From: Chris Wright Date: Thu, 17 May 2007 01:55:22 +0000 (-0700) Subject: Add queue-2.6.21 queue prepping for 2.6.21.2 review cycle X-Git-Tag: v2.6.21.2~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=05ab505f2909acf3a614d3e6a32271c4c1f8a69d;p=thirdparty%2Fkernel%2Fstable-queue.git Add queue-2.6.21 queue prepping for 2.6.21.2 review cycle --- diff --git a/queue-2.6.21/acpi-fix-2.6.21-boot-regression-on-p4-ht.patch b/queue-2.6.21/acpi-fix-2.6.21-boot-regression-on-p4-ht.patch new file mode 100644 index 00000000000..87f96b0637e --- /dev/null +++ b/queue-2.6.21/acpi-fix-2.6.21-boot-regression-on-p4-ht.patch @@ -0,0 +1,46 @@ +From stable-bounces@linux.kernel.org Sat Apr 28 17:39:28 2007 +From: Len Brown +To: stable@kernel.org +Date: Sat, 28 Apr 2007 20:37:26 -0400 +Message-Id: <200704282037.26662.lenb@kernel.org> +Cc: linux-acpi@vger.kernel.org +Subject: ACPI: Fix 2.6.21 boot regression on P4/HT + +Up through 2.6.20 we cleared the FADT.CSTATE_CONTROL field +for FADT versions before r3, because it made no sense +for that reserved field to be set for pre-ACPI 2.0 systems. + +It turns out that not clearing this field exposes +Linux to SMM BIOS failures, so do the same in 2.6.21. + +http://bugzilla.kernel.org/show_bug.cgi?id=8346 + +Signed-off-by: Len Brown +Signed-off-by: Chris Wright +--- + drivers/acpi/tables/tbfadt.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- linux-2.6.21.1.orig/drivers/acpi/tables/tbfadt.c ++++ linux-2.6.21.1/drivers/acpi/tables/tbfadt.c +@@ -347,6 +347,20 @@ static void acpi_tb_convert_fadt(void) + acpi_gbl_xpm1b_enable.space_id = acpi_gbl_FADT.xpm1a_event_block.space_id; + + } ++ /* ++ * _CST object and C States change notification start with ++ * ACPI 2.0 (FADT r3). Although the field should be Reserved ++ * and 0 before then, some pre-r3 FADT set this field and ++ * it results in SMM-related boot failures. For them, clear it. ++ */ ++ if ((acpi_gbl_FADT.header.revision < 3) && ++ (acpi_gbl_FADT.cst_control != 0)) { ++ ACPI_WARNING((AE_INFO, ++ "Ignoring BIOS FADT r%u C-state control", ++ acpi_gbl_FADT.header.revision)); ++ acpi_gbl_FADT.cst_control = 0; ++ } ++ + } + + /****************************************************************************** diff --git a/queue-2.6.21/alsa-hda-codec-fix-resume-of-stac92xx-codecs.patch b/queue-2.6.21/alsa-hda-codec-fix-resume-of-stac92xx-codecs.patch new file mode 100644 index 00000000000..21582eeacc7 --- /dev/null +++ b/queue-2.6.21/alsa-hda-codec-fix-resume-of-stac92xx-codecs.patch @@ -0,0 +1,31 @@ +From stable-bounces@linux.kernel.org Fri May 11 21:38:36 2007 +Message-ID: <4644FC34.9090105@gentoo.org> +Date: Fri, 11 May 2007 19:28:52 -0400 +From: Daniel Drake +To: stable@kernel.org +Cc: Takashi Iwai +Subject: ALSA: hda-codec - Fix resume of STAC92xx codecs + +From: Takashi Iwai + +Added a missing call to resume mixer controls for STAC92xx codecs. + +Signed-off-by: Takashi Iwai +Signed-off-by: Jaroslav Kysela +Signed-off-by: Chris Wright +--- + +--- + sound/pci/hda/patch_sigmatel.c | 1 + + 1 file changed, 1 insertion(+) + +--- linux-2.6.21.1.orig/sound/pci/hda/patch_sigmatel.c ++++ linux-2.6.21.1/sound/pci/hda/patch_sigmatel.c +@@ -1751,6 +1751,7 @@ static int stac92xx_resume(struct hda_co + + stac92xx_init(codec); + stac92xx_set_config_regs(codec); ++ snd_hda_resume_ctls(codec, spec->mixer); + for (i = 0; i < spec->num_mixers; i++) + snd_hda_resume_ctls(codec, spec->mixers[i]); + if (spec->multiout.dig_out_nid) diff --git a/queue-2.6.21/arm-fix-handling-of-svc-mode-undefined-instructions.patch b/queue-2.6.21/arm-fix-handling-of-svc-mode-undefined-instructions.patch new file mode 100644 index 00000000000..230dc21602b --- /dev/null +++ b/queue-2.6.21/arm-fix-handling-of-svc-mode-undefined-instructions.patch @@ -0,0 +1,48 @@ +From stable-bounces@linux.kernel.org Fri May 4 13:59:15 2007 +From: Dan Williams +To: stable@kernel.org +Date: Fri, 04 May 2007 11:22:23 -0700 +Message-ID: <20070504182222.28946.58494.stgit@dwillia2-linux.ch.intel.com> +Cc: rmk@arm.linux.org.uk +Subject: arm: fix handling of svc mode undefined instructions + +Now that do_undefinstr handles kernel and user mode undefined +instruction exceptions it must not assume that interrupts are enabled at +entry. + +Cc: Russell King +Signed-off-by: Dan Williams +Signed-off-by: Chris Wright +--- + + arch/arm/kernel/traps.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- linux-2.6.21.1.orig/arch/arm/kernel/traps.c ++++ linux-2.6.21.1/arch/arm/kernel/traps.c +@@ -273,6 +273,7 @@ asmlinkage void do_undefinstr(struct pt_ + struct undef_hook *hook; + siginfo_t info; + void __user *pc; ++ unsigned long flags; + + /* + * According to the ARM ARM, PC is 2 or 4 bytes ahead, +@@ -291,7 +292,7 @@ asmlinkage void do_undefinstr(struct pt_ + get_user(instr, (u32 __user *)pc); + } + +- spin_lock_irq(&undef_lock); ++ spin_lock_irqsave(&undef_lock, flags); + list_for_each_entry(hook, &undef_hook, node) { + if ((instr & hook->instr_mask) == hook->instr_val && + (regs->ARM_cpsr & hook->cpsr_mask) == hook->cpsr_val) { +@@ -301,7 +302,7 @@ asmlinkage void do_undefinstr(struct pt_ + } + } + } +- spin_unlock_irq(&undef_lock); ++ spin_unlock_irqrestore(&undef_lock, flags); + + #ifdef CONFIG_DEBUG_USER + if (user_debug & UDBG_UNDEFINED) { diff --git a/queue-2.6.21/bnx2-block-mii-access-when-ifdown.patch b/queue-2.6.21/bnx2-block-mii-access-when-ifdown.patch new file mode 100644 index 00000000000..1d52198f6d0 --- /dev/null +++ b/queue-2.6.21/bnx2-block-mii-access-when-ifdown.patch @@ -0,0 +1,41 @@ +From stable-bounces@linux.kernel.org Mon May 7 18:19:40 2007 +From: "Michael Chan" +To: stable@kernel.org +Date: Mon, 07 May 2007 19:04:28 -0700 +Message-ID: <1178589868.10892.14.camel@dell> +Subject: BNX2: Block MII access when ifdown. + +The device may be in D3hot state and should not allow MII register +access. + +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + +--- + drivers/net/bnx2.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- linux-2.6.21.1.orig/drivers/net/bnx2.c ++++ linux-2.6.21.1/drivers/net/bnx2.c +@@ -5564,6 +5564,9 @@ bnx2_ioctl(struct net_device *dev, struc + case SIOCGMIIREG: { + u32 mii_regval; + ++ if (!netif_running(dev)) ++ return -EAGAIN; ++ + spin_lock_bh(&bp->phy_lock); + err = bnx2_read_phy(bp, data->reg_num & 0x1f, &mii_regval); + spin_unlock_bh(&bp->phy_lock); +@@ -5577,6 +5580,9 @@ bnx2_ioctl(struct net_device *dev, struc + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + ++ if (!netif_running(dev)) ++ return -EAGAIN; ++ + spin_lock_bh(&bp->phy_lock); + err = bnx2_write_phy(bp, data->reg_num & 0x1f, data->val_in); + spin_unlock_bh(&bp->phy_lock); diff --git a/queue-2.6.21/bnx2-fix-tso-problem-with-small-mss.patch b/queue-2.6.21/bnx2-fix-tso-problem-with-small-mss.patch new file mode 100644 index 00000000000..dfe3178595f --- /dev/null +++ b/queue-2.6.21/bnx2-fix-tso-problem-with-small-mss.patch @@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Mon May 7 18:19:10 2007 +From: "Michael Chan" +To: stable@kernel.org +Date: Mon, 07 May 2007 19:04:17 -0700 +Message-ID: <1178589857.10892.13.camel@dell> +Subject: BNX2: Fix TSO problem with small MSS. + +Remove the check for skb->len greater than MTU when doing TSO. When +the destination has a smaller MSS than the source, a TSO packet may +be smaller than the MTU at the source and we still need to process it +as a TSO packet. + +Thanks to Brian Ristuccia for +reporting the problem. + +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + drivers/net/bnx2.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- linux-2.6.21.1.orig/drivers/net/bnx2.c ++++ linux-2.6.21.1/drivers/net/bnx2.c +@@ -4510,8 +4510,7 @@ bnx2_start_xmit(struct sk_buff *skb, str + vlan_tag_flags |= + (TX_BD_FLAGS_VLAN_TAG | (vlan_tx_tag_get(skb) << 16)); + } +- if ((mss = skb_shinfo(skb)->gso_size) && +- (skb->len > (bp->dev->mtu + ETH_HLEN))) { ++ if ((mss = skb_shinfo(skb)->gso_size)) { + u32 tcp_opt_len, ip_tcp_len; + + if (skb_header_cloned(skb) && diff --git a/queue-2.6.21/bnx2-save-pci-state-during-suspend.patch b/queue-2.6.21/bnx2-save-pci-state-during-suspend.patch new file mode 100644 index 00000000000..cf186de2419 --- /dev/null +++ b/queue-2.6.21/bnx2-save-pci-state-during-suspend.patch @@ -0,0 +1,37 @@ +From stable-bounces@linux.kernel.org Mon May 7 18:21:54 2007 +From: "Michael Chan" +To: stable@kernel.org +Date: Mon, 07 May 2007 19:04:35 -0700 +Message-ID: <1178589875.10892.15.camel@dell> +Subject: BNX2: Save PCI state during suspend. + +This is needed to save the MSI state which will be lost during +suspend. + +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + +--- + drivers/net/bnx2.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- linux-2.6.21.1.orig/drivers/net/bnx2.c ++++ linux-2.6.21.1/drivers/net/bnx2.c +@@ -6148,6 +6148,7 @@ bnx2_suspend(struct pci_dev *pdev, pm_me + reset_code = BNX2_DRV_MSG_CODE_SUSPEND_NO_WOL; + bnx2_reset_chip(bp, reset_code); + bnx2_free_skbs(bp); ++ pci_save_state(pdev); + bnx2_set_power_state(bp, pci_choose_state(pdev, state)); + return 0; + } +@@ -6161,6 +6162,7 @@ bnx2_resume(struct pci_dev *pdev) + if (!netif_running(dev)) + return 0; + ++ pci_restore_state(pdev); + bnx2_set_power_state(bp, PCI_D0); + netif_device_attach(dev); + bnx2_init_nic(bp); diff --git a/queue-2.6.21/bnx2-update-version-and-reldate.patch b/queue-2.6.21/bnx2-update-version-and-reldate.patch new file mode 100644 index 00000000000..5021d7e00b4 --- /dev/null +++ b/queue-2.6.21/bnx2-update-version-and-reldate.patch @@ -0,0 +1,31 @@ +From stable-bounces@linux.kernel.org Mon May 7 18:20:51 2007 +From: "Michael Chan" +To: stable@kernel.org +Date: Mon, 07 May 2007 19:04:43 -0700 +Message-ID: <1178589884.10892.16.camel@dell> +Subject: BNX2: Update version and reldate. + +Update version to 1.5.8.1. + +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + +--- + drivers/net/bnx2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.21.1.orig/drivers/net/bnx2.c ++++ linux-2.6.21.1/drivers/net/bnx2.c +@@ -54,8 +54,8 @@ + + #define DRV_MODULE_NAME "bnx2" + #define PFX DRV_MODULE_NAME ": " +-#define DRV_MODULE_VERSION "1.5.8" +-#define DRV_MODULE_RELDATE "April 24, 2007" ++#define DRV_MODULE_VERSION "1.5.8.1" ++#define DRV_MODULE_RELDATE "May 7, 2007" + + #define RUN_AT(x) (jiffies + (x)) + diff --git a/queue-2.6.21/clocksource-fix-resume-logic.patch b/queue-2.6.21/clocksource-fix-resume-logic.patch new file mode 100644 index 00000000000..61873ed2153 --- /dev/null +++ b/queue-2.6.21/clocksource-fix-resume-logic.patch @@ -0,0 +1,158 @@ +From stable-bounces@linux.kernel.org Wed May 9 03:16:20 2007 +Message-Id: <200705090935.l499ZFxi019985@shell0.pdx.osdl.net> +To: torvalds@linux-foundation.org +From: akpm@linux-foundation.org +Date: Wed, 09 May 2007 02:35:15 -0700 +Cc: johnstul@us.ibm.com, ak@suse.de, stable@kernel.org, tglx@linutronix.de, akpm@linux-foundation.org, mingo@elte.hu +Subject: clocksource: fix resume logic + +From: Thomas Gleixner + +We need to make sure that the clocksources are resumed, when timekeeping is +resumed. The current resume logic does not guarantee this. + +Add a resume function pointer to the clocksource struct, so clocksource +drivers which need to reinitialize the clocksource can provide a resume +function. + +Add a resume function, which calls the maybe available clocksource resume +functions and resets the watchdog function, so a stable TSC can be used +accross suspend/resume. + +Signed-off-by: Thomas Gleixner +Cc: john stultz +Cc: Andi Kleen +Cc: Ingo Molnar +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- + + include/linux/clocksource.h | 3 ++ + kernel/time/clocksource.c | 45 ++++++++++++++++++++++++++++++++++++++++++++ + kernel/timer.c | 2 + + 3 files changed, 50 insertions(+) + +--- linux-2.6.21.1.orig/include/linux/clocksource.h ++++ linux-2.6.21.1/include/linux/clocksource.h +@@ -48,6 +48,7 @@ struct clocksource; + * @shift: cycle to nanosecond divisor (power of two) + * @flags: flags describing special properties + * @vread: vsyscall based read ++ * @resume: resume function for the clocksource, if necessary + * @cycle_interval: Used internally by timekeeping core, please ignore. + * @xtime_interval: Used internally by timekeeping core, please ignore. + */ +@@ -61,6 +62,7 @@ struct clocksource { + u32 shift; + unsigned long flags; + cycle_t (*vread)(void); ++ void (*resume)(void); + + /* timekeeping specific data, ignore */ + cycle_t cycle_last, cycle_interval; +@@ -198,6 +200,7 @@ static inline void clocksource_calculate + extern int clocksource_register(struct clocksource*); + extern struct clocksource* clocksource_get_next(void); + extern void clocksource_change_rating(struct clocksource *cs, int rating); ++extern void clocksource_resume(void); + + #ifdef CONFIG_GENERIC_TIME_VSYSCALL + extern void update_vsyscall(struct timespec *ts, struct clocksource *c); +--- linux-2.6.21.1.orig/kernel/time/clocksource.c ++++ linux-2.6.21.1/kernel/time/clocksource.c +@@ -74,6 +74,8 @@ static struct clocksource *watchdog; + static struct timer_list watchdog_timer; + static DEFINE_SPINLOCK(watchdog_lock); + static cycle_t watchdog_last; ++static int watchdog_resumed; ++ + /* + * Interval: 0.5sec Treshold: 0.0625s + */ +@@ -98,15 +100,26 @@ static void clocksource_watchdog(unsigne + struct clocksource *cs, *tmp; + cycle_t csnow, wdnow; + int64_t wd_nsec, cs_nsec; ++ int resumed; + + spin_lock(&watchdog_lock); + ++ resumed = watchdog_resumed; ++ if (unlikely(resumed)) ++ watchdog_resumed = 0; ++ + wdnow = watchdog->read(); + wd_nsec = cyc2ns(watchdog, (wdnow - watchdog_last) & watchdog->mask); + watchdog_last = wdnow; + + list_for_each_entry_safe(cs, tmp, &watchdog_list, wd_list) { + csnow = cs->read(); ++ ++ if (unlikely(resumed)) { ++ cs->wd_last = csnow; ++ continue; ++ } ++ + /* Initialized ? */ + if (!(cs->flags & CLOCK_SOURCE_WATCHDOG)) { + if ((cs->flags & CLOCK_SOURCE_IS_CONTINUOUS) && +@@ -136,6 +149,13 @@ static void clocksource_watchdog(unsigne + } + spin_unlock(&watchdog_lock); + } ++static void clocksource_resume_watchdog(void) ++{ ++ spin_lock(&watchdog_lock); ++ watchdog_resumed = 1; ++ spin_unlock(&watchdog_lock); ++} ++ + static void clocksource_check_watchdog(struct clocksource *cs) + { + struct clocksource *cse; +@@ -182,9 +202,34 @@ static void clocksource_check_watchdog(s + if (cs->flags & CLOCK_SOURCE_IS_CONTINUOUS) + cs->flags |= CLOCK_SOURCE_VALID_FOR_HRES; + } ++ ++static inline void clocksource_resume_watchdog(void) { } + #endif + + /** ++ * clocksource_resume - resume the clocksource(s) ++ */ ++void clocksource_resume(void) ++{ ++ struct list_head *tmp; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&clocksource_lock, flags); ++ ++ list_for_each(tmp, &clocksource_list) { ++ struct clocksource *cs; ++ ++ cs = list_entry(tmp, struct clocksource, list); ++ if (cs->resume) ++ cs->resume(); ++ } ++ ++ clocksource_resume_watchdog(); ++ ++ spin_unlock_irqrestore(&clocksource_lock, flags); ++} ++ ++/** + * clocksource_get_next - Returns the selected clocksource + * + */ +--- linux-2.6.21.1.orig/kernel/timer.c ++++ linux-2.6.21.1/kernel/timer.c +@@ -1903,6 +1903,8 @@ unregister_time_interpolator(struct time + prev = &curr->next; + } + ++ clocksource_resume(); ++ + write_seqlock_irqsave(&xtime_lock, flags); + if (ti == time_interpolator) { + /* we lost the best time-interpolator: */ diff --git a/queue-2.6.21/cxacru-fix-infinite-loop-when-trying-to-cancel-polling-task.patch b/queue-2.6.21/cxacru-fix-infinite-loop-when-trying-to-cancel-polling-task.patch new file mode 100644 index 00000000000..5f1d49bcfc2 --- /dev/null +++ b/queue-2.6.21/cxacru-fix-infinite-loop-when-trying-to-cancel-polling-task.patch @@ -0,0 +1,119 @@ +From stable-bounces@linux.kernel.org Mon Apr 30 12:02:47 2007 +Message-ID: <46363C9A.8080000@simon.arlott.org.uk> +Date: Mon, 30 Apr 2007 19:59:38 +0100 +From: Simon Arlott +To: stable@kernel.org +Subject: cxacru: Fix infinite loop when trying to cancel polling task + +As part of the device initialisation cxacru_atm_start starts +a rearming status polling task, which is cancelled in +cxacru_unbind. Failure to ever start the task means an +infinite loop occurs trying to cancel it. + +Possible reasons for not starting the polling task: +* Firmware files missing +* Device initialisation fails +* User unplugs device or unloads module + +Effect: +* Infinite loop in khubd trying to add/remove the device (or rmmod if timed right) + +Signed-off-by: Simon Arlott +Signed-off-by: Chris Wright +--- +Fixed for 2.6.22 by 6a02c996bce297a782432e29c69268356e97fadd. + + drivers/usb/atm/cxacru.c | 40 ++++++++++++++++++++++++++++++++++++---- + 1 file changed, 36 insertions(+), 4 deletions(-) + +--- linux-2.6.21.1.orig/drivers/usb/atm/cxacru.c ++++ linux-2.6.21.1/drivers/usb/atm/cxacru.c +@@ -146,6 +146,12 @@ enum cxacru_info_idx { + CXINF_MAX = 0x1c, + }; + ++enum poll_state { ++ CX_INIT, ++ CX_POLLING, ++ CX_ABORT ++}; ++ + struct cxacru_modem_type { + u32 pll_f_clk; + u32 pll_b_clk; +@@ -159,6 +165,8 @@ struct cxacru_data { + + int line_status; + struct delayed_work poll_work; ++ struct mutex poll_state_serialize; ++ enum poll_state poll_state; + + /* contol handles */ + struct mutex cm_serialize; +@@ -356,7 +364,7 @@ static int cxacru_atm_start(struct usbat + /* + struct atm_dev *atm_dev = usbatm_instance->atm_dev; + */ +- int ret; ++ int ret, start_polling = 1; + + dbg("cxacru_atm_start"); + +@@ -376,7 +384,15 @@ static int cxacru_atm_start(struct usbat + } + + /* Start status polling */ +- cxacru_poll_status(&instance->poll_work.work); ++ mutex_lock(&instance->poll_state_serialize); ++ if (instance->poll_state == CX_INIT) ++ instance->poll_state = CX_POLLING; ++ else /* poll_state == CX_ABORT */ ++ start_polling = 0; ++ mutex_unlock(&instance->poll_state_serialize); ++ ++ if (start_polling) ++ cxacru_poll_status(&instance->poll_work.work); + return 0; + } + +@@ -685,6 +701,9 @@ static int cxacru_bind(struct usbatm_dat + instance->usbatm = usbatm_instance; + instance->modem_type = (struct cxacru_modem_type *) id->driver_info; + ++ mutex_init(&instance->poll_state_serialize); ++ instance->poll_state = CX_INIT; ++ + instance->rcv_buf = (u8 *) __get_free_page(GFP_KERNEL); + if (!instance->rcv_buf) { + dbg("cxacru_bind: no memory for rcv_buf"); +@@ -744,6 +763,7 @@ static void cxacru_unbind(struct usbatm_ + struct usb_interface *intf) + { + struct cxacru_data *instance = usbatm_instance->driver_data; ++ int stop_polling = 1; + + dbg("cxacru_unbind entered"); + +@@ -752,8 +772,20 @@ static void cxacru_unbind(struct usbatm_ + return; + } + +- while (!cancel_delayed_work(&instance->poll_work)) +- flush_scheduled_work(); ++ mutex_lock(&instance->poll_state_serialize); ++ if (instance->poll_state != CX_POLLING) { ++ /* Polling hasn't started yet and with ++ * the mutex locked it can be prevented ++ * from starting. ++ */ ++ instance->poll_state = CX_ABORT; ++ stop_polling = 0; ++ } ++ mutex_unlock(&instance->poll_state_serialize); ++ ++ if (stop_polling) ++ while (!cancel_delayed_work(&instance->poll_work)) ++ flush_scheduled_work(); + + usb_kill_urb(instance->snd_urb); + usb_kill_urb(instance->rcv_urb); diff --git a/queue-2.6.21/driver-core-don-t-free-devt_attr-till-the-device-is-released.patch b/queue-2.6.21/driver-core-don-t-free-devt_attr-till-the-device-is-released.patch new file mode 100644 index 00000000000..8c079b71f77 --- /dev/null +++ b/queue-2.6.21/driver-core-don-t-free-devt_attr-till-the-device-is-released.patch @@ -0,0 +1,53 @@ +From stable-bounces@linux.kernel.org Thu May 10 07:47:30 2007 +Message-ID: <46432FFD.1040304@gmail.com> +Date: Thu, 10 May 2007 16:45:17 +0200 +From: Tejun Heo +To: Greg KH +Cc: stable@kernel.org, Alan Stern , linux-usb-devel@lists.sourceforge.net, Chris Rankin +Subject: driver-core: don't free devt_attr till the device is released + +Currently, devt_attr for the "dev" file is freed immediately on device +removal, but if the "dev" sysfs file is open when a device is removed, +sysfs will access its attribute structure for further access including +close resulting in jumping to garbled address. Fix it by postponing +freeing devt_attr to device release time. + +Note that devt_attr for class_device is already freed on release. + +This bug is reported by Chris Rankin as bugzilla bug#8198. + +Signed-off-by: Tejun Heo +Cc: Chris Rankin +Signed-off-by: Chris Wright +--- +Applies well to 2.6.20 and 21. As sysfs-immediate-disconnect doesn't +seem to be included in 2.6.22, this should be included in linus#master +too (applies well there as well). + + drivers/base/core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- linux-2.6.21.1.orig/drivers/base/core.c ++++ linux-2.6.21.1/drivers/base/core.c +@@ -93,6 +93,9 @@ static void device_release(struct kobjec + { + struct device * dev = to_dev(kobj); + ++ kfree(dev->devt_attr); ++ dev->devt_attr = NULL; ++ + if (dev->release) + dev->release(dev); + else if (dev->type && dev->type->release) +@@ -765,10 +768,8 @@ void device_del(struct device * dev) + + if (parent) + klist_del(&dev->knode_parent); +- if (dev->devt_attr) { ++ if (dev->devt_attr) + device_remove_file(dev, dev->devt_attr); +- kfree(dev->devt_attr); +- } + if (dev->class) { + sysfs_remove_link(&dev->kobj, "subsystem"); + /* If this is not a "fake" compatible device, remove the diff --git a/queue-2.6.21/fat-fix-vfat-compat-ioctls-on-64-bit-systems.patch b/queue-2.6.21/fat-fix-vfat-compat-ioctls-on-64-bit-systems.patch new file mode 100644 index 00000000000..dd7f6fd0cbc --- /dev/null +++ b/queue-2.6.21/fat-fix-vfat-compat-ioctls-on-64-bit-systems.patch @@ -0,0 +1,312 @@ +From stable-bounces@linux.kernel.org Tue May 8 00:34:00 2007 +Message-Id: <200705080731.l487VTWR017264@shell0.pdx.osdl.net> +To: torvalds@linux-foundation.org +From: akpm@linux-foundation.org +Date: Tue, 08 May 2007 00:31:28 -0700 +Cc: akpm@linux-foundation.org, stable@kernel.org, hirofumi@mail.parknet.co.jp, bartoldeman@users.sourceforge.net +Subject: fat: fix VFAT compat ioctls on 64-bit systems + +From: OGAWA Hirofumi + +If you compile and run the below test case in an msdos or vfat directory on +an x86-64 system with -m32 you'll get garbage in the kernel_dirent struct +followed by a SIGSEGV. + +The patch fixes this. + +Reported and initial fix by Bart Oldeman + +#include +#include +#include +#include +#include +#include +struct kernel_dirent { + long d_ino; + long d_off; + unsigned short d_reclen; + char d_name[256]; /* We must not include limits.h! */ +}; +#define VFAT_IOCTL_READDIR_BOTH _IOR('r', 1, struct kernel_dirent [2]) +#define VFAT_IOCTL_READDIR_SHORT _IOR('r', 2, struct kernel_dirent [2]) + +int main(void) +{ + int fd = open(".", O_RDONLY); + struct kernel_dirent de[2]; + + while (1) { + int i = ioctl(fd, VFAT_IOCTL_READDIR_BOTH, (long)de); + if (i == -1) break; + if (de[0].d_reclen == 0) break; + printf("SFN: reclen=%2d off=%d ino=%d, %-12s", + de[0].d_reclen, de[0].d_off, de[0].d_ino, de[0].d_name); + if (de[1].d_reclen) + printf("\tLFN: reclen=%2d off=%d ino=%d, %s", + de[1].d_reclen, de[1].d_off, de[1].d_ino, de[1].d_name); + printf("\n"); + } + return 0; +} + +Signed-off-by: Bart Oldeman +Signed-off-by: OGAWA Hirofumi +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- + + fs/fat/dir.c | 199 +++++++++++++++++++++++++++++------------------------------ + 1 file changed, 100 insertions(+), 99 deletions(-) + +--- linux-2.6.21.1.orig/fs/fat/dir.c ++++ linux-2.6.21.1/fs/fat/dir.c +@@ -422,7 +422,7 @@ EODir: + EXPORT_SYMBOL_GPL(fat_search_long); + + struct fat_ioctl_filldir_callback { +- struct dirent __user *dirent; ++ void __user *dirent; + int result; + /* for dir ioctl */ + const char *longname; +@@ -647,62 +647,85 @@ static int fat_readdir(struct file *filp + return __fat_readdir(inode, filp, dirent, filldir, 0, 0); + } + +-static int fat_ioctl_filldir(void *__buf, const char *name, int name_len, +- loff_t offset, u64 ino, unsigned int d_type) ++#define FAT_IOCTL_FILLDIR_FUNC(func, dirent_type) \ ++static int func(void *__buf, const char *name, int name_len, \ ++ loff_t offset, u64 ino, unsigned int d_type) \ ++{ \ ++ struct fat_ioctl_filldir_callback *buf = __buf; \ ++ struct dirent_type __user *d1 = buf->dirent; \ ++ struct dirent_type __user *d2 = d1 + 1; \ ++ \ ++ if (buf->result) \ ++ return -EINVAL; \ ++ buf->result++; \ ++ \ ++ if (name != NULL) { \ ++ /* dirent has only short name */ \ ++ if (name_len >= sizeof(d1->d_name)) \ ++ name_len = sizeof(d1->d_name) - 1; \ ++ \ ++ if (put_user(0, d2->d_name) || \ ++ put_user(0, &d2->d_reclen) || \ ++ copy_to_user(d1->d_name, name, name_len) || \ ++ put_user(0, d1->d_name + name_len) || \ ++ put_user(name_len, &d1->d_reclen)) \ ++ goto efault; \ ++ } else { \ ++ /* dirent has short and long name */ \ ++ const char *longname = buf->longname; \ ++ int long_len = buf->long_len; \ ++ const char *shortname = buf->shortname; \ ++ int short_len = buf->short_len; \ ++ \ ++ if (long_len >= sizeof(d1->d_name)) \ ++ long_len = sizeof(d1->d_name) - 1; \ ++ if (short_len >= sizeof(d1->d_name)) \ ++ short_len = sizeof(d1->d_name) - 1; \ ++ \ ++ if (copy_to_user(d2->d_name, longname, long_len) || \ ++ put_user(0, d2->d_name + long_len) || \ ++ put_user(long_len, &d2->d_reclen) || \ ++ put_user(ino, &d2->d_ino) || \ ++ put_user(offset, &d2->d_off) || \ ++ copy_to_user(d1->d_name, shortname, short_len) || \ ++ put_user(0, d1->d_name + short_len) || \ ++ put_user(short_len, &d1->d_reclen)) \ ++ goto efault; \ ++ } \ ++ return 0; \ ++efault: \ ++ buf->result = -EFAULT; \ ++ return -EFAULT; \ ++} ++ ++FAT_IOCTL_FILLDIR_FUNC(fat_ioctl_filldir, dirent) ++ ++static int fat_ioctl_readdir(struct inode *inode, struct file *filp, ++ void __user *dirent, filldir_t filldir, ++ int short_only, int both) + { +- struct fat_ioctl_filldir_callback *buf = __buf; +- struct dirent __user *d1 = buf->dirent; +- struct dirent __user *d2 = d1 + 1; +- +- if (buf->result) +- return -EINVAL; +- buf->result++; +- +- if (name != NULL) { +- /* dirent has only short name */ +- if (name_len >= sizeof(d1->d_name)) +- name_len = sizeof(d1->d_name) - 1; +- +- if (put_user(0, d2->d_name) || +- put_user(0, &d2->d_reclen) || +- copy_to_user(d1->d_name, name, name_len) || +- put_user(0, d1->d_name + name_len) || +- put_user(name_len, &d1->d_reclen)) +- goto efault; +- } else { +- /* dirent has short and long name */ +- const char *longname = buf->longname; +- int long_len = buf->long_len; +- const char *shortname = buf->shortname; +- int short_len = buf->short_len; +- +- if (long_len >= sizeof(d1->d_name)) +- long_len = sizeof(d1->d_name) - 1; +- if (short_len >= sizeof(d1->d_name)) +- short_len = sizeof(d1->d_name) - 1; +- +- if (copy_to_user(d2->d_name, longname, long_len) || +- put_user(0, d2->d_name + long_len) || +- put_user(long_len, &d2->d_reclen) || +- put_user(ino, &d2->d_ino) || +- put_user(offset, &d2->d_off) || +- copy_to_user(d1->d_name, shortname, short_len) || +- put_user(0, d1->d_name + short_len) || +- put_user(short_len, &d1->d_reclen)) +- goto efault; ++ struct fat_ioctl_filldir_callback buf; ++ int ret; ++ ++ buf.dirent = dirent; ++ buf.result = 0; ++ mutex_lock(&inode->i_mutex); ++ ret = -ENOENT; ++ if (!IS_DEADDIR(inode)) { ++ ret = __fat_readdir(inode, filp, &buf, filldir, ++ short_only, both); + } +- return 0; +-efault: +- buf->result = -EFAULT; +- return -EFAULT; ++ mutex_unlock(&inode->i_mutex); ++ if (ret >= 0) ++ ret = buf.result; ++ return ret; + } + +-static int fat_dir_ioctl(struct inode * inode, struct file * filp, +- unsigned int cmd, unsigned long arg) ++static int fat_dir_ioctl(struct inode *inode, struct file *filp, ++ unsigned int cmd, unsigned long arg) + { +- struct fat_ioctl_filldir_callback buf; +- struct dirent __user *d1; +- int ret, short_only, both; ++ struct dirent __user *d1 = (struct dirent __user *)arg; ++ int short_only, both; + + switch (cmd) { + case VFAT_IOCTL_READDIR_SHORT: +@@ -717,7 +740,6 @@ static int fat_dir_ioctl(struct inode * + return fat_generic_ioctl(inode, filp, cmd, arg); + } + +- d1 = (struct dirent __user *)arg; + if (!access_ok(VERIFY_WRITE, d1, sizeof(struct dirent[2]))) + return -EFAULT; + /* +@@ -728,69 +750,48 @@ static int fat_dir_ioctl(struct inode * + if (put_user(0, &d1->d_reclen)) + return -EFAULT; + +- buf.dirent = d1; +- buf.result = 0; +- mutex_lock(&inode->i_mutex); +- ret = -ENOENT; +- if (!IS_DEADDIR(inode)) { +- ret = __fat_readdir(inode, filp, &buf, fat_ioctl_filldir, +- short_only, both); +- } +- mutex_unlock(&inode->i_mutex); +- if (ret >= 0) +- ret = buf.result; +- return ret; ++ return fat_ioctl_readdir(inode, filp, d1, fat_ioctl_filldir, ++ short_only, both); + } + + #ifdef CONFIG_COMPAT + #define VFAT_IOCTL_READDIR_BOTH32 _IOR('r', 1, struct compat_dirent[2]) + #define VFAT_IOCTL_READDIR_SHORT32 _IOR('r', 2, struct compat_dirent[2]) + +-static long fat_compat_put_dirent32(struct dirent *d, +- struct compat_dirent __user *d32) +-{ +- if (!access_ok(VERIFY_WRITE, d32, sizeof(struct compat_dirent))) +- return -EFAULT; ++FAT_IOCTL_FILLDIR_FUNC(fat_compat_ioctl_filldir, compat_dirent) + +- __put_user(d->d_ino, &d32->d_ino); +- __put_user(d->d_off, &d32->d_off); +- __put_user(d->d_reclen, &d32->d_reclen); +- if (__copy_to_user(d32->d_name, d->d_name, d->d_reclen)) +- return -EFAULT; +- +- return 0; +-} +- +-static long fat_compat_dir_ioctl(struct file *file, unsigned cmd, ++static long fat_compat_dir_ioctl(struct file *filp, unsigned cmd, + unsigned long arg) + { +- struct compat_dirent __user *p = compat_ptr(arg); +- int ret; +- mm_segment_t oldfs = get_fs(); +- struct dirent d[2]; ++ struct inode *inode = filp->f_path.dentry->d_inode; ++ struct compat_dirent __user *d1 = compat_ptr(arg); ++ int short_only, both; + + switch (cmd) { +- case VFAT_IOCTL_READDIR_BOTH32: +- cmd = VFAT_IOCTL_READDIR_BOTH; +- break; + case VFAT_IOCTL_READDIR_SHORT32: +- cmd = VFAT_IOCTL_READDIR_SHORT; ++ short_only = 1; ++ both = 0; ++ break; ++ case VFAT_IOCTL_READDIR_BOTH32: ++ short_only = 0; ++ both = 1; + break; + default: + return -ENOIOCTLCMD; + } + +- set_fs(KERNEL_DS); +- lock_kernel(); +- ret = fat_dir_ioctl(file->f_path.dentry->d_inode, file, +- cmd, (unsigned long) &d); +- unlock_kernel(); +- set_fs(oldfs); +- if (ret >= 0) { +- ret |= fat_compat_put_dirent32(&d[0], p); +- ret |= fat_compat_put_dirent32(&d[1], p + 1); +- } +- return ret; ++ if (!access_ok(VERIFY_WRITE, d1, sizeof(struct compat_dirent[2]))) ++ return -EFAULT; ++ /* ++ * Yes, we don't need this put_user() absolutely. However old ++ * code didn't return the right value. So, app use this value, ++ * in order to check whether it is EOF. ++ */ ++ if (put_user(0, &d1->d_reclen)) ++ return -EFAULT; ++ ++ return fat_ioctl_readdir(inode, filp, d1, fat_compat_ioctl_filldir, ++ short_only, both); + } + #endif /* CONFIG_COMPAT */ + diff --git a/queue-2.6.21/fix-for-bugzilla-8426-massive-slowdown-on-scsi-cd-dvd-drive-connected-to-mptspi-driver.patch b/queue-2.6.21/fix-for-bugzilla-8426-massive-slowdown-on-scsi-cd-dvd-drive-connected-to-mptspi-driver.patch new file mode 100644 index 00000000000..a2cb8433e8f --- /dev/null +++ b/queue-2.6.21/fix-for-bugzilla-8426-massive-slowdown-on-scsi-cd-dvd-drive-connected-to-mptspi-driver.patch @@ -0,0 +1,48 @@ +From stable-bounces@linux.kernel.org Thu May 10 23:11:14 2007 +Message-Id: <200705110601.l4B6183j008187@shell0.pdx.osdl.net> +To: James.Bottomley@steeleye.com +From: akpm@linux-foundation.org +Date: Thu, 10 May 2007 23:01:08 -0700 +Cc: akpm@linux-foundation.org, Eric.Moore@lsil.com, stable@kernel.org, linux-scsi@vger.kernel.org, doug.chapman@hp.com +Subject: fix for bugzilla 8426: massive slowdown on SCSI CD/DVD drive connected to mptspi driver + +From: Doug Chapman + +Patch for: http://bugzilla.kernel.org/show_bug.cgi?id=8426 + +A recent code cleanup that moved code from mptscsih to mptspi inadvertently +change the order some code was called. This caused a massive slowdown (of +150x to 300x) on the CD/DVD drive on the high-end HP Integrity servers. + +Signed-off-by: Doug Chapman +Cc: "Moore, Eric Dean" +Cc: James Bottomley +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- +[chrisw: Why is this not upstream yet?] + + drivers/message/fusion/mptspi.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- linux-2.6.21.1.orig/drivers/message/fusion/mptspi.c ++++ linux-2.6.21.1/drivers/message/fusion/mptspi.c +@@ -726,13 +726,15 @@ static int mptspi_slave_configure(struct + struct _MPT_SCSI_HOST *hd = + (struct _MPT_SCSI_HOST *)sdev->host->hostdata; + VirtTarget *vtarget = scsi_target(sdev)->hostdata; +- int ret = mptscsih_slave_configure(sdev); ++ int ret; ++ ++ mptspi_initTarget(hd, vtarget, sdev); ++ ++ ret = mptscsih_slave_configure(sdev); + + if (ret) + return ret; + +- mptspi_initTarget(hd, vtarget, sdev); +- + ddvprintk((MYIOC_s_INFO_FMT "id=%d min_period=0x%02x" + " max_offset=0x%02x max_width=%d\n", hd->ioc->name, + sdev->id, spi_min_period(scsi_target(sdev)), diff --git a/queue-2.6.21/fix-leaky-resv_huge_pages-when-cpuset-is-in-use.patch b/queue-2.6.21/fix-leaky-resv_huge_pages-when-cpuset-is-in-use.patch new file mode 100644 index 00000000000..3d645e3d13f --- /dev/null +++ b/queue-2.6.21/fix-leaky-resv_huge_pages-when-cpuset-is-in-use.patch @@ -0,0 +1,56 @@ +From stable-bounces@linux.kernel.org Wed May 9 02:36:13 2007 +Message-Id: <200705090933.l499X98T019451@shell0.pdx.osdl.net> +To: torvalds@linux-foundation.org +From: akpm@linux-foundation.org +Date: Wed, 09 May 2007 02:33:09 -0700 +Cc: dwg@au1.ibm.com, kenchen@google.com, mbligh@google.com, agl@us.ibm.com, akpm@linux-foundation.org, stable@kernel.org, david@gibson.dropbear.id.au +Subject: fix leaky resv_huge_pages when cpuset is in use + +From: "Ken Chen" + +The internal hugetlb resv_huge_pages variable can permanently leak nonzero +value in the error path of hugetlb page fault handler when hugetlb page is +used in combination of cpuset. The leaked count can permanently trap N +number of hugetlb pages in unusable "reserved" state. + +Steps to reproduce the bug: + + (1) create two cpuset, user1 and user2 + (2) reserve 50 htlb pages in cpuset user1 + (3) attempt to shmget/shmat 50 htlb page inside cpuset user2 + (4) kernel oom the user process in step 3 + (5) ipcrm the shm segment + +At this point resv_huge_pages will have a count of 49, even though +there are no active hugetlbfs file nor hugetlb shared memory segment +in the system. The leak is permanent and there is no recovery method +other than system reboot. The leaked count will hold up all future use +of that many htlb pages in all cpusets. + +The culprit is that the error path of alloc_huge_page() did not +properly undo the change it made to resv_huge_page, causing +inconsistent state. + +Signed-off-by: Ken Chen +Cc: David Gibson +Cc: Adam Litke +Cc: Martin Bligh +Acked-by: David Gibson +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- + + mm/hugetlb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- linux-2.6.21.1.orig/mm/hugetlb.c ++++ linux-2.6.21.1/mm/hugetlb.c +@@ -140,6 +140,8 @@ static struct page *alloc_huge_page(stru + return page; + + fail: ++ if (vma->vm_flags & VM_MAYSHARE) ++ resv_huge_pages++; + spin_unlock(&hugetlb_lock); + return NULL; + } diff --git a/queue-2.6.21/highres-dyntick-prevent-xtime-lock-contention.patch b/queue-2.6.21/highres-dyntick-prevent-xtime-lock-contention.patch new file mode 100644 index 00000000000..20533ee78ed --- /dev/null +++ b/queue-2.6.21/highres-dyntick-prevent-xtime-lock-contention.patch @@ -0,0 +1,141 @@ +From stable-bounces@linux.kernel.org Tue May 8 00:48:08 2007 +Message-Id: <200705080730.l487U3xB017106@shell0.pdx.osdl.net> +To: torvalds@linux-foundation.org +From: akpm@linux-foundation.org +Date: Tue, 08 May 2007 00:30:03 -0700 +Cc: rostedt@goodmis.org, stable@kernel.org, mlord@pobox.com, tglx@linutronix.de, akpm@linux-foundation.org, mingo@elte.hu +Subject: highres/dyntick: prevent xtime lock contention + +From: Thomas Gleixner + +While the !highres/!dyntick code assigns the duty of the do_timer() call to +one specific CPU, this was dropped in the highres/dyntick part during +development. + +Steven Rostedt discovered the xtime lock contention on highres/dyntick due +to several CPUs trying to update jiffies. + +Add the single CPU assignement back. In the dyntick case this needs to be +handled carefully, as the CPU which has the do_timer() duty must drop the +assignement and let it be grabbed by another CPU, which is active. +Otherwise the do_timer() calls would not happen during the long sleep. + +Signed-off-by: Thomas Gleixner +Acked-by: Ingo Molnar +Cc: Steven Rostedt +Acked-by: Mark Lord +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- + + kernel/time/tick-common.c | 8 +++++++- + kernel/time/tick-internal.h | 1 + + kernel/time/tick-sched.c | 42 ++++++++++++++++++++++++++++++++++++++++-- + 3 files changed, 48 insertions(+), 3 deletions(-) + +--- linux-2.6.21.1.orig/kernel/time/tick-common.c ++++ linux-2.6.21.1/kernel/time/tick-common.c +@@ -31,7 +31,7 @@ DEFINE_PER_CPU(struct tick_device, tick_ + */ + ktime_t tick_next_period; + ktime_t tick_period; +-static int tick_do_timer_cpu = -1; ++int tick_do_timer_cpu __read_mostly = -1; + DEFINE_SPINLOCK(tick_device_lock); + + /* +@@ -295,6 +295,12 @@ static void tick_shutdown(unsigned int * + clockevents_exchange_device(dev, NULL); + td->evtdev = NULL; + } ++ /* Transfer the do_timer job away from this cpu */ ++ if (*cpup == tick_do_timer_cpu) { ++ int cpu = first_cpu(cpu_online_map); ++ ++ tick_do_timer_cpu = (cpu != NR_CPUS) ? cpu : -1; ++ } + spin_unlock_irqrestore(&tick_device_lock, flags); + } + +--- linux-2.6.21.1.orig/kernel/time/tick-internal.h ++++ linux-2.6.21.1/kernel/time/tick-internal.h +@@ -5,6 +5,7 @@ DECLARE_PER_CPU(struct tick_device, tick + extern spinlock_t tick_device_lock; + extern ktime_t tick_next_period; + extern ktime_t tick_period; ++extern int tick_do_timer_cpu __read_mostly; + + extern void tick_setup_periodic(struct clock_event_device *dev, int broadcast); + extern void tick_handle_periodic(struct clock_event_device *dev); +--- linux-2.6.21.1.orig/kernel/time/tick-sched.c ++++ linux-2.6.21.1/kernel/time/tick-sched.c +@@ -221,6 +221,18 @@ void tick_nohz_stop_sched_tick(void) + ts->tick_stopped = 1; + ts->idle_jiffies = last_jiffies; + } ++ ++ /* ++ * If this cpu is the one which updates jiffies, then ++ * give up the assignment and let it be taken by the ++ * cpu which runs the tick timer next, which might be ++ * this cpu as well. If we don't drop this here the ++ * jiffies might be stale and do_timer() never ++ * invoked. ++ */ ++ if (cpu == tick_do_timer_cpu) ++ tick_do_timer_cpu = -1; ++ + /* + * calculate the expiry time for the next timer wheel + * timer +@@ -338,12 +350,24 @@ static void tick_nohz_handler(struct clo + { + struct tick_sched *ts = &__get_cpu_var(tick_cpu_sched); + struct pt_regs *regs = get_irq_regs(); ++ int cpu = smp_processor_id(); + ktime_t now = ktime_get(); + + dev->next_event.tv64 = KTIME_MAX; + ++ /* ++ * Check if the do_timer duty was dropped. We don't care about ++ * concurrency: This happens only when the cpu in charge went ++ * into a long sleep. If two cpus happen to assign themself to ++ * this duty, then the jiffies update is still serialized by ++ * xtime_lock. ++ */ ++ if (unlikely(tick_do_timer_cpu == -1)) ++ tick_do_timer_cpu = cpu; ++ + /* Check, if the jiffies need an update */ +- tick_do_update_jiffies64(now); ++ if (tick_do_timer_cpu == cpu) ++ tick_do_update_jiffies64(now); + + /* + * When we are idle and the tick is stopped, we have to touch +@@ -431,9 +455,23 @@ static enum hrtimer_restart tick_sched_t + struct hrtimer_cpu_base *base = timer->base->cpu_base; + struct pt_regs *regs = get_irq_regs(); + ktime_t now = ktime_get(); ++ int cpu = smp_processor_id(); ++ ++#ifdef CONFIG_NO_HZ ++ /* ++ * Check if the do_timer duty was dropped. We don't care about ++ * concurrency: This happens only when the cpu in charge went ++ * into a long sleep. If two cpus happen to assign themself to ++ * this duty, then the jiffies update is still serialized by ++ * xtime_lock. ++ */ ++ if (unlikely(tick_do_timer_cpu == -1)) ++ tick_do_timer_cpu = cpu; ++#endif + + /* Check, if the jiffies need an update */ +- tick_do_update_jiffies64(now); ++ if (tick_do_timer_cpu == cpu) ++ tick_do_update_jiffies64(now); + + /* + * Do not call, when we are not in irq context and have diff --git a/queue-2.6.21/i386-hpet-check-if-the-counter-works.patch b/queue-2.6.21/i386-hpet-check-if-the-counter-works.patch new file mode 100644 index 00000000000..8f67ba2d9b5 --- /dev/null +++ b/queue-2.6.21/i386-hpet-check-if-the-counter-works.patch @@ -0,0 +1,60 @@ +From stable-bounces@linux.kernel.org Fri May 11 11:12:05 2007 +From: Thomas Gleixner +To: Andi Kleen +Date: Fri, 11 May 2007 20:13:10 +0200 +Message-Id: <1178907191.22481.72.camel@localhost.localdomain> +Cc: guilherme@centralinf.com.br, johnstul@us.ibm.com, akpm@linux-foundation.org, stable@kernel.org +Subject: i386: HPET, check if the counter works + +Some systems have a HPET which is not incrementing, which leads to a +complete hang. Detect it during HPET setup. + +Signed-off-by: Thomas Gleixner +Signed-off-by: Chris Wright +--- +[chrisw: Why is this not upstream yet?] + +--- + arch/i386/kernel/hpet.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +--- linux-2.6.21.1.orig/arch/i386/kernel/hpet.c ++++ linux-2.6.21.1/arch/i386/kernel/hpet.c +@@ -226,7 +226,8 @@ int __init hpet_enable(void) + { + unsigned long id; + uint64_t hpet_freq; +- u64 tmp; ++ u64 tmp, start, now; ++ cycle_t t1; + + if (!is_hpet_capable()) + return 0; +@@ -273,6 +274,27 @@ int __init hpet_enable(void) + /* Start the counter */ + hpet_start_counter(); + ++ /* Verify whether hpet counter works */ ++ t1 = read_hpet(); ++ rdtscll(start); ++ ++ /* ++ * We don't know the TSC frequency yet, but waiting for ++ * 200000 TSC cycles is safe: ++ * 4 GHz == 50us ++ * 1 GHz == 200us ++ */ ++ do { ++ rep_nop(); ++ rdtscll(now); ++ } while ((now - start) < 200000UL); ++ ++ if (t1 == read_hpet()) { ++ printk(KERN_WARNING ++ "HPET counter not counting. HPET disabled\n"); ++ goto out_nohpet; ++ } ++ + /* Initialize and register HPET clocksource + * + * hpet period is in femto seconds per cycle diff --git a/queue-2.6.21/iop-fix-iop_getttimeoffset.patch b/queue-2.6.21/iop-fix-iop_getttimeoffset.patch new file mode 100644 index 00000000000..1b77c2dd96f --- /dev/null +++ b/queue-2.6.21/iop-fix-iop_getttimeoffset.patch @@ -0,0 +1,51 @@ +From stable-bounces@linux.kernel.org Wed May 2 11:45:45 2007 +From: Dan Williams +To: stable@kernel.org +Date: Wed, 02 May 2007 11:43:14 -0700 +Message-ID: <20070502184314.10289.8158.stgit@dwillia2-linux.ch.intel.com> +Cc: rmk@arm.linux.org.uk +Subject: iop: fix iop_getttimeoffset + +Fix a typo which causes a necessary cpwait to be missed on iop3xx, Michael +Brunner + +Save a register in the assembly routine, rmk + +Cc: Lennert Buytenhek +Cc: Russell King +Signed-off-by: Dan Williams +Signed-off-by: Chris Wright +--- + + arch/arm/plat-iop/time.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- linux-2.6.21.1.orig/arch/arm/plat-iop/time.c ++++ linux-2.6.21.1/arch/arm/plat-iop/time.c +@@ -32,22 +32,22 @@ static unsigned long next_jiffy_time; + + unsigned long iop_gettimeoffset(void) + { +- unsigned long offset, temp1, temp2; ++ unsigned long offset, temp; + + /* enable cp6, if necessary, to avoid taking the overhead of an + * undefined instruction trap + */ + asm volatile ( + "mrc p15, 0, %0, c15, c1, 0\n\t" +- "ands %1, %0, #(1 << 6)\n\t" ++ "tst %0, #(1 << 6)\n\t" + "orreq %0, %0, #(1 << 6)\n\t" + "mcreq p15, 0, %0, c15, c1, 0\n\t" +-#ifdef CONFIG_XSCALE ++#ifdef CONFIG_CPU_XSCALE + "mrceq p15, 0, %0, c15, c1, 0\n\t" + "moveq %0, %0\n\t" + "subeq pc, pc, #4\n\t" + #endif +- : "=r"(temp1), "=r"(temp2) : : "cc"); ++ : "=r"(temp) : : "cc"); + + offset = next_jiffy_time - read_tcr1(); + diff --git a/queue-2.6.21/iop13xx-fix-i-o-address-translation.patch b/queue-2.6.21/iop13xx-fix-i-o-address-translation.patch new file mode 100644 index 00000000000..8cb173cec5d --- /dev/null +++ b/queue-2.6.21/iop13xx-fix-i-o-address-translation.patch @@ -0,0 +1,114 @@ +From stable-bounces@linux.kernel.org Wed May 2 11:45:25 2007 +From: Dan Williams +To: stable@kernel.org +Date: Wed, 02 May 2007 11:43:19 -0700 +Message-ID: <20070502184319.10289.25924.stgit@dwillia2-linux.ch.intel.com> +Cc: rmk@arm.linux.org.uk +Subject: iop13xx: fix i/o address translation + +PCI devices were being programmed with an incorrect base address value. +This patch moves I/O space into a 16-bit addressable region and corrects +the i/o offset. + +Much thanks to Martin Michlmayr for tracking this issue and testing +debug patches. + +Cc: Martin Michlmayr +Cc: Russell King +Signed-off-by: Dan Williams +Signed-off-by: Chris Wright +--- + + arch/arm/mach-iop13xx/pci.c | 8 ++++---- + include/asm-arm/arch-iop13xx/iop13xx.h | 22 +++++++++++++--------- + 2 files changed, 17 insertions(+), 13 deletions(-) + +--- linux-2.6.21.1.orig/arch/arm/mach-iop13xx/pci.c ++++ linux-2.6.21.1/arch/arm/mach-iop13xx/pci.c +@@ -1023,7 +1023,7 @@ int iop13xx_pci_setup(int nr, struct pci + << IOP13XX_ATUX_PCIXSR_FUNC_NUM; + __raw_writel(pcixsr, IOP13XX_ATUX_PCIXSR); + +- res[0].start = IOP13XX_PCIX_LOWER_IO_PA; ++ res[0].start = IOP13XX_PCIX_LOWER_IO_PA + IOP13XX_PCIX_IO_BUS_OFFSET; + res[0].end = IOP13XX_PCIX_UPPER_IO_PA; + res[0].name = "IQ81340 ATUX PCI I/O Space"; + res[0].flags = IORESOURCE_IO; +@@ -1033,7 +1033,7 @@ int iop13xx_pci_setup(int nr, struct pci + res[1].name = "IQ81340 ATUX PCI Memory Space"; + res[1].flags = IORESOURCE_MEM; + sys->mem_offset = IOP13XX_PCIX_MEM_OFFSET; +- sys->io_offset = IOP13XX_PCIX_IO_OFFSET; ++ sys->io_offset = IOP13XX_PCIX_LOWER_IO_PA; + break; + case IOP13XX_INIT_ATU_ATUE: + /* Note: the function number field in the PCSR is ro */ +@@ -1044,7 +1044,7 @@ int iop13xx_pci_setup(int nr, struct pci + + __raw_writel(pcsr, IOP13XX_ATUE_PCSR); + +- res[0].start = IOP13XX_PCIE_LOWER_IO_PA; ++ res[0].start = IOP13XX_PCIE_LOWER_IO_PA + IOP13XX_PCIE_IO_BUS_OFFSET; + res[0].end = IOP13XX_PCIE_UPPER_IO_PA; + res[0].name = "IQ81340 ATUE PCI I/O Space"; + res[0].flags = IORESOURCE_IO; +@@ -1054,7 +1054,7 @@ int iop13xx_pci_setup(int nr, struct pci + res[1].name = "IQ81340 ATUE PCI Memory Space"; + res[1].flags = IORESOURCE_MEM; + sys->mem_offset = IOP13XX_PCIE_MEM_OFFSET; +- sys->io_offset = IOP13XX_PCIE_IO_OFFSET; ++ sys->io_offset = IOP13XX_PCIE_LOWER_IO_PA; + sys->map_irq = iop13xx_pcie_map_irq; + break; + default: +--- linux-2.6.21.1.orig/include/asm-arm/arch-iop13xx/iop13xx.h ++++ linux-2.6.21.1/include/asm-arm/arch-iop13xx/iop13xx.h +@@ -27,19 +27,24 @@ static inline int iop13xx_cpu_id(void) + #define IOP13XX_PCI_OFFSET IOP13XX_MAX_RAM_SIZE + + /* PCI MAP +- * 0x0000.0000 - 0x8000.0000 1:1 mapping with Physical RAM +- * 0x8000.0000 - 0x8800.0000 PCIX/PCIE memory window (128MB) +-*/ ++ * bus range cpu phys cpu virt note ++ * 0x0000.0000 + 2GB (n/a) (n/a) inbound, 1:1 mapping with Physical RAM ++ * 0x8000.0000 + 928M 0x1.8000.0000 (ioremap) PCIX outbound memory window ++ * 0x8000.0000 + 928M 0x2.8000.0000 (ioremap) PCIE outbound memory window ++ * ++ * IO MAP ++ * 0x1000 + 64K 0x0.fffb.1000 0xfec6.1000 PCIX outbound i/o window ++ * 0x1000 + 64K 0x0.fffd.1000 0xfed7.1000 PCIE outbound i/o window ++ */ + #define IOP13XX_PCIX_IO_WINDOW_SIZE 0x10000UL + #define IOP13XX_PCIX_LOWER_IO_PA 0xfffb0000UL + #define IOP13XX_PCIX_LOWER_IO_VA 0xfec60000UL +-#define IOP13XX_PCIX_LOWER_IO_BA 0x0fff0000UL ++#define IOP13XX_PCIX_LOWER_IO_BA 0x0UL /* OIOTVR */ ++#define IOP13XX_PCIX_IO_BUS_OFFSET 0x1000UL + #define IOP13XX_PCIX_UPPER_IO_PA (IOP13XX_PCIX_LOWER_IO_PA +\ + IOP13XX_PCIX_IO_WINDOW_SIZE - 1) + #define IOP13XX_PCIX_UPPER_IO_VA (IOP13XX_PCIX_LOWER_IO_VA +\ + IOP13XX_PCIX_IO_WINDOW_SIZE - 1) +-#define IOP13XX_PCIX_IO_OFFSET (IOP13XX_PCIX_LOWER_IO_VA -\ +- IOP13XX_PCIX_LOWER_IO_BA) + #define IOP13XX_PCIX_IO_PHYS_TO_VIRT(addr) (u32) ((u32) addr -\ + (IOP13XX_PCIX_LOWER_IO_PA\ + - IOP13XX_PCIX_LOWER_IO_VA)) +@@ -65,15 +70,14 @@ static inline int iop13xx_cpu_id(void) + #define IOP13XX_PCIE_IO_WINDOW_SIZE 0x10000UL + #define IOP13XX_PCIE_LOWER_IO_PA 0xfffd0000UL + #define IOP13XX_PCIE_LOWER_IO_VA 0xfed70000UL +-#define IOP13XX_PCIE_LOWER_IO_BA 0x0fff0000UL ++#define IOP13XX_PCIE_LOWER_IO_BA 0x0UL /* OIOTVR */ ++#define IOP13XX_PCIE_IO_BUS_OFFSET 0x1000UL + #define IOP13XX_PCIE_UPPER_IO_PA (IOP13XX_PCIE_LOWER_IO_PA +\ + IOP13XX_PCIE_IO_WINDOW_SIZE - 1) + #define IOP13XX_PCIE_UPPER_IO_VA (IOP13XX_PCIE_LOWER_IO_VA +\ + IOP13XX_PCIE_IO_WINDOW_SIZE - 1) + #define IOP13XX_PCIE_UPPER_IO_BA (IOP13XX_PCIE_LOWER_IO_BA +\ + IOP13XX_PCIE_IO_WINDOW_SIZE - 1) +-#define IOP13XX_PCIE_IO_OFFSET (IOP13XX_PCIE_LOWER_IO_VA -\ +- IOP13XX_PCIE_LOWER_IO_BA) + #define IOP13XX_PCIE_IO_PHYS_TO_VIRT(addr) (u32) ((u32) addr -\ + (IOP13XX_PCIE_LOWER_IO_PA\ + - IOP13XX_PCIE_LOWER_IO_VA)) diff --git a/queue-2.6.21/ip-nf-_nat_proto_gre-do-not-modify-corrupt-grev0-packets-through-nat.patch b/queue-2.6.21/ip-nf-_nat_proto_gre-do-not-modify-corrupt-grev0-packets-through-nat.patch new file mode 100644 index 00000000000..b37995c5bb3 --- /dev/null +++ b/queue-2.6.21/ip-nf-_nat_proto_gre-do-not-modify-corrupt-grev0-packets-through-nat.patch @@ -0,0 +1,164 @@ +From stable-bounces@linux.kernel.org Wed May 2 21:13:25 2007 +Message-ID: <46393773.60005@trash.net> +Date: Thu, 03 May 2007 03:14:27 +0200 +From: Patrick McHardy +To: "stable@kernel.org" +Cc: "David S. Miller" , Adrian Bunk +Subject: [NETFILTER]: {ip, nf}_nat_proto_gre: do not modify/corrupt GREv0 packets through NAT + +From: Jorge Boncompte + +While porting some changes of the 2.6.21-rc7 pptp/proto_gre conntrack +and nat modules to a 2.4.32 kernel I noticed that the gre_key function +returns a wrong pointer to the GRE key of a version 0 packet thus +corrupting the packet payload. + +The intended behaviour for GREv0 packets is to act like +nf_conntrack_proto_generic/nf_nat_proto_unknown so I have ripped the +offending functions (not used anymore) and modified the +nf_nat_proto_gre modules to not touch version 0 (non PPTP) packets. + +Signed-off-by: Jorge Boncompte +Signed-off-by: Patrick McHardy +Signed-off-by: Chris Wright + +--- +commit 244c67aee5750eb3a79c727d09c01a500e68bbbe +tree 29bbce944bba681886a6d58c0c6b7bca3858c0e1 +parent 8d8b10482fffcb72b15515231bb942e2ad6395c9 +author Jorge Boncompte Thu, 03 May 2007 02:50:51 +0200 +committer Patrick McHardy Thu, 03 May 2007 02:50:51 +0200 + + include/linux/netfilter/nf_conntrack_proto_gre.h | 18 ---------------- + include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h | 19 ----------------- + net/ipv4/netfilter/ip_nat_proto_gre.c | 20 +++++++----------- + net/ipv4/netfilter/nf_nat_proto_gre.c | 20 +++++++----------- + 4 files changed, 16 insertions(+), 61 deletions(-) + +--- linux-2.6.21.1.orig/include/linux/netfilter/nf_conntrack_proto_gre.h ++++ linux-2.6.21.1/include/linux/netfilter/nf_conntrack_proto_gre.h +@@ -87,24 +87,6 @@ int nf_ct_gre_keymap_add(struct nf_conn + /* delete keymap entries */ + void nf_ct_gre_keymap_destroy(struct nf_conn *ct); + +-/* get pointer to gre key, if present */ +-static inline __be32 *gre_key(struct gre_hdr *greh) +-{ +- if (!greh->key) +- return NULL; +- if (greh->csum || greh->routing) +- return (__be32 *)(greh+sizeof(*greh)+4); +- return (__be32 *)(greh+sizeof(*greh)); +-} +- +-/* get pointer ot gre csum, if present */ +-static inline __sum16 *gre_csum(struct gre_hdr *greh) +-{ +- if (!greh->csum) +- return NULL; +- return (__sum16 *)(greh+sizeof(*greh)); +-} +- + extern void nf_ct_gre_keymap_flush(void); + extern void nf_nat_need_gre(void); + +--- linux-2.6.21.1.orig/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h ++++ linux-2.6.21.1/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h +@@ -90,25 +90,6 @@ int ip_ct_gre_keymap_add(struct ip_connt + /* delete keymap entries */ + void ip_ct_gre_keymap_destroy(struct ip_conntrack *ct); + +- +-/* get pointer to gre key, if present */ +-static inline __be32 *gre_key(struct gre_hdr *greh) +-{ +- if (!greh->key) +- return NULL; +- if (greh->csum || greh->routing) +- return (__be32 *) (greh+sizeof(*greh)+4); +- return (__be32 *) (greh+sizeof(*greh)); +-} +- +-/* get pointer ot gre csum, if present */ +-static inline __sum16 *gre_csum(struct gre_hdr *greh) +-{ +- if (!greh->csum) +- return NULL; +- return (__sum16 *) (greh+sizeof(*greh)); +-} +- + #endif /* __KERNEL__ */ + + #endif /* _CONNTRACK_PROTO_GRE_H */ +--- linux-2.6.21.1.orig/net/ipv4/netfilter/ip_nat_proto_gre.c ++++ linux-2.6.21.1/net/ipv4/netfilter/ip_nat_proto_gre.c +@@ -70,6 +70,11 @@ gre_unique_tuple(struct ip_conntrack_tup + __be16 *keyptr; + unsigned int min, i, range_size; + ++ /* If there is no master conntrack we are not PPTP, ++ do not change tuples */ ++ if (!conntrack->master) ++ return 0; ++ + if (maniptype == IP_NAT_MANIP_SRC) + keyptr = &tuple->src.u.gre.key; + else +@@ -122,18 +127,9 @@ gre_manip_pkt(struct sk_buff **pskb, + if (maniptype == IP_NAT_MANIP_DST) { + /* key manipulation is always dest */ + switch (greh->version) { +- case 0: +- if (!greh->key) { +- DEBUGP("can't nat GRE w/o key\n"); +- break; +- } +- if (greh->csum) { +- /* FIXME: Never tested this code... */ +- nf_proto_csum_replace4(gre_csum(greh), *pskb, +- *(gre_key(greh)), +- tuple->dst.u.gre.key, 0); +- } +- *(gre_key(greh)) = tuple->dst.u.gre.key; ++ case GRE_VERSION_1701: ++ /* We do not currently NAT any GREv0 packets. ++ * Try to behave like "ip_nat_proto_unknown" */ + break; + case GRE_VERSION_PPTP: + DEBUGP("call_id -> 0x%04x\n", +--- linux-2.6.21.1.orig/net/ipv4/netfilter/nf_nat_proto_gre.c ++++ linux-2.6.21.1/net/ipv4/netfilter/nf_nat_proto_gre.c +@@ -72,6 +72,11 @@ gre_unique_tuple(struct nf_conntrack_tup + __be16 *keyptr; + unsigned int min, i, range_size; + ++ /* If there is no master conntrack we are not PPTP, ++ do not change tuples */ ++ if (!conntrack->master) ++ return 0; ++ + if (maniptype == IP_NAT_MANIP_SRC) + keyptr = &tuple->src.u.gre.key; + else +@@ -122,18 +127,9 @@ gre_manip_pkt(struct sk_buff **pskb, uns + if (maniptype != IP_NAT_MANIP_DST) + return 1; + switch (greh->version) { +- case 0: +- if (!greh->key) { +- DEBUGP("can't nat GRE w/o key\n"); +- break; +- } +- if (greh->csum) { +- /* FIXME: Never tested this code... */ +- nf_proto_csum_replace4(gre_csum(greh), *pskb, +- *(gre_key(greh)), +- tuple->dst.u.gre.key, 0); +- } +- *(gre_key(greh)) = tuple->dst.u.gre.key; ++ case GRE_VERSION_1701: ++ /* We do not currently NAT any GREv0 packets. ++ * Try to behave like "nf_nat_proto_unknown" */ + break; + case GRE_VERSION_PPTP: + DEBUGP("call_id -> 0x%04x\n", ntohs(tuple->dst.u.gre.key)); diff --git a/queue-2.6.21/ipmi-fix-si-address-space-settings.patch b/queue-2.6.21/ipmi-fix-si-address-space-settings.patch new file mode 100644 index 00000000000..22f5646430a --- /dev/null +++ b/queue-2.6.21/ipmi-fix-si-address-space-settings.patch @@ -0,0 +1,37 @@ +From stable-bounces@linux.kernel.org Sat May 12 10:39:11 2007 +Message-Id: <200705121736.l4CHawq1012120@shell0.pdx.osdl.net> +To: torvalds@linux-foundation.org +From: akpm@linux-foundation.org +Date: Sat, 12 May 2007 10:36:58 -0700 +Cc: Patrick.Schoeller@hp.com, akpm@linux-foundation.org, stable@kernel.org, minyard@acm.org +Subject: IPMI: fix SI address space settings + +From: Corey Minyard + +Fix a rather obvious error that Patrick found in the setup routines. Need to +set the proper address space in the ACPI case. + +Signed-off-by: Corey Minyard +Cc: Patrick Schoeller +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- + + drivers/char/ipmi/ipmi_si_intf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.21.1.orig/drivers/char/ipmi/ipmi_si_intf.c ++++ linux-2.6.21.1/drivers/char/ipmi/ipmi_si_intf.c +@@ -1859,10 +1859,10 @@ static __devinit int try_init_acpi(struc + + if (spmi->addr.space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) { + info->io_setup = mem_setup; +- info->io.addr_type = IPMI_IO_ADDR_SPACE; ++ info->io.addr_type = IPMI_MEM_ADDR_SPACE; + } else if (spmi->addr.space_id == ACPI_ADR_SPACE_SYSTEM_IO) { + info->io_setup = port_setup; +- info->io.addr_type = IPMI_MEM_ADDR_SPACE; ++ info->io.addr_type = IPMI_IO_ADDR_SPACE; + } else { + kfree(info); + printk("ipmi_si: Unknown ACPI I/O Address type\n"); diff --git a/queue-2.6.21/ipsec-check-validity-of-direction-in-xfrm_policy_byid.patch b/queue-2.6.21/ipsec-check-validity-of-direction-in-xfrm_policy_byid.patch new file mode 100644 index 00000000000..141af1ce55d --- /dev/null +++ b/queue-2.6.21/ipsec-check-validity-of-direction-in-xfrm_policy_byid.patch @@ -0,0 +1,44 @@ +From stable-bounces@linux.kernel.org Tue May 15 01:38:35 2007 +Date: Tue, 15 May 2007 01:36:48 -0700 (PDT) +Message-Id: <20070515.013648.68156824.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: IPSEC: Check validity of direction in xfrm_policy_byid + +From: Herbert Xu + +The function xfrm_policy_byid takes a dir argument but finds the policy +using the index instead. We only use the dir argument to update the +policy count for that direction. Since the user can supply any value +for dir, this can corrupt our policy count. + +I know this is the problem because a few days ago I was deleting +policies by hand using indicies and accidentally typed in the wrong +direction. It still deleted the policy and at the time I thought +that was cool. In retrospect it isn't such a good idea :) + +I decided against letting it delete the policy anyway just in case +we ever remove the connection between indicies and direction. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + net/xfrm/xfrm_policy.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- linux-2.6.21.1.orig/net/xfrm/xfrm_policy.c ++++ linux-2.6.21.1/net/xfrm/xfrm_policy.c +@@ -782,6 +782,10 @@ struct xfrm_policy *xfrm_policy_byid(u8 + struct hlist_head *chain; + struct hlist_node *entry; + ++ *err = -ENOENT; ++ if (xfrm_policy_id2dir(id) != dir) ++ return NULL; ++ + *err = 0; + write_lock_bh(&xfrm_policy_lock); + chain = xfrm_policy_byidx + idx_hash(id); diff --git a/queue-2.6.21/ipv6-do-no-rely-on-skb-dst-before-it-is-assigned.patch b/queue-2.6.21/ipv6-do-no-rely-on-skb-dst-before-it-is-assigned.patch new file mode 100644 index 00000000000..a8d34b5423b --- /dev/null +++ b/queue-2.6.21/ipv6-do-no-rely-on-skb-dst-before-it-is-assigned.patch @@ -0,0 +1,69 @@ +From stable-bounces@linux.kernel.org Tue May 15 00:06:43 2007 +Date: Tue, 15 May 2007 00:04:56 -0700 (PDT) +Message-Id: <20070515.000456.116354901.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: IPV6: Do no rely on skb->dst before it is assigned. + +From: YOSHIFUJI Hideaki + +Because skb->dst is assigned in ip6_route_input(), it is really +bad to use it in hop-by-hop option handler(s). + +Closes: Bug #8450 (Eric Sesterhenn ) +Signed-off-by: YOSHIFUJI Hideaki +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + net/ipv6/exthdrs.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- linux-2.6.21.1.orig/net/ipv6/exthdrs.c ++++ linux-2.6.21.1/net/ipv6/exthdrs.c +@@ -638,6 +638,14 @@ EXPORT_SYMBOL_GPL(ipv6_invert_rthdr); + Hop-by-hop options. + **********************************/ + ++/* ++ * Note: we cannot rely on skb->dst before we assign it in ip6_route_input(). ++ */ ++static inline struct inet6_dev *ipv6_skb_idev(struct sk_buff *skb) ++{ ++ return skb->dst ? ip6_dst_idev(skb->dst) : __in6_dev_get(skb->dev); ++} ++ + /* Router Alert as of RFC 2711 */ + + static int ipv6_hop_ra(struct sk_buff **skbp, int optoff) +@@ -664,25 +672,25 @@ static int ipv6_hop_jumbo(struct sk_buff + if (skb->nh.raw[optoff+1] != 4 || (optoff&3) != 2) { + LIMIT_NETDEBUG(KERN_DEBUG "ipv6_hop_jumbo: wrong jumbo opt length/alignment %d\n", + skb->nh.raw[optoff+1]); +- IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), ++ IP6_INC_STATS_BH(ipv6_skb_idev(skb), + IPSTATS_MIB_INHDRERRORS); + goto drop; + } + + pkt_len = ntohl(*(__be32*)(skb->nh.raw+optoff+2)); + if (pkt_len <= IPV6_MAXPLEN) { +- IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_INHDRERRORS); ++ IP6_INC_STATS_BH(ipv6_skb_idev(skb), IPSTATS_MIB_INHDRERRORS); + icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, optoff+2); + return 0; + } + if (skb->nh.ipv6h->payload_len) { +- IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_INHDRERRORS); ++ IP6_INC_STATS_BH(ipv6_skb_idev(skb), IPSTATS_MIB_INHDRERRORS); + icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, optoff); + return 0; + } + + if (pkt_len > skb->len - sizeof(struct ipv6hdr)) { +- IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_INTRUNCATEDPKTS); ++ IP6_INC_STATS_BH(ipv6_skb_idev(skb), IPSTATS_MIB_INTRUNCATEDPKTS); + goto drop; + } + diff --git a/queue-2.6.21/ipv6-fix-slab-corruption-running-ip6sic.patch b/queue-2.6.21/ipv6-fix-slab-corruption-running-ip6sic.patch new file mode 100644 index 00000000000..b33d0958b77 --- /dev/null +++ b/queue-2.6.21/ipv6-fix-slab-corruption-running-ip6sic.patch @@ -0,0 +1,28 @@ +From stable-bounces@linux.kernel.org Wed May 9 01:22:55 2007 +Date: Wed, 09 May 2007 01:20:59 -0700 (PDT) +Message-Id: <20070509.012059.10297819.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: IPV6: Fix slab corruption running ip6sic + +From: Eric Sesterhenn + +Signed-off-by: Andrew Morton +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + net/ipv6/xfrm6_tunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.21.1.orig/net/ipv6/xfrm6_tunnel.c ++++ linux-2.6.21.1/net/ipv6/xfrm6_tunnel.c +@@ -261,7 +261,7 @@ static int xfrm6_tunnel_rcv(struct sk_bu + __be32 spi; + + spi = xfrm6_tunnel_spi_lookup((xfrm_address_t *)&iph->saddr); +- return xfrm6_rcv_spi(skb, spi); ++ return xfrm6_rcv_spi(skb, spi) > 0 ? : 0; + } + + static int xfrm6_tunnel_err(struct sk_buff *skb, struct inet6_skb_parm *opt, diff --git a/queue-2.6.21/ipv6-reverse-sense-of-promisc-tests-in-ip6_mc_input.patch b/queue-2.6.21/ipv6-reverse-sense-of-promisc-tests-in-ip6_mc_input.patch new file mode 100644 index 00000000000..cb8328fd254 --- /dev/null +++ b/queue-2.6.21/ipv6-reverse-sense-of-promisc-tests-in-ip6_mc_input.patch @@ -0,0 +1,32 @@ +From stable-bounces@linux.kernel.org Tue May 15 01:24:50 2007 +Date: Tue, 15 May 2007 01:22:59 -0700 (PDT) +Message-Id: <20070515.012259.10298321.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: IPV6: Reverse sense of promisc tests in ip6_mc_input + +From: Corey Mutter + +Reverse the sense of the promiscuous-mode tests in ip6_mc_input(). + +Signed-off-by: Corey Mutter +Signed-off-by: David L Stevens +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + net/ipv6/ip6_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.21.1.orig/net/ipv6/ip6_input.c ++++ linux-2.6.21.1/net/ipv6/ip6_input.c +@@ -235,7 +235,7 @@ int ip6_mc_input(struct sk_buff *skb) + IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_INMCASTPKTS); + + hdr = skb->nh.ipv6h; +- deliver = likely(!(skb->dev->flags & (IFF_PROMISC|IFF_ALLMULTI))) || ++ deliver = unlikely(skb->dev->flags & (IFF_PROMISC|IFF_ALLMULTI)) || + ipv6_chk_mcast_addr(skb->dev, &hdr->daddr, NULL); + + /* diff --git a/queue-2.6.21/ipv6-route-assign-rt6i_idev-for-ip6_-prohibit-blk_hole-_entry.patch b/queue-2.6.21/ipv6-route-assign-rt6i_idev-for-ip6_-prohibit-blk_hole-_entry.patch new file mode 100644 index 00000000000..19454d1ae9c --- /dev/null +++ b/queue-2.6.21/ipv6-route-assign-rt6i_idev-for-ip6_-prohibit-blk_hole-_entry.patch @@ -0,0 +1,34 @@ +From stable-bounces@linux.kernel.org Tue May 15 00:17:31 2007 +Date: Tue, 15 May 2007 00:15:44 -0700 (PDT) +Message-Id: <20070515.001544.101595078.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: IPV6 ROUTE: Assign rt6i_idev for ip6_{prohibit,blk_hole}_entry. + +From: YOSHIFUJI Hideaki + +I think this is less critical, but is also suitable for -stable +release. + +Signed-off-by: YOSHIFUJI Hideaki +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + net/ipv6/addrconf.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- linux-2.6.21.1.orig/net/ipv6/addrconf.c ++++ linux-2.6.21.1/net/ipv6/addrconf.c +@@ -4062,6 +4062,10 @@ int __init addrconf_init(void) + return err; + + ip6_null_entry.rt6i_idev = in6_dev_get(&loopback_dev); ++#ifdef CONFIG_IPV6_MULTIPLE_TABLES ++ ip6_prohibit_entry.rt6i_idev = in6_dev_get(&loopback_dev); ++ ip6_blk_hole_entry.rt6i_idev = in6_dev_get(&loopback_dev); ++#endif + + register_netdevice_notifier(&ipv6_dev_notf); + diff --git a/queue-2.6.21/ipv6-send-icmpv6-error-on-scope-violations.patch b/queue-2.6.21/ipv6-send-icmpv6-error-on-scope-violations.patch new file mode 100644 index 00000000000..9e4416d6de1 --- /dev/null +++ b/queue-2.6.21/ipv6-send-icmpv6-error-on-scope-violations.patch @@ -0,0 +1,45 @@ +From stable-bounces@linux.kernel.org Tue May 15 00:03:54 2007 +Date: Tue, 15 May 2007 00:02:07 -0700 (PDT) +Message-Id: <20070515.000207.107940353.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: IPV6: Send ICMPv6 error on scope violations. + +From: David L Stevens + +When an IPv6 router is forwarding a packet with a link-local scope source +address off-link, RFC 4007 requires it to send an ICMPv6 destination +unreachable with code 2 ("not neighbor"), but Linux doesn't. Fix below. + +Signed-off-by: David L Stevens +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + net/ipv6/ip6_output.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- linux-2.6.21.1.orig/net/ipv6/ip6_output.c ++++ linux-2.6.21.1/net/ipv6/ip6_output.c +@@ -449,10 +449,17 @@ int ip6_forward(struct sk_buff *skb) + */ + if (xrlim_allow(dst, 1*HZ)) + ndisc_send_redirect(skb, n, target); +- } else if (ipv6_addr_type(&hdr->saddr)&(IPV6_ADDR_MULTICAST|IPV6_ADDR_LOOPBACK +- |IPV6_ADDR_LINKLOCAL)) { ++ } else { ++ int addrtype = ipv6_addr_type(&hdr->saddr); ++ + /* This check is security critical. */ +- goto error; ++ if (addrtype & (IPV6_ADDR_MULTICAST|IPV6_ADDR_LOOPBACK)) ++ goto error; ++ if (addrtype & IPV6_ADDR_LINKLOCAL) { ++ icmpv6_send(skb, ICMPV6_DEST_UNREACH, ++ ICMPV6_NOT_NEIGHBOUR, 0, skb->dev); ++ goto error; ++ } + } + + if (skb->len > dst_mtu(dst)) { diff --git a/queue-2.6.21/ipv6-track-device-renames-in-snmp6.patch b/queue-2.6.21/ipv6-track-device-renames-in-snmp6.patch new file mode 100644 index 00000000000..0b9ef2ccc58 --- /dev/null +++ b/queue-2.6.21/ipv6-track-device-renames-in-snmp6.patch @@ -0,0 +1,56 @@ +From stable-bounces@linux.kernel.org Thu Apr 26 16:50:13 2007 +Date: Thu, 26 Apr 2007 16:42:47 -0700 +From: Stephen Hemminger +To: , "David S. Miller" +Message-ID: <20070426164247.3b3b2c7a@freekitty> +Cc: stable@kernel.org +Subject: ipv6: track device renames in snmp6 + +When network device's are renamed, the IPV6 snmp6 code +gets confused. It doesn't track name changes so it will OOPS +when network device's are removed. + +The fix is trivial, just unregister/re-register in notify handler. + +Signed-off-by: Stephen Hemminger +Signed-off-by: Chris Wright + +--- + net/ipv6/addrconf.c | 6 ++++-- + net/ipv6/proc.c | 1 + + 2 files changed, 5 insertions(+), 2 deletions(-) + +--- linux-2.6.21.1.orig/net/ipv6/addrconf.c ++++ linux-2.6.21.1/net/ipv6/addrconf.c +@@ -2281,8 +2281,9 @@ static int addrconf_notify(struct notifi + break; + + case NETDEV_CHANGENAME: +-#ifdef CONFIG_SYSCTL + if (idev) { ++ snmp6_unregister_dev(idev); ++#ifdef CONFIG_SYSCTL + addrconf_sysctl_unregister(&idev->cnf); + neigh_sysctl_unregister(idev->nd_parms); + neigh_sysctl_register(dev, idev->nd_parms, +@@ -2290,8 +2291,9 @@ static int addrconf_notify(struct notifi + &ndisc_ifinfo_sysctl_change, + NULL); + addrconf_sysctl_register(idev, &idev->cnf); +- } + #endif ++ snmp6_register_dev(idev); ++ } + break; + }; + +--- linux-2.6.21.1.orig/net/ipv6/proc.c ++++ linux-2.6.21.1/net/ipv6/proc.c +@@ -236,6 +236,7 @@ int snmp6_unregister_dev(struct inet6_de + return -EINVAL; + remove_proc_entry(idev->stats.proc_dir_entry->name, + proc_net_devsnmp6); ++ idev->stats.proc_dir_entry = NULL; + return 0; + } + diff --git a/queue-2.6.21/jfs-fix-race-waking-up-jfsio-kernel-thread.patch b/queue-2.6.21/jfs-fix-race-waking-up-jfsio-kernel-thread.patch new file mode 100644 index 00000000000..61cfcecb2e3 --- /dev/null +++ b/queue-2.6.21/jfs-fix-race-waking-up-jfsio-kernel-thread.patch @@ -0,0 +1,38 @@ +From stable-bounces@linux.kernel.org Tue May 15 20:55:43 2007 +From: Dave Kleikamp +To: stable@kernel.org +Date: Tue, 15 May 2007 22:53:36 -0500 +Message-Id: <1179287616.8339.8.camel@kleikamp.austin.ibm.com> +Cc: linux-kernel +Subject: JFS: Fix race waking up jfsIO kernel thread + +It's possible for a journal I/O request to be added to the log_redrive +queue and the jfsIO thread to be awakened after the thread releases +log_redrive_lock but before it sets its state to TASK_INTERRUPTIBLE. + +The jfsIO thread should set the state before giving up the spinlock, so +the waking thread will really wake it. + +Signed-off-by: Dave Kleikamp +Signed-off-by: Chris Wright +--- + fs/jfs/jfs_logmgr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- linux-2.6.21.1.orig/fs/jfs/jfs_logmgr.c ++++ linux-2.6.21.1/fs/jfs/jfs_logmgr.c +@@ -2354,12 +2354,13 @@ int jfsIOWait(void *arg) + lbmStartIO(bp); + spin_lock_irq(&log_redrive_lock); + } +- spin_unlock_irq(&log_redrive_lock); + + if (freezing(current)) { ++ spin_unlock_irq(&log_redrive_lock); + refrigerator(); + } else { + set_current_state(TASK_INTERRUPTIBLE); ++ spin_unlock_irq(&log_redrive_lock); + schedule(); + current->state = TASK_RUNNING; + } diff --git a/queue-2.6.21/kbuild-fixdep-segfault-on-pathological-string-o-death.patch b/queue-2.6.21/kbuild-fixdep-segfault-on-pathological-string-o-death.patch new file mode 100644 index 00000000000..ddc60e3e204 --- /dev/null +++ b/queue-2.6.21/kbuild-fixdep-segfault-on-pathological-string-o-death.patch @@ -0,0 +1,40 @@ +From stable-bounces@linux.kernel.org Wed May 2 12:49:39 2007 +Date: Wed, 2 May 2007 21:48:37 +0200 +From: Sam Ravnborg +To: stable@kernel.org +Message-ID: <20070502194837.GB9044@uranus.ravnborg.org> +Subject: kbuild: fixdep segfault on pathological string-o-death + +From: Andy Green + +build scripts: fixdep blows segfault on string CONFIG_MODULE seen + +The string "CONFIG_MODULE" appearing anywhere in a source file causes +fixdep to segfault. This string appeared in the wild in the current +mISDN sources (I think they meant CONFIG_MODULES). But it shouldn't +segfault (esp as CONFIG_MODULE appeared in a quoted string). + +Signed-off-by: Andy Green +Signed-off-by: Sam Ravnborg +Signed-off-by: Chris Wright +--- + +This is not an important fix per see - but I do not like SEGV during compilation... +Will be pushed to Linus today. + + Sam + + scripts/basic/fixdep.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- linux-2.6.21.1.orig/scripts/basic/fixdep.c ++++ linux-2.6.21.1/scripts/basic/fixdep.c +@@ -249,6 +249,8 @@ void parse_config_file(char *map, size_t + found: + if (!memcmp(q - 7, "_MODULE", 7)) + q -= 7; ++ if( (q-p-7) < 0 ) ++ continue; + use_config(p+7, q-p-7); + } + } diff --git a/queue-2.6.21/knfsd-avoid-use-of-unitialised-variables-on-error-path-when-nfs-exports.patch b/queue-2.6.21/knfsd-avoid-use-of-unitialised-variables-on-error-path-when-nfs-exports.patch new file mode 100644 index 00000000000..86b3dea99d6 --- /dev/null +++ b/queue-2.6.21/knfsd-avoid-use-of-unitialised-variables-on-error-path-when-nfs-exports.patch @@ -0,0 +1,49 @@ +From stable-bounces@linux.kernel.org Sun May 6 17:37:33 2007 +From: NeilBrown +To: Andrew Morton +Date: Mon, 7 May 2007 10:35:15 +1000 +Message-Id: <1070507003515.24070@suse.de> +Cc: Neil Brown , nfs@lists.sourceforge.net, stable@kernel.org +Subject: knfsd: Avoid use of unitialised variables on error path when nfs exports. + +We need to zero various parts of 'exp' before any 'goto out', otherwise +when we go to free the contents... we die. + +Signed-off-by: Neil Brown +Signed-off-by: Chris Wright +--- + + fs/nfsd/export.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff .prev/fs/nfsd/export.c ./fs/nfsd/export.c +--- linux-2.6.21.1.orig/fs/nfsd/export.c ++++ linux-2.6.21.1/fs/nfsd/export.c +@@ -469,6 +469,13 @@ static int svc_export_parse(struct cache + nd.dentry = NULL; + exp.ex_path = NULL; + ++ /* fs locations */ ++ exp.ex_fslocs.locations = NULL; ++ exp.ex_fslocs.locations_count = 0; ++ exp.ex_fslocs.migrated = 0; ++ ++ exp.ex_uuid = NULL; ++ + if (mesg[mlen-1] != '\n') + return -EINVAL; + mesg[mlen-1] = 0; +@@ -509,13 +516,6 @@ static int svc_export_parse(struct cache + if (exp.h.expiry_time == 0) + goto out; + +- /* fs locations */ +- exp.ex_fslocs.locations = NULL; +- exp.ex_fslocs.locations_count = 0; +- exp.ex_fslocs.migrated = 0; +- +- exp.ex_uuid = NULL; +- + /* flags */ + err = get_int(&mesg, &an_int); + if (err == -ENOENT) diff --git a/queue-2.6.21/knfsd-rpc-fix-server-side-wrapping-of-krb5i-replies.patch b/queue-2.6.21/knfsd-rpc-fix-server-side-wrapping-of-krb5i-replies.patch new file mode 100644 index 00000000000..92cb79d2da4 --- /dev/null +++ b/queue-2.6.21/knfsd-rpc-fix-server-side-wrapping-of-krb5i-replies.patch @@ -0,0 +1,39 @@ +From stable-bounces@linux.kernel.org Sun May 6 17:37:48 2007 +From: NeilBrown +To: Andrew Morton +Date: Mon, 7 May 2007 10:35:21 +1000 +Message-Id: <1070507003521.24086@suse.de> +Cc: Neil Brown , "J. Bruce Fields" , nfs@lists.sourceforge.net, stable@kernel.org +Subject: knfsd: rpc: fix server-side wrapping of krb5i replies + +It's not necessarily correct to assume that the xdr_buf used to hold the +server's reply must have page data whenever it has tail data. + +And there's no need for us to deal with that case separately anyway. + +Acked-by: "J. Bruce Fields" +Signed-off-by: Neil Brown +Signed-off-by: Chris Wright +--- + + net/sunrpc/auth_gss/svcauth_gss.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff .prev/net/sunrpc/auth_gss/svcauth_gss.c ./net/sunrpc/auth_gss/svcauth_gss.c +--- linux-2.6.21.1.orig/net/sunrpc/auth_gss/svcauth_gss.c ++++ linux-2.6.21.1/net/sunrpc/auth_gss/svcauth_gss.c +@@ -1196,13 +1196,7 @@ svcauth_gss_wrap_resp_integ(struct svc_r + if (xdr_buf_subsegment(resbuf, &integ_buf, integ_offset, + integ_len)) + BUG(); +- if (resbuf->page_len == 0 +- && resbuf->head[0].iov_len + RPC_MAX_AUTH_SIZE +- < PAGE_SIZE) { +- BUG_ON(resbuf->tail[0].iov_len); +- /* Use head for everything */ +- resv = &resbuf->head[0]; +- } else if (resbuf->tail[0].iov_base == NULL) { ++ if (resbuf->tail[0].iov_base == NULL) { + if (resbuf->head[0].iov_len + RPC_MAX_AUTH_SIZE > PAGE_SIZE) + goto out_err; + resbuf->tail[0].iov_base = resbuf->head[0].iov_base diff --git a/queue-2.6.21/libata-sff-undo-bug-introduced-with-pci_iomap-changes.patch b/queue-2.6.21/libata-sff-undo-bug-introduced-with-pci_iomap-changes.patch new file mode 100644 index 00000000000..cb3264918dc --- /dev/null +++ b/queue-2.6.21/libata-sff-undo-bug-introduced-with-pci_iomap-changes.patch @@ -0,0 +1,78 @@ +From linux-kernel-owner+glk-linux-kernel-3=40m.gmane.org-S932184AbXEALti@vger.kernel.org Wed May 16 17:02:07 2007 +Date: Tue, 1 May 2007 12:53:27 +0100 +Message-ID: <20070501125327.52dd92e4@the-village.bc.nu> +From: Alan Cox +To: Tejun Heo , jeff@garzik.org +Subject: libata-sff: Undo bug introduced with pci_iomap changes + +If you have a controller with one channel disabled and unmapped the new +iomap code blindly tries to iomap unconfigured BARs. Later on the code +does the right thing and checks for unmapped bars but it is done in the +wrong order + +Reorder the checks and make the iomap conditional + +Tejun: I think the code below is now correct but would appreciate you +giving it a review. + +Signed-off-by: Alan Cox +Acked-by: Tejun Heo +Signed-off-by: Chris Wright +--- +[chrisw: Why is this not upstream yet?] + + drivers/ata/libata-sff.c | 35 +++++++++++++++++++++++------------ + 1 file changed, 23 insertions(+), 12 deletions(-) + +--- linux-2.6.21.1.orig/drivers/ata/libata-sff.c ++++ linux-2.6.21.1/drivers/ata/libata-sff.c +@@ -557,12 +557,30 @@ ata_pci_init_native_mode(struct pci_dev + int i, p = 0; + void __iomem * const *iomap; + ++ /* Discard disabled ports. Some controllers show their ++ unused channels this way */ ++ if (ata_resources_present(pdev, 0) == 0) ++ ports &= ~ATA_PORT_PRIMARY; ++ if (ata_resources_present(pdev, 1) == 0) ++ ports &= ~ATA_PORT_SECONDARY; ++ + /* iomap BARs */ +- for (i = 0; i < 4; i++) { +- if (pcim_iomap(pdev, i, 0) == NULL) { +- dev_printk(KERN_ERR, &pdev->dev, +- "failed to iomap PCI BAR %d\n", i); +- return NULL; ++ if (ports & ATA_PORT_PRIMARY) { ++ for (i = 0; i <= 1; i++) { ++ if (pcim_iomap(pdev, i, 0) == NULL) { ++ dev_printk(KERN_ERR, &pdev->dev, ++ "failed to iomap PCI BAR %d\n", i); ++ return NULL; ++ } ++ } ++ } ++ if (ports & ATA_PORT_SECONDARY) { ++ for (i = 2; i <= 3; i++) { ++ if (pcim_iomap(pdev, i, 0) == NULL) { ++ dev_printk(KERN_ERR, &pdev->dev, ++ "failed to iomap PCI BAR %d\n", i); ++ return NULL; ++ } + } + } + +@@ -577,13 +595,6 @@ ata_pci_init_native_mode(struct pci_dev + probe_ent->irq = pdev->irq; + probe_ent->irq_flags = IRQF_SHARED; + +- /* Discard disabled ports. Some controllers show their +- unused channels this way */ +- if (ata_resources_present(pdev, 0) == 0) +- ports &= ~ATA_PORT_PRIMARY; +- if (ata_resources_present(pdev, 1) == 0) +- ports &= ~ATA_PORT_SECONDARY; +- + if (ports & ATA_PORT_PRIMARY) { + probe_ent->port[p].cmd_addr = iomap[0]; + probe_ent->port[p].altstatus_addr = diff --git a/queue-2.6.21/md-avoid-a-possibility-that-a-read-error-can-wrongly-propagate-through-md-raid1-to-a-filesystem.patch b/queue-2.6.21/md-avoid-a-possibility-that-a-read-error-can-wrongly-propagate-through-md-raid1-to-a-filesystem.patch new file mode 100644 index 00000000000..94894366de0 --- /dev/null +++ b/queue-2.6.21/md-avoid-a-possibility-that-a-read-error-can-wrongly-propagate-through-md-raid1-to-a-filesystem.patch @@ -0,0 +1,85 @@ +From stable-bounces@linux.kernel.org Wed May 9 23:24:47 2007 +From: NeilBrown +To: Andrew Morton +Date: Thu, 10 May 2007 16:22:25 +1000 +Message-Id: <1070510062225.20388@suse.de> +Cc: linux-raid@vger.kernel.org, Neil Brown , stable@kernel.org +Subject: md: Avoid a possibility that a read error can wrongly propagate through md/raid1 to a filesystem. + +When a raid1 has only one working drive, we want read error to +propagate up to the filesystem as there is no point failing the last +drive in an array. + +Currently the code perform this check is racy. If a write and a read +a both submitted to a device on a 2-drive raid1, and the write fails +followed by the read failing, the read will see that there is only one +working drive and will pass the failure up, even though the one +working drive is actually the *other* one. + +So, tighten up the locking. + +Signed-off-by: Neil Brown +Signed-off-by: Chris Wright +--- + + drivers/md/raid1.c | 33 +++++++++++++++++++-------------- + 1 file changed, 19 insertions(+), 14 deletions(-) + +diff .prev/drivers/md/raid1.c ./drivers/md/raid1.c +--- linux-2.6.21.1.orig/drivers/md/raid1.c ++++ linux-2.6.21.1/drivers/md/raid1.c +@@ -271,21 +271,25 @@ static int raid1_end_read_request(struct + */ + update_head_pos(mirror, r1_bio); + +- if (uptodate || (conf->raid_disks - conf->mddev->degraded) <= 1) { +- /* +- * Set R1BIO_Uptodate in our master bio, so that +- * we will return a good error code for to the higher +- * levels even if IO on some other mirrored buffer fails. +- * +- * The 'master' represents the composite IO operation to +- * user-side. So if something waits for IO, then it will +- * wait for the 'master' bio. ++ if (uptodate) ++ set_bit(R1BIO_Uptodate, &r1_bio->state); ++ else { ++ /* If all other devices have failed, we want to return ++ * the error upwards rather than fail the last device. ++ * Here we redefine "uptodate" to mean "Don't want to retry" + */ +- if (uptodate) +- set_bit(R1BIO_Uptodate, &r1_bio->state); ++ unsigned long flags; ++ spin_lock_irqsave(&conf->device_lock, flags); ++ if (r1_bio->mddev->degraded == conf->raid_disks || ++ (r1_bio->mddev->degraded == conf->raid_disks-1 && ++ !test_bit(Faulty, &conf->mirrors[mirror].rdev->flags))) ++ uptodate = 1; ++ spin_unlock_irqrestore(&conf->device_lock, flags); ++ } + ++ if (uptodate) + raid_end_bio_io(r1_bio); +- } else { ++ else { + /* + * oops, read error: + */ +@@ -992,13 +996,14 @@ static void error(mddev_t *mddev, mdk_rd + unsigned long flags; + spin_lock_irqsave(&conf->device_lock, flags); + mddev->degraded++; ++ set_bit(Faulty, &rdev->flags); + spin_unlock_irqrestore(&conf->device_lock, flags); + /* + * if recovery is running, make sure it aborts. + */ + set_bit(MD_RECOVERY_ERR, &mddev->recovery); +- } +- set_bit(Faulty, &rdev->flags); ++ } else ++ set_bit(Faulty, &rdev->flags); + set_bit(MD_CHANGE_DEVS, &mddev->flags); + printk(KERN_ALERT "raid1: Disk failure on %s, disabling device. \n" + " Operation continuing on %d devices\n", diff --git a/queue-2.6.21/net_sched-prio-qdisc-boundary-condition.patch b/queue-2.6.21/net_sched-prio-qdisc-boundary-condition.patch new file mode 100644 index 00000000000..5de1b173b1f --- /dev/null +++ b/queue-2.6.21/net_sched-prio-qdisc-boundary-condition.patch @@ -0,0 +1,32 @@ +From stable-bounces@linux.kernel.org Tue May 15 01:25:35 2007 +Date: Tue, 15 May 2007 01:23:46 -0700 (PDT) +Message-Id: <20070515.012346.34759663.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: NET_SCHED: prio qdisc boundary condition + +From: Jamal Hadi Salim + +This fixes an out-of-boundary condition when the classified +band equals q->bands. Caught by Alexey + +Signed-off-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + net/sched/sch_prio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.21.1.orig/net/sched/sch_prio.c ++++ linux-2.6.21.1/net/sched/sch_prio.c +@@ -74,7 +74,7 @@ prio_classify(struct sk_buff *skb, struc + band = res.classid; + } + band = TC_H_MIN(band) - 1; +- if (band > q->bands) ++ if (band >= q->bands) + return q->queues[q->prio2band[0]]; + + return q->queues[band]; diff --git a/queue-2.6.21/netfilter-ip-nf-_conntrack-fix-use-after-free-in-helper-destroy-callback-invocation.patch b/queue-2.6.21/netfilter-ip-nf-_conntrack-fix-use-after-free-in-helper-destroy-callback-invocation.patch new file mode 100644 index 00000000000..c618aefbce4 --- /dev/null +++ b/queue-2.6.21/netfilter-ip-nf-_conntrack-fix-use-after-free-in-helper-destroy-callback-invocation.patch @@ -0,0 +1,101 @@ +From stable-bounces@linux.kernel.org Wed May 16 09:58:34 2007 +Message-ID: <464B37AB.5040802@trash.net> +Date: Wed, 16 May 2007 18:56:11 +0200 +From: Patrick McHardy +To: stable@kernel.org +Cc: Netfilter Development Mailinglist , "David S. Miller" +Subject: NETFILTER: {ip,nf}_conntrack: fix use-after-free in helper destroy callback invocation + +When the helper module is removed for a master connection that has a +fulfilled expectation, but has already timed out and got removed from +the hash tables, nf_conntrack_helper_unregister can't find the master +connection to unset the helper, causing a use-after-free when the +expected connection is destroyed and releases the last reference to +the master. + +The helper destroy callback was introduced for the PPtP helper to clean +up expectations and expected connections when the master connection +times out, but doing this from destroy_conntrack only works for +unfulfilled expectations since expected connections hold a reference +to the master, preventing its destruction. Move the destroy callback to +the timeout function, which fixes both problems. + +Reported/tested by Gabor Burjan . + +Signed-off-by: Patrick McHardy +Signed-off-by: Chris Wright +--- +commit 441f15ce23ef5c4d149b7e7985f63c1ddd334c45 +tree 8783e067803def0fc2773ef3515190143ac47320 +parent 8d8b10482fffcb72b15515231bb942e2ad6395c9 +author Patrick McHardy Wed, 16 May 2007 18:52:36 +0200 +committer Patrick McHardy Wed, 16 May 2007 18:52:36 +0200 + + net/ipv4/netfilter/ip_conntrack_core.c | 10 +++++----- + net/netfilter/nf_conntrack_core.c | 8 ++++---- + 2 files changed, 9 insertions(+), 9 deletions(-) + +--- linux-2.6.21.1.orig/net/ipv4/netfilter/ip_conntrack_core.c ++++ linux-2.6.21.1/net/ipv4/netfilter/ip_conntrack_core.c +@@ -302,7 +302,6 @@ destroy_conntrack(struct nf_conntrack *n + { + struct ip_conntrack *ct = (struct ip_conntrack *)nfct; + struct ip_conntrack_protocol *proto; +- struct ip_conntrack_helper *helper; + typeof(ip_conntrack_destroyed) destroyed; + + DEBUGP("destroy_conntrack(%p)\n", ct); +@@ -312,10 +311,6 @@ destroy_conntrack(struct nf_conntrack *n + ip_conntrack_event(IPCT_DESTROY, ct); + set_bit(IPS_DYING_BIT, &ct->status); + +- helper = ct->helper; +- if (helper && helper->destroy) +- helper->destroy(ct); +- + /* To make sure we don't get any weird locking issues here: + * destroy_conntrack() MUST NOT be called with a write lock + * to ip_conntrack_lock!!! -HW */ +@@ -356,6 +351,11 @@ destroy_conntrack(struct nf_conntrack *n + static void death_by_timeout(unsigned long ul_conntrack) + { + struct ip_conntrack *ct = (void *)ul_conntrack; ++ struct ip_conntrack_helper *helper; ++ ++ helper = ct->helper; ++ if (helper && helper->destroy) ++ helper->destroy(ct); + + write_lock_bh(&ip_conntrack_lock); + /* Inside lock so preempt is disabled on module removal path. +--- linux-2.6.21.1.orig/net/netfilter/nf_conntrack_core.c ++++ linux-2.6.21.1/net/netfilter/nf_conntrack_core.c +@@ -315,7 +315,6 @@ static void + destroy_conntrack(struct nf_conntrack *nfct) + { + struct nf_conn *ct = (struct nf_conn *)nfct; +- struct nf_conn_help *help = nfct_help(ct); + struct nf_conntrack_l3proto *l3proto; + struct nf_conntrack_l4proto *l4proto; + typeof(nf_conntrack_destroyed) destroyed; +@@ -327,9 +326,6 @@ destroy_conntrack(struct nf_conntrack *n + nf_conntrack_event(IPCT_DESTROY, ct); + set_bit(IPS_DYING_BIT, &ct->status); + +- if (help && help->helper && help->helper->destroy) +- help->helper->destroy(ct); +- + /* To make sure we don't get any weird locking issues here: + * destroy_conntrack() MUST NOT be called with a write lock + * to nf_conntrack_lock!!! -HW */ +@@ -375,6 +371,10 @@ destroy_conntrack(struct nf_conntrack *n + static void death_by_timeout(unsigned long ul_conntrack) + { + struct nf_conn *ct = (void *)ul_conntrack; ++ struct nf_conn_help *help = nfct_help(ct); ++ ++ if (help && help->helper && help->helper->destroy) ++ help->helper->destroy(ct); + + write_lock_bh(&nf_conntrack_lock); + /* Inside lock so preempt is disabled on module removal path. diff --git a/queue-2.6.21/netpoll-fix-tx-queue-overflow-in-trapped-mode.patch b/queue-2.6.21/netpoll-fix-tx-queue-overflow-in-trapped-mode.patch new file mode 100644 index 00000000000..4db2315caf4 --- /dev/null +++ b/queue-2.6.21/netpoll-fix-tx-queue-overflow-in-trapped-mode.patch @@ -0,0 +1,50 @@ +From stable-bounces@linux.kernel.org Wed May 9 01:29:47 2007 +Date: Wed, 09 May 2007 01:27:55 -0700 (PDT) +Message-Id: <20070509.012755.02298606.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: NETPOLL: Fix TX queue overflow in trapped mode. + +From: Sergei Shtylyov + +CONFIG_NETPOLL_TRAP causes the TX queue controls to be completely bypassed in +the netpoll's "trapped" mode which easily causes overflows in the drivers with +short TX queues (most notably, in 8139too with its 4-deep queue). So, make +this option more sensible by making it only bypass the TX softirq wakeup. + +Signed-off-by: Sergei Shtylyov +Acked-by: Jeff Garzik +Acked-by: Tom Rini +Acked-by: Matt Mackall +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + include/linux/netdevice.h | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- linux-2.6.21.1.orig/include/linux/netdevice.h ++++ linux-2.6.21.1/include/linux/netdevice.h +@@ -647,8 +647,10 @@ static inline void netif_start_queue(str + static inline void netif_wake_queue(struct net_device *dev) + { + #ifdef CONFIG_NETPOLL_TRAP +- if (netpoll_trap()) ++ if (netpoll_trap()) { ++ clear_bit(__LINK_STATE_XOFF, &dev->state); + return; ++ } + #endif + if (test_and_clear_bit(__LINK_STATE_XOFF, &dev->state)) + __netif_schedule(dev); +@@ -656,10 +658,6 @@ static inline void netif_wake_queue(stru + + static inline void netif_stop_queue(struct net_device *dev) + { +-#ifdef CONFIG_NETPOLL_TRAP +- if (netpoll_trap()) +- return; +-#endif + set_bit(__LINK_STATE_XOFF, &dev->state); + } + diff --git a/queue-2.6.21/netpoll-remove-config_netpoll_rx.patch b/queue-2.6.21/netpoll-remove-config_netpoll_rx.patch new file mode 100644 index 00000000000..51717c38560 --- /dev/null +++ b/queue-2.6.21/netpoll-remove-config_netpoll_rx.patch @@ -0,0 +1,37 @@ +From stable-bounces@linux.kernel.org Wed May 9 01:31:23 2007 +Date: Wed, 09 May 2007 01:29:18 -0700 (PDT) +Message-Id: <20070509.012918.68157237.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: NETPOLL: Remove CONFIG_NETPOLL_RX + +From: Sergei Shtylyov + +Get rid of the CONFIG_NETPOLL_RX option completely since all the +dependencies have been removed long ago... + +Signed-off-by: Sergei Shtylyov +Acked-by: Jeff Garzik +Acked-by: Matt Mackall +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + drivers/net/Kconfig | 5 ----- + 1 file changed, 5 deletions(-) + +--- linux-2.6.21.1.orig/drivers/net/Kconfig ++++ linux-2.6.21.1/drivers/net/Kconfig +@@ -2929,11 +2929,6 @@ endif #NETDEVICES + config NETPOLL + def_bool NETCONSOLE + +-config NETPOLL_RX +- bool "Netpoll support for trapping incoming packets" +- default n +- depends on NETPOLL +- + config NETPOLL_TRAP + bool "Netpoll traffic trapping" + default n diff --git a/queue-2.6.21/oom-fix-constraint-deadlock.patch b/queue-2.6.21/oom-fix-constraint-deadlock.patch new file mode 100644 index 00000000000..bdf522fb06e --- /dev/null +++ b/queue-2.6.21/oom-fix-constraint-deadlock.patch @@ -0,0 +1,69 @@ +From stable-bounces@linux.kernel.org Sun May 6 15:23:33 2007 +Message-Id: <200705062150.l46Lo1r4024550@shell0.pdx.osdl.net> +To: torvalds@linux-foundation.org +From: akpm@linux-foundation.org +Date: Sun, 06 May 2007 14:50:00 -0700 +Cc: npiggin@suse.de, clameter@engr.sgi.com, ak@suse.de, mbligh@mbligh.org, rientjes@google.com, akpm@linux-foundation.org, stable@kernel.org +Subject: oom: fix constraint deadlock + +From: David Rientjes + +Fixes a deadlock in the OOM killer for allocations that are not +__GFP_HARDWALL. + +Before the OOM killer checks for the allocation constraint, it takes +callback_mutex. + +constrained_alloc() iterates through each zone in the allocation zonelist +and calls cpuset_zone_allowed_softwall() to determine whether an allocation +for gfp_mask is possible. If a zone's node is not in the OOM-triggering +task's mems_allowed, it is not exiting, and we did not fail on a +__GFP_HARDWALL allocation, cpuset_zone_allowed_softwall() attempts to take +callback_mutex to check the nearest exclusive ancestor of current's cpuset. + This results in deadlock. + +We now take callback_mutex after iterating through the zonelist since we +don't need it yet. + +Cc: Andi Kleen +Cc: Nick Piggin +Cc: Christoph Lameter +Cc: Martin J. Bligh +Signed-off-by: David Rientjes +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- + + mm/oom_kill.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- linux-2.6.21.1.orig/mm/oom_kill.c ++++ linux-2.6.21.1/mm/oom_kill.c +@@ -397,6 +397,7 @@ void out_of_memory(struct zonelist *zone + struct task_struct *p; + unsigned long points = 0; + unsigned long freed = 0; ++ int constraint; + + blocking_notifier_call_chain(&oom_notify_list, 0, &freed); + if (freed > 0) +@@ -411,14 +412,15 @@ void out_of_memory(struct zonelist *zone + show_mem(); + } + +- cpuset_lock(); +- read_lock(&tasklist_lock); +- + /* + * Check if there were limitations on the allocation (only relevant for + * NUMA) that may require different handling. + */ +- switch (constrained_alloc(zonelist, gfp_mask)) { ++ constraint = constrained_alloc(zonelist, gfp_mask); ++ cpuset_lock(); ++ read_lock(&tasklist_lock); ++ ++ switch (constraint) { + case CONSTRAINT_MEMORY_POLICY: + oom_kill_process(current, points, + "No available memory (MPOL_BIND)"); diff --git a/queue-2.6.21/pci-quirks-disable-msi-on-rs400-200-and-rs480.patch b/queue-2.6.21/pci-quirks-disable-msi-on-rs400-200-and-rs480.patch new file mode 100644 index 00000000000..3f50ed023ee --- /dev/null +++ b/queue-2.6.21/pci-quirks-disable-msi-on-rs400-200-and-rs480.patch @@ -0,0 +1,59 @@ +From stable-bounces@linux.kernel.org Thu May 10 23:01:01 2007 +Message-Id: <200705110558.l4B5wpgh007979@shell0.pdx.osdl.net> +To: greg@kroah.com +From: akpm@linux-foundation.org +Date: Thu, 10 May 2007 22:58:51 -0700 +Cc: akpm@linux-foundation.org, htejun@gmail.com, stable@kernel.org, jeff@garzik.org, torresmat@gmail.com +Subject: pci-quirks: disable MSI on RS400-200 and RS480 + +From: Tejun Heo + +MSI doesn't work on RS400-200 and RS480 requiring pci=nomsi kernel boot +parameter for ahci to work. This patch renames quirk_svw_msi() to +quirk_disable_all_msi() and use it to disable MSI on those chips. + + http://thread.gmane.org/gmane.linux.ide/17820 + http://thread.gmane.org/gmane.linux.ide/17516 + https://bugzilla.novell.com/show_bug.cgi?id=263893 + +Signed-off-by: Tejun Heo +Cc: Matí-as Alejandro Torres +Cc: Greg K-H +Cc: Jeff Garzik +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- + + drivers/pci/quirks.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- linux-2.6.21.1.orig/drivers/pci/quirks.c ++++ linux-2.6.21.1/drivers/pci/quirks.c +@@ -1737,18 +1737,20 @@ DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_N + quirk_nvidia_ck804_pcie_aer_ext_cap); + + #ifdef CONFIG_PCI_MSI +-/* The Serverworks PCI-X chipset does not support MSI. We cannot easily rely +- * on setting PCI_BUS_FLAGS_NO_MSI in its bus flags because there are actually +- * some other busses controlled by the chipset even if Linux is not aware of it. +- * Instead of setting the flag on all busses in the machine, simply disable MSI +- * globally. ++/* Some chipsets do not support MSI. We cannot easily rely on setting ++ * PCI_BUS_FLAGS_NO_MSI in its bus flags because there are actually ++ * some other busses controlled by the chipset even if Linux is not ++ * aware of it. Instead of setting the flag on all busses in the ++ * machine, simply disable MSI globally. + */ +-static void __init quirk_svw_msi(struct pci_dev *dev) ++static void __init quirk_disable_all_msi(struct pci_dev *dev) + { + pci_no_msi(); + printk(KERN_WARNING "PCI: MSI quirk detected. MSI deactivated.\n"); + } +-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_SERVERWORKS, PCI_DEVICE_ID_SERVERWORKS_GCNB_LE, quirk_svw_msi); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_SERVERWORKS, PCI_DEVICE_ID_SERVERWORKS_GCNB_LE, quirk_disable_all_msi); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS400_200, quirk_disable_all_msi); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS480, quirk_disable_all_msi); + + /* Disable MSI on chipsets that are known to not support it */ + static void __devinit quirk_disable_msi(struct pci_dev *dev) diff --git a/queue-2.6.21/ppp-fix-ppp_deflate-issues-with-recent-zlib_inflate-changes.patch b/queue-2.6.21/ppp-fix-ppp_deflate-issues-with-recent-zlib_inflate-changes.patch new file mode 100644 index 00000000000..4ad5530ecca --- /dev/null +++ b/queue-2.6.21/ppp-fix-ppp_deflate-issues-with-recent-zlib_inflate-changes.patch @@ -0,0 +1,46 @@ +From stable-bounces@linux.kernel.org Sun May 6 15:22:41 2007 +Message-Id: <200705062151.l46LpuEB025013@shell0.pdx.osdl.net> +To: torvalds@linux-foundation.org +From: akpm@linux-foundation.org +Date: Sun, 06 May 2007 14:51:56 -0700 +Cc: akpm@linux-foundation.org, stefan.wenk@gmx.at, rpurdie@rpsys.net, stable@kernel.org +Subject: ppp: Fix ppp_deflate issues with recent zlib_inflate changes + +From: Richard Purdie + +The last zlib_inflate update broke certain corner cases for ppp_deflate +decompression handling. This patch fixes some logic to make things work +properly again. Users other than ppp_deflate (the only Z_PACKET_FLUSH +user) should be unaffected. + +Fixes bug 8405 (confirmed by Stefan) + +Signed-off-by: Richard Purdie +Cc: Stefan Wenk +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- + + lib/zlib_inflate/inflate.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- linux-2.6.21.1.orig/lib/zlib_inflate/inflate.c ++++ linux-2.6.21.1/lib/zlib_inflate/inflate.c +@@ -743,12 +743,14 @@ int zlib_inflate(z_streamp strm, int flu + + strm->data_type = state->bits + (state->last ? 64 : 0) + + (state->mode == TYPE ? 128 : 0); +- if (((in == 0 && out == 0) || flush == Z_FINISH) && ret == Z_OK) +- ret = Z_BUF_ERROR; + + if (flush == Z_PACKET_FLUSH && ret == Z_OK && +- (strm->avail_out != 0 || strm->avail_in == 0)) ++ strm->avail_out != 0 && strm->avail_in == 0) + return zlib_inflateSyncPacket(strm); ++ ++ if (((in == 0 && out == 0) || flush == Z_FINISH) && ret == Z_OK) ++ ret = Z_BUF_ERROR; ++ + return ret; + } + diff --git a/queue-2.6.21/reiserfs-suppress-lockdep-warning.patch b/queue-2.6.21/reiserfs-suppress-lockdep-warning.patch new file mode 100644 index 00000000000..4458444dd23 --- /dev/null +++ b/queue-2.6.21/reiserfs-suppress-lockdep-warning.patch @@ -0,0 +1,36 @@ +From stable-bounces@linux.kernel.org Mon Apr 30 15:11:55 2007 +Message-Id: <200704302209.l3UM9oqQ016058@shell0.pdx.osdl.net> +To: torvalds@linux-foundation.org +From: akpm@linux-foundation.org +Date: Mon, 30 Apr 2007 15:09:50 -0700 +Cc: tiwai@suse.de, adaplas@pol.net, akpm@linux-foundation.org, stable@kernel.org, jeffm@suse.de +Subject: reiserfs: suppress lockdep warning + +From: Jeff Mahoney + +We're getting lockdep warnings due to a post-2.6.21-rc7 bugfix. + +The xattr_sem can never be taken in the manner described. Internal inodes +are protected by I_PRIVATE. Add the appropriate annotation. + +Cc: +Cc: "Antonino A. Daplas" +Cc: Takashi Iwai +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- + + fs/reiserfs/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.21.1.orig/fs/reiserfs/xattr.c ++++ linux-2.6.21.1/fs/reiserfs/xattr.c +@@ -68,7 +68,7 @@ static struct dentry *get_xa_root(struct + if (!privroot) + return ERR_PTR(-ENODATA); + +- mutex_lock(&privroot->d_inode->i_mutex); ++ mutex_lock_nested(&privroot->d_inode->i_mutex, I_MUTEX_XATTR); + if (REISERFS_SB(sb)->xattr_root) { + xaroot = dget(REISERFS_SB(sb)->xattr_root); + goto out; diff --git a/queue-2.6.21/restore-semantics-of-routing-header-processing.patch b/queue-2.6.21/restore-semantics-of-routing-header-processing.patch new file mode 100644 index 00000000000..40b312e6806 --- /dev/null +++ b/queue-2.6.21/restore-semantics-of-routing-header-processing.patch @@ -0,0 +1,115 @@ +From stable-bounces@linux.kernel.org Fri May 11 09:19:11 2007 +Date: Sat, 12 May 2007 01:17:28 +0900 (JST) +Message-Id: <20070512.011728.16743460.yoshfuji@linux-ipv6.org> +To: davem@davemloft.net +From: YOSHIFUJI Hideaki +Cc: yoshfuji@linux-ipv6.org, netdev@vger.kernel.org, stable@kernel.org +Subject: IPV6: Restore semantics of Routing Header processing. + +The "fix" for emerging security threats was overkill and it broke +basic semantic of IPv6 routing header processing. We should assume +RT0 (or even RT2, depends on configuration) as "unknown" RH type so +that we +- silently ignore the routing header if segleft == 0 +- or, send ICMPv6 Parameter Problem message back to the sender, + otherwise. + +Signed-off-by: YOSHIFUJI Hideaki +Signed-off-by: Chris Wright +--- + net/ipv6/exthdrs.c | 46 ++++++++++++++++------------------------------ + 1 file changed, 16 insertions(+), 30 deletions(-) + +--- linux-2.6.21.1.orig/net/ipv6/exthdrs.c ++++ linux-2.6.21.1/net/ipv6/exthdrs.c +@@ -368,22 +368,13 @@ static int ipv6_rthdr_rcv(struct sk_buff + struct rt0_hdr *rthdr; + int accept_source_route = ipv6_devconf.accept_source_route; + +- if (accept_source_route < 0 || +- ((idev = in6_dev_get(skb->dev)) == NULL)) { +- kfree_skb(skb); +- return -1; +- } +- if (idev->cnf.accept_source_route < 0) { ++ idev = in6_dev_get(skb->dev); ++ if (idev) { ++ if (accept_source_route > idev->cnf.accept_source_route) ++ accept_source_route = idev->cnf.accept_source_route; + in6_dev_put(idev); +- kfree_skb(skb); +- return -1; + } + +- if (accept_source_route > idev->cnf.accept_source_route) +- accept_source_route = idev->cnf.accept_source_route; +- +- in6_dev_put(idev); +- + if (!pskb_may_pull(skb, (skb->h.raw-skb->data)+8) || + !pskb_may_pull(skb, (skb->h.raw-skb->data)+((skb->h.raw[1]+1)<<3))) { + IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), +@@ -394,23 +385,6 @@ static int ipv6_rthdr_rcv(struct sk_buff + + hdr = (struct ipv6_rt_hdr *) skb->h.raw; + +- switch (hdr->type) { +-#ifdef CONFIG_IPV6_MIP6 +- case IPV6_SRCRT_TYPE_2: +- break; +-#endif +- case IPV6_SRCRT_TYPE_0: +- if (accept_source_route > 0) +- break; +- kfree_skb(skb); +- return -1; +- default: +- IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), +- IPSTATS_MIB_INHDRERRORS); +- icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw); +- return -1; +- } +- + if (ipv6_addr_is_multicast(&skb->nh.ipv6h->daddr) || + skb->pkt_type != PACKET_HOST) { + IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), +@@ -450,6 +424,8 @@ looped_back: + + switch (hdr->type) { + case IPV6_SRCRT_TYPE_0: ++ if (accept_source_route <= 0) ++ goto unknown_rh; + if (hdr->hdrlen & 0x01) { + IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), + IPSTATS_MIB_INHDRERRORS); +@@ -459,6 +435,8 @@ looped_back: + break; + #ifdef CONFIG_IPV6_MIP6 + case IPV6_SRCRT_TYPE_2: ++ if (accept_source_route < 0) ++ goto unknown_rh; + /* Silently discard invalid RTH type 2 */ + if (hdr->hdrlen != 2 || hdr->segments_left != 1) { + IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), +@@ -468,6 +446,8 @@ looped_back: + } + break; + #endif ++ default: ++ goto unknown_rh; + } + + /* +@@ -569,6 +549,12 @@ looped_back: + skb_push(skb, skb->data - skb->nh.raw); + dst_input(skb); + return -1; ++ ++unknown_rh: ++ IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_INHDRERRORS); ++ icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, ++ (&hdr->type) - skb->nh.raw); ++ return -1; + } + + static struct inet6_protocol rthdr_protocol = { diff --git a/queue-2.6.21/sata_via-add-missing-pm-hooks.patch b/queue-2.6.21/sata_via-add-missing-pm-hooks.patch new file mode 100644 index 00000000000..1bd5526fa5a --- /dev/null +++ b/queue-2.6.21/sata_via-add-missing-pm-hooks.patch @@ -0,0 +1,42 @@ +From stable-bounces@linux.kernel.org Fri May 4 06:32:42 2007 +Message-ID: <463B357A.4090703@gmail.com> +Date: Fri, 04 May 2007 15:30:34 +0200 +From: Tejun Heo +To: Jeff Garzik , IDE/ATA development list , stable@kernel.org +Cc: Jeroen Janssen +Subject: sata_via: add missing PM hooks + +For some reason, sata_via is missing PM hooks. Add them. Spotted by +Jeroen Janssen . + +Signed-off-by: Tejun Heo +Cc: Jeroen Janssen +Signed-off-by: Chris Wright +--- + drivers/ata/sata_via.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- linux-2.6.21.1.orig/drivers/ata/sata_via.c ++++ linux-2.6.21.1/drivers/ata/sata_via.c +@@ -97,6 +97,10 @@ static struct pci_driver svia_pci_driver + .name = DRV_NAME, + .id_table = svia_pci_tbl, + .probe = svia_init_one, ++#ifdef CONFIG_PM ++ .suspend = ata_pci_device_suspend, ++ .resume = ata_pci_device_resume, ++#endif + .remove = ata_pci_remove_one, + }; + +@@ -116,6 +120,10 @@ static struct scsi_host_template svia_sh + .slave_configure = ata_scsi_slave_config, + .slave_destroy = ata_scsi_slave_destroy, + .bios_param = ata_std_bios_param, ++#ifdef CONFIG_PM ++ .suspend = ata_scsi_device_suspend, ++ .resume = ata_scsi_device_resume, ++#endif + }; + + static const struct ata_port_operations vt6420_sata_ops = { diff --git a/queue-2.6.21/sctp-fix-sctp_getsockopt_local_addrs_old-to-use-local-storage.patch b/queue-2.6.21/sctp-fix-sctp_getsockopt_local_addrs_old-to-use-local-storage.patch new file mode 100644 index 00000000000..e29bca36936 --- /dev/null +++ b/queue-2.6.21/sctp-fix-sctp_getsockopt_local_addrs_old-to-use-local-storage.patch @@ -0,0 +1,243 @@ +From stable-bounces@linux.kernel.org Wed May 9 01:33:28 2007 +Date: Wed, 09 May 2007 01:31:28 -0700 (PDT) +Message-Id: <20070509.013128.27783020.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: SCTP: Fix sctp_getsockopt_local_addrs_old() to use local storage. + +From: Vlad Yasevich + +sctp_getsockopt_local_addrs_old() in net/sctp/socket.c calls +copy_to_user() while the spinlock addr_lock is held. this should not +be done as copy_to_user() might sleep. the call to +sctp_copy_laddrs_to_user() while holding the lock is also problematic +as it calls copy_to_user() + +Signed-off-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + net/sctp/socket.c | 96 +++++++++++++++++++++++++++++++++--------------------- + 1 file changed, 60 insertions(+), 36 deletions(-) + +--- linux-2.6.21.1.orig/net/sctp/socket.c ++++ linux-2.6.21.1/net/sctp/socket.c +@@ -3847,7 +3847,7 @@ static int sctp_getsockopt_peer_addrs(st + memcpy(&temp, &from->ipaddr, sizeof(temp)); + sctp_get_pf_specific(sk->sk_family)->addr_v4map(sp, &temp); + addrlen = sctp_get_af_specific(sk->sk_family)->sockaddr_len; +- if(space_left < addrlen) ++ if (space_left < addrlen) + return -ENOMEM; + if (copy_to_user(to, &temp, addrlen)) + return -EFAULT; +@@ -3936,8 +3936,9 @@ done: + /* Helper function that copies local addresses to user and returns the number + * of addresses copied. + */ +-static int sctp_copy_laddrs_to_user_old(struct sock *sk, __u16 port, int max_addrs, +- void __user *to) ++static int sctp_copy_laddrs_old(struct sock *sk, __u16 port, ++ int max_addrs, void *to, ++ int *bytes_copied) + { + struct list_head *pos, *next; + struct sctp_sockaddr_entry *addr; +@@ -3954,10 +3955,10 @@ static int sctp_copy_laddrs_to_user_old( + sctp_get_pf_specific(sk->sk_family)->addr_v4map(sctp_sk(sk), + &temp); + addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; +- if (copy_to_user(to, &temp, addrlen)) +- return -EFAULT; ++ memcpy(to, &temp, addrlen); + + to += addrlen; ++ *bytes_copied += addrlen; + cnt ++; + if (cnt >= max_addrs) break; + } +@@ -3965,8 +3966,8 @@ static int sctp_copy_laddrs_to_user_old( + return cnt; + } + +-static int sctp_copy_laddrs_to_user(struct sock *sk, __u16 port, +- void __user **to, size_t space_left) ++static int sctp_copy_laddrs(struct sock *sk, __u16 port, void *to, ++ size_t space_left, int *bytes_copied) + { + struct list_head *pos, *next; + struct sctp_sockaddr_entry *addr; +@@ -3983,14 +3984,14 @@ static int sctp_copy_laddrs_to_user(stru + sctp_get_pf_specific(sk->sk_family)->addr_v4map(sctp_sk(sk), + &temp); + addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; +- if(space_leftaddress_list.next, + struct sctp_sockaddr_entry, list); + if (sctp_is_any(&addr->a)) { +- cnt = sctp_copy_laddrs_to_user_old(sk, bp->port, +- getaddrs.addr_num, +- to); +- if (cnt < 0) { +- err = cnt; +- goto unlock; +- } ++ cnt = sctp_copy_laddrs_old(sk, bp->port, ++ getaddrs.addr_num, ++ addrs, &bytes_copied); + goto copy_getaddrs; + } + } +@@ -4066,22 +4074,29 @@ static int sctp_getsockopt_local_addrs_o + memcpy(&temp, &addr->a, sizeof(temp)); + sctp_get_pf_specific(sk->sk_family)->addr_v4map(sp, &temp); + addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; +- if (copy_to_user(to, &temp, addrlen)) { +- err = -EFAULT; +- goto unlock; +- } ++ memcpy(addrs, &temp, addrlen); + to += addrlen; ++ bytes_copied += addrlen; + cnt ++; + if (cnt >= getaddrs.addr_num) break; + } + + copy_getaddrs: ++ sctp_read_unlock(addr_lock); ++ ++ /* copy the entire address list into the user provided space */ ++ if (copy_to_user(to, addrs, bytes_copied)) { ++ err = -EFAULT; ++ goto error; ++ } ++ ++ /* copy the leading structure back to user */ + getaddrs.addr_num = cnt; + if (copy_to_user(optval, &getaddrs, sizeof(struct sctp_getaddrs_old))) + err = -EFAULT; + +-unlock: +- sctp_read_unlock(addr_lock); ++error: ++ kfree(addrs); + return err; + } + +@@ -4101,7 +4116,8 @@ static int sctp_getsockopt_local_addrs(s + rwlock_t *addr_lock; + int err = 0; + size_t space_left; +- int bytes_copied; ++ int bytes_copied = 0; ++ void *addrs; + + if (len <= sizeof(struct sctp_getaddrs)) + return -EINVAL; +@@ -4129,6 +4145,9 @@ static int sctp_getsockopt_local_addrs(s + to = optval + offsetof(struct sctp_getaddrs,addrs); + space_left = len - sizeof(struct sctp_getaddrs) - + offsetof(struct sctp_getaddrs,addrs); ++ addrs = kmalloc(space_left, GFP_KERNEL); ++ if (!addrs) ++ return -ENOMEM; + + sctp_read_lock(addr_lock); + +@@ -4139,11 +4158,11 @@ static int sctp_getsockopt_local_addrs(s + addr = list_entry(bp->address_list.next, + struct sctp_sockaddr_entry, list); + if (sctp_is_any(&addr->a)) { +- cnt = sctp_copy_laddrs_to_user(sk, bp->port, +- &to, space_left); ++ cnt = sctp_copy_laddrs(sk, bp->port, addrs, ++ space_left, &bytes_copied); + if (cnt < 0) { + err = cnt; +- goto unlock; ++ goto error; + } + goto copy_getaddrs; + } +@@ -4154,26 +4173,31 @@ static int sctp_getsockopt_local_addrs(s + memcpy(&temp, &addr->a, sizeof(temp)); + sctp_get_pf_specific(sk->sk_family)->addr_v4map(sp, &temp); + addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; +- if(space_left < addrlen) +- return -ENOMEM; /*fixme: right error?*/ +- if (copy_to_user(to, &temp, addrlen)) { +- err = -EFAULT; +- goto unlock; ++ if (space_left < addrlen) { ++ err = -ENOMEM; /*fixme: right error?*/ ++ goto error; + } ++ memcpy(addrs, &temp, addrlen); + to += addrlen; ++ bytes_copied += addrlen; + cnt ++; + space_left -= addrlen; + } + + copy_getaddrs: ++ sctp_read_unlock(addr_lock); ++ ++ if (copy_to_user(to, addrs, bytes_copied)) { ++ err = -EFAULT; ++ goto error; ++ } + if (put_user(cnt, &((struct sctp_getaddrs __user *)optval)->addr_num)) + return -EFAULT; +- bytes_copied = ((char __user *)to) - optval; + if (put_user(bytes_copied, optlen)) + return -EFAULT; + +-unlock: +- sctp_read_unlock(addr_lock); ++error: ++ kfree(addrs); + return err; + } + diff --git a/queue-2.6.21/sctp-prevent-oops-if-hmac-modules-didn-t-load.patch b/queue-2.6.21/sctp-prevent-oops-if-hmac-modules-didn-t-load.patch new file mode 100644 index 00000000000..fc406212e6b --- /dev/null +++ b/queue-2.6.21/sctp-prevent-oops-if-hmac-modules-didn-t-load.patch @@ -0,0 +1,39 @@ +From stable-bounces@linux.kernel.org Tue May 15 01:34:26 2007 +Date: Tue, 15 May 2007 01:32:35 -0700 (PDT) +Message-Id: <20070515.013235.31256147.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: SCTP: Prevent OOPS if hmac modules didn't load + +From: Vlad Yasevich + +SCTP was checking for NULL when trying to detect hmac +allocation failure where it should have been using IS_ERR. +Also, print a rate limited warning to the log telling the +user what happend. + +Signed-off-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + net/sctp/socket.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- linux-2.6.21.1.orig/net/sctp/socket.c ++++ linux-2.6.21.1/net/sctp/socket.c +@@ -4985,7 +4985,12 @@ int sctp_inet_listen(struct socket *sock + /* Allocate HMAC for generating cookie. */ + if (sctp_hmac_alg) { + tfm = crypto_alloc_hash(sctp_hmac_alg, 0, CRYPTO_ALG_ASYNC); +- if (!tfm) { ++ if (IS_ERR(tfm)) { ++ if (net_ratelimit()) { ++ printk(KERN_INFO ++ "SCTP: failed to load transform for %s: %ld\n", ++ sctp_hmac_alg, PTR_ERR(tfm)); ++ } + err = -ENOSYS; + goto out; + } diff --git a/queue-2.6.21/serial-sunhv-add-an-id-string.patch b/queue-2.6.21/serial-sunhv-add-an-id-string.patch new file mode 100644 index 00000000000..e4be31d0961 --- /dev/null +++ b/queue-2.6.21/serial-sunhv-add-an-id-string.patch @@ -0,0 +1,33 @@ +From stable-bounces@linux.kernel.org Tue May 15 01:41:55 2007 +Date: Tue, 15 May 2007 01:40:09 -0700 (PDT) +Message-Id: <20070515.014009.26532099.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: SERIAL SUNHV: Add an ID string. + +From: "David S. Miller" + +The 'compatible' property can be SUNW,sun4v-console as +well as 'qcn'. + +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + drivers/serial/sunhv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- linux-2.6.21.1.orig/drivers/serial/sunhv.c ++++ linux-2.6.21.1/drivers/serial/sunhv.c +@@ -493,6 +493,10 @@ static struct of_device_id hv_match[] = + .name = "console", + .compatible = "qcn", + }, ++ { ++ .name = "console", ++ .compatible = "SUNW,sun4v-console", ++ }, + {}, + }; + MODULE_DEVICE_TABLE(of, hv_match); diff --git a/queue-2.6.21/series b/queue-2.6.21/series new file mode 100644 index 00000000000..1f70aee736e --- /dev/null +++ b/queue-2.6.21/series @@ -0,0 +1,66 @@ +ipv6-track-device-renames-in-snmp6.patch +sis900-allocate-rx-replacement-buffer-before-rx-operation.patch +smc911x-fix-compilation-breakage-wjen-debug-is-on.patch +acpi-fix-2.6.21-boot-regression-on-p4-ht.patch +cxacru-fix-infinite-loop-when-trying-to-cancel-polling-task.patch +reiserfs-suppress-lockdep-warning.patch +libata-sff-undo-bug-introduced-with-pci_iomap-changes.patch +iop-fix-iop_getttimeoffset.patch +iop13xx-fix-i-o-address-translation.patch +kbuild-fixdep-segfault-on-pathological-string-o-death.patch +ip-nf-_nat_proto_gre-do-not-modify-corrupt-grev0-packets-through-nat.patch +sata_via-add-missing-pm-hooks.patch +arm-fix-handling-of-svc-mode-undefined-instructions.patch +oom-fix-constraint-deadlock.patch +slob-fix-page-order-calculation-on-not-4kb-page.patch +ppp-fix-ppp_deflate-issues-with-recent-zlib_inflate-changes.patch +knfsd-avoid-use-of-unitialised-variables-on-error-path-when-nfs-exports.patch +knfsd-rpc-fix-server-side-wrapping-of-krb5i-replies.patch +skge-default-wol-should-be-magic-only.patch +skge-allow-wol-except-for-known-broken-chips.patch +tg3-fix-tso-bugs.patch +tg3-remove-reset-during-mac-address-changes.patch +tg3-update-version-and-reldate.patch +bnx2-fix-tso-problem-with-small-mss.patch +bnx2-block-mii-access-when-ifdown.patch +bnx2-save-pci-state-during-suspend.patch +bnx2-update-version-and-reldate.patch +highres-dyntick-prevent-xtime-lock-contention.patch +fat-fix-vfat-compat-ioctls-on-64-bit-systems.patch +udf-decrement-correct-link-count-in-udf_rmdir.patch +ipv6-fix-slab-corruption-running-ip6sic.patch +netpoll-fix-tx-queue-overflow-in-trapped-mode.patch +netpoll-remove-config_netpoll_rx.patch +sctp-fix-sctp_getsockopt_local_addrs_old-to-use-local-storage.patch +tcp-zero-out-rx_opt-in-tcp_disconnect.patch +fix-leaky-resv_huge_pages-when-cpuset-is-in-use.patch +clocksource-fix-resume-logic.patch +md-avoid-a-possibility-that-a-read-error-can-wrongly-propagate-through-md-raid1-to-a-filesystem.patch +driver-core-don-t-free-devt_attr-till-the-device-is-released.patch +pci-quirks-disable-msi-on-rs400-200-and-rs480.patch +fix-for-bugzilla-8426-massive-slowdown-on-scsi-cd-dvd-drive-connected-to-mptspi-driver.patch +i386-hpet-check-if-the-counter-works.patch +# still awaiting an ack +#restore-semantics-of-routing-header-processing.patch +alsa-hda-codec-fix-resume-of-stac92xx-codecs.patch +ipmi-fix-si-address-space-settings.patch +x86_64-fix-vgettimeofday.patch +ipv6-send-icmpv6-error-on-scope-violations.patch +ipv6-do-no-rely-on-skb-dst-before-it-is-assigned.patch +ipv6-route-assign-rt6i_idev-for-ip6_-prohibit-blk_hole-_entry.patch +ipv6-reverse-sense-of-promisc-tests-in-ip6_mc_input.patch +net_sched-prio-qdisc-boundary-condition.patch +sctp-prevent-oops-if-hmac-modules-didn-t-load.patch +ipsec-check-validity-of-direction-in-xfrm_policy_byid.patch +sparc64-add-missing-cpus_empty-check-in-hypervisor-xcall-handling.patch +sparc64-fix-recursion-in-prom-tree-building.patch +serial-sunhv-add-an-id-string.patch +sparc64-bump-promintr_max-to-32.patch +sparc64-be-more-resiliant-with-pci-i-o-space-regs.patch +sky2-88e8056-allow.patch +sky2-88e8071-support-not-ready.patch +skge-shutdown.patch +sky2-fix-oops-on-shutdown.patch +usb-hid-hiddev-fix-race-between-hiddev_send_event-and-hiddev_release.patch +jfs-fix-race-waking-up-jfsio-kernel-thread.patch +netfilter-ip-nf-_conntrack-fix-use-after-free-in-helper-destroy-callback-invocation.patch diff --git a/queue-2.6.21/sis900-allocate-rx-replacement-buffer-before-rx-operation.patch b/queue-2.6.21/sis900-allocate-rx-replacement-buffer-before-rx-operation.patch new file mode 100644 index 00000000000..ee9db79405d --- /dev/null +++ b/queue-2.6.21/sis900-allocate-rx-replacement-buffer-before-rx-operation.patch @@ -0,0 +1,52 @@ +From dc5a144991ba803bc8afded105c9db1dea0e57ab Mon Sep 17 00:00:00 2001 +From: Neil Horman +Date: Thu, 26 Apr 2007 13:47:36 -0400 +Subject: sis900: Allocate rx replacement buffer before rx operation + +Just found a hole in my last patch. It was reported to me that shortly after we +integrated this patch. The report was of an oops that took place inside of +netif_rx when using the sis900 driver. Looking at my origional patch I noted +that there was a spot between the new skb_alloc and the refill_rx_ring label +where skb got reassigned to the pointer currently held in the rx_ring for the +purposes of receiveing the frame. The result of this is however that the buffer +that gets passed to netif_rx (if it is called), then gets placed right back into +the rx_ring. So if you receive frames fast enough the skb being processed by +the network stack can get corrupted. The reporter is testing out the fix I've +written for this below (I'm not near my hardware at the moment to test myself), +but I wanted to post it for review ASAP. I'll post test results when I hear +them, but I think this is a pretty straightforward fix. It just uses a separate +pointer to do the rx operation, so that we don't improperly reassign the pointer +that we use to refill the rx ring. + +Signed-off-by: Neil Horman +Signed-off-by: Jeff Garzik +Signed-off-by: Chris Wright +--- + drivers/net/sis900.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- linux-2.6.21.1.orig/drivers/net/sis900.c ++++ linux-2.6.21.1/drivers/net/sis900.c +@@ -1754,6 +1754,7 @@ static int sis900_rx(struct net_device * + sis_priv->rx_ring[entry].cmdsts = RX_BUF_SIZE; + } else { + struct sk_buff * skb; ++ struct sk_buff * rx_skb; + + pci_unmap_single(sis_priv->pci_dev, + sis_priv->rx_ring[entry].bufptr, RX_BUF_SIZE, +@@ -1787,10 +1788,10 @@ static int sis900_rx(struct net_device * + } + + /* give the socket buffer to upper layers */ +- skb = sis_priv->rx_skbuff[entry]; +- skb_put(skb, rx_size); +- skb->protocol = eth_type_trans(skb, net_dev); +- netif_rx(skb); ++ rx_skb = sis_priv->rx_skbuff[entry]; ++ skb_put(rx_skb, rx_size); ++ rx_skb->protocol = eth_type_trans(rx_skb, net_dev); ++ netif_rx(rx_skb); + + /* some network statistics */ + if ((rx_status & BCAST) == MCAST) diff --git a/queue-2.6.21/skge-allow-wol-except-for-known-broken-chips.patch b/queue-2.6.21/skge-allow-wol-except-for-known-broken-chips.patch new file mode 100644 index 00000000000..cc4790bde44 --- /dev/null +++ b/queue-2.6.21/skge-allow-wol-except-for-known-broken-chips.patch @@ -0,0 +1,36 @@ +From stable-bounces@linux.kernel.org Mon May 7 11:04:00 2007 +Date: Mon, 7 May 2007 11:01:55 -0700 +From: Stephen Hemminger +To: Jeff Garzik +Message-ID: <20070507110155.2063c74d@freekitty> +Cc: stable@kernel.org +Subject: skge: allow WOL except for known broken chips + +Wake On Lan works correctly on Yukon-FE and other variants. + +Signed-off-by: Stephen Hemminger +Signed-off-by: Chris Wright + +--- + drivers/net/skge.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- linux-2.6.21.1.orig/drivers/net/skge.c ++++ linux-2.6.21.1/drivers/net/skge.c +@@ -135,10 +135,13 @@ static void skge_get_regs(struct net_dev + /* Wake on Lan only supported on Yukon chips with rev 1 or above */ + static u32 wol_supported(const struct skge_hw *hw) + { +- if (hw->chip_id == CHIP_ID_YUKON && hw->chip_rev != 0) +- return WAKE_MAGIC | WAKE_PHY; +- else ++ if (hw->chip_id == CHIP_ID_GENESIS) + return 0; ++ ++ if (hw->chip_id == CHIP_ID_YUKON && hw->chip_rev == 0) ++ return 0; ++ ++ return WAKE_MAGIC | WAKE_PHY; + } + + static u32 pci_wake_enabled(struct pci_dev *dev) diff --git a/queue-2.6.21/skge-default-wol-should-be-magic-only.patch b/queue-2.6.21/skge-default-wol-should-be-magic-only.patch new file mode 100644 index 00000000000..6717e5798ad --- /dev/null +++ b/queue-2.6.21/skge-default-wol-should-be-magic-only.patch @@ -0,0 +1,32 @@ +From stable-bounces@linux.kernel.org Tue May 8 13:38:21 2007 +Date: Tue, 8 May 2007 13:36:20 -0700 +From: Stephen Hemminger +To: Jeff Garzik +Message-ID: <20070508133620.0a7c6d12@localhost> +Cc: stable@kernel.org +Subject: skge: default WOL should be magic only (rev2) + +By default, the skge driver now enables wake on magic and wake on PHY. +This is a bad default (bug), wake on PHY means machine will never shutdown +if connected to a switch. + +Signed-off-by: Stephen Hemminger a +Signed-off-by: Chris Wright + +--- + drivers/net/skge.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- linux-2.6.21.1.orig/drivers/net/skge.c ++++ linux-2.6.21.1/drivers/net/skge.c +@@ -3583,7 +3583,9 @@ static struct net_device *skge_devinit(s + skge->duplex = -1; + skge->speed = -1; + skge->advertising = skge_supported_modes(hw); +- skge->wol = pci_wake_enabled(hw->pdev) ? wol_supported(hw) : 0; ++ ++ if (pci_wake_enabled(hw->pdev)) ++ skge->wol = wol_supported(hw) & WAKE_MAGIC; + + hw->dev[port] = dev; + diff --git a/queue-2.6.21/skge-shutdown.patch b/queue-2.6.21/skge-shutdown.patch new file mode 100644 index 00000000000..bad1fffab49 --- /dev/null +++ b/queue-2.6.21/skge-shutdown.patch @@ -0,0 +1,51 @@ +From stable-bounces@linux.kernel.org Tue May 15 15:20:30 2007 +Message-Id: <20070515220903.789054831@linux-foundation.org> +Date: Tue, 15 May 2007 15:08:26 -0700 +From: Stephen Hemminger +To: stable@kernel.org +Cc: netdev@vger.kernel.org +Subject: skge: crash on shutdown/suspend + +If device fails during module startup for some reason (like unsupported chip +version) then driver would crash dereferencing a null pointer, on shutdown +or suspend/resume. + +Signed-off-by: Stephen Hemminger +Signed-off-by: Chris Wright + +--- + drivers/net/skge.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- linux-2.6.21.1.orig/drivers/net/skge.c ++++ linux-2.6.21.1/drivers/net/skge.c +@@ -3794,6 +3794,9 @@ static int skge_suspend(struct pci_dev * + struct skge_hw *hw = pci_get_drvdata(pdev); + int i, err, wol = 0; + ++ if (!hw) ++ return 0; ++ + err = pci_save_state(pdev); + if (err) + return err; +@@ -3822,6 +3825,9 @@ static int skge_resume(struct pci_dev *p + struct skge_hw *hw = pci_get_drvdata(pdev); + int i, err; + ++ if (!hw) ++ return 0; ++ + err = pci_set_power_state(pdev, PCI_D0); + if (err) + goto out; +@@ -3860,6 +3866,9 @@ static void skge_shutdown(struct pci_dev + struct skge_hw *hw = pci_get_drvdata(pdev); + int i, wol = 0; + ++ if (!hw) ++ return; ++ + for (i = 0; i < hw->ports; i++) { + struct net_device *dev = hw->dev[i]; + struct skge_port *skge = netdev_priv(dev); diff --git a/queue-2.6.21/sky2-88e8056-allow.patch b/queue-2.6.21/sky2-88e8056-allow.patch new file mode 100644 index 00000000000..3b3cd87982c --- /dev/null +++ b/queue-2.6.21/sky2-88e8056-allow.patch @@ -0,0 +1,31 @@ +From stable-bounces@linux.kernel.org Tue May 15 15:20:13 2007 +Message-Id: <20070515220903.648019094@linux-foundation.org> +Date: Tue, 15 May 2007 15:08:24 -0700 +From: Stephen Hemminger +To: stable@kernel.org +Cc: netdev@vger.kernel.org +Subject: sky2: allow 88E8056 + +It looks like the problems of Gigabyte 88E8056 are unique to that chip +motherboard and maybe fixable by EEPROM update. + +Signed-off-by: Stephen Hemminger +Signed-off-by: Chris Wright + +--- + drivers/net/sky2.c | 3 --- + 1 file changed, 3 deletions(-) + +--- linux-2.6.21.1.orig/drivers/net/sky2.c ++++ linux-2.6.21.1/drivers/net/sky2.c +@@ -123,10 +123,7 @@ static const struct pci_device_id sky2_i + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4361) }, /* 88E8050 */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4362) }, /* 88E8053 */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4363) }, /* 88E8055 */ +-#ifdef broken +- /* This device causes data corruption problems that are not resolved */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4364) }, /* 88E8056 */ +-#endif + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4366) }, /* 88EC036 */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4367) }, /* 88EC032 */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4368) }, /* 88EC034 */ diff --git a/queue-2.6.21/sky2-88e8071-support-not-ready.patch b/queue-2.6.21/sky2-88e8071-support-not-ready.patch new file mode 100644 index 00000000000..a4421a18cab --- /dev/null +++ b/queue-2.6.21/sky2-88e8071-support-not-ready.patch @@ -0,0 +1,28 @@ +From stable-bounces@linux.kernel.org Tue May 15 15:20:04 2007 +Message-Id: <20070515220903.737015029@linux-foundation.org> +Date: Tue, 15 May 2007 15:08:25 -0700 +From: Stephen Hemminger +To: stable@kernel.org +Cc: netdev@vger.kernel.org +Subject: sky2: 88e8071 support not ready + +The driver is not ready to support 88e8071 chip, it requires several +more changes (not done yet). If this chip is present, system will hang on boot. + +Signed-off-by: Stephen Hemminger + +--- + drivers/net/sky2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.21.1.orig/drivers/net/sky2.c ++++ linux-2.6.21.1/drivers/net/sky2.c +@@ -129,7 +129,7 @@ static const struct pci_device_id sky2_i + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4368) }, /* 88EC034 */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4369) }, /* 88EC042 */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x436A) }, /* 88E8058 */ +- { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x436B) }, /* 88E8071 */ ++// { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x436B) }, /* 88E8071 */ + { 0 } + }; + diff --git a/queue-2.6.21/sky2-fix-oops-on-shutdown.patch b/queue-2.6.21/sky2-fix-oops-on-shutdown.patch new file mode 100644 index 00000000000..e859e6198d5 --- /dev/null +++ b/queue-2.6.21/sky2-fix-oops-on-shutdown.patch @@ -0,0 +1,59 @@ +From stable-bounces@linux.kernel.org Tue May 15 15:20:24 2007 +Message-Id: <20070515220903.877649648@linux-foundation.org> +Date: Tue, 15 May 2007 15:08:27 -0700 +From: Stephen Hemminger +To: stable@kernel.org +Cc: netdev@vger.kernel.org +Subject: sky2: fix oops on shutdown + +If the device fails during module startup for some reason like unsupported chip +version then the driver would crash dereferencing a null pointer, on shutdown +or suspend/resume. + +Signed-off-by: Stephen Hemminger +Signed-off-by: Chris Wright + +--- + drivers/net/sky2.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- linux-2.6.21.1.orig/drivers/net/sky2.c ++++ linux-2.6.21.1/drivers/net/sky2.c +@@ -3719,6 +3719,7 @@ err_out_free_regions: + pci_release_regions(pdev); + pci_disable_device(pdev); + err_out: ++ pci_set_drvdata(pdev, NULL); + return err; + } + +@@ -3771,6 +3772,9 @@ static int sky2_suspend(struct pci_dev * + struct sky2_hw *hw = pci_get_drvdata(pdev); + int i, wol = 0; + ++ if (!hw) ++ return 0; ++ + del_timer_sync(&hw->idle_timer); + netif_poll_disable(hw->dev[0]); + +@@ -3802,6 +3806,9 @@ static int sky2_resume(struct pci_dev *p + struct sky2_hw *hw = pci_get_drvdata(pdev); + int i, err; + ++ if (!hw) ++ return 0; ++ + err = pci_set_power_state(pdev, PCI_D0); + if (err) + goto out; +@@ -3848,6 +3855,9 @@ static void sky2_shutdown(struct pci_dev + struct sky2_hw *hw = pci_get_drvdata(pdev); + int i, wol = 0; + ++ if (!hw) ++ return; ++ + del_timer_sync(&hw->idle_timer); + netif_poll_disable(hw->dev[0]); + diff --git a/queue-2.6.21/slob-fix-page-order-calculation-on-not-4kb-page.patch b/queue-2.6.21/slob-fix-page-order-calculation-on-not-4kb-page.patch new file mode 100644 index 00000000000..1a34fdbbde3 --- /dev/null +++ b/queue-2.6.21/slob-fix-page-order-calculation-on-not-4kb-page.patch @@ -0,0 +1,68 @@ +From stable-bounces@linux.kernel.org Sun May 6 14:52:46 2007 +Message-Id: <200705062150.l46LoJ7S024625@shell0.pdx.osdl.net> +To: torvalds@linux-foundation.org +From: akpm@linux-foundation.org +Date: Sun, 06 May 2007 14:50:19 -0700 +Cc: stable@kernel.org, akpm@linux-foundation.org, akinobu.mita@gmail.com, mpm@selenic.com +Subject: slob: fix page order calculation on not 4KB page + +From: Akinobu Mita + +SLOB doesn't calculate correct page order when page size is not 4KB. This +patch fixes it with using get_order() instead of find_order() which is SLOB +version of get_order(). + +Signed-off-by: Akinobu Mita +Acked-by: Matt Mackall +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- + + mm/slob.c | 15 +++------------ + 1 file changed, 3 insertions(+), 12 deletions(-) + +--- linux-2.6.21.1.orig/mm/slob.c ++++ linux-2.6.21.1/mm/slob.c +@@ -150,15 +150,6 @@ static void slob_free(void *block, int s + spin_unlock_irqrestore(&slob_lock, flags); + } + +-static int FASTCALL(find_order(int size)); +-static int fastcall find_order(int size) +-{ +- int order = 0; +- for ( ; size > 4096 ; size >>=1) +- order++; +- return order; +-} +- + void *__kmalloc(size_t size, gfp_t gfp) + { + slob_t *m; +@@ -174,7 +165,7 @@ void *__kmalloc(size_t size, gfp_t gfp) + if (!bb) + return 0; + +- bb->order = find_order(size); ++ bb->order = get_order(size); + bb->pages = (void *)__get_free_pages(gfp, bb->order); + + if (bb->pages) { +@@ -284,7 +275,7 @@ void *kmem_cache_alloc(struct kmem_cache + if (c->size < PAGE_SIZE) + b = slob_alloc(c->size, flags, c->align); + else +- b = (void *)__get_free_pages(flags, find_order(c->size)); ++ b = (void *)__get_free_pages(flags, get_order(c->size)); + + if (c->ctor) + c->ctor(b, c, SLAB_CTOR_CONSTRUCTOR); +@@ -311,7 +302,7 @@ void kmem_cache_free(struct kmem_cache * + if (c->size < PAGE_SIZE) + slob_free(b, c->size); + else +- free_pages((unsigned long)b, find_order(c->size)); ++ free_pages((unsigned long)b, get_order(c->size)); + } + EXPORT_SYMBOL(kmem_cache_free); + diff --git a/queue-2.6.21/smc911x-fix-compilation-breakage-wjen-debug-is-on.patch b/queue-2.6.21/smc911x-fix-compilation-breakage-wjen-debug-is-on.patch new file mode 100644 index 00000000000..ff932327743 --- /dev/null +++ b/queue-2.6.21/smc911x-fix-compilation-breakage-wjen-debug-is-on.patch @@ -0,0 +1,31 @@ +From stable-bounces@linux.kernel.org Sat Apr 28 08:34:17 2007 +Message-ID: <46336900.5060007@pobox.com> +Date: Sat, 28 Apr 2007 11:32:16 -0400 +From: Jeff Garzik +To: stable@kernel.org +Cc: vwool@ru.mvista.com, dustin@sensoria.com +Subject: smc911x: fix compilation breakage wjen debug is on + +From: Vitaly Wool + +the patch below fixes compilation breakage of smc911x driver when ENABLE_SMC_DEBUG_PKTS equals to 1. + +Signed-off-by: Vitaly Wool +Signed-off-by: Chris Wright +--- + + drivers/net/smc911x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + + +--- linux-2.6.21.1.orig/drivers/net/smc911x.c ++++ linux-2.6.21.1/drivers/net/smc911x.c +@@ -499,7 +499,7 @@ static inline void smc911x_rcv(struct n + SMC_SET_RX_CFG(RX_CFG_RX_END_ALGN4_ | ((2<<8) & RX_CFG_RXDOFF_)); + SMC_PULL_DATA(data, pkt_len+2+3); + +- DBG(SMC_DEBUG_PKTS, "%s: Received packet\n", dev->name,); ++ DBG(SMC_DEBUG_PKTS, "%s: Received packet\n", dev->name); + PRINT_PKT(data, ((pkt_len - 4) <= 64) ? pkt_len - 4 : 64); + dev->last_rx = jiffies; + skb->dev = dev; diff --git a/queue-2.6.21/sparc64-add-missing-cpus_empty-check-in-hypervisor-xcall-handling.patch b/queue-2.6.21/sparc64-add-missing-cpus_empty-check-in-hypervisor-xcall-handling.patch new file mode 100644 index 00000000000..0f6bfe3cc49 --- /dev/null +++ b/queue-2.6.21/sparc64-add-missing-cpus_empty-check-in-hypervisor-xcall-handling.patch @@ -0,0 +1,29 @@ +From stable-bounces@linux.kernel.org Tue May 15 01:39:44 2007 +Date: Tue, 15 May 2007 01:37:56 -0700 (PDT) +Message-Id: <20070515.013756.106434867.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: SPARC64: Add missing cpus_empty() check in hypervisor xcall handling. + +From: "David S. Miller" + +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + arch/sparc64/kernel/smp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- linux-2.6.21.1.orig/arch/sparc64/kernel/smp.c ++++ linux-2.6.21.1/arch/sparc64/kernel/smp.c +@@ -566,6 +566,9 @@ static void hypervisor_xcall_deliver(u64 + unsigned long flags, status; + int cnt, retries, this_cpu, prev_sent, i; + ++ if (cpus_empty(mask)) ++ return; ++ + /* We have to do this whole thing with interrupts fully disabled. + * Otherwise if we send an xcall from interrupt context it will + * corrupt both our mondo block and cpu list state. diff --git a/queue-2.6.21/sparc64-be-more-resiliant-with-pci-i-o-space-regs.patch b/queue-2.6.21/sparc64-be-more-resiliant-with-pci-i-o-space-regs.patch new file mode 100644 index 00000000000..0264d896b40 --- /dev/null +++ b/queue-2.6.21/sparc64-be-more-resiliant-with-pci-i-o-space-regs.patch @@ -0,0 +1,36 @@ +From stable-bounces@linux.kernel.org Tue May 15 01:48:08 2007 +Date: Tue, 15 May 2007 01:46:19 -0700 (PDT) +Message-Id: <20070515.014619.26966351.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: SPARC64: Be more resiliant with PCI I/O space regs. + +From: "David S. Miller" + +If we miss on the ranges, just toss the translation up to the parent +instead of failing. + +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + arch/sparc64/kernel/of_device.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- linux-2.6.21.1.orig/arch/sparc64/kernel/of_device.c ++++ linux-2.6.21.1/arch/sparc64/kernel/of_device.c +@@ -508,6 +508,13 @@ static int __init build_one_resource(str + return 0; + } + ++ /* When we miss an I/O space match on PCI, just pass it up ++ * to the next PCI bridge and/or controller. ++ */ ++ if (!strcmp(bus->name, "pci") && ++ (addr[0] & 0x03000000) == 0x01000000) ++ return 0; ++ + return 1; + } + diff --git a/queue-2.6.21/sparc64-bump-promintr_max-to-32.patch b/queue-2.6.21/sparc64-bump-promintr_max-to-32.patch new file mode 100644 index 00000000000..2d3e69a324b --- /dev/null +++ b/queue-2.6.21/sparc64-bump-promintr_max-to-32.patch @@ -0,0 +1,31 @@ +From stable-bounces@linux.kernel.org Tue May 15 01:44:27 2007 +Date: Tue, 15 May 2007 01:42:34 -0700 (PDT) +Message-Id: <20070515.014234.35355035.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: SPARC64: Bump PROMINTR_MAX to 32. + +From: "David S. Miller" + +Some devices have more than 15 which was the previous +setting. + +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + include/asm-sparc64/openprom.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.21.1.orig/include/asm-sparc64/openprom.h ++++ linux-2.6.21.1/include/asm-sparc64/openprom.h +@@ -177,7 +177,7 @@ struct linux_nodeops { + /* More fun PROM structures for device probing. */ + #define PROMREG_MAX 24 + #define PROMVADDR_MAX 16 +-#define PROMINTR_MAX 15 ++#define PROMINTR_MAX 32 + + struct linux_prom_registers { + unsigned which_io; /* hi part of physical address */ diff --git a/queue-2.6.21/sparc64-fix-recursion-in-prom-tree-building.patch b/queue-2.6.21/sparc64-fix-recursion-in-prom-tree-building.patch new file mode 100644 index 00000000000..99edb7aad5f --- /dev/null +++ b/queue-2.6.21/sparc64-fix-recursion-in-prom-tree-building.patch @@ -0,0 +1,60 @@ +From stable-bounces@linux.kernel.org Tue May 15 01:40:55 2007 +Date: Tue, 15 May 2007 01:39:05 -0700 (PDT) +Message-Id: <20070515.013905.77057238.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: SPARC64: Fix recursion in PROM tree building. + +From: "David S. Miller" + +Use iteration for scanning of PROM node siblings. + +Based upon a patch by Greg Onufer, who found this bug. + +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + arch/sparc64/kernel/prom.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- linux-2.6.21.1.orig/arch/sparc64/kernel/prom.c ++++ linux-2.6.21.1/arch/sparc64/kernel/prom.c +@@ -1555,10 +1555,21 @@ static struct device_node * __init creat + + static struct device_node * __init build_tree(struct device_node *parent, phandle node, struct device_node ***nextp) + { ++ struct device_node *ret = NULL, *prev_sibling = NULL; + struct device_node *dp; + +- dp = create_node(node, parent); +- if (dp) { ++ while (1) { ++ dp = create_node(node, parent); ++ if (!dp) ++ break; ++ ++ if (prev_sibling) ++ prev_sibling->sibling = dp; ++ ++ if (!ret) ++ ret = dp; ++ prev_sibling = dp; ++ + *(*nextp) = dp; + *nextp = &dp->allnext; + +@@ -1567,10 +1578,10 @@ static struct device_node * __init build + + dp->child = build_tree(dp, prom_getchild(node), nextp); + +- dp->sibling = build_tree(parent, prom_getsibling(node), nextp); ++ node = prom_getsibling(node); + } + +- return dp; ++ return ret; + } + + void __init prom_build_devicetree(void) diff --git a/queue-2.6.21/tcp-zero-out-rx_opt-in-tcp_disconnect.patch b/queue-2.6.21/tcp-zero-out-rx_opt-in-tcp_disconnect.patch new file mode 100644 index 00000000000..74ea8f1f650 --- /dev/null +++ b/queue-2.6.21/tcp-zero-out-rx_opt-in-tcp_disconnect.patch @@ -0,0 +1,45 @@ +From stable-bounces@linux.kernel.org Wed May 9 01:35:55 2007 +Date: Wed, 09 May 2007 01:33:58 -0700 (PDT) +Message-Id: <20070509.013358.77058720.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: TCP: zero out rx_opt in tcp_disconnect() + +From: Srinivas Aji + +When the server drops its connection, NFS client reconnects using the +same socket after disconnecting. If the new connection's SYN,ACK +doesn't contain the TCP timestamp option and the old connection's did, +tp->tcp_header_len is recomputed assuming no timestamp header but +tp->rx_opt.tstamp_ok remains set. Then tcp_build_and_update_options() +adds in a timestamp option past the end of the allocated TCP header, +overwriting TCP data, or when the data is in skb_shinfo(skb)->frags[], +overwriting skb_shinfo(skb) causing a crash soon after. (The issue was +debugged from such a crash.) + +Similarly, wscale_ok and sack_ok also get set based on the SYN,ACK +packet but not reset on disconnect, since they are zeroed out at +initialization. The patch zeroes out the entire tp->rx_opt struct in +tcp_disconnect() to avoid this sort of problem. + +Signed-off-by: Srinivas Aji +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright + +--- + net/ipv4/tcp.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- linux-2.6.21.1.orig/net/ipv4/tcp.c ++++ linux-2.6.21.1/net/ipv4/tcp.c +@@ -1759,8 +1759,7 @@ int tcp_disconnect(struct sock *sk, int + tcp_clear_retrans(tp); + inet_csk_delack_init(sk); + sk->sk_send_head = NULL; +- tp->rx_opt.saw_tstamp = 0; +- tcp_sack_reset(&tp->rx_opt); ++ memset(&tp->rx_opt, 0, sizeof(tp->rx_opt)); + __sk_dst_reset(sk); + + BUG_TRAP(!inet->num || icsk->icsk_bind_hash); diff --git a/queue-2.6.21/tg3-fix-tso-bugs.patch b/queue-2.6.21/tg3-fix-tso-bugs.patch new file mode 100644 index 00000000000..e22fd60fb71 --- /dev/null +++ b/queue-2.6.21/tg3-fix-tso-bugs.patch @@ -0,0 +1,58 @@ +From stable-bounces@linux.kernel.org Mon May 7 18:19:19 2007 +From: "Michael Chan" +To: stable@kernel.org +Date: Mon, 07 May 2007 19:03:37 -0700 +Message-ID: <1178589817.10892.10.camel@dell> +Subject: TG3: Fix TSO bugs. + +1. Remove the check for skb->len greater than MTU when doing TSO. +When the destination has a smaller MSS than the source, a TSO packet +may be smaller than the MTU and we still need to process it as a TSO +packet. + +2. On 5705A3 devices with TSO enabled, the DMA engine can hang due to a +hardware bug. This patch avoids the hanging condition by reducing the +DMA burst size. + +Signed-off-by: Matt Carlson +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + +--- + drivers/net/tg3.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- linux-2.6.21.1.orig/drivers/net/tg3.c ++++ linux-2.6.21.1/drivers/net/tg3.c +@@ -3895,8 +3895,7 @@ static int tg3_start_xmit(struct sk_buff + entry = tp->tx_prod; + base_flags = 0; + mss = 0; +- if (skb->len > (tp->dev->mtu + ETH_HLEN) && +- (mss = skb_shinfo(skb)->gso_size) != 0) { ++ if ((mss = skb_shinfo(skb)->gso_size) != 0) { + int tcp_opt_len, ip_tcp_len; + + if (skb_header_cloned(skb) && +@@ -4053,8 +4052,7 @@ static int tg3_start_xmit_dma_bug(struct + if (skb->ip_summed == CHECKSUM_PARTIAL) + base_flags |= TXD_FLAG_TCPUDP_CSUM; + mss = 0; +- if (skb->len > (tp->dev->mtu + ETH_HLEN) && +- (mss = skb_shinfo(skb)->gso_size) != 0) { ++ if ((mss = skb_shinfo(skb)->gso_size) != 0) { + int tcp_opt_len, ip_tcp_len, hdr_len; + + if (skb_header_cloned(skb) && +@@ -6348,8 +6346,7 @@ static int tg3_reset_hw(struct tg3 *tp, + tp->pci_chip_rev_id != CHIPREV_ID_5705_A0) || + (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5750)) { + if (tp->tg3_flags2 & TG3_FLG2_TSO_CAPABLE && +- (tp->pci_chip_rev_id == CHIPREV_ID_5705_A1 || +- tp->pci_chip_rev_id == CHIPREV_ID_5705_A2)) { ++ GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5705) { + rdmac_mode |= RDMAC_MODE_FIFO_SIZE_128; + } else if (!(tr32(TG3PCI_PCISTATE) & PCISTATE_BUS_SPEED_HIGH) && + !(tp->tg3_flags2 & TG3_FLG2_IS_5788)) { diff --git a/queue-2.6.21/tg3-remove-reset-during-mac-address-changes.patch b/queue-2.6.21/tg3-remove-reset-during-mac-address-changes.patch new file mode 100644 index 00000000000..c64a8d3d523 --- /dev/null +++ b/queue-2.6.21/tg3-remove-reset-during-mac-address-changes.patch @@ -0,0 +1,103 @@ +From stable-bounces@linux.kernel.org Mon May 7 18:21:11 2007 +From: "Michael Chan" +To: stable@kernel.org +Date: Mon, 07 May 2007 19:03:53 -0700 +Message-ID: <1178589833.10892.11.camel@dell> +Subject: TG3: Remove reset during MAC address changes. + +The reset was added a while back so that ASF could re-init whatever +MAC address it wanted to use after the MAC address was changed. +Instead of resetting, we can just keep MAC address 1 unchanged during +MAC address changes if MAC address 1 is different from MAC address 0. + +This fixes 2 problems: + +1. Bonding calls set_mac_address in contexts that cannot sleep. +It no longer sleeps with the chip reset removed. + +2. When ASF shares the same MAC address as the NIC, it needs to +always do that even when the MAC address is changed. + +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + +--- + drivers/net/tg3.c | 35 ++++++++++++++++++----------------- + 1 file changed, 18 insertions(+), 17 deletions(-) + +--- linux-2.6.21.1.orig/drivers/net/tg3.c ++++ linux-2.6.21.1/drivers/net/tg3.c +@@ -5934,7 +5934,7 @@ static int tg3_load_tso_firmware(struct + + + /* tp->lock is held. */ +-static void __tg3_set_mac_addr(struct tg3 *tp) ++static void __tg3_set_mac_addr(struct tg3 *tp, int skip_mac_1) + { + u32 addr_high, addr_low; + int i; +@@ -5946,6 +5946,8 @@ static void __tg3_set_mac_addr(struct tg + (tp->dev->dev_addr[4] << 8) | + (tp->dev->dev_addr[5] << 0)); + for (i = 0; i < 4; i++) { ++ if (i == 1 && skip_mac_1) ++ continue; + tw32(MAC_ADDR_0_HIGH + (i * 8), addr_high); + tw32(MAC_ADDR_0_LOW + (i * 8), addr_low); + } +@@ -5972,7 +5974,7 @@ static int tg3_set_mac_addr(struct net_d + { + struct tg3 *tp = netdev_priv(dev); + struct sockaddr *addr = p; +- int err = 0; ++ int err = 0, skip_mac_1 = 0; + + if (!is_valid_ether_addr(addr->sa_data)) + return -EINVAL; +@@ -5983,22 +5985,21 @@ static int tg3_set_mac_addr(struct net_d + return 0; + + if (tp->tg3_flags & TG3_FLAG_ENABLE_ASF) { +- /* Reset chip so that ASF can re-init any MAC addresses it +- * needs. +- */ +- tg3_netif_stop(tp); +- tg3_full_lock(tp, 1); ++ u32 addr0_high, addr0_low, addr1_high, addr1_low; + +- tg3_halt(tp, RESET_KIND_SHUTDOWN, 1); +- err = tg3_restart_hw(tp, 0); +- if (!err) +- tg3_netif_start(tp); +- tg3_full_unlock(tp); +- } else { +- spin_lock_bh(&tp->lock); +- __tg3_set_mac_addr(tp); +- spin_unlock_bh(&tp->lock); ++ addr0_high = tr32(MAC_ADDR_0_HIGH); ++ addr0_low = tr32(MAC_ADDR_0_LOW); ++ addr1_high = tr32(MAC_ADDR_1_HIGH); ++ addr1_low = tr32(MAC_ADDR_1_LOW); ++ ++ /* Skip MAC addr 1 if ASF is using it. */ ++ if ((addr0_high != addr1_high || addr0_low != addr1_low) && ++ !(addr1_high == 0 && addr1_low == 0)) ++ skip_mac_1 = 1; + } ++ spin_lock_bh(&tp->lock); ++ __tg3_set_mac_addr(tp, skip_mac_1); ++ spin_unlock_bh(&tp->lock); + + return err; + } +@@ -6315,7 +6316,7 @@ static int tg3_reset_hw(struct tg3 *tp, + tp->rx_jumbo_ptr); + + /* Initialize MAC address and backoff seed. */ +- __tg3_set_mac_addr(tp); ++ __tg3_set_mac_addr(tp, 0); + + /* MTU + ethernet header + FCS + optional VLAN tag */ + tw32(MAC_RX_MTU_SIZE, tp->dev->mtu + ETH_HLEN + 8); diff --git a/queue-2.6.21/tg3-update-version-and-reldate.patch b/queue-2.6.21/tg3-update-version-and-reldate.patch new file mode 100644 index 00000000000..de0e8f66c22 --- /dev/null +++ b/queue-2.6.21/tg3-update-version-and-reldate.patch @@ -0,0 +1,29 @@ +From stable-bounces@linux.kernel.org Mon May 7 18:21:02 2007 +From: "Michael Chan" +To: stable@kernel.org +Date: Mon, 07 May 2007 19:04:04 -0700 +Message-ID: <1178589844.10892.12.camel@dell> +Subject: TG3: Update version and reldate. + +Update version to 3.75.1. + +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller + +--- + drivers/net/tg3.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.21.1.orig/drivers/net/tg3.c ++++ linux-2.6.21.1/drivers/net/tg3.c +@@ -64,8 +64,8 @@ + + #define DRV_MODULE_NAME "tg3" + #define PFX DRV_MODULE_NAME ": " +-#define DRV_MODULE_VERSION "3.75" +-#define DRV_MODULE_RELDATE "March 23, 2007" ++#define DRV_MODULE_VERSION "3.75.1" ++#define DRV_MODULE_RELDATE "May 7, 2007" + + #define TG3_DEF_MAC_MODE 0 + #define TG3_DEF_RX_MODE 0 diff --git a/queue-2.6.21/udf-decrement-correct-link-count-in-udf_rmdir.patch b/queue-2.6.21/udf-decrement-correct-link-count-in-udf_rmdir.patch new file mode 100644 index 00000000000..0c5d3074bb0 --- /dev/null +++ b/queue-2.6.21/udf-decrement-correct-link-count-in-udf_rmdir.patch @@ -0,0 +1,42 @@ +From stable-bounces@linux.kernel.org Tue May 8 00:33:59 2007 +Message-Id: <200705080731.l487VVSL017268@shell0.pdx.osdl.net> +To: torvalds@linux-foundation.org +From: akpm@linux-foundation.org +Date: Tue, 08 May 2007 00:31:31 -0700 +Cc: jack@ucw.cz, akpm@linux-foundation.org, haveblue@us.ibm.com, stable@kernel.org, molletts@yahoo.com +Subject: udf: decrement correct link count in udf_rmdir + +From: Stephen Mollett + +It appears that a minor thinko occurred in udf_rmdir and the +(already-cleared) link count on the directory that is being removed was +being decremented instead of the link count on its parent directory. This +gives rise to lots of kernel messages similar to: + +UDF-fs warning (device loop1): udf_rmdir: empty directory has nlink != 2 (8) + +when removing directory trees. No other ill effects have been observed but +I guess it could theoretically result in the link count overflowing on a +very long-lived, much modified directory. + +Signed-off-by: Stephen Mollett +Cc: Dave Hansen +Cc: Jan Kara +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- + + fs/udf/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.21.1.orig/fs/udf/namei.c ++++ linux-2.6.21.1/fs/udf/namei.c +@@ -878,7 +878,7 @@ static int udf_rmdir(struct inode * dir, + inode->i_nlink); + clear_nlink(inode); + inode->i_size = 0; +- inode_dec_link_count(inode); ++ inode_dec_link_count(dir); + inode->i_ctime = dir->i_ctime = dir->i_mtime = current_fs_time(dir->i_sb); + mark_inode_dirty(dir); + diff --git a/queue-2.6.21/usb-hid-hiddev-fix-race-between-hiddev_send_event-and-hiddev_release.patch b/queue-2.6.21/usb-hid-hiddev-fix-race-between-hiddev_send_event-and-hiddev_release.patch new file mode 100644 index 00000000000..a4da9d91b60 --- /dev/null +++ b/queue-2.6.21/usb-hid-hiddev-fix-race-between-hiddev_send_event-and-hiddev_release.patch @@ -0,0 +1,94 @@ +From stable-bounces@linux.kernel.org Tue May 15 15:44:33 2007 +Date: Wed, 16 May 2007 00:44:59 +0200 (CEST) +From: Jiri Kosina +To: stable@kernel.org +Message-ID: +Subject: USB HID: hiddev - fix race between hiddev_send_event() and hiddev_release() + +From: Jiri Kosina + +USB HID: hiddev - fix race between hiddev_send_event() and hiddev_release() + +There is a small race window in which hiddev_release() could corrupt the +list that is being processed for new event in hiddev_send_event(). +Synchronize the operations over this list. + +Signed-off-by: Jiri Kosina +Signed-off-by: Chris Wright +--- +(in Linus' tree as cdcb44e87bedcf5070eece61f89f9373a3810031) + +--- + drivers/usb/input/hiddev.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- linux-2.6.21.1.orig/drivers/usb/input/hiddev.c ++++ linux-2.6.21.1/drivers/usb/input/hiddev.c +@@ -51,6 +51,7 @@ struct hiddev { + wait_queue_head_t wait; + struct hid_device *hid; + struct list_head list; ++ spinlock_t list_lock; + }; + + struct hiddev_list { +@@ -161,7 +162,9 @@ static void hiddev_send_event(struct hid + { + struct hiddev *hiddev = hid->hiddev; + struct hiddev_list *list; ++ unsigned long flags; + ++ spin_lock_irqsave(&hiddev->list_lock, flags); + list_for_each_entry(list, &hiddev->list, node) { + if (uref->field_index != HID_FIELD_INDEX_NONE || + (list->flags & HIDDEV_FLAG_REPORT) != 0) { +@@ -171,6 +174,7 @@ static void hiddev_send_event(struct hid + kill_fasync(&list->fasync, SIGIO, POLL_IN); + } + } ++ spin_unlock_irqrestore(&hiddev->list_lock, flags); + + wake_up_interruptible(&hiddev->wait); + } +@@ -235,9 +239,13 @@ static int hiddev_fasync(int fd, struct + static int hiddev_release(struct inode * inode, struct file * file) + { + struct hiddev_list *list = file->private_data; ++ unsigned long flags; + + hiddev_fasync(-1, file, 0); ++ ++ spin_lock_irqsave(&list->hiddev->list_lock, flags); + list_del(&list->node); ++ spin_unlock_irqrestore(&list->hiddev->list_lock, flags); + + if (!--list->hiddev->open) { + if (list->hiddev->exist) +@@ -257,6 +265,7 @@ static int hiddev_release(struct inode * + static int hiddev_open(struct inode *inode, struct file *file) + { + struct hiddev_list *list; ++ unsigned long flags; + + int i = iminor(inode) - HIDDEV_MINOR_BASE; + +@@ -267,7 +276,11 @@ static int hiddev_open(struct inode *ino + return -ENOMEM; + + list->hiddev = hiddev_table[i]; ++ ++ spin_lock_irqsave(&list->hiddev->list_lock, flags); + list_add_tail(&list->node, &hiddev_table[i]->list); ++ spin_unlock_irqrestore(&list->hiddev->list_lock, flags); ++ + file->private_data = list; + + if (!list->hiddev->open++) +@@ -773,6 +786,7 @@ int hiddev_connect(struct hid_device *hi + + init_waitqueue_head(&hiddev->wait); + INIT_LIST_HEAD(&hiddev->list); ++ spin_lock_init(&hiddev->list_lock); + hiddev->hid = hid; + hiddev->exist = 1; + diff --git a/queue-2.6.21/x86_64-fix-vgettimeofday.patch b/queue-2.6.21/x86_64-fix-vgettimeofday.patch new file mode 100644 index 00000000000..92021275941 --- /dev/null +++ b/queue-2.6.21/x86_64-fix-vgettimeofday.patch @@ -0,0 +1,27 @@ +From stable-bounces@linux.kernel.org Tue May 15 02:10:08 2007 +Date: Tue, 15 May 2007 10:17:58 +0200 +From: Eric Dumazet +To: Andi Kleen +Message-Id: <20070515101758.51d6bc47.dada1@cosmosbay.com> +Cc: dang@gentoo.org, john stultz , stable@kernel.org, Andrew Morton , Thomas Gleixner +Subject: [PATCH] x86_64 : Fix vgettimeofday() + +vgettimeofday() may return some bad timeval values, (tv_usec = 1000000), because of a wrong compare. + +Signed-off-by: Eric Dumazet +Signed-off-by: Chris Wright +--- + arch/x86_64/kernel/vsyscall.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.21.1.orig/arch/x86_64/kernel/vsyscall.c ++++ linux-2.6.21.1/arch/x86_64/kernel/vsyscall.c +@@ -132,7 +132,7 @@ static __always_inline void do_vgettimeo + + /* convert to usecs and add to timespec: */ + tv->tv_usec += nsec_delta / NSEC_PER_USEC; +- while (tv->tv_usec > USEC_PER_SEC) { ++ while (tv->tv_usec >= USEC_PER_SEC) { + tv->tv_sec += 1; + tv->tv_usec -= USEC_PER_SEC; + }