From: Greg Kroah-Hartman Date: Wed, 16 Nov 2005 05:56:58 +0000 (-0800) Subject: add Dave Jones to review list. Also move the 2.6.14.2 patches to the proper directory X-Git-Tag: v2.6.14.3~12^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=836eb720171ccb7ef9e60c8f3b5fb750de725664;p=thirdparty%2Fkernel%2Fstable-queue.git add Dave Jones to review list. Also move the 2.6.14.2 patches to the proper directory --- diff --git a/00 b/00 index d1df1f26b49..20affcc6e32 100644 --- a/00 +++ b/00 @@ -4,6 +4,7 @@ Cc: Justin Forbes , Zwane Mwaikambo , Theodore Ts'o , Randy Dunlap , + Dave Jones , Chuck Wolber , torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk Subject: [00/@num@] -stable review diff --git a/2.6.14.2/airo.c-airo_cs.c-correct-prototypes.patch b/2.6.14.2/airo.c-airo_cs.c-correct-prototypes.patch new file mode 100644 index 00000000000..1a8cdc30024 --- /dev/null +++ b/2.6.14.2/airo.c-airo_cs.c-correct-prototypes.patch @@ -0,0 +1,72 @@ +From stable-bounces@linux.kernel.org Sat Nov 5 08:42:46 2005 +Date: Sat, 5 Nov 2005 17:42:27 +0100 +From: Adrian Bunk +To: jgarzik@pobox.com +Message-ID: <20051105164227.GK5368@stusta.de> +Content-Disposition: inline +Cc: netdev@vger.kernel.org, Benjamin Reed , linux-kernel@vger.kernel.org, stable@kernel.org +Subject: airo.c/airo_cs.c: correct prototypes + +This patch creates a file airo.h containing prototypes of the global +functions in airo.c used by airo_cs.c . + +If you got strange problems with either airo_cs devices or in any other +completely unrelated part of the kernel shortly or long after a airo_cs +device was detected by the kernel, this might have been caused by the +fact that caller and callee disagreed regarding the size of the first +argument to init_airo_card()... + +Signed-off-by: Adrian Bunk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/airo.c | 2 ++ + drivers/net/wireless/airo.h | 9 +++++++++ + drivers/net/wireless/airo_cs.c | 6 ++---- + 3 files changed, 13 insertions(+), 4 deletions(-) + +--- /dev/null ++++ linux-2.6.14.1/drivers/net/wireless/airo.h +@@ -0,0 +1,9 @@ ++#ifndef _AIRO_H_ ++#define _AIRO_H_ ++ ++struct net_device *init_airo_card(unsigned short irq, int port, int is_pcmcia, ++ struct device *dmdev); ++int reset_airo_card(struct net_device *dev); ++void stop_airo_card(struct net_device *dev, int freeres); ++ ++#endif /* _AIRO_H_ */ +--- linux-2.6.14.1.orig/drivers/net/wireless/airo.c ++++ linux-2.6.14.1/drivers/net/wireless/airo.c +@@ -46,6 +46,8 @@ + #include + #include + ++#include "airo.h" ++ + #ifdef CONFIG_PCI + static struct pci_device_id card_ids[] = { + { 0x14b9, 1, PCI_ANY_ID, PCI_ANY_ID, }, +--- linux-2.6.14.1.orig/drivers/net/wireless/airo_cs.c ++++ linux-2.6.14.1/drivers/net/wireless/airo_cs.c +@@ -42,6 +42,8 @@ + #include + #include + ++#include "airo.h" ++ + /* + All the PCMCIA modules use PCMCIA_DEBUG to control debugging. If + you do not define PCMCIA_DEBUG at all, all the debug code will be +@@ -78,10 +80,6 @@ MODULE_SUPPORTED_DEVICE("Aironet 4500, 4 + event handler. + */ + +-struct net_device *init_airo_card( int, int, int, struct device * ); +-void stop_airo_card( struct net_device *, int ); +-int reset_airo_card( struct net_device * ); +- + static void airo_config(dev_link_t *link); + static void airo_release(dev_link_t *link); + static int airo_event(event_t event, int priority, diff --git a/2.6.14.2/cfq-io-sched-fix.patch b/2.6.14.2/cfq-io-sched-fix.patch new file mode 100644 index 00000000000..ab0a480d31d --- /dev/null +++ b/2.6.14.2/cfq-io-sched-fix.patch @@ -0,0 +1,72 @@ +From stable-bounces@linux.kernel.org Mon Oct 31 04:51:49 2005 +Date: Mon, 31 Oct 2005 13:52:39 +0100 +From: Jens Axboe +To: stable@kernel.org +Cc: +Subject: [PATCH] Oops on suspend after on-the-fly switch to anticipatory i/o scheduler - PowerBook5, 4 + +Paul Collins wrote: +>I boot with elevator=cfq (wanted to try the ionice stuff, never got +>around to it). Having decided to go back to the anticipatory +>scheduler, I did the following: +> +># echo anticipatory > /sys/block/hda/queue/scheduler +># echo anticipatory > /sys/block/hdc/queue/scheduler +> +>A while later I did 'sudo snooze', which produced the Oops below. +> +>Booting with elevator=as and then changing to cfq, sleep works fine. +>But if I resume and change back to anticipatory I get a similar Oops +>on the next 'sudo snooze'. +> +> +> Oops: kernel access of bad area, sig: 11 [#1] +> NIP: C01E1948 LR: C01D6A60 SP: EFBC5C20 REGS: efbc5b70 TRAP: 0300 +>Not tainted +> MSR: 00001032 EE: 0 PR: 0 FP: 0 ME: 1 IR/DR: 11 +> DAR: 00000020, DSISR: 40000000 +> TASK = efb012c0[1213] 'pmud' THREAD: efbc4000 +> Last syscall: 54 GPR00: 00080000 EFBC5C20 EFB012C0 EFE9E044 +>EFBC5CE8 00000002 00000000 C03B0000 GPR08: C046E5D8 00000000 +>C03B47C8 E6A58360 22042422 1001E4DC 10010000 10000000 GPR16: +>10000000 10000000 10000000 7FE4EB40 10000000 10000000 10010000 +>C0400000 GPR24: C0380000 00000002 00000002 C046E0C0 00000000 +>00000002 00000000 EFBC5CE8 NIP [c01e1948] as_insert_request+0xa8/0x6b0 +> LR [c01d6a60] __elv_add_request+0xa0/0x100 +> Call trace: +> [c01d6a60] __elv_add_request+0xa0/0x100 +> [c01ffb84] ide_do_drive_cmd+0xb4/0x190 +> [c01fc1c0] generic_ide_suspend+0x80/0xa0 +> [c01d4574] suspend_device+0x104/0x160 +> [c01d47c0] device_suspend+0x120/0x330 +> [c03f3b50] pmac_suspend_devices+0x50/0x1b0 +> [c03f4294] pmu_ioctl+0x344/0x9b0 +> [c0082aa4] do_ioctl+0x84/0x90 +> [c0082b3c] vfs_ioctl+0x8c/0x460 +> [c0082f50] sys_ioctl+0x40/0x80 +> [c0004850] ret_from_syscall+0x0/0x4c + +Don't clear ->elevator_data on exit, if we are switching queues we are +overwriting the data of the new io scheduler. + +Signed-off-by: Jens Axboe +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/cfq-iosched.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- linux-2.6.14.1.orig/drivers/block/cfq-iosched.c ++++ linux-2.6.14.1/drivers/block/cfq-iosched.c +@@ -2260,10 +2260,8 @@ static void cfq_put_cfqd(struct cfq_data + if (!atomic_dec_and_test(&cfqd->ref)) + return; + +- blk_put_queue(q); +- + cfq_shutdown_timer_wq(cfqd); +- q->elevator->elevator_data = NULL; ++ blk_put_queue(q); + + mempool_destroy(cfqd->crq_pool); + kfree(cfqd->crq_hash); diff --git a/2.6.14.2/fix-alpha-breakage.patch b/2.6.14.2/fix-alpha-breakage.patch new file mode 100644 index 00000000000..59a2a05641e --- /dev/null +++ b/2.6.14.2/fix-alpha-breakage.patch @@ -0,0 +1,27 @@ +From nobody Mon Sep 17 00:00:00 2001 +Subject: [PATCH] fix alpha breakage +From: Ivan Kokshaysky +Date: 1130634943 -0700 + +barrier.h uses barrier() in non-SMP case. And doesn't include compiler.h. + +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + include/asm-alpha/barrier.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- linux-2.6.14.1.orig/include/asm-alpha/barrier.h ++++ linux-2.6.14.1/include/asm-alpha/barrier.h +@@ -1,6 +1,8 @@ + #ifndef __BARRIER_H + #define __BARRIER_H + ++#include ++ + #define mb() \ + __asm__ __volatile__("mb": : :"memory") + diff --git a/2.6.14.2/fix-de_thread-vs-send_group_sendqueue-race.patch b/2.6.14.2/fix-de_thread-vs-send_group_sendqueue-race.patch new file mode 100644 index 00000000000..fe83ad22e5d --- /dev/null +++ b/2.6.14.2/fix-de_thread-vs-send_group_sendqueue-race.patch @@ -0,0 +1,76 @@ +From oleg@tv-sign.ru Mon Nov 7 08:58:50 2005 +Date: Mon, 07 Nov 2005 21:12:43 +0300 +From: Oleg Nesterov +To: paulmck@us.ibm.com, Roland McGrath , + George Anzinger , akpm@osdl.org, + linux-kernel@vger.kernel.org, dipankar@in.ibm.com, mingo@elte.hu, + suzannew@cs.pdx.edu, Chris Wright +Subject: [PATCH] fix de_thread() vs send_group_sigqueue() race + +When non-leader thread does exec, de_thread calls release_task(leader) before +calling exit_itimers(). If local timer interrupt happens in between, it can +oops in send_group_sigqueue() while taking ->sighand->siglock == NULL. + +However, we can't change send_group_sigqueue() to check p->signal != NULL, +because sys_timer_create() does get_task_struct() only in SIGEV_THREAD_ID +case. So it is possible that this task_struct was already freed and we can't +trust p->signal. + +This patch changes de_thread() so that leader released after exit_itimers() +call. + +Signed-off-by: Oleg Nesterov +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + fs/exec.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- linux-2.6.14.1.orig/fs/exec.c ++++ linux-2.6.14.1/fs/exec.c +@@ -593,6 +593,7 @@ static inline int de_thread(struct task_ + struct signal_struct *sig = tsk->signal; + struct sighand_struct *newsighand, *oldsighand = tsk->sighand; + spinlock_t *lock = &oldsighand->siglock; ++ struct task_struct *leader = NULL; + int count; + + /* +@@ -668,7 +669,7 @@ static inline int de_thread(struct task_ + * and to assume its PID: + */ + if (!thread_group_leader(current)) { +- struct task_struct *leader = current->group_leader, *parent; ++ struct task_struct *parent; + struct dentry *proc_dentry1, *proc_dentry2; + unsigned long exit_state, ptrace; + +@@ -677,6 +678,7 @@ static inline int de_thread(struct task_ + * It should already be zombie at this point, most + * of the time. + */ ++ leader = current->group_leader; + while (leader->exit_state != EXIT_ZOMBIE) + yield(); + +@@ -736,7 +738,6 @@ static inline int de_thread(struct task_ + proc_pid_flush(proc_dentry2); + + BUG_ON(exit_state != EXIT_ZOMBIE); +- release_task(leader); + } + + /* +@@ -746,8 +747,11 @@ static inline int de_thread(struct task_ + sig->flags = 0; + + no_thread_group: +- BUG_ON(atomic_read(&sig->count) != 1); + exit_itimers(sig); ++ if (leader) ++ release_task(leader); ++ ++ BUG_ON(atomic_read(&sig->count) != 1); + + if (atomic_read(&oldsighand->count) == 1) { + /* diff --git a/2.6.14.2/fix-ptrace-self-attach-rule.patch b/2.6.14.2/fix-ptrace-self-attach-rule.patch new file mode 100644 index 00000000000..9300c5c1b0f --- /dev/null +++ b/2.6.14.2/fix-ptrace-self-attach-rule.patch @@ -0,0 +1,25 @@ +From torvalds@osdl.org Wed Nov 9 12:04:07 2005 +Date: Wed, 9 Nov 2005 11:37:57 -0800 (PST) +From: Linus Torvalds +Subject: Fix ptrace self-attach rule + +Before we did CLONE_THREAD, the way to check whether we were attaching +to ourselves was to just check "current == task", but with CLONE_THREAD +we should check that the thread group ID matches instead. + +Signed-off-by: Linus Torvalds +--- +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index 5b8dd98..b88d418 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -155,7 +155,7 @@ int ptrace_attach(struct task_struct *ta + retval = -EPERM; + if (task->pid <= 1) + goto bad; +- if (task == current) ++ if (task->tgid == current->tgid) + goto bad; + /* the same process cannot be attached many times */ + if (task->ptrace & PT_PTRACED) + diff --git a/2.6.14.2/fix-signal-live-leak-in-copy_process.patch b/2.6.14.2/fix-signal-live-leak-in-copy_process.patch new file mode 100644 index 00000000000..6b7d3fbe030 --- /dev/null +++ b/2.6.14.2/fix-signal-live-leak-in-copy_process.patch @@ -0,0 +1,29 @@ +From oleg@tv-sign.ru Sat Oct 29 08:24:41 2005 +Date: Sat, 29 Oct 2005 19:37:40 +0400 +From: Oleg Nesterov +To: linux-kernel@vger.kernel.org +Cc: Roland McGrath , Ingo Molnar , Chris Wright , Linus Torvalds , Andrew Morton +Subject: [PATCH] fix signal->live leak in copy_process() + +exit_signal() (called from copy_process's error path) should decrement +->signal->live, otherwise forking process will miss 'group_dead' in +do_exit(). + +Signed-off-by: Oleg Nesterov +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + kernel/signal.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- linux-2.6.14.1.orig/kernel/signal.c ++++ linux-2.6.14.1/kernel/signal.c +@@ -406,6 +406,8 @@ void __exit_signal(struct task_struct *t + + void exit_signal(struct task_struct *tsk) + { ++ atomic_dec(&tsk->signal->live); ++ + write_lock_irq(&tasklist_lock); + __exit_signal(tsk); + write_unlock_irq(&tasklist_lock); diff --git a/2.6.14.2/fix-zero-size-datagram-reception.patch b/2.6.14.2/fix-zero-size-datagram-reception.patch new file mode 100644 index 00000000000..486af6f929c --- /dev/null +++ b/2.6.14.2/fix-zero-size-datagram-reception.patch @@ -0,0 +1,32 @@ +From stable-bounces@linux.kernel.org Wed Nov 2 15:36:17 2005 +Date: Thu, 3 Nov 2005 07:55:38 +1100 +To: Arnaldo Carvalho de Melo , netdev@vger.kernel.org, stable@kernel.org +Message-ID: <20051102205538.GA24276@gondor.apana.org.au> +Content-Disposition: inline +From: Herbert Xu +Cc: phillips@istop.com +Subject: [NET] Fix zero-size datagram reception + +The recent rewrite of skb_copy_datagram_iovec broke the reception of +zero-size datagrams. This patch fixes it. + +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/datagram.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- linux-2.6.14.1.orig/net/core/datagram.c ++++ linux-2.6.14.1/net/core/datagram.c +@@ -213,6 +213,10 @@ int skb_copy_datagram_iovec(const struct + { + int i, err, fraglen, end = 0; + struct sk_buff *next = skb_shinfo(skb)->frag_list; ++ ++ if (!len) ++ return 0; ++ + next_skb: + fraglen = skb_headlen(skb); + i = -1; diff --git a/2.6.14.2/ipvs-fix-connection-leak.patch b/2.6.14.2/ipvs-fix-connection-leak.patch new file mode 100644 index 00000000000..3e34e151ebd --- /dev/null +++ b/2.6.14.2/ipvs-fix-connection-leak.patch @@ -0,0 +1,42 @@ +From stable-bounces@linux.kernel.org Tue Nov 8 13:15:57 2005 +Date: Tue, 8 Nov 2005 23:16:08 +0200 (EET) +From: Julian Anastasov +To: stable@kernel.org +Cc: "David S. Miller" , Roberto Nibali +Subject: [PATCH] ipvs: fix connection leak if expire_nodest_conn=1 + + +There was a fix in 2.6.13 that changed the behaviour of +ip_vs_conn_expire_now function not to put reference to connection, its +callers should hold write lock or connection refcnt. But we forgot to +convert one caller, when the real server for connection is unavailable +caller should put the connection reference. It happens only when sysctl +var expire_nodest_conn is set to 1 and such connections never expire. +Thanks to Roberto Nibali who found the problem and tested a 2.4.32-rc2 +patch, which is equal to this 2.6 version. + +Signed-off-by: Julian Anastasov +Signed-off-by: Roberto Nibali +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ipvs/ip_vs_core.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- linux-2.6.14.1.orig/net/ipv4/ipvs/ip_vs_core.c ++++ linux-2.6.14.1/net/ipv4/ipvs/ip_vs_core.c +@@ -1009,11 +1009,10 @@ ip_vs_in(unsigned int hooknum, struct sk + if (sysctl_ip_vs_expire_nodest_conn) { + /* try to expire the connection immediately */ + ip_vs_conn_expire_now(cp); +- } else { +- /* don't restart its timer, and silently +- drop the packet. */ +- __ip_vs_conn_put(cp); + } ++ /* don't restart its timer, and silently ++ drop the packet. */ ++ __ip_vs_conn_put(cp); + return NF_DROP; + } + diff --git a/2.6.14.2/prism54_frame_size.patch b/2.6.14.2/prism54_frame_size.patch new file mode 100644 index 00000000000..2f1f2ad46bf --- /dev/null +++ b/2.6.14.2/prism54_frame_size.patch @@ -0,0 +1,44 @@ +From stable-bounces@linux.kernel.org Fri Oct 28 13:12:10 2005 +Date: Sat, 22 Oct 2005 11:01:02 +0200 +From: Roger While +To: netdev@vger.kernel.org +Cc: jgarzik@pobox.com +Subject: [PATCH 2.6.14-rc5] prism54 : Fix frame length + +prism54 is leaking information when passing transmits to the firmware. +There is no requirement to adjust the length to >= ETH_ZLEN. +Just pass the skb length (after possible adjustment). + +This should also be considered for 2.6.13 stable. + +Signed-off-by: Roger While +Acked-by: Jeff Garzik +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/prism54/islpci_eth.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- linux-2.6.14.1.orig/drivers/net/wireless/prism54/islpci_eth.c ++++ linux-2.6.14.1/drivers/net/wireless/prism54/islpci_eth.c +@@ -97,12 +97,6 @@ islpci_eth_transmit(struct sk_buff *skb, + /* lock the driver code */ + spin_lock_irqsave(&priv->slock, flags); + +- /* determine the amount of fragments needed to store the frame */ +- +- frame_size = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len; +- if (init_wds) +- frame_size += 6; +- + /* check whether the destination queue has enough fragments for the frame */ + curr_frag = le32_to_cpu(cb->driver_curr_frag[ISL38XX_CB_TX_DATA_LQ]); + if (unlikely(curr_frag - priv->free_data_tx >= ISL38XX_CB_TX_QSIZE)) { +@@ -213,6 +207,7 @@ islpci_eth_transmit(struct sk_buff *skb, + /* store the skb address for future freeing */ + priv->data_low_tx[index] = skb; + /* set the proper fragment start address and size information */ ++ frame_size = skb->len; + fragment->size = cpu_to_le16(frame_size); + fragment->flags = cpu_to_le16(0); /* set to 1 if more fragments */ + fragment->address = cpu_to_le32(pci_map_address); diff --git a/2.6.14.2/series b/2.6.14.2/series new file mode 100644 index 00000000000..b89b9bd25e0 --- /dev/null +++ b/2.6.14.2/series @@ -0,0 +1,12 @@ +prism54_frame_size.patch +xfs-modular-quota-build-fix.patch +cfq-io-sched-fix.patch +usb-interface-modalias-fix.patch +tcp-bic-max-increment-too-large.patch +airo.c-airo_cs.c-correct-prototypes.patch +fix-zero-size-datagram-reception.patch +fix-signal-live-leak-in-copy_process.patch +fix-de_thread-vs-send_group_sendqueue-race.patch +ipvs-fix-connection-leak.patch +fix-alpha-breakage.patch +fix-ptrace-self-attach-rule.patch diff --git a/2.6.14.2/stable.mbox b/2.6.14.2/stable.mbox new file mode 100644 index 00000000000..8363e5d6ff5 --- /dev/null +++ b/2.6.14.2/stable.mbox @@ -0,0 +1,878 @@ +From greg@press.kroah.org Wed Nov 9 10:26:10 2005 +Message-Id: <20051109182205.294803000@press.kroah.org> +Date: Wed, 09 Nov 2005 10:22:05 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk +Subject: [patch 00/11] - stable review +Content-Length: 737 +Lines: 17 + +This is the start of the stable review cycle for the 2.6.14.2 release. +There are 11 patches in this series, all will be posted as a response to +this one. If anyone has any issues with these being applied, please let +us know. If anyone is a maintainer of the proper subsystem, and wants +to add a signed-off-by: line to the patch, please respond with it. + +These patches are sent out with a number of different people on the Cc: +line. If you wish to be a reviewer, please email stable@kernel.org to +add your name to the list. If you want to be off the reviewer list, +also email us. + +Responses should be made by Saturday, November 12, 18:00:00 UTC Anything +received after that time, might be too late. + +thanks, + +the -stable release team + +From greg@press.kroah.org Wed Nov 9 10:26:10 2005 +Message-Id: <20051109182610.480063000@press.kroah.org> +References: <20051109182205.294803000@press.kroah.org> +Date: Wed, 09 Nov 2005 10:22:06 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk +Subject: [patch 01/11] prism54 : Fix frame length +Content-Disposition: inline; filename=prism54_frame_size.patch +Content-Length: 1581 +Lines: 39 + +From: Roger While + +prism54 is leaking information when passing transmits to the firmware. +There is no requirement to adjust the length to >= ETH_ZLEN. +Just pass the skb length (after possible adjustment). + +Signed-off-by: Roger While +Acked-by: Jeff Garzik +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/prism54/islpci_eth.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- linux-2.6.14.1.orig/drivers/net/wireless/prism54/islpci_eth.c ++++ linux-2.6.14.1/drivers/net/wireless/prism54/islpci_eth.c +@@ -97,12 +97,6 @@ islpci_eth_transmit(struct sk_buff *skb, + /* lock the driver code */ + spin_lock_irqsave(&priv->slock, flags); + +- /* determine the amount of fragments needed to store the frame */ +- +- frame_size = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len; +- if (init_wds) +- frame_size += 6; +- + /* check whether the destination queue has enough fragments for the frame */ + curr_frag = le32_to_cpu(cb->driver_curr_frag[ISL38XX_CB_TX_DATA_LQ]); + if (unlikely(curr_frag - priv->free_data_tx >= ISL38XX_CB_TX_QSIZE)) { +@@ -213,6 +207,7 @@ islpci_eth_transmit(struct sk_buff *skb, + /* store the skb address for future freeing */ + priv->data_low_tx[index] = skb; + /* set the proper fragment start address and size information */ ++ frame_size = skb->len; + fragment->size = cpu_to_le16(frame_size); + fragment->flags = cpu_to_le16(0); /* set to 1 if more fragments */ + fragment->address = cpu_to_le32(pci_map_address); + +-- + +From greg@press.kroah.org Wed Nov 9 10:26:10 2005 +Message-Id: <20051109182610.613111000@press.kroah.org> +References: <20051109182205.294803000@press.kroah.org> +Date: Wed, 09 Nov 2005 10:22:07 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, stable@kernel.org, linux-xfs@oss.sgi.com, xfs-masters@oss.sgi.com, Dimitri Puzin , nathans@sgi.com +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, bunk@stusta.de +Subject: [patch 02/11] fix XFS_QUOTA for modular XFS +Content-Disposition: inline; filename=xfs-modular-quota-build-fix.patch +Content-Length: 1268 +Lines: 38 + +From: Dimitri Puzin + +This patch by Dimitri Puzin submitted through kernel Bugzilla #5514 +fixes the following issue: + +Cannot build XFS filesystem support as module with quota support. It +works only when the XFS filesystem support is compiled into the kernel. +Menuconfig prevents from setting CONFIG_XFS_FS=m and CONFIG_XFS_QUOTA=y. + +How to reproduce: configure the XFS filesystem with quota support as +module. The resulting kernel won't have quota support compiled into +xfs.ko. + +Fix: Changing the fs/xfs/Kconfig file from tristate to bool lets you +configure the quota support to be compiled into the XFS module. The +Makefile-linux-2.6 checks only for CONFIG_XFS_QUOTA=y. + +Signed-off-by: Adrian Bunk +Signed-off-by: Nathan Scott +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.14.1.orig/fs/xfs/Kconfig ++++ linux-2.6.14.1/fs/xfs/Kconfig +@@ -24,7 +24,7 @@ config XFS_EXPORT + default y + + config XFS_QUOTA +- tristate "XFS Quota support" ++ bool "XFS Quota support" + depends on XFS_FS + help + If you say Y here, you will be able to set limits for disk usage on + +-- + +From greg@press.kroah.org Wed Nov 9 10:26:10 2005 +Message-Id: <20051109182610.738560000@press.kroah.org> +References: <20051109182205.294803000@press.kroah.org> +Date: Wed, 09 Nov 2005 10:22:08 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, axboe@suse.de +Subject: [patch 03/11] Oops on suspend after on-the-fly switch to anticipatory i/o scheduler - PowerBook5, 4 +Content-Disposition: inline; filename=cfq-io-sched-fix.patch +Content-Length: 2492 +Lines: 69 + +From: Jens Axboe + +Paul Collins wrote: +>I boot with elevator=cfq (wanted to try the ionice stuff, never got +>around to it). Having decided to go back to the anticipatory +>scheduler, I did the following: +> +># echo anticipatory > /sys/block/hda/queue/scheduler +># echo anticipatory > /sys/block/hdc/queue/scheduler +> +>A while later I did 'sudo snooze', which produced the Oops below. +> +>Booting with elevator=as and then changing to cfq, sleep works fine. +>But if I resume and change back to anticipatory I get a similar Oops +>on the next 'sudo snooze'. +> +> +> Oops: kernel access of bad area, sig: 11 [#1] +> NIP: C01E1948 LR: C01D6A60 SP: EFBC5C20 REGS: efbc5b70 TRAP: 0300 +>Not tainted +> MSR: 00001032 EE: 0 PR: 0 FP: 0 ME: 1 IR/DR: 11 +> DAR: 00000020, DSISR: 40000000 +> TASK = efb012c0[1213] 'pmud' THREAD: efbc4000 +> Last syscall: 54 GPR00: 00080000 EFBC5C20 EFB012C0 EFE9E044 +>EFBC5CE8 00000002 00000000 C03B0000 GPR08: C046E5D8 00000000 +>C03B47C8 E6A58360 22042422 1001E4DC 10010000 10000000 GPR16: +>10000000 10000000 10000000 7FE4EB40 10000000 10000000 10010000 +>C0400000 GPR24: C0380000 00000002 00000002 C046E0C0 00000000 +>00000002 00000000 EFBC5CE8 NIP [c01e1948] as_insert_request+0xa8/0x6b0 +> LR [c01d6a60] __elv_add_request+0xa0/0x100 +> Call trace: +> [c01d6a60] __elv_add_request+0xa0/0x100 +> [c01ffb84] ide_do_drive_cmd+0xb4/0x190 +> [c01fc1c0] generic_ide_suspend+0x80/0xa0 +> [c01d4574] suspend_device+0x104/0x160 +> [c01d47c0] device_suspend+0x120/0x330 +> [c03f3b50] pmac_suspend_devices+0x50/0x1b0 +> [c03f4294] pmu_ioctl+0x344/0x9b0 +> [c0082aa4] do_ioctl+0x84/0x90 +> [c0082b3c] vfs_ioctl+0x8c/0x460 +> [c0082f50] sys_ioctl+0x40/0x80 +> [c0004850] ret_from_syscall+0x0/0x4c + +Don't clear ->elevator_data on exit, if we are switching queues we are +overwriting the data of the new io scheduler. + +Signed-off-by: Jens Axboe +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/cfq-iosched.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- linux-2.6.14.1.orig/drivers/block/cfq-iosched.c ++++ linux-2.6.14.1/drivers/block/cfq-iosched.c +@@ -2260,10 +2260,8 @@ static void cfq_put_cfqd(struct cfq_data + if (!atomic_dec_and_test(&cfqd->ref)) + return; + +- blk_put_queue(q); +- + cfq_shutdown_timer_wq(cfqd); +- q->elevator->elevator_data = NULL; ++ blk_put_queue(q); + + mempool_destroy(cfqd->crq_pool); + kfree(cfqd->crq_hash); + +-- + +From greg@press.kroah.org Wed Nov 9 10:26:11 2005 +Message-Id: <20051109182610.915344000@press.kroah.org> +References: <20051109182205.294803000@press.kroah.org> +Date: Wed, 09 Nov 2005 10:22:09 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk +Subject: [patch 04/11] USB: always export interface information for modalias +Content-Disposition: inline; filename=usb-interface-modalias-fix.patch +Content-Length: 5236 +Lines: 152 + +From: Greg Kroah-Hartman + +This fixes a problem with some cdc acm devices that were not getting +automatically loaded as the module alias was not being reported +properly. + +This check was for back in the days when we only reported hotplug events +for the main usb device, not the interfaces. We should always give the +interface information for MODALIAS/modalias as it can be needed. + +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/sysfs.c | 33 +++++++++--------------- + drivers/usb/core/usb.c | 63 +++++++++++++++++------------------------------ + 2 files changed, 36 insertions(+), 60 deletions(-) + +--- linux-2.6.14.1.orig/drivers/usb/core/sysfs.c ++++ linux-2.6.14.1/drivers/usb/core/sysfs.c +@@ -292,30 +292,23 @@ static ssize_t show_modalias(struct devi + { + struct usb_interface *intf; + struct usb_device *udev; +- int len; ++ struct usb_host_interface *alt; + + intf = to_usb_interface(dev); + udev = interface_to_usbdev(intf); ++ alt = intf->cur_altsetting; + +- len = sprintf(buf, "usb:v%04Xp%04Xd%04Xdc%02Xdsc%02Xdp%02Xic", +- le16_to_cpu(udev->descriptor.idVendor), +- le16_to_cpu(udev->descriptor.idProduct), +- le16_to_cpu(udev->descriptor.bcdDevice), +- udev->descriptor.bDeviceClass, +- udev->descriptor.bDeviceSubClass, +- udev->descriptor.bDeviceProtocol); +- buf += len; +- +- if (udev->descriptor.bDeviceClass == 0) { +- struct usb_host_interface *alt = intf->cur_altsetting; +- +- return len + sprintf(buf, "%02Xisc%02Xip%02X\n", +- alt->desc.bInterfaceClass, +- alt->desc.bInterfaceSubClass, +- alt->desc.bInterfaceProtocol); +- } else { +- return len + sprintf(buf, "*isc*ip*\n"); +- } ++ return sprintf(buf, "usb:v%04Xp%04Xd%04Xdc%02Xdsc%02Xdp%02X" ++ "ic%02Xisc%02Xip%02X\n", ++ le16_to_cpu(udev->descriptor.idVendor), ++ le16_to_cpu(udev->descriptor.idProduct), ++ le16_to_cpu(udev->descriptor.bcdDevice), ++ udev->descriptor.bDeviceClass, ++ udev->descriptor.bDeviceSubClass, ++ udev->descriptor.bDeviceProtocol, ++ alt->desc.bInterfaceClass, ++ alt->desc.bInterfaceSubClass, ++ alt->desc.bInterfaceProtocol); + } + static DEVICE_ATTR(modalias, S_IRUGO, show_modalias, NULL); + +--- linux-2.6.14.1.orig/drivers/usb/core/usb.c ++++ linux-2.6.14.1/drivers/usb/core/usb.c +@@ -557,6 +557,7 @@ static int usb_hotplug (struct device *d + { + struct usb_interface *intf; + struct usb_device *usb_dev; ++ struct usb_host_interface *alt; + int i = 0; + int length = 0; + +@@ -573,7 +574,8 @@ static int usb_hotplug (struct device *d + + intf = to_usb_interface(dev); + usb_dev = interface_to_usbdev (intf); +- ++ alt = intf->cur_altsetting; ++ + if (usb_dev->devnum < 0) { + pr_debug ("usb %s: already deleted?\n", dev->bus_id); + return -ENODEV; +@@ -615,46 +617,27 @@ static int usb_hotplug (struct device *d + usb_dev->descriptor.bDeviceProtocol)) + return -ENOMEM; + +- if (usb_dev->descriptor.bDeviceClass == 0) { +- struct usb_host_interface *alt = intf->cur_altsetting; ++ if (add_hotplug_env_var(envp, num_envp, &i, ++ buffer, buffer_size, &length, ++ "INTERFACE=%d/%d/%d", ++ alt->desc.bInterfaceClass, ++ alt->desc.bInterfaceSubClass, ++ alt->desc.bInterfaceProtocol)) ++ return -ENOMEM; + +- /* 2.4 only exposed interface zero. in 2.5, hotplug +- * agents are called for all interfaces, and can use +- * $DEVPATH/bInterfaceNumber if necessary. +- */ +- if (add_hotplug_env_var(envp, num_envp, &i, +- buffer, buffer_size, &length, +- "INTERFACE=%d/%d/%d", +- alt->desc.bInterfaceClass, +- alt->desc.bInterfaceSubClass, +- alt->desc.bInterfaceProtocol)) +- return -ENOMEM; +- +- if (add_hotplug_env_var(envp, num_envp, &i, +- buffer, buffer_size, &length, +- "MODALIAS=usb:v%04Xp%04Xd%04Xdc%02Xdsc%02Xdp%02Xic%02Xisc%02Xip%02X", +- le16_to_cpu(usb_dev->descriptor.idVendor), +- le16_to_cpu(usb_dev->descriptor.idProduct), +- le16_to_cpu(usb_dev->descriptor.bcdDevice), +- usb_dev->descriptor.bDeviceClass, +- usb_dev->descriptor.bDeviceSubClass, +- usb_dev->descriptor.bDeviceProtocol, +- alt->desc.bInterfaceClass, +- alt->desc.bInterfaceSubClass, +- alt->desc.bInterfaceProtocol)) +- return -ENOMEM; +- } else { +- if (add_hotplug_env_var(envp, num_envp, &i, +- buffer, buffer_size, &length, +- "MODALIAS=usb:v%04Xp%04Xd%04Xdc%02Xdsc%02Xdp%02Xic*isc*ip*", +- le16_to_cpu(usb_dev->descriptor.idVendor), +- le16_to_cpu(usb_dev->descriptor.idProduct), +- le16_to_cpu(usb_dev->descriptor.bcdDevice), +- usb_dev->descriptor.bDeviceClass, +- usb_dev->descriptor.bDeviceSubClass, +- usb_dev->descriptor.bDeviceProtocol)) +- return -ENOMEM; +- } ++ if (add_hotplug_env_var(envp, num_envp, &i, ++ buffer, buffer_size, &length, ++ "MODALIAS=usb:v%04Xp%04Xd%04Xdc%02Xdsc%02Xdp%02Xic%02Xisc%02Xip%02X", ++ le16_to_cpu(usb_dev->descriptor.idVendor), ++ le16_to_cpu(usb_dev->descriptor.idProduct), ++ le16_to_cpu(usb_dev->descriptor.bcdDevice), ++ usb_dev->descriptor.bDeviceClass, ++ usb_dev->descriptor.bDeviceSubClass, ++ usb_dev->descriptor.bDeviceProtocol, ++ alt->desc.bInterfaceClass, ++ alt->desc.bInterfaceSubClass, ++ alt->desc.bInterfaceProtocol)) ++ return -ENOMEM; + + envp[i] = NULL; + + +-- + +From greg@press.kroah.org Wed Nov 9 10:26:11 2005 +Message-Id: <20051109182611.161372000@press.kroah.org> +References: <20051109182205.294803000@press.kroah.org> +Date: Wed, 09 Nov 2005 10:22:10 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, stable@kernel.org, Arnaldo Carvalho de Melo , "David S. Miller" , netdev@vger.kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk +Subject: [patch 05/11] tcp: BIC max increment too large +Content-Disposition: inline; filename=tcp-bic-max-increment-too-large.patch +Content-Length: 984 +Lines: 31 + +From: Stephen Hemminger + +The max growth of BIC TCP is too large. Original code was based on +BIC 1.0 and the default there was 32. Later code (2.6.13) included +compensation for delayed acks, and should have reduced the default +value to 16; since normally TCP gets one ack for every two packets sent. + +The current value of 32 makes BIC too aggressive and unfair to other +flows. + +Submitted-by: Injong Rhee +Signed-off-by: Stephen Hemminger +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_bic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.14.1.orig/net/ipv4/tcp_bic.c ++++ linux-2.6.14.1/net/ipv4/tcp_bic.c +@@ -27,7 +27,7 @@ + */ + + static int fast_convergence = 1; +-static int max_increment = 32; ++static int max_increment = 16; + static int low_window = 14; + static int beta = 819; /* = 819/1024 (BICTCP_BETA_SCALE) */ + static int low_utilization_threshold = 153; + +-- + +From greg@press.kroah.org Wed Nov 9 10:26:11 2005 +Message-Id: <20051109182611.287276000@press.kroah.org> +References: <20051109182205.294803000@press.kroah.org> +Date: Wed, 09 Nov 2005 10:22:11 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, jgarzik@pobox.com, bunk@stusta.de, netdev@vger.kernel.org, Benjamin Reed +Subject: [patch 06/11] airo.c/airo_cs.c: correct prototypes +Content-Disposition: inline; filename=airo.c-airo_cs.c-correct-prototypes.patch +Content-Length: 2139 +Lines: 67 + +From: Adrian Bunk + +This patch creates a file airo.h containing prototypes of the global +functions in airo.c used by airo_cs.c . + +If you got strange problems with either airo_cs devices or in any other +completely unrelated part of the kernel shortly or long after a airo_cs +device was detected by the kernel, this might have been caused by the +fact that caller and callee disagreed regarding the size of the first +argument to init_airo_card()... + +Signed-off-by: Adrian Bunk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/airo.c | 2 ++ + drivers/net/wireless/airo.h | 9 +++++++++ + drivers/net/wireless/airo_cs.c | 6 ++---- + 3 files changed, 13 insertions(+), 4 deletions(-) + +--- /dev/null ++++ linux-2.6.14.1/drivers/net/wireless/airo.h +@@ -0,0 +1,9 @@ ++#ifndef _AIRO_H_ ++#define _AIRO_H_ ++ ++struct net_device *init_airo_card(unsigned short irq, int port, int is_pcmcia, ++ struct device *dmdev); ++int reset_airo_card(struct net_device *dev); ++void stop_airo_card(struct net_device *dev, int freeres); ++ ++#endif /* _AIRO_H_ */ +--- linux-2.6.14.1.orig/drivers/net/wireless/airo.c ++++ linux-2.6.14.1/drivers/net/wireless/airo.c +@@ -46,6 +46,8 @@ + #include + #include + ++#include "airo.h" ++ + #ifdef CONFIG_PCI + static struct pci_device_id card_ids[] = { + { 0x14b9, 1, PCI_ANY_ID, PCI_ANY_ID, }, +--- linux-2.6.14.1.orig/drivers/net/wireless/airo_cs.c ++++ linux-2.6.14.1/drivers/net/wireless/airo_cs.c +@@ -42,6 +42,8 @@ + #include + #include + ++#include "airo.h" ++ + /* + All the PCMCIA modules use PCMCIA_DEBUG to control debugging. If + you do not define PCMCIA_DEBUG at all, all the debug code will be +@@ -78,10 +80,6 @@ MODULE_SUPPORTED_DEVICE("Aironet 4500, 4 + event handler. + */ + +-struct net_device *init_airo_card( int, int, int, struct device * ); +-void stop_airo_card( struct net_device *, int ); +-int reset_airo_card( struct net_device * ); +- + static void airo_config(dev_link_t *link); + static void airo_release(dev_link_t *link); + static int airo_event(event_t event, int priority, + +-- + +From greg@press.kroah.org Wed Nov 9 10:26:11 2005 +Message-Id: <20051109182611.416183000@press.kroah.org> +References: <20051109182205.294803000@press.kroah.org> +Date: Wed, 09 Nov 2005 10:22:12 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, stable@kernel.org, Arnaldo Carvalho de Melo , netdev@vger.kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , Randy Dunlap , + Chuck Wolber , torvalds@osdl.org, + akpm@osdl.org, alan@lxorguk.ukuu.org.uk, herbert@gondor.apana.org.au, + phillips@istop.com +Subject: [patch 07/11] NET: Fix zero-size datagram reception +Content-Disposition: inline; filename=fix-zero-size-datagram-reception.patch +Content-Length: 657 +Lines: 27 + +From: Herbert Xu + +The recent rewrite of skb_copy_datagram_iovec broke the reception of +zero-size datagrams. This patch fixes it. + +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/datagram.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- linux-2.6.14.1.orig/net/core/datagram.c ++++ linux-2.6.14.1/net/core/datagram.c +@@ -213,6 +213,10 @@ int skb_copy_datagram_iovec(const struct + { + int i, err, fraglen, end = 0; + struct sk_buff *next = skb_shinfo(skb)->frag_list; ++ ++ if (!len) ++ return 0; ++ + next_skb: + fraglen = skb_headlen(skb); + i = -1; + +-- + +From greg@press.kroah.org Wed Nov 9 10:26:11 2005 +Message-Id: <20051109182611.553094000@press.kroah.org> +References: <20051109182205.294803000@press.kroah.org> +Date: Wed, 09 Nov 2005 10:22:13 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, oleg@tv-sign.ru, roland@redhat.com, + mingo@elte.hu +Subject: [patch 08/11] - fix signal->live leak in copy_process() +Content-Disposition: inline; filename=fix-signal-live-leak-in-copy_process.patch +Content-Length: 715 +Lines: 26 + +From: Oleg Nesterov + +exit_signal() (called from copy_process's error path) should decrement +->signal->live, otherwise forking process will miss 'group_dead' in +do_exit(). + +Signed-off-by: Oleg Nesterov +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + kernel/signal.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- linux-2.6.14.1.orig/kernel/signal.c ++++ linux-2.6.14.1/kernel/signal.c +@@ -406,6 +406,8 @@ void __exit_signal(struct task_struct *t + + void exit_signal(struct task_struct *tsk) + { ++ atomic_dec(&tsk->signal->live); ++ + write_lock_irq(&tasklist_lock); + __exit_signal(tsk); + write_unlock_irq(&tasklist_lock); + +-- + +From greg@press.kroah.org Wed Nov 9 10:26:11 2005 +Message-Id: <20051109182611.759132000@press.kroah.org> +References: <20051109182205.294803000@press.kroah.org> +Date: Wed, 09 Nov 2005 10:22:14 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, oleg@tv-sign.ru, roland@redhat.com, + paulmck@us.ibm.com, george@mvista.com, dipankar@in.ibm.com, + mingo@elte.hu, suzannew@cs.pdx.edu +Subject: [patch 09/11] fix de_thread() vs send_group_sigqueue() race +Content-Disposition: inline; filename=fix-de_thread-vs-send_group_sendqueue-race.patch +Content-Length: 2181 +Lines: 71 + +From: Oleg Nesterov + +When non-leader thread does exec, de_thread calls release_task(leader) before +calling exit_itimers(). If local timer interrupt happens in between, it can +oops in send_group_sigqueue() while taking ->sighand->siglock == NULL. + +However, we can't change send_group_sigqueue() to check p->signal != NULL, +because sys_timer_create() does get_task_struct() only in SIGEV_THREAD_ID +case. So it is possible that this task_struct was already freed and we can't +trust p->signal. + +This patch changes de_thread() so that leader released after exit_itimers() +call. + +Signed-off-by: Oleg Nesterov +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + fs/exec.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- linux-2.6.14.1.orig/fs/exec.c ++++ linux-2.6.14.1/fs/exec.c +@@ -593,6 +593,7 @@ static inline int de_thread(struct task_ + struct signal_struct *sig = tsk->signal; + struct sighand_struct *newsighand, *oldsighand = tsk->sighand; + spinlock_t *lock = &oldsighand->siglock; ++ struct task_struct *leader = NULL; + int count; + + /* +@@ -668,7 +669,7 @@ static inline int de_thread(struct task_ + * and to assume its PID: + */ + if (!thread_group_leader(current)) { +- struct task_struct *leader = current->group_leader, *parent; ++ struct task_struct *parent; + struct dentry *proc_dentry1, *proc_dentry2; + unsigned long exit_state, ptrace; + +@@ -677,6 +678,7 @@ static inline int de_thread(struct task_ + * It should already be zombie at this point, most + * of the time. + */ ++ leader = current->group_leader; + while (leader->exit_state != EXIT_ZOMBIE) + yield(); + +@@ -736,7 +738,6 @@ static inline int de_thread(struct task_ + proc_pid_flush(proc_dentry2); + + BUG_ON(exit_state != EXIT_ZOMBIE); +- release_task(leader); + } + + /* +@@ -746,8 +747,11 @@ static inline int de_thread(struct task_ + sig->flags = 0; + + no_thread_group: +- BUG_ON(atomic_read(&sig->count) != 1); + exit_itimers(sig); ++ if (leader) ++ release_task(leader); ++ ++ BUG_ON(atomic_read(&sig->count) != 1); + + if (atomic_read(&oldsighand->count) == 1) { + /* + +-- + +From greg@press.kroah.org Wed Nov 9 10:26:11 2005 +Message-Id: <20051109182611.884140000@press.kroah.org> +References: <20051109182205.294803000@press.kroah.org> +Date: Wed, 09 Nov 2005 10:22:15 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, ja@ssi.bg, davem@davemloft.net, + ratz@drugphish.ch +Subject: [patch 10/11] ipvs: fix connection leak if expire_nodest_conn=1 +Content-Disposition: inline; filename=ipvs-fix-connection-leak.patch +Content-Length: 1375 +Lines: 39 + +From: Julian Anastasov + + +There was a fix in 2.6.13 that changed the behaviour of +ip_vs_conn_expire_now function not to put reference to connection, its +callers should hold write lock or connection refcnt. But we forgot to +convert one caller, when the real server for connection is unavailable +caller should put the connection reference. It happens only when sysctl +var expire_nodest_conn is set to 1 and such connections never expire. +Thanks to Roberto Nibali who found the problem and tested a 2.4.32-rc2 +patch, which is equal to this 2.6 version. + +Signed-off-by: Julian Anastasov +Signed-off-by: Roberto Nibali +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ipvs/ip_vs_core.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- linux-2.6.14.1.orig/net/ipv4/ipvs/ip_vs_core.c ++++ linux-2.6.14.1/net/ipv4/ipvs/ip_vs_core.c +@@ -1009,11 +1009,10 @@ ip_vs_in(unsigned int hooknum, struct sk + if (sysctl_ip_vs_expire_nodest_conn) { + /* try to expire the connection immediately */ + ip_vs_conn_expire_now(cp); +- } else { +- /* don't restart its timer, and silently +- drop the packet. */ +- __ip_vs_conn_put(cp); + } ++ /* don't restart its timer, and silently ++ drop the packet. */ ++ __ip_vs_conn_put(cp); + return NF_DROP; + } + + +-- + +From greg@press.kroah.org Wed Nov 9 10:26:12 2005 +Message-Id: <20051109182612.011064000@press.kroah.org> +References: <20051109182205.294803000@press.kroah.org> +Date: Wed, 09 Nov 2005 10:22:16 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, ink@jurassic.park.msu.ru, + viro@ftp.linux.org.uk +Subject: [patch 11/11] fix alpha breakage +Content-Disposition: inline; filename=fix-alpha-breakage.patch +Content-Length: 682 +Lines: 26 + +From: Ivan Kokshaysky + +barrier.h uses barrier() in non-SMP case. And doesn't include compiler.h. + +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + include/asm-alpha/barrier.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- linux-2.6.14.1.orig/include/asm-alpha/barrier.h ++++ linux-2.6.14.1/include/asm-alpha/barrier.h +@@ -1,6 +1,8 @@ + #ifndef __BARRIER_H + #define __BARRIER_H + ++#include ++ + #define mb() \ + __asm__ __volatile__("mb": : :"memory") + + +-- + +From torvalds@osdl.org Wed Nov 9 12:04:07 2005 +Date: Wed, 9 Nov 2005 11:37:57 -0800 (PST) +From: Linus Torvalds +Subject: Fix ptrace self-attach rule +Content-Length: 651 +Lines: 19 + +Before we did CLONE_THREAD, the way to check whether we were attaching +to ourselves was to just check "current == task", but with CLONE_THREAD +we should check that the thread group ID matches instead. + +Signed-off-by: Linus Torvalds +--- +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index 5b8dd98..b88d418 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -155,7 +155,7 @@ int ptrace_attach(struct task_struct *ta + retval = -EPERM; + if (task->pid <= 1) + goto bad; +- if (task == current) ++ if (task->tgid == current->tgid) + goto bad; + /* the same process cannot be attached many times */ + if (task->ptrace & PT_PTRACED) + diff --git a/2.6.14.2/tcp-bic-max-increment-too-large.patch b/2.6.14.2/tcp-bic-max-increment-too-large.patch new file mode 100644 index 00000000000..63bc8d43e27 --- /dev/null +++ b/2.6.14.2/tcp-bic-max-increment-too-large.patch @@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Sat Nov 5 10:41:13 2005 +Date: Tue, 1 Nov 2005 15:26:45 -0800 +From: Stephen Hemminger +To: Arnaldo Carvalho de Melo , "David S. Miller" +Message-ID: <20051101152645.31075d19@dxpl.pdx.osdl.net> +Cc: netdev@vger.kernel.org +Subject: tcp: BIC max increment too large + +The max growth of BIC TCP is too large. Original code was based on +BIC 1.0 and the default there was 32. Later code (2.6.13) included +compensation for delayed acks, and should have reduced the default +value to 16; since normally TCP gets one ack for every two packets sent. + +The current value of 32 makes BIC too aggressive and unfair to other +flows. + +Submitted-by: Injong Rhee +Signed-off-by: Stephen Hemminger +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_bic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.14.1.orig/net/ipv4/tcp_bic.c ++++ linux-2.6.14.1/net/ipv4/tcp_bic.c +@@ -27,7 +27,7 @@ + */ + + static int fast_convergence = 1; +-static int max_increment = 32; ++static int max_increment = 16; + static int low_window = 14; + static int beta = 819; /* = 819/1024 (BICTCP_BETA_SCALE) */ + static int low_utilization_threshold = 153; diff --git a/2.6.14.2/usb-interface-modalias-fix.patch b/2.6.14.2/usb-interface-modalias-fix.patch new file mode 100644 index 00000000000..3181c7b59da --- /dev/null +++ b/2.6.14.2/usb-interface-modalias-fix.patch @@ -0,0 +1,153 @@ +From linux-usb-devel-admin@lists.sourceforge.net Fri Oct 28 20:19:30 2005 +Date: Fri, 28 Oct 2005 20:09:17 -0700 +From: Greg Kroah-Hartman +Subject: USB: always export interface information for modalias + +This fixes a problem with some cdc acm devices that were not getting +automatically loaded as the module alias was not being reported +properly. + +This check was for back in the days when we only reported hotplug events +for the main usb device, not the interfaces. We should always give the +interface information for MODALIAS/modalias as it can be needed. + +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/sysfs.c | 33 +++++++++--------------- + drivers/usb/core/usb.c | 63 +++++++++++++++++------------------------------ + 2 files changed, 36 insertions(+), 60 deletions(-) + +--- linux-2.6.14.1.orig/drivers/usb/core/sysfs.c ++++ linux-2.6.14.1/drivers/usb/core/sysfs.c +@@ -292,30 +292,23 @@ static ssize_t show_modalias(struct devi + { + struct usb_interface *intf; + struct usb_device *udev; +- int len; ++ struct usb_host_interface *alt; + + intf = to_usb_interface(dev); + udev = interface_to_usbdev(intf); ++ alt = intf->cur_altsetting; + +- len = sprintf(buf, "usb:v%04Xp%04Xd%04Xdc%02Xdsc%02Xdp%02Xic", +- le16_to_cpu(udev->descriptor.idVendor), +- le16_to_cpu(udev->descriptor.idProduct), +- le16_to_cpu(udev->descriptor.bcdDevice), +- udev->descriptor.bDeviceClass, +- udev->descriptor.bDeviceSubClass, +- udev->descriptor.bDeviceProtocol); +- buf += len; +- +- if (udev->descriptor.bDeviceClass == 0) { +- struct usb_host_interface *alt = intf->cur_altsetting; +- +- return len + sprintf(buf, "%02Xisc%02Xip%02X\n", +- alt->desc.bInterfaceClass, +- alt->desc.bInterfaceSubClass, +- alt->desc.bInterfaceProtocol); +- } else { +- return len + sprintf(buf, "*isc*ip*\n"); +- } ++ return sprintf(buf, "usb:v%04Xp%04Xd%04Xdc%02Xdsc%02Xdp%02X" ++ "ic%02Xisc%02Xip%02X\n", ++ le16_to_cpu(udev->descriptor.idVendor), ++ le16_to_cpu(udev->descriptor.idProduct), ++ le16_to_cpu(udev->descriptor.bcdDevice), ++ udev->descriptor.bDeviceClass, ++ udev->descriptor.bDeviceSubClass, ++ udev->descriptor.bDeviceProtocol, ++ alt->desc.bInterfaceClass, ++ alt->desc.bInterfaceSubClass, ++ alt->desc.bInterfaceProtocol); + } + static DEVICE_ATTR(modalias, S_IRUGO, show_modalias, NULL); + +--- linux-2.6.14.1.orig/drivers/usb/core/usb.c ++++ linux-2.6.14.1/drivers/usb/core/usb.c +@@ -557,6 +557,7 @@ static int usb_hotplug (struct device *d + { + struct usb_interface *intf; + struct usb_device *usb_dev; ++ struct usb_host_interface *alt; + int i = 0; + int length = 0; + +@@ -573,7 +574,8 @@ static int usb_hotplug (struct device *d + + intf = to_usb_interface(dev); + usb_dev = interface_to_usbdev (intf); +- ++ alt = intf->cur_altsetting; ++ + if (usb_dev->devnum < 0) { + pr_debug ("usb %s: already deleted?\n", dev->bus_id); + return -ENODEV; +@@ -615,46 +617,27 @@ static int usb_hotplug (struct device *d + usb_dev->descriptor.bDeviceProtocol)) + return -ENOMEM; + +- if (usb_dev->descriptor.bDeviceClass == 0) { +- struct usb_host_interface *alt = intf->cur_altsetting; ++ if (add_hotplug_env_var(envp, num_envp, &i, ++ buffer, buffer_size, &length, ++ "INTERFACE=%d/%d/%d", ++ alt->desc.bInterfaceClass, ++ alt->desc.bInterfaceSubClass, ++ alt->desc.bInterfaceProtocol)) ++ return -ENOMEM; + +- /* 2.4 only exposed interface zero. in 2.5, hotplug +- * agents are called for all interfaces, and can use +- * $DEVPATH/bInterfaceNumber if necessary. +- */ +- if (add_hotplug_env_var(envp, num_envp, &i, +- buffer, buffer_size, &length, +- "INTERFACE=%d/%d/%d", +- alt->desc.bInterfaceClass, +- alt->desc.bInterfaceSubClass, +- alt->desc.bInterfaceProtocol)) +- return -ENOMEM; +- +- if (add_hotplug_env_var(envp, num_envp, &i, +- buffer, buffer_size, &length, +- "MODALIAS=usb:v%04Xp%04Xd%04Xdc%02Xdsc%02Xdp%02Xic%02Xisc%02Xip%02X", +- le16_to_cpu(usb_dev->descriptor.idVendor), +- le16_to_cpu(usb_dev->descriptor.idProduct), +- le16_to_cpu(usb_dev->descriptor.bcdDevice), +- usb_dev->descriptor.bDeviceClass, +- usb_dev->descriptor.bDeviceSubClass, +- usb_dev->descriptor.bDeviceProtocol, +- alt->desc.bInterfaceClass, +- alt->desc.bInterfaceSubClass, +- alt->desc.bInterfaceProtocol)) +- return -ENOMEM; +- } else { +- if (add_hotplug_env_var(envp, num_envp, &i, +- buffer, buffer_size, &length, +- "MODALIAS=usb:v%04Xp%04Xd%04Xdc%02Xdsc%02Xdp%02Xic*isc*ip*", +- le16_to_cpu(usb_dev->descriptor.idVendor), +- le16_to_cpu(usb_dev->descriptor.idProduct), +- le16_to_cpu(usb_dev->descriptor.bcdDevice), +- usb_dev->descriptor.bDeviceClass, +- usb_dev->descriptor.bDeviceSubClass, +- usb_dev->descriptor.bDeviceProtocol)) +- return -ENOMEM; +- } ++ if (add_hotplug_env_var(envp, num_envp, &i, ++ buffer, buffer_size, &length, ++ "MODALIAS=usb:v%04Xp%04Xd%04Xdc%02Xdsc%02Xdp%02Xic%02Xisc%02Xip%02X", ++ le16_to_cpu(usb_dev->descriptor.idVendor), ++ le16_to_cpu(usb_dev->descriptor.idProduct), ++ le16_to_cpu(usb_dev->descriptor.bcdDevice), ++ usb_dev->descriptor.bDeviceClass, ++ usb_dev->descriptor.bDeviceSubClass, ++ usb_dev->descriptor.bDeviceProtocol, ++ alt->desc.bInterfaceClass, ++ alt->desc.bInterfaceSubClass, ++ alt->desc.bInterfaceProtocol)) ++ return -ENOMEM; + + envp[i] = NULL; + diff --git a/2.6.14.2/xfs-modular-quota-build-fix.patch b/2.6.14.2/xfs-modular-quota-build-fix.patch new file mode 100644 index 00000000000..b01c74ae561 --- /dev/null +++ b/2.6.14.2/xfs-modular-quota-build-fix.patch @@ -0,0 +1,45 @@ +From stable-bounces@linux.kernel.org Fri Oct 28 13:33:36 2005 +Date: Fri, 28 Oct 2005 22:33:25 +0200 +From: Adrian Bunk +To: Andrew Morton , stable@kernel.org +Cc: linux-xfs@oss.sgi.com, xfs-masters@oss.sgi.com, + Dimitri Puzin , nathans@sgi.com, + linux-kernel@vger.kernel.org +Subject: [PATCH] fix XFS_QUOTA for modular XFS + +From: Dimitri Puzin + +This patch by Dimitri Puzin submitted through kernel Bugzilla #5514 +fixes the following issue: + +Cannot build XFS filesystem support as module with quota support. It +works only when the XFS filesystem support is compiled into the kernel. +Menuconfig prevents from setting CONFIG_XFS_FS=m and CONFIG_XFS_QUOTA=y. + +How to reproduce: configure the XFS filesystem with quota support as +module. The resulting kernel won't have quota support compiled into +xfs.ko. + +Fix: Changing the fs/xfs/Kconfig file from tristate to bool lets you +configure the quota support to be compiled into the XFS module. The +Makefile-linux-2.6 checks only for CONFIG_XFS_QUOTA=y. + +Signed-off-by: Adrian Bunk +Signed-off-by: Nathan Scott +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.14.1.orig/fs/xfs/Kconfig ++++ linux-2.6.14.1/fs/xfs/Kconfig +@@ -24,7 +24,7 @@ config XFS_EXPORT + default y + + config XFS_QUOTA +- tristate "XFS Quota support" ++ bool "XFS Quota support" + depends on XFS_FS + help + If you say Y here, you will be able to set limits for disk usage on diff --git a/reviewer_list b/reviewer_list index 462a235de92..e689dc4ecdc 100644 --- a/reviewer_list +++ b/reviewer_list @@ -11,3 +11,4 @@ Asked to be on it: Theodore Ts'o Randy.Dunlap Chuck Wolber + Dave Jones