From 87005f38f5a5c8f23dee834b59666295c403584b Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 11 Dec 2007 16:31:37 -0800 Subject: [PATCH] 2.6.22 patches added --- queue-2.6.22/fb_ddc-fix-ddc-lines-quirk.patch | 92 ++++++++ queue-2.6.22/forcedeth-boot-delay-fix.patch | 57 +++++ .../forcedeth-new-mcp79-pci-ids.patch | 60 +++++ ...r-futex_wait-signal-stack-corruption.patch | 216 ++++++++++++++++++ ...overflow-for-large-relative-timeouts.patch | 47 ++++ ...n_ioctl-memory-overrun-vulnerability.patch | 61 +++++ ...dn-avoid-copying-overly-long-strings.patch | 59 +++++ ...-intermediate-crc-state-in-cpu-order.patch | 57 +++++ queue-2.6.22/nf_nat-fix-memset-error.patch | 43 ++++ queue-2.6.22/series | 13 ++ ...tmpfs-restore-missing-clear_highpage.patch | 52 +++++ ...-fix-up-ehci-startup-synchronization.patch | 48 ++++ ...he-microtek-driver-and-hal-cooperate.patch | 34 +++ ...ect-exit_code-to-wait_noreap_copyout.patch | 47 ++++ 14 files changed, 886 insertions(+) create mode 100644 queue-2.6.22/fb_ddc-fix-ddc-lines-quirk.patch create mode 100644 queue-2.6.22/forcedeth-boot-delay-fix.patch create mode 100644 queue-2.6.22/forcedeth-new-mcp79-pci-ids.patch create mode 100644 queue-2.6.22/futex-fix-for-futex_wait-signal-stack-corruption.patch create mode 100644 queue-2.6.22/hrtimers-avoid-overflow-for-large-relative-timeouts.patch create mode 100644 queue-2.6.22/i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch create mode 100644 queue-2.6.22/isdn-avoid-copying-overly-long-strings.patch create mode 100644 queue-2.6.22/libcrc32c-keep-intermediate-crc-state-in-cpu-order.patch create mode 100644 queue-2.6.22/nf_nat-fix-memset-error.patch create mode 100644 queue-2.6.22/tmpfs-restore-missing-clear_highpage.patch create mode 100644 queue-2.6.22/usb-fix-up-ehci-startup-synchronization.patch create mode 100644 queue-2.6.22/usb-make-the-microtek-driver-and-hal-cooperate.patch create mode 100644 queue-2.6.22/wait_task_stopped-pass-correct-exit_code-to-wait_noreap_copyout.patch 
diff --git a/queue-2.6.22/fb_ddc-fix-ddc-lines-quirk.patch b/queue-2.6.22/fb_ddc-fix-ddc-lines-quirk.patch
new file mode 100644
index 00000000000..d92e47554db
--- /dev/null
+++ b/queue-2.6.22/fb_ddc-fix-ddc-lines-quirk.patch
@@ -0,0 +1,92 @@ +From stable-bounces@linux.kernel.org Wed Nov 28 16:28:03 2007 +From: Jean Delvare +Date: Wed, 28 Nov 2007 16:21:35 -0800 +Subject: fb_ddc: fix DDC lines quirk +To: torvalds@linux-foundation.org +Cc: rleigh@whinlatter.ukfsn.org, benh@kernel.crashing.org, mb@bu3sch.de, khali@linux-fr.org, adaplas@pol.net, akpm@linux-foundation.org, stable@kernel.org +Message-ID: <200711290021.lAT0LZgT026655@imap1.linux-foundation.org> + + +From: Jean Delvare + +patch b64d70825abbf706bbe80be1b11b09514b71f45e in mainline. + +The code in fb_ddc_read() is said to be based on the implementation of the +radeon driver: +http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=fc5891c8a3ba284f13994d7bc1f1bfa8283982de + +However, comparing the old radeon driver code with the new fb_ddc code +reveals some differences. Most notably, the I2C bus lines are held at the +end of the function, while the original code was releasing them (as the +comment above correctly says.) + +There are a few other differences, which appear to be responsible for read +failures on my system. While tracing low-level I2C code in i2c-algo-bit, I +noticed that the initial attempt to read the EDID always failed. It takes +one retry for the read to succeed. As we are about to remove this +automatic retry property from i2c-algo-bit, reading the EDID would really +fail. + +As a summary, the I2C lines quirk which is supposedly needed to read EDID +on some older monitors is currently breaking the (first) read on all other +monitors (and might not even work with older ones - did anyone try since +October 2006?) + +After applying the patch below, which makes the code in fb_ddc_read() +really similar to what the radeon driver used to have, the first EDID read +succeeds again. + +On top of that, as it appears that this code has been broken for one year +now and nobody seems to have complained, I'm curious if it makes sense to +keep this quirk in place. 
It makes the code more complex and slower just +for the sake of monitors which I guess nobody uses anymore. Can't we just +get rid of it? + +Signed-off-by: Jean Delvare +Acked-by: Benjamin Herrenschmidt +Tested-by: Roger Leigh +Tested-by: Michael Buesch +Cc: "Antonino A. Daplas" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fb_ddc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/video/fb_ddc.c ++++ b/drivers/video/fb_ddc.c +@@ -56,13 +56,12 @@ unsigned char *fb_ddc_read(struct i2c_ad + int i, j; + + algo_data->setscl(algo_data->data, 1); +- algo_data->setscl(algo_data->data, 0); + + for (i = 0; i < 3; i++) { + /* For some old monitors we need the + * following process to initialize/stop DDC + */ +- algo_data->setsda(algo_data->data, 0); ++ algo_data->setsda(algo_data->data, 1); + msleep(13); + + algo_data->setscl(algo_data->data, 1); +@@ -97,14 +96,15 @@ unsigned char *fb_ddc_read(struct i2c_ad + algo_data->setsda(algo_data->data, 1); + msleep(15); + algo_data->setscl(algo_data->data, 0); ++ algo_data->setsda(algo_data->data, 0); + if (edid) + break; + } + /* Release the DDC lines when done or the Apple Cinema HD display + * will switch off + */ +- algo_data->setsda(algo_data->data, 0); +- algo_data->setscl(algo_data->data, 0); ++ algo_data->setsda(algo_data->data, 1); ++ algo_data->setscl(algo_data->data, 1); + + return edid; + } diff --git a/queue-2.6.22/forcedeth-boot-delay-fix.patch b/queue-2.6.22/forcedeth-boot-delay-fix.patch new file mode 100644 index 00000000000..0eeffa9ad1d --- /dev/null +++ b/queue-2.6.22/forcedeth-boot-delay-fix.patch 
@@ -0,0 +1,57 @@ +From 9e555930bd873d238f5f7b9d76d3bf31e6e3ce93 Mon Sep 17 00:00:00 2001 +From: Ayaz Abdulla +Date: Wed, 21 Nov 2007 15:02:58 -0800 +Subject: forcedeth boot delay fix + +From: Ayaz Abdulla + +patch 9e555930bd873d238f5f7b9d76d3bf31e6e3ce93 in mainline. + +Fix a long boot delay in the forcedeth driver. During initialization, the +timeout for the handshake between mgmt unit and driver can be very long. +The patch reduces the timeout by eliminating a extra loop around the +timeout logic. + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9308 + +Signed-off-by: Ayaz Abdulla +Cc: Alex Howells +Signed-off-by: Andrew Morton +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/forcedeth.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +--- a/drivers/net/forcedeth.c ++++ b/drivers/net/forcedeth.c +@@ -5283,19 +5283,15 @@ static int __devinit nv_probe(struct pci + if (readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_SYNC_PHY_INIT) { + np->mac_in_use = readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_MGMT_ST; + dprintk(KERN_INFO "%s: mgmt unit is running. mac in use %x.\n", pci_name(pci_dev), np->mac_in_use); +- for (i = 0; i < 5000; i++) { +- msleep(1); +- if (nv_mgmt_acquire_sema(dev)) { +- /* management unit setup the phy already? */ +- if ((readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_SYNC_MASK) == +- NVREG_XMITCTL_SYNC_PHY_INIT) { +- /* phy is inited by mgmt unit */ +- phyinitialized = 1; +- dprintk(KERN_INFO "%s: Phy already initialized by mgmt unit.\n", pci_name(pci_dev)); +- } else { +- /* we need to init the phy */ +- } +- break; ++ if (nv_mgmt_acquire_sema(dev)) { ++ /* management unit setup the phy already? 
*/ ++ if ((readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_SYNC_MASK) == ++ NVREG_XMITCTL_SYNC_PHY_INIT) { ++ /* phy is inited by mgmt unit */ ++ phyinitialized = 1; ++ dprintk(KERN_INFO "%s: Phy already initialized by mgmt unit.\n", pci_name(pci_dev)); ++ } else { ++ /* we need to init the phy */ + } + } + } diff --git a/queue-2.6.22/forcedeth-new-mcp79-pci-ids.patch b/queue-2.6.22/forcedeth-new-mcp79-pci-ids.patch new file mode 100644 index 00000000000..d394ffecd20 --- /dev/null +++ b/queue-2.6.22/forcedeth-new-mcp79-pci-ids.patch 
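Review bot: With the 5000-iteration `msleep(1)` retry loop removed, a single failed `nv_mgmt_acquire_sema(dev)` now falls through silently with `phyinitialized` left at 0, and the surviving empty `else { /* we need to init the phy */ }` branch leaves no trace in the log of which path was taken. If the management unit can legitimately hold the semaphore for a short window at probe time, a small bounded retry (a handful of attempts rather than 5000) may be safer than one shot; either way a `dprintk(KERN_INFO "%s: mgmt sema not acquired, driver will init the phy.\n", pci_name(pci_dev));` in the not-acquired path would make boot problems diagnosable. nv_probe starts and ends outside the hunk, so whether the semaphore is retried or released elsewhere cannot be checked here.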
@@ -0,0 +1,60 @@ +From 490dde8990c55662596a4be71b5070bd7d382d4a Mon Sep 17 00:00:00 2001 +From: Ayaz Abdulla +Date: Fri, 23 Nov 2007 20:54:01 -0500 +Subject: forcedeth: new mcp79 pci ids + +From: Ayaz Abdulla + +patch 490dde8990c55662596a4be71b5070bd7d382d4a in mainline. + +This patch adds new device ids and features for mcp79 devices into the +forcedeth driver. + +Signed-off-by: Ayaz Abdulla +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +index 92ce2e3..f9ba0ac 100644 +--- + drivers/net/forcedeth.c | 16 ++++++++++++++++ + include/linux/pci_ids.h | 4 ++++ + 2 files changed, 20 insertions(+) + +--- a/drivers/net/forcedeth.c ++++ b/drivers/net/forcedeth.c +@@ -5553,6 +5553,22 @@ static struct pci_device_id pci_tbl[] = + PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_27), + .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_HIGH_DMA|DEV_HAS_POWER_CNTRL|DEV_HAS_MSI|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT, + }, ++ { /* MCP79 Ethernet Controller */ ++ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_36), ++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT, ++ }, ++ { /* MCP79 Ethernet Controller */ ++ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_37), ++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT, ++ }, ++ { /* MCP79 Ethernet Controller */ ++ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_38), ++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT, ++ }, ++ { /* MCP79 Ethernet Controller */ ++ 
PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_39), ++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT, ++ }, + {0,}, + }; + +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -1239,6 +1239,10 @@ + #define PCI_DEVICE_ID_NVIDIA_NFORCE_MCP67_IDE 0x0560 + #define PCI_DEVICE_ID_NVIDIA_NFORCE_MCP73_IDE 0x056C + #define PCI_DEVICE_ID_NVIDIA_NFORCE_MCP77_IDE 0x0759 ++#define PCI_DEVICE_ID_NVIDIA_NVENET_36 0x0AB0 ++#define PCI_DEVICE_ID_NVIDIA_NVENET_37 0x0AB1 ++#define PCI_DEVICE_ID_NVIDIA_NVENET_38 0x0AB2 ++#define PCI_DEVICE_ID_NVIDIA_NVENET_39 0x0AB3 + + #define PCI_VENDOR_ID_IMS 0x10e0 + #define PCI_DEVICE_ID_IMS_TT128 0x9128 diff --git a/queue-2.6.22/futex-fix-for-futex_wait-signal-stack-corruption.patch b/queue-2.6.22/futex-fix-for-futex_wait-signal-stack-corruption.patch new file mode 100644 index 00000000000..cf3ace67c15 --- /dev/null +++ b/queue-2.6.22/futex-fix-for-futex_wait-signal-stack-corruption.patch 
@@ -0,0 +1,216 @@ +From ce6bd420f43b28038a2c6e8fbb86ad24014727b6 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Wed, 5 Dec 2007 15:46:09 +0100 +Subject: [PATCH] futex: fix for futex_wait signal stack corruption + +From Steven Rostedt + +patch ce6bd420f43b28038a2c6e8fbb86ad24014727b6 in mainline. + +David Holmes found a bug in the -rt tree with respect to +pthread_cond_timedwait. After trying his test program on the latest git +from mainline, I found the bug was there too. The bug he was seeing +that his test program showed, was that if one were to do a "Ctrl-Z" on a +process that was in the pthread_cond_timedwait, and then did a "bg" on +that process, it would return with a "-ETIMEDOUT" but early. That is, +the timer would go off early. + +Looking into this, I found the source of the problem. And it is a rather +nasty bug at that. + +Here's the relevant code from kernel/futex.c: (not in order in the file) + +[...] +smlinkage long sys_futex(u32 __user *uaddr, int op, u32 val, + struct timespec __user *utime, u32 __user *uaddr2, + u32 val3) +{ + struct timespec ts; + ktime_t t, *tp = NULL; + u32 val2 = 0; + int cmd = op & FUTEX_CMD_MASK; + + if (utime && (cmd == FUTEX_WAIT || cmd == FUTEX_LOCK_PI)) { + if (copy_from_user(&ts, utime, sizeof(ts)) != 0) + return -EFAULT; + if (!timespec_valid(&ts)) + return -EINVAL; + + t = timespec_to_ktime(ts); + if (cmd == FUTEX_WAIT) + t = ktime_add(ktime_get(), t); + tp = &t; + } +[...] + return do_futex(uaddr, op, val, tp, uaddr2, val2, val3); +} + +[...] + +long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout, + u32 __user *uaddr2, u32 val2, u32 val3) +{ + int ret; + int cmd = op & FUTEX_CMD_MASK; + struct rw_semaphore *fshared = NULL; + + if (!(op & FUTEX_PRIVATE_FLAG)) + fshared = ¤t->mm->mmap_sem; + + switch (cmd) { + case FUTEX_WAIT: + ret = futex_wait(uaddr, fshared, val, timeout); + +[...] + +static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared, + u32 val, ktime_t *abs_time) +{ +[...] 
+ struct restart_block *restart; + restart = ¤t_thread_info()->restart_block; + restart->fn = futex_wait_restart; + restart->arg0 = (unsigned long)uaddr; + restart->arg1 = (unsigned long)val; + restart->arg2 = (unsigned long)abs_time; + restart->arg3 = 0; + if (fshared) + restart->arg3 |= ARG3_SHARED; + return -ERESTART_RESTARTBLOCK; +[...] + +static long futex_wait_restart(struct restart_block *restart) +{ + u32 __user *uaddr = (u32 __user *)restart->arg0; + u32 val = (u32)restart->arg1; + ktime_t *abs_time = (ktime_t *)restart->arg2; + struct rw_semaphore *fshared = NULL; + + restart->fn = do_no_restart_syscall; + if (restart->arg3 & ARG3_SHARED) + fshared = ¤t->mm->mmap_sem; + return (long)futex_wait(uaddr, fshared, val, abs_time); +} + +So when the futex_wait is interrupt by a signal we break out of the +hrtimer code and set up or return from signal. This code does not return +back to userspace, so we set up a RESTARTBLOCK. The bug here is that we +save the "abs_time" which is a pointer to the stack variable "ktime_t t" +from sys_futex. + +This returns and unwinds the stack before we get to call our signal. On +return from the signal we go to futex_wait_restart, where we update all +the parameters for futex_wait and call it. But here we have a problem +where abs_time is no longer valid. + +I verified this with print statements, and sure enough, what abs_time +was set to ends up being garbage when we get to futex_wait_restart. + +The solution I did to solve this (with input from Linus Torvalds) +was to add unions to the restart_block to allow system calls to +use the restart with specific parameters. This way the futex code now +saves the time in a 64bit value in the restart block instead of storing +it on the stack. + +Note: I'm a bit nervious to add "linux/types.h" and use u32 and u64 +in thread_info.h, when there's a #ifdef __KERNEL__ just below that. +Not sure what that is there for. 
If this turns out to be a problem, I've +tested this with using "unsigned int" for u32 and "unsigned long long" for +u64 and it worked just the same. I'm using u32 and u64 just to be +consistent with what the futex code uses. + +Signed-off-by: Steven Rostedt +Signed-off-by: Ingo Molnar +Signed-off-by: Thomas Gleixner +Acked-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/thread_info.h | 17 +++++++++++++++-- + kernel/futex.c | 25 +++++++++++++------------ + 2 files changed, 28 insertions(+), 14 deletions(-) + +--- a/include/linux/thread_info.h ++++ b/include/linux/thread_info.h +@@ -7,12 +7,25 @@ + #ifndef _LINUX_THREAD_INFO_H + #define _LINUX_THREAD_INFO_H + ++#include ++ + /* +- * System call restart block. ++ * System call restart block. + */ + struct restart_block { + long (*fn)(struct restart_block *); +- unsigned long arg0, arg1, arg2, arg3; ++ union { ++ struct { ++ unsigned long arg0, arg1, arg2, arg3; ++ }; ++ /* For futex_wait */ ++ struct { ++ u32 *uaddr; ++ u32 val; ++ u32 flags; ++ u64 time; ++ } futex; ++ }; + }; + + extern long do_no_restart_syscall(struct restart_block *parm); +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1129,9 +1129,9 @@ static int fixup_pi_state_owner(u32 __us + + /* + * In case we must use restart_block to restart a futex_wait, +- * we encode in the 'arg3' shared capability ++ * we encode in the 'flags' shared capability + */ +-#define ARG3_SHARED 1 ++#define FLAGS_SHARED 1 + + static long futex_wait_restart(struct restart_block *restart); + static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared, +@@ -1272,12 +1272,13 @@ static int futex_wait(u32 __user *uaddr, + struct restart_block *restart; + restart = ¤t_thread_info()->restart_block; + restart->fn = futex_wait_restart; +- restart->arg0 = (unsigned long)uaddr; +- restart->arg1 = (unsigned long)val; +- restart->arg2 = (unsigned long)abs_time; +- restart->arg3 = 0; ++ restart->futex.uaddr = (u32 *)uaddr; ++ restart->futex.val = val; 
++ restart->futex.time = abs_time->tv64; ++ restart->futex.flags = 0; ++ + if (fshared) +- restart->arg3 |= ARG3_SHARED; ++ restart->futex.flags |= FLAGS_SHARED; + return -ERESTART_RESTARTBLOCK; + } + +@@ -1293,15 +1294,15 @@ static int futex_wait(u32 __user *uaddr, + + static long futex_wait_restart(struct restart_block *restart) + { +- u32 __user *uaddr = (u32 __user *)restart->arg0; +- u32 val = (u32)restart->arg1; +- ktime_t *abs_time = (ktime_t *)restart->arg2; ++ u32 __user *uaddr = (u32 __user *)restart->futex.uaddr; + struct rw_semaphore *fshared = NULL; ++ ktime_t t; + ++ t.tv64 = restart->futex.time; + restart->fn = do_no_restart_syscall; +- if (restart->arg3 & ARG3_SHARED) ++ if (restart->futex.flags & FLAGS_SHARED) + fshared = ¤t->mm->mmap_sem; +- return (long)futex_wait(uaddr, fshared, val, abs_time); ++ return (long)futex_wait(uaddr, fshared, restart->futex.val, &t); + } + + diff --git a/queue-2.6.22/hrtimers-avoid-overflow-for-large-relative-timeouts.patch b/queue-2.6.22/hrtimers-avoid-overflow-for-large-relative-timeouts.patch new file mode 100644 index 00000000000..43be51d0505 --- /dev/null +++ b/queue-2.6.22/hrtimers-avoid-overflow-for-large-relative-timeouts.patch 
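Review bot: The new restart_block field is declared `u32 *uaddr`, so futex_wait has to cast away the address space with `(u32 *)uaddr` and futex_wait_restart casts it back with `(u32 __user *)restart->futex.uaddr`; declaring the field `u32 __user *uaddr;` keeps sparse's user-pointer checking intact across the restart and removes both casts. The restart path also dereferences `abs_time->tv64` unconditionally, which is only correct if this branch is reached solely for timed waits (the guard for an untimed wait, if there is one, sits outside the hunk); a one-line comment such as `/* abs_time is non-NULL here: untimed waits restart via -ERESTARTSYS */` would record that invariant next to the dereference. Note that the added include in thread_info.h shows as a bare `#include` in this rendering — confirm the queued file reads `#include <linux/types.h>`, since an empty include line would fail to compile.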
@@ -0,0 +1,47 @@ +From 62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Fri, 7 Dec 2007 19:16:17 +0100 +Subject: hrtimers: avoid overflow for large relative timeouts (CVE-2007-5966) + +From: Thomas Gleixner + +patch 62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5 in mainline + +Relative hrtimers with a large timeout value might end up as negative +timer values, when the current time is added in hrtimer_start(). + +This in turn is causing the clockevents_set_next() function to set an +huge timeout and sleep for quite a long time when we have a clock +source which is capable of long sleeps like HPET. With PIT this almost +goes unnoticed as the maximum delta is ~27ms. The non-hrt/nohz code +sorts this out in the next timer interrupt, so we never noticed that +problem which has been there since the first day of hrtimers. + +This bug became more apparent in 2.6.24 which activates HPET on more +hardware. + +Signed-off-by: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/hrtimer.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/kernel/hrtimer.c ++++ b/kernel/hrtimer.c +@@ -825,6 +825,14 @@ hrtimer_start(struct hrtimer *timer, kti + #ifdef CONFIG_TIME_LOW_RES + tim = ktime_add(tim, base->resolution); + #endif ++ /* ++ * Careful here: User space might have asked for a ++ * very long sleep, so the add above might result in a ++ * negative number, which enqueues the timer in front ++ * of the queue. ++ */ ++ if (tim.tv64 < 0) ++ tim.tv64 = KTIME_MAX; + } + timer->expires = tim; + diff --git a/queue-2.6.22/i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch b/queue-2.6.22/i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch new file mode 100644 index 00000000000..de70161524e --- /dev/null +++ b/queue-2.6.22/i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch 
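Review bot: The clamp `if (tim.tv64 < 0) tim.tv64 = KTIME_MAX;` only covers the relative-mode addition inside hrtimer_start, so a caller that converts a user-supplied relative timeout to absolute itself and then arms the timer in absolute mode is still exposed to the same overflow; sys_futex in the futex patch queued alongside this one does exactly that with `t = ktime_add(ktime_get(), t);` before passing the value down, and if futex_wait starts its hrtimer in absolute mode (not visible here) that negative value bypasses this check. A saturating helper — a `ktime_add_safe()` that returns KTIME_MAX when the sum goes negative — used both here and at such call sites would close the overflow in one place. The check depends on `tv64` being a signed 64-bit quantity, which is worth stating in the comment since a negative absolute time is the only overflow signal available.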
@@ -0,0 +1,61 @@ +From stable-bounces@linux.kernel.org Sat Dec 1 12:17:01 2007 +From: akpm@linux-foundation.org +Date: Sat, 01 Dec 2007 12:16:15 -0800 +Subject: I4L: fix isdn_ioctl memory overrun vulnerability +To: torvalds@linux-foundation.org +Cc: akpm@linux-foundation.org, adlab@venustech.com.cn, kkeil@suse.de, stable@kernel.org +Message-ID: <200712012016.lB1KGFmF005739@imap1.linux-foundation.org> + + +From: Karsten Keil + +patch eafe1aa37e6ec2d56f14732b5240c4dd09f0613a in mainline. + +Fix possible memory overrun issue in the isdn ioctl code. Found by ADLAB + + +Signed-off-by: Karsten Keil +Cc: ADLAB +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/isdn/i4l/isdn_common.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/isdn/i4l/isdn_common.c ++++ b/drivers/isdn/i4l/isdn_common.c +@@ -1514,6 +1514,7 @@ isdn_ioctl(struct inode *inode, struct f + if (copy_from_user(&iocts, argp, + sizeof(isdn_ioctl_struct))) + return -EFAULT; ++ iocts.drvid[sizeof(iocts.drvid)-1] = 0; + if (strlen(iocts.drvid)) { + if ((p = strchr(iocts.drvid, ','))) + *p = 0; +@@ -1598,6 +1599,7 @@ isdn_ioctl(struct inode *inode, struct f + if (copy_from_user(&iocts, argp, + sizeof(isdn_ioctl_struct))) + return -EFAULT; ++ iocts.drvid[sizeof(iocts.drvid)-1] = 0; + if (strlen(iocts.drvid)) { + drvidx = -1; + for (i = 0; i < ISDN_MAX_DRIVERS; i++) +@@ -1642,7 +1644,7 @@ isdn_ioctl(struct inode *inode, struct f + } else { + p = (char __user *) iocts.arg; + for (i = 0; i < 10; i++) { +- sprintf(bname, "%s%s", ++ snprintf(bname, sizeof(bname), "%s%s", + strlen(dev->drv[drvidx]->msn2eaz[i]) ? + dev->drv[drvidx]->msn2eaz[i] : "_", + (i < 9) ? 
"," : "\0"); +@@ -1672,6 +1674,7 @@ isdn_ioctl(struct inode *inode, struct f + char *p; + if (copy_from_user(&iocts, argp, sizeof(isdn_ioctl_struct))) + return -EFAULT; ++ iocts.drvid[sizeof(iocts.drvid)-1] = 0; + if (strlen(iocts.drvid)) { + if ((p = strchr(iocts.drvid, ','))) + *p = 0; diff --git a/queue-2.6.22/isdn-avoid-copying-overly-long-strings.patch b/queue-2.6.22/isdn-avoid-copying-overly-long-strings.patch new file mode 100644 index 00000000000..80ef79114c6 --- /dev/null +++ b/queue-2.6.22/isdn-avoid-copying-overly-long-strings.patch 
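Review bot: The two-step sequence — `copy_from_user` of the isdn_ioctl_struct followed by `iocts.drvid[sizeof(iocts.drvid)-1] = 0;` — is now repeated in three ioctl cases, and any other case in isdn_ioctl that copies the same struct but was not touched here would keep an unterminated drvid (only fragments of the function are in the hunks, so this cannot be checked from the patch). Folding copy and termination into one static helper, e.g. `static int isdn_get_iocts(isdn_ioctl_struct *iocts, void __user *argp)`, makes the terminator impossible to forget when a new case is added. In the msn2eaz loop, `snprintf(bname, sizeof(bname), ...)` now truncates silently; if the code after the hunk hands bname to user space via strlen(), that is merely a clipped list, but checking the return value against `sizeof(bname)` and failing with an error would be the more honest behaviour.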
@@ -0,0 +1,59 @@ +From 0f13864e5b24d9cbe18d125d41bfa4b726a82e40 Mon Sep 17 00:00:00 2001 +From: Karsten Keil +Date: Thu, 22 Nov 2007 12:43:13 +0100 +Subject: isdn: avoid copying overly-long strings +Message-ID: <20071122120142.GA2407@pingi.kke.suse.de> + +From: Karsten Keil + +patch 0f13864e5b24d9cbe18d125d41bfa4b726a82e40 in mainline. + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9416 + +Signed-off-by: Karsten Keil +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/isdn/i4l/isdn_net.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/isdn/i4l/isdn_net.c ++++ b/drivers/isdn/i4l/isdn_net.c +@@ -2126,7 +2126,7 @@ isdn_net_find_icall(int di, int ch, int + u_long flags; + isdn_net_dev *p; + isdn_net_phone *n; +- char nr[32]; ++ char nr[ISDN_MSNLEN]; + char *my_eaz; + + /* Search name in netdev-chain */ +@@ -2135,7 +2135,7 @@ isdn_net_find_icall(int di, int ch, int + nr[1] = '\0'; + printk(KERN_INFO "isdn_net: Incoming call without OAD, assuming '0'\n"); + } else +- strcpy(nr, setup->phone); ++ strlcpy(nr, setup->phone, ISDN_MSNLEN); + si1 = (int) setup->si1; + si2 = (int) setup->si2; + if (!setup->eazmsn[0]) { +@@ -2802,7 +2802,7 @@ isdn_net_setcfg(isdn_net_ioctl_cfg * cfg + chidx = -1; + } + } +- strcpy(lp->msn, cfg->eaz); ++ strlcpy(lp->msn, cfg->eaz, sizeof(lp->msn)); + lp->pre_device = drvidx; + lp->pre_channel = chidx; + lp->onhtime = cfg->onhtime; +@@ -2951,7 +2951,7 @@ isdn_net_addphone(isdn_net_ioctl_phone * + if (p) { + if (!(n = kmalloc(sizeof(isdn_net_phone), GFP_KERNEL))) + return -ENOMEM; +- strcpy(n->num, phone->phone); ++ strlcpy(n->num, phone->phone, sizeof(n->num)); + n->next = p->local->phone[phone->outgoing & 1]; + p->local->phone[phone->outgoing & 1] = n; + return 0; 
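Review bot: `strlcpy()` computes `strlen()` of its source, so it is only a bounded copy when the source is NUL-terminated; `cfg->eaz` in isdn_net_setcfg and `phone->phone` in isdn_net_addphone arrive in ioctl structures from user space, and unless the caller (outside the hunk) terminates those fields after `copy_from_user`, the strlen can run past the field through the rest of the struct and beyond. The companion i4l patch in this queue terminates `iocts.drvid` explicitly after the copy for exactly this reason, and the same `cfg->eaz[sizeof(cfg->eaz)-1] = 0;` treatment (or `strncpy` plus an explicit terminator) is needed before these three strlcpy calls. The `nr[ISDN_MSNLEN]` copy from `setup->phone` raises the same question if the low-level driver fills `phone` without guaranteeing termination.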
diff --git a/queue-2.6.22/libcrc32c-keep-intermediate-crc-state-in-cpu-order.patch b/queue-2.6.22/libcrc32c-keep-intermediate-crc-state-in-cpu-order.patch new file mode 100644 index 00000000000..99354cb1cbc --- /dev/null +++ b/queue-2.6.22/libcrc32c-keep-intermediate-crc-state-in-cpu-order.patch @@ -0,0 +1,57 @@ +From herbert@gondor.apana.org.au Wed Nov 14 17:07:36 2007 +From: Herbert Xu +Date: Thu, 15 Nov 2007 09:07:23 +0800 +Subject: libcrc32c: keep intermediate crc state in cpu order +To: Greg KH +Cc: stable@kernel.org +Message-ID: <20071115010723.GA20904@gondor.apana.org.au> +Content-Disposition: inline + +From: Herbert Xu + +It's upstream changeset ef19454bd437b2ba14c9cda1de85debd9f383484. + +[LIB] crc32c: Keep intermediate crc state in cpu order + +crypto/crc32.c:chksum_final() is computing the digest as +*(__le32 *)out = ~cpu_to_le32(mctx->crc); +so the low-level crc32c_le routines should just keep +the crc in cpu order, otherwise it is getting swabbed +one too many times on big-endian machines. + +Signed-off-by: Benny Halevy +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + lib/libcrc32c.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/lib/libcrc32c.c ++++ b/lib/libcrc32c.c +@@ -33,7 +33,6 @@ + #include + #include + #include +-#include + + MODULE_AUTHOR("Clay Haapala "); + MODULE_DESCRIPTION("CRC32c (Castagnoli) calculations"); +@@ -161,15 +160,13 @@ static const u32 crc32c_table[256] = { + */ + + u32 __attribute_pure__ +-crc32c_le(u32 seed, unsigned char const *data, size_t length) ++crc32c_le(u32 crc, unsigned char const *data, size_t length) + { +- u32 crc = __cpu_to_le32(seed); +- + while (length--) + crc = + crc32c_table[(crc ^ *data++) & 0xFFL] ^ (crc >> 8); + +- return __le32_to_cpu(crc); ++ return crc; + } + + #endif /* CRC_LE_BITS == 8 */ diff --git a/queue-2.6.22/nf_nat-fix-memset-error.patch b/queue-2.6.22/nf_nat-fix-memset-error.patch new file mode 100644 index 00000000000..37312d5eb90 --- /dev/null 
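Review bot: The contract of `crc32c_le()` changes from "takes and returns a little-endian value" to "takes and returns the running crc in CPU order", but the kernel-doc block whose closing `*/` is the first context line of the hunk (its text is outside this view) presumably still describes a `seed` parameter; it should be reworded to say that the state is kept in CPU byte order and that the single `cpu_to_le32` is the caller's job (crypto's chksum_final, per the commit message). Any other in-tree caller that pre-swapped its seed or post-swapped the result to compensate for the old behaviour would now be swapped one time too many on big-endian machines, so the callers in the 2.6.22 tree should be checked before this is queued, since the stable tree may not carry the same users as mainline.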
+++ b/queue-2.6.22/nf_nat-fix-memset-error.patch @@ -0,0 +1,43 @@ +From stable-bounces@linux.kernel.org Wed Nov 28 00:56:55 2007 +From: Li Zefan +Date: Wed, 28 Nov 2007 09:56:27 +0100 +Subject: nf_nat: fix memset error +To: stable@kernel.org +Cc: Netfilter Development Mailinglist , "David S. Miller" +Message-ID: <474D2D3B.5030909@trash.net> + +From: Li Zefan + +This patch fixes an incorrect memset in the NAT code, causing +misbehaviour when unloading and reloading the NAT module. +Applies to stable-2.6.22 and stable-2.6.23. + +Please apply, thanks. +[NETFILTER]: nf_nat: fix memset error + +Upstream commit e0bf9cf15fc30d300b7fbd821c6bc975531fab44 + +The size passing to memset is the size of a pointer. Fixes +misbehaviour when unloading and reloading the NAT module. + +Signed-off-by: Li Zefan +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + + +--- + net/ipv4/netfilter/nf_nat_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/netfilter/nf_nat_core.c ++++ b/net/ipv4/netfilter/nf_nat_core.c +@@ -633,7 +633,7 @@ static int clean_nat(struct nf_conn *i, + + if (!nat) + return 0; +- memset(nat, 0, sizeof(nat)); ++ memset(nat, 0, sizeof(*nat)); + i->status &= ~(IPS_NAT_MASK | IPS_NAT_DONE_MASK | IPS_SEQ_ADJUST); + return 0; + } diff --git a/queue-2.6.22/series b/queue-2.6.22/series index ad601d18993..dce9123ccdd 100644 --- a/queue-2.6.22/series +++ b/queue-2.6.22/series 
@@ -1,2 +1,15 @@ atl1-disable-broken-64-bit-dma.patch rd-fix-data-corruption-on-memory-pressure.patch +wait_task_stopped-pass-correct-exit_code-to-wait_noreap_copyout.patch +usb-make-the-microtek-driver-and-hal-cooperate.patch +usb-fix-up-ehci-startup-synchronization.patch +tmpfs-restore-missing-clear_highpage.patch +nf_nat-fix-memset-error.patch +libcrc32c-keep-intermediate-crc-state-in-cpu-order.patch +isdn-avoid-copying-overly-long-strings.patch +i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch +hrtimers-avoid-overflow-for-large-relative-timeouts.patch +futex-fix-for-futex_wait-signal-stack-corruption.patch +forcedeth-new-mcp79-pci-ids.patch +forcedeth-boot-delay-fix.patch +fb_ddc-fix-ddc-lines-quirk.patch diff --git a/queue-2.6.22/tmpfs-restore-missing-clear_highpage.patch b/queue-2.6.22/tmpfs-restore-missing-clear_highpage.patch new file mode 100644 index 00000000000..baf36eb7a72 --- /dev/null +++ b/queue-2.6.22/tmpfs-restore-missing-clear_highpage.patch 
@@ -0,0 +1,52 @@ +From stable-bounces@linux.kernel.org Wed Nov 28 10:56:26 2007 +From: Hugh Dickins +Date: Wed, 28 Nov 2007 18:55:10 +0000 (GMT) +Subject: tmpfs: restore missing clear_highpage +To: Linus Torvalds +Cc: linux-kernel@vger.kernel.org, Andrew Morton , Adrian Bunk , Willy Tarreau , stable@kernel.org +Message-ID: + +From: Hugh Dickins + +patch e84e2e132c9c66d8498e7710d4ea532d1feaaac5 in mainline + +tmpfs was misconverted to __GFP_ZERO in 2.6.11. There's an unusual case in +which shmem_getpage receives the page from its caller instead of allocating. +We must cover this case by clear_highpage before SetPageUptodate, as before. + +Signed-off-by: Hugh Dickins +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/shmem.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -1066,7 +1066,7 @@ shmem_alloc_page(gfp_t gfp, struct shmem + pvma.vm_policy = mpol_shared_policy_lookup(&info->policy, idx); + pvma.vm_pgoff = idx; + pvma.vm_end = PAGE_SIZE; +- page = alloc_page_vma(gfp | __GFP_ZERO, &pvma, 0); ++ page = alloc_page_vma(gfp, &pvma, 0); + mpol_free(pvma.vm_policy); + return page; + } +@@ -1086,7 +1086,7 @@ shmem_swapin(struct shmem_inode_info *in + static inline struct page * + shmem_alloc_page(gfp_t gfp,struct shmem_inode_info *info, unsigned long idx) + { +- return alloc_page(gfp | __GFP_ZERO); ++ return alloc_page(gfp); + } + #endif + +@@ -1295,6 +1295,7 @@ repeat: + + info->alloced++; + spin_unlock(&info->lock); ++ clear_highpage(filepage); + flush_dcache_page(filepage); + SetPageUptodate(filepage); + } diff --git a/queue-2.6.22/usb-fix-up-ehci-startup-synchronization.patch b/queue-2.6.22/usb-fix-up-ehci-startup-synchronization.patch new file mode 100644 index 00000000000..48bb06a2dcf --- /dev/null +++ b/queue-2.6.22/usb-fix-up-ehci-startup-synchronization.patch 
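Review bot: The new `clear_highpage(filepage)` is what keeps a caller-supplied page from being published with whatever it previously held: once `SetPageUptodate` runs, the page's contents become readable through the file, so the clear must remain ahead of it (it is, and ahead of `flush_dcache_page`, which is the correct order for the cache flush to cover the zeroing). Because shmem_alloc_page no longer passes `__GFP_ZERO`, every path that marks a new page uptodate must now reach this clear; shmem_getpage continues outside the hunk, so that cannot be fully verified here. A why-comment would protect the ordering from a later refactor: `/* filepage may have come from the caller rather than a zeroed allocation: clear it before it becomes Uptodate */`.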
@@ -0,0 +1,48 @@ +From stable-bounces@linux.kernel.org Wed Nov 28 14:52:46 2007 +From: David Brownell +Date: Wed, 28 Nov 2007 14:50:03 -0800 +Subject: USB: fix up EHCI startup synchronization +To: linux-usb@vger.kernel.org +Cc: David Brownell , Greg Kroah-Hartman , stable , David Brownell , Alan Stern , Dely Sy , Dave Miller +Message-ID: <1196290207-28564-21-git-send-email-gregkh@suse.de> + + +From: David Brownell + +patch 1cb52658b4f5b10a9e91f8e1c21ca2bcc1b9a3ca in mainline. + +A recent patch added software synchronization during EHCI startup, +so ports aren't switched away from the companion controllers after +resets have started. This patch adds a short delay letting hardware +finish that port switching before any new resets begin ... so both +ends of that hardware race window are closed. + +Signed-off-by: David Brownell +Cc: Dave Miller +Cc: Dely Sy +Cc: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-hcd.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/ehci-hcd.c ++++ b/drivers/usb/host/ehci-hcd.c +@@ -571,12 +571,15 @@ static int ehci_run (struct usb_hcd *hcd + * from the companions to the EHCI controller. If any of the + * companions are in the middle of a port reset at the time, it + * could cause trouble. Write-locking ehci_cf_port_reset_rwsem +- * guarantees that no resets are in progress. ++ * guarantees that no resets are in progress. After we set CF, ++ * a short delay lets the hardware catch up; new resets shouldn't ++ * be started before the port switching actions could complete. + */ + down_write(&ehci_cf_port_reset_rwsem); + hcd->state = HC_STATE_RUNNING; + ehci_writel(ehci, FLAG_CF, &ehci->regs->configured_flag); + ehci_readl(ehci, &ehci->regs->command); /* unblock posted writes */ ++ msleep(5); + up_write(&ehci_cf_port_reset_rwsem); + + temp = HC_VERSION(ehci_readl(ehci, &ehci->caps->hc_capbase)); 
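Review bot: The `msleep(5)` is deliberately held under the `ehci_cf_port_reset_rwsem` write lock so that no companion reset can start during the settle window, and the expanded comment says so, but the 5 ms figure itself is a bare constant with no stated origin; naming it (e.g. a `#define` next to the other EHCI timing constants) or adding "per the port-switch settling time observed on affected controllers" to the comment would tell the next maintainer whether it can be changed. Note also that on HZ=100 kernels `msleep(5)` rounds up to a jiffy or two, which is presumably acceptable since this runs once at host-controller start.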
diff --git a/queue-2.6.22/usb-make-the-microtek-driver-and-hal-cooperate.patch b/queue-2.6.22/usb-make-the-microtek-driver-and-hal-cooperate.patch new file mode 100644 index 00000000000..d9e4c8902b5 --- /dev/null +++ b/queue-2.6.22/usb-make-the-microtek-driver-and-hal-cooperate.patch @@ -0,0 +1,34 @@ +From stable-bounces@linux.kernel.org Wed Nov 28 14:52:43 2007 +From: Oliver Neukum +Date: Wed, 28 Nov 2007 14:50:02 -0800 +Subject: USB: make the microtek driver and HAL cooperate +To: linux-usb@vger.kernel.org +Cc: Oliver Neukum , Oliver Neukum , stable , Greg Kroah-Hartman +Message-ID: <1196290207-28564-20-git-send-email-gregkh@suse.de> + + +From: Oliver Neukum + +patch 5cf1973a44bd298e3cfce6f6af8faa8c9d0a6d55 in mainline + +to make HAL like the microtek driver's devices the parent must be +correctly set. + +Signed-off-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/image/microtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/image/microtek.c ++++ b/drivers/usb/image/microtek.c +@@ -823,7 +823,7 @@ static int mts_usb_probe(struct usb_inte + goto out_kfree2; + + new_desc->host->hostdata[0] = (unsigned long)new_desc; +- if (scsi_add_host(new_desc->host, NULL)) { ++ if (scsi_add_host(new_desc->host, &dev->dev)) { + err_retval = -EIO; + goto out_host_put; + } diff --git a/queue-2.6.22/wait_task_stopped-pass-correct-exit_code-to-wait_noreap_copyout.patch b/queue-2.6.22/wait_task_stopped-pass-correct-exit_code-to-wait_noreap_copyout.patch new file mode 100644 index 00000000000..25abcf72f9d --- /dev/null +++ b/queue-2.6.22/wait_task_stopped-pass-correct-exit_code-to-wait_noreap_copyout.patch 
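Review bot: `&dev->dev` makes the USB device the sysfs parent of the SCSI host, whereas usb-storage parents its host at the interface (`&intf->dev`), and the difference is visible to HAL/udev as the device path. If the interface pointer is in scope in mts_usb_probe (its signature is outside the hunk), consider whether the interface is the intended parent, so that the host's sysfs lifetime follows the interface binding that the driver actually owns rather than the whole device; if `&dev->dev` is deliberate, a short comment saying why would prevent a later "fix" to match usb-storage.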
@@ -0,0 +1,47 @@ +From stable-bounces@linux.kernel.org Wed Nov 28 16:27:42 2007 +From: Scott James Remnant +Date: Wed, 28 Nov 2007 16:22:07 -0800 +Subject: wait_task_stopped(): pass correct exit_code to wait_noreap_copyout() +To: torvalds@linux-foundation.org +Cc: stable@kernel.org, akpm@linux-foundation.org, oleg@tv-sign.ru, roland@redhat.com, scott@ubuntu.com +Message-ID: <200711290022.lAT0M7kw026781@imap1.linux-foundation.org> + + +From: Scott James Remnant + +patch e6ceb32aa25fc33f21af84cc7a32fe289b3e860c in mainline. + +In wait_task_stopped() exit_code already contains the right value for the +si_status member of siginfo, and this is simply set in the non WNOWAIT +case. + +If you call waitid() with a stopped or traced process, you'll get the signal +in siginfo.si_status as expected -- however if you call waitid(WNOWAIT) at the +same time, you'll get the signal << 8 | 0x7f + +Pass it unchanged to wait_noreap_copyout(); we would only need to shift it +and add 0x7f if we were returning it in the user status field and that +isn't used for any function that permits WNOWAIT. + +Signed-off-by: Scott James Remnant +Signed-off-by: Oleg Nesterov +Cc: Roland McGrath +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/exit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -1339,7 +1339,7 @@ static int wait_task_stopped(struct task + if (unlikely(!exit_code) || unlikely(p->exit_state)) + goto bail_ref; + return wait_noreap_copyout(p, pid, uid, +- why, (exit_code << 8) | 0x7f, ++ why, exit_code, + infop, ru); + } + -- 2.47.3
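Review bot: The reason the bare `exit_code` is correct here — `si_status` carries the stop signal itself, while the `(sig << 8) | 0x7f` encoding belongs only to the user status word, which no WNOWAIT caller receives — lives solely in the commit message; a comment at the call such as `/* si_status takes the bare signal; the <<8|0x7f status encoding is not returned to WNOWAIT callers */` would stop the shift from being reintroduced by someone pattern-matching the non-WNOWAIT path. wait_task_stopped begins and ends outside the hunk, so the non-WNOWAIT branch referenced by the message is not visible here.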