From: Chris Wright Date: Wed, 29 Nov 2006 18:41:58 +0000 (-0800) Subject: add another batch of stable patches X-Git-Tag: v2.6.18.4~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=43910b3ccfd9836f00a06fa3b803f29dbd19e9be;p=thirdparty%2Fkernel%2Fstable-queue.git add another batch of stable patches
---
diff --git a/queue-2.6.18/agp-allocate-agp-pages-with-gfp_dma32-by-default.patch b/queue-2.6.18/agp-allocate-agp-pages-with-gfp_dma32-by-default.patch
new file mode 100644
index 00000000000..b94d5479c4c
--- /dev/null
+++ b/queue-2.6.18/agp-allocate-agp-pages-with-gfp_dma32-by-default.patch
@@ -0,0 +1,60 @@ +From stable-bounces@linux.kernel.org Sat Nov 25 22:52:47 2006 +Date: Wed, 22 Nov 2006 23:59:02 GMT +Message-Id: <200611222359.kAMNx2kk029387@hera.kernel.org> +From: davej@redhat.com +To: stable@kernel.org +Subject: AGP: Allocate AGP pages with GFP_DMA32 by default + +From: Linus Torvalds + +Not all graphic page remappers support physical addresses over the 4GB +mark for remapping, so while some do (the AMD64 GART always did, and I +just fixed the i965 to do so properly), we're safest off just forcing +GFP_DMA32 allocations to make sure graphics pages get allocated in the +low 32-bit address space by default. + +AGP sub-drivers that really care, and can do better, could just choose +to implement their own allocator (or we could add another "64-bit safe" +default allocator for their use), but quite frankly, you're not likely +to care in practice. + +So for now, this trivial change means that we won't be allocating pages +that we can't map correctly by mistake on x86-64. + +[ On traditional 32-bit x86, this could never happen, because GFP_KERNEL + would never allocate any highmem memory anyway ] + +Acked-by: Andi Kleen +Acked-by: Dave Jones +Cc: Eric Anholt +Cc: Keith Packard +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +--- + + drivers/char/agp/generic.c | 2 +- + drivers/char/agp/intel-agp.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.18.3.orig/drivers/char/agp/generic.c ++++ linux-2.6.18.3/drivers/char/agp/generic.c +@@ -1042,7 +1042,7 @@ void *agp_generic_alloc_page(struct agp_ + { + struct page * page; + +- page = alloc_page(GFP_KERNEL); ++ page = alloc_page(GFP_KERNEL | GFP_DMA32); + if (page == NULL) + return NULL; + +--- linux-2.6.18.3.orig/drivers/char/agp/intel-agp.c ++++ linux-2.6.18.3/drivers/char/agp/intel-agp.c +@@ -160,7 +160,7 @@ static void *i8xx_alloc_pages(void) + { + struct page * page; + +- page = alloc_pages(GFP_KERNEL, 2); ++ page = alloc_pages(GFP_KERNEL | GFP_DMA32, 2); + if (page 
== NULL) + return NULL; + diff --git a/queue-2.6.18/alpha-fix-alpha_ev56-dependencies-typo.patch b/queue-2.6.18/alpha-fix-alpha_ev56-dependencies-typo.patch new file mode 100644 index 00000000000..680884e10f4 --- /dev/null +++ b/queue-2.6.18/alpha-fix-alpha_ev56-dependencies-typo.patch @@ -0,0 +1,34 @@ +From stable-bounces@linux.kernel.org Mon Nov 20 09:12:55 2006 +Message-ID: <4561E013.2010801@gentoo.org> +Date: Mon, 20 Nov 2006 12:04:19 -0500 +From: Daniel Drake +To: stable@kernel.org +Cc: ferdy@gentoo.org +Subject: alpha: Fix ALPHA_EV56 dependencies typo + +From: Fernando J. Pereda + +There appears to be a typo in the EV56 config option. NORITAKE and PRIMO are +be able to set a variation of either. + +Signed-off-by: Daniel Drake +Cc: Richard Henderson +Cc: Ivan Kokshaysky +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +--- + arch/alpha/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.18.3.orig/arch/alpha/Kconfig ++++ linux-2.6.18.3/arch/alpha/Kconfig +@@ -381,7 +381,7 @@ config ALPHA_EV56 + + config ALPHA_EV56 + prompt "EV56 CPU (speed >= 333MHz)?" +- depends on ALPHA_NORITAKE && ALPHA_PRIMO ++ depends on ALPHA_NORITAKE || ALPHA_PRIMO + + config ALPHA_EV56 + prompt "EV56 CPU (speed >= 400MHz)?" diff --git a/queue-2.6.18/bluetooth-fix-unaligned-access-in-hci_send_to_sock.patch b/queue-2.6.18/bluetooth-fix-unaligned-access-in-hci_send_to_sock.patch new file mode 100644 index 00000000000..bfc9e078d1c --- /dev/null +++ b/queue-2.6.18/bluetooth-fix-unaligned-access-in-hci_send_to_sock.patch 
@@ -0,0 +1,41 @@
+From stable-bounces@linux.kernel.org Wed Nov 22 03:25:19 2006
+From: maks@sternwelten.at
+Date: Wed, 22 Nov 2006 02:59:08 GMT
+Message-Id: <200611220259.kAM2x8mT004945@hera.kernel.org>
+To: stable@kernel.org
+Subject: BLUETOOTH: Fix unaligned access in hci_send_to_sock.
+
+From: David S. Miller
+
+The "u16 *" derefs of skb->data need to be wrapped inside of
+a get_unaligned().
+
+Thanks to Gustavo Zacarias for the bug report.
+
+Signed-off-by: David S. Miller
+Signed-off-by: Chris Wright
+---
+
+ net/bluetooth/hci_sock.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- linux-2.6.18.3.orig/net/bluetooth/hci_sock.c
++++ linux-2.6.18.3/net/bluetooth/hci_sock.c
+@@ -120,10 +120,13 @@ void hci_send_to_sock(struct hci_dev *hd
+ if (!hci_test_bit(evt, &flt->event_mask))
+ continue;
+
+- if (flt->opcode && ((evt == HCI_EV_CMD_COMPLETE &&
+- flt->opcode != *(__u16 *)(skb->data + 3)) ||
+- (evt == HCI_EV_CMD_STATUS &&
+- flt->opcode != *(__u16 *)(skb->data + 4))))
++ if (flt->opcode &&
++ ((evt == HCI_EV_CMD_COMPLETE &&
++ flt->opcode !=
++ get_unaligned((__u16 *)(skb->data + 3))) ||
++ (evt == HCI_EV_CMD_STATUS &&
++ flt->opcode !=
++ get_unaligned((__u16 *)(skb->data + 4)))))
+ continue;
+ }
+
diff --git a/queue-2.6.18/bte_unaligned_copy-transfers-one-extra-cache-line.patch b/queue-2.6.18/bte_unaligned_copy-transfers-one-extra-cache-line.patch
new file mode 100644
index 00000000000..7a4f422e7e6
--- /dev/null
+++ b/queue-2.6.18/bte_unaligned_copy-transfers-one-extra-cache-line.patch
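Review bot: The two `get_unaligned()` reads at `skb->data + 3` and `skb->data + 4` in the rewritten condition are not preceded, within this hunk, by any test that the event packet is long enough to hold a 16-bit value at those offsets. If no earlier check exists in hci_send_to_sock() (its body starts and ends outside the hunk), a short event would make the filter compare against bytes past the packet data. I would add a length guard to each arm, for example `skb->len >= 5 &&` before the HCI_EV_CMD_COMPLETE comparison and `skb->len >= 6 &&` before the HCI_EV_CMD_STATUS one, plus a one-line comment naming what the offsets 3 and 4 refer to in the two event layouts.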
@@ -0,0 +1,45 @@
+From cbf093e8c7447a202e376199cc017161262bd7cd Mon Sep 17 00:00:00 2001
+From: Robin Holt
+Date: Tue, 14 Nov 2006 20:50:59 -0600
+Subject: IA64: bte_unaligned_copy() transfers one extra cache line.
+
+When called to do a transfer that has a start offset within the cache
+line which is uneven between source and destination and a length which
+terminates the source of the copy exactly on a cache line, one extra
+line gets copied into a temporary buffer. This is normally not an issue
+since the buffer is a kernel buffer and only the requested information
+gets copied into the user buffer.
+
+The problem arises when the source ends at the very last physical page
+of memory. That last cache line does not exist and results in the SHUB
+chip raising an MCA.
+
+Signed-off-by: Robin Holt
+Signed-off-by: Dean Nelson
+Signed-off-by: Tony Luck
+Signed-off-by: Chris Wright
+---
+ arch/ia64/sn/kernel/bte.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- linux-2.6.18.3.orig/arch/ia64/sn/kernel/bte.c
++++ linux-2.6.18.3/arch/ia64/sn/kernel/bte.c
+@@ -382,14 +382,13 @@ bte_result_t bte_unaligned_copy(u64 src,
+ * bcopy to the destination.
+ */
+
+- /* Add the leader from source */
+- headBteLen = len + (src & L1_CACHE_MASK);
+- /* Add the trailing bytes from footer. */
+- headBteLen += L1_CACHE_BYTES - (headBteLen & L1_CACHE_MASK);
+- headBteSource = src & ~L1_CACHE_MASK;
+ headBcopySrcOffset = src & L1_CACHE_MASK;
+ headBcopyDest = dest;
+ headBcopyLen = len;
++
++ headBteSource = src - headBcopySrcOffset;
++ /* Add the leading and trailing bytes from source */
++ headBteLen = L1_CACHE_ALIGN(len + headBcopySrcOffset);
+ }
+
+ if (headBcopyLen > 0) {
diff --git a/queue-2.6.18/fuse-fix-oops-in-lookup.patch b/queue-2.6.18/fuse-fix-oops-in-lookup.patch
new file mode 100644
index 00000000000..bba48ccb138
--- /dev/null
+++ b/queue-2.6.18/fuse-fix-oops-in-lookup.patch
@@ -0,0 +1,170 @@ +From stable-bounces@linux.kernel.org Sat Nov 25 11:14:02 2006 +Message-Id: <200611251909.kAPJ9KE5009945@shell0.pdx.osdl.net> +To: torvalds@osdl.org +From: akpm@osdl.org +Date: Sat, 25 Nov 2006 11:09:20 -0800 +Cc: akpm@osdl.org, stable@kernel.org, miklos@szeredi.hu +Subject: fuse: fix Oops in lookup + +From: Miklos Szeredi + +Fix bug in certain error paths of lookup routines. The request object was +reused for sending FORGET, which is illegal. This bug could cause an Oops +in 2.6.18. In earlier versions it might silently corrupt memory, but this +is very unlikely. + +These error paths are never triggered by libfuse, so this wasn't noticed +even with the 2.6.18 kernel, only with a filesystem using the raw kernel +interface. + +Thanks to Russ Cox for the bug report and test filesystem. + +Signed-off-by: Miklos Szeredi +Cc: +Signed-off-by: Andrew Morton +[chrisw: backport to 2.6.18 -stable] +Signed-off-by: Chris Wright +--- + + fs/fuse/dir.c | 52 ++++++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 38 insertions(+), 14 deletions(-) + +--- linux-2.6.18.3.orig/fs/fuse/dir.c ++++ linux-2.6.18.3/fs/fuse/dir.c +@@ -138,6 +138,7 @@ static int fuse_dentry_revalidate(struct + struct fuse_entry_out outarg; + struct fuse_conn *fc; + struct fuse_req *req; ++ struct fuse_req *forget_req; + + /* Doesn't hurt to "reset" the validity timeout */ + fuse_invalidate_entry_cache(entry); +@@ -151,21 +152,29 @@ static int fuse_dentry_revalidate(struct + if (IS_ERR(req)) + return 0; + ++ forget_req = fuse_get_req(fc); ++ if (IS_ERR(forget_req)) { ++ fuse_put_request(fc, req); ++ return 0; ++ } ++ + fuse_lookup_init(req, entry->d_parent->d_inode, entry, &outarg); + request_send(fc, req); + err = req->out.h.error; ++ fuse_put_request(fc, req); + /* Zero nodeid is same as -ENOENT */ + if (!err && !outarg.nodeid) + err = -ENOENT; + if (!err) { + struct fuse_inode *fi = get_fuse_inode(inode); + if (outarg.nodeid != get_node_id(inode)) { +- fuse_send_forget(fc, 
req, outarg.nodeid, 1); ++ fuse_send_forget(fc, forget_req, ++ outarg.nodeid, 1); + return 0; + } + fi->nlookup ++; + } +- fuse_put_request(fc, req); ++ fuse_put_request(fc, forget_req); + if (err || (outarg.attr.mode ^ inode->i_mode) & S_IFMT) + return 0; + +@@ -214,6 +223,7 @@ static struct dentry *fuse_lookup(struct + struct inode *inode = NULL; + struct fuse_conn *fc = get_fuse_conn(dir); + struct fuse_req *req; ++ struct fuse_req *forget_req; + + if (entry->d_name.len > FUSE_NAME_MAX) + return ERR_PTR(-ENAMETOOLONG); +@@ -222,9 +232,16 @@ static struct dentry *fuse_lookup(struct + if (IS_ERR(req)) + return ERR_PTR(PTR_ERR(req)); + ++ forget_req = fuse_get_req(fc); ++ if (IS_ERR(forget_req)) { ++ fuse_put_request(fc, req); ++ return ERR_PTR(PTR_ERR(forget_req)); ++ } ++ + fuse_lookup_init(req, dir, entry, &outarg); + request_send(fc, req); + err = req->out.h.error; ++ fuse_put_request(fc, req); + /* Zero nodeid is same as -ENOENT, but with valid timeout */ + if (!err && outarg.nodeid && + (invalid_nodeid(outarg.nodeid) || !valid_mode(outarg.attr.mode))) +@@ -233,11 +250,11 @@ static struct dentry *fuse_lookup(struct + inode = fuse_iget(dir->i_sb, outarg.nodeid, outarg.generation, + &outarg.attr); + if (!inode) { +- fuse_send_forget(fc, req, outarg.nodeid, 1); ++ fuse_send_forget(fc, forget_req, outarg.nodeid, 1); + return ERR_PTR(-ENOMEM); + } + } +- fuse_put_request(fc, req); ++ fuse_put_request(fc, forget_req); + if (err && err != -ENOENT) + return ERR_PTR(err); + +@@ -375,6 +392,13 @@ static int create_new_entry(struct fuse_ + struct fuse_entry_out outarg; + struct inode *inode; + int err; ++ struct fuse_req *forget_req; ++ ++ forget_req = fuse_get_req(fc); ++ if (IS_ERR(forget_req)) { ++ fuse_put_request(fc, req); ++ return PTR_ERR(forget_req); ++ } + + req->in.h.nodeid = get_node_id(dir); + req->out.numargs = 1; +@@ -382,24 +406,24 @@ static int create_new_entry(struct fuse_ + req->out.args[0].value = &outarg; + request_send(fc, req); + err = 
req->out.h.error; +- if (err) { +- fuse_put_request(fc, req); +- return err; +- } ++ fuse_put_request(fc, req); ++ if (err) ++ goto out_put_forget_req; ++ + err = -EIO; + if (invalid_nodeid(outarg.nodeid)) +- goto out_put_request; ++ goto out_put_forget_req; + + if ((outarg.attr.mode ^ mode) & S_IFMT) +- goto out_put_request; ++ goto out_put_forget_req; + + inode = fuse_iget(dir->i_sb, outarg.nodeid, outarg.generation, + &outarg.attr); + if (!inode) { +- fuse_send_forget(fc, req, outarg.nodeid, 1); ++ fuse_send_forget(fc, forget_req, outarg.nodeid, 1); + return -ENOMEM; + } +- fuse_put_request(fc, req); ++ fuse_put_request(fc, forget_req); + + if (dir_alias(inode)) { + iput(inode); +@@ -411,8 +435,8 @@ static int create_new_entry(struct fuse_ + fuse_invalidate_attr(dir); + return 0; + +- out_put_request: +- fuse_put_request(fc, req); ++ out_put_forget_req: ++ fuse_put_request(fc, forget_req); + return err; + } + diff --git a/queue-2.6.18/ipv6-fix-address-interface-handling-in-udp-and-dccp-according-to-the-scoping-architecture.patch b/queue-2.6.18/ipv6-fix-address-interface-handling-in-udp-and-dccp-according-to-the-scoping-architecture.patch new file mode 100644 index 00000000000..7f8ae50a44b --- /dev/null +++ b/queue-2.6.18/ipv6-fix-address-interface-handling-in-udp-and-dccp-according-to-the-scoping-architecture.patch 
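Review bot: The early `return 0;`, `return ERR_PTR(-ENOMEM);` and `return -ENOMEM;` paths that follow `fuse_send_forget(fc, forget_req, outarg.nodeid, 1)` never call `fuse_put_request()` on `forget_req`, so the patch depends on fuse_send_forget() taking ownership of the request, which is not visible in these hunks. That ownership rule is the reason a second request is needed at all, so it deserves a comment at each call site, e.g. `/* fuse_send_forget() consumes forget_req; do not put it again */`. All three functions also reserve `forget_req` up front on every call although only the error paths use it; if fuse_get_req() can block when requests are scarce, that added cost is worth a sentence in the changelog. The bodies of fuse_dentry_revalidate(), fuse_lookup() and create_new_entry() extend beyond the hunks shown.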
@@ -0,0 +1,67 @@ +From stable-bounces@linux.kernel.org Thu Nov 23 18:10:52 2006 +From: maks@sternwelten.at +Date: Wed, 22 Nov 2006 02:59:09 GMT +Message-Id: <200611220259.kAM2x9xc004965@hera.kernel.org> +To: stable@kernel.org +Subject: IPV6: Fix address/interface handling in UDP and DCCP, according to the scoping architecture. + +From: YOSHIFUJI Hideaki + +TCP and RAW do not have this issue. Closes Bug #7432. + +Signed-off-by: YOSHIFUJI Hideaki +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + + net/dccp/ipv6.c | 2 +- + net/ipv6/udp.c | 7 +++---- + 2 files changed, 4 insertions(+), 5 deletions(-) + +--- linux-2.6.18.3.orig/net/dccp/ipv6.c ++++ linux-2.6.18.3/net/dccp/ipv6.c +@@ -276,7 +276,7 @@ static void dccp_v6_err(struct sk_buff * + __u64 seq; + + sk = inet6_lookup(&dccp_hashinfo, &hdr->daddr, dh->dccph_dport, +- &hdr->saddr, dh->dccph_sport, skb->dev->ifindex); ++ &hdr->saddr, dh->dccph_sport, inet6_iif(skb)); + + if (sk == NULL) { + ICMP6_INC_STATS_BH(__in6_dev_get(skb->dev), ICMP6_MIB_INERRORS); +--- linux-2.6.18.3.orig/net/ipv6/udp.c ++++ linux-2.6.18.3/net/ipv6/udp.c +@@ -314,14 +314,13 @@ static void udpv6_err(struct sk_buff *sk + { + struct ipv6_pinfo *np; + struct ipv6hdr *hdr = (struct ipv6hdr*)skb->data; +- struct net_device *dev = skb->dev; + struct in6_addr *saddr = &hdr->saddr; + struct in6_addr *daddr = &hdr->daddr; + struct udphdr *uh = (struct udphdr*)(skb->data+offset); + struct sock *sk; + int err; + +- sk = udp_v6_lookup(daddr, uh->dest, saddr, uh->source, dev->ifindex); ++ sk = udp_v6_lookup(daddr, uh->dest, saddr, uh->source, inet6_iif(skb)); + + if (sk == NULL) + return; +@@ -415,7 +414,7 @@ static void udpv6_mcast_deliver(struct u + + read_lock(&udp_hash_lock); + sk = sk_head(&udp_hash[ntohs(uh->dest) & (UDP_HTABLE_SIZE - 1)]); +- dif = skb->dev->ifindex; ++ dif = inet6_iif(skb); + sk = udp_v6_mcast_next(sk, uh->dest, daddr, uh->source, saddr, dif); + if (!sk) { + kfree_skb(skb); +@@ -496,7 +495,7 @@ static int 
udpv6_rcv(struct sk_buff **ps + * check socket cache ... must talk to Alan about his plans + * for sock caches... i'll skip this for now. + */ +- sk = udp_v6_lookup(saddr, uh->source, daddr, uh->dest, dev->ifindex); ++ sk = udp_v6_lookup(saddr, uh->source, daddr, uh->dest, inet6_iif(skb)); + + if (sk == NULL) { + if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) diff --git a/queue-2.6.18/netfilter-h.323-conntrack-fix-crash-with-config_ip_nf_ct_acct.patch b/queue-2.6.18/netfilter-h.323-conntrack-fix-crash-with-config_ip_nf_ct_acct.patch new file mode 100644 index 00000000000..66de2c4a286 --- /dev/null +++ b/queue-2.6.18/netfilter-h.323-conntrack-fix-crash-with-config_ip_nf_ct_acct.patch 
@@ -0,0 +1,49 @@
+From stable-bounces@linux.kernel.org Fri Nov 17 12:12:33 2006
+Message-ID: <455E16AB.1010101@trash.net>
+Date: Fri, 17 Nov 2006 21:08:11 +0100
+From: Patrick McHardy
+To: "David S. Miller"
+Cc: stable@kernel.org
+Subject: NETFILTER: H.323 conntrack: fix crash with CONFIG_IP_NF_CT_ACCT
+
+H.323 connection tracking code calls ip_ct_refresh_acct() when
+processing RCFs and URQs but passes NULL as the skb.
+When CONFIG_IP_NF_CT_ACCT is enabled, the connection tracking core tries
+to derefence the skb, which results in an obvious panic.
+A similar fix was applied on the SIP connection tracking code some time
+ago.
+
+Signed-off-by: Faidon Liambotis
+Signed-off-by: Patrick McHardy
+Signed-off-by: Chris Wright
+
+---
+commit 76b0c2b63fd5a2da358b36a22b7bf99298dde0b7
+tree cd96ddb4c4cd5ffb44ed5a47fa3be41267eea99a
+parent 1b9bb3c14c60324b54645ffefbe6d270f9fd191c
+author Faidon Liambotis Fri, 17 Nov 2006 21:01:25 +0100
+committer Patrick McHardy Fri, 17 Nov 2006 21:01:25 +0100
+
+ net/ipv4/netfilter/ip_conntrack_helper_h323.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.18.3.orig/net/ipv4/netfilter/ip_conntrack_helper_h323.c
++++ linux-2.6.18.3/net/ipv4/netfilter/ip_conntrack_helper_h323.c
+@@ -1417,7 +1417,7 @@ static int process_rcf(struct sk_buff **
+ DEBUGP
+ ("ip_ct_ras: set RAS connection timeout to %u seconds\n",
+ info->timeout);
+- ip_ct_refresh_acct(ct, ctinfo, NULL, info->timeout * HZ);
++ ip_ct_refresh(ct, *pskb, info->timeout * HZ);
+
+ /* Set expect timeout */
+ read_lock_bh(&ip_conntrack_lock);
+@@ -1465,7 +1465,7 @@ static int process_urq(struct sk_buff **
+ info->sig_port[!dir] = 0;
+
+ /* Give it 30 seconds for UCF or URJ */
+- ip_ct_refresh_acct(ct, ctinfo, NULL, 30 * HZ);
++ ip_ct_refresh(ct, *pskb, 30 * HZ);
+
+ return 0;
+ }
diff --git a/queue-2.6.18/pcmcia-fix-rmmod-pcmcia-with-unbound-devices.patch b/queue-2.6.18/pcmcia-fix-rmmod-pcmcia-with-unbound-devices.patch
new file mode 100644
index 00000000000..33c93e991a6
--- /dev/null
+++ b/queue-2.6.18/pcmcia-fix-rmmod-pcmcia-with-unbound-devices.patch
@@ -0,0 +1,37 @@
+From dfbc9e9d33adb1ac9910dd7f8ceb911947039a52 Mon Sep 17 00:00:00 2001
+From: Daniel Ritz
+Date: Sat, 18 Nov 2006 22:19:34 -0800
+Subject: [PATCH] pcmcia: fix 'rmmod pcmcia' with unbound devices
+
+Having unbound PCMCIA devices: doing a 'find /sys' after a 'rmmod pcmcia'
+gives an oops because the pcmcia_device is not unregisterd from the driver
+core.
+
+fixes bugzilla #7481
+
+Signed-off-by: Daniel Ritz
+Acked-by: Dominik Brodowski
+Cc: Pavol Gono
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+[chrisw: add subsequent mutex fix]
+Signed-off-by: Chris Wright
+---
+ drivers/pcmcia/ds.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- linux-2.6.18.3.orig/drivers/pcmcia/ds.c
++++ linux-2.6.18.3/drivers/pcmcia/ds.c
+@@ -1264,6 +1264,11 @@ static void pcmcia_bus_remove_socket(str
+ socket->pcmcia_state.dead = 1;
+ pccard_register_pcmcia(socket, NULL);
+
++ /* unregister any unbound devices */
++ mutex_lock(&socket->skt_mutex);
++ pcmcia_card_remove(socket, NULL);
++ mutex_unlock(&socket->skt_mutex);
++
+ pcmcia_put_socket(socket);
+
+ return;
diff --git a/queue-2.6.18/series b/queue-2.6.18/series
index e5ac9853e78..0ccd0f71a59 100644
--- a/queue-2.6.18/series
+++ b/queue-2.6.18/series
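Review bot: The added comment `/* unregister any unbound devices */` in pcmcia_bus_remove_socket() says what the call does but not why `skt_mutex` is taken around it or what the `NULL` second argument selects. The changelog line "[chrisw: add subsequent mutex fix]" suggests the locking was found necessary only afterwards, so the requirement should be recorded in the code, e.g. `/* unregister any unbound devices; pcmcia_card_remove() must be called with skt_mutex held */`. The call also runs after `socket->pcmcia_state.dead = 1` and `pccard_register_pcmcia(socket, NULL)`; whether pcmcia_card_remove() tolerates a socket already marked dead cannot be checked from this hunk and is worth confirming.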
@@ -8,3 +8,16 @@ netfilter-honour-source-routing-for-lvs-nat.patch
 netfilter-kconfig-fix-xt_physdev-dependencies.patch
 netfilter-xt_connsecmark-fix-kconfig-dependencies.patch
 bcm43xx-drain-tx-status-before-starting-irqs.patch
+netfilter-h.323-conntrack-fix-crash-with-config_ip_nf_ct_acct.patch
+pcmcia-fix-rmmod-pcmcia-with-unbound-devices.patch
+v4l-do-not-enable-video_v4l2-unconditionally.patch
+x86-microcode-don-t-check-the-size.patch
+alpha-fix-alpha_ev56-dependencies-typo.patch
+softmac-fix-a-slab-corruption-in-wep-restricted-key-association.patch
+tg3-add-missing-unlock-in-tg3_open-error-path.patch
+ipv6-fix-address-interface-handling-in-udp-and-dccp-according-to-the-scoping-architecture.patch
+bte_unaligned_copy-transfers-one-extra-cache-line.patch
+bluetooth-fix-unaligned-access-in-hci_send_to_sock.patch
+agp-allocate-agp-pages-with-gfp_dma32-by-default.patch
+fuse-fix-oops-in-lookup.patch
+udp-make-udp_encap_rcv-use-pskb_may_pull.patch
diff --git a/queue-2.6.18/softmac-fix-a-slab-corruption-in-wep-restricted-key-association.patch b/queue-2.6.18/softmac-fix-a-slab-corruption-in-wep-restricted-key-association.patch
new file mode 100644
index 00000000000..24249c00fa9
--- /dev/null
+++ b/queue-2.6.18/softmac-fix-a-slab-corruption-in-wep-restricted-key-association.patch
@@ -0,0 +1,30 @@
+From 6684e59aa3cf6cb7ebf04ea2953198500c93b0a9 Mon Sep 17 00:00:00 2001
+Message-ID: <4561E092.5030201@gentoo.org>
+From: Laurent Riffard
+Date: Thu, 12 Oct 2006 00:17:36 +0200
+Subject: softmac: fix a slab corruption in WEP restricted key association
+
+Fix a slab corruption in ieee80211softmac_auth(). The size of a buffer
+was miscomputed.
+
+see http://bugzilla.kernel.org/show_bug.cgi?id=7245
+
+Acked-by: Daniel Drake
+Signed-off-by: Laurent Riffard
+Signed-off-by: John W. Linville
+Signed-off-by: Chris Wright
+---
+ net/ieee80211/softmac/ieee80211softmac_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.18.3.orig/net/ieee80211/softmac/ieee80211softmac_io.c
++++ linux-2.6.18.3/net/ieee80211/softmac/ieee80211softmac_io.c
+@@ -304,7 +304,7 @@ ieee80211softmac_auth(struct ieee80211_a
+ 2 + /* Auth Transaction Seq */
+ 2 + /* Status Code */
+ /* Challenge Text IE */
+- is_shared_response ? 0 : 1 + 1 + net->challenge_len
++ (is_shared_response ? 1 + 1 + net->challenge_len : 0)
+ );
+ if (unlikely((*pkt) == NULL))
+ return 0;
diff --git a/queue-2.6.18/tg3-add-missing-unlock-in-tg3_open-error-path.patch b/queue-2.6.18/tg3-add-missing-unlock-in-tg3_open-error-path.patch
new file mode 100644
index 00000000000..a73041fa5a8
--- /dev/null
+++ b/queue-2.6.18/tg3-add-missing-unlock-in-tg3_open-error-path.patch
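Review bot: The corrected size term `(is_shared_response ? 1 + 1 + net->challenge_len : 0)` in ieee80211softmac_auth() still uses the bare constants `1 + 1`, and `net->challenge_len` goes into the allocation size with no bound visible in the hunk. Since the original bug was a miscomputed buffer size, I would label the terms the way the neighbouring lines do, e.g. `1 + /* Element ID */` and `1 + /* Length */`, and add a comment that whatever later copies the challenge text must use the same `net->challenge_len`. The patch also swaps the two arms of the conditional relative to the removed line, which the changelog does not mention; a sentence there would help anyone comparing the two versions. The function body starts and ends outside the hunk.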
@@ -0,0 +1,35 @@
+From stable-bounces@linux.kernel.org Wed Nov 22 03:50:30 2006
+From: maks@sternwelten.at
+Date: Wed, 22 Nov 2006 02:59:09 GMT
+Message-Id: <200611220259.kAM2x95e004973@hera.kernel.org>
+To: stable@kernel.org
+Subject: TG3: Add missing unlock in tg3_open() error path.
+
+From: Ira W. Snyder
+
+Sparse noticed a locking imbalance in tg3_open(). This patch adds an
+unlock to one of the error paths, so that tg3_open() always exits
+without the lock held.
+
+Signed-off-by: Ira W. Snyder
+Signed-off-by: David S. Miller
+Signed-off-by: Chris Wright
+---
+
+ drivers/net/tg3.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- linux-2.6.18.3.orig/drivers/net/tg3.c
++++ linux-2.6.18.3/drivers/net/tg3.c
+@@ -6889,8 +6889,10 @@ static int tg3_open(struct net_device *d
+ tg3_full_lock(tp, 0);
+
+ err = tg3_set_power_state(tp, PCI_D0);
+- if (err)
++ if (err) {
++ tg3_full_unlock(tp);
+ return err;
++ }
+
+ tg3_disable_ints(tp);
+ tp->tg3_flags &= ~TG3_FLAG_INIT_COMPLETE;
diff --git a/queue-2.6.18/udp-make-udp_encap_rcv-use-pskb_may_pull.patch b/queue-2.6.18/udp-make-udp_encap_rcv-use-pskb_may_pull.patch
new file mode 100644
index 00000000000..360ffd391b1
--- /dev/null
+++ b/queue-2.6.18/udp-make-udp_encap_rcv-use-pskb_may_pull.patch
@@ -0,0 +1,65 @@ +From stable-bounces@linux.kernel.org Tue Nov 28 20:41:40 2006 +Date: Tue, 28 Nov 2006 20:36:46 -0800 (PST) +Message-Id: <20061128.203646.85408792.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Cc: bunk@stusta.de +Subject: UDP: Make udp_encap_rcv use pskb_may_pull + +From: Olaf Kirch + +IPsec with NAT-T breaks on some notebooks using the latest e1000 chipset, +when header split is enabled. When receiving sufficiently large packets, the +driver puts everything up to and including the UDP header into the header +portion of the skb, and the rest goes into the paged part. udp_encap_rcv +forgets to use pskb_may_pull, and fails to decapsulate it. Instead, it +passes it up it to the IKE daemon. + +Signed-off-by: Olaf Kirch +Signed-off-by: Jean Delvare +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + net/ipv4/udp.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- linux-2.6.18.3.orig/net/ipv4/udp.c ++++ linux-2.6.18.3/net/ipv4/udp.c +@@ -892,23 +892,32 @@ static int udp_encap_rcv(struct sock * s + return 1; + #else + struct udp_sock *up = udp_sk(sk); +- struct udphdr *uh = skb->h.uh; ++ struct udphdr *uh; + struct iphdr *iph; + int iphlen, len; + +- __u8 *udpdata = (__u8 *)uh + sizeof(struct udphdr); +- __u32 *udpdata32 = (__u32 *)udpdata; ++ __u8 *udpdata; ++ __u32 *udpdata32; + __u16 encap_type = up->encap_type; + + /* if we're overly short, let UDP handle it */ +- if (udpdata > skb->tail) ++ len = skb->len - sizeof(struct udphdr); ++ if (len <= 0) + return 1; + + /* if this is not encapsulated socket, then just return now */ + if (!encap_type) + return 1; + +- len = skb->tail - udpdata; ++ /* If this is a paged skb, make sure we pull up ++ * whatever data we need to look at. 
*/ ++ if (!pskb_may_pull(skb, sizeof(struct udphdr) + min(len, 8))) ++ return 1; ++ ++ /* Now we can get the pointers */ ++ uh = skb->h.uh; ++ udpdata = (__u8 *)uh + sizeof(struct udphdr); ++ udpdata32 = (__u32 *)udpdata; + + switch (encap_type) { + default: diff --git a/queue-2.6.18/v4l-do-not-enable-video_v4l2-unconditionally.patch b/queue-2.6.18/v4l-do-not-enable-video_v4l2-unconditionally.patch new file mode 100644 index 00000000000..77ce56e7e19 --- /dev/null +++ b/queue-2.6.18/v4l-do-not-enable-video_v4l2-unconditionally.patch @@ -0,0 +1,34 @@ +From stable-bounces@linux.kernel.org Sun Nov 19 19:21:58 2006 +Message-ID: <45611E4B.8060002@linuxtv.org> +Date: Sun, 19 Nov 2006 22:17:31 -0500 +From: Michael Krufky +To: stable@kernel.org +Cc: v4l-dvb maintainer list +Subject: V4L: Do not enable VIDEO_V4L2 unconditionally + +From: Maciej W. Rozycki + +V4L: Do not enable VIDEO_V4L2 unconditionally + +The VIDEO_V4L2 config setting is enabled unconditionally, even for +configurations with no support for this subsystem whatsoever. The +following patch adds the necessary dependency. + +Signed-off-by: Maciej W. Rozycki +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Michael Krufky +Signed-off-by: Chris Wright +--- + drivers/media/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- linux-2.6.18.3.orig/drivers/media/Kconfig ++++ linux-2.6.18.3/drivers/media/Kconfig +@@ -54,6 +54,7 @@ config VIDEO_V4L1_COMPAT + + config VIDEO_V4L2 + bool ++ depends on VIDEO_DEV + default y + + source "drivers/media/video/Kconfig" diff --git a/queue-2.6.18/x86-microcode-don-t-check-the-size.patch b/queue-2.6.18/x86-microcode-don-t-check-the-size.patch new file mode 100644 index 00000000000..80a2fa0de04 --- /dev/null +++ b/queue-2.6.18/x86-microcode-don-t-check-the-size.patch 
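Review bot: The new short-packet test in udp_encap_rcv(), `len = skb->len - sizeof(struct udphdr);` followed by `if (len <= 0)`, subtracts in unsigned arithmetic and only works because the wrapped result is then converted to the `int` variable `len`. Comparing before subtracting avoids relying on that conversion: `if (skb->len <= sizeof(struct udphdr)) return 1;` and then the assignment. The literal in `min(len, 8)` also needs a name or a comment saying which bytes it covers, because `len` now counts paged data while only that many bytes past the UDP header are guaranteed linear after pskb_may_pull(). The `switch (encap_type)` code that follows lies outside the hunk and should be checked to read no further than that through `udpdata` and `udpdata32`.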
@@ -0,0 +1,55 @@
+From stable-bounces@linux.kernel.org Mon Nov 20 09:11:33 2006
+Message-ID: <4561DFB6.9050304@gentoo.org>
+Date: Mon, 20 Nov 2006 12:02:46 -0500
+From: Daniel Drake
+To: stable@kernel.org
+Cc: shaohua.li@intel.com
+Subject: x86 microcode: don't check the size
+
+From: Shaohua Li
+
+IA32 manual says if micorcode update's size is 0, then the size is
+default size (2048 bytes). But this doesn't suggest all microcode
+update's size should be above 2048 bytes to me. We actually had a
+microcode update whose size is 1024 bytes. The patch just removed the
+check.
+
+Backported to 2.6.18 by Daniel Drake.
+
+Signed-off-by: Daniel Drake
+Signed-off-by: Chris Wright
+---
+ arch/i386/kernel/microcode.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- linux-2.6.18.3.orig/arch/i386/kernel/microcode.c
++++ linux-2.6.18.3/arch/i386/kernel/microcode.c
+@@ -250,14 +250,14 @@ static int find_matching_ucodes (void)
+ }
+
+ total_size = get_totalsize(&mc_header);
+- if ((cursor + total_size > user_buffer_size) || (total_size < DEFAULT_UCODE_TOTALSIZE)) {
++ if (cursor + total_size > user_buffer_size) {
+ printk(KERN_ERR "microcode: error! Bad data in microcode data file\n");
+ error = -EINVAL;
+ goto out;
+ }
+
+ data_size = get_datasize(&mc_header);
+- if ((data_size + MC_HEADER_SIZE > total_size) || (data_size < DEFAULT_UCODE_DATASIZE)) {
++ if (data_size + MC_HEADER_SIZE > total_size) {
+ printk(KERN_ERR "microcode: error! Bad data in microcode data file\n");
+ error = -EINVAL;
+ goto out;
+@@ -460,11 +460,6 @@ static ssize_t microcode_write (struct f
+ {
+ ssize_t ret;
+
+- if (len < DEFAULT_UCODE_TOTALSIZE) {
+- printk(KERN_ERR "microcode: not enough data\n");
+- return -EINVAL;
+- }
+-
+ if ((len >> PAGE_SHIFT) > num_physpages) {
+ printk(KERN_ERR "microcode: too much data (max %ld pages)\n", num_physpages);
+ return -EINVAL;
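Review bot: With the `DEFAULT_UCODE_TOTALSIZE` and `DEFAULT_UCODE_DATASIZE` lower bounds removed from find_matching_ucodes(), the only validation left on the header fields is the additive comparisons `cursor + total_size > user_buffer_size` and `data_size + MC_HEADER_SIZE > total_size`, and both sums can wrap if a value read from the supplied file is large enough (the variable types are declared outside the hunk). Writing them subtractively avoids that, assuming the surrounding loop keeps `cursor` within `user_buffer_size`: `if (total_size < MC_HEADER_SIZE || total_size > user_buffer_size - cursor)` and `if (data_size > total_size - MC_HEADER_SIZE)`. The second hunk also drops the minimum-length test in microcode_write(), so a write shorter than one header now reaches the parser; if nothing downstream rejects it, `if (len < MC_HEADER_SIZE)` would be a suitable replacement floor.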