From: Greg Kroah-Hartman Date: Sat, 17 Mar 2007 05:03:00 +0000 (-0700) Subject: more patches added to queue X-Git-Tag: v2.6.20.4~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b9bc17de88f41aca1fabdd52231b6a18a6dd825c;p=thirdparty%2Fkernel%2Fstable-queue.git more patches added to queue --- diff --git a/queue-2.6.20/copy-over-mac_len-when-cloning-an-skb.patch b/queue-2.6.20/copy-over-mac_len-when-cloning-an-skb.patch new file mode 100644 index 00000000000..bb13341d3d1 --- /dev/null +++ b/queue-2.6.20/copy-over-mac_len-when-cloning-an-skb.patch @@ -0,0 +1,33 @@ +From stable-bounces@linux.kernel.org Fri Mar 16 18:33:38 2007 +From: Alexey Dobriyan +Date: Fri, 16 Mar 2007 18:32:09 -0700 (PDT) +Subject: Copy over mac_len when cloning an skb +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070316.183209.85412524.davem@davemloft.net> + +From: Alexey Dobriyan + +[NET]: Copy mac_len in skb_clone() as well + +ANK says: "It is rarely used, that's wy it was not noticed. +But in the places, where it is used, it should be disaster." + +Signed-off-by: Alexey Dobriyan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/skbuff.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -464,6 +464,7 @@ struct sk_buff *skb_clone(struct sk_buff + memcpy(n->cb, skb->cb, sizeof(skb->cb)); + C(len); + C(data_len); ++ C(mac_len); + C(csum); + C(local_df); + n->cloned = 1; diff --git a/queue-2.6.20/fix-extraneous-ipsec-larval-sa-creation.patch b/queue-2.6.20/fix-extraneous-ipsec-larval-sa-creation.patch new file mode 100644 index 00000000000..ff169825892 --- /dev/null +++ b/queue-2.6.20/fix-extraneous-ipsec-larval-sa-creation.patch @@ -0,0 +1,51 @@ +From stable-bounces@linux.kernel.org Fri Mar 16 18:29:15 2007 +From: Joy Latten +Date: Fri, 16 Mar 2007 18:27:51 -0700 (PDT) +Subject: Fix extraneous IPSEC larval SA creation +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070316.182751.71091097.davem@davemloft.net> + +From: Joy Latten + +[XFRM]: Fix missing protocol comparison of larval SAs. + +I noticed that in xfrm_state_add we look for the larval SA in a few +places without checking for protocol match. So when using both +AH and ESP, whichever one gets added first, deletes the larval SA. +It seems AH always gets added first and ESP is always the larval +SA's protocol since the xfrm->tmpl has it first. Thus causing the +additional km_query() + +Adding the check eliminates accidental double SA creation. + +Signed-off-by: Joy Latten +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_state.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -707,7 +707,8 @@ static struct xfrm_state *__find_acq_cor + x->props.mode != mode || + x->props.family != family || + x->km.state != XFRM_STATE_ACQ || +- x->id.spi != 0) ++ x->id.spi != 0 || ++ x->id.proto != proto) + continue; + + switch (family) { +@@ -804,7 +805,8 @@ int xfrm_state_add(struct xfrm_state *x) + + if (use_spi && x->km.seq) { + x1 = __xfrm_find_acq_byseq(x->km.seq); +- if (x1 && xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family)) { ++ if (x1 && ((x1->id.proto != x->id.proto) || ++ xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) { + xfrm_state_put(x1); + x1 = NULL; + } diff --git a/queue-2.6.20/fix-gfp_kernel-with-preemption-disabled-in-fib_trie.patch b/queue-2.6.20/fix-gfp_kernel-with-preemption-disabled-in-fib_trie.patch new file mode 100644 index 00000000000..ea6d7ddb18c --- /dev/null +++ b/queue-2.6.20/fix-gfp_kernel-with-preemption-disabled-in-fib_trie.patch @@ -0,0 +1,53 @@ +From stable-bounces@linux.kernel.org Fri Mar 16 18:31:35 2007 +From: Robert Olsson +Date: Fri, 16 Mar 2007 18:30:13 -0700 (PDT) +Subject: [stable] [PATCH]: Fix GFP_KERNEL with preemption disabled in fib_trie +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070316.183013.78709573.davem@davemloft.net> + +From: Robert Olsson + +[IPV4]: Do not disable preemption in trie_leaf_remove(). + +Hello, Just discussed this Patrick... + +We have two users of trie_leaf_remove, fn_trie_flush and fn_trie_delete +both are holding RTNL. So there shouldn't be need for this preempt stuff. +This is assumed to a leftover from an older RCU-take. + +> Mhh .. I think I just remembered something - me incorrectly suggesting +> to add it there while we were talking about this at OLS :) IIRC the +> idea was to make sure tnode_free (which at that time didn't use +> call_rcu) wouldn't free memory while still in use in a rcu read-side +> critical section. It should have been synchronize_rcu of course, +> but with tnode_free using call_rcu it seems to be completely +> unnecessary. So I guess we can simply remove it. + +Signed-off-by: Robert Olsson +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/fib_trie.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -1528,7 +1528,6 @@ static int trie_leaf_remove(struct trie + t->revision++; + t->size--; + +- preempt_disable(); + tp = NODE_PARENT(n); + tnode_free((struct tnode *) n); + +@@ -1538,7 +1537,6 @@ static int trie_leaf_remove(struct trie + rcu_assign_pointer(t->trie, trie_rebalance(t, tp)); + } else + rcu_assign_pointer(t->trie, NULL); +- preempt_enable(); + + return 1; + } diff --git a/queue-2.6.20/fix-ipv6-flow-label-inheritance.patch b/queue-2.6.20/fix-ipv6-flow-label-inheritance.patch new file mode 100644 index 00000000000..5235487c6de --- /dev/null +++ b/queue-2.6.20/fix-ipv6-flow-label-inheritance.patch @@ -0,0 +1,38 @@ +From stable-bounces@linux.kernel.org Fri Mar 16 18:32:49 2007 +From: Masayuki Nakagawa +Date: Fri, 16 Mar 2007 18:31:22 -0700 (PDT) +Subject: Fix ipv6 flow label inheritance +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070316.183122.21595280.davem@davemloft.net> + +From: Masayuki Nakagawa + +[IPV6]: ipv6_fl_socklist is inadvertently shared. + +The ipv6_fl_socklist from listening socket is inadvertently shared +with new socket created for connection. This leads to a variety of +interesting, but fatal, bugs. For example, removing one of the +sockets may lead to the other socket's encountering a page fault +when the now freed list is referenced. + +The fix is to not share the flow label list with the new socket. + +Signed-off-by: Masayuki Nakagawa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/tcp_ipv6.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1453,6 +1453,7 @@ static struct sock * tcp_v6_syn_recv_soc + First: no IPv4 options. + */ + newinet->opt = NULL; ++ newnp->ipv6_fl_list = NULL; + + /* Clone RX bits */ + newnp->rxopt.all = np->rxopt.all; diff --git a/queue-2.6.20/fix-page-allocation-debugging-on-sparc64.patch b/queue-2.6.20/fix-page-allocation-debugging-on-sparc64.patch new file mode 100644 index 00000000000..e647e6f79c5 --- /dev/null +++ b/queue-2.6.20/fix-page-allocation-debugging-on-sparc64.patch @@ -0,0 +1,166 @@ +From stable-bounces@linux.kernel.org Fri Mar 16 18:52:21 2007 +From: David Miller +Date: Fri, 16 Mar 2007 18:51:00 -0700 (PDT) +Subject: Fix page allocation debugging on sparc64 +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070316.185100.115910396.davem@davemloft.net> + +From: David Miller + +[SPARC64]: Get DEBUG_PAGEALLOC working again. + +We have to make sure to use base-pagesize TLB entries even during the +early transition period where we need TLB miss handling but don't have +the kernel page tables setup yet for the linear region. + +Also, it is necessary therefore to not use the 4MB TSB for these +translations, and instead use the normal kernel TSB. This allows us +to also get rid of the 4MB tsb for debug builds which shrinks the +kernel a little bit. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sparc64/kernel/ktlb.S | 8 +++++++- + arch/sparc64/mm/init.c | 30 ++++++++++++++++++++++++++++-- + include/asm-sparc64/tsb.h | 2 ++ + 3 files changed, 37 insertions(+), 3 deletions(-) + +--- a/arch/sparc64/kernel/ktlb.S ++++ b/arch/sparc64/kernel/ktlb.S +@@ -138,9 +138,15 @@ kvmap_dtlb_4v: + brgez,pn %g4, kvmap_dtlb_nonlinear + nop + ++#ifdef CONFIG_DEBUG_PAGEALLOC ++ /* Index through the base page size TSB even for linear ++ * mappings when using page allocation debugging. ++ */ ++ KERN_TSB_LOOKUP_TL1(%g4, %g6, %g5, %g1, %g2, %g3, kvmap_dtlb_load) ++#else + /* Correct TAG_TARGET is already in %g6, check 4mb TSB. */ + KERN_TSB4M_LOOKUP_TL1(%g6, %g5, %g1, %g2, %g3, kvmap_dtlb_load) +- ++#endif + /* TSB entry address left in %g1, lookup linear PTE. + * Must preserve %g1 and %g6 (TAG). + */ +--- a/arch/sparc64/mm/init.c ++++ b/arch/sparc64/mm/init.c +@@ -59,8 +59,10 @@ unsigned long kern_linear_pte_xor[2] __r + */ + unsigned long kpte_linear_bitmap[KPTE_BITMAP_BYTES / sizeof(unsigned long)]; + ++#ifndef CONFIG_DEBUG_PAGEALLOC + /* A special kernel TSB for 4MB and 256MB linear mappings. */ + struct tsb swapper_4m_tsb[KERNEL_TSB4M_NENTRIES]; ++#endif + + #define MAX_BANKS 32 + +@@ -1301,7 +1303,12 @@ static void __init tsb_phys_patch(void) + } + + /* Don't mark as init, we give this to the Hypervisor. */ +-static struct hv_tsb_descr ktsb_descr[2]; ++#ifndef CONFIG_DEBUG_PAGEALLOC ++#define NUM_KTSB_DESCR 2 ++#else ++#define NUM_KTSB_DESCR 1 ++#endif ++static struct hv_tsb_descr ktsb_descr[NUM_KTSB_DESCR]; + extern struct tsb swapper_tsb[KERNEL_TSB_NENTRIES]; + + static void __init sun4v_ktsb_init(void) +@@ -1340,6 +1347,7 @@ static void __init sun4v_ktsb_init(void) + ktsb_descr[0].tsb_base = ktsb_pa; + ktsb_descr[0].resv = 0; + ++#ifndef CONFIG_DEBUG_PAGEALLOC + /* Second KTSB for 4MB/256MB mappings. */ + ktsb_pa = (kern_base + + ((unsigned long)&swapper_4m_tsb[0] - KERNBASE)); +@@ -1352,6 +1360,7 @@ static void __init sun4v_ktsb_init(void) + ktsb_descr[1].ctx_idx = 0; + ktsb_descr[1].tsb_base = ktsb_pa; + ktsb_descr[1].resv = 0; ++#endif + } + + void __cpuinit sun4v_ktsb_register(void) +@@ -1364,7 +1373,7 @@ void __cpuinit sun4v_ktsb_register(void) + pa = kern_base + ((unsigned long)&ktsb_descr[0] - KERNBASE); + + func = HV_FAST_MMU_TSB_CTX0; +- arg0 = 2; ++ arg0 = NUM_KTSB_DESCR; + arg1 = pa; + __asm__ __volatile__("ta %6" + : "=&r" (func), "=&r" (arg0), "=&r" (arg1) +@@ -1393,7 +1402,9 @@ void __init paging_init(void) + + /* Invalidate both kernel TSBs. */ + memset(swapper_tsb, 0x40, sizeof(swapper_tsb)); ++#ifndef CONFIG_DEBUG_PAGEALLOC + memset(swapper_4m_tsb, 0x40, sizeof(swapper_4m_tsb)); ++#endif + + if (tlb_type == hypervisor) + sun4v_pgprot_init(); +@@ -1725,8 +1736,13 @@ static void __init sun4u_pgprot_init(voi + pg_iobits = (_PAGE_VALID | _PAGE_PRESENT_4U | __DIRTY_BITS_4U | + __ACCESS_BITS_4U | _PAGE_E_4U); + ++#ifdef CONFIG_DEBUG_PAGEALLOC ++ kern_linear_pte_xor[0] = (_PAGE_VALID | _PAGE_SZBITS_4U) ^ ++ 0xfffff80000000000; ++#else + kern_linear_pte_xor[0] = (_PAGE_VALID | _PAGE_SZ4MB_4U) ^ + 0xfffff80000000000; ++#endif + kern_linear_pte_xor[0] |= (_PAGE_CP_4U | _PAGE_CV_4U | + _PAGE_P_4U | _PAGE_W_4U); + +@@ -1769,13 +1785,23 @@ static void __init sun4v_pgprot_init(voi + _PAGE_E = _PAGE_E_4V; + _PAGE_CACHE = _PAGE_CACHE_4V; + ++#ifdef CONFIG_DEBUG_PAGEALLOC ++ kern_linear_pte_xor[0] = (_PAGE_VALID | _PAGE_SZBITS_4V) ^ ++ 0xfffff80000000000; ++#else + kern_linear_pte_xor[0] = (_PAGE_VALID | _PAGE_SZ4MB_4V) ^ + 0xfffff80000000000; ++#endif + kern_linear_pte_xor[0] |= (_PAGE_CP_4V | _PAGE_CV_4V | + _PAGE_P_4V | _PAGE_W_4V); + ++#ifdef CONFIG_DEBUG_PAGEALLOC ++ kern_linear_pte_xor[1] = (_PAGE_VALID | _PAGE_SZBITS_4V) ^ ++ 0xfffff80000000000; ++#else + kern_linear_pte_xor[1] = (_PAGE_VALID | _PAGE_SZ256MB_4V) ^ + 0xfffff80000000000; ++#endif + kern_linear_pte_xor[1] |= (_PAGE_CP_4V | _PAGE_CV_4V | + _PAGE_P_4V | _PAGE_W_4V); + +--- a/include/asm-sparc64/tsb.h ++++ b/include/asm-sparc64/tsb.h +@@ -264,6 +264,7 @@ extern struct tsb_phys_patch_entry __tsb + be,a,pt %xcc, OK_LABEL; \ + mov REG4, REG1; + ++#ifndef CONFIG_DEBUG_PAGEALLOC + /* This version uses a trick, the TAG is already (VADDR >> 22) so + * we can make use of that for the index computation. + */ +@@ -277,5 +278,6 @@ extern struct tsb_phys_patch_entry __tsb + cmp REG3, TAG; \ + be,a,pt %xcc, OK_LABEL; \ + mov REG4, REG1; ++#endif + + #endif /* !(_SPARC64_TSB_H) */ diff --git a/queue-2.6.20/fix-sparc64-hugepage-bugs.patch b/queue-2.6.20/fix-sparc64-hugepage-bugs.patch new file mode 100644 index 00000000000..2dcf4ac29c5 --- /dev/null +++ b/queue-2.6.20/fix-sparc64-hugepage-bugs.patch @@ -0,0 +1,41 @@ +From stable-bounces@linux.kernel.org Fri Mar 16 18:50:32 2007 +From: David Miller +Date: Fri, 16 Mar 2007 18:49:06 -0700 (PDT) +Subject: Fix sparc64 hugepage bugs +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070316.184906.39158526.davem@davemloft.net> + +From: David Miller + +[SPARC64]: Add missing HPAGE_MASK masks on address parameters. + +These pte loops all assume the passed in address is HPAGE +aligned, make sure that is actually true. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sparc64/mm/hugetlbpage.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/sparc64/mm/hugetlbpage.c ++++ b/arch/sparc64/mm/hugetlbpage.c +@@ -248,6 +248,7 @@ void set_huge_pte_at(struct mm_struct *m + if (!pte_present(*ptep) && pte_present(entry)) + mm->context.huge_pte_count++; + ++ addr &= HPAGE_MASK; + for (i = 0; i < (1 << HUGETLB_PAGE_ORDER); i++) { + set_pte_at(mm, addr, ptep, entry); + ptep++; +@@ -266,6 +267,8 @@ pte_t huge_ptep_get_and_clear(struct mm_ + if (pte_present(entry)) + mm->context.huge_pte_count--; + ++ addr &= HPAGE_MASK; ++ + for (i = 0; i < (1 << HUGETLB_PAGE_ORDER); i++) { + pte_clear(mm, addr, ptep); + addr += PAGE_SIZE; diff --git a/queue-2.6.20/irda-irttp_dup-spin_lock-initialisation.patch b/queue-2.6.20/irda-irttp_dup-spin_lock-initialisation.patch new file mode 100644 index 00000000000..0cd0badd4d5 --- /dev/null +++ b/queue-2.6.20/irda-irttp_dup-spin_lock-initialisation.patch @@ -0,0 +1,36 @@ +From stable-bounces@linux.kernel.org Fri Mar 16 19:06:12 2007 +From: Samuel Ortiz +Date: Sat, 17 Mar 2007 04:04:27 +0200 +Subject: IrDA: irttp_dup spin_lock initialisation +To: "David S. Miller" +Cc: netdev@vger.kernel.org, Guennadi Liakhovetski , stable@kernel.org, irda-users@lists.sourceforge.net +Message-ID: <20070317020427.GF3429@sortiz.org> +Content-Disposition: inline + +From: Samuel Ortiz + +Without this initialization one gets + +kernel BUG at kernel/rtmutex_common.h:80! + +This patch should also be included in the -stable kernel. + +Signed-off-by: G. Liakhovetski +Signed-off-by: Samuel Ortiz +Cc: David Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/irda/irttp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/irda/irttp.c ++++ b/net/irda/irttp.c +@@ -1455,6 +1455,7 @@ struct tsap_cb *irttp_dup(struct tsap_cb + + /* Not everything should be copied */ + new->notify.instance = instance; ++ spin_lock_init(&new->lock); + init_timer(&new->todo_timer); + + skb_queue_head_init(&new->rx_queue); diff --git a/queue-2.6.20/series b/queue-2.6.20/series index 7d4ca1b78d8..7aaf2e80a7b 100644 --- a/queue-2.6.20/series +++ b/queue-2.6.20/series @@ -15,3 +15,10 @@ hrtimer-prevent-overrun-dos-in-hrtimer_forward.patch fix-mtime_sec_max-on-32-bit.patch fix-read-past-end-of-array-in-md-linear.c.patch r8169-fix-a-race-between-pci-probe-and-dev_open.patch +fix-extraneous-ipsec-larval-sa-creation.patch +fix-gfp_kernel-with-preemption-disabled-in-fib_trie.patch +fix-ipv6-flow-label-inheritance.patch +copy-over-mac_len-when-cloning-an-skb.patch +fix-sparc64-hugepage-bugs.patch +fix-page-allocation-debugging-on-sparc64.patch +irda-irttp_dup-spin_lock-initialisation.patch