From: Greg Kroah-Hartman Date: Thu, 3 Aug 2006 07:09:16 +0000 (-0700) Subject: lots of 2.6.17-stable patches queued up X-Git-Tag: v2.6.17.8~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e6bd396149e71882262de877cdfde58719a94bc6;p=thirdparty%2Fkernel%2Fstable-queue.git lots of 2.6.17-stable patches queued up --- diff --git a/queue-2.6.17/don-t-allow-chmod-on-the-proc-pid-files.patch b/queue-2.6.17/don-t-allow-chmod-on-the-proc-pid-files.patch new file mode 100644 index 00000000000..e55862f1118 --- /dev/null +++ b/queue-2.6.17/don-t-allow-chmod-on-the-proc-pid-files.patch @@ -0,0 +1,136 @@ +From stable-bounces@linux.kernel.org Sat Jul 15 17:21:18 2006 +From: Marcel Holtmann +To: Greg KH +Date: Sun, 16 Jul 2006 02:20:53 +0200 +Message-Id: <1153009253.12764.20.camel@localhost> +Cc: Andrew Morton , torvalds@osdl.org, + linux-kernel@vger.kernel.org, stable@kernel.org +Subject: Don't allow chmod() on the /proc// files + +From: Marcel Holtmann + +Don't allow chmod() on the /proc// files + +This just turns off chmod() on the /proc// files, since there is no +good reason to allow it, and had we disallowed it originally, the nasty +/proc race exploit wouldn't have been possible. + +The other patches already fixed the problem chmod() could cause, so this +is really just some final mop-up.. + +This particular version is based off a patch by Eugene and Marcel which +had much better naming than my original equivalent one. + +Signed-off-by: Eugene Teo +Signed-off-by: Marcel Holtmann +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/base.c | 33 ++++++++++++++++++++++++++++++++- + 1 file changed, 32 insertions(+), 1 deletion(-) + +--- linux-2.6.17.7.orig/fs/proc/base.c ++++ linux-2.6.17.7/fs/proc/base.c +@@ -596,6 +596,27 @@ static int proc_permission(struct inode + return proc_check_root(inode); + } + ++static int proc_setattr(struct dentry *dentry, struct iattr *attr) ++{ ++ int error; ++ struct inode *inode = dentry->d_inode; ++ ++ if (attr->ia_valid & ATTR_MODE) ++ return -EPERM; ++ ++ error = inode_change_ok(inode, attr); ++ if (!error) { ++ error = security_inode_setattr(dentry, attr); ++ if (!error) ++ error = inode_setattr(inode, attr); ++ } ++ return error; ++} ++ ++static struct inode_operations proc_def_inode_operations = { ++ .setattr = proc_setattr, ++}; ++ + static int proc_task_permission(struct inode *inode, int mask, struct nameidata *nd) + { + struct dentry *root; +@@ -987,6 +1008,7 @@ static struct file_operations proc_oom_a + + static struct inode_operations proc_mem_inode_operations = { + .permission = proc_permission, ++ .setattr = proc_setattr, + }; + + #ifdef CONFIG_AUDITSYSCALL +@@ -1184,7 +1206,8 @@ out: + + static struct inode_operations proc_pid_link_inode_operations = { + .readlink = proc_pid_readlink, +- .follow_link = proc_pid_follow_link ++ .follow_link = proc_pid_follow_link, ++ .setattr = proc_setattr, + }; + + #define NUMBUF 10 +@@ -1356,6 +1379,7 @@ static struct inode *proc_pid_make_inode + ei->task = NULL; + inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME; + inode->i_ino = fake_ino(task->pid, ino); ++ inode->i_op = &proc_def_inode_operations; + + if (!pid_alive(task)) + goto out_unlock; +@@ -1579,11 +1603,13 @@ static struct file_operations proc_task_ + static struct inode_operations proc_fd_inode_operations = { + .lookup = proc_lookupfd, + .permission = proc_permission, ++ .setattr = proc_setattr, + }; + + static struct inode_operations proc_task_inode_operations = { + .lookup = proc_task_lookup, + .permission = proc_task_permission, ++ .setattr = proc_setattr, + }; + + #ifdef CONFIG_SECURITY +@@ -1873,10 +1899,12 @@ static struct file_operations proc_tid_b + + static struct inode_operations proc_tgid_base_inode_operations = { + .lookup = proc_tgid_base_lookup, ++ .setattr = proc_setattr, + }; + + static struct inode_operations proc_tid_base_inode_operations = { + .lookup = proc_tid_base_lookup, ++ .setattr = proc_setattr, + }; + + #ifdef CONFIG_SECURITY +@@ -1918,10 +1946,12 @@ static struct dentry *proc_tid_attr_look + + static struct inode_operations proc_tgid_attr_inode_operations = { + .lookup = proc_tgid_attr_lookup, ++ .setattr = proc_setattr, + }; + + static struct inode_operations proc_tid_attr_inode_operations = { + .lookup = proc_tid_attr_lookup, ++ .setattr = proc_setattr, + }; + #endif + +@@ -1946,6 +1976,7 @@ static void *proc_self_follow_link(struc + static struct inode_operations proc_self_inode_operations = { + .readlink = proc_self_readlink, + .follow_link = proc_self_follow_link, ++ .setattr = proc_setattr, + }; + + /** diff --git a/queue-2.6.17/e1000-add-forgotten-pci-id-for-supported-device.patch b/queue-2.6.17/e1000-add-forgotten-pci-id-for-supported-device.patch new file mode 100644 index 00000000000..ae4baf3b8e8 --- /dev/null +++ b/queue-2.6.17/e1000-add-forgotten-pci-id-for-supported-device.patch @@ -0,0 +1,47 @@ +From stable-bounces@linux.kernel.org Fri Jul 28 15:08:08 2006 +Message-ID: <44CA8A59.40002@intel.com> +Date: Fri, 28 Jul 2006 15:06:17 -0700 +From: Auke Kok +To: Greg KH , stable@kernel.org +Cc: Auke Kok , NetDev , + "John W. Linville" , + Jesse Brandeburg , + "Ronciak, + John" , + "Kok, Auke" +Subject: e1000: add forgotten PCI ID for supported device + +From: Auke Kok + +The Intel(R) PRO/1000 82572EI card is fully supported by 7.0.33-k2 and +onward. Add the device ID so this card works with 2.6.17.y onward. This +device ID was accidentally omitted. + +Signed-off-by: Auke Kok +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/e1000/e1000_hw.c | 1 + + drivers/net/e1000/e1000_hw.h | 1 + + 2 files changed, 2 insertions(+) + +--- linux-2.6.17.7.orig/drivers/net/e1000/e1000_hw.c ++++ linux-2.6.17.7/drivers/net/e1000/e1000_hw.c +@@ -353,6 +353,7 @@ e1000_set_mac_type(struct e1000_hw *hw) + case E1000_DEV_ID_82572EI_COPPER: + case E1000_DEV_ID_82572EI_FIBER: + case E1000_DEV_ID_82572EI_SERDES: ++ case E1000_DEV_ID_82572EI: + hw->mac_type = e1000_82572; + break; + case E1000_DEV_ID_82573E: +--- linux-2.6.17.7.orig/drivers/net/e1000/e1000_hw.h ++++ linux-2.6.17.7/drivers/net/e1000/e1000_hw.h +@@ -462,6 +462,7 @@ int32_t e1000_check_phy_reset_block(stru + #define E1000_DEV_ID_82572EI_COPPER 0x107D + #define E1000_DEV_ID_82572EI_FIBER 0x107E + #define E1000_DEV_ID_82572EI_SERDES 0x107F ++#define E1000_DEV_ID_82572EI 0x10B9 + #define E1000_DEV_ID_82573E 0x108B + #define E1000_DEV_ID_82573E_IAMT 0x108C + #define E1000_DEV_ID_82573L 0x109A diff --git a/queue-2.6.17/ext3-avoid-triggering-ext3_error-on-bad-nfs-file-handle.patch b/queue-2.6.17/ext3-avoid-triggering-ext3_error-on-bad-nfs-file-handle.patch new file mode 100644 index 00000000000..7dd5ed91c94 --- /dev/null +++ b/queue-2.6.17/ext3-avoid-triggering-ext3_error-on-bad-nfs-file-handle.patch @@ -0,0 +1,108 @@ +From stable-bounces@linux.kernel.org Sun Jul 30 03:04:26 2006 +Message-Id: <200607301003.k6UA31hC002485@shell0.pdx.osdl.net> +To: torvalds@osdl.org +From: akpm@osdl.org +Date: Sun, 30 Jul 2006 03:03:01 -0700 +Cc: akpm@osdl.org, jack@suse.cz, esandeen@redhat.com, neilb@suse.de, + sct@redhat.com, marcel@holtmann.org, stable@kernel.org +Subject: ext3: avoid triggering ext3_error on bad NFS file handle + +From: Neil Brown + +The inode number out of an NFS file handle gets passed eventually to +ext3_get_inode_block() without any checking. If ext3_get_inode_block() +allows it to trigger an error, then bad filehandles can have unpleasant +effect - ext3_error() will usually cause a forced read-only remount, or a +panic if `errors=panic' was used. + +So remove the call to ext3_error there and put a matching check in +ext3/namei.c where inode numbers are read off storage. + +[akpm@osdl.org: fix off-by-one error] +Signed-off-by: Neil Brown +Signed-off-by: Jan Kara +Cc: Marcel Holtmann +Cc: "Stephen C. Tweedie" +Cc: Eric Sandeen +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext3/inode.c | 13 +++++++------ + fs/ext3/namei.c | 15 +++++++++++++-- + include/linux/ext3_fs.h | 9 +++++++++ + 3 files changed, 29 insertions(+), 8 deletions(-) + +--- linux-2.6.17.7.orig/fs/ext3/inode.c ++++ linux-2.6.17.7/fs/ext3/inode.c +@@ -2402,14 +2402,15 @@ static unsigned long ext3_get_inode_bloc + struct buffer_head *bh; + struct ext3_group_desc * gdp; + +- +- if ((ino != EXT3_ROOT_INO && ino != EXT3_JOURNAL_INO && +- ino != EXT3_RESIZE_INO && ino < EXT3_FIRST_INO(sb)) || +- ino > le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count)) { +- ext3_error(sb, "ext3_get_inode_block", +- "bad inode number: %lu", ino); ++ if (!ext3_valid_inum(sb, ino)) { ++ /* ++ * This error is already checked for in namei.c unless we are ++ * looking at an NFS filehandle, in which case no error ++ * report is needed ++ */ + return 0; + } ++ + block_group = (ino - 1) / EXT3_INODES_PER_GROUP(sb); + if (block_group >= EXT3_SB(sb)->s_groups_count) { + ext3_error(sb,"ext3_get_inode_block","group >= groups count"); +--- linux-2.6.17.7.orig/fs/ext3/namei.c ++++ linux-2.6.17.7/fs/ext3/namei.c +@@ -1000,7 +1000,12 @@ static struct dentry *ext3_lookup(struct + if (bh) { + unsigned long ino = le32_to_cpu(de->inode); + brelse (bh); +- inode = iget(dir->i_sb, ino); ++ if (!ext3_valid_inum(dir->i_sb, ino)) { ++ ext3_error(dir->i_sb, "ext3_lookup", ++ "bad inode number: %lu", ino); ++ inode = NULL; ++ } else ++ inode = iget(dir->i_sb, ino); + + if (!inode) + return ERR_PTR(-EACCES); +@@ -1028,7 +1033,13 @@ struct dentry *ext3_get_parent(struct de + return ERR_PTR(-ENOENT); + ino = le32_to_cpu(de->inode); + brelse(bh); +- inode = iget(child->d_inode->i_sb, ino); ++ ++ if (!ext3_valid_inum(child->d_inode->i_sb, ino)) { ++ ext3_error(child->d_inode->i_sb, "ext3_get_parent", ++ "bad inode number: %lu", ino); ++ inode = NULL; ++ } else ++ inode = iget(child->d_inode->i_sb, ino); + + if (!inode) + return ERR_PTR(-EACCES); +--- linux-2.6.17.7.orig/include/linux/ext3_fs.h ++++ linux-2.6.17.7/include/linux/ext3_fs.h +@@ -495,6 +495,15 @@ static inline struct ext3_inode_info *EX + { + return container_of(inode, struct ext3_inode_info, vfs_inode); + } ++ ++static inline int ext3_valid_inum(struct super_block *sb, unsigned long ino) ++{ ++ return ino == EXT3_ROOT_INO || ++ ino == EXT3_JOURNAL_INO || ++ ino == EXT3_RESIZE_INO || ++ (ino >= EXT3_FIRST_INO(sb) && ++ ino <= le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count)); ++} + #else + /* Assume that user mode programs are passing in an ext3fs superblock, not + * a kernel struct super_block. This will allow us to call the feature-test diff --git a/queue-2.6.17/ext3-nobh-option-causes-oops.patch b/queue-2.6.17/ext3-nobh-option-causes-oops.patch new file mode 100644 index 00000000000..d2ffabc83e5 --- /dev/null +++ b/queue-2.6.17/ext3-nobh-option-causes-oops.patch @@ -0,0 +1,51 @@ +From stable-bounces@linux.kernel.org Sun Jul 30 03:05:05 2006 +Message-Id: <200607301004.k6UA4E5T002773@shell0.pdx.osdl.net> +To: torvalds@osdl.org +From: akpm@osdl.org +Date: Sun, 30 Jul 2006 03:04:14 -0700 +Cc: akpm@osdl.org, pbadari@us.ibm.com, stable@kernel.org +Subject: ext3 -nobh option causes oops + +From: Badari Pulavarty + +For files other than IFREG, nobh option doesn't make sense. Modifications +to them are journalled and needs buffer heads to do that. Without this +patch, we get kernel oops in page_buffers(). + +Signed-off-by: Badari Pulavarty +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext3/inode.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- linux-2.6.17.7.orig/fs/ext3/inode.c ++++ linux-2.6.17.7/fs/ext3/inode.c +@@ -1159,7 +1159,7 @@ retry: + ret = PTR_ERR(handle); + goto out; + } +- if (test_opt(inode->i_sb, NOBH)) ++ if (test_opt(inode->i_sb, NOBH) && ext3_should_writeback_data(inode)) + ret = nobh_prepare_write(page, from, to, ext3_get_block); + else + ret = block_prepare_write(page, from, to, ext3_get_block); +@@ -1245,7 +1245,7 @@ static int ext3_writeback_commit_write(s + if (new_i_size > EXT3_I(inode)->i_disksize) + EXT3_I(inode)->i_disksize = new_i_size; + +- if (test_opt(inode->i_sb, NOBH)) ++ if (test_opt(inode->i_sb, NOBH) && ext3_should_writeback_data(inode)) + ret = nobh_commit_write(file, page, from, to); + else + ret = generic_commit_write(file, page, from, to); +@@ -1495,7 +1495,7 @@ static int ext3_writeback_writepage(stru + goto out_fail; + } + +- if (test_opt(inode->i_sb, NOBH)) ++ if (test_opt(inode->i_sb, NOBH) && ext3_should_writeback_data(inode)) + ret = nobh_writepage(page, ext3_get_block, wbc); + else + ret = block_write_full_page(page, ext3_get_block, wbc); diff --git a/queue-2.6.17/fix-race-related-problem-when-adding-items-to-and-svcrpc-auth-cache.patch b/queue-2.6.17/fix-race-related-problem-when-adding-items-to-and-svcrpc-auth-cache.patch new file mode 100644 index 00000000000..4d2a36bab67 --- /dev/null +++ b/queue-2.6.17/fix-race-related-problem-when-adding-items-to-and-svcrpc-auth-cache.patch @@ -0,0 +1,57 @@ +From stable-bounces@linux.kernel.org Wed Aug 2 17:21:12 2006 +From: Neil Brown +To: Philipp Matthias Hahn +Date: Thu, 3 Aug 2006 10:20:12 +1000 +Message-ID: <17617.16700.274788.869486@cse.unsw.edu.au> +Cc: akpm@osdl.org, nfs@lists.sourceforge.net, stable@kernel.org, + linux-kernel@vger.kernel.org +Subject: Fix race related problem when adding items to and svcrpc auth cache. + +From: Neil Brown + +Fix race related problem when adding items to and svcrpc auth cache. + +If we don't find the item we are lookng for, we allocate a new one, +and then grab the lock again and search to see if it has been added +while we did the alloc. +If it had been added we need to 'cache_put' the newly created item +that we are never going to use. But as it hasn't been initialised +properly, putting it can cause an oops. + +So move the ->init call earlier to that it will always be fully +initilised if we have to put it. + +Thanks to Philipp Matthias Hahn +for reporting the problem. + +Signed-off-by: Neil Brown +Signed-off-by: Greg Kroah-Hartman + + +--- + net/sunrpc/cache.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- linux-2.6.17.7.orig/net/sunrpc/cache.c ++++ linux-2.6.17.7/net/sunrpc/cache.c +@@ -71,7 +71,12 @@ struct cache_head *sunrpc_cache_lookup(s + new = detail->alloc(); + if (!new) + return NULL; ++ /* must fully initialise 'new', else ++ * we might get lose if we need to ++ * cache_put it soon. ++ */ + cache_init(new); ++ detail->init(new, key); + + write_lock(&detail->hash_lock); + +@@ -85,7 +90,6 @@ struct cache_head *sunrpc_cache_lookup(s + return tmp; + } + } +- detail->init(new, key); + new->next = *head; + *head = new; + detail->entries++; diff --git a/queue-2.6.17/h.323-helper-fix-possible-null-ptr-dereference.patch b/queue-2.6.17/h.323-helper-fix-possible-null-ptr-dereference.patch new file mode 100644 index 00000000000..2d7463f1801 --- /dev/null +++ b/queue-2.6.17/h.323-helper-fix-possible-null-ptr-dereference.patch @@ -0,0 +1,36 @@ +From stable-bounces@linux.kernel.org Mon Jul 24 17:33:30 2006 +Message-ID: <44C56652.5020606@trash.net> +Date: Tue, 25 Jul 2006 02:31:14 +0200 +From: Patrick McHardy +To: stable@kernel.org +Cc: "David S. Miller" +Subject: [NETFILTER]: H.323 helper: fix possible NULL-ptr dereference + +From: Patrick McHardy + +[NETFILTER]: H.323 helper: fix possible NULL-ptr dereference + +An RCF message containing a timeout results in a NULL-ptr dereference if +no RRQ has been seen before. + +Noticed by the "SATURN tool", reported by Thomas Dillig +and Isil Dillig . + +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/ip_conntrack_helper_h323.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.17.7.orig/net/ipv4/netfilter/ip_conntrack_helper_h323.c ++++ linux-2.6.17.7/net/ipv4/netfilter/ip_conntrack_helper_h323.c +@@ -1092,7 +1092,7 @@ static struct ip_conntrack_expect *find_ + tuple.dst.protonum = IPPROTO_TCP; + + exp = __ip_conntrack_expect_find(&tuple); +- if (exp->master == ct) ++ if (exp && exp->master == ct) + return exp; + return NULL; + } diff --git a/queue-2.6.17/i2c-01-scx200_acb-fix-state-machine.patch b/queue-2.6.17/i2c-01-scx200_acb-fix-state-machine.patch new file mode 100644 index 00000000000..9430bb158bf --- /dev/null +++ b/queue-2.6.17/i2c-01-scx200_acb-fix-state-machine.patch @@ -0,0 +1,52 @@ +From stable-bounces@linux.kernel.org Wed Jul 26 12:48:02 2006 +Date: Wed, 26 Jul 2006 21:47:41 +0200 +From: Jean Delvare +To: stable@kernel.org +Message-Id: <20060726214741.d895b5e0.khali@linux-fr.org> +Subject: scx200_acb: Fix the state machine +Content-Disposition: inline; filename=i2c-01-scx200_acb-fix-state-machine.patch + +From: Thomas Andrews + +Fix the scx200_acb state machine: + +* Nack was sent one byte too late on reads >= 2 bytes. +* Stop bit was set one byte too late on reads. + +Signed-off-by: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/scx200_acb.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- linux-2.6.17.7.orig/drivers/i2c/busses/scx200_acb.c ++++ linux-2.6.17.7/drivers/i2c/busses/scx200_acb.c +@@ -181,21 +181,21 @@ static void scx200_acb_machine(struct sc + break; + + case state_read: +- /* Set ACK if receiving the last byte */ +- if (iface->len == 1) ++ /* Set ACK if _next_ byte will be the last one */ ++ if (iface->len == 2) + outb(inb(ACBCTL1) | ACBCTL1_ACK, ACBCTL1); + else + outb(inb(ACBCTL1) & ~ACBCTL1_ACK, ACBCTL1); + +- *iface->ptr++ = inb(ACBSDA); +- --iface->len; +- +- if (iface->len == 0) { ++ if (iface->len == 1) { + iface->result = 0; + iface->state = state_idle; + outb(inb(ACBCTL1) | ACBCTL1_STOP, ACBCTL1); + } + ++ *iface->ptr++ = inb(ACBSDA); ++ --iface->len; ++ + break; + + case state_write: diff --git a/queue-2.6.17/i2c-02-scx200_acb-fix-block-transactions.patch b/queue-2.6.17/i2c-02-scx200_acb-fix-block-transactions.patch new file mode 100644 index 00000000000..d9cf9e2d1b2 --- /dev/null +++ b/queue-2.6.17/i2c-02-scx200_acb-fix-block-transactions.patch @@ -0,0 +1,52 @@ +From stable-bounces@linux.kernel.org Wed Jul 26 12:52:59 2006 +Date: Wed, 26 Jul 2006 21:50:15 +0200 +From: Jean Delvare +To: stable@kernel.org +Message-Id: <20060726215015.9da8afda.khali@linux-fr.org> +Subject: scx200_acb: Fix the block transactions +Content-Disposition: inline; filename=i2c-02-scx200_acb-fix-block-transactions.patch + +From: Jean Delvare + +The scx200_acb i2c bus driver pretends to support SMBus block +transactions, but in fact it implements the more simple I2C block +transactions. Additionally, it lacks sanity checks on the length +of the block transactions, which could lead to a buffer overrun. + +This fixes an oops reported by Alexander Atanasov: +http://marc.theaimsgroup.com/?l=linux-kernel&m=114970382125094 + +Thanks to Ben Gardner for fixing my bugs :) + +Signed-off-by: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/scx200_acb.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- linux-2.6.17.7.orig/drivers/i2c/busses/scx200_acb.c ++++ linux-2.6.17.7/drivers/i2c/busses/scx200_acb.c +@@ -304,8 +304,12 @@ static s32 scx200_acb_smbus_xfer(struct + buffer = (u8 *)&cur_word; + break; + +- case I2C_SMBUS_BLOCK_DATA: ++ case I2C_SMBUS_I2C_BLOCK_DATA: ++ if (rw == I2C_SMBUS_READ) ++ data->block[0] = I2C_SMBUS_BLOCK_MAX; /* For now */ + len = data->block[0]; ++ if (len == 0 || len > I2C_SMBUS_BLOCK_MAX) ++ return -EINVAL; + buffer = &data->block[1]; + break; + +@@ -369,7 +373,7 @@ static u32 scx200_acb_func(struct i2c_ad + { + return I2C_FUNC_SMBUS_QUICK | I2C_FUNC_SMBUS_BYTE | + I2C_FUNC_SMBUS_BYTE_DATA | I2C_FUNC_SMBUS_WORD_DATA | +- I2C_FUNC_SMBUS_BLOCK_DATA; ++ I2C_FUNC_SMBUS_I2C_BLOCK; + } + + /* For now, we only handle combined mode (smbus) */ diff --git a/queue-2.6.17/i2c-03-fix-ignore-module-parameter-handling.patch b/queue-2.6.17/i2c-03-fix-ignore-module-parameter-handling.patch new file mode 100644 index 00000000000..11e5d61cb31 --- /dev/null +++ b/queue-2.6.17/i2c-03-fix-ignore-module-parameter-handling.patch @@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Wed Jul 26 12:53:36 2006 +Date: Wed, 26 Jul 2006 21:53:13 +0200 +From: Jean Delvare +To: stable@kernel.org +Message-Id: <20060726215313.907eb30d.khali@linux-fr.org> +Subject: i2c: Fix 'ignore' module parameter handling in i2c-core +Content-Disposition: inline; filename=i2c-03-fix-ignore-module-parameter-handling.patch + +From: "Mark M. Hoffman" + +This patch fixes a bug in the handling of 'ignore' module parameters of I2C +client drivers. + +Signed-off-by: Mark M. Hoffman +Signed-off-by: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/i2c-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.17.7.orig/drivers/i2c/i2c-core.c ++++ linux-2.6.17.7/drivers/i2c/i2c-core.c +@@ -756,9 +756,9 @@ int i2c_probe(struct i2c_adapter *adapte + "parameter for adapter %d, " + "addr 0x%02x\n", adap_id, + address_data->ignore[j + 1]); ++ ignore = 1; ++ break; + } +- ignore = 1; +- break; + } + if (ignore) + continue; diff --git a/queue-2.6.17/ieee1394-sbp2-enable-auto-spin-up-for-maxtor-disks.patch b/queue-2.6.17/ieee1394-sbp2-enable-auto-spin-up-for-maxtor-disks.patch new file mode 100644 index 00000000000..1b77e84b629 --- /dev/null +++ b/queue-2.6.17/ieee1394-sbp2-enable-auto-spin-up-for-maxtor-disks.patch @@ -0,0 +1,37 @@ +From stable-bounces@linux.kernel.org Wed Aug 2 10:43:49 2006 +Date: Wed, 2 Aug 2006 19:40:06 +0200 (CEST) +From: Stefan Richter +To: Linus Torvalds , stable@kernel.org +Message-ID: +Content-Disposition: INLINE +Cc: Ben Collins , linux-kernel@vger.kernel.org +Subject: ieee1394: sbp2: enable auto spin-up for Maxtor disks + +From: Stefan Richter + +At least Maxtor OneTouch III require a "start stop unit" command after +auto spin-down before the next access can proceed. This patch activates +the responsible code in scsi_mod for all Maxtor SBP-2 disks. +https://bugzilla.novell.com/show_bug.cgi?id=183011 + +Maybe that should be done for all SBP-2 disks, but better be cautious. + +Signed-off-by: Stefan Richter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ieee1394/sbp2.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- linux-2.6.17.7.orig/drivers/ieee1394/sbp2.c ++++ linux-2.6.17.7/drivers/ieee1394/sbp2.c +@@ -2541,6 +2541,9 @@ static int sbp2scsi_slave_configure(stru + sdev->skip_ms_page_8 = 1; + if (scsi_id->workarounds & SBP2_WORKAROUND_FIX_CAPACITY) + sdev->fix_capacity = 1; ++ if (scsi_id->ne->guid_vendor_id == 0x0010b9 && /* Maxtor's OUI */ ++ (sdev->type == TYPE_DISK || sdev->type == TYPE_RBC)) ++ sdev->allow_restart = 1; + return 0; + } + diff --git a/queue-2.6.17/invalidate_bdev-speedup.patch b/queue-2.6.17/invalidate_bdev-speedup.patch new file mode 100644 index 00000000000..2bc7b06cc2b --- /dev/null +++ b/queue-2.6.17/invalidate_bdev-speedup.patch @@ -0,0 +1,46 @@ +From stable-bounces@linux.kernel.org Sun Jul 30 03:04:04 2006 +Message-Id: <200607301003.k6UA3SlC002568@shell0.pdx.osdl.net> +To: torvalds@osdl.org +From: akpm@osdl.org +Date: Sun, 30 Jul 2006 03:03:28 -0700 +Cc: akpm@osdl.org, jes@trained-monkey.org, stable@kernel.org +Subject: invalidate_bdev() speedup + +From: Andrew Morton + +We can immediately bale from invalidate_bdev() if the blockdev has no +pagecache. + +This solves the huge IPI storms which hald is causing on the big ia64 +machines when it polls CDROM drives. + +Acked-by: Jes Sorensen +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/buffer.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- linux-2.6.17.7.orig/fs/buffer.c ++++ linux-2.6.17.7/fs/buffer.c +@@ -473,13 +473,18 @@ out: + pass does the actual I/O. */ + void invalidate_bdev(struct block_device *bdev, int destroy_dirty_buffers) + { ++ struct address_space *mapping = bdev->bd_inode->i_mapping; ++ ++ if (mapping->nrpages == 0) ++ return; ++ + invalidate_bh_lrus(); + /* + * FIXME: what about destroy_dirty_buffers? + * We really want to use invalidate_inode_pages2() for + * that, but not until that's cleaned up. + */ +- invalidate_inode_pages(bdev->bd_inode->i_mapping); ++ invalidate_inode_pages(mapping); + } + + /* diff --git a/queue-2.6.17/pci-fix-issues-with-extended-conf-space-when-mmconfig-disabled-because-of-e820.patch b/queue-2.6.17/pci-fix-issues-with-extended-conf-space-when-mmconfig-disabled-because-of-e820.patch index 0ef4c2e3898..ed8eea7416a 100644 --- a/queue-2.6.17/pci-fix-issues-with-extended-conf-space-when-mmconfig-disabled-because-of-e820.patch +++ b/queue-2.6.17/pci-fix-issues-with-extended-conf-space-when-mmconfig-disabled-because-of-e820.patch @@ -3,8 +3,9 @@ From: Chuck Ebbert <76306.1226@compuserve.com> Date: Thu, 15 Jun 2006 04:41:52 -0400 Subject: PCI: fix issues with extended conf space when MMCONFIG disabled because of e820 -On 15 Jun 2006 03:45:10 +0200, Andi Kleen wrote: +From: Chuck Ebbert <76306.1226@compuserve.com> +On 15 Jun 2006 03:45:10 +0200, Andi Kleen wrote: > Anyways I would say that if the BIOS can't get MCFG right then > it's likely not been validated on that board and shouldn't be used. diff --git a/queue-2.6.17/series b/queue-2.6.17/series index ccf71dc84b6..71c663974c2 100644 --- a/queue-2.6.17/series +++ b/queue-2.6.17/series @@ -1 +1,17 @@ pci-fix-issues-with-extended-conf-space-when-mmconfig-disabled-because-of-e820.patch +don-t-allow-chmod-on-the-proc-pid-files.patch +h.323-helper-fix-possible-null-ptr-dereference.patch +i2c-01-scx200_acb-fix-state-machine.patch +i2c-02-scx200_acb-fix-block-transactions.patch +i2c-03-fix-ignore-module-parameter-handling.patch +sky2-napi-bug.patch +uhci-fix-handling-of-short-last-packet.patch +update-frag_list-in-pskb_trim.patch +vlan-state-handling-fix.patch +sparc64-quad-float-emulation-fix.patch +invalidate_bdev-speedup.patch +ieee1394-sbp2-enable-auto-spin-up-for-maxtor-disks.patch +fix-race-related-problem-when-adding-items-to-and-svcrpc-auth-cache.patch +ext3-nobh-option-causes-oops.patch +ext3-avoid-triggering-ext3_error-on-bad-nfs-file-handle.patch +e1000-add-forgotten-pci-id-for-supported-device.patch diff --git a/queue-2.6.17/sky2-napi-bug.patch b/queue-2.6.17/sky2-napi-bug.patch new file mode 100644 index 00000000000..4b1661728d4 --- /dev/null +++ b/queue-2.6.17/sky2-napi-bug.patch @@ -0,0 +1,41 @@ +From stable-bounces@linux.kernel.org Mon Jul 17 10:52:35 2006 +Date: Mon, 17 Jul 2006 13:51:50 -0400 +From: Stephen Hemminger +To: stable@kernel.org +Message-ID: <20060717135150.09aea07d@localhost.localdomain> +Subject: sky2: NAPI bug + +From: Stephen Hemminger + +If the sky2 driver decides to defer processing because it's NAPI +packet quota is done, then it won't correctly handle the rest +when it is rescheduled. + +Signed-off-by: Stephen Hemminger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/sky2.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- linux-2.6.17.7.orig/drivers/net/sky2.c ++++ linux-2.6.17.7/drivers/net/sky2.c +@@ -2187,9 +2187,6 @@ static int sky2_poll(struct net_device * + int work_done = 0; + u32 status = sky2_read32(hw, B0_Y2_SP_EISR); + +- if (!~status) +- goto out; +- + if (status & Y2_IS_HW_ERR) + sky2_hw_intr(hw); + +@@ -2226,7 +2223,7 @@ static int sky2_poll(struct net_device * + + if (sky2_more_work(hw)) + return 1; +-out: ++ + netif_rx_complete(dev0); + + sky2_read32(hw, B0_Y2_SP_LISR); diff --git a/queue-2.6.17/sparc64-quad-float-emulation-fix.patch b/queue-2.6.17/sparc64-quad-float-emulation-fix.patch new file mode 100644 index 00000000000..037354129e5 --- /dev/null +++ b/queue-2.6.17/sparc64-quad-float-emulation-fix.patch @@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Thu Jul 27 17:03:23 2006 +Date: Thu, 27 Jul 2006 17:02:36 -0700 (PDT) +Message-Id: <20060727.170236.92582647.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Subject: Sparc64 quad-float emulation fix + +From: David Miller + +[SPARC64]: Fix quad-float multiply emulation. + +Something is wrong with the 3-multiply (vs. 4-multiply) optimized +version of _FP_MUL_MEAT_2_*(), so just use the slower version +which actually computes correct values. + +Noticed by Rene Rebe + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/asm-sparc64/sfp-machine.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.17.7.orig/include/asm-sparc64/sfp-machine.h ++++ linux-2.6.17.7/include/asm-sparc64/sfp-machine.h +@@ -34,7 +34,7 @@ + #define _FP_MUL_MEAT_D(R,X,Y) \ + _FP_MUL_MEAT_1_wide(_FP_WFRACBITS_D,R,X,Y,umul_ppmm) + #define _FP_MUL_MEAT_Q(R,X,Y) \ +- _FP_MUL_MEAT_2_wide_3mul(_FP_WFRACBITS_Q,R,X,Y,umul_ppmm) ++ _FP_MUL_MEAT_2_wide(_FP_WFRACBITS_Q,R,X,Y,umul_ppmm) + + #define _FP_DIV_MEAT_S(R,X,Y) _FP_DIV_MEAT_1_imm(S,R,X,Y,_FP_DIV_HELP_imm) + #define _FP_DIV_MEAT_D(R,X,Y) _FP_DIV_MEAT_1_udiv_norm(D,R,X,Y) diff --git a/queue-2.6.17/uhci-fix-handling-of-short-last-packet.patch b/queue-2.6.17/uhci-fix-handling-of-short-last-packet.patch new file mode 100644 index 00000000000..71280e8a170 --- /dev/null +++ b/queue-2.6.17/uhci-fix-handling-of-short-last-packet.patch @@ -0,0 +1,49 @@ +From stable-bounces@linux.kernel.org Mon Jul 24 09:07:30 2006 +Date: Mon, 24 Jul 2006 12:06:55 -0400 (EDT) +From: Alan Stern +To: stable@kernel.org +Message-ID: +Cc: Juan Pedro Paredes Caballero , Duncan Sands , Andrew Beverley +Subject: UHCI: Fix handling of short last packet + +From: Alan Stern + +This patch (as753) fixes the way uhci-hcd handles a short packet when it +is the last packet of an URB. Right now the driver handles short packets +the same no matter when they occur. However, the controller stops +transferring packets when the short packet is not the last one (otherwise +it would be reading beyond the end of the device's data) and needs to be +restarted, whereas no such need occurs when the short packet is the last +one. + +The result of the bug is that USB endpoint queues experience intermittent +hangs, a regression in 2.6.17 with respect to earlier kernels. The bug +was raised in Bugzilla #6752 and this patch fixed it. + +Signed-off-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/usb/host/uhci-q.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- linux-2.6.17.7.orig/drivers/usb/host/uhci-q.c ++++ linux-2.6.17.7/drivers/usb/host/uhci-q.c +@@ -896,12 +896,14 @@ static int uhci_result_common(struct uhc + /* + * This URB stopped short of its end. We have to + * fix up the toggles of the following URBs on the +- * queue and restart the queue. ++ * queue and restart the queue. But only if this ++ * TD isn't the last one in the URB. + * + * Do this only the first time we encounter the + * short URB. + */ +- if (!urbp->short_transfer) { ++ if (!urbp->short_transfer && ++ &td->list != urbp->td_list.prev) { + urbp->short_transfer = 1; + urbp->qh->initial_toggle = + uhci_toggle(td_token(td)) ^ 1; diff --git a/queue-2.6.17/update-frag_list-in-pskb_trim.patch b/queue-2.6.17/update-frag_list-in-pskb_trim.patch new file mode 100644 index 00000000000..05eb650c3e9 --- /dev/null +++ b/queue-2.6.17/update-frag_list-in-pskb_trim.patch @@ -0,0 +1,238 @@ +From stable-bounces@linux.kernel.org Sun Jul 30 15:52:09 2006 +Date: Mon, 31 Jul 2006 08:50:37 +1000 +To: Greg KH +Message-ID: <20060730225037.GA21685@gondor.apana.org.au> +Content-Disposition: inline +From: Herbert Xu +Cc: netdev@vger.kernel.org, stable@kernel.org, David Miller +Subject: [NET]: Update frag_list in pskb_trim + +From: Herbert Xu + +[NET]: Update frag_list in pskb_trim + +When pskb_trim has to defer to ___pksb_trim to trim the frag_list part of +the packet, the frag_list is not updated to reflect the trimming. This +will usually work fine until you hit something that uses the packet length +or tail from the frag_list. + +Examples include esp_output and ip_fragment. + +Another problem caused by this is that you can end up with a linear packet +with a frag_list attached. + +It is possible to get away with this if we audit everything to make sure +that they always consult skb->len before going down onto frag_list. In +fact we can do the samething for the paged part as well to avoid copying +the data area of the skb. For now though, let's do the conservative fix +and update frag_list. + +Many thanks to Marco Berizzi for helping me to track down this bug. + +This 4-year old bug took 3 months to track down. Marco was very patient +indeed :) + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/skbuff.h | 24 +++++------ + net/core/skbuff.c | 106 ++++++++++++++++++++++++++++++++++--------------- + 2 files changed, 86 insertions(+), 44 deletions(-) + +--- linux-2.6.17.7.orig/include/linux/skbuff.h ++++ linux-2.6.17.7/include/linux/skbuff.h +@@ -967,15 +967,16 @@ static inline void skb_reserve(struct sk + #define NET_SKB_PAD 16 + #endif + +-extern int ___pskb_trim(struct sk_buff *skb, unsigned int len, int realloc); ++extern int ___pskb_trim(struct sk_buff *skb, unsigned int len); + + static inline void __skb_trim(struct sk_buff *skb, unsigned int len) + { +- if (!skb->data_len) { +- skb->len = len; +- skb->tail = skb->data + len; +- } else +- ___pskb_trim(skb, len, 0); ++ if (unlikely(skb->data_len)) { ++ WARN_ON(1); ++ return; ++ } ++ skb->len = len; ++ skb->tail = skb->data + len; + } + + /** +@@ -985,6 +986,7 @@ static inline void __skb_trim(struct sk_ + * + * Cut the length of a buffer down by removing data from the tail. If + * the buffer is already under the length specified it is not modified. ++ * The skb must be linear. + */ + static inline void skb_trim(struct sk_buff *skb, unsigned int len) + { +@@ -995,12 +997,10 @@ static inline void skb_trim(struct sk_bu + + static inline int __pskb_trim(struct sk_buff *skb, unsigned int len) + { +- if (!skb->data_len) { +- skb->len = len; +- skb->tail = skb->data+len; +- return 0; +- } +- return ___pskb_trim(skb, len, 1); ++ if (skb->data_len) ++ return ___pskb_trim(skb, len); ++ __skb_trim(skb, len); ++ return 0; + } + + static inline int pskb_trim(struct sk_buff *skb, unsigned int len) +--- linux-2.6.17.7.orig/net/core/skbuff.c ++++ linux-2.6.17.7/net/core/skbuff.c +@@ -251,11 +251,11 @@ nodata: + } + + +-static void skb_drop_fraglist(struct sk_buff *skb) ++static void skb_drop_list(struct sk_buff **listp) + { +- struct sk_buff *list = skb_shinfo(skb)->frag_list; ++ struct sk_buff *list = *listp; + +- skb_shinfo(skb)->frag_list = NULL; ++ *listp = NULL; + + do { + struct sk_buff *this = list; +@@ -264,6 +264,11 @@ static void skb_drop_fraglist(struct sk_ + } while (list); + } + ++static inline void skb_drop_fraglist(struct sk_buff *skb) ++{ ++ skb_drop_list(&skb_shinfo(skb)->frag_list); ++} ++ + static void skb_clone_fraglist(struct sk_buff *skb) + { + struct sk_buff *list; +@@ -802,49 +807,86 @@ struct sk_buff *skb_pad(struct sk_buff * + return nskb; + } + +-/* Trims skb to length len. It can change skb pointers, if "realloc" is 1. +- * If realloc==0 and trimming is impossible without change of data, +- * it is BUG(). ++/* Trims skb to length len. It can change skb pointers. + */ + +-int ___pskb_trim(struct sk_buff *skb, unsigned int len, int realloc) ++int ___pskb_trim(struct sk_buff *skb, unsigned int len) + { ++ struct sk_buff **fragp; ++ struct sk_buff *frag; + int offset = skb_headlen(skb); + int nfrags = skb_shinfo(skb)->nr_frags; + int i; ++ int err; + +- for (i = 0; i < nfrags; i++) { ++ if (skb_cloned(skb) && ++ unlikely((err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC)))) ++ return err; ++ ++ i = 0; ++ if (offset >= len) ++ goto drop_pages; ++ ++ for (; i < nfrags; i++) { + int end = offset + skb_shinfo(skb)->frags[i].size; +- if (end > len) { +- if (skb_cloned(skb)) { +- BUG_ON(!realloc); +- if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) +- return -ENOMEM; +- } +- if (len <= offset) { +- put_page(skb_shinfo(skb)->frags[i].page); +- skb_shinfo(skb)->nr_frags--; +- } else { +- skb_shinfo(skb)->frags[i].size = len - offset; +- } ++ ++ if (end < len) { ++ offset = end; ++ continue; ++ } ++ ++ skb_shinfo(skb)->frags[i++].size = len - offset; ++ ++drop_pages: ++ skb_shinfo(skb)->nr_frags = i; ++ ++ for (; i < nfrags; i++) ++ put_page(skb_shinfo(skb)->frags[i].page); ++ ++ if (skb_shinfo(skb)->frag_list) ++ skb_drop_fraglist(skb); ++ goto done; ++ } ++ ++ for (fragp = &skb_shinfo(skb)->frag_list; (frag = *fragp); ++ fragp = &frag->next) { ++ int end = offset + frag->len; ++ ++ if (skb_shared(frag)) { ++ struct sk_buff *nfrag; ++ ++ nfrag = skb_clone(frag, GFP_ATOMIC); ++ if (unlikely(!nfrag)) ++ return -ENOMEM; ++ ++ nfrag->next = frag->next; ++ kfree_skb(frag); ++ frag = nfrag; ++ *fragp = frag; + } +- offset = end; ++ ++ if (end < len) { ++ offset = end; ++ continue; ++ } ++ ++ if (end > len && ++ unlikely((err = pskb_trim(frag, len - offset)))) ++ return err; ++ ++ if (frag->next) ++ skb_drop_list(&frag->next); ++ break; + } + +- if (offset < len) { ++done: ++ if (len > skb_headlen(skb)) { + skb->data_len -= skb->len - len; + skb->len = len; + } else { +- if (len <= skb_headlen(skb)) { +- skb->len = len; +- skb->data_len = 0; +- skb->tail = skb->data + len; +- if (skb_shinfo(skb)->frag_list && !skb_cloned(skb)) +- skb_drop_fraglist(skb); +- } else { +- skb->data_len -= skb->len - len; +- skb->len = len; +- } ++ skb->len = len; ++ skb->data_len = 0; ++ skb->tail = skb->data + len; + } + + return 0; diff --git a/queue-2.6.17/vlan-state-handling-fix.patch b/queue-2.6.17/vlan-state-handling-fix.patch new file mode 100644 index 00000000000..757ebc914ee --- /dev/null +++ b/queue-2.6.17/vlan-state-handling-fix.patch @@ -0,0 +1,48 @@ +From stable-bounces@linux.kernel.org Mon Jul 24 13:54:38 2006 +Date: Mon, 24 Jul 2006 13:54:15 -0700 (PDT) +Message-Id: <20060724.135415.68158299.davem@davemloft.net> +To: stable@kernel.org +From: David Miller +Subject: VLAN state handling fix + +From: Stefan Rompf + +[VLAN]: Fix link state propagation + +When the queue of the underlying device is stopped at initialization time +or the device is marked "not present", the state will be propagated to the +vlan device and never change. Based on an analysis by Patrick McHardy. + +Signed-off-by: Stefan Rompf +ACKed-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/8021q/vlan.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- linux-2.6.17.7.orig/net/8021q/vlan.c ++++ linux-2.6.17.7/net/8021q/vlan.c +@@ -67,10 +67,6 @@ static struct packet_type vlan_packet_ty + .func = vlan_skb_recv, /* VLAN receive method */ + }; + +-/* Bits of netdev state that are propagated from real device to virtual */ +-#define VLAN_LINK_STATE_MASK \ +- ((1<<__LINK_STATE_PRESENT)|(1<<__LINK_STATE_NOCARRIER)|(1<<__LINK_STATE_DORMANT)) +- + /* End of global variables definitions. */ + + /* +@@ -470,7 +466,9 @@ static struct net_device *register_vlan_ + new_dev->flags = real_dev->flags; + new_dev->flags &= ~IFF_UP; + +- new_dev->state = real_dev->state & ~(1<<__LINK_STATE_START); ++ new_dev->state = (real_dev->state & ((1<<__LINK_STATE_NOCARRIER) | ++ (1<<__LINK_STATE_DORMANT))) | ++ (1<<__LINK_STATE_PRESENT); + + /* need 4 bytes for extra VLAN header info, + * hope the underlying device can handle it.