From: Greg Kroah-Hartman Date: Thu, 22 Jan 2009 19:27:59 +0000 (-0800) Subject: start some .27 patches X-Git-Tag: v2.6.27.13~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=843d56ecd60e3b16cafc43d53ef23e0ea16f1e42;p=thirdparty%2Fkernel%2Fstable-queue.git start some .27 patches --- diff --git a/queue-2.6.27/ipv6-fix-fib6_dump_table-walker-leak.patch b/queue-2.6.27/ipv6-fix-fib6_dump_table-walker-leak.patch new file mode 100644 index 00000000000..ca6569b47d9 --- /dev/null +++ b/queue-2.6.27/ipv6-fix-fib6_dump_table-walker-leak.patch @@ -0,0 +1,55 @@ +From 364ee7f3b15ba760d421573990d96bf27ce342ee Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Tue, 20 Jan 2009 14:06:49 -0800 +Subject: ipv6: Fix fib6_dump_table walker leak + +From: Herbert Xu + +[ Upstream commit: 7891cc818967e186be68caac32d84bfd0a3f0bd2 ] + +When a fib6 table dump is prematurely ended, we won't unlink +its walker from the list. This causes all sorts of grief for +other users of the list later. + +Reported-by: Chris Caputo +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ip6_fib.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -298,6 +298,10 @@ static void fib6_dump_end(struct netlink + struct fib6_walker_t *w = (void*)cb->args[2]; + + if (w) { ++ if (cb->args[4]) { ++ cb->args[4] = 0; ++ fib6_walker_unlink(w); ++ } + cb->args[2] = 0; + kfree(w); + } +@@ -330,15 +334,12 @@ static int fib6_dump_table(struct fib6_t + read_lock_bh(&table->tb6_lock); + res = fib6_walk_continue(w); + read_unlock_bh(&table->tb6_lock); +- if (res != 0) { +- if (res < 0) +- fib6_walker_unlink(w); +- goto end; ++ if (res <= 0) { ++ fib6_walker_unlink(w); ++ cb->args[4] = 0; + } +- fib6_walker_unlink(w); +- cb->args[4] = 0; + } +-end: ++ + return res; + } + diff --git a/queue-2.6.27/pkt_sched-cls_u32-fix-locking-in-u32_change.patch b/queue-2.6.27/pkt_sched-cls_u32-fix-locking-in-u32_change.patch new file mode 100644 index 00000000000..7f1e3a8673e --- /dev/null +++ b/queue-2.6.27/pkt_sched-cls_u32-fix-locking-in-u32_change.patch @@ -0,0 +1,37 @@ +From d7273aa0d1317dde4c52d1ba734aedf970e574da Mon Sep 17 00:00:00 2001 +From: Jarek Poplawski +Date: Tue, 20 Jan 2009 14:08:23 -0800 +Subject: pkt_sched: cls_u32: Fix locking in u32_change() + +From: Jarek Poplawski + +[ Upstream commit: 6f57321422e0d359e83c978c2b03db77b967b7d5 ] + +New nodes are inserted in u32_change() under rtnl_lock() with wmb(), +so without tcf_tree_lock() like in other classifiers (e.g. cls_fw). +This isn't enough without rmb() on the read side, but on the other +hand adding such barriers doesn't give any savings, so the lock is +added instead. + +Reported-by: m0sia +Signed-off-by: Jarek Poplawski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/sched/cls_u32.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -637,8 +637,9 @@ static int u32_change(struct tcf_proto * + break; + + n->next = *ins; +- wmb(); ++ tcf_tree_lock(tp); + *ins = n; ++ tcf_tree_unlock(tp); + + *arg = (unsigned long)n; + return 0; diff --git a/queue-2.6.27/pkt_sched-sch_htb-fix-deadlock-in-hrtimers-triggered-by-htb.patch b/queue-2.6.27/pkt_sched-sch_htb-fix-deadlock-in-hrtimers-triggered-by-htb.patch new file mode 100644 index 00000000000..18ab0b9396e --- /dev/null +++ b/queue-2.6.27/pkt_sched-sch_htb-fix-deadlock-in-hrtimers-triggered-by-htb.patch @@ -0,0 +1,38 @@ +From ea9922a627dbb38fdcc42ed1b374a257d0652d35 Mon Sep 17 00:00:00 2001 +From: Jarek Poplawski +Date: Tue, 20 Jan 2009 14:06:26 -0800 +Subject: pkt_sched: sch_htb: Fix deadlock in hrtimers triggered by HTB + +From: Jarek Poplawski + +[ Upstream commit: none + + This is a quick fix for -stable purposes. Upstream fixes these + problems via a large set of invasive hrtimer changes. ] + +Most probably there is a (still unproven) race in hrtimers (before +2.6.29 kernels), which causes a corruption of hrtimers rbtree. This +patch doesn't fix it, but should let HTB avoid triggering the bug. + +Reported-by: Denys Fedoryschenko +Reported-by: Badalian Vyacheslav +Reported-by: Chris Caputo +Tested-by: Badalian Vyacheslav +Signed-off-by: Jarek Poplawski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/sched/sch_htb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sched/sch_htb.c ++++ b/net/sched/sch_htb.c +@@ -924,6 +924,7 @@ static struct sk_buff *htb_dequeue(struc + } + } + sch->qstats.overlimits++; ++ qdisc_watchdog_cancel(&q->watchdog); + qdisc_watchdog_schedule(&q->watchdog, next_event); + fin: + return skb; diff --git a/queue-2.6.27/r6040-bump-release-number-to-0.19.patch b/queue-2.6.27/r6040-bump-release-number-to-0.19.patch new file mode 100644 index 00000000000..3283bec27dd --- /dev/null +++ b/queue-2.6.27/r6040-bump-release-number-to-0.19.patch @@ -0,0 +1,32 @@ +From b1b00c2e699d3905305e130a6fe11bd6efae4506 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Mon, 22 Dec 2008 19:40:38 -0800 +Subject: r6040: bump release number to 0.19 + +From: Florian Fainelli + +[ Upstream commit: 4707470ae7441733822efcd680b0ef3971921c4d ] + +This patch bumps the release number of the driver. + +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/r6040.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/r6040.c ++++ b/drivers/net/r6040.c +@@ -49,8 +49,8 @@ + #include + + #define DRV_NAME "r6040" +-#define DRV_VERSION "0.18" +-#define DRV_RELDATE "13Jul2008" ++#define DRV_VERSION "0.19" ++#define DRV_RELDATE "18Dec2008" + + /* PHY CHIP Address */ + #define PHY1_ADDR 1 /* For MAC1 */ diff --git a/queue-2.6.27/r6040-fix-wrong-logic-in-mdio-code.patch b/queue-2.6.27/r6040-fix-wrong-logic-in-mdio-code.patch new file mode 100644 index 00000000000..8e93e5fda0e --- /dev/null +++ b/queue-2.6.27/r6040-fix-wrong-logic-in-mdio-code.patch @@ -0,0 +1,40 @@ +From 46312f49ee0eca77bdb5cd318109624d2cbd8a01 Mon Sep 17 00:00:00 2001 +From: Joe Chou +Date: Mon, 22 Dec 2008 19:38:17 -0800 +Subject: r6040: fix wrong logic in mdio code + +From: Joe Chou + +[ Upstream commit: 11e5e8f5d14a1229706576184d2cf4c4556ed94c ] + +This patch fixes a reverse logic in the MDIO code. + +Signed-off-by: Joe Chou +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/r6040.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/r6040.c ++++ b/drivers/net/r6040.c +@@ -214,7 +214,7 @@ static int r6040_phy_read(void __iomem * + /* Wait for the read bit to be cleared */ + while (limit--) { + cmd = ioread16(ioaddr + MMDIO); +- if (cmd & MDIO_READ) ++ if (!(cmd & MDIO_READ)) + break; + } + +@@ -233,7 +233,7 @@ static void r6040_phy_write(void __iomem + /* Wait for the write bit to be cleared */ + while (limit--) { + cmd = ioread16(ioaddr + MMDIO); +- if (cmd & MDIO_WRITE) ++ if (!(cmd & MDIO_WRITE)) + break; + } + } diff --git a/queue-2.6.27/r6040-save-and-restore-mier-correctly-in-the-interrupt-routine.patch b/queue-2.6.27/r6040-save-and-restore-mier-correctly-in-the-interrupt-routine.patch new file mode 100644 index 00000000000..09ff1c7a346 --- /dev/null +++ b/queue-2.6.27/r6040-save-and-restore-mier-correctly-in-the-interrupt-routine.patch @@ -0,0 +1,55 @@ +From 2008eaf5aba4f7ca31f3d9a6ec1b220af4be04cd Mon Sep 17 00:00:00 2001 +From: Joe Chou +Date: Mon, 22 Dec 2008 19:40:02 -0800 +Subject: r6040: save and restore MIER correctly in the interrupt routine + +From: Joe Chou + +[ Upstream commit: 3e7c469f07ff14cbf9a814739e1fc99a863e0943 ] + +This patch saves the MIER register contents before treating +interrupts, then restores them correcty at the end of the +interrupt routine. + +Signed-off-by: Joe Chou +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/r6040.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/r6040.c ++++ b/drivers/net/r6040.c +@@ -681,8 +681,10 @@ static irqreturn_t r6040_interrupt(int i + struct net_device *dev = dev_id; + struct r6040_private *lp = netdev_priv(dev); + void __iomem *ioaddr = lp->base; +- u16 status; ++ u16 misr, status; + ++ /* Save MIER */ ++ misr = ioread16(ioaddr + MIER); + /* Mask off RDC MAC interrupt */ + iowrite16(MSK_INT, ioaddr + MIER); + /* Read MISR status and clear */ +@@ -702,7 +704,7 @@ static irqreturn_t r6040_interrupt(int i + dev->stats.rx_fifo_errors++; + + /* Mask off RX interrupt */ +- iowrite16(ioread16(ioaddr + MIER) & ~RX_INTS, ioaddr + MIER); ++ misr &= ~RX_INTS; + netif_rx_schedule(dev, &lp->napi); + } + +@@ -710,6 +712,9 @@ static irqreturn_t r6040_interrupt(int i + if (status & TX_INTS) + r6040_tx(dev); + ++ /* Restore RDC MAC interrupt */ ++ iowrite16(misr, ioaddr + MIER); ++ + return IRQ_HANDLED; + } + diff --git a/queue-2.6.27/sctp-avoid-memory-overflow-while-fwd-tsn-chunk-is-received-with-bad-stream-id.patch b/queue-2.6.27/sctp-avoid-memory-overflow-while-fwd-tsn-chunk-is-received-with-bad-stream-id.patch new file mode 100644 index 00000000000..e26a05aa00a --- /dev/null +++ b/queue-2.6.27/sctp-avoid-memory-overflow-while-fwd-tsn-chunk-is-received-with-bad-stream-id.patch @@ -0,0 +1,79 @@ +From 3d41c2bd66b1618aa1062c3d98450a9a5f0d119e Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Tue, 20 Jan 2009 14:08:01 -0800 +Subject: sctp: Avoid memory overflow while FWD-TSN chunk is received with bad stream ID + +From: Wei Yongjun + +[ Upstream commit: 9fcb95a105758b81ef0131cd18e2db5149f13e95 ] + +If FWD-TSN chunk is received with bad stream ID, the sctp will not do the +validity check, this may cause memory overflow when overwrite the TSN of +the stream ID. + +The FORWARD-TSN chunk is like this: + +FORWARD-TSN chunk + Type = 192 + Flags = 0 + Length = 172 + NewTSN = 99 + Stream = 10000 + StreamSequence = 0xFFFF + +This patch fix this problem by discard the chunk if stream ID is not +less than MIS. + +Signed-off-by: Wei Yongjun +Signed-off-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/sctp/sm_statefuns.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -3635,6 +3635,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c + { + struct sctp_chunk *chunk = arg; + struct sctp_fwdtsn_hdr *fwdtsn_hdr; ++ struct sctp_fwdtsn_skip *skip; + __u16 len; + __u32 tsn; + +@@ -3664,6 +3665,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c + if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) + goto discard_noforce; + ++ /* Silently discard the chunk if stream-id is not valid */ ++ sctp_walk_fwdtsn(skip, chunk) { ++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams) ++ goto discard_noforce; ++ } ++ + sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); + if (len > sizeof(struct sctp_fwdtsn_hdr)) + sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, +@@ -3695,6 +3702,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f + { + struct sctp_chunk *chunk = arg; + struct sctp_fwdtsn_hdr *fwdtsn_hdr; ++ struct sctp_fwdtsn_skip *skip; + __u16 len; + __u32 tsn; + +@@ -3724,6 +3732,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f + if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) + goto gen_shutdown; + ++ /* Silently discard the chunk if stream-id is not valid */ ++ sctp_walk_fwdtsn(skip, chunk) { ++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams) ++ goto gen_shutdown; ++ } ++ + sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); + if (len > sizeof(struct sctp_fwdtsn_hdr)) + sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, diff --git a/queue-2.6.27/series b/queue-2.6.27/series new file mode 100644 index 00000000000..de81b216f31 --- /dev/null +++ b/queue-2.6.27/series @@ -0,0 +1,8 @@ +pkt_sched-sch_htb-fix-deadlock-in-hrtimers-triggered-by-htb.patch +ipv6-fix-fib6_dump_table-walker-leak.patch +sctp-avoid-memory-overflow-while-fwd-tsn-chunk-is-received-with-bad-stream-id.patch +pkt_sched-cls_u32-fix-locking-in-u32_change.patch +r6040-fix-wrong-logic-in-mdio-code.patch +r6040-save-and-restore-mier-correctly-in-the-interrupt-routine.patch +r6040-bump-release-number-to-0.19.patch +tcp-don-t-mask-eof-and-socket-errors-on-nonblocking-splice-receive.patch diff --git a/queue-2.6.27/tcp-don-t-mask-eof-and-socket-errors-on-nonblocking-splice-receive.patch b/queue-2.6.27/tcp-don-t-mask-eof-and-socket-errors-on-nonblocking-splice-receive.patch new file mode 100644 index 00000000000..ef71d5d2231 --- /dev/null +++ b/queue-2.6.27/tcp-don-t-mask-eof-and-socket-errors-on-nonblocking-splice-receive.patch @@ -0,0 +1,46 @@ +From db76deb171d8ba2e30ab4928863d1ac59b186f97 Mon Sep 17 00:00:00 2001 +From: Lennert Buytenhek +Date: Tue, 20 Jan 2009 15:25:21 -0800 +Subject: tcp: don't mask EOF and socket errors on nonblocking splice receive + +From: Lennert Buytenhek + +[ Upstream commit: 4f7d54f59bc470f0aaa932f747a95232d7ebf8b1 ] + +Currently, setting SPLICE_F_NONBLOCK on splice from a TCP socket +results in masking of EOF (RDHUP) and error conditions on the socket +by an -EAGAIN return. Move the NONBLOCK check in tcp_splice_read() +to be after the EOF and error checks to fix this. + +Signed-off-by: Lennert Buytenhek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -576,10 +576,6 @@ ssize_t tcp_splice_read(struct socket *s + else if (!ret) { + if (spliced) + break; +- if (flags & SPLICE_F_NONBLOCK) { +- ret = -EAGAIN; +- break; +- } + if (sock_flag(sk, SOCK_DONE)) + break; + if (sk->sk_err) { +@@ -597,6 +593,10 @@ ssize_t tcp_splice_read(struct socket *s + ret = -ENOTCONN; + break; + } ++ if (flags & SPLICE_F_NONBLOCK) { ++ ret = -EAGAIN; ++ break; ++ } + if (!timeo) { + ret = -EAGAIN; + break;