From: Greg Kroah-Hartman
Date: Mon, 21 Aug 2006 18:21:23 +0000 (-0700)
Subject: added more patches to queue
X-Git-Tag: v2.6.17.10~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4813ac5179ee6fbb4683a1e75e3574cfba74edff;p=thirdparty%2Fkernel%2Fstable-queue.git
added more patches to queue
---
diff --git a/queue-2.6.17/deprecate-physdev-keys.patch b/queue-2.6.17/deprecate-physdev-keys.patch
new file mode 100644
index 00000000000..f1263f529e9
--- /dev/null
+++ b/queue-2.6.17/deprecate-physdev-keys.patch
@@ -0,0 +1,81 @@
+From kay.sievers@vrfy.org Sat Aug 12 21:17:16 2006
+Date: Sun, 13 Aug 2006 06:17:09 +0200
+From: Kay Sievers
+To: Greg KH
+Subject: deprecate PHYSDEV* keys
+Message-ID: <20060813041709.GA2960@vrfy.org>
+Content-Disposition: inline
+
+From: Kay Sievers
+
+deprecate PHYSDEV* values in the uevent environment
+
+These values are no longer needed and inconsistent with the
+stacking of class devices. The event environment should not
+carry properties of a parent device. The key PHYSDEVDRIVER is
+available as DRIVER, PHYDEVBUS is indentical SUBSYSTEM. Class
+devices should not carry any of these values.
+
+Signed-off-by: Kay Sievers
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ Documentation/feature-removal-schedule.txt | 10 ++++++++++
+ drivers/base/class.c | 2 +-
+ drivers/base/core.c | 10 +++++++---
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+--- linux-2.6.17.9.orig/Documentation/feature-removal-schedule.txt
++++ linux-2.6.17.9/Documentation/feature-removal-schedule.txt
+@@ -248,3 +248,13 @@ Why: The interface no longer has any cal
+ Who: Nick Piggin
+
+ ---------------------------
++
++What: PHYSDEVPATH, PHYSDEVBUS, PHYSDEVDRIVER in the uevent environment
++When: Oktober 2008
++Why: The stacking of class devices makes these values misleading and
++ inconsistent.
++ Class devices should not carry any of these properties, and bus
++ devices have SUBSYTEM and DRIVER as a replacement.
++Who: Kay Sievers
++
++---------------------------
+--- linux-2.6.17.9.orig/drivers/base/class.c
++++ linux-2.6.17.9/drivers/base/class.c
+@@ -361,7 +361,7 @@ static int class_uevent(struct kset *kse
+ pr_debug("%s - name = %s\n", __FUNCTION__, class_dev->class_id);
+
+ if (class_dev->dev) {
+- /* add physical device, backing this device */
++ /* add device, backing this class device (deprecated) */
+ struct device *dev = class_dev->dev;
+ char *path = kobject_get_path(&dev->kobj, GFP_KERNEL);
+
+--- linux-2.6.17.9.orig/drivers/base/core.c
++++ linux-2.6.17.9/drivers/base/core.c
+@@ -117,17 +117,21 @@ static int dev_uevent(struct kset *kset,
+ int length = 0;
+ int retval = 0;
+
+- /* add bus name of physical device */
++ /* add bus name (same as SUBSYSTEM, deprecated) */
+ if (dev->bus)
+ add_uevent_var(envp, num_envp, &i,
+ buffer, buffer_size, &length,
+ "PHYSDEVBUS=%s", dev->bus->name);
+
+- /* add driver name of physical device */
+- if (dev->driver)
++ /* add driver name (PHYSDEV* values are deprecated)*/
++ if (dev->driver) {
++ add_uevent_var(envp, num_envp, &i,
++ buffer, buffer_size, &length,
++ "DRIVER=%s", dev->driver->name);
+ add_uevent_var(envp, num_envp, &i,
+ buffer, buffer_size, &length,
+ "PHYSDEVDRIVER=%s", dev->driver->name);
++ }
+
+ /* terminate, set to next free slot, shrink available space */
+ envp[i] = NULL;
diff --git a/queue-2.6.17/dm-bug-oops-fix.patch b/queue-2.6.17/dm-bug-oops-fix.patch
new file mode 100644
index 00000000000..02fd7bce67c
--- /dev/null
+++ b/queue-2.6.17/dm-bug-oops-fix.patch
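Review bot: The new `DRIVER=%s` call in dev_uevent() discards the return value of add_uevent_var(), as the neighbouring PHYSDEVBUS and PHYSDEVDRIVER calls do, so if the envp slots or the buffer run out the replacement key is dropped and no error reaches the caller. DRIVER is the key userspace is being told to migrate to, so I would capture the result in the existing `retval`, e.g. `retval = add_uevent_var(envp, num_envp, &i, buffer, buffer_size, &length, "DRIVER=%s", dev->driver->name);` followed by `if (retval) return retval;`, assuming add_uevent_var() reports exhaustion with a non-zero return, which is not visible here. Separately, the new feature-removal-schedule.txt entry spells the replacement key `SUBSYTEM`; it should read `SUBSYSTEM` so that a search for the key finds the deprecation notice. dev_uevent() starts and ends outside the hunk.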
@@ -0,0 +1,72 @@
+From stable-bounces@linux.kernel.org Sun Aug 13 23:24:58 2006
+Message-Id: <200608140624.k7E6OKjC006995@shell0.pdx.osdl.net>
+To: greg@kroah.com
+From: akpm@osdl.org
+Date: Sun, 13 Aug 2006 23:24:20 -0700
+Cc: akpm@osdl.org, torvalds@osdl.org, stable@kernel.org, agk@redhat.com, mirq-linux@rere.qmqm.pl
+Subject: dm: BUG/OOPS fix
+
+From: Michal Miroslaw
+
+Fix BUG I tripped on while testing failover and multipathing.
+
+BUG shows up on error path in multipath_ctr() when parse_priority_group()
+fails after returning at least once without error. The fix is to
+initialize m->ti early - just after alloc()ing it.
+
+BUG: unable to handle kernel NULL pointer dereference at virtual address 00000000
+ printing eip:
+c027c3d2
+*pde = 00000000
+Oops: 0000 [#3]
+Modules linked in: qla2xxx ext3 jbd mbcache sg ide_cd cdrom floppy
+CPU: 0
+EIP: 0060:[] Not tainted VLI
+EFLAGS: 00010202 (2.6.17.3 #1)
+EIP is at dm_put_device+0xf/0x3b
+eax: 00000001 ebx: ee4fcac0 ecx: 00000000 edx: ee4fcac0
+esi: ee4fc4e0 edi: ee4fc4e0 ebp: 00000000 esp: c5db3e78
+ds: 007b es: 007b ss: 0068
+Process multipathd (pid: 15912, threadinfo=c5db2000 task=ef485a90)
+Stack: ec4eda40 c02816bd ee4fc4c0 00000000 f7e89498 f883e0bc c02816f6 f7e89480
+ f7e8948c c0281801 ffffffea f7e89480 f883e080 c0281ffe 00000001 00000000
+ 00000004 dfe9cab8 f7a693c0 f883e080 f883e0c0 ca4b99c0 c027c6ee 01400000
+Call Trace:
+ free_pgpaths+0x31/0x45 free_priority_group+0x25/0x2e
+ free_multipath+0x35/0x67 multipath_ctr+0x123/0x12d
+ dm_table_add_target+0x11e/0x18b populate_table+0x8a/0xaf
+ table_load+0x52/0xf9 ctl_ioctl+0xca/0xfc
+ table_load+0x0/0xf9 do_ioctl+0x3e/0x43
+ vfs_ioctl+0x16c/0x178 sys_ioctl+0x48/0x60
+ syscall_call+0x7/0xb
+Code: 97 f0 00 00 00 89 c1 83 c9 01 80 e2 01 0f 44 c1 88 43 14 8b 04 24 59 5b 5e 5f 5d c3 53 89 c1 89 d3 ff 4a 08 0f 94 c0 84 c0 74 2a <8b> 01 8b 10 89 d8 e8 f6 fb ff ff 8b 03 8b 53 04 89 50 04 89 02
+EIP: [] dm_put_device+0xf/0x3b SS:ESP 0068:c5db3e78
+
+Signed-off-by: Michal Miroslaw
+Acked-by: Alasdair G Kergon
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-mpath.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- linux-2.6.17.9.orig/drivers/md/dm-mpath.c
++++ linux-2.6.17.9/drivers/md/dm-mpath.c
+@@ -711,6 +711,8 @@ static int multipath_ctr(struct dm_targe
+ return -EINVAL;
+ }
+
++ m->ti = ti;
++
+ r = parse_features(&as, m, ti);
+ if (r)
+ goto bad;
+@@ -752,7 +754,6 @@ static int multipath_ctr(struct dm_targe
+ }
+
+ ti->private = m;
+- m->ti = ti;
+
+ return 0;
+
diff --git a/queue-2.6.17/fix-ipv4-routing-locking-bug.patch b/queue-2.6.17/fix-ipv4-routing-locking-bug.patch
new file mode 100644
index 00000000000..bf82ebb68cb
--- /dev/null
+++ b/queue-2.6.17/fix-ipv4-routing-locking-bug.patch
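Review bot: The ordering requirement this fix depends on is not recorded next to the moved `m->ti = ti;` in multipath_ctr(). Going by the description and the oops trace, the `bad` path reaches dm_put_device() through free_multipath() and free_pgpaths() and needs `m->ti` to be set, so the assignment has to stay ahead of every parse call. I would add a comment above it such as `/* must precede parse_features()/parse_priority_group(): the error path needs m->ti to release devices */`. Setting the field in the allocation helper would make the invariant structural, but that helper is outside the hunk, as are the start and end of multipath_ctr().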
@@ -0,0 +1,84 @@
+From stable-bounces@linux.kernel.org Thu Aug 17 22:57:51 2006
+Date: Thu, 17 Aug 2006 22:57:22 -0700 (PDT)
+Message-Id: <20060817.225722.41634450.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller
+Subject: Fix ipv4 routing locking bug
+
+
+From: Alexey Kuznetsov
+
+[IPV4]: severe locking bug in fib_semantics.c
+
+Found in 2.4 by Yixin Pan .
+
+> When I read fib_semantics.c of Linux-2.4.32, write_lock(&fib_info_lock) =
+> is used in fib_release_info() instead of write_lock_bh(&fib_info_lock). =
+> Is the following case possible: a BH interrupts fib_release_info() while =
+> holding the write lock, and calls ip_check_fib_default() which calls =
+> read_lock(&fib_info_lock), and spin forever.
+
+Signed-off-by: Alexey Kuznetsov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/fib_semantics.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- linux-2.6.17.9.orig/net/ipv4/fib_semantics.c
++++ linux-2.6.17.9/net/ipv4/fib_semantics.c
+@@ -160,7 +160,7 @@ void free_fib_info(struct fib_info *fi)
+
+ void fib_release_info(struct fib_info *fi)
+ {
+- write_lock(&fib_info_lock);
++ write_lock_bh(&fib_info_lock);
+ if (fi && --fi->fib_treeref == 0) {
+ hlist_del(&fi->fib_hash);
+ if (fi->fib_prefsrc)
+@@ -173,7 +173,7 @@ void fib_release_info(struct fib_info *f
+ fi->fib_dead = 1;
+ fib_info_put(fi);
+ }
+- write_unlock(&fib_info_lock);
++ write_unlock_bh(&fib_info_lock);
+ }
+
+ static __inline__ int nh_comp(const struct fib_info *fi, const struct fib_info *ofi)
+@@ -599,7 +599,7 @@ static void fib_hash_move(struct hlist_h
+ unsigned int old_size = fib_hash_size;
+ unsigned int i, bytes;
+
+- write_lock(&fib_info_lock);
++ write_lock_bh(&fib_info_lock);
+ old_info_hash = fib_info_hash;
+ old_laddrhash = fib_info_laddrhash;
+ fib_hash_size = new_size;
+@@ -640,7 +640,7 @@ static void fib_hash_move(struct hlist_h
+ }
+ fib_info_laddrhash = new_laddrhash;
+
+- write_unlock(&fib_info_lock);
++ write_unlock_bh(&fib_info_lock);
+
+ bytes = old_size * sizeof(struct hlist_head *);
+ fib_hash_free(old_info_hash, bytes);
+@@ -822,7 +822,7 @@ link_it:
+
+ fi->fib_treeref++;
+ atomic_inc(&fi->fib_clntref);
+- write_lock(&fib_info_lock);
++ write_lock_bh(&fib_info_lock);
+ hlist_add_head(&fi->fib_hash,
+ &fib_info_hash[fib_info_hashfn(fi)]);
+ if (fi->fib_prefsrc) {
+@@ -841,7 +841,7 @@ link_it:
+ head = &fib_info_devhash[hash];
+ hlist_add_head(&nh->nh_hash, head);
+ } endfor_nexthops(fi)
+- write_unlock(&fib_info_lock);
++ write_unlock_bh(&fib_info_lock);
+ return fi;
+
+ err_inval:
diff --git a/queue-2.6.17/ia64-local-dos-with-corrupted-elfs.patch b/queue-2.6.17/ia64-local-dos-with-corrupted-elfs.patch
new file mode 100644
index 00000000000..3cb352ba010
--- /dev/null
+++ b/queue-2.6.17/ia64-local-dos-with-corrupted-elfs.patch
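Review bot: Nothing at the converted sites records why the `_bh` variants are mandatory for fib_info_lock, so a later writer added with plain write_lock() would reintroduce the same deadlock. The description gives the reason: a BH can interrupt the write-side holder and then spin in read_lock() from ip_check_fib_default(). I would put that where the lock is first taken in fib_release_info(), e.g. `/* fib_info_lock is read-locked from softirq context; writers must disable BHs */`, or at the lock's definition, which is outside these hunks. Only three lock/unlock pairs are visible here, so it is worth confirming that no other write_lock(&fib_info_lock) user remains in the file. fib_hash_move() and the function containing `link_it:` are only partly shown.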
@@ -0,0 +1,285 @@
+From stable-bounces@linux.kernel.org Wed Aug 16 01:57:04 2006
+Message-ID: <44E2DE22.6050603@sw.ru>
+Date: Wed, 16 Aug 2006 12:58:10 +0400
+From: Kirill Korotaev
+To: Chris Wright , Greg KH , stable@kernel.org, "David S. Miller" , "Luck, Tony" , xemul@sw.ru
+Subject: IA64: local DoS with corrupted ELFs
+
+From: Kirill Korotaev
+
+This patch prevents cross-region mappings
+on IA64 and SPARC which could lead to system crash.
+
+davem@ confirmed: "This looks fine to me." :)
+
+Signed-Off-By: Pavel Emelianov
+Signed-Off-By: Kirill Korotaev
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ arch/ia64/kernel/sys_ia64.c | 28 ++++++++++++++++------------
+ arch/sparc/kernel/sys_sparc.c | 27 +++++++++++++++------------
+ arch/sparc64/kernel/sys_sparc.c | 36 ++++++++++++++++++++----------------
+ include/asm-generic/mman.h | 6 ++++++
+ include/asm-ia64/mman.h | 6 ++++++
+ include/asm-sparc/mman.h | 6 ++++++
+ include/asm-sparc64/mman.h | 6 ++++++
+ mm/mmap.c | 13 +++++++++++--
+ 8 files changed, 86 insertions(+), 42 deletions(-)
+
+--- linux-2.6.17.9.orig/arch/ia64/kernel/sys_ia64.c
++++ linux-2.6.17.9/arch/ia64/kernel/sys_ia64.c
+@@ -164,10 +164,25 @@ sys_pipe (void)
+ return retval;
+ }
+
++int ia64_map_check_rgn(unsigned long addr, unsigned long len,
++ unsigned long flags)
++{
++ unsigned long roff;
++
++ /*
++ * Don't permit mappings into unmapped space, the virtual page table
++ * of a region, or across a region boundary. Note: RGN_MAP_LIMIT is
++ * equal to 2^n-PAGE_SIZE (for some integer n <= 61) and len > 0.
++ */
++ roff = REGION_OFFSET(addr);
++ if ((len > RGN_MAP_LIMIT) || (roff > (RGN_MAP_LIMIT - len)))
++ return -EINVAL;
++ return 0;
++}
++
+ static inline unsigned long
+ do_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd, unsigned long pgoff)
+ {
+- unsigned long roff;
+ struct file *file = NULL;
+
+ flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+@@ -189,17 +204,6 @@ do_mmap2 (unsigned long addr, unsigned l
+ goto out;
+ }
+
+- /*
+- * Don't permit mappings into unmapped space, the virtual page table of a region,
+- * or across a region boundary. Note: RGN_MAP_LIMIT is equal to 2^n-PAGE_SIZE
+- * (for some integer n <= 61) and len > 0.
+- */
+- roff = REGION_OFFSET(addr);
+- if ((len > RGN_MAP_LIMIT) || (roff > (RGN_MAP_LIMIT - len))) {
+- addr = -EINVAL;
+- goto out;
+- }
+-
+ down_write(¤t->mm->mmap_sem);
+ addr = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+ up_write(¤t->mm->mmap_sem);
+--- linux-2.6.17.9.orig/arch/sparc/kernel/sys_sparc.c
++++ linux-2.6.17.9/arch/sparc/kernel/sys_sparc.c
+@@ -219,6 +219,21 @@ out:
+ return err;
+ }
+
++int sparc_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
++{
++ if (ARCH_SUN4C_SUN4 &&
++ (len > 0x20000000 ||
++ ((flags & MAP_FIXED) &&
++ addr < 0xe0000000 && addr + len > 0x20000000)))
++ return -EINVAL;
++
++ /* See asm-sparc/uaccess.h */
++ if (len > TASK_SIZE - PAGE_SIZE || addr + len > TASK_SIZE - PAGE_SIZE)
++ return -EINVAL;
++
++ return 0;
++}
++
+ /* Linux version of mmap */
+ static unsigned long do_mmap2(unsigned long addr, unsigned long len,
+ unsigned long prot, unsigned long flags, unsigned long fd,
+@@ -233,25 +248,13 @@ static unsigned long do_mmap2(unsigned l
+ goto out;
+ }
+
+- retval = -EINVAL;
+ len = PAGE_ALIGN(len);
+- if (ARCH_SUN4C_SUN4 &&
+- (len > 0x20000000 ||
+- ((flags & MAP_FIXED) &&
+- addr < 0xe0000000 && addr + len > 0x20000000)))
+- goto out_putf;
+-
+- /* See asm-sparc/uaccess.h */
+- if (len > TASK_SIZE - PAGE_SIZE || addr + len > TASK_SIZE - PAGE_SIZE)
+- goto out_putf;
+-
+ flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+
+ down_write(¤t->mm->mmap_sem);
+ retval = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+ up_write(¤t->mm->mmap_sem);
+
+-out_putf:
+ if (file)
+ fput(file);
+ out:
+--- linux-2.6.17.9.orig/arch/sparc64/kernel/sys_sparc.c
++++ linux-2.6.17.9/arch/sparc64/kernel/sys_sparc.c
+@@ -549,6 +549,26 @@ asmlinkage long sparc64_personality(unsi
+ return ret;
+ }
+
++int sparc64_mmap_check(unsigned long addr, unsigned long len,
++ unsigned long flags)
++{
++ if (test_thread_flag(TIF_32BIT)) {
++ if (len >= STACK_TOP32)
++ return -EINVAL;
++
++ if ((flags & MAP_FIXED) && addr > STACK_TOP32 - len)
++ return -EINVAL;
++ } else {
++ if (len >= VA_EXCLUDE_START)
++ return -EINVAL;
++
++ if ((flags & MAP_FIXED) && invalid_64bit_range(addr, len))
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ /* Linux version of mmap */
+ asmlinkage unsigned long sys_mmap(unsigned long addr, unsigned long len,
+ unsigned long prot, unsigned long flags, unsigned long fd,
+@@ -564,27 +584,11 @@ asmlinkage unsigned long sys_mmap(unsign
+ }
+ flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+ len = PAGE_ALIGN(len);
+- retval = -EINVAL;
+-
+- if (test_thread_flag(TIF_32BIT)) {
+- if (len >= STACK_TOP32)
+- goto out_putf;
+-
+- if ((flags & MAP_FIXED) && addr > STACK_TOP32 - len)
+- goto out_putf;
+- } else {
+- if (len >= VA_EXCLUDE_START)
+- goto out_putf;
+-
+- if ((flags & MAP_FIXED) && invalid_64bit_range(addr, len))
+- goto out_putf;
+- }
+
+ down_write(¤t->mm->mmap_sem);
+ retval = do_mmap(file, addr, len, prot, flags, off);
+ up_write(¤t->mm->mmap_sem);
+
+-out_putf:
+ if (file)
+ fput(file);
+ out:
+--- linux-2.6.17.9.orig/include/asm-generic/mman.h
++++ linux-2.6.17.9/include/asm-generic/mman.h
+@@ -39,4 +39,10 @@
+ #define MAP_ANON MAP_ANONYMOUS
+ #define MAP_FILE 0
+
++#ifdef __KERNEL__
++#ifndef arch_mmap_check
++#define arch_mmap_check(addr, len, flags) (0)
++#endif
++#endif
++
+ #endif
+--- linux-2.6.17.9.orig/include/asm-ia64/mman.h
++++ linux-2.6.17.9/include/asm-ia64/mman.h
+@@ -8,6 +8,12 @@
+ * David Mosberger-Tang , Hewlett-Packard Co
+ */
+
++#ifdef __KERNEL__
++#define arch_mmap_check ia64_map_check_rgn
++int ia64_map_check_rgn(unsigned long addr, unsigned long len,
++ unsigned long flags);
++#endif
++
+ #include
+
+ #define MAP_GROWSDOWN 0x00100 /* stack-like segment */
+--- linux-2.6.17.9.orig/include/asm-sparc/mman.h
++++ linux-2.6.17.9/include/asm-sparc/mman.h
+@@ -2,6 +2,12 @@
+ #ifndef __SPARC_MMAN_H__
+ #define __SPARC_MMAN_H__
+
++#ifdef __KERNEL__
++#define arch_mmap_check sparc_mmap_check
++int sparc_mmap_check(unsigned long addr, unsigned long len,
++ unsigned long flags);
++#endif
++
+ #include
+
+ /* SunOS'ified... */
+--- linux-2.6.17.9.orig/include/asm-sparc64/mman.h
++++ linux-2.6.17.9/include/asm-sparc64/mman.h
+@@ -2,6 +2,12 @@
+ #ifndef __SPARC64_MMAN_H__
+ #define __SPARC64_MMAN_H__
+
++#ifdef __KERNEL__
++#define arch_mmap_check sparc64_mmap_check
++int sparc64_mmap_check(unsigned long addr, unsigned long len,
++ unsigned long flags);
++#endif
++
+ #include
+
+ /* SunOS'ified... */
+--- linux-2.6.17.9.orig/mm/mmap.c
++++ linux-2.6.17.9/mm/mmap.c
+@@ -913,6 +913,10 @@ unsigned long do_mmap_pgoff(struct file
+ if (!len)
+ return -EINVAL;
+
++ error = arch_mmap_check(addr, len, flags);
++ if (error)
++ return error;
++
+ /* Careful about overflows.. */
+ len = PAGE_ALIGN(len);
+ if (!len || len > TASK_SIZE)
+@@ -1852,6 +1856,7 @@ unsigned long do_brk(unsigned long addr,
+ unsigned long flags;
+ struct rb_node ** rb_link, * rb_parent;
+ pgoff_t pgoff = addr >> PAGE_SHIFT;
++ int error;
+
+ len = PAGE_ALIGN(len);
+ if (!len)
+@@ -1860,6 +1865,12 @@ unsigned long do_brk(unsigned long addr,
+ if ((addr + len) > TASK_SIZE || (addr + len) < addr)
+ return -EINVAL;
+
++ flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
++
++ error = arch_mmap_check(addr, len, flags);
++ if (error)
++ return error;
++
+ /*
+ * mlock MCL_FUTURE?
+ */
+@@ -1900,8 +1911,6 @@ unsigned long do_brk(unsigned long addr,
+ if (security_vm_enough_memory(len >> PAGE_SHIFT))
+ return -ENOMEM;
+
+- flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
+-
+ /* Can we just expand an old private anonymous mapping? */
+ if (vma_merge(mm, prev, addr, addr + len, flags,
+ NULL, NULL, pgoff, NULL))
diff --git a/queue-2.6.17/ip_tables-fix-table-locking-in-ipt_do_table.patch b/queue-2.6.17/ip_tables-fix-table-locking-in-ipt_do_table.patch
new file mode 100644
index 00000000000..c3433051752
--- /dev/null
+++ b/queue-2.6.17/ip_tables-fix-table-locking-in-ipt_do_table.patch
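Review bot: In do_brk() the new call passes a VM_* word (`VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags`) as the `flags` argument of arch_mmap_check(), while sparc_mmap_check() and sparc64_mmap_check() test that argument with `flags & MAP_FIXED`, which is a MAP_* bit. Whether the fixed-address range checks run for brk therefore depends on how the two bit namespaces happen to overlap rather than on intent; since brk maps at the address it is given, `error = arch_mmap_check(addr, len, MAP_FIXED);` would state it explicitly. In do_mmap_pgoff() the check also runs on `len` before `len = PAGE_ALIGN(len)` and on the caller-supplied `addr`, so for a caller that passes an unaligned length, or no MAP_FIXED, the range validated may not be the range finally mapped. Running the check after alignment, and on the chosen address if that is selected later (the selection is outside the hunk), would close that gap. Both functions continue outside the hunks.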
@@ -0,0 +1,61 @@
+From stable-bounces@linux.kernel.org Thu Aug 17 22:53:48 2006
+Message-ID: <44E555B9.9010009@trash.net>
+Date: Fri, 18 Aug 2006 07:52:57 +0200
+From: Patrick McHardy
+To: stable@kernel.org
+Cc: Adrian Bunk
+Subject: [NETFILTER]: ip_tables: fix table locking in ipt_do_table
+
+From: Patrick McHardy
+
+[NETFILTER]: ip_tables: fix table locking in ipt_do_table
+
+table->private might change because of ruleset changes, don't use it without
+holding the lock.
+
+Signed-off-by: Patrick McHardy
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/netfilter/arp_tables.c | 3 ++-
+ net/ipv4/netfilter/ip_tables.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- linux-2.6.17.9.orig/net/ipv4/netfilter/arp_tables.c
++++ linux-2.6.17.9/net/ipv4/netfilter/arp_tables.c
+@@ -237,7 +237,7 @@ unsigned int arpt_do_table(struct sk_buf
+ struct arpt_entry *e, *back;
+ const char *indev, *outdev;
+ void *table_base;
+- struct xt_table_info *private = table->private;
++ struct xt_table_info *private;
+
+ /* ARP header, plus 2 device addresses, plus 2 IP addresses. */
+ if (!pskb_may_pull((*pskb), (sizeof(struct arphdr) +
+@@ -249,6 +249,7 @@ unsigned int arpt_do_table(struct sk_buf
+ outdev = out ? out->name : nulldevname;
+
+ read_lock_bh(&table->lock);
++ private = table->private;
+ table_base = (void *)private->entries[smp_processor_id()];
+ e = get_entry(table_base, private->hook_entry[hook]);
+ back = get_entry(table_base, private->underflow[hook]);
+--- linux-2.6.17.9.orig/net/ipv4/netfilter/ip_tables.c
++++ linux-2.6.17.9/net/ipv4/netfilter/ip_tables.c
+@@ -231,7 +231,7 @@ ipt_do_table(struct sk_buff **pskb,
+ const char *indev, *outdev;
+ void *table_base;
+ struct ipt_entry *e, *back;
+- struct xt_table_info *private = table->private;
++ struct xt_table_info *private;
+
+ /* Initialization */
+ ip = (*pskb)->nh.iph;
+@@ -248,6 +248,7 @@ ipt_do_table(struct sk_buff **pskb,
+
+ read_lock_bh(&table->lock);
+ IP_NF_ASSERT(table->valid_hooks & (1 << hook));
++ private = table->private;
+ table_base = (void *)private->entries[smp_processor_id()];
+ e = get_entry(table_base, private->hook_entry[hook]);
+
diff --git a/queue-2.6.17/pci-fix-ich6-quirks.patch b/queue-2.6.17/pci-fix-ich6-quirks.patch
new file mode 100644
index 00000000000..28d0902d822
--- /dev/null
+++ b/queue-2.6.17/pci-fix-ich6-quirks.patch
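Review bot: The reason `private` is now loaded after read_lock_bh() exists only in the commit message, and in arpt_do_table() and ipt_do_table() the bare `private = table->private;` reads like something a later cleanup could fold back into the declaration. I would add `/* table->private can be replaced by a ruleset change; only read it under table->lock */` above the assignment in both functions. The diffstat covers the ARP and IPv4 tables only, so any sibling table walker that still initialises the pointer at its declaration would need the same change; none is visible here. Both functions extend beyond the hunks.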
@@ -0,0 +1,46 @@
+From daniel.ritz-ml@swissonline.ch Fri Aug 18 07:50:50 2006
+From: Daniel Ritz
+To: Greg KH , Andrew Morton
+Subject: PCI: fix ICH6 quirks
+Date: Fri, 18 Aug 2006 16:50:40 +0200
+Cc: Jean Delvare ,
+ "linux-kernel" ,
+ "linux-pci"
+Content-Disposition: inline
+Message-Id: <200608181650.41869.daniel.ritz-ml@swissonline.ch>
+
+From: Daniel Ritz
+
+[PATCH] PCI: fix ICH6 quirks
+
+- add the ICH6(R) LPC to the ICH6 ACPI quirks. currently only the ICH6-M is
+ handled. [ PCI_DEVICE_ID_INTEL_ICH6_1 is the ICH6-M LPC, ICH6_0 is the ICH6(R) ]
+- remove the wrong quirk calling asus_hides_smbus_lpc() for ICH6. the register
+ modified in asus_hides_smbus_lpc() has a different meaning in ICH6.
+
+Signed-off-by: Daniel Ritz
+Cc: Jean Delvare
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/quirks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.17.9.orig/drivers/pci/quirks.c
++++ linux-2.6.17.9/drivers/pci/quirks.c
+@@ -427,6 +427,7 @@ static void __devinit quirk_ich6_lpc_acp
+ pci_read_config_dword(dev, 0x48, ®ion);
+ quirk_io_region(dev, region, 64, PCI_BRIDGE_RESOURCES+1, "ICH6 GPIO");
+ }
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH6_0, quirk_ich6_lpc_acpi );
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH6_1, quirk_ich6_lpc_acpi );
+
+ /*
+@@ -1043,7 +1044,6 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_I
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82801CA_12, asus_hides_smbus_lpc );
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82801DB_12, asus_hides_smbus_lpc );
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82801EB_0, asus_hides_smbus_lpc );
+-DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH6_1, asus_hides_smbus_lpc );
+
+ static void __init asus_hides_smbus_lpc_ich6(struct pci_dev *dev)
+ {
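Review bot: The two `DECLARE_PCI_FIXUP_HEADER` lines for quirk_ich6_lpc_acpi differ only in `ICH6_0` versus `ICH6_1`, and the mapping that motivated the fix (ICH6_1 is the ICH6-M LPC, ICH6_0 the ICH6(R) LPC) is recorded only in the description. A trailing comment on each line, `/* ICH6(R) LPC */` and `/* ICH6-M LPC */`, would keep a later reader from treating one as a duplicate. A one-line comment above asus_hides_smbus_lpc_ich6() saying that the register written by asus_hides_smbus_lpc() has a different meaning on ICH6 would likewise explain why ICH6_1 is deliberately absent from the list above it. That function's body is outside the hunk.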
diff --git a/queue-2.6.17/serial-icom-select-fw_loader.patch b/queue-2.6.17/serial-icom-select-fw_loader.patch
new file mode 100644
index 00000000000..2dc76941896
--- /dev/null
+++ b/queue-2.6.17/serial-icom-select-fw_loader.patch
@@ -0,0 +1,33 @@
+From stable-bounces@linux.kernel.org Wed Aug 16 10:54:58 2006
+Date: Wed, 16 Aug 2006 19:53:50 +0200
+From: Olaf Hering
+To: stable@kernel.org, bunk@stusta.de, maks@sternwelten.at
+Message-ID: <20060816175350.GA9888@aepfle.de>
+Content-Disposition: inline
+Cc: linux-kernel@vger.kernel.org
+Subject: SERIAL: icom: select FW_LOADER
+
+From: Olaf Hering
+
+The icom driver uses request_firmware()
+and thus needs to select FW_LOADER.
+
+Signed-off-by: maximilian attems
+Signed-off-by: Olaf Hering
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/serial/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.17.9.orig/drivers/serial/Kconfig
++++ linux-2.6.17.9/drivers/serial/Kconfig
+@@ -803,6 +803,7 @@ config SERIAL_MPC52xx
+ tristate "Freescale MPC52xx family PSC serial support"
+ depends on PPC_MPC52xx
+ select SERIAL_CORE
++ select FW_LOADER
+ help
+ This drivers support the MPC52xx PSC serial ports. If you would
+ like to use them, you must answer Y or M to this option. Not that
diff --git a/queue-2.6.17/series b/queue-2.6.17/series
index 433b26b5ab5..95f7b62a1fa 100644
--- a/queue-2.6.17/series
+++ b/queue-2.6.17/series
@@ -1,3 +1,4 @@
+deprecate-physdev-keys.patch
 have-ext3-reject-file-handles-with-bad-inode-numbers-early.patch
 sky2-phy-power-problem-on-88e805x.patch
 kill-hash_highmem-from-route-cache-hash-sizing.patch
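Review bot: The added `select FW_LOADER` lands in the wrong entry: the hunk context is `config SERIAL_MPC52xx` ("Freescale MPC52xx family PSC serial support"), not the icom driver that the subject and description name as the request_firmware() user. As queued, the icom option would still not pull in FW_LOADER, and the MPC52xx option gains a select that nothing in the description justifies. The line belongs in the icom driver's own config entry, next to its other `select` lines if it has any. That entry is not visible in this hunk, so the patch needs regenerating against the right context.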
@@ -7,3 +8,11 @@ fix-befs-slab-corruption.patch
 disable-debugging-version-of-write_lock.patch
 ipx-header-length-validation-needed.patch
 tpm-interrupt-clear-fix.patch
+ulog-fix-panic-on-smp-kernels.patch
+sys_getppid-oopses-on-debug-kernel.patch
+serial-icom-select-fw_loader.patch
+pci-fix-ich6-quirks.patch
+ip_tables-fix-table-locking-in-ipt_do_table.patch
+ia64-local-dos-with-corrupted-elfs.patch
+fix-ipv4-routing-locking-bug.patch
+dm-bug-oops-fix.patch
diff --git a/queue-2.6.17/sys_getppid-oopses-on-debug-kernel.patch b/queue-2.6.17/sys_getppid-oopses-on-debug-kernel.patch
new file mode 100644
index 00000000000..a453268b48c
--- /dev/null
+++ b/queue-2.6.17/sys_getppid-oopses-on-debug-kernel.patch
@@ -0,0 +1,84 @@
+From stable-bounces@linux.kernel.org Sun Aug 13 23:25:48 2006
+Message-Id: <200608140624.k7E6ONGE007003@shell0.pdx.osdl.net>
+To: greg@kroah.com
+From: akpm@osdl.org
+Date: Sun, 13 Aug 2006 23:24:23 -0700
+Cc: akpm@osdl.org, dev@openvz.org, stable@kernel.org, haveblue@us.ibm.com, dev@sw.ru, torvalds@osdl.org, oleg@tv-sign.ru
+Subject: sys_getppid oopses on debug kernel
+
+From: Kirill Korotaev
+
+sys_getppid() optimization can access a freed memory. On kernels with
+DEBUG_SLAB turned ON, this results in Oops. As Dave Hansen noted, this
+optimization is also unsafe for memory hotplug.
+
+So this patch always takes the lock to be safe.
+
+[oleg@tv-sign.ru: simplifications]
+
+Signed-off-by: Kirill Korotaev
+Cc: Dave Hansen
+Signed-off-by: Oleg Nesterov
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/timer.c | 41 +++++++----------------------------------
+ 1 file changed, 7 insertions(+), 34 deletions(-)
+
+--- linux-2.6.17.9.orig/kernel/timer.c
++++ linux-2.6.17.9/kernel/timer.c
+@@ -975,46 +975,19 @@ asmlinkage long sys_getpid(void)
+ }
+
+ /*
+- * Accessing ->group_leader->real_parent is not SMP-safe, it could
+- * change from under us. However, rather than getting any lock
+- * we can use an optimistic algorithm: get the parent
+- * pid, and go back and check that the parent is still
+- * the same. If it has changed (which is extremely unlikely
+- * indeed), we just try again..
+- *
+- * NOTE! This depends on the fact that even if we _do_
+- * get an old value of "parent", we can happily dereference
+- * the pointer (it was and remains a dereferencable kernel pointer
+- * no matter what): we just can't necessarily trust the result
+- * until we know that the parent pointer is valid.
+- *
+- * NOTE2: ->group_leader never changes from under us.
++ * Accessing ->real_parent is not SMP-safe, it could
++ * change from under us. However, we can use a stale
++ * value of ->real_parent under rcu_read_lock(), see
++ * release_task()->call_rcu(delayed_put_task_struct).
+ */
+ asmlinkage long sys_getppid(void)
+ {
+ int pid;
+- struct task_struct *me = current;
+- struct task_struct *parent;
+
+- parent = me->group_leader->real_parent;
+- for (;;) {
+- pid = parent->tgid;
+-#if defined(CONFIG_SMP) || defined(CONFIG_PREEMPT)
+-{
+- struct task_struct *old = parent;
++ rcu_read_lock();
++ pid = rcu_dereference(current->real_parent)->tgid;
++ rcu_read_unlock();
+
+- /*
+- * Make sure we read the pid before re-reading the
+- * parent pointer:
+- */
+- smp_rmb();
+- parent = me->group_leader->real_parent;
+- if (old != parent)
+- continue;
+-}
+-#endif
+- break;
+- }
+ return pid;
+ }
+
diff --git a/queue-2.6.17/ulog-fix-panic-on-smp-kernels.patch b/queue-2.6.17/ulog-fix-panic-on-smp-kernels.patch
new file mode 100644
index 00000000000..7ed87f19aec
--- /dev/null
+++ b/queue-2.6.17/ulog-fix-panic-on-smp-kernels.patch
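Review bot: The new sys_getppid() is safe only if a task_struct reached through a stale `->real_parent` cannot be freed before rcu_read_unlock(), which the new comment attributes to release_task()->call_rcu(delayed_put_task_struct). For a stable backport that dependency should be confirmed in the 2.6.17 tree itself, because without RCU-deferred freeing the `->tgid` read is the same use of freed memory the patch sets out to remove; nothing in this hunk shows it. The read also moved from `me->group_leader->real_parent` to `current->real_parent` and the old NOTE2 was dropped, so the comment should say why the two are equivalent for a non-leader thread, e.g. `* Threads share the leader's ->real_parent, so current's copy is read directly.`, if that is indeed the invariant being relied on.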
@@ -0,0 +1,70 @@
+From stable-bounces@linux.kernel.org Fri Aug 11 17:46:20 2006
+Message-ID: <44DD24B8.5040307@trash.net>
+Date: Sat, 12 Aug 2006 02:45:44 +0200
+From: Patrick McHardy
+To: stable@kernel.org
+Cc: Adrian Bunk
+Subject: [NETFILTER]: ulog: fix panic on SMP kernels
+
+From: Mark Huang
+
+[NETFILTER]: ulog: fix panic on SMP kernels
+
+Fix kernel panic on various SMP machines. The culprit is a null
+ub->skb in ulog_send(). If ulog_timer() has already been scheduled on
+one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the
+queue on another CPU by calling ulog_send() right before it exits,
+there will be no skbuff when ulog_timer() acquires the lock and calls
+ulog_send(). Cancelling the timer in ulog_send() doesn't help because
+it has already been scheduled and is running on the first CPU.
+
+Similar problem exists in ebt_ulog.c and nfnetlink_log.c.
+
+Signed-off-by: Mark Huang
+Signed-off-by: Patrick McHardy
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bridge/netfilter/ebt_ulog.c | 3 +++
+ net/ipv4/netfilter/ipt_ULOG.c | 5 +++++
+ net/netfilter/nfnetlink_log.c | 3 +++
+ 3 files changed, 11 insertions(+)
+
+--- linux-2.6.17.9.orig/net/bridge/netfilter/ebt_ulog.c
++++ linux-2.6.17.9/net/bridge/netfilter/ebt_ulog.c
+@@ -75,6 +75,9 @@ static void ulog_send(unsigned int nlgro
+ if (timer_pending(&ub->timer))
+ del_timer(&ub->timer);
+
++ if (!ub->skb)
++ return;
++
+ /* last nlmsg needs NLMSG_DONE */
+ if (ub->qlen > 1)
+ ub->lastnlh->nlmsg_type = NLMSG_DONE;
+--- linux-2.6.17.9.orig/net/ipv4/netfilter/ipt_ULOG.c
++++ linux-2.6.17.9/net/ipv4/netfilter/ipt_ULOG.c
+@@ -116,6 +116,11 @@ static void ulog_send(unsigned int nlgro
+ del_timer(&ub->timer);
+ }
+
++ if (!ub->skb) {
++ DEBUGP("ipt_ULOG: ulog_send: nothing to send\n");
++ return;
++ }
++
+ /* last nlmsg needs NLMSG_DONE */
+ if (ub->qlen > 1)
+ ub->lastnlh->nlmsg_type = NLMSG_DONE;
+--- linux-2.6.17.9.orig/net/netfilter/nfnetlink_log.c
++++ linux-2.6.17.9/net/netfilter/nfnetlink_log.c
+@@ -366,6 +366,9 @@ __nfulnl_send(struct nfulnl_instance *in
+ if (timer_pending(&inst->timer))
+ del_timer(&inst->timer);
+
++ if (!inst->skb)
++ return 0;
++
+ if (inst->qlen > 1)
+ inst->lastnlh->nlmsg_type = NLMSG_DONE;
+
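Review bot: The three new NULL checks are correct only while every caller of ulog_send() and __nfulnl_send() holds the buffer lock, because the race in the description is the timer handler entering after another CPU has already flushed the queue; none of the checks carries a comment saying so. I would add above each one something like `/* the timer can run after the queue was flushed on another CPU; nothing left to send */`. In __nfulnl_send() the early `return 0;` cannot be told apart from a successful send, which looks intended but deserves a word in the same comment. All three functions continue outside the hunks.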