From: Greg Kroah-Hartman Date: Thu, 10 Aug 2006 06:52:42 +0000 (-0700) Subject: start up some more 2.6.17 patches queued X-Git-Tag: v2.6.17.9~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a5ffaa8c5a9f8017920fd8e2a01c64ce1417e5b0;p=thirdparty%2Fkernel%2Fstable-queue.git start up some more 2.6.17 patches queued --- diff --git a/queue-2.6.17/disable-debugging-version-of-write_lock.patch b/queue-2.6.17/disable-debugging-version-of-write_lock.patch new file mode 100644 index 00000000000..0578bd1e3da --- /dev/null +++ b/queue-2.6.17/disable-debugging-version-of-write_lock.patch 
@@ -0,0 +1,75 @@ +From stable-bounces@linux.kernel.org Sat Aug 5 12:14:36 2006 +Message-Id: <200608051913.k75JDlTV010898@shell0.pdx.osdl.net> +To: torvalds@osdl.org +From: akpm@osdl.org +Date: Sat, 05 Aug 2006 12:13:47 -0700 +Cc: akpm@osdl.org, greg@kroah.com, mingo@elte.hu, stable@kernel.org, olson@unixfolk.com +Subject: disable debugging version of write_lock() + +From: Andrew Morton + +We've confirmed that the debug version of write_lock() can get stuck for long +enough to cause NMI watchdog timeouts and hence a crash. + +We don't know why, yet. Disable it for now. + +Also disable the similar read_lock() code. Just in case. + +Thanks to Dave Olson for reporting and testing. + +Acked-by: Ingo Molnar +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + lib/spinlock_debug.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- linux-2.6.17.8.orig/lib/spinlock_debug.c ++++ linux-2.6.17.8/lib/spinlock_debug.c +@@ -137,6 +137,7 @@ static void rwlock_bug(rwlock_t *lock, c + + #define RWLOCK_BUG_ON(cond, lock, msg) if (unlikely(cond)) rwlock_bug(lock, msg) + ++#if 0 /* __write_lock_debug() can lock up - maybe this can too? 
*/ + static void __read_lock_debug(rwlock_t *lock) + { + int print_once = 1; +@@ -159,12 +160,12 @@ static void __read_lock_debug(rwlock_t * + } + } + } ++#endif + + void _raw_read_lock(rwlock_t *lock) + { + RWLOCK_BUG_ON(lock->magic != RWLOCK_MAGIC, lock, "bad magic"); +- if (unlikely(!__raw_read_trylock(&lock->raw_lock))) +- __read_lock_debug(lock); ++ __raw_read_lock(&lock->raw_lock); + } + + int _raw_read_trylock(rwlock_t *lock) +@@ -210,6 +211,7 @@ static inline void debug_write_unlock(rw + lock->owner_cpu = -1; + } + ++#if 0 /* This can cause lockups */ + static void __write_lock_debug(rwlock_t *lock) + { + int print_once = 1; +@@ -232,12 +234,12 @@ static void __write_lock_debug(rwlock_t + } + } + } ++#endif + + void _raw_write_lock(rwlock_t *lock) + { + debug_write_lock_before(lock); +- if (unlikely(!__raw_write_trylock(&lock->raw_lock))) +- __write_lock_debug(lock); ++ __raw_write_lock(&lock->raw_lock); + debug_write_lock_after(lock); + } + diff --git a/queue-2.6.17/fix-befs-slab-corruption.patch b/queue-2.6.17/fix-befs-slab-corruption.patch new file mode 100644 index 00000000000..1061c86881c --- /dev/null +++ b/queue-2.6.17/fix-befs-slab-corruption.patch 
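Review bot: With `__read_lock_debug()` and `__write_lock_debug()` compiled out, `_raw_read_lock()` and `_raw_write_lock()` now wait in `__raw_read_lock()`/`__raw_write_lock()` with no lockup report, and nothing at the two call sites says that this diagnostic is gone. The `#if 0` comments name the symptom but not what has to be understood before the code can be re-enabled. A comment at each call site, for example `/* lockup detection disabled: __write_lock_debug() could stall long enough to trip the NMI watchdog */`, would keep the reason next to the behaviour. The bodies of both disabled functions lie mostly outside the inner hunks, so the cause of the stall cannot be judged from here.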
@@ -0,0 +1,65 @@ +From stable-bounces@linux.kernel.org Sat Aug 5 12:15:54 2006 +Message-Id: <200608051914.k75JEthD011006@shell0.pdx.osdl.net> +To: torvalds@osdl.org +From: akpm@osdl.org +Date: Sat, 05 Aug 2006 12:14:55 -0700 +Cc: akpm@osdl.org, greg@kroah.com, jjk@acm.org, diegocg@gmail.com, stable@kernel.org +Subject: Fix BeFS slab corruption + +From: Diego Calleja + +In bugzilla #6941, Jens Kilian reported: + +"The function befs_utf2nls (in fs/befs/linuxvfs.c) writes a 0 byte past the +end of a block of memory allocated via kmalloc(), leading to memory +corruption. This happens only for filenames which are pure ASCII and a +multiple of 4 bytes in length. [...] + +Without DEBUG_SLAB, this leads to further corruption and hard lockups; I +believe this is the bug which has made kernels later than 2.6.8 unusable +for me. (This must be due to changes in memory management, the bug has +been in the BeFS driver since the time it was introduced (AFAICT).) + +Steps to reproduce: +Create a directory (in BeOS, naturally :-) with files named, e.g., +"1", "22", "333", "4444", ... Mount it in Linux and do an "ls" or "find"" + +This patch implements the suggested fix. Credits to Jens Kilian for +debugging the problem and finding the right fix. 
+ +Signed-off-by: Diego Calleja +Cc: Jens Kilian +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/befs/linuxvfs.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- linux-2.6.17.8.orig/fs/befs/linuxvfs.c ++++ linux-2.6.17.8/fs/befs/linuxvfs.c +@@ -512,7 +512,11 @@ befs_utf2nls(struct super_block *sb, con + wchar_t uni; + int unilen, utflen; + char *result; +- int maxlen = in_len; /* The utf8->nls conversion can't make more chars */ ++ /* The utf8->nls conversion won't make the final nls string bigger ++ * than the utf one, but if the string is pure ascii they'll have the ++ * same width and an extra char is needed to save the additional \0 ++ */ ++ int maxlen = in_len + 1; + + befs_debug(sb, "---> utf2nls()"); + +@@ -588,7 +592,10 @@ befs_nls2utf(struct super_block *sb, con + wchar_t uni; + int unilen, utflen; + char *result; +- int maxlen = 3 * in_len; ++ /* There're nls characters that will translate to 3-chars-wide UTF-8 ++ * characters, a additional byte is needed to save the final \0 ++ * in special cases */ ++ int maxlen = (3 * in_len) + 1; + + befs_debug(sb, "---> nls2utf()\n"); + diff --git a/queue-2.6.17/fix-ifla_address-handling.patch b/queue-2.6.17/fix-ifla_address-handling.patch new file mode 100644 index 00000000000..110dee12c0a --- /dev/null +++ b/queue-2.6.17/fix-ifla_address-handling.patch 
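Review bot: `int maxlen = (3 * in_len) + 1;` in `befs_nls2utf()` is signed `int` arithmetic on a length that, going by the commit message, sizes a kmalloc() buffer and comes from on-disk file names. If callers do not already bound `in_len`, the multiplication can overflow and produce an undersized or negative size. The rest of both functions is outside the hunk, so whether such a cap exists is not visible here. Assuming the function returns a negative errno, a guard such as `if (in_len < 0 || in_len > (INT_MAX - 1) / 3) return -ENAMETOOLONG;` before the allocation would make the bound explicit.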
@@ -0,0 +1,56 @@ +From stable-bounces@linux.kernel.org Wed Aug 9 02:33:59 2006 +Date: Wed, 09 Aug 2006 02:33:28 -0700 (PDT) +Message-Id: <20060809.023328.08324505.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Subject: Fix IFLA_ADDRESS handling + +From: David Miller + +[RTNETLINK]: Fix IFLA_ADDRESS handling. + +The ->set_mac_address handlers expect a pointer to a +sockaddr which contains the MAC address, whereas +IFLA_ADDRESS provides just the MAC address itself. + +So whip up a sockaddr to wrap around the netlink +attribute for the ->set_mac_address call. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/rtnetlink.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- linux-2.6.17.8.orig/net/core/rtnetlink.c ++++ linux-2.6.17.8/net/core/rtnetlink.c +@@ -395,6 +395,9 @@ static int do_setlink(struct sk_buff *sk + } + + if (ida[IFLA_ADDRESS - 1]) { ++ struct sockaddr *sa; ++ int len; ++ + if (!dev->set_mac_address) { + err = -EOPNOTSUPP; + goto out; +@@ -406,7 +409,17 @@ static int do_setlink(struct sk_buff *sk + if (ida[IFLA_ADDRESS - 1]->rta_len != RTA_LENGTH(dev->addr_len)) + goto out; + +- err = dev->set_mac_address(dev, RTA_DATA(ida[IFLA_ADDRESS - 1])); ++ len = sizeof(sa_family_t) + dev->addr_len; ++ sa = kmalloc(len, GFP_KERNEL); ++ if (!sa) { ++ err = -ENOMEM; ++ goto out; ++ } ++ sa->sa_family = dev->type; ++ memcpy(sa->sa_data, RTA_DATA(ida[IFLA_ADDRESS - 1]), ++ dev->addr_len); ++ err = dev->set_mac_address(dev, sa); ++ kfree(sa); + if (err) + goto out; + send_addr_notify = 1; diff --git a/queue-2.6.17/fix-timer-race-in-dst-gc-code.patch b/queue-2.6.17/fix-timer-race-in-dst-gc-code.patch new file mode 100644 index 00000000000..9c5ac75b7ab --- /dev/null +++ b/queue-2.6.17/fix-timer-race-in-dst-gc-code.patch 
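Review bot: The buffer passed to `->set_mac_address` is only `sizeof(sa_family_t) + dev->addr_len` bytes, which for short hardware addresses is smaller than a `struct sockaddr`. Any handler that copies or inspects more than `dev->addr_len` bytes of `sa->sa_data`, or treats the argument as a full `struct sockaddr`, would read past the allocation. The handlers are not visible in this hunk, so this needs confirming against the drivers. If it cannot be ruled out, allocate at least a whole, zeroed sockaddr, e.g. `sa = kzalloc(max_t(size_t, sizeof(*sa), len), GFP_KERNEL);`. Otherwise document the contract with a comment such as `/* sa is exactly family + addr_len bytes; handlers must not read beyond dev->addr_len */`. The enclosing `do_setlink()` starts and ends outside the hunk.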
@@ -0,0 +1,66 @@ +From stable-bounces@linux.kernel.org Wed Aug 9 02:36:58 2006 +Date: Wed, 09 Aug 2006 02:36:33 -0700 (PDT) +Message-Id: <20060809.023633.62344115.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Subject: Fix timer race in dst GC code + +From: Dmitry Mishin + +[NET]: add_timer -> mod_timer() in dst_run_gc() + +Patch from Dmitry Mishin : + +Replace add_timer() by mod_timer() in dst_run_gc +in order to avoid BUG message. + + CPU1 CPU2 +dst_run_gc() entered dst_run_gc() entered +spin_lock(&dst_lock) ..... +del_timer(&dst_gc_timer) fail to get lock + .... mod_timer() <--- puts + timer back + to the list +add_timer(&dst_gc_timer) <--- BUG because timer is in list already. + +Found during OpenVZ internal testing. + +At first we thought that it is OpenVZ specific as we +added dst_run_gc(0) call in dst_dev_event(), +but as Alexey pointed to me it is possible to trigger +this condition in mainstream kernel. + +F.e. timer has fired on CPU2, but the handler was preeempted +by an irq before dst_lock is tried. +Meanwhile, someone on CPU1 adds an entry to gc list and +starts the timer. +If CPU2 was preempted long enough, this timer can expire +simultaneously with resuming timer handler on CPU1, arriving +exactly to the situation described. + +Signed-off-by: Dmitry Mishin +Signed-off-by: Kirill Korotaev +Signed-off-by: Alexey Kuznetsov +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/dst.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- linux-2.6.17.8.orig/net/core/dst.c ++++ linux-2.6.17.8/net/core/dst.c +@@ -95,12 +95,11 @@ static void dst_run_gc(unsigned long dum + dst_gc_timer_inc = DST_GC_INC; + dst_gc_timer_expires = DST_GC_MIN; + } +- dst_gc_timer.expires = jiffies + dst_gc_timer_expires; + #if RT_CACHE_DEBUG >= 2 + printk("dst_total: %d/%d %ld\n", + atomic_read(&dst_total), delayed, dst_gc_timer_expires); + #endif +- add_timer(&dst_gc_timer); ++ mod_timer(&dst_gc_timer, jiffies + dst_gc_timer_expires); + + out: + spin_unlock(&dst_lock); diff --git a/queue-2.6.17/have-ext3-reject-file-handles-with-bad-inode-numbers-early.patch b/queue-2.6.17/have-ext3-reject-file-handles-with-bad-inode-numbers-early.patch new file mode 100644 index 00000000000..61f59853ca0 --- /dev/null +++ b/queue-2.6.17/have-ext3-reject-file-handles-with-bad-inode-numbers-early.patch 
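Review bot: The switch to `mod_timer(&dst_gc_timer, jiffies + dst_gc_timer_expires);` carries no comment in the code, so the reason it must not be `add_timer()` lives only in the commit message. A one-line comment above the call, such as `/* mod_timer, not add_timer: another CPU may have re-armed dst_gc_timer before we took dst_lock */`, would stop a later cleanup from reintroducing the BUG. The start of `dst_run_gc()`, including how `dst_lock` is taken, is outside the hunk.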
@@ -0,0 +1,79 @@ +From stable-bounces@linux.kernel.org Fri Aug 4 08:36:24 2006 +Message-ID: <44D36946.7020601@redhat.com> +Date: Fri, 04 Aug 2006 10:35:34 -0500 +From: Eric Sandeen +To: Christoph Hellwig , Eric Sandeen , + Greg KH , linux-kernel@vger.kernel.org, + stable@kernel.org, torvalds@osdl.org, + Justin Forbes , + Zwane Mwaikambo , + "Theodore Ts'o" , Randy Dunlap , + Dave Jones , Chuck Wolber , + Chris Wedgwood , akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, jack@suse.cz, neilb@suse.de, + Marcel Holtmann , + "Stephen C. Tweedie" +Subject: Have ext3 reject file handles with bad inode numbers early + +blatantly ripped off from Neil Brown's ext2 patch. + + +Signed-off-by: Eric Sandeen +Acked-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext3/super.c | 40 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + +--- linux-2.6.17.8.orig/fs/ext3/super.c ++++ linux-2.6.17.8/fs/ext3/super.c +@@ -620,8 +620,48 @@ static struct super_operations ext3_sops + #endif + }; + ++static struct dentry *ext3_get_dentry(struct super_block *sb, void *vobjp) ++{ ++ __u32 *objp = vobjp; ++ unsigned long ino = objp[0]; ++ __u32 generation = objp[1]; ++ struct inode *inode; ++ struct dentry *result; ++ ++ if (ino != EXT3_ROOT_INO && ino < EXT3_FIRST_INO(sb)) ++ return ERR_PTR(-ESTALE); ++ if (ino > le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count)) ++ return ERR_PTR(-ESTALE); ++ ++ /* iget isn't really right if the inode is currently unallocated!! ++ * ext3_read_inode currently does appropriate checks, but ++ * it might be "neater" to call ext3_get_inode first and check ++ * if the inode is valid..... ++ */ ++ inode = iget(sb, ino); ++ if (inode == NULL) ++ return ERR_PTR(-ENOMEM); ++ if (is_bad_inode(inode) ++ || (generation && inode->i_generation != generation) ++ ) { ++ /* we didn't find the right inode.. */ ++ iput(inode); ++ return ERR_PTR(-ESTALE); ++ } ++ /* now to find a dentry. 
++ * If possible, get a well-connected one ++ */ ++ result = d_alloc_anon(inode); ++ if (!result) { ++ iput(inode); ++ return ERR_PTR(-ENOMEM); ++ } ++ return result; ++} ++ + static struct export_operations ext3_export_ops = { + .get_parent = ext3_get_parent, ++ .get_dentry = ext3_get_dentry, + }; + + enum { diff --git a/queue-2.6.17/ipx-header-length-validation-needed.patch b/queue-2.6.17/ipx-header-length-validation-needed.patch new file mode 100644 index 00000000000..39ebb8b2e7a --- /dev/null +++ b/queue-2.6.17/ipx-header-length-validation-needed.patch @@ -0,0 +1,32 @@ +From stable-bounces@linux.kernel.org Mon Aug 7 16:37:01 2006 +Date: Mon, 7 Aug 2006 16:36:02 -0700 +From: Stephen Hemminger +To: David Miller +Message-ID: <20060807163602.5c7a4a65@localhost.localdomain> +Cc: netdev@vger.kernel.org, stable@kernel.org, acme@ghostprotocols.net +Subject: ipx: header length validation needed + +From: Stephen Hemminger + +This patch will linearize and check there is enough data. +It handles the pprop case as well as avoiding a whole audit of +the routing code. + +Signed-off-by: Stephen Hemminger + +--- + net/ipx/af_ipx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- linux-2.6.17.8.orig/net/ipx/af_ipx.c ++++ linux-2.6.17.8/net/ipx/af_ipx.c +@@ -1647,7 +1647,8 @@ static int ipx_rcv(struct sk_buff *skb, + ipx_pktsize = ntohs(ipx->ipx_pktsize); + + /* Too small or invalid header? */ +- if (ipx_pktsize < sizeof(struct ipxhdr) || ipx_pktsize > skb->len) ++ if (ipx_pktsize < sizeof(struct ipxhdr) ++ || !pskb_may_pull(skb, ipx_pktsize)) + goto drop; + + if (ipx->ipx_checksum != IPX_NO_CHECKSUM && diff --git a/queue-2.6.17/kill-hash_highmem-from-route-cache-hash-sizing.patch b/queue-2.6.17/kill-hash_highmem-from-route-cache-hash-sizing.patch new file mode 100644 index 00000000000..c59a2ae11dc --- /dev/null +++ b/queue-2.6.17/kill-hash_highmem-from-route-cache-hash-sizing.patch 
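Review bot: In `ext3_get_dentry()` the test `(generation && inode->i_generation != generation)` skips the generation comparison whenever the handle carries generation 0, so such a handle is accepted for whatever inode currently holds that number. If this deliberately mirrors the generic export lookup it should say so in a comment, because the handle contents are supplied by the client. The function also reads `objp[0]` and `objp[1]` with no length argument, so it depends on the caller having verified that the handle holds at least two 32-bit words. A short header comment stating that precondition and the `-ESTALE`/`-ENOMEM` return convention would make the contract reviewable.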
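Review bot: `pskb_may_pull()` may reallocate the skb's header area, yet `ipx` was loaded before the call (it is already dereferenced in `ntohs(ipx->ipx_pktsize)`) and is used again immediately afterwards in `ipx->ipx_checksum`, so that read can go through a stale pointer. Re-derive it once the check has passed, e.g. `ipx = ipx_hdr(skb);` on the line after `goto drop;`. The first read of `ipx->ipx_pktsize` also happens before any visible check that a full `struct ipxhdr` sits in the linear area. The start of `ipx_rcv()` is outside the hunk, so confirm that a `pskb_may_pull(skb, sizeof(struct ipxhdr))` or equivalent precedes it.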
@@ -0,0 +1,42 @@ +From stable-bounces@linux.kernel.org Wed Aug 9 02:35:56 2006 +Date: Wed, 09 Aug 2006 02:35:21 -0700 (PDT) +Message-Id: <20060809.023521.21927097.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Subject: Kill HASH_HIGHMEM from route cache hash sizing + +From: Kirill Korotaev + +[IPV4]: Limit rt cache size properly. + +During OpenVZ stress testing we found that UDP traffic with random src +can generate too much excessive rt hash growing leading finally to OOM +and kernel panics. + +It was found that for 4GB i686 system (having 1048576 total pages and +225280 normal zone pages) kernel allocates the following route hash: +syslog: IP route cache hash table entries: 262144 (order: 8, 1048576 +bytes) => ip_rt_max_size = 4194304 entries, i.e. max rt size is +4194304 * 256b = 1Gb of RAM > normal_zone + +Attached the patch which removes HASH_HIGHMEM flag from +alloc_large_system_hash() call. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.17.8.orig/net/ipv4/route.c ++++ linux-2.6.17.8/net/ipv4/route.c +@@ -3144,7 +3144,7 @@ int __init ip_rt_init(void) + rhash_entries, + (num_physpages >= 128 * 1024) ? + 15 : 17, +- HASH_HIGHMEM, ++ 0, + &rt_hash_log, + &rt_hash_mask, + 0); diff --git a/queue-2.6.17/series b/queue-2.6.17/series new file mode 100644 index 00000000000..a1536553cb1 --- /dev/null +++ b/queue-2.6.17/series @@ -0,0 +1,8 @@ +have-ext3-reject-file-handles-with-bad-inode-numbers-early.patch +sky2-phy-power-problem-on-88e805x.patch +kill-hash_highmem-from-route-cache-hash-sizing.patch +fix-timer-race-in-dst-gc-code.patch +fix-ifla_address-handling.patch +fix-befs-slab-corruption.patch +disable-debugging-version-of-write_lock.patch +ipx-header-length-validation-needed.patch 
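Review bot: The flags argument to `alloc_large_system_hash()` in `ip_rt_init()` is now a bare `0`, next to another positional `0` at the end of the call, with nothing in the code to say that highmem is excluded on purpose. Since the commit message ties this to route-cache growth under traffic with random source addresses ending in OOM, a comment on that line such as `0, /* no HASH_HIGHMEM: size the hash from lowmem only, see rt cache OOM */` would keep the flag from being restored by accident. The call and the function both begin outside the hunk.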
diff --git a/queue-2.6.17/sky2-phy-power-problem-on-88e805x.patch b/queue-2.6.17/sky2-phy-power-problem-on-88e805x.patch new file mode 100644 index 00000000000..a5077ef5c61 --- /dev/null +++ b/queue-2.6.17/sky2-phy-power-problem-on-88e805x.patch @@ -0,0 +1,41 @@ +From stable-bounces@linux.kernel.org Wed Aug 9 14:17:16 2006 +Date: Wed, 9 Aug 2006 14:16:41 -0700 +From: Stephen Hemminger +To: stable@kernel.org +Message-ID: <20060809141641.7bb5aeaf@localhost.localdomain> +Subject: sky2: phy power problem on 88e805x + +From: Stephen Hemminger + +On the 88E805X chipsets (used in laptops), the PHY was not getting powered +out of shutdown properly. The variable reg1 was getting reused incorrectly. +This is probably the cause of the bug. + http://bugzilla.kernel.org/show_bug.cgi?id=6471 + +Signed-off-by: Stephen Hemminger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/sky2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.17.8.orig/drivers/net/sky2.c ++++ linux-2.6.17.8/drivers/net/sky2.c +@@ -233,6 +233,8 @@ static void sky2_set_power_state(struct + if (hw->ports > 1) + reg1 |= PCI_Y2_PHY2_COMA; + } ++ sky2_pci_write32(hw, PCI_DEV_REG1, reg1); ++ udelay(100); + + if (hw->chip_id == CHIP_ID_YUKON_EC_U) { + sky2_write16(hw, B0_CTST, Y2_HW_WOL_ON); +@@ -243,8 +245,6 @@ static void sky2_set_power_state(struct + sky2_pci_write32(hw, PCI_DEV_REG5, 0); + } + +- sky2_pci_write32(hw, PCI_DEV_REG1, reg1); +- + break; + + case PCI_D3hot:
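Review bot: The added `udelay(100);` after `sky2_pci_write32(hw, PCI_DEV_REG1, reg1);` has no comment saying what it waits for or where the value comes from. The commit message itself only calls the reordering the probable cause of the fix, so the intent is easy to lose. A comment such as `/* give the PHY time to leave power-down before further register access */`, with the source of the 100 us figure if there is one, would document both the ordering requirement and the delay. The enclosing `switch` case in `sky2_set_power_state()` starts outside the hunk.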