From 6f65de02f276c2cb47bb34623a308a2e76092fff Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 23 Aug 2007 14:24:59 -0700 Subject: [PATCH] more 2.6.22 patches queued up --- ..._kernel-allocation-in-atomic-context.patch | 54 +++++ .../fix-soft-fp-underflow-handling.patch | 127 ++++++++++ ...vmalloc-synchronization-for-paravirt.patch | 53 +++++ ...ile-send-sctp-data-with-ip-fragments.patch | 108 +++++++++ ...invalid-semicolon-after-if-statement.patch | 35 +++ ...-missing-rcu-unlock-in-__sock_create.patch | 36 +++ ...r-missing-kbuild-entry-for-netfilter.patch | 33 +++ queue-2.6.22/ppp-fix-ppp-buffer-sizing.patch | 41 ++++ queue-2.6.22/series | 17 ++ ...fd-fix-interaction-with-posix-timers.patch | 63 +++++ ...oup-wide-fix-posix-timers-scheduling.patch | 100 ++++++++ ...ap-fix-snap-protocol-header-accesses.patch | 64 +++++ ...sparc64-pci-config-accesses-on-sun4u.patch | 219 ++++++++++++++++++ ...parc64-fix-sparc64-task-stack-traces.patch | 79 +++++++ ...o-not-autobind-ports-for-tcp-sockets.patch | 102 ++++++++ ...dling-of-sack-in-bidirectional-flows.patch | 47 ++++ ...-rate-halving-on-bidirectional-flows.patch | 76 ++++++ ...-fix-previous-request-size-limit-fix.patch | 50 ++++ 18 files changed, 1304 insertions(+) create mode 100644 queue-2.6.22/dccp-fix-dccp-gfp_kernel-allocation-in-atomic-context.patch create mode 100644 queue-2.6.22/fix-soft-fp-underflow-handling.patch create mode 100644 queue-2.6.22/i386-fix-lazy-mode-vmalloc-synchronization-for-paravirt.patch create mode 100644 queue-2.6.22/ipv6-fix-kernel-panic-while-send-sctp-data-with-ip-fragments.patch create mode 100644 queue-2.6.22/ipv6-invalid-semicolon-after-if-statement.patch create mode 100644 queue-2.6.22/net-fix-missing-rcu-unlock-in-__sock_create.patch create mode 100644 queue-2.6.22/netfilter-missing-kbuild-entry-for-netfilter.patch create mode 100644 queue-2.6.22/ppp-fix-ppp-buffer-sizing.patch create mode 100644 queue-2.6.22/signalfd-fix-interaction-with-posix-timers.patch create mode 100644 queue-2.6.22/signalfd-make-it-group-wide-fix-posix-timers-scheduling.patch create mode 100644 queue-2.6.22/snap-fix-snap-protocol-header-accesses.patch create mode 100644 queue-2.6.22/sparc64-fix-sparc64-pci-config-accesses-on-sun4u.patch create mode 100644 queue-2.6.22/sparc64-fix-sparc64-task-stack-traces.patch create mode 100644 queue-2.6.22/tcp-do-not-autobind-ports-for-tcp-sockets.patch create mode 100644 queue-2.6.22/tcp-fix-tcp-handling-of-sack-in-bidirectional-flows.patch create mode 100644 queue-2.6.22/tcp-fix-tcp-rate-halving-on-bidirectional-flows.patch create mode 100644 queue-2.6.22/uml-fix-previous-request-size-limit-fix.patch diff --git a/queue-2.6.22/dccp-fix-dccp-gfp_kernel-allocation-in-atomic-context.patch b/queue-2.6.22/dccp-fix-dccp-gfp_kernel-allocation-in-atomic-context.patch new file mode 100644 index 00000000000..c73d592e68f --- /dev/null +++ b/queue-2.6.22/dccp-fix-dccp-gfp_kernel-allocation-in-atomic-context.patch @@ -0,0 +1,54 @@ +From stable-bounces@linux.kernel.org Tue Aug 21 20:53:33 2007 +From: Gerrit Renker +Date: Tue, 21 Aug 2007 20:53:27 -0700 (PDT) +Subject: DCCP: Fix DCCP GFP_KERNEL allocation in atomic context +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070821.205327.26278036.davem@davemloft.net> + +From: Gerrit Renker + +This fixes the following bug reported in syslog: + +[ 4039.051658] BUG: sleeping function called from invalid context at /usr/src/davem-2.6/mm/slab.c:3032 +[ 4039.051668] in_atomic():1, irqs_disabled():0 +[ 4039.051670] INFO: lockdep is turned off. +[ 4039.051674] [] show_trace_log_lvl+0x1a/0x30 +[ 4039.051687] [] show_trace+0x12/0x14 +[ 4039.051691] [] dump_stack+0x16/0x18 +[ 4039.051695] [] __might_sleep+0xaf/0xbe +[ 4039.051700] [] __kmalloc+0xb1/0xd0 +[ 4039.051706] [] ccid2_hc_tx_alloc_seq+0x35/0xc3 [dccp_ccid2] +[ 4039.051717] [] ccid2_hc_tx_packet_sent+0x27f/0x2d9 [dccp_ccid2] +[ 4039.051723] [] dccp_write_xmit+0x1eb/0x338 [dccp] +[ 4039.051741] [] dccp_sendmsg+0x113/0x18f [dccp] +[ 4039.051750] [] inet_sendmsg+0x2e/0x4c +[ 4039.051758] [] sock_aio_write+0xd5/0x107 +[ 4039.051766] [] do_sync_write+0xcd/0x11c +[ 4039.051772] [] vfs_write+0x118/0x11f +[ 4039.051840] [] sys_write+0x3d/0x64 +[ 4039.051845] [] syscall_call+0x7/0xb +[ 4039.051848] ======================= + +The problem was that GFP_KERNEL was used; fixed by using gfp_any(). + +Signed-off-by: Gerrit Renker +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/dccp/ccids/ccid2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/dccp/ccids/ccid2.c ++++ b/net/dccp/ccids/ccid2.c +@@ -298,7 +298,7 @@ static void ccid2_hc_tx_packet_sent(stru + int rc; + + ccid2_pr_debug("allocating more space in history\n"); +- rc = ccid2_hc_tx_alloc_seq(hctx, CCID2_SEQBUF_LEN, GFP_KERNEL); ++ rc = ccid2_hc_tx_alloc_seq(hctx, CCID2_SEQBUF_LEN, gfp_any()); + BUG_ON(rc); /* XXX what do we do? */ + + next = hctx->ccid2hctx_seqh->ccid2s_next; diff --git a/queue-2.6.22/fix-soft-fp-underflow-handling.patch b/queue-2.6.22/fix-soft-fp-underflow-handling.patch new file mode 100644 index 00000000000..29ec3343d58 --- /dev/null +++ b/queue-2.6.22/fix-soft-fp-underflow-handling.patch @@ -0,0 +1,127 @@ +From stable-bounces@linux.kernel.org Tue Aug 21 21:04:16 2007 +From: David Miller +Date: Tue, 21 Aug 2007 21:04:07 -0700 (PDT) +Subject: Fix soft-fp underflow handling. +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070821.210407.55726339.davem@davemloft.net> + + +From: David Miller + +The underflow exception cases were wrong. + +This is one weird area of ieee1754 handling in that the underflow +behavior changes based upon whether underflow is enabled in the trap +enable mask of the FPU control register. As a specific case the Sparc +V9 manual gives us the following description: + +-------------------- +If UFM = 0: Underflow occurs if a nonzero result is tiny and a + loss of accuracy occurs. Tininess may be detected + before or after rounding. Loss of accuracy may be + either a denormalization loss or an inexact result. + +If UFM = 1: Underflow occurs if a nonzero result is tiny. + Tininess may be detected before or after rounding. +-------------------- + +What this amounts to in the packing case is if we go subnormal, +we set underflow if any of the following are true: + +1) rounding sets inexact +2) we ended up rounding back up to normal (this is the case where + we set the exponent to 1 and set the fraction to zero), this + should set inexact too +3) underflow is set in FPU control register trap-enable mask + +The initially discovered example was "DBL_MIN / 16.0" which +incorrectly generated an underflow. It should not, unless underflow +is set in the trap-enable mask of the FPU csr. + +Another example, "0x0.0000000000001p-1022 / 16.0", should signal both +inexact and underflow. The cpu implementations and ieee1754 +literature is very clear about this. This is case #2 above. + +However, if underflow is set in the trap enable mask, only underflow +should be set and reported as a trap. That is handled properly by the +prioritization logic in + +arch/sparc{,64}/math-emu/math.c:record_exception(). + +Based upon a report and test case from Jakub Jelinek. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/asm-sparc/sfp-machine.h | 6 ++++++ + include/asm-sparc64/sfp-machine.h | 2 ++ + include/math-emu/op-common.h | 5 ++++- + include/math-emu/soft-fp.h | 7 +++++++ + 4 files changed, 19 insertions(+), 1 deletion(-) + +--- a/include/asm-sparc/sfp-machine.h ++++ b/include/asm-sparc/sfp-machine.h +@@ -203,4 +203,10 @@ extern struct task_struct *last_task_use + #define FP_INHIBIT_RESULTS ((last_task_used_math->thread.fsr >> 23) & _fex) + #endif + ++#ifdef CONFIG_SMP ++#define FP_TRAPPING_EXCEPTIONS ((current->thread.fsr >> 23) & 0x1f) ++#else ++#define FP_TRAPPING_EXCEPTIONS ((last_task_used_math->thread.fsr >> 23) & 0x1f) ++#endif ++ + #endif +--- a/include/asm-sparc64/sfp-machine.h ++++ b/include/asm-sparc64/sfp-machine.h +@@ -88,4 +88,6 @@ + + #define FP_INHIBIT_RESULTS ((current_thread_info()->xfsr[0] >> 23) & _fex) + ++#define FP_TRAPPING_EXCEPTIONS ((current_thread_info()->xfsr[0] >> 23) & 0x1f) ++ + #endif +--- a/include/math-emu/op-common.h ++++ b/include/math-emu/op-common.h +@@ -145,13 +145,16 @@ do { \ + { \ + X##_e = 1; \ + _FP_FRAC_SET_##wc(X, _FP_ZEROFRAC_##wc); \ ++ FP_SET_EXCEPTION(FP_EX_INEXACT); \ + } \ + else \ + { \ + X##_e = 0; \ + _FP_FRAC_SRL_##wc(X, _FP_WORKBITS); \ +- FP_SET_EXCEPTION(FP_EX_UNDERFLOW); \ + } \ ++ if ((FP_CUR_EXCEPTIONS & FP_EX_INEXACT) || \ ++ (FP_TRAPPING_EXCEPTIONS & FP_EX_UNDERFLOW)) \ ++ FP_SET_EXCEPTION(FP_EX_UNDERFLOW); \ + } \ + else \ + { \ +--- a/include/math-emu/soft-fp.h ++++ b/include/math-emu/soft-fp.h +@@ -97,12 +97,19 @@ + #define FP_INHIBIT_RESULTS 0 + #endif + ++#ifndef FP_TRAPPING_EXCEPTIONS ++#define FP_TRAPPING_EXCEPTIONS 0 ++#endif ++ + #define FP_SET_EXCEPTION(ex) \ + _fex |= (ex) + + #define FP_UNSET_EXCEPTION(ex) \ + _fex &= ~(ex) + ++#define FP_CUR_EXCEPTIONS \ ++ (_fex) ++ + #define FP_CLEAR_EXCEPTIONS \ + _fex = 0 + diff --git a/queue-2.6.22/i386-fix-lazy-mode-vmalloc-synchronization-for-paravirt.patch b/queue-2.6.22/i386-fix-lazy-mode-vmalloc-synchronization-for-paravirt.patch new file mode 100644 index 00000000000..df86af1d959 --- /dev/null +++ b/queue-2.6.22/i386-fix-lazy-mode-vmalloc-synchronization-for-paravirt.patch @@ -0,0 +1,53 @@ +From stable-bounces@linux.kernel.org Wed Aug 22 14:12:27 2007 +From: Zachary Amsden +Date: Wed, 22 Aug 2007 14:02:02 -0700 +Subject: i386: fix lazy mode vmalloc synchronization for paravirt +To: torvalds@linux-foundation.org +Cc: zach@vmware.com, akpm@linux-foundation.org, ak@suse.de, jeremy@goop.org, stable@kernel.org +Message-ID: <200708222102.l7ML22xn004152@imap1.linux-foundation.org> + + +From: Zachary Amsden + +Found this looping Ubuntu installs with VMI. + +If unlucky enough to hit a vmalloc sync fault during a lazy mode +operation (from an IRQ handler for a module which was not yet populated +in current page directory, or from inside copy_one_pte, which touches +swap_map, and hit in an unused 4M region), the required PDE update would +never get flushed, causing an infinite page fault loop. + +This bug affects any paravirt-ops backend which uses lazy updates, I +believe that makes it a bug in Xen, VMI and lguest. It only happens on +LOWMEM kernels. + + +Touching vmalloc memory in the middle of a lazy mode update can generate a +kernel PDE update, which must be flushed immediately. The fix is to leave +lazy mode when doing a vmalloc sync. + +Signed-off-by: Zachary Amsden +Cc: Andi Kleen +Cc: Jeremy Fitzhardinge +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + arch/i386/mm/fault.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/i386/mm/fault.c ++++ b/arch/i386/mm/fault.c +@@ -249,9 +249,10 @@ static inline pmd_t *vmalloc_sync_one(pg + pmd_k = pmd_offset(pud_k, address); + if (!pmd_present(*pmd_k)) + return NULL; +- if (!pmd_present(*pmd)) ++ if (!pmd_present(*pmd)) { + set_pmd(pmd, *pmd_k); +- else ++ arch_flush_lazy_mmu_mode(); ++ } else + BUG_ON(pmd_page(*pmd) != pmd_page(*pmd_k)); + return pmd_k; + } diff --git a/queue-2.6.22/ipv6-fix-kernel-panic-while-send-sctp-data-with-ip-fragments.patch b/queue-2.6.22/ipv6-fix-kernel-panic-while-send-sctp-data-with-ip-fragments.patch new file mode 100644 index 00000000000..6de102c2eda --- /dev/null +++ b/queue-2.6.22/ipv6-fix-kernel-panic-while-send-sctp-data-with-ip-fragments.patch @@ -0,0 +1,108 @@ +From stable-bounces@linux.kernel.org Tue Aug 21 21:01:16 2007 +From: Wei Yongjun +Date: Tue, 21 Aug 2007 21:01:01 -0700 (PDT) +Subject: IPV6: Fix kernel panic while send SCTP data with IP fragments +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070821.210101.17863194.davem@davemloft.net> + + +From: Wei Yongjun + +If ICMP6 message with "Packet Too Big" is received after send SCTP DATA, +kernel panic will occur when SCTP DATA is send again. + +This is because of a bad dest address when call to skb_copy_bits(). + +The messages sequence is like this: + +Endpoint A Endpoint B + <------- SCTP DATA (size=1432) +ICMP6 message -------> +(Packet Too Big pmtu=1280) + <------- Resend SCTP DATA (size=1432) +------------kernel panic--------------- + + printing eip: +c05be62a +*pde = 00000000 +Oops: 0002 [#1] +SMP +Modules linked in: scomm l2cap bluetooth ipv6 dm_mirror dm_mod video output sbs battery lp floppy sg i2c_piix4 i2c_core pcnet32 mii button ac parport_pc parport ide_cd cdrom serio_raw mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd +CPU: 0 +EIP: 0060:[] Not tainted VLI +EFLAGS: 00010282 (2.6.23-rc2 #1) +EIP is at skb_copy_bits+0x4f/0x1ef +eax: 000004d0 ebx: ce12a980 ecx: 00000134 edx: cfd5a880 +esi: c8246858 edi: 00000000 ebp: c0759b14 esp: c0759adc +ds: 007b es: 007b fs: 00d8 gs: 0000 ss: 0068 +Process swapper (pid: 0, ti=c0759000 task=c06d0340 task.ti=c0713000) +Stack: c0759b88 c0405867 ce12a980 c8bff838 c789c084 00000000 00000028 cfd5a880 + d09f1890 000005dc 0000007b ce12a980 cfd5a880 c8bff838 c0759b88 d09bc521 + 000004d0 fffff96c 00000200 00000100 c0759b50 cfd5a880 00000246 c0759bd4 +Call Trace: + [] show_trace_log_lvl+0x1a/0x2f + [] show_stack_log_lvl+0x9b/0xa3 + [] show_registers+0x1b8/0x289 + [] die+0x113/0x246 + [] do_page_fault+0x4ad/0x57e + [] error_code+0x72/0x78 + [] ip6_output+0x8e5/0xab2 [ipv6] + [] ip6_xmit+0x2ea/0x3a3 [ipv6] + [] sctp_v6_xmit+0x248/0x253 [sctp] + [] sctp_packet_transmit+0x53f/0x5ae [sctp] + [] sctp_outq_flush+0x555/0x587 [sctp] + [] sctp_retransmit+0xf8/0x10f [sctp] + [] sctp_icmp_frag_needed+0x57/0x5b [sctp] + [] sctp_v6_err+0xcd/0x148 [sctp] + [] icmpv6_notify+0xe6/0x167 [ipv6] + [] icmpv6_rcv+0x7d7/0x849 [ipv6] + [] ip6_input+0x1dc/0x310 [ipv6] + [] ipv6_rcv+0x294/0x2df [ipv6] + [] netif_receive_skb+0x2d2/0x335 + [] process_backlog+0x7f/0xd0 + [] net_rx_action+0x96/0x17e + [] __do_softirq+0x64/0xcd + [] do_softirq+0x5c/0xac + ======================= +Code: 00 00 29 ca 89 d0 2b 45 e0 89 55 ec 85 c0 7e 35 39 45 08 8b 55 e4 0f 4e 45 08 8b 75 e0 8b 7d dc 89 c1 c1 e9 02 03 b2 a0 00 00 00 a5 89 c1 83 e1 03 74 02 f3 a4 29 45 08 0f 84 7b 01 00 00 01 +EIP: [] skb_copy_bits+0x4f/0x1ef SS:ESP 0068:c0759adc +Kernel panic - not syncing: Fatal exception in interrupt + +Arnaldo says: +==================== +Thanks! I'm to blame for this one, problem was introduced in: + +b0e380b1d8a8e0aca215df97702f99815f05c094 + + /* + * Copy a block of the IP datagram. + */ +- if (skb_copy_bits(skb, ptr, frag->h.raw, len)) ++ if (skb_copy_bits(skb, ptr, skb_transport_header(skb), +len)) + BUG(); + left -= len; +==================== + +Signed-off-by: Wei Yongjun +Acked-by: YOSHIFUJI Hideaki +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ip6_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -790,7 +790,7 @@ slow_path: + /* + * Copy a block of the IP datagram. + */ +- if (skb_copy_bits(skb, ptr, skb_transport_header(skb), len)) ++ if (skb_copy_bits(skb, ptr, skb_transport_header(frag), len)) + BUG(); + left -= len; + diff --git a/queue-2.6.22/ipv6-invalid-semicolon-after-if-statement.patch b/queue-2.6.22/ipv6-invalid-semicolon-after-if-statement.patch new file mode 100644 index 00000000000..a63d0da192c --- /dev/null +++ b/queue-2.6.22/ipv6-invalid-semicolon-after-if-statement.patch @@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Tue Aug 21 21:02:39 2007 +Author: Ilpo Järvinen +Date: Tue, 21 Aug 2007 21:02:27 -0700 (PDT) +Subject: IPv6: Invalid semicolon after if statement +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070821.210227.68041458.davem@davemloft.net> + + +Author: Ilpo Järvinen + +A similar fix to netfilter from Eric Dumazet inspired me to +look around a bit by using some grep/sed stuff as looking for +this kind of bugs seemed easy to automate. This is one of them +I found where it looks like this semicolon is not valid. + +Signed-off-by: Ilpo Järvinen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ipv6_sockglue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -825,7 +825,7 @@ static int ipv6_getsockopt_sticky(struct + return 0; + + len = min_t(unsigned int, len, ipv6_optlen(hdr)); +- if (copy_to_user(optval, hdr, len)); ++ if (copy_to_user(optval, hdr, len)) + return -EFAULT; + return ipv6_optlen(hdr); + } diff --git a/queue-2.6.22/net-fix-missing-rcu-unlock-in-__sock_create.patch b/queue-2.6.22/net-fix-missing-rcu-unlock-in-__sock_create.patch new file mode 100644 index 00000000000..2b941d3b4d6 --- /dev/null +++ b/queue-2.6.22/net-fix-missing-rcu-unlock-in-__sock_create.patch @@ -0,0 +1,36 @@ +From stable-bounces@linux.kernel.org Tue Aug 21 21:09:22 2007 +Author: Herbert Xu +Date: Tue, 21 Aug 2007 21:09:15 -0700 (PDT) +Subject: NET: Fix missing rcu unlock in __sock_create() +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070821.210915.02298604.davem@davemloft.net> + + +From: Herbert Xu + +[NET]: Fix unbalanced rcu_read_unlock in __sock_create + +The recent RCU work created an unbalanced rcu_read_unlock +in __sock_create. This patch fixes that. Reported by +oleg 123. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -1169,7 +1169,7 @@ static int __sock_create(int family, int + module_put(pf->owner); + err = security_socket_post_create(sock, family, type, protocol, kern); + if (err) +- goto out_release; ++ goto out_sock_release; + *res = sock; + + return 0; diff --git a/queue-2.6.22/netfilter-missing-kbuild-entry-for-netfilter.patch b/queue-2.6.22/netfilter-missing-kbuild-entry-for-netfilter.patch new file mode 100644 index 00000000000..6e77da4b101 --- /dev/null +++ b/queue-2.6.22/netfilter-missing-kbuild-entry-for-netfilter.patch @@ -0,0 +1,33 @@ +From stable-bounces@linux.kernel.org Tue Aug 21 21:05:24 2007 +Author: Chuck Ebbert +Date: Tue, 21 Aug 2007 21:05:14 -0700 (PDT) +Subject: Netfilter: Missing Kbuild entry for netfilter +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070821.210514.10298205.davem@davemloft.net> + + +Author: Chuck Ebbert + +Add xt_statistic.h to the list of headers to install. + +Apparently needed to build newer versions of iptables. + +Signed-off-by: Chuck Ebbert +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/netfilter/Kbuild | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/linux/netfilter/Kbuild ++++ b/include/linux/netfilter/Kbuild +@@ -28,6 +28,7 @@ header-y += xt_policy.h + header-y += xt_realm.h + header-y += xt_sctp.h + header-y += xt_state.h ++header-y += xt_statistic.h + header-y += xt_string.h + header-y += xt_tcpmss.h + header-y += xt_tcpudp.h diff --git a/queue-2.6.22/ppp-fix-ppp-buffer-sizing.patch b/queue-2.6.22/ppp-fix-ppp-buffer-sizing.patch new file mode 100644 index 00000000000..7c312dca1d6 --- /dev/null +++ b/queue-2.6.22/ppp-fix-ppp-buffer-sizing.patch @@ -0,0 +1,41 @@ +From stable-bounces@linux.kernel.org Tue Aug 21 21:20:37 2007 +From: David Miller +Date: Tue, 21 Aug 2007 21:20:25 -0700 (PDT) +Subject: PPP: Fix PPP buffer sizing. +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070821.212025.107251526.davem@davemloft.net> + + +From: Konstantin Sharlaimov + +This patch addresses the issue with "osize too small" errors in mppe +encryption. The patch fixes the issue with wrong output buffer size +being passed to ppp decompression routine. + +-------------------- +As pointed out by Suresh Mahalingam, the issue addressed by +ppp-fix-osize-too-small-errors-when-decoding patch is not fully resolved yet. +The size of allocated output buffer is correct, however it size passed to +ppp->rcomp->decompress in ppp_generic.c if wrong. The patch fixes that. +-------------------- + +Signed-off-by: Konstantin Sharlaimov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ppp_generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ppp_generic.c ++++ b/drivers/net/ppp_generic.c +@@ -1726,7 +1726,7 @@ ppp_decompress_frame(struct ppp *ppp, st + } + /* the decompressor still expects the A/C bytes in the hdr */ + len = ppp->rcomp->decompress(ppp->rc_state, skb->data - 2, +- skb->len + 2, ns->data, ppp->mru + PPP_HDRLEN); ++ skb->len + 2, ns->data, obuff_size); + if (len < 0) { + /* Pass the compressed frame to pppd as an + error indication. */ diff --git a/queue-2.6.22/series b/queue-2.6.22/series index 2a7c93b3cc9..b5edf7da581 100644 --- a/queue-2.6.22/series +++ b/queue-2.6.22/series @@ -1,3 +1,20 @@ ocfs2-fix-bad-source-start-calculation-during-kernel-writes.patch net-share-correct-feature-code-between-bridging-and-bonding.patch sky2-don-t-clear-phy-power-bits.patch +uml-fix-previous-request-size-limit-fix.patch +i386-fix-lazy-mode-vmalloc-synchronization-for-paravirt.patch +signalfd-fix-interaction-with-posix-timers.patch +signalfd-make-it-group-wide-fix-posix-timers-scheduling.patch +dccp-fix-dccp-gfp_kernel-allocation-in-atomic-context.patch +ipv6-fix-kernel-panic-while-send-sctp-data-with-ip-fragments.patch +ipv6-invalid-semicolon-after-if-statement.patch +fix-soft-fp-underflow-handling.patch +netfilter-missing-kbuild-entry-for-netfilter.patch +snap-fix-snap-protocol-header-accesses.patch +net-fix-missing-rcu-unlock-in-__sock_create.patch +sparc64-fix-sparc64-task-stack-traces.patch +sparc64-fix-sparc64-pci-config-accesses-on-sun4u.patch +tcp-do-not-autobind-ports-for-tcp-sockets.patch +tcp-fix-tcp-rate-halving-on-bidirectional-flows.patch +tcp-fix-tcp-handling-of-sack-in-bidirectional-flows.patch +ppp-fix-ppp-buffer-sizing.patch diff --git a/queue-2.6.22/signalfd-fix-interaction-with-posix-timers.patch b/queue-2.6.22/signalfd-fix-interaction-with-posix-timers.patch new file mode 100644 index 00000000000..1fa172b92ac --- /dev/null +++ b/queue-2.6.22/signalfd-fix-interaction-with-posix-timers.patch @@ -0,0 +1,63 @@ +From stable-bounces@linux.kernel.org Wed Aug 22 14:13:21 2007 +From: Oleg Nesterov +Date: Wed, 22 Aug 2007 14:01:42 -0700 +Subject: signalfd: fix interaction with posix-timers +To: torvalds@linux-foundation.org +Cc: mtk-manpages@gmx.net, benh@kernel.crashing.org, oleg@tv-sign.ru, stable@kernel.org, tglx@linutronix.de, davidel@xmailserver.org, akpm@linux-foundation.org, mingo@elte.hu, roland@redhat.com +Message-ID: <200708222101.l7ML1h3K004059@imap1.linux-foundation.org> + + +From: Oleg Nesterov + +dequeue_signal: + + if (__SI_TIMER) { + spin_unlock(&tsk->sighand->siglock); + do_schedule_next_timer(info); + spin_lock(&tsk->sighand->siglock); + } + +Unless tsk == curent, this is absolutely unsafe: nothing prevents tsk from +exiting. If signalfd was passed to another process, do_schedule_next_timer() +is just wrong. + +Add yet another "tsk == current" check into dequeue_signal(). + +This patch fixes an oopsable bug, but breaks the scheduling of posix timers +if the shared __SI_TIMER signal was fetched via signalfd attached to another +sub-thread. Mostly fixed by the next patch. + +Signed-off-by: Oleg Nesterov +Cc: Benjamin Herrenschmidt +Cc: Davide Libenzi +Cc: Ingo Molnar +Cc: Michael Kerrisk +Cc: Roland McGrath +Cc: Thomas Gleixner +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/signal.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -368,7 +368,7 @@ int dequeue_signal(struct task_struct *t + /* We only dequeue private signals from ourselves, we don't let + * signalfd steal them + */ +- if (tsk == current) ++ if (likely(tsk == current)) + signr = __dequeue_signal(&tsk->pending, mask, info); + if (!signr) { + signr = __dequeue_signal(&tsk->signal->shared_pending, +@@ -415,7 +415,7 @@ int dequeue_signal(struct task_struct *t + if (!(tsk->signal->flags & SIGNAL_GROUP_EXIT)) + tsk->signal->flags |= SIGNAL_STOP_DEQUEUED; + } +- if ( signr && ++ if (signr && likely(tsk == current) && + ((info->si_code & __SI_MASK) == __SI_TIMER) && + info->si_sys_private){ + /* diff --git a/queue-2.6.22/signalfd-make-it-group-wide-fix-posix-timers-scheduling.patch b/queue-2.6.22/signalfd-make-it-group-wide-fix-posix-timers-scheduling.patch new file mode 100644 index 00000000000..5e0d83ffacd --- /dev/null +++ b/queue-2.6.22/signalfd-make-it-group-wide-fix-posix-timers-scheduling.patch @@ -0,0 +1,100 @@ +From stable-bounces@linux.kernel.org Wed Aug 22 14:13:21 2007 +From: Oleg Nesterov +Date: Wed, 22 Aug 2007 14:01:48 -0700 +Subject: signalfd: make it group-wide, fix posix-timers scheduling +To: torvalds@linux-foundation.org +Cc: mtk-manpages@gmx.net, benh@kernel.crashing.org, oleg@tv-sign.ru, stable@kernel.org, tglx@linutronix.de, davidel@xmailserver.org, akpm@linux-foundation.org, mingo@elte.hu, roland@redhat.com +Message-ID: <200708222101.l7ML1mI3004063@imap1.linux-foundation.org> + + +From: Oleg Nesterov + +With this patch any thread can dequeue its own private signals via signalfd, +even if it was created by another sub-thread. + +To do so, we pass "current" to dequeue_signal() if the caller is from the same +thread group. This also fixes the scheduling of posix timers broken by the +previous patch. + +If the caller doesn't belong to this thread group, we can't handle __SI_TIMER +case properly anyway. Perhaps we should forbid the cross-process signalfd usage +and convert ctx->tsk to ctx->sighand. + +Signed-off-by: Oleg Nesterov +Cc: Benjamin Herrenschmidt +Cc: Davide Libenzi +Cc: Ingo Molnar +Cc: Michael Kerrisk +Cc: Roland McGrath +Cc: Thomas Gleixner +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/exec.c | 9 ++------- + fs/signalfd.c | 14 ++++++++++---- + 2 files changed, 12 insertions(+), 11 deletions(-) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -586,18 +586,12 @@ static int de_thread(struct task_struct + int count; + + /* +- * Tell all the sighand listeners that this sighand has +- * been detached. The signalfd_detach() function grabs the +- * sighand lock, if signal listeners are present on the sighand. +- */ +- signalfd_detach(tsk); +- +- /* + * If we don't share sighandlers, then we aren't sharing anything + * and we can just re-use it all. + */ + if (atomic_read(&oldsighand->count) <= 1) { + BUG_ON(atomic_read(&sig->count) != 1); ++ signalfd_detach(tsk); + exit_itimers(sig); + return 0; + } +@@ -736,6 +730,7 @@ static int de_thread(struct task_struct + sig->flags = 0; + + no_thread_group: ++ signalfd_detach(tsk); + exit_itimers(sig); + if (leader) + release_task(leader); +--- a/fs/signalfd.c ++++ b/fs/signalfd.c +@@ -56,12 +56,18 @@ static int signalfd_lock(struct signalfd + sighand = lock_task_sighand(lk->tsk, &lk->flags); + rcu_read_unlock(); + +- if (sighand && !ctx->tsk) { ++ if (!sighand) ++ return 0; ++ ++ if (!ctx->tsk) { + unlock_task_sighand(lk->tsk, &lk->flags); +- sighand = NULL; ++ return 0; + } + +- return sighand != NULL; ++ if (lk->tsk->tgid == current->tgid) ++ lk->tsk = current; ++ ++ return 1; + } + + static void signalfd_unlock(struct signalfd_lockctx *lk) +@@ -331,7 +337,7 @@ asmlinkage long sys_signalfd(int ufd, si + + init_waitqueue_head(&ctx->wqh); + ctx->sigmask = sigmask; +- ctx->tsk = current; ++ ctx->tsk = current->group_leader; + + sighand = current->sighand; + /* diff --git a/queue-2.6.22/snap-fix-snap-protocol-header-accesses.patch b/queue-2.6.22/snap-fix-snap-protocol-header-accesses.patch new file mode 100644 index 00000000000..781f8cc1676 --- /dev/null +++ b/queue-2.6.22/snap-fix-snap-protocol-header-accesses.patch @@ -0,0 +1,64 @@ +From stable-bounces@linux.kernel.org Tue Aug 21 21:07:37 2007 +From: Herbert Xu +Date: Tue, 21 Aug 2007 21:07:30 -0700 (PDT) +Subject: SNAP: Fix SNAP protocol header accesses. +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070821.210730.01204785.davem@davemloft.net> + + +From: Herbert Xu + +The snap_rcv code reads 5 bytes so we should make sure that +we have 5 bytes in the head before proceeding. + +Based on diagnosis and fix by Evgeniy Polyakov, reported by +Alan J. Wylie. + +Patch also kills the skb->sk assignment before kfree_skb +since it's redundant. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/802/psnap.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/net/802/psnap.c ++++ b/net/802/psnap.c +@@ -55,6 +55,9 @@ static int snap_rcv(struct sk_buff *skb, + .type = __constant_htons(ETH_P_SNAP), + }; + ++ if (unlikely(!pskb_may_pull(skb, 5))) ++ goto drop; ++ + rcu_read_lock(); + proto = find_snap_client(skb_transport_header(skb)); + if (proto) { +@@ -62,14 +65,18 @@ static int snap_rcv(struct sk_buff *skb, + skb->transport_header += 5; + skb_pull_rcsum(skb, 5); + rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev); +- } else { +- skb->sk = NULL; +- kfree_skb(skb); +- rc = 1; + } +- + rcu_read_unlock(); ++ ++ if (unlikely(!proto)) ++ goto drop; ++ ++out: + return rc; ++ ++drop: ++ kfree_skb(skb); ++ goto out; + } + + /* diff --git a/queue-2.6.22/sparc64-fix-sparc64-pci-config-accesses-on-sun4u.patch b/queue-2.6.22/sparc64-fix-sparc64-pci-config-accesses-on-sun4u.patch new file mode 100644 index 00000000000..e92b8d8c38c --- /dev/null +++ b/queue-2.6.22/sparc64-fix-sparc64-pci-config-accesses-on-sun4u.patch @@ -0,0 +1,219 @@ +From stable-bounces@linux.kernel.org Tue Aug 21 21:12:39 2007 +From: David Miller +Date: Tue, 21 Aug 2007 21:12:32 -0700 (PDT) +Subject: SPARC64: Fix sparc64 PCI config accesses on sun4u +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070821.211232.27783208.davem@davemloft.net> + + +From: David Miller + +[SPARC64]: Fix sun4u PCI config space accesses on sun4u. + +Don't provide fake PCI config space for sun4u. + +Also, put back the funny host controller space handling that +at least Sabre needs. You have to read PCI host controller +registers at their nature size otherwise you get zeros instead +of correct values. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sparc64/kernel/pci.c | 15 +++- + arch/sparc64/kernel/pci_common.c | 123 ++++++++++++++++++++++++++++++++++++--- + 2 files changed, 126 insertions(+), 12 deletions(-) + +--- a/arch/sparc64/kernel/pci.c ++++ b/arch/sparc64/kernel/pci.c +@@ -422,10 +422,15 @@ struct pci_dev *of_create_pci_dev(struct + dev->multifunction = 0; /* maybe a lie? */ + + if (host_controller) { +- dev->vendor = 0x108e; +- dev->device = 0x8000; +- dev->subsystem_vendor = 0x0000; +- dev->subsystem_device = 0x0000; ++ if (tlb_type != hypervisor) { ++ pci_read_config_word(dev, PCI_VENDOR_ID, ++ &dev->vendor); ++ pci_read_config_word(dev, PCI_DEVICE_ID, ++ &dev->device); ++ } else { ++ dev->vendor = PCI_VENDOR_ID_SUN; ++ dev->device = 0x80f0; ++ } + dev->cfg_size = 256; + dev->class = PCI_CLASS_BRIDGE_HOST << 8; + sprintf(pci_name(dev), "%04x:%02x:%02x.%d", pci_domain_nr(bus), +@@ -817,7 +822,7 @@ int pci_host_bridge_read_pci_cfg(struct + { + static u8 fake_pci_config[] = { + 0x8e, 0x10, /* Vendor: 0x108e (Sun) */ +- 0x00, 0x80, /* Device: 0x8000 (PBM) */ ++ 0xf0, 0x80, /* Device: 0x80f0 (Fire) */ + 0x46, 0x01, /* Command: 0x0146 (SERR, PARITY, MASTER, MEM) */ + 0xa0, 0x22, /* Status: 0x02a0 (DEVSEL_MED, FB2B, 66MHZ) */ + 0x00, 0x00, 0x00, 0x06, /* Class: 0x06000000 host bridge */ +--- a/arch/sparc64/kernel/pci_common.c ++++ b/arch/sparc64/kernel/pci_common.c +@@ -44,6 +44,67 @@ static void *sun4u_config_mkaddr(struct + return (void *) (pbm->config_space | bus | devfn | reg); + } + ++/* At least on Sabre, it is necessary to access all PCI host controller ++ * registers at their natural size, otherwise zeros are returned. ++ * Strange but true, and I see no language in the UltraSPARC-IIi ++ * programmer's manual that mentions this even indirectly. ++ */ ++static int sun4u_read_pci_cfg_host(struct pci_pbm_info *pbm, ++ unsigned char bus, unsigned int devfn, ++ int where, int size, u32 *value) ++{ ++ u32 tmp32, *addr; ++ u16 tmp16; ++ u8 tmp8; ++ ++ addr = sun4u_config_mkaddr(pbm, bus, devfn, where); ++ if (!addr) ++ return PCIBIOS_SUCCESSFUL; ++ ++ switch (size) { ++ case 1: ++ if (where < 8) { ++ unsigned long align = (unsigned long) addr; ++ ++ align &= ~1; ++ pci_config_read16((u16 *)align, &tmp16); ++ if (where & 1) ++ *value = tmp16 >> 8; ++ else ++ *value = tmp16 & 0xff; ++ } else { ++ pci_config_read8((u8 *)addr, &tmp8); ++ *value = (u32) tmp8; ++ } ++ break; ++ ++ case 2: ++ if (where < 8) { ++ pci_config_read16((u16 *)addr, &tmp16); ++ *value = (u32) tmp16; ++ } else { ++ pci_config_read8((u8 *)addr, &tmp8); ++ *value = (u32) tmp8; ++ pci_config_read8(((u8 *)addr) + 1, &tmp8); ++ *value |= ((u32) tmp8) << 8; ++ } ++ break; ++ ++ case 4: ++ tmp32 = 0xffffffff; ++ sun4u_read_pci_cfg_host(pbm, bus, devfn, ++ where, 2, &tmp32); ++ *value = tmp32; ++ ++ tmp32 = 0xffffffff; ++ sun4u_read_pci_cfg_host(pbm, bus, devfn, ++ where + 2, 2, &tmp32); ++ *value |= tmp32 << 16; ++ break; ++ } ++ return PCIBIOS_SUCCESSFUL; ++} ++ + static int sun4u_read_pci_cfg(struct pci_bus *bus_dev, unsigned int devfn, + int where, int size, u32 *value) + { +@@ -53,10 +114,6 @@ static int sun4u_read_pci_cfg(struct pci + u16 tmp16; + u8 tmp8; + +- if (bus_dev == pbm->pci_bus && devfn == 0x00) +- return pci_host_bridge_read_pci_cfg(bus_dev, devfn, where, +- size, value); +- + switch (size) { + case 1: + *value = 0xff; +@@ -69,6 +126,10 @@ static int sun4u_read_pci_cfg(struct pci + break; + } + ++ if (!bus_dev->number && !PCI_SLOT(devfn)) ++ return sun4u_read_pci_cfg_host(pbm, bus, devfn, where, ++ size, value); ++ + addr = sun4u_config_mkaddr(pbm, bus, devfn, where); + if (!addr) + return PCIBIOS_SUCCESSFUL; +@@ -101,6 +162,53 @@ static int sun4u_read_pci_cfg(struct pci + return PCIBIOS_SUCCESSFUL; + } + ++static int sun4u_write_pci_cfg_host(struct pci_pbm_info *pbm, ++ unsigned char bus, unsigned int devfn, ++ int where, int size, u32 value) ++{ ++ u32 *addr; ++ ++ addr = sun4u_config_mkaddr(pbm, bus, devfn, where); ++ if (!addr) ++ return PCIBIOS_SUCCESSFUL; ++ ++ switch (size) { ++ case 1: ++ if (where < 8) { ++ unsigned long align = (unsigned long) addr; ++ u16 tmp16; ++ ++ align &= ~1; ++ pci_config_read16((u16 *)align, &tmp16); ++ if (where & 1) { ++ tmp16 &= 0x00ff; ++ tmp16 |= value << 8; ++ } else { ++ tmp16 &= 0xff00; ++ tmp16 |= value; ++ } ++ pci_config_write16((u16 *)align, tmp16); ++ } else ++ pci_config_write8((u8 *)addr, value); ++ break; ++ case 2: ++ if (where < 8) { ++ pci_config_write16((u16 *)addr, value); ++ } else { ++ pci_config_write8((u8 *)addr, value & 0xff); ++ pci_config_write8(((u8 *)addr) + 1, value >> 8); ++ } ++ break; ++ case 4: ++ sun4u_write_pci_cfg_host(pbm, bus, devfn, ++ where, 2, value & 0xffff); ++ sun4u_write_pci_cfg_host(pbm, bus, devfn, ++ where + 2, 2, value >> 16); ++ break; ++ } ++ return PCIBIOS_SUCCESSFUL; ++} ++ + static int sun4u_write_pci_cfg(struct pci_bus *bus_dev, unsigned int devfn, + int where, int size, u32 value) + { +@@ -108,9 +216,10 @@ static int sun4u_write_pci_cfg(struct pc + unsigned char bus = bus_dev->number; + u32 *addr; + +- if (bus_dev == pbm->pci_bus && devfn == 0x00) +- return pci_host_bridge_write_pci_cfg(bus_dev, devfn, where, +- size, value); ++ if (!bus_dev->number && !PCI_SLOT(devfn)) ++ return sun4u_write_pci_cfg_host(pbm, bus, devfn, where, ++ size, value); ++ + addr = sun4u_config_mkaddr(pbm, bus, devfn, where); + if (!addr) + return PCIBIOS_SUCCESSFUL; diff --git a/queue-2.6.22/sparc64-fix-sparc64-task-stack-traces.patch b/queue-2.6.22/sparc64-fix-sparc64-task-stack-traces.patch new file mode 100644 index 00000000000..17c3f35cd2a --- /dev/null +++ b/queue-2.6.22/sparc64-fix-sparc64-task-stack-traces.patch @@ -0,0 +1,79 @@ +From stable-bounces@linux.kernel.org Tue Aug 21 21:11:19 2007 +From: David Miller +Date: Tue, 21 Aug 2007 21:11:14 -0700 (PDT) +Subject: SPARC64: Fix sparc64 task stack traces. +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070821.211114.68156127.davem@davemloft.net> + + +From: David Miller + +It didn't handle that case at all, and now dump_stack() +can be implemented directly as show_stack(current, NULL) + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sparc64/kernel/traps.c | 18 +++++++++++------- + arch/sparc64/mm/fault.c | 5 +---- + 2 files changed, 12 insertions(+), 11 deletions(-) + +--- a/arch/sparc64/kernel/traps.c ++++ b/arch/sparc64/kernel/traps.c +@@ -2134,12 +2134,20 @@ static void user_instruction_dump (unsig + void show_stack(struct task_struct *tsk, unsigned long *_ksp) + { + unsigned long pc, fp, thread_base, ksp; +- void *tp = task_stack_page(tsk); ++ struct thread_info *tp; + struct reg_window *rw; + int count = 0; + + ksp = (unsigned long) _ksp; +- ++ if (!tsk) ++ tsk = current; ++ tp = task_thread_info(tsk); ++ if (ksp == 0UL) { ++ if (tsk == current) ++ asm("mov %%fp, %0" : "=r" (ksp)); ++ else ++ ksp = tp->ksp; ++ } + if (tp == current_thread_info()) + flushw_all(); + +@@ -2168,11 +2176,7 @@ void show_stack(struct task_struct *tsk, + + void dump_stack(void) + { +- unsigned long *ksp; +- +- __asm__ __volatile__("mov %%fp, %0" +- : "=r" (ksp)); +- show_stack(current, ksp); ++ show_stack(current, NULL); + } + + EXPORT_SYMBOL(dump_stack); +--- a/arch/sparc64/mm/fault.c ++++ b/arch/sparc64/mm/fault.c +@@ -112,15 +112,12 @@ static void __kprobes unhandled_fault(un + + static void bad_kernel_pc(struct pt_regs *regs, unsigned long vaddr) + { +- unsigned long *ksp; +- + printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n", + regs->tpc); + printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]); + print_symbol("RPC: <%s>\n", regs->u_regs[15]); + printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr); +- __asm__("mov %%sp, %0" : "=r" (ksp)); +- show_stack(current, ksp); ++ dump_stack(); + unhandled_fault(regs->tpc, current, regs); + } + diff --git a/queue-2.6.22/tcp-do-not-autobind-ports-for-tcp-sockets.patch b/queue-2.6.22/tcp-do-not-autobind-ports-for-tcp-sockets.patch new file mode 100644 index 00000000000..a0efb01441f --- /dev/null +++ b/queue-2.6.22/tcp-do-not-autobind-ports-for-tcp-sockets.patch @@ -0,0 +1,102 @@ +From stable-bounces@linux.kernel.org Tue Aug 21 21:14:48 2007 +From: David Miller +Date: Tue, 21 Aug 2007 21:14:45 -0700 (PDT) +Subject: TCP: Do not autobind ports for TCP sockets +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070821.211445.57159185.davem@davemloft.net> + +From: David Miller + +[TCP]: Invoke tcp_sendmsg() directly, do not use inet_sendmsg(). + +As discovered by Evegniy Polyakov, if we try to sendmsg after +a connection reset, we can do incredibly stupid things. + +The core issue is that inet_sendmsg() tries to autobind the +socket, but we should never do that for TCP. Instead we should +just go straight into TCP's sendmsg() code which will do all +of the necessary state and pending socket error checks. + +TCP's sendpage already directly vectors to tcp_sendpage(), so this +merely brings sendmsg() in line with that. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/tcp.h | 2 +- + net/ipv4/af_inet.c | 2 +- + net/ipv4/tcp.c | 3 ++- + net/ipv4/tcp_ipv4.c | 1 - + net/ipv6/af_inet6.c | 2 +- + net/ipv6/tcp_ipv6.c | 1 - + 6 files changed, 5 insertions(+), 6 deletions(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -281,7 +281,7 @@ extern int tcp_v4_remember_stamp(struc + + extern int tcp_v4_tw_remember_stamp(struct inet_timewait_sock *tw); + +-extern int tcp_sendmsg(struct kiocb *iocb, struct sock *sk, ++extern int tcp_sendmsg(struct kiocb *iocb, struct socket *sock, + struct msghdr *msg, size_t size); + extern ssize_t tcp_sendpage(struct socket *sock, struct page *page, int offset, size_t size, int flags); + +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -831,7 +831,7 @@ const struct proto_ops inet_stream_ops = + .shutdown = inet_shutdown, + .setsockopt = sock_common_setsockopt, + .getsockopt = sock_common_getsockopt, +- .sendmsg = inet_sendmsg, ++ .sendmsg = tcp_sendmsg, + .recvmsg = sock_common_recvmsg, + .mmap = sock_no_mmap, + .sendpage = tcp_sendpage, +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -658,9 +658,10 @@ static inline int select_size(struct soc + return tmp; + } + +-int tcp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, ++int tcp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, + size_t size) + { ++ struct sock *sk = sock->sk; + struct iovec *iov; + struct tcp_sock *tp = tcp_sk(sk); + struct sk_buff *skb; +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -2434,7 +2434,6 @@ struct proto tcp_prot = { + .shutdown = tcp_shutdown, + .setsockopt = tcp_setsockopt, + .getsockopt = tcp_getsockopt, +- .sendmsg = tcp_sendmsg, + .recvmsg = tcp_recvmsg, + .backlog_rcv = tcp_v4_do_rcv, + .hash = tcp_v4_hash, +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -487,7 +487,7 @@ const struct proto_ops inet6_stream_ops + .shutdown = inet_shutdown, /* ok */ + .setsockopt = sock_common_setsockopt, /* ok */ + .getsockopt = sock_common_getsockopt, /* ok */ +- .sendmsg = inet_sendmsg, /* ok */ ++ .sendmsg = tcp_sendmsg, /* ok */ + .recvmsg = sock_common_recvmsg, /* ok */ + .mmap = sock_no_mmap, + .sendpage = tcp_sendpage, +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -2135,7 +2135,6 @@ struct proto tcpv6_prot = { + .shutdown = tcp_shutdown, + .setsockopt = tcp_setsockopt, + .getsockopt = tcp_getsockopt, +- .sendmsg = tcp_sendmsg, + .recvmsg = tcp_recvmsg, + .backlog_rcv = tcp_v6_do_rcv, + .hash = tcp_v6_hash, diff --git a/queue-2.6.22/tcp-fix-tcp-handling-of-sack-in-bidirectional-flows.patch b/queue-2.6.22/tcp-fix-tcp-handling-of-sack-in-bidirectional-flows.patch new file mode 100644 index 00000000000..8617402f26b --- /dev/null +++ b/queue-2.6.22/tcp-fix-tcp-handling-of-sack-in-bidirectional-flows.patch @@ -0,0 +1,47 @@ +From stable-bounces@linux.kernel.org Tue Aug 21 21:18:16 2007 +From: Ilpo Järvinen +Date: Tue, 21 Aug 2007 21:18:07 -0700 (PDT) +Subject: TCP: Fix TCP handling of SACK in bidirectional flows. +To: stable@kernel.org +Cc: bunk@stuata.de +Message-ID: <20070821.211807.35355759.davem@davemloft.net> + + +From: Ilpo Järvinen + +It's possible that new SACK blocks that should trigger new LOST +markings arrive with new data (which previously made is_dupack +false). In addition, I think this fixes a case where we get +a cumulative ACK with enough SACK blocks to trigger the fast +recovery (is_dupack would be false there too). + +I'm not completely pleased with this solution because readability +of the code is somewhat questionable as 'is_dupack' in SACK case +is no longer about dupacks only but would mean something like +'lost_marker_work_todo' too... But because of Eifel stuff done +in CA_Recovery, the FLAG_DATA_SACKED check cannot be placed to +the if statement which seems attractive solution. Nevertheless, +I didn't like adding another variable just for that either... :-) + +Signed-off-by: Ilpo Järvinen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_input.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2112,7 +2112,10 @@ tcp_fastretrans_alert(struct sock *sk, u + { + struct inet_connection_sock *icsk = inet_csk(sk); + struct tcp_sock *tp = tcp_sk(sk); +- int is_dupack = (tp->snd_una == prior_snd_una && !(flag&FLAG_NOT_DUP)); ++ int is_dupack = (tp->snd_una == prior_snd_una && ++ (!(flag&FLAG_NOT_DUP) || ++ ((flag&FLAG_DATA_SACKED) && ++ (tp->fackets_out > tp->reordering)))); + + /* Some technical things: + * 1. Reno does not count dupacks (sacked_out) automatically. */ diff --git a/queue-2.6.22/tcp-fix-tcp-rate-halving-on-bidirectional-flows.patch b/queue-2.6.22/tcp-fix-tcp-rate-halving-on-bidirectional-flows.patch new file mode 100644 index 00000000000..4545c711db1 --- /dev/null +++ b/queue-2.6.22/tcp-fix-tcp-rate-halving-on-bidirectional-flows.patch @@ -0,0 +1,76 @@ +From stable-bounces@linux.kernel.org Tue Aug 21 21:17:09 2007 +From: Ilpo Järvinen +Date: Tue, 21 Aug 2007 21:17:03 -0700 (PDT) +Subject: TCP: Fix TCP rate-halving on bidirectional flows. +To: stable@kernel.org +Cc: bunk@stusta.de +Message-ID: <20070821.211703.107684703.davem@davemloft.net> + +From: Ilpo Järvinen + +Actually, the ratehalving seems to work too well, as cwnd is +reduced on every second ACK even though the packets in flight +remains unchanged. Recoveries in a bidirectional flows suffer +quite badly because of this, both NewReno and SACK are affected. + +After this patch, rate halving is performed for ACK only if +packets in flight was supposedly changed too. + +Signed-off-by: Ilpo Järvinen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_input.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -1851,19 +1851,22 @@ static inline u32 tcp_cwnd_min(const str + } + + /* Decrease cwnd each second ack. */ +-static void tcp_cwnd_down(struct sock *sk) ++static void tcp_cwnd_down(struct sock *sk, int flag) + { + struct tcp_sock *tp = tcp_sk(sk); + int decr = tp->snd_cwnd_cnt + 1; + +- tp->snd_cwnd_cnt = decr&1; +- decr >>= 1; ++ if ((flag&FLAG_FORWARD_PROGRESS) || ++ (IsReno(tp) && !(flag&FLAG_NOT_DUP))) { ++ tp->snd_cwnd_cnt = decr&1; ++ decr >>= 1; + +- if (decr && tp->snd_cwnd > tcp_cwnd_min(sk)) +- tp->snd_cwnd -= decr; ++ if (decr && tp->snd_cwnd > tcp_cwnd_min(sk)) ++ tp->snd_cwnd -= decr; + +- tp->snd_cwnd = min(tp->snd_cwnd, tcp_packets_in_flight(tp)+1); +- tp->snd_cwnd_stamp = tcp_time_stamp; ++ tp->snd_cwnd = min(tp->snd_cwnd, tcp_packets_in_flight(tp)+1); ++ tp->snd_cwnd_stamp = tcp_time_stamp; ++ } + } + + /* Nothing was retransmitted or returned timestamp is less +@@ -2060,7 +2063,7 @@ static void tcp_try_to_open(struct sock + } + tcp_moderate_cwnd(tp); + } else { +- tcp_cwnd_down(sk); ++ tcp_cwnd_down(sk, flag); + } + } + +@@ -2260,7 +2263,7 @@ tcp_fastretrans_alert(struct sock *sk, u + + if (is_dupack || tcp_head_timedout(sk)) + tcp_update_scoreboard(sk); +- tcp_cwnd_down(sk); ++ tcp_cwnd_down(sk, flag); + tcp_xmit_retransmit_queue(sk); + } + diff --git a/queue-2.6.22/uml-fix-previous-request-size-limit-fix.patch b/queue-2.6.22/uml-fix-previous-request-size-limit-fix.patch new file mode 100644 index 00000000000..f547655952c --- /dev/null +++ b/queue-2.6.22/uml-fix-previous-request-size-limit-fix.patch @@ -0,0 +1,50 @@ +From stable-bounces@linux.kernel.org Wed Aug 22 14:12:27 2007 +From: Jeff Dike +Date: Wed, 22 Aug 2007 14:01:53 -0700 +Subject: uml: fix previous request size limit fix +To: torvalds@linux-foundation.org +Cc: akpm@linux-foundation.org, jdike@linux.intel.com, jdike@addtoit.com, stable@kernel.org +Message-ID: <200708222101.l7ML1sQn004096@imap1.linux-foundation.org> + + +From: Jeff Dike + +The previous patch which limited the number of sectors in a single request +to a COWed device was correct in concept, but the limit was implemented in +the wrong place. + +By putting it in ubd_add, it covered the cases where the COWing was +specified on the command line. However, when the command line only has the +COW file specified, the fact that it's a COW file isn't known until it's +opened, so the limit is missed in these cases. + +This patch moves the sector limit from ubd_add to ubd_open_dev. + +Signed-off-by: Jeff Dike +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/drivers/ubd_kern.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/um/drivers/ubd_kern.c ++++ b/arch/um/drivers/ubd_kern.c +@@ -612,6 +612,8 @@ static int ubd_open_dev(struct ubd *ubd_ + ubd_dev->fd = fd; + + if(ubd_dev->cow.file != NULL){ ++ blk_queue_max_sectors(ubd_dev->queue, 8 * sizeof(long)); ++ + err = -ENOMEM; + ubd_dev->cow.bitmap = (void *) vmalloc(ubd_dev->cow.bitmap_len); + if(ubd_dev->cow.bitmap == NULL){ +@@ -712,8 +714,6 @@ static int ubd_add(int n, char **error_o + ubd_dev->queue->queuedata = ubd_dev; + + blk_queue_max_hw_segments(ubd_dev->queue, MAX_SG); +- if(ubd_dev->cow.file != NULL) +- blk_queue_max_sectors(ubd_dev->queue, 8 * sizeof(long)); + err = ubd_disk_register(MAJOR_NR, ubd_dev->size, n, &ubd_gendisk[n]); + if(err){ + *error_out = "Failed to register device"; -- 2.47.3