From: Greg Kroah-Hartman Date: Wed, 7 Mar 2007 01:16:02 +0000 (-0800) Subject: more 2.6.20 stable patches X-Git-Tag: v2.6.20.2~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a8ba13cda8d4146020d43c41f295cb03ef59d019;p=thirdparty%2Fkernel%2Fstable-queue.git more 2.6.20 stable patches --- diff --git a/queue-2.6.20/bcm43xx-fix-for-4309.patch b/queue-2.6.20/bcm43xx-fix-for-4309.patch new file mode 100644 index 00000000000..f872799f5b4 --- /dev/null +++ b/queue-2.6.20/bcm43xx-fix-for-4309.patch @@ -0,0 +1,37 @@ +From stable-bounces@linux.kernel.org Sat Feb 17 09:45:44 2007 +From: Stefano Brivio +Date: Sat, 17 Feb 2007 18:43:14 +0100 +Subject: bcm43xx: fix for 4309 +To: stable@kernel.org +Cc: John Linville , Stefano Brivio , Larry Finger +Message-ID: <200702171843.14872.mb@bu3sch.de> +Content-Disposition: inline + +From: Stefano Brivio + +BCM4309 devices aren't working properly as A PHYs aren't supported yet, but +we probe 802.11a cores anyway. This fixes it, while still allowing for A PHY code +to be developed in the future. + +Signed-off-by: Stefano Brivio +Cc: Michael Buesch +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/bcm43xx/bcm43xx_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- linux-2.6.20.1.orig/drivers/net/wireless/bcm43xx/bcm43xx_main.c ++++ linux-2.6.20.1/drivers/net/wireless/bcm43xx/bcm43xx_main.c +@@ -2736,8 +2736,9 @@ static int bcm43xx_probe_cores(struct bc + * dangling pins on the second core. Be careful + * and ignore these cores here. + */ +- if (bcm->pci_dev->device != 0x4324) { +- dprintk(KERN_INFO PFX "Ignoring additional 802.11 core.\n"); ++ if (1 /*bcm->pci_dev->device != 0x4324*/ ) { ++ /* TODO: A PHY */ ++ dprintk(KERN_INFO PFX "Ignoring additional 802.11a core.\n"); + continue; + } + } diff --git a/queue-2.6.20/clear-tcp-segmentation-offload-state-in-ipt_reject.patch b/queue-2.6.20/clear-tcp-segmentation-offload-state-in-ipt_reject.patch new file mode 100644 index 00000000000..11cac24213f --- /dev/null +++ b/queue-2.6.20/clear-tcp-segmentation-offload-state-in-ipt_reject.patch @@ -0,0 +1,39 @@ +From stable-bounces@linux.kernel.org Tue Feb 13 18:14:08 2007 +From: Herbert Xu +Date: Tue, 13 Feb 2007 18:12:38 -0800 (PST) +Subject: Clear TCP segmentation offload state in ipt_REJECT +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070213.181238.74561510.davem@davemloft.net> + +From: Herbert Xu + +[NETFILTER]: Clear GSO bits for TCP reset packet + +The TCP reset packet is copied from the original. This +includes all the GSO bits which do not apply to the new +packet. So we should clear those bits. + +Spotted by Patrick McHardy. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/ipt_REJECT.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- linux-2.6.20.1.orig/net/ipv4/netfilter/ipt_REJECT.c ++++ linux-2.6.20.1/net/ipv4/netfilter/ipt_REJECT.c +@@ -79,6 +79,10 @@ static void send_reset(struct sk_buff *o + nskb->mark = 0; + skb_init_secmark(nskb); + ++ skb_shinfo(nskb)->gso_size = 0; ++ skb_shinfo(nskb)->gso_segs = 0; ++ skb_shinfo(nskb)->gso_type = 0; ++ + tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl); + + /* Swap source and dest */ diff --git a/queue-2.6.20/fix-atmarp.h-for-userspace.patch b/queue-2.6.20/fix-atmarp.h-for-userspace.patch new file mode 100644 index 00000000000..5a3b178bee7 --- /dev/null +++ b/queue-2.6.20/fix-atmarp.h-for-userspace.patch @@ -0,0 +1,36 @@ +From stable-bounces@linux.kernel.org Tue Feb 13 18:12:53 2007 +From: David Miller +Date: Tue, 13 Feb 2007 18:11:27 -0800 (PST) +Subject: Fix atmarp.h for userspace +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070213.181127.39158302.davem@davemloft.net> + + +From: David Miller + +[ATM]: atmarp.h needs to always include linux/types.h + +To provide the __be* types, even for userspace includes. + +Reported by Andrew Walrond. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/atmarp.h | 2 -- + 1 file changed, 2 deletions(-) + +--- linux-2.6.20.1.orig/include/linux/atmarp.h ++++ linux-2.6.20.1/include/linux/atmarp.h +@@ -6,9 +6,7 @@ + #ifndef _LINUX_ATMARP_H + #define _LINUX_ATMARP_H + +-#ifdef __KERNEL__ + #include +-#endif + #include + #include + diff --git a/queue-2.6.20/fix-bug-7994-sleeping-function-called-from-invalid-context-at-mm-slab.c-3034.patch b/queue-2.6.20/fix-bug-7994-sleeping-function-called-from-invalid-context-at-mm-slab.c-3034.patch new file mode 100644 index 00000000000..62f470a763a --- /dev/null +++ b/queue-2.6.20/fix-bug-7994-sleeping-function-called-from-invalid-context-at-mm-slab.c-3034.patch @@ -0,0 +1,51 @@ +From stable-bounces@linux.kernel.org Tue Feb 13 09:33:02 2007 +From: Douglas Gilbert +Date: Tue, 13 Feb 2007 09:31:38 -0800 +Subject: Fix Bug 7994: sleeping function called from invalid context at mm/slab.c:3034 +To: stable@kernel.org +Cc: Douglas Gilbert +Message-ID: <20070213093138.b4fa28c5.akpm@linux-foundation.org> + +From: Douglas Gilbert + +ChangeLog: + - Use GFP_ATOMIC for allocations that can be called + from the queuecommand() entry point + +Signed-off-by: Douglas Gilbert +Cc: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_debug.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- linux-2.6.20.1.orig/drivers/scsi/scsi_debug.c ++++ linux-2.6.20.1/drivers/scsi/scsi_debug.c +@@ -954,7 +954,7 @@ static int resp_inquiry(struct scsi_cmnd + int alloc_len, n, ret; + + alloc_len = (cmd[3] << 8) + cmd[4]; +- arr = kzalloc(SDEBUG_MAX_INQ_ARR_SZ, GFP_KERNEL); ++ arr = kzalloc(SDEBUG_MAX_INQ_ARR_SZ, GFP_ATOMIC); + if (devip->wlun) + pq_pdt = 0x1e; /* present, wlun */ + else if (scsi_debug_no_lun_0 && (0 == devip->lun)) +@@ -1217,7 +1217,7 @@ static int resp_report_tgtpgs(struct scs + alen = ((cmd[6] << 24) + (cmd[7] << 16) + (cmd[8] << 8) + + cmd[9]); + +- arr = kzalloc(SDEBUG_MAX_TGTPGS_ARR_SZ, GFP_KERNEL); ++ arr = kzalloc(SDEBUG_MAX_TGTPGS_ARR_SZ, GFP_ATOMIC); + /* + * EVPD page 0x88 states we have two ports, one + * real and a fake port with no device connected. +@@ -2044,7 +2044,7 @@ static struct sdebug_dev_info * devInfoR + } + } + if (NULL == open_devip) { /* try and make a new one */ +- open_devip = kzalloc(sizeof(*open_devip),GFP_KERNEL); ++ open_devip = kzalloc(sizeof(*open_devip),GFP_ATOMIC); + if (NULL == open_devip) { + printk(KERN_ERR "%s: out of memory at line %d\n", + __FUNCTION__, __LINE__); diff --git a/queue-2.6.20/fix-ipx-module-unload.patch b/queue-2.6.20/fix-ipx-module-unload.patch new file mode 100644 index 00000000000..22b2bf3d6be --- /dev/null +++ b/queue-2.6.20/fix-ipx-module-unload.patch @@ -0,0 +1,65 @@ +From stable-bounces@linux.kernel.org Tue Feb 13 18:21:10 2007 +From: Jiri Bohac +Date: Tue, 13 Feb 2007 18:19:47 -0800 (PST) +Subject: Fix IPX module unload +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070213.181947.28789120.davem@davemloft.net> + +From: Jiri Bohac + +[IPX]: Fix NULL pointer dereference on ipx unload + +Fixes a null pointer dereference when unloading the ipx module. + +On initialization of the ipx module, registering certain packet +types can fail. When this happens, unloading the module later +dereferences NULL pointers. This patch fixes that. Please apply. + +Signed-off-by: Jiri Bohac +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipx/af_ipx.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +--- linux-2.6.20.1.orig/net/ipx/af_ipx.c ++++ linux-2.6.20.1/net/ipx/af_ipx.c +@@ -2035,19 +2035,27 @@ static void __exit ipx_proto_finito(void + + ipxitf_cleanup(); + +- unregister_snap_client(pSNAP_datalink); +- pSNAP_datalink = NULL; +- +- unregister_8022_client(p8022_datalink); +- p8022_datalink = NULL; ++ if (pSNAP_datalink) { ++ unregister_snap_client(pSNAP_datalink); ++ pSNAP_datalink = NULL; ++ } ++ ++ if (p8022_datalink) { ++ unregister_8022_client(p8022_datalink); ++ p8022_datalink = NULL; ++ } + + dev_remove_pack(&ipx_8023_packet_type); +- destroy_8023_client(p8023_datalink); +- p8023_datalink = NULL; ++ if (p8023_datalink) { ++ destroy_8023_client(p8023_datalink); ++ p8023_datalink = NULL; ++ } + + dev_remove_pack(&ipx_dix_packet_type); +- destroy_EII_client(pEII_datalink); +- pEII_datalink = NULL; ++ if (pEII_datalink) { ++ destroy_EII_client(pEII_datalink); ++ pEII_datalink = NULL; ++ } + + proto_unregister(&ipx_proto); + sock_unregister(ipx_family_ops.family); diff --git a/queue-2.6.20/fix-oops-in-xfrm_audit_log.patch b/queue-2.6.20/fix-oops-in-xfrm_audit_log.patch new file mode 100644 index 00000000000..46b8a53a17d --- /dev/null +++ b/queue-2.6.20/fix-oops-in-xfrm_audit_log.patch @@ -0,0 +1,98 @@ +From stable-bounces@linux.kernel.org Tue Feb 13 18:24:16 2007 +From: David Miller +Date: Tue, 13 Feb 2007 18:22:46 -0800 (PST) +Subject: Fix oops in xfrm_audit_log() +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070213.182246.88476061.davem@davemloft.net> + +From: David Miller + +[XFRM]: Fix OOPSes in xfrm_audit_log(). + +Make sure that this function is called correctly, and +add BUG() checking to ensure the arguments are sane. + +Based upon a patch by Joy Latten. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/key/af_key.c | 11 ++++++----- + net/xfrm/xfrm_policy.c | 7 ++++++- + net/xfrm/xfrm_user.c | 12 +++++++----- + 3 files changed, 19 insertions(+), 11 deletions(-) + +--- linux-2.6.20.1.orig/net/key/af_key.c ++++ linux-2.6.20.1/net/key/af_key.c +@@ -2297,16 +2297,17 @@ static int pfkey_spddelete(struct sock * + &sel, tmp.security, 1); + security_xfrm_policy_free(&tmp); + +- xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, +- AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL); +- + if (xp == NULL) + return -ENOENT; + +- err = 0; ++ err = security_xfrm_policy_delete(xp); + +- if ((err = security_xfrm_policy_delete(xp))) ++ xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, ++ AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); ++ ++ if (err) + goto out; ++ + c.seq = hdr->sadb_msg_seq; + c.pid = hdr->sadb_msg_pid; + c.event = XFRM_MSG_DELPOLICY; +--- linux-2.6.20.1.orig/net/xfrm/xfrm_policy.c ++++ linux-2.6.20.1/net/xfrm/xfrm_policy.c +@@ -1997,9 +1997,14 @@ void xfrm_audit_log(uid_t auid, u32 sid, + if (audit_enabled == 0) + return; + ++ BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA || ++ type == AUDIT_MAC_IPSEC_DELSA) && !x); ++ BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD || ++ type == AUDIT_MAC_IPSEC_DELSPD) && !xp); ++ + audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type); + if (audit_buf == NULL) +- return; ++ return; + + switch(type) { + case AUDIT_MAC_IPSEC_ADDSA: +--- linux-2.6.20.1.orig/net/xfrm/xfrm_user.c ++++ linux-2.6.20.1/net/xfrm/xfrm_user.c +@@ -1273,10 +1273,6 @@ static int xfrm_get_policy(struct sk_buf + xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete); + security_xfrm_policy_free(&tmp); + } +- if (delete) +- xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, +- AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL); +- + if (xp == NULL) + return -ENOENT; + +@@ -1292,8 +1288,14 @@ static int xfrm_get_policy(struct sk_buf + MSG_DONTWAIT); + } + } else { +- if ((err = security_xfrm_policy_delete(xp)) != 0) ++ err = security_xfrm_policy_delete(xp); ++ ++ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, ++ AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); ++ ++ if (err != 0) + goto out; ++ + c.data.byid = p->index; + c.event = nlh->nlmsg_type; + c.seq = nlh->nlmsg_seq; diff --git a/queue-2.6.20/i386-fix-broken-config_compat_vdso-on-i386.patch b/queue-2.6.20/i386-fix-broken-config_compat_vdso-on-i386.patch new file mode 100644 index 00000000000..59d2910bc49 --- /dev/null +++ b/queue-2.6.20/i386-fix-broken-config_compat_vdso-on-i386.patch @@ -0,0 +1,43 @@ +From stable-bounces@linux.kernel.org Sat Feb 17 04:49:08 2007 +From: "Jan Beulich" +Date: Sat, 17 Feb 2007 13:33:31 +0100 +Subject: i386: Fix broken CONFIG_COMPAT_VDSO on i386 +To: stable@kernel.org +Message-ID: <200702171333.31042.ak@suse.de> +Content-Disposition: inline + +From: "Jan Beulich" + +After updating several machines to 2.6.20, I can't boot anymore the single +one of them that supports the NX bit and is configured as a 32-bit system. + +My understanding is that the VDSO changes in 2.6.20-rc7 were not fully +cooked, in that with that config option enabled VDSO_SYM(x) now equals +x, meaning that an address in the fixmap area is now being passed to +apps via AT_SYSINFO. However, the page is mapped with PAGE_READONLY +rather than PAGE_READONLY_EXEC. + +I'm not certain whether having app code go through the fixmap area is +intended, but in case it is here is the simple patch that makes things work +again. + +Cc: Theodore Tso +Signed-off-by: Jan Beulich +Signed-off-by: Andi Kleen +Signed-off-by: Greg Kroah-Hartman + +--- + arch/i386/kernel/sysenter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.20.1.orig/arch/i386/kernel/sysenter.c ++++ linux-2.6.20.1/arch/i386/kernel/sysenter.c +@@ -77,7 +77,7 @@ int __init sysenter_setup(void) + syscall_page = (void *)get_zeroed_page(GFP_ATOMIC); + + #ifdef CONFIG_COMPAT_VDSO +- __set_fixmap(FIX_VDSO, __pa(syscall_page), PAGE_READONLY); ++ __set_fixmap(FIX_VDSO, __pa(syscall_page), PAGE_READONLY_EXEC); + printk("Compat vDSO mapped to %08lx.\n", __fix_to_virt(FIX_VDSO)); + #endif + diff --git a/queue-2.6.20/md-fix-raid10-recovery-problem.patch b/queue-2.6.20/md-fix-raid10-recovery-problem.patch new file mode 100644 index 00000000000..960950873e6 --- /dev/null +++ b/queue-2.6.20/md-fix-raid10-recovery-problem.patch @@ -0,0 +1,117 @@ +From stable-bounces@linux.kernel.org Mon Feb 19 22:36:48 2007 +From: NeilBrown +Date: Tue, 20 Feb 2007 17:34:47 +1100 +Subject: md: Fix raid10 recovery problem. +To: Andrew Morton +Cc: linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org, stable@kernel.org +Message-ID: <1070220063447.16129@suse.de> + +From: NeilBrown + +There are two errors that can lead to recovery problems with raid10 +when used in 'far' more (not the default). + +Due to a '>' instead of '>=' the wrong block is located which would +result in garbage being written to some random location, quite +possible outside the range of the device, causing the newly +reconstructed device to fail. + +The device size calculation had some rounding errors (it didn't round +when it should) and so recovery would go a few blocks too far which +would again cause a write to a random block address and probably +a device error. + +The code for working with device sizes was fairly confused and spread +out, so this has been tided up a bit. + +Signed-off-by: Neil Brown +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/md/raid10.c | 38 ++++++++++++++++++++------------------ + 1 file changed, 20 insertions(+), 18 deletions(-) + +--- linux-2.6.20.1.orig/drivers/md/raid10.c ++++ linux-2.6.20.1/drivers/md/raid10.c +@@ -429,7 +429,7 @@ static sector_t raid10_find_virt(conf_t + if (dev < 0) + dev += conf->raid_disks; + } else { +- while (sector > conf->stride) { ++ while (sector >= conf->stride) { + sector -= conf->stride; + if (dev < conf->near_copies) + dev += conf->raid_disks - conf->near_copies; +@@ -1801,6 +1801,7 @@ static sector_t sync_request(mddev_t *md + for (k=0; kcopies; k++) + if (r10_bio->devs[k].devnum == i) + break; ++ BUG_ON(k == conf->copies); + bio = r10_bio->devs[1].bio; + bio->bi_next = biolist; + biolist = bio; +@@ -2021,19 +2022,30 @@ static int run(mddev_t *mddev) + if (!conf->tmppage) + goto out_free_conf; + ++ conf->mddev = mddev; ++ conf->raid_disks = mddev->raid_disks; + conf->near_copies = nc; + conf->far_copies = fc; + conf->copies = nc*fc; + conf->far_offset = fo; + conf->chunk_mask = (sector_t)(mddev->chunk_size>>9)-1; + conf->chunk_shift = ffz(~mddev->chunk_size) - 9; ++ size = mddev->size >> (conf->chunk_shift-1); ++ sector_div(size, fc); ++ size = size * conf->raid_disks; ++ sector_div(size, nc); ++ /* 'size' is now the number of chunks in the array */ ++ /* calculate "used chunks per device" in 'stride' */ ++ stride = size * conf->copies; ++ sector_div(stride, conf->raid_disks); ++ mddev->size = stride << (conf->chunk_shift-1); ++ + if (fo) +- conf->stride = 1 << conf->chunk_shift; +- else { +- stride = mddev->size >> (conf->chunk_shift-1); ++ stride = 1; ++ else + sector_div(stride, fc); +- conf->stride = stride << conf->chunk_shift; +- } ++ conf->stride = stride << conf->chunk_shift; ++ + conf->r10bio_pool = mempool_create(NR_RAID10_BIOS, r10bio_pool_alloc, + r10bio_pool_free, conf); + if (!conf->r10bio_pool) { +@@ -2063,8 +2075,6 @@ static int run(mddev_t *mddev) + + disk->head_position = 0; + } +- conf->raid_disks = mddev->raid_disks; +- conf->mddev = mddev; + spin_lock_init(&conf->device_lock); + INIT_LIST_HEAD(&conf->retry_list); + +@@ -2106,16 +2116,8 @@ static int run(mddev_t *mddev) + /* + * Ok, everything is just fine now + */ +- if (conf->far_offset) { +- size = mddev->size >> (conf->chunk_shift-1); +- size *= conf->raid_disks; +- size <<= conf->chunk_shift; +- sector_div(size, conf->far_copies); +- } else +- size = conf->stride * conf->raid_disks; +- sector_div(size, conf->near_copies); +- mddev->array_size = size/2; +- mddev->resync_max_sectors = size; ++ mddev->array_size = size << (conf->chunk_shift-1); ++ mddev->resync_max_sectors = size << conf->chunk_shift; + + mddev->queue->unplug_fn = raid10_unplug; + mddev->queue->issue_flush_fn = raid10_issue_flush; diff --git a/queue-2.6.20/prevent-pseudo-garbage-in-syn-s-advertized-window.patch b/queue-2.6.20/prevent-pseudo-garbage-in-syn-s-advertized-window.patch new file mode 100644 index 00000000000..36730ba3b34 --- /dev/null +++ b/queue-2.6.20/prevent-pseudo-garbage-in-syn-s-advertized-window.patch @@ -0,0 +1,58 @@ +From 600ff0c24bb71482e7f0da948a931d5c5d72838a Mon Sep 17 00:00:00 2001 +From: Ilpo Järvinen +Date: Tue, 13 Feb 2007 12:42:11 -0800 +Subject: [TCP]: Prevent pseudo garbage in SYN's advertized window +Message-Id: <20070213.182131.102574822.davem@davemloft.net> + +From: Ilpo Järvinen + +TCP may advertize up to 16-bits window in SYN packets (no window +scaling allowed). At the same time, TCP may have rcv_wnd +(32-bits) that does not fit to 16-bits without window scaling +resulting in pseudo garbage into advertized window from the +low-order bits of rcv_wnd. This can happen at least when +mss <= (1< +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_output.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.20.1.orig/net/ipv4/tcp_output.c ++++ linux-2.6.20.1/net/ipv4/tcp_output.c +@@ -481,7 +481,7 @@ static int tcp_transmit_skb(struct sock + /* RFC1323: The window in SYN & SYN/ACK segments + * is never scaled. + */ +- th->window = htons(tp->rcv_wnd); ++ th->window = htons(min(tp->rcv_wnd, 65535U)); + } else { + th->window = htons(tcp_select_window(sk)); + } +@@ -2160,7 +2160,7 @@ struct sk_buff * tcp_make_synack(struct + } + + /* RFC1323: The window in SYN & SYN/ACK segments is never scaled. */ +- th->window = htons(req->rcv_wnd); ++ th->window = htons(min(req->rcv_wnd, 65535U)); + + TCP_SKB_CB(skb)->when = tcp_time_stamp; + tcp_syn_build_options((__be32 *)(th + 1), dst_metric(dst, RTAX_ADVMSS), ireq->tstamp_ok, diff --git a/queue-2.6.20/series b/queue-2.6.20/series index c0fef20a230..5b8f2fceee2 100644 --- a/queue-2.6.20/series +++ b/queue-2.6.20/series @@ -31,3 +31,16 @@ ehci-turn-off-remote-wakeup-during-shutdown.patch avoid-using-nfsd-process-pools-on-smp-machines.patch fix-recently-introduced-problem-with-shutting-down-a-busy-nfs-server.patch uhci-fix-port-resume-problem.patch +fix-bug-7994-sleeping-function-called-from-invalid-context-at-mm-slab.c-3034.patch +fix-atmarp.h-for-userspace.patch +clear-tcp-segmentation-offload-state-in-ipt_reject.patch +fix-ipx-module-unload.patch +prevent-pseudo-garbage-in-syn-s-advertized-window.patch +fix-oops-in-xfrm_audit_log.patch +sky2-pause-flush.patch +sky2-tx-timeout-deadlock.patch +x86_64-fix-wrong-gcc-check-in-bitops.h.patch +x86-don-t-require-the-vdso-for-handling-a.out-signals.patch +i386-fix-broken-config_compat_vdso-on-i386.patch +bcm43xx-fix-for-4309.patch +md-fix-raid10-recovery-problem.patch diff --git a/queue-2.6.20/sky2-pause-flush.patch b/queue-2.6.20/sky2-pause-flush.patch new file mode 100644 index 00000000000..43ed50e2674 --- /dev/null +++ b/queue-2.6.20/sky2-pause-flush.patch @@ -0,0 +1,32 @@ +From stable-bounces@linux.kernel.org Fri Feb 16 15:00:49 2007 +From: Stephen Hemminger +Date: Fri, 16 Feb 2007 14:56:10 -0800 +Subject: sky2: dont flush good pause frames +To: stable@kernel.org +Message-ID: <20070216225836.148603000@linux-foundation.org> +Content-Disposition: inline; filename=sky2-pause-flush.patch + +From: Stephen Hemminger + +Don't mark pause frames as errors. This problem caused transmitter not +to pause and would effectively take out a gigabit switch because the +it can't handle overrun. + +Signed-off-by: Stephen Hemminger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/sky2.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.20.1.orig/drivers/net/sky2.h ++++ linux-2.6.20.1/drivers/net/sky2.h +@@ -1579,7 +1579,7 @@ enum { + + GMR_FS_ANY_ERR = GMR_FS_RX_FF_OV | GMR_FS_CRC_ERR | + GMR_FS_FRAGMENT | GMR_FS_LONG_ERR | +- GMR_FS_MII_ERR | GMR_FS_GOOD_FC | GMR_FS_BAD_FC | ++ GMR_FS_MII_ERR | GMR_FS_BAD_FC | + GMR_FS_UN_SIZE | GMR_FS_JABBER, + }; + diff --git a/queue-2.6.20/sky2-tx-timeout-deadlock.patch b/queue-2.6.20/sky2-tx-timeout-deadlock.patch new file mode 100644 index 00000000000..d3b41987e18 --- /dev/null +++ b/queue-2.6.20/sky2-tx-timeout-deadlock.patch @@ -0,0 +1,49 @@ +From stable-bounces@linux.kernel.org Fri Feb 16 15:00:49 2007 +From: Stephen Hemminger +Date: Fri, 16 Feb 2007 14:56:11 -0800 +Subject: sky2: transmit timeout deadlock +To: stable@kernel.org +Message-ID: <20070216225836.237453000@linux-foundation.org> +Content-Disposition: inline; filename=sky2-tx-timeout-deadlock.patch + +From: Stephen Hemminger + +The code in transmit timeout incorrectly assumed that netif_tx_lock +was not set. + +Signed-off-by: Stephen Hemminger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/sky2.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- linux-2.6.20.1.orig/drivers/net/sky2.c ++++ linux-2.6.20.1/drivers/net/sky2.c +@@ -1796,6 +1796,7 @@ out: + + /* Transmit timeout is only called if we are running, carries is up + * and tx queue is full (stopped). ++ * Called with netif_tx_lock held. + */ + static void sky2_tx_timeout(struct net_device *dev) + { +@@ -1821,17 +1822,14 @@ static void sky2_tx_timeout(struct net_d + sky2_write8(hw, STAT_TX_TIMER_CTRL, TIM_START); + } else if (report != sky2->tx_cons) { + printk(KERN_INFO PFX "status report lost?\n"); +- +- netif_tx_lock_bh(dev); + sky2_tx_complete(sky2, report); +- netif_tx_unlock_bh(dev); + } else { + printk(KERN_INFO PFX "hardware hung? flushing\n"); + + sky2_write32(hw, Q_ADDR(txq, Q_CSR), BMU_STOP); + sky2_write32(hw, Y2_QADDR(txq, PREF_UNIT_CTRL), PREF_UNIT_RST_SET); + +- sky2_tx_clean(dev); ++ sky2_tx_complete(sky2, sky2->tx_prod); + + sky2_qset(hw, txq); + sky2_prefetch_init(hw, txq, sky2->tx_le_map, TX_RING_SIZE - 1); diff --git a/queue-2.6.20/x86-don-t-require-the-vdso-for-handling-a.out-signals.patch b/queue-2.6.20/x86-don-t-require-the-vdso-for-handling-a.out-signals.patch new file mode 100644 index 00000000000..94301ad9bef --- /dev/null +++ b/queue-2.6.20/x86-don-t-require-the-vdso-for-handling-a.out-signals.patch @@ -0,0 +1,93 @@ +From stable-bounces@linux.kernel.org Sat Feb 17 04:48:52 2007 +From: Andi Kleen +Date: Sat, 17 Feb 2007 13:33:00 +0100 +Subject: x86: Don't require the vDSO for handling a.out signals +To: stable@kernel.org +Message-ID: <200702171333.00846.ak@suse.de> +Content-Disposition: inline + +From: Andi Kleen + +x86: Don't require the vDSO for handling a.out signals + +and in other strange binfmts. vDSO is not necessarily mapped there. + +This fixes signals in a.out programs + +Signed-off-by: Andi Kleen +Signed-off-by: Greg Kroah-Hartman + +--- + arch/i386/kernel/signal.c | 6 +++++- + arch/x86_64/ia32/ia32_signal.c | 7 ++++++- + fs/binfmt_elf.c | 3 ++- + include/linux/binfmts.h | 1 + + 4 files changed, 14 insertions(+), 3 deletions(-) + +--- linux-2.6.20.1.orig/arch/i386/kernel/signal.c ++++ linux-2.6.20.1/arch/i386/kernel/signal.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -349,7 +350,10 @@ static int setup_frame(int sig, struct k + goto give_sigsegv; + } + +- restorer = (void *)VDSO_SYM(&__kernel_sigreturn); ++ if (current->binfmt->hasvdso) ++ restorer = (void *)VDSO_SYM(&__kernel_sigreturn); ++ else ++ restorer = (void *)&frame->retcode; + if (ka->sa.sa_flags & SA_RESTORER) + restorer = ka->sa.sa_restorer; + +--- linux-2.6.20.1.orig/arch/x86_64/ia32/ia32_signal.c ++++ linux-2.6.20.1/arch/x86_64/ia32/ia32_signal.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -449,7 +450,11 @@ int ia32_setup_frame(int sig, struct k_s + + /* Return stub is in 32bit vsyscall page */ + { +- void __user *restorer = VSYSCALL32_SIGRETURN; ++ void __user *restorer; ++ if (current->binfmt->hasvdso) ++ restorer = VSYSCALL32_SIGRETURN; ++ else ++ restorer = (void *)&frame->retcode; + if (ka->sa.sa_flags & SA_RESTORER) + restorer = ka->sa.sa_restorer; + err |= __put_user(ptr_to_compat(restorer), &frame->pretcode); +--- linux-2.6.20.1.orig/fs/binfmt_elf.c ++++ linux-2.6.20.1/fs/binfmt_elf.c +@@ -76,7 +76,8 @@ static struct linux_binfmt elf_format = + .load_binary = load_elf_binary, + .load_shlib = load_elf_library, + .core_dump = elf_core_dump, +- .min_coredump = ELF_EXEC_PAGESIZE ++ .min_coredump = ELF_EXEC_PAGESIZE, ++ .hasvdso = 1 + }; + + #define BAD_ADDR(x) ((unsigned long)(x) >= TASK_SIZE) +--- linux-2.6.20.1.orig/include/linux/binfmts.h ++++ linux-2.6.20.1/include/linux/binfmts.h +@@ -59,6 +59,7 @@ struct linux_binfmt { + int (*load_shlib)(struct file *); + int (*core_dump)(long signr, struct pt_regs * regs, struct file * file); + unsigned long min_coredump; /* minimal dump size */ ++ int hasvdso; + }; + + extern int register_binfmt(struct linux_binfmt *); diff --git a/queue-2.6.20/x86_64-fix-wrong-gcc-check-in-bitops.h.patch b/queue-2.6.20/x86_64-fix-wrong-gcc-check-in-bitops.h.patch new file mode 100644 index 00000000000..1118d9e537a --- /dev/null +++ b/queue-2.6.20/x86_64-fix-wrong-gcc-check-in-bitops.h.patch @@ -0,0 +1,31 @@ +From stable-bounces@linux.kernel.org Sat Feb 17 04:48:52 2007 +From: Andi Kleen +Date: Sat, 17 Feb 2007 13:35:00 +0100 +Subject: x86_64: Fix wrong gcc check in bitops.h +To: stable@kernel.org +Message-ID: <200702171335.00583.ak@suse.de> +Content-Disposition: inline + + + +gcc 5.0 will likely not have the constraint problem + +Signed-off-by: Andi Kleen +Signed-off-by: Greg Kroah-Hartman + + +--- + include/asm-x86_64/bitops.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.20.1.orig/include/asm-x86_64/bitops.h ++++ linux-2.6.20.1/include/asm-x86_64/bitops.h +@@ -7,7 +7,7 @@ + + #include + +-#if __GNUC__ < 4 || __GNUC_MINOR__ < 1 ++#if __GNUC__ < 4 || (__GNUC__ == 4 && __GNUC_MINOR__ < 1) + /* Technically wrong, but this avoids compilation errors on some gcc + versions. */ + #define ADDR "=m" (*(volatile long *) addr)