From: Greg Kroah-Hartman Date: Fri, 21 Sep 2007 23:41:11 +0000 (-0700) Subject: more 2.6.22 patches added X-Git-Tag: v2.6.22.7~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7919945f3d1d9a672d7eebbfa2a2cbb477a53c2a;p=thirdparty%2Fkernel%2Fstable-queue.git more 2.6.22 patches added --- diff --git a/queue-2.6.22/fix-datagram-recvmsg-null-iov-handling-regression.patch b/queue-2.6.22/fix-datagram-recvmsg-null-iov-handling-regression.patch new file mode 100644 index 00000000000..e793cab67f7 --- /dev/null +++ b/queue-2.6.22/fix-datagram-recvmsg-null-iov-handling-regression.patch @@ -0,0 +1,41 @@ +From stable-bounces@linux.kernel.org Thu Sep 20 15:20:18 2007 +From: Herbert Xu +Date: Thu, 20 Sep 2007 12:41:36 -0700 (PDT) +Subject: Fix datagram recvmsg NULL iov handling regression. +To: stable@kernel.org +Cc: bunk@kernel.org +Message-ID: <20070920.124136.34842105.davem@davemloft.net> + +From: Herbert Xu + +commit ef8aef55ce61fd0e2af798695f7386ac756ae1e7 in mainline + +Subject: [PATCH] [NET]: Do not dereference iov if length is zero + +When msg_iovlen is zero we shouldn't try to dereference +msg_iov. Right now the only thing that tries to do so +is skb_copy_and_csum_datagram_iovec. Since the total +length should also be zero if msg_iovlen is zero, it's +sufficient to check the total length there and simply +return if it's zero. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/datagram.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/core/datagram.c ++++ b/net/core/datagram.c +@@ -450,6 +450,9 @@ int skb_copy_and_csum_datagram_iovec(str + __wsum csum; + int chunk = skb->len - hlen; + ++ if (!chunk) ++ return 0; ++ + /* Skip filled elements. + * Pretty silly, look at memcpy_toiovec, though 8) + */ diff --git a/queue-2.6.22/fix-inet_diag-oops.patch b/queue-2.6.22/fix-inet_diag-oops.patch new file mode 100644 index 00000000000..06098440cde --- /dev/null +++ b/queue-2.6.22/fix-inet_diag-oops.patch @@ -0,0 +1,87 @@ +From stable-bounces@linux.kernel.org Thu Sep 20 12:44:40 2007 +From: Patrick McHardy +Date: Thu, 20 Sep 2007 12:44:24 -0700 (PDT) +Subject: Fix inet_diag OOPS. +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070920.124424.25158218.davem@davemloft.net> + + +From: Patrick McHardy + +commit 0a9c73014415d2a84dac346c1e12169142a6ad37 in mainline + +[INET_DIAG]: Fix oops in netlink_rcv_skb + +netlink_run_queue() doesn't handle multiple processes processing the +queue concurrently. Serialize queue processing in inet_diag to fix +a oops in netlink_rcv_skb caused by netlink_run_queue passing a +NULL for the skb. + +BUG: unable to handle kernel NULL pointer dereference at virtual address 00000054 +[349587.500454] printing eip: +[349587.500457] c03318ae +[349587.500459] *pde = 00000000 +[349587.500464] Oops: 0000 [#1] +[349587.500466] PREEMPT SMP +[349587.500474] Modules linked in: w83627hf hwmon_vid i2c_isa +[349587.500483] CPU: 0 +[349587.500485] EIP: 0060:[] Not tainted VLI +[349587.500487] EFLAGS: 00010246 (2.6.22.3 #1) +[349587.500499] EIP is at netlink_rcv_skb+0xa/0x7e +[349587.500506] eax: 00000000 ebx: 00000000 ecx: c148d2a0 edx: c0398819 +[349587.500510] esi: 00000000 edi: c0398819 ebp: c7a21c8c esp: c7a21c80 +[349587.500517] ds: 007b es: 007b fs: 00d8 gs: 0033 ss: 0068 +[349587.500521] Process oidentd (pid: 17943, ti=c7a20000 task=cee231c0 task.ti=c7a20000) +[349587.500527] Stack: 00000000 c7a21cac f7c8ba78 c7a21ca4 c0331962 c0398819 f7c8ba00 0000004c +[349587.500542] f736f000 c7a21cb4 c03988e3 00000001 f7c8ba00 c7a21cc4 c03312a5 0000004c +[349587.500558] f7c8ba00 c7a21cd4 c0330681 f7c8ba00 e4695280 c7a21d00 c03307c6 7fffffff +[349587.500578] Call Trace: +[349587.500581] [] show_trace_log_lvl+0x1c/0x33 +[349587.500591] [] show_stack_log_lvl+0x8d/0xaa +[349587.500595] [] show_registers+0x1cb/0x321 +[349587.500604] [] die+0x112/0x1e1 +[349587.500607] [] do_page_fault+0x229/0x565 +[349587.500618] [] error_code+0x72/0x78 +[349587.500625] [] netlink_run_queue+0x40/0x76 +[349587.500632] [] inet_diag_rcv+0x1f/0x2c +[349587.500639] [] netlink_data_ready+0x57/0x59 +[349587.500643] [] netlink_sendskb+0x24/0x45 +[349587.500651] [] netlink_unicast+0x100/0x116 +[349587.500656] [] netlink_sendmsg+0x1c2/0x280 +[349587.500664] [] sock_sendmsg+0xba/0xd5 +[349587.500671] [] sys_sendmsg+0x17b/0x1e8 +[349587.500676] [] sys_socketcall+0x230/0x24d +[349587.500684] [] syscall_call+0x7/0xb +[349587.500691] ======================= +[349587.500693] Code: f0 ff 4e 18 0f 94 c0 84 c0 0f 84 66 ff ff ff 89 f0 e8 86 e2 fc ff e9 5a ff ff ff f0 ff 40 10 eb be 55 89 e5 57 89 d7 56 89 c6 53 <8b> 50 54 83 fa 10 72 55 8b 9e 9c 00 00 00 31 c9 8b 03 83 f8 0f + +Reported by Athanasius + +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/inet_diag.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -836,12 +836,16 @@ static int inet_diag_rcv_msg(struct sk_b + return inet_diag_get_exact(skb, nlh); + } + ++static DEFINE_MUTEX(inet_diag_mutex); ++ + static void inet_diag_rcv(struct sock *sk, int len) + { + unsigned int qlen = 0; + + do { ++ mutex_lock(&inet_diag_mutex); + netlink_run_queue(sk, &qlen, &inet_diag_rcv_msg); ++ mutex_unlock(&inet_diag_mutex); + } while (qlen); + } + diff --git a/queue-2.6.22/fix-ipsec-ah4-options-handling.patch b/queue-2.6.22/fix-ipsec-ah4-options-handling.patch new file mode 100644 index 00000000000..4ba92cb1af6 --- /dev/null +++ b/queue-2.6.22/fix-ipsec-ah4-options-handling.patch @@ -0,0 +1,55 @@ +From stable-bounces@linux.kernel.org Thu Sep 20 12:48:03 2007 +From: Nick Bowler +Date: Thu, 20 Sep 2007 12:47:45 -0700 (PDT) +Subject: Fix IPSEC AH4 options handling +To: stable@kernel.org +Cc: bunk@kernel.org +Message-ID: <20070920.124745.58439764.davem@davemloft.net> + +From: Nick Bowler + +commit 8ee4f391831cb96916a8e8a05f04b1c1d7dd30d8 in mainline. + +In testing our ESP/AH offload hardware, I discovered an issue with how +AH handles mutable fields in IPv4. RFC 4302 (AH) states the following +on the subject: + + For IPv4, the entire option is viewed as a unit; so even + though the type and length fields within most options are immutable + in transit, if an option is classified as mutable, the entire option + is zeroed for ICV computation purposes. + +The current implementation does not zero the type and length fields, +resulting in authentication failures when communicating with hosts +that do (i.e. FreeBSD). + +I have tested record route and timestamp options (ping -R and ping -T) +on a small network involving Windows XP, FreeBSD 6.2, and Linux hosts, +with one router. In the presence of these options, the FreeBSD and +Linux hosts (with the patch or with the hardware) can communicate. +The Windows XP host simply fails to accept these packets with or +without the patch. + +I have also been trying to test source routing options (using +traceroute -g), but haven't had much luck getting this option to work +*without* AH, let alone with. + +Signed-off-by: Nick Bowler +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/ah4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/ah4.c ++++ b/net/ipv4/ah4.c +@@ -46,7 +46,7 @@ static int ip_clear_mutable_options(stru + memcpy(daddr, optptr+optlen-4, 4); + /* Fall through */ + default: +- memset(optptr+2, 0, optlen-2); ++ memset(optptr, 0, optlen); + } + l -= optlen; + optptr += optlen; diff --git a/queue-2.6.22/fix-ipv6-append-oops.patch b/queue-2.6.22/fix-ipv6-append-oops.patch new file mode 100644 index 00000000000..e84ab976678 --- /dev/null +++ b/queue-2.6.22/fix-ipv6-append-oops.patch @@ -0,0 +1,54 @@ +From stable-bounces@linux.kernel.org Thu Sep 20 12:47:07 2007 +From: YOSHIFUJI Hideaki +Date: Thu, 20 Sep 2007 12:46:41 -0700 (PDT) +Subject: Fix IPV6 append OOPS. +To: stable@kernel.org +Cc: bunk@kernel.org +Message-ID: <20070920.124641.63052146.davem@davemloft.net> + +From: YOSHIFUJI Hideaki + +commit e1f52208bb968291f7d9142eff60b62984b4a511 in mainline. + +[IPv6]: Fix NULL pointer dereference in ip6_flush_pending_frames + +Some of skbs in sk->write_queue do not have skb->dst because +we do not fill skb->dst when we allocate new skb in append_data(). + +BTW, I think we may not need to (or we should not) increment some stats +when using corking; if 100 sendmsg() (with MSG_MORE) result in 2 packets, +how many should we increment? + +If 100, we should set skb->dst for every queued skbs. + +If 1 (or 2 (*)), we increment the stats for the first queued skb and +we should just skip incrementing OutDiscards for the rest of queued skbs, +adn we should also impelement this semantics in other places; +e.g., we should increment other stats just once, not 100 times. + +*: depends on the place we are discarding the datagram. + +I guess should just increment by 1 (or 2). + +Signed-off-by: YOSHIFUJI Hideaki +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ip6_output.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1423,8 +1423,9 @@ void ip6_flush_pending_frames(struct soc + struct sk_buff *skb; + + while ((skb = __skb_dequeue_tail(&sk->sk_write_queue)) != NULL) { +- IP6_INC_STATS(ip6_dst_idev(skb->dst), +- IPSTATS_MIB_OUTDISCARDS); ++ if (skb->dst) ++ IP6_INC_STATS(ip6_dst_idev(skb->dst), ++ IPSTATS_MIB_OUTDISCARDS); + kfree_skb(skb); + } + diff --git a/queue-2.6.22/fix-ipv6-dad-handling.patch b/queue-2.6.22/fix-ipv6-dad-handling.patch new file mode 100644 index 00000000000..cbacbc76f60 --- /dev/null +++ b/queue-2.6.22/fix-ipv6-dad-handling.patch @@ -0,0 +1,36 @@ +From stable-bounces@linux.kernel.org Thu Sep 20 12:56:12 2007 +From: Denis V. Lunev +Date: Thu, 20 Sep 2007 12:55:47 -0700 (PDT) +Subject: [stable] [PATCH]: Fix IPV6 DAD handling +To: stable@kernel.org +Cc: bunk@kernel.org +Message-ID: <20070920.125547.35800190.davem@davemloft.net> + +From: Denis V. Lunev + +commit 9e3be4b34364a670bd6e57d2e8c3caabdd8d89f8 in mainline + +addrconf_dad_failure calls addrconf_dad_stop which takes referenced address +and drops the count. So, in6_ifa_put perrformed at out: is extra. This +results in message: "Freeing alive inet6 address" and not released dst entries. + +Signed-off-by: Denis V. Lunev +Signed-off-by: Alexey Dobriyan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ndisc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -736,7 +736,7 @@ static void ndisc_recv_ns(struct sk_buff + * so fail our DAD process + */ + addrconf_dad_failure(ifp); +- goto out; ++ return; + } else { + /* + * This is not a dad solicitation. diff --git a/queue-2.6.22/fix-ipv6-double-sock-release-with-msg_confirm.patch b/queue-2.6.22/fix-ipv6-double-sock-release-with-msg_confirm.patch new file mode 100644 index 00000000000..80e5fefeb52 --- /dev/null +++ b/queue-2.6.22/fix-ipv6-double-sock-release-with-msg_confirm.patch @@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Thu Sep 20 12:54:27 2007 +From: YOSHIFUJI Hideaki +Date: Thu, 20 Sep 2007 12:54:07 -0700 (PDT) +Subject: Fix ipv6 double-sock-release with MSG_CONFIRM +To: stable@kernel.org +Cc: bunk@kernel.org +Message-ID: <20070920.125407.82516702.davem@davemloft.net> + +From: YOSHIFUJI Hideaki + +commit 3ef9d943d26dea764f4fecf3767001c90b778b0c in mainline + +Signed-off-by: YOSHIFUJI Hideaki +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/raw.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -858,11 +858,10 @@ back_from_confirm: + ip6_flush_pending_frames(sk); + else if (!(msg->msg_flags & MSG_MORE)) + err = rawv6_push_pending_frames(sk, &fl, rp); ++ release_sock(sk); + } + done: + dst_release(dst); +- if (!inet->hdrincl) +- release_sock(sk); + out: + fl6_sock_release(flowlabel); + return err<0?err:len; diff --git a/queue-2.6.22/fix-ipv6-source-address-handling.patch b/queue-2.6.22/fix-ipv6-source-address-handling.patch new file mode 100644 index 00000000000..e0bc7f54e0b --- /dev/null +++ b/queue-2.6.22/fix-ipv6-source-address-handling.patch @@ -0,0 +1,38 @@ +From stable-bounces@linux.kernel.org Thu Sep 20 12:57:20 2007 +From: Jiri Kosina +Date: Thu, 20 Sep 2007 12:56:55 -0700 (PDT) +Subject: Fix ipv6 source address handling. +To: stable@kernel.org +Cc: bunk@kernel.org +Message-ID: <20070920.125655.48823543.davem@davemloft.net> + +From: Jiri Kosina + +commit 6ae5f983cf8de769214d2d9e8a783c881eccd4cd in mainline + +The commit 95c385 broke proper source address selection for cases in which +there is a address which is makred 'deprecated'. The commit mistakenly +changed ifa->flags to ifa_result->flags (probably copy/paste error from a +few lines above) in the 'Rule 3' address selection code. + +The patch restores the previous RFC-compliant behavior. + +Signed-off-by: Jiri Kosina +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/addrconf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1021,7 +1021,7 @@ int ipv6_dev_get_saddr(struct net_device + hiscore.rule++; + } + if (ipv6_saddr_preferred(score.addr_type) || +- (((ifa_result->flags & ++ (((ifa->flags & + (IFA_F_DEPRECATED|IFA_F_OPTIMISTIC)) == 0))) { + score.attrs |= IPV6_SADDR_SCORE_PREFERRED; + if (!(hiscore.attrs & IPV6_SADDR_SCORE_PREFERRED)) { diff --git a/queue-2.6.22/fix-oops-in-vlan-and-bridging-code.patch b/queue-2.6.22/fix-oops-in-vlan-and-bridging-code.patch new file mode 100644 index 00000000000..460d34dea19 --- /dev/null +++ b/queue-2.6.22/fix-oops-in-vlan-and-bridging-code.patch @@ -0,0 +1,104 @@ +From stable-bounces@linux.kernel.org Thu Sep 20 13:03:02 2007 +From: Evgeniy Polyakov +Date: Thu, 20 Sep 2007 13:02:32 -0700 (PDT) +Subject: Fix oops in vlan and bridging code +To: stable@kernel.org +Cc: bunk@kernel.org +Message-ID: <20070920.130232.00453466.davem@davemloft.net> + + +From: Evgeniy Polyakov + +commit 8c7b43a2e58baa24002fa2b266d9a5007bc52a40 in mainline + +I tried to preserve bridging code as it was before, but logic is quite +strange - I think we should free skb on error, since it is already +unshared and thus will just leak. + +Herbert Xu states: + +> + if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL) +> + goto out; + +If this happens it'll be a double-free on skb since we'll +return NF_DROP which makes the caller free it too. + +We could return NF_STOLEN to prevent that but I'm not sure +whether that's correct netfilter semantics. Patrick, could +you please make a call on this? + +Patrick McHardy states: + +NF_STOLEN should work fine here. + +Signed-off-by: Evgeniy Polyakov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/8021q/vlan_dev.c | 12 +++++++++++- + net/bridge/br_netfilter.c | 12 +++++++----- + 2 files changed, 18 insertions(+), 6 deletions(-) + +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -116,12 +116,22 @@ int vlan_skb_recv(struct sk_buff *skb, s + struct packet_type* ptype, struct net_device *orig_dev) + { + unsigned char *rawp = NULL; +- struct vlan_hdr *vhdr = (struct vlan_hdr *)(skb->data); ++ struct vlan_hdr *vhdr; + unsigned short vid; + struct net_device_stats *stats; + unsigned short vlan_TCI; + __be16 proto; + ++ if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL) ++ return -1; ++ ++ if (unlikely(!pskb_may_pull(skb, VLAN_HLEN))) { ++ kfree_skb(skb); ++ return -1; ++ } ++ ++ vhdr = (struct vlan_hdr *)(skb->data); ++ + /* vlan_TCI = ntohs(get_unaligned(&vhdr->h_vlan_TCI)); */ + vlan_TCI = ntohs(vhdr->h_vlan_TCI); + +--- a/net/bridge/br_netfilter.c ++++ b/net/bridge/br_netfilter.c +@@ -509,8 +509,14 @@ static unsigned int br_nf_pre_routing(un + int (*okfn)(struct sk_buff *)) + { + struct iphdr *iph; +- __u32 len; + struct sk_buff *skb = *pskb; ++ __u32 len = nf_bridge_encap_header_len(skb); ++ ++ if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL) ++ return NF_STOLEN; ++ ++ if (unlikely(!pskb_may_pull(skb, len))) ++ goto out; + + if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) || + IS_PPPOE_IPV6(skb)) { +@@ -518,8 +524,6 @@ static unsigned int br_nf_pre_routing(un + if (!brnf_call_ip6tables) + return NF_ACCEPT; + #endif +- if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL) +- goto out; + nf_bridge_pull_encap_header_rcsum(skb); + return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn); + } +@@ -532,8 +536,6 @@ static unsigned int br_nf_pre_routing(un + !IS_PPPOE_IP(skb)) + return NF_ACCEPT; + +- if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL) +- goto out; + nf_bridge_pull_encap_header_rcsum(skb); + + if (!pskb_may_pull(skb, sizeof(struct iphdr))) diff --git a/queue-2.6.22/fix-pktgen-src_mac-handling.patch b/queue-2.6.22/fix-pktgen-src_mac-handling.patch new file mode 100644 index 00000000000..a587dca10b4 --- /dev/null +++ b/queue-2.6.22/fix-pktgen-src_mac-handling.patch @@ -0,0 +1,56 @@ +From stable-bounces@linux.kernel.org Thu Sep 20 15:20:18 2007 +From: Adit Ranadive +Date: Thu, 20 Sep 2007 12:40:03 -0700 (PDT) +Subject: Fix pktgen src_mac handling. +To: stable@kernel.org +Cc: bunk@kernel.org +Message-ID: <20070920.124003.90824288.davem@davemloft.net> + +From: Adit Ranadive + +commit ce5d0b47f13f83dfb9fbb8ac91adad7120747aaf in mainline + +Subject: [PATCH] [PKTGEN]: srcmac fix + +Signed-off-by: Andrew Morton +Signed-off-by: David S. Miller + +--- + net/core/pktgen.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/core/pktgen.c ++++ b/net/core/pktgen.c +@@ -111,6 +111,9 @@ + * + * 802.1Q/Q-in-Q support by Francesco Fondelli (FF) + * ++ * Fixed src_mac command to set source mac of packet to value specified in ++ * command by Adit Ranadive ++ * + */ + #include + #include +@@ -1415,8 +1418,11 @@ static ssize_t pktgen_if_write(struct fi + } + if (!strcmp(name, "src_mac")) { + char *v = valstr; ++ unsigned char old_smac[ETH_ALEN]; + unsigned char *m = pkt_dev->src_mac; + ++ memcpy(old_smac, pkt_dev->src_mac, ETH_ALEN); ++ + len = strn_len(&user_buffer[i], sizeof(valstr) - 1); + if (len < 0) { + return len; +@@ -1445,6 +1451,10 @@ static ssize_t pktgen_if_write(struct fi + } + } + ++ /* Set up Src MAC */ ++ if (compare_ether_addr(old_smac, pkt_dev->src_mac)) ++ memcpy(&(pkt_dev->hh[6]), pkt_dev->src_mac, ETH_ALEN); ++ + sprintf(pg_result, "OK: srcmac"); + return count; + } diff --git a/queue-2.6.22/fix-sparc64-v100-platform-booting.patch b/queue-2.6.22/fix-sparc64-v100-platform-booting.patch new file mode 100644 index 00000000000..7346f4a6efc --- /dev/null +++ b/queue-2.6.22/fix-sparc64-v100-platform-booting.patch @@ -0,0 +1,68 @@ +From stable-bounces@linux.kernel.org Thu Sep 20 15:20:40 2007 +From: David Miller +Date: Thu, 20 Sep 2007 12:34:02 -0700 (PDT) +Subject: Fix sparc64 v100 platform booting. +To: stable@kernel.org +Cc: bunk@kernel.org +Message-ID: <20070920.123402.37153186.davem@davemloft.net> + +From: David Miller + +commit 2cc7345ff71b27b5ac99e49ad7de39360042f601 in mainline + +Subject: [PATCH] [SPARC64]: Fix booting on V100 systems. + +On the root PCI bus, the OBP device tree lists device 3 twice. +Once as 'pm' and once as 'lomp'. + +Everything goes downhill from there. + +Ignore the second instance to workaround this. + +Thanks to Kövedi_Krisztián for the bug report and +testing the fix. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sparc64/kernel/pci.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/arch/sparc64/kernel/pci.c ++++ b/arch/sparc64/kernel/pci.c +@@ -751,7 +751,7 @@ static void __devinit pci_of_scan_bus(st + { + struct device_node *child; + const u32 *reg; +- int reglen, devfn; ++ int reglen, devfn, prev_devfn; + struct pci_dev *dev; + + if (ofpci_verbose) +@@ -759,14 +759,25 @@ static void __devinit pci_of_scan_bus(st + node->full_name, bus->number); + + child = NULL; ++ prev_devfn = -1; + while ((child = of_get_next_child(node, child)) != NULL) { + if (ofpci_verbose) + printk(" * %s\n", child->full_name); + reg = of_get_property(child, "reg", ®len); + if (reg == NULL || reglen < 20) + continue; ++ + devfn = (reg[0] >> 8) & 0xff; + ++ /* This is a workaround for some device trees ++ * which list PCI devices twice. On the V100 ++ * for example, device number 3 is listed twice. ++ * Once as "pm" and once again as "lomp". ++ */ ++ if (devfn == prev_devfn) ++ continue; ++ prev_devfn = devfn; ++ + /* create a new pci_dev for this device */ + dev = of_create_pci_dev(pbm, child, bus, devfn, 0); + if (!dev) diff --git a/queue-2.6.22/fix-tc_ematch-kbuild.patch b/queue-2.6.22/fix-tc_ematch-kbuild.patch new file mode 100644 index 00000000000..e7e4eb8b4cd --- /dev/null +++ b/queue-2.6.22/fix-tc_ematch-kbuild.patch @@ -0,0 +1,36 @@ +From stable-bounces@linux.kernel.org Thu Sep 20 13:04:48 2007 +From: Stephen Hemminger +Date: Thu, 20 Sep 2007 13:04:12 -0700 (PDT) +Subject: Fix tc_ematch kbuild +To: stable@kernel.org +Cc: bunk@kernel.org +Message-ID: <20070920.130412.22019508.davem@davemloft.net> + + +From: Stephen Hemminger + +commit 09d74cdd88a59a18f2ad7cfa0b6045ed1817b632 in mainline. + +Subject: [PATCH] [KBUILD]: Sanitize tc_ematch headers. + +The headers in tc_ematch are used by iproute2, so these headers should +be processed. + +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/Kbuild | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/linux/Kbuild ++++ b/include/linux/Kbuild +@@ -7,6 +7,7 @@ header-y += raid/ + header-y += spi/ + header-y += sunrpc/ + header-y += tc_act/ ++header-y += tc_ematch/ + header-y += netfilter/ + header-y += netfilter_arp/ + header-y += netfilter_bridge/ diff --git a/queue-2.6.22/fix-tcp-dsack-cwnd-handling.patch b/queue-2.6.22/fix-tcp-dsack-cwnd-handling.patch new file mode 100644 index 00000000000..1add66345a4 --- /dev/null +++ b/queue-2.6.22/fix-tcp-dsack-cwnd-handling.patch @@ -0,0 +1,59 @@ +From stable-bounces@linux.kernel.org Thu Sep 20 13:11:27 2007 +From: Ilpo Järvinen +Date: Thu, 20 Sep 2007 13:11:07 -0700 (PDT) +Subject: Fix TCP DSACK cwnd handling +To: stable@kernel.org +Cc: bunk@kernel.org +Message-ID: <20070920.131107.91759132.davem@davemloft.net> + +From: Ilpo Järvinen + +commit 49ff4bb4cd4c04acf8f9e3d3ec2148305a1db445 in mainline. + +[TCP]: DSACK signals data receival, be conservative + +In case a DSACK is received, it's better to lower cwnd as it's +a sign of data receival. + +Signed-off-by: Ilpo Järvinen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_input.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -103,6 +103,7 @@ int sysctl_tcp_abc __read_mostly; + #define FLAG_SLOWPATH 0x100 /* Do not skip RFC checks for window update.*/ + #define FLAG_ONLY_ORIG_SACKED 0x200 /* SACKs only non-rexmit sent before RTO */ + #define FLAG_SND_UNA_ADVANCED 0x400 /* Snd_una was changed (!= FLAG_DATA_ACKED) */ ++#define FLAG_DSACKING_ACK 0x800 /* SACK blocks contained DSACK info */ + + #define FLAG_ACKED (FLAG_DATA_ACKED|FLAG_SYN_ACKED) + #define FLAG_NOT_DUP (FLAG_DATA|FLAG_WIN_UPDATE|FLAG_ACKED) +@@ -966,12 +967,14 @@ tcp_sacktag_write_queue(struct sock *sk, + + /* Check for D-SACK. */ + if (before(ntohl(sp[0].start_seq), TCP_SKB_CB(ack_skb)->ack_seq)) { ++ flag |= FLAG_DSACKING_ACK; + found_dup_sack = 1; + tp->rx_opt.sack_ok |= 4; + NET_INC_STATS_BH(LINUX_MIB_TCPDSACKRECV); + } else if (num_sacks > 1 && + !after(ntohl(sp[0].end_seq), ntohl(sp[1].end_seq)) && + !before(ntohl(sp[0].start_seq), ntohl(sp[1].start_seq))) { ++ flag |= FLAG_DSACKING_ACK; + found_dup_sack = 1; + tp->rx_opt.sack_ok |= 4; + NET_INC_STATS_BH(LINUX_MIB_TCPDSACKOFORECV); +@@ -1858,7 +1861,7 @@ static void tcp_cwnd_down(struct sock *s + struct tcp_sock *tp = tcp_sk(sk); + int decr = tp->snd_cwnd_cnt + 1; + +- if ((flag&FLAG_ANY_PROGRESS) || ++ if ((flag&(FLAG_ANY_PROGRESS|FLAG_DSACKING_ACK)) || + (IsReno(tp) && !(flag&FLAG_NOT_DUP))) { + tp->snd_cwnd_cnt = decr&1; + decr >>= 1; diff --git a/queue-2.6.22/handle-snd_una-in-tcp_cwnd_down.patch b/queue-2.6.22/handle-snd_una-in-tcp_cwnd_down.patch new file mode 100644 index 00000000000..74fae7bcadb --- /dev/null +++ b/queue-2.6.22/handle-snd_una-in-tcp_cwnd_down.patch @@ -0,0 +1,108 @@ +From stable-bounces@linux.kernel.org Thu Sep 20 13:10:54 2007 +From: Ilpo Järvinen +Date: Thu, 20 Sep 2007 13:10:25 -0700 (PDT) +Subject: Handle snd_una in tcp_cwnd_down() +To: stable@kernel.org +Cc: bunk@kernel.org +Message-ID: <20070920.131025.26930710.davem@davemloft.net> + +From: Ilpo Järvinen + +commit 6ee8009e38006da81d2a53da1aaa27365552553e in mainline + +Subject: [PATCH 1/1] [TCP]: Also handle snd_una changes in tcp_cwnd_down + +tcp_cwnd_down must check for it too as it should be conservative +in case of collapse stuff and also when receiver is trying to +lie (though it wouldn't be successful anyway). + +Note: +- Separated also is_dupack and do_lost in fast_retransalert + * Much cleaner look-and-feel now + * This time it really fixes cumulative ACK + many new + SACK blocks recovery entry (I claimed this fixes with + last patch but it wasn't). TCP will now call + tcp_update_scoreboard regardless of is_dupack when + in recovery as long as there is enough fackets_out. +- Introduce FLAG_SND_UNA_ADVANCED + * Some prior_snd_una arguments are unnecessary after it +- Added helper FLAG_ANY_PROGRESS to avoid long FLAG...|FLAG... + constructs + +This is a reduced version of a mainline patch. + +Signed-off-by: Ilpo Järvinen +Cc: David Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_input.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -102,11 +102,13 @@ int sysctl_tcp_abc __read_mostly; + #define FLAG_DATA_LOST 0x80 /* SACK detected data lossage. */ + #define FLAG_SLOWPATH 0x100 /* Do not skip RFC checks for window update.*/ + #define FLAG_ONLY_ORIG_SACKED 0x200 /* SACKs only non-rexmit sent before RTO */ ++#define FLAG_SND_UNA_ADVANCED 0x400 /* Snd_una was changed (!= FLAG_DATA_ACKED) */ + + #define FLAG_ACKED (FLAG_DATA_ACKED|FLAG_SYN_ACKED) + #define FLAG_NOT_DUP (FLAG_DATA|FLAG_WIN_UPDATE|FLAG_ACKED) + #define FLAG_CA_ALERT (FLAG_DATA_SACKED|FLAG_ECE) + #define FLAG_FORWARD_PROGRESS (FLAG_ACKED|FLAG_DATA_SACKED) ++#define FLAG_ANY_PROGRESS (FLAG_FORWARD_PROGRESS|FLAG_SND_UNA_ADVANCED) + + #define IsReno(tp) ((tp)->rx_opt.sack_ok == 0) + #define IsFack(tp) ((tp)->rx_opt.sack_ok & 2) +@@ -1856,7 +1858,7 @@ static void tcp_cwnd_down(struct sock *s + struct tcp_sock *tp = tcp_sk(sk); + int decr = tp->snd_cwnd_cnt + 1; + +- if ((flag&FLAG_FORWARD_PROGRESS) || ++ if ((flag&FLAG_ANY_PROGRESS) || + (IsReno(tp) && !(flag&FLAG_NOT_DUP))) { + tp->snd_cwnd_cnt = decr&1; + decr >>= 1; +@@ -2112,10 +2114,9 @@ tcp_fastretrans_alert(struct sock *sk, u + { + struct inet_connection_sock *icsk = inet_csk(sk); + struct tcp_sock *tp = tcp_sk(sk); +- int is_dupack = (tp->snd_una == prior_snd_una && +- (!(flag&FLAG_NOT_DUP) || +- ((flag&FLAG_DATA_SACKED) && +- (tp->fackets_out > tp->reordering)))); ++ int is_dupack = !(flag&(FLAG_SND_UNA_ADVANCED|FLAG_NOT_DUP)); ++ int do_lost = is_dupack || ((flag&FLAG_DATA_SACKED) && ++ (tp->fackets_out > tp->reordering)); + + /* Some technical things: + * 1. Reno does not count dupacks (sacked_out) automatically. */ +@@ -2199,7 +2200,7 @@ tcp_fastretrans_alert(struct sock *sk, u + int acked = prior_packets - tp->packets_out; + if (IsReno(tp)) + tcp_remove_reno_sacks(sk, acked); +- is_dupack = tcp_try_undo_partial(sk, acked); ++ do_lost = tcp_try_undo_partial(sk, acked); + } + break; + case TCP_CA_Loss: +@@ -2264,7 +2265,7 @@ tcp_fastretrans_alert(struct sock *sk, u + tcp_set_ca_state(sk, TCP_CA_Recovery); + } + +- if (is_dupack || tcp_head_timedout(sk)) ++ if (do_lost || tcp_head_timedout(sk)) + tcp_update_scoreboard(sk); + tcp_cwnd_down(sk, flag); + tcp_xmit_retransmit_queue(sk); +@@ -2774,6 +2775,9 @@ static int tcp_ack(struct sock *sk, stru + if (before(ack, prior_snd_una)) + goto old_ack; + ++ if (after(ack, prior_snd_una)) ++ flag |= FLAG_SND_UNA_ADVANCED; ++ + if (sysctl_tcp_abc) { + if (icsk->icsk_ca_state < TCP_CA_CWR) + tp->bytes_acked += ack - prior_snd_una; diff --git a/queue-2.6.22/series b/queue-2.6.22/series index 4e185dc7c44..7994026dcd7 100644 --- a/queue-2.6.22/series +++ b/queue-2.6.22/series @@ -34,3 +34,16 @@ crypto-blkcipher_get_spot-handling-of-buffer-at-end-of-page.patch fix-realtek-phy-id-in-forcedeth.patch fix-decnet-device-address-listing.patch fix-device-address-listing-for-ipv4.patch +fix-inet_diag-oops.patch +fix-ipv6-append-oops.patch +fix-ipsec-ah4-options-handling.patch +fix-ipv6-double-sock-release-with-msg_confirm.patch +fix-ipv6-dad-handling.patch +fix-ipv6-source-address-handling.patch +fix-oops-in-vlan-and-bridging-code.patch +fix-tc_ematch-kbuild.patch +handle-snd_una-in-tcp_cwnd_down.patch +fix-tcp-dsack-cwnd-handling.patch +fix-datagram-recvmsg-null-iov-handling-regression.patch +fix-pktgen-src_mac-handling.patch +fix-sparc64-v100-platform-booting.patch