--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:11:11 2008
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 11 Jan 2008 01:10:42 -0800 (PST)
+Subject: ATM: Check IP header validity in mpc_send_packet
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011042.53950451.davem@davemloft.net>
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ATM]: Check IP header validity in mpc_send_packet
+
+[ Upstream commit: 1c9b7aa1eb40ab708ef3242f74b9a61487623168 ]
+
+Al went through the ip_fast_csum callers and found this piece of code
+that did not validate the IP header. While root crashing the machine
+by sending bogus packets through raw or AF_PACKET sockets isn't that
+serious, it is still nice to react gracefully.
+
+This patch ensures that the skb has enough data for an IP header and
+that the header length field is valid.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/atm/mpc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/atm/mpc.c
++++ b/net/atm/mpc.c
+@@ -542,6 +542,13 @@ static int mpc_send_packet(struct sk_buf
+ if (eth->h_proto != htons(ETH_P_IP))
+ goto non_ip; /* Multi-Protocol Over ATM :-) */
+
++ /* Weed out funny packets (e.g., AF_PACKET or raw). */
++ if (skb->len < ETH_HLEN + sizeof(struct iphdr))
++ goto non_ip;
++ skb_set_network_header(skb, ETH_HLEN);
++ if (skb->len < ETH_HLEN + ip_hdr(skb)->ihl * 4 || ip_hdr(skb)->ihl < 5)
++ goto non_ip;
++
+ while (i < mpc->number_of_mps_macs) {
+ if (!compare_ether_addr(eth->h_dest, (mpc->mps_macs + i*ETH_ALEN)))
+ if ( send_via_shortcut(skb, mpc) == 0 ) /* try shortcut */
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:36:14 2008
+From: Chas Williams <chas@cmf.nrl.navy.mil>
+Date: Fri, 11 Jan 2008 01:35:51 -0800 (PST)
+Subject: ATM: [nicstar] delay irq setup until card is configured
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.013551.151177889.davem@davemloft.net>
+
+From: Chas Williams <chas@cmf.nrl.navy.mil>
+
+[ATM]: [nicstar] delay irq setup until card is configured
+
+[ Upstream commit: 52961955aa180959158faeb9fd6b4f8a591450f5 ]
+
+Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/atm/nicstar.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/atm/nicstar.c
++++ b/drivers/atm/nicstar.c
+@@ -625,14 +625,6 @@ static int __devinit ns_init_card(int i,
+ if (mac[i] == NULL)
+ nicstar_init_eprom(card->membase);
+
+- if (request_irq(pcidev->irq, &ns_irq_handler, IRQF_DISABLED | IRQF_SHARED, "nicstar", card) != 0)
+- {
+- printk("nicstar%d: can't allocate IRQ %d.\n", i, pcidev->irq);
+- error = 9;
+- ns_init_card_error(card, error);
+- return error;
+- }
+-
+ /* Set the VPI/VCI MSb mask to zero so we can receive OAM cells */
+ writel(0x00000000, card->membase + VPM);
+
+@@ -858,8 +850,6 @@ static int __devinit ns_init_card(int i,
+ card->iovpool.count++;
+ }
+
+- card->intcnt = 0;
+-
+ /* Configure NICStAR */
+ if (card->rct_size == 4096)
+ ns_cfg_rctsize = NS_CFG_RCTSIZE_4096_ENTRIES;
+@@ -868,6 +858,15 @@ static int __devinit ns_init_card(int i,
+
+ card->efbie = 1;
+
++ card->intcnt = 0;
++ if (request_irq(pcidev->irq, &ns_irq_handler, IRQF_DISABLED | IRQF_SHARED, "nicstar", card) != 0)
++ {
++ printk("nicstar%d: can't allocate IRQ %d.\n", i, pcidev->irq);
++ error = 9;
++ ns_init_card_error(card, error);
++ return error;
++ }
++
+ /* Register device */
+ card->atmdev = atm_dev_register("nicstar", &atm_ops, -1, NULL);
+ if (card->atmdev == NULL)
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:12:18 2008
+From: Li Zefan <lizf@cn.fujitsu.com>
+Date: Fri, 11 Jan 2008 01:11:48 -0800 (PST)
+Subject: CONNECTOR: Don't touch queue dev after decrement of ref count.
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011148.195698099.davem@davemloft.net>
+
+From: Li Zefan <lizf@cn.fujitsu.com>
+
+[CONNECTOR]: Don't touch queue dev after decrement of ref count.
+
+[ Upstream commit: cf585ae8ae9ac7287a6d078425ea32f22bf7f1f7 ]
+
+cn_queue_free_callback() will touch 'dev'(i.e. cbq->pdev), so it
+should be called before atomic_dec(&dev->refcnt).
+
+Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/connector/cn_queue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/connector/cn_queue.c
++++ b/drivers/connector/cn_queue.c
+@@ -99,8 +99,8 @@ int cn_queue_add_callback(struct cn_queu
+ spin_unlock_bh(&dev->queue_lock);
+
+ if (found) {
+- atomic_dec(&dev->refcnt);
+ cn_queue_free_callback(cbq);
++ atomic_dec(&dev->refcnt);
+ return -EINVAL;
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Dec 19 15:50:31 2007
+From: David Miller <davem@davemloft.net>
+Date: Wed, 19 Dec 2007 15:50:06 -0800 (PST)
+Subject: [stable] [PATCH]: Fix sparc64 cpu cross call hangs.
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20071219.155006.86794054.davem@davemloft.net>
+
+
+
+Adrian, this patch needs a little bit of backporting for
+2.6.16, which I will send to you in the next email.
+
+Please add to -stable, this fits both 2.6.22 and 2.6.23
+and I think since it hangs people's systems it is
+appropriate for both :-)
+
+Thanks!
+
+[SPARC64]: Fix endless loop in cheetah_xcall_deliver().
+
+[ Upsteam commit: 0de56d1ab83323d604d95ca193dcbd28388dbabb ]
+
+We need to mask out the proper bits when testing the dispatch status
+register else we can see unrelated NACK bits from previous cross call
+sends.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ arch/sparc64/kernel/smp.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/arch/sparc64/kernel/smp.c
++++ b/arch/sparc64/kernel/smp.c
+@@ -403,7 +403,7 @@ static __inline__ void spitfire_xcall_de
+ */
+ static void cheetah_xcall_deliver(u64 data0, u64 data1, u64 data2, cpumask_t mask)
+ {
+- u64 pstate, ver;
++ u64 pstate, ver, busy_mask;
+ int nack_busy_id, is_jbus, need_more;
+
+ if (cpus_empty(mask))
+@@ -435,14 +435,20 @@ retry:
+ "i" (ASI_INTR_W));
+
+ nack_busy_id = 0;
++ busy_mask = 0;
+ {
+ int i;
+
+ for_each_cpu_mask(i, mask) {
+ u64 target = (i << 14) | 0x70;
+
+- if (!is_jbus)
++ if (is_jbus) {
++ busy_mask |= (0x1UL << (i * 2));
++ } else {
+ target |= (nack_busy_id << 24);
++ busy_mask |= (0x1UL <<
++ (nack_busy_id * 2));
++ }
+ __asm__ __volatile__(
+ "stxa %%g0, [%0] %1\n\t"
+ "membar #Sync\n\t"
+@@ -458,15 +464,16 @@ retry:
+
+ /* Now, poll for completion. */
+ {
+- u64 dispatch_stat;
++ u64 dispatch_stat, nack_mask;
+ long stuck;
+
+ stuck = 100000 * nack_busy_id;
++ nack_mask = busy_mask << 1;
+ do {
+ __asm__ __volatile__("ldxa [%%g0] %1, %0"
+ : "=r" (dispatch_stat)
+ : "i" (ASI_INTR_DISPATCH_STAT));
+- if (dispatch_stat == 0UL) {
++ if (!(dispatch_stat & (busy_mask | nack_mask))) {
+ __asm__ __volatile__("wrpr %0, 0x0, %%pstate"
+ : : "r" (pstate));
+ if (unlikely(need_more)) {
+@@ -483,12 +490,12 @@ retry:
+ }
+ if (!--stuck)
+ break;
+- } while (dispatch_stat & 0x5555555555555555UL);
++ } while (dispatch_stat & busy_mask);
+
+ __asm__ __volatile__("wrpr %0, 0x0, %%pstate"
+ : : "r" (pstate));
+
+- if ((dispatch_stat & ~(0x5555555555555555UL)) == 0) {
++ if (dispatch_stat & busy_mask) {
+ /* Busy bits will not clear, continue instead
+ * of freezing up on this cpu.
+ */
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:13:43 2008
+From: Mark McLoughlin <markmc@redhat.com>
+Date: Fri, 11 Jan 2008 01:13:17 -0800 (PST)
+Subject: INET: Fix netdev renaming and inet address labels
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011317.218129613.davem@davemloft.net>
+
+From: Mark McLoughlin <markmc@redhat.com>
+
+[INET]: Fix netdev renaming and inet address labels
+
+[ Upstream commit: 44344b2a85f03326c7047a8c861b0c625c674839 ]
+
+When re-naming an interface, the previous secondary address
+labels get lost e.g.
+
+ $> brctl addbr foo
+ $> ip addr add 192.168.0.1 dev foo
+ $> ip addr add 192.168.0.2 dev foo label foo:00
+ $> ip addr show dev foo | grep inet
+ inet 192.168.0.1/32 scope global foo
+ inet 192.168.0.2/32 scope global foo:00
+ $> ip link set foo name bar
+ $> ip addr show dev bar | grep inet
+ inet 192.168.0.1/32 scope global bar
+ inet 192.168.0.2/32 scope global bar:2
+
+Turns out to be a simple thinko in inetdev_changename() - clearly we
+want to look at the address label, rather than the device name, for
+a suffix to retain.
+
+Signed-off-by: Mark McLoughlin <markmc@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/devinet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -1030,7 +1030,7 @@ static void inetdev_changename(struct ne
+ memcpy(ifa->ifa_label, dev->name, IFNAMSIZ);
+ if (named++ == 0)
+ continue;
+- dot = strchr(ifa->ifa_label, ':');
++ dot = strchr(old, ':');
+ if (dot == NULL) {
+ sprintf(old, ":%d", named);
+ dot = old;
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:33:13 2008
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 11 Jan 2008 01:32:51 -0800 (PST)
+Subject: IPSEC: Avoid undefined shift operation when testing algorithm ID
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.013251.29376420.davem@davemloft.net>
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[IPSEC]: Avoid undefined shift operation when testing algorithm ID
+
+[ Upstream commit: f398035f2dec0a6150833b0bc105057953594edb ]
+
+The aalgos/ealgos fields are only 32 bits wide. However, af_key tries
+to test them with the expression 1 << id where id can be as large as
+253. This produces different behaviour on different architectures.
+
+The following patch explicitly checks whether ID is greater than 31
+and fails the check if that's the case.
+
+We cannot easily extend the mask to be longer than 32 bits due to
+exposure to user-space. Besides, this whole interface is obsolete
+anyway in favour of the xfrm_user interface which doesn't use this
+bit mask in templates (well not within the kernel anyway).
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/key/af_key.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2777,12 +2777,22 @@ static struct sadb_msg *pfkey_get_base_m
+
+ static inline int aalg_tmpl_set(struct xfrm_tmpl *t, struct xfrm_algo_desc *d)
+ {
+- return t->aalgos & (1 << d->desc.sadb_alg_id);
++ unsigned int id = d->desc.sadb_alg_id;
++
++ if (id >= sizeof(t->aalgos) * 8)
++ return 0;
++
++ return (t->aalgos >> id) & 1;
+ }
+
+ static inline int ealg_tmpl_set(struct xfrm_tmpl *t, struct xfrm_algo_desc *d)
+ {
+- return t->ealgos & (1 << d->desc.sadb_alg_id);
++ unsigned int id = d->desc.sadb_alg_id;
++
++ if (id >= sizeof(t->ealgos) * 8)
++ return 0;
++
++ return (t->ealgos >> id) & 1;
+ }
+
+ static int count_ah_combs(struct xfrm_tmpl *t)
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Dec 19 16:36:18 2007
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Wed, 19 Dec 2007 16:35:54 -0800 (PST)
+Subject: IPSEC: Fix potential dst leak in xfrm_lookup
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20071219.163554.93686534.davem@davemloft.net>
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[IPSEC]: Fix potential dst leak in xfrm_lookup
+
+[ Upstream commit: 75b8c133267053c9986a7c8db5131f0e7349e806 ]
+
+If we get an error during the actual policy lookup we don't free the
+original dst while the caller expects us to always free the original
+dst in case of error.
+
+This patch fixes that.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/xfrm/xfrm_policy.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1479,8 +1479,9 @@ restart:
+
+ if (sk && sk->sk_policy[1]) {
+ policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
++ err = PTR_ERR(policy);
+ if (IS_ERR(policy))
+- return PTR_ERR(policy);
++ goto dropdst;
+ }
+
+ if (!policy) {
+@@ -1491,8 +1492,9 @@ restart:
+
+ policy = flow_cache_lookup(fl, dst_orig->ops->family,
+ dir, xfrm_policy_lookup);
++ err = PTR_ERR(policy);
+ if (IS_ERR(policy))
+- return PTR_ERR(policy);
++ goto dropdst;
+ }
+
+ if (!policy)
+@@ -1661,8 +1663,9 @@ restart:
+ return 0;
+
+ error:
+- dst_release(dst_orig);
+ xfrm_pols_put(pols, npols);
++dropdst:
++ dst_release(dst_orig);
+ *dst_p = NULL;
+ return err;
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:31:00 2008
+From: David Miller <davem@davemloft.net>
+Date: Fri, 11 Jan 2008 01:30:35 -0800 (PST)
+Subject: IPV4: ip_gre: set mac_header correctly in receive path
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.013035.68144987.davem@davemloft.net>
+
+From: Timo Teras <timo.teras@iki.fi>
+
+[IPV4] ip_gre: set mac_header correctly in receive path
+
+[ Upstream commit: 1d0691674764098304ae4c63c715f5883b4d3784 ]
+
+mac_header update in ipgre_recv() was incorrectly changed to
+skb_reset_mac_header() when it was introduced.
+
+Signed-off-by: Timo Teras <timo.teras@iki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/ip_gre.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -613,7 +613,7 @@ static int ipgre_rcv(struct sk_buff *skb
+ offset += 4;
+ }
+
+- skb_reset_mac_header(skb);
++ skb->mac_header = skb->network_header;
+ __pskb_pull(skb, offset);
+ skb_reset_network_header(skb);
+ skb_postpull_rcsum(skb, skb_transport_header(skb), offset);
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:42:36 2008
+From: Eric Dumazet <dada1@cosmosbay.com>
+Date: Fri, 11 Jan 2008 01:42:12 -0800 (PST)
+Subject: IPV4 ROUTE: ip_rt_dump() is unecessary slow
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.014212.243382375.davem@davemloft.net>
+
+From: Eric Dumazet <dada1@cosmosbay.com>
+
+[IPV4] ROUTE: ip_rt_dump() is unecessary slow
+
+[ Upstream commit: d8c9283089287341c85a0a69de32c2287a990e71 ]
+
+I noticed "ip route list cache x.y.z.t" can be *very* slow.
+
+While strace-ing -T it I also noticed that first part of route cache
+is fetched quite fast :
+
+recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202
+GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.000047>
+recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\
+202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.000042>
+recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\
+202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3740 <0.000055>
+recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\
+202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.000043>
+recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\
+202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3732 <0.000053>
+recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202
+GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3708 <0.000052>
+recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202
+GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3680 <0.000041>
+
+while the part at the end of the table is more expensive:
+
+recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3656 <0.003857>
+recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.003891>
+recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.003765>
+recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3700 <0.003879>
+recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3676 <0.003797>
+recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3724 <0.003856>
+recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.003848>
+
+The following patch corrects this performance/latency problem,
+removing quadratic behavior.
+
+Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/route.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -2885,11 +2885,10 @@ int ip_rt_dump(struct sk_buff *skb, str
+ int idx, s_idx;
+
+ s_h = cb->args[0];
++ if (s_h < 0)
++ s_h = 0;
+ s_idx = idx = cb->args[1];
+- for (h = 0; h <= rt_hash_mask; h++) {
+- if (h < s_h) continue;
+- if (h > s_h)
+- s_idx = 0;
++ for (h = s_h; h <= rt_hash_mask; h++) {
+ rcu_read_lock_bh();
+ for (rt = rcu_dereference(rt_hash_table[h].chain), idx = 0; rt;
+ rt = rcu_dereference(rt->u.dst.rt_next), idx++) {
+@@ -2906,6 +2905,7 @@ int ip_rt_dump(struct sk_buff *skb, str
+ dst_release(xchg(&skb->dst, NULL));
+ }
+ rcu_read_unlock_bh();
++ s_idx = 0;
+ }
+
+ done:
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:14:39 2008
+From: maximilian attems <max@stro.at>
+Date: Fri, 11 Jan 2008 01:14:17 -0800 (PST)
+Subject: IRDA: irda_create() nuke user triggable printk
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011417.59885591.davem@davemloft.net>
+
+From: maximilian attems <max@stro.at>
+
+[IRDA]: irda_create() nuke user triggable printk
+
+[ Upstream commit: 9e8d6f8959c356d8294d45f11231331c3e1bcae6 ]
+
+easy to trigger as user with sfuzz.
+
+irda_create() is quiet on unknown sock->type,
+match this behaviour for SOCK_DGRAM unknown protocol
+
+Signed-off-by: maximilian attems <max@stro.at>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/irda/af_irda.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1115,8 +1115,6 @@ static int irda_create(struct socket *so
+ self->max_sdu_size_rx = TTP_SAR_UNBOUND;
+ break;
+ default:
+- IRDA_ERROR("%s: protocol not supported!\n",
+- __FUNCTION__);
+ return -ESOCKTNOSUPPORT;
+ }
+ break;
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:32:06 2008
+From: David Miller <davem@davemloft.net>
+Date: Fri, 11 Jan 2008 01:31:39 -0800 (PST)
+Subject: NET: Correct two mistaken skb_reset_mac_header() conversions.
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.013139.213061588.davem@davemloft.net>
+
+From: David Miller <davem@davemloft.net>
+
+[NET]: Correct two mistaken skb_reset_mac_header() conversions.
+
+[ Upstream commit: c6e6ca712b5cc06a662f900c0484d49d7334af64 ]
+
+This operation helper abstracts:
+
+ skb->mac_header = skb->data;
+
+but it was done in two more places which were actually:
+
+ skb->mac_header = skb->network_header;
+
+and those are corrected here.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ax25/ax25_in.c | 2 +-
+ net/netrom/nr_dev.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ax25/ax25_in.c
++++ b/net/ax25/ax25_in.c
+@@ -124,7 +124,7 @@ int ax25_rx_iframe(ax25_cb *ax25, struct
+ }
+
+ skb_pull(skb, 1); /* Remove PID */
+- skb_reset_mac_header(skb);
++ skb->mac_header = skb->network_header;
+ skb_reset_network_header(skb);
+ skb->dev = ax25->ax25_dev->dev;
+ skb->pkt_type = PACKET_HOST;
+--- a/net/netrom/nr_dev.c
++++ b/net/netrom/nr_dev.c
+@@ -56,7 +56,7 @@ int nr_rx_ip(struct sk_buff *skb, struct
+
+ /* Spoof incoming device */
+ skb->dev = dev;
+- skb_reset_mac_header(skb);
++ skb->mac_header = skb->network_header;
+ skb_reset_network_header(skb);
+ skb->pkt_type = PACKET_HOST;
+
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:16:53 2008
+From: Russ Dill <Russ.Dill@asu.edu>
+Date: Fri, 11 Jan 2008 01:16:28 -0800 (PST)
+Subject: NET: kaweth was forgotten in msec switchover of usb_start_wait_urb
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011628.29710158.davem@davemloft.net>
+
+From: Russ Dill <Russ.Dill@asu.edu>
+
+[NET]: kaweth was forgotten in msec switchover of usb_start_wait_urb
+
+[ Upstream commit: 2b2b2e35b71e5be8bc06cc0ff38df15dfedda19b ]
+
+Back in 2.6.12-pre, usb_start_wait_urb was switched over to take
+milliseconds instead of jiffies. kaweth.c was never updated to match.
+
+Signed-off-by: Russ Dill <Russ.Dill@asu.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/usb/kaweth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -70,7 +70,7 @@
+ #define KAWETH_TX_TIMEOUT (5 * HZ)
+ #define KAWETH_SCRATCH_SIZE 32
+ #define KAWETH_FIRMWARE_BUF_SIZE 4096
+-#define KAWETH_CONTROL_TIMEOUT (30 * HZ)
++#define KAWETH_CONTROL_TIMEOUT (30000)
+
+ #define KAWETH_STATUS_BROKEN 0x0000001
+ #define KAWETH_STATUS_CLOSING 0x0000002
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:20:18 2008
+From: Russ Dill <Russ.Dill@asu.edu>
+Date: Fri, 11 Jan 2008 01:19:55 -0800 (PST)
+Subject: NET: mcs7830 passes msecs instead of jiffies to usb_control_msg
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.011955.239033978.davem@davemloft.net>
+
+From: Russ Dill <Russ.Dill@asu.edu>
+
+[NET]: mcs7830 passes msecs instead of jiffies to usb_control_msg
+
+[ Upstream commit 1d39da3dcaad4231f0fa75024b1d6d710a2ced74 ]
+
+usb_control_msg was changed long ago (2.6.12-pre) to take milliseconds
+instead of jiffies. Oddly, mcs7830 wasn't added until 2.6.19-rc3.
+
+Signed-off-by: Russ Dill <Russ.Dill@asu.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/usb/mcs7830.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/mcs7830.c
++++ b/drivers/net/usb/mcs7830.c
+@@ -94,7 +94,7 @@ static int mcs7830_get_reg(struct usbnet
+
+ ret = usb_control_msg(xdev, usb_rcvctrlpipe(xdev, 0), MCS7830_RD_BREQ,
+ MCS7830_RD_BMREQ, 0x0000, index, data,
+- size, msecs_to_jiffies(MCS7830_CTRL_TIMEOUT));
++ size, MCS7830_CTRL_TIMEOUT);
+ return ret;
+ }
+
+@@ -105,7 +105,7 @@ static int mcs7830_set_reg(struct usbnet
+
+ ret = usb_control_msg(xdev, usb_sndctrlpipe(xdev, 0), MCS7830_WR_BREQ,
+ MCS7830_WR_BMREQ, 0x0000, index, data,
+- size, msecs_to_jiffies(MCS7830_CTRL_TIMEOUT));
++ size, MCS7830_CTRL_TIMEOUT);
+ return ret;
+ }
+
--- /dev/null
+x25-add-missing-x25_neigh_put.patch
+sparc64-fix-two-kernel-linear-mapping-setup-bugs.patch
+sparc64-fix-memory-controller-register-access-when-non-smp.patch
+net-mcs7830-passes-msecs-instead-of-jiffies-to-usb_control_msg.patch
+net-kaweth-was-forgotten-in-msec-switchover-of-usb_start_wait_urb.patch
+net-correct-two-mistaken-skb_reset_mac_header-conversions.patch
+irda-irda_create-nuke-user-triggable-printk.patch
+ipv4-route-ip_rt_dump-is-unecessary-slow.patch
+ipv4-ip_gre-set-mac_header-correctly-in-receive-path.patch
+ipsec-fix-potential-dst-leak-in-xfrm_lookup.patch
+ipsec-avoid-undefined-shift-operation-when-testing-algorithm-id.patch
+inet-fix-netdev-renaming-and-inet-address-labels.patch
+fix-sparc64-cpu-cross-call-hangs.patch
+connector-don-t-touch-queue-dev-after-decrement-of-ref-count.patch
+atm-delay-irq-setup-until-card-is-configured.patch
+atm-check-ip-header-validity-in-mpc_send_packet.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Dec 19 16:27:31 2007
+From: David Miller <davem@davemloft.net>
+Date: Wed, 19 Dec 2007 16:27:11 -0800 (PST)
+Subject: SPARC64: Fix memory controller register access when non-SMP.
+To: stable@kernel.org
+Cc: bunk@stable.org
+Message-ID: <20071219.162711.06329560.davem@davemloft.net>
+
+
+From: David Miller <davem@davemloft.net>
+
+[SPARC64]: Fix memory controller register access when non-SMP.
+
+[ Upstream commit: b332b8bc9c67165eabdfc7d10b4a2e4cc9f937d0 ]
+
+get_cpu() always returns zero on non-SMP builds, but we
+really want the physical cpu number in this code in order
+to do the right thing.
+
+Based upon a non-SMP kernel boot failure report from Bernd Zeimetz.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/kernel/chmc.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/arch/sparc64/kernel/chmc.c
++++ b/arch/sparc64/kernel/chmc.c
+@@ -1,7 +1,6 @@
+-/* $Id: chmc.c,v 1.4 2002/01/08 16:00:14 davem Exp $
+- * memctrlr.c: Driver for UltraSPARC-III memory controller.
++/* memctrlr.c: Driver for UltraSPARC-III memory controller.
+ *
+- * Copyright (C) 2001 David S. Miller (davem@redhat.com)
++ * Copyright (C) 2001, 2007 David S. Miller (davem@davemloft.net)
+ */
+
+ #include <linux/module.h>
+@@ -16,6 +15,7 @@
+ #include <linux/init.h>
+ #include <asm/spitfire.h>
+ #include <asm/chmctrl.h>
++#include <asm/cpudata.h>
+ #include <asm/oplib.h>
+ #include <asm/prom.h>
+ #include <asm/io.h>
+@@ -242,8 +242,11 @@ int chmc_getunumber(int syndrome_code,
+ */
+ static u64 read_mcreg(struct mctrl_info *mp, unsigned long offset)
+ {
+- unsigned long ret;
+- int this_cpu = get_cpu();
++ unsigned long ret, this_cpu;
++
++ preempt_disable();
++
++ this_cpu = real_hard_smp_processor_id();
+
+ if (mp->portid == this_cpu) {
+ __asm__ __volatile__("ldxa [%1] %2, %0"
+@@ -255,7 +258,8 @@ static u64 read_mcreg(struct mctrl_info
+ : "r" (mp->regs + offset),
+ "i" (ASI_PHYS_BYPASS_EC_E));
+ }
+- put_cpu();
++
++ preempt_enable();
+
+ return ret;
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Dec 19 16:29:22 2007
+From: David Miller <davem@davemloft.net>
+Date: Wed, 19 Dec 2007 16:28:57 -0800 (PST)
+Subject: SPARC64: Fix two kernel linear mapping setup bugs.
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20071219.162857.239562660.davem@davemloft.net>
+
+From: David Miller <davem@davemloft.net>
+
+[SPARC64]: Fix two kernel linear mapping setup bugs.
+
+[ Upstream commit: 8f361453d8e9a67c85b2cf9b93c642c2d8fe0462 ]
+
+This was caught and identified by Greg Onufer.
+
+Since we setup the 256M/4M bitmap table after taking over the trap
+table, it's possible for some 4M mapping to get loaded in the TLB
+beforhand which later will be 256M mappings.
+
+This can cause illegal TLB multiple-match conditions. Fix this by
+setting up the bitmap before we take over the trap table.
+
+Next, __flush_tlb_all() was not doing anything on hypervisor
+platforms. Fix by adding sun4v_mmu_demap_all() and calling it.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/kernel/entry.S | 12 ++++++++++++
+ arch/sparc64/mm/init.c | 29 ++++++++++++++++++++---------
+ include/asm-sparc64/hypervisor.h | 4 ++++
+ 3 files changed, 36 insertions(+), 9 deletions(-)
+
+--- a/arch/sparc64/kernel/entry.S
++++ b/arch/sparc64/kernel/entry.S
+@@ -2593,3 +2593,15 @@ sun4v_mmustat_info:
+ retl
+ nop
+ .size sun4v_mmustat_info, .-sun4v_mmustat_info
++
++ .globl sun4v_mmu_demap_all
++ .type sun4v_mmu_demap_all,#function
++sun4v_mmu_demap_all:
++ clr %o0
++ clr %o1
++ mov HV_MMU_ALL, %o2
++ mov HV_FAST_MMU_DEMAP_ALL, %o5
++ ta HV_FAST_TRAP
++ retl
++ nop
++ .size sun4v_mmu_demap_all, .-sun4v_mmu_demap_all
+--- a/arch/sparc64/mm/init.c
++++ b/arch/sparc64/mm/init.c
+@@ -1135,14 +1135,9 @@ static void __init mark_kpte_bitmap(unsi
+ }
+ }
+
+-static void __init kernel_physical_mapping_init(void)
++static void __init init_kpte_bitmap(void)
+ {
+ unsigned long i;
+-#ifdef CONFIG_DEBUG_PAGEALLOC
+- unsigned long mem_alloced = 0UL;
+-#endif
+-
+- read_obp_memory("reg", &pall[0], &pall_ents);
+
+ for (i = 0; i < pall_ents; i++) {
+ unsigned long phys_start, phys_end;
+@@ -1151,14 +1146,24 @@ static void __init kernel_physical_mappi
+ phys_end = phys_start + pall[i].reg_size;
+
+ mark_kpte_bitmap(phys_start, phys_end);
++ }
++}
+
++static void __init kernel_physical_mapping_init(void)
++{
+ #ifdef CONFIG_DEBUG_PAGEALLOC
++ unsigned long i, mem_alloced = 0UL;
++
++ for (i = 0; i < pall_ents; i++) {
++ unsigned long phys_start, phys_end;
++
++ phys_start = pall[i].phys_addr;
++ phys_end = phys_start + pall[i].reg_size;
++
+ mem_alloced += kernel_map_range(phys_start, phys_end,
+ PAGE_KERNEL);
+-#endif
+ }
+
+-#ifdef CONFIG_DEBUG_PAGEALLOC
+ printk("Allocated %ld bytes for kernel page tables.\n",
+ mem_alloced);
+
+@@ -1400,6 +1405,10 @@ void __init paging_init(void)
+
+ inherit_prom_mappings();
+
++ read_obp_memory("reg", &pall[0], &pall_ents);
++
++ init_kpte_bitmap();
++
+ /* Ok, we can use our TLB miss and window trap handlers safely. */
+ setup_tba();
+
+@@ -1854,7 +1863,9 @@ void __flush_tlb_all(void)
+ "wrpr %0, %1, %%pstate"
+ : "=r" (pstate)
+ : "i" (PSTATE_IE));
+- if (tlb_type == spitfire) {
++ if (tlb_type == hypervisor) {
++ sun4v_mmu_demap_all();
++ } else if (tlb_type == spitfire) {
+ for (i = 0; i < 64; i++) {
+ /* Spitfire Errata #32 workaround */
+ /* NOTE: Always runs on spitfire, so no
+--- a/include/asm-sparc64/hypervisor.h
++++ b/include/asm-sparc64/hypervisor.h
+@@ -709,6 +709,10 @@ extern unsigned long sun4v_mmu_tsb_ctx0(
+ */
+ #define HV_FAST_MMU_DEMAP_ALL 0x24
+
++#ifndef __ASSEMBLY__
++extern void sun4v_mmu_demap_all(void);
++#endif
++
+ /* mmu_map_perm_addr()
+ * TRAP: HV_FAST_TRAP
+ * FUNCTION: HV_FAST_MMU_MAP_PERM_ADDR
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Jan 11 01:26:59 2008
+From: Julia Lawall <julia@diku.dk>
+Date: Fri, 11 Jan 2008 01:26:33 -0800 (PST)
+Subject: X25: Add missing x25_neigh_put
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20080111.012633.207825024.davem@davemloft.net>
+
+From: Julia Lawall <julia@diku.dk>
+
+[X25]: Add missing x25_neigh_put
+
+[ Upstream commit: 76975f8a3186dae501584d0155ea410464f62815 ]
+
+The function x25_get_neigh increments a reference count. At the point of
+the second goto out, the result of calling x25_get_neigh is only stored in
+a local variable, and thus no one outside the function will be able to
+decrease the reference count. Thus, x25_neigh_put should be called before
+the return in this case.
+
+The problem was found using the following semantic match.
+(http://www.emn.fr/x-info/coccinelle/)
+
+// <smpl>
+
+@@
+type T,T1,T2;
+identifier E;
+statement S;
+expression x1,x2,x3;
+int ret;
+@@
+
+ T E;
+ ...
+* if ((E = x25_get_neigh(...)) == NULL)
+ S
+ ... when != x25_neigh_put(...,(T1)E,...)
+ when != if (E != NULL) { ... x25_neigh_put(...,(T1)E,...); ...}
+ when != x1 = (T1)E
+ when != E = x3;
+ when any
+ if (...) {
+ ... when != x25_neigh_put(...,(T2)E,...)
+ when != if (E != NULL) { ... x25_neigh_put(...,(T2)E,...); ...}
+ when != x2 = (T2)E
+(
+* return;
+|
+* return ret;
+)
+ }
+// </smpl>
+
+Signed-off-by: Julia Lawall <julia@diku.dk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/x25/x25_forward.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/x25/x25_forward.c
++++ b/net/x25/x25_forward.c
+@@ -118,13 +118,14 @@ int x25_forward_data(int lci, struct x25
+ goto out;
+
+ if ( (skbn = pskb_copy(skb, GFP_ATOMIC)) == NULL){
+- goto out;
++ goto output;
+
+ }
+ x25_transmit_link(skbn, nb);
+
+- x25_neigh_put(nb);
+ rc = 1;
++output:
++ x25_neigh_put(nb);
+ out:
+ return rc;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
