From: Greg Kroah-Hartman Date: Sat, 18 Apr 2009 00:56:58 +0000 (-0700) Subject: more .27 patches X-Git-Tag: v2.6.29.2~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0a576b2274cab2f9d5ef97f7bee1ede5bd77b387;p=thirdparty%2Fkernel%2Fstable-queue.git more .27 patches also fix a build issue with queue-2.6.27/0037-x86-mtrr-don-t-modify-RdDram-WrDram-bits-of-fixed.patch --- diff --git a/queue-2.6.27/0037-x86-mtrr-don-t-modify-RdDram-WrDram-bits-of-fixed.patch b/queue-2.6.27/0037-x86-mtrr-don-t-modify-RdDram-WrDram-bits-of-fixed.patch index ecd54e6de90..b17077bcd93 100644 --- a/queue-2.6.27/0037-x86-mtrr-don-t-modify-RdDram-WrDram-bits-of-fixed.patch +++ b/queue-2.6.27/0037-x86-mtrr-don-t-modify-RdDram-WrDram-bits-of-fixed.patch @@ -94,7 +94,7 @@ Signed-off-by: Chris Wright + + rdmsr(MSR_K8_SYSCFG, lo, hi); + if (lo & K8_MTRRFIXRANGE_DRAM_MODIFY) { -+ printk(KERN_ERR FW_WARN "MTRR: CPU %u: SYSCFG[MtrrFixDramModEn]" ++ printk(KERN_ERR "MTRR: CPU %u: SYSCFG[MtrrFixDramModEn]" + " not cleared by BIOS, clearing this bit\n", + smp_processor_id()); + lo &= ~K8_MTRRFIXRANGE_DRAM_MODIFY; diff --git a/queue-2.6.27/bas_gigaset-correctly-allocate-usb-interrupt-transfer-buffer.patch b/queue-2.6.27/bas_gigaset-correctly-allocate-usb-interrupt-transfer-buffer.patch new file mode 100644 index 00000000000..46cffa95bc5 --- /dev/null +++ b/queue-2.6.27/bas_gigaset-correctly-allocate-usb-interrupt-transfer-buffer.patch @@ -0,0 +1,81 @@ +From 3928f630f0d9fab7a6a43d7b48718be8e32f3fe1 Mon Sep 17 00:00:00 2001 +From: Tilman Schmidt +Date: Wed, 15 Apr 2009 03:25:43 -0700 +Subject: bas_gigaset: correctly allocate USB interrupt transfer buffer + + +[ Upstream commit 170ebf85160dd128e1c4206cc197cce7d1424705 ] + +Every USB transfer buffer has to be allocated individually by kmalloc. + +Impact: bugfix, no functional change + +Signed-off-by: Tilman Schmidt +Tested-by: Kolja Waschk +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/isdn/gigaset/bas-gigaset.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/isdn/gigaset/bas-gigaset.c ++++ b/drivers/isdn/gigaset/bas-gigaset.c +@@ -46,6 +46,9 @@ MODULE_PARM_DESC(cidmode, "Call-ID mode" + /* length limit according to Siemens 3070usb-protokoll.doc ch. 2.1 */ + #define IF_WRITEBUF 264 + ++/* interrupt pipe message size according to ibid. ch. 2.2 */ ++#define IP_MSGSIZE 3 ++ + /* Values for the Gigaset 307x */ + #define USB_GIGA_VENDOR_ID 0x0681 + #define USB_3070_PRODUCT_ID 0x0001 +@@ -110,7 +113,7 @@ struct bas_cardstate { + unsigned char *rcvbuf; /* AT reply receive buffer */ + + struct urb *urb_int_in; /* URB for interrupt pipe */ +- unsigned char int_in_buf[3]; ++ unsigned char *int_in_buf; + + spinlock_t lock; /* locks all following */ + int basstate; /* bitmap (BS_*) */ +@@ -657,7 +660,7 @@ static void read_int_callback(struct urb + } + + /* drop incomplete packets even if the missing bytes wouldn't matter */ +- if (unlikely(urb->actual_length < 3)) { ++ if (unlikely(urb->actual_length < IP_MSGSIZE)) { + dev_warn(cs->dev, "incomplete interrupt packet (%d bytes)\n", + urb->actual_length); + goto resubmit; +@@ -2127,6 +2130,7 @@ static void gigaset_reinitbcshw(struct b + static void gigaset_freecshw(struct cardstate *cs) + { + /* timers, URBs and rcvbuf are disposed of in disconnect */ ++ kfree(cs->hw.bas->int_in_buf); + kfree(cs->hw.bas); + cs->hw.bas = NULL; + } +@@ -2232,6 +2236,12 @@ static int gigaset_probe(struct usb_inte + } + hostif = interface->cur_altsetting; + } ++ ucs->int_in_buf = kmalloc(IP_MSGSIZE, GFP_KERNEL); ++ if (!ucs->int_in_buf) { ++ kfree(ucs); ++ pr_err("out of memory\n"); ++ return 0; ++ } + + /* Reject application specific interfaces + */ +@@ -2290,7 +2300,7 @@ static int gigaset_probe(struct usb_inte + usb_fill_int_urb(ucs->urb_int_in, udev, + usb_rcvintpipe(udev, + (endpoint->bEndpointAddress) & 0x0f), +- ucs->int_in_buf, 3, read_int_callback, cs, ++ ucs->int_in_buf, IP_MSGSIZE, read_int_callback, cs, + endpoint->bInterval); + if ((rc = usb_submit_urb(ucs->urb_int_in, GFP_KERNEL)) != 0) { + dev_err(cs->dev, "could not submit interrupt URB: %s\n", diff --git a/queue-2.6.27/bonding-fix-updating-of-speed-duplex-changes.patch b/queue-2.6.27/bonding-fix-updating-of-speed-duplex-changes.patch new file mode 100644 index 00000000000..01d2d1a1ef7 --- /dev/null +++ b/queue-2.6.27/bonding-fix-updating-of-speed-duplex-changes.patch @@ -0,0 +1,82 @@ +From 308ac80d677f5044d9b3437864e5d89a92feb5b2 Mon Sep 17 00:00:00 2001 +From: Jay Vosburgh +Date: Sat, 4 Apr 2009 17:23:15 -0700 +Subject: bonding: Fix updating of speed/duplex changes + + +[ Upstream commit 17d04500e2528217de5fe967599f98ee84348a9c ] + + This patch corrects an omission from the following commit: + +commit f0c76d61779b153dbfb955db3f144c62d02173c2 +Author: Jay Vosburgh +Date: Wed Jul 2 18:21:58 2008 -0700 + + bonding: refactor mii monitor + + The un-refactored code checked the link speed and duplex of +every slave on every pass; the refactored code did not do so. + + The 802.3ad and balance-alb/tlb modes utilize the speed and +duplex information, and require it to be kept up to date. This patch +adds a notifier check to perform the appropriate updating when the slave +device speed changes. + +Signed-off-by: Jay Vosburgh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/bonding/bond_main.c | 25 ++++++++++++++++++++----- + drivers/net/bonding/bonding.h | 6 ++++++ + 2 files changed, 26 insertions(+), 5 deletions(-) + +--- a/drivers/net/bonding/bonding.h ++++ b/drivers/net/bonding/bonding.h +@@ -248,6 +248,12 @@ static inline struct bonding *bond_get_b + return (struct bonding *)slave->dev->master->priv; + } + ++static inline bool bond_is_lb(const struct bonding *bond) ++{ ++ return bond->params.mode == BOND_MODE_TLB ++ || bond->params.mode == BOND_MODE_ALB; ++} ++ + #define BOND_FOM_NONE 0 + #define BOND_FOM_ACTIVE 1 + #define BOND_FOM_FOLLOW 2 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3516,11 +3516,26 @@ static int bond_slave_netdev_event(unsig + } + break; + case NETDEV_CHANGE: +- /* +- * TODO: is this what we get if somebody +- * sets up a hierarchical bond, then rmmod's +- * one of the slave bonding devices? +- */ ++ if (bond->params.mode == BOND_MODE_8023AD || bond_is_lb(bond)) { ++ struct slave *slave; ++ ++ slave = bond_get_slave_by_dev(bond, slave_dev); ++ if (slave) { ++ u16 old_speed = slave->speed; ++ u16 old_duplex = slave->duplex; ++ ++ bond_update_speed_duplex(slave); ++ ++ if (bond_is_lb(bond)) ++ break; ++ ++ if (old_speed != slave->speed) ++ bond_3ad_adapter_speed_changed(slave); ++ if (old_duplex != slave->duplex) ++ bond_3ad_adapter_duplex_changed(slave); ++ } ++ } ++ + break; + case NETDEV_DOWN: + /* diff --git a/queue-2.6.27/bridge-bad-error-handling-when-adding-invalid-ether-address.patch b/queue-2.6.27/bridge-bad-error-handling-when-adding-invalid-ether-address.patch new file mode 100644 index 00000000000..66a4ec6e819 --- /dev/null +++ b/queue-2.6.27/bridge-bad-error-handling-when-adding-invalid-ether-address.patch @@ -0,0 +1,33 @@ +From 8866e77e34c013658b231ba3690250c4db05e38d Mon Sep 17 00:00:00 2001 +From: Stephen Hemminger +Date: Wed, 25 Mar 2009 21:01:47 -0700 +Subject: bridge: bad error handling when adding invalid ether address + + +[ Upstream commit cda6d377ec6b2ee2e58d563d0bd7eb313e0165df ] + +This fixes an crash when empty bond device is added to a bridge. +If an interface with invalid ethernet address (all zero) is added +to a bridge, then bridge code detects it when setting up the forward +databas entry. But the error unwind is broken, the bridge port object +can get freed twice: once when ref count went to zeo, and once by kfree. +Since object is never really accessible, just free it. + +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/bridge/br_if.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -419,7 +419,6 @@ err2: + err1: + kobject_del(&p->kobj); + err0: +- kobject_put(&p->kobj); + dev_set_promiscuity(dev, -1); + put_back: + dev_put(dev); diff --git a/queue-2.6.27/ipv6-don-t-use-tw-net-when-accounting-for-recycled-tw.patch b/queue-2.6.27/ipv6-don-t-use-tw-net-when-accounting-for-recycled-tw.patch new file mode 100644 index 00000000000..364524250b7 --- /dev/null +++ b/queue-2.6.27/ipv6-don-t-use-tw-net-when-accounting-for-recycled-tw.patch @@ -0,0 +1,41 @@ +From 6feb7acb128c3ee225d1444fe5bca386b5bd0fa3 Mon Sep 17 00:00:00 2001 +From: Pavel Emelyanov +Date: Thu, 26 Feb 2009 03:35:13 -0800 +Subject: ipv6: don't use tw net when accounting for recycled tw + + +[ Upstream commit 3f53a38131a4e7a053c0aa060aba0411242fb6b9 ] + +We already have a valid net in that place, but this is not just a +cleanup - the tw pointer can be NULL there sometimes, thus causing +an oops in NET_NS=y case. + +The same place in ipv4 code already works correctly using existing +net, rather than tw's one. + +The bug exists since 2.6.27. + +Signed-off-by: Pavel Emelyanov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/inet6_hashtables.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv6/inet6_hashtables.c ++++ b/net/ipv6/inet6_hashtables.c +@@ -210,11 +210,11 @@ unique: + + if (twp != NULL) { + *twp = tw; +- NET_INC_STATS_BH(twsk_net(tw), LINUX_MIB_TIMEWAITRECYCLED); ++ NET_INC_STATS_BH(net, LINUX_MIB_TIMEWAITRECYCLED); + } else if (tw != NULL) { + /* Silly. Should hash-dance instead... */ + inet_twsk_deschedule(tw, death_row); +- NET_INC_STATS_BH(twsk_net(tw), LINUX_MIB_TIMEWAITRECYCLED); ++ NET_INC_STATS_BH(net, LINUX_MIB_TIMEWAITRECYCLED); + + inet_twsk_put(tw); + } diff --git a/queue-2.6.27/ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch b/queue-2.6.27/ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch new file mode 100644 index 00000000000..a7c78e57889 --- /dev/null +++ b/queue-2.6.27/ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch @@ -0,0 +1,52 @@ +From 5209180c240d396274624326a7ac86642db0b505 Mon Sep 17 00:00:00 2001 +From: Jesper Nilsson +Date: Fri, 27 Mar 2009 00:17:45 -0700 +Subject: ipv6: Plug sk_buff leak in ipv6_rcv (net/ipv6/ip6_input.c) + + +[ Upstream commit 71f6f6dfdf7c7a67462386d9ea05c1095a89c555 ] + +Commit 778d80be52699596bf70e0eb0761cf5e1e46088d +(ipv6: Add disable_ipv6 sysctl to disable IPv6 operaion on specific interface) +seems to have introduced a leak of sk_buff's for ipv6 traffic, +at least in some configurations where idev is NULL, or when ipv6 +is disabled via sysctl. + +The problem is that if the first condition of the if-statement +returns non-NULL, it returns an skb with only one reference, +and when the other conditions apply, execution jumps to the "out" +label, which does not call kfree_skb for it. + +To plug this leak, change to use the "drop" label instead. +(this relies on it being ok to call kfree_skb on NULL) +This also allows us to avoid calling rcu_read_unlock here, +and removes the only user of the "out" label. + +Signed-off-by: Jesper Nilsson +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ip6_input.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/net/ipv6/ip6_input.c ++++ b/net/ipv6/ip6_input.c +@@ -74,8 +74,7 @@ int ipv6_rcv(struct sk_buff *skb, struct + if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL || + !idev || unlikely(idev->cnf.disable_ipv6)) { + IP6_INC_STATS_BH(idev, IPSTATS_MIB_INDISCARDS); +- rcu_read_unlock(); +- goto out; ++ goto drop; + } + + memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm)); +@@ -145,7 +144,6 @@ err: + drop: + rcu_read_unlock(); + kfree_skb(skb); +-out: + return 0; + } + diff --git a/queue-2.6.27/net-fix-sctp-breakage.patch b/queue-2.6.27/net-fix-sctp-breakage.patch new file mode 100644 index 00000000000..382be622ade --- /dev/null +++ b/queue-2.6.27/net-fix-sctp-breakage.patch @@ -0,0 +1,32 @@ +From e248c24d0d83f40328b11cddee7cb4fd090ebcf4 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Wed, 18 Mar 2009 19:12:42 -0700 +Subject: net: fix sctp breakage + + +[ Upstream commit cb0dc77de0d23615a845e45844a2e22fc224d7fe ] + +broken by commit 5e739d1752aca4e8f3e794d431503bfca3162df4; AFAICS should +be -stable fodder as well... + +Signed-off-by: Al Viro +Aced-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/sctp/endpointola.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sctp/endpointola.c ++++ b/net/sctp/endpointola.c +@@ -111,7 +111,8 @@ static struct sctp_endpoint *sctp_endpoi + if (sctp_addip_enable) { + auth_chunks->chunks[0] = SCTP_CID_ASCONF; + auth_chunks->chunks[1] = SCTP_CID_ASCONF_ACK; +- auth_chunks->param_hdr.length += htons(2); ++ auth_chunks->param_hdr.length = ++ htons(sizeof(sctp_paramhdr_t) + 2); + } + } + diff --git a/queue-2.6.27/netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch b/queue-2.6.27/netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch new file mode 100644 index 00000000000..24e25f03aaf --- /dev/null +++ b/queue-2.6.27/netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch @@ -0,0 +1,42 @@ +From 0c6310c4d90558e72e410c3777e29acdec6477e2 Mon Sep 17 00:00:00 2001 +From: Mark H. Weaver +Date: Mon, 23 Mar 2009 13:46:12 +0100 +Subject: netfilter: nf_conntrack_tcp: fix unaligned memory access in tcp_sack + + +[ Upstream commit 534f81a5068799799e264fd162e9488a129f98d4 ] + +This patch fixes an unaligned memory access in tcp_sack while reading +sequence numbers from TCP selective acknowledgement options. Prior to +applying this patch, upstream linux-2.6.27.20 was occasionally +generating messages like this on my sparc64 system: + + [54678.532071] Kernel unaligned access at TPC[6b17d4] tcp_packet+0xcd4/0xd00 + +Acked-by: David S. Miller +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_proto_tcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #include + +@@ -466,7 +467,7 @@ static void tcp_sack(const struct sk_buf + for (i = 0; + i < (opsize - TCPOLEN_SACK_BASE); + i += TCPOLEN_SACK_PERBLOCK) { +- tmp = ntohl(*((__be32 *)(ptr+i)+1)); ++ tmp = get_unaligned_be32((__be32 *)(ptr+i)+1); + + if (after(tmp, *sack)) + *sack = tmp; diff --git a/queue-2.6.27/series b/queue-2.6.27/series index ec4964e115a..590503fefaa 100644 --- a/queue-2.6.27/series +++ b/queue-2.6.27/series @@ -9,3 +9,10 @@ 0032-Add-a-missing-unlock_kernel-in-raw_open.patch 0033-x86-PAT-PCI-Change-vma-prot-in-pci_mmap-to-reflec.patch 0037-x86-mtrr-don-t-modify-RdDram-WrDram-bits-of-fixed.patch +bas_gigaset-correctly-allocate-usb-interrupt-transfer-buffer.patch +bonding-fix-updating-of-speed-duplex-changes.patch +bridge-bad-error-handling-when-adding-invalid-ether-address.patch +ipv6-don-t-use-tw-net-when-accounting-for-recycled-tw.patch +ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch +netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch +net-fix-sctp-breakage.patch