From: Greg Kroah-Hartman
Date: Wed, 6 Sep 2006 21:09:36 +0000 (-0700)
Subject: more patches added to queue
X-Git-Tag: v2.6.17.12~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d9069f05436a90d6e9721856b9c506e54f314add;p=thirdparty%2Fkernel%2Fstable-queue.git
more patches added to queue
---
diff --git a/queue-2.6.17/binfmt_elf-fix-checks-for-bad-address.patch b/queue-2.6.17/binfmt_elf-fix-checks-for-bad-address.patch
new file mode 100644
index 00000000000..ea47291d0d0
--- /dev/null
+++ b/queue-2.6.17/binfmt_elf-fix-checks-for-bad-address.patch
@@ -0,0 +1,108 @@
+From stable-bounces@linux.kernel.org Sat Aug 26 07:24:40 2006
+Date: Sat, 26 Aug 2006 10:20:45 -0400
+From: Chuck Ebbert <76306.1226@compuserve.com>
+To: linux-stable
+Message-ID: <200608261023_MC3-1-C96A-6EC4@compuserve.com>
+Content-Disposition: inline
+Cc: Ernie Petrides
+Subject: binfmt_elf: fix checks for bad address
+
+From: Ernie Petrides
+
+[PATCH] binfmt_elf: fix checks for bad address
+
+Fix check for bad address; use macro instead of open-coding two checks.
+
+Taken from RHEL4 kernel update.
+
+ For background, the BAD_ADDR() macro should return TRUE if the address is
+ TASK_SIZE, because that's the lowest address that is *not* valid for
+ user-space mappings. The macro was correct in binfmt_aout.c but was wrong
+ for the "equal to" case in binfmt_elf.c. There were two in-line validations
+ of user-space addresses in binfmt_elf.c, which have been appropriately
+ converted to use the corrected BAD_ADDR() macro in the patch you posted
+ yesterday. Note that the size checks against TASK_SIZE are okay as coded.
+
+ The additional changes that I propose are below. These are in the error
+ paths for bad ELF entry addresses once load_elf_binary() has already
+ committed to exec'ing the new image (following the tearing down of the
+ task's original address space).
+
+ The 1st hunk deals with the interp-side of the outer "if". There were two
+ problems here. The printk() should be removed because this path can be
+ triggered at will by a bogus interpreter image created and used by a
+ malicious user. Further, the error code should not be ENOEXEC, because that
+ causes the loop in search_binary_handler() to continue trying other exec
+ handlers (twice, in fact). But it's too late for this to work correctly,
+ because the user address space has already been torn down, and an exec()
+ failure cannot be returned to the user code because the code no longer
+ exists. The only recovery is to force a SIGSEGV, but it's best to terminate
+ the search loop immediately. I somewhat arbitrarily chose EINVAL as a
+ fallback error code, but any error returned by load_elf_interp() will
+ override that (but this value will never be seen by user-space).
+
+ The 2nd hunk deals with the non-interp-side of the outer "if". There were
+ two problems here as well. The SIGSEGV needs to be forced, because a prior
+ sigaction() syscall might have set the associated disposition to SIG_IGN.
+ And the ENOEXEC should be changed to EINVAL as described above.
+
+Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/binfmt_elf.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- linux-2.6.17.11.orig/fs/binfmt_elf.c
++++ linux-2.6.17.11/fs/binfmt_elf.c
+@@ -86,7 +86,7 @@ static struct linux_binfmt elf_format =
+ .min_coredump = ELF_EXEC_PAGESIZE
+ };
+
+-#define BAD_ADDR(x) ((unsigned long)(x) > TASK_SIZE)
++#define BAD_ADDR(x) ((unsigned long)(x) >= TASK_SIZE)
+
+ static int set_brk(unsigned long start, unsigned long end)
+ {
+@@ -389,7 +389,7 @@ static unsigned long load_elf_interp(str
+ * <= p_memsize so it is only necessary to check p_memsz.
+ */
+ k = load_addr + eppnt->p_vaddr;
+- if (k > TASK_SIZE || eppnt->p_filesz > eppnt->p_memsz ||
++ if (BAD_ADDR(k) || eppnt->p_filesz > eppnt->p_memsz ||
+ eppnt->p_memsz > TASK_SIZE || TASK_SIZE - eppnt->p_memsz < k) {
+ error = -ENOMEM;
+ goto out_close;
+@@ -876,7 +876,7 @@ static int load_elf_binary(struct linux_
+ * allowed task size. Note that p_filesz must always be
+ * <= p_memsz so it is only necessary to check p_memsz.
+ */
+- if (k > TASK_SIZE || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
++ if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
+ elf_ppnt->p_memsz > TASK_SIZE ||
+ TASK_SIZE - elf_ppnt->p_memsz < k) {
+ /* set_brk can never work. Avoid overflows. */
+@@ -930,10 +930,9 @@ static int load_elf_binary(struct linux_
+ interpreter,
+ &interp_load_addr);
+ if (BAD_ADDR(elf_entry)) {
+- printk(KERN_ERR "Unable to load interpreter %.128s\n",
+- elf_interpreter);
+ force_sig(SIGSEGV, current);
+- retval = -ENOEXEC; /* Nobody gets to see this, but.. */
++ retval = IS_ERR((void *)elf_entry) ?
++ (int)elf_entry : -EINVAL;
+ goto out_free_dentry;
+ }
+ reloc_func_desc = interp_load_addr;
+@@ -944,8 +943,8 @@ static int load_elf_binary(struct linux_
+ } else {
+ elf_entry = loc->elf_ex.e_entry;
+ if (BAD_ADDR(elf_entry)) {
+- send_sig(SIGSEGV, current, 0);
+- retval = -ENOEXEC; /* Nobody gets to see this, but.. */
++ force_sig(SIGSEGV, current);
++ retval = -EINVAL;
+ goto out_free_dentry;
+ }
+ }
diff --git a/queue-2.6.17/bug-in-futex-unqueue_me.patch b/queue-2.6.17/bug-in-futex-unqueue_me.patch
new file mode 100644
index 00000000000..a043c9fb2f7
--- /dev/null
+++ b/queue-2.6.17/bug-in-futex-unqueue_me.patch
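Review bot: The two `retval` changes in the `BAD_ADDR(elf_entry)` error paths of load_elf_binary() drop the `/* Nobody gets to see this, but.. */` comment without recording why -EINVAL replaces -ENOEXEC, so a later reader will be tempted to restore the "correct" exec error code. The changelog has the reason (ENOEXEC makes search_binary_handler() keep trying other handlers after the old address space is already gone); it belongs at the code, e.g. above the first `force_sig()`: `/* The old mm is gone: force SIGSEGV and return anything but -ENOEXEC so search_binary_handler() stops looking; user space never sees this value. */`. The `(int)elf_entry` narrowing relies on IS_ERR() values fitting in an int, which holds for kernel error codes but deserves a word in the same comment. load_elf_binary() starts and ends outside the hunk.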
@@ -0,0 +1,117 @@
+From stable-bounces@linux.kernel.org Tue Aug 29 22:39:00 2006
+From: Christian Borntraeger
+Date: Wed, 30 Aug 2006 07:38:11 +0200
+To: stable@kernel.org, Adrian Bunk
+Message-Id: <200608300738.11274.borntrae@de.ibm.com>
+Cc: Bastian Blank
+Subject: bug in futex unqueue_me
+
+From: Christian Borntraeger
+
+This patch adds a barrier() in futex unqueue_me to avoid aliasing of two
+pointers.
+
+On my s390x system I saw the following oops:
+
+Unable to handle kernel pointer dereference at virtual kernel address
+0000000000000000
+Oops: 0004 [#1]
+CPU: 0 Not tainted
+Process mytool (pid: 13613, task: 000000003ecb6ac0, ksp: 00000000366bdbd8)
+Krnl PSW : 0704d00180000000 00000000003c9ac2 (_spin_lock+0xe/0x30)
+Krnl GPRS: 00000000ffffffff 000000003ecb6ac0 0000000000000000 0700000000000000
+ 0000000000000000 0000000000000000 000001fe00002028 00000000000c091f
+ 000001fe00002054 000001fe00002054 0000000000000000 00000000366bddc0
+ 00000000005ef8c0 00000000003d00e8 0000000000144f91 00000000366bdcb8
+Krnl Code: ba 4e 20 00 12 44 b9 16 00 3e a7 84 00 08 e3 e0 f0 88 00 04
+Call Trace:
+([<0000000000144f90>] unqueue_me+0x40/0xe4)
+ [<0000000000145a0c>] do_futex+0x33c/0xc40
+ [<000000000014643e>] sys_futex+0x12e/0x144
+ [<000000000010bb00>] sysc_noemu+0x10/0x16
+ [<000002000003741c>] 0x2000003741c
+
+The code in question is:
+
+static int unqueue_me(struct futex_q *q)
+{
+ int ret = 0;
+ spinlock_t *lock_ptr;
+
+ /* In the common case we don't take the spinlock, which is nice. */
+ retry:
+ lock_ptr = q->lock_ptr;
+ if (lock_ptr != 0) {
+ spin_lock(lock_ptr);
+ /*
+ * q->lock_ptr can change between reading it and
+ * spin_lock(), causing us to take the wrong lock. This
+ * corrects the race condition.
+[...]
+
+and my compiler (gcc 4.1.0) makes the following out of it:
+
+00000000000003c8 :
+ 3c8: eb bf f0 70 00 24 stmg %r11,%r15,112(%r15)
+ 3ce: c0 d0 00 00 00 00 larl %r13,3ce
+ 3d0: R_390_PC32DBL .rodata+0x2a
+ 3d4: a7 f1 1e 00 tml %r15,7680
+ 3d8: a7 84 00 01 je 3da
+ 3dc: b9 04 00 ef lgr %r14,%r15
+ 3e0: a7 fb ff d0 aghi %r15,-48
+ 3e4: b9 04 00 b2 lgr %r11,%r2
+ 3e8: e3 e0 f0 98 00 24 stg %r14,152(%r15)
+ 3ee: e3 c0 b0 28 00 04 lg %r12,40(%r11)
+ /* write q->lock_ptr in r12 */
+ 3f4: b9 02 00 cc ltgr %r12,%r12
+ 3f8: a7 84 00 4b je 48e
+ /* if r12 is zero then jump over the code.... */
+ 3fc: e3 20 b0 28 00 04 lg %r2,40(%r11)
+ /* write q->lock_ptr in r2 */
+ 402: c0 e5 00 00 00 00 brasl %r14,402
+ 404: R_390_PC32DBL _spin_lock+0x2
+ /* use r2 as parameter for spin_lock */
+
+So the code becomes more or less:
+if (q->lock_ptr != 0) spin_lock(q->lock_ptr)
+instead of
+if (lock_ptr != 0) spin_lock(lock_ptr)
+
+Which caused the oops from above.
+After adding a barrier gcc creates code without this problem:
+[...] (the same)
+ 3ee: e3 c0 b0 28 00 04 lg %r12,40(%r11)
+ 3f4: b9 02 00 cc ltgr %r12,%r12
+ 3f8: b9 04 00 2c lgr %r2,%r12
+ 3fc: a7 84 00 48 je 48c
+ 400: c0 e5 00 00 00 00 brasl %r14,400
+ 402: R_390_PC32DBL _spin_lock+0x2
+
+As a general note, this code of unqueue_me seems a bit fishy. The retry logic
+of unqueue_me only works if we can guarantee, that the original value of
+q->lock_ptr is always a spinlock (Otherwise we overwrite kernel memory). We
+know that q->lock_ptr can change. I dont know what happens with the original
+spinlock, as I am not an expert with the futex code.
+
+Cc: Martin Schwidefsky
+Cc: Rusty Russell
+Acked-by: Ingo Molnar
+Cc: Thomas Gleixner
+Signed-off-by: Christian Borntraeger
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/futex.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.17.11.orig/kernel/futex.c
++++ linux-2.6.17.11/kernel/futex.c
+@@ -593,6 +593,7 @@ static int unqueue_me(struct futex_q *q)
+ /* In the common case we don't take the spinlock, which is nice. */
+ retry:
+ lock_ptr = q->lock_ptr;
++ barrier();
+ if (lock_ptr != 0) {
+ spin_lock(lock_ptr);
+ /*
diff --git a/queue-2.6.17/dvb-core-proper-handling-ule-sndu-length-of-0.patch b/queue-2.6.17/dvb-core-proper-handling-ule-sndu-length-of-0.patch
new file mode 100644
index 00000000000..49c95a3ec61
--- /dev/null
+++ b/queue-2.6.17/dvb-core-proper-handling-ule-sndu-length-of-0.patch
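Review bot: The added `barrier();` in unqueue_me() carries no comment, and a compiler barrier sitting between a load and its first use looks removable to anyone who has not read this changelog. Suggest `/* barrier(): stop gcc re-reading q->lock_ptr, so the NULL test and the spin_lock() below use the same value */` on the line above it. The changelog's own observation that the retry logic depends on every value q->lock_ptr ever held being a valid spinlock is a real concern, but this one-liner does not address it and a comment should not imply that it does. unqueue_me() continues outside the hunk.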
@@ -0,0 +1,40 @@
+From stable-bounces@linux.kernel.org Thu Aug 31 23:13:57 2006
+Message-ID: <42895.10.207.160.203.1157091181.squirrel@10.207.160.104>
+Date: Fri, 1 Sep 2006 14:13:01 +0800 (MYT)
+From: "Ang Way Chuang"
+To: stable@kernel.org
+Cc: chteh@nrg.cs.usm.my, vendor-sec@lst.de, Greg KH ,
+ "Luiz Fernando N. Capitulino" ,
+ tcwan@cs.usm.my
+Subject: dvb-core: Proper handling ULE SNDU length of 0
+
+From: Ang Way Chuang
+
+ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
+code has a bug that allows an attacker to send a malformed ULE packet
+with SNDU length of 0 and bring down the receiving machine. This patch
+fix the bug and has been tested on version 2.6.17.11. This bug is 100%
+reproducible and the modified source code (GPL) used to produce this bug
+will be posted on http://nrg.cs.usm.my/downloads.htm shortly. The
+kernel will produce a dump during CRC32 checking on faulty ULE packet.
+
+
+Signed-off-by: Ang Way Chuang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/dvb/dvb-core/dvb_net.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- linux-2.6.17.11.orig/drivers/media/dvb/dvb-core/dvb_net.c
++++ linux-2.6.17.11/drivers/media/dvb/dvb-core/dvb_net.c
+@@ -492,7 +492,8 @@ static void dvb_net_ule( struct net_devi
+ } else
+ priv->ule_dbit = 0;
+
+- if (priv->ule_sndu_len > 32763) {
++ if (priv->ule_sndu_len > 32763 ||
++ priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)) {
+ printk(KERN_WARNING "%lu: Invalid ULE SNDU length %u. "
+ "Resyncing.\n", priv->ts_count, priv->ule_sndu_len);
+ priv->ule_sndu_len = 0;
diff --git a/queue-2.6.17/fcntl-fix.patch b/queue-2.6.17/fcntl-fix.patch
new file mode 100644
index 00000000000..64b0dd555b5
--- /dev/null
+++ b/queue-2.6.17/fcntl-fix.patch
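Review bot: The new minimum-length test in dvb_net_ule() uses a bare `4` and `4 + ETH_ALEN` with nothing saying what they stand for; from the changelog these are presumably the CRC32 trailer and, when the D-bit is clear, the destination MAC in front of it, but the code does not say so. Suggest `/* SNDU must at least hold the CRC32; without the D-bit also the destination MAC */` on the added line, or named constants if the file has them. Every SNDU rejected by this test also reaches the existing `printk(KERN_WARNING ...)`, and the length field is attacker-controlled per the changelog, so a stream of malformed SNDUs becomes a stream of log lines; wrapping that printk in `if (printk_ratelimit())` would keep the log usable under such input. dvb_net_ule() starts and ends outside the hunk.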
@@ -0,0 +1,51 @@
+From stable-bounces@linux.kernel.org Tue Aug 29 00:24:06 2006
+Date: Tue, 29 Aug 2006 02:15:54 -0400
+From: Chuck Ebbert <76306.1226@compuserve.com>
+To: linux-stable
+Message-ID: <200608290218_MC3-1-C9AC-1176@compuserve.com>
+Content-Disposition: inline
+Cc: Trond Myklebust
+Subject: fcntl(F_SETSIG) fix
+
+From: Trond Myklebust
+
+[PATCH] fcntl(F_SETSIG) fix
+
+fcntl(F_SETSIG) no longer works on leases because
+lease_release_private_callback() gets called as the lease is copied in
+order to initialise it.
+
+The problem is that lease_alloc() performs an unnecessary initialisation,
+which sets the lease_manager_ops. Avoid the problem by allocating the
+target lease structure using locks_alloc_lock().
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/locks.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- linux-2.6.17.11.orig/fs/locks.c
++++ linux-2.6.17.11/fs/locks.c
+@@ -1389,8 +1389,9 @@ static int __setlease(struct file *filp,
+ if (!leases_enable)
+ goto out;
+
+- error = lease_alloc(filp, arg, &fl);
+- if (error)
++ error = -ENOMEM;
++ fl = locks_alloc_lock();
++ if (fl == NULL)
+ goto out;
+
+ locks_copy_lock(fl, lease);
+@@ -1398,6 +1399,7 @@ static int __setlease(struct file *filp,
+ locks_insert_lock(before, fl);
+
+ *flp = fl;
++ error = 0;
+ out:
+ return error;
+ }
diff --git a/queue-2.6.17/ipv6-oops-er-triggerable-by-any-user.patch b/queue-2.6.17/ipv6-oops-er-triggerable-by-any-user.patch
new file mode 100644
index 00000000000..7d82eaf8364
--- /dev/null
+++ b/queue-2.6.17/ipv6-oops-er-triggerable-by-any-user.patch
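Review bot: `__setlease()` now pre-sets `error = -ENOMEM;` at the allocation and only clears it at `error = 0;` just before `out:`, so any `goto out` between `locks_copy_lock(fl, lease);` and `locks_insert_lock(before, fl);` (lines 1393-1397, not shown in the hunk) would report ENOMEM for an unrelated failure; worth confirming that no such exit exists or that each one sets `error` itself. The switch from lease_alloc() to locks_alloc_lock() is the actual fix and the code gives no hint why the simpler helper was avoided; suggest above the allocation: `/* Not lease_alloc(): it sets lease_manager_ops, and locks_copy_lock() below would then fire lease_release_private_callback(). */`. __setlease() starts outside the hunk.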
@@ -0,0 +1,81 @@
+From stable-bounces@linux.kernel.org Thu Aug 31 16:07:12 2006
+Date: Thu, 31 Aug 2006 16:06:16 -0700 (PDT)
+Message-Id: <20060831.160616.75186822.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller
+Cc: bunk@stusta.de
+Subject: IPV6 OOPS'er triggerable by any user
+
+From: YOSHIFUJI Hideaki
+
+[IPV6]: Fix kernel OOPs when setting sticky socket options.
+
+Bug noticed by Remi Denis-Courmont .
+
+Signed-off-by: YOSHIFUJI Hideaki
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/exthdrs.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+--- linux-2.6.17.11.orig/net/ipv6/exthdrs.c
++++ linux-2.6.17.11/net/ipv6/exthdrs.c
+@@ -635,14 +635,17 @@ ipv6_renew_options(struct sock *sk, stru
+ struct ipv6_txoptions *opt2;
+ int err;
+
+- if (newtype != IPV6_HOPOPTS && opt->hopopt)
+- tot_len += CMSG_ALIGN(ipv6_optlen(opt->hopopt));
+- if (newtype != IPV6_RTHDRDSTOPTS && opt->dst0opt)
+- tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst0opt));
+- if (newtype != IPV6_RTHDR && opt->srcrt)
+- tot_len += CMSG_ALIGN(ipv6_optlen(opt->srcrt));
+- if (newtype != IPV6_DSTOPTS && opt->dst1opt)
+- tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst1opt));
++ if (opt) {
++ if (newtype != IPV6_HOPOPTS && opt->hopopt)
++ tot_len += CMSG_ALIGN(ipv6_optlen(opt->hopopt));
++ if (newtype != IPV6_RTHDRDSTOPTS && opt->dst0opt)
++ tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst0opt));
++ if (newtype != IPV6_RTHDR && opt->srcrt)
++ tot_len += CMSG_ALIGN(ipv6_optlen(opt->srcrt));
++ if (newtype != IPV6_DSTOPTS && opt->dst1opt)
++ tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst1opt));
++ }
++
+ if (newopt && newoptlen)
+ tot_len += CMSG_ALIGN(newoptlen);
+
+@@ -659,25 +662,25 @@ ipv6_renew_options(struct sock *sk, stru
+ opt2->tot_len = tot_len;
+ p = (char *)(opt2 + 1);
+
+- err = ipv6_renew_option(opt->hopopt, newopt, newoptlen,
++ err = ipv6_renew_option(opt ? opt->hopopt : NULL, newopt, newoptlen,
+ newtype != IPV6_HOPOPTS,
+ &opt2->hopopt, &p);
+ if (err)
+ goto out;
+
+- err = ipv6_renew_option(opt->dst0opt, newopt, newoptlen,
++ err = ipv6_renew_option(opt ? opt->dst0opt : NULL, newopt, newoptlen,
+ newtype != IPV6_RTHDRDSTOPTS,
+ &opt2->dst0opt, &p);
+ if (err)
+ goto out;
+
+- err = ipv6_renew_option(opt->srcrt, newopt, newoptlen,
++ err = ipv6_renew_option(opt ? opt->srcrt : NULL, newopt, newoptlen,
+ newtype != IPV6_RTHDR,
+- (struct ipv6_opt_hdr **)opt2->srcrt, &p);
++ (struct ipv6_opt_hdr **)&opt2->srcrt, &p);
+ if (err)
+ goto out;
+
+- err = ipv6_renew_option(opt->dst1opt, newopt, newoptlen,
++ err = ipv6_renew_option(opt ? opt->dst1opt : NULL, newopt, newoptlen,
+ newtype != IPV6_DSTOPTS,
+ &opt2->dst1opt, &p);
+ if (err)
diff --git a/queue-2.6.17/missing-pci-id-update-for-via-ide.patch b/queue-2.6.17/missing-pci-id-update-for-via-ide.patch
new file mode 100644
index 00000000000..617507b094f
--- /dev/null
+++ b/queue-2.6.17/missing-pci-id-update-for-via-ide.patch
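Review bot: The `&opt2->srcrt` correction in ipv6_renew_options() is a second fix hidden inside the NULL-`opt` change: the old call passed the value of `opt2->srcrt` where ipv6_renew_option() expects a `struct ipv6_opt_hdr **`, so the callee received whatever that field held instead of its address. It deserves its own sentence in the changelog and a comment at the call, e.g. `/* srcrt is a different header type: pass its address, cast to the generic pointer type */`. Style: `opt ? opt->xxx : NULL` is now repeated four times; reading the four headers into locals inside the new `if (opt)` block would let the calls mirror the tot_len computation above them. ipv6_renew_options() starts and ends outside the hunk.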
@@ -0,0 +1,48 @@
+From stable-bounces@linux.kernel.org Wed Aug 30 11:36:30 2006
+Date: Wed, 30 Aug 2006 11:35:49 -0700
+From: Andrew Morton
+To: stable@kernel.org
+Message-Id: <20060830113549.4059dda3.akpm@osdl.org>
+Cc: Alan Cox
+Subject: Missing PCI id update for VIA IDE
+
+From: Alan Cox
+
+
+The following change from -mm is important to 2.6.18 (actually to 2.6.17
+but its too late for that). This was contributed over three months ago
+by VIA to Bartlomiej and nothing happened. As a result the new chipset
+is now out and Linux won't run on it. By the time 2.6.18 is finalised
+this will be the defacto standard VIA chipset so support would be a good
+plan.
+
+Tested in -mm for a while, its essentially a PCI ident update but for
+the bridge chip because VIA do things in weird ways.
+
+
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/ide/pci/via82cxxx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- linux-2.6.17.11.orig/drivers/ide/pci/via82cxxx.c
++++ linux-2.6.17.11/drivers/ide/pci/via82cxxx.c
+@@ -6,7 +6,7 @@
+ *
+ * vt82c576, vt82c586, vt82c586a, vt82c586b, vt82c596a, vt82c596b,
+ * vt82c686, vt82c686a, vt82c686b, vt8231, vt8233, vt8233c, vt8233a,
+- * vt8235, vt8237
++ * vt8235, vt8237, vt8237a
+ *
+ * Copyright (c) 2000-2002 Vojtech Pavlik
+ *
+@@ -82,6 +82,7 @@ static struct via_isa_bridge {
+ { "vt6410", PCI_DEVICE_ID_VIA_6410, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
+ { "vt8251", PCI_DEVICE_ID_VIA_8251, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
+ { "vt8237", PCI_DEVICE_ID_VIA_8237, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
++ { "vt8237a", PCI_DEVICE_ID_VIA_8237A, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
+ { "vt8235", PCI_DEVICE_ID_VIA_8235, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
+ { "vt8233a", PCI_DEVICE_ID_VIA_8233A, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
+ { "vt8233c", PCI_DEVICE_ID_VIA_8233C_0, 0x00, 0x2f, VIA_UDMA_100 },
diff --git a/queue-2.6.17/pktgen-fix-oops-when-used-with-balance-tlb-bonding.patch b/queue-2.6.17/pktgen-fix-oops-when-used-with-balance-tlb-bonding.patch
new file mode 100644
index 00000000000..a715a790147
--- /dev/null
+++ b/queue-2.6.17/pktgen-fix-oops-when-used-with-balance-tlb-bonding.patch
@@ -0,0 +1,31 @@
+From stable-bounces@linux.kernel.org Tue Sep 5 13:15:58 2006
+Date: Tue, 5 Sep 2006 22:15:08 +0200
+From: Adrian Bunk
+To: stable@kernel.org
+Message-ID: <20060905201508.GJ9173@stusta.de>
+Content-Disposition: inline
+Cc: Chen-Li Tien , David Miller
+Subject: PKTGEN: Fix oops when used with balance-tlb bonding
+
+From: Chen-Li Tien
+
+Signed-off-by: Chen-Li Tien
+Signed-off-by: David S. Miller
+Signed-off-by: Adrian Bunk
+
+
+---
+ net/core/pktgen.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.17.11.orig/net/core/pktgen.c
++++ linux-2.6.17.11/net/core/pktgen.c
+@@ -2149,6 +2149,8 @@ static struct sk_buff *fill_packet_ipv4(
+ skb->mac.raw = ((u8 *) iph) - 14 - pkt_dev->nr_labels*sizeof(u32);
+ skb->dev = odev;
+ skb->pkt_type = PACKET_HOST;
++ skb->nh.iph = iph;
++ skb->h.uh = udph;
+
+ if (pkt_dev->nfrags <= 0)
+ pgh = (struct pktgen_hdr *)skb_put(skb, datalen);
diff --git a/queue-2.6.17/pktgen-make-sure-skb-nh-h-are-initialized-in-fill_packet_ipv6-too.patch b/queue-2.6.17/pktgen-make-sure-skb-nh-h-are-initialized-in-fill_packet_ipv6-too.patch
new file mode 100644
index 00000000000..d5e35439cdd
--- /dev/null
+++ b/queue-2.6.17/pktgen-make-sure-skb-nh-h-are-initialized-in-fill_packet_ipv6-too.patch
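Review bot: The two assignments added to fill_packet_ipv4() have no comment and the patch body has no description at all, so nothing records why pktgen must now set `skb->nh.iph` and `skb->h.uh` before handing the skb to the device; the subject only says balance-tlb bonding oopses, which presumably means the bonding transmit path reads these header pointers. Suggest above the added lines: `/* lower drivers (e.g. bonding balance-tlb) look at skb->nh/skb->h on xmit; leave them initialized */`. The same applies to the mirror hunk for fill_packet_ipv6() in the next file, which carries the note "Mirror the bug fix" but still no reason. fill_packet_ipv4() starts and ends outside the hunk.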
@@ -0,0 +1,32 @@
+From stable-bounces@linux.kernel.org Wed Sep 6 07:12:42 2006
+Date: Wed, 06 Sep 2006 06:42:02 -0700 (PDT)
+Message-Id: <20060906.064202.41641990.davem@davemloft.net>
+To: bunk@stusta.de
+From: David Miller
+Cc: cltien@gmail.com, stable@kernel.org
+Subject: PKTGEN: Make sure skb->{nh,h} are initialized in fill_packet_ipv6() too.
+
+From: David S. Miller
+
+[PKTGEN]: Make sure skb->{nh,h} are initialized in fill_packet_ipv6() too.
+
+Mirror the bug fix from fill_packet_ipv4()
+
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/core/pktgen.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.17.11.orig/net/core/pktgen.c
++++ linux-2.6.17.11/net/core/pktgen.c
+@@ -2460,6 +2460,8 @@ static struct sk_buff *fill_packet_ipv6(
+ skb->protocol = protocol;
+ skb->dev = odev;
+ skb->pkt_type = PACKET_HOST;
++ skb->nh.ipv6h = iph;
++ skb->h.uh = udph;
+
+ if (pkt_dev->nfrags <= 0)
+ pgh = (struct pktgen_hdr *)skb_put(skb, datalen);
diff --git a/queue-2.6.17/sctp-fix-sctp_primitive_abort-call-in-sctp_close.patch b/queue-2.6.17/sctp-fix-sctp_primitive_abort-call-in-sctp_close.patch
new file mode 100644
index 00000000000..8a71d11c9c7
--- /dev/null
+++ b/queue-2.6.17/sctp-fix-sctp_primitive_abort-call-in-sctp_close.patch
@@ -0,0 +1,39 @@
+From stable-bounces@linux.kernel.org Mon Aug 28 13:56:11 2006
+Date: Mon, 28 Aug 2006 13:55:32 -0700 (PDT)
+Message-Id: <20060828.135532.26965589.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller
+Subject: SCTP: Fix sctp_primitive_ABORT() call in sctp_close().
+
+From: Sridhar Samudrala
+
+With the recent fix, the callers of sctp_primitive_ABORT()
+need to create an ABORT chunk and pass it as an argument rather
+than msghdr that was passed earlier.
+
+Signed-off-by: Sridhar Samudrala
+Signed-off-by: David S. Miller
+
+---
+ net/sctp/socket.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- linux-2.6.17.11.orig/net/sctp/socket.c
++++ linux-2.6.17.11/net/sctp/socket.c
+@@ -1246,9 +1246,13 @@ SCTP_STATIC void sctp_close(struct sock
+ }
+ }
+
+- if (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime)
+- sctp_primitive_ABORT(asoc, NULL);
+- else
++ if (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime) {
++ struct sctp_chunk *chunk;
++
++ chunk = sctp_make_abort_user(asoc, NULL, 0);
++ if (chunk)
++ sctp_primitive_ABORT(asoc, chunk);
++ } else
+ sctp_primitive_SHUTDOWN(asoc, NULL);
+ }
+
diff --git a/queue-2.6.17/series b/queue-2.6.17/series
index 4716a58b955..954e0985bd7 100644
--- a/queue-2.6.17/series
+++ b/queue-2.6.17/series
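Review bot: In the new SOCK_LINGER branch of sctp_close(), a NULL return from `sctp_make_abort_user(asoc, NULL, 0)` is silently skipped, so the association gets neither an ABORT nor the SHUTDOWN the `else` branch would have sent, and nothing says whether that is the intended behaviour under memory pressure. If it is, say so on the `if (chunk)` line: `/* no memory for an ABORT chunk: close proceeds without telling the peer */`; if not, the `!chunk` case should probably fall back to `sctp_primitive_SHUTDOWN(asoc, NULL)` so the peer is still notified. sctp_close() starts and ends outside the hunk.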
@@ -14,3 +14,16 @@ dm-fix-mapped-device-ref-counting.patch
 dm-add-module-ref-counting.patch
 dm-fix-block-device-initialisation.patch
 dm-mirror-sector-offset-fix.patch
+tg3-disable-tso-by-default.patch
+sparc64-fix-x-server-crashes-on-sparc64.patch
+sctp-fix-sctp_primitive_abort-call-in-sctp_close.patch
+ipv6-oops-er-triggerable-by-any-user.patch
+fcntl-fix.patch
+bug-in-futex-unqueue_me.patch
+binfmt_elf-fix-checks-for-bad-address.patch
+uhci-hcd-fix-list-access-bug.patch
+silent-data-corruption-caused-by-xpc.patch
+pktgen-make-sure-skb-nh-h-are-initialized-in-fill_packet_ipv6-too.patch
+pktgen-fix-oops-when-used-with-balance-tlb-bonding.patch
+missing-pci-id-update-for-via-ide.patch
+dvb-core-proper-handling-ule-sndu-length-of-0.patch
diff --git a/queue-2.6.17/silent-data-corruption-caused-by-xpc.patch b/queue-2.6.17/silent-data-corruption-caused-by-xpc.patch
new file mode 100644
index 00000000000..72fa3784c6d
--- /dev/null
+++ b/queue-2.6.17/silent-data-corruption-caused-by-xpc.patch
@@ -0,0 +1,252 @@
+From dcn@sgi.com Fri Sep 1 08:59:42 2006
+Date: Fri, 1 Sep 2006 10:41:39 -0500
+From: Dean Nelson
+To: Greg KH
+Cc: stable@kernel.org, Robin Holt , Dean Nelson
+Subject: Silent data corruption caused by XPC
+Message-ID: <20060901154139.GA4437@sgi.com>
+Content-Disposition: inline
+
+From: Robin Holt
+
+Jack Steiner identified a problem where XPC can cause a silent
+data corruption. On module load, the placement may cause the
+xpc_remote_copy_buffer to span two physical pages. DMA transfers are
+done to the start virtual address translated to physical.
+
+This patch changes the buffer from a statically allocated buffer to a
+kmalloc'd buffer. Dean Nelson reviewed this before posting. I have
+tested it in the configuration that was showing the memory corruption
+and verified it works. I also added a BUG_ON statement to help catch
+this if a similar situation is encountered.
+
+Signed-off-by: Robin Holt
+Signed-off-by: Dean Nelson
+Signed-off-by: Jack Steiner
+Signed-off-by: Tony Luck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/ia64/sn/kernel/xpc_channel.c | 4 ++--
+ arch/ia64/sn/kernel/xpc_main.c | 28 ++++++++++++++++------------
+ arch/ia64/sn/kernel/xpc_partition.c | 24 ++++++++---------------
+ include/asm-ia64/sn/xp.h | 22 ++++++++++++++++++----
+ include/asm-ia64/sn/xpc.h | 4 +++-
+ 5 files changed, 47 insertions(+), 35 deletions(-)
+
+--- linux-2.6.17.11.orig/arch/ia64/sn/kernel/xpc_channel.c
++++ linux-2.6.17.11/arch/ia64/sn/kernel/xpc_channel.c
+@@ -279,8 +279,8 @@ xpc_pull_remote_cachelines(struct xpc_pa
+ return part->reason;
+ }
+
+- bte_ret = xp_bte_copy((u64) src, (u64) ia64_tpa((u64) dst),
+- (u64) cnt, (BTE_NORMAL | BTE_WACQUIRE), NULL);
++ bte_ret = xp_bte_copy((u64) src, (u64) dst, (u64) cnt,
++ (BTE_NORMAL | BTE_WACQUIRE), NULL);
+ if (bte_ret == BTE_SUCCESS) {
+ return xpcSuccess;
+ }
+--- linux-2.6.17.11.orig/arch/ia64/sn/kernel/xpc_main.c
++++ linux-2.6.17.11/arch/ia64/sn/kernel/xpc_main.c
+@@ -1052,6 +1052,8 @@ xpc_do_exit(enum xpc_retval reason)
+ if (xpc_sysctl) {
+ unregister_sysctl_table(xpc_sysctl);
+ }
++
++ kfree(xpc_remote_copy_buffer_base);
+ }
+
+
+@@ -1212,24 +1214,20 @@ xpc_init(void)
+ partid_t partid;
+ struct xpc_partition *part;
+ pid_t pid;
++ size_t buf_size;
+
+
+ if (!ia64_platform_is("sn2")) {
+ return -ENODEV;
+ }
+
+- /*
+- * xpc_remote_copy_buffer is used as a temporary buffer for bte_copy'ng
+- * various portions of a partition's reserved page. Its size is based
+- * on the size of the reserved page header and part_nasids mask. So we
+- * need to ensure that the other items will fit as well.
+- */
+- if (XPC_RP_VARS_SIZE > XPC_RP_HEADER_SIZE + XP_NASID_MASK_BYTES) {
+- dev_err(xpc_part, "xpc_remote_copy_buffer is not big enough\n");
+- return -EPERM;
+- }
+- DBUG_ON((u64) xpc_remote_copy_buffer !=
+- L1_CACHE_ALIGN((u64) xpc_remote_copy_buffer));
++
++ buf_size = max(XPC_RP_VARS_SIZE,
++ XPC_RP_HEADER_SIZE + XP_NASID_MASK_BYTES);
++ xpc_remote_copy_buffer = xpc_kmalloc_cacheline_aligned(buf_size,
++ GFP_KERNEL, &xpc_remote_copy_buffer_base);
++ if (xpc_remote_copy_buffer == NULL)
++ return -ENOMEM;
+
+ snprintf(xpc_part->bus_id, BUS_ID_SIZE, "part");
+ snprintf(xpc_chan->bus_id, BUS_ID_SIZE, "chan");
+@@ -1293,6 +1291,8 @@ xpc_init(void)
+ if (xpc_sysctl) {
+ unregister_sysctl_table(xpc_sysctl);
+ }
++
++ kfree(xpc_remote_copy_buffer_base);
+ return -EBUSY;
+ }
+
+@@ -1311,6 +1311,8 @@ xpc_init(void)
+ if (xpc_sysctl) {
+ unregister_sysctl_table(xpc_sysctl);
+ }
++
++ kfree(xpc_remote_copy_buffer_base);
+ return -EBUSY;
+ }
+
+@@ -1362,6 +1364,8 @@ xpc_init(void)
+ if (xpc_sysctl) {
+ unregister_sysctl_table(xpc_sysctl);
+ }
++
++ kfree(xpc_remote_copy_buffer_base);
+ return -EBUSY;
+ }
+
+--- linux-2.6.17.11.orig/arch/ia64/sn/kernel/xpc_partition.c
++++ linux-2.6.17.11/arch/ia64/sn/kernel/xpc_partition.c
+@@ -71,19 +71,15 @@ struct xpc_partition xpc_partitions[XP_M
+ * Generic buffer used to store a local copy of portions of a remote
+ * partition's reserved page (either its header and part_nasids mask,
+ * or its vars).
+- *
+- * xpc_discovery runs only once and is a seperate thread that is
+- * very likely going to be processing in parallel with receiving
+- * interrupts.
+ */
+-char ____cacheline_aligned xpc_remote_copy_buffer[XPC_RP_HEADER_SIZE +
+- XP_NASID_MASK_BYTES];
++char *xpc_remote_copy_buffer;
++void *xpc_remote_copy_buffer_base;
+
+
+ /*
+ * Guarantee that the kmalloc'd memory is cacheline aligned.
+ */
+-static void *
++void *
+ xpc_kmalloc_cacheline_aligned(size_t size, gfp_t flags, void **base)
+ {
+ /* see if kmalloc will give us cachline aligned memory by default */
+@@ -148,7 +144,7 @@ xpc_get_rsvd_page_pa(int nasid)
+ }
+ }
+
+- bte_res = xp_bte_copy(rp_pa, ia64_tpa(buf), buf_len,
++ bte_res = xp_bte_copy(rp_pa, buf, buf_len,
+ (BTE_NOTIFY | BTE_WACQUIRE), NULL);
+ if (bte_res != BTE_SUCCESS) {
+ dev_dbg(xpc_part, "xp_bte_copy failed %i\n", bte_res);
+@@ -447,7 +443,7 @@ xpc_check_remote_hb(void)
+
+ /* pull the remote_hb cache line */
+ bres = xp_bte_copy(part->remote_vars_pa,
+- ia64_tpa((u64) remote_vars),
++ (u64) remote_vars,
+ XPC_RP_VARS_SIZE,
+ (BTE_NOTIFY | BTE_WACQUIRE), NULL);
+ if (bres != BTE_SUCCESS) {
+@@ -498,8 +494,7 @@ xpc_get_remote_rp(int nasid, u64 *discov
+
+
+ /* pull over the reserved page header and part_nasids mask */
+-
+- bres = xp_bte_copy(*remote_rp_pa, ia64_tpa((u64) remote_rp),
++ bres = xp_bte_copy(*remote_rp_pa, (u64) remote_rp,
+ XPC_RP_HEADER_SIZE + xp_nasid_mask_bytes,
+ (BTE_NOTIFY | BTE_WACQUIRE), NULL);
+ if (bres != BTE_SUCCESS) {
+@@ -554,11 +549,8 @@ xpc_get_remote_vars(u64 remote_vars_pa,
+ return xpcVarsNotSet;
+ }
+
+-
+ /* pull over the cross partition variables */
+-
+- bres = xp_bte_copy(remote_vars_pa, ia64_tpa((u64) remote_vars),
+- XPC_RP_VARS_SIZE,
++ bres = xp_bte_copy(remote_vars_pa, (u64) remote_vars, XPC_RP_VARS_SIZE,
+ (BTE_NOTIFY | BTE_WACQUIRE), NULL);
+ if (bres != BTE_SUCCESS) {
+ return xpc_map_bte_errors(bres);
+@@ -1239,7 +1231,7 @@ xpc_initiate_partid_to_nasids(partid_t p
+
+ part_nasid_pa = (u64) XPC_RP_PART_NASIDS(part->remote_rp_pa);
+
+- bte_res = xp_bte_copy(part_nasid_pa, ia64_tpa((u64) nasid_mask),
++ bte_res = xp_bte_copy(part_nasid_pa, (u64) nasid_mask,
+ xp_nasid_mask_bytes, (BTE_NOTIFY | BTE_WACQUIRE), NULL);
+
+ return xpc_map_bte_errors(bte_res);
+--- linux-2.6.17.11.orig/include/asm-ia64/sn/xp.h
++++ linux-2.6.17.11/include/asm-ia64/sn/xp.h
+@@ -60,23 +60,37 @@
+ * the bte_copy() once in the hope that the failure was due to a temporary
+ * aberration (i.e., the link going down temporarily).
+ *
+- * See bte_copy for definition of the input parameters.
++ * src - physical address of the source of the transfer.
++ * vdst - virtual address of the destination of the transfer.
++ * len - number of bytes to transfer from source to destination.
++ * mode - see bte_copy() for definition.
++ * notification - see bte_copy() for definition.
+ *
+ * Note: xp_bte_copy() should never be called while holding a spinlock.
+ */
+ static inline bte_result_t
+-xp_bte_copy(u64 src, u64 dest, u64 len, u64 mode, void *notification)
++xp_bte_copy(u64 src, u64 vdst, u64 len, u64 mode, void *notification)
+ {
+ bte_result_t ret;
++ u64 pdst = ia64_tpa(vdst);
+
+
+- ret = bte_copy(src, dest, len, mode, notification);
++ /*
++ * Ensure that the physically mapped memory is contiguous.
++ *
++ * We do this by ensuring that the memory is from region 7 only.
++ * If the need should arise to use memory from one of the other
++ * regions, then modify the BUG_ON() statement to ensure that the
++ * memory from that region is always physically contiguous.
++ */
++ BUG_ON(REGION_NUMBER(vdst) != RGN_KERNEL);
+
++ ret = bte_copy(src, pdst, len, mode, notification);
+ if (ret != BTE_SUCCESS) {
+ if (!in_interrupt()) {
+ cond_resched();
+ }
+- ret = bte_copy(src, dest, len, mode, notification);
++ ret = bte_copy(src, pdst, len, mode, notification);
+ }
+
+ return ret;
+--- linux-2.6.17.11.orig/include/asm-ia64/sn/xpc.h
++++ linux-2.6.17.11/include/asm-ia64/sn/xpc.h
+@@ -684,7 +684,9 @@ extern struct xpc_vars *xpc_vars;
+ extern struct xpc_rsvd_page *xpc_rsvd_page;
+ extern struct xpc_vars_part *xpc_vars_part;
+ extern struct xpc_partition xpc_partitions[XP_MAX_PARTITIONS + 1];
+-extern char xpc_remote_copy_buffer[];
++extern char *xpc_remote_copy_buffer;
++extern void *xpc_remote_copy_buffer_base;
++extern void *xpc_kmalloc_cacheline_aligned(size_t, gfp_t, void **);
+ extern struct xpc_rsvd_page *xpc_rsvd_page_init(void);
+ extern void xpc_allow_IPI_ops(void);
+ extern void xpc_restrict_IPI_ops(void);
diff --git a/queue-2.6.17/sparc64-fix-x-server-crashes-on-sparc64.patch b/queue-2.6.17/sparc64-fix-x-server-crashes-on-sparc64.patch
new file mode 100644
index 00000000000..3de74a91b3d
--- /dev/null
+++ b/queue-2.6.17/sparc64-fix-x-server-crashes-on-sparc64.patch
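Review bot: In xpc_init() the `kfree(xpc_remote_copy_buffer_base);` added to three separate `return -EBUSY;` paths turns an already repeated unwind (the `if (xpc_sysctl) { unregister_sysctl_table(xpc_sysctl); }` block) into the same sequence pasted three times, and the next resource acquired by the function will have to be added to each copy; a single cleanup label at the end of the function holding the sequence once is the usual shape for an init routine that acquires several resources. In xp_bte_copy(), the new `BUG_ON(REGION_NUMBER(vdst) != RGN_KERNEL)` is well explained by the comment above it, but since it now runs inside an inline helper on every copy, one more sentence saying it is a debugging aid deliberately placed on the hot path would tell a later reader whether it may be relaxed to a warning. xpc_init() and xp_bte_copy()'s callers start and end outside their hunks.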
@@ -0,0 +1,47 @@
+From stable-bounces@linux.kernel.org Mon Aug 28 00:41:14 2006
+Date: Mon, 28 Aug 2006 00:40:40 -0700 (PDT)
+Message-Id: <20060828.004040.10298405.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller
+Subject: SPARC64: Fix X server crashes on sparc64
+
+From: David S. Miller
+
+[SPARC64]: Fix X server hangs due to large pages.
+
+This problem was introduced by changeset
+14778d9072e53d2171f66ffd9657daff41acfaed
+
+Unlike the hugetlb code paths, the normal fault code is not setup to
+propagate PTE changes for large page sizes correctly like the ones we
+make for I/O mappings in io_remap_pfn_range().
+
+It is absolutely necessary to update all sub-ptes of a largepage
+mapping on a fault. Adding special handling for this would add
+considerably complexity to tlb_batch_add(). So let's just side-step
+the issue and forcefully dirty any writable PTEs created by
+io_remap_pfn_range().
+
+The only other real option would be to disable to large PTE code of
+io_remap_pfn_range() and we really don't want to do that.
+
+Much thanks to Mikael Pettersson for tracking down this problem and
+testing debug patches.
+
+Signed-off-by: David S. Miller
+
+---
+ arch/sparc64/mm/generic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.17.11.orig/arch/sparc64/mm/generic.c
++++ linux-2.6.17.11/arch/sparc64/mm/generic.c
+@@ -69,6 +69,8 @@ static inline void io_remap_pte_range(st
+ } else
+ offset += PAGE_SIZE;
+
++ if (pte_write(entry))
++ entry = pte_mkdirty(entry);
+ do {
+ BUG_ON(!pte_none(*pte));
+ set_pte_at(mm, address, pte, entry);
diff --git a/queue-2.6.17/tg3-disable-tso-by-default.patch b/queue-2.6.17/tg3-disable-tso-by-default.patch
new file mode 100644
index 00000000000..1c53ee7f31f
--- /dev/null
+++ b/queue-2.6.17/tg3-disable-tso-by-default.patch
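Review bot: The two lines added to io_remap_pte_range() have no comment, and `entry = pte_mkdirty(entry)` applied to every writable I/O mapping reads like an accident unless the reader tracks down this changelog. Suggest above the `if (pte_write(entry))`: `/* The fault path cannot update all sub-PTEs of a large-page mapping, so writable I/O mappings are created dirty up front. */`. io_remap_pte_range() starts and ends outside the hunk.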
@@ -0,0 +1,68 @@
+From stable-bounces@linux.kernel.org Fri Aug 25 14:55:37 2006
+From: "Michael Chan"
+To: stable@kernel.org, davem@davemloft.net
+Date: Fri, 25 Aug 2006 14:54:13 -0700
+Message-ID: <1156542854.5021.2.camel@rh4>
+Subject: TG3: Disable TSO by default
+
+From: Michael Chan
+
+Disable TSO by default on some chips due to hardware errata.
+
+Enabling TSO can lead to tx timeouts in some cases when the TSO
+header size exceeds 80 bytes on the affected chips. This limit
+can be exceeded when the TCP header contains the timestamp option
+plus 2 SACK blocks, for example. A more complete workaround is
+available in the next 2.6.18 kernel.
+
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/net/tg3.c | 12 ++++++++----
+ drivers/net/tg3.h | 1 +
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- linux-2.6.17.11.orig/drivers/net/tg3.c
++++ linux-2.6.17.11/drivers/net/tg3.c
+@@ -69,8 +69,8 @@
+
+ #define DRV_MODULE_NAME "tg3"
+ #define PFX DRV_MODULE_NAME ": "
+-#define DRV_MODULE_VERSION "3.59"
+-#define DRV_MODULE_RELDATE "June 8, 2006"
++#define DRV_MODULE_VERSION "3.59.1"
++#define DRV_MODULE_RELDATE "August 25, 2006"
+
+ #define TG3_DEF_MAC_MODE 0
+ #define TG3_DEF_RX_MODE 0
+@@ -11381,11 +11381,15 @@ static int __devinit tg3_init_one(struct
+ tp->tg3_flags2 |= TG3_FLG2_TSO_CAPABLE;
+ }
+
+- /* TSO is on by default on chips that support hardware TSO.
++ /* TSO is on by default on chips that support HW_TSO_2.
++ * Some HW_TSO_1 capable chips have bugs that can lead to
++ * tx timeouts in some cases when TSO is enabled.
+ * Firmware TSO on older chips gives lower performance, so it
+ * is off by default, but can be enabled using ethtool.
+ */
+- if (tp->tg3_flags2 & TG3_FLG2_HW_TSO)
++ if ((tp->tg3_flags2 & TG3_FLG2_HW_TSO_2) ||
++ (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5750 &&
++ tp->pci_chip_rev_id >= CHIPREV_ID_5750_C2))
+ dev->features |= NETIF_F_TSO;
+
+ #endif
+--- linux-2.6.17.11.orig/drivers/net/tg3.h
++++ linux-2.6.17.11/drivers/net/tg3.h
+@@ -125,6 +125,7 @@
+ #define CHIPREV_ID_5750_A0 0x4000
+ #define CHIPREV_ID_5750_A1 0x4001
+ #define CHIPREV_ID_5750_A3 0x4003
++#define CHIPREV_ID_5750_C2 0x4202
+ #define CHIPREV_ID_5752_A0_HW 0x5000
+ #define CHIPREV_ID_5752_A0 0x6000
+ #define CHIPREV_ID_5752_A1 0x6001
diff --git a/queue-2.6.17/uhci-hcd-fix-list-access-bug.patch b/queue-2.6.17/uhci-hcd-fix-list-access-bug.patch
new file mode 100644
index 00000000000..aa84b6c44b6
--- /dev/null
+++ b/queue-2.6.17/uhci-hcd-fix-list-access-bug.patch
@@ -0,0 +1,33 @@
+From stable-bounces@linux.kernel.org Thu Aug 31 11:19:22 2006
+Date: Thu, 31 Aug 2006 14:18:39 -0400 (EDT)
+From: Alan Stern
+To: Greg KH ,
+Message-ID:
+Cc: Duncan Sands ,
+ USB development list
+Subject: uhci-hcd: fix list access bug
+
+From: Alan Stern
+
+When skipping to the last TD of an URB, go to the _last_ entry in the
+list instead of the _first_ entry (as780). This fixes Bugzilla #6747 and
+possibly others.
+
+Signed-off-by: Alan Stern
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/uhci-q.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.17.11.orig/drivers/usb/host/uhci-q.c
++++ linux-2.6.17.11/drivers/usb/host/uhci-q.c
+@@ -264,7 +264,7 @@ static void uhci_fixup_toggles(struct uh
+ * need to change any toggles in this URB */
+ td = list_entry(urbp->td_list.next, struct uhci_td, list);
+ if (toggle > 1 || uhci_toggle(td_token(td)) == toggle) {
+- td = list_entry(urbp->td_list.next, struct uhci_td,
++ td = list_entry(urbp->td_list.prev, struct uhci_td,
+ list);
+ toggle = uhci_toggle(td_token(td)) ^ 1;
+
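Review bot: The rewritten comment in tg3_init_one() explains the HW_TSO_2 rule but says nothing about the second arm of the new condition, which re-enables TSO on ASIC_REV_5750 parts at CHIPREV_ID_5750_C2 or later even though they are not HW_TSO_2, so the exception reads as unexplained to the next maintainer. One more comment line would close that gap: `* 5750 revisions C2 and later are exempted from the HW_TSO_1 restriction.`. The ordinal `>= CHIPREV_ID_5750_C2` test is only meaningful because it is guarded by the ASIC_REV_5750 check first, which is worth saying in the same comment since the rev-ID numbering is per chip family. The tg3.h hunk adds only CHIPREV_ID_5750_C2, so I take TG3_FLG2_HW_TSO_2 to be already defined in this tree; worth confirming before queueing. tg3_init_one() starts and ends outside the hunk.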
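Review bot: The fix in uhci_fixup_toggles() hinges on a single word (`.prev` versus `.next` on the line above it), and nothing in the code says the intent is the last TD, so the same slip can easily recur on a later edit. A trailing comment on the changed line, `/* last TD of this URB */`, or extending the existing "need to change any toggles in this URB" comment to say "skip to the last TD so the next URB's toggle is computed from it", would make the choice of `.prev` self-evident. uhci_fixup_toggles() starts and ends outside the hunk.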
