From: Greg Kroah-Hartman Date: Thu, 13 Dec 2007 06:36:25 +0000 (-0800) Subject: start 2.6.22.15 review cycle X-Git-Tag: v2.6.23.10~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=43c73a99f20e44bba3fc8d6c96c622430fd515ea;p=thirdparty%2Fkernel%2Fstable-queue.git start 2.6.22.15 review cycle --- diff --git a/queue-2.6.22/atl1-disable-broken-64-bit-dma.patch b/review-2.6.22/atl1-disable-broken-64-bit-dma.patch similarity index 100% rename from queue-2.6.22/atl1-disable-broken-64-bit-dma.patch rename to review-2.6.22/atl1-disable-broken-64-bit-dma.patch diff --git a/queue-2.6.22/atm-initialize-lock-and-tasklet-earlier.patch b/review-2.6.22/atm-initialize-lock-and-tasklet-earlier.patch similarity index 100% rename from queue-2.6.22/atm-initialize-lock-and-tasklet-earlier.patch rename to review-2.6.22/atm-initialize-lock-and-tasklet-earlier.patch diff --git a/queue-2.6.22/bridge-lost-call-to-br_fdb_fini-in-br_init-error-path.patch b/review-2.6.22/bridge-lost-call-to-br_fdb_fini-in-br_init-error-path.patch similarity index 100% rename from queue-2.6.22/bridge-lost-call-to-br_fdb_fini-in-br_init-error-path.patch rename to review-2.6.22/bridge-lost-call-to-br_fdb_fini-in-br_init-error-path.patch diff --git a/queue-2.6.22/bridge-properly-dereference-the-br_should_route_hook.patch b/review-2.6.22/bridge-properly-dereference-the-br_should_route_hook.patch similarity index 100% rename from queue-2.6.22/bridge-properly-dereference-the-br_should_route_hook.patch rename to review-2.6.22/bridge-properly-dereference-the-br_should_route_hook.patch diff --git a/queue-2.6.22/crypto-api-fix-potential-race-in-crypto_remove_spawn.patch b/review-2.6.22/crypto-api-fix-potential-race-in-crypto_remove_spawn.patch similarity index 100% rename from queue-2.6.22/crypto-api-fix-potential-race-in-crypto_remove_spawn.patch rename to review-2.6.22/crypto-api-fix-potential-race-in-crypto_remove_spawn.patch diff --git a/queue-2.6.22/decnet-dn_nl_deladdr-almost-always-returns-no-error.patch b/review-2.6.22/decnet-dn_nl_deladdr-almost-always-returns-no-error.patch similarity index 100% rename from queue-2.6.22/decnet-dn_nl_deladdr-almost-always-returns-no-error.patch rename to review-2.6.22/decnet-dn_nl_deladdr-almost-always-returns-no-error.patch diff --git a/queue-2.6.22/fb_ddc-fix-ddc-lines-quirk.patch b/review-2.6.22/fb_ddc-fix-ddc-lines-quirk.patch similarity index 100% rename from queue-2.6.22/fb_ddc-fix-ddc-lines-quirk.patch rename to review-2.6.22/fb_ddc-fix-ddc-lines-quirk.patch diff --git a/queue-2.6.22/forcedeth-boot-delay-fix.patch b/review-2.6.22/forcedeth-boot-delay-fix.patch similarity index 100% rename from queue-2.6.22/forcedeth-boot-delay-fix.patch rename to review-2.6.22/forcedeth-boot-delay-fix.patch diff --git a/queue-2.6.22/forcedeth-new-mcp79-pci-ids.patch b/review-2.6.22/forcedeth-new-mcp79-pci-ids.patch similarity index 100% rename from queue-2.6.22/forcedeth-new-mcp79-pci-ids.patch rename to review-2.6.22/forcedeth-new-mcp79-pci-ids.patch diff --git a/queue-2.6.22/futex-fix-for-futex_wait-signal-stack-corruption.patch b/review-2.6.22/futex-fix-for-futex_wait-signal-stack-corruption.patch similarity index 100% rename from queue-2.6.22/futex-fix-for-futex_wait-signal-stack-corruption.patch rename to review-2.6.22/futex-fix-for-futex_wait-signal-stack-corruption.patch diff --git a/queue-2.6.22/hrtimers-avoid-overflow-for-large-relative-timeouts.patch b/review-2.6.22/hrtimers-avoid-overflow-for-large-relative-timeouts.patch similarity index 100% rename from queue-2.6.22/hrtimers-avoid-overflow-for-large-relative-timeouts.patch rename to review-2.6.22/hrtimers-avoid-overflow-for-large-relative-timeouts.patch diff --git a/queue-2.6.22/i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch b/review-2.6.22/i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch similarity index 100% rename from queue-2.6.22/i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch rename to review-2.6.22/i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch diff --git a/queue-2.6.22/ipv4-remove-bogus-ifdef-mess-in-arp_process.patch b/review-2.6.22/ipv4-remove-bogus-ifdef-mess-in-arp_process.patch similarity index 100% rename from queue-2.6.22/ipv4-remove-bogus-ifdef-mess-in-arp_process.patch rename to review-2.6.22/ipv4-remove-bogus-ifdef-mess-in-arp_process.patch diff --git a/queue-2.6.22/ipv6-restore-ipv6-when-mtu-is-big-enough.patch b/review-2.6.22/ipv6-restore-ipv6-when-mtu-is-big-enough.patch similarity index 100% rename from queue-2.6.22/ipv6-restore-ipv6-when-mtu-is-big-enough.patch rename to review-2.6.22/ipv6-restore-ipv6-when-mtu-is-big-enough.patch diff --git a/queue-2.6.22/isdn-avoid-copying-overly-long-strings.patch b/review-2.6.22/isdn-avoid-copying-overly-long-strings.patch similarity index 100% rename from queue-2.6.22/isdn-avoid-copying-overly-long-strings.patch rename to review-2.6.22/isdn-avoid-copying-overly-long-strings.patch diff --git a/queue-2.6.22/knfsd-validate-filehandle-type-in-fsid_source.patch b/review-2.6.22/knfsd-validate-filehandle-type-in-fsid_source.patch similarity index 100% rename from queue-2.6.22/knfsd-validate-filehandle-type-in-fsid_source.patch rename to review-2.6.22/knfsd-validate-filehandle-type-in-fsid_source.patch diff --git a/queue-2.6.22/libata-kill-spurious-ncq-completion-detection.patch b/review-2.6.22/libata-kill-spurious-ncq-completion-detection.patch similarity index 100% rename from queue-2.6.22/libata-kill-spurious-ncq-completion-detection.patch rename to review-2.6.22/libata-kill-spurious-ncq-completion-detection.patch diff --git a/queue-2.6.22/libcrc32c-keep-intermediate-crc-state-in-cpu-order.patch b/review-2.6.22/libcrc32c-keep-intermediate-crc-state-in-cpu-order.patch similarity index 100% rename from queue-2.6.22/libcrc32c-keep-intermediate-crc-state-in-cpu-order.patch rename to review-2.6.22/libcrc32c-keep-intermediate-crc-state-in-cpu-order.patch diff --git a/review-2.6.22/mbox b/review-2.6.22/mbox new file mode 100644 index 00000000000..e9cbe7aec89 --- /dev/null +++ b/review-2.6.22/mbox @@ -0,0 +1,3387 @@ +From gregkh@mini.kroah.org Wed Dec 12 22:28:35 2007 +Message-Id: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:11 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk +Subject: [patch 00/36] 2.6.22-stable review +Content-Length: 715 +Lines: 17 + +This is the start of the stable review cycle for the 2.6.22.15 release. +There are 36 patches in this series, all will be posted as a response to +this one. If anyone has any issues with these being applied, please let +us know. If anyone is a maintainer of the proper subsystem, and wants +to add a Signed-off-by: line to the patch, please respond with it. + +These patches are sent out with a number of different people on the Cc: +line. If you wish to be a reviewer, please email stable@kernel.org to +add your name to the list. If you want to be off the reviewer list, +also email us. + +Responses should be made by Friday, Dec 14 20:00:00 UTC. Anything +received after that time might be too late. + +thanks, + +greg k-h + +From gregkh@mini.kroah.org Wed Dec 12 22:28:35 2007 +Message-Id: <20071213062835.422342274@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:12 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + greg@kroah.com, + chrisw@sous-sol.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + csnook@redhat.com, + kronos.it@gmail.com, + Jay Cliburn , + Jeff Garzik +Subject: [patch 01/36] atl1: disable broken 64-bit DMA +Content-Disposition: inline; filename=atl1-disable-broken-64-bit-dma.patch +Content-Length: 2706 +Lines: 86 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Luca Tettamanti + +atl1: disable broken 64-bit DMA + +[ Upstream commit: 5f08e46b621a769e52a9545a23ab1d5fb2aec1d4 ] + +The L1 network chip can DMA to 64-bit addresses, but multiple descriptor +rings share a single register for the high 32 bits of their address, so +only a single, aligned, 4 GB physical address range can be used at a time. +As a result, we need to confine the driver to a 32-bit DMA mask, otherwise +we see occasional data corruption errors in systems containing 4 or more +gigabytes of RAM. + +Signed-off-by: Luca Tettamanti +Signed-off-by: Jay Cliburn +Acked-by: Chris Snook +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/net/atl1/atl1_main.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +--- a/drivers/net/atl1/atl1_main.c ++++ b/drivers/net/atl1/atl1_main.c +@@ -2097,21 +2097,26 @@ static int __devinit atl1_probe(struct p + struct net_device *netdev; + struct atl1_adapter *adapter; + static int cards_found = 0; +- bool pci_using_64 = true; + int err; + + err = pci_enable_device(pdev); + if (err) + return err; + +- err = pci_set_dma_mask(pdev, DMA_64BIT_MASK); ++ /* ++ * The atl1 chip can DMA to 64-bit addresses, but it uses a single ++ * shared register for the high 32 bits, so only a single, aligned, ++ * 4 GB physical address range can be used at a time. ++ * ++ * Supporting 64-bit DMA on this hardware is more trouble than it's ++ * worth. It is far easier to limit to 32-bit DMA than update ++ * various kernel subsystems to support the mechanics required by a ++ * fixed-high-32-bit system. ++ */ ++ err = pci_set_dma_mask(pdev, DMA_32BIT_MASK); + if (err) { +- err = pci_set_dma_mask(pdev, DMA_32BIT_MASK); +- if (err) { +- dev_err(&pdev->dev, "no usable DMA configuration\n"); +- goto err_dma; +- } +- pci_using_64 = false; ++ dev_err(&pdev->dev, "no usable DMA configuration\n"); ++ goto err_dma; + } + /* Mark all PCI regions associated with PCI device + * pdev as being reserved by owner atl1_driver_name +@@ -2176,7 +2181,6 @@ static int __devinit atl1_probe(struct p + + netdev->ethtool_ops = &atl1_ethtool_ops; + adapter->bd_number = cards_found; +- adapter->pci_using_64 = pci_using_64; + + /* setup the private structure */ + err = atl1_sw_init(adapter); +@@ -2193,9 +2197,6 @@ static int __devinit atl1_probe(struct p + */ + /* netdev->features |= NETIF_F_TSO; */ + +- if (pci_using_64) +- netdev->features |= NETIF_F_HIGHDMA; +- + netdev->features |= NETIF_F_LLTX; + + /* + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:35 2007 +Message-Id: <20071213062835.578344453@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:13 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Christian Borntraeger , + Jan Kara , + Nick Piggin , + "Eric W. Biederman" +Subject: [patch 02/36] rd: fix data corruption on memory pressure Future of Linux 2.6.22.y series +Content-Disposition: inline; filename=rd-fix-data-corruption-on-memory-pressure.patch +Content-Length: 2552 +Lines: 70 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Christian Borntraeger + +commit 5d0360ee96a5ef953dbea45873c2a8c87e77d59b upstream. + +We have seen ramdisk based install systems, where some pages of mapped +libraries and programs were suddendly zeroed under memory pressure. This +should not happen, as the ramdisk avoids freeing its pages by keeping +them dirty all the time. + +It turns out that there is a case, where the VM makes a ramdisk page +clean, without telling the ramdisk driver. On memory pressure +shrink_zone runs and it starts to run shrink_active_list. There is a +check for buffer_heads_over_limit, and if true, pagevec_strip is called. +pagevec_strip calls try_to_release_page. If the mapping has no +releasepage callback, try_to_free_buffers is called. try_to_free_buffers +has now a special logic for some file systems to make a dirty page +clean, if all buffers are clean. Thats what happened in our test case. + +The simplest solution is to provide a noop-releasepage callback for the +ramdisk driver. This avoids try_to_free_buffers for ramdisk pages. + +Signed-off-by: Christian Borntraeger +Signed-off-by: Jan Kara +Acked-by: Nick Piggin +Cc: "Eric W. Biederman" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/block/rd.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/block/rd.c ++++ b/drivers/block/rd.c +@@ -189,6 +189,18 @@ static int ramdisk_set_page_dirty(struct + return 0; + } + ++/* ++ * releasepage is called by pagevec_strip/try_to_release_page if ++ * buffers_heads_over_limit is true. Without a releasepage function ++ * try_to_free_buffers is called instead. That can unset the dirty ++ * bit of our ram disk pages, which will be eventually freed, even ++ * if the page is still in use. ++ */ ++static int ramdisk_releasepage(struct page *page, gfp_t dummy) ++{ ++ return 0; ++} ++ + static const struct address_space_operations ramdisk_aops = { + .readpage = ramdisk_readpage, + .prepare_write = ramdisk_prepare_write, +@@ -196,6 +208,7 @@ static const struct address_space_operat + .writepage = ramdisk_writepage, + .set_page_dirty = ramdisk_set_page_dirty, + .writepages = ramdisk_writepages, ++ .releasepage = ramdisk_releasepage, + }; + + static int rd_blkdev_pagecache_IO(int rw, struct bio_vec *vec, sector_t sector, + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:35 2007 +Message-Id: <20071213062835.735409189@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:14 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + oleg@tv-sign.ru, + roland@redhat.com, + scott@ubuntu.com +Subject: [patch 03/36] wait_task_stopped(): pass correct exit_code to wait_noreap_copyout() +Content-Disposition: inline; filename=wait_task_stopped-pass-correct-exit_code-to-wait_noreap_copyout.patch +Content-Length: 1464 +Lines: 46 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Scott James Remnant + +patch e6ceb32aa25fc33f21af84cc7a32fe289b3e860c in mainline. + +In wait_task_stopped() exit_code already contains the right value for the +si_status member of siginfo, and this is simply set in the non WNOWAIT +case. + +If you call waitid() with a stopped or traced process, you'll get the signal +in siginfo.si_status as expected -- however if you call waitid(WNOWAIT) at the +same time, you'll get the signal << 8 | 0x7f + +Pass it unchanged to wait_noreap_copyout(); we would only need to shift it +and add 0x7f if we were returning it in the user status field and that +isn't used for any function that permits WNOWAIT. + +Signed-off-by: Scott James Remnant +Signed-off-by: Oleg Nesterov +Cc: Roland McGrath +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/exit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -1339,7 +1339,7 @@ static int wait_task_stopped(struct task + if (unlikely(!exit_code) || unlikely(p->exit_state)) + goto bail_ref; + return wait_noreap_copyout(p, pid, uid, +- why, (exit_code << 8) | 0x7f, ++ why, exit_code, + infop, ru); + } + + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:36 2007 +Message-Id: <20071213062835.897732365@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:15 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + linux-usb@vger.kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Oliver Neukum +Subject: [patch 04/36] USB: make the microtek driver and HAL cooperate +Content-Disposition: inline; filename=usb-make-the-microtek-driver-and-hal-cooperate.patch +Content-Length: 833 +Lines: 33 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Oliver Neukum + +patch 5cf1973a44bd298e3cfce6f6af8faa8c9d0a6d55 in mainline + +to make HAL like the microtek driver's devices the parent must be +correctly set. + +Signed-off-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/image/microtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/image/microtek.c ++++ b/drivers/usb/image/microtek.c +@@ -823,7 +823,7 @@ static int mts_usb_probe(struct usb_inte + goto out_kfree2; + + new_desc->host->hostdata[0] = (unsigned long)new_desc; +- if (scsi_add_host(new_desc->host, NULL)) { ++ if (scsi_add_host(new_desc->host, &dev->dev)) { + err_retval = -EIO; + goto out_host_put; + } + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:36 2007 +Message-Id: <20071213062836.054576319@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:16 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + linux-usb@vger.kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + David Brownell , + Dave Miller , + Dely Sy , + Alan Stern +Subject: [patch 05/36] USB: fix up EHCI startup synchronization +Content-Disposition: inline; filename=usb-fix-up-ehci-startup-synchronization.patch +Content-Length: 1757 +Lines: 47 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: David Brownell + +patch 1cb52658b4f5b10a9e91f8e1c21ca2bcc1b9a3ca in mainline. + +A recent patch added software synchronization during EHCI startup, +so ports aren't switched away from the companion controllers after +resets have started. This patch adds a short delay letting hardware +finish that port switching before any new resets begin ... so both +ends of that hardware race window are closed. + +Signed-off-by: David Brownell +Cc: Dave Miller +Cc: Dely Sy +Cc: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-hcd.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/ehci-hcd.c ++++ b/drivers/usb/host/ehci-hcd.c +@@ -571,12 +571,15 @@ static int ehci_run (struct usb_hcd *hcd + * from the companions to the EHCI controller. If any of the + * companions are in the middle of a port reset at the time, it + * could cause trouble. Write-locking ehci_cf_port_reset_rwsem +- * guarantees that no resets are in progress. ++ * guarantees that no resets are in progress. After we set CF, ++ * a short delay lets the hardware catch up; new resets shouldn't ++ * be started before the port switching actions could complete. + */ + down_write(&ehci_cf_port_reset_rwsem); + hcd->state = HC_STATE_RUNNING; + ehci_writel(ehci, FLAG_CF, &ehci->regs->configured_flag); + ehci_readl(ehci, &ehci->regs->command); /* unblock posted writes */ ++ msleep(5); + up_write(&ehci_cf_port_reset_rwsem); + + temp = HC_VERSION(ehci_readl(ehci, &ehci->caps->hc_capbase)); + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:36 2007 +Message-Id: <20071213062836.207109355@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:17 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + Linus Torvalds +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Adrian Bunk , + Willy Tarreau , + Hugh Dickins +Subject: [patch 06/36] tmpfs: restore missing clear_highpage +Content-Disposition: inline; filename=tmpfs-restore-missing-clear_highpage.patch +Content-Length: 1455 +Lines: 51 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Hugh Dickins + +patch e84e2e132c9c66d8498e7710d4ea532d1feaaac5 in mainline + +tmpfs was misconverted to __GFP_ZERO in 2.6.11. There's an unusual case in +which shmem_getpage receives the page from its caller instead of allocating. +We must cover this case by clear_highpage before SetPageUptodate, as before. + +Signed-off-by: Hugh Dickins +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/shmem.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -1066,7 +1066,7 @@ shmem_alloc_page(gfp_t gfp, struct shmem + pvma.vm_policy = mpol_shared_policy_lookup(&info->policy, idx); + pvma.vm_pgoff = idx; + pvma.vm_end = PAGE_SIZE; +- page = alloc_page_vma(gfp | __GFP_ZERO, &pvma, 0); ++ page = alloc_page_vma(gfp, &pvma, 0); + mpol_free(pvma.vm_policy); + return page; + } +@@ -1086,7 +1086,7 @@ shmem_swapin(struct shmem_inode_info *in + static inline struct page * + shmem_alloc_page(gfp_t gfp,struct shmem_inode_info *info, unsigned long idx) + { +- return alloc_page(gfp | __GFP_ZERO); ++ return alloc_page(gfp); + } + #endif + +@@ -1295,6 +1295,7 @@ repeat: + + info->alloced++; + spin_unlock(&info->lock); ++ clear_highpage(filepage); + flush_dcache_page(filepage); + SetPageUptodate(filepage); + } + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:36 2007 +Message-Id: <20071213062836.364735088@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:18 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Netfilter Development Mailinglist , + "David S. Miller" , + Li Zefan , + Patrick McHardy +Subject: [patch 07/36] nf_nat: fix memset error +Content-Disposition: inline; filename=nf_nat-fix-memset-error.patch +Content-Length: 1155 +Lines: 42 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Li Zefan + +This patch fixes an incorrect memset in the NAT code, causing +misbehaviour when unloading and reloading the NAT module. +Applies to stable-2.6.22 and stable-2.6.23. + +Please apply, thanks. +[NETFILTER]: nf_nat: fix memset error + +Upstream commit e0bf9cf15fc30d300b7fbd821c6bc975531fab44 + +The size passing to memset is the size of a pointer. Fixes +misbehaviour when unloading and reloading the NAT module. + +Signed-off-by: Li Zefan +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + + +--- + net/ipv4/netfilter/nf_nat_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/netfilter/nf_nat_core.c ++++ b/net/ipv4/netfilter/nf_nat_core.c +@@ -633,7 +633,7 @@ static int clean_nat(struct nf_conn *i, + + if (!nat) + return 0; +- memset(nat, 0, sizeof(nat)); ++ memset(nat, 0, sizeof(*nat)); + i->status &= ~(IPS_NAT_MASK | IPS_NAT_DONE_MASK | IPS_SEQ_ADJUST); + return 0; + } + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:36 2007 +Message-Id: <20071213062836.518921151@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:19 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + Greg KH +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Benny Halevy , + Herbert Xu +Subject: [patch 08/36] libcrc32c: keep intermediate crc state in cpu order +Content-Disposition: inline; filename=libcrc32c-keep-intermediate-crc-state-in-cpu-order.patch +Content-Length: 1483 +Lines: 55 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Herbert Xu + +It's upstream changeset ef19454bd437b2ba14c9cda1de85debd9f383484. + +[LIB] crc32c: Keep intermediate crc state in cpu order + +crypto/crc32.c:chksum_final() is computing the digest as +*(__le32 *)out = ~cpu_to_le32(mctx->crc); +so the low-level crc32c_le routines should just keep +the crc in cpu order, otherwise it is getting swabbed +one too many times on big-endian machines. + +Signed-off-by: Benny Halevy +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + lib/libcrc32c.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/lib/libcrc32c.c ++++ b/lib/libcrc32c.c +@@ -33,7 +33,6 @@ + #include + #include + #include +-#include + + MODULE_AUTHOR("Clay Haapala "); + MODULE_DESCRIPTION("CRC32c (Castagnoli) calculations"); +@@ -161,15 +160,13 @@ static const u32 crc32c_table[256] = { + */ + + u32 __attribute_pure__ +-crc32c_le(u32 seed, unsigned char const *data, size_t length) ++crc32c_le(u32 crc, unsigned char const *data, size_t length) + { +- u32 crc = __cpu_to_le32(seed); +- + while (length--) + crc = + crc32c_table[(crc ^ *data++) & 0xFFL] ^ (crc >> 8); + +- return __le32_to_cpu(crc); ++ return crc; + } + + #endif /* CRC_LE_BITS == 8 */ + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:36 2007 +Message-Id: <20071213062836.671868648@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:20 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Karsten Keil +Subject: [patch 09/36] isdn: avoid copying overly-long strings +Content-Disposition: inline; filename=isdn-avoid-copying-overly-long-strings.patch +Content-Length: 1772 +Lines: 60 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Karsten Keil + +patch 0f13864e5b24d9cbe18d125d41bfa4b726a82e40 in mainline. + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9416 + +Signed-off-by: Karsten Keil +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/isdn/i4l/isdn_net.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/isdn/i4l/isdn_net.c ++++ b/drivers/isdn/i4l/isdn_net.c +@@ -2126,7 +2126,7 @@ isdn_net_find_icall(int di, int ch, int + u_long flags; + isdn_net_dev *p; + isdn_net_phone *n; +- char nr[32]; ++ char nr[ISDN_MSNLEN]; + char *my_eaz; + + /* Search name in netdev-chain */ +@@ -2135,7 +2135,7 @@ isdn_net_find_icall(int di, int ch, int + nr[1] = '\0'; + printk(KERN_INFO "isdn_net: Incoming call without OAD, assuming '0'\n"); + } else +- strcpy(nr, setup->phone); ++ strlcpy(nr, setup->phone, ISDN_MSNLEN); + si1 = (int) setup->si1; + si2 = (int) setup->si2; + if (!setup->eazmsn[0]) { +@@ -2802,7 +2802,7 @@ isdn_net_setcfg(isdn_net_ioctl_cfg * cfg + chidx = -1; + } + } +- strcpy(lp->msn, cfg->eaz); ++ strlcpy(lp->msn, cfg->eaz, sizeof(lp->msn)); + lp->pre_device = drvidx; + lp->pre_channel = chidx; + lp->onhtime = cfg->onhtime; +@@ -2951,7 +2951,7 @@ isdn_net_addphone(isdn_net_ioctl_phone * + if (p) { + if (!(n = kmalloc(sizeof(isdn_net_phone), GFP_KERNEL))) + return -ENOMEM; +- strcpy(n->num, phone->phone); ++ strlcpy(n->num, phone->phone, sizeof(n->num)); + n->next = p->local->phone[phone->outgoing & 1]; + p->local->phone[phone->outgoing & 1] = n; + return 0; + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:36 2007 +Message-Id: <20071213062836.825564188@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:21 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + adlab@venustech.com.cn, + kkeil@suse.de +Subject: [patch 10/36] I4L: fix isdn_ioctl memory overrun vulnerability +Content-Disposition: inline; filename=i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch +Content-Length: 1995 +Lines: 60 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Karsten Keil + +patch eafe1aa37e6ec2d56f14732b5240c4dd09f0613a in mainline. + +Fix possible memory overrun issue in the isdn ioctl code. Found by ADLAB + + +Signed-off-by: Karsten Keil +Cc: ADLAB +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/isdn/i4l/isdn_common.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/isdn/i4l/isdn_common.c ++++ b/drivers/isdn/i4l/isdn_common.c +@@ -1514,6 +1514,7 @@ isdn_ioctl(struct inode *inode, struct f + if (copy_from_user(&iocts, argp, + sizeof(isdn_ioctl_struct))) + return -EFAULT; ++ iocts.drvid[sizeof(iocts.drvid)-1] = 0; + if (strlen(iocts.drvid)) { + if ((p = strchr(iocts.drvid, ','))) + *p = 0; +@@ -1598,6 +1599,7 @@ isdn_ioctl(struct inode *inode, struct f + if (copy_from_user(&iocts, argp, + sizeof(isdn_ioctl_struct))) + return -EFAULT; ++ iocts.drvid[sizeof(iocts.drvid)-1] = 0; + if (strlen(iocts.drvid)) { + drvidx = -1; + for (i = 0; i < ISDN_MAX_DRIVERS; i++) +@@ -1642,7 +1644,7 @@ isdn_ioctl(struct inode *inode, struct f + } else { + p = (char __user *) iocts.arg; + for (i = 0; i < 10; i++) { +- sprintf(bname, "%s%s", ++ snprintf(bname, sizeof(bname), "%s%s", + strlen(dev->drv[drvidx]->msn2eaz[i]) ? + dev->drv[drvidx]->msn2eaz[i] : "_", + (i < 9) ? "," : "\0"); +@@ -1672,6 +1674,7 @@ isdn_ioctl(struct inode *inode, struct f + char *p; + if (copy_from_user(&iocts, argp, sizeof(isdn_ioctl_struct))) + return -EFAULT; ++ iocts.drvid[sizeof(iocts.drvid)-1] = 0; + if (strlen(iocts.drvid)) { + if ((p = strchr(iocts.drvid, ','))) + *p = 0; + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:37 2007 +Message-Id: <20071213062836.979784685@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:22 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Thomas Gleixner , + Ingo Molnar +Subject: [patch 11/36] hrtimers: avoid overflow for large relative timeouts (CVE-2007-5966) +Content-Disposition: inline; filename=hrtimers-avoid-overflow-for-large-relative-timeouts.patch +Content-Length: 1517 +Lines: 49 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Thomas Gleixner + +patch 62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5 in mainline + +Relative hrtimers with a large timeout value might end up as negative +timer values, when the current time is added in hrtimer_start(). + +This in turn is causing the clockevents_set_next() function to set an +huge timeout and sleep for quite a long time when we have a clock +source which is capable of long sleeps like HPET. With PIT this almost +goes unnoticed as the maximum delta is ~27ms. The non-hrt/nohz code +sorts this out in the next timer interrupt, so we never noticed that +problem which has been there since the first day of hrtimers. + +This bug became more apparent in 2.6.24 which activates HPET on more +hardware. + +Signed-off-by: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/hrtimer.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/kernel/hrtimer.c ++++ b/kernel/hrtimer.c +@@ -825,6 +825,14 @@ hrtimer_start(struct hrtimer *timer, kti + #ifdef CONFIG_TIME_LOW_RES + tim = ktime_add(tim, base->resolution); + #endif ++ /* ++ * Careful here: User space might have asked for a ++ * very long sleep, so the add above might result in a ++ * negative number, which enqueues the timer in front ++ * of the queue. ++ */ ++ if (tim.tv64 < 0) ++ tim.tv64 = KTIME_MAX; + } + timer->expires = tim; + + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:37 2007 +Message-Id: <20071213062837.133569907@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:23 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Steven Rostedt , + Ingo Molnar , + Thomas Gleixner +Subject: [patch 12/36] futex: fix for futex_wait signal stack corruption +Content-Disposition: inline; filename=futex-fix-for-futex_wait-signal-stack-corruption.patch +Content-Length: 7326 +Lines: 218 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Steven Rostedt + +patch ce6bd420f43b28038a2c6e8fbb86ad24014727b6 in mainline. + +David Holmes found a bug in the -rt tree with respect to +pthread_cond_timedwait. After trying his test program on the latest git +from mainline, I found the bug was there too. The bug he was seeing +that his test program showed, was that if one were to do a "Ctrl-Z" on a +process that was in the pthread_cond_timedwait, and then did a "bg" on +that process, it would return with a "-ETIMEDOUT" but early. That is, +the timer would go off early. + +Looking into this, I found the source of the problem. And it is a rather +nasty bug at that. + +Here's the relevant code from kernel/futex.c: (not in order in the file) + +[...] +smlinkage long sys_futex(u32 __user *uaddr, int op, u32 val, + struct timespec __user *utime, u32 __user *uaddr2, + u32 val3) +{ + struct timespec ts; + ktime_t t, *tp = NULL; + u32 val2 = 0; + int cmd = op & FUTEX_CMD_MASK; + + if (utime && (cmd == FUTEX_WAIT || cmd == FUTEX_LOCK_PI)) { + if (copy_from_user(&ts, utime, sizeof(ts)) != 0) + return -EFAULT; + if (!timespec_valid(&ts)) + return -EINVAL; + + t = timespec_to_ktime(ts); + if (cmd == FUTEX_WAIT) + t = ktime_add(ktime_get(), t); + tp = &t; + } +[...] + return do_futex(uaddr, op, val, tp, uaddr2, val2, val3); +} + +[...] + +long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout, + u32 __user *uaddr2, u32 val2, u32 val3) +{ + int ret; + int cmd = op & FUTEX_CMD_MASK; + struct rw_semaphore *fshared = NULL; + + if (!(op & FUTEX_PRIVATE_FLAG)) + fshared = ¤t->mm->mmap_sem; + + switch (cmd) { + case FUTEX_WAIT: + ret = futex_wait(uaddr, fshared, val, timeout); + +[...] + +static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared, + u32 val, ktime_t *abs_time) +{ +[...] + struct restart_block *restart; + restart = ¤t_thread_info()->restart_block; + restart->fn = futex_wait_restart; + restart->arg0 = (unsigned long)uaddr; + restart->arg1 = (unsigned long)val; + restart->arg2 = (unsigned long)abs_time; + restart->arg3 = 0; + if (fshared) + restart->arg3 |= ARG3_SHARED; + return -ERESTART_RESTARTBLOCK; +[...] + +static long futex_wait_restart(struct restart_block *restart) +{ + u32 __user *uaddr = (u32 __user *)restart->arg0; + u32 val = (u32)restart->arg1; + ktime_t *abs_time = (ktime_t *)restart->arg2; + struct rw_semaphore *fshared = NULL; + + restart->fn = do_no_restart_syscall; + if (restart->arg3 & ARG3_SHARED) + fshared = ¤t->mm->mmap_sem; + return (long)futex_wait(uaddr, fshared, val, abs_time); +} + +So when the futex_wait is interrupt by a signal we break out of the +hrtimer code and set up or return from signal. This code does not return +back to userspace, so we set up a RESTARTBLOCK. The bug here is that we +save the "abs_time" which is a pointer to the stack variable "ktime_t t" +from sys_futex. + +This returns and unwinds the stack before we get to call our signal. On +return from the signal we go to futex_wait_restart, where we update all +the parameters for futex_wait and call it. But here we have a problem +where abs_time is no longer valid. + +I verified this with print statements, and sure enough, what abs_time +was set to ends up being garbage when we get to futex_wait_restart. + +The solution I did to solve this (with input from Linus Torvalds) +was to add unions to the restart_block to allow system calls to +use the restart with specific parameters. This way the futex code now +saves the time in a 64bit value in the restart block instead of storing +it on the stack. + +Note: I'm a bit nervious to add "linux/types.h" and use u32 and u64 +in thread_info.h, when there's a #ifdef __KERNEL__ just below that. +Not sure what that is there for. If this turns out to be a problem, I've +tested this with using "unsigned int" for u32 and "unsigned long long" for +u64 and it worked just the same. I'm using u32 and u64 just to be +consistent with what the futex code uses. + +Signed-off-by: Steven Rostedt +Signed-off-by: Ingo Molnar +Signed-off-by: Thomas Gleixner +Acked-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/thread_info.h | 17 +++++++++++++++-- + kernel/futex.c | 25 +++++++++++++------------ + 2 files changed, 28 insertions(+), 14 deletions(-) + +--- a/include/linux/thread_info.h ++++ b/include/linux/thread_info.h +@@ -7,12 +7,25 @@ + #ifndef _LINUX_THREAD_INFO_H + #define _LINUX_THREAD_INFO_H + ++#include ++ + /* +- * System call restart block. ++ * System call restart block. + */ + struct restart_block { + long (*fn)(struct restart_block *); +- unsigned long arg0, arg1, arg2, arg3; ++ union { ++ struct { ++ unsigned long arg0, arg1, arg2, arg3; ++ }; ++ /* For futex_wait */ ++ struct { ++ u32 *uaddr; ++ u32 val; ++ u32 flags; ++ u64 time; ++ } futex; ++ }; + }; + + extern long do_no_restart_syscall(struct restart_block *parm); +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1129,9 +1129,9 @@ static int fixup_pi_state_owner(u32 __us + + /* + * In case we must use restart_block to restart a futex_wait, +- * we encode in the 'arg3' shared capability ++ * we encode in the 'flags' shared capability + */ +-#define ARG3_SHARED 1 ++#define FLAGS_SHARED 1 + + static long futex_wait_restart(struct restart_block *restart); + static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared, +@@ -1272,12 +1272,13 @@ static int futex_wait(u32 __user *uaddr, + struct restart_block *restart; + restart = ¤t_thread_info()->restart_block; + restart->fn = futex_wait_restart; +- restart->arg0 = (unsigned long)uaddr; +- restart->arg1 = (unsigned long)val; +- restart->arg2 = (unsigned long)abs_time; +- restart->arg3 = 0; ++ restart->futex.uaddr = (u32 *)uaddr; ++ restart->futex.val = val; ++ restart->futex.time = abs_time->tv64; ++ restart->futex.flags = 0; ++ + if (fshared) +- restart->arg3 |= ARG3_SHARED; ++ restart->futex.flags |= FLAGS_SHARED; + return -ERESTART_RESTARTBLOCK; + } + +@@ -1293,15 +1294,15 @@ static int futex_wait(u32 __user *uaddr, + + static long futex_wait_restart(struct restart_block *restart) + { +- u32 __user *uaddr = (u32 __user *)restart->arg0; +- u32 val = (u32)restart->arg1; +- ktime_t *abs_time = (ktime_t *)restart->arg2; ++ u32 __user *uaddr = (u32 __user *)restart->futex.uaddr; + struct rw_semaphore *fshared = NULL; ++ ktime_t t; + ++ t.tv64 = restart->futex.time; + restart->fn = do_no_restart_syscall; +- if (restart->arg3 & ARG3_SHARED) ++ if (restart->futex.flags & FLAGS_SHARED) + fshared = ¤t->mm->mmap_sem; +- return (long)futex_wait(uaddr, fshared, val, abs_time); ++ return (long)futex_wait(uaddr, fshared, restart->futex.val, &t); + } + + + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:37 2007 +Message-Id: <20071213062837.292845035@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:24 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Ayaz Abdulla , + Jeff Garzik +Subject: [patch 13/36] forcedeth: new mcp79 pci ids +Content-Disposition: inline; filename=forcedeth-new-mcp79-pci-ids.patch +Content-Length: 2850 +Lines: 62 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Ayaz Abdulla + +patch 490dde8990c55662596a4be71b5070bd7d382d4a in mainline. + +This patch adds new device ids and features for mcp79 devices into the +forcedeth driver. + +Signed-off-by: Ayaz Abdulla +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +index 92ce2e3..f9ba0ac 100644 +--- + drivers/net/forcedeth.c | 16 ++++++++++++++++ + include/linux/pci_ids.h | 4 ++++ + 2 files changed, 20 insertions(+) + +--- a/drivers/net/forcedeth.c ++++ b/drivers/net/forcedeth.c +@@ -5553,6 +5553,22 @@ static struct pci_device_id pci_tbl[] = + PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_27), + .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_HIGH_DMA|DEV_HAS_POWER_CNTRL|DEV_HAS_MSI|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT, + }, ++ { /* MCP79 Ethernet Controller */ ++ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_36), ++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT, ++ }, ++ { /* MCP79 Ethernet Controller */ ++ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_37), ++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT, ++ }, ++ { /* MCP79 Ethernet Controller */ ++ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_38), ++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT, ++ }, ++ { /* MCP79 Ethernet Controller */ ++ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_39), ++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT, ++ }, + {0,}, + }; + +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -1239,6 +1239,10 @@ + #define PCI_DEVICE_ID_NVIDIA_NFORCE_MCP67_IDE 0x0560 + #define PCI_DEVICE_ID_NVIDIA_NFORCE_MCP73_IDE 0x056C + #define PCI_DEVICE_ID_NVIDIA_NFORCE_MCP77_IDE 0x0759 ++#define PCI_DEVICE_ID_NVIDIA_NVENET_36 0x0AB0 ++#define PCI_DEVICE_ID_NVIDIA_NVENET_37 0x0AB1 ++#define PCI_DEVICE_ID_NVIDIA_NVENET_38 0x0AB2 ++#define PCI_DEVICE_ID_NVIDIA_NVENET_39 0x0AB3 + + #define PCI_VENDOR_ID_IMS 0x10e0 + #define PCI_DEVICE_ID_IMS_TT128 0x9128 + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:37 2007 +Message-Id: <20071213062837.446550912@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:25 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Ayaz Abdulla , + Alex Howells , + Jeff Garzik +Subject: [patch 14/36] forcedeth boot delay fix +Content-Disposition: inline; filename=forcedeth-boot-delay-fix.patch +Content-Length: 2162 +Lines: 58 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Ayaz Abdulla + +patch 9e555930bd873d238f5f7b9d76d3bf31e6e3ce93 in mainline. + +Fix a long boot delay in the forcedeth driver. During initialization, the +timeout for the handshake between mgmt unit and driver can be very long. +The patch reduces the timeout by eliminating a extra loop around the +timeout logic. + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9308 + +Signed-off-by: Ayaz Abdulla +Cc: Alex Howells +Signed-off-by: Andrew Morton +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/forcedeth.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +--- a/drivers/net/forcedeth.c ++++ b/drivers/net/forcedeth.c +@@ -5283,19 +5283,15 @@ static int __devinit nv_probe(struct pci + if (readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_SYNC_PHY_INIT) { + np->mac_in_use = readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_MGMT_ST; + dprintk(KERN_INFO "%s: mgmt unit is running. mac in use %x.\n", pci_name(pci_dev), np->mac_in_use); +- for (i = 0; i < 5000; i++) { +- msleep(1); +- if (nv_mgmt_acquire_sema(dev)) { +- /* management unit setup the phy already? */ +- if ((readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_SYNC_MASK) == +- NVREG_XMITCTL_SYNC_PHY_INIT) { +- /* phy is inited by mgmt unit */ +- phyinitialized = 1; +- dprintk(KERN_INFO "%s: Phy already initialized by mgmt unit.\n", pci_name(pci_dev)); +- } else { +- /* we need to init the phy */ +- } +- break; ++ if (nv_mgmt_acquire_sema(dev)) { ++ /* management unit setup the phy already? */ ++ if ((readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_SYNC_MASK) == ++ NVREG_XMITCTL_SYNC_PHY_INIT) { ++ /* phy is inited by mgmt unit */ ++ phyinitialized = 1; ++ dprintk(KERN_INFO "%s: Phy already initialized by mgmt unit.\n", pci_name(pci_dev)); ++ } else { ++ /* we need to init the phy */ + } + } + } + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:37 2007 +Message-Id: <20071213062837.600240865@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:26 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + rleigh@whinlatter.ukfsn.org, + benh@kernel.crashing.org, + mb@bu3sch.de, + khali@linux-fr.org, + adaplas@pol.net +Subject: [patch 15/36] fb_ddc: fix DDC lines quirk +Content-Disposition: inline; filename=fb_ddc-fix-ddc-lines-quirk.patch +Content-Length: 3258 +Lines: 90 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Jean Delvare + +patch b64d70825abbf706bbe80be1b11b09514b71f45e in mainline. + +The code in fb_ddc_read() is said to be based on the implementation of the +radeon driver: +http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=fc5891c8a3ba284f13994d7bc1f1bfa8283982de + +However, comparing the old radeon driver code with the new fb_ddc code +reveals some differences. Most notably, the I2C bus lines are held at the +end of the function, while the original code was releasing them (as the +comment above correctly says.) + +There are a few other differences, which appear to be responsible for read +failures on my system. While tracing low-level I2C code in i2c-algo-bit, I +noticed that the initial attempt to read the EDID always failed. It takes +one retry for the read to succeed. As we are about to remove this +automatic retry property from i2c-algo-bit, reading the EDID would really +fail. + +As a summary, the I2C lines quirk which is supposedly needed to read EDID +on some older monitors is currently breaking the (first) read on all other +monitors (and might not even work with older ones - did anyone try since +October 2006?) + +After applying the patch below, which makes the code in fb_ddc_read() +really similar to what the radeon driver used to have, the first EDID read +succeeds again. + +On top of that, as it appears that this code has been broken for one year +now and nobody seems to have complained, I'm curious if it makes sense to +keep this quirk in place. It makes the code more complex and slower just +for the sake of monitors which I guess nobody uses anymore. Can't we just +get rid of it? + +Signed-off-by: Jean Delvare +Acked-by: Benjamin Herrenschmidt +Tested-by: Roger Leigh +Tested-by: Michael Buesch +Cc: "Antonino A. Daplas" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fb_ddc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/video/fb_ddc.c ++++ b/drivers/video/fb_ddc.c +@@ -56,13 +56,12 @@ unsigned char *fb_ddc_read(struct i2c_ad + int i, j; + + algo_data->setscl(algo_data->data, 1); +- algo_data->setscl(algo_data->data, 0); + + for (i = 0; i < 3; i++) { + /* For some old monitors we need the + * following process to initialize/stop DDC + */ +- algo_data->setsda(algo_data->data, 0); ++ algo_data->setsda(algo_data->data, 1); + msleep(13); + + algo_data->setscl(algo_data->data, 1); +@@ -97,14 +96,15 @@ unsigned char *fb_ddc_read(struct i2c_ad + algo_data->setsda(algo_data->data, 1); + msleep(15); + algo_data->setscl(algo_data->data, 0); ++ algo_data->setsda(algo_data->data, 0); + if (edid) + break; + } + /* Release the DDC lines when done or the Apple Cinema HD display + * will switch off + */ +- algo_data->setsda(algo_data->data, 0); +- algo_data->setscl(algo_data->data, 0); ++ algo_data->setsda(algo_data->data, 1); ++ algo_data->setscl(algo_data->data, 1); + + return edid; + } + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:37 2007 +Message-Id: <20071213062837.755857149@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:27 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + davem@davemloft.net +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Herbert Xu +Subject: [patch 16/36] TCP: Problem bug with sysctl_tcp_congestion_control function +Content-Disposition: inline; filename=tcp-problem-bug-with-sysctl_tcp_congestion_control-function.patch +Content-Length: 1900 +Lines: 50 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + + +From: Sam Jansen + +[TCP]: Problem bug with sysctl_tcp_congestion_control function + +[ Upstream commit: 5487796f0c9475586277a0a7a91211ce5746fa6a ] + +sysctl_tcp_congestion_control seems to have a bug that prevents it +from actually calling the tcp_set_default_congestion_control +function. This is not so apparent because it does not return an error +and generally the /proc interface is used to configure the default TCP +congestion control algorithm. This is present in 2.6.18 onwards and +probably earlier, though I have not inspected 2.6.15--2.6.17. + +sysctl_tcp_congestion_control calls sysctl_string and expects a successful +return code of 0. In such a case it actually sets the congestion control +algorithm with tcp_set_default_congestion_control. Otherwise, it returns the +value returned by sysctl_string. This was correct in 2.6.14, as sysctl_string +returned 0 on success. However, sysctl_string was updated to return 1 on +success around about 2.6.15 and sysctl_tcp_congestion_control was not updated. +Even though sysctl_tcp_congestion_control returns 1, do_sysctl_strategy +converts this return code to '0', so the caller never notices the error. + +Signed-off-by: David S. Miller +Cc: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/sysctl_net_ipv4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -121,7 +121,7 @@ static int sysctl_tcp_congestion_control + + tcp_get_default_congestion_control(val); + ret = sysctl_string(&tbl, name, nlen, oldval, oldlenp, newval, newlen); +- if (ret == 0 && newval && newlen) ++ if (ret == 1 && newval && newlen) + ret = tcp_set_default_congestion_control(val); + return ret; + } + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:38 2007 +Message-Id: <20071213062837.910712959@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:28 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + davem@davemloft.net +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + =?ISO-8859-15?q?Ilpo=20J=E4rvinen?= , + Herbert Xu +Subject: [patch 17/36] TCP: MTUprobe: fix potential sk_send_head corruption +Content-Disposition: inline; filename=tcp-mtuprobe-fix-potential-sk_send_head-corruption.patch +Content-Length: 1540 +Lines: 50 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Ilpo Järvinen + +[TCP] MTUprobe: fix potential sk_send_head corruption + +[ Upstream commit: 6e42141009ff18297fe19d19296738b742f861db ] + +When the abstraction functions got added, conversion here was +made incorrectly. As a result, the skb may end up pointing +to skb which got included to the probe skb and then was freed. +For it to trigger, however, skb_transmit must fail sending as +well. + +Signed-off-by: Ilpo Järvinen +Signed-off-by: David S. Miller +Cc: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/tcp.h | 3 +++ + net/ipv4/tcp_output.c | 1 - + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1258,6 +1258,9 @@ static inline void tcp_insert_write_queu + struct sock *sk) + { + __skb_insert(new, skb->prev, skb, &sk->sk_write_queue); ++ ++ if (sk->sk_send_head == skb) ++ sk->sk_send_head = new; + } + + static inline void tcp_unlink_write_queue(struct sk_buff *skb, struct sock *sk) +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1279,7 +1279,6 @@ static int tcp_mtu_probe(struct sock *sk + + skb = tcp_send_head(sk); + tcp_insert_write_queue_before(nskb, skb, sk); +- tcp_advance_send_head(sk, skb); + + TCP_SKB_CB(nskb)->seq = TCP_SKB_CB(skb)->seq; + TCP_SKB_CB(nskb)->end_seq = TCP_SKB_CB(skb)->seq + probe_size; + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:38 2007 +Message-Id: <20071213062838.062753166@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:29 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + bunk@kernel.org, + +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Herbert Xu +Subject: [patch 18/36] PFKEY: Sending an SADB_GET responds with an SADB_GET +Content-Disposition: inline; filename=pfkey-sending-an-sadb_get-responds-with-an-sadb_get.patch +Content-Length: 1026 +Lines: 35 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Charles Hardin + +[PFKEY]: Sending an SADB_GET responds with an SADB_GET + +[ Upstream commit: 435000bebd94aae3a7a50078d142d11683d3b193 ] + +Kernel needs to respond to an SADB_GET with the same message type to +conform to the RFC 2367 Section 3.1.5 + +Signed-off-by: Andrew Morton +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + net/key/af_key.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1543,7 +1543,7 @@ static int pfkey_get(struct sock *sk, st + + out_hdr = (struct sadb_msg *) out_skb->data; + out_hdr->sadb_msg_version = hdr->sadb_msg_version; +- out_hdr->sadb_msg_type = SADB_DUMP; ++ out_hdr->sadb_msg_type = SADB_GET; + out_hdr->sadb_msg_satype = pfkey_proto2satype(proto); + out_hdr->sadb_msg_errno = 0; + out_hdr->sadb_msg_reserved = 0; + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:38 2007 +Message-Id: <20071213062838.216760984@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:30 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + davem@davemloft.net +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Eric Dumazet , + Herbert Xu +Subject: [patch 19/36] NET: Corrects a bug in ip_rt_acct_read() +Content-Disposition: inline; filename=net-corrects-a-bug-in-ip_rt_acct_read.patch +Content-Length: 1391 +Lines: 50 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Eric Dumazet + +[NET]: Corrects a bug in ip_rt_acct_read() + +[ Upstream commit: 483b23ffa3a5f44767038b0a676d757e0668437e ] + +It seems that stats of cpu 0 are counted twice, since +for_each_possible_cpu() is looping on all possible cpus, including 0 + +Before percpu conversion of ip_rt_acct, we should also remove the +assumption that CPU 0 is online (or even possible) + +Signed-off-by: Eric Dumazet +Cc: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/route.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -3150,18 +3150,14 @@ static int ip_rt_acct_read(char *buffer, + offset /= sizeof(u32); + + if (length > 0) { +- u32 *src = ((u32 *) IP_RT_ACCT_CPU(0)) + offset; + u32 *dst = (u32 *) buffer; + +- /* Copy first cpu. */ + *start = buffer; +- memcpy(dst, src, length); ++ memset(dst, 0, length); + +- /* Add the other cpus in, one int at a time */ + for_each_possible_cpu(i) { + unsigned int j; +- +- src = ((u32 *) IP_RT_ACCT_CPU(i)) + offset; ++ u32 *src = ((u32 *) IP_RT_ACCT_CPU(i)) + offset; + + for (j = 0; j < length/4; j++) + dst[j] += src[j]; + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:38 2007 +Message-Id: <20071213062838.372004924@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:31 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + bunk@kernel.org, + davem@davemloft.net +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Herbert Xu +Subject: [patch 20/36] IPV4: Remove bogus ifdef mess in arp_process +Content-Disposition: inline; filename=ipv4-remove-bogus-ifdef-mess-in-arp_process.patch +Content-Length: 2438 +Lines: 89 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Adrian Bunk + +[IPV4]: Remove bogus ifdef mess in arp_process + +[ Upstream commit: 3660019e5f96fd9a8b7d4214a96523c0bf7b676d ] + +The #ifdef's in arp_process() were not only a mess, they were also wrong +in the CONFIG_NET_ETHERNET=n and (CONFIG_NETDEV_1000=y or +CONFIG_NETDEV_10000=y) cases. + +Since they are not required this patch removes them. + +Also removed are some #ifdef's around #include's that caused compile +errors after this change. + +Signed-off-by: Adrian Bunk +Signed-off-by: Herbert Xu +Cc: David Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/arp.c | 19 ------------------- + 1 file changed, 19 deletions(-) + +--- a/net/ipv4/arp.c ++++ b/net/ipv4/arp.c +@@ -110,12 +110,8 @@ + #include + #include + #include +-#if defined(CONFIG_AX25) || defined(CONFIG_AX25_MODULE) + #include +-#if defined(CONFIG_NETROM) || defined(CONFIG_NETROM_MODULE) + #include +-#endif +-#endif + #if defined(CONFIG_ATM_CLIP) || defined(CONFIG_ATM_CLIP_MODULE) + #include + struct neigh_table *clip_tbl_hook; +@@ -729,20 +725,10 @@ static int arp_process(struct sk_buff *s + htons(dev_type) != arp->ar_hrd) + goto out; + break; +-#ifdef CONFIG_NET_ETHERNET + case ARPHRD_ETHER: +-#endif +-#ifdef CONFIG_TR + case ARPHRD_IEEE802_TR: +-#endif +-#ifdef CONFIG_FDDI + case ARPHRD_FDDI: +-#endif +-#ifdef CONFIG_NET_FC + case ARPHRD_IEEE802: +-#endif +-#if defined(CONFIG_NET_ETHERNET) || defined(CONFIG_TR) || \ +- defined(CONFIG_FDDI) || defined(CONFIG_NET_FC) + /* + * ETHERNET, Token Ring and Fibre Channel (which are IEEE 802 + * devices, according to RFC 2625) devices will accept ARP +@@ -757,21 +743,16 @@ static int arp_process(struct sk_buff *s + arp->ar_pro != htons(ETH_P_IP)) + goto out; + break; +-#endif +-#if defined(CONFIG_AX25) || defined(CONFIG_AX25_MODULE) + case ARPHRD_AX25: + if (arp->ar_pro != htons(AX25_P_IP) || + arp->ar_hrd != htons(ARPHRD_AX25)) + goto out; + break; +-#if defined(CONFIG_NETROM) || defined(CONFIG_NETROM_MODULE) + case ARPHRD_NETROM: + if (arp->ar_pro != htons(AX25_P_IP) || + arp->ar_hrd != htons(ARPHRD_NETROM)) + goto out; + break; +-#endif +-#endif + } + + /* Understand only these message types */ + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:38 2007 +Message-Id: <20071213062838.526590921@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:32 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + davem@davemloft.net +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Herbert Xu +Subject: [patch 21/36] CRYPTO api: Fix potential race in crypto_remove_spawn +Content-Disposition: inline; filename=crypto-api-fix-potential-race-in-crypto_remove_spawn.patch +Content-Length: 1328 +Lines: 50 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Herbert Xu + +[CRYPTO] api: Fix potential race in crypto_remove_spawn + +[ Upstream commit: 38cb2419f544ad413c7f7aa8c17fd7377610cdd8 ] + +As it is crypto_remove_spawn may try to unregister an instance which is +yet to be registered. This patch fixes this by checking whether the +instance has been registered before attempting to remove it. + +It also removes a bogus cra_destroy check in crypto_register_instance as +1) it's outside the mutex; +2) we have a check in __crypto_register_alg already. + +Signed-off-by: Herbert Xu +Cc: David Miller +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/algapi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/crypto/algapi.c ++++ b/crypto/algapi.c +@@ -98,6 +98,9 @@ static void crypto_remove_spawn(struct c + return; + + inst->alg.cra_flags |= CRYPTO_ALG_DEAD; ++ if (hlist_unhashed(&inst->list)) ++ return; ++ + if (!tmpl || !crypto_tmpl_get(tmpl)) + return; + +@@ -333,9 +336,6 @@ int crypto_register_instance(struct cryp + LIST_HEAD(list); + int err = -EINVAL; + +- if (inst->alg.cra_destroy) +- goto err; +- + err = crypto_check_alg(&inst->alg); + if (err) + goto err; + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:38 2007 +Message-Id: <20071213062838.682746481@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:33 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + bunk@kernel.org, + davem@davemloft.net +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + chas williams , + Herbert Xu +Subject: [patch 22/36] ATM: initialize lock and tasklet earlier +Content-Disposition: inline; filename=atm-initialize-lock-and-tasklet-earlier.patch +Content-Length: 1513 +Lines: 52 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: chas williams + +[ATM]: [he] initialize lock and tasklet earlier + +[ Upstream commit: 8a8037ac9dbe4eb20ce50aa20244faf77444f4a3 ] + +if you are lucky (unlucky?) enough to have shared interrupts, the +interrupt handler can be called before the tasklet and lock are ready +for use. + +Signed-off-by: chas williams +Signed-off-by: Herbert Xu +Cc: David Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/atm/he.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/atm/he.c ++++ b/drivers/atm/he.c +@@ -394,6 +394,11 @@ he_init_one(struct pci_dev *pci_dev, con + he_dev->atm_dev->dev_data = he_dev; + atm_dev->dev_data = he_dev; + he_dev->number = atm_dev->number; ++#ifdef USE_TASKLET ++ tasklet_init(&he_dev->tasklet, he_tasklet, (unsigned long) he_dev); ++#endif ++ spin_lock_init(&he_dev->global_lock); ++ + if (he_start(atm_dev)) { + he_stop(he_dev); + err = -ENODEV; +@@ -1173,11 +1178,6 @@ he_start(struct atm_dev *dev) + if ((err = he_init_irq(he_dev)) != 0) + return err; + +-#ifdef USE_TASKLET +- tasklet_init(&he_dev->tasklet, he_tasklet, (unsigned long) he_dev); +-#endif +- spin_lock_init(&he_dev->global_lock); +- + /* 4.11 enable pci bus controller state machines */ + host_cntl |= (OUTFF_ENB | CMDFF_ENB | + QUICK_RD_RETRY | QUICK_WR_RETRY | PERR_INT_ENB); + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:38 2007 +Message-Id: <20071213062838.836059269@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:34 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + bunk@kernel.org, + +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Florian Zumbiehl , + Herbert Xu +Subject: [patch 23/36] UNIX: EOF on non-blocking SOCK_SEQPACKET +Content-Disposition: inline; filename=unix-eof-on-non-blocking-sock_seqpacket.patch +Content-Length: 2413 +Lines: 86 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Florian Zumbiehl + +[UNIX]: EOF on non-blocking SOCK_SEQPACKET + +[ Upstream commit: 0a11225887fe6cbccd882404dc36ddc50f47daf9 ] + +I am not absolutely sure whether this actually is a bug (as in: I've got +no clue what the standards say or what other implementations do), but at +least I was pretty surprised when I noticed that a recv() on a +non-blocking unix domain socket of type SOCK_SEQPACKET (which is connection +oriented, after all) where the remote end has closed the connection +returned -1 (EAGAIN) rather than 0 to indicate end of file. + +This is a test case: + +| #include +| #include +| #include +| #include +| #include +| #include +| #include +| +| int main(){ +| int sock; +| struct sockaddr_un addr; +| char buf[4096]; +| int pfds[2]; +| +| pipe(pfds); +| sock=socket(PF_UNIX,SOCK_SEQPACKET,0); +| addr.sun_family=AF_UNIX; +| strcpy(addr.sun_path,"/tmp/foobar_testsock"); +| bind(sock,(struct sockaddr *)&addr,sizeof(addr)); +| listen(sock,1); +| if(fork()){ +| close(sock); +| sock=socket(PF_UNIX,SOCK_SEQPACKET,0); +| connect(sock,(struct sockaddr *)&addr,sizeof(addr)); +| fcntl(sock,F_SETFL,fcntl(sock,F_GETFL)|O_NONBLOCK); +| close(pfds[1]); +| read(pfds[0],buf,sizeof(buf)); +| recv(sock,buf,sizeof(buf),0); // <-- this one +| }else accept(sock,NULL,NULL); +| exit(0); +| } + +If you try it, make sure /tmp/foobar_testsock doesn't exist. + +The marked recv() returns -1 (EAGAIN) on 2.6.23.9. Below you find a +patch that fixes that. + +Signed-off-by: Florian Zumbiehl +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + net/unix/af_unix.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1608,8 +1608,15 @@ static int unix_dgram_recvmsg(struct kio + mutex_lock(&u->readlock); + + skb = skb_recv_datagram(sk, flags, noblock, &err); +- if (!skb) ++ if (!skb) { ++ unix_state_lock(sk); ++ /* Signal EOF on disconnected non-blocking SEQPACKET socket. */ ++ if (sk->sk_type == SOCK_SEQPACKET && err == -EAGAIN && ++ (sk->sk_shutdown & RCV_SHUTDOWN)) ++ err = 0; ++ unix_state_unlock(sk); + goto out_unlock; ++ } + + wake_up_interruptible(&u->peer_wait); + + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:39 2007 +Message-Id: <20071213062838.997507703@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:35 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Pablo Neira Ayuso , + Patrick McHardy , + Herbert Xu +Subject: [patch 24/36] TEXTSEARCH: Do not allow zero length patterns in the textsearch infrastructure +Content-Disposition: inline; filename=textsearch-do-not-allow-zero-length-patterns-in-the-textsearch-infrastructure.patch +Content-Length: 1726 +Lines: 56 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Pablo Neira Ayuso + +[TEXTSEARCH]: Do not allow zero length patterns in the textsearch infrastructure + +[ Upstream commit: e03ba84adb62fbc6049325a5bc00ef6932fa5e39 ] + +If a zero length pattern is passed then return EINVAL. +Avoids infinite loops (bm) or invalid memory accesses (kmp). + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Patrick McHardy +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + lib/textsearch.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/lib/textsearch.c ++++ b/lib/textsearch.c +@@ -7,7 +7,7 @@ + * 2 of the License, or (at your option) any later version. + * + * Authors: Thomas Graf +- * Pablo Neira Ayuso ++ * Pablo Neira Ayuso + * + * ========================================================================== + * +@@ -250,7 +250,8 @@ unsigned int textsearch_find_continuous( + * the various search algorithms. + * + * Returns a new textsearch configuration according to the specified +- * parameters or a ERR_PTR(). ++ * parameters or a ERR_PTR(). If a zero length pattern is passed, this ++ * function returns EINVAL. + */ + struct ts_config *textsearch_prepare(const char *algo, const void *pattern, + unsigned int len, gfp_t gfp_mask, int flags) +@@ -259,6 +260,9 @@ struct ts_config *textsearch_prepare(con + struct ts_config *conf; + struct ts_ops *ops; + ++ if (len == 0) ++ return ERR_PTR(-EINVAL); ++ + ops = lookup_ts_algo(algo); + #ifdef CONFIG_KMOD + /* + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:39 2007 +Message-Id: <20071213062839.153662355@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:36 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Stephen Hemminger , + Herbert Xu +Subject: [patch 25/36] TCP: illinois: Incorrect beta usage +Content-Disposition: inline; filename=tcp-illinois-incorrect-beta-usage.patch +Content-Length: 1344 +Lines: 44 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Stephen Hemminger + +[TCP] illinois: Incorrect beta usage + +[ Upstream commit: a357dde9df33f28611e6a3d4f88265e39bcc8880 ] + +Lachlan Andrew observed that my TCP-Illinois implementation uses the +beta value incorrectly: +The parameter beta in the paper specifies the amount to decrease +*by*: that is, on loss, + W <- W - beta*W +but in tcp_illinois_ssthresh() uses beta as the amount +to decrease *to*: W <- beta*W + +This bug makes the Linux TCP-Illinois get less-aggressive on uncongested network, +hurting performance. Note: since the base beta value is .5, it has no +impact on a congested network. + +Signed-off-by: Stephen Hemminger +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_illinois.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_illinois.c ++++ b/net/ipv4/tcp_illinois.c +@@ -300,7 +300,7 @@ static u32 tcp_illinois_ssthresh(struct + struct illinois *ca = inet_csk_ca(sk); + + /* Multiplicative decrease */ +- return max((tp->snd_cwnd * ca->beta) >> BETA_SHIFT, 2U); ++ return max(tp->snd_cwnd - ((tp->snd_cwnd * ca->beta) >> BETA_SHIFT), 2U); + } + + + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:39 2007 +Message-Id: <20071213062839.307852191@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:37 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + David Howells , + Herbert Xu +Subject: [patch 26/36] RXRPC: Add missing select on CRYPTO +Content-Disposition: inline; filename=rxrpc-add-missing-select-on-crypto.patch +Content-Length: 806 +Lines: 33 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: David Howells + +[RXRPC]: Add missing select on CRYPTO + +[ Upstream commit: d5a784b3719ae364f49ecff12a0248f6e4252720 ] + +AF_RXRPC uses the crypto services, so should depend on or select CRYPTO. + +Signed-off-by: David Howells +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + net/rxrpc/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/rxrpc/Kconfig ++++ b/net/rxrpc/Kconfig +@@ -5,6 +5,7 @@ + config AF_RXRPC + tristate "RxRPC session sockets" + depends on INET && EXPERIMENTAL ++ select CRYPTO + select KEYS + help + Say Y or M here to include support for RxRPC session sockets (just + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:39 2007 +Message-Id: <20071213062839.461340151@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:38 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + bunk@kernel.org, + +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Evgeniy Polyakov , + Herbert Xu +Subject: [patch 27/36] IPV6: Restore IPv6 when MTU is big enough +Content-Disposition: inline; filename=ipv6-restore-ipv6-when-mtu-is-big-enough.patch +Content-Length: 1632 +Lines: 64 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Evgeniy Polyakov + +[IPV6]: Restore IPv6 when MTU is big enough + +[ Upstream commit: d31c7b8fa303eb81311f27b80595b8d2cbeef950 ] + +Avaid provided test application, so bug got fixed. + +IPv6 addrconf removes ipv6 inner device from netdev each time cmu +changes and new value is less than IPV6_MIN_MTU (1280 bytes). +When mtu is changed and new value is greater than IPV6_MIN_MTU, +it does not add ipv6 addresses and inner device bac. + +This patch fixes that. + +Tested with Avaid's application, which works ok now. + +Signed-off-by: Evgeniy Polyakov +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/addrconf.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -2285,6 +2285,9 @@ static int addrconf_notify(struct notifi + break; + } + ++ if (!idev && dev->mtu >= IPV6_MIN_MTU) ++ idev = ipv6_add_dev(dev); ++ + if (idev) + idev->if_flags |= IF_READY; + } else { +@@ -2349,12 +2352,18 @@ static int addrconf_notify(struct notifi + break; + + case NETDEV_CHANGEMTU: +- if ( idev && dev->mtu >= IPV6_MIN_MTU) { ++ if (idev && dev->mtu >= IPV6_MIN_MTU) { + rt6_mtu_change(dev, dev->mtu); + idev->cnf.mtu6 = dev->mtu; + break; + } + ++ if (!idev && dev->mtu >= IPV6_MIN_MTU) { ++ idev = ipv6_add_dev(dev); ++ if (idev) ++ break; ++ } ++ + /* MTU falled under IPV6_MIN_MTU. Stop IPv6 on this interface. */ + + case NETDEV_DOWN: + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:39 2007 +Message-Id: <20071213062839.617781517@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:39 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Pavel Emelyanov , + Steven Whitehouse , + Herbert Xu +Subject: [patch 28/36] DECNET: dn_nl_deladdr() almost always returns no error +Content-Disposition: inline; filename=decnet-dn_nl_deladdr-almost-always-returns-no-error.patch +Content-Length: 1451 +Lines: 51 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Pavel Emelyanov + +[DECNET]: dn_nl_deladdr() almost always returns no error + +[ Upstream commit: 3ccd86241b277249d5ac08e91eddfade47184520 ] + +As far as I see from the err variable initialization +the dn_nl_deladdr() routine was designed to report errors +like "EADDRNOTAVAIL" and probaby "ENODEV". + +But the code sets this err to 0 after the first nlmsg_parse +and goes on, returning this 0 in any case. + +Signed-off-by: Pavel Emelyanov +Acked-by: Steven Whitehouse +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + net/decnet/dn_dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/decnet/dn_dev.c ++++ b/net/decnet/dn_dev.c +@@ -651,16 +651,18 @@ static int dn_nl_deladdr(struct sk_buff + struct dn_dev *dn_db; + struct ifaddrmsg *ifm; + struct dn_ifaddr *ifa, **ifap; +- int err = -EADDRNOTAVAIL; ++ int err; + + err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, dn_ifa_policy); + if (err < 0) + goto errout; + ++ err = -ENODEV; + ifm = nlmsg_data(nlh); + if ((dn_db = dn_dev_by_index(ifm->ifa_index)) == NULL) + goto errout; + ++ err = -EADDRNOTAVAIL; + for (ifap = &dn_db->ifa_list; (ifa = *ifap); ifap = &ifa->ifa_next) { + if (tb[IFA_LOCAL] && + nla_memcmp(tb[IFA_LOCAL], &ifa->ifa_local, 2)) + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:39 2007 +Message-Id: <20071213062839.773513326@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:40 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + bunk@kernel.org, + +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Pavel Emelyanov , + Herbert Xu +Subject: [patch 29/36] BRIDGE: Lost call to br_fdb_fini() in br_init() error path +Content-Disposition: inline; filename=bridge-lost-call-to-br_fdb_fini-in-br_init-error-path.patch +Content-Length: 1026 +Lines: 45 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Pavel Emelyanov + +[BRIDGE]: Lost call to br_fdb_fini() in br_init() error path + +[ Upstream commit: 17efdd45755c0eb8d1418a1368ef7c7ebbe98c6e ] + +In case the br_netfilter_init() (or any subsequent call) +fails, the br_fdb_fini() must be called to free the allocated +in br_fdb_init() br_fdb_cache kmem cache. + +Signed-off-by: Pavel Emelyanov +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + net/bridge/br.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/bridge/br.c ++++ b/net/bridge/br.c +@@ -39,7 +39,7 @@ static int __init br_init(void) + + err = br_fdb_init(); + if (err) +- goto err_out1; ++ goto err_out; + + err = br_netfilter_init(); + if (err) +@@ -65,6 +65,8 @@ err_out3: + err_out2: + br_netfilter_fini(); + err_out1: ++ br_fdb_fini(); ++err_out: + llc_sap_put(br_stp_sap); + return err; + } + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:40 2007 +Message-Id: <20071213062839.928355516@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:41 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Neil Brown , + "Luiz Fernando N. Capitulino" , + "J. Bruce Fields" , + Oliver Pintr +Subject: [patch 30/36] knfsd: Validate filehandle type in fsid_source +Content-Disposition: inline; filename=knfsd-validate-filehandle-type-in-fsid_source.patch +Content-Length: 1747 +Lines: 62 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Neil Brown + +patch b8da0d1c27f144bce999c653467106f3f0d5a308 in mainline. + +fsid_source decided where to get the 'fsid' number to +return for a GETATTR based on the type of filehandle. +It can be from the device, from the fsid, or from the +UUID. + +It is possible for the filehandle to be inconsistent +with the export information, so make sure the export information +actually has the info implied by the value returned by +fsid_source. + +Signed-off-by: Neil Brown +Cc: "Luiz Fernando N. Capitulino" +Signed-off-by: "J. Bruce Fields" +Signed-off-by: Linus Torvalds +Cc: Oliver Pintr +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfsfh.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +--- a/fs/nfsd/nfsfh.c ++++ b/fs/nfsd/nfsfh.c +@@ -565,13 +565,23 @@ enum fsid_source fsid_source(struct svc_ + case FSID_DEV: + case FSID_ENCODE_DEV: + case FSID_MAJOR_MINOR: +- return FSIDSOURCE_DEV; ++ if (fhp->fh_export->ex_dentry->d_inode->i_sb->s_type->fs_flags ++ & FS_REQUIRES_DEV) ++ return FSIDSOURCE_DEV; ++ break; + case FSID_NUM: +- return FSIDSOURCE_FSID; +- default: + if (fhp->fh_export->ex_flags & NFSEXP_FSID) + return FSIDSOURCE_FSID; +- else +- return FSIDSOURCE_UUID; ++ break; ++ default: ++ break; + } ++ /* either a UUID type filehandle, or the filehandle doesn't ++ * match the export. ++ */ ++ if (fhp->fh_export->ex_flags & NFSEXP_FSID) ++ return FSIDSOURCE_FSID; ++ if (fhp->fh_export->ex_uuid) ++ return FSIDSOURCE_UUID; ++ return FSIDSOURCE_DEV; + } + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:40 2007 +Message-Id: <20071213062840.081499488@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:42 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk +Subject: [patch 31/36] Revert "Fix SMP poweroff hangs" +Content-Disposition: inline; filename=revert-fix-smp-poweroff-hangs.patch +Content-Length: 1551 +Lines: 55 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Greg Kroah-Hartman + +This reverts the following changeset in 2.6.22.10 that caused a lot of +reported problems. + + From: Mark Lord + + commit 4047727e5ae33f9b8d2b7766d1994ea6e5ec2991 from upstream + + We need to disable all CPUs other than the boot CPU (usually 0) before + attempting to power-off modern SMP machines. This fixes the + hang-on-poweroff issue on my MythTV SMP box, and also on Thomas Gleixner's + new toybox. + + Signed-off-by: Mark Lord + Acked-by: Thomas Gleixner + Cc: "Rafael J. Wysocki" + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + Signed-off-by: Greg Kroah-Hartman + +There still is a remaining shutdown problem in 2.6.22 with old APM based +systems, but this fix is not the correct one + +Signed-off-by: Greg Kroah-Hartman + + +--- + kernel/sys.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -31,7 +31,6 @@ + #include + #include + #include +-#include + + #include + #include +@@ -866,7 +865,6 @@ EXPORT_SYMBOL_GPL(kernel_halt); + void kernel_power_off(void) + { + kernel_shutdown_prepare(SYSTEM_POWER_OFF); +- disable_nonboot_cpus(); + printk(KERN_EMERG "Power down.\n"); + machine_power_off(); + } + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:40 2007 +Message-Id: <20071213062840.238415313@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:43 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "Rafael J. Wysocki" , + David Chinner , + Lachlan McIlroy , + Oliver Pintr +Subject: [patch 32/36] XFS: Make xfsbufd threads freezable +Content-Disposition: inline; filename=xfs-make-xfsbufd-threads-freezable.patch +Content-Length: 980 +Lines: 38 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Rafael J. Wysocki + +patch 978c7b2ff49597ab76ff7529a933bd366941ac25 in mainline + +Fix breakage caused by commit 831441862956fffa17b9801db37e6ea1650b0f69 +that did not introduce the necessary call to set_freezable() in +xfs/linux-2.6/xfs_buf.c . + +SGI-PV: 974224 +SGI-Modid: xfs-linux-melb:xfs-kern:30203a + +Signed-off-by: Rafael J. Wysocki +Signed-off-by: David Chinner +Signed-off-by: Lachlan McIlroy +Cc: Oliver Pintr +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xfs/linux-2.6/xfs_buf.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/xfs/linux-2.6/xfs_buf.c ++++ b/fs/xfs/linux-2.6/xfs_buf.c +@@ -1733,6 +1733,8 @@ xfsbufd( + + current->flags |= PF_MEMALLOC; + ++ set_freezable(); ++ + do { + if (unlikely(freezing(current))) { + set_bit(XBT_FORCE_SLEEP, &target->bt_flags); + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:40 2007 +Message-Id: <20071213062840.397252791@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:44 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + davem@davemloft.net +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Patrick McHardy , + Herbert Xu +Subject: [patch 33/36] XFRM: Fix leak of expired xfrm_states +Content-Disposition: inline; filename=xfrm-fix-leak-of-expired-xfrm_states.patch +Content-Length: 1124 +Lines: 38 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Patrick McHardy + +[XFRM]: Fix leak of expired xfrm_states + +[ Upstream commit: 5dba4797115c8fa05c1a4d12927a6ae0b33ffc41 ] + +The xfrm_timer calls __xfrm_state_delete, which drops the final reference +manually without triggering destruction of the state. Change it to use +xfrm_state_put to add the state to the gc list when we're dropping the +last reference. The timer function may still continue to use the state +safely since the final destruction does a del_timer_sync(). + +Signed-off-by: Patrick McHardy +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -371,7 +371,7 @@ int __xfrm_state_delete(struct xfrm_stat + * The xfrm_state_alloc call gives a reference, and that + * is what we are dropping here. + */ +- __xfrm_state_put(x); ++ xfrm_state_put(x); + err = 0; + } + + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:40 2007 +Message-Id: <20071213062840.558793002@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:45 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + Greg KH +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + , + Patrick McHardy , + Herbert Xu +Subject: [patch 34/36] NETFILTER: xt_TCPMSS: remove network triggerable WARN_ON +Content-Disposition: inline; filename=netfilter-xt_tcpmss-remove-network-triggerable-warn_on.patch +Content-Length: 1004 +Lines: 37 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Patrick McHardy + +[NETFILTER]: xt_TCPMSS: remove network triggerable WARN_ON + +[ Upstream commit: 9dc0564e862b1b9a4677dec2c736b12169e03e99 ] + +ipv6_skip_exthdr() returns -1 for invalid packets. don't WARN_ON +that. + +Signed-off-by: Patrick McHardy +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/xt_TCPMSS.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/net/netfilter/xt_TCPMSS.c ++++ b/net/netfilter/xt_TCPMSS.c +@@ -178,10 +178,8 @@ xt_tcpmss_target6(struct sk_buff **pskb, + + nexthdr = ipv6h->nexthdr; + tcphoff = ipv6_skip_exthdr(*pskb, sizeof(*ipv6h), &nexthdr); +- if (tcphoff < 0) { +- WARN_ON(1); ++ if (tcphoff < 0) + return NF_DROP; +- } + ret = tcpmss_mangle_packet(pskb, targinfo, tcphoff, + sizeof(*ipv6h) + sizeof(struct tcphdr)); + if (ret < 0) + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:40 2007 +Message-Id: <20071213062840.713714047@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:46 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + IDE/ATA development list +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Michael Tokarev , + Jeff Garzik , + Diego Torres , + Tejun Heo +Subject: [patch 35/36] libata: kill spurious NCQ completion detection +Content-Disposition: inline; filename=libata-kill-spurious-ncq-completion-detection.patch +Content-Length: 5851 +Lines: 168 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Tejun Heo + +patch 459ad68893a84fb0881e57919340b97edbbc3dc7 in mainline. + +Spurious NCQ completion detection implemented in ahci was incorrect. +On AHCI receving and processing FISes and raising interrupts are not +interlocked and spurious interrupts are expected. + +For example, if an interrupt occurs while interrupt handler is running +and the running interrupt handler handles the event the new IRQ +indicated, after IRQ handler finishes, it will be executed again +because IRQ pending bit is set by the new interrupt but there won't be +anything to process. + +Please read the following message for more information. + + http://article.gmane.org/gmane.linux.ide/26012 + +This patch... + +* Removes all spurious IRQ whining from ahci. Spurious NCQ completion + detection was completely wrong. Spurious D2H Register FIS taught us + that some early drives send spurious D2H Register FIS with I bit set + while NCQ commands are in progress but none of recent drives does + that and even the ones which show such behavior can do NCQ fine. + +* Kills all NCQ blacklist entries which were added because of spurious + NCQ completions. I tracked down each commit and verified all + removed ones are actually added because of spurious completions. + + WD740ADFD-00NLR1 wasn't deleted but moved upward because the drive + not only had spurious NCQ completions but also is slow on sequential + data transfers if NCQ is enabled. + + Maxtor 7V300F0 was added by 0e3dbc01d53940fe10e5a5cfec15ede3e929c918 + from Alan Cox. I can only find evidences that the drive only had + troubles with spuruious completions by searching the mailing list. + This entry needs to be verified and removed if it doesn't have other + NCQ related problems. + +Signed-off-by: Tejun Heo +Cc: Alan Cox +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ahci.c | 65 ---------------------------------------------- + drivers/ata/libata-core.c | 10 ------- + 2 files changed, 2 insertions(+), 73 deletions(-) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -1241,7 +1241,7 @@ static void ahci_host_intr(struct ata_po + struct ata_eh_info *ehi = &ap->eh_info; + struct ahci_port_priv *pp = ap->private_data; + u32 status, qc_active; +- int rc, known_irq = 0; ++ int rc; + + status = readl(port_mmio + PORT_IRQ_STAT); + writel(status, port_mmio + PORT_IRQ_STAT); +@@ -1257,74 +1257,11 @@ static void ahci_host_intr(struct ata_po + qc_active = readl(port_mmio + PORT_CMD_ISSUE); + + rc = ata_qc_complete_multiple(ap, qc_active, NULL); +- if (rc > 0) +- return; + if (rc < 0) { + ehi->err_mask |= AC_ERR_HSM; + ehi->action |= ATA_EH_SOFTRESET; + ata_port_freeze(ap); +- return; +- } +- +- /* hmmm... a spurious interupt */ +- +- /* if !NCQ, ignore. No modern ATA device has broken HSM +- * implementation for non-NCQ commands. +- */ +- if (!ap->sactive) +- return; +- +- if (status & PORT_IRQ_D2H_REG_FIS) { +- if (!pp->ncq_saw_d2h) +- ata_port_printk(ap, KERN_INFO, +- "D2H reg with I during NCQ, " +- "this message won't be printed again\n"); +- pp->ncq_saw_d2h = 1; +- known_irq = 1; +- } +- +- if (status & PORT_IRQ_DMAS_FIS) { +- if (!pp->ncq_saw_dmas) +- ata_port_printk(ap, KERN_INFO, +- "DMAS FIS during NCQ, " +- "this message won't be printed again\n"); +- pp->ncq_saw_dmas = 1; +- known_irq = 1; +- } +- +- if (status & PORT_IRQ_SDB_FIS) { +- const __le32 *f = pp->rx_fis + RX_FIS_SDB; +- +- if (le32_to_cpu(f[1])) { +- /* SDB FIS containing spurious completions +- * might be dangerous, whine and fail commands +- * with HSM violation. EH will turn off NCQ +- * after several such failures. +- */ +- ata_ehi_push_desc(ehi, +- "spurious completions during NCQ " +- "issue=0x%x SAct=0x%x FIS=%08x:%08x", +- readl(port_mmio + PORT_CMD_ISSUE), +- readl(port_mmio + PORT_SCR_ACT), +- le32_to_cpu(f[0]), le32_to_cpu(f[1])); +- ehi->err_mask |= AC_ERR_HSM; +- ehi->action |= ATA_EH_SOFTRESET; +- ata_port_freeze(ap); +- } else { +- if (!pp->ncq_saw_sdb) +- ata_port_printk(ap, KERN_INFO, +- "spurious SDB FIS %08x:%08x during NCQ, " +- "this message won't be printed again\n", +- le32_to_cpu(f[0]), le32_to_cpu(f[1])); +- pp->ncq_saw_sdb = 1; +- } +- known_irq = 1; + } +- +- if (!known_irq) +- ata_port_printk(ap, KERN_INFO, "spurious interrupt " +- "(irq_stat 0x%x active_tag 0x%x sactive 0x%x)\n", +- status, ap->active_tag, ap->sactive); + } + + static void ahci_irq_clear(struct ata_port *ap) +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -3785,6 +3785,7 @@ static const struct ata_blacklist_entry + /* Devices where NCQ should be avoided */ + /* NCQ is slow */ + { "WDC WD740ADFD-00", NULL, ATA_HORKAGE_NONCQ }, ++ { "WDC WD740ADFD-00NLR1", NULL, ATA_HORKAGE_NONCQ, }, + /* http://thread.gmane.org/gmane.linux.ide/14907 */ + { "FUJITSU MHT2060BH", NULL, ATA_HORKAGE_NONCQ }, + /* NCQ is broken */ +@@ -3803,15 +3804,6 @@ static const struct ata_blacklist_entry + { "HTS541060G9SA00", "MB3OC60D", ATA_HORKAGE_NONCQ, }, + { "HTS541080G9SA00", "MB4OC60D", ATA_HORKAGE_NONCQ, }, + { "HTS541010G9SA00", "MBZOC60D", ATA_HORKAGE_NONCQ, }, +- /* Drives which do spurious command completion */ +- { "HTS541680J9SA00", "SB2IC7EP", ATA_HORKAGE_NONCQ, }, +- { "HTS541612J9SA00", "SBDIC7JP", ATA_HORKAGE_NONCQ, }, +- { "Hitachi HTS541616J9SA00", "SB4OC70P", ATA_HORKAGE_NONCQ, }, +- { "WDC WD740ADFD-00NLR1", NULL, ATA_HORKAGE_NONCQ, }, +- { "FUJITSU MHV2080BH", "00840028", ATA_HORKAGE_NONCQ, }, +- { "ST9160821AS", "3.CLF", ATA_HORKAGE_NONCQ, }, +- { "ST3160812AS", "3.AD", ATA_HORKAGE_NONCQ, }, +- { "SAMSUNG HD401LJ", "ZZ100-15", ATA_HORKAGE_NONCQ, }, + + /* End Marker */ + { } + +-- + +From gregkh@mini.kroah.org Wed Dec 12 22:28:41 2007 +Message-Id: <20071213062840.869269426@mini.kroah.org> +References: <20071213062511.265908583@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 12 Dec 2007 22:25:47 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + Greg KH +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@kernel.org, + , + Pavel Emelyanov , + Herbert Xu +Subject: [patch 36/36] BRIDGE: Properly dereference the br_should_route_hook +Content-Disposition: inline; filename=bridge-properly-dereference-the-br_should_route_hook.patch +Content-Length: 2038 +Lines: 74 + + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Pavel Emelyanov + +[BRIDGE]: Properly dereference the br_should_route_hook + +[ Upstream commit: 82de382ce8e1c7645984616728dc7aaa057821e4 ] + +This hook is protected with the RCU, so simple + +if (br_should_route_hook) + br_should_route_hook(...) + +is not enough on some architectures. + +Use the rcu_dereference/rcu_assign_pointer in this case. + +Fixed Stephen's comment concerning using the typeof(). + +Signed-off-by: Pavel Emelyanov +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + net/bridge/br_input.c | 7 ++++--- + net/bridge/netfilter/ebtable_broute.c | 4 ++-- + 2 files changed, 6 insertions(+), 5 deletions(-) + +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -127,6 +127,7 @@ static inline int is_link_local(const un + struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb) + { + const unsigned char *dest = eth_hdr(skb)->h_dest; ++ int (*rhook)(struct sk_buff **pskb); + + if (!is_valid_ether_addr(eth_hdr(skb)->h_source)) + goto drop; +@@ -148,9 +149,9 @@ struct sk_buff *br_handle_frame(struct n + + switch (p->state) { + case BR_STATE_FORWARDING: +- +- if (br_should_route_hook) { +- if (br_should_route_hook(&skb)) ++ rhook = rcu_dereference(br_should_route_hook); ++ if (rhook != NULL) { ++ if (rhook(&skb)) + return skb; + dest = eth_hdr(skb)->h_dest; + } +--- a/net/bridge/netfilter/ebtable_broute.c ++++ b/net/bridge/netfilter/ebtable_broute.c +@@ -70,13 +70,13 @@ static int __init ebtable_broute_init(vo + if (ret < 0) + return ret; + /* see br_input.c */ +- br_should_route_hook = ebt_broute; ++ rcu_assign_pointer(br_should_route_hook, ebt_broute); + return ret; + } + + static void __exit ebtable_broute_fini(void) + { +- br_should_route_hook = NULL; ++ rcu_assign_pointer(br_should_route_hook, NULL); + synchronize_net(); + ebt_unregister_table(&broute_table); + } + +-- + diff --git a/queue-2.6.22/net-corrects-a-bug-in-ip_rt_acct_read.patch b/review-2.6.22/net-corrects-a-bug-in-ip_rt_acct_read.patch similarity index 100% rename from queue-2.6.22/net-corrects-a-bug-in-ip_rt_acct_read.patch rename to review-2.6.22/net-corrects-a-bug-in-ip_rt_acct_read.patch diff --git a/queue-2.6.22/netfilter-xt_tcpmss-remove-network-triggerable-warn_on.patch b/review-2.6.22/netfilter-xt_tcpmss-remove-network-triggerable-warn_on.patch similarity index 100% rename from queue-2.6.22/netfilter-xt_tcpmss-remove-network-triggerable-warn_on.patch rename to review-2.6.22/netfilter-xt_tcpmss-remove-network-triggerable-warn_on.patch diff --git a/queue-2.6.22/nf_nat-fix-memset-error.patch b/review-2.6.22/nf_nat-fix-memset-error.patch similarity index 100% rename from queue-2.6.22/nf_nat-fix-memset-error.patch rename to review-2.6.22/nf_nat-fix-memset-error.patch diff --git a/queue-2.6.22/pfkey-sending-an-sadb_get-responds-with-an-sadb_get.patch b/review-2.6.22/pfkey-sending-an-sadb_get-responds-with-an-sadb_get.patch similarity index 100% rename from queue-2.6.22/pfkey-sending-an-sadb_get-responds-with-an-sadb_get.patch rename to review-2.6.22/pfkey-sending-an-sadb_get-responds-with-an-sadb_get.patch diff --git a/queue-2.6.22/rd-fix-data-corruption-on-memory-pressure.patch b/review-2.6.22/rd-fix-data-corruption-on-memory-pressure.patch similarity index 100% rename from queue-2.6.22/rd-fix-data-corruption-on-memory-pressure.patch rename to review-2.6.22/rd-fix-data-corruption-on-memory-pressure.patch diff --git a/queue-2.6.22/revert-fix-smp-poweroff-hangs.patch b/review-2.6.22/revert-fix-smp-poweroff-hangs.patch similarity index 100% rename from queue-2.6.22/revert-fix-smp-poweroff-hangs.patch rename to review-2.6.22/revert-fix-smp-poweroff-hangs.patch diff --git a/queue-2.6.22/rxrpc-add-missing-select-on-crypto.patch b/review-2.6.22/rxrpc-add-missing-select-on-crypto.patch similarity index 100% rename from queue-2.6.22/rxrpc-add-missing-select-on-crypto.patch rename to review-2.6.22/rxrpc-add-missing-select-on-crypto.patch diff --git a/queue-2.6.22/series b/review-2.6.22/series similarity index 100% rename from queue-2.6.22/series rename to review-2.6.22/series diff --git a/queue-2.6.22/tcp-illinois-incorrect-beta-usage.patch b/review-2.6.22/tcp-illinois-incorrect-beta-usage.patch similarity index 100% rename from queue-2.6.22/tcp-illinois-incorrect-beta-usage.patch rename to review-2.6.22/tcp-illinois-incorrect-beta-usage.patch diff --git a/queue-2.6.22/tcp-mtuprobe-fix-potential-sk_send_head-corruption.patch b/review-2.6.22/tcp-mtuprobe-fix-potential-sk_send_head-corruption.patch similarity index 100% rename from queue-2.6.22/tcp-mtuprobe-fix-potential-sk_send_head-corruption.patch rename to review-2.6.22/tcp-mtuprobe-fix-potential-sk_send_head-corruption.patch diff --git a/queue-2.6.22/tcp-problem-bug-with-sysctl_tcp_congestion_control-function.patch b/review-2.6.22/tcp-problem-bug-with-sysctl_tcp_congestion_control-function.patch similarity index 100% rename from queue-2.6.22/tcp-problem-bug-with-sysctl_tcp_congestion_control-function.patch rename to review-2.6.22/tcp-problem-bug-with-sysctl_tcp_congestion_control-function.patch diff --git a/queue-2.6.22/textsearch-do-not-allow-zero-length-patterns-in-the-textsearch-infrastructure.patch b/review-2.6.22/textsearch-do-not-allow-zero-length-patterns-in-the-textsearch-infrastructure.patch similarity index 100% rename from queue-2.6.22/textsearch-do-not-allow-zero-length-patterns-in-the-textsearch-infrastructure.patch rename to review-2.6.22/textsearch-do-not-allow-zero-length-patterns-in-the-textsearch-infrastructure.patch diff --git a/queue-2.6.22/tmpfs-restore-missing-clear_highpage.patch b/review-2.6.22/tmpfs-restore-missing-clear_highpage.patch similarity index 100% rename from queue-2.6.22/tmpfs-restore-missing-clear_highpage.patch rename to review-2.6.22/tmpfs-restore-missing-clear_highpage.patch diff --git a/queue-2.6.22/unix-eof-on-non-blocking-sock_seqpacket.patch b/review-2.6.22/unix-eof-on-non-blocking-sock_seqpacket.patch similarity index 100% rename from queue-2.6.22/unix-eof-on-non-blocking-sock_seqpacket.patch rename to review-2.6.22/unix-eof-on-non-blocking-sock_seqpacket.patch diff --git a/queue-2.6.22/usb-fix-up-ehci-startup-synchronization.patch b/review-2.6.22/usb-fix-up-ehci-startup-synchronization.patch similarity index 100% rename from queue-2.6.22/usb-fix-up-ehci-startup-synchronization.patch rename to review-2.6.22/usb-fix-up-ehci-startup-synchronization.patch diff --git a/queue-2.6.22/usb-make-the-microtek-driver-and-hal-cooperate.patch b/review-2.6.22/usb-make-the-microtek-driver-and-hal-cooperate.patch similarity index 100% rename from queue-2.6.22/usb-make-the-microtek-driver-and-hal-cooperate.patch rename to review-2.6.22/usb-make-the-microtek-driver-and-hal-cooperate.patch diff --git a/queue-2.6.22/wait_task_stopped-pass-correct-exit_code-to-wait_noreap_copyout.patch b/review-2.6.22/wait_task_stopped-pass-correct-exit_code-to-wait_noreap_copyout.patch similarity index 100% rename from queue-2.6.22/wait_task_stopped-pass-correct-exit_code-to-wait_noreap_copyout.patch rename to review-2.6.22/wait_task_stopped-pass-correct-exit_code-to-wait_noreap_copyout.patch diff --git a/queue-2.6.22/xfrm-fix-leak-of-expired-xfrm_states.patch b/review-2.6.22/xfrm-fix-leak-of-expired-xfrm_states.patch similarity index 100% rename from queue-2.6.22/xfrm-fix-leak-of-expired-xfrm_states.patch rename to review-2.6.22/xfrm-fix-leak-of-expired-xfrm_states.patch diff --git a/queue-2.6.22/xfs-make-xfsbufd-threads-freezable.patch b/review-2.6.22/xfs-make-xfsbufd-threads-freezable.patch similarity index 100% rename from queue-2.6.22/xfs-make-xfsbufd-threads-freezable.patch rename to review-2.6.22/xfs-make-xfsbufd-threads-freezable.patch