From: Greg Kroah-Hartman Date: Sat, 10 Mar 2007 05:35:30 +0000 (-0800) Subject: 20 patches added to queue X-Git-Tag: v2.6.20.3~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1af77f32332e2878c36ac80d54fd8b050895d8a6;p=thirdparty%2Fkernel%2Fstable-queue.git 20 patches added to queue --- diff --git a/queue-2.6.20/bcm43xx-fix-problem-with-1-gb-ram.patch b/queue-2.6.20/bcm43xx-fix-problem-with-1-gb-ram.patch new file mode 100644 index 00000000000..e931267c93f --- /dev/null +++ b/queue-2.6.20/bcm43xx-fix-problem-with-1-gb-ram.patch @@ -0,0 +1,311 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 10:07:33 2007 +From: Larry Finger +Date: Wed, 07 Mar 2007 13:05:58 -0500 +Subject: bcm43xx: Fix problem with >1 GB RAM +To: linux-stable +Message-ID: <45EEFF06.7010101@redhat.com> + +From: Larry Finger + +[PATCH] bcm43xx: Fix problem with >1 GB RAM + +Some versions of the bcm43xx chips only support 30-bit DMA, which means +that the descriptors and buffers must be in the first 1 GB of RAM. On +the i386 and x86_64 architectures with more than 1 GB RAM, an incorrect +assignment may occur. This patch ensures that the various DMA addresses +are within the capability of the chip. Testing has been limited to x86_64 +as no one has an i386 system with more than 1 GB RAM. + +Signed-off-by: Larry Finger +Signed-off-by: John W. Linville +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/bcm43xx/bcm43xx.h | 1 + drivers/net/wireless/bcm43xx/bcm43xx_dma.c | 171 +++++++++++++++++++++-------- + 2 files changed, 125 insertions(+), 47 deletions(-) + +--- a/drivers/net/wireless/bcm43xx/bcm43xx.h ++++ b/drivers/net/wireless/bcm43xx/bcm43xx.h +@@ -766,6 +766,7 @@ struct bcm43xx_private { + * This is currently always BCM43xx_BUSTYPE_PCI + */ + u8 bustype; ++ u64 dma_mask; + + u16 board_vendor; + u16 board_type; +--- a/drivers/net/wireless/bcm43xx/bcm43xx_dma.c ++++ b/drivers/net/wireless/bcm43xx/bcm43xx_dma.c +@@ -145,16 +145,14 @@ dma_addr_t map_descbuffer(struct bcm43xx + int tx) + { + dma_addr_t dmaaddr; ++ int direction = PCI_DMA_FROMDEVICE; + +- if (tx) { +- dmaaddr = dma_map_single(&ring->bcm->pci_dev->dev, +- buf, len, +- DMA_TO_DEVICE); +- } else { +- dmaaddr = dma_map_single(&ring->bcm->pci_dev->dev, ++ if (tx) ++ direction = PCI_DMA_TODEVICE; ++ ++ dmaaddr = pci_map_single(ring->bcm->pci_dev, + buf, len, +- DMA_FROM_DEVICE); +- } ++ direction); + + return dmaaddr; + } +@@ -166,13 +164,13 @@ void unmap_descbuffer(struct bcm43xx_dma + int tx) + { + if (tx) { +- dma_unmap_single(&ring->bcm->pci_dev->dev, ++ pci_unmap_single(ring->bcm->pci_dev, + addr, len, +- DMA_TO_DEVICE); ++ PCI_DMA_TODEVICE); + } else { +- dma_unmap_single(&ring->bcm->pci_dev->dev, ++ pci_unmap_single(ring->bcm->pci_dev, + addr, len, +- DMA_FROM_DEVICE); ++ PCI_DMA_FROMDEVICE); + } + } + +@@ -183,8 +181,8 @@ void sync_descbuffer_for_cpu(struct bcm4 + { + assert(!ring->tx); + +- dma_sync_single_for_cpu(&ring->bcm->pci_dev->dev, +- addr, len, DMA_FROM_DEVICE); ++ pci_dma_sync_single_for_cpu(ring->bcm->pci_dev, ++ addr, len, PCI_DMA_FROMDEVICE); + } + + static inline +@@ -194,8 +192,8 @@ void sync_descbuffer_for_device(struct b + { + assert(!ring->tx); + +- dma_sync_single_for_device(&ring->bcm->pci_dev->dev, +- addr, len, DMA_FROM_DEVICE); ++ pci_dma_sync_single_for_cpu(ring->bcm->pci_dev, ++ addr, len, PCI_DMA_TODEVICE); + } + + /* Unmap and free a descriptor buffer. */ +@@ -214,17 +212,53 @@ void free_descriptor_buffer(struct bcm43 + + static int alloc_ringmemory(struct bcm43xx_dmaring *ring) + { +- struct device *dev = &(ring->bcm->pci_dev->dev); +- +- ring->descbase = dma_alloc_coherent(dev, BCM43xx_DMA_RINGMEMSIZE, +- &(ring->dmabase), GFP_KERNEL); ++ ring->descbase = pci_alloc_consistent(ring->bcm->pci_dev, BCM43xx_DMA_RINGMEMSIZE, ++ &(ring->dmabase)); + if (!ring->descbase) { +- printk(KERN_ERR PFX "DMA ringmemory allocation failed\n"); +- return -ENOMEM; ++ /* Allocation may have failed due to pci_alloc_consistent ++ insisting on use of GFP_DMA, which is more restrictive ++ than necessary... */ ++ struct dma_desc *rx_ring; ++ dma_addr_t rx_ring_dma; ++ ++ rx_ring = kzalloc(BCM43xx_DMA_RINGMEMSIZE, GFP_KERNEL); ++ if (!rx_ring) ++ goto out_err; ++ ++ rx_ring_dma = pci_map_single(ring->bcm->pci_dev, rx_ring, ++ BCM43xx_DMA_RINGMEMSIZE, ++ PCI_DMA_BIDIRECTIONAL); ++ ++ if (pci_dma_mapping_error(rx_ring_dma) || ++ rx_ring_dma + BCM43xx_DMA_RINGMEMSIZE > ring->bcm->dma_mask) { ++ /* Sigh... */ ++ if (!pci_dma_mapping_error(rx_ring_dma)) ++ pci_unmap_single(ring->bcm->pci_dev, ++ rx_ring_dma, BCM43xx_DMA_RINGMEMSIZE, ++ PCI_DMA_BIDIRECTIONAL); ++ rx_ring_dma = pci_map_single(ring->bcm->pci_dev, ++ rx_ring, BCM43xx_DMA_RINGMEMSIZE, ++ PCI_DMA_BIDIRECTIONAL); ++ if (pci_dma_mapping_error(rx_ring_dma) || ++ rx_ring_dma + BCM43xx_DMA_RINGMEMSIZE > ring->bcm->dma_mask) { ++ assert(0); ++ if (!pci_dma_mapping_error(rx_ring_dma)) ++ pci_unmap_single(ring->bcm->pci_dev, ++ rx_ring_dma, BCM43xx_DMA_RINGMEMSIZE, ++ PCI_DMA_BIDIRECTIONAL); ++ goto out_err; ++ } ++ } ++ ++ ring->descbase = rx_ring; ++ ring->dmabase = rx_ring_dma; + } + memset(ring->descbase, 0, BCM43xx_DMA_RINGMEMSIZE); + + return 0; ++out_err: ++ printk(KERN_ERR PFX "DMA ringmemory allocation failed\n"); ++ return -ENOMEM; + } + + static void free_ringmemory(struct bcm43xx_dmaring *ring) +@@ -407,6 +441,29 @@ static int setup_rx_descbuffer(struct bc + if (unlikely(!skb)) + return -ENOMEM; + dmaaddr = map_descbuffer(ring, skb->data, ring->rx_buffersize, 0); ++ /* This hardware bug work-around adapted from the b44 driver. ++ The chip may be unable to do PCI DMA to/from anything above 1GB */ ++ if (pci_dma_mapping_error(dmaaddr) || ++ dmaaddr + ring->rx_buffersize > ring->bcm->dma_mask) { ++ /* This one has 30-bit addressing... */ ++ if (!pci_dma_mapping_error(dmaaddr)) ++ pci_unmap_single(ring->bcm->pci_dev, ++ dmaaddr, ring->rx_buffersize, ++ PCI_DMA_FROMDEVICE); ++ dev_kfree_skb_any(skb); ++ skb = __dev_alloc_skb(ring->rx_buffersize,GFP_DMA); ++ if (skb == NULL) ++ return -ENOMEM; ++ dmaaddr = pci_map_single(ring->bcm->pci_dev, ++ skb->data, ring->rx_buffersize, ++ PCI_DMA_FROMDEVICE); ++ if (pci_dma_mapping_error(dmaaddr) || ++ dmaaddr + ring->rx_buffersize > ring->bcm->dma_mask) { ++ assert(0); ++ dev_kfree_skb_any(skb); ++ return -ENOMEM; ++ } ++ } + meta->skb = skb; + meta->dmaaddr = dmaaddr; + skb->dev = ring->bcm->net_dev; +@@ -636,8 +693,10 @@ struct bcm43xx_dmaring * bcm43xx_setup_d + err = dmacontroller_setup(ring); + if (err) + goto err_free_ringmemory; ++ return ring; + + out: ++ printk(KERN_ERR PFX "Error in bcm43xx_setup_dmaring\n"); + return ring; + + err_free_ringmemory: +@@ -705,30 +764,16 @@ int bcm43xx_dma_init(struct bcm43xx_priv + struct bcm43xx_dmaring *ring; + int err = -ENOMEM; + int dma64 = 0; +- u64 mask = bcm43xx_get_supported_dma_mask(bcm); +- int nobits; + +- if (mask == DMA_64BIT_MASK) { ++ bcm->dma_mask = bcm43xx_get_supported_dma_mask(bcm); ++ if (bcm->dma_mask == DMA_64BIT_MASK) + dma64 = 1; +- nobits = 64; +- } else if (mask == DMA_32BIT_MASK) +- nobits = 32; +- else +- nobits = 30; +- err = pci_set_dma_mask(bcm->pci_dev, mask); +- err |= pci_set_consistent_dma_mask(bcm->pci_dev, mask); +- if (err) { +-#ifdef CONFIG_BCM43XX_PIO +- printk(KERN_WARNING PFX "DMA not supported on this device." +- " Falling back to PIO.\n"); +- bcm->__using_pio = 1; +- return -ENOSYS; +-#else +- printk(KERN_ERR PFX "FATAL: DMA not supported and PIO not configured. " +- "Please recompile the driver with PIO support.\n"); +- return -ENODEV; +-#endif /* CONFIG_BCM43XX_PIO */ +- } ++ err = pci_set_dma_mask(bcm->pci_dev, bcm->dma_mask); ++ if (err) ++ goto no_dma; ++ err = pci_set_consistent_dma_mask(bcm->pci_dev, bcm->dma_mask); ++ if (err) ++ goto no_dma; + + /* setup TX DMA channels. */ + ring = bcm43xx_setup_dmaring(bcm, 0, 1, dma64); +@@ -774,7 +819,9 @@ int bcm43xx_dma_init(struct bcm43xx_priv + dma->rx_ring3 = ring; + } + +- dprintk(KERN_INFO PFX "%d-bit DMA initialized\n", nobits); ++ dprintk(KERN_INFO PFX "%d-bit DMA initialized\n", ++ (bcm->dma_mask == DMA_64BIT_MASK) ? 64 : ++ (bcm->dma_mask == DMA_32BIT_MASK) ? 32 : 30); + err = 0; + out: + return err; +@@ -800,7 +847,17 @@ err_destroy_tx1: + err_destroy_tx0: + bcm43xx_destroy_dmaring(dma->tx_ring0); + dma->tx_ring0 = NULL; +- goto out; ++no_dma: ++#ifdef CONFIG_BCM43XX_PIO ++ printk(KERN_WARNING PFX "DMA not supported on this device." ++ " Falling back to PIO.\n"); ++ bcm->__using_pio = 1; ++ return -ENOSYS; ++#else ++ printk(KERN_ERR PFX "FATAL: DMA not supported and PIO not configured. " ++ "Please recompile the driver with PIO support.\n"); ++ return -ENODEV; ++#endif /* CONFIG_BCM43XX_PIO */ + } + + /* Generate a cookie for the TX header. */ +@@ -905,6 +962,7 @@ static void dma_tx_fragment(struct bcm43 + struct bcm43xx_dmadesc_generic *desc; + struct bcm43xx_dmadesc_meta *meta; + dma_addr_t dmaaddr; ++ struct sk_buff *bounce_skb; + + assert(skb_shinfo(skb)->nr_frags == 0); + +@@ -924,9 +982,28 @@ static void dma_tx_fragment(struct bcm43 + skb->len - sizeof(struct bcm43xx_txhdr), + (cur_frag == 0), + generate_cookie(ring, slot)); ++ dmaaddr = map_descbuffer(ring, skb->data, skb->len, 1); ++ if (dma_mapping_error(dmaaddr) || dmaaddr + skb->len > ring->bcm->dma_mask) { ++ /* chip cannot handle DMA to/from > 1GB, use bounce buffer (copied from b44 driver) */ ++ if (!dma_mapping_error(dmaaddr)) ++ unmap_descbuffer(ring, dmaaddr, skb->len, 1); ++ bounce_skb = __dev_alloc_skb(skb->len, GFP_ATOMIC|GFP_DMA); ++ if (!bounce_skb) ++ return; ++ dmaaddr = map_descbuffer(ring, bounce_skb->data, bounce_skb->len, 1); ++ if (dma_mapping_error(dmaaddr) || dmaaddr + skb->len > ring->bcm->dma_mask) { ++ if (!dma_mapping_error(dmaaddr)) ++ unmap_descbuffer(ring, dmaaddr, skb->len, 1); ++ dev_kfree_skb_any(bounce_skb); ++ assert(0); ++ return; ++ } ++ memcpy(skb_put(bounce_skb, skb->len), skb->data, skb->len); ++ dev_kfree_skb_any(skb); ++ skb = bounce_skb; ++ } + + meta->skb = skb; +- dmaaddr = map_descbuffer(ring, skb->data, skb->len, 1); + meta->dmaaddr = dmaaddr; + + fill_descriptor(ring, desc, dmaaddr, diff --git a/queue-2.6.20/conntrack-fix-nf-ip-_ct_iterate_cleanup-endless-loops.patch b/queue-2.6.20/conntrack-fix-nf-ip-_ct_iterate_cleanup-endless-loops.patch new file mode 100644 index 00000000000..8065c364f26 --- /dev/null +++ b/queue-2.6.20/conntrack-fix-nf-ip-_ct_iterate_cleanup-endless-loops.patch @@ -0,0 +1,88 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 13:36:06 2007 +From: Patrick McHardy +Date: Wed, 7 Mar 2007 22:34:27 +0100 (MET) +Subject: conntrack: fix {nf, ip}_ct_iterate_cleanup endless loops +To: stable@kernel.org +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , +Message-ID: <20070307213348.22306.24109.sendpatchset@localhost.localdomain> + +From: Patrick McHardy + +[NETFILTER]: conntrack: fix {nf,ip}_ct_iterate_cleanup endless loops + +Fix {nf,ip}_ct_iterate_cleanup unconfirmed list handling: + +- unconfirmed entries can not be killed manually, they are removed on + confirmation or final destruction of the conntrack entry, which means + we might iterate forever without making forward progress. + + This can happen in combination with the conntrack event cache, which + holds a reference to the conntrack entry, which is only released when + the packet makes it all the way through the stack or a different + packet is handled. + +- taking references to an unconfirmed entry and using it outside the + locked section doesn't work, the list entries are not refcounted and + another CPU might already be waiting to destroy the entry + +What the code really wants to do is make sure the references of the hash +table to the selected conntrack entries are released, so they will be +destroyed once all references from skbs and the event cache are dropped. + +Since unconfirmed entries haven't even entered the hash yet, simply mark +them as dying and skip confirmation based on that. + +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/netfilter_ipv4/ip_conntrack_core.h | 2 +- + include/net/netfilter/nf_conntrack_core.h | 2 +- + net/ipv4/netfilter/ip_conntrack_core.c | 2 +- + net/netfilter/nf_conntrack_core.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +--- a/include/linux/netfilter_ipv4/ip_conntrack_core.h ++++ b/include/linux/netfilter_ipv4/ip_conntrack_core.h +@@ -45,7 +45,7 @@ static inline int ip_conntrack_confirm(s + int ret = NF_ACCEPT; + + if (ct) { +- if (!is_confirmed(ct)) ++ if (!is_confirmed(ct) && !is_dying(ct)) + ret = __ip_conntrack_confirm(pskb); + ip_ct_deliver_cached_events(ct); + } +--- a/include/net/netfilter/nf_conntrack_core.h ++++ b/include/net/netfilter/nf_conntrack_core.h +@@ -64,7 +64,7 @@ static inline int nf_conntrack_confirm(s + int ret = NF_ACCEPT; + + if (ct) { +- if (!nf_ct_is_confirmed(ct)) ++ if (!nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct)) + ret = __nf_conntrack_confirm(pskb); + nf_ct_deliver_cached_events(ct); + } +--- a/net/ipv4/netfilter/ip_conntrack_core.c ++++ b/net/ipv4/netfilter/ip_conntrack_core.c +@@ -1242,7 +1242,7 @@ get_next_corpse(int (*iter)(struct ip_co + list_for_each_entry(h, &unconfirmed, list) { + ct = tuplehash_to_ctrack(h); + if (iter(ct, data)) +- goto found; ++ set_bit(IPS_DYING_BIT, &ct->status); + } + write_unlock_bh(&ip_conntrack_lock); + return NULL; +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -1052,7 +1052,7 @@ get_next_corpse(int (*iter)(struct nf_co + list_for_each_entry(h, &unconfirmed, list) { + ct = nf_ct_tuplehash_to_ctrack(h); + if (iter(ct, data)) +- goto found; ++ set_bit(IPS_DYING_BIT, &ct->status); + } + write_unlock_bh(&nf_conntrack_lock); + return NULL; diff --git a/queue-2.6.20/fix-bug-7994-sleeping-function-called-from-invalid-context.patch b/queue-2.6.20/fix-bug-7994-sleeping-function-called-from-invalid-context.patch new file mode 100644 index 00000000000..f7bf7938b1f --- /dev/null +++ b/queue-2.6.20/fix-bug-7994-sleeping-function-called-from-invalid-context.patch @@ -0,0 +1,65 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 11:36:06 2007 +From: Douglas Gilbert +Date: Wed, 07 Mar 2007 14:33:38 -0500 +Subject: Fix bug 7994 sleeping function called from invalid context +To: Greg KH +Cc: , stable@kernel.org +Message-ID: <45EF1392.2090001@torque.net> + +From: Douglas Gilbert + + - addresses the reported bug (with GFP_KERNEL -> GFP_ATOMIC) + - improves error checking, and + - is a subset of the changes to scsi_debug in lk 2.6.21-rc* + +Compiled and lightly tested (in lk 2.6.21-rc2 environment). + +Signed-off-by: Douglas Gilbert +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_debug.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/scsi_debug.c ++++ b/drivers/scsi/scsi_debug.c +@@ -954,7 +954,9 @@ static int resp_inquiry(struct scsi_cmnd + int alloc_len, n, ret; + + alloc_len = (cmd[3] << 8) + cmd[4]; +- arr = kzalloc(SDEBUG_MAX_INQ_ARR_SZ, GFP_KERNEL); ++ arr = kzalloc(SDEBUG_MAX_INQ_ARR_SZ, GFP_ATOMIC); ++ if (! arr) ++ return DID_REQUEUE << 16; + if (devip->wlun) + pq_pdt = 0x1e; /* present, wlun */ + else if (scsi_debug_no_lun_0 && (0 == devip->lun)) +@@ -1217,7 +1219,9 @@ static int resp_report_tgtpgs(struct scs + alen = ((cmd[6] << 24) + (cmd[7] << 16) + (cmd[8] << 8) + + cmd[9]); + +- arr = kzalloc(SDEBUG_MAX_TGTPGS_ARR_SZ, GFP_KERNEL); ++ arr = kzalloc(SDEBUG_MAX_TGTPGS_ARR_SZ, GFP_ATOMIC); ++ if (! arr) ++ return DID_REQUEUE << 16; + /* + * EVPD page 0x88 states we have two ports, one + * real and a fake port with no device connected. +@@ -1996,6 +2000,8 @@ static int scsi_debug_slave_configure(st + if (sdp->host->max_cmd_len != SCSI_DEBUG_MAX_CMD_LEN) + sdp->host->max_cmd_len = SCSI_DEBUG_MAX_CMD_LEN; + devip = devInfoReg(sdp); ++ if (NULL == devip) ++ return 1; /* no resources, will be marked offline */ + sdp->hostdata = devip; + if (sdp->host->cmd_per_lun) + scsi_adjust_queue_depth(sdp, SDEBUG_TAGGED_QUEUING, +@@ -2044,7 +2050,7 @@ static struct sdebug_dev_info * devInfoR + } + } + if (NULL == open_devip) { /* try and make a new one */ +- open_devip = kzalloc(sizeof(*open_devip),GFP_KERNEL); ++ open_devip = kzalloc(sizeof(*open_devip),GFP_ATOMIC); + if (NULL == open_devip) { + printk(KERN_ERR "%s: out of memory at line %d\n", + __FUNCTION__, __LINE__); diff --git a/queue-2.6.20/fix-callback-bug-in-connector.patch b/queue-2.6.20/fix-callback-bug-in-connector.patch new file mode 100644 index 00000000000..117e63651e3 --- /dev/null +++ b/queue-2.6.20/fix-callback-bug-in-connector.patch @@ -0,0 +1,78 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 18:46:31 2007 +From: Philipp Reisner +Date: Wed, 07 Mar 2007 18:45:12 -0800 (PST) +Subject: Fix callback bug in connector +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070307.184512.78710320.davem@davemloft.net> + +From: Philipp Reisner + +[CONNECTOR]: Bugfix for cn_call_callback() + +When system under heavy stress and must allocate new work +instead of reusing old one, new work must use correct +completion callback. + +Patch is based on Philipp's and Lars' work. +I only cleaned small stuff (and removed spaces instead of tabs). + +Signed-off-by: Philipp Reisner +Signed-off-by: Lars Ellenberg +Signed-off-by: Evgeniy Polyakov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/connector/connector.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/drivers/connector/connector.c ++++ b/drivers/connector/connector.c +@@ -128,7 +128,7 @@ EXPORT_SYMBOL_GPL(cn_netlink_send); + */ + static int cn_call_callback(struct cn_msg *msg, void (*destruct_data)(void *), void *data) + { +- struct cn_callback_entry *__cbq; ++ struct cn_callback_entry *__cbq, *__new_cbq; + struct cn_dev *dev = &cdev; + int err = -ENODEV; + +@@ -148,27 +148,27 @@ static int cn_call_callback(struct cn_ms + } else { + struct cn_callback_data *d; + +- __cbq = kzalloc(sizeof(*__cbq), GFP_ATOMIC); +- if (__cbq) { +- d = &__cbq->data; ++ err = -ENOMEM; ++ __new_cbq = kzalloc(sizeof(struct cn_callback_entry), GFP_ATOMIC); ++ if (__new_cbq) { ++ d = &__new_cbq->data; + d->callback_priv = msg; + d->callback = __cbq->data.callback; + d->ddata = data; + d->destruct_data = destruct_data; +- d->free = __cbq; ++ d->free = __new_cbq; + +- INIT_WORK(&__cbq->work, ++ INIT_WORK(&__new_cbq->work, + &cn_queue_wrapper); +- ++ + if (queue_work(dev->cbdev->cn_queue, +- &__cbq->work)) ++ &__new_cbq->work)) + err = 0; + else { +- kfree(__cbq); ++ kfree(__new_cbq); + err = -EINVAL; + } +- } else +- err = -ENOMEM; ++ } + } + break; + } diff --git a/queue-2.6.20/fix-compat_getsockopt.patch b/queue-2.6.20/fix-compat_getsockopt.patch new file mode 100644 index 00000000000..39da3d6cc99 --- /dev/null +++ b/queue-2.6.20/fix-compat_getsockopt.patch @@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 18:44:09 2007 +From: Johannes Berg +Date: Wed, 07 Mar 2007 18:42:52 -0800 (PST) +Subject: Fix compat_getsockopt +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070307.184252.104033406.davem@davemloft.net> + + +From: Johannes Berg + +[NET]: Fix compat_sock_common_getsockopt typo. + +This patch fixes a typo in compat_sock_common_getsockopt. + +Signed-off-by: Johannes Berg +Acked-by: James Morris +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/sock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1597,7 +1597,7 @@ int compat_sock_common_getsockopt(struct + { + struct sock *sk = sock->sk; + +- if (sk->sk_prot->compat_setsockopt != NULL) ++ if (sk->sk_prot->compat_getsockopt != NULL) + return sk->sk_prot->compat_getsockopt(sk, level, optname, + optval, optlen); + return sk->sk_prot->getsockopt(sk, level, optname, optval, optlen); diff --git a/queue-2.6.20/fix-for-bugzilla-7544.patch b/queue-2.6.20/fix-for-bugzilla-7544.patch new file mode 100644 index 00000000000..a9e2944535f --- /dev/null +++ b/queue-2.6.20/fix-for-bugzilla-7544.patch @@ -0,0 +1,101 @@ +From fdcba53e2d58272bcdb5f1fad694602ccf02ad46 Mon Sep 17 00:00:00 2001 +From: Rainer Weikusat +Date: Wed, 3 Jan 2007 15:36:25 +0100 +Subject: fix for bugzilla #7544 (keyspan USB-to-serial converter) + +At least the Keyspan USA-19HS USB-to-serial converter supports +two different configurations, one where the input endpoints +have interrupt transfer type and one where they are bulk endpoints. +The default UHCI configuration uses the interrupt input endpoints. +The keyspan driver, OTOH, assumes that the device has only bulk +endpoints (all URBs are initialized by calling usb_fill_bulk_urb +in keyspan.c/ keyspan_setup_urb). This causes the interval field +of the input URBs to have a value of zero instead of one, which +'accidentally' worked with Linux at least up to 2.6.17.11 but +stopped to with 2.6.18, which changed the UHCI support code handling +URBs for interrupt endpoints. The patch below modifies to driver to +initialize its input URBs either as interrupt or as bulk URBs, +depending on the transfertype contained in the associated endpoint +descriptor (only tested with the default configuration) enabling +the driver to again receive data from the serial converter. + +Greg K-H reworked the patch. + +Signed-off-by: Rainer Weikusat +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/keyspan.c | 49 +++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 45 insertions(+), 4 deletions(-) + +--- a/drivers/usb/serial/keyspan.c ++++ b/drivers/usb/serial/keyspan.c +@@ -1275,11 +1275,31 @@ static int keyspan_fake_startup (struct + } + + /* Helper functions used by keyspan_setup_urbs */ ++static struct usb_endpoint_descriptor const *find_ep(struct usb_serial const *serial, ++ int endpoint) ++{ ++ struct usb_host_interface *iface_desc; ++ struct usb_endpoint_descriptor *ep; ++ int i; ++ ++ iface_desc = serial->interface->cur_altsetting; ++ for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { ++ ep = &iface_desc->endpoint[i].desc; ++ if (ep->bEndpointAddress == endpoint) ++ return ep; ++ } ++ dev_warn(&serial->interface->dev, "found no endpoint descriptor for " ++ "endpoint %x\n", endpoint); ++ return NULL; ++} ++ + static struct urb *keyspan_setup_urb (struct usb_serial *serial, int endpoint, + int dir, void *ctx, char *buf, int len, + void (*callback)(struct urb *)) + { + struct urb *urb; ++ struct usb_endpoint_descriptor const *ep_desc; ++ char const *ep_type_name; + + if (endpoint == -1) + return NULL; /* endpoint not needed */ +@@ -1291,11 +1311,32 @@ static struct urb *keyspan_setup_urb (st + return NULL; + } + +- /* Fill URB using supplied data. */ +- usb_fill_bulk_urb(urb, serial->dev, +- usb_sndbulkpipe(serial->dev, endpoint) | dir, +- buf, len, callback, ctx); ++ ep_desc = find_ep(serial, endpoint); ++ if (!ep_desc) { ++ /* leak the urb, something's wrong and the callers don't care */ ++ return urb; ++ } ++ if (usb_endpoint_xfer_int(ep_desc)) { ++ ep_type_name = "INT"; ++ usb_fill_int_urb(urb, serial->dev, ++ usb_sndintpipe(serial->dev, endpoint) | dir, ++ buf, len, callback, ctx, ++ ep_desc->bInterval); ++ } else if (usb_endpoint_xfer_bulk(ep_desc)) { ++ ep_type_name = "BULK"; ++ usb_fill_bulk_urb(urb, serial->dev, ++ usb_sndbulkpipe(serial->dev, endpoint) | dir, ++ buf, len, callback, ctx); ++ } else { ++ dev_warn(&serial->interface->dev, ++ "unsupported endpoint type %x\n", ++ ep_desc->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK); ++ usb_free_urb(urb); ++ return NULL; ++ } + ++ dbg("%s - using urb %p for %s endpoint %x", ++ __func__, urb, ep_type_name, endpoint); + return urb; + } + diff --git a/queue-2.6.20/fix-sparc64-device-register-probing.patch b/queue-2.6.20/fix-sparc64-device-register-probing.patch new file mode 100644 index 00000000000..8d2421fa2a4 --- /dev/null +++ b/queue-2.6.20/fix-sparc64-device-register-probing.patch @@ -0,0 +1,100 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 18:49:12 2007 +From: David Miller +Date: Wed, 07 Mar 2007 18:47:54 -0800 (PST) +Subject: Fix sparc64 device register probing +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070307.184754.85410399.davem@davemloft.net> + +From: David Miller + +[SPARC]: Fix bus handling in build_device_resources(). + +We mistakedly modify 'bus' in the innermost loop. What +should happen is that at each register index iteration, +we start with the same 'bus'. + +So preserve it's value at the top level, and use a loop +local variable 'dbus' for iteration. + +This bug causes registers other than the first to be +decoded improperly. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sparc/kernel/of_device.c | 7 ++++--- + arch/sparc64/kernel/of_device.c | 7 ++++--- + 2 files changed, 8 insertions(+), 6 deletions(-) + +--- a/arch/sparc/kernel/of_device.c ++++ b/arch/sparc/kernel/of_device.c +@@ -495,7 +495,7 @@ static void __init build_device_resource + u32 *reg = (preg + (index * ((na + ns) * 4))); + struct device_node *dp = op->node; + struct device_node *pp = p_op->node; +- struct of_bus *pbus; ++ struct of_bus *pbus, *dbus; + u64 size, result = OF_BAD_ADDR; + unsigned long flags; + int dna, dns; +@@ -516,6 +516,7 @@ static void __init build_device_resource + + dna = na; + dns = ns; ++ dbus = bus; + + while (1) { + dp = pp; +@@ -528,13 +529,13 @@ static void __init build_device_resource + pbus = of_match_bus(pp); + pbus->count_cells(dp, &pna, &pns); + +- if (build_one_resource(dp, bus, pbus, addr, ++ if (build_one_resource(dp, dbus, pbus, addr, + dna, dns, pna)) + break; + + dna = pna; + dns = pns; +- bus = pbus; ++ dbus = pbus; + } + + build_res: +--- a/arch/sparc64/kernel/of_device.c ++++ b/arch/sparc64/kernel/of_device.c +@@ -581,7 +581,7 @@ static void __init build_device_resource + u32 *reg = (preg + (index * ((na + ns) * 4))); + struct device_node *dp = op->node; + struct device_node *pp = p_op->node; +- struct of_bus *pbus; ++ struct of_bus *pbus, *dbus; + u64 size, result = OF_BAD_ADDR; + unsigned long flags; + int dna, dns; +@@ -599,6 +599,7 @@ static void __init build_device_resource + + dna = na; + dns = ns; ++ dbus = bus; + + while (1) { + dp = pp; +@@ -611,13 +612,13 @@ static void __init build_device_resource + pbus = of_match_bus(pp); + pbus->count_cells(dp, &pna, &pns); + +- if (build_one_resource(dp, bus, pbus, addr, ++ if (build_one_resource(dp, dbus, pbus, addr, + dna, dns, pna)) + break; + + dna = pna; + dns = pns; +- bus = pbus; ++ dbus = pbus; + } + + build_res: diff --git a/queue-2.6.20/fix-timewait-jiffies.patch b/queue-2.6.20/fix-timewait-jiffies.patch new file mode 100644 index 00000000000..65cee08137b --- /dev/null +++ b/queue-2.6.20/fix-timewait-jiffies.patch @@ -0,0 +1,31 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 18:50:04 2007 +From: Eric Dumazet +Date: Wed, 07 Mar 2007 18:48:44 -0800 (PST) +Subject: Fix timewait jiffies +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070307.184844.39158390.davem@davemloft.net> + +From: Eric Dumazet + +[INET]: twcal_jiffie should be unsigned long, not int + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/inet_timewait_sock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/inet_timewait_sock.h ++++ b/include/net/inet_timewait_sock.h +@@ -66,7 +66,7 @@ struct inet_hashinfo; + struct inet_timewait_death_row { + /* Short-time timewait calendar */ + int twcal_hand; +- int twcal_jiffie; ++ unsigned long twcal_jiffie; + struct timer_list twcal_timer; + struct hlist_head twcal_row[INET_TWDR_RECYCLE_SLOTS]; + diff --git a/queue-2.6.20/fix-udp-header-pointer-after-pskb_trim_rcsum.patch b/queue-2.6.20/fix-udp-header-pointer-after-pskb_trim_rcsum.patch new file mode 100644 index 00000000000..d979bf29c5e --- /dev/null +++ b/queue-2.6.20/fix-udp-header-pointer-after-pskb_trim_rcsum.patch @@ -0,0 +1,33 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 18:52:15 2007 +From: Herbert Xu +Date: Wed, 07 Mar 2007 18:50:54 -0800 (PST) +Subject: Fix UDP header pointer after pskb_trim_rcsum() +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070307.185054.59656687.davem@davemloft.net> + + +From: Herbert Xu + +[UDP]: Reread uh pointer after pskb_trim + +The header may have moved when trimming. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/udp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1214,6 +1214,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, + + if (ulen < sizeof(*uh) || pskb_trim_rcsum(skb, ulen)) + goto short_packet; ++ uh = skb->h.uh; + + udp4_csum_init(skb, uh); + diff --git a/queue-2.6.20/ip6_route_me_harder-should-take-into-account-mark.patch b/queue-2.6.20/ip6_route_me_harder-should-take-into-account-mark.patch new file mode 100644 index 00000000000..154400480dc --- /dev/null +++ b/queue-2.6.20/ip6_route_me_harder-should-take-into-account-mark.patch @@ -0,0 +1,30 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 13:37:14 2007 +From: Yasuyuki Kozakai +Date: Wed, 7 Mar 2007 22:34:40 +0100 (MET) +Subject: ip6_route_me_harder should take into account mark +To: stable@kernel.org +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , davem@davemloft.net +Message-ID: <20070307213401.22306.7090.sendpatchset@localhost.localdomain> + +From: Yasuyuki Kozakai + +[NETFILTER]: ip6_route_me_harder should take into account mark + +Signed-off-by: Yasuyuki Kozakai +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/netfilter.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/netfilter.c ++++ b/net/ipv6/netfilter.c +@@ -15,6 +15,7 @@ int ip6_route_me_harder(struct sk_buff * + struct dst_entry *dst; + struct flowi fl = { + .oif = skb->sk ? skb->sk->sk_bound_dev_if : 0, ++ .mark = skb->mark, + .nl_u = + { .ip6_u = + { .daddr = iph->daddr, diff --git a/queue-2.6.20/nf_conntrack-fix-incorrect-classification-of-ipv6-fragments-as-established.patch b/queue-2.6.20/nf_conntrack-fix-incorrect-classification-of-ipv6-fragments-as-established.patch new file mode 100644 index 00000000000..558c170ee67 --- /dev/null +++ b/queue-2.6.20/nf_conntrack-fix-incorrect-classification-of-ipv6-fragments-as-established.patch @@ -0,0 +1,38 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 13:37:25 2007 +From: Patrick McHardy +Date: Wed, 7 Mar 2007 22:34:42 +0100 (MET) +Subject: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED +To: stable@kernel.org +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , +Message-ID: <20070307213402.22306.75367.sendpatchset@localhost.localdomain> + +From: Patrick McHardy + +[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED + +The individual fragments of a packet reassembled by conntrack have the +conntrack reference from the reassembled packet attached, but nfctinfo +is not copied. This leaves it initialized to 0, which unfortunately is +the value of IP_CT_ESTABLISHED. + +The result is that all IPv6 fragments are tracked as ESTABLISHED, +allowing them to bypass a usual ruleset which accepts ESTABLISHED +packets early. + +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c ++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(un + } + nf_conntrack_get(reasm->nfct); + (*pskb)->nfct = reasm->nfct; ++ (*pskb)->nfctinfo = reasm->nfctinfo; + return NF_ACCEPT; + } + diff --git a/queue-2.6.20/nf_conntrack-nf_nat-fix-incorrect-config-ifdefs.patch b/queue-2.6.20/nf_conntrack-nf_nat-fix-incorrect-config-ifdefs.patch new file mode 100644 index 00000000000..ae058e772bc --- /dev/null +++ b/queue-2.6.20/nf_conntrack-nf_nat-fix-incorrect-config-ifdefs.patch @@ -0,0 +1,100 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 13:35:50 2007 +From: Patrick McHardy +Date: Wed, 7 Mar 2007 22:34:29 +0100 (MET) +Subject: nf_conntrack/nf_nat: fix incorrect config ifdefs +To: stable@kernel.org +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , +Message-ID: <20070307213349.22306.32501.sendpatchset@localhost.localdomain> + +From: Patrick McHardy + +[NETFILTER]: nf_conntrack/nf_nat: fix incorrect config ifdefs + +The nf_conntrack_netlink config option is named CONFIG_NF_CT_NETLINK, +but multiple files use CONFIG_IP_NF_CONNTRACK_NETLINK or +CONFIG_NF_CONNTRACK_NETLINK for ifdefs. + +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/nf_nat_core.c | 3 +-- + net/ipv4/netfilter/nf_nat_proto_gre.c | 3 +-- + net/ipv4/netfilter/nf_nat_proto_icmp.c | 3 +-- + net/ipv4/netfilter/nf_nat_proto_tcp.c | 3 +-- + net/ipv4/netfilter/nf_nat_proto_udp.c | 3 +-- + net/netfilter/nf_conntrack_proto_gre.c | 3 +-- + 6 files changed, 6 insertions(+), 12 deletions(-) + +--- a/net/ipv4/netfilter/nf_nat_core.c ++++ b/net/ipv4/netfilter/nf_nat_core.c +@@ -540,8 +540,7 @@ void nf_nat_protocol_unregister(struct n + } + EXPORT_SYMBOL(nf_nat_protocol_unregister); + +-#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ +- defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) ++#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) + int + nf_nat_port_range_to_nfattr(struct sk_buff *skb, + const struct nf_nat_range *range) +--- a/net/ipv4/netfilter/nf_nat_proto_gre.c ++++ b/net/ipv4/netfilter/nf_nat_proto_gre.c +@@ -152,8 +152,7 @@ static struct nf_nat_protocol gre __read + .manip_pkt = gre_manip_pkt, + .in_range = gre_in_range, + .unique_tuple = gre_unique_tuple, +-#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ +- defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) ++#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) + .range_to_nfattr = nf_nat_port_range_to_nfattr, + .nfattr_to_range = nf_nat_port_nfattr_to_range, + #endif +--- a/net/ipv4/netfilter/nf_nat_proto_icmp.c ++++ b/net/ipv4/netfilter/nf_nat_proto_icmp.c +@@ -78,8 +78,7 @@ struct nf_nat_protocol nf_nat_protocol_i + .manip_pkt = icmp_manip_pkt, + .in_range = icmp_in_range, + .unique_tuple = icmp_unique_tuple, +-#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ +- defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) ++#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) + .range_to_nfattr = nf_nat_port_range_to_nfattr, + .nfattr_to_range = nf_nat_port_nfattr_to_range, + #endif +--- a/net/ipv4/netfilter/nf_nat_proto_tcp.c ++++ b/net/ipv4/netfilter/nf_nat_proto_tcp.c +@@ -140,8 +140,7 @@ struct nf_nat_protocol nf_nat_protocol_t + .manip_pkt = tcp_manip_pkt, + .in_range = tcp_in_range, + .unique_tuple = tcp_unique_tuple, +-#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ +- defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) ++#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) + .range_to_nfattr = nf_nat_port_range_to_nfattr, + .nfattr_to_range = nf_nat_port_nfattr_to_range, + #endif +--- a/net/ipv4/netfilter/nf_nat_proto_udp.c ++++ b/net/ipv4/netfilter/nf_nat_proto_udp.c +@@ -130,8 +130,7 @@ struct nf_nat_protocol nf_nat_protocol_u + .manip_pkt = udp_manip_pkt, + .in_range = udp_in_range, + .unique_tuple = udp_unique_tuple, +-#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ +- defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) ++#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) + .range_to_nfattr = nf_nat_port_range_to_nfattr, + .nfattr_to_range = nf_nat_port_nfattr_to_range, + #endif +--- a/net/netfilter/nf_conntrack_proto_gre.c ++++ b/net/netfilter/nf_conntrack_proto_gre.c +@@ -281,8 +281,7 @@ static struct nf_conntrack_l4proto nf_co + .new = gre_new, + .destroy = gre_destroy, + .me = THIS_MODULE, +-#if defined(CONFIG_NF_CONNTRACK_NETLINK) || \ +- defined(CONFIG_NF_CONNTRACK_NETLINK_MODULE) ++#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) + .tuple_to_nfattr = nf_ct_port_tuple_to_nfattr, + .nfattr_to_tuple = nf_ct_port_nfattr_to_tuple, + #endif diff --git a/queue-2.6.20/nfnetlink_log-fix-crash-on-bridged-packet.patch b/queue-2.6.20/nfnetlink_log-fix-crash-on-bridged-packet.patch new file mode 100644 index 00000000000..5c4ec73a0ff --- /dev/null +++ b/queue-2.6.20/nfnetlink_log-fix-crash-on-bridged-packet.patch @@ -0,0 +1,36 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 13:37:59 2007 +From: Patrick McHardy +Date: Wed, 7 Mar 2007 22:34:45 +0100 (MET) +Subject: nfnetlink_log: fix crash on bridged packet +To: stable@kernel.org +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , +Message-ID: <20070307213405.22306.94073.sendpatchset@localhost.localdomain> + +From: Patrick McHardy + +[NETFILTER]: nfnetlink_log: fix crash on bridged packet + +physoutdev is only set on purely bridged packet, when nfnetlink_log is used +in the OUTPUT/FORWARD/POSTROUTING hooks on packets forwarded from or to a +bridge it crashes when trying to dereference skb->nf_bridge->physoutdev. + +Reported by Holger Eitzenberger + +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nfnetlink_log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -491,7 +491,7 @@ __build_packet_message(struct nfulnl_ins + * for physical device (when called from ipv4) */ + NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV, + sizeof(tmp_uint), &tmp_uint); +- if (skb->nf_bridge) { ++ if (skb->nf_bridge && skb->nf_bridge->physoutdev) { + tmp_uint = + htonl(skb->nf_bridge->physoutdev->ifindex); + NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSOUTDEV, diff --git a/queue-2.6.20/nfnetlink_log-fix-null-pointer-dereference.patch b/queue-2.6.20/nfnetlink_log-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..0be750860ea --- /dev/null +++ b/queue-2.6.20/nfnetlink_log-fix-null-pointer-dereference.patch @@ -0,0 +1,77 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 13:37:25 2007 +From: Micha Mirosaw +Date: Wed, 7 Mar 2007 22:34:34 +0100 (MET) +Subject: nfnetlink_log: fix NULL pointer dereference +To: stable@kernel.org +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , +Message-ID: <20070307213355.22306.23166.sendpatchset@localhost.localdomain> + +From: Micha Mirosaw + +[NETFILTER]: nfnetlink_log: fix NULL pointer dereference + +Fix the nasty NULL dereference on multiple packets per netlink message. + +BUG: unable to handle kernel NULL pointer dereference at virtual address 00000004 + printing eip: +f8a4b3bf +*pde = 00000000 +Oops: 0002 [#1] +SMP +Modules linked in: nfnetlink_log ipt_ttl ipt_REDIRECT xt_tcpudp iptable_nat nf_nat nf_conntrack +_ipv4 xt_state ipt_ipp2p xt_NFLOG xt_hashlimit ip6_tables iptable_filter xt_multiport xt_mark i +pt_set iptable_raw xt_MARK iptable_mangle ip_tables cls_fw cls_u32 sch_esfq sch_htb ip_set_ipma +p ip_set ipt_ULOG x_tables dm_snapshot dm_mirror loop e1000 parport_pc parport e100 floppy ide_ +cd cdrom +CPU: 0 +EIP: 0060:[] Not tainted VLI +EFLAGS: 00010206 (2.6.20 #5) +EIP is at __nfulnl_send+0x24/0x51 [nfnetlink_log] +eax: 00000000 ebx: f2b5cbc0 ecx: c03f5f54 edx: c03f4000 +esi: f2b5cbc8 edi: c03f5f54 ebp: f8a4b3ec esp: c03f5f30 +ds: 007b es: 007b ss: 0068 +Process swapper (pid: 0, ti=c03f4000 task=c03bece0 task.ti=c03f4000) +Stack: f2b5cbc0 f8a4b401 00000100 c0444080 c012af49 00000000 f6f19100 f6f19000 + c1707800 c03f5f54 c03f5f54 00000123 00000021 c03e8d08 c0426380 00000009 + c0126932 00000000 00000046 c03e9980 c03e6000 0047b007 c01269bd 00000000 +Call Trace: + [] nfulnl_timer+0x15/0x25 [nfnetlink_log] + [] run_timer_softirq+0x10a/0x164 + [] __do_softirq+0x60/0xba + [] do_softirq+0x31/0x35 + [] do_IRQ+0x62/0x74 + [] common_interrupt+0x23/0x28 + [] default_idle+0x0/0x3f + [] default_idle+0x2d/0x3f + [] cpu_idle+0xa0/0xb9 + [] start_kernel+0x1a8/0x1ac + [] unknown_bootoption+0x0/0x181 + ======================= +Code: 5e 5f 5b 5e 5f 5d c3 53 89 c3 8d 40 1c 83 7b 1c 00 74 05 e8 2c ee 6d c7 83 7b 14 00 75 04 + 31 c0 eb 34 83 7b 10 01 76 09 8b 43 18 <66> c7 40 04 03 00 8b 53 34 8b 43 14 b9 40 00 00 00 e8 + 08 9a 84 +EIP: [] __nfulnl_send+0x24/0x51 [nfnetlink_log] SS:ESP 0068:c03f5f30 + <0>Kernel panic - not syncing: Fatal exception in interrupt + <0>Rebooting in 5 seconds.. + +Panic no more! + +Signed-off-by: Micha Mirosaw +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + + +--- + net/netfilter/nfnetlink_log.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -564,6 +564,7 @@ __build_packet_message(struct nfulnl_ins + } + + nlh->nlmsg_len = inst->skb->tail - old_tail; ++ inst->lastnlh = nlh; + return 0; + + nlmsg_failure: diff --git a/queue-2.6.20/nfnetlink_log-fix-possible-null-pointer-dereference.patch b/queue-2.6.20/nfnetlink_log-fix-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..cfdf0f28412 --- /dev/null +++ b/queue-2.6.20/nfnetlink_log-fix-possible-null-pointer-dereference.patch @@ -0,0 +1,42 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 13:38:18 2007 +From: Michal Miroslaw +Date: Wed, 7 Mar 2007 22:34:36 +0100 (MET) +Subject: nfnetlink_log: fix possible NULL pointer dereference +To: stable@kernel.org +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , +Message-ID: <20070307213356.22306.90917.sendpatchset@localhost.localdomain> + +From: Michal Miroslaw + +[NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference + +Eliminate possible NULL pointer dereference in nfulnl_recv_config(). + +Signed-off-by: Michal Miroslaw +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nfnetlink_log.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -867,6 +867,9 @@ nfulnl_recv_config(struct sock *ctnl, st + ret = -EINVAL; + break; + } ++ ++ if (!inst) ++ goto out; + } else { + if (!inst) { + UDEBUG("no config command, and no instance for " +@@ -920,6 +923,7 @@ nfulnl_recv_config(struct sock *ctnl, st + + out_put: + instance_put(inst); ++out: + return ret; + } + diff --git a/queue-2.6.20/nfnetlink_log-fix-reference-counting.patch b/queue-2.6.20/nfnetlink_log-fix-reference-counting.patch new file mode 100644 index 00000000000..4e6138da3a3 --- /dev/null +++ b/queue-2.6.20/nfnetlink_log-fix-reference-counting.patch @@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 13:37:14 2007 +From: Michal Miroslaw +Date: Wed, 7 Mar 2007 22:34:39 +0100 (MET) +Subject: nfnetlink_log: fix reference counting +To: stable@kernel.org +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , +Message-ID: <20070307213359.22306.49771.sendpatchset@localhost.localdomain> + +From: Michal Miroslaw + +[NETFILTER]: nfnetlink_log: fix reference counting + +Fix reference counting (memory leak) problem in __nfulnl_send() and callers +related to packet queueing. + +Signed-off-by: Michal Miroslaw +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nfnetlink_log.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -220,7 +220,8 @@ _instance_destroy2(struct nfulnl_instanc + /* timer "holds" one reference (we have one more) */ + if (timer_pending(&inst->timer)) { + del_timer(&inst->timer); +- instance_put(inst); ++ ++instance_put(inst); + } + if (inst->qlen) + __nfulnl_send(inst); diff --git a/queue-2.6.20/nfnetlink_log-fix-reference-leak.patch b/queue-2.6.20/nfnetlink_log-fix-reference-leak.patch new file mode 100644 index 00000000000..bb47aeeafbc --- /dev/null +++ b/queue-2.6.20/nfnetlink_log-fix-reference-leak.patch @@ -0,0 +1,46 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 13:36:01 2007 +From: Patrick McHardy +Date: Wed, 7 Mar 2007 22:34:32 +0100 (MET) +Subject: nfnetlink_log: fix reference leak +To: stable@kernel.org +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , +Message-ID: <20070307213352.22306.5081.sendpatchset@localhost.localdomain> + +From: Patrick McHardy + +[NETFILTER]: nfnetlink_log: fix reference leak + +Stop reference leaking in nfulnl_log_packet(). If we start a timer we +are already taking another reference. + +Signed-off-by: Michal Miroslaw +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + + +--- + net/netfilter/nfnetlink_log.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -720,15 +720,16 @@ nfulnl_log_packet(unsigned int pf, + inst->timer.expires = jiffies + (inst->flushtimeout*HZ/100); + add_timer(&inst->timer); + } +- spin_unlock_bh(&inst->lock); + ++unlock_and_release: ++ spin_unlock_bh(&inst->lock); ++ instance_put(inst); + return; + + alloc_failure: +- spin_unlock_bh(&inst->lock); +- instance_put(inst); + UDEBUG("error allocating skb\n"); + /* FIXME: statistics */ ++ goto unlock_and_release; + } + + static int diff --git a/queue-2.6.20/nfnetlink_log-fix-use-after-free.patch b/queue-2.6.20/nfnetlink_log-fix-use-after-free.patch new file mode 100644 index 00000000000..94b65049383 --- /dev/null +++ b/queue-2.6.20/nfnetlink_log-fix-use-after-free.patch @@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 13:37:47 2007 +From: Patrick McHardy +Date: Wed, 7 Mar 2007 22:34:33 +0100 (MET) +Subject: nfnetlink_log: fix use after free +To: stable@kernel.org +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , +Message-ID: <20070307213354.22306.58320.sendpatchset@localhost.localdomain> + +From: Patrick McHardy + +[NETFILTER]: nfnetlink_log: fix use after free + +Paranoia: instance_put() might have freed the inst pointer when we +spin_unlock_bh(). + +Signed-off-by: Michal Miroslaw +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nfnetlink_log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -397,8 +397,8 @@ static void nfulnl_timer(unsigned long d + if (timer_pending(&inst->timer)) /* is it always true or false here? */ + del_timer(&inst->timer); + __nfulnl_send(inst); +- instance_put(inst); + spin_unlock_bh(&inst->lock); ++ instance_put(inst); + } + + /* This is an inline function, we don't really care about a long diff --git a/queue-2.6.20/nfnetlink_log-zero-terminate-prefix.patch b/queue-2.6.20/nfnetlink_log-zero-terminate-prefix.patch new file mode 100644 index 00000000000..e500192db05 --- /dev/null +++ b/queue-2.6.20/nfnetlink_log-zero-terminate-prefix.patch @@ -0,0 +1,33 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 13:37:36 2007 +From: Patrick McHardy +Date: Wed, 7 Mar 2007 22:34:43 +0100 (MET) +Subject: nfnetlink_log: zero-terminate prefix +To: stable@kernel.org +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , +Message-ID: <20070307213404.22306.77575.sendpatchset@localhost.localdomain> + +From: Patrick McHardy + +[NETFILTER]: nfnetlink_log: zero-terminate prefix + +Userspace expects a zero-terminated string, so include the trailing +zero in the netlink message. + +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nfnetlink_log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -620,7 +620,7 @@ nfulnl_log_packet(unsigned int pf, + + plen = 0; + if (prefix) +- plen = strlen(prefix); ++ plen = strlen(prefix) + 1; + + /* all macros expand to constant values at compile time */ + /* FIXME: do we want to make the size calculation conditional based on diff --git a/queue-2.6.20/series b/queue-2.6.20/series new file mode 100644 index 00000000000..eee3699d905 --- /dev/null +++ b/queue-2.6.20/series @@ -0,0 +1,20 @@ +conntrack-fix-nf-ip-_ct_iterate_cleanup-endless-loops.patch +nf_conntrack-nf_nat-fix-incorrect-config-ifdefs.patch +tcp-conntrack-accept-syn-urg-as-valid.patch +nfnetlink_log-fix-reference-leak.patch +nfnetlink_log-fix-use-after-free.patch +nfnetlink_log-fix-null-pointer-dereference.patch +nfnetlink_log-fix-possible-null-pointer-dereference.patch +ip6_route_me_harder-should-take-into-account-mark.patch +nf_conntrack-fix-incorrect-classification-of-ipv6-fragments-as-established.patch +nfnetlink_log-zero-terminate-prefix.patch +nfnetlink_log-fix-crash-on-bridged-packet.patch +nfnetlink_log-fix-reference-counting.patch +fix-bug-7994-sleeping-function-called-from-invalid-context.patch +bcm43xx-fix-problem-with-1-gb-ram.patch +fix-compat_getsockopt.patch +fix-for-bugzilla-7544.patch +fix-callback-bug-in-connector.patch +fix-sparc64-device-register-probing.patch +fix-timewait-jiffies.patch +fix-udp-header-pointer-after-pskb_trim_rcsum.patch diff --git a/queue-2.6.20/tcp-conntrack-accept-syn-urg-as-valid.patch b/queue-2.6.20/tcp-conntrack-accept-syn-urg-as-valid.patch new file mode 100644 index 00000000000..e0fe537817d --- /dev/null +++ b/queue-2.6.20/tcp-conntrack-accept-syn-urg-as-valid.patch @@ -0,0 +1,52 @@ +From stable-bounces@linux.kernel.org Wed Mar 7 13:36:11 2007 +From: Patrick McHardy +Date: Wed, 7 Mar 2007 22:34:30 +0100 (MET) +Subject: tcp conntrack: accept SYN|URG as valid +To: stable@kernel.org +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , +Message-ID: <20070307213351.22306.59582.sendpatchset@localhost.localdomain> + +From: Patrick McHardy + +[NETFILTER]: tcp conntrack: accept SYN|URG as valid + +Some stacks apparently send packets with SYN|URG set. Linux accepts +these packets, so TCP conntrack should to. + +Pointed out by Martijn Posthuma . + +Signed-off-by: Patrick McHardy + +--- + net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 4 +++- + net/netfilter/nf_conntrack_proto_tcp.c | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c ++++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c +@@ -821,8 +821,10 @@ void ip_conntrack_tcp_update(struct sk_b + static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] = + { + [TH_SYN] = 1, +- [TH_SYN|TH_ACK] = 1, + [TH_SYN|TH_PUSH] = 1, ++ [TH_SYN|TH_URG] = 1, ++ [TH_SYN|TH_PUSH|TH_URG] = 1, ++ [TH_SYN|TH_ACK] = 1, + [TH_SYN|TH_ACK|TH_PUSH] = 1, + [TH_RST] = 1, + [TH_RST|TH_ACK] = 1, +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -778,8 +778,10 @@ EXPORT_SYMBOL_GPL(nf_conntrack_tcp_updat + static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] = + { + [TH_SYN] = 1, +- [TH_SYN|TH_ACK] = 1, + [TH_SYN|TH_PUSH] = 1, ++ [TH_SYN|TH_URG] = 1, ++ [TH_SYN|TH_PUSH|TH_URG] = 1, ++ [TH_SYN|TH_ACK] = 1, + [TH_SYN|TH_ACK|TH_PUSH] = 1, + [TH_RST] = 1, + [TH_RST|TH_ACK] = 1,