From: Greg Kroah-Hartman Date: Fri, 16 Mar 2007 23:24:48 +0000 (-0700) Subject: more added X-Git-Tag: v2.6.20.4~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=17d6a8d53ed9b226e1609efe8f3c4d2dbb48d20f;p=thirdparty%2Fkernel%2Fstable-queue.git more added
---
diff --git a/queue-2.6.20/fix-read-past-end-of-array-in-md-linear.c.patch b/queue-2.6.20/fix-read-past-end-of-array-in-md-linear.c.patch
new file mode 100644
index 00000000000..3c83b9af7db
--- /dev/null
+++ b/queue-2.6.20/fix-read-past-end-of-array-in-md-linear.c.patch
@@ -0,0 +1,53 @@ +From stable-bounces@linux.kernel.org Fri Mar 16 14:39:36 2007 +From: Andy Isaacson +Date: Fri, 16 Mar 2007 13:38:04 -0800 +Subject: fix read past end of array in md/linear.c +To: torvalds@linux-foundation.org +Cc: stable@kernel.org, akpm@linux-foundation.org, neilb@cse.unsw.edu.au, adi@hexapodia.org, ego@in.ibm.com +Message-ID: <200703162138.l2GLc4bo022282@shell0.pdx.osdl.net> + + +From: Andy Isaacson + +When iterating through an array, one must be careful to test one's index +variable rather than another similarly-named variable. + +The loop will read off the end of conf->disks[] in the following +(pathological) case: + +% dd bs=1 seek=840716287 if=/dev/zero of=d1 count=1 +% for i in 2 3 4; do dd if=/dev/zero of=d$i bs=1k count=$(($i+150)); done +% ./vmlinux ubd0=root ubd1=d1 ubd2=d2 ubd3=d3 ubd4=d4 +# mdadm -C /dev/md0 --level=linear --raid-devices=4 /dev/ubd[1234] + +adding some printks, I saw this: +[42949374.960000] hash_spacing = 821120 +[42949374.960000] cnt = 4 +[42949374.960000] min_spacing = 801 +[42949374.960000] j=0 size=820928 sz=820928 +[42949374.960000] i=0 sz=820928 hash_spacing=820928 +[42949374.960000] j=1 size=64 sz=64 +[42949374.960000] j=2 size=64 sz=128 +[42949374.960000] j=3 size=64 sz=192 +[42949374.960000] j=4 size=1515870810 sz=1515871002 + +Cc: Gautham R Shenoy +Acked-by: Neil Brown +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/linear.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/linear.c ++++ b/drivers/md/linear.c +@@ -188,7 +188,7 @@ static linear_conf_t *linear_conf(mddev_ + for (i=0; i < cnt-1 ; i++) { + sector_t sz = 0; + int j; +- for (j=i; idisks[j].size; + if (sz >= min_spacing && sz < conf->hash_spacing) + conf->hash_spacing = sz; diff --git a/queue-2.6.20/r8169-fix-a-race-between-pci-probe-and-dev_open.patch b/queue-2.6.20/r8169-fix-a-race-between-pci-probe-and-dev_open.patch new file mode 100644 index 00000000000..6bf07397fdb --- /dev/null 
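Review bot: The inner `for (j=i; …)` loop in the `@@ -188,7 +188,7 @@` hunk of drivers/md/linear.c has no comment tying its bound to the number of entries in `conf->disks[]`, which is the kind of `i`/`j` confusion the message describes. I would add `/* bound is on j, not i: stay inside conf->disks[] */` above that loop. The logged `size=1515870810` at `j=4` equals 0x5a5a5a5a, which looks like an allocator poison pattern rather than a device size, so the description could say outright that the value read past the array then enters the `sz < conf->hash_spacing` comparison. The removed and added loop lines are truncated on this page, so the new condition should be checked against the original patch; linear_conf() starts and ends outside the hunk.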
+++ b/queue-2.6.20/r8169-fix-a-race-between-pci-probe-and-dev_open.patch
@@ -0,0 +1,45 @@
+From stable-bounces@linux.kernel.org Wed Mar 14 23:58:50 2007
+From: Francois Romieu
+Date: Wed, 14 Mar 2007 21:32:00 +0100
+Subject: r8169: fix a race between PCI probe and dev_open
+To: Daniel Drake
+Cc: stable@kernel.org
+Message-ID: <20070314203200.GB14435@electric-eye.fr.zoreil.com>
+Content-Disposition: inline
+
+Initialize the timer with the rest of the private-struct.
+
+Signed-off-by: Francois Romieu
+Signed-off-by: Jeff Garzik
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/r8169.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -1369,11 +1369,7 @@ static inline void rtl8169_request_timer
+ (tp->phy_version >= RTL_GIGA_PHY_VER_H))
+ return;
+
+- init_timer(timer);
+- timer->expires = jiffies + RTL8169_PHY_TIMEOUT;
+- timer->data = (unsigned long)(dev);
+- timer->function = rtl8169_phy_timer;
+- add_timer(timer);
++ mod_timer(timer, jiffies + RTL8169_PHY_TIMEOUT);
+ }
+
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+@@ -1686,6 +1682,10 @@ rtl8169_init_one(struct pci_dev *pdev, c
+ tp->mmio_addr = ioaddr;
+ tp->align = rtl_cfg_info[ent->driver_data].align;
+
++ init_timer(&tp->timer);
++ tp->timer.data = (unsigned long) dev;
++ tp->timer.function = rtl8169_phy_timer;
++
+ spin_lock_init(&tp->lock);
+
+ rc = register_netdev(dev);
diff --git a/queue-2.6.20/series b/queue-2.6.20/series
index 600892a74c1..e0eaabb0e8b 100644
--- a/queue-2.6.20/series
+++ b/queue-2.6.20/series
@@ -14,3 +14,5 @@ futex-pi-state-locking-fix.patch
 nfs-nfs_getattr-can-t-call-nfs_sync_mapping_range-for-non-regular-files.patch
 hrtimer-prevent-overrun-dos-in-hrtimer_forward.patch
 fix-mtime_sec_max-on-32-bit.patch
+fix-read-past-end-of-array-in-md-linear.c.patch
+r8169-fix-a-race-between-pci-probe-and-dev_open.patch
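Review bot: The timer setup added in the `@@ -1686,6 +1682,10 @@` hunk of drivers/net/r8169.c has no comment saying why it must come before `rc = register_netdev(dev);`, and the one-line description does not explain it either. Going by the subject line, the device can be opened once it is registered, so the ordering is the fix itself; I would add `/* set up before register_netdev(): dev_open may use tp->timer as soon as the device is visible */` above `init_timer(&tp->timer);`. In the `@@ -1369,11 +1369,7 @@` hunk, `mod_timer()` re-arms a timer that is already pending, which as far as I recall `add_timer()` does not tolerate, so that behaviour change deserves a sentence in the description. Both rtl8169_request_timer and rtl8169_init_one start or end outside the hunks shown.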