--- /dev/null
+From 26e2b0a9f7064ac9e6169a61c60e18e12a5dd0f6 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 25 Apr 2008 01:41:47 -0700
+Subject: IPSEC: Fix catch-22 with algorithm IDs above 31
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit: c5d18e984a313adf5a1a4ae69e0b1d93cf410229 ]
+
+As it stands it's impossible to use any authentication algorithms
+with an ID above 31 portably. It just happens to work on x86 but
+fails miserably on ppc64.
+
+The reason is that we're using a bit mask to check the algorithm
+ID but the mask is only 32 bits wide.
+
+After looking at how this is used in the field, I have concluded
+that in the long term we should phase out state matching by IDs
+because this is made superfluous by the reqid feature. For current
+applications, the best solution IMHO is to allow all algorithms when
+the bit masks are all ~0.
+
+The following patch does exactly that.
+
+This bug was identified by IBM when testing on the ppc64 platform
+using the NULL authentication algorithm which has an ID of 251.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/xfrm.h | 3 +++
+ net/key/af_key.c | 2 +-
+ net/xfrm/xfrm_policy.c | 2 +-
+ net/xfrm/xfrm_user.c | 2 ++
+ 4 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -435,6 +435,9 @@ struct xfrm_tmpl
+ /* May skip this transfomration if no SA is found */
+ __u8 optional;
+
++/* Skip aalgos/ealgos/calgos checks. */
++ __u8 allalgs;
++
+ /* Bit mask of algos allowed for acquisition */
+ __u32 aalgos;
+ __u32 ealgos;
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1856,7 +1856,7 @@ parse_ipsecrequest(struct xfrm_policy *x
+ t->encap_family = xp->family;
+
+ /* No way to set this via kame pfkey */
+- t->aalgos = t->ealgos = t->calgos = ~0;
++ t->allalgs = 1;
+ xp->xfrm_nr++;
+ return 0;
+ }
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1772,7 +1772,7 @@ xfrm_state_ok(struct xfrm_tmpl *tmpl, st
+ (x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
+ (x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
+ x->props.mode == tmpl->mode &&
+- ((tmpl->aalgos & (1<<x->props.aalgo)) ||
++ (tmpl->allalgs || (tmpl->aalgos & (1<<x->props.aalgo)) ||
+ !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
+ !(x->props.mode != XFRM_MODE_TRANSPORT &&
+ xfrm_state_addr_cmp(tmpl, x, family));
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -975,6 +975,8 @@ static void copy_templates(struct xfrm_p
+ t->aalgos = ut->aalgos;
+ t->ealgos = ut->ealgos;
+ t->calgos = ut->calgos;
++ /* If all masks are ~0, then we allow all algorithms. */
++ t->allalgs = !~(t->aalgos & t->ealgos & t->calgos);
+ t->encap_family = ut->family;
+ }
+ }
--- /dev/null
+From 35f1735890991fb3e3e7095ffb2997c7661f4cde Mon Sep 17 00:00:00 2001
+From: Pavel Emelyanov <xemul@openvz.org>
+Date: Fri, 25 Apr 2008 01:49:48 -0700
+Subject: net: Fix wrong interpretation of some copy_to_user() results.
+
+From: Pavel Emelyanov <xemul@openvz.org>
+
+[ Upstream commit: 653252c2302cdf2dfbca66a7e177f7db783f9efa ]
+
+I found some places, that erroneously return the value obtained from
+the copy_to_user() call: if some amount of bytes were not able to get
+to the user (this is what this one returns) the proper behavior is to
+return the -EFAULT error, not that number itself.
+
+Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/can/raw.c | 3 ++-
+ net/dccp/probe.c | 2 +-
+ net/tipc/socket.c | 4 ++--
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -573,7 +573,8 @@ static int raw_getsockopt(struct socket
+ int fsize = ro->count * sizeof(struct can_filter);
+ if (len > fsize)
+ len = fsize;
+- err = copy_to_user(optval, ro->filter, len);
++ if (copy_to_user(optval, ro->filter, len))
++ err = -EFAULT;
+ } else
+ len = 0;
+ release_sock(sk);
+--- a/net/dccp/probe.c
++++ b/net/dccp/probe.c
+@@ -145,7 +145,7 @@ static ssize_t dccpprobe_read(struct fil
+ goto out_free;
+
+ cnt = kfifo_get(dccpw.fifo, tbuf, len);
+- error = copy_to_user(buf, tbuf, cnt);
++ error = copy_to_user(buf, tbuf, cnt) ? -EFAULT : 0;
+
+ out_free:
+ vfree(tbuf);
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -1600,8 +1600,8 @@ static int getsockopt(struct socket *soc
+ else if (len < sizeof(value)) {
+ res = -EINVAL;
+ }
+- else if ((res = copy_to_user(ov, &value, sizeof(value)))) {
+- /* couldn't return value */
++ else if (copy_to_user(ov, &value, sizeof(value))) {
++ res = -EFAULT;
+ }
+ else {
+ res = put_user(sizeof(value), ol);
--- /dev/null
+From 365bb0226bc0ef101936eb080acc484f87052fa9 Mon Sep 17 00:00:00 2001
+From: Bernard Pidoux <f6bvp@amsat.org>
+Date: Fri, 25 Apr 2008 01:42:36 -0700
+Subject: rose: Socket lock was not released before returning to user space
+
+From: Bernard Pidoux <f6bvp@amsat.org>
+
+[ Upstream commit: 43837b1e6c5aef803d57009a68db18df13e64892 ]
+
+================================================
+[ BUG: lock held when returning to user space! ]
+------------------------------------------------
+xfbbd/3683 is leaving the kernel with locks still held!
+1 lock held by xfbbd/3683:
+ #0: (sk_lock-AF_ROSE){--..}, at: [<c8cd1eb3>] rose_connect+0x73/0x420 [rose]
+
+INFO: task xfbbd:3683 blocked for more than 120 seconds.
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+xfbbd D 00000246 0 3683 3669
+ c6965ee0 00000092 c02c5c40 00000246 c0f6b5f0 c0f6b5c0 c0f6b5f0 c0f6b5c0
+ c0f6b614 c6965f18 c024b74b ffffffff c06ba070 00000000 00000000 00000001
+ c6ab07c0 c012d450 c0f6b634 c0f6b634 c7b5bf10 c0d6004c c7b5bf10 c6965f40
+Call Trace:
+ [<c024b74b>] lock_sock_nested+0x6b/0xd0
+ [<c012d450>] ? autoremove_wake_function+0x0/0x40
+ [<c02488f1>] sock_fasync+0x41/0x150
+ [<c0249e69>] sock_close+0x19/0x40
+ [<c0175d54>] __fput+0xb4/0x170
+ [<c0176018>] fput+0x18/0x20
+ [<c017300e>] filp_close+0x3e/0x70
+ [<c01744e9>] sys_close+0x69/0xb0
+ [<c0103bda>] sysenter_past_esp+0x5f/0xa5
+ =======================
+INFO: lockdep is turned off.
+
+Signed-off-by: Bernard Pidoux <f6bvp@amsat.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/rose/af_rose.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -760,8 +760,10 @@ static int rose_connect(struct socket *s
+
+ rose->neighbour = rose_get_neigh(&addr->srose_addr, &cause,
+ &diagnostic);
+- if (!rose->neighbour)
+- return -ENETUNREACH;
++ if (!rose->neighbour) {
++ err = -ENETUNREACH;
++ goto out_release;
++ }
+
+ rose->lci = rose_new_lci(rose->neighbour);
+ if (!rose->lci) {
--- /dev/null
+From 23d71a9adb296b870970da1fd3fc1c5d4efee36e Mon Sep 17 00:00:00 2001
+From: Patrick McHardy <kaber@trash.net>
+Date: Wed, 23 Apr 2008 22:10:48 -0700
+Subject: RTNETLINK: Fix bogus ASSERT_RTNL warning
+
+From: Patrick McHardy <kaber@trash.net>
+
+[ Upstream commit: c9c1014b2bd014c7ec037bbb6f58818162fdb265 ]
+
+ASSERT_RTNL uses mutex_trylock to test whether the rtnl_mutex is
+held. This bogus warnings when running in atomic context, which
+f.e. happens when adding secondary unicast addresses through
+macvlan or vlan or when synchronizing multicast addresses from
+wireless devices.
+
+Mid-term we might want to consider moving all address updates
+to process context since the locking seems overly complicated,
+for now just fix the bogus warning by changing ASSERT_RTNL to
+use mutex_is_locked().
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/rtnetlink.h | 4 ++--
+ net/core/rtnetlink.c | 6 ++++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/include/linux/rtnetlink.h
++++ b/include/linux/rtnetlink.h
+@@ -740,13 +740,13 @@ extern void rtmsg_ifinfo(int type, struc
+ extern void rtnl_lock(void);
+ extern void rtnl_unlock(void);
+ extern int rtnl_trylock(void);
++extern int rtnl_is_locked(void);
+
+ extern void rtnetlink_init(void);
+ extern void __rtnl_unlock(void);
+
+ #define ASSERT_RTNL() do { \
+- if (unlikely(rtnl_trylock())) { \
+- rtnl_unlock(); \
++ if (unlikely(!rtnl_is_locked())) { \
+ printk(KERN_ERR "RTNL: assertion failed at %s (%d)\n", \
+ __FILE__, __LINE__); \
+ dump_stack(); \
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -82,6 +82,11 @@ int rtnl_trylock(void)
+ return mutex_trylock(&rtnl_mutex);
+ }
+
++int rtnl_is_locked(void)
++{
++ return mutex_is_locked(&rtnl_mutex);
++}
++
+ static struct rtnl_link *rtnl_msg_handlers[NPROTO];
+
+ static inline int rtm_msgindex(int msgtype)
+@@ -1389,6 +1394,7 @@ EXPORT_SYMBOL(rtnetlink_put_metrics);
+ EXPORT_SYMBOL(rtnl_lock);
+ EXPORT_SYMBOL(rtnl_trylock);
+ EXPORT_SYMBOL(rtnl_unlock);
++EXPORT_SYMBOL(rtnl_is_locked);
+ EXPORT_SYMBOL(rtnl_unicast);
+ EXPORT_SYMBOL(rtnl_notify);
+ EXPORT_SYMBOL(rtnl_set_sk_err);
jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch
+tg3-5701-dma-corruption-fix.patch
+tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch
+tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch
+rtnetlink-fix-bogus-assert_rtnl-warning.patch
+rose-socket-lock-was-not-released-before-returning-to-user-space.patch
+net-fix-wrong-interpretation-of-some-copy_to_user-results.patch
+ipsec-fix-catch-22-with-algorithm-ids-above-31.patch
--- /dev/null
+From 3c0390e1a6d8a5d0cdae57959f0be37a236b474d Mon Sep 17 00:00:00 2001
+From: John Heffner <jheffner@napa.none>
+Date: Fri, 25 Apr 2008 01:43:57 -0700
+Subject: TCP: Increase the max_burst threshold from 3 to tp->reordering.
+
+From: John Heffner <jheffner@napa.none>
+
+[ Upstream commit: dd9e0dda66ba38a2ddd1405ac279894260dc5c36 ]
+
+This change is necessary to allow cwnd to grow during persistent
+reordering. Cwnd moderation is applied when in the disorder state
+and an ack that fills the hole comes in. If the hole was greater
+than 3 packets, but less than tp->reordering, cwnd will shrink when
+it should not have.
+
+Signed-off-by: John Heffner <jheffner@napa.none>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/tcp.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -776,11 +776,14 @@ extern void tcp_enter_cwr(struct sock *s
+ extern __u32 tcp_init_cwnd(struct tcp_sock *tp, struct dst_entry *dst);
+
+ /* Slow start with delack produces 3 packets of burst, so that
+- * it is safe "de facto".
++ * it is safe "de facto". This will be the default - same as
++ * the default reordering threshold - but if reordering increases,
++ * we must be able to allow cwnd to burst at least this much in order
++ * to not pull it back when holes are filled.
+ */
+ static __inline__ __u32 tcp_max_burst(const struct tcp_sock *tp)
+ {
+- return 3;
++ return tp->reordering;
+ }
+
+ /* Returns end sequence number of the receiver's advertised window */
--- /dev/null
+From dd66bf65f96a02b454929181360bee13ffebee52 Mon Sep 17 00:00:00 2001
+From: Tom Quetchenbach <virtualphtn@gmail.com>
+Date: Fri, 25 Apr 2008 01:45:32 -0700
+Subject: tcp: tcp_probe buffer overflow and incorrect return value
+
+From: Tom Quetchenbach <virtualphtn@gmail.com>
+
+[ Upstream commit: 8d390efd903485923419584275fd0c2aa4c94183 ]
+
+tcp_probe has a bounds-checking bug that causes many programs (less,
+python) to crash reading /proc/net/tcp_probe. When it outputs a log
+line to the reader, it only checks if that line alone will fit in the
+reader's buffer, rather than that line and all the previous lines it
+has already written.
+
+tcpprobe_read also returns the wrong value if copy_to_user fails--it
+just passes on the return value of copy_to_user (number of bytes not
+copied), which makes a failure look like a success.
+
+This patch fixes the buffer overflow and sets the return value to
+-EFAULT if copy_to_user fails.
+
+Patch is against latest net-2.6; tested briefly and seems to fix the
+crashes in less and python.
+
+Signed-off-by: Tom Quetchenbach <virtualphtn@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp_probe.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/tcp_probe.c
++++ b/net/ipv4/tcp_probe.c
+@@ -190,19 +190,18 @@ static ssize_t tcpprobe_read(struct file
+
+ width = tcpprobe_sprint(tbuf, sizeof(tbuf));
+
+- if (width < len)
++ if (cnt + width < len)
+ tcp_probe.tail = (tcp_probe.tail + 1) % bufsize;
+
+ spin_unlock_bh(&tcp_probe.lock);
+
+ /* if record greater than space available
+ return partial buffer (so far) */
+- if (width >= len)
++ if (cnt + width >= len)
+ break;
+
+- error = copy_to_user(buf + cnt, tbuf, width);
+- if (error)
+- break;
++ if (copy_to_user(buf + cnt, tbuf, width))
++ return -EFAULT;
+ cnt += width;
+ }
+
--- /dev/null
+From 4bace198c4354bdd6e5e74fd0ad288d7930a943d Mon Sep 17 00:00:00 2001
+From: Matt Carlson <mcarlson@broadcom.com>
+Date: Fri, 25 Apr 2008 01:46:46 -0700
+Subject: tg3: 5701 DMA corruption fix
+
+From: Matt Carlson <mcarlson@broadcom.com>
+
+[ Upstream commit: 41588ba1ae166eaba0a70abf2d7ff064ad9331d3 ]
+
+Herbert Xu's commit fb93134dfc2a6e6fbedc7c270a31da03fce88db9, entitled
+"[TCP]: Fix size calculation in sk_stream_alloc_pskb", has triggered a
+bug in the 5701 where the 5701 DMA engine will corrupt outgoing
+packets. This problem only happens when the starting address of the
+packet matches a certain range of offsets and only when the 5701 is
+placed downstream of a particular Intel bridge.
+
+This patch detects the problematic bridge and if present, readjusts the
+starting address of the packet data to a dword aligned boundary.
+
+Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
+Signed-off-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/tg3.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++----
+ drivers/net/tg3.h | 1 +
+ 2 files changed, 49 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/tg3.c
++++ b/drivers/net/tg3.c
+@@ -64,8 +64,8 @@
+
+ #define DRV_MODULE_NAME "tg3"
+ #define PFX DRV_MODULE_NAME ": "
+-#define DRV_MODULE_VERSION "3.90"
+-#define DRV_MODULE_RELDATE "April 12, 2008"
++#define DRV_MODULE_VERSION "3.91"
++#define DRV_MODULE_RELDATE "April 18, 2008"
+
+ #define TG3_DEF_MAC_MODE 0
+ #define TG3_DEF_RX_MODE 0
+@@ -4135,11 +4135,21 @@ static int tigon3_dma_hwbug_workaround(s
+ u32 last_plus_one, u32 *start,
+ u32 base_flags, u32 mss)
+ {
+- struct sk_buff *new_skb = skb_copy(skb, GFP_ATOMIC);
++ struct sk_buff *new_skb;
+ dma_addr_t new_addr = 0;
+ u32 entry = *start;
+ int i, ret = 0;
+
++ if (GET_ASIC_REV(tp->pci_chip_rev_id) != ASIC_REV_5701)
++ new_skb = skb_copy(skb, GFP_ATOMIC);
++ else {
++ int more_headroom = 4 - ((unsigned long)skb->data & 3);
++
++ new_skb = skb_copy_expand(skb,
++ skb_headroom(skb) + more_headroom,
++ skb_tailroom(skb), GFP_ATOMIC);
++ }
++
+ if (!new_skb) {
+ ret = -1;
+ } else {
+@@ -4462,7 +4472,9 @@ static int tg3_start_xmit_dma_bug(struct
+
+ would_hit_hwbug = 0;
+
+- if (tg3_4g_overflow_test(mapping, len))
++ if (tp->tg3_flags3 & TG3_FLG3_5701_DMA_BUG)
++ would_hit_hwbug = 1;
++ else if (tg3_4g_overflow_test(mapping, len))
+ would_hit_hwbug = 1;
+
+ tg3_set_txd(tp, entry, mapping, len, base_flags,
+@@ -11339,6 +11351,38 @@ static int __devinit tg3_get_invariants(
+ }
+ }
+
++ if ((GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5701)) {
++ static struct tg3_dev_id {
++ u32 vendor;
++ u32 device;
++ } bridge_chipsets[] = {
++ { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PXH_0 },
++ { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PXH_1 },
++ { },
++ };
++ struct tg3_dev_id *pci_id = &bridge_chipsets[0];
++ struct pci_dev *bridge = NULL;
++
++ while (pci_id->vendor != 0) {
++ bridge = pci_get_device(pci_id->vendor,
++ pci_id->device,
++ bridge);
++ if (!bridge) {
++ pci_id++;
++ continue;
++ }
++ if (bridge->subordinate &&
++ (bridge->subordinate->number <=
++ tp->pdev->bus->number) &&
++ (bridge->subordinate->subordinate >=
++ tp->pdev->bus->number)) {
++ tp->tg3_flags3 |= TG3_FLG3_5701_DMA_BUG;
++ pci_dev_put(bridge);
++ break;
++ }
++ }
++ }
++
+ /* The EPB bridge inside 5714, 5715, and 5780 cannot support
+ * DMA addresses > 40-bit. This bridge may have other additional
+ * 57xx devices behind it in some 4-port NIC designs for example.
+--- a/drivers/net/tg3.h
++++ b/drivers/net/tg3.h
+@@ -2476,6 +2476,7 @@ struct tg3 {
+ #define TG3_FLG3_NO_NVRAM_ADDR_TRANS 0x00000001
+ #define TG3_FLG3_ENABLE_APE 0x00000002
+ #define TG3_FLG3_5761_5784_AX_FIXES 0x00000004
++#define TG3_FLG3_5701_DMA_BUG 0x00000008
+
+ struct timer_list timer;
+ u16 timer_counter;
projects / thirdparty / kernel / stable-queue.git / commitdiff
