From 5297d7893333774e00b1075162995aa7549ec92f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 13 Feb 2009 14:35:57 -0800 Subject: [PATCH] .28 patches --- ...s-net-skfp-if-capable-inverted-logic.patch | 33 +++ ...-thinko-causing-berkeley-db-slowdown.patch | 53 ++++ ...fix-infinite-retry-loop-in-ip-config.patch | 39 +++ ...copy-cork-options-in-ip6_append_data.patch | 119 +++++++++ ...w-rediculious-flowlabel-option-sizes.patch | 47 ++++ ...l-doc-fix-syscall-wrapper-processing.patch | 109 ++++++++ ...in-lockd-s-handling-of-blocked-locks.patch | 59 +++++ ...o-ap-in-outgoing-interface-heuristic.patch | 34 +++ ...mmap-to-unlock-before-arch_exit_mmap.patch | 80 ++++++ ...bd-fix-i-o-hang-on-disconnected-nbds.patch | 66 +++++ ...sclosure-in-so_bsdcompat-gsopt-try-2.patch | 48 ++++ ...x-frag_list-handling-in-skb_seq_read.patch | 52 ++++ .../net-fix-oops-in-skb_seq_read.patch | 85 +++++++ ...land-breakage-wrt.-linux-if_tunnel.h.patch | 61 +++++ ...acket-socket-packet_lookup_frame-fix.patch | 44 ++++ ...cket-avoid-lock_sock-in-mmap-handler.patch | 86 +++++++ ...rt_serial-don-t-bind-netmos-ibm-0299.patch | 38 +++ ...mapping-functions-to-use-phys_addr_t.patch | 55 ++++ ...tx-timer-on-new-packet-transmissions.patch | 43 ++++ ...32c-calculations-on-big-endian-arhes.patch | 33 +++ ...utgoing-data-chunks-for-rtx-purposes.patch | 60 +++++ queue-2.6.28/series | 39 +++ ...with-netconsoling-and-iface-going-up.patch | 43 ++++ ...c-enable-syscall-wrappers-for-64-bit.patch | 30 +++ ...ecific-syscalls-with-syscall_definex.patch | 236 ++++++++++++++++++ ...ra-ac200-when-switching-interface-up.patch | 71 ++++++ .../syscall-define-fix-uml-compile-bug.patch | 89 +++++++ ..._data_recv-passes-to-skb_splice_bits.patch | 47 ++++ ...-as-many-packets-as-possible-at-once.patch | 72 ++++++ ...issing-tun-compat-ioctl-translations.patch | 52 ++++ .../tun-fix-unicast-filter-overflow.patch | 49 ++++ ...-fix-udp-short-packet-false-positive.patch | 44 ++++ ...ents-sk_drops-in-__udp_queue_rcv_skb.patch | 39 +++ ...x_packet_len-to-support-802.1q-vlans.patch | 43 ++++ .../w1-w1-temp-calculation-overflow-fix.patch | 38 +++ .../write-back-fix-nr_to_write-counter.patch | 70 ++++++ .../writeback-fix-break-condition.patch | 66 +++++ ...ing-paravirt_release_pmd-in-pgd_dtor.patch | 61 +++++ ...dding-0ace-0xa211-as-a-zd1211-device.patch | 33 +++ ...-as-uw2453_rf-for-tp-link-wn322-422g.patch | 37 +++ 40 files changed, 2403 insertions(+) create mode 100644 queue-2.6.28/drivers-net-skfp-if-capable-inverted-logic.patch create mode 100644 queue-2.6.28/fix-page-writeback-thinko-causing-berkeley-db-slowdown.patch create mode 100644 queue-2.6.28/ipv4-fix-infinite-retry-loop-in-ip-config.patch create mode 100644 queue-2.6.28/ipv6-copy-cork-options-in-ip6_append_data.patch create mode 100644 queue-2.6.28/ipv6-disallow-rediculious-flowlabel-option-sizes.patch create mode 100644 queue-2.6.28/kernel-doc-fix-syscall-wrapper-processing.patch create mode 100644 queue-2.6.28/lockd-fix-regression-in-lockd-s-handling-of-blocked-locks.patch create mode 100644 queue-2.6.28/mac80211-restrict-to-ap-in-outgoing-interface-heuristic.patch create mode 100644 queue-2.6.28/mm-rearrange-exit_mmap-to-unlock-before-arch_exit_mmap.patch create mode 100644 queue-2.6.28/nbd-fix-i-o-hang-on-disconnected-nbds.patch create mode 100644 queue-2.6.28/net-4-bytes-kernel-memory-disclosure-in-so_bsdcompat-gsopt-try-2.patch create mode 100644 queue-2.6.28/net-fix-frag_list-handling-in-skb_seq_read.patch create mode 100644 queue-2.6.28/net-fix-oops-in-skb_seq_read.patch create mode 100644 queue-2.6.28/net-fix-userland-breakage-wrt.-linux-if_tunnel.h.patch create mode 100644 queue-2.6.28/net-packet-socket-packet_lookup_frame-fix.patch create mode 100644 queue-2.6.28/packet-avoid-lock_sock-in-mmap-handler.patch create mode 100644 queue-2.6.28/parport-parport_serial-don-t-bind-netmos-ibm-0299.patch create mode 100644 queue-2.6.28/powerpc-fsl-booke-fix-mapping-functions-to-use-phys_addr_t.patch create mode 100644 queue-2.6.28/sctp-correctly-start-rtx-timer-on-new-packet-transmissions.patch create mode 100644 queue-2.6.28/sctp-fix-crc32c-calculations-on-big-endian-arhes.patch create mode 100644 queue-2.6.28/sctp-properly-timestamp-outgoing-data-chunks-for-rtx-purposes.patch create mode 100644 queue-2.6.28/series create mode 100644 queue-2.6.28/sky2-fix-hard-hang-with-netconsoling-and-iface-going-up.patch create mode 100644 queue-2.6.28/sparc-enable-syscall-wrappers-for-64-bit.patch create mode 100644 queue-2.6.28/sparc64-annotate-sparc64-specific-syscalls-with-syscall_definex.patch create mode 100644 queue-2.6.28/sungem-soft-lockup-in-sungem-on-netra-ac200-when-switching-interface-up.patch create mode 100644 queue-2.6.28/syscall-define-fix-uml-compile-bug.patch create mode 100644 queue-2.6.28/tcp-fix-length-tcp_splice_data_recv-passes-to-skb_splice_bits.patch create mode 100644 queue-2.6.28/tcp-splice-as-many-packets-as-possible-at-once.patch create mode 100644 queue-2.6.28/tun-add-some-missing-tun-compat-ioctl-translations.patch create mode 100644 queue-2.6.28/tun-fix-unicast-filter-overflow.patch create mode 100644 queue-2.6.28/udp-fix-udp-short-packet-false-positive.patch create mode 100644 queue-2.6.28/udp-increments-sk_drops-in-__udp_queue_rcv_skb.patch create mode 100644 queue-2.6.28/virtio_net-fix-max_packet_len-to-support-802.1q-vlans.patch create mode 100644 queue-2.6.28/w1-w1-temp-calculation-overflow-fix.patch create mode 100644 queue-2.6.28/write-back-fix-nr_to_write-counter.patch create mode 100644 queue-2.6.28/writeback-fix-break-condition.patch create mode 100644 queue-2.6.28/x86-vmi-put-a-missing-paravirt_release_pmd-in-pgd_dtor.patch create mode 100644 queue-2.6.28/zd1211rw-adding-0ace-0xa211-as-a-zd1211-device.patch create mode 100644 queue-2.6.28/zd1211rw-treat-maxim_new_rf-as-uw2453_rf-for-tp-link-wn322-422g.patch diff --git a/queue-2.6.28/drivers-net-skfp-if-capable-inverted-logic.patch b/queue-2.6.28/drivers-net-skfp-if-capable-inverted-logic.patch new file mode 100644 index 00000000000..70200c4ef84 --- /dev/null +++ b/queue-2.6.28/drivers-net-skfp-if-capable-inverted-logic.patch @@ -0,0 +1,33 @@ +From 5d76cf411cb7eb4bb419ec77ddbb528127d3d906 Mon Sep 17 00:00:00 2001 +From: Roel Kluin +Date: Thu, 29 Jan 2009 17:32:20 -0800 +Subject: drivers/net/skfp: if !capable(CAP_NET_ADMIN): inverted logic + +From: Roel Kluin + +[ Upstream commit c25b9abbc2c2c0da88e180c3933d6e773245815a ] + +Fix inverted logic + +Signed-off-by: Roel Kluin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/skfp/skfddi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/skfp/skfddi.c ++++ b/drivers/net/skfp/skfddi.c +@@ -998,9 +998,9 @@ static int skfp_ioctl(struct net_device + break; + case SKFP_CLR_STATS: /* Zero out the driver statistics */ + if (!capable(CAP_NET_ADMIN)) { +- memset(&lp->MacStat, 0, sizeof(lp->MacStat)); +- } else { + status = -EPERM; ++ } else { ++ memset(&lp->MacStat, 0, sizeof(lp->MacStat)); + } + break; + default: diff --git a/queue-2.6.28/fix-page-writeback-thinko-causing-berkeley-db-slowdown.patch b/queue-2.6.28/fix-page-writeback-thinko-causing-berkeley-db-slowdown.patch new file mode 100644 index 00000000000..4c9cdd80d1e --- /dev/null +++ b/queue-2.6.28/fix-page-writeback-thinko-causing-berkeley-db-slowdown.patch @@ -0,0 +1,53 @@ +From 3a4c6800f31ea8395628af5e7e490270ee5d0585 Mon Sep 17 00:00:00 2001 +From: Nick Piggin +Date: Thu, 12 Feb 2009 04:34:23 +0100 +Subject: Fix page writeback thinko, causing Berkeley DB slowdown + +From: Nick Piggin + +commit 3a4c6800f31ea8395628af5e7e490270ee5d0585 upstream. + +A bug was introduced into write_cache_pages cyclic writeout by commit +31a12666d8f0c22235297e1c1575f82061480029 ("mm: write_cache_pages cyclic +fix"). The intention (and comments) is that we should cycle back and +look for more dirty pages at the beginning of the file if there is no +more work to be done. + +But the !done condition was dropped from the test. This means that any +time the page writeout loop breaks (eg. due to nr_to_write == 0), we +will set index to 0, then goto again. This will set done_index to +index, then find done is set, so will proceed to the end of the +function. When updating mapping->writeback_index for cyclic writeout, +we now use done_index == 0, so we're always cycling back to 0. + +This seemed to be causing random mmap writes (slapadd and iozone) to +start writing more pages from the LRU and writeout would slowdown, and +caused bugzilla entry + + http://bugzilla.kernel.org/show_bug.cgi?id=12604 + +about Berkeley DB slowing down dramatically. + +With this patch, iozone random write performance is increased nearly +5x on my system (iozone -B -r 4k -s 64k -s 512m -s 1200m on ext2). + +Signed-off-by: Nick Piggin +Reported-and-tested-by: Jan Kara +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page-writeback.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -997,7 +997,7 @@ continue_unlock: + pagevec_release(&pvec); + cond_resched(); + } +- if (!cycled) { ++ if (!cycled && !done) { + /* + * range_cyclic: + * We hit the last page and there is more work to be done: wrap diff --git a/queue-2.6.28/ipv4-fix-infinite-retry-loop-in-ip-config.patch b/queue-2.6.28/ipv4-fix-infinite-retry-loop-in-ip-config.patch new file mode 100644 index 00000000000..769a842c64a --- /dev/null +++ b/queue-2.6.28/ipv4-fix-infinite-retry-loop-in-ip-config.patch @@ -0,0 +1,39 @@ +From 6ae4f7efc741daa77ce6a84dce8963e07aabdc65 Mon Sep 17 00:00:00 2001 +From: Benjamin Zores +Date: Thu, 29 Jan 2009 16:19:13 -0800 +Subject: ipv4: fix infinite retry loop in IP-Config + +From: Benjamin Zores + +[ Upstream commit 9d8dba6c979fa99c96938c869611b9a23b73efa9 ] + +Signed-off-by: Benjamin Zores +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/ipconfig.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/ipv4/ipconfig.c ++++ b/net/ipv4/ipconfig.c +@@ -1272,6 +1272,9 @@ __be32 __init root_nfs_parse_addr(char * + static int __init ip_auto_config(void) + { + __be32 addr; ++#ifdef IPCONFIG_DYNAMIC ++ int retries = CONF_OPEN_RETRIES; ++#endif + + #ifdef CONFIG_PROC_FS + proc_net_fops_create(&init_net, "pnp", S_IRUGO, &pnp_seq_fops); +@@ -1308,9 +1311,6 @@ static int __init ip_auto_config(void) + #endif + ic_first_dev->next) { + #ifdef IPCONFIG_DYNAMIC +- +- int retries = CONF_OPEN_RETRIES; +- + if (ic_dynamic() < 0) { + ic_close_devs(); + diff --git a/queue-2.6.28/ipv6-copy-cork-options-in-ip6_append_data.patch b/queue-2.6.28/ipv6-copy-cork-options-in-ip6_append_data.patch new file mode 100644 index 00000000000..035817a2053 --- /dev/null +++ b/queue-2.6.28/ipv6-copy-cork-options-in-ip6_append_data.patch @@ -0,0 +1,119 @@ +From 262c04a7231abf2df257db43ab3e800bf260b6a6 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Thu, 5 Feb 2009 15:15:50 -0800 +Subject: ipv6: Copy cork options in ip6_append_data + +From: Herbert Xu + +[ Upstream commit 0178b695fd6b40a62a215cbeb03dd51ada3bb5e0 ] + +As the options passed to ip6_append_data may be ephemeral, we need +to duplicate it for corking. This patch applies the simplest fix +which is to memdup all the relevant bits. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ip6_output.c | 67 ++++++++++++++++++++++++++++++++++++++------------ + 1 file changed, 52 insertions(+), 15 deletions(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1104,6 +1104,18 @@ static inline int ip6_ufo_append_data(st + return err; + } + ++static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src, ++ gfp_t gfp) ++{ ++ return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL; ++} ++ ++static inline struct ipv6_rt_hdr *ip6_rthdr_dup(struct ipv6_rt_hdr *src, ++ gfp_t gfp) ++{ ++ return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL; ++} ++ + int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, + int offset, int len, int odd, struct sk_buff *skb), + void *from, int length, int transhdrlen, +@@ -1129,17 +1141,37 @@ int ip6_append_data(struct sock *sk, int + * setup for corking + */ + if (opt) { +- if (np->cork.opt == NULL) { +- np->cork.opt = kmalloc(opt->tot_len, +- sk->sk_allocation); +- if (unlikely(np->cork.opt == NULL)) +- return -ENOBUFS; +- } else if (np->cork.opt->tot_len < opt->tot_len) { +- printk(KERN_DEBUG "ip6_append_data: invalid option length\n"); ++ if (WARN_ON(np->cork.opt)) + return -EINVAL; +- } +- memcpy(np->cork.opt, opt, opt->tot_len); +- inet->cork.flags |= IPCORK_OPT; ++ ++ np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation); ++ if (unlikely(np->cork.opt == NULL)) ++ return -ENOBUFS; ++ ++ np->cork.opt->tot_len = opt->tot_len; ++ np->cork.opt->opt_flen = opt->opt_flen; ++ np->cork.opt->opt_nflen = opt->opt_nflen; ++ ++ np->cork.opt->dst0opt = ip6_opt_dup(opt->dst0opt, ++ sk->sk_allocation); ++ if (opt->dst0opt && !np->cork.opt->dst0opt) ++ return -ENOBUFS; ++ ++ np->cork.opt->dst1opt = ip6_opt_dup(opt->dst1opt, ++ sk->sk_allocation); ++ if (opt->dst1opt && !np->cork.opt->dst1opt) ++ return -ENOBUFS; ++ ++ np->cork.opt->hopopt = ip6_opt_dup(opt->hopopt, ++ sk->sk_allocation); ++ if (opt->hopopt && !np->cork.opt->hopopt) ++ return -ENOBUFS; ++ ++ np->cork.opt->srcrt = ip6_rthdr_dup(opt->srcrt, ++ sk->sk_allocation); ++ if (opt->srcrt && !np->cork.opt->srcrt) ++ return -ENOBUFS; ++ + /* need source address above miyazawa*/ + } + dst_hold(&rt->u.dst); +@@ -1166,8 +1198,7 @@ int ip6_append_data(struct sock *sk, int + } else { + rt = (struct rt6_info *)inet->cork.dst; + fl = &inet->cork.fl; +- if (inet->cork.flags & IPCORK_OPT) +- opt = np->cork.opt; ++ opt = np->cork.opt; + transhdrlen = 0; + exthdrlen = 0; + mtu = inet->cork.fragsize; +@@ -1406,9 +1437,15 @@ error: + + static void ip6_cork_release(struct inet_sock *inet, struct ipv6_pinfo *np) + { +- inet->cork.flags &= ~IPCORK_OPT; +- kfree(np->cork.opt); +- np->cork.opt = NULL; ++ if (np->cork.opt) { ++ kfree(np->cork.opt->dst0opt); ++ kfree(np->cork.opt->dst1opt); ++ kfree(np->cork.opt->hopopt); ++ kfree(np->cork.opt->srcrt); ++ kfree(np->cork.opt); ++ np->cork.opt = NULL; ++ } ++ + if (inet->cork.dst) { + dst_release(inet->cork.dst); + inet->cork.dst = NULL; diff --git a/queue-2.6.28/ipv6-disallow-rediculious-flowlabel-option-sizes.patch b/queue-2.6.28/ipv6-disallow-rediculious-flowlabel-option-sizes.patch new file mode 100644 index 00000000000..c5deb25ec4b --- /dev/null +++ b/queue-2.6.28/ipv6-disallow-rediculious-flowlabel-option-sizes.patch @@ -0,0 +1,47 @@ +From 04417e3c6b3b2c98be1f472e0de6eefe24e9ef2f Mon Sep 17 00:00:00 2001 +From: David S. Miller +Date: Fri, 6 Feb 2009 00:49:55 -0800 +Subject: ipv6: Disallow rediculious flowlabel option sizes. + +From: David S. Miller + +[ Upstream commit 684de409acff8b1fe8bf188d75ff2f99c624387d ] + +Just like PKTINFO, limit the options area to 64K. + +Based upon report by Eric Sesterhenn and analysis by +Roland Dreier. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ip6_flowlabel.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/ipv6/ip6_flowlabel.c ++++ b/net/ipv6/ip6_flowlabel.c +@@ -323,17 +323,21 @@ static struct ip6_flowlabel * + fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval, + int optlen, int *err_p) + { +- struct ip6_flowlabel *fl; ++ struct ip6_flowlabel *fl = NULL; + int olen; + int addr_type; + int err; + ++ olen = optlen - CMSG_ALIGN(sizeof(*freq)); ++ err = -EINVAL; ++ if (olen > 64 * 1024) ++ goto done; ++ + err = -ENOMEM; + fl = kzalloc(sizeof(*fl), GFP_KERNEL); + if (fl == NULL) + goto done; + +- olen = optlen - CMSG_ALIGN(sizeof(*freq)); + if (olen > 0) { + struct msghdr msg; + struct flowi flowi; diff --git a/queue-2.6.28/kernel-doc-fix-syscall-wrapper-processing.patch b/queue-2.6.28/kernel-doc-fix-syscall-wrapper-processing.patch new file mode 100644 index 00000000000..920df164b31 --- /dev/null +++ b/queue-2.6.28/kernel-doc-fix-syscall-wrapper-processing.patch @@ -0,0 +1,109 @@ +From b4870bc5ee8c7a37541a3eb1208b5c76c13a078a Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Wed, 11 Feb 2009 13:04:33 -0800 +Subject: kernel-doc: fix syscall wrapper processing + +From: Randy Dunlap + +commit b4870bc5ee8c7a37541a3eb1208b5c76c13a078a upstream. + +Fix kernel-doc processing of SYSCALL wrappers. + +The SYSCALL wrapper patches played havoc with kernel-doc for +syscalls. Syscalls that were scanned for DocBook processing +reported warnings like this one, for sys_tgkill: + +Warning(kernel/signal.c:2285): No description found for parameter 'tgkill' +Warning(kernel/signal.c:2285): No description found for parameter 'pid_t' +Warning(kernel/signal.c:2285): No description found for parameter 'int' + +because the macro parameters all "look like" function parameters, +although they are not: + +/** + * sys_tgkill - send signal to one specific thread + * @tgid: the thread group ID of the thread + * @pid: the PID of the thread + * @sig: signal to be sent + * + * This syscall also checks the @tgid and returns -ESRCH even if the PID + * exists but it's not belonging to the target process anymore. This + * method solves the problem of threads exiting and PIDs getting reused. + */ +SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid_t, pid, int, sig) +{ +... + +This patch special-cases the handling SYSCALL_DEFINE* function +prototypes by expanding them to + long sys_foobar(type1 arg1, type1 arg2, ...) + +Signed-off-by: Randy Dunlap +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/kernel-doc | 40 +++++++++++++++++++++++++++++++++++++++- + 1 file changed, 39 insertions(+), 1 deletion(-) + +--- a/scripts/kernel-doc ++++ b/scripts/kernel-doc +@@ -1762,6 +1762,40 @@ sub reset_state { + $state = 0; + } + ++sub syscall_munge() { ++ my $void = 0; ++ ++ $prototype =~ s@[\r\n\t]+@ @gos; # strip newlines/CR's/tabs ++## if ($prototype =~ m/SYSCALL_DEFINE0\s*\(\s*(a-zA-Z0-9_)*\s*\)/) { ++ if ($prototype =~ m/SYSCALL_DEFINE0/) { ++ $void = 1; ++## $prototype = "long sys_$1(void)"; ++ } ++ ++ $prototype =~ s/SYSCALL_DEFINE.*\(/long sys_/; # fix return type & func name ++ if ($prototype =~ m/long (sys_.*?),/) { ++ $prototype =~ s/,/\(/; ++ } elsif ($void) { ++ $prototype =~ s/\)/\(void\)/; ++ } ++ ++ # now delete all of the odd-number commas in $prototype ++ # so that arg types & arg names don't have a comma between them ++ my $count = 0; ++ my $len = length($prototype); ++ if ($void) { ++ $len = 0; # skip the for-loop ++ } ++ for (my $ix = 0; $ix < $len; $ix++) { ++ if (substr($prototype, $ix, 1) eq ',') { ++ $count++; ++ if ($count % 2 == 1) { ++ substr($prototype, $ix, 1) = ' '; ++ } ++ } ++ } ++} ++ + sub process_state3_function($$) { + my $x = shift; + my $file = shift; +@@ -1774,11 +1808,15 @@ sub process_state3_function($$) { + elsif ($x =~ /([^\{]*)/) { + $prototype .= $1; + } ++ + if (($x =~ /\{/) || ($x =~ /\#\s*define/) || ($x =~ /;/)) { + $prototype =~ s@/\*.*?\*/@@gos; # strip comments. + $prototype =~ s@[\r\n]+@ @gos; # strip newlines/cr's. + $prototype =~ s@^\s+@@gos; # strip leading spaces +- dump_function($prototype,$file); ++ if ($prototype =~ /SYSCALL_DEFINE/) { ++ syscall_munge(); ++ } ++ dump_function($prototype, $file); + reset_state(); + } + } diff --git a/queue-2.6.28/lockd-fix-regression-in-lockd-s-handling-of-blocked-locks.patch b/queue-2.6.28/lockd-fix-regression-in-lockd-s-handling-of-blocked-locks.patch new file mode 100644 index 00000000000..3d4ef5d353c --- /dev/null +++ b/queue-2.6.28/lockd-fix-regression-in-lockd-s-handling-of-blocked-locks.patch @@ -0,0 +1,59 @@ +From 9d9b87c1218be78ddecbc85ec3bb91c79c1d56ab Mon Sep 17 00:00:00 2001 +From: J. Bruce Fields +Date: Wed, 4 Feb 2009 17:35:38 -0500 +Subject: lockd: fix regression in lockd's handling of blocked locks + +From: J. Bruce Fields + +commit 9d9b87c1218be78ddecbc85ec3bb91c79c1d56ab upstream. + +If a client requests a blocking lock, is denied, then requests it again, +then here in nlmsvc_lock() we will call vfs_lock_file() without FL_SLEEP +set, because we've already queued a block and don't need the locks code +to do it again. + +But that means vfs_lock_file() will return -EAGAIN instead of +FILE_LOCK_DENIED. So we still need to translate that -EAGAIN return +into a nlm_lck_blocked error in this case, and put ourselves back on +lockd's block list. + +The bug was introduced by bde74e4bc64415b1 "locks: add special return +value for asynchronous locks". + +Thanks to Frank van Maarseveen for the report; his original test +case was essentially + + for i in `seq 30`; do flock /nfsmount/foo sleep 10 & done + +Tested-by: Frank van Maarseveen +Reported-by: Frank van Maarseveen +Cc: Miklos Szeredi +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/lockd/svclock.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/lockd/svclock.c ++++ b/fs/lockd/svclock.c +@@ -427,7 +427,7 @@ nlmsvc_lock(struct svc_rqst *rqstp, stru + goto out; + case -EAGAIN: + ret = nlm_lck_denied; +- goto out; ++ break; + case FILE_LOCK_DEFERRED: + if (wait) + break; +@@ -443,6 +443,10 @@ nlmsvc_lock(struct svc_rqst *rqstp, stru + goto out; + } + ++ ret = nlm_lck_denied; ++ if (!wait) ++ goto out; ++ + ret = nlm_lck_blocked; + + /* Append to list of blocked */ diff --git a/queue-2.6.28/mac80211-restrict-to-ap-in-outgoing-interface-heuristic.patch b/queue-2.6.28/mac80211-restrict-to-ap-in-outgoing-interface-heuristic.patch new file mode 100644 index 00000000000..25f9b1a4121 --- /dev/null +++ b/queue-2.6.28/mac80211-restrict-to-ap-in-outgoing-interface-heuristic.patch @@ -0,0 +1,34 @@ +From f1b33cb1c25ac476cbf22783f9ca2016f99648ed Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 6 Feb 2009 00:27:32 +0100 +Subject: mac80211: restrict to AP in outgoing interface heuristic + +From: Johannes Berg + +commit f1b33cb1c25ac476cbf22783f9ca2016f99648ed upstream. + +We try to find the correct outgoing interface for injected frames +based on the TA, but since this is a hack for hostapd 11w, restrict +the heuristic to AP mode interfaces. At some point we'll add the +ability to give an interface index in radiotap or so and just +remove this heuristic again. + +Signed-off-by: Johannes Berg +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/tx.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -1335,6 +1335,8 @@ int ieee80211_master_start_xmit(struct s + list) { + if (!netif_running(sdata->dev)) + continue; ++ if (sdata->vif.type != NL80211_IFTYPE_AP) ++ continue; + if (compare_ether_addr(sdata->dev->dev_addr, + hdr->addr2)) { + dev_hold(sdata->dev); diff --git a/queue-2.6.28/mm-rearrange-exit_mmap-to-unlock-before-arch_exit_mmap.patch b/queue-2.6.28/mm-rearrange-exit_mmap-to-unlock-before-arch_exit_mmap.patch new file mode 100644 index 00000000000..530e0d30f3b --- /dev/null +++ b/queue-2.6.28/mm-rearrange-exit_mmap-to-unlock-before-arch_exit_mmap.patch @@ -0,0 +1,80 @@ +From 9480c53e9b2aa13a06283ffb96bb8f1873ac4e9a Mon Sep 17 00:00:00 2001 +From: Jeremy Fitzhardinge +Date: Wed, 11 Feb 2009 13:04:41 -0800 +Subject: mm: rearrange exit_mmap() to unlock before arch_exit_mmap + +From: Jeremy Fitzhardinge + +commit 9480c53e9b2aa13a06283ffb96bb8f1873ac4e9a upstream. + +Christophe Saout reported [in precursor to: +http://marc.info/?l=linux-kernel&m=123209902707347&w=4]: + +> Note that I also some a different issue with CONFIG_UNEVICTABLE_LRU. +> Seems like Xen tears down current->mm early on process termination, so +> that __get_user_pages in exit_mmap causes nasty messages when the +> process had any mlocked pages. (in fact, it somehow manages to get into +> the swapping code and produces a null pointer dereference trying to get +> a swap token) + +Jeremy explained: + +Yes. In the normal case under Xen, an in-use pagetable is "pinned", +meaning that it is RO to the kernel, and all updates must go via hypercall +(or writes are trapped and emulated, which is much the same thing). An +unpinned pagetable is not currently in use by any process, and can be +directly accessed as normal RW pages. + +As an optimisation at process exit time, we unpin the pagetable as early +as possible (switching the process to init_mm), so that all the normal +pagetable teardown can happen with direct memory accesses. + +This happens in exit_mmap() -> arch_exit_mmap(). The munlocking happens +a few lines below. The obvious thing to do would be to move +arch_exit_mmap() to below the munlock code, but I think we'd want to +call it even if mm->mmap is NULL, just to be on the safe side. + +Thus, this patch: + +exit_mmap() needs to unlock any locked vmas before calling arch_exit_mmap, +as the latter may switch the current mm to init_mm, which would cause the +former to fail. + +Signed-off-by: Jeremy Fitzhardinge +Signed-off-by: Lee Schermerhorn +Cc: Christophe Saout +Cc: Keir Fraser +Cc: Christophe Saout +Cc: Alex Williamson +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/mmap.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2093,7 +2093,6 @@ void exit_mmap(struct mm_struct *mm) + unsigned long end; + + /* mm's last user has gone, and its about to be pulled down */ +- arch_exit_mmap(mm); + mmu_notifier_release(mm); + + if (mm->locked_vm) { +@@ -2104,7 +2103,13 @@ void exit_mmap(struct mm_struct *mm) + vma = vma->vm_next; + } + } ++ ++ arch_exit_mmap(mm); ++ + vma = mm->mmap; ++ if (!vma) /* Can happen if dup_mmap() received an OOM */ ++ return; ++ + lru_add_drain(); + flush_cache_mm(mm); + tlb = tlb_gather_mmu(mm, 1); diff --git a/queue-2.6.28/nbd-fix-i-o-hang-on-disconnected-nbds.patch b/queue-2.6.28/nbd-fix-i-o-hang-on-disconnected-nbds.patch new file mode 100644 index 00000000000..b6fc81256a0 --- /dev/null +++ b/queue-2.6.28/nbd-fix-i-o-hang-on-disconnected-nbds.patch @@ -0,0 +1,66 @@ +From 4d48a542b42747c36a5937447d9c3de7c897ea50 Mon Sep 17 00:00:00 2001 +From: Paul Clements +Date: Wed, 11 Feb 2009 13:04:45 -0800 +Subject: nbd: fix I/O hang on disconnected nbds + +From: Paul Clements + +commit 4d48a542b42747c36a5937447d9c3de7c897ea50 upstream. + +Fix a problem that causes I/O to a disconnected (or partially initialized) +nbd device to hang indefinitely. To reproduce: + +# ioctl NBD_SET_SIZE_BLOCKS /dev/nbd23 514048 +# dd if=/dev/nbd23 of=/dev/null bs=4096 count=1 + +...hangs... + +This can also occur when an nbd device loses its nbd-client/server +connection. Although we clear the queue of any outstanding I/Os after the +client/server connection fails, any additional I/Os that get queued later +will hang. + +This bug may also be the problem reported in this bug report: +http://bugzilla.kernel.org/show_bug.cgi?id=12277 + +Testing would need to be performed to determine if the two issues are the +same. + +This problem was introduced by the new request handling thread code ("NBD: +allow nbd to be used locally", 3/2008), which entered into mainline around +2.6.25. + +The fix, which is fairly simple, is to restore the check for lo->sock +being NULL in do_nbd_request. This causes I/O to an uninitialized nbd to +immediately fail with an I/O error, as it did prior to the introduction of +this bug. + +Signed-off-by: Paul Clements +Reported-by: Jon Nelson +Acked-by: Pavel Machek +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/nbd.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -549,6 +549,15 @@ static void do_nbd_request(struct reques + + BUG_ON(lo->magic != LO_MAGIC); + ++ if (unlikely(!lo->sock)) { ++ printk(KERN_ERR "%s: Attempted send on closed socket\n", ++ lo->disk->disk_name); ++ req->errors++; ++ nbd_end_request(req); ++ spin_lock_irq(q->queue_lock); ++ continue; ++ } ++ + spin_lock_irq(&lo->queue_lock); + list_add_tail(&req->queuelist, &lo->waiting_queue); + spin_unlock_irq(&lo->queue_lock); diff --git a/queue-2.6.28/net-4-bytes-kernel-memory-disclosure-in-so_bsdcompat-gsopt-try-2.patch b/queue-2.6.28/net-4-bytes-kernel-memory-disclosure-in-so_bsdcompat-gsopt-try-2.patch new file mode 100644 index 00000000000..2f8127253bb --- /dev/null +++ b/queue-2.6.28/net-4-bytes-kernel-memory-disclosure-in-so_bsdcompat-gsopt-try-2.patch @@ -0,0 +1,48 @@ +From 0fc3e3f9d9a09d4b79b662f2ff8493b73d690b00 Mon Sep 17 00:00:00 2001 +From: Clément Lecigne +Date: Thu, 12 Feb 2009 16:59:09 -0800 +Subject: net: 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try #2 + +From: Clément Lecigne + +[ Upstream commit df0bca049d01c0ee94afb7cd5dfd959541e6c8da ] + +In function sock_getsockopt() located in net/core/sock.c, optval v.val +is not correctly initialized and directly returned in userland in case +we have SO_BSDCOMPAT option set. + +This dummy code should trigger the bug: + +int main(void) +{ + unsigned char buf[4] = { 0, 0, 0, 0 }; + int len; + int sock; + sock = socket(33, 2, 2); + getsockopt(sock, 1, SO_BSDCOMPAT, &buf, &len); + printf("%x%x%x%x\n", buf[0], buf[1], buf[2], buf[3]); + close(sock); +} + +Here is a patch that fix this bug by initalizing v.val just after its +declaration. + +Signed-off-by: Clément Lecigne +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/sock.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -696,6 +696,8 @@ int sock_getsockopt(struct socket *sock, + if (len < 0) + return -EINVAL; + ++ v.val = 0; ++ + switch(optname) { + case SO_DEBUG: + v.val = sock_flag(sk, SOCK_DBG); diff --git a/queue-2.6.28/net-fix-frag_list-handling-in-skb_seq_read.patch b/queue-2.6.28/net-fix-frag_list-handling-in-skb_seq_read.patch new file mode 100644 index 00000000000..7927711c978 --- /dev/null +++ b/queue-2.6.28/net-fix-frag_list-handling-in-skb_seq_read.patch @@ -0,0 +1,52 @@ +From 0d9f5eaa9dd48804aaebcba85e5ec55a26337976 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Thu, 29 Jan 2009 16:07:52 -0800 +Subject: net: Fix frag_list handling in skb_seq_read + +From: Herbert Xu + +[ Upstream commit 95e3b24cfb4ec0479d2c42f7a1780d68063a542a ] + +The frag_list handling was broken in skb_seq_read: + +1) We didn't add the stepped offset when looking at the head +are of fragments other than the first. + +2) We didn't take the stepped offset away when setting the data +pointer in the head area. + +3) The frag index wasn't reset. + +This patch fixes both issues. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/skbuff.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2072,10 +2072,10 @@ unsigned int skb_seq_read(unsigned int c + return 0; + + next_skb: +- block_limit = skb_headlen(st->cur_skb); ++ block_limit = skb_headlen(st->cur_skb) + st->stepped_offset; + + if (abs_offset < block_limit) { +- *data = st->cur_skb->data + abs_offset; ++ *data = st->cur_skb->data + (abs_offset - st->stepped_offset); + return block_limit - abs_offset; + } + +@@ -2117,6 +2117,7 @@ next_skb: + } else if (st->root_skb == st->cur_skb && + skb_shinfo(st->root_skb)->frag_list) { + st->cur_skb = skb_shinfo(st->root_skb)->frag_list; ++ st->frag_idx = 0; + goto next_skb; + } + diff --git a/queue-2.6.28/net-fix-oops-in-skb_seq_read.patch b/queue-2.6.28/net-fix-oops-in-skb_seq_read.patch new file mode 100644 index 00000000000..19985f003dd --- /dev/null +++ b/queue-2.6.28/net-fix-oops-in-skb_seq_read.patch @@ -0,0 +1,85 @@ +From 08e91648b2b61db8f42e285285fe41571dd8dac3 Mon Sep 17 00:00:00 2001 +From: Shyam Iyer +Date: Thu, 29 Jan 2009 16:12:42 -0800 +Subject: net: Fix OOPS in skb_seq_read(). + +From: Shyam Iyer + +[ Upstream commit 71b3346d182355f19509fadb8fe45114a35cc499 ] + +It oopsd for me in skb_seq_read. addr2line said it was +linux-2.6/net/core/skbuff.c:2228, which is this line: + + while (st->frag_idx < skb_shinfo(st->cur_skb)->nr_frags) { + +I added some printks in there and it looks like we hit this: + + } else if (st->root_skb == st->cur_skb && + skb_shinfo(st->root_skb)->frag_list) { + st->cur_skb = skb_shinfo(st->root_skb)->frag_list; + st->frag_idx = 0; + goto next_skb; + } + +Actually I did some testing and added a few printks and found that the +st->cur_skb->data was 0 and hence the ptr used by iscsi_tcp was null. +This caused the kernel panic. + + if (abs_offset < block_limit) { +- *data = st->cur_skb->data + abs_offset; ++ *data = st->cur_skb->data + (abs_offset - st->stepped_offset); + +I enabled the debug_tcp and with a few printks found that the code did +not go to the next_skb label and could find that the sequence being +followed was this - + +It hit this if condition - + + if (st->cur_skb->next) { + st->cur_skb = st->cur_skb->next; + st->frag_idx = 0; + goto next_skb; + +And so, now the st pointer is shifted to the next skb whereas actually +it should have hit the second else if first since the data is in the +frag_list. + + else if (st->root_skb == st->cur_skb && + skb_shinfo(st->root_skb)->frag_list) { + st->cur_skb = skb_shinfo(st->root_skb)->frag_list; + goto next_skb; + } + +Reversing the two conditions the attached patch fixes the issue for me +on top of Herbert's patches. + +Signed-off-by: Shyam Iyer +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/skbuff.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2110,13 +2110,13 @@ next_skb: + st->frag_data = NULL; + } + +- if (st->cur_skb->next) { +- st->cur_skb = st->cur_skb->next; ++ if (st->root_skb == st->cur_skb && ++ skb_shinfo(st->root_skb)->frag_list) { ++ st->cur_skb = skb_shinfo(st->root_skb)->frag_list; + st->frag_idx = 0; + goto next_skb; +- } else if (st->root_skb == st->cur_skb && +- skb_shinfo(st->root_skb)->frag_list) { +- st->cur_skb = skb_shinfo(st->root_skb)->frag_list; ++ } else if (st->cur_skb->next) { ++ st->cur_skb = st->cur_skb->next; + st->frag_idx = 0; + goto next_skb; + } diff --git a/queue-2.6.28/net-fix-userland-breakage-wrt.-linux-if_tunnel.h.patch b/queue-2.6.28/net-fix-userland-breakage-wrt.-linux-if_tunnel.h.patch new file mode 100644 index 00000000000..ee312bfb77a --- /dev/null +++ b/queue-2.6.28/net-fix-userland-breakage-wrt.-linux-if_tunnel.h.patch @@ -0,0 +1,61 @@ +From 5ab332248846509501dc82025f7024eae3851818 Mon Sep 17 00:00:00 2001 +From: David S. Miller +Date: Mon, 2 Feb 2009 13:27:44 -0800 +Subject: net: Fix userland breakage wrt. linux/if_tunnel.h + +From: David S. Miller + +[ Upstream commit 0afd4a21ba7d75e93fa79cf05d7a21774e149c0f ] + +Reported by Andrew Walrond + +Changeset c19e654ddbe3831252f61e76a74d661e1a755530 +("gre: Add netlink interface") added an include +of linux/ip.h to linux/if_tunnel.h + +We can't really let that get exposed to userspace +because this conflicts with types defined in netinet/ip.h +which userland is almost certainly going to have included +either explicitly or implicitly. + +So guard this include with a __KERNEL__ ifdef. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/Kbuild | 2 +- + include/linux/if_tunnel.h | 3 +++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/include/linux/if_tunnel.h ++++ b/include/linux/if_tunnel.h +@@ -2,7 +2,10 @@ + #define _IF_TUNNEL_H_ + + #include ++ ++#ifdef __KERNEL__ + #include ++#endif + + #define SIOCGETTUNNEL (SIOCDEVPRIVATE + 0) + #define SIOCADDTUNNEL (SIOCDEVPRIVATE + 1) +--- a/include/linux/Kbuild ++++ b/include/linux/Kbuild +@@ -92,7 +92,6 @@ header-y += if_ppp.h + header-y += if_slip.h + header-y += if_strip.h + header-y += if_tun.h +-header-y += if_tunnel.h + header-y += in_route.h + header-y += ioctl.h + header-y += ip6_tunnel.h +@@ -241,6 +240,7 @@ unifdef-y += if_phonet.h + unifdef-y += if_pppol2tp.h + unifdef-y += if_pppox.h + unifdef-y += if_tr.h ++unifdef-y += if_tunnel.h + unifdef-y += if_vlan.h + unifdef-y += igmp.h + unifdef-y += inet_diag.h diff --git a/queue-2.6.28/net-packet-socket-packet_lookup_frame-fix.patch b/queue-2.6.28/net-packet-socket-packet_lookup_frame-fix.patch new file mode 100644 index 00000000000..1d5aeee8bed --- /dev/null +++ b/queue-2.6.28/net-packet-socket-packet_lookup_frame-fix.patch @@ -0,0 +1,44 @@ +From 43f0342d2c6907fc842e28341fae2673808fd800 Mon Sep 17 00:00:00 2001 +From: Sebastiano Di Paola +Date: Fri, 30 Jan 2009 23:37:17 +0000 +Subject: net: packet socket packet_lookup_frame fix + +From: Sebastiano Di Paola + +[ Upstream commit f9e6934502e46c363100245f137ddf0f4b1cb574 ] + +packet_lookup_frames() fails to get user frame if current frame header +status contains extra flags. +This is due to the wrong assumption on the operators precedence during +frame status tests. +Fixed by forcing the right operators precedence order with explicit brackets. + +Signed-off-by: Paolo Abeni +Signed-off-by: Sebastiano Di Paola +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/packet/af_packet.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -220,13 +220,13 @@ static void *packet_lookup_frame(struct + h.raw = po->pg_vec[pg_vec_pos] + (frame_offset * po->frame_size); + switch (po->tp_version) { + case TPACKET_V1: +- if (status != h.h1->tp_status ? TP_STATUS_USER : +- TP_STATUS_KERNEL) ++ if (status != (h.h1->tp_status ? TP_STATUS_USER : ++ TP_STATUS_KERNEL)) + return NULL; + break; + case TPACKET_V2: +- if (status != h.h2->tp_status ? TP_STATUS_USER : +- TP_STATUS_KERNEL) ++ if (status != (h.h2->tp_status ? TP_STATUS_USER : ++ TP_STATUS_KERNEL)) + return NULL; + break; + } diff --git a/queue-2.6.28/packet-avoid-lock_sock-in-mmap-handler.patch b/queue-2.6.28/packet-avoid-lock_sock-in-mmap-handler.patch new file mode 100644 index 00000000000..fbe02d975bf --- /dev/null +++ b/queue-2.6.28/packet-avoid-lock_sock-in-mmap-handler.patch @@ -0,0 +1,86 @@ +From 8defbc406ce43e232a749ce593917cbc266db475 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Fri, 30 Jan 2009 14:12:06 -0800 +Subject: packet: Avoid lock_sock in mmap handler + +From: Herbert Xu + +[ Upstream commit 905db44087855e3c1709f538ecdc22fd149cadd8 ] + +As the mmap handler gets called under mmap_sem, and we may grab +mmap_sem elsewhere under the socket lock to access user data, we +should avoid grabbing the socket lock in the mmap handler. + +Since the only thing we care about in the mmap handler is for +pg_vec* to be invariant, i.e., to exclude packet_set_ring, we +can achieve this by simply using a new mutex. + +Signed-off-by: Herbert Xu +Tested-by: Martin MOKREJÅ  +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/packet/af_packet.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -77,6 +77,7 @@ + #include + #include + #include ++#include + + #ifdef CONFIG_INET + #include +@@ -175,6 +176,7 @@ struct packet_sock { + #endif + struct packet_type prot_hook; + spinlock_t bind_lock; ++ struct mutex pg_vec_lock; + unsigned int running:1, /* prot_hook is attached*/ + auxdata:1, + origdev:1; +@@ -1068,6 +1070,7 @@ static int packet_create(struct net *net + */ + + spin_lock_init(&po->bind_lock); ++ mutex_init(&po->pg_vec_lock); + po->prot_hook.func = packet_rcv; + + if (sock->type == SOCK_PACKET) +@@ -1863,6 +1866,7 @@ static int packet_set_ring(struct sock * + synchronize_net(); + + err = -EBUSY; ++ mutex_lock(&po->pg_vec_lock); + if (closing || atomic_read(&po->mapped) == 0) { + err = 0; + #define XC(a, b) ({ __typeof__ ((a)) __t; __t = (a); (a) = (b); __t; }) +@@ -1884,6 +1888,7 @@ static int packet_set_ring(struct sock * + if (atomic_read(&po->mapped)) + printk(KERN_DEBUG "packet_mmap: vma is busy: %d\n", atomic_read(&po->mapped)); + } ++ mutex_unlock(&po->pg_vec_lock); + + spin_lock(&po->bind_lock); + if (was_running && !po->running) { +@@ -1916,7 +1921,7 @@ static int packet_mmap(struct file *file + + size = vma->vm_end - vma->vm_start; + +- lock_sock(sk); ++ mutex_lock(&po->pg_vec_lock); + if (po->pg_vec == NULL) + goto out; + if (size != po->pg_vec_len*po->pg_vec_pages*PAGE_SIZE) +@@ -1939,7 +1944,7 @@ static int packet_mmap(struct file *file + err = 0; + + out: +- release_sock(sk); ++ mutex_unlock(&po->pg_vec_lock); + return err; + } + #endif diff --git a/queue-2.6.28/parport-parport_serial-don-t-bind-netmos-ibm-0299.patch b/queue-2.6.28/parport-parport_serial-don-t-bind-netmos-ibm-0299.patch new file mode 100644 index 00000000000..5cd4a25cc67 --- /dev/null +++ b/queue-2.6.28/parport-parport_serial-don-t-bind-netmos-ibm-0299.patch @@ -0,0 +1,38 @@ +From 3abdbf90a3ffb006108c831c56b092e35483b6ec Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Wed, 11 Feb 2009 13:04:40 -0800 +Subject: parport: parport_serial, don't bind netmos ibm 0299 + +From: Jiri Slaby + +commit 3abdbf90a3ffb006108c831c56b092e35483b6ec upstream. + +Since netmos 9835 with subids 0x1014(IBM):0x0299 is now bound with +serial/8250_pci, because it has no parallel ports and subdevice id isn't +in the expected form, return -ENODEV from probe function. + +This is performed in netmos preinit_hook. + +Signed-off-by: Jiri Slaby +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/parport/parport_serial.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/parport/parport_serial.c ++++ b/drivers/parport/parport_serial.c +@@ -64,6 +64,11 @@ struct parport_pc_pci { + + static int __devinit netmos_parallel_init(struct pci_dev *dev, struct parport_pc_pci *card, int autoirq, int autodma) + { ++ /* the rule described below doesn't hold for this device */ ++ if (dev->device == PCI_DEVICE_ID_NETMOS_9835 && ++ dev->subsystem_vendor == PCI_VENDOR_ID_IBM && ++ dev->subsystem_device == 0x0299) ++ return -ENODEV; + /* + * Netmos uses the subdevice ID to indicate the number of parallel + * and serial ports. The form is 0x00PS, where

is the number of diff --git a/queue-2.6.28/powerpc-fsl-booke-fix-mapping-functions-to-use-phys_addr_t.patch b/queue-2.6.28/powerpc-fsl-booke-fix-mapping-functions-to-use-phys_addr_t.patch new file mode 100644 index 00000000000..383b79d91c3 --- /dev/null +++ b/queue-2.6.28/powerpc-fsl-booke-fix-mapping-functions-to-use-phys_addr_t.patch @@ -0,0 +1,55 @@ +From 6c24b17453c8dc444a746e45b8a404498fc9fcf7 Mon Sep 17 00:00:00 2001 +From: Kumar Gala +Date: Mon, 9 Feb 2009 21:08:07 -0600 +Subject: powerpc/fsl-booke: Fix mapping functions to use phys_addr_t + +From: Kumar Gala + +commit 6c24b17453c8dc444a746e45b8a404498fc9fcf7 upstream. + +Fixed v_mapped_by_tlbcam() and p_mapped_by_tlbcam() to use phys_addr_t +instead of unsigned long. In 36-bit physical mode we really need these +functions to deal with phys_addr_t when trying to match a physical +address or when returning one. + +Signed-off-by: Kumar Gala +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/fsl_booke_mmu.c | 4 ++-- + arch/powerpc/mm/pgtable_32.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/mm/fsl_booke_mmu.c ++++ b/arch/powerpc/mm/fsl_booke_mmu.c +@@ -80,7 +80,7 @@ extern unsigned int tlbcam_index; + /* + * Return PA for this VA if it is mapped by a CAM, or 0 + */ +-unsigned long v_mapped_by_tlbcam(unsigned long va) ++phys_addr_t v_mapped_by_tlbcam(unsigned long va) + { + int b; + for (b = 0; b < tlbcam_index; ++b) +@@ -92,7 +92,7 @@ unsigned long v_mapped_by_tlbcam(unsigne + /* + * Return VA for a given PA or 0 if not mapped + */ +-unsigned long p_mapped_by_tlbcam(unsigned long pa) ++unsigned long p_mapped_by_tlbcam(phys_addr_t pa) + { + int b; + for (b = 0; b < tlbcam_index; ++b) +--- a/arch/powerpc/mm/pgtable_32.c ++++ b/arch/powerpc/mm/pgtable_32.c +@@ -65,8 +65,8 @@ void setbat(int index, unsigned long vir + + #ifdef HAVE_TLBCAM + extern unsigned int tlbcam_index; +-extern unsigned long v_mapped_by_tlbcam(unsigned long va); +-extern unsigned long p_mapped_by_tlbcam(unsigned long pa); ++extern phys_addr_t v_mapped_by_tlbcam(unsigned long va); ++extern unsigned long p_mapped_by_tlbcam(phys_addr_t pa); + #else /* !HAVE_TLBCAM */ + #define v_mapped_by_tlbcam(x) (0UL) + #define p_mapped_by_tlbcam(x) (0UL) diff --git a/queue-2.6.28/sctp-correctly-start-rtx-timer-on-new-packet-transmissions.patch b/queue-2.6.28/sctp-correctly-start-rtx-timer-on-new-packet-transmissions.patch new file mode 100644 index 00000000000..f4fe13733f2 --- /dev/null +++ b/queue-2.6.28/sctp-correctly-start-rtx-timer-on-new-packet-transmissions.patch @@ -0,0 +1,43 @@ +From ad1d2d7ea3005dda363612c8ee7642f0a8970fe5 Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich +Date: Thu, 22 Jan 2009 14:52:43 -0800 +Subject: sctp: Correctly start rtx timer on new packet transmissions. + +From: Vlad Yasevich + +[ Upstream commit 6574df9a89f9f7da3a4e5cee7633d430319d3350 ] + +Commit 62aeaff5ccd96462b7077046357a6d7886175a57 +(sctp: Start T3-RTX timer when fast retransmitting lowest TSN) +introduced a regression where it was possible to forcibly +restart the sctp retransmit timer at the transmission of any +new chunk. This resulted in much longer timeout times and +sometimes hung sctp connections. + +Signed-off-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/sctp/outqueue.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/sctp/outqueue.c ++++ b/net/sctp/outqueue.c +@@ -929,7 +929,6 @@ static int sctp_outq_flush(struct sctp_o + } + + /* Finally, transmit new packets. */ +- start_timer = 0; + while ((chunk = sctp_outq_dequeue_data(q)) != NULL) { + /* RFC 2960 6.5 Every DATA chunk MUST carry a valid + * stream identifier. +@@ -1028,7 +1027,7 @@ static int sctp_outq_flush(struct sctp_o + list_add_tail(&chunk->transmitted_list, + &transport->transmitted); + +- sctp_transport_reset_timers(transport, start_timer-1); ++ sctp_transport_reset_timers(transport, 0); + + q->empty = 0; + diff --git a/queue-2.6.28/sctp-fix-crc32c-calculations-on-big-endian-arhes.patch b/queue-2.6.28/sctp-fix-crc32c-calculations-on-big-endian-arhes.patch new file mode 100644 index 00000000000..2a1baf7c91c --- /dev/null +++ b/queue-2.6.28/sctp-fix-crc32c-calculations-on-big-endian-arhes.patch @@ -0,0 +1,33 @@ +From 18a053fe69e712d13c89dfc71fcd6ed4a60957bf Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich +Date: Thu, 22 Jan 2009 14:52:23 -0800 +Subject: sctp: Fix crc32c calculations on big-endian arhes. + +From: Vlad Yasevich + +[ Upstream commit 9c5ff5f75d0d0a1c7928ecfae3f38418b51a88e3 ] + +crc32c algorithm provides a byteswaped result. On little-endian +arches, the result ends up in big-endian/network byte order. +On big-endinan arches, the result ends up in little-endian +order and needs to be byte swapped again. Thus calling cpu_to_le32 +gives the right output. + +Tested-by: Jukka Taimisto +Signed-off-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/sctp/checksum.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/sctp/checksum.h ++++ b/include/net/sctp/checksum.h +@@ -79,5 +79,5 @@ static inline __be32 sctp_update_cksum(_ + + static inline __be32 sctp_end_cksum(__be32 crc32) + { +- return ~crc32; ++ return (__force __be32)~cpu_to_le32((__force u32)crc32); + } diff --git a/queue-2.6.28/sctp-properly-timestamp-outgoing-data-chunks-for-rtx-purposes.patch b/queue-2.6.28/sctp-properly-timestamp-outgoing-data-chunks-for-rtx-purposes.patch new file mode 100644 index 00000000000..1c620e923f8 --- /dev/null +++ b/queue-2.6.28/sctp-properly-timestamp-outgoing-data-chunks-for-rtx-purposes.patch @@ -0,0 +1,60 @@ +From 3e85145187a4c52c38b3fcb1fe73d273b9e3bd55 Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich +Date: Thu, 22 Jan 2009 14:53:01 -0800 +Subject: sctp: Properly timestamp outgoing data chunks for rtx purposes + +From: Vlad Yasevich + +[ Upstream commit 759af00ebef858015eb68876ac1f383bcb6a1774 ] + +Recent changes to the retransmit code exposed a long standing +bug where it was possible for a chunk to be time stamped +after the retransmit timer was reset. This caused a rare +situation where the retrnamist timer has expired, but +nothing was marked for retrnasmission because all of +timesamps on data were less then 1 rto ago. As result, +the timer was never restarted since nothing was retransmitted, +and this resulted in a hung association that did couldn't +complete the data transfer. The solution is to timestamp +the chunk when it's added to the packet for transmission +purposes. After the packet is trsnmitted the rtx timer +is restarted. This guarantees that when the timer expires, +there will be data to retransmit. + +Signed-off-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/sctp/output.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/sctp/output.c ++++ b/net/sctp/output.c +@@ -324,14 +324,16 @@ append: + switch (chunk->chunk_hdr->type) { + case SCTP_CID_DATA: + retval = sctp_packet_append_data(packet, chunk); ++ if (SCTP_XMIT_OK != retval) ++ goto finish; + /* Disallow SACK bundling after DATA. */ + packet->has_sack = 1; + /* Disallow AUTH bundling after DATA */ + packet->has_auth = 1; + /* Let it be knows that packet has DATA in it */ + packet->has_data = 1; +- if (SCTP_XMIT_OK != retval) +- goto finish; ++ /* timestamp the chunk for rtx purposes */ ++ chunk->sent_at = jiffies; + break; + case SCTP_CID_COOKIE_ECHO: + packet->has_cookie_echo = 1; +@@ -470,7 +472,6 @@ int sctp_packet_transmit(struct sctp_pac + } else + chunk->resent = 1; + +- chunk->sent_at = jiffies; + has_data = 1; + } + diff --git a/queue-2.6.28/series b/queue-2.6.28/series new file mode 100644 index 00000000000..41b3c132d51 --- /dev/null +++ b/queue-2.6.28/series @@ -0,0 +1,39 @@ +x86-vmi-put-a-missing-paravirt_release_pmd-in-pgd_dtor.patch +nbd-fix-i-o-hang-on-disconnected-nbds.patch +mac80211-restrict-to-ap-in-outgoing-interface-heuristic.patch +w1-w1-temp-calculation-overflow-fix.patch +zd1211rw-adding-0ace-0xa211-as-a-zd1211-device.patch +zd1211rw-treat-maxim_new_rf-as-uw2453_rf-for-tp-link-wn322-422g.patch +parport-parport_serial-don-t-bind-netmos-ibm-0299.patch +syscall-define-fix-uml-compile-bug.patch +kernel-doc-fix-syscall-wrapper-processing.patch +fix-page-writeback-thinko-causing-berkeley-db-slowdown.patch +write-back-fix-nr_to_write-counter.patch +writeback-fix-break-condition.patch +mm-rearrange-exit_mmap-to-unlock-before-arch_exit_mmap.patch +powerpc-fsl-booke-fix-mapping-functions-to-use-phys_addr_t.patch +lockd-fix-regression-in-lockd-s-handling-of-blocked-locks.patch +sctp-fix-crc32c-calculations-on-big-endian-arhes.patch +sctp-correctly-start-rtx-timer-on-new-packet-transmissions.patch +sctp-properly-timestamp-outgoing-data-chunks-for-rtx-purposes.patch +net-fix-frag_list-handling-in-skb_seq_read.patch +net-fix-oops-in-skb_seq_read.patch +drivers-net-skfp-if-capable-inverted-logic.patch +ipv4-fix-infinite-retry-loop-in-ip-config.patch +net-fix-userland-breakage-wrt.-linux-if_tunnel.h.patch +net-packet-socket-packet_lookup_frame-fix.patch +packet-avoid-lock_sock-in-mmap-handler.patch +sungem-soft-lockup-in-sungem-on-netra-ac200-when-switching-interface-up.patch +udp-fix-udp-short-packet-false-positive.patch +udp-increments-sk_drops-in-__udp_queue_rcv_skb.patch +ipv6-disallow-rediculious-flowlabel-option-sizes.patch +ipv6-copy-cork-options-in-ip6_append_data.patch +net-4-bytes-kernel-memory-disclosure-in-so_bsdcompat-gsopt-try-2.patch +sky2-fix-hard-hang-with-netconsoling-and-iface-going-up.patch +tun-add-some-missing-tun-compat-ioctl-translations.patch +tun-fix-unicast-filter-overflow.patch +virtio_net-fix-max_packet_len-to-support-802.1q-vlans.patch +tcp-splice-as-many-packets-as-possible-at-once.patch +tcp-fix-length-tcp_splice_data_recv-passes-to-skb_splice_bits.patch +sparc-enable-syscall-wrappers-for-64-bit.patch +sparc64-annotate-sparc64-specific-syscalls-with-syscall_definex.patch diff --git a/queue-2.6.28/sky2-fix-hard-hang-with-netconsoling-and-iface-going-up.patch b/queue-2.6.28/sky2-fix-hard-hang-with-netconsoling-and-iface-going-up.patch new file mode 100644 index 00000000000..d1e8a1ee229 --- /dev/null +++ b/queue-2.6.28/sky2-fix-hard-hang-with-netconsoling-and-iface-going-up.patch @@ -0,0 +1,43 @@ +From e10e3ce9793b1511c0deb4081d0ecb2fa6872614 Mon Sep 17 00:00:00 2001 +From: Alexey Dobriyan +Date: Fri, 30 Jan 2009 13:45:31 -0800 +Subject: sky2: fix hard hang with netconsoling and iface going up + +From: Alexey Dobriyan + +[ Upstream commit a11da890e4c9850411303efcf6514f048ca880ee ] + +Printing anything over netconsole before hw is up and running is, +of course, not going to work. + +Signed-off-by: Alexey Dobriyan +Acked-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/sky2.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/sky2.c ++++ b/drivers/net/sky2.c +@@ -1403,9 +1403,6 @@ static int sky2_up(struct net_device *de + + } + +- if (netif_msg_ifup(sky2)) +- printk(KERN_INFO PFX "%s: enabling interface\n", dev->name); +- + netif_carrier_off(dev); + + /* must be power of 2 */ +@@ -1484,6 +1481,9 @@ static int sky2_up(struct net_device *de + sky2_write32(hw, B0_IMSK, imask); + + sky2_set_multicast(dev); ++ ++ if (netif_msg_ifup(sky2)) ++ printk(KERN_INFO PFX "%s: enabling interface\n", dev->name); + return 0; + + err_out: diff --git a/queue-2.6.28/sparc-enable-syscall-wrappers-for-64-bit.patch b/queue-2.6.28/sparc-enable-syscall-wrappers-for-64-bit.patch new file mode 100644 index 00000000000..9ddbed489d7 --- /dev/null +++ b/queue-2.6.28/sparc-enable-syscall-wrappers-for-64-bit.patch @@ -0,0 +1,30 @@ +From 1caf71c29f3df0e070042e3c6be1699007882789 Mon Sep 17 00:00:00 2001 +From: Christian Borntraeger +Date: Fri, 13 Feb 2009 00:25:10 -0800 +Subject: sparc: Enable syscall wrappers for 64-bit (CVE-2009-0029) + +From: Christian Borntraeger + +[ Upstream commit 67605d6812691bbd2158d2f60259e0407611bc1b ] + +sparc64 needs sign-extended function parameters. We have to enable +the system call wrappers. + +Signed-off-by: Christian Borntraeger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sparc64/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/sparc64/Kconfig ++++ b/arch/sparc64/Kconfig +@@ -14,6 +14,7 @@ config SPARC64 + select HAVE_FUNCTION_TRACER + select HAVE_IDE + select HAVE_LMB ++ select HAVE_SYSCALL_WRAPPERS + select HAVE_ARCH_KGDB + select USE_GENERIC_SMP_HELPERS if SMP + select HAVE_ARCH_TRACEHOOK diff --git a/queue-2.6.28/sparc64-annotate-sparc64-specific-syscalls-with-syscall_definex.patch b/queue-2.6.28/sparc64-annotate-sparc64-specific-syscalls-with-syscall_definex.patch new file mode 100644 index 00000000000..a1539e4f2dc --- /dev/null +++ b/queue-2.6.28/sparc64-annotate-sparc64-specific-syscalls-with-syscall_definex.patch @@ -0,0 +1,236 @@ +From 17bb1acd4db2206779676b1641272cdc818059ae Mon Sep 17 00:00:00 2001 +From: David S. Miller +Date: Fri, 13 Feb 2009 00:26:00 -0800 +Subject: sparc64: Annotate sparc64 specific syscalls with SYSCALL_DEFINEx() + +From: David S. Miller + +[ Upstream commit e42650196df34789c825fa83f8bb37a5d5e52c14 ] + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sparc64/kernel/sys_sparc.c | 48 +++++++++++++++++++--------------------- + arch/sparc64/kernel/syscalls.S | 2 - + arch/sparc64/kernel/systbls.S | 16 ++++++------- + arch/sparc64/kernel/systbls.h | 3 -- + 4 files changed, 32 insertions(+), 37 deletions(-) + +--- a/arch/sparc64/kernel/syscalls.S ++++ b/arch/sparc64/kernel/syscalls.S +@@ -21,7 +21,7 @@ execve_merge: + + .align 32 + sys_sparc_pipe: +- ba,pt %xcc, sparc_pipe ++ ba,pt %xcc, sys_sparc_pipe_real + add %sp, PTREGS_OFF, %o0 + sys_nis_syscall: + ba,pt %xcc, c_sys_nis_syscall +--- a/arch/sparc64/kernel/sys_sparc.c ++++ b/arch/sparc64/kernel/sys_sparc.c +@@ -397,7 +397,7 @@ void arch_pick_mmap_layout(struct mm_str + } + } + +-asmlinkage unsigned long sparc_brk(unsigned long brk) ++SYSCALL_DEFINE1(sparc_brk, unsigned long, brk) + { + /* People could try to be nasty and use ta 0x6d in 32bit programs */ + if (test_thread_flag(TIF_32BIT) && brk >= STACK_TOP32) +@@ -413,7 +413,7 @@ asmlinkage unsigned long sparc_brk(unsig + * sys_pipe() is the normal C calling standard for creating + * a pipe. It's not the way unix traditionally does this, though. + */ +-asmlinkage long sparc_pipe(struct pt_regs *regs) ++SYSCALL_DEFINE1(sparc_pipe_real, struct pt_regs *, regs) + { + int fd[2]; + int error; +@@ -433,8 +433,8 @@ out: + * This is really horribly ugly. + */ + +-asmlinkage long sys_ipc(unsigned int call, int first, unsigned long second, +- unsigned long third, void __user *ptr, long fifth) ++SYSCALL_DEFINE6(ipc, unsigned int, call, int, first, unsigned long, second, ++ unsigned long, third, void __user *, ptr, long, fifth) + { + long err; + +@@ -517,7 +517,7 @@ out: + return err; + } + +-asmlinkage long sparc64_newuname(struct new_utsname __user *name) ++SYSCALL_DEFINE1(sparc64_newuname, struct new_utsname __user *, name) + { + int ret = sys_newuname(name); + +@@ -528,7 +528,7 @@ asmlinkage long sparc64_newuname(struct + return ret; + } + +-asmlinkage long sparc64_personality(unsigned long personality) ++SYSCALL_DEFINE1(sparc64_personality, unsigned long, personality) + { + int ret; + +@@ -562,9 +562,9 @@ int sparc_mmap_check(unsigned long addr, + } + + /* Linux version of mmap */ +-asmlinkage unsigned long sys_mmap(unsigned long addr, unsigned long len, +- unsigned long prot, unsigned long flags, unsigned long fd, +- unsigned long off) ++SYSCALL_DEFINE6(mmap, unsigned long, addr, unsigned long, len, ++ unsigned long, prot, unsigned long, flags, unsigned long, fd, ++ unsigned long, off) + { + struct file * file = NULL; + unsigned long retval = -EBADF; +@@ -587,7 +587,7 @@ out: + return retval; + } + +-asmlinkage long sys64_munmap(unsigned long addr, size_t len) ++SYSCALL_DEFINE2(64_munmap, unsigned long, addr, size_t, len) + { + long ret; + +@@ -604,9 +604,9 @@ extern unsigned long do_mremap(unsigned + unsigned long old_len, unsigned long new_len, + unsigned long flags, unsigned long new_addr); + +-asmlinkage unsigned long sys64_mremap(unsigned long addr, +- unsigned long old_len, unsigned long new_len, +- unsigned long flags, unsigned long new_addr) ++SYSCALL_DEFINE5(64_mremap, unsigned long, addr, unsigned long, old_len, ++ unsigned long, new_len, unsigned long, flags, ++ unsigned long, new_addr) + { + unsigned long ret = -EINVAL; + +@@ -669,7 +669,7 @@ asmlinkage void sparc_breakpoint(struct + + extern void check_pending(int signum); + +-asmlinkage long sys_getdomainname(char __user *name, int len) ++SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len) + { + int nlen, err; + +@@ -692,11 +692,10 @@ out: + return err; + } + +-asmlinkage long sys_utrap_install(utrap_entry_t type, +- utrap_handler_t new_p, +- utrap_handler_t new_d, +- utrap_handler_t __user *old_p, +- utrap_handler_t __user *old_d) ++SYSCALL_DEFINE5(utrap_install, utrap_entry_t, type, ++ utrap_handler_t, new_p, utrap_handler_t, new_d, ++ utrap_handler_t __user *, old_p, ++ utrap_handler_t __user *, old_d) + { + if (type < UT_INSTRUCTION_EXCEPTION || type > UT_TRAP_INSTRUCTION_31) + return -EINVAL; +@@ -762,11 +761,9 @@ asmlinkage long sparc_memory_ordering(un + return 0; + } + +-asmlinkage long sys_rt_sigaction(int sig, +- const struct sigaction __user *act, +- struct sigaction __user *oact, +- void __user *restorer, +- size_t sigsetsize) ++SYSCALL_DEFINE5(rt_sigaction, int, sig, const struct sigaction __user *, act, ++ struct sigaction __user *, oact, void __user *, restorer, ++ size_t, sigsetsize) + { + struct k_sigaction new_ka, old_ka; + int ret; +@@ -806,7 +803,8 @@ asmlinkage void update_perfctrs(void) + reset_pic(); + } + +-asmlinkage long sys_perfctr(int opcode, unsigned long arg0, unsigned long arg1, unsigned long arg2) ++SYSCALL_DEFINE4(perfctr, int, opcode, unsigned long, arg0, ++ unsigned long, arg1, unsigned long, arg2) + { + int err = 0; + +--- a/arch/sparc64/kernel/systbls.h ++++ b/arch/sparc64/kernel/systbls.h +@@ -16,9 +16,6 @@ extern asmlinkage long sys_ipc(unsigned + void __user *ptr, long fifth); + extern asmlinkage long sparc64_newuname(struct new_utsname __user *name); + extern asmlinkage long sparc64_personality(unsigned long personality); +-extern asmlinkage unsigned long sys_mmap(unsigned long addr, unsigned long len, +- unsigned long prot, unsigned long flags, +- unsigned long fd, unsigned long off); + extern asmlinkage long sys64_munmap(unsigned long addr, size_t len); + extern asmlinkage unsigned long sys64_mremap(unsigned long addr, + unsigned long old_len, +--- a/arch/sparc64/kernel/systbls.S ++++ b/arch/sparc64/kernel/systbls.S +@@ -21,7 +21,7 @@ sys_call_table32: + /*0*/ .word sys_restart_syscall, sys32_exit, sys_fork, sys_read, sys_write + /*5*/ .word sys32_open, sys_close, sys32_wait4, sys32_creat, sys_link + /*10*/ .word sys_unlink, sunos_execv, sys_chdir, sys_chown16, sys32_mknod +-/*15*/ .word sys_chmod, sys_lchown16, sparc_brk, sys32_perfctr, sys32_lseek ++/*15*/ .word sys_chmod, sys_lchown16, sys_sparc_brk, sys32_perfctr, sys32_lseek + /*20*/ .word sys_getpid, sys_capget, sys_capset, sys_setuid16, sys_getuid16 + /*25*/ .word sys32_vmsplice, compat_sys_ptrace, sys_alarm, sys32_sigaltstack, sys_pause + /*30*/ .word compat_sys_utime, sys_lchown, sys_fchown, sys32_access, sys32_nice +@@ -55,8 +55,8 @@ sys_call_table32: + /*170*/ .word sys32_lsetxattr, sys32_fsetxattr, sys_getxattr, sys_lgetxattr, compat_sys_getdents + .word sys_setsid, sys_fchdir, sys32_fgetxattr, sys_listxattr, sys_llistxattr + /*180*/ .word sys32_flistxattr, sys_removexattr, sys_lremovexattr, compat_sys_sigpending, sys_ni_syscall +- .word sys32_setpgid, sys32_fremovexattr, sys32_tkill, sys32_exit_group, sparc64_newuname +-/*190*/ .word sys32_init_module, sparc64_personality, sys_remap_file_pages, sys32_epoll_create, sys32_epoll_ctl ++ .word sys32_setpgid, sys32_fremovexattr, sys32_tkill, sys32_exit_group, sys_sparc64_newuname ++/*190*/ .word sys32_init_module, sys_sparc64_personality, sys_remap_file_pages, sys32_epoll_create, sys32_epoll_ctl + .word sys32_epoll_wait, sys32_ioprio_set, sys_getppid, sys32_sigaction, sys_sgetmask + /*200*/ .word sys32_ssetmask, sys_sigsuspend, compat_sys_newlstat, sys_uselib, compat_sys_old_readdir + .word sys32_readahead, sys32_socketcall, sys32_syslog, sys32_lookup_dcookie, sys32_fadvise64 +@@ -95,7 +95,7 @@ sys_call_table: + /*0*/ .word sys_restart_syscall, sparc_exit, sys_fork, sys_read, sys_write + /*5*/ .word sys_open, sys_close, sys_wait4, sys_creat, sys_link + /*10*/ .word sys_unlink, sys_nis_syscall, sys_chdir, sys_chown, sys_mknod +-/*15*/ .word sys_chmod, sys_lchown, sparc_brk, sys_perfctr, sys_lseek ++/*15*/ .word sys_chmod, sys_lchown, sys_sparc_brk, sys_perfctr, sys_lseek + /*20*/ .word sys_getpid, sys_capget, sys_capset, sys_setuid, sys_getuid + /*25*/ .word sys_vmsplice, sys_ptrace, sys_alarm, sys_sigaltstack, sys_nis_syscall + /*30*/ .word sys_utime, sys_nis_syscall, sys_nis_syscall, sys_access, sys_nice +@@ -106,7 +106,7 @@ sys_call_table: + .word sys_reboot, sys_nis_syscall, sys_symlink, sys_readlink, sys_execve + /*60*/ .word sys_umask, sys_chroot, sys_newfstat, sys_fstat64, sys_getpagesize + .word sys_msync, sys_vfork, sys_pread64, sys_pwrite64, sys_nis_syscall +-/*70*/ .word sys_nis_syscall, sys_mmap, sys_nis_syscall, sys64_munmap, sys_mprotect ++/*70*/ .word sys_nis_syscall, sys_mmap, sys_nis_syscall, sys_64_munmap, sys_mprotect + .word sys_madvise, sys_vhangup, sys_nis_syscall, sys_mincore, sys_getgroups + /*80*/ .word sys_setgroups, sys_getpgrp, sys_nis_syscall, sys_setitimer, sys_nis_syscall + .word sys_swapon, sys_getitimer, sys_nis_syscall, sys_sethostname, sys_nis_syscall +@@ -129,8 +129,8 @@ sys_call_table: + /*170*/ .word sys_lsetxattr, sys_fsetxattr, sys_getxattr, sys_lgetxattr, sys_getdents + .word sys_setsid, sys_fchdir, sys_fgetxattr, sys_listxattr, sys_llistxattr + /*180*/ .word sys_flistxattr, sys_removexattr, sys_lremovexattr, sys_nis_syscall, sys_ni_syscall +- .word sys_setpgid, sys_fremovexattr, sys_tkill, sys_exit_group, sparc64_newuname +-/*190*/ .word sys_init_module, sparc64_personality, sys_remap_file_pages, sys_epoll_create, sys_epoll_ctl ++ .word sys_setpgid, sys_fremovexattr, sys_tkill, sys_exit_group, sys_sparc64_newuname ++/*190*/ .word sys_init_module, sys_sparc64_personality, sys_remap_file_pages, sys_epoll_create, sys_epoll_ctl + .word sys_epoll_wait, sys_ioprio_set, sys_getppid, sys_nis_syscall, sys_sgetmask + /*200*/ .word sys_ssetmask, sys_nis_syscall, sys_newlstat, sys_uselib, sys_nis_syscall + .word sys_readahead, sys_socketcall, sys_syslog, sys_lookup_dcookie, sys_fadvise64 +@@ -142,7 +142,7 @@ sys_call_table: + .word sys_fstatfs64, sys_llseek, sys_mlock, sys_munlock, sys_mlockall + /*240*/ .word sys_munlockall, sys_sched_setparam, sys_sched_getparam, sys_sched_setscheduler, sys_sched_getscheduler + .word sys_sched_yield, sys_sched_get_priority_max, sys_sched_get_priority_min, sys_sched_rr_get_interval, sys_nanosleep +-/*250*/ .word sys64_mremap, sys_sysctl, sys_getsid, sys_fdatasync, sys_nfsservctl ++/*250*/ .word sys_64_mremap, sys_sysctl, sys_getsid, sys_fdatasync, sys_nfsservctl + .word sys_sync_file_range, sys_clock_settime, sys_clock_gettime, sys_clock_getres, sys_clock_nanosleep + /*260*/ .word sys_sched_getaffinity, sys_sched_setaffinity, sys_timer_settime, sys_timer_gettime, sys_timer_getoverrun + .word sys_timer_delete, sys_timer_create, sys_ni_syscall, sys_io_setup, sys_io_destroy diff --git a/queue-2.6.28/sungem-soft-lockup-in-sungem-on-netra-ac200-when-switching-interface-up.patch b/queue-2.6.28/sungem-soft-lockup-in-sungem-on-netra-ac200-when-switching-interface-up.patch new file mode 100644 index 00000000000..e503015c006 --- /dev/null +++ b/queue-2.6.28/sungem-soft-lockup-in-sungem-on-netra-ac200-when-switching-interface-up.patch @@ -0,0 +1,71 @@ +From 07a2a2f9314f6e61d9c544d6ada9892fb65cef00 Mon Sep 17 00:00:00 2001 +From: Ilkka Virta +Date: Fri, 6 Feb 2009 22:00:36 -0800 +Subject: sungem: Soft lockup in sungem on Netra AC200 when switching interface up + +From: Ilkka Virta + +[ Upstream commit 71822faa3bc0af5dbf5e333a2d085f1ed7cd809f ] + +From: Ilkka Virta + +In the lockup situation the driver seems to go off in an eternal storm +of interrupts right after calling request_irq(). It doesn't actually +do anything interesting in the interrupt handler. Since connecting the link +afterwards works, something later in initialization must fix this. + +Looking at gem_do_start() and gem_open(), it seems that the only thing +done while opening the device after the request_irq(), is a call to +napi_enable(). + +I don't know what the ordering requirements are for the +initialization, but I boldly tried to move the napi_enable() call +inside gem_do_start() before the link state is checked and interrupts +subsequently enabled, and it seems to work for me. Doesn't even break +anything too obvious... + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/sungem.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/sungem.c ++++ b/drivers/net/sungem.c +@@ -2222,6 +2222,8 @@ static int gem_do_start(struct net_devic + + gp->running = 1; + ++ napi_enable(&gp->napi); ++ + if (gp->lstate == link_up) { + netif_carrier_on(gp->dev); + gem_set_link_modes(gp); +@@ -2239,6 +2241,8 @@ static int gem_do_start(struct net_devic + spin_lock_irqsave(&gp->lock, flags); + spin_lock(&gp->tx_lock); + ++ napi_disable(&gp->napi); ++ + gp->running = 0; + gem_reset(gp); + gem_clean_rings(gp); +@@ -2339,8 +2343,6 @@ static int gem_open(struct net_device *d + if (!gp->asleep) + rc = gem_do_start(dev); + gp->opened = (rc == 0); +- if (gp->opened) +- napi_enable(&gp->napi); + + mutex_unlock(&gp->pm_mutex); + +@@ -2477,8 +2479,6 @@ static int gem_resume(struct pci_dev *pd + + /* Re-attach net device */ + netif_device_attach(dev); +- +- napi_enable(&gp->napi); + } + + spin_lock_irqsave(&gp->lock, flags); diff --git a/queue-2.6.28/syscall-define-fix-uml-compile-bug.patch b/queue-2.6.28/syscall-define-fix-uml-compile-bug.patch new file mode 100644 index 00000000000..404682aaffd --- /dev/null +++ b/queue-2.6.28/syscall-define-fix-uml-compile-bug.patch @@ -0,0 +1,89 @@ +From 6c5979631b4b03c9288776562c18036765e398c1 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Wed, 11 Feb 2009 13:04:38 -0800 +Subject: syscall define: fix uml compile bug + +From: Heiko Carstens + +commit 6c5979631b4b03c9288776562c18036765e398c1 upstream. + +With the new system call defines we get this on uml: + +arch/um/sys-i386/built-in.o: In function `sys_call_table': +(.rodata+0x308): undefined reference to `sys_sigprocmask' + +Reason for this is that uml passes the preprocessor option +-Dsigprocmask=kernel_sigprocmask to gcc when compiling the kernel. +This causes SYSCALL_DEFINE3(sigprocmask, ...) to be expanded to +SYSCALL_DEFINEx(3, kernel_sigprocmask, ...) and finally to a system +call named sys_kernel_sigprocmask. However sys_sigprocmask is missing +because of this. + +To avoid macro expansion for the system call name just concatenate the +name at first define instead of carrying it through severel levels. +This was pointed out by Al Viro. + +Signed-off-by: Heiko Carstens +Cc: Geert Uytterhoeven +Cc: Al Viro +Reviewed-by: WANG Cong +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/syscalls.h | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +--- a/include/linux/syscalls.h ++++ b/include/linux/syscalls.h +@@ -95,13 +95,13 @@ struct old_linux_dirent; + #define __SC_TEST5(t5, a5, ...) __SC_TEST(t5); __SC_TEST4(__VA_ARGS__) + #define __SC_TEST6(t6, a6, ...) __SC_TEST(t6); __SC_TEST5(__VA_ARGS__) + +-#define SYSCALL_DEFINE0(name) asmlinkage long sys_##name(void) +-#define SYSCALL_DEFINE1(...) SYSCALL_DEFINEx(1, __VA_ARGS__) +-#define SYSCALL_DEFINE2(...) SYSCALL_DEFINEx(2, __VA_ARGS__) +-#define SYSCALL_DEFINE3(...) SYSCALL_DEFINEx(3, __VA_ARGS__) +-#define SYSCALL_DEFINE4(...) SYSCALL_DEFINEx(4, __VA_ARGS__) +-#define SYSCALL_DEFINE5(...) SYSCALL_DEFINEx(5, __VA_ARGS__) +-#define SYSCALL_DEFINE6(...) SYSCALL_DEFINEx(6, __VA_ARGS__) ++#define SYSCALL_DEFINE0(name) asmlinkage long sys_##name(void) ++#define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__) ++#define SYSCALL_DEFINE2(name, ...) SYSCALL_DEFINEx(2, _##name, __VA_ARGS__) ++#define SYSCALL_DEFINE3(name, ...) SYSCALL_DEFINEx(3, _##name, __VA_ARGS__) ++#define SYSCALL_DEFINE4(name, ...) SYSCALL_DEFINEx(4, _##name, __VA_ARGS__) ++#define SYSCALL_DEFINE5(name, ...) SYSCALL_DEFINEx(5, _##name, __VA_ARGS__) ++#define SYSCALL_DEFINE6(name, ...) SYSCALL_DEFINEx(6, _##name, __VA_ARGS__) + + #ifdef CONFIG_PPC64 + #define SYSCALL_ALIAS(alias, name) \ +@@ -116,21 +116,21 @@ struct old_linux_dirent; + + #define SYSCALL_DEFINE(name) static inline long SYSC_##name + #define SYSCALL_DEFINEx(x, name, ...) \ +- asmlinkage long sys_##name(__SC_DECL##x(__VA_ARGS__)); \ +- static inline long SYSC_##name(__SC_DECL##x(__VA_ARGS__)); \ +- asmlinkage long SyS_##name(__SC_LONG##x(__VA_ARGS__)) \ ++ asmlinkage long sys##name(__SC_DECL##x(__VA_ARGS__)); \ ++ static inline long SYSC##name(__SC_DECL##x(__VA_ARGS__)); \ ++ asmlinkage long SyS##name(__SC_LONG##x(__VA_ARGS__)) \ + { \ + __SC_TEST##x(__VA_ARGS__); \ +- return (long) SYSC_##name(__SC_CAST##x(__VA_ARGS__)); \ ++ return (long) SYSC##name(__SC_CAST##x(__VA_ARGS__)); \ + } \ +- SYSCALL_ALIAS(sys_##name, SyS_##name); \ +- static inline long SYSC_##name(__SC_DECL##x(__VA_ARGS__)) ++ SYSCALL_ALIAS(sys##name, SyS##name); \ ++ static inline long SYSC##name(__SC_DECL##x(__VA_ARGS__)) + + #else /* CONFIG_HAVE_SYSCALL_WRAPPERS */ + + #define SYSCALL_DEFINE(name) asmlinkage long sys_##name + #define SYSCALL_DEFINEx(x, name, ...) \ +- asmlinkage long sys_##name(__SC_DECL##x(__VA_ARGS__)) ++ asmlinkage long sys##name(__SC_DECL##x(__VA_ARGS__)) + + #endif /* CONFIG_HAVE_SYSCALL_WRAPPERS */ + diff --git a/queue-2.6.28/tcp-fix-length-tcp_splice_data_recv-passes-to-skb_splice_bits.patch b/queue-2.6.28/tcp-fix-length-tcp_splice_data_recv-passes-to-skb_splice_bits.patch new file mode 100644 index 00000000000..8bdf0e28f4a --- /dev/null +++ b/queue-2.6.28/tcp-fix-length-tcp_splice_data_recv-passes-to-skb_splice_bits.patch @@ -0,0 +1,47 @@ +From 422fdbf8d7a4cb686a70d174f06555a821d06216 Mon Sep 17 00:00:00 2001 +From: Dimitris Michailidis +Date: Mon, 26 Jan 2009 22:15:31 -0800 +Subject: tcp: Fix length tcp_splice_data_recv passes to skb_splice_bits. + +From: Dimitris Michailidis + +[ Upstream commit 9fa5fdf291c9b58b1cb8b4bb2a0ee57efa21d635 ] + +tcp_splice_data_recv has two lengths to consider: the len parameter it +gets from tcp_read_sock, which specifies the amount of data in the skb, +and rd_desc->count, which is the amount of data the splice caller still +wants. Currently it passes just the latter to skb_splice_bits, which then +splices min(rd_desc->count, skb->len - offset) bytes. + +Most of the time this is fine, except when the skb contains urgent data. +In that case len goes only up to the urgent byte and is less than +skb->len - offset. By ignoring len tcp_splice_data_recv may a) splice +data tcp_read_sock told it not to, b) return to tcp_read_sock a value > len. + +Now, tcp_read_sock doesn't handle used > len and leaves the socket in a +bad state (both sk_receive_queue and copied_seq are bad at that point) +resulting in duplicated data and corruption. + +Fix by passing min(rd_desc->count, len) to skb_splice_bits. + +Signed-off-by: Dimitris Michailidis +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -522,7 +522,8 @@ static int tcp_splice_data_recv(read_des + struct tcp_splice_state *tss = rd_desc->arg.data; + int ret; + +- ret = skb_splice_bits(skb, offset, tss->pipe, rd_desc->count, tss->flags); ++ ret = skb_splice_bits(skb, offset, tss->pipe, min(rd_desc->count, len), ++ tss->flags); + if (ret > 0) + rd_desc->count -= ret; + return ret; diff --git a/queue-2.6.28/tcp-splice-as-many-packets-as-possible-at-once.patch b/queue-2.6.28/tcp-splice-as-many-packets-as-possible-at-once.patch new file mode 100644 index 00000000000..a43ec21b6c2 --- /dev/null +++ b/queue-2.6.28/tcp-splice-as-many-packets-as-possible-at-once.patch @@ -0,0 +1,72 @@ +From e1037dab62346300c370b6017ea5083c0c1c5366 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Tue, 13 Jan 2009 16:04:36 -0800 +Subject: tcp: splice as many packets as possible at once + +From: Willy Tarreau + +[ Upstream commit 33966dd0e2f68f26943cd9ee93ec6abbc6547a8e ] + +As spotted by Willy Tarreau, current splice() from tcp socket to pipe is not +optimal. It processes at most one segment per call. +This results in low performance and very high overhead due to syscall rate +when splicing from interfaces which do not support LRO. + +Willy provided a patch inside tcp_splice_read(), but a better fix +is to let tcp_read_sock() process as many segments as possible, so +that tcp_rcv_space_adjust() and tcp_cleanup_rbuf() are called less +often. + +With this change, splice() behaves like tcp_recvmsg(), being able +to consume many skbs in one system call. With typical 1460 bytes +of payload per frame, that means splice(SPLICE_F_NONBLOCK) can return +16*1460 = 23360 bytes. + +Signed-off-by: Willy Tarreau +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -520,8 +520,12 @@ static int tcp_splice_data_recv(read_des + unsigned int offset, size_t len) + { + struct tcp_splice_state *tss = rd_desc->arg.data; ++ int ret; + +- return skb_splice_bits(skb, offset, tss->pipe, tss->len, tss->flags); ++ ret = skb_splice_bits(skb, offset, tss->pipe, rd_desc->count, tss->flags); ++ if (ret > 0) ++ rd_desc->count -= ret; ++ return ret; + } + + static int __tcp_splice_read(struct sock *sk, struct tcp_splice_state *tss) +@@ -529,6 +533,7 @@ static int __tcp_splice_read(struct sock + /* Store TCP splice context information in read_descriptor_t. */ + read_descriptor_t rd_desc = { + .arg.data = tss, ++ .count = tss->len, + }; + + return tcp_read_sock(sk, &rd_desc, tcp_splice_data_recv); +@@ -613,11 +618,13 @@ ssize_t tcp_splice_read(struct socket *s + tss.len -= ret; + spliced += ret; + ++ if (!timeo) ++ break; + release_sock(sk); + lock_sock(sk); + + if (sk->sk_err || sk->sk_state == TCP_CLOSE || +- (sk->sk_shutdown & RCV_SHUTDOWN) || !timeo || ++ (sk->sk_shutdown & RCV_SHUTDOWN) || + signal_pending(current)) + break; + } diff --git a/queue-2.6.28/tun-add-some-missing-tun-compat-ioctl-translations.patch b/queue-2.6.28/tun-add-some-missing-tun-compat-ioctl-translations.patch new file mode 100644 index 00000000000..575066ebed0 --- /dev/null +++ b/queue-2.6.28/tun-add-some-missing-tun-compat-ioctl-translations.patch @@ -0,0 +1,52 @@ +From f25e709c3968c8a8ab5c9bcf54005437e6de20ec Mon Sep 17 00:00:00 2001 +From: David S. Miller +Date: Thu, 29 Jan 2009 16:53:35 -0800 +Subject: tun: Add some missing TUN compat ioctl translations. + +From: David S. Miller + +[ Upstream commit df1c46b2b6876d0a1b1b4740f009fa69d95ebbc9 ] + +Based upon a report from Michael Tokarev : + + Just saw in dmesg: + + ioctl32(kvm:4408): Unknown cmd fd(9) cmd(800454cf){t:'T';sz:4} arg(ffc668e4) on /dev/net/tun + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + fs/compat_ioctl.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/compat_ioctl.c ++++ b/fs/compat_ioctl.c +@@ -538,6 +538,7 @@ static int dev_ifsioc(unsigned int fd, u + * cannot be fixed without breaking all existing apps. + */ + case TUNSETIFF: ++ case TUNGETIFF: + case SIOCGIFFLAGS: + case SIOCGIFMETRIC: + case SIOCGIFMTU: +@@ -1982,6 +1983,11 @@ COMPATIBLE_IOCTL(TUNSETNOCSUM) + COMPATIBLE_IOCTL(TUNSETDEBUG) + COMPATIBLE_IOCTL(TUNSETPERSIST) + COMPATIBLE_IOCTL(TUNSETOWNER) ++COMPATIBLE_IOCTL(TUNSETLINK) ++COMPATIBLE_IOCTL(TUNSETGROUP) ++COMPATIBLE_IOCTL(TUNGETFEATURES) ++COMPATIBLE_IOCTL(TUNSETOFFLOAD) ++COMPATIBLE_IOCTL(TUNSETTXFILTER) + /* Big V */ + COMPATIBLE_IOCTL(VT_SETMODE) + COMPATIBLE_IOCTL(VT_GETMODE) +@@ -2573,6 +2579,7 @@ HANDLE_IOCTL(SIOCGIFPFLAGS, dev_ifsioc) + HANDLE_IOCTL(SIOCGIFTXQLEN, dev_ifsioc) + HANDLE_IOCTL(SIOCSIFTXQLEN, dev_ifsioc) + HANDLE_IOCTL(TUNSETIFF, dev_ifsioc) ++HANDLE_IOCTL(TUNGETIFF, dev_ifsioc) + HANDLE_IOCTL(SIOCETHTOOL, ethtool_ioctl) + HANDLE_IOCTL(SIOCBONDENSLAVE, bond_ioctl) + HANDLE_IOCTL(SIOCBONDRELEASE, bond_ioctl) diff --git a/queue-2.6.28/tun-fix-unicast-filter-overflow.patch b/queue-2.6.28/tun-fix-unicast-filter-overflow.patch new file mode 100644 index 00000000000..de4547c6280 --- /dev/null +++ b/queue-2.6.28/tun-fix-unicast-filter-overflow.patch @@ -0,0 +1,49 @@ +From 5fcfe132d54414cc4c4df456bccce29a383c1d25 Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Sun, 8 Feb 2009 17:49:17 -0800 +Subject: tun: Fix unicast filter overflow + +From: Alex Williamson + +[ Upstream commit cfbf84fcbcda98bb91ada683a8dc8e6901a83ebd ] + +Tap devices can make use of a small MAC filter set via the +TUNSETTXFILTER ioctl. The filter has a set of exact matches +plus a hash for imperfect filtering of additional multicast +addresses. The current code is unbalanced, adding unicast +addresses to the multicast hash, but only checking the hash +against multicast addresses. This results in the filter +dropping unicast addresses that overflow the exact filter. +The fix is simply to disable the filter by leaving count set +to zero if we find non-multicast addresses after the exact +match table is filled. + +Signed-off-by: Alex Williamson +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/tun.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -157,10 +157,16 @@ static int update_filter(struct tap_filt + + nexact = n; + +- /* The rest is hashed */ ++ /* Remaining multicast addresses are hashed, ++ * unicast will leave the filter disabled. */ + memset(filter->mask, 0, sizeof(filter->mask)); +- for (; n < uf.count; n++) ++ for (; n < uf.count; n++) { ++ if (!is_multicast_ether_addr(addr[n].u)) { ++ err = 0; /* no filter */ ++ goto done; ++ } + addr_hash_set(filter->mask, addr[n].u); ++ } + + /* For ALLMULTI just set the mask to all ones. + * This overrides the mask populated above. */ diff --git a/queue-2.6.28/udp-fix-udp-short-packet-false-positive.patch b/queue-2.6.28/udp-fix-udp-short-packet-false-positive.patch new file mode 100644 index 00000000000..c89e0b71963 --- /dev/null +++ b/queue-2.6.28/udp-fix-udp-short-packet-false-positive.patch @@ -0,0 +1,44 @@ +From 287465ec54f475979395aa2a3b0781b72c1c9667 Mon Sep 17 00:00:00 2001 +From: Jesper Dangaard Brouer +Date: Thu, 5 Feb 2009 15:05:45 -0800 +Subject: udp: Fix UDP short packet false positive + +From: Jesper Dangaard Brouer + +[ Upstream commit 7b5e56f9d635643ad54f2f42e69ad16b80a2cff1 ] + +The UDP header pointer assignment must happen after calling +pskb_may_pull(). As pskb_may_pull() can potentially alter the SKB +buffer. + +This was exposted by running multicast traffic through the NIU driver, +as it won't prepull the protocol headers into the linear area on +receive. + +Signed-off-by: Jesper Dangaard Brouer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/udp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1155,7 +1155,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, + int proto) + { + struct sock *sk; +- struct udphdr *uh = udp_hdr(skb); ++ struct udphdr *uh; + unsigned short ulen; + struct rtable *rt = (struct rtable*)skb->dst; + __be32 saddr = ip_hdr(skb)->saddr; +@@ -1168,6 +1168,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, + if (!pskb_may_pull(skb, sizeof(struct udphdr))) + goto drop; /* No space for header. */ + ++ uh = udp_hdr(skb); + ulen = ntohs(uh->len); + if (ulen > skb->len) + goto short_packet; diff --git a/queue-2.6.28/udp-increments-sk_drops-in-__udp_queue_rcv_skb.patch b/queue-2.6.28/udp-increments-sk_drops-in-__udp_queue_rcv_skb.patch new file mode 100644 index 00000000000..93ffa15eff4 --- /dev/null +++ b/queue-2.6.28/udp-increments-sk_drops-in-__udp_queue_rcv_skb.patch @@ -0,0 +1,39 @@ +From d6d7578f048f4cd98bc47d7235fdc558c587292b Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 2 Feb 2009 13:41:57 -0800 +Subject: udp: increments sk_drops in __udp_queue_rcv_skb() + +From: Eric Dumazet + +[ Upstream commit e408b8dcb5ce42243a902205005208e590f28454 ] + +Commit 93821778def10ec1e69aa3ac10adee975dad4ff3 (udp: Fix rcv socket +locking) accidentally removed sk_drops increments for UDP IPV4 +sockets. + +This field can be used to detect incorrect sizing of socket receive +buffers. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/udp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -942,9 +942,11 @@ static int __udp_queue_rcv_skb(struct so + + if ((rc = sock_queue_rcv_skb(sk, skb)) < 0) { + /* Note that an ENOMEM error is charged twice */ +- if (rc == -ENOMEM) ++ if (rc == -ENOMEM) { + UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS, + is_udplite); ++ atomic_inc(&sk->sk_drops); ++ } + goto drop; + } + diff --git a/queue-2.6.28/virtio_net-fix-max_packet_len-to-support-802.1q-vlans.patch b/queue-2.6.28/virtio_net-fix-max_packet_len-to-support-802.1q-vlans.patch new file mode 100644 index 00000000000..a92466a296d --- /dev/null +++ b/queue-2.6.28/virtio_net-fix-max_packet_len-to-support-802.1q-vlans.patch @@ -0,0 +1,43 @@ +From 1d9a6e1f77cdc3e34f1033df3ffecbc63fd6123e Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Fri, 13 Feb 2009 00:06:29 -0800 +Subject: virtio_net: Fix MAX_PACKET_LEN to support 802.1Q VLANs + +From: Alex Williamson + +[ Upstream commit e918085aaff34086e265f825dd469926b1aec4a4 ] + +802.1Q expanded the maximum ethernet frame size by 4 bytes for the +VLAN tag. We're not taking this into account in virtio_net, which +means the buffers we provide to the backend in the virtqueue RX ring +aren't big enough to hold a full MTU VLAN packet. For QEMU/KVM, +this results in the backend exiting with a packet truncation error. + +Signed-off-by: Alex Williamson +Acked-by: Mark McLoughlin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/virtio_net.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + static int napi_weight = 128; + module_param(napi_weight, int, 0444); +@@ -33,7 +34,7 @@ module_param(csum, bool, 0444); + module_param(gso, bool, 0444); + + /* FIXME: MTU in config. */ +-#define MAX_PACKET_LEN (ETH_HLEN+ETH_DATA_LEN) ++#define MAX_PACKET_LEN (ETH_HLEN + VLAN_HLEN + ETH_DATA_LEN) + + struct virtnet_info + { diff --git a/queue-2.6.28/w1-w1-temp-calculation-overflow-fix.patch b/queue-2.6.28/w1-w1-temp-calculation-overflow-fix.patch new file mode 100644 index 00000000000..f50f443650f --- /dev/null +++ b/queue-2.6.28/w1-w1-temp-calculation-overflow-fix.patch @@ -0,0 +1,38 @@ +From 507e2fbaaacb6f164b4125b87c5002f95143174b Mon Sep 17 00:00:00 2001 +From: Ian Dall +Date: Wed, 11 Feb 2009 13:04:46 -0800 +Subject: w1: w1 temp calculation overflow fix + +From: Ian Dall + +commit 507e2fbaaacb6f164b4125b87c5002f95143174b upstream. + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=12646 + +When the temperature exceeds 32767 milli-degrees the temperature overflows +to -32768 millidegrees. These are bothe well within the -55 - +125 degree +range for the sensor. + +Fix overflow in left-shift of a u8. + +Signed-off-by: Ian Dall +Signed-off-by: Evgeniy Polyakov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/w1/slaves/w1_therm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/w1/slaves/w1_therm.c ++++ b/drivers/w1/slaves/w1_therm.c +@@ -115,7 +115,7 @@ static struct w1_therm_family_converter + + static inline int w1_DS18B20_convert_temp(u8 rom[9]) + { +- s16 t = (rom[1] << 8) | rom[0]; ++ int t = ((s16)rom[1] << 8) | rom[0]; + t = t*1000/16; + return t; + } diff --git a/queue-2.6.28/write-back-fix-nr_to_write-counter.patch b/queue-2.6.28/write-back-fix-nr_to_write-counter.patch new file mode 100644 index 00000000000..b6a6dc44e2d --- /dev/null +++ b/queue-2.6.28/write-back-fix-nr_to_write-counter.patch @@ -0,0 +1,70 @@ +From dcf6a79dda5cc2a2bec183e50d829030c0972aaa Mon Sep 17 00:00:00 2001 +From: Artem Bityutskiy +Date: Mon, 2 Feb 2009 18:33:49 +0200 +Subject: write-back: fix nr_to_write counter + +From: Artem Bityutskiy + +commit dcf6a79dda5cc2a2bec183e50d829030c0972aaa upstream. + +Commit 05fe478dd04e02fa230c305ab9b5616669821dd3 introduced some +@wbc->nr_to_write breakage. + +It made the following changes: + 1. Decrement wbc->nr_to_write instead of nr_to_write + 2. Decrement wbc->nr_to_write _only_ if wbc->sync_mode == WB_SYNC_NONE + 3. If synced nr_to_write pages, stop only if if wbc->sync_mode == + WB_SYNC_NONE, otherwise keep going. + +However, according to the commit message, the intention was to only make +change 3. Change 1 is a bug. Change 2 does not seem to be necessary, +and it breaks UBIFS expectations, so if needed, it should be done +separately later. And change 2 does not seem to be documented in the +commit message. + +This patch does the following: + 1. Undo changes 1 and 2 + 2. Add a comment explaining change 3 (it very useful to have comments + in _code_, not only in the commit). + +Signed-off-by: Artem Bityutskiy +Acked-by: Nick Piggin +Cc: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page-writeback.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -981,13 +981,22 @@ continue_unlock: + } + } + +- if (wbc->sync_mode == WB_SYNC_NONE) { +- wbc->nr_to_write--; +- if (wbc->nr_to_write <= 0) { +- done = 1; +- break; +- } ++ if (nr_to_write > 0) ++ nr_to_write--; ++ else if (wbc->sync_mode == WB_SYNC_NONE) { ++ /* ++ * We stop writing back only if we are not ++ * doing integrity sync. In case of integrity ++ * sync we have to keep going because someone ++ * may be concurrently dirtying pages, and we ++ * might have synced a lot of newly appeared ++ * dirty pages, but have not synced all of the ++ * old dirty pages. ++ */ ++ done = 1; ++ break; + } ++ + if (wbc->nonblocking && bdi_write_congested(bdi)) { + wbc->encountered_congestion = 1; + done = 1; diff --git a/queue-2.6.28/writeback-fix-break-condition.patch b/queue-2.6.28/writeback-fix-break-condition.patch new file mode 100644 index 00000000000..21a69696eb8 --- /dev/null +++ b/queue-2.6.28/writeback-fix-break-condition.patch @@ -0,0 +1,66 @@ +From 89e1219004b3657cc014521663eeef0744f1c99d Mon Sep 17 00:00:00 2001 +From: Federico Cuello +Date: Wed, 11 Feb 2009 13:04:39 -0800 +Subject: writeback: fix break condition + +From: Federico Cuello + +commit 89e1219004b3657cc014521663eeef0744f1c99d upstream. + +Commit dcf6a79dda5cc2a2bec183e50d829030c0972aaa ("write-back: fix +nr_to_write counter") fixed nr_to_write counter, but didn't set the break +condition properly. + +If nr_to_write == 0 after being decremented it will loop one more time +before setting done = 1 and breaking the loop. + +[akpm@linux-foundation.org: coding-style fixes] +Cc: Artem Bityutskiy +Acked-by: Nick Piggin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page-writeback.c | 29 ++++++++++++++++------------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -981,20 +981,23 @@ continue_unlock: + } + } + +- if (nr_to_write > 0) ++ if (nr_to_write > 0) { + nr_to_write--; +- else if (wbc->sync_mode == WB_SYNC_NONE) { +- /* +- * We stop writing back only if we are not +- * doing integrity sync. In case of integrity +- * sync we have to keep going because someone +- * may be concurrently dirtying pages, and we +- * might have synced a lot of newly appeared +- * dirty pages, but have not synced all of the +- * old dirty pages. +- */ +- done = 1; +- break; ++ if (nr_to_write == 0 && ++ wbc->sync_mode == WB_SYNC_NONE) { ++ /* ++ * We stop writing back only if we are ++ * not doing integrity sync. In case of ++ * integrity sync we have to keep going ++ * because someone may be concurrently ++ * dirtying pages, and we might have ++ * synced a lot of newly appeared dirty ++ * pages, but have not synced all of the ++ * old dirty pages. ++ */ ++ done = 1; ++ break; ++ } + } + + if (wbc->nonblocking && bdi_write_congested(bdi)) { diff --git a/queue-2.6.28/x86-vmi-put-a-missing-paravirt_release_pmd-in-pgd_dtor.patch b/queue-2.6.28/x86-vmi-put-a-missing-paravirt_release_pmd-in-pgd_dtor.patch new file mode 100644 index 00000000000..5724859bad5 --- /dev/null +++ b/queue-2.6.28/x86-vmi-put-a-missing-paravirt_release_pmd-in-pgd_dtor.patch @@ -0,0 +1,61 @@ +From 55a8ba4b7f76bebd7e8ce3f74c04b140627a1bad Mon Sep 17 00:00:00 2001 +From: Alok Kataria +Date: Fri, 6 Feb 2009 10:29:35 -0800 +Subject: x86, vmi: put a missing paravirt_release_pmd in pgd_dtor + +From: Alok Kataria + +commit 55a8ba4b7f76bebd7e8ce3f74c04b140627a1bad upstream. + +Commit 6194ba6ff6ccf8d5c54c857600843c67aa82c407 ("x86: don't special-case +pmd allocations as much") made changes to the way we handle pmd allocations, +and while doing that it dropped a call to paravirt_release_pd on the +pgd page from the pgd_dtor code path. + +As a result of this missing release, the hypervisor is now unaware of the +pgd page being freed, and as a result it ends up tracking this page as a +page table page. + +After this the guest may start using the same page for other purposes, and +depending on what use the page is put to, it may result in various performance +and/or functional issues ( hangs, reboots). + +Since this release is only required for VMI, I now release the pgd page from +the (vmi)_pgd_free hook. + +Signed-off-by: Alok N Kataria +Acked-by: Jeremy Fitzhardinge +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/vmi_32.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/x86/kernel/vmi_32.c ++++ b/arch/x86/kernel/vmi_32.c +@@ -430,6 +430,16 @@ static void vmi_release_pmd(unsigned lon + } + + /* ++ * We use the pgd_free hook for releasing the pgd page: ++ */ ++static void vmi_pgd_free(struct mm_struct *mm, pgd_t *pgd) ++{ ++ unsigned long pfn = __pa(pgd) >> PAGE_SHIFT; ++ ++ vmi_ops.release_page(pfn, VMI_PAGE_L2); ++} ++ ++/* + * Helper macros for MMU update flags. We can defer updates until a flush + * or page invalidation only if the update is to the current address space + * (otherwise, there is no flush). We must check against init_mm, since +@@ -881,6 +891,7 @@ static inline int __init activate_vmi(vo + if (vmi_ops.release_page) { + pv_mmu_ops.release_pte = vmi_release_pte; + pv_mmu_ops.release_pmd = vmi_release_pmd; ++ pv_mmu_ops.pgd_free = vmi_pgd_free; + } + + /* Set linear is needed in all cases */ diff --git a/queue-2.6.28/zd1211rw-adding-0ace-0xa211-as-a-zd1211-device.patch b/queue-2.6.28/zd1211rw-adding-0ace-0xa211-as-a-zd1211-device.patch new file mode 100644 index 00000000000..b16984e5396 --- /dev/null +++ b/queue-2.6.28/zd1211rw-adding-0ace-0xa211-as-a-zd1211-device.patch @@ -0,0 +1,33 @@ +From 14990c69b5f51dd57b4e0e2373de50239ac861e2 Mon Sep 17 00:00:00 2001 +From: Hin-Tak Leung +Date: Sun, 8 Feb 2009 02:13:56 +0000 +Subject: zd1211rw: adding 0ace:0xa211 as a ZD1211 device + +From: Hin-Tak Leung + +commit 14990c69b5f51dd57b4e0e2373de50239ac861e2 upstream. + +Christoph Biedl reported success +in the sourceforge zd1211 mailing list on this addition. This product ID +was supported by the vendor driver ZD1211LnxDrv 2.22.0.0 (and possibly +earlier) and it probably should have been added earlier. + +Signed-off-by: Hin-Tak Leung +Tested-by: Christoph Biedl +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/zd1211rw/zd_usb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/zd1211rw/zd_usb.c ++++ b/drivers/net/wireless/zd1211rw/zd_usb.c +@@ -37,6 +37,7 @@ + static struct usb_device_id usb_ids[] = { + /* ZD1211 */ + { USB_DEVICE(0x0ace, 0x1211), .driver_info = DEVICE_ZD1211 }, ++ { USB_DEVICE(0x0ace, 0xa211), .driver_info = DEVICE_ZD1211 }, + { USB_DEVICE(0x07b8, 0x6001), .driver_info = DEVICE_ZD1211 }, + { USB_DEVICE(0x126f, 0xa006), .driver_info = DEVICE_ZD1211 }, + { USB_DEVICE(0x6891, 0xa727), .driver_info = DEVICE_ZD1211 }, diff --git a/queue-2.6.28/zd1211rw-treat-maxim_new_rf-as-uw2453_rf-for-tp-link-wn322-422g.patch b/queue-2.6.28/zd1211rw-treat-maxim_new_rf-as-uw2453_rf-for-tp-link-wn322-422g.patch new file mode 100644 index 00000000000..37f140b1d60 --- /dev/null +++ b/queue-2.6.28/zd1211rw-treat-maxim_new_rf-as-uw2453_rf-for-tp-link-wn322-422g.patch @@ -0,0 +1,37 @@ +From efb43f4b2ccf8066abc3920a0e6858e4350a65c7 Mon Sep 17 00:00:00 2001 +From: Hin-Tak Leung +Date: Wed, 4 Feb 2009 23:40:43 +0000 +Subject: zd1211rw: treat MAXIM_NEW_RF(0x08) as UW2453_RF(0x09) for TP-Link WN322/422G + +From: Hin-Tak Leung + +commit efb43f4b2ccf8066abc3920a0e6858e4350a65c7 upstream. + +Three people (Petr Mensik +["si" should be U+0161 U+00ED], Stephen Ho +on zd1211-devs and Ismael Ojeda Perez +on linux-wireless) reported success in getting TP-Link WN322G/WN422G +working by treating MAXIM_NEW_RF(0x08) as UW2453_RF(0x09) for rf +chip hardware initialization. + +Signed-off-by: Hin-Tak Leung +Tested-by: Petr Mensik +Tested-by: Stephen Ho +Tested-by: Ismael Ojeda Perez +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/zd1211rw/zd_rf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/zd1211rw/zd_rf.c ++++ b/drivers/net/wireless/zd1211rw/zd_rf.c +@@ -86,6 +86,7 @@ int zd_rf_init_hw(struct zd_rf *rf, u8 t + case AL7230B_RF: + r = zd_rf_init_al7230b(rf); + break; ++ case MAXIM_NEW_RF: + case UW2453_RF: + r = zd_rf_init_uw2453(rf); + break; -- 2.47.3