--- /dev/null
+From stable-bounces@linux.kernel.org Thu Sep 20 15:20:18 2007
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 20 Sep 2007 12:41:36 -0700 (PDT)
+Subject: Fix datagram recvmsg NULL iov handling regression.
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20070920.124136.34842105.davem@davemloft.net>
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit ef8aef55ce61fd0e2af798695f7386ac756ae1e7 in mainline
+
+Subject: [PATCH] [NET]: Do not dereference iov if length is zero
+
+When msg_iovlen is zero we shouldn't try to dereference
+msg_iov. Right now the only thing that tries to do so
+is skb_copy_and_csum_datagram_iovec. Since the total
+length should also be zero if msg_iovlen is zero, it's
+sufficient to check the total length there and simply
+return if it's zero.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/datagram.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/datagram.c
++++ b/net/core/datagram.c
+@@ -450,6 +450,9 @@ int skb_copy_and_csum_datagram_iovec(str
+ __wsum csum;
+ int chunk = skb->len - hlen;
+
++ if (!chunk)
++ return 0;
++
+ /* Skip filled elements.
+ * Pretty silly, look at memcpy_toiovec, though 8)
+ */
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Sep 20 12:44:40 2007
+From: Patrick McHardy <kaber@trash.net>
+Date: Thu, 20 Sep 2007 12:44:24 -0700 (PDT)
+Subject: Fix inet_diag OOPS.
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070920.124424.25158218.davem@davemloft.net>
+
+
+From: Patrick McHardy <kaber@trash.net>
+
+commit 0a9c73014415d2a84dac346c1e12169142a6ad37 in mainline
+
+[INET_DIAG]: Fix oops in netlink_rcv_skb
+
+netlink_run_queue() doesn't handle multiple processes processing the
+queue concurrently. Serialize queue processing in inet_diag to fix
+a oops in netlink_rcv_skb caused by netlink_run_queue passing a
+NULL for the skb.
+
+BUG: unable to handle kernel NULL pointer dereference at virtual address 00000054
+[349587.500454] printing eip:
+[349587.500457] c03318ae
+[349587.500459] *pde = 00000000
+[349587.500464] Oops: 0000 [#1]
+[349587.500466] PREEMPT SMP
+[349587.500474] Modules linked in: w83627hf hwmon_vid i2c_isa
+[349587.500483] CPU: 0
+[349587.500485] EIP: 0060:[<c03318ae>] Not tainted VLI
+[349587.500487] EFLAGS: 00010246 (2.6.22.3 #1)
+[349587.500499] EIP is at netlink_rcv_skb+0xa/0x7e
+[349587.500506] eax: 00000000 ebx: 00000000 ecx: c148d2a0 edx: c0398819
+[349587.500510] esi: 00000000 edi: c0398819 ebp: c7a21c8c esp: c7a21c80
+[349587.500517] ds: 007b es: 007b fs: 00d8 gs: 0033 ss: 0068
+[349587.500521] Process oidentd (pid: 17943, ti=c7a20000 task=cee231c0 task.ti=c7a20000)
+[349587.500527] Stack: 00000000 c7a21cac f7c8ba78 c7a21ca4 c0331962 c0398819 f7c8ba00 0000004c
+[349587.500542] f736f000 c7a21cb4 c03988e3 00000001 f7c8ba00 c7a21cc4 c03312a5 0000004c
+[349587.500558] f7c8ba00 c7a21cd4 c0330681 f7c8ba00 e4695280 c7a21d00 c03307c6 7fffffff
+[349587.500578] Call Trace:
+[349587.500581] [<c010361a>] show_trace_log_lvl+0x1c/0x33
+[349587.500591] [<c01036d4>] show_stack_log_lvl+0x8d/0xaa
+[349587.500595] [<c010390e>] show_registers+0x1cb/0x321
+[349587.500604] [<c0103bff>] die+0x112/0x1e1
+[349587.500607] [<c01132d2>] do_page_fault+0x229/0x565
+[349587.500618] [<c03c8d3a>] error_code+0x72/0x78
+[349587.500625] [<c0331962>] netlink_run_queue+0x40/0x76
+[349587.500632] [<c03988e3>] inet_diag_rcv+0x1f/0x2c
+[349587.500639] [<c03312a5>] netlink_data_ready+0x57/0x59
+[349587.500643] [<c0330681>] netlink_sendskb+0x24/0x45
+[349587.500651] [<c03307c6>] netlink_unicast+0x100/0x116
+[349587.500656] [<c0330f83>] netlink_sendmsg+0x1c2/0x280
+[349587.500664] [<c02fcce9>] sock_sendmsg+0xba/0xd5
+[349587.500671] [<c02fe4d1>] sys_sendmsg+0x17b/0x1e8
+[349587.500676] [<c02fe92d>] sys_socketcall+0x230/0x24d
+[349587.500684] [<c01028d2>] syscall_call+0x7/0xb
+[349587.500691] =======================
+[349587.500693] Code: f0 ff 4e 18 0f 94 c0 84 c0 0f 84 66 ff ff ff 89 f0 e8 86 e2 fc ff e9 5a ff ff ff f0 ff 40 10 eb be 55 89 e5 57 89 d7 56 89 c6 53 <8b> 50 54 83 fa 10 72 55 8b 9e 9c 00 00 00 31 c9 8b 03 83 f8 0f
+
+Reported by Athanasius <link@miggy.org>
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/inet_diag.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -836,12 +836,16 @@ static int inet_diag_rcv_msg(struct sk_b
+ return inet_diag_get_exact(skb, nlh);
+ }
+
++static DEFINE_MUTEX(inet_diag_mutex);
++
+ static void inet_diag_rcv(struct sock *sk, int len)
+ {
+ unsigned int qlen = 0;
+
+ do {
++ mutex_lock(&inet_diag_mutex);
+ netlink_run_queue(sk, &qlen, &inet_diag_rcv_msg);
++ mutex_unlock(&inet_diag_mutex);
+ } while (qlen);
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Sep 20 12:48:03 2007
+From: Nick Bowler <nbowler@ellipticsemi.com>
+Date: Thu, 20 Sep 2007 12:47:45 -0700 (PDT)
+Subject: Fix IPSEC AH4 options handling
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20070920.124745.58439764.davem@davemloft.net>
+
+From: Nick Bowler <nbowler@ellipticsemi.com>
+
+commit 8ee4f391831cb96916a8e8a05f04b1c1d7dd30d8 in mainline.
+
+In testing our ESP/AH offload hardware, I discovered an issue with how
+AH handles mutable fields in IPv4. RFC 4302 (AH) states the following
+on the subject:
+
+ For IPv4, the entire option is viewed as a unit; so even
+ though the type and length fields within most options are immutable
+ in transit, if an option is classified as mutable, the entire option
+ is zeroed for ICV computation purposes.
+
+The current implementation does not zero the type and length fields,
+resulting in authentication failures when communicating with hosts
+that do (i.e. FreeBSD).
+
+I have tested record route and timestamp options (ping -R and ping -T)
+on a small network involving Windows XP, FreeBSD 6.2, and Linux hosts,
+with one router. In the presence of these options, the FreeBSD and
+Linux hosts (with the patch or with the hardware) can communicate.
+The Windows XP host simply fails to accept these packets with or
+without the patch.
+
+I have also been trying to test source routing options (using
+traceroute -g), but haven't had much luck getting this option to work
+*without* AH, let alone with.
+
+Signed-off-by: Nick Bowler <nbowler@ellipticsemi.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/ah4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ah4.c
++++ b/net/ipv4/ah4.c
+@@ -46,7 +46,7 @@ static int ip_clear_mutable_options(stru
+ memcpy(daddr, optptr+optlen-4, 4);
+ /* Fall through */
+ default:
+- memset(optptr+2, 0, optlen-2);
++ memset(optptr, 0, optlen);
+ }
+ l -= optlen;
+ optptr += optlen;
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Sep 20 12:47:07 2007
+From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Date: Thu, 20 Sep 2007 12:46:41 -0700 (PDT)
+Subject: Fix IPV6 append OOPS.
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20070920.124641.63052146.davem@davemloft.net>
+
+From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+
+commit e1f52208bb968291f7d9142eff60b62984b4a511 in mainline.
+
+[IPv6]: Fix NULL pointer dereference in ip6_flush_pending_frames
+
+Some of skbs in sk->write_queue do not have skb->dst because
+we do not fill skb->dst when we allocate new skb in append_data().
+
+BTW, I think we may not need to (or we should not) increment some stats
+when using corking; if 100 sendmsg() (with MSG_MORE) result in 2 packets,
+how many should we increment?
+
+If 100, we should set skb->dst for every queued skbs.
+
+If 1 (or 2 (*)), we increment the stats for the first queued skb and
+we should just skip incrementing OutDiscards for the rest of queued skbs,
+adn we should also impelement this semantics in other places;
+e.g., we should increment other stats just once, not 100 times.
+
+*: depends on the place we are discarding the datagram.
+
+I guess should just increment by 1 (or 2).
+
+Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ip6_output.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1423,8 +1423,9 @@ void ip6_flush_pending_frames(struct soc
+ struct sk_buff *skb;
+
+ while ((skb = __skb_dequeue_tail(&sk->sk_write_queue)) != NULL) {
+- IP6_INC_STATS(ip6_dst_idev(skb->dst),
+- IPSTATS_MIB_OUTDISCARDS);
++ if (skb->dst)
++ IP6_INC_STATS(ip6_dst_idev(skb->dst),
++ IPSTATS_MIB_OUTDISCARDS);
+ kfree_skb(skb);
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Sep 20 12:56:12 2007
+From: Denis V. Lunev <den@openvz.org>
+Date: Thu, 20 Sep 2007 12:55:47 -0700 (PDT)
+Subject: [stable] [PATCH]: Fix IPV6 DAD handling
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20070920.125547.35800190.davem@davemloft.net>
+
+From: Denis V. Lunev <den@openvz.org>
+
+commit 9e3be4b34364a670bd6e57d2e8c3caabdd8d89f8 in mainline
+
+addrconf_dad_failure calls addrconf_dad_stop which takes referenced address
+and drops the count. So, in6_ifa_put perrformed at out: is extra. This
+results in message: "Freeing alive inet6 address" and not released dst entries.
+
+Signed-off-by: Denis V. Lunev <den@openvz.org>
+Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ndisc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -736,7 +736,7 @@ static void ndisc_recv_ns(struct sk_buff
+ * so fail our DAD process
+ */
+ addrconf_dad_failure(ifp);
+- goto out;
++ return;
+ } else {
+ /*
+ * This is not a dad solicitation.
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Sep 20 12:54:27 2007
+From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Date: Thu, 20 Sep 2007 12:54:07 -0700 (PDT)
+Subject: Fix ipv6 double-sock-release with MSG_CONFIRM
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20070920.125407.82516702.davem@davemloft.net>
+
+From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+
+commit 3ef9d943d26dea764f4fecf3767001c90b778b0c in mainline
+
+Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/raw.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -858,11 +858,10 @@ back_from_confirm:
+ ip6_flush_pending_frames(sk);
+ else if (!(msg->msg_flags & MSG_MORE))
+ err = rawv6_push_pending_frames(sk, &fl, rp);
++ release_sock(sk);
+ }
+ done:
+ dst_release(dst);
+- if (!inet->hdrincl)
+- release_sock(sk);
+ out:
+ fl6_sock_release(flowlabel);
+ return err<0?err:len;
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Sep 20 12:57:20 2007
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Thu, 20 Sep 2007 12:56:55 -0700 (PDT)
+Subject: Fix ipv6 source address handling.
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20070920.125655.48823543.davem@davemloft.net>
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+commit 6ae5f983cf8de769214d2d9e8a783c881eccd4cd in mainline
+
+The commit 95c385 broke proper source address selection for cases in which
+there is a address which is makred 'deprecated'. The commit mistakenly
+changed ifa->flags to ifa_result->flags (probably copy/paste error from a
+few lines above) in the 'Rule 3' address selection code.
+
+The patch restores the previous RFC-compliant behavior.
+
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/addrconf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1021,7 +1021,7 @@ int ipv6_dev_get_saddr(struct net_device
+ hiscore.rule++;
+ }
+ if (ipv6_saddr_preferred(score.addr_type) ||
+- (((ifa_result->flags &
++ (((ifa->flags &
+ (IFA_F_DEPRECATED|IFA_F_OPTIMISTIC)) == 0))) {
+ score.attrs |= IPV6_SADDR_SCORE_PREFERRED;
+ if (!(hiscore.attrs & IPV6_SADDR_SCORE_PREFERRED)) {
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Sep 20 13:03:02 2007
+From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+Date: Thu, 20 Sep 2007 13:02:32 -0700 (PDT)
+Subject: Fix oops in vlan and bridging code
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20070920.130232.00453466.davem@davemloft.net>
+
+
+From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+
+commit 8c7b43a2e58baa24002fa2b266d9a5007bc52a40 in mainline
+
+I tried to preserve bridging code as it was before, but logic is quite
+strange - I think we should free skb on error, since it is already
+unshared and thus will just leak.
+
+Herbert Xu states:
+
+> + if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
+> + goto out;
+
+If this happens it'll be a double-free on skb since we'll
+return NF_DROP which makes the caller free it too.
+
+We could return NF_STOLEN to prevent that but I'm not sure
+whether that's correct netfilter semantics. Patrick, could
+you please make a call on this?
+
+Patrick McHardy states:
+
+NF_STOLEN should work fine here.
+
+Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/8021q/vlan_dev.c | 12 +++++++++++-
+ net/bridge/br_netfilter.c | 12 +++++++-----
+ 2 files changed, 18 insertions(+), 6 deletions(-)
+
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -116,12 +116,22 @@ int vlan_skb_recv(struct sk_buff *skb, s
+ struct packet_type* ptype, struct net_device *orig_dev)
+ {
+ unsigned char *rawp = NULL;
+- struct vlan_hdr *vhdr = (struct vlan_hdr *)(skb->data);
++ struct vlan_hdr *vhdr;
+ unsigned short vid;
+ struct net_device_stats *stats;
+ unsigned short vlan_TCI;
+ __be16 proto;
+
++ if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
++ return -1;
++
++ if (unlikely(!pskb_may_pull(skb, VLAN_HLEN))) {
++ kfree_skb(skb);
++ return -1;
++ }
++
++ vhdr = (struct vlan_hdr *)(skb->data);
++
+ /* vlan_TCI = ntohs(get_unaligned(&vhdr->h_vlan_TCI)); */
+ vlan_TCI = ntohs(vhdr->h_vlan_TCI);
+
+--- a/net/bridge/br_netfilter.c
++++ b/net/bridge/br_netfilter.c
+@@ -509,8 +509,14 @@ static unsigned int br_nf_pre_routing(un
+ int (*okfn)(struct sk_buff *))
+ {
+ struct iphdr *iph;
+- __u32 len;
+ struct sk_buff *skb = *pskb;
++ __u32 len = nf_bridge_encap_header_len(skb);
++
++ if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
++ return NF_STOLEN;
++
++ if (unlikely(!pskb_may_pull(skb, len)))
++ goto out;
+
+ if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
+ IS_PPPOE_IPV6(skb)) {
+@@ -518,8 +524,6 @@ static unsigned int br_nf_pre_routing(un
+ if (!brnf_call_ip6tables)
+ return NF_ACCEPT;
+ #endif
+- if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
+- goto out;
+ nf_bridge_pull_encap_header_rcsum(skb);
+ return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
+ }
+@@ -532,8 +536,6 @@ static unsigned int br_nf_pre_routing(un
+ !IS_PPPOE_IP(skb))
+ return NF_ACCEPT;
+
+- if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
+- goto out;
+ nf_bridge_pull_encap_header_rcsum(skb);
+
+ if (!pskb_may_pull(skb, sizeof(struct iphdr)))
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Sep 20 15:20:18 2007
+From: Adit Ranadive <adit.262@gmail.com>
+Date: Thu, 20 Sep 2007 12:40:03 -0700 (PDT)
+Subject: Fix pktgen src_mac handling.
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20070920.124003.90824288.davem@davemloft.net>
+
+From: Adit Ranadive <adit.262@gmail.com>
+
+commit ce5d0b47f13f83dfb9fbb8ac91adad7120747aaf in mainline
+
+Subject: [PATCH] [PKTGEN]: srcmac fix
+
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+---
+ net/core/pktgen.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/core/pktgen.c
++++ b/net/core/pktgen.c
+@@ -111,6 +111,9 @@
+ *
+ * 802.1Q/Q-in-Q support by Francesco Fondelli (FF) <francesco.fondelli@gmail.com>
+ *
++ * Fixed src_mac command to set source mac of packet to value specified in
++ * command by Adit Ranadive <adit.262@gmail.com>
++ *
+ */
+ #include <linux/sys.h>
+ #include <linux/types.h>
+@@ -1415,8 +1418,11 @@ static ssize_t pktgen_if_write(struct fi
+ }
+ if (!strcmp(name, "src_mac")) {
+ char *v = valstr;
++ unsigned char old_smac[ETH_ALEN];
+ unsigned char *m = pkt_dev->src_mac;
+
++ memcpy(old_smac, pkt_dev->src_mac, ETH_ALEN);
++
+ len = strn_len(&user_buffer[i], sizeof(valstr) - 1);
+ if (len < 0) {
+ return len;
+@@ -1445,6 +1451,10 @@ static ssize_t pktgen_if_write(struct fi
+ }
+ }
+
++ /* Set up Src MAC */
++ if (compare_ether_addr(old_smac, pkt_dev->src_mac))
++ memcpy(&(pkt_dev->hh[6]), pkt_dev->src_mac, ETH_ALEN);
++
+ sprintf(pg_result, "OK: srcmac");
+ return count;
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Sep 20 15:20:40 2007
+From: David Miller <davem@davemloft.net>
+Date: Thu, 20 Sep 2007 12:34:02 -0700 (PDT)
+Subject: Fix sparc64 v100 platform booting.
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20070920.123402.37153186.davem@davemloft.net>
+
+From: David Miller <davem@davemloft.net>
+
+commit 2cc7345ff71b27b5ac99e49ad7de39360042f601 in mainline
+
+Subject: [PATCH] [SPARC64]: Fix booting on V100 systems.
+
+On the root PCI bus, the OBP device tree lists device 3 twice.
+Once as 'pm' and once as 'lomp'.
+
+Everything goes downhill from there.
+
+Ignore the second instance to workaround this.
+
+Thanks to Kövedi_Krisztián for the bug report and
+testing the fix.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/kernel/pci.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc64/kernel/pci.c
++++ b/arch/sparc64/kernel/pci.c
+@@ -751,7 +751,7 @@ static void __devinit pci_of_scan_bus(st
+ {
+ struct device_node *child;
+ const u32 *reg;
+- int reglen, devfn;
++ int reglen, devfn, prev_devfn;
+ struct pci_dev *dev;
+
+ if (ofpci_verbose)
+@@ -759,14 +759,25 @@ static void __devinit pci_of_scan_bus(st
+ node->full_name, bus->number);
+
+ child = NULL;
++ prev_devfn = -1;
+ while ((child = of_get_next_child(node, child)) != NULL) {
+ if (ofpci_verbose)
+ printk(" * %s\n", child->full_name);
+ reg = of_get_property(child, "reg", ®len);
+ if (reg == NULL || reglen < 20)
+ continue;
++
+ devfn = (reg[0] >> 8) & 0xff;
+
++ /* This is a workaround for some device trees
++ * which list PCI devices twice. On the V100
++ * for example, device number 3 is listed twice.
++ * Once as "pm" and once again as "lomp".
++ */
++ if (devfn == prev_devfn)
++ continue;
++ prev_devfn = devfn;
++
+ /* create a new pci_dev for this device */
+ dev = of_create_pci_dev(pbm, child, bus, devfn, 0);
+ if (!dev)
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Sep 20 13:04:48 2007
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+Date: Thu, 20 Sep 2007 13:04:12 -0700 (PDT)
+Subject: Fix tc_ematch kbuild
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20070920.130412.22019508.davem@davemloft.net>
+
+
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+
+commit 09d74cdd88a59a18f2ad7cfa0b6045ed1817b632 in mainline.
+
+Subject: [PATCH] [KBUILD]: Sanitize tc_ematch headers.
+
+The headers in tc_ematch are used by iproute2, so these headers should
+be processed.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/Kbuild | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/linux/Kbuild
++++ b/include/linux/Kbuild
+@@ -7,6 +7,7 @@ header-y += raid/
+ header-y += spi/
+ header-y += sunrpc/
+ header-y += tc_act/
++header-y += tc_ematch/
+ header-y += netfilter/
+ header-y += netfilter_arp/
+ header-y += netfilter_bridge/
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Sep 20 13:11:27 2007
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Date: Thu, 20 Sep 2007 13:11:07 -0700 (PDT)
+Subject: Fix TCP DSACK cwnd handling
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20070920.131107.91759132.davem@davemloft.net>
+
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+
+commit 49ff4bb4cd4c04acf8f9e3d3ec2148305a1db445 in mainline.
+
+[TCP]: DSACK signals data receival, be conservative
+
+In case a DSACK is received, it's better to lower cwnd as it's
+a sign of data receival.
+
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp_input.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -103,6 +103,7 @@ int sysctl_tcp_abc __read_mostly;
+ #define FLAG_SLOWPATH 0x100 /* Do not skip RFC checks for window update.*/
+ #define FLAG_ONLY_ORIG_SACKED 0x200 /* SACKs only non-rexmit sent before RTO */
+ #define FLAG_SND_UNA_ADVANCED 0x400 /* Snd_una was changed (!= FLAG_DATA_ACKED) */
++#define FLAG_DSACKING_ACK 0x800 /* SACK blocks contained DSACK info */
+
+ #define FLAG_ACKED (FLAG_DATA_ACKED|FLAG_SYN_ACKED)
+ #define FLAG_NOT_DUP (FLAG_DATA|FLAG_WIN_UPDATE|FLAG_ACKED)
+@@ -966,12 +967,14 @@ tcp_sacktag_write_queue(struct sock *sk,
+
+ /* Check for D-SACK. */
+ if (before(ntohl(sp[0].start_seq), TCP_SKB_CB(ack_skb)->ack_seq)) {
++ flag |= FLAG_DSACKING_ACK;
+ found_dup_sack = 1;
+ tp->rx_opt.sack_ok |= 4;
+ NET_INC_STATS_BH(LINUX_MIB_TCPDSACKRECV);
+ } else if (num_sacks > 1 &&
+ !after(ntohl(sp[0].end_seq), ntohl(sp[1].end_seq)) &&
+ !before(ntohl(sp[0].start_seq), ntohl(sp[1].start_seq))) {
++ flag |= FLAG_DSACKING_ACK;
+ found_dup_sack = 1;
+ tp->rx_opt.sack_ok |= 4;
+ NET_INC_STATS_BH(LINUX_MIB_TCPDSACKOFORECV);
+@@ -1858,7 +1861,7 @@ static void tcp_cwnd_down(struct sock *s
+ struct tcp_sock *tp = tcp_sk(sk);
+ int decr = tp->snd_cwnd_cnt + 1;
+
+- if ((flag&FLAG_ANY_PROGRESS) ||
++ if ((flag&(FLAG_ANY_PROGRESS|FLAG_DSACKING_ACK)) ||
+ (IsReno(tp) && !(flag&FLAG_NOT_DUP))) {
+ tp->snd_cwnd_cnt = decr&1;
+ decr >>= 1;
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Sep 20 13:10:54 2007
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Date: Thu, 20 Sep 2007 13:10:25 -0700 (PDT)
+Subject: Handle snd_una in tcp_cwnd_down()
+To: stable@kernel.org
+Cc: bunk@kernel.org
+Message-ID: <20070920.131025.26930710.davem@davemloft.net>
+
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+
+commit 6ee8009e38006da81d2a53da1aaa27365552553e in mainline
+
+Subject: [PATCH 1/1] [TCP]: Also handle snd_una changes in tcp_cwnd_down
+
+tcp_cwnd_down must check for it too as it should be conservative
+in case of collapse stuff and also when receiver is trying to
+lie (though it wouldn't be successful anyway).
+
+Note:
+- Separated also is_dupack and do_lost in fast_retransalert
+ * Much cleaner look-and-feel now
+ * This time it really fixes cumulative ACK + many new
+ SACK blocks recovery entry (I claimed this fixes with
+ last patch but it wasn't). TCP will now call
+ tcp_update_scoreboard regardless of is_dupack when
+ in recovery as long as there is enough fackets_out.
+- Introduce FLAG_SND_UNA_ADVANCED
+ * Some prior_snd_una arguments are unnecessary after it
+- Added helper FLAG_ANY_PROGRESS to avoid long FLAG...|FLAG...
+ constructs
+
+This is a reduced version of a mainline patch.
+
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Cc: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp_input.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -102,11 +102,13 @@ int sysctl_tcp_abc __read_mostly;
+ #define FLAG_DATA_LOST 0x80 /* SACK detected data lossage. */
+ #define FLAG_SLOWPATH 0x100 /* Do not skip RFC checks for window update.*/
+ #define FLAG_ONLY_ORIG_SACKED 0x200 /* SACKs only non-rexmit sent before RTO */
++#define FLAG_SND_UNA_ADVANCED 0x400 /* Snd_una was changed (!= FLAG_DATA_ACKED) */
+
+ #define FLAG_ACKED (FLAG_DATA_ACKED|FLAG_SYN_ACKED)
+ #define FLAG_NOT_DUP (FLAG_DATA|FLAG_WIN_UPDATE|FLAG_ACKED)
+ #define FLAG_CA_ALERT (FLAG_DATA_SACKED|FLAG_ECE)
+ #define FLAG_FORWARD_PROGRESS (FLAG_ACKED|FLAG_DATA_SACKED)
++#define FLAG_ANY_PROGRESS (FLAG_FORWARD_PROGRESS|FLAG_SND_UNA_ADVANCED)
+
+ #define IsReno(tp) ((tp)->rx_opt.sack_ok == 0)
+ #define IsFack(tp) ((tp)->rx_opt.sack_ok & 2)
+@@ -1856,7 +1858,7 @@ static void tcp_cwnd_down(struct sock *s
+ struct tcp_sock *tp = tcp_sk(sk);
+ int decr = tp->snd_cwnd_cnt + 1;
+
+- if ((flag&FLAG_FORWARD_PROGRESS) ||
++ if ((flag&FLAG_ANY_PROGRESS) ||
+ (IsReno(tp) && !(flag&FLAG_NOT_DUP))) {
+ tp->snd_cwnd_cnt = decr&1;
+ decr >>= 1;
+@@ -2112,10 +2114,9 @@ tcp_fastretrans_alert(struct sock *sk, u
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct tcp_sock *tp = tcp_sk(sk);
+- int is_dupack = (tp->snd_una == prior_snd_una &&
+- (!(flag&FLAG_NOT_DUP) ||
+- ((flag&FLAG_DATA_SACKED) &&
+- (tp->fackets_out > tp->reordering))));
++ int is_dupack = !(flag&(FLAG_SND_UNA_ADVANCED|FLAG_NOT_DUP));
++ int do_lost = is_dupack || ((flag&FLAG_DATA_SACKED) &&
++ (tp->fackets_out > tp->reordering));
+
+ /* Some technical things:
+ * 1. Reno does not count dupacks (sacked_out) automatically. */
+@@ -2199,7 +2200,7 @@ tcp_fastretrans_alert(struct sock *sk, u
+ int acked = prior_packets - tp->packets_out;
+ if (IsReno(tp))
+ tcp_remove_reno_sacks(sk, acked);
+- is_dupack = tcp_try_undo_partial(sk, acked);
++ do_lost = tcp_try_undo_partial(sk, acked);
+ }
+ break;
+ case TCP_CA_Loss:
+@@ -2264,7 +2265,7 @@ tcp_fastretrans_alert(struct sock *sk, u
+ tcp_set_ca_state(sk, TCP_CA_Recovery);
+ }
+
+- if (is_dupack || tcp_head_timedout(sk))
++ if (do_lost || tcp_head_timedout(sk))
+ tcp_update_scoreboard(sk);
+ tcp_cwnd_down(sk, flag);
+ tcp_xmit_retransmit_queue(sk);
+@@ -2774,6 +2775,9 @@ static int tcp_ack(struct sock *sk, stru
+ if (before(ack, prior_snd_una))
+ goto old_ack;
+
++ if (after(ack, prior_snd_una))
++ flag |= FLAG_SND_UNA_ADVANCED;
++
+ if (sysctl_tcp_abc) {
+ if (icsk->icsk_ca_state < TCP_CA_CWR)
+ tp->bytes_acked += ack - prior_snd_una;
fix-realtek-phy-id-in-forcedeth.patch
fix-decnet-device-address-listing.patch
fix-device-address-listing-for-ipv4.patch
+fix-inet_diag-oops.patch
+fix-ipv6-append-oops.patch
+fix-ipsec-ah4-options-handling.patch
+fix-ipv6-double-sock-release-with-msg_confirm.patch
+fix-ipv6-dad-handling.patch
+fix-ipv6-source-address-handling.patch
+fix-oops-in-vlan-and-bridging-code.patch
+fix-tc_ematch-kbuild.patch
+handle-snd_una-in-tcp_cwnd_down.patch
+fix-tcp-dsack-cwnd-handling.patch
+fix-datagram-recvmsg-null-iov-handling-regression.patch
+fix-pktgen-src_mac-handling.patch
+fix-sparc64-v100-platform-booting.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
