From 692a2cbf961a44acad14753d84a3b25e428c9b92 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 23 Aug 2007 15:33:02 -0700
Subject: [PATCH] start of the 2.6.22.6 review cycle
---
..._kernel-allocation-in-atomic-context.patch | 0
.../fix-soft-fp-underflow-handling.patch | 0
...vmalloc-synchronization-for-paravirt.patch | 0
...ile-send-sctp-data-with-ip-fragments.patch | 0
...invalid-semicolon-after-if-statement.patch | 0
review-2.6.22/mbox | 2851 +++++++++++++++++
...-missing-rcu-unlock-in-__sock_create.patch | 0
...re-code-between-bridging-and-bonding.patch | 0
...r-missing-kbuild-entry-for-netfilter.patch | 0
...art-calculation-during-kernel-writes.patch | 0
review-2.6.22/pci-disable-msi-on-rd580.patch | 41 +
review-2.6.22/pci-disable-msi-on-rs690.patch | 42 +
review-2.6.22/pci-disable-msi-on-rx790.patch | 41 +
...the-pci-hidden-behind-bridge-message.patch | 108 +
.../ppp-fix-ppp-buffer-sizing.patch | 0
{queue-2.6.22 => review-2.6.22}/series | 8 +
...fd-fix-interaction-with-posix-timers.patch | 0
...oup-wide-fix-posix-timers-scheduling.patch | 0
.../sky2-don-t-clear-phy-power-bits.patch | 0
...ap-fix-snap-protocol-header-accesses.patch | 0
...sparc64-pci-config-accesses-on-sun4u.patch | 0
...parc64-fix-sparc64-task-stack-traces.patch | 0
...o-not-autobind-ports-for-tcp-sockets.patch | 0
...dling-of-sack-in-bidirectional-flows.patch | 0
...-rate-halving-on-bidirectional-flows.patch | 0
...-fix-previous-request-size-limit-fix.patch | 0
...product-type-to-usb-interface-events.patch | 55 +
...low-retry-on-descriptor-fetch-errors.patch | 39 +
...fix-sysfs-attribute-registration-bug.patch | 39 +
.../usb-fix-dos-in-pwc-usb-video-driver.patch | 126 +
30 files changed, 3350 insertions(+)
rename {queue-2.6.22 => review-2.6.22}/dccp-fix-dccp-gfp_kernel-allocation-in-atomic-context.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/fix-soft-fp-underflow-handling.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/i386-fix-lazy-mode-vmalloc-synchronization-for-paravirt.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/ipv6-fix-kernel-panic-while-send-sctp-data-with-ip-fragments.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/ipv6-invalid-semicolon-after-if-statement.patch (100%)
create mode 100644 review-2.6.22/mbox
rename {queue-2.6.22 => review-2.6.22}/net-fix-missing-rcu-unlock-in-__sock_create.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/net-share-correct-feature-code-between-bridging-and-bonding.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/netfilter-missing-kbuild-entry-for-netfilter.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/ocfs2-fix-bad-source-start-calculation-during-kernel-writes.patch (100%)
create mode 100644 review-2.6.22/pci-disable-msi-on-rd580.patch
create mode 100644 review-2.6.22/pci-disable-msi-on-rs690.patch
create mode 100644 review-2.6.22/pci-disable-msi-on-rx790.patch
create mode 100644 review-2.6.22/pci-lets-kill-the-pci-hidden-behind-bridge-message.patch
rename {queue-2.6.22 => review-2.6.22}/ppp-fix-ppp-buffer-sizing.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/series (74%)
rename {queue-2.6.22 => review-2.6.22}/signalfd-fix-interaction-with-posix-timers.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/signalfd-make-it-group-wide-fix-posix-timers-scheduling.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/sky2-don-t-clear-phy-power-bits.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/snap-fix-snap-protocol-header-accesses.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/sparc64-fix-sparc64-pci-config-accesses-on-sun4u.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/sparc64-fix-sparc64-task-stack-traces.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/tcp-do-not-autobind-ports-for-tcp-sockets.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/tcp-fix-tcp-handling-of-sack-in-bidirectional-flows.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/tcp-fix-tcp-rate-halving-on-bidirectional-flows.patch (100%)
rename {queue-2.6.22 => review-2.6.22}/uml-fix-previous-request-size-limit-fix.patch (100%)
create mode 100644 review-2.6.22/usb-add-product-type-to-usb-interface-events.patch
create mode 100644 review-2.6.22/usb-allow-retry-on-descriptor-fetch-errors.patch
create mode 100644 review-2.6.22/usb-cdc-acm-fix-sysfs-attribute-registration-bug.patch
create mode 100644 review-2.6.22/usb-fix-dos-in-pwc-usb-video-driver.patch
diff --git a/queue-2.6.22/dccp-fix-dccp-gfp_kernel-allocation-in-atomic-context.patch b/review-2.6.22/dccp-fix-dccp-gfp_kernel-allocation-in-atomic-context.patch
similarity index 100%
rename from queue-2.6.22/dccp-fix-dccp-gfp_kernel-allocation-in-atomic-context.patch
rename to review-2.6.22/dccp-fix-dccp-gfp_kernel-allocation-in-atomic-context.patch
diff --git a/queue-2.6.22/fix-soft-fp-underflow-handling.patch b/review-2.6.22/fix-soft-fp-underflow-handling.patch
similarity index 100%
rename from queue-2.6.22/fix-soft-fp-underflow-handling.patch
rename to review-2.6.22/fix-soft-fp-underflow-handling.patch
diff --git a/queue-2.6.22/i386-fix-lazy-mode-vmalloc-synchronization-for-paravirt.patch b/review-2.6.22/i386-fix-lazy-mode-vmalloc-synchronization-for-paravirt.patch
similarity index 100%
rename from queue-2.6.22/i386-fix-lazy-mode-vmalloc-synchronization-for-paravirt.patch
rename to review-2.6.22/i386-fix-lazy-mode-vmalloc-synchronization-for-paravirt.patch
diff --git a/queue-2.6.22/ipv6-fix-kernel-panic-while-send-sctp-data-with-ip-fragments.patch b/review-2.6.22/ipv6-fix-kernel-panic-while-send-sctp-data-with-ip-fragments.patch
similarity index 100%
rename from queue-2.6.22/ipv6-fix-kernel-panic-while-send-sctp-data-with-ip-fragments.patch
rename to review-2.6.22/ipv6-fix-kernel-panic-while-send-sctp-data-with-ip-fragments.patch
diff --git a/queue-2.6.22/ipv6-invalid-semicolon-after-if-statement.patch b/review-2.6.22/ipv6-invalid-semicolon-after-if-statement.patch
similarity index 100%
rename from queue-2.6.22/ipv6-invalid-semicolon-after-if-statement.patch
rename to review-2.6.22/ipv6-invalid-semicolon-after-if-statement.patch
diff --git a/review-2.6.22/mbox b/review-2.6.22/mbox
new file mode 100644
index 00000000000..001a8ea9348
--- /dev/null
+++ b/review-2.6.22/mbox
@@ -0,0 +1,2851 @@ +From gregkh@mini.kroah.org Thu Aug 23 15:12:51 2007 +Message-Id: <20070823221251.555802798@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:06:58 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + David Miller +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + netdev@vger.kernel.org, + Herbert Xu +Subject: [patch 02/28] NET: Share correct feature code between bridging and bonding +Content-Disposition: inline; filename=net-share-correct-feature-code-between-bridging-and-bonding.patch +Content-Length: 6749 +Lines: 201 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +[NET]: Share correct feature code between bridging and bonding + +http://bugzilla.kernel.org/show_bug.cgi?id=8797 shows that the +bonding driver may produce bogus combinations of the checksum +flags and SG/TSO. + +For example, if you bond devices with NETIF_F_HW_CSUM and +NETIF_F_IP_CSUM you'll end up with a bonding device that +has neither flag set. If both have TSO then this produces +an illegal combination. + +The bridge device on the other hand has the correct code to +deal with this. + +In fact, the same code can be used for both. So this patch +moves that logic into net/core/dev.c and uses it for both +bonding and bridging. + +In the process I've made small adjustments such as only +setting GSO_ROBUST if at least one constituent device +supports it. + +Signed-off-by: Herbert Xu +Acked-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/bonding/bond_main.c | 30 +++++++++--------------------- + include/linux/netdevice.h | 2 ++ + net/bridge/br_device.c | 3 ++- + net/bridge/br_if.c | 28 ++++------------------------ + net/core/dev.c | 38 ++++++++++++++++++++++++++++++++++++++ + 5 files changed, 55 insertions(+), 46 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1233,43 +1233,31 @@ int bond_sethwaddr(struct net_device *bo + return 0; + } + +-#define BOND_INTERSECT_FEATURES \ +- (NETIF_F_SG | NETIF_F_ALL_CSUM | NETIF_F_TSO | NETIF_F_UFO) ++#define BOND_VLAN_FEATURES \ ++ (NETIF_F_VLAN_CHALLENGED | NETIF_F_HW_VLAN_RX | NETIF_F_HW_VLAN_TX | \ ++ NETIF_F_HW_VLAN_FILTER) + + /* + * Compute the common dev->feature set available to all slaves. Some +- * feature bits are managed elsewhere, so preserve feature bits set on +- * master device that are not part of the examined set. ++ * feature bits are managed elsewhere, so preserve those feature bits ++ * on the master device. 
+ */ + static int bond_compute_features(struct bonding *bond) + { +- unsigned long features = BOND_INTERSECT_FEATURES; + struct slave *slave; + struct net_device *bond_dev = bond->dev; ++ unsigned long features = bond_dev->features & ~BOND_VLAN_FEATURES; + unsigned short max_hard_header_len = ETH_HLEN; + int i; + + bond_for_each_slave(bond, slave, i) { +- features &= (slave->dev->features & BOND_INTERSECT_FEATURES); ++ features = netdev_compute_features(features, ++ slave->dev->features); + if (slave->dev->hard_header_len > max_hard_header_len) + max_hard_header_len = slave->dev->hard_header_len; + } + +- if ((features & NETIF_F_SG) && +- !(features & NETIF_F_ALL_CSUM)) +- features &= ~NETIF_F_SG; +- +- /* +- * features will include NETIF_F_TSO (NETIF_F_UFO) iff all +- * slave devices support NETIF_F_TSO (NETIF_F_UFO), which +- * implies that all slaves also support scatter-gather +- * (NETIF_F_SG), which implies that features also includes +- * NETIF_F_SG. So no need to check whether we have an +- * illegal combination of NETIF_F_{TSO,UFO} and +- * !NETIF_F_SG +- */ +- +- features |= (bond_dev->features & ~BOND_INTERSECT_FEATURES); ++ features |= (bond_dev->features & BOND_VLAN_FEATURES); + bond_dev->features = features; + bond_dev->hard_header_len = max_hard_header_len; + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -1032,6 +1032,8 @@ extern void dev_seq_stop(struct seq_file + + extern void linkwatch_run_queue(void); + ++extern int netdev_compute_features(unsigned long all, unsigned long one); ++ + static inline int net_gso_ok(int features, int gso_type) + { + int feature = gso_type << NETIF_F_GSO_SHIFT; +--- a/net/bridge/br_device.c ++++ b/net/bridge/br_device.c +@@ -179,5 +179,6 @@ void br_dev_setup(struct net_device *dev + dev->priv_flags = IFF_EBRIDGE; + + dev->features = NETIF_F_SG | NETIF_F_FRAGLIST | NETIF_F_HIGHDMA | +- NETIF_F_TSO | NETIF_F_NO_CSUM | NETIF_F_GSO_ROBUST; ++ NETIF_F_GSO_SOFTWARE | NETIF_F_NO_CSUM | ++ 
NETIF_F_GSO_ROBUST | NETIF_F_LLTX; + } +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -360,35 +360,15 @@ int br_min_mtu(const struct net_bridge * + void br_features_recompute(struct net_bridge *br) + { + struct net_bridge_port *p; +- unsigned long features, checksum; ++ unsigned long features; + +- checksum = br->feature_mask & NETIF_F_ALL_CSUM ? NETIF_F_NO_CSUM : 0; +- features = br->feature_mask & ~NETIF_F_ALL_CSUM; ++ features = br->feature_mask; + + list_for_each_entry(p, &br->port_list, list) { +- unsigned long feature = p->dev->features; +- +- if (checksum & NETIF_F_NO_CSUM && !(feature & NETIF_F_NO_CSUM)) +- checksum ^= NETIF_F_NO_CSUM | NETIF_F_HW_CSUM; +- if (checksum & NETIF_F_HW_CSUM && !(feature & NETIF_F_HW_CSUM)) +- checksum ^= NETIF_F_HW_CSUM | NETIF_F_IP_CSUM; +- if (!(feature & NETIF_F_IP_CSUM)) +- checksum = 0; +- +- if (feature & NETIF_F_GSO) +- feature |= NETIF_F_GSO_SOFTWARE; +- feature |= NETIF_F_GSO; +- +- features &= feature; ++ features = netdev_compute_features(features, p->dev->features); + } + +- if (!(checksum & NETIF_F_ALL_CSUM)) +- features &= ~NETIF_F_SG; +- if (!(features & NETIF_F_SG)) +- features &= ~NETIF_F_GSO_MASK; +- +- br->dev->features = features | checksum | NETIF_F_LLTX | +- NETIF_F_GSO_ROBUST; ++ br->dev->features = features; + } + + /* called with RTNL */ +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3635,6 +3635,44 @@ static int __init netdev_dma_register(vo + static int __init netdev_dma_register(void) { return -ENODEV; } + #endif /* CONFIG_NET_DMA */ + ++/** ++ * netdev_compute_feature - compute conjunction of two feature sets ++ * @all: first feature set ++ * @one: second feature set ++ * ++ * Computes a new feature set after adding a device with feature set ++ * @one to the master device with current feature set @all. Returns ++ * the new feature set. 
++ */ ++int netdev_compute_features(unsigned long all, unsigned long one) ++{ ++ /* if device needs checksumming, downgrade to hw checksumming */ ++ if (all & NETIF_F_NO_CSUM && !(one & NETIF_F_NO_CSUM)) ++ all ^= NETIF_F_NO_CSUM | NETIF_F_HW_CSUM; ++ ++ /* if device can't do all checksum, downgrade to ipv4 */ ++ if (all & NETIF_F_HW_CSUM && !(one & NETIF_F_HW_CSUM)) ++ all ^= NETIF_F_HW_CSUM | NETIF_F_IP_CSUM; ++ ++ if (one & NETIF_F_GSO) ++ one |= NETIF_F_GSO_SOFTWARE; ++ one |= NETIF_F_GSO; ++ ++ /* If even one device supports robust GSO, enable it for all. */ ++ if (one & NETIF_F_GSO_ROBUST) ++ all |= NETIF_F_GSO_ROBUST; ++ ++ all &= one | NETIF_F_LLTX; ++ ++ if (!(all & NETIF_F_ALL_CSUM)) ++ all &= ~NETIF_F_SG; ++ if (!(all & NETIF_F_SG)) ++ all &= ~NETIF_F_GSO_MASK; ++ ++ return all; ++} ++EXPORT_SYMBOL(netdev_compute_features); ++ + /* + * Initialize the DEV module. At boot time this walks the device list and + * unhooks any devices that fail to initialise (normally hardware not + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:51 2007 +Message-Id: <20070823221251.708008608@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:06:59 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Stephen Hemminger +Subject: [patch 03/28] sky2: dont clear phy power bits +Content-Disposition: inline; filename=sky2-don-t-clear-phy-power-bits.patch +Content-Length: 838 +Lines: 28 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +There are special PHY settings available on Yukon EC-U chip that +should not get cleared. 
This should solve mysterious errors on some +motherboards (like Gigabyte DS-3). + +Signed-off-by: Stephen Hemminger +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/net/sky2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/sky2.c ++++ b/drivers/net/sky2.c +@@ -657,8 +657,8 @@ static void sky2_mac_init(struct sky2_hw + int i; + const u8 *addr = hw->dev[port]->dev_addr; + +- sky2_write32(hw, SK_REG(port, GPHY_CTRL), GPC_RST_SET); +- sky2_write32(hw, SK_REG(port, GPHY_CTRL), GPC_RST_CLR); ++ sky2_write8(hw, SK_REG(port, GPHY_CTRL), GPC_RST_SET); ++ sky2_write8(hw, SK_REG(port, GPHY_CTRL), GPC_RST_CLR); + + sky2_write8(hw, SK_REG(port, GMAC_CTRL), GMC_RST_CLR); + + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:51 2007 +Message-Id: <20070823221251.861979338@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:00 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + jdike@linux.intel.com, + jdike@addtoit.com +Subject: [patch 04/28] uml: fix previous request size limit fix +Content-Disposition: inline; filename=uml-fix-previous-request-size-limit-fix.patch +Content-Length: 1534 +Lines: 44 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jeff Dike + +The previous patch which limited the number of sectors in a single request +to a COWed device was correct in concept, but the limit was implemented in +the wrong place. + +By putting it in ubd_add, it covered the cases where the COWing was +specified on the command line. 
However, when the command line only has the +COW file specified, the fact that it's a COW file isn't known until it's +opened, so the limit is missed in these cases. + +This patch moves the sector limit from ubd_add to ubd_open_dev. + +Signed-off-by: Jeff Dike +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/drivers/ubd_kern.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/um/drivers/ubd_kern.c ++++ b/arch/um/drivers/ubd_kern.c +@@ -612,6 +612,8 @@ static int ubd_open_dev(struct ubd *ubd_ + ubd_dev->fd = fd; + + if(ubd_dev->cow.file != NULL){ ++ blk_queue_max_sectors(ubd_dev->queue, 8 * sizeof(long)); ++ + err = -ENOMEM; + ubd_dev->cow.bitmap = (void *) vmalloc(ubd_dev->cow.bitmap_len); + if(ubd_dev->cow.bitmap == NULL){ +@@ -712,8 +714,6 @@ static int ubd_add(int n, char **error_o + ubd_dev->queue->queuedata = ubd_dev; + + blk_queue_max_hw_segments(ubd_dev->queue, MAX_SG); +- if(ubd_dev->cow.file != NULL) +- blk_queue_max_sectors(ubd_dev->queue, 8 * sizeof(long)); + err = ubd_disk_register(MAJOR_NR, ubd_dev->size, n, &ubd_gendisk[n]); + if(err){ + *error_out = "Failed to register device"; + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:52 2007 +Message-Id: <20070823221251.992381135@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:01 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + zach@vmware.com, + ak@suse.de, + jeremy@goop.org +Subject: [patch 05/28] i386: fix lazy mode vmalloc synchronization for paravirt +Content-Disposition: inline; filename=i386-fix-lazy-mode-vmalloc-synchronization-for-paravirt.patch +Content-Length: 
1482 +Lines: 47 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Zachary Amsden + +Found this looping Ubuntu installs with VMI. + +If unlucky enough to hit a vmalloc sync fault during a lazy mode +operation (from an IRQ handler for a module which was not yet populated +in current page directory, or from inside copy_one_pte, which touches +swap_map, and hit in an unused 4M region), the required PDE update would +never get flushed, causing an infinite page fault loop. + +This bug affects any paravirt-ops backend which uses lazy updates, I +believe that makes it a bug in Xen, VMI and lguest. It only happens on +LOWMEM kernels. + + +Touching vmalloc memory in the middle of a lazy mode update can generate a +kernel PDE update, which must be flushed immediately. The fix is to leave +lazy mode when doing a vmalloc sync. + +Signed-off-by: Zachary Amsden +Cc: Andi Kleen +Cc: Jeremy Fitzhardinge +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + arch/i386/mm/fault.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/i386/mm/fault.c ++++ b/arch/i386/mm/fault.c +@@ -249,9 +249,10 @@ static inline pmd_t *vmalloc_sync_one(pg + pmd_k = pmd_offset(pud_k, address); + if (!pmd_present(*pmd_k)) + return NULL; +- if (!pmd_present(*pmd)) ++ if (!pmd_present(*pmd)) { + set_pmd(pmd, *pmd_k); +- else ++ arch_flush_lazy_mmu_mode(); ++ } else + BUG_ON(pmd_page(*pmd) != pmd_page(*pmd_k)); + return pmd_k; + } + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:52 2007 +Message-Id: <20070823221252.140724922@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:02 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + 
Chuck Ebbert , + Domenico Andreoli , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + mtk-manpages@gmx.net, + benh@kernel.crashing.org, + oleg@tv-sign.ru, + tglx@linutronix.de, + davidel@xmailserver.org, + mingo@elte.hu, + roland@redhat.com +Subject: [patch 06/28] signalfd: fix interaction with posix-timers +Content-Disposition: inline; filename=signalfd-fix-interaction-with-posix-timers.patch +Content-Length: 1809 +Lines: 57 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Oleg Nesterov + +dequeue_signal: + + if (__SI_TIMER) { + spin_unlock(&tsk->sighand->siglock); + do_schedule_next_timer(info); + spin_lock(&tsk->sighand->siglock); + } + +Unless tsk == curent, this is absolutely unsafe: nothing prevents tsk from +exiting. If signalfd was passed to another process, do_schedule_next_timer() +is just wrong. + +Add yet another "tsk == current" check into dequeue_signal(). + +This patch fixes an oopsable bug, but breaks the scheduling of posix timers +if the shared __SI_TIMER signal was fetched via signalfd attached to another +sub-thread. Mostly fixed by the next patch. 
+ +Signed-off-by: Oleg Nesterov +Cc: Benjamin Herrenschmidt +Cc: Davide Libenzi +Cc: Ingo Molnar +Cc: Michael Kerrisk +Cc: Roland McGrath +Cc: Thomas Gleixner +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/signal.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -368,7 +368,7 @@ int dequeue_signal(struct task_struct *t + /* We only dequeue private signals from ourselves, we don't let + * signalfd steal them + */ +- if (tsk == current) ++ if (likely(tsk == current)) + signr = __dequeue_signal(&tsk->pending, mask, info); + if (!signr) { + signr = __dequeue_signal(&tsk->signal->shared_pending, +@@ -415,7 +415,7 @@ int dequeue_signal(struct task_struct *t + if (!(tsk->signal->flags & SIGNAL_GROUP_EXIT)) + tsk->signal->flags |= SIGNAL_STOP_DEQUEUED; + } +- if ( signr && ++ if (signr && likely(tsk == current) && + ((info->si_code & __SI_MASK) == __SI_TIMER) && + info->si_sys_private){ + /* + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:52 2007 +Message-Id: <20070823221252.327586483@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:03 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + mtk-manpages@gmx.net, + benh@kernel.crashing.org, + oleg@tv-sign.ru, + tglx@linutronix.de, + davidel@xmailserver.org, + mingo@elte.hu, + roland@redhat.com +Subject: [patch 07/28] signalfd: make it group-wide, fix posix-timers scheduling +Content-Disposition: inline; filename=signalfd-make-it-group-wide-fix-posix-timers-scheduling.patch +Content-Length: 2583 +Lines: 94 + +-stable review patch. 
If anyone has any objections, please let us know. + +------------------ + +From: Oleg Nesterov + +With this patch any thread can dequeue its own private signals via signalfd, +even if it was created by another sub-thread. + +To do so, we pass "current" to dequeue_signal() if the caller is from the same +thread group. This also fixes the scheduling of posix timers broken by the +previous patch. + +If the caller doesn't belong to this thread group, we can't handle __SI_TIMER +case properly anyway. Perhaps we should forbid the cross-process signalfd usage +and convert ctx->tsk to ctx->sighand. + +Signed-off-by: Oleg Nesterov +Cc: Benjamin Herrenschmidt +Cc: Davide Libenzi +Cc: Ingo Molnar +Cc: Michael Kerrisk +Cc: Roland McGrath +Cc: Thomas Gleixner +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/exec.c | 9 ++------- + fs/signalfd.c | 14 ++++++++++---- + 2 files changed, 12 insertions(+), 11 deletions(-) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -586,18 +586,12 @@ static int de_thread(struct task_struct + int count; + + /* +- * Tell all the sighand listeners that this sighand has +- * been detached. The signalfd_detach() function grabs the +- * sighand lock, if signal listeners are present on the sighand. +- */ +- signalfd_detach(tsk); +- +- /* + * If we don't share sighandlers, then we aren't sharing anything + * and we can just re-use it all. 
+ */ + if (atomic_read(&oldsighand->count) <= 1) { + BUG_ON(atomic_read(&sig->count) != 1); ++ signalfd_detach(tsk); + exit_itimers(sig); + return 0; + } +@@ -736,6 +730,7 @@ static int de_thread(struct task_struct + sig->flags = 0; + + no_thread_group: ++ signalfd_detach(tsk); + exit_itimers(sig); + if (leader) + release_task(leader); +--- a/fs/signalfd.c ++++ b/fs/signalfd.c +@@ -56,12 +56,18 @@ static int signalfd_lock(struct signalfd + sighand = lock_task_sighand(lk->tsk, &lk->flags); + rcu_read_unlock(); + +- if (sighand && !ctx->tsk) { ++ if (!sighand) ++ return 0; ++ ++ if (!ctx->tsk) { + unlock_task_sighand(lk->tsk, &lk->flags); +- sighand = NULL; ++ return 0; + } + +- return sighand != NULL; ++ if (lk->tsk->tgid == current->tgid) ++ lk->tsk = current; ++ ++ return 1; + } + + static void signalfd_unlock(struct signalfd_lockctx *lk) +@@ -331,7 +337,7 @@ asmlinkage long sys_signalfd(int ufd, si + + init_waitqueue_head(&ctx->wqh); + ctx->sigmask = sigmask; +- ctx->tsk = current; ++ ctx->tsk = current->group_leader; + + sighand = current->sighand; + /* + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:52 2007 +Message-Id: <20070823221252.524347492@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:04 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + Gerrit Renker , + Arnaldo Carvalho de Melo , + "David S. Miller" +Subject: [patch 08/28] DCCP: Fix DCCP GFP_KERNEL allocation in atomic context +Content-Disposition: inline; filename=dccp-fix-dccp-gfp_kernel-allocation-in-atomic-context.patch +Content-Length: 1972 +Lines: 48 + +-stable review patch. 
If anyone has any objections, please let us know. + +------------------ +From: Gerrit Renker + +This fixes the following bug reported in syslog: + +[ 4039.051658] BUG: sleeping function called from invalid context at /usr/src/davem-2.6/mm/slab.c:3032 +[ 4039.051668] in_atomic():1, irqs_disabled():0 +[ 4039.051670] INFO: lockdep is turned off. +[ 4039.051674] [] show_trace_log_lvl+0x1a/0x30 +[ 4039.051687] [] show_trace+0x12/0x14 +[ 4039.051691] [] dump_stack+0x16/0x18 +[ 4039.051695] [] __might_sleep+0xaf/0xbe +[ 4039.051700] [] __kmalloc+0xb1/0xd0 +[ 4039.051706] [] ccid2_hc_tx_alloc_seq+0x35/0xc3 [dccp_ccid2] +[ 4039.051717] [] ccid2_hc_tx_packet_sent+0x27f/0x2d9 [dccp_ccid2] +[ 4039.051723] [] dccp_write_xmit+0x1eb/0x338 [dccp] +[ 4039.051741] [] dccp_sendmsg+0x113/0x18f [dccp] +[ 4039.051750] [] inet_sendmsg+0x2e/0x4c +[ 4039.051758] [] sock_aio_write+0xd5/0x107 +[ 4039.051766] [] do_sync_write+0xcd/0x11c +[ 4039.051772] [] vfs_write+0x118/0x11f +[ 4039.051840] [] sys_write+0x3d/0x64 +[ 4039.051845] [] syscall_call+0x7/0xb +[ 4039.051848] ======================= + +The problem was that GFP_KERNEL was used; fixed by using gfp_any(). + +Signed-off-by: Gerrit Renker +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/dccp/ccids/ccid2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/dccp/ccids/ccid2.c ++++ b/net/dccp/ccids/ccid2.c +@@ -298,7 +298,7 @@ static void ccid2_hc_tx_packet_sent(stru + int rc; + + ccid2_pr_debug("allocating more space in history\n"); +- rc = ccid2_hc_tx_alloc_seq(hctx, CCID2_SEQBUF_LEN, GFP_KERNEL); ++ rc = ccid2_hc_tx_alloc_seq(hctx, CCID2_SEQBUF_LEN, gfp_any()); + BUG_ON(rc); /* XXX what do we do? 
*/ + + next = hctx->ccid2hctx_seqh->ccid2s_next; + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:52 2007 +Message-Id: <20070823221252.661365870@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:05 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + Wei Yongjun , + YOSHIFUJI Hideaki , + Arnaldo Carvalho de Melo , + "David S. Miller" +Subject: [patch 09/28] IPV6: Fix kernel panic while send SCTP data with IP fragments +Content-Disposition: inline; filename=ipv6-fix-kernel-panic-while-send-sctp-data-with-ip-fragments.patch +Content-Length: 3957 +Lines: 102 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Wei Yongjun + +If ICMP6 message with "Packet Too Big" is received after send SCTP DATA, +kernel panic will occur when SCTP DATA is send again. + +This is because of a bad dest address when call to skb_copy_bits(). 
+ +The messages sequence is like this: + +Endpoint A Endpoint B + <------- SCTP DATA (size=1432) +ICMP6 message -------> +(Packet Too Big pmtu=1280) + <------- Resend SCTP DATA (size=1432) +------------kernel panic--------------- + + printing eip: +c05be62a +*pde = 00000000 +Oops: 0002 [#1] +SMP +Modules linked in: scomm l2cap bluetooth ipv6 dm_mirror dm_mod video output sbs battery lp floppy sg i2c_piix4 i2c_core pcnet32 mii button ac parport_pc parport ide_cd cdrom serio_raw mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd +CPU: 0 +EIP: 0060:[] Not tainted VLI +EFLAGS: 00010282 (2.6.23-rc2 #1) +EIP is at skb_copy_bits+0x4f/0x1ef +eax: 000004d0 ebx: ce12a980 ecx: 00000134 edx: cfd5a880 +esi: c8246858 edi: 00000000 ebp: c0759b14 esp: c0759adc +ds: 007b es: 007b fs: 00d8 gs: 0000 ss: 0068 +Process swapper (pid: 0, ti=c0759000 task=c06d0340 task.ti=c0713000) +Stack: c0759b88 c0405867 ce12a980 c8bff838 c789c084 00000000 00000028 cfd5a880 + d09f1890 000005dc 0000007b ce12a980 cfd5a880 c8bff838 c0759b88 d09bc521 + 000004d0 fffff96c 00000200 00000100 c0759b50 cfd5a880 00000246 c0759bd4 +Call Trace: + [] show_trace_log_lvl+0x1a/0x2f + [] show_stack_log_lvl+0x9b/0xa3 + [] show_registers+0x1b8/0x289 + [] die+0x113/0x246 + [] do_page_fault+0x4ad/0x57e + [] error_code+0x72/0x78 + [] ip6_output+0x8e5/0xab2 [ipv6] + [] ip6_xmit+0x2ea/0x3a3 [ipv6] + [] sctp_v6_xmit+0x248/0x253 [sctp] + [] sctp_packet_transmit+0x53f/0x5ae [sctp] + [] sctp_outq_flush+0x555/0x587 [sctp] + [] sctp_retransmit+0xf8/0x10f [sctp] + [] sctp_icmp_frag_needed+0x57/0x5b [sctp] + [] sctp_v6_err+0xcd/0x148 [sctp] + [] icmpv6_notify+0xe6/0x167 [ipv6] + [] icmpv6_rcv+0x7d7/0x849 [ipv6] + [] ip6_input+0x1dc/0x310 [ipv6] + [] ipv6_rcv+0x294/0x2df [ipv6] + [] netif_receive_skb+0x2d2/0x335 + [] process_backlog+0x7f/0xd0 + [] net_rx_action+0x96/0x17e + [] __do_softirq+0x64/0xcd + [] do_softirq+0x5c/0xac + ======================= +Code: 00 00 29 ca 89 d0 2b 45 e0 89 55 ec 
85 c0 7e 35 39 45 08 8b 55 e4 0f 4e 45 08 8b 75 e0 8b 7d dc 89 c1 c1 e9 02 03 b2 a0 00 00 00 a5 89 c1 83 e1 03 74 02 f3 a4 29 45 08 0f 84 7b 01 00 00 01 +EIP: [] skb_copy_bits+0x4f/0x1ef SS:ESP 0068:c0759adc +Kernel panic - not syncing: Fatal exception in interrupt + +Arnaldo says: +==================== +Thanks! I'm to blame for this one, problem was introduced in: + +b0e380b1d8a8e0aca215df97702f99815f05c094 + + /* + * Copy a block of the IP datagram. + */ +- if (skb_copy_bits(skb, ptr, frag->h.raw, len)) ++ if (skb_copy_bits(skb, ptr, skb_transport_header(skb), +len)) + BUG(); + left -= len; +==================== + +Signed-off-by: Wei Yongjun +Acked-by: YOSHIFUJI Hideaki +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ip6_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -790,7 +790,7 @@ slow_path: + /* + * Copy a block of the IP datagram. + */ +- if (skb_copy_bits(skb, ptr, skb_transport_header(skb), len)) ++ if (skb_copy_bits(skb, ptr, skb_transport_header(frag), len)) + BUG(); + left -= len; + + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:53 2007 +Message-Id: <20070823221252.808000404@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:06 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + =?ISO-8859-15?q?Ilpo=20J=E4rvinen?= , + "David S. 
Miller" +Subject: [patch 10/28] IPv6: Invalid semicolon after if statement +Content-Disposition: inline; filename=ipv6-invalid-semicolon-after-if-statement.patch +Content-Length: 866 +Lines: 29 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Ilpo Järvinen + +A similar fix to netfilter from Eric Dumazet inspired me to +look around a bit by using some grep/sed stuff as looking for +this kind of bugs seemed easy to automate. This is one of them +I found where it looks like this semicolon is not valid. + +Signed-off-by: Ilpo Järvinen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ipv6_sockglue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -825,7 +825,7 @@ static int ipv6_getsockopt_sticky(struct + return 0; + + len = min_t(unsigned int, len, ipv6_optlen(hdr)); +- if (copy_to_user(optval, hdr, len)); ++ if (copy_to_user(optval, hdr, len)) + return -EFAULT; + return ipv6_optlen(hdr); + } + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:53 2007 +Message-Id: <20070823221253.021092841@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:07 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + "David S. Miller" +Subject: [patch 11/28] Fix soft-fp underflow handling. +Content-Disposition: inline; filename=fix-soft-fp-underflow-handling.patch +Content-Length: 3842 +Lines: 121 + +-stable review patch. If anyone has any objections, please let us know. 
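Review bot: The success path of `ipv6_getsockopt_sticky()` still ends in `return ipv6_optlen(hdr);` rather than the clamped `len`, so when the caller's buffer is shorter than the option header the function reports more bytes than `copy_to_user()` wrote. If the return value is what ends up in the caller's `optlen` (that code is outside the hunk), userspace would trust a length covering bytes it never received; `return len;` would keep the two in step. The start of the function is also outside the hunk.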
+ +------------------ + +From: David Miller + +The underflow exception cases were wrong. + +This is one weird area of ieee1754 handling in that the underflow +behavior changes based upon whether underflow is enabled in the trap +enable mask of the FPU control register. As a specific case the Sparc +V9 manual gives us the following description: + +-------------------- +If UFM = 0: Underflow occurs if a nonzero result is tiny and a + loss of accuracy occurs. Tininess may be detected + before or after rounding. Loss of accuracy may be + either a denormalization loss or an inexact result. + +If UFM = 1: Underflow occurs if a nonzero result is tiny. + Tininess may be detected before or after rounding. +-------------------- + +What this amounts to in the packing case is if we go subnormal, +we set underflow if any of the following are true: + +1) rounding sets inexact +2) we ended up rounding back up to normal (this is the case where + we set the exponent to 1 and set the fraction to zero), this + should set inexact too +3) underflow is set in FPU control register trap-enable mask + +The initially discovered example was "DBL_MIN / 16.0" which +incorrectly generated an underflow. It should not, unless underflow +is set in the trap-enable mask of the FPU csr. + +Another example, "0x0.0000000000001p-1022 / 16.0", should signal both +inexact and underflow. The cpu implementations and ieee1754 +literature is very clear about this. This is case #2 above. + +However, if underflow is set in the trap enable mask, only underflow +should be set and reported as a trap. That is handled properly by the +prioritization logic in + +arch/sparc{,64}/math-emu/math.c:record_exception(). + +Based upon a report and test case from Jakub Jelinek. + +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/asm-sparc/sfp-machine.h | 6 ++++++ + include/asm-sparc64/sfp-machine.h | 2 ++ + include/math-emu/op-common.h | 5 ++++- + include/math-emu/soft-fp.h | 7 +++++++ + 4 files changed, 19 insertions(+), 1 deletion(-) + +--- a/include/asm-sparc/sfp-machine.h ++++ b/include/asm-sparc/sfp-machine.h +@@ -203,4 +203,10 @@ extern struct task_struct *last_task_use + #define FP_INHIBIT_RESULTS ((last_task_used_math->thread.fsr >> 23) & _fex) + #endif + ++#ifdef CONFIG_SMP ++#define FP_TRAPPING_EXCEPTIONS ((current->thread.fsr >> 23) & 0x1f) ++#else ++#define FP_TRAPPING_EXCEPTIONS ((last_task_used_math->thread.fsr >> 23) & 0x1f) ++#endif ++ + #endif +--- a/include/asm-sparc64/sfp-machine.h ++++ b/include/asm-sparc64/sfp-machine.h +@@ -88,4 +88,6 @@ + + #define FP_INHIBIT_RESULTS ((current_thread_info()->xfsr[0] >> 23) & _fex) + ++#define FP_TRAPPING_EXCEPTIONS ((current_thread_info()->xfsr[0] >> 23) & 0x1f) ++ + #endif +--- a/include/math-emu/op-common.h ++++ b/include/math-emu/op-common.h +@@ -145,13 +145,16 @@ do { \ + { \ + X##_e = 1; \ + _FP_FRAC_SET_##wc(X, _FP_ZEROFRAC_##wc); \ ++ FP_SET_EXCEPTION(FP_EX_INEXACT); \ + } \ + else \ + { \ + X##_e = 0; \ + _FP_FRAC_SRL_##wc(X, _FP_WORKBITS); \ +- FP_SET_EXCEPTION(FP_EX_UNDERFLOW); \ + } \ ++ if ((FP_CUR_EXCEPTIONS & FP_EX_INEXACT) || \ ++ (FP_TRAPPING_EXCEPTIONS & FP_EX_UNDERFLOW)) \ ++ FP_SET_EXCEPTION(FP_EX_UNDERFLOW); \ + } \ + else \ + { \ +--- a/include/math-emu/soft-fp.h ++++ b/include/math-emu/soft-fp.h +@@ -97,12 +97,19 @@ + #define FP_INHIBIT_RESULTS 0 + #endif + ++#ifndef FP_TRAPPING_EXCEPTIONS ++#define FP_TRAPPING_EXCEPTIONS 0 ++#endif ++ + #define FP_SET_EXCEPTION(ex) \ + _fex |= (ex) + + #define FP_UNSET_EXCEPTION(ex) \ + _fex &= ~(ex) + ++#define FP_CUR_EXCEPTIONS \ ++ (_fex) ++ + #define FP_CLEAR_EXCEPTIONS \ + _fex = 0 + + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:53 2007 +Message-Id: <20070823221253.178103447@mini.kroah.org> +References: 
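Review bot: The fallback `#define FP_TRAPPING_EXCEPTIONS 0` in soft-fp.h has no comment, and with it the new `(FP_TRAPPING_EXCEPTIONS & FP_EX_UNDERFLOW)` test in op-common.h is always false on any architecture that does not override the macro. Only the sparc and sparc64 overrides are visible here, so other math-emu users with a trap-enable mask presumably raise underflow only together with inexact. I would add `/* Trap-enable mask of the FPU; override per architecture, 0 means no exception is treated as trapping. */` above the fallback, and a one-line comment on the sparc definitions saying that `(fsr >> 23) & 0x1f` selects the trap-enable bits. The packing macro in op-common.h starts and ends outside the hunk.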
<20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:08 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + "David S. Miller" +Subject: [patch 12/28] Netfilter: Missing Kbuild entry for netfilter +Content-Disposition: inline; filename=netfilter-missing-kbuild-entry-for-netfilter.patch +Content-Length: 682 +Lines: 27 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Chuck Ebbert + +Add xt_statistic.h to the list of headers to install. + +Apparently needed to build newer versions of iptables. + +Signed-off-by: Chuck Ebbert +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/netfilter/Kbuild | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/linux/netfilter/Kbuild ++++ b/include/linux/netfilter/Kbuild +@@ -28,6 +28,7 @@ header-y += xt_policy.h + header-y += xt_realm.h + header-y += xt_sctp.h + header-y += xt_state.h ++header-y += xt_statistic.h + header-y += xt_string.h + header-y += xt_tcpmss.h + header-y += xt_tcpudp.h + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:53 2007 +Message-Id: <20070823221253.315546973@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:09 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + 
Herbert Xu , + "David S. Miller" +Subject: [patch 13/28] SNAP: Fix SNAP protocol header accesses. +Content-Disposition: inline; filename=snap-fix-snap-protocol-header-accesses.patch +Content-Length: 1250 +Lines: 58 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Herbert Xu + +The snap_rcv code reads 5 bytes so we should make sure that +we have 5 bytes in the head before proceeding. + +Based on diagnosis and fix by Evgeniy Polyakov, reported by +Alan J. Wylie. + +Patch also kills the skb->sk assignment before kfree_skb +since it's redundant. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/802/psnap.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/net/802/psnap.c ++++ b/net/802/psnap.c +@@ -55,6 +55,9 @@ static int snap_rcv(struct sk_buff *skb, + .type = __constant_htons(ETH_P_SNAP), + }; + ++ if (unlikely(!pskb_may_pull(skb, 5))) ++ goto drop; ++ + rcu_read_lock(); + proto = find_snap_client(skb_transport_header(skb)); + if (proto) { +@@ -62,14 +65,18 @@ static int snap_rcv(struct sk_buff *skb, + skb->transport_header += 5; + skb_pull_rcsum(skb, 5); + rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev); +- } else { +- skb->sk = NULL; +- kfree_skb(skb); +- rc = 1; + } +- + rcu_read_unlock(); ++ ++ if (unlikely(!proto)) ++ goto drop; ++ ++out: + return rc; ++ ++drop: ++ kfree_skb(skb); ++ goto out; + } + + /* + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:53 2007 +Message-Id: <20070823221253.470074859@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:10 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + 
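Review bot: The new early `goto drop` in `snap_rcv()` reaches `return rc` without any assignment visible in these two hunks, and the removed else-branch was the only place that set `rc = 1`. The declaration of `rc` is outside the hunk, so confirm it is initialised to the drop value; otherwise the short-packet path returns an indeterminate value. The header length is also a bare `5` in `pskb_may_pull(skb, 5)`, `skb->transport_header += 5` and `skb_pull_rcsum(skb, 5)`; a named constant, e.g. `#define SNAP_HDR_LEN 5`, would keep the length check and the pull from drifting apart.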
torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + Herbert Xu , + "David S. Miller" +Subject: [patch 14/28] NET: Fix missing rcu unlock in __sock_create() +Content-Disposition: inline; filename=net-fix-missing-rcu-unlock-in-__sock_create.patch +Content-Length: 757 +Lines: 30 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Herbert Xu + +[NET]: Fix unbalanced rcu_read_unlock in __sock_create + +The recent RCU work created an unbalanced rcu_read_unlock +in __sock_create. This patch fixes that. Reported by +oleg 123. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -1169,7 +1169,7 @@ static int __sock_create(int family, int + module_put(pf->owner); + err = security_socket_post_create(sock, family, type, protocol, kern); + if (err) +- goto out_release; ++ goto out_sock_release; + *res = sock; + + return 0; + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:53 2007 +Message-Id: <20070823221253.604536062@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:11 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + "David S. Miller" +Subject: [patch 15/28] SPARC64: Fix sparc64 task stack traces. +Content-Disposition: inline; filename=sparc64-fix-sparc64-task-stack-traces.patch +Content-Length: 1915 +Lines: 73 + + +-stable review patch. If anyone has any objections, please let us know. 
+ +------------------ +From: David Miller + +It didn't handle that case at all, and now dump_stack() +can be implemented directly as show_stack(current, NULL) + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sparc64/kernel/traps.c | 18 +++++++++++------- + arch/sparc64/mm/fault.c | 5 +---- + 2 files changed, 12 insertions(+), 11 deletions(-) + +--- a/arch/sparc64/kernel/traps.c ++++ b/arch/sparc64/kernel/traps.c +@@ -2134,12 +2134,20 @@ static void user_instruction_dump (unsig + void show_stack(struct task_struct *tsk, unsigned long *_ksp) + { + unsigned long pc, fp, thread_base, ksp; +- void *tp = task_stack_page(tsk); ++ struct thread_info *tp; + struct reg_window *rw; + int count = 0; + + ksp = (unsigned long) _ksp; +- ++ if (!tsk) ++ tsk = current; ++ tp = task_thread_info(tsk); ++ if (ksp == 0UL) { ++ if (tsk == current) ++ asm("mov %%fp, %0" : "=r" (ksp)); ++ else ++ ksp = tp->ksp; ++ } + if (tp == current_thread_info()) + flushw_all(); + +@@ -2168,11 +2176,7 @@ void show_stack(struct task_struct *tsk, + + void dump_stack(void) + { +- unsigned long *ksp; +- +- __asm__ __volatile__("mov %%fp, %0" +- : "=r" (ksp)); +- show_stack(current, ksp); ++ show_stack(current, NULL); + } + + EXPORT_SYMBOL(dump_stack); +--- a/arch/sparc64/mm/fault.c ++++ b/arch/sparc64/mm/fault.c +@@ -112,15 +112,12 @@ static void __kprobes unhandled_fault(un + + static void bad_kernel_pc(struct pt_regs *regs, unsigned long vaddr) + { +- unsigned long *ksp; +- + printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n", + regs->tpc); + printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]); + print_symbol("RPC: <%s>\n", regs->u_regs[15]); + printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr); +- __asm__("mov %%sp, %0" : "=r" (ksp)); +- show_stack(current, ksp); ++ dump_stack(); + unhandled_fault(regs->tpc, current, regs); + } + + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:53 2007 +Message-Id: 
<20070823221253.758601573@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:12 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + "David S. Miller" +Subject: [patch 16/28] SPARC64: Fix sparc64 PCI config accesses on sun4u +Content-Disposition: inline; filename=sparc64-fix-sparc64-pci-config-accesses-on-sun4u.patch +Content-Length: 5943 +Lines: 213 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: David Miller + +[SPARC64]: Fix sun4u PCI config space accesses on sun4u. + +Don't provide fake PCI config space for sun4u. + +Also, put back the funny host controller space handling that +at least Sabre needs. You have to read PCI host controller +registers at their nature size otherwise you get zeros instead +of correct values. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sparc64/kernel/pci.c | 15 +++- + arch/sparc64/kernel/pci_common.c | 123 ++++++++++++++++++++++++++++++++++++--- + 2 files changed, 126 insertions(+), 12 deletions(-) + +--- a/arch/sparc64/kernel/pci.c ++++ b/arch/sparc64/kernel/pci.c +@@ -422,10 +422,15 @@ struct pci_dev *of_create_pci_dev(struct + dev->multifunction = 0; /* maybe a lie? 
*/ + + if (host_controller) { +- dev->vendor = 0x108e; +- dev->device = 0x8000; +- dev->subsystem_vendor = 0x0000; +- dev->subsystem_device = 0x0000; ++ if (tlb_type != hypervisor) { ++ pci_read_config_word(dev, PCI_VENDOR_ID, ++ &dev->vendor); ++ pci_read_config_word(dev, PCI_DEVICE_ID, ++ &dev->device); ++ } else { ++ dev->vendor = PCI_VENDOR_ID_SUN; ++ dev->device = 0x80f0; ++ } + dev->cfg_size = 256; + dev->class = PCI_CLASS_BRIDGE_HOST << 8; + sprintf(pci_name(dev), "%04x:%02x:%02x.%d", pci_domain_nr(bus), +@@ -817,7 +822,7 @@ int pci_host_bridge_read_pci_cfg(struct + { + static u8 fake_pci_config[] = { + 0x8e, 0x10, /* Vendor: 0x108e (Sun) */ +- 0x00, 0x80, /* Device: 0x8000 (PBM) */ ++ 0xf0, 0x80, /* Device: 0x80f0 (Fire) */ + 0x46, 0x01, /* Command: 0x0146 (SERR, PARITY, MASTER, MEM) */ + 0xa0, 0x22, /* Status: 0x02a0 (DEVSEL_MED, FB2B, 66MHZ) */ + 0x00, 0x00, 0x00, 0x06, /* Class: 0x06000000 host bridge */ +--- a/arch/sparc64/kernel/pci_common.c ++++ b/arch/sparc64/kernel/pci_common.c +@@ -44,6 +44,67 @@ static void *sun4u_config_mkaddr(struct + return (void *) (pbm->config_space | bus | devfn | reg); + } + ++/* At least on Sabre, it is necessary to access all PCI host controller ++ * registers at their natural size, otherwise zeros are returned. ++ * Strange but true, and I see no language in the UltraSPARC-IIi ++ * programmer's manual that mentions this even indirectly. 
++ */ ++static int sun4u_read_pci_cfg_host(struct pci_pbm_info *pbm, ++ unsigned char bus, unsigned int devfn, ++ int where, int size, u32 *value) ++{ ++ u32 tmp32, *addr; ++ u16 tmp16; ++ u8 tmp8; ++ ++ addr = sun4u_config_mkaddr(pbm, bus, devfn, where); ++ if (!addr) ++ return PCIBIOS_SUCCESSFUL; ++ ++ switch (size) { ++ case 1: ++ if (where < 8) { ++ unsigned long align = (unsigned long) addr; ++ ++ align &= ~1; ++ pci_config_read16((u16 *)align, &tmp16); ++ if (where & 1) ++ *value = tmp16 >> 8; ++ else ++ *value = tmp16 & 0xff; ++ } else { ++ pci_config_read8((u8 *)addr, &tmp8); ++ *value = (u32) tmp8; ++ } ++ break; ++ ++ case 2: ++ if (where < 8) { ++ pci_config_read16((u16 *)addr, &tmp16); ++ *value = (u32) tmp16; ++ } else { ++ pci_config_read8((u8 *)addr, &tmp8); ++ *value = (u32) tmp8; ++ pci_config_read8(((u8 *)addr) + 1, &tmp8); ++ *value |= ((u32) tmp8) << 8; ++ } ++ break; ++ ++ case 4: ++ tmp32 = 0xffffffff; ++ sun4u_read_pci_cfg_host(pbm, bus, devfn, ++ where, 2, &tmp32); ++ *value = tmp32; ++ ++ tmp32 = 0xffffffff; ++ sun4u_read_pci_cfg_host(pbm, bus, devfn, ++ where + 2, 2, &tmp32); ++ *value |= tmp32 << 16; ++ break; ++ } ++ return PCIBIOS_SUCCESSFUL; ++} ++ + static int sun4u_read_pci_cfg(struct pci_bus *bus_dev, unsigned int devfn, + int where, int size, u32 *value) + { +@@ -53,10 +114,6 @@ static int sun4u_read_pci_cfg(struct pci + u16 tmp16; + u8 tmp8; + +- if (bus_dev == pbm->pci_bus && devfn == 0x00) +- return pci_host_bridge_read_pci_cfg(bus_dev, devfn, where, +- size, value); +- + switch (size) { + case 1: + *value = 0xff; +@@ -69,6 +126,10 @@ static int sun4u_read_pci_cfg(struct pci + break; + } + ++ if (!bus_dev->number && !PCI_SLOT(devfn)) ++ return sun4u_read_pci_cfg_host(pbm, bus, devfn, where, ++ size, value); ++ + addr = sun4u_config_mkaddr(pbm, bus, devfn, where); + if (!addr) + return PCIBIOS_SUCCESSFUL; +@@ -101,6 +162,53 @@ static int sun4u_read_pci_cfg(struct pci + return PCIBIOS_SUCCESSFUL; + } + ++static int 
sun4u_write_pci_cfg_host(struct pci_pbm_info *pbm, ++ unsigned char bus, unsigned int devfn, ++ int where, int size, u32 value) ++{ ++ u32 *addr; ++ ++ addr = sun4u_config_mkaddr(pbm, bus, devfn, where); ++ if (!addr) ++ return PCIBIOS_SUCCESSFUL; ++ ++ switch (size) { ++ case 1: ++ if (where < 8) { ++ unsigned long align = (unsigned long) addr; ++ u16 tmp16; ++ ++ align &= ~1; ++ pci_config_read16((u16 *)align, &tmp16); ++ if (where & 1) { ++ tmp16 &= 0x00ff; ++ tmp16 |= value << 8; ++ } else { ++ tmp16 &= 0xff00; ++ tmp16 |= value; ++ } ++ pci_config_write16((u16 *)align, tmp16); ++ } else ++ pci_config_write8((u8 *)addr, value); ++ break; ++ case 2: ++ if (where < 8) { ++ pci_config_write16((u16 *)addr, value); ++ } else { ++ pci_config_write8((u8 *)addr, value & 0xff); ++ pci_config_write8(((u8 *)addr) + 1, value >> 8); ++ } ++ break; ++ case 4: ++ sun4u_write_pci_cfg_host(pbm, bus, devfn, ++ where, 2, value & 0xffff); ++ sun4u_write_pci_cfg_host(pbm, bus, devfn, ++ where + 2, 2, value >> 16); ++ break; ++ } ++ return PCIBIOS_SUCCESSFUL; ++} ++ + static int sun4u_write_pci_cfg(struct pci_bus *bus_dev, unsigned int devfn, + int where, int size, u32 value) + { +@@ -108,9 +216,10 @@ static int sun4u_write_pci_cfg(struct pc + unsigned char bus = bus_dev->number; + u32 *addr; + +- if (bus_dev == pbm->pci_bus && devfn == 0x00) +- return pci_host_bridge_write_pci_cfg(bus_dev, devfn, where, +- size, value); ++ if (!bus_dev->number && !PCI_SLOT(devfn)) ++ return sun4u_write_pci_cfg_host(pbm, bus, devfn, where, ++ size, value); ++ + addr = sun4u_config_mkaddr(pbm, bus, devfn, where); + if (!addr) + return PCIBIOS_SUCCESSFUL; + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:54 2007 +Message-Id: <20070823221253.903065874@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:13 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + 
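Review bot: In `sun4u_write_pci_cfg_host()`, the byte case for `where < 8` merges the `u32 value` into the 16-bit word unmasked, so in the even-offset branch `tmp16 |= value;` any bits above 0xff overwrite the neighbouring byte that the read-modify-write is meant to preserve. Callers presumably pass byte-sized values for `size == 1`, but the helper does not enforce it; `tmp16 |= value & 0xff;` and `tmp16 |= (value & 0xff) << 8;` would make that explicit. The same branch uses `tmp16` straight after `pci_config_read16()`; whether that helper stores a value when the access faults is outside the hunk.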
Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + "David S. Miller" +Subject: [patch 17/28] TCP: Do not autobind ports for TCP sockets +Content-Disposition: inline; filename=tcp-do-not-autobind-ports-for-tcp-sockets.patch +Content-Length: 3255 +Lines: 96 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: David Miller + +[TCP]: Invoke tcp_sendmsg() directly, do not use inet_sendmsg(). + +As discovered by Evegniy Polyakov, if we try to sendmsg after +a connection reset, we can do incredibly stupid things. + +The core issue is that inet_sendmsg() tries to autobind the +socket, but we should never do that for TCP. Instead we should +just go straight into TCP's sendmsg() code which will do all +of the necessary state and pending socket error checks. + +TCP's sendpage already directly vectors to tcp_sendpage(), so this +merely brings sendmsg() in line with that. + +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/tcp.h | 2 +- + net/ipv4/af_inet.c | 2 +- + net/ipv4/tcp.c | 3 ++- + net/ipv4/tcp_ipv4.c | 1 - + net/ipv6/af_inet6.c | 2 +- + net/ipv6/tcp_ipv6.c | 1 - + 6 files changed, 5 insertions(+), 6 deletions(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -281,7 +281,7 @@ extern int tcp_v4_remember_stamp(struc + + extern int tcp_v4_tw_remember_stamp(struct inet_timewait_sock *tw); + +-extern int tcp_sendmsg(struct kiocb *iocb, struct sock *sk, ++extern int tcp_sendmsg(struct kiocb *iocb, struct socket *sock, + struct msghdr *msg, size_t size); + extern ssize_t tcp_sendpage(struct socket *sock, struct page *page, int offset, size_t size, int flags); + +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -831,7 +831,7 @@ const struct proto_ops inet_stream_ops = + .shutdown = inet_shutdown, + .setsockopt = sock_common_setsockopt, + .getsockopt = sock_common_getsockopt, +- .sendmsg = inet_sendmsg, ++ .sendmsg = tcp_sendmsg, + .recvmsg = sock_common_recvmsg, + .mmap = sock_no_mmap, + .sendpage = tcp_sendpage, +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -658,9 +658,10 @@ static inline int select_size(struct soc + return tmp; + } + +-int tcp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, ++int tcp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, + size_t size) + { ++ struct sock *sk = sock->sk; + struct iovec *iov; + struct tcp_sock *tp = tcp_sk(sk); + struct sk_buff *skb; +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -2434,7 +2434,6 @@ struct proto tcp_prot = { + .shutdown = tcp_shutdown, + .setsockopt = tcp_setsockopt, + .getsockopt = tcp_getsockopt, +- .sendmsg = tcp_sendmsg, + .recvmsg = tcp_recvmsg, + .backlog_rcv = tcp_v4_do_rcv, + .hash = tcp_v4_hash, +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -487,7 +487,7 @@ const struct proto_ops inet6_stream_ops + .shutdown = inet_shutdown, /* ok */ + .setsockopt = sock_common_setsockopt, /* 
ok */ + .getsockopt = sock_common_getsockopt, /* ok */ +- .sendmsg = inet_sendmsg, /* ok */ ++ .sendmsg = tcp_sendmsg, /* ok */ + .recvmsg = sock_common_recvmsg, /* ok */ + .mmap = sock_no_mmap, + .sendpage = tcp_sendpage, +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -2135,7 +2135,6 @@ struct proto tcpv6_prot = { + .shutdown = tcp_shutdown, + .setsockopt = tcp_setsockopt, + .getsockopt = tcp_getsockopt, +- .sendmsg = tcp_sendmsg, + .recvmsg = tcp_recvmsg, + .backlog_rcv = tcp_v6_do_rcv, + .hash = tcp_v6_hash, + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:54 2007 +Message-Id: <20070823221254.036054041@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:14 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + =?ISO-8859-15?q?Ilpo=20J=E4rvinen?= , + "David S. Miller" +Subject: [patch 18/28] TCP: Fix TCP rate-halving on bidirectional flows. +Content-Disposition: inline; filename=tcp-fix-tcp-rate-halving-on-bidirectional-flows.patch +Content-Length: 2004 +Lines: 70 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Ilpo Järvinen + +Actually, the ratehalving seems to work too well, as cwnd is +reduced on every second ACK even though the packets in flight +remains unchanged. Recoveries in a bidirectional flows suffer +quite badly because of this, both NewReno and SACK are affected. + +After this patch, rate halving is performed for ACK only if +packets in flight was supposedly changed too. + +Signed-off-by: Ilpo Järvinen +Signed-off-by: David S. 
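Review bot: Dropping `.sendmsg = tcp_sendmsg` from `tcpv6_prot` here, and from `tcp_prot` in the tcp_ipv4.c hunk, leaves `sk_prot->sendmsg` NULL for TCP sockets. Nothing in these hunks shows that every remaining caller of `sk->sk_prot->sendmsg` is unreachable for TCP, so a path that still goes through it would call a NULL function pointer in the kernel. It is worth grepping for such callers and adding a comment in both `struct proto` initialisers, such as `/* no .sendmsg: TCP is entered through proto_ops, tcp_sendmsg takes a struct socket */`. Both initialisers continue outside their hunks.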
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_input.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -1851,19 +1851,22 @@ static inline u32 tcp_cwnd_min(const str + } + + /* Decrease cwnd each second ack. */ +-static void tcp_cwnd_down(struct sock *sk) ++static void tcp_cwnd_down(struct sock *sk, int flag) + { + struct tcp_sock *tp = tcp_sk(sk); + int decr = tp->snd_cwnd_cnt + 1; + +- tp->snd_cwnd_cnt = decr&1; +- decr >>= 1; ++ if ((flag&FLAG_FORWARD_PROGRESS) || ++ (IsReno(tp) && !(flag&FLAG_NOT_DUP))) { ++ tp->snd_cwnd_cnt = decr&1; ++ decr >>= 1; + +- if (decr && tp->snd_cwnd > tcp_cwnd_min(sk)) +- tp->snd_cwnd -= decr; ++ if (decr && tp->snd_cwnd > tcp_cwnd_min(sk)) ++ tp->snd_cwnd -= decr; + +- tp->snd_cwnd = min(tp->snd_cwnd, tcp_packets_in_flight(tp)+1); +- tp->snd_cwnd_stamp = tcp_time_stamp; ++ tp->snd_cwnd = min(tp->snd_cwnd, tcp_packets_in_flight(tp)+1); ++ tp->snd_cwnd_stamp = tcp_time_stamp; ++ } + } + + /* Nothing was retransmitted or returned timestamp is less +@@ -2060,7 +2063,7 @@ static void tcp_try_to_open(struct sock + } + tcp_moderate_cwnd(tp); + } else { +- tcp_cwnd_down(sk); ++ tcp_cwnd_down(sk, flag); + } + } + +@@ -2260,7 +2263,7 @@ tcp_fastretrans_alert(struct sock *sk, u + + if (is_dupack || tcp_head_timedout(sk)) + tcp_update_scoreboard(sk); +- tcp_cwnd_down(sk); ++ tcp_cwnd_down(sk, flag); + tcp_xmit_retransmit_queue(sk); + } + + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:54 2007 +Message-Id: <20070823221254.174329494@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:15 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + 
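Review bot: The comment `/* Decrease cwnd each second ack. */` above `tcp_cwnd_down()` no longer matches the body: the whole function is now skipped unless `flag` has `FLAG_FORWARD_PROGRESS` set or the flow is Reno and `FLAG_NOT_DUP` is clear. That includes the `min(tp->snd_cwnd, tcp_packets_in_flight(tp)+1)` clamp and the `snd_cwnd_stamp` update, which used to run on every call; if skipping them for other ACKs is intended, the comment should say so. I would write `/* Decrease cwnd each second ack, but only for ACKs that changed packets in flight; other ACKs leave cwnd and its stamp untouched. */`. The callers in `tcp_try_to_open()` and `tcp_fastretrans_alert()` start outside their hunks.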
torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stuata.de, + =?ISO-8859-15?q?Ilpo=20J=E4rvinen?= , + "David S. Miller" +Subject: [patch 19/28] TCP: Fix TCP handling of SACK in bidirectional flows. +Content-Disposition: inline; filename=tcp-fix-tcp-handling-of-sack-in-bidirectional-flows.patch +Content-Length: 1592 +Lines: 41 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Ilpo Järvinen + +It's possible that new SACK blocks that should trigger new LOST +markings arrive with new data (which previously made is_dupack +false). In addition, I think this fixes a case where we get +a cumulative ACK with enough SACK blocks to trigger the fast +recovery (is_dupack would be false there too). + +I'm not completely pleased with this solution because readability +of the code is somewhat questionable as 'is_dupack' in SACK case +is no longer about dupacks only but would mean something like +'lost_marker_work_todo' too... But because of Eifel stuff done +in CA_Recovery, the FLAG_DATA_SACKED check cannot be placed to +the if statement which seems attractive solution. Nevertheless, +I didn't like adding another variable just for that either... :-) + +Signed-off-by: Ilpo Järvinen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_input.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2112,7 +2112,10 @@ tcp_fastretrans_alert(struct sock *sk, u + { + struct inet_connection_sock *icsk = inet_csk(sk); + struct tcp_sock *tp = tcp_sk(sk); +- int is_dupack = (tp->snd_una == prior_snd_una && !(flag&FLAG_NOT_DUP)); ++ int is_dupack = (tp->snd_una == prior_snd_una && ++ (!(flag&FLAG_NOT_DUP) || ++ ((flag&FLAG_DATA_SACKED) && ++ (tp->fackets_out > tp->reordering)))); + + /* Some technical things: + * 1. Reno does not count dupacks (sacked_out) automatically. 
*/ + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:54 2007 +Message-Id: <20070823221254.342161924@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:16 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + Konstantin Sharlaimov , + "David S. Miller" +Subject: [patch 20/28] PPP: Fix PPP buffer sizing. +Content-Disposition: inline; filename=ppp-fix-ppp-buffer-sizing.patch +Content-Length: 1290 +Lines: 35 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Konstantin Sharlaimov + +This patch addresses the issue with "osize too small" errors in mppe +encryption. The patch fixes the issue with wrong output buffer size +being passed to ppp decompression routine. + +-------------------- +As pointed out by Suresh Mahalingam, the issue addressed by +ppp-fix-osize-too-small-errors-when-decoding patch is not fully resolved yet. +The size of allocated output buffer is correct, however it size passed to +ppp->rcomp->decompress in ppp_generic.c if wrong. The patch fixes that. +-------------------- + +Signed-off-by: Konstantin Sharlaimov +Signed-off-by: David S. 
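Review bot: `is_dupack` in `tcp_fastretrans_alert()` is now also true for an ACK that carries new SACK information once `tp->fackets_out > tp->reordering`, which the name does not convey and the commit message itself concedes. Since the variable keeps its name, a comment above the initialiser would help, e.g. `/* Also set for non-duplicate ACKs whose new SACK blocks may require LOST marking. */`. The four-line condition would also read more easily with spaces around `&`, as in `(flag & FLAG_DATA_SACKED)`. The function body continues outside the hunk.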
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ppp_generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ppp_generic.c ++++ b/drivers/net/ppp_generic.c +@@ -1726,7 +1726,7 @@ ppp_decompress_frame(struct ppp *ppp, st + } + /* the decompressor still expects the A/C bytes in the hdr */ + len = ppp->rcomp->decompress(ppp->rc_state, skb->data - 2, +- skb->len + 2, ns->data, ppp->mru + PPP_HDRLEN); ++ skb->len + 2, ns->data, obuff_size); + if (len < 0) { + /* Pass the compressed frame to pppd as an + error indication. */ + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:54 2007 +Message-Id: <20070823221254.519685244@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:17 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + linux-pci@atrey.karlin.mff.cuni.cz +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk +Subject: [patch 21/28] PCI: lets kill the PCI hidden behind bridge message +Content-Disposition: inline; filename=pci-lets-kill-the-pci-hidden-behind-bridge-message.patch +Content-Length: 4123 +Lines: 102 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Bernhard Kaindl + +Adrian Bunk wrote: +> Alois NeÅ¡por wrote +>> PCI: Bus #0b (-#0e) is hidden behind transparent bridge #0a (-#0b) (try 'pci=assign-busses') +>> Please report the result to linux-kernel to fix this permanently" +>> +>> dmesg: +>> "Yenta: Raising subordinate bus# of parent bus (#0a) from #0b to #0e" +>> without pci=assign-busses and nothing with pci=assign-busses. +> +> Bernhard? + +Ok, lets kill the message. 
As Alois NeÅ¡por also saw, that's fixed up by Yenta, +so PCI does not have to warn about it. PCI could still warn about it if +is_cardbus is 0 in that instance of pci_scan_bridge(), but so far I have +not seen a report where this would have been the case so I think we can +spare the kernel of that check (removes ~300 lines of asm) unless debugging +is done. + +History: The whole check was added in the days before we had the fixup +for this in Yenta and pci=assign-busses was the only way to get CardBus +cards detected on many (not all) of the machines which give this warning. + +In theory, there could be cases when this warning would be triggered and +it's not cardbus, then the warning should still apply, but I think this +should only be the case when working on a completely broken PCI setup, +but one may have already enabled the debug code in drivers/pci and the +patched check would then trigger. + +I do not sign this off yet because it's completely untested so far, but +everyone is free to test it (with the #ifdef DEBUG replaced by #if 1 and +pr_debug( changed to printk(. + +We may also dump the whole check (remove everything within the #ifdef from +the source) if that's perferred. + +On Alois NeÅ¡por's machine this would then (only when debugging) this message: + +"PCI: Bus #0b (-#0e) is partially hidden behind transparent bridge #0a (-#0b)" + +"partially" should be in the message on his machine because #0b of #0b-#0e +is reachable behind #0a-#0b, but not #0c-#0e. + +But that differentiation is now moot anyway because the fixup in Yenta takes +care of it as far as I could see so far, which means that unless somebody +is debugging a totally broken PCI setup, this message is not needed anymore, +not even for debugging PCI. 
+ + +Ok, here the patch with the following changes: + +* Refined to say that the bus is only partially hidden when the parent + bus numbers are not totally way off (outside of) the child bus range +* remove the reference to pci=assign-busses and the plea to report it + +We could add a pure source code-only comment to keep a reference to +pci=assign-busses the in case when this is triggered by someone who +is debugging the cause of this message and looking the way to solve it. + +From: Bernhard Kaindl +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/probe.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -643,20 +643,20 @@ int pci_scan_bridge(struct pci_bus *bus, + + sprintf(child->name, (is_cardbus ? "PCI CardBus #%02x" : "PCI Bus #%02x"), child->number); + ++ /* Has only triggered on CardBus, fixup is in yenta_socket */ + while (bus->parent) { + if ((child->subordinate > bus->subordinate) || + (child->number > bus->subordinate) || + (child->number < bus->number) || + (child->subordinate < bus->number)) { +- printk(KERN_WARNING "PCI: Bus #%02x (-#%02x) is " +- "hidden behind%s bridge #%02x (-#%02x)%s\n", +- child->number, child->subordinate, +- bus->self->transparent ? " transparent" : " ", +- bus->number, bus->subordinate, +- pcibios_assign_all_busses() ? " " : +- " (try 'pci=assign-busses')"); +- printk(KERN_WARNING "Please report the result to " +- "linux-kernel to fix this permanently\n"); ++ pr_debug("PCI: Bus #%02x (-#%02x) is %s" ++ "hidden behind%s bridge #%02x (-#%02x)\n", ++ child->number, child->subordinate, ++ (bus->number > child->subordinate && ++ bus->subordinate < child->number) ? ++ "wholly " : " partially", ++ bus->self->transparent ? 
" transparent" : " ", ++ bus->number, bus->subordinate); + } + bus = bus->parent; + } + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:54 2007 +Message-Id: <20070823221254.652198393@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:18 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + linux-pci@atrey.karlin.mff.cuni.cz +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Tejun Heo , + Henry Su +Subject: [patch 22/28] PCI: disable MSI on RS690 +Content-Disposition: inline; filename=pci-disable-msi-on-rs690.patch +Content-Length: 1398 +Lines: 36 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Tejun Heo + +RS690 can't do MSI like its predecessors. Disable MSI on RS690. 
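Review bot: The test that selects "wholly" in the new pr_debug() call in pci_scan_bridge(), `bus->number > child->subordinate && bus->subordinate < child->number`, cannot be true when each bus has number <= subordinate (assumed; that invariant is not visible here), because it would imply bus->number > bus->subordinate, so every message takes the "partially" branch. Two ranges that do not overlap are expressed with `||`: `(bus->number > child->subordinate || bus->subordinate < child->number) ?`. As shown on this page the two strings are also uneven, `"wholly "` with a trailing space and `" partially"` with a leading one, so after `is %s` the second would run into `hidden`; whitespace is collapsed on this page, so check this against the original patch. The enclosing loop and function start outside the hunk.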
+ +Signed-off-by: Tejun Heo +Cc: Henry Su +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 1 + + include/linux/pci_ids.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -1640,6 +1640,7 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_SE + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_SERVERWORKS, PCI_DEVICE_ID_SERVERWORKS_HT1000_PCIX, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS400_200, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS480, quirk_disable_all_msi); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS690, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_VT3351, quirk_disable_all_msi); + + /* Disable MSI on chipsets that are known to not support it */ +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -357,6 +357,7 @@ + #define PCI_DEVICE_ID_ATI_RS400_166 0x5a32 + #define PCI_DEVICE_ID_ATI_RS400_200 0x5a33 + #define PCI_DEVICE_ID_ATI_RS480 0x5950 ++#define PCI_DEVICE_ID_ATI_RS690 0x7910 + /* ATI IXP Chipset */ + #define PCI_DEVICE_ID_ATI_IXP200_IDE 0x4349 + #define PCI_DEVICE_ID_ATI_IXP200_SMBUS 0x4353 + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:54 2007 +Message-Id: <20070823221254.796029269@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:19 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + linux-pci@atrey.karlin.mff.cuni.cz +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Tejun Heo +Subject: [patch 23/28] PCI: disable MSI on RD580 +Content-Disposition: inline; filename=pci-disable-msi-on-rd580.patch 
+Content-Length: 1386 +Lines: 35 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Tejun Heo + +RD580 can't do MSI like its predecessors. Disable MSI on RD580. + +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 1 + + include/linux/pci_ids.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -1640,6 +1640,7 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_SE + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_SERVERWORKS, PCI_DEVICE_ID_SERVERWORKS_HT1000_PCIX, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS400_200, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS480, quirk_disable_all_msi); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RD580, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS690, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_VT3351, quirk_disable_all_msi); + +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -357,6 +357,7 @@ + #define PCI_DEVICE_ID_ATI_RS400_166 0x5a32 + #define PCI_DEVICE_ID_ATI_RS400_200 0x5a33 + #define PCI_DEVICE_ID_ATI_RS480 0x5950 ++#define PCI_DEVICE_ID_ATI_RD580 0x5952 + #define PCI_DEVICE_ID_ATI_RS690 0x7910 + /* ATI IXP Chipset */ + #define PCI_DEVICE_ID_ATI_IXP200_IDE 0x4349 + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:55 2007 +Message-Id: <20070823221254.950697125@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:20 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + linux-pci@atrey.karlin.mff.cuni.cz +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + 
torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Tejun Heo +Subject: [patch 24/28] PCI: disable MSI on RX790 +Content-Disposition: inline; filename=pci-disable-msi-on-rx790.patch +Content-Length: 1360 +Lines: 35 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Tejun Heo + +RX790 can't do MSI like its predecessors. Disable MSI on RX790. + +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 1 + + include/linux/pci_ids.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -1641,6 +1641,7 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_SE + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS400_200, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS480, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RD580, quirk_disable_all_msi); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RX790, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS690, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_VT3351, quirk_disable_all_msi); + +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -358,6 +358,7 @@ + #define PCI_DEVICE_ID_ATI_RS400_200 0x5a33 + #define PCI_DEVICE_ID_ATI_RS480 0x5950 + #define PCI_DEVICE_ID_ATI_RD580 0x5952 ++#define PCI_DEVICE_ID_ATI_RX790 0x5957 + #define PCI_DEVICE_ID_ATI_RS690 0x7910 + /* ATI IXP Chipset */ + #define PCI_DEVICE_ID_ATI_IXP200_IDE 0x4349 + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:55 2007 +Message-Id: <20070823221255.088190801@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:21 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + 
linux-usb-devel@lists.sourceforge.net +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Alan Stern , + Oliver Neukum +Subject: [patch 25/28] USB: cdc-acm: fix sysfs attribute registration bug +Content-Disposition: inline; filename=usb-cdc-acm-fix-sysfs-attribute-registration-bug.patch +Content-Length: 1037 +Lines: 33 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Alan Stern + +This patch (as950) fixes a bug in the cdc-acm driver. It doesn't keep +track of which interface (control or data) the sysfs attributes get +registered for, and as a result, during disconnect it will sometimes +attempt to remove the attributes from the wrong interface. The +left-over attributes can cause a crash later on, particularly if the driver +module has been unloaded. + +Signed-off-by: Alan Stern +Acked-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -900,6 +900,10 @@ next_desc: + return -ENODEV; + } + } ++ ++ /* Accept probe requests only for the control interface */ ++ if (intf != control_interface) ++ return -ENODEV; + + if (data_interface_num != call_interface_num) + dev_dbg(&intf->dev,"Seperate call control interface. 
That is not fully supported."); + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:55 2007 +Message-Id: <20070823221255.236602268@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:22 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + linux-usb-devel@lists.sourceforge.net +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Alan Stern +Subject: [patch 26/28] USB: allow retry on descriptor fetch errors +Content-Disposition: inline; filename=usb-allow-retry-on-descriptor-fetch-errors.patch +Content-Length: 1114 +Lines: 33 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Alan Stern + +This patch (as964) was suggested by Steffen Koepf. It makes +usb_get_descriptor() retry on all errors other than ETIMEDOUT, instead +of only on EPIPE. This helps with some devices. 
+ +Signed-off-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/message.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -623,12 +623,12 @@ int usb_get_descriptor(struct usb_device + memset(buf,0,size); // Make sure we parse really received data + + for (i = 0; i < 3; ++i) { +- /* retry on length 0 or stall; some devices are flakey */ ++ /* retry on length 0 or error; some devices are flakey */ + result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), + USB_REQ_GET_DESCRIPTOR, USB_DIR_IN, + (type << 8) + index, 0, buf, size, + USB_CTRL_GET_TIMEOUT); +- if (result == 0 || result == -EPIPE) ++ if (result <= 0 && result != -ETIMEDOUT) + continue; + if (result > 1 && ((u8 *)buf)[1] != type) { + result = -EPROTO; + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:55 2007 +Message-Id: <20070823221255.372580650@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:23 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + linux-usb-devel@lists.sourceforge.net +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Oliver Neukum +Subject: [patch 27/28] USB: fix DoS in pwc USB video driver +Content-Disposition: inline; filename=usb-fix-dos-in-pwc-usb-video-driver.patch +Content-Length: 3739 +Lines: 120 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Oliver Neukum + +the pwc driver has a disconnect method that waits for user space to +close the device. This opens up an opportunity for a DoS attack, +blocking the USB subsystem and making khubd's task busy wait in +kernel space. 
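Review bot: The updated comment in the retry loop of usb_get_descriptor(), `retry on length 0 or error`, leaves out the one exception the new condition makes: with `result != -ETIMEDOUT` a timeout is no longer retried. Spelling that out keeps comment and condition in step, e.g. `/* retry on length 0 or any error except a timeout; some devices are flakey */`. The loop retries immediately on every other error as well; whether some of them can never succeed on a second attempt depends on what usb_control_msg() returns, which is outside this hunk.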
This patch shifts freeing resources to close if an opened +device is disconnected. + +Signed-off-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/pwc/pwc-if.c | 52 ++++++++++++++++++++++++++------------- + drivers/media/video/pwc/pwc.h | 1 + 2 files changed, 36 insertions(+), 17 deletions(-) + +--- a/drivers/media/video/pwc/pwc-if.c ++++ b/drivers/media/video/pwc/pwc-if.c +@@ -1196,12 +1196,19 @@ static int pwc_video_open(struct inode * + return 0; + } + ++ ++static void pwc_cleanup(struct pwc_device *pdev) ++{ ++ pwc_remove_sysfs_files(pdev->vdev); ++ video_unregister_device(pdev->vdev); ++} ++ + /* Note that all cleanup is done in the reverse order as in _open */ + static int pwc_video_close(struct inode *inode, struct file *file) + { + struct video_device *vdev = file->private_data; + struct pwc_device *pdev; +- int i; ++ int i, hint; + + PWC_DEBUG_OPEN(">> video_close called(vdev = 0x%p).\n", vdev); + +@@ -1224,8 +1231,9 @@ static int pwc_video_close(struct inode + pwc_isoc_cleanup(pdev); + pwc_free_buffers(pdev); + ++ lock_kernel(); + /* Turn off LEDS and power down camera, but only when not unplugged */ +- if (pdev->error_status != EPIPE) { ++ if (!pdev->unplugged) { + /* Turn LEDs off */ + if (pwc_set_leds(pdev, 0, 0) < 0) + PWC_DEBUG_MODULE("Failed to set LED on/off time.\n"); +@@ -1234,9 +1242,19 @@ static int pwc_video_close(struct inode + if (i < 0) + PWC_ERROR("Failed to power down camera (%d)\n", i); + } ++ pdev->vopen--; ++ PWC_DEBUG_OPEN("<< video_close() vopen=%d\n", i); ++ } else { ++ pwc_cleanup(pdev); ++ /* Free memory (don't set pdev to 0 just yet) */ ++ kfree(pdev); ++ /* search device_hint[] table if we occupy a slot, by any chance */ ++ for (hint = 0; hint < MAX_DEV_HINTS; hint++) ++ if (device_hint[hint].pdev == pdev) ++ device_hint[hint].pdev = NULL; + } +- pdev->vopen--; +- PWC_DEBUG_OPEN("<< video_close() vopen=%d\n", pdev->vopen); ++ unlock_kernel(); ++ + return 0; + } + +@@ -1791,21 +1809,21 @@ static 
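Review bot: In pwc_video_close() (hunk `@@ -1234,9 +1242,19 @@`) the moved debug line now passes `i`, the power-down return value, to a format that labels it `vopen`, so the trace no longer shows the open count, and `i` may not be assigned on every path (its assignment is outside the hunk). It should stay `PWC_DEBUG_OPEN("<< video_close() vopen=%d\n", pdev->vopen);`. In the new else branch the device_hint[] scan runs after `kfree(pdev)`; it only compares the pointer value, but doing the scan before the free keeps the freed pointer out of any later expression. The function starts outside this hunk.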
void usb_pwc_disconnect(struct us + /* Alert waiting processes */ + wake_up_interruptible(&pdev->frameq); + /* Wait until device is closed */ +- while (pdev->vopen) +- schedule(); +- /* Device is now closed, so we can safely unregister it */ +- PWC_DEBUG_PROBE("Unregistering video device in disconnect().\n"); +- pwc_remove_sysfs_files(pdev->vdev); +- video_unregister_device(pdev->vdev); +- +- /* Free memory (don't set pdev to 0 just yet) */ +- kfree(pdev); ++ if(pdev->vopen) { ++ pdev->unplugged = 1; ++ } else { ++ /* Device is closed, so we can safely unregister it */ ++ PWC_DEBUG_PROBE("Unregistering video device in disconnect().\n"); ++ pwc_cleanup(pdev); ++ /* Free memory (don't set pdev to 0 just yet) */ ++ kfree(pdev); + + disconnect_out: +- /* search device_hint[] table if we occupy a slot, by any chance */ +- for (hint = 0; hint < MAX_DEV_HINTS; hint++) +- if (device_hint[hint].pdev == pdev) +- device_hint[hint].pdev = NULL; ++ /* search device_hint[] table if we occupy a slot, by any chance */ ++ for (hint = 0; hint < MAX_DEV_HINTS; hint++) ++ if (device_hint[hint].pdev == pdev) ++ device_hint[hint].pdev = NULL; ++ } + + unlock_kernel(); + } +--- a/drivers/media/video/pwc/pwc.h ++++ b/drivers/media/video/pwc/pwc.h +@@ -193,6 +193,7 @@ struct pwc_device + char vsnapshot; /* snapshot mode */ + char vsync; /* used by isoc handler */ + char vmirror; /* for ToUCaM series */ ++ char unplugged; + + int cmd_len; + unsigned char cmd_buf[13]; + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:55 2007 +Message-Id: <20070823221255.522266234@mini.kroah.org> +References: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:07:24 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + linux-usb-devel@lists.sourceforge.net +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + 
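Review bot: The hand-off this patch introduces is not documented where it happens: in usb_pwc_disconnect() (hunk `@@ -1791,21 +1809,21 @@`) the `if(pdev->vopen)` branch only sets `pdev->unplugged = 1` and leaves pdev allocated with its device_hint[] slot still set, relying on pwc_video_close() to unregister and free it later. A comment on that branch such as `/* still open: unregister and kfree are deferred to pwc_video_close() */`, and one on the new field in the pwc.h hunk, `char unplugged; /* set by disconnect while the device is open */`, would make the ownership rule visible; the neighbouring fields in struct pwc_device all carry one. The `disconnect_out:` label now sits inside the `else` block, so any earlier `goto disconnect_out` (outside this hunk) enters that block from the side, which is valid C but easy to break in a later edit. Kernel style also wants `if (pdev->vopen)` with a space.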
torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Kay Sievers , + Andreas Jellinghaus +Subject: [patch 28/28] usb: add PRODUCT, TYPE to usb-interface events +Content-Disposition: inline; filename=usb-add-product-type-to-usb-interface-events.patch +Content-Length: 1439 +Lines: 49 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Kay Sievers + +This fixes a regression for userspace programs that were relying on these events. + + +Signed-off-by: Kay Sievers +Cc: Andreas Jellinghaus +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/message.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -1344,6 +1344,30 @@ static int usb_if_uevent(struct device * + usb_dev = interface_to_usbdev(intf); + alt = intf->cur_altsetting; + ++#ifdef CONFIG_USB_DEVICEFS ++ if (add_uevent_var(envp, num_envp, &i, ++ buffer, buffer_size, &length, ++ "DEVICE=/proc/bus/usb/%03d/%03d", ++ usb_dev->bus->busnum, usb_dev->devnum)) ++ return -ENOMEM; ++#endif ++ ++ if (add_uevent_var(envp, num_envp, &i, ++ buffer, buffer_size, &length, ++ "PRODUCT=%x/%x/%x", ++ le16_to_cpu(usb_dev->descriptor.idVendor), ++ le16_to_cpu(usb_dev->descriptor.idProduct), ++ le16_to_cpu(usb_dev->descriptor.bcdDevice))) ++ return -ENOMEM; ++ ++ if (add_uevent_var(envp, num_envp, &i, ++ buffer, buffer_size, &length, ++ "TYPE=%d/%d/%d", ++ usb_dev->descriptor.bDeviceClass, ++ usb_dev->descriptor.bDeviceSubClass, ++ usb_dev->descriptor.bDeviceProtocol)) ++ return -ENOMEM; ++ + if (add_uevent_var(envp, num_envp, &i, + buffer, buffer_size, &length, + "INTERFACE=%d/%d/%d", + +-- + +From gregkh@mini.kroah.org Thu Aug 23 15:12:51 2007 +Message-Id: <20070823220656.101239233@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Thu, 23 Aug 2007 15:06:56 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes 
,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ Domenico Andreoli ,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk
+Subject: [patch 00/28] 2.6.22-stable review cycle again
+Content-Length: 714
+Lines: 17
+
+This is the start of the stable review cycle for the 2.6.22.6 release.
+There are 28 patches in this series, all will be posted as a response
+to this one. If anyone has any issues with these being applied, please
+let us know. If anyone is a maintainer of the proper subsystem, and
+wants to add a
Signed-off-by: line to the patch, please respond with it.
+
+These patches are sent out with a number of different people on the Cc:
+line. If you wish to be a reviewer, please email stable@kernel.org to
+add your name to the list. If you want to be off the reviewer list,
+also email us.
+
+Responses should be made by August 25 22:00:00 UTC 2007. Anything
+received after that time might be too late.
+
+thanks,
+
+greg k-h
+
+From gregkh@mini.kroah.org Thu Aug 23 15:12:51 2007
+Message-Id: <20070823221251.433983727@mini.kroah.org>
+References: <20070823220656.101239233@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Thu, 23 Aug 2007 15:06:57 -0700
+From: Greg KH
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes ,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ Domenico Andreoli ,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Mark Fasheh
+Subject: [patch 01/28] ocfs2: Fix bad source start calculation during kernel writes
+Content-Disposition: inline; filename=ocfs2-fix-bad-source-start-calculation-during-kernel-writes.patch
+Status: RO
+Content-Length: 1030
+Lines: 34
+
+-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Mark Fasheh
+
+[PATCH] ocfs2: Fix bad source start calculation during kernel writes
+
+For in-kernel writes ocfs2_get_write_source() should be starting the buffer
+at a page boundary as the math in ocfs2_map_and_write_user_data() will pad
+it back out to the correct write offset. Instead, we were passing the raw
+offset, which caused ocfs2_map_and_write_user_data() start too far into the
+buffer, resulting in corruptions from nfs client writes.
+ +Signed-off-by: Mark Fasheh +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ocfs2/file.c ++++ b/fs/ocfs2/file.c +@@ -1353,7 +1353,7 @@ static struct page * ocfs2_get_write_sou + else + src_page = ERR_PTR(-EFAULT); + } else { +- bp->b_src_buf = buf; ++ bp->b_src_buf = (char *)((unsigned long)buf & PAGE_CACHE_MASK); + } + + return src_page; + +-- + diff --git a/queue-2.6.22/net-fix-missing-rcu-unlock-in-__sock_create.patch b/review-2.6.22/net-fix-missing-rcu-unlock-in-__sock_create.patch similarity index 100% rename from queue-2.6.22/net-fix-missing-rcu-unlock-in-__sock_create.patch rename to review-2.6.22/net-fix-missing-rcu-unlock-in-__sock_create.patch diff --git a/queue-2.6.22/net-share-correct-feature-code-between-bridging-and-bonding.patch b/review-2.6.22/net-share-correct-feature-code-between-bridging-and-bonding.patch similarity index 100% rename from queue-2.6.22/net-share-correct-feature-code-between-bridging-and-bonding.patch rename to review-2.6.22/net-share-correct-feature-code-between-bridging-and-bonding.patch diff --git a/queue-2.6.22/netfilter-missing-kbuild-entry-for-netfilter.patch b/review-2.6.22/netfilter-missing-kbuild-entry-for-netfilter.patch similarity index 100% rename from queue-2.6.22/netfilter-missing-kbuild-entry-for-netfilter.patch rename to review-2.6.22/netfilter-missing-kbuild-entry-for-netfilter.patch diff --git a/queue-2.6.22/ocfs2-fix-bad-source-start-calculation-during-kernel-writes.patch b/review-2.6.22/ocfs2-fix-bad-source-start-calculation-during-kernel-writes.patch similarity index 100% rename from queue-2.6.22/ocfs2-fix-bad-source-start-calculation-during-kernel-writes.patch rename to review-2.6.22/ocfs2-fix-bad-source-start-calculation-during-kernel-writes.patch diff --git a/review-2.6.22/pci-disable-msi-on-rd580.patch b/review-2.6.22/pci-disable-msi-on-rd580.patch new file mode 100644 index 00000000000..8bb9fafa04f --- /dev/null 
+++ b/review-2.6.22/pci-disable-msi-on-rd580.patch @@ -0,0 +1,41 @@ +From stable-bounces@linux.kernel.org Wed Aug 22 15:25:14 2007 +From: Tejun Heo +Date: Wed, 22 Aug 2007 15:12:54 -0700 +Subject: PCI: disable MSI on RD580 +To: linux-pci@atrey.karlin.mff.cuni.cz +Cc: Tejun Heo , Tejun Heo , stable , Greg Kroah-Hartman +Message-ID: <1187820836688-git-send-email-gregkh@suse.de> + + +From: Tejun Heo + +RD580 can't do MSI like its predecessors. Disable MSI on RD580. + +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 1 + + include/linux/pci_ids.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -1640,6 +1640,7 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_SE + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_SERVERWORKS, PCI_DEVICE_ID_SERVERWORKS_HT1000_PCIX, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS400_200, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS480, quirk_disable_all_msi); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RD580, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS690, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_VT3351, quirk_disable_all_msi); + +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -357,6 +357,7 @@ + #define PCI_DEVICE_ID_ATI_RS400_166 0x5a32 + #define PCI_DEVICE_ID_ATI_RS400_200 0x5a33 + #define PCI_DEVICE_ID_ATI_RS480 0x5950 ++#define PCI_DEVICE_ID_ATI_RD580 0x5952 + #define PCI_DEVICE_ID_ATI_RS690 0x7910 + /* ATI IXP Chipset */ + #define PCI_DEVICE_ID_ATI_IXP200_IDE 0x4349 diff --git a/review-2.6.22/pci-disable-msi-on-rs690.patch b/review-2.6.22/pci-disable-msi-on-rs690.patch new file mode 100644 index 00000000000..b0b5dd9e70b --- /dev/null +++ b/review-2.6.22/pci-disable-msi-on-rs690.patch 
@@ -0,0 +1,42 @@ +From stable-bounces@linux.kernel.org Wed Aug 22 15:25:07 2007 +From: Tejun Heo +Date: Wed, 22 Aug 2007 15:12:53 -0700 +Subject: PCI: disable MSI on RS690 +To: linux-pci@atrey.karlin.mff.cuni.cz +Cc: Tejun Heo , Greg Kroah-Hartman , stable , Henry Su +Message-ID: <11878208283274-git-send-email-gregkh@suse.de> + + +From: Tejun Heo + +RS690 can't do MSI like its predecessors. Disable MSI on RS690. + +Signed-off-by: Tejun Heo +Cc: Henry Su +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 1 + + include/linux/pci_ids.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -1640,6 +1640,7 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_SE + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_SERVERWORKS, PCI_DEVICE_ID_SERVERWORKS_HT1000_PCIX, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS400_200, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS480, quirk_disable_all_msi); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS690, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_VT3351, quirk_disable_all_msi); + + /* Disable MSI on chipsets that are known to not support it */ +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -357,6 +357,7 @@ + #define PCI_DEVICE_ID_ATI_RS400_166 0x5a32 + #define PCI_DEVICE_ID_ATI_RS400_200 0x5a33 + #define PCI_DEVICE_ID_ATI_RS480 0x5950 ++#define PCI_DEVICE_ID_ATI_RS690 0x7910 + /* ATI IXP Chipset */ + #define PCI_DEVICE_ID_ATI_IXP200_IDE 0x4349 + #define PCI_DEVICE_ID_ATI_IXP200_SMBUS 0x4353 diff --git a/review-2.6.22/pci-disable-msi-on-rx790.patch b/review-2.6.22/pci-disable-msi-on-rx790.patch new file mode 100644 index 00000000000..eab267da888 --- /dev/null +++ b/review-2.6.22/pci-disable-msi-on-rx790.patch 
@@ -0,0 +1,41 @@ +From stable-bounces@linux.kernel.org Wed Aug 22 15:25:28 2007 +From: Tejun Heo +Date: Wed, 22 Aug 2007 15:12:55 -0700 +Subject: PCI: disable MSI on RX790 +To: linux-pci@atrey.karlin.mff.cuni.cz +Cc: Tejun Heo , stable , Greg Kroah-Hartman +Message-ID: <11878208453988-git-send-email-gregkh@suse.de> + + +From: Tejun Heo + +RX790 can't do MSI like its predecessors. Disable MSI on RX790. + +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 1 + + include/linux/pci_ids.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -1641,6 +1641,7 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_SE + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS400_200, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS480, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RD580, quirk_disable_all_msi); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RX790, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS690, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_VT3351, quirk_disable_all_msi); + +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -358,6 +358,7 @@ + #define PCI_DEVICE_ID_ATI_RS400_200 0x5a33 + #define PCI_DEVICE_ID_ATI_RS480 0x5950 + #define PCI_DEVICE_ID_ATI_RD580 0x5952 ++#define PCI_DEVICE_ID_ATI_RX790 0x5957 + #define PCI_DEVICE_ID_ATI_RS690 0x7910 + /* ATI IXP Chipset */ + #define PCI_DEVICE_ID_ATI_IXP200_IDE 0x4349 diff --git a/review-2.6.22/pci-lets-kill-the-pci-hidden-behind-bridge-message.patch b/review-2.6.22/pci-lets-kill-the-pci-hidden-behind-bridge-message.patch new file mode 100644 index 00000000000..33960a8dcef --- /dev/null +++ b/review-2.6.22/pci-lets-kill-the-pci-hidden-behind-bridge-message.patch 
@@ -0,0 +1,108 @@ +From stable-bounces@linux.kernel.org Wed Aug 22 15:24:49 2007 +From: Bernhard Kaindl +Date: Wed, 22 Aug 2007 15:12:51 -0700 +Subject: PCI: lets kill the 'PCI hidden behind bridge' message +To: linux-pci@atrey.karlin.mff.cuni.cz +Cc: Bernhard Kaindl , Greg Kroah-Hartman , stable +Message-ID: <11878208132552-git-send-email-gregkh@suse.de> + + +From: Bernhard Kaindl + +Adrian Bunk wrote: +> Alois NeÅ¡por wrote +>> PCI: Bus #0b (-#0e) is hidden behind transparent bridge #0a (-#0b) (try 'pci=assign-busses') +>> Please report the result to linux-kernel to fix this permanently" +>> +>> dmesg: +>> "Yenta: Raising subordinate bus# of parent bus (#0a) from #0b to #0e" +>> without pci=assign-busses and nothing with pci=assign-busses. +> +> Bernhard? + +Ok, lets kill the message. As Alois NeÅ¡por also saw, that's fixed up by Yenta, +so PCI does not have to warn about it. PCI could still warn about it if +is_cardbus is 0 in that instance of pci_scan_bridge(), but so far I have +not seen a report where this would have been the case so I think we can +spare the kernel of that check (removes ~300 lines of asm) unless debugging +is done. + +History: The whole check was added in the days before we had the fixup +for this in Yenta and pci=assign-busses was the only way to get CardBus +cards detected on many (not all) of the machines which give this warning. + +In theory, there could be cases when this warning would be triggered and +it's not cardbus, then the warning should still apply, but I think this +should only be the case when working on a completely broken PCI setup, +but one may have already enabled the debug code in drivers/pci and the +patched check would then trigger. + +I do not sign this off yet because it's completely untested so far, but +everyone is free to test it (with the #ifdef DEBUG replaced by #if 1 and +pr_debug( changed to printk(. + +We may also dump the whole check (remove everything within the #ifdef from +the source) if that's perferred. 
+ +On Alois NeÅ¡por's machine this would then (only when debugging) this message: + +"PCI: Bus #0b (-#0e) is partially hidden behind transparent bridge #0a (-#0b)" + +"partially" should be in the message on his machine because #0b of #0b-#0e +is reachable behind #0a-#0b, but not #0c-#0e. + +But that differentiation is now moot anyway because the fixup in Yenta takes +care of it as far as I could see so far, which means that unless somebody +is debugging a totally broken PCI setup, this message is not needed anymore, +not even for debugging PCI. + + +Ok, here the patch with the following changes: + +* Refined to say that the bus is only partially hidden when the parent + bus numbers are not totally way off (outside of) the child bus range +* remove the reference to pci=assign-busses and the plea to report it + +We could add a pure source code-only comment to keep a reference to +pci=assign-busses the in case when this is triggered by someone who +is debugging the cause of this message and looking the way to solve it. + +From: Bernhard Kaindl +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/probe.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -643,20 +643,20 @@ int pci_scan_bridge(struct pci_bus *bus, + + sprintf(child->name, (is_cardbus ? "PCI CardBus #%02x" : "PCI Bus #%02x"), child->number); + ++ /* Has only triggered on CardBus, fixup is in yenta_socket */ + while (bus->parent) { + if ((child->subordinate > bus->subordinate) || + (child->number > bus->subordinate) || + (child->number < bus->number) || + (child->subordinate < bus->number)) { +- printk(KERN_WARNING "PCI: Bus #%02x (-#%02x) is " +- "hidden behind%s bridge #%02x (-#%02x)%s\n", +- child->number, child->subordinate, +- bus->self->transparent ? " transparent" : " ", +- bus->number, bus->subordinate, +- pcibios_assign_all_busses() ? 
" " : +- " (try 'pci=assign-busses')"); +- printk(KERN_WARNING "Please report the result to " +- "linux-kernel to fix this permanently\n"); ++ pr_debug("PCI: Bus #%02x (-#%02x) is %s" ++ "hidden behind%s bridge #%02x (-#%02x)\n", ++ child->number, child->subordinate, ++ (bus->number > child->subordinate && ++ bus->subordinate < child->number) ? ++ "wholly " : " partially", ++ bus->self->transparent ? " transparent" : " ", ++ bus->number, bus->subordinate); + } + bus = bus->parent; + } diff --git a/queue-2.6.22/ppp-fix-ppp-buffer-sizing.patch b/review-2.6.22/ppp-fix-ppp-buffer-sizing.patch similarity index 100% rename from queue-2.6.22/ppp-fix-ppp-buffer-sizing.patch rename to review-2.6.22/ppp-fix-ppp-buffer-sizing.patch diff --git a/queue-2.6.22/series b/review-2.6.22/series similarity index 74% rename from queue-2.6.22/series rename to review-2.6.22/series index b5edf7da581..05e9b6f4065 100644 --- a/queue-2.6.22/series +++ b/review-2.6.22/series @@ -18,3 +18,11 @@ tcp-do-not-autobind-ports-for-tcp-sockets.patch tcp-fix-tcp-rate-halving-on-bidirectional-flows.patch tcp-fix-tcp-handling-of-sack-in-bidirectional-flows.patch ppp-fix-ppp-buffer-sizing.patch +pci-lets-kill-the-pci-hidden-behind-bridge-message.patch +pci-disable-msi-on-rs690.patch +pci-disable-msi-on-rd580.patch +pci-disable-msi-on-rx790.patch +usb-cdc-acm-fix-sysfs-attribute-registration-bug.patch +usb-allow-retry-on-descriptor-fetch-errors.patch +usb-fix-dos-in-pwc-usb-video-driver.patch +usb-add-product-type-to-usb-interface-events.patch diff --git a/queue-2.6.22/signalfd-fix-interaction-with-posix-timers.patch b/review-2.6.22/signalfd-fix-interaction-with-posix-timers.patch similarity index 100% rename from queue-2.6.22/signalfd-fix-interaction-with-posix-timers.patch rename to review-2.6.22/signalfd-fix-interaction-with-posix-timers.patch 
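Review bot: In the new `pr_debug()` call in pci_scan_bridge(), the test that selects "wholly" uses `&&`, and `bus->number > child->subordinate && bus->subordinate < child->number` cannot both hold when each range has number <= subordinate, so the message would always say "partially"; `||` looks like what was meant. The string pieces also do not join cleanly: `"is %s"` followed by `" partially"` and then `"hidden behind"` prints `is  partiallyhidden behind`, so the format should read `"is %s "` with the arguments `"wholly" : "partially"`. The patch description itself says the change was untested when it was posted. The body of pci_scan_bridge() extends outside the hunk.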
diff --git a/queue-2.6.22/signalfd-make-it-group-wide-fix-posix-timers-scheduling.patch b/review-2.6.22/signalfd-make-it-group-wide-fix-posix-timers-scheduling.patch
similarity index 100%
rename from queue-2.6.22/signalfd-make-it-group-wide-fix-posix-timers-scheduling.patch
rename to review-2.6.22/signalfd-make-it-group-wide-fix-posix-timers-scheduling.patch
diff --git a/queue-2.6.22/sky2-don-t-clear-phy-power-bits.patch b/review-2.6.22/sky2-don-t-clear-phy-power-bits.patch
similarity index 100%
rename from queue-2.6.22/sky2-don-t-clear-phy-power-bits.patch
rename to review-2.6.22/sky2-don-t-clear-phy-power-bits.patch
diff --git a/queue-2.6.22/snap-fix-snap-protocol-header-accesses.patch b/review-2.6.22/snap-fix-snap-protocol-header-accesses.patch
similarity index 100%
rename from queue-2.6.22/snap-fix-snap-protocol-header-accesses.patch
rename to review-2.6.22/snap-fix-snap-protocol-header-accesses.patch
diff --git a/queue-2.6.22/sparc64-fix-sparc64-pci-config-accesses-on-sun4u.patch b/review-2.6.22/sparc64-fix-sparc64-pci-config-accesses-on-sun4u.patch
similarity index 100%
rename from queue-2.6.22/sparc64-fix-sparc64-pci-config-accesses-on-sun4u.patch
rename to review-2.6.22/sparc64-fix-sparc64-pci-config-accesses-on-sun4u.patch
diff --git a/queue-2.6.22/sparc64-fix-sparc64-task-stack-traces.patch b/review-2.6.22/sparc64-fix-sparc64-task-stack-traces.patch
similarity index 100%
rename from queue-2.6.22/sparc64-fix-sparc64-task-stack-traces.patch
rename to review-2.6.22/sparc64-fix-sparc64-task-stack-traces.patch
diff --git a/queue-2.6.22/tcp-do-not-autobind-ports-for-tcp-sockets.patch b/review-2.6.22/tcp-do-not-autobind-ports-for-tcp-sockets.patch
similarity index 100%
rename from queue-2.6.22/tcp-do-not-autobind-ports-for-tcp-sockets.patch
rename to review-2.6.22/tcp-do-not-autobind-ports-for-tcp-sockets.patch
diff --git a/queue-2.6.22/tcp-fix-tcp-handling-of-sack-in-bidirectional-flows.patch b/review-2.6.22/tcp-fix-tcp-handling-of-sack-in-bidirectional-flows.patch
similarity index 100%
rename from queue-2.6.22/tcp-fix-tcp-handling-of-sack-in-bidirectional-flows.patch
rename to review-2.6.22/tcp-fix-tcp-handling-of-sack-in-bidirectional-flows.patch
diff --git a/queue-2.6.22/tcp-fix-tcp-rate-halving-on-bidirectional-flows.patch b/review-2.6.22/tcp-fix-tcp-rate-halving-on-bidirectional-flows.patch
similarity index 100%
rename from queue-2.6.22/tcp-fix-tcp-rate-halving-on-bidirectional-flows.patch
rename to review-2.6.22/tcp-fix-tcp-rate-halving-on-bidirectional-flows.patch
diff --git a/queue-2.6.22/uml-fix-previous-request-size-limit-fix.patch b/review-2.6.22/uml-fix-previous-request-size-limit-fix.patch
similarity index 100%
rename from queue-2.6.22/uml-fix-previous-request-size-limit-fix.patch
rename to review-2.6.22/uml-fix-previous-request-size-limit-fix.patch
diff --git a/review-2.6.22/usb-add-product-type-to-usb-interface-events.patch b/review-2.6.22/usb-add-product-type-to-usb-interface-events.patch
new file mode 100644
index 00000000000..de3dc361f8c
--- /dev/null
+++ b/review-2.6.22/usb-add-product-type-to-usb-interface-events.patch
@@ -0,0 +1,55 @@ +From stable-bounces@linux.kernel.org Wed Aug 22 15:32:13 2007 +From: Kay Sievers +Date: Wed, 22 Aug 2007 15:15:51 -0700 +Subject: usb: add PRODUCT, TYPE to usb-interface events +To: linux-usb-devel@lists.sourceforge.net +Cc: Kay Sievers , Andreas Jellinghaus , stable , Greg Kroah-Hartman +Message-ID: <11878212542891-git-send-email-gregkh@suse.de> + + +From: Kay Sievers + +This fixes a regression for userspace programs that were relying on these events. + + +Signed-off-by: Kay Sievers +Cc: Andreas Jellinghaus +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/message.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -1344,6 +1344,30 @@ static int usb_if_uevent(struct device * + usb_dev = interface_to_usbdev(intf); + alt = intf->cur_altsetting; + ++#ifdef CONFIG_USB_DEVICEFS ++ if (add_uevent_var(envp, num_envp, &i, ++ buffer, buffer_size, &length, ++ "DEVICE=/proc/bus/usb/%03d/%03d", ++ usb_dev->bus->busnum, usb_dev->devnum)) ++ return -ENOMEM; ++#endif ++ ++ if (add_uevent_var(envp, num_envp, &i, ++ buffer, buffer_size, &length, ++ "PRODUCT=%x/%x/%x", ++ le16_to_cpu(usb_dev->descriptor.idVendor), ++ le16_to_cpu(usb_dev->descriptor.idProduct), ++ le16_to_cpu(usb_dev->descriptor.bcdDevice))) ++ return -ENOMEM; ++ ++ if (add_uevent_var(envp, num_envp, &i, ++ buffer, buffer_size, &length, ++ "TYPE=%d/%d/%d", ++ usb_dev->descriptor.bDeviceClass, ++ usb_dev->descriptor.bDeviceSubClass, ++ usb_dev->descriptor.bDeviceProtocol)) ++ return -ENOMEM; ++ + if (add_uevent_var(envp, num_envp, &i, + buffer, buffer_size, &length, + "INTERFACE=%d/%d/%d", diff --git a/review-2.6.22/usb-allow-retry-on-descriptor-fetch-errors.patch b/review-2.6.22/usb-allow-retry-on-descriptor-fetch-errors.patch new file mode 100644 index 00000000000..69980ec09bd --- /dev/null +++ b/review-2.6.22/usb-allow-retry-on-descriptor-fetch-errors.patch 
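Review bot: The three blocks added to usb_if_uevent() carry no comment saying why values taken from the device descriptor are repeated on interface events. The description gives the reason (userspace programs relied on them), so a line such as `/* DEVICE, PRODUCT and TYPE are repeated here because userspace relies on them in interface events */` above the first block would keep a later cleanup from dropping them again. The function starts and ends outside the hunk.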
@@ -0,0 +1,39 @@ +From stable-bounces@linux.kernel.org Wed Aug 22 15:30:50 2007 +From: Alan Stern +Date: Wed, 22 Aug 2007 15:15:42 -0700 +Subject: USB: allow retry on descriptor fetch errors +To: linux-usb-devel@lists.sourceforge.net +Cc: Greg Kroah-Hartman , Alan Stern , stable +Message-ID: <11878211741191-git-send-email-gregkh@suse.de> + + +From: Alan Stern + +This patch (as964) was suggested by Steffen Koepf. It makes +usb_get_descriptor() retry on all errors other than ETIMEDOUT, instead +of only on EPIPE. This helps with some devices. + +Signed-off-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/message.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -623,12 +623,12 @@ int usb_get_descriptor(struct usb_device + memset(buf,0,size); // Make sure we parse really received data + + for (i = 0; i < 3; ++i) { +- /* retry on length 0 or stall; some devices are flakey */ ++ /* retry on length 0 or error; some devices are flakey */ + result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), + USB_REQ_GET_DESCRIPTOR, USB_DIR_IN, + (type << 8) + index, 0, buf, size, + USB_CTRL_GET_TIMEOUT); +- if (result == 0 || result == -EPIPE) ++ if (result <= 0 && result != -ETIMEDOUT) + continue; + if (result > 1 && ((u8 *)buf)[1] != type) { + result = -EPROTO; diff --git a/review-2.6.22/usb-cdc-acm-fix-sysfs-attribute-registration-bug.patch b/review-2.6.22/usb-cdc-acm-fix-sysfs-attribute-registration-bug.patch new file mode 100644 index 00000000000..a9d6c5b9c77 --- /dev/null +++ b/review-2.6.22/usb-cdc-acm-fix-sysfs-attribute-registration-bug.patch 
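Review bot: The updated comment in usb_get_descriptor() says `retry on length 0 or error`, but the new test `result <= 0 && result != -ETIMEDOUT` leaves timeouts out and nothing in the code says why. A comment such as `/* retry on length 0 or error, except timeouts; some devices are flakey */` would match the condition; presumably the reason is that every timed-out attempt already blocks for USB_CTRL_GET_TIMEOUT, which is worth stating if so. The loop body continues outside the hunk.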
@@ -0,0 +1,39 @@ +From stable-bounces@linux.kernel.org Wed Aug 22 15:27:24 2007 +From: Alan Stern +Date: Wed, 22 Aug 2007 15:15:18 -0700 +Subject: USB: cdc-acm: fix sysfs attribute registration bug +To: linux-usb-devel@lists.sourceforge.net +Cc: Greg Kroah-Hartman , Alan Stern , stable +Message-ID: <11878209593215-git-send-email-gregkh@suse.de> + + +From: Alan Stern + +This patch (as950) fixes a bug in the cdc-acm driver. It doesn't keep +track of which interface (control or data) the sysfs attributes get +registered for, and as a result, during disconnect it will sometimes +attempt to remove the attributes from the wrong interface. The +left-over attributes can cause a crash later on, particularly if the driver +module has been unloaded. + +Signed-off-by: Alan Stern +Acked-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -900,6 +900,10 @@ next_desc: + return -ENODEV; + } + } ++ ++ /* Accept probe requests only for the control interface */ ++ if (intf != control_interface) ++ return -ENODEV; + + if (data_interface_num != call_interface_num) + dev_dbg(&intf->dev,"Seperate call control interface. That is not fully supported."); diff --git a/review-2.6.22/usb-fix-dos-in-pwc-usb-video-driver.patch b/review-2.6.22/usb-fix-dos-in-pwc-usb-video-driver.patch new file mode 100644 index 00000000000..dc162a8c7b6 --- /dev/null +++ b/review-2.6.22/usb-fix-dos-in-pwc-usb-video-driver.patch 
@@ -0,0 +1,126 @@ +From stable-bounces@linux.kernel.org Wed Aug 22 15:31:01 2007 +From: Oliver Neukum +Date: Wed, 22 Aug 2007 15:15:43 -0700 +Subject: USB: fix DoS in pwc USB video driver +To: linux-usb-devel@lists.sourceforge.net +Cc: Oliver Neukum , Greg Kroah-Hartman , stable +Message-ID: <11878211834080-git-send-email-gregkh@suse.de> + + +From: Oliver Neukum + +the pwc driver has a disconnect method that waits for user space to +close the device. This opens up an opportunity for a DoS attack, +blocking the USB subsystem and making khubd's task busy wait in +kernel space. This patch shifts freeing resources to close if an opened +device is disconnected. + +Signed-off-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/pwc/pwc-if.c | 52 ++++++++++++++++++++++++++------------- + drivers/media/video/pwc/pwc.h | 1 + 2 files changed, 36 insertions(+), 17 deletions(-) + +--- a/drivers/media/video/pwc/pwc-if.c ++++ b/drivers/media/video/pwc/pwc-if.c +@@ -1196,12 +1196,19 @@ static int pwc_video_open(struct inode * + return 0; + } + ++ ++static void pwc_cleanup(struct pwc_device *pdev) ++{ ++ pwc_remove_sysfs_files(pdev->vdev); ++ video_unregister_device(pdev->vdev); ++} ++ + /* Note that all cleanup is done in the reverse order as in _open */ + static int pwc_video_close(struct inode *inode, struct file *file) + { + struct video_device *vdev = file->private_data; + struct pwc_device *pdev; +- int i; ++ int i, hint; + + PWC_DEBUG_OPEN(">> video_close called(vdev = 0x%p).\n", vdev); + +@@ -1224,8 +1231,9 @@ static int pwc_video_close(struct inode + pwc_isoc_cleanup(pdev); + pwc_free_buffers(pdev); + ++ lock_kernel(); + /* Turn off LEDS and power down camera, but only when not unplugged */ +- if (pdev->error_status != EPIPE) { ++ if (!pdev->unplugged) { + /* Turn LEDs off */ + if (pwc_set_leds(pdev, 0, 0) < 0) + PWC_DEBUG_MODULE("Failed to set LED on/off time.\n"); +@@ -1234,9 +1242,19 @@ static int pwc_video_close(struct inode + if (i < 0) + 
PWC_ERROR("Failed to power down camera (%d)\n", i); + } ++ pdev->vopen--; ++ PWC_DEBUG_OPEN("<< video_close() vopen=%d\n", i); ++ } else { ++ pwc_cleanup(pdev); ++ /* Free memory (don't set pdev to 0 just yet) */ ++ kfree(pdev); ++ /* search device_hint[] table if we occupy a slot, by any chance */ ++ for (hint = 0; hint < MAX_DEV_HINTS; hint++) ++ if (device_hint[hint].pdev == pdev) ++ device_hint[hint].pdev = NULL; + } +- pdev->vopen--; +- PWC_DEBUG_OPEN("<< video_close() vopen=%d\n", pdev->vopen); ++ unlock_kernel(); ++ + return 0; + } + +@@ -1791,21 +1809,21 @@ static void usb_pwc_disconnect(struct us + /* Alert waiting processes */ + wake_up_interruptible(&pdev->frameq); + /* Wait until device is closed */ +- while (pdev->vopen) +- schedule(); +- /* Device is now closed, so we can safely unregister it */ +- PWC_DEBUG_PROBE("Unregistering video device in disconnect().\n"); +- pwc_remove_sysfs_files(pdev->vdev); +- video_unregister_device(pdev->vdev); +- +- /* Free memory (don't set pdev to 0 just yet) */ +- kfree(pdev); ++ if(pdev->vopen) { ++ pdev->unplugged = 1; ++ } else { ++ /* Device is closed, so we can safely unregister it */ ++ PWC_DEBUG_PROBE("Unregistering video device in disconnect().\n"); ++ pwc_cleanup(pdev); ++ /* Free memory (don't set pdev to 0 just yet) */ ++ kfree(pdev); + + disconnect_out: +- /* search device_hint[] table if we occupy a slot, by any chance */ +- for (hint = 0; hint < MAX_DEV_HINTS; hint++) +- if (device_hint[hint].pdev == pdev) +- device_hint[hint].pdev = NULL; ++ /* search device_hint[] table if we occupy a slot, by any chance */ ++ for (hint = 0; hint < MAX_DEV_HINTS; hint++) ++ if (device_hint[hint].pdev == pdev) ++ device_hint[hint].pdev = NULL; ++ } + + unlock_kernel(); + } +--- a/drivers/media/video/pwc/pwc.h ++++ b/drivers/media/video/pwc/pwc.h +@@ -193,6 +193,7 @@ struct pwc_device + char vsnapshot; /* snapshot mode */ + char vsync; /* used by isoc handler */ + char vmirror; /* for ToUCaM series */ ++ char unplugged; 
+ + int cmd_len; + unsigned char cmd_buf[13]; -- 2.47.3
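Review bot: In pwc_video_close() the new trace line prints `i`, which the context lines use for the power-down result, where the removed line printed the open count; it should stay `PWC_DEBUG_OPEN("<< video_close() vopen=%d\n", pdev->vopen);`. In the new unplugged branch of the same function `kfree(pdev)` runs before the device_hint[] loop that compares each slot against `pdev`; moving `kfree(pdev);` below the loop keeps the comparison off a freed pointer, and usb_pwc_disconnect() has the same order carried over from the old code. The `unplugged` flag is written in disconnect and read in close under lock_kernel(), but `pwc_isoc_cleanup()` and `pwc_free_buffers()` in close run before the lock is taken, so whether they can overlap with disconnect should be checked against the parts of both functions that lie outside these hunks.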