more 2.6.22 patches

diff --git a/queue-2.6.22/cciss-fix-memory-leak.patch b/queue-2.6.22/cciss-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..bd47d5c
--- /dev/null
+++ b/queue-2.6.22/cciss-fix-memory-leak.patch
@@ -0,0 +1,49 @@
+From stable-bounces@linux.kernel.org Thu Feb  7 12:04:00 2008
+From: Jesper Juhl <jesper.juhl@gmail.com>
+Date: Thu, 7 Feb 2008 21:03:11 +0100
+Subject: cciss: fix memory leak
+Message-ID: <6101e8c40802071203r5d56f6d6m330a4d7a15e4642b@mail.gmail.com>
+Content-Disposition: inline
+
+From: Jesper Juhl <jesper.juhl@gmail.com>
+
+mainline: f2912a1223c0917a7b4e054f18086209137891ea
+
+There's a memory leak in the cciss driver.
+
+in alloc_cciss_hba() we may leak sizeof(ctlr_info_t) bytes if a
+call to alloc_disk(1 << NWD_SHIFT) fails.
+This patch should fix the issue.
+
+Spotted by the Coverity checker.
+
+Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
+Acked-by: Mike Miller <mike.miller@hp.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/block/cciss.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/cciss.c
++++ b/drivers/block/cciss.c
+@@ -3225,12 +3225,15 @@ static int alloc_cciss_hba(void)
+       for (i = 0; i < MAX_CTLR; i++) {
+               if (!hba[i]) {
+                       ctlr_info_t *p;
++
+                       p = kzalloc(sizeof(ctlr_info_t), GFP_KERNEL);
+                       if (!p)
+                               goto Enomem;
+                       p->gendisk[0] = alloc_disk(1 << NWD_SHIFT);
+-                      if (!p->gendisk[0])
++                      if (!p->gendisk[0]) {
++                              kfree(p);
+                               goto Enomem;
++                      }
+                       hba[i] = p;
+                       return i;
+               }

diff --git a/queue-2.6.22/cciss-panic-in-blk_rq_map_sg-from-cciss-driver.patch b/queue-2.6.22/cciss-panic-in-blk_rq_map_sg-from-cciss-driver.patch
new file mode 100644 (file)
index 0000000..e1be32e
--- /dev/null
+++ b/queue-2.6.22/cciss-panic-in-blk_rq_map_sg-from-cciss-driver.patch
@@ -0,0 +1,88 @@
+From stable-bounces@linux.kernel.org Thu Feb  7 12:04:11 2008
+From: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
+Date: Thu, 7 Feb 2008 21:03:14 +0100
+Subject: cciss: Panic in blk_rq_map_sg() from CCISS driver
+Message-ID: <6101e8c40802071203t29fcb4fk11ff1e7169bafdbd@mail.gmail.com>
+Content-Disposition: inline
+
+
+From: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
+
+mainline: a683d652d334a546be9175b894f42dbd8e399536
+
+New scatter/gather list chaining [sg_next()] treats 'page' member of
+struct scatterlist with low bit set [0x01] as a chain pointer to
+another struct scatterlist [array].  The CCISS driver request function
+passes an uninitialized, temporary, on-stack scatterlist array to
+blk_rq_map_sq().  sg_next() interprets random data on the stack as a
+chain pointer and eventually tries to de-reference an invalid pointer,
+resulting in:
+
+[<ffffffff8031dd70>] blk_rq_map_sg+0x70/0x170
+PGD 6090c3067 PUD 0
+Oops: 0000 [1] SMP
+last sysfs file: /block/cciss!c0d0/cciss!c0d0p1/dev
+CPU 6
+Modules linked in: ehci_hcd ohci_hcd uhci_hcd
+Pid: 1, comm: init Not tainted 2.6.23-rc6-mm1 #3
+RIP: 0010:[<ffffffff8031dd70>] [<ffffffff8031dd70>] blk_rq_map_sg+0x70/0x170
+RSP: 0018:ffff81060901f768 EFLAGS: 00010206
+RAX: 000000040b161000 RBX: ffff81060901f7d8 RCX: 000000040b162c00
+RDX: 0000000000000000 RSI: ffff81060b13a260 RDI: ffff81060b139600
+RBP: 0000000000001400 R08: 00000000fffffffe R09: 0000000000000400
+R10: 0000000000000000 R11: 000000040b163000 R12: ffff810102fe0000
+R13: 0000000000000001 R14: 0000000000000001 R15: 00001e0000000000
+FS: 00000000026108f0(0063) GS:ffff810409000b80(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 000000010000001e CR3: 00000006090c6000 CR4: 00000000000006e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process init (pid: 1, threadinfo ffff81060901e000, task ffff810409020800)
+last branch before last exception/interrupt
+from [<ffffffff8031de0a>] blk_rq_map_sg+0x10a/0x170
+to [<ffffffff8031dd70>] blk_rq_map_sg+0x70/0x170
+Stack: 000000018068ea00 ffff810102fe0000 0000000000000000 ffff810011400000
+0000000000000002 0000000000000000 ffff81040b172000 ffffffff803acd3d
+0000000000003ec1 ffff8106090d5000 ffff8106090d5000 ffff810102fe0000
+Call Trace:
+[<ffffffff803acd3d>] do_cciss_request+0x15d/0x4c0
+[<ffffffff80298968>] new_slab+0x1c8/0x270
+[<ffffffff80298ffd>] __slab_alloc+0x22d/0x470
+[<ffffffff8027327b>] mempool_alloc+0x4b/0x130
+[<ffffffff8032b21e>] cfq_set_request+0xee/0x380
+[<ffffffff8027327b>] mempool_alloc+0x4b/0x130
+[<ffffffff8031ff98>] get_request+0x168/0x360
+[<ffffffff80331b0d>] rb_insert_color+0x8d/0x110
+[<ffffffff8031cfd8>] elv_rb_add+0x58/0x60
+[<ffffffff8032a329>] cfq_add_rq_rb+0x69/0xa0
+[<ffffffff8031c1ab>] elv_merged_request+0x5b/0x60
+[<ffffffff803224fd>] __make_request+0x23d/0x650
+[<ffffffff80298ffd>] __slab_alloc+0x22d/0x470
+[<ffffffff80270000>] generic_write_checks+0x140/0x190
+[<ffffffff8031f012>] generic_make_request+0x1c2/0x3a0
+<etc>
+Kernel panic - not syncing: Attempted to kill init!
+
+This patch initializes the tmp_sg array to zeroes.  Perhaps not the ultimate
+fix, but an effective work-around.  I can now boot 23-rc6-mm1 on an HP
+Proliant x86_64 with CCISS boot disk.
+
+Signed-off-by:  Lee Schermerhorn <lee.schermerhorn@hp.com>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/block/cciss.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/block/cciss.c
++++ b/drivers/block/cciss.c
+@@ -2568,6 +2568,7 @@ static void do_cciss_request(request_que
+              (int)creq->nr_sectors);
+ #endif                                /* CCISS_DEBUG */
+ 
++      memset(tmp_sg, 0, sizeof(tmp_sg));
+       seg = blk_rq_map_sg(q, creq, tmp_sg);
+ 
+       /* get the DMA records for the setup */

diff --git a/queue-2.6.22/handle-bogus-cs-selector-in-single-step-instruction-decoding.patch b/queue-2.6.22/handle-bogus-cs-selector-in-single-step-instruction-decoding.patch
new file mode 100644 (file)
index 0000000..1e62eff
--- /dev/null
+++ b/queue-2.6.22/handle-bogus-cs-selector-in-single-step-instruction-decoding.patch
@@ -0,0 +1,95 @@
+From stable-bounces@linux.kernel.org Thu Feb  7 12:04:33 2008
+From: Roland McGrath <roland@redhat.com>
+Date: Thu, 7 Feb 2008 21:03:16 +0100
+Subject: Handle bogus %cs selector in single-step instruction decoding (CVE-2007-3731)
+Message-ID: <6101e8c40802071203i132e678s8e7f30484f5854c5@mail.gmail.com>
+Content-Disposition: inline
+
+
+From: Roland McGrath <roland@redhat.com>
+
+Handle bogus %cs selector in single-step instruction decoding
+
+mainline: 29eb51101c02df517ca64ec472d7501127ad1da8
+
+The code for LDT segment selectors was not robust in the face of a bogus
+selector set in %cs via ptrace before the single-step was done.
+
+Signed-off-by: Roland McGrath <roland@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/i386/kernel/ptrace.c   |   22 +++++++++++++++-------
+ arch/x86_64/kernel/ptrace.c |   23 ++++++++++++++++-------
+ 2 files changed, 31 insertions(+), 14 deletions(-)
+
+--- a/arch/i386/kernel/ptrace.c
++++ b/arch/i386/kernel/ptrace.c
+@@ -164,14 +164,22 @@ static unsigned long convert_eip_to_line
+               u32 *desc;
+               unsigned long base;
+ 
+-              down(&child->mm->context.sem);
+-              desc = child->mm->context.ldt + (seg & ~7);
+-              base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
++              seg &= ~7UL;
+ 
+-              /* 16-bit code segment? */
+-              if (!((desc[1] >> 22) & 1))
+-                      addr &= 0xffff;
+-              addr += base;
++              down(&child->mm->context.sem);
++              if (unlikely((seg >> 3) >= child->mm->context.size))
++                      addr = -1L; /* bogus selector, access would fault */
++              else {
++                      desc = child->mm->context.ldt + seg;
++                      base = ((desc[0] >> 16) |
++                              ((desc[1] & 0xff) << 16) |
++                              (desc[1] & 0xff000000));
++
++                      /* 16-bit code segment? */
++                      if (!((desc[1] >> 22) & 1))
++                              addr &= 0xffff;
++                      addr += base;
++              }
+               up(&child->mm->context.sem);
+       }
+       return addr;
+--- a/arch/x86_64/kernel/ptrace.c
++++ b/arch/x86_64/kernel/ptrace.c
+@@ -102,16 +102,25 @@ unsigned long convert_rip_to_linear(stru
+               u32 *desc;
+               unsigned long base;
+ 
+-              down(&child->mm->context.sem);
+-              desc = child->mm->context.ldt + (seg & ~7);
+-              base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
++              seg &= ~7UL;
+ 
+-              /* 16-bit code segment? */
+-              if (!((desc[1] >> 22) & 1))
+-                      addr &= 0xffff;
+-              addr += base;
++              down(&child->mm->context.sem);
++              if (unlikely((seg >> 3) >= child->mm->context.size))
++                      addr = -1L; /* bogus selector, access would fault */
++              else {
++                      desc = child->mm->context.ldt + seg;
++                      base = ((desc[0] >> 16) |
++                              ((desc[1] & 0xff) << 16) |
++                              (desc[1] & 0xff000000));
++
++                      /* 16-bit code segment? */
++                      if (!((desc[1] >> 22) & 1))
++                              addr &= 0xffff;
++                      addr += base;
++              }
+               up(&child->mm->context.sem);
+       }
++
+       return addr;
+ }
+ 

diff --git a/queue-2.6.22/i386-fixup-trace_irq-breakage.patch b/queue-2.6.22/i386-fixup-trace_irq-breakage.patch
new file mode 100644 (file)
index 0000000..576478d
--- /dev/null
+++ b/queue-2.6.22/i386-fixup-trace_irq-breakage.patch
@@ -0,0 +1,71 @@
+From stable-bounces@linux.kernel.org Thu Feb  7 12:03:51 2008
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 7 Feb 2008 21:03:18 +0100
+Subject: i386: fixup TRACE_IRQ breakage (CVE-2007-3731)
+Message-ID: <6101e8c40802071203x444c7a2by599b6e07b27193f1@mail.gmail.com>
+Content-Disposition: inline
+
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+mainline: a10d9a71bafd3a283da240d2868e71346d2aef6f
+
+The TRACE_IRQS_ON function in iret_exc: calls a C function without
+ensuring that the segments are set properly. Move the trace function and
+the enabling of interrupt into the C stub.
+
+Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/i386/kernel/entry.S |    2 --
+ arch/i386/kernel/traps.c |   10 ++++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/i386/kernel/entry.S
++++ b/arch/i386/kernel/entry.S
+@@ -409,8 +409,6 @@ restore_nocheck_notrace:
+ 1:    INTERRUPT_RETURN
+ .section .fixup,"ax"
+ iret_exc:
+-      TRACE_IRQS_ON
+-      ENABLE_INTERRUPTS(CLBR_NONE)
+       pushl $0                        # no error code
+       pushl $do_iret_error
+       jmp error_code
+--- a/arch/i386/kernel/traps.c
++++ b/arch/i386/kernel/traps.c
+@@ -517,10 +517,12 @@ fastcall void do_##name(struct pt_regs *
+       do_trap(trapnr, signr, str, 0, regs, error_code, NULL); \
+ }
+ 
+-#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr) \
++#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr, irq) \
+ fastcall void do_##name(struct pt_regs * regs, long error_code) \
+ { \
+       siginfo_t info; \
++      if (irq) \
++              local_irq_enable(); \
+       info.si_signo = signr; \
+       info.si_errno = 0; \
+       info.si_code = sicode; \
+@@ -560,13 +562,13 @@ DO_VM86_ERROR( 3, SIGTRAP, "int3", int3)
+ #endif
+ DO_VM86_ERROR( 4, SIGSEGV, "overflow", overflow)
+ DO_VM86_ERROR( 5, SIGSEGV, "bounds", bounds)
+-DO_ERROR_INFO( 6, SIGILL,  "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip)
++DO_ERROR_INFO( 6, SIGILL,  "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip, 0)
+ DO_ERROR( 9, SIGFPE,  "coprocessor segment overrun", coprocessor_segment_overrun)
+ DO_ERROR(10, SIGSEGV, "invalid TSS", invalid_TSS)
+ DO_ERROR(11, SIGBUS,  "segment not present", segment_not_present)
+ DO_ERROR(12, SIGBUS,  "stack segment", stack_segment)
+-DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0)
+-DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0)
++DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0, 0)
++DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0, 1)
+ 
+ fastcall void __kprobes do_general_protection(struct pt_regs * regs,
+                                             long error_code)

diff --git a/queue-2.6.22/intel_agp-really-fix-945-965gme.patch b/queue-2.6.22/intel_agp-really-fix-945-965gme.patch
new file mode 100644 (file)
index 0000000..1fececc
--- /dev/null
+++ b/queue-2.6.22/intel_agp-really-fix-945-965gme.patch
@@ -0,0 +1,100 @@
+From stable-bounces@linux.kernel.org Thu Feb  7 12:03:38 2008
+From: Wang Zhenyu <zhenyu.z.wang@intel.com>
+Date: Thu, 7 Feb 2008 21:03:21 +0100
+Subject: Intel_agp: really fix 945/965GME
+Message-ID: <6101e8c40802071203q762a977k5cdbe28ef356efa8@mail.gmail.com>
+Content-Disposition: inline
+
+From: Wang Zhenyu <zhenyu.z.wang@intel.com>
+
+mainline: dde4787642ee3cb85aef80bdade04b6f8ddc3df8
+
+Fix some missing places to check with device id info, which
+should probe the device gart correctly.
+
+Signed-off-by: Wang Zhenyu <zhenyu.z.wang@intel.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/agp/intel-agp.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/char/agp/intel-agp.c
++++ b/drivers/char/agp/intel-agp.c
+@@ -20,7 +20,9 @@
+ #define PCI_DEVICE_ID_INTEL_82965G_IG       0x29A2
+ #define PCI_DEVICE_ID_INTEL_82965GM_HB      0x2A00
+ #define PCI_DEVICE_ID_INTEL_82965GM_IG      0x2A02
++#define PCI_DEVICE_ID_INTEL_82965GME_HB     0x2A10
+ #define PCI_DEVICE_ID_INTEL_82965GME_IG     0x2A12
++#define PCI_DEVICE_ID_INTEL_82945GME_HB     0x27AC
+ #define PCI_DEVICE_ID_INTEL_82945GME_IG     0x27AE
+ #define PCI_DEVICE_ID_INTEL_G33_HB          0x29C0
+ #define PCI_DEVICE_ID_INTEL_G33_IG          0x29C2
+@@ -33,7 +35,8 @@
+                  agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965G_1_HB || \
+                  agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965Q_HB || \
+                  agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965G_HB || \
+-                 agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965GM_HB)
++                 agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965GM_HB || \
++                 agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965GME_HB)
+ 
+ #define IS_G33 (agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_G33_HB || \
+               agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_Q35_HB || \
+@@ -527,6 +530,7 @@ static void intel_i830_init_gtt_entries(
+                           agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82915GM_HB ||
+                           agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945G_HB ||
+                           agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945GM_HB ||
++                          agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945GME_HB ||
+                           IS_I965 || IS_G33)
+                               gtt_entries = MB(48) - KB(size);
+                       else
+@@ -538,6 +542,7 @@ static void intel_i830_init_gtt_entries(
+                           agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82915GM_HB ||
+                           agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945G_HB ||
+                           agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945GM_HB ||
++                          agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945GME_HB ||
+                           IS_I965 || IS_G33)
+                               gtt_entries = MB(64) - KB(size);
+                       else
+@@ -1848,9 +1853,9 @@ static const struct intel_driver_descrip
+               NULL, &intel_915_driver },
+       { PCI_DEVICE_ID_INTEL_82945G_HB, PCI_DEVICE_ID_INTEL_82945G_IG, 0, "945G",
+               NULL, &intel_915_driver },
+-      { PCI_DEVICE_ID_INTEL_82945GM_HB, PCI_DEVICE_ID_INTEL_82945GM_IG, 1, "945GM",
++      { PCI_DEVICE_ID_INTEL_82945GM_HB, PCI_DEVICE_ID_INTEL_82945GM_IG, 0, "945GM",
+               NULL, &intel_915_driver },
+-      { PCI_DEVICE_ID_INTEL_82945GM_HB, PCI_DEVICE_ID_INTEL_82945GME_IG, 0, "945GME",
++      { PCI_DEVICE_ID_INTEL_82945GME_HB, PCI_DEVICE_ID_INTEL_82945GME_IG, 0, "945GME",
+               NULL, &intel_915_driver },
+       { PCI_DEVICE_ID_INTEL_82946GZ_HB, PCI_DEVICE_ID_INTEL_82946GZ_IG, 0, "946GZ",
+               NULL, &intel_i965_driver },
+@@ -1860,9 +1865,9 @@ static const struct intel_driver_descrip
+               NULL, &intel_i965_driver },
+       { PCI_DEVICE_ID_INTEL_82965G_HB, PCI_DEVICE_ID_INTEL_82965G_IG, 0, "965G",
+               NULL, &intel_i965_driver },
+-      { PCI_DEVICE_ID_INTEL_82965GM_HB, PCI_DEVICE_ID_INTEL_82965GM_IG, 1, "965GM",
++      { PCI_DEVICE_ID_INTEL_82965GM_HB, PCI_DEVICE_ID_INTEL_82965GM_IG, 0, "965GM",
+               NULL, &intel_i965_driver },
+-      { PCI_DEVICE_ID_INTEL_82965GM_HB, PCI_DEVICE_ID_INTEL_82965GME_IG, 0, "965GME/GLE",
++      { PCI_DEVICE_ID_INTEL_82965GME_HB, PCI_DEVICE_ID_INTEL_82965GME_IG, 0, "965GME/GLE",
+               NULL, &intel_i965_driver },
+       { PCI_DEVICE_ID_INTEL_7505_0, 0, 0, "E7505", &intel_7505_driver, NULL },
+       { PCI_DEVICE_ID_INTEL_7205_0, 0, 0, "E7205", &intel_7505_driver, NULL },
+@@ -2051,11 +2056,13 @@ static struct pci_device_id agp_intel_pc
+       ID(PCI_DEVICE_ID_INTEL_82915GM_HB),
+       ID(PCI_DEVICE_ID_INTEL_82945G_HB),
+       ID(PCI_DEVICE_ID_INTEL_82945GM_HB),
++      ID(PCI_DEVICE_ID_INTEL_82945GME_HB),
+       ID(PCI_DEVICE_ID_INTEL_82946GZ_HB),
+       ID(PCI_DEVICE_ID_INTEL_82965G_1_HB),
+       ID(PCI_DEVICE_ID_INTEL_82965Q_HB),
+       ID(PCI_DEVICE_ID_INTEL_82965G_HB),
+       ID(PCI_DEVICE_ID_INTEL_82965GM_HB),
++      ID(PCI_DEVICE_ID_INTEL_82965GME_HB),
+       ID(PCI_DEVICE_ID_INTEL_G33_HB),
+       ID(PCI_DEVICE_ID_INTEL_Q35_HB),
+       ID(PCI_DEVICE_ID_INTEL_Q33_HB),

diff --git a/queue-2.6.22/knfsd-fix-spurious-einval-errors-on-first-access-of-new-filesystem.patch b/queue-2.6.22/knfsd-fix-spurious-einval-errors-on-first-access-of-new-filesystem.patch
new file mode 100644 (file)
index 0000000..f6df0a5
--- /dev/null
+++ b/queue-2.6.22/knfsd-fix-spurious-einval-errors-on-first-access-of-new-filesystem.patch
@@ -0,0 +1,55 @@
+From stable-bounces@linux.kernel.org Thu Feb  7 12:04:43 2008
+From: J. Bruce Fields <bfields@citi.umich.edu>
+Date: Thu, 7 Feb 2008 21:03:41 +0100
+Subject: knfsd: fix spurious EINVAL errors on first access of new filesystem
+Message-ID: <6101e8c40802071203t53a5a88cseb39c4f8aa61e832@mail.gmail.com>
+Content-Disposition: inline
+
+
+From: J. Bruce Fields <bfields@citi.umich.edu>
+
+mainline: ac8587dcb58e40dd336d99d60f852041e06cc3dd
+
+The v2/v3 acl code in nfsd is translating any return from fh_verify() to
+nfserr_inval.  This is particularly unfortunate in the case of an
+nfserr_dropit return, which is an internal error meant to indicate to
+callers that this request has been deferred and should just be dropped
+pending the results of an upcall to mountd.
+
+Thanks to Roland <devzero@web.de> for bug report and data collection.
+
+Cc: Roland <devzero@web.de>
+Acked-by: Andreas Gruenbacher <agruen@suse.de>
+Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
+Reviewed-By: NeilBrown <neilb@suse.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/nfs2acl.c |    2 +-
+ fs/nfsd/nfs3acl.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs2acl.c
++++ b/fs/nfsd/nfs2acl.c
+@@ -41,7 +41,7 @@ static __be32 nfsacld_proc_getacl(struct
+ 
+       fh = fh_copy(&resp->fh, &argp->fh);
+       if ((nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP)))
+-              RETURN_STATUS(nfserr_inval);
++              RETURN_STATUS(nfserr);
+ 
+       if (argp->mask & ~(NFS_ACL|NFS_ACLCNT|NFS_DFACL|NFS_DFACLCNT))
+               RETURN_STATUS(nfserr_inval);
+--- a/fs/nfsd/nfs3acl.c
++++ b/fs/nfsd/nfs3acl.c
+@@ -37,7 +37,7 @@ static __be32 nfsd3_proc_getacl(struct s
+ 
+       fh = fh_copy(&resp->fh, &argp->fh);
+       if ((nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP)))
+-              RETURN_STATUS(nfserr_inval);
++              RETURN_STATUS(nfserr);
+ 
+       if (argp->mask & ~(NFS_ACL|NFS_ACLCNT|NFS_DFACL|NFS_DFACLCNT))
+               RETURN_STATUS(nfserr_inval);

diff --git a/queue-2.6.22/nfs-fix-nfs_reval_fsid.patch b/queue-2.6.22/nfs-fix-nfs_reval_fsid.patch
new file mode 100644 (file)
index 0000000..f29c47c
--- /dev/null
+++ b/queue-2.6.22/nfs-fix-nfs_reval_fsid.patch
@@ -0,0 +1,67 @@
+From stable-bounces@linux.kernel.org Thu Feb  7 12:04:43 2008
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Thu, 7 Feb 2008 21:03:45 +0100
+Subject: NFS: Fix nfs_reval_fsid()
+Message-ID: <6101e8c40802071203n78a10d40ycb414e0b03ce2545@mail.gmail.com>
+Content-Disposition: inline
+
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+mainline: a0356862bcbeb20acf64bc1a82d28a4c5bb957a7
+
+We don't need to revalidate the fsid on the root directory. It suffices to
+revalidate it on the current directory.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Acked-by: Neil Brown <neilb@suse.de>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/dir.c   |    9 ++++-----
+ fs/nfs/inode.c |    4 ++--
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -897,14 +897,13 @@ int nfs_is_exclusive_create(struct inode
+       return (nd->intent.open.flags & O_EXCL) != 0;
+ }
+ 
+-static inline int nfs_reval_fsid(struct vfsmount *mnt, struct inode *dir,
+-                               struct nfs_fh *fh, struct nfs_fattr *fattr)
++static inline int nfs_reval_fsid(struct inode *dir, const struct nfs_fattr *fattr)
+ {
+       struct nfs_server *server = NFS_SERVER(dir);
+ 
+       if (!nfs_fsid_equal(&server->fsid, &fattr->fsid))
+-              /* Revalidate fsid on root dir */
+-              return __nfs_revalidate_inode(server, mnt->mnt_root->d_inode);
++              /* Revalidate fsid using the parent directory */
++              return __nfs_revalidate_inode(server, dir);
+       return 0;
+ }
+ 
+@@ -946,7 +945,7 @@ static struct dentry *nfs_lookup(struct 
+               res = ERR_PTR(error);
+               goto out_unlock;
+       }
+-      error = nfs_reval_fsid(nd->mnt, dir, &fhandle, &fattr);
++      error = nfs_reval_fsid(dir, &fattr);
+       if (error < 0) {
+               res = ERR_PTR(error);
+               goto out_unlock;
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -961,8 +961,8 @@ static int nfs_update_inode(struct inode
+               goto out_changed;
+ 
+       server = NFS_SERVER(inode);
+-      /* Update the fsid if and only if this is the root directory */
+-      if (inode == inode->i_sb->s_root->d_inode
++      /* Update the fsid? */
++      if (S_ISDIR(inode->i_mode)
+                       && !nfs_fsid_equal(&server->fsid, &fattr->fsid))
+               server->fsid = fattr->fsid;
+ 

diff --git a/queue-2.6.22/nfsv2-v3-fix-a-memory-leak-when-using-onolock.patch b/queue-2.6.22/nfsv2-v3-fix-a-memory-leak-when-using-onolock.patch
new file mode 100644 (file)
index 0000000..af79987
--- /dev/null
+++ b/queue-2.6.22/nfsv2-v3-fix-a-memory-leak-when-using-onolock.patch
@@ -0,0 +1,64 @@
+From stable-bounces@linux.kernel.org Thu Feb  7 12:04:53 2008
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Thu, 7 Feb 2008 21:03:52 +0100
+Subject: NFSv2/v3: Fix a memory leak when using -onolock
+Message-ID: <6101e8c40802071203o1b32c2c2md53859623228463@mail.gmail.com>
+Content-Disposition: inline
+
+
+aka: nfs-unmount-leak.patch
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+
+mainline: 5cef338b30c110daf547fb13d99f0c77f2a79fbc
+
+    Neil Brown said:
+    > Hi Trond,
+    >
+    > We found that a machine which made moderately heavy use of
+    > 'automount' was leaking some nfs data structures - particularly the
+    > 4K allocated by rpc_alloc_iostats.
+    > It turns out that this only happens with filesystems with -onolock
+    > set.
+
+    > The problem is that if NFS_MOUNT_NONLM is set, nfs_start_lockd doesn't
+    > set server->destroy, so when the filesystem is unmounted, the
+    > ->client_acl is not shutdown, and so several resources are still
+    > held.  Multiple mount/umount cycles will slowly eat away memory
+    > several pages at a time.
+
+    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+Acked-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Neil Brown <neilb@suse.de>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ fs/nfs/client.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -433,9 +433,6 @@ static int nfs_create_rpc_client(struct 
+  */
+ static void nfs_destroy_server(struct nfs_server *server)
+ {
+-      if (!IS_ERR(server->client_acl))
+-              rpc_shutdown_client(server->client_acl);
+-
+       if (!(server->flags & NFS_MOUNT_NONLM))
+               lockd_down();   /* release rpc.lockd */
+ }
+@@ -781,6 +778,9 @@ void nfs_free_server(struct nfs_server *
+ 
+       if (server->destroy != NULL)
+               server->destroy(server);
++
++      if (!IS_ERR(server->client_acl))
++              rpc_shutdown_client(server->client_acl);
+       if (!IS_ERR(server->client))
+               rpc_shutdown_client(server->client);
+ 

diff --git a/queue-2.6.22/pci-fix-fakephp-deadlock.patch b/queue-2.6.22/pci-fix-fakephp-deadlock.patch
index 6fe26fc1f7e0d124495c9809bd585686e0a8e0d9..010010b1690107f997fb716774cd307188d04f63 100644 (file)
--- a/queue-2.6.22/pci-fix-fakephp-deadlock.patch
+++ b/queue-2.6.22/pci-fix-fakephp-deadlock.patch
@@ -3,7 +3,6 @@ From: Ian Abbott <abbotti@mev.co.uk>
 Date: Mon, 04 Feb 2008 13:56:36 +0000
 Subject: PCI: Fix fakephp deadlock
 To: stable@kernel.org
-Cc: linux-pci@atrey.karlin.mff.cuni.cz, linux-kernel@vger.kernel.org
 Message-ID: <47A71994.3050409@mev.co.uk>
 
 From: Ian Abbott <abbotti@mev.co.uk>

diff --git a/queue-2.6.22/pci-fix-unterminated-pci_device_id-lists.patch b/queue-2.6.22/pci-fix-unterminated-pci_device_id-lists.patch
new file mode 100644 (file)
index 0000000..80bd595
--- /dev/null
+++ b/queue-2.6.22/pci-fix-unterminated-pci_device_id-lists.patch
@@ -0,0 +1,69 @@
+From stable-bounces@linux.kernel.org Thu Feb  7 12:04:22 2008
+From: Kees Cook <kees@ubuntu.com>
+Date: Thu, 7 Feb 2008 21:03:26 +0100
+Subject: pci: fix unterminated pci_device_id lists
+Message-ID: <6101e8c40802071203q71cf9401v6b84a589d69cf8dd@mail.gmail.com>
+Content-Disposition: inline
+
+From: Kees Cook <kees@ubuntu.com>
+
+mainline: 248bdd5efca5a113cbf443a993c69e53d370236b
+
+Fix a couple drivers that do not correctly terminate their pci_device_id
+lists.  This results in garbage being spewed into modules.pcimap when the
+module happens to not have 28 NULL bytes following the table, and/or the
+last PCI ID is actually truncated from the table when calculating the
+modules.alias PCI aliases, cause those unfortunate device IDs to not
+auto-load.
+
+Signed-off-by: Kees Cook <kees@ubuntu.com>
+Acked-by: Corey Minyard <minyard@acm.org>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Acked-by: Jeff Garzik <jeff@garzik.org>
+Cc: Greg KH <greg@kroah.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/ipmi/ipmi_si_intf.c                |    3 ++-
+ drivers/media/video/usbvision/usbvision-cards.c |    1 +
+ drivers/mtd/nand/cafe_nand.c                    |    3 ++-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_si_intf.c
++++ b/drivers/char/ipmi/ipmi_si_intf.c
+@@ -2214,7 +2214,8 @@ static int ipmi_pci_resume(struct pci_de
+ 
+ static struct pci_device_id ipmi_pci_devices[] = {
+       { PCI_DEVICE(PCI_HP_VENDOR_ID, PCI_MMC_DEVICE_ID) },
+-      { PCI_DEVICE_CLASS(PCI_ERMC_CLASSCODE, PCI_ERMC_CLASSCODE_MASK) }
++      { PCI_DEVICE_CLASS(PCI_ERMC_CLASSCODE, PCI_ERMC_CLASSCODE_MASK) },
++      { 0, }
+ };
+ MODULE_DEVICE_TABLE(pci, ipmi_pci_devices);
+ 
+--- a/drivers/media/video/usbvision/usbvision-cards.c
++++ b/drivers/media/video/usbvision/usbvision-cards.c
+@@ -1081,6 +1081,7 @@ struct usb_device_id usbvision_table [] 
+       { USB_DEVICE(0x2304, 0x0301), .driver_info=PINNA_LINX_VD_IN_CAB_PAL },
+       { USB_DEVICE(0x2304, 0x0419), .driver_info=PINNA_PCTV_BUNGEE_PAL_FM },
+       { USB_DEVICE(0x2400, 0x4200), .driver_info=HPG_WINTV },
++      { },    /* terminate list */
+ };
+ 
+ MODULE_DEVICE_TABLE (usb, usbvision_table);
+--- a/drivers/mtd/nand/cafe_nand.c
++++ b/drivers/mtd/nand/cafe_nand.c
+@@ -816,7 +816,8 @@ static void __devexit cafe_nand_remove(s
+ }
+ 
+ static struct pci_device_id cafe_nand_tbl[] = {
+-      { 0x11ab, 0x4100, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_MEMORY_FLASH << 8, 0xFFFF0 }
++      { 0x11ab, 0x4100, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_MEMORY_FLASH << 8, 0xFFFF0 },
++      { 0, }
+ };
+ 
+ MODULE_DEVICE_TABLE(pci, cafe_nand_tbl);

diff --git a/queue-2.6.22/series b/queue-2.6.22/series
index eb8fde41582f3d8f34ba1175000dd9e8d11d5827..b1617b76c05fa18fb1b86e4ff1fae73442c7ae72 100644 (file)
--- a/queue-2.6.22/series
+++ b/queue-2.6.22/series
@@ -1,5 +1,17 @@
+cciss-fix-memory-leak.patch
 sata_promise-fasttrack-tx4200-is-a-second-generation-chip.patch
 sata_promise-asic-prd-table-bug-workaround.patch
 pci-fix-fakephp-deadlock.patch
 quicklists-do-not-release-off-node-pages-early.patch
 nfs-fix-a-potential-file-corruption-issue-when-writing.patch
+cciss-panic-in-blk_rq_map_sg-from-cciss-driver.patch
+handle-bogus-cs-selector-in-single-step-instruction-decoding.patch
+i386-fixup-trace_irq-breakage.patch
+intel_agp-really-fix-945-965gme.patch
+pci-fix-unterminated-pci_device_id-lists.patch
+sony-laptop-call-sonypi_compat_init-earlier.patch
+via_velocity-don-t-oops-on-mtu-change.patch
+via-velocity-don-t-oops-on-mtu-change.patch
+knfsd-fix-spurious-einval-errors-on-first-access-of-new-filesystem.patch
+nfs-fix-nfs_reval_fsid.patch
+nfsv2-v3-fix-a-memory-leak-when-using-onolock.patch

diff --git a/queue-2.6.22/sony-laptop-call-sonypi_compat_init-earlier.patch b/queue-2.6.22/sony-laptop-call-sonypi_compat_init-earlier.patch
new file mode 100644 (file)
index 0000000..47bb1e9
--- /dev/null
+++ b/queue-2.6.22/sony-laptop-call-sonypi_compat_init-earlier.patch
@@ -0,0 +1,84 @@
+From stable-bounces@linux.kernel.org Thu Feb  7 12:04:11 2008
+From: Mattia Dongili <malattia@linux.it>
+Date: Thu, 7 Feb 2008 21:03:29 +0100
+Subject: sony-laptop: call sonypi_compat_init earlier
+Message-ID: <6101e8c40802071203w14fadb44m6732cc551d5613df@mail.gmail.com>
+Content-Disposition: inline
+
+From: Mattia Dongili <malattia@linux.it>
+
+mainline: 015a916fbbf105bb15f4bbfd80c3b9b2f2e0d7db
+
+sonypi_compat uses a kfifo that needs to be present before _SRS is
+called to be able to cope with the IRQs triggered when setting
+resources.
+
+Signed-off-by: Mattia Dongili <malattia@linux.it>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/misc/sony-laptop.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/misc/sony-laptop.c
++++ b/drivers/misc/sony-laptop.c
+@@ -2056,8 +2056,6 @@ static int sony_pic_remove(struct acpi_d
+       struct sony_pic_ioport *io, *tmp_io;
+       struct sony_pic_irq *irq, *tmp_irq;
+ 
+-      sonypi_compat_exit();
+-
+       if (sony_pic_disable(device)) {
+               printk(KERN_ERR DRV_PFX "Couldn't disable device.\n");
+               return -ENXIO;
+@@ -2067,6 +2065,8 @@ static int sony_pic_remove(struct acpi_d
+       release_region(spic_dev.cur_ioport->io.minimum,
+                       spic_dev.cur_ioport->io.address_length);
+ 
++      sonypi_compat_exit();
++
+       sony_laptop_remove_input();
+ 
+       /* pf attrs */
+@@ -2132,6 +2132,9 @@ static int sony_pic_add(struct acpi_devi
+               goto err_free_resources;
+       }
+ 
++      if (sonypi_compat_init())
++              goto err_remove_input;
++
+       /* request io port */
+       list_for_each_entry(io, &spic_dev.ioports, list) {
+               if (request_region(io->io.minimum, io->io.address_length,
+@@ -2146,7 +2149,7 @@ static int sony_pic_add(struct acpi_devi
+       if (!spic_dev.cur_ioport) {
+               printk(KERN_ERR DRV_PFX "Failed to request_region.\n");
+               result = -ENODEV;
+-              goto err_remove_input;
++              goto err_remove_compat;
+       }
+ 
+       /* request IRQ */
+@@ -2186,9 +2189,6 @@ static int sony_pic_add(struct acpi_devi
+       if (result)
+               goto err_remove_pf;
+ 
+-      if (sonypi_compat_init())
+-              goto err_remove_pf;
+-
+       return 0;
+ 
+ err_remove_pf:
+@@ -2204,6 +2204,9 @@ err_release_region:
+       release_region(spic_dev.cur_ioport->io.minimum,
+                       spic_dev.cur_ioport->io.address_length);
+ 
++err_remove_compat:
++      sonypi_compat_exit();
++
+ err_remove_input:
+       sony_laptop_remove_input();
+ 

diff --git a/queue-2.6.22/via-velocity-don-t-oops-on-mtu-change.patch b/queue-2.6.22/via-velocity-don-t-oops-on-mtu-change.patch
new file mode 100644 (file)
index 0000000..a356749
--- /dev/null
+++ b/queue-2.6.22/via-velocity-don-t-oops-on-mtu-change.patch
@@ -0,0 +1,61 @@
+From stable-bounces@linux.kernel.org Thu Feb  7 12:04:33 2008
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+Date: Thu, 7 Feb 2008 21:03:38 +0100
+Subject: via-velocity: don't oops on MTU change (resend)
+Message-ID: <6101e8c40802071203kee22a19rc24c0f8657160d46@mail.gmail.com>
+Content-Disposition: inline
+
+
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+
+mainline: 48f6b053613b62fed7a2fe3255e5568260a8d615
+
+The VIA veloicty driver needs the following to allow changing MTU when down.
+The buffer size needs to be computed when device is brought up, not when
+device is initialized.  This also fixes a bug where the buffer size was
+computed differently on change_mtu versus initial setting.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: Jeff Garzik <jeff@garzik.org>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/via-velocity.c |   11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/via-velocity.c
++++ b/drivers/net/via-velocity.c
+@@ -1075,6 +1075,9 @@ static int velocity_init_rd_ring(struct 
+       int ret = -ENOMEM;
+       unsigned int rsize = sizeof(struct velocity_rd_info) *
+                                       vptr->options.numrx;
++      int mtu = vptr->dev->mtu;
++
++      vptr->rx_buf_sz = (mtu <= ETH_DATA_LEN) ? PKT_BUF_SZ : mtu + 32;
+ 
+       vptr->rd_info = kmalloc(rsize, GFP_KERNEL);
+       if(vptr->rd_info == NULL)
+@@ -1733,8 +1736,6 @@ static int velocity_open(struct net_devi
+       struct velocity_info *vptr = netdev_priv(dev);
+       int ret;
+ 
+-      vptr->rx_buf_sz = (dev->mtu <= 1504 ? PKT_BUF_SZ : dev->mtu + 32);
+-
+       ret = velocity_init_rings(vptr);
+       if (ret < 0)
+               goto out;
+@@ -1813,12 +1814,6 @@ static int velocity_change_mtu(struct ne
+               velocity_free_rd_ring(vptr);
+ 
+               dev->mtu = new_mtu;
+-              if (new_mtu > 8192)
+-                      vptr->rx_buf_sz = 9 * 1024;
+-              else if (new_mtu > 4096)
+-                      vptr->rx_buf_sz = 8192;
+-              else
+-                      vptr->rx_buf_sz = 4 * 1024;
+ 
+               ret = velocity_init_rd_ring(vptr);
+               if (ret < 0)

diff --git a/queue-2.6.22/via_velocity-don-t-oops-on-mtu-change.patch b/queue-2.6.22/via_velocity-don-t-oops-on-mtu-change.patch
new file mode 100644 (file)
index 0000000..b720a0a
--- /dev/null
+++ b/queue-2.6.22/via_velocity-don-t-oops-on-mtu-change.patch
@@ -0,0 +1,38 @@
+From stable-bounces@linux.kernel.org Thu Feb  7 12:04:22 2008
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+Date: Thu, 7 Feb 2008 21:03:34 +0100
+Subject: VIA_VELOCITY: Don't oops on MTU change.
+Message-ID: <6101e8c40802071203o2877ffc0q9e8c4681fe130648@mail.gmail.com>
+Content-Disposition: inline
+
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+
+mainline: bd7b3f34198071d8bec05180530c362f1800ba46
+
+Simple mtu change when device is down.
+Fix http://bugzilla.kernel.org/show_bug.cgi?id=9382.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/via-velocity.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/via-velocity.c
++++ b/drivers/net/via-velocity.c
+@@ -1798,6 +1798,11 @@ static int velocity_change_mtu(struct ne
+               return -EINVAL;
+       }
+ 
++      if (!netif_running(dev)) {
++              dev->mtu = new_mtu;
++              return 0;
++      }
++
+       if (new_mtu != oldmtu) {
+               spin_lock_irqsave(&vptr->lock, flags);
+