From: Chris Wright Date: Thu, 11 Jan 2007 01:02:04 +0000 (-0800) Subject: queue up current outstanding 2.6.19-stable patches X-Git-Tag: v2.6.19.2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2223d3521f413ab0a142df60fe6411a3b02fd9d5;p=thirdparty%2Fkernel%2Fstable-queue.git queue up current outstanding 2.6.19-stable patches --- diff --git a/queue-2.6.19/check-for-populated-zone-in-__drain_pages.patch b/queue-2.6.19/check-for-populated-zone-in-__drain_pages.patch new file mode 100644 index 00000000000..68c0a2ff166 --- /dev/null +++ b/queue-2.6.19/check-for-populated-zone-in-__drain_pages.patch 
@@ -0,0 +1,52 @@ +From stable-bounces@linux.kernel.org Sun Jan 7 14:34:05 2007 +Date: Fri, 5 Jan 2007 16:37:02 -0800 +From: Andrew Morton +To: stable@kernel.org +Message-Id: <20070107142630.7eeaf09f.akpm@osdl.org> +Cc: Christoph Lameter , Mauro Carvalho Chehab +Subject: [PATCH] Check for populated zone in __drain_pages + +From: Christoph Lameter + +Both process_zones() and drain_node_pages() check for populated zones +before touching pagesets. However, __drain_pages does not do so, + +This may result in a NULL pointer dereference for pagesets in unpopulated +zones if a NUMA setup is combined with cpu hotplug. + +Initially the unpopulated zone has the pcp pointers pointing to the boot +pagesets. Since the zone is not populated the boot pageset pointers will +not be changed during page allocator and slab bootstrap. + +If a cpu is later brought down (first call to __drain_pages()) then the pcp +pointers for cpus in unpopulated zones are set to NULL since __drain_pages +does not first check for an unpopulated zone. + +If the cpu is then brought up again then we call process_zones() which will +ignore the unpopulated zone. So the pageset pointers will still be NULL. + +If the cpu is then again brought down then __drain_pages will attempt to +drain pages by following the NULL pageset pointer for unpopulated zones. + +Signed-off-by: Christoph Lameter +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +--- +http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f2e12bb272f2544d1504f982270e90ae3dcc4ff2 + + mm/page_alloc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- linux-2.6.19.2.orig/mm/page_alloc.c ++++ linux-2.6.19.2/mm/page_alloc.c +@@ -710,6 +710,9 @@ static void __drain_pages(unsigned int c + for_each_zone(zone) { + struct per_cpu_pageset *pset; + ++ if (!populated_zone(zone)) ++ continue; ++ + pset = zone_pcp(zone, cpu); + for (i = 0; i < ARRAY_SIZE(pset->pcp); i++) { + struct per_cpu_pages *pcp; 
diff --git a/queue-2.6.19/fix-hwrng-built-in-initcalls-priority.patch b/queue-2.6.19/fix-hwrng-built-in-initcalls-priority.patch new file mode 100644 index 00000000000..1207d7222bb --- /dev/null +++ b/queue-2.6.19/fix-hwrng-built-in-initcalls-priority.patch 
@@ -0,0 +1,81 @@ +From stable-bounces@linux.kernel.org Mon Jan 8 07:43:33 2007 +From: Michael Buesch +To: Andrew Morton +Date: Mon, 8 Jan 2007 16:34:54 +0100 +Message-Id: <200701081634.55078.mb@bu3sch.de> +Cc: Linus Torvalds , dsaxena@plexity.net, jgarzik@redhat.com, info-linux@geode.amd.com, stable@kernel.org +Subject: [stable] [PATCH] Fix HWRNG built-in initcalls priority + +This changes all HWRNG driver initcalls to module_init(). +We must probe the RNGs after the major kernel subsystems +are already up and running (like PCI). +This fixes Bug 7730. +http://bugzilla.kernel.org/show_bug.cgi?id=7730 + +Signed-off-by: Michael Buesch +Signed-off-by: Chris Wright +--- +Not upstream yet. + + drivers/char/hw_random/amd-rng.c | 2 +- + drivers/char/hw_random/geode-rng.c | 2 +- + drivers/char/hw_random/intel-rng.c | 2 +- + drivers/char/hw_random/ixp4xx-rng.c | 2 +- + drivers/char/hw_random/via-rng.c | 2 +- + 5 files changed, 5 insertions(+), 5 deletions(-) + +--- linux-2.6.19.2.orig/drivers/char/hw_random/amd-rng.c ++++ linux-2.6.19.2/drivers/char/hw_random/amd-rng.c +@@ -144,7 +144,7 @@ static void __exit mod_exit(void) + hwrng_unregister(&amd_rng); + } + +-subsys_initcall(mod_init); ++module_init(mod_init); + module_exit(mod_exit); + + MODULE_AUTHOR("The Linux Kernel team"); +--- linux-2.6.19.2.orig/drivers/char/hw_random/geode-rng.c ++++ linux-2.6.19.2/drivers/char/hw_random/geode-rng.c +@@ -125,7 +125,7 @@ static void __exit mod_exit(void) + iounmap(mem); + } + +-subsys_initcall(mod_init); ++module_init(mod_init); + module_exit(mod_exit); + + MODULE_DESCRIPTION("H/W RNG driver for AMD Geode LX CPUs"); +--- linux-2.6.19.2.orig/drivers/char/hw_random/intel-rng.c ++++ linux-2.6.19.2/drivers/char/hw_random/intel-rng.c +@@ -350,7 +350,7 @@ static void __exit mod_exit(void) + iounmap(mem); + } + +-subsys_initcall(mod_init); ++module_init(mod_init); + module_exit(mod_exit); + + MODULE_DESCRIPTION("H/W RNG driver for Intel chipsets"); +--- 
linux-2.6.19.2.orig/drivers/char/hw_random/ixp4xx-rng.c ++++ linux-2.6.19.2/drivers/char/hw_random/ixp4xx-rng.c +@@ -64,7 +64,7 @@ static void __exit ixp4xx_rng_exit(void) + iounmap(rng_base); + } + +-subsys_initcall(ixp4xx_rng_init); ++module_init(ixp4xx_rng_init); + module_exit(ixp4xx_rng_exit); + + MODULE_AUTHOR("Deepak Saxena "); +--- linux-2.6.19.2.orig/drivers/char/hw_random/via-rng.c ++++ linux-2.6.19.2/drivers/char/hw_random/via-rng.c +@@ -176,7 +176,7 @@ static void __exit mod_exit(void) + hwrng_unregister(&via_rng); + } + +-subsys_initcall(mod_init); ++module_init(mod_init); + module_exit(mod_exit); + + MODULE_DESCRIPTION("H/W RNG driver for VIA chipsets"); diff --git a/queue-2.6.19/i2c-m41t00-do-not-forget-to-write-year.patch b/queue-2.6.19/i2c-m41t00-do-not-forget-to-write-year.patch new file mode 100644 index 00000000000..b7777d70644 --- /dev/null +++ b/queue-2.6.19/i2c-m41t00-do-not-forget-to-write-year.patch 
@@ -0,0 +1,33 @@ +From stable-bounces@linux.kernel.org Sun Jan 7 03:16:40 2007 +Date: Sun, 7 Jan 2007 12:09:21 +0100 +From: Jean Delvare +To: stable@kernel.org +Message-Id: <20070107120921.3757f32f.khali@linux-fr.org> +Cc: Philippe De Muyter +Subject: i2c/m41t00: Do not forget to write year + +From: Philippe De Muyter + +m41t00.c forgets to set the year field in set_rtc_time; fix that. + +Signed-off-by: Philippe De Muyter +Acked-by: Mark A. Greer +Signed-off-by: Jean Delvare +Signed-off-by: Chris Wright +--- +Merged in 2.6.20-rc4: +http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=81ffbc04a8ea06c4bea534154f49ed598013ee6b + + drivers/i2c/chips/m41t00.c | 1 + + 1 file changed, 1 insertion(+) + +--- linux-2.6.19.2.orig/drivers/i2c/chips/m41t00.c ++++ linux-2.6.19.2/drivers/i2c/chips/m41t00.c +@@ -209,6 +209,7 @@ m41t00_set(void *arg) + buf[m41t00_chip->hour] = (buf[m41t00_chip->hour] & ~0x3f) | (hour& 0x3f); + buf[m41t00_chip->day] = (buf[m41t00_chip->day] & ~0x3f) | (day & 0x3f); + buf[m41t00_chip->mon] = (buf[m41t00_chip->mon] & ~0x1f) | (mon & 0x1f); ++ buf[m41t00_chip->year] = year; + + if (i2c_master_send(save_client, wbuf, 9) < 0) + dev_err(&save_client->dev, "m41t00_set: Write error\n"); diff --git a/queue-2.6.19/i2c-mv64xxx-fix-random-oops-at-boot.patch b/queue-2.6.19/i2c-mv64xxx-fix-random-oops-at-boot.patch new file mode 100644 index 00000000000..a09586c5f23 --- /dev/null +++ b/queue-2.6.19/i2c-mv64xxx-fix-random-oops-at-boot.patch 
@@ -0,0 +1,71 @@ +From stable-bounces@linux.kernel.org Sun Jan 7 02:57:04 2007 +Date: Sun, 7 Jan 2007 11:49:48 +0100 +From: Jean Delvare +To: stable@kernel.org +Message-Id: <20070107114948.2261a8aa.khali@linux-fr.org> +Cc: Maxime Bizon +Subject: i2c-mv64xxx: Fix random oops at boot + +From: Maxime Bizon + +I have a Marvell board which has the same i2c hw block than mv64xxx, so +I'm trying to use i2c-mv64xxx driver. + +But I get the following random oops at boot: + +Unable to handle kernel NULL pointer dereference at virtual address 00000002 +Backtrace: +[] (mv64xxx_i2c_intr+0x0/0x2b8) from [] (__do_irq+0x4c/0x8c) +[] (__do_irq+0x0/0x8c) from [] (do_level_IRQ+0x68/0xc0) + r8 = C0501E08 r7 = 00000005 r6 = C0501E08 r5 = 00000005 + r4 = C048BB78 +[] (do_level_IRQ+0x0/0xc0) from [] (asm_do_IRQ+0x50/0x134) + r6 = C0449C78 r5 = F1020000 r4 = FFFFFFFF +[] (asm_do_IRQ+0x0/0x134) from [] (__irq_svc+0x24/0x100) + r8 = C1CAC400 r7 = 00000005 r6 = 00000002 r5 = F1020000 + r4 = FFFFFFFF +[] (setup_irq+0x0/0x124) from [] (request_irq+0xb0/0xd0) + r7 = C041B2AC r6 = C0397E4C r5 = 00000000 r4 = 00000005 +[] (request_irq+0x0/0xd0) from [] (mv64xxx_i2c_probe+0x148/0x244) +[] (mv64xxx_i2c_probe+0x0/0x244) from [] (platform_drv_probe+0x20/0x24) + + +The oops is caused by a spurious interrupt that occurs when request_irq +is called. mv64xxx_i2c_fsm() tries to read drv_data->msg, which is NULL. + +I noticed that hardware init is done after requesting irq. Thus any +pending irq from previous hardware usage may cause this. + +The following patch fixes it: + +Signed-off-by: Maxime Bizon +Acked-by: Mark A. 
Greer +Signed-off-by: Jean Delvare +Signed-off-by: Chris Wright +--- +Merged in 2.6.20-rc4: +http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3269bb63eb076318ce4fb554851d047e1c9aa1a5 + + drivers/i2c/busses/i2c-mv64xxx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.19.2.orig/drivers/i2c/busses/i2c-mv64xxx.c ++++ linux-2.6.19.2/drivers/i2c/busses/i2c-mv64xxx.c +@@ -529,6 +529,8 @@ mv64xxx_i2c_probe(struct platform_device + platform_set_drvdata(pd, drv_data); + i2c_set_adapdata(&drv_data->adapter, drv_data); + ++ mv64xxx_i2c_hw_init(drv_data); ++ + if (request_irq(drv_data->irq, mv64xxx_i2c_intr, 0, + MV64XXX_I2C_CTLR_NAME, drv_data)) { + dev_err(&drv_data->adapter.dev, +@@ -542,8 +544,6 @@ mv64xxx_i2c_probe(struct platform_device + goto exit_free_irq; + } + +- mv64xxx_i2c_hw_init(drv_data); +- + return 0; + + exit_free_irq: diff --git a/queue-2.6.19/ib-mthca-fix-off-by-one-in-fmr-handling-on-memfree.patch b/queue-2.6.19/ib-mthca-fix-off-by-one-in-fmr-handling-on-memfree.patch new file mode 100644 index 00000000000..588cabc40ba --- /dev/null +++ b/queue-2.6.19/ib-mthca-fix-off-by-one-in-fmr-handling-on-memfree.patch 
@@ -0,0 +1,44 @@ +From stable-bounces@linux.kernel.org Wed Jan 10 13:45:03 2007 +To: stable@kernel.org +From: Roland Dreier +Date: Wed, 10 Jan 2007 13:36:54 -0800 +Message-ID: +Cc: "Michael S. Tsirkin" , openib-general@openib.org +Subject: [stable] [PATCH] IB/mthca: Fix off-by-one in FMR handling on memfree + +From: Michael S. Tsirkin + +mthca_table_find() will return the wrong address when the table entry +being searched for is exactly at the beginning of a sglist entry +(other than the first), because it uses >= when it should use >. + +Example: assume we have 2 entries in scatterlist, 4K each, offset is +4K. The current code will return first entry + 4K when we really want +the second entry. + +In particular this means mapping an FMR on a memfree HCA may end up +writing the page table into the wrong place, leading to memory +corruption and also causing the HCA to use an incorrect address +translation table. + +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Roland Dreier +Signed-off-by: Chris Wright +--- +This is upstream, and fixes a data corruption/crash bug with storage +over SRP. + + drivers/infiniband/hw/mthca/mthca_memfree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.19.2.orig/drivers/infiniband/hw/mthca/mthca_memfree.c ++++ linux-2.6.19.2/drivers/infiniband/hw/mthca/mthca_memfree.c +@@ -232,7 +232,7 @@ void *mthca_table_find(struct mthca_icm_ + + list_for_each_entry(chunk, &icm->chunk_list, list) { + for (i = 0; i < chunk->npages; ++i) { +- if (chunk->mem[i].length >= offset) { ++ if (chunk->mem[i].length > offset) { + page = chunk->mem[i].page; + goto out; + } diff --git a/queue-2.6.19/md-pass-down-bio_rw_sync-in-raid-1-10.patch b/queue-2.6.19/md-pass-down-bio_rw_sync-in-raid-1-10.patch new file mode 100644 index 00000000000..08ac4a74612 --- /dev/null +++ b/queue-2.6.19/md-pass-down-bio_rw_sync-in-raid-1-10.patch 
@@ -0,0 +1,157 @@ +From stable-bounces@linux.kernel.org Mon Jan 8 15:10:39 2007 +Date: Mon, 8 Jan 2007 15:02:42 -0800 +From: Andrew Morton +To: Lars Ellenberg +Message-Id: <20070108150242.1b39eda2.akpm@osdl.org> +Cc: Neil Brown , linux-raid@vger.kernel.org, Ingo Molnar , stable@kernel.org, Jens Axboe +Subject: md: pass down BIO_RW_SYNC in raid{1,10} + +From: Lars Ellenberg + +md raidX make_request functions strip off the BIO_RW_SYNC flag, thus +introducing additional latency. + +Fixing this in raid1 and raid10 seems to be straightforward enough. + +For our particular usage case in DRBD, passing this flag improved some +initialization time from ~5 minutes to ~5 seconds. + +Acked-by: NeilBrown +Signed-off-by: Lars Ellenberg +Acked-by: Jens Axboe +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +--- +Not upstream yet. + + drivers/md/raid1.c | 13 +++++++++---- + drivers/md/raid10.c | 11 ++++++++--- + 2 files changed, 17 insertions(+), 7 deletions(-) + +--- linux-2.6.19.2.orig/drivers/md/raid1.c ++++ linux-2.6.19.2/drivers/md/raid1.c +@@ -775,6 +775,7 @@ static int make_request(request_queue_t + struct bio_list bl; + struct page **behind_pages = NULL; + const int rw = bio_data_dir(bio); ++ const int do_sync = bio_sync(bio); + int do_barriers; + + /* +@@ -835,7 +836,7 @@ static int make_request(request_queue_t + read_bio->bi_sector = r1_bio->sector + mirror->rdev->data_offset; + read_bio->bi_bdev = mirror->rdev->bdev; + read_bio->bi_end_io = raid1_end_read_request; +- read_bio->bi_rw = READ; ++ read_bio->bi_rw = READ | do_sync; + read_bio->bi_private = r1_bio; + + generic_make_request(read_bio); +@@ -906,7 +907,7 @@ static int make_request(request_queue_t + mbio->bi_sector = r1_bio->sector + conf->mirrors[i].rdev->data_offset; + mbio->bi_bdev = conf->mirrors[i].rdev->bdev; + mbio->bi_end_io = raid1_end_write_request; +- mbio->bi_rw = WRITE | do_barriers; ++ mbio->bi_rw = WRITE | do_barriers | do_sync; + mbio->bi_private = r1_bio; + + if (behind_pages) { 
+@@ -941,6 +942,8 @@ static int make_request(request_queue_t + blk_plug_device(mddev->queue); + spin_unlock_irqrestore(&conf->device_lock, flags); + ++ if (do_sync) ++ md_wakeup_thread(mddev->thread); + #if 0 + while ((bio = bio_list_pop(&bl)) != NULL) + generic_make_request(bio); +@@ -1541,6 +1544,7 @@ static void raid1d(mddev_t *mddev) + * We already have a nr_pending reference on these rdevs. + */ + int i; ++ const int do_sync = bio_sync(r1_bio->master_bio); + clear_bit(R1BIO_BarrierRetry, &r1_bio->state); + clear_bit(R1BIO_Barrier, &r1_bio->state); + for (i=0; i < conf->raid_disks; i++) +@@ -1561,7 +1565,7 @@ static void raid1d(mddev_t *mddev) + conf->mirrors[i].rdev->data_offset; + bio->bi_bdev = conf->mirrors[i].rdev->bdev; + bio->bi_end_io = raid1_end_write_request; +- bio->bi_rw = WRITE; ++ bio->bi_rw = WRITE | do_sync; + bio->bi_private = r1_bio; + r1_bio->bios[i] = bio; + generic_make_request(bio); +@@ -1593,6 +1597,7 @@ static void raid1d(mddev_t *mddev) + (unsigned long long)r1_bio->sector); + raid_end_bio_io(r1_bio); + } else { ++ const int do_sync = bio_sync(r1_bio->master_bio); + r1_bio->bios[r1_bio->read_disk] = + mddev->ro ? 
IO_BLOCKED : NULL; + r1_bio->read_disk = disk; +@@ -1608,7 +1613,7 @@ static void raid1d(mddev_t *mddev) + bio->bi_sector = r1_bio->sector + rdev->data_offset; + bio->bi_bdev = rdev->bdev; + bio->bi_end_io = raid1_end_read_request; +- bio->bi_rw = READ; ++ bio->bi_rw = READ | do_sync; + bio->bi_private = r1_bio; + unplug = 1; + generic_make_request(bio); +--- linux-2.6.19.2.orig/drivers/md/raid10.c ++++ linux-2.6.19.2/drivers/md/raid10.c +@@ -782,6 +782,7 @@ static int make_request(request_queue_t + int i; + int chunk_sects = conf->chunk_mask + 1; + const int rw = bio_data_dir(bio); ++ const int do_sync = bio_sync(bio); + struct bio_list bl; + unsigned long flags; + +@@ -863,7 +864,7 @@ static int make_request(request_queue_t + mirror->rdev->data_offset; + read_bio->bi_bdev = mirror->rdev->bdev; + read_bio->bi_end_io = raid10_end_read_request; +- read_bio->bi_rw = READ; ++ read_bio->bi_rw = READ | do_sync; + read_bio->bi_private = r10_bio; + + generic_make_request(read_bio); +@@ -909,7 +910,7 @@ static int make_request(request_queue_t + conf->mirrors[d].rdev->data_offset; + mbio->bi_bdev = conf->mirrors[d].rdev->bdev; + mbio->bi_end_io = raid10_end_write_request; +- mbio->bi_rw = WRITE; ++ mbio->bi_rw = WRITE | do_sync; + mbio->bi_private = r10_bio; + + atomic_inc(&r10_bio->remaining); +@@ -922,6 +923,9 @@ static int make_request(request_queue_t + blk_plug_device(mddev->queue); + spin_unlock_irqrestore(&conf->device_lock, flags); + ++ if (do_sync) ++ md_wakeup_thread(mddev->thread); ++ + return 0; + } + +@@ -1563,6 +1567,7 @@ static void raid10d(mddev_t *mddev) + (unsigned long long)r10_bio->sector); + raid_end_bio_io(r10_bio); + } else { ++ const int do_sync = bio_sync(r10_bio->master_bio); + rdev = conf->mirrors[mirror].rdev; + if (printk_ratelimit()) + printk(KERN_ERR "raid10: %s: redirecting sector %llu to" +@@ -1574,7 +1579,7 @@ static void raid10d(mddev_t *mddev) + bio->bi_sector = r10_bio->devs[r10_bio->read_slot].addr + + rdev->data_offset; + bio->bi_bdev = 
rdev->bdev; +- bio->bi_rw = READ; ++ bio->bi_rw = READ | do_sync; + bio->bi_private = r10_bio; + bio->bi_end_io = raid10_end_read_request; + unplug = 1; diff --git a/queue-2.6.19/netfilter-arp_tables-fix-userspace-compilation.patch b/queue-2.6.19/netfilter-arp_tables-fix-userspace-compilation.patch new file mode 100644 index 00000000000..b00952674f3 --- /dev/null +++ b/queue-2.6.19/netfilter-arp_tables-fix-userspace-compilation.patch @@ -0,0 +1,29 @@ +From stable-bounces@linux.kernel.org Tue Jan 9 23:13:06 2007 +From: Patrick McHardy +To: stable@kernel.org +Message-Id: <20070110070450.13495.10693.sendpatchset@localhost.localdomain> +Date: Wed, 10 Jan 2007 08:04:50 +0100 (MET) +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , davem@davemloft.net +Subject: NETFILTER: arp_tables: fix userspace compilation + +The included patch translates arpt_counters to xt_counters, making +userspace arptables compile against recent kernels. + +Signed-off-by: Bart De Schuymer +Signed-off-by: Patrick McHardy +Signed-off-by: Chris Wright +--- + + include/linux/netfilter_arp/arp_tables.h | 1 + + 1 file changed, 1 insertion(+) + +--- linux-2.6.19.2.orig/include/linux/netfilter_arp/arp_tables.h ++++ linux-2.6.19.2/include/linux/netfilter_arp/arp_tables.h +@@ -190,6 +190,7 @@ struct arpt_replace + + /* The argument to ARPT_SO_ADD_COUNTERS. */ + #define arpt_counters_info xt_counters_info ++#define arpt_counters xt_counters + + /* The argument to ARPT_SO_GET_ENTRIES. */ + struct arpt_get_entries diff --git a/queue-2.6.19/netfilter-fix-routing-of-reject-target-generated-packets-in-output-chain.patch b/queue-2.6.19/netfilter-fix-routing-of-reject-target-generated-packets-in-output-chain.patch new file mode 100644 index 00000000000..4a4ebd3dd78 --- /dev/null +++ b/queue-2.6.19/netfilter-fix-routing-of-reject-target-generated-packets-in-output-chain.patch 
@@ -0,0 +1,42 @@ +From stable-bounces@linux.kernel.org Tue Jan 9 23:13:25 2007 +From: Patrick McHardy +To: stable@kernel.org +Message-Id: <20070110070446.13495.72221.sendpatchset@localhost.localdomain> +Date: Wed, 10 Jan 2007 08:04:46 +0100 (MET) +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , davem@davemloft.net +Subject: NETFILTER: Fix routing of REJECT target generated packets in output chain + +Packets generated by the REJECT target in the output chain have a local +destination address and a foreign source address. Make sure not to use +the foreign source address for the output route lookup. + +Signed-off-by: Patrick McHardy +Signed-off-by: Chris Wright +--- + net/ipv4/netfilter.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- linux-2.6.19.2.orig/net/ipv4/netfilter.c ++++ linux-2.6.19.2/net/ipv4/netfilter.c +@@ -15,16 +15,19 @@ int ip_route_me_harder(struct sk_buff ** + struct flowi fl = {}; + struct dst_entry *odst; + unsigned int hh_len; ++ unsigned int type; + ++ type = inet_addr_type(iph->saddr); + if (addr_type == RTN_UNSPEC) +- addr_type = inet_addr_type(iph->saddr); ++ addr_type = type; + + /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause + * packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook. + */ + if (addr_type == RTN_LOCAL) { + fl.nl_u.ip4_u.daddr = iph->daddr; +- fl.nl_u.ip4_u.saddr = iph->saddr; ++ if (type == RTN_LOCAL) ++ fl.nl_u.ip4_u.saddr = iph->saddr; + fl.nl_u.ip4_u.tos = RT_TOS(iph->tos); + fl.oif = (*pskb)->sk ? (*pskb)->sk->sk_bound_dev_if : 0; + #ifdef CONFIG_IP_ROUTE_FWMARK diff --git a/queue-2.6.19/netfilter-nf_conntrack_ipv6-fix-crash-when-handling-fragments.patch b/queue-2.6.19/netfilter-nf_conntrack_ipv6-fix-crash-when-handling-fragments.patch new file mode 100644 index 00000000000..26646f7814b --- /dev/null +++ b/queue-2.6.19/netfilter-nf_conntrack_ipv6-fix-crash-when-handling-fragments.patch 
@@ -0,0 +1,32 @@ +From stable-bounces@linux.kernel.org Tue Jan 9 23:12:49 2007 +From: Patrick McHardy +To: stable@kernel.org +Message-Id: <20070110070447.13495.61360.sendpatchset@localhost.localdomain> +Date: Wed, 10 Jan 2007 08:04:47 +0100 (MET) +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , davem@davemloft.net +Subject: NETFILTER: nf_conntrack_ipv6: fix crash when handling fragments + +When IPv6 connection tracking splits up a defragmented packet into +its original fragments, the packets are taken from a list and are +passed to the network stack with skb->next still set. This causes +dev_hard_start_xmit to treat them as GSO fragments, resulting in +a use after free when connection tracking handles the next fragment. + +Signed-off-by: Patrick McHardy +Signed-off-by: Chris Wright +--- + + net/ipv6/netfilter/nf_conntrack_reasm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- linux-2.6.19.2.orig/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ linux-2.6.19.2/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -835,6 +835,8 @@ void nf_ct_frag6_output(unsigned int hoo + s->nfct_reasm = skb; + + s2 = s->next; ++ s->next = NULL; ++ + NF_HOOK_THRESH(PF_INET6, hooknum, s, in, out, okfn, + NF_IP6_PRI_CONNTRACK_DEFRAG + 1); + s = s2; diff --git a/queue-2.6.19/netfilter-tcp-conntrack-fix-ip_ct_tcp_flag_close_init-value.patch b/queue-2.6.19/netfilter-tcp-conntrack-fix-ip_ct_tcp_flag_close_init-value.patch new file mode 100644 index 00000000000..be57fbda84f --- /dev/null +++ b/queue-2.6.19/netfilter-tcp-conntrack-fix-ip_ct_tcp_flag_close_init-value.patch 
@@ -0,0 +1,29 @@ +From stable-bounces@linux.kernel.org Tue Jan 9 23:12:50 2007 +From: Patrick McHardy +To: stable@kernel.org +Message-Id: <20070110070448.13495.34404.sendpatchset@localhost.localdomain> +Date: Wed, 10 Jan 2007 08:04:49 +0100 (MET) +Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy , davem@davemloft.net +Subject: NETFILTER: tcp conntrack: fix IP_CT_TCP_FLAG_CLOSE_INIT value + +IP_CT_TCP_FLAG_CLOSE_INIT is a flag and should have a value of 0x4 instead +of 0x3, which is IP_CT_TCP_FLAG_WINDOW_SCALE | IP_CT_TCP_FLAG_SACK_PERM. + +Signed-off-by: Patrick McHardy +Signed-off-by: Chris Wright +--- + + include/linux/netfilter/nf_conntrack_tcp.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.19.2.orig/include/linux/netfilter/nf_conntrack_tcp.h ++++ linux-2.6.19.2/include/linux/netfilter/nf_conntrack_tcp.h +@@ -25,7 +25,7 @@ enum tcp_conntrack { + #define IP_CT_TCP_FLAG_SACK_PERM 0x02 + + /* This sender sent FIN first */ +-#define IP_CT_TCP_FLAG_CLOSE_INIT 0x03 ++#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04 + + #ifdef __KERNEL__ + diff --git a/queue-2.6.19/repair-snd-usb-usx2y-over-ohci.patch b/queue-2.6.19/repair-snd-usb-usx2y-over-ohci.patch new file mode 100644 index 00000000000..8c2b4d6ae33 --- /dev/null +++ b/queue-2.6.19/repair-snd-usb-usx2y-over-ohci.patch 
@@ -0,0 +1,46 @@ +From stable-bounces@linux.kernel.org Wed Jan 10 04:41:19 2007 +From: Karsten Wiese +To: Takashi Iwai +Date: Wed, 10 Jan 2007 13:33:27 +0100 +Message-Id: <200701101333.27236.annabellesgarden@yahoo.de> +Cc: Matt Savigear , alsa-devel@lists.sourceforge.net, stable@kernel.org, Rui Capela +Subject: Repair snd-usb-usx2y over OHCI + +From: Karsten Wiese + +The previous patch "Repair snd-usb-usx2y for usb 2.6.18" assumed +urb->start_frame roll over beyond MAX_INT for both UHCI & OHCI. +This isn't true until now (kernel 2.6.20). +Fix this by only looking at the common between OHCI & UHCI Frame number +range. +This is for mainline and stable kernels >= 2.6.18. + +Signed-off-by: Karsten Wiese +Signed-off-by: Chris Wright +--- + sound/usb/usx2y/usbusx2yaudio.c | 2 +- + sound/usb/usx2y/usx2yhwdeppcm.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.19.2.orig/sound/usb/usx2y/usbusx2yaudio.c ++++ linux-2.6.19.2/sound/usb/usx2y/usbusx2yaudio.c +@@ -322,7 +322,7 @@ static void i_usX2Y_urb_complete(struct + usX2Y_error_urb_status(usX2Y, subs, urb); + return; + } +- if (likely(urb->start_frame == usX2Y->wait_iso_frame)) ++ if (likely((urb->start_frame & 0xFFFF) == (usX2Y->wait_iso_frame & 0xFFFF))) + subs->completed_urb = urb; + else { + usX2Y_error_sequence(usX2Y, subs, urb); +--- linux-2.6.19.2.orig/sound/usb/usx2y/usx2yhwdeppcm.c ++++ linux-2.6.19.2/sound/usb/usx2y/usx2yhwdeppcm.c +@@ -243,7 +243,7 @@ static void i_usX2Y_usbpcm_urb_complete( + usX2Y_error_urb_status(usX2Y, subs, urb); + return; + } +- if (likely(urb->start_frame == usX2Y->wait_iso_frame)) ++ if (likely((urb->start_frame & 0xFFFF) == (usX2Y->wait_iso_frame & 0xFFFF))) + subs->completed_urb = urb; + else { + usX2Y_error_sequence(usX2Y, subs, urb); diff --git a/queue-2.6.19/series b/queue-2.6.19/series new file mode 100644 index 00000000000..0f014c2e0b4 --- /dev/null +++ b/queue-2.6.19/series 
@@ -0,0 +1,11 @@ +i2c-mv64xxx-fix-random-oops-at-boot.patch +i2c-m41t00-do-not-forget-to-write-year.patch +check-for-populated-zone-in-__drain_pages.patch +fix-hwrng-built-in-initcalls-priority.patch +md-pass-down-bio_rw_sync-in-raid-1-10.patch +netfilter-fix-routing-of-reject-target-generated-packets-in-output-chain.patch +netfilter-nf_conntrack_ipv6-fix-crash-when-handling-fragments.patch +netfilter-tcp-conntrack-fix-ip_ct_tcp_flag_close_init-value.patch +netfilter-arp_tables-fix-userspace-compilation.patch +repair-snd-usb-usx2y-over-ohci.patch +ib-mthca-fix-off-by-one-in-fmr-handling-on-memfree.patch
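Review bot: In check-for-populated-zone-in-__drain_pages.patch, the new `if (!populated_zone(zone)) continue;` at the top of the for_each_zone() loop in __drain_pages() has no comment, and the reason for it is only in the changelog: the pcp pointers of an unpopulated zone must not be followed or cleared here, because process_zones() will not restore them when the cpu comes back up. A one-line comment above the check saying so would keep it from being dropped later as a redundant test.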
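Review bot: fix-hwrng-built-in-initcalls-priority.patch is marked "Not upstream yet", and its changelog cites Bug 7730 without saying what fails when the five hw_random drivers register through subsys_initcall(). Suggest adding one sentence on the symptom and which subsystem is not yet up at that point (the changelog only says "like PCI"), and citing the mainline commit once it exists, as the two i2c patches in this queue do.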
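Review bot: In i2c-m41t00-do-not-forget-to-write-year.patch, the added `buf[m41t00_chip->year] = year;` in m41t00_set() stores the value unmasked, while the hour, day and mon lines directly above it all merge a masked value into the existing register contents. The conversion of `year` is not visible in the hunk, so please confirm it has already been reduced to a two-digit BCD value at this point, and say in the changelog why no mask is needed for this register.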
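Review bot: In i2c-mv64xxx-fix-random-oops-at-boot.patch, the reorder in mv64xxx_i2c_probe() depends on mv64xxx_i2c_hw_init() clearing whatever interrupt is pending from earlier hardware use, and the patch adds no guard for the case the changelog identifies as the fault, mv64xxx_i2c_fsm() reading drv_data->msg while it is NULL. Suggest stating in the changelog that hw_init resets the pending state, or adding a NULL check on drv_data->msg in the interrupt path so a spurious interrupt after request_irq() is harmless. Also check the failure path: if request_irq() now fails, the controller has already been initialised and the visible error handling does not undo that.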
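Review bot: In ib-mthca-fix-off-by-one-in-fmr-handling-on-memfree.patch, the corrected test `if (chunk->mem[i].length > offset)` in mthca_table_find() is right for the boundary case in the changelog, but the hunk does not show the statement that subtracts the entry length from `offset` when the test fails, and the fix is only complete if that subtraction leaves offset at 0 for the next entry. Please confirm that, and consider a short comment at the comparison giving the changelog's example (two 4K entries, offset 4K must select the second entry), since the consequence of getting it wrong is a page table written to the wrong place.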
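Review bot: In md-pass-down-bio_rw_sync-in-raid-1-10.patch, every `bi_rw = READ | do_sync` and `bi_rw = WRITE | do_sync` assignment in raid1.c and raid10.c relies on bio_sync() returning the flag bit in its bi_rw position rather than a 0/1 truth value, since do_sync is declared `const int` and also used as a boolean in `if (do_sync)`. A comment at the `const int do_sync = bio_sync(bio);` declarations stating that it holds the raw flag bit would make this dependency explicit. The patch is also marked "Not upstream yet", and the raid1 make_request() hunk places the md_wakeup_thread() call directly above an existing `#if 0` block with no blank line, unlike the raid10 hunk.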
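Review bot: In netfilter-fix-routing-of-reject-target-generated-packets-in-output-chain.patch, the new local `type` in ip_route_me_harder() is easy to confuse with the `addr_type` parameter next to it, and the two now mean different things inside the `addr_type == RTN_LOCAL` branch. Suggest naming it `saddr_type`, and extending the existing comment about ipt_REJECT.c:send_reset() to say that fl.nl_u.ip4_u.saddr is deliberately left at zero from `struct flowi fl = {}` when the source address is foreign. Note also that inet_addr_type(iph->saddr) is now called on every invocation, including when the caller passes an explicit addr_type.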
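Review bot: In netfilter-nf_conntrack_ipv6-fix-crash-when-handling-fragments.patch, the added `s->next = NULL;` in nf_ct_frag6_output() needs a comment, because nothing at that line says why the link must be cleared before NF_HOOK_THRESH(). The changelog has the reason (dev_hard_start_xmit treats an skb with ->next set as GSO fragments, which ends in a use after free), and one line to that effect above the assignment would protect it from a later cleanup.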
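Review bot: In netfilter-tcp-conntrack-fix-ip_ct_tcp_flag_close_init-value.patch, the changed `#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04` sits above the `#ifdef __KERNEL__` line in include/linux/netfilter/nf_conntrack_tcp.h, so the value is visible to userspace, and the changelog does not mention that. Anything built against the old header carries 0x03, which the changelog itself notes is IP_CT_TCP_FLAG_WINDOW_SCALE | IP_CT_TCP_FLAG_SACK_PERM. Suggest stating in the changelog whether any userspace consumer reads or sets this flag and needs rebuilding after the stable update.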
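Review bot: In repair-snd-usb-usx2y-over-ohci.patch, the mask 0xFFFF is written out four times across i_usX2Y_urb_complete() and i_usX2Y_usbpcm_urb_complete() with no name or comment, so the link to the changelog's "common between OHCI & UHCI Frame number range" is lost in the code. Suggest a single named macro shared by usbusx2yaudio.c and usx2yhwdeppcm.c with a comment giving the frame counter widths it is derived from, so the two comparisons cannot drift apart.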