fs/ext3/namei.c
+@@ -1000,7 +1000,12 @@ static struct dentry *ext3_lookup(struct
+ if (bh) {
+ unsigned long ino = le32_to_cpu(de->inode);
+ brelse (bh);
+- inode = iget(dir->i_sb, ino);
++ if (!ext3_valid_inum(dir->i_sb, ino)) {
++ ext3_error(dir->i_sb, "ext3_lookup",
++ "bad inode number: %lu", ino);
++ inode = NULL;
++ } else
++ inode = iget(dir->i_sb, ino);
+
+ if (!inode)
+ return ERR_PTR(-EACCES);
+@@ -1028,7 +1033,13 @@ struct dentry *ext3_get_parent(struct de
+ return ERR_PTR(-ENOENT);
+ ino = le32_to_cpu(de->inode);
+ brelse(bh);
+- inode = iget(child->d_inode->i_sb, ino);
++
++ if (!ext3_valid_inum(child->d_inode->i_sb, ino)) {
++ ext3_error(child->d_inode->i_sb, "ext3_get_parent",
++ "bad inode number: %lu", ino);
++ inode = NULL;
++ } else
++ inode = iget(child->d_inode->i_sb, ino);
+
+ if (!inode)
+ return ERR_PTR(-EACCES);
+--- linux-2.6.17.7.orig/include/linux/ext3_fs.h
++++ linux-2.6.17.7/include/linux/ext3_fs.h
+@@ -495,6 +495,15 @@ static inline struct ext3_inode_info *EX
+ {
+ return container_of(inode, struct ext3_inode_info, vfs_inode);
+ }
++
++static inline int ext3_valid_inum(struct super_block *sb, unsigned long ino)
++{
++ return ino == EXT3_ROOT_INO ||
++ ino == EXT3_JOURNAL_INO ||
++ ino == EXT3_RESIZE_INO ||
++ (ino >= EXT3_FIRST_INO(sb) &&
++ ino <= le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count));
++}
+ #else
+ /* Assume that user mode programs are passing in an ext3fs superblock, not
+ * a kernel struct super_block. This will allow us to call the feature-test
--- /dev/null
+From stable-bounces@linux.kernel.org Sun Jul 30 03:05:05 2006
+Message-Id: <200607301004.k6UA4E5T002773@shell0.pdx.osdl.net>
+To: torvalds@osdl.org
+From: akpm@osdl.org
+Date: Sun, 30 Jul 2006 03:04:14 -0700
+Cc: akpm@osdl.org, pbadari@us.ibm.com, stable@kernel.org
+Subject: ext3 -nobh option causes oops
+
+From: Badari Pulavarty <pbadari@us.ibm.com>
+
+For files other than IFREG, nobh option doesn't make sense. Modifications
+to them are journalled and needs buffer heads to do that. Without this
+patch, we get kernel oops in page_buffers().
+
+Signed-off-by: Badari Pulavarty <pbadari@us.ibm.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext3/inode.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- linux-2.6.17.7.orig/fs/ext3/inode.c
++++ linux-2.6.17.7/fs/ext3/inode.c
+@@ -1159,7 +1159,7 @@ retry:
+ ret = PTR_ERR(handle);
+ goto out;
+ }
+- if (test_opt(inode->i_sb, NOBH))
++ if (test_opt(inode->i_sb, NOBH) && ext3_should_writeback_data(inode))
+ ret = nobh_prepare_write(page, from, to, ext3_get_block);
+ else
+ ret = block_prepare_write(page, from, to, ext3_get_block);
+@@ -1245,7 +1245,7 @@ static int ext3_writeback_commit_write(s
+ if (new_i_size > EXT3_I(inode)->i_disksize)
+ EXT3_I(inode)->i_disksize = new_i_size;
+
+- if (test_opt(inode->i_sb, NOBH))
++ if (test_opt(inode->i_sb, NOBH) && ext3_should_writeback_data(inode))
+ ret = nobh_commit_write(file, page, from, to);
+ else
+ ret = generic_commit_write(file, page, from, to);
+@@ -1495,7 +1495,7 @@ static int ext3_writeback_writepage(stru
+ goto out_fail;
+ }
+
+- if (test_opt(inode->i_sb, NOBH))
++ if (test_opt(inode->i_sb, NOBH) && ext3_should_writeback_data(inode))
+ ret = nobh_writepage(page, ext3_get_block, wbc);
+ else
+ ret = block_write_full_page(page, ext3_get_block, wbc);
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Aug 2 17:21:12 2006
+From: Neil Brown <neilb@suse.de>
+To: Philipp Matthias Hahn <pmhahn@svs.Informatik.Uni-Oldenburg.de>
+Date: Thu, 3 Aug 2006 10:20:12 +1000
+Message-ID: <17617.16700.274788.869486@cse.unsw.edu.au>
+Cc: akpm@osdl.org, nfs@lists.sourceforge.net, stable@kernel.org,
+ linux-kernel@vger.kernel.org
+Subject: Fix race related problem when adding items to and svcrpc auth cache.
+
+From: Neil Brown <neilb@suse.de>
+
+Fix race related problem when adding items to and svcrpc auth cache.
+
+If we don't find the item we are lookng for, we allocate a new one,
+and then grab the lock again and search to see if it has been added
+while we did the alloc.
+If it had been added we need to 'cache_put' the newly created item
+that we are never going to use. But as it hasn't been initialised
+properly, putting it can cause an oops.
+
+So move the ->init call earlier to that it will always be fully
+initilised if we have to put it.
+
+Thanks to Philipp Matthias Hahn <pmhahn@svs.Informatik.Uni-Oldenburg.de>
+for reporting the problem.
+
+Signed-off-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ net/sunrpc/cache.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- linux-2.6.17.7.orig/net/sunrpc/cache.c
++++ linux-2.6.17.7/net/sunrpc/cache.c
+@@ -71,7 +71,12 @@ struct cache_head *sunrpc_cache_lookup(s
+ new = detail->alloc();
+ if (!new)
+ return NULL;
++ /* must fully initialise 'new', else
++ * we might get lose if we need to
++ * cache_put it soon.
++ */
+ cache_init(new);
++ detail->init(new, key);
+
+ write_lock(&detail->hash_lock);
+
+@@ -85,7 +90,6 @@ struct cache_head *sunrpc_cache_lookup(s
+ return tmp;
+ }
+ }
+- detail->init(new, key);
+ new->next = *head;
+ *head = new;
+ detail->entries++;
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Jul 24 17:33:30 2006
+Message-ID: <44C56652.5020606@trash.net>
+Date: Tue, 25 Jul 2006 02:31:14 +0200
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Cc: "David S. Miller" <davem@davemloft.net>
+Subject: [NETFILTER]: H.323 helper: fix possible NULL-ptr dereference
+
+From: Patrick McHardy <kaber@trash.net>
+
+[NETFILTER]: H.323 helper: fix possible NULL-ptr dereference
+
+An RCF message containing a timeout results in a NULL-ptr dereference if
+no RRQ has been seen before.
+
+Noticed by the "SATURN tool", reported by Thomas Dillig <tdillig@stanford.edu>
+and Isil Dillig <isil@stanford.edu>.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/netfilter/ip_conntrack_helper_h323.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.17.7.orig/net/ipv4/netfilter/ip_conntrack_helper_h323.c
++++ linux-2.6.17.7/net/ipv4/netfilter/ip_conntrack_helper_h323.c
+@@ -1092,7 +1092,7 @@ static struct ip_conntrack_expect *find_
+ tuple.dst.protonum = IPPROTO_TCP;
+
+ exp = __ip_conntrack_expect_find(&tuple);
+- if (exp->master == ct)
++ if (exp && exp->master == ct)
+ return exp;
+ return NULL;
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Jul 26 12:48:02 2006
+Date: Wed, 26 Jul 2006 21:47:41 +0200
+From: Jean Delvare <khali@linux-fr.org>
+To: stable@kernel.org
+Message-Id: <20060726214741.d895b5e0.khali@linux-fr.org>
+Subject: scx200_acb: Fix the state machine
+Content-Disposition: inline; filename=i2c-01-scx200_acb-fix-state-machine.patch
+
+From: Thomas Andrews <tandrews@grok.co.za>
+
+Fix the scx200_acb state machine:
+
+* Nack was sent one byte too late on reads >= 2 bytes.
+* Stop bit was set one byte too late on reads.
+
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/i2c/busses/scx200_acb.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- linux-2.6.17.7.orig/drivers/i2c/busses/scx200_acb.c
++++ linux-2.6.17.7/drivers/i2c/busses/scx200_acb.c
+@@ -181,21 +181,21 @@ static void scx200_acb_machine(struct sc
+ break;
+
+ case state_read:
+- /* Set ACK if receiving the last byte */
+- if (iface->len == 1)
++ /* Set ACK if _next_ byte will be the last one */
++ if (iface->len == 2)
+ outb(inb(ACBCTL1) | ACBCTL1_ACK, ACBCTL1);
+ else
+ outb(inb(ACBCTL1) & ~ACBCTL1_ACK, ACBCTL1);
+
+- *iface->ptr++ = inb(ACBSDA);
+- --iface->len;
+-
+- if (iface->len == 0) {
++ if (iface->len == 1) {
+ iface->result = 0;
+ iface->state = state_idle;
+ outb(inb(ACBCTL1) | ACBCTL1_STOP, ACBCTL1);
+ }
+
++ *iface->ptr++ = inb(ACBSDA);
++ --iface->len;
++
+ break;
+
+ case state_write:
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Jul 26 12:52:59 2006
+Date: Wed, 26 Jul 2006 21:50:15 +0200
+From: Jean Delvare <khali@linux-fr.org>
+To: stable@kernel.org
+Message-Id: <20060726215015.9da8afda.khali@linux-fr.org>
+Subject: scx200_acb: Fix the block transactions
+Content-Disposition: inline; filename=i2c-02-scx200_acb-fix-block-transactions.patch
+
+From: Jean Delvare <khali@linux-fr.org>
+
+The scx200_acb i2c bus driver pretends to support SMBus block
+transactions, but in fact it implements the more simple I2C block
+transactions. Additionally, it lacks sanity checks on the length
+of the block transactions, which could lead to a buffer overrun.
+
+This fixes an oops reported by Alexander Atanasov:
+http://marc.theaimsgroup.com/?l=linux-kernel&m=114970382125094
+
+Thanks to Ben Gardner for fixing my bugs :)
+
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/i2c/busses/scx200_acb.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- linux-2.6.17.7.orig/drivers/i2c/busses/scx200_acb.c
++++ linux-2.6.17.7/drivers/i2c/busses/scx200_acb.c
+@@ -304,8 +304,12 @@ static s32 scx200_acb_smbus_xfer(struct
+ buffer = (u8 *)&cur_word;
+ break;
+
+- case I2C_SMBUS_BLOCK_DATA:
++ case I2C_SMBUS_I2C_BLOCK_DATA:
++ if (rw == I2C_SMBUS_READ)
++ data->block[0] = I2C_SMBUS_BLOCK_MAX; /* For now */
+ len = data->block[0];
++ if (len == 0 || len > I2C_SMBUS_BLOCK_MAX)
++ return -EINVAL;
+ buffer = &data->block[1];
+ break;
+
+@@ -369,7 +373,7 @@ static u32 scx200_acb_func(struct i2c_ad
+ {
+ return I2C_FUNC_SMBUS_QUICK | I2C_FUNC_SMBUS_BYTE |
+ I2C_FUNC_SMBUS_BYTE_DATA | I2C_FUNC_SMBUS_WORD_DATA |
+- I2C_FUNC_SMBUS_BLOCK_DATA;
++ I2C_FUNC_SMBUS_I2C_BLOCK;
+ }
+
+ /* For now, we only handle combined mode (smbus) */
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Jul 26 12:53:36 2006
+Date: Wed, 26 Jul 2006 21:53:13 +0200
+From: Jean Delvare <khali@linux-fr.org>
+To: stable@kernel.org
+Message-Id: <20060726215313.907eb30d.khali@linux-fr.org>
+Subject: i2c: Fix 'ignore' module parameter handling in i2c-core
+Content-Disposition: inline; filename=i2c-03-fix-ignore-module-parameter-handling.patch
+
+From: "Mark M. Hoffman" <mhoffman@lightlink.com>
+
+This patch fixes a bug in the handling of 'ignore' module parameters of I2C
+client drivers.
+
+Signed-off-by: Mark M. Hoffman <mhoffman@lightlink.com>
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/i2c/i2c-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.17.7.orig/drivers/i2c/i2c-core.c
++++ linux-2.6.17.7/drivers/i2c/i2c-core.c
+@@ -756,9 +756,9 @@ int i2c_probe(struct i2c_adapter *adapte
+ "parameter for adapter %d, "
+ "addr 0x%02x\n", adap_id,
+ address_data->ignore[j + 1]);
++ ignore = 1;
++ break;
+ }
+- ignore = 1;
+- break;
+ }
+ if (ignore)
+ continue;
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Aug 2 10:43:49 2006
+Date: Wed, 2 Aug 2006 19:40:06 +0200 (CEST)
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+To: Linus Torvalds <torvalds@osdl.org>, stable@kernel.org
+Message-ID: <tkrat.f5b216d7ca35e7f2@s5r6.in-berlin.de>
+Content-Disposition: INLINE
+Cc: Ben Collins <bcollins@ubuntu.com>, linux-kernel@vger.kernel.org
+Subject: ieee1394: sbp2: enable auto spin-up for Maxtor disks
+
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+
+At least Maxtor OneTouch III require a "start stop unit" command after
+auto spin-down before the next access can proceed. This patch activates
+the responsible code in scsi_mod for all Maxtor SBP-2 disks.
+https://bugzilla.novell.com/show_bug.cgi?id=183011
+
+Maybe that should be done for all SBP-2 disks, but better be cautious.
+
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ieee1394/sbp2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- linux-2.6.17.7.orig/drivers/ieee1394/sbp2.c
++++ linux-2.6.17.7/drivers/ieee1394/sbp2.c
+@@ -2541,6 +2541,9 @@ static int sbp2scsi_slave_configure(stru
+ sdev->skip_ms_page_8 = 1;
+ if (scsi_id->workarounds & SBP2_WORKAROUND_FIX_CAPACITY)
+ sdev->fix_capacity = 1;
++ if (scsi_id->ne->guid_vendor_id == 0x0010b9 && /* Maxtor's OUI */
++ (sdev->type == TYPE_DISK || sdev->type == TYPE_RBC))
++ sdev->allow_restart = 1;
+ return 0;
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Sun Jul 30 03:04:04 2006
+Message-Id: <200607301003.k6UA3SlC002568@shell0.pdx.osdl.net>
+To: torvalds@osdl.org
+From: akpm@osdl.org
+Date: Sun, 30 Jul 2006 03:03:28 -0700
+Cc: akpm@osdl.org, jes@trained-monkey.org, stable@kernel.org
+Subject: invalidate_bdev() speedup
+
+From: Andrew Morton <akpm@osdl.org>
+
+We can immediately bale from invalidate_bdev() if the blockdev has no
+pagecache.
+
+This solves the huge IPI storms which hald is causing on the big ia64
+machines when it polls CDROM drives.
+
+Acked-by: Jes Sorensen <jes@sgi.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/buffer.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- linux-2.6.17.7.orig/fs/buffer.c
++++ linux-2.6.17.7/fs/buffer.c
+@@ -473,13 +473,18 @@ out:
+ pass does the actual I/O. */
+ void invalidate_bdev(struct block_device *bdev, int destroy_dirty_buffers)
+ {
++ struct address_space *mapping = bdev->bd_inode->i_mapping;
++
++ if (mapping->nrpages == 0)
++ return;
++
+ invalidate_bh_lrus();
+ /*
+ * FIXME: what about destroy_dirty_buffers?
+ * We really want to use invalidate_inode_pages2() for
+ * that, but not until that's cleaned up.
+ */
+- invalidate_inode_pages(bdev->bd_inode->i_mapping);
++ invalidate_inode_pages(mapping);
+ }
+
+ /*
Date: Thu, 15 Jun 2006 04:41:52 -0400
Subject: PCI: fix issues with extended conf space when MMCONFIG disabled because of e820
-On 15 Jun 2006 03:45:10 +0200, Andi Kleen wrote:
+From: Chuck Ebbert <76306.1226@compuserve.com>
+On 15 Jun 2006 03:45:10 +0200, Andi Kleen wrote:
> Anyways I would say that if the BIOS can't get MCFG right then
> it's likely not been validated on that board and shouldn't be used.
pci-fix-issues-with-extended-conf-space-when-mmconfig-disabled-because-of-e820.patch
+don-t-allow-chmod-on-the-proc-pid-files.patch
+h.323-helper-fix-possible-null-ptr-dereference.patch
+i2c-01-scx200_acb-fix-state-machine.patch
+i2c-02-scx200_acb-fix-block-transactions.patch
+i2c-03-fix-ignore-module-parameter-handling.patch
+sky2-napi-bug.patch
+uhci-fix-handling-of-short-last-packet.patch
+update-frag_list-in-pskb_trim.patch
+vlan-state-handling-fix.patch
+sparc64-quad-float-emulation-fix.patch
+invalidate_bdev-speedup.patch
+ieee1394-sbp2-enable-auto-spin-up-for-maxtor-disks.patch
+fix-race-related-problem-when-adding-items-to-and-svcrpc-auth-cache.patch
+ext3-nobh-option-causes-oops.patch
+ext3-avoid-triggering-ext3_error-on-bad-nfs-file-handle.patch
+e1000-add-forgotten-pci-id-for-supported-device.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Jul 17 10:52:35 2006
+Date: Mon, 17 Jul 2006 13:51:50 -0400
+From: Stephen Hemminger <shemminger@osdl.org>
+To: stable@kernel.org
+Message-ID: <20060717135150.09aea07d@localhost.localdomain>
+Subject: sky2: NAPI bug
+
+From: Stephen Hemminger <shemminger@osdl.org>
+
+If the sky2 driver decides to defer processing because it's NAPI
+packet quota is done, then it won't correctly handle the rest
+when it is rescheduled.
+
+Signed-off-by: Stephen Hemminger <sch@sch-laptop.localdomain>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/sky2.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- linux-2.6.17.7.orig/drivers/net/sky2.c
++++ linux-2.6.17.7/drivers/net/sky2.c
+@@ -2187,9 +2187,6 @@ static int sky2_poll(struct net_device *
+ int work_done = 0;
+ u32 status = sky2_read32(hw, B0_Y2_SP_EISR);
+
+- if (!~status)
+- goto out;
+-
+ if (status & Y2_IS_HW_ERR)
+ sky2_hw_intr(hw);
+
+@@ -2226,7 +2223,7 @@ static int sky2_poll(struct net_device *
+
+ if (sky2_more_work(hw))
+ return 1;
+-out:
++
+ netif_rx_complete(dev0);
+
+ sky2_read32(hw, B0_Y2_SP_LISR);
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Jul 27 17:03:23 2006
+Date: Thu, 27 Jul 2006 17:02:36 -0700 (PDT)
+Message-Id: <20060727.170236.92582647.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Subject: Sparc64 quad-float emulation fix
+
+From: David Miller <davem@davemloft.net>
+
+[SPARC64]: Fix quad-float multiply emulation.
+
+Something is wrong with the 3-multiply (vs. 4-multiply) optimized
+version of _FP_MUL_MEAT_2_*(), so just use the slower version
+which actually computes correct values.
+
+Noticed by Rene Rebe
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/asm-sparc64/sfp-machine.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.17.7.orig/include/asm-sparc64/sfp-machine.h
++++ linux-2.6.17.7/include/asm-sparc64/sfp-machine.h
+@@ -34,7 +34,7 @@
+ #define _FP_MUL_MEAT_D(R,X,Y) \
+ _FP_MUL_MEAT_1_wide(_FP_WFRACBITS_D,R,X,Y,umul_ppmm)
+ #define _FP_MUL_MEAT_Q(R,X,Y) \
+- _FP_MUL_MEAT_2_wide_3mul(_FP_WFRACBITS_Q,R,X,Y,umul_ppmm)
++ _FP_MUL_MEAT_2_wide(_FP_WFRACBITS_Q,R,X,Y,umul_ppmm)
+
+ #define _FP_DIV_MEAT_S(R,X,Y) _FP_DIV_MEAT_1_imm(S,R,X,Y,_FP_DIV_HELP_imm)
+ #define _FP_DIV_MEAT_D(R,X,Y) _FP_DIV_MEAT_1_udiv_norm(D,R,X,Y)
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Jul 24 09:07:30 2006
+Date: Mon, 24 Jul 2006 12:06:55 -0400 (EDT)
+From: Alan Stern <stern@rowland.harvard.edu>
+To: stable@kernel.org
+Message-ID: <Pine.LNX.4.44L0.0607241155180.15411-100000@iolanthe.rowland.org>
+Cc: Juan Pedro Paredes Caballero <juampe@iquis.com>, Duncan Sands <baldrick@free.fr>, Andrew Beverley <andy@andybev.com>
+Subject: UHCI: Fix handling of short last packet
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+This patch (as753) fixes the way uhci-hcd handles a short packet when it
+is the last packet of an URB. Right now the driver handles short packets
+the same no matter when they occur. However, the controller stops
+transferring packets when the short packet is not the last one (otherwise
+it would be reading beyond the end of the device's data) and needs to be
+restarted, whereas no such need occurs when the short packet is the last
+one.
+
+The result of the bug is that USB endpoint queues experience intermittent
+hangs, a regression in 2.6.17 with respect to earlier kernels. The bug
+was raised in Bugzilla #6752 and this patch fixed it.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/usb/host/uhci-q.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- linux-2.6.17.7.orig/drivers/usb/host/uhci-q.c
++++ linux-2.6.17.7/drivers/usb/host/uhci-q.c
+@@ -896,12 +896,14 @@ static int uhci_result_common(struct uhc
+ /*
+ * This URB stopped short of its end. We have to
+ * fix up the toggles of the following URBs on the
+- * queue and restart the queue.
++ * queue and restart the queue. But only if this
++ * TD isn't the last one in the URB.
+ *
+ * Do this only the first time we encounter the
+ * short URB.
+ */
+- if (!urbp->short_transfer) {
++ if (!urbp->short_transfer &&
++ &td->list != urbp->td_list.prev) {
+ urbp->short_transfer = 1;
+ urbp->qh->initial_toggle =
+ uhci_toggle(td_token(td)) ^ 1;
--- /dev/null
+From stable-bounces@linux.kernel.org Sun Jul 30 15:52:09 2006
+Date: Mon, 31 Jul 2006 08:50:37 +1000
+To: Greg KH <greg@kroah.com>
+Message-ID: <20060730225037.GA21685@gondor.apana.org.au>
+Content-Disposition: inline
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: netdev@vger.kernel.org, stable@kernel.org, David Miller <davem@davemloft.net>
+Subject: [NET]: Update frag_list in pskb_trim
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[NET]: Update frag_list in pskb_trim
+
+When pskb_trim has to defer to ___pksb_trim to trim the frag_list part of
+the packet, the frag_list is not updated to reflect the trimming. This
+will usually work fine until you hit something that uses the packet length
+or tail from the frag_list.
+
+Examples include esp_output and ip_fragment.
+
+Another problem caused by this is that you can end up with a linear packet
+with a frag_list attached.
+
+It is possible to get away with this if we audit everything to make sure
+that they always consult skb->len before going down onto frag_list. In
+fact we can do the samething for the paged part as well to avoid copying
+the data area of the skb. For now though, let's do the conservative fix
+and update frag_list.
+
+Many thanks to Marco Berizzi for helping me to track down this bug.
+
+This 4-year old bug took 3 months to track down. Marco was very patient
+indeed :)
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/skbuff.h | 24 +++++------
+ net/core/skbuff.c | 106 ++++++++++++++++++++++++++++++++++---------------
+ 2 files changed, 86 insertions(+), 44 deletions(-)
+
+--- linux-2.6.17.7.orig/include/linux/skbuff.h
++++ linux-2.6.17.7/include/linux/skbuff.h
+@@ -967,15 +967,16 @@ static inline void skb_reserve(struct sk
+ #define NET_SKB_PAD 16
+ #endif
+
+-extern int ___pskb_trim(struct sk_buff *skb, unsigned int len, int realloc);
++extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
+
+ static inline void __skb_trim(struct sk_buff *skb, unsigned int len)
+ {
+- if (!skb->data_len) {
+- skb->len = len;
+- skb->tail = skb->data + len;
+- } else
+- ___pskb_trim(skb, len, 0);
++ if (unlikely(skb->data_len)) {
++ WARN_ON(1);
++ return;
++ }
++ skb->len = len;
++ skb->tail = skb->data + len;
+ }
+
+ /**
+@@ -985,6 +986,7 @@ static inline void __skb_trim(struct sk_
+ *
+ * Cut the length of a buffer down by removing data from the tail. If
+ * the buffer is already under the length specified it is not modified.
++ * The skb must be linear.
+ */
+ static inline void skb_trim(struct sk_buff *skb, unsigned int len)
+ {
+@@ -995,12 +997,10 @@ static inline void skb_trim(struct sk_bu
+
+ static inline int __pskb_trim(struct sk_buff *skb, unsigned int len)
+ {
+- if (!skb->data_len) {
+- skb->len = len;
+- skb->tail = skb->data+len;
+- return 0;
+- }
+- return ___pskb_trim(skb, len, 1);
++ if (skb->data_len)
++ return ___pskb_trim(skb, len);
++ __skb_trim(skb, len);
++ return 0;
+ }
+
+ static inline int pskb_trim(struct sk_buff *skb, unsigned int len)
+--- linux-2.6.17.7.orig/net/core/skbuff.c
++++ linux-2.6.17.7/net/core/skbuff.c
+@@ -251,11 +251,11 @@ nodata:
+ }
+
+
+-static void skb_drop_fraglist(struct sk_buff *skb)
++static void skb_drop_list(struct sk_buff **listp)
+ {
+- struct sk_buff *list = skb_shinfo(skb)->frag_list;
++ struct sk_buff *list = *listp;
+
+- skb_shinfo(skb)->frag_list = NULL;
++ *listp = NULL;
+
+ do {
+ struct sk_buff *this = list;
+@@ -264,6 +264,11 @@ static void skb_drop_fraglist(struct sk_
+ } while (list);
+ }
+
++static inline void skb_drop_fraglist(struct sk_buff *skb)
++{
++ skb_drop_list(&skb_shinfo(skb)->frag_list);
++}
++
+ static void skb_clone_fraglist(struct sk_buff *skb)
+ {
+ struct sk_buff *list;
+@@ -802,49 +807,86 @@ struct sk_buff *skb_pad(struct sk_buff *
+ return nskb;
+ }
+
+-/* Trims skb to length len. It can change skb pointers, if "realloc" is 1.
+- * If realloc==0 and trimming is impossible without change of data,
+- * it is BUG().
++/* Trims skb to length len. It can change skb pointers.
+ */
+
+-int ___pskb_trim(struct sk_buff *skb, unsigned int len, int realloc)
++int ___pskb_trim(struct sk_buff *skb, unsigned int len)
+ {
++ struct sk_buff **fragp;
++ struct sk_buff *frag;
+ int offset = skb_headlen(skb);
+ int nfrags = skb_shinfo(skb)->nr_frags;
+ int i;
++ int err;
+
+- for (i = 0; i < nfrags; i++) {
++ if (skb_cloned(skb) &&
++ unlikely((err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC))))
++ return err;
++
++ i = 0;
++ if (offset >= len)
++ goto drop_pages;
++
++ for (; i < nfrags; i++) {
+ int end = offset + skb_shinfo(skb)->frags[i].size;
+- if (end > len) {
+- if (skb_cloned(skb)) {
+- BUG_ON(!realloc);
+- if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
+- return -ENOMEM;
+- }
+- if (len <= offset) {
+- put_page(skb_shinfo(skb)->frags[i].page);
+- skb_shinfo(skb)->nr_frags--;
+- } else {
+- skb_shinfo(skb)->frags[i].size = len - offset;
+- }
++
++ if (end < len) {
++ offset = end;
++ continue;
++ }
++
++ skb_shinfo(skb)->frags[i++].size = len - offset;
++
++drop_pages:
++ skb_shinfo(skb)->nr_frags = i;
++
++ for (; i < nfrags; i++)
++ put_page(skb_shinfo(skb)->frags[i].page);
++
++ if (skb_shinfo(skb)->frag_list)
++ skb_drop_fraglist(skb);
++ goto done;
++ }
++
++ for (fragp = &skb_shinfo(skb)->frag_list; (frag = *fragp);
++ fragp = &frag->next) {
++ int end = offset + frag->len;
++
++ if (skb_shared(frag)) {
++ struct sk_buff *nfrag;
++
++ nfrag = skb_clone(frag, GFP_ATOMIC);
++ if (unlikely(!nfrag))
++ return -ENOMEM;
++
++ nfrag->next = frag->next;
++ kfree_skb(frag);
++ frag = nfrag;
++ *fragp = frag;
+ }
+- offset = end;
++
++ if (end < len) {
++ offset = end;
++ continue;
++ }
++
++ if (end > len &&
++ unlikely((err = pskb_trim(frag, len - offset))))
++ return err;
++
++ if (frag->next)
++ skb_drop_list(&frag->next);
++ break;
+ }
+
+- if (offset < len) {
++done:
++ if (len > skb_headlen(skb)) {
+ skb->data_len -= skb->len - len;
+ skb->len = len;
+ } else {
+- if (len <= skb_headlen(skb)) {
+- skb->len = len;
+- skb->data_len = 0;
+- skb->tail = skb->data + len;
+- if (skb_shinfo(skb)->frag_list && !skb_cloned(skb))
+- skb_drop_fraglist(skb);
+- } else {
+- skb->data_len -= skb->len - len;
+- skb->len = len;
+- }
++ skb->len = len;
++ skb->data_len = 0;
++ skb->tail = skb->data + len;
+ }
+
+ return 0;
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Jul 24 13:54:38 2006
+Date: Mon, 24 Jul 2006 13:54:15 -0700 (PDT)
+Message-Id: <20060724.135415.68158299.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Subject: VLAN state handling fix
+
+From: Stefan Rompf <stefan@loplof.de>
+
+[VLAN]: Fix link state propagation
+
+When the queue of the underlying device is stopped at initialization time
+or the device is marked "not present", the state will be propagated to the
+vlan device and never change. Based on an analysis by Patrick McHardy.
+
+Signed-off-by: Stefan Rompf <stefan@loplof.de>
+ACKed-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/8021q/vlan.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- linux-2.6.17.7.orig/net/8021q/vlan.c
++++ linux-2.6.17.7/net/8021q/vlan.c
+@@ -67,10 +67,6 @@ static struct packet_type vlan_packet_ty
+ .func = vlan_skb_recv, /* VLAN receive method */
+ };
+
+-/* Bits of netdev state that are propagated from real device to virtual */
+-#define VLAN_LINK_STATE_MASK \
+- ((1<<__LINK_STATE_PRESENT)|(1<<__LINK_STATE_NOCARRIER)|(1<<__LINK_STATE_DORMANT))
+-
+ /* End of global variables definitions. */
+
+ /*
+@@ -470,7 +466,9 @@ static struct net_device *register_vlan_
+ new_dev->flags = real_dev->flags;
+ new_dev->flags &= ~IFF_UP;
+
+- new_dev->state = real_dev->state & ~(1<<__LINK_STATE_START);
++ new_dev->state = (real_dev->state & ((1<<__LINK_STATE_NOCARRIER) |
++ (1<<__LINK_STATE_DORMANT))) |
++ (1<<__LINK_STATE_PRESENT);
+
+ /* need 4 bytes for extra VLAN header info,
+ * hope the underlying device can handle it.
projects / thirdparty / kernel / stable-queue.git / commitdiff
