From: Greg Kroah-Hartman Date: Tue, 29 Apr 2008 18:51:08 +0000 (-0700) Subject: start 2.6.24 review cycle X-Git-Tag: v2.6.25.1~3 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=75d5d102be039d3e54fda2bb3b8446d5334cbeec;p=thirdparty%2Fkernel%2Fstable-queue.git start 2.6.24 review cycle --- diff --git a/queue-2.6.24/fix-oops-on-rmmod-capidrv.patch b/review-2.6.24/fix-oops-on-rmmod-capidrv.patch similarity index 100% rename from queue-2.6.24/fix-oops-on-rmmod-capidrv.patch rename to review-2.6.24/fix-oops-on-rmmod-capidrv.patch diff --git a/queue-2.6.24/increase-the-max_burst-threshold-from-3-to-tp-reordering.patch b/review-2.6.24/increase-the-max_burst-threshold-from-3-to-tp-reordering.patch similarity index 91% rename from queue-2.6.24/increase-the-max_burst-threshold-from-3-to-tp-reordering.patch rename to review-2.6.24/increase-the-max_burst-threshold-from-3-to-tp-reordering.patch index f2d0af40799..02aaf7e411a 100644 --- a/queue-2.6.24/increase-the-max_burst-threshold-from-3-to-tp-reordering.patch +++ b/review-2.6.24/increase-the-max_burst-threshold-from-3-to-tp-reordering.patch @@ -1,9 +1,9 @@ From 3c0390e1a6d8a5d0cdae57959f0be37a236b474d Mon Sep 17 00:00:00 2001 -From: John Heffner +From: John Heffner Date: Fri, 25 Apr 2008 01:43:57 -0700 Subject: [PATCH] [TCP]: Increase the max_burst threshold from 3 to tp->reordering. -From: John Heffner +From: John Heffner [ Upstream commit: dd9e0dda66ba38a2ddd1405ac279894260dc5c36 ] @@ -13,7 +13,7 @@ and an ack that fills the hole comes in. If the hole was greater than 3 packets, but less than tp->reordering, cwnd will shrink when it should not have. -Signed-off-by: John Heffner +Signed-off-by: John Heffner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman diff --git a/queue-2.6.24/isdn-do-not-validate-isdn-net-device-address-prior-to-interface-up.patch b/review-2.6.24/isdn-do-not-validate-isdn-net-device-address-prior-to-interface-up.patch similarity index 100% rename from queue-2.6.24/isdn-do-not-validate-isdn-net-device-address-prior-to-interface-up.patch rename to review-2.6.24/isdn-do-not-validate-isdn-net-device-address-prior-to-interface-up.patch diff --git a/queue-2.6.24/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch b/review-2.6.24/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch similarity index 100% rename from queue-2.6.24/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch rename to review-2.6.24/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch diff --git a/review-2.6.24/mbox b/review-2.6.24/mbox new file mode 100644 index 00000000000..3e25e236839 --- /dev/null +++ b/review-2.6.24/mbox @@ -0,0 +1,948 @@ +From gregkh@mini.kroah.org Tue Apr 29 11:46:55 2008 +Message-Id: <20080429184543.308594866@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 11:45:43 -0700 +Subject: [00/12] 2.6.24-stable review +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk +Content-Length: 1608 +Lines: 39 + +This is the start of the stable review cycle for the 2.6.24-stable release. +There are 12 patches in this series, all will be posted as a response +to this one. If anyone has any issues with these being applied, please +let us know. If anyone is a maintainer of the proper subsystem, and +wants to add a Signed-off-by: line to the patch, please respond with it. + +These patches are sent out with a number of different people on the +Cc: line. If you wish to be a reviewer, please email stable@kernel.org +to add your name to the list. If you want to be off the reviewer list, +also email us. + +Responses should be made by Thursday, May 1 16:00:00 UTC. Anything +received after that time might be too late. + +The whole patch series can be found in one patch at: + kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.24.6-rc1.gz +and the diffstat can be found below. + + +thanks, + +the -stable release team + + +------------------------ + + Makefile | 2 +- + arch/x86/kernel/io_apic_32.c | 1 + + drivers/isdn/capi/capidrv.c | 9 +++++---- + drivers/isdn/i4l/isdn_net.c | 1 + + drivers/media/video/cx88/cx88-cards.c | 4 ++++ + drivers/media/video/ivtv/ivtv-ioctl.c | 3 ++- + drivers/net/tehuti.c | 15 +++++++++++++++ + drivers/usb/gadget/ether.c | 1 + + drivers/usb/serial/usb-serial.c | 2 ++ + fs/jffs2/erase.c | 18 ++++++++---------- + fs/splice.c | 2 +- + include/net/tcp.h | 7 +++++-- + 12 files changed, 46 insertions(+), 19 deletions(-) + +From gregkh@mini.kroah.org Tue Apr 29 11:46:55 2008 +Message-Id: <20080429184655.516666423@mini.kroah.org> +References: <20080429184543.308594866@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 11:45:44 -0700 +Subject: [01/12] splice: use mapping_gfp_mask +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Hugh Dickins , + Jens Axboe , + Chris Wright +Content-Disposition: inline; filename=splice-use-mapping_gfp_mask.patch +Status: RO +Content-Length: 1079 +Lines: 34 + +2.6.24-stable review patch. If anyone has any objections, please let us know. + +------------------ + + +upstream commit: 4cd13504652d28e16bf186c6bb2bbb3725369383 + +The loop block driver is careful to mask __GFP_IO|__GFP_FS out of its +mapping_gfp_mask, to avoid hangs under memory pressure. But nowadays +it uses splice, usually going through __generic_file_splice_read. That +must use mapping_gfp_mask instead of GFP_KERNEL to avoid those hangs. + +Signed-off-by: Hugh Dickins +Cc: Jens Axboe +Cc: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +--- + fs/splice.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -314,7 +314,7 @@ __generic_file_splice_read(struct file * + break; + + error = add_to_page_cache_lru(page, mapping, index, +- GFP_KERNEL); ++ mapping_gfp_mask(mapping)); + if (unlikely(error)) { + page_cache_release(page); + if (error == -EEXIST) + +-- + +From gregkh@mini.kroah.org Tue Apr 29 11:46:55 2008 +Message-Id: <20080429184655.679543479@mini.kroah.org> +References: <20080429184543.308594866@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 11:45:45 -0700 +Subject: [02/12] fix oops on rmmod capidrv +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "Gerd v. Egidy" , + Karsten Keil +Content-Disposition: inline; filename=fix-oops-on-rmmod-capidrv.patch +Content-Length: 1224 +Lines: 48 + +2.6.24-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Karsten Keil + +commit eb36f4fc019835cecf0788907f6cab774508087b upstream. + +Fix overwriting the stack with the version string +(it is currently 10 bytes + zero) when unloading the +capidrv module. Safeguard against overwriting it +should the version string grow in the future. + +Should fix Kernel Bug Tracker Bug 9696. + +Signed-off-by: Gerd v. Egidy +Acked-by: Karsten Keil +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/isdn/capi/capidrv.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/isdn/capi/capidrv.c ++++ b/drivers/isdn/capi/capidrv.c +@@ -2332,13 +2332,14 @@ static int __init capidrv_init(void) + + static void __exit capidrv_exit(void) + { +- char rev[10]; ++ char rev[32]; + char *p; + + if ((p = strchr(revision, ':')) != 0) { +- strcpy(rev, p + 1); +- p = strchr(rev, '$'); +- *p = 0; ++ strncpy(rev, p + 1, sizeof(rev)); ++ rev[sizeof(rev)-1] = 0; ++ if ((p = strchr(rev, '$')) != 0) ++ *p = 0; + } else { + strcpy(rev, " ??? "); + } + +-- + +From gregkh@mini.kroah.org Tue Apr 29 11:46:56 2008 +Message-Id: <20080429184655.838367645@mini.kroah.org> +References: <20080429184543.308594866@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 11:45:46 -0700 +Subject: [03/12] x86: Fix 32-bit x86 MSI-X allocation leakage +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + netdev@vger.kernel.org, + Peter P Waskiewicz Jr +Content-Disposition: inline; filename=x86-fix-32-bit-x86-msi-x-allocation-leakage.patch +Content-Length: 1278 +Lines: 39 + +2.6.24-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: PJ Waskiewicz + +commit 9d9ad4b51d2b29b5bbeb4011f5e76f7538119cf9 upstream + +This bug was introduced in the 2.6.24 i386/x86_64 tree merge, where +MSI-X vector allocation will eventually fail. The cause is the new +bit array tracking used vectors is not getting cleared properly on +IRQ destruction on the 32-bit APIC code. + +This can be seen easily using the ixgbe 10 GbE driver on multi-core +systems by simply loading and unloading the driver a few times. +Depending on the number of available vectors on the host system, the +MSI-X allocation will eventually fail, and the driver will only be +able to use legacy interrupts. + +Signed-off-by: Peter P Waskiewicz Jr +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/io_apic_32.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kernel/io_apic_32.c ++++ b/arch/x86/kernel/io_apic_32.c +@@ -2478,6 +2478,7 @@ void destroy_irq(unsigned int irq) + dynamic_irq_cleanup(irq); + + spin_lock_irqsave(&vector_lock, flags); ++ clear_bit(irq_vector[irq], used_vectors); + irq_vector[irq] = 0; + spin_unlock_irqrestore(&vector_lock, flags); + } + +-- + +From gregkh@mini.kroah.org Tue Apr 29 11:46:56 2008 +Message-Id: <20080429184656.026614266@mini.kroah.org> +References: <20080429184543.308594866@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 11:45:47 -0700 +Subject: [04/12] tehuti: check register size (CVE-2008-1675) +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Francois Romieu , + Jeff Garzik +Content-Disposition: inline; filename=tehuti-check-register-size.patch +Content-Length: 1457 +Lines: 54 + +2.6.24-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Francois Romieu + +Signed-off-by: Francois Romieu +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/tehuti.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/net/tehuti.c ++++ b/drivers/net/tehuti.c +@@ -625,6 +625,12 @@ static void __init bdx_firmware_endianes + s_firmLoad[i] = CPU_CHIP_SWAP32(s_firmLoad[i]); + } + ++static int bdx_range_check(struct bdx_priv *priv, u32 offset) ++{ ++ return (offset > (u32) (BDX_REGS_SIZE / priv->nic->port_num)) ? ++ -EINVAL : 0; ++} ++ + static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd) + { + struct bdx_priv *priv = ndev->priv; +@@ -646,6 +652,9 @@ static int bdx_ioctl_priv(struct net_dev + switch (data[0]) { + + case BDX_OP_READ: ++ error = bdx_range_check(priv, data[1]); ++ if (error < 0) ++ return error; + data[2] = READ_REG(priv, data[1]); + DBG("read_reg(0x%x)=0x%x (dec %d)\n", data[1], data[2], + data[2]); +@@ -655,6 +664,11 @@ static int bdx_ioctl_priv(struct net_dev + break; + + case BDX_OP_WRITE: ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ error = bdx_range_check(priv, data[1]); ++ if (error < 0) ++ return error; + WRITE_REG(priv, data[1], data[2]); + DBG("write_reg(0x%x, 0x%x)\n", data[1], data[2]); + break; + +-- + +From gregkh@mini.kroah.org Tue Apr 29 11:46:56 2008 +Message-Id: <20080429184656.186128254@mini.kroah.org> +References: <20080429184543.308594866@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 11:45:48 -0700 +Subject: [05/12] tehuti: move ioctl perm check closer to function start (CVE-2008-1675) +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jeff Garzik +Content-Disposition: inline; filename=tehuti-move-ioctl-perm-check-closer-to-function-start.patch +Content-Length: 900 +Lines: 41 + +2.6.24-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Jeff Garzik + +Commit f946dffed6334f08da065a89ed65026ebf8b33b4 upstream + +Noticed by davem. + +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/tehuti.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/tehuti.c ++++ b/drivers/net/tehuti.c +@@ -649,6 +649,9 @@ static int bdx_ioctl_priv(struct net_dev + DBG("%d 0x%x 0x%x\n", data[0], data[1], data[2]); + } + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + switch (data[0]) { + + case BDX_OP_READ: +@@ -664,8 +667,6 @@ static int bdx_ioctl_priv(struct net_dev + break; + + case BDX_OP_WRITE: +- if (!capable(CAP_NET_ADMIN)) +- return -EPERM; + error = bdx_range_check(priv, data[1]); + if (error < 0) + return error; + +-- + +From gregkh@mini.kroah.org Tue Apr 29 11:46:56 2008 +Message-Id: <20080429184656.348887278@mini.kroah.org> +References: <20080429184543.308594866@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 11:45:49 -0700 +Subject: [06/12] USB: gadget: queue usb USB_CDC_GET_ENCAPSULATED_RESPONSE message +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Benedikt Spranger , + Jan Altenberg , + David Brownell , + Vernon Sauder +Content-Disposition: inline; filename=usb-gadget-queue-usb-usb_cdc_get_encapsulated_response-message.patch +Content-Length: 1100 +Lines: 36 + +2.6.24-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Jan Altenberg + +backport of 41566bcf35a8b23ce4715dadb5acfd1098c1d3e4 + +commit 0cf4f2de0a0f4100795f38ef894d4910678c74f8 introduced a bug, which +prevents sending an USB_CDC_GET_ENCAPSULATED_RESPONSE message. This +breaks the RNDIS initialization (especially / only Windoze machines +dislike this behavior...). + +Signed-off-by: Benedikt Spranger +Signed-off-by: Jan Altenberg +Acked-by: David Brownell +Cc: Vernon Sauder +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/ether.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/ether.c ++++ b/drivers/usb/gadget/ether.c +@@ -1561,6 +1561,7 @@ done_set_intf: + memcpy(req->buf, buf, n); + req->complete = rndis_response_complete; + rndis_free_response(dev->rndis_config, buf); ++ value = n; + } + /* else stalls ... spec says to avoid that */ + } + +-- + +From gregkh@mini.kroah.org Tue Apr 29 11:46:56 2008 +Message-Id: <20080429184656.512140010@mini.kroah.org> +References: <20080429184543.308594866@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 11:45:50 -0700 +Subject: [07/12] JFFS2: Fix free space leak with in-band cleanmarkers +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Martin Creutziger , + Damir Shayhutdinov , + linux-mtd , + David Woodhouse +Content-Disposition: inline; filename=jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch +Content-Length: 2445 +Lines: 74 + +2.6.24-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: David Woodhouse + +We were accounting for the cleanmarker by calling jffs2_link_node_ref() +(without locking!), which adjusted both superblock and per-eraseblock +accounting, subtracting the size of the cleanmarker from {jeb,c}->free_size +and adding it to {jeb,c}->used_size. + +But only _then_ were we adding the size of the newly-erased block back +to the superblock counts, and we were adding each of jeb->{free,used}_size +to the corresponding superblock counts. Thus, the size of the cleanmarker +was effectively subtracted from the superblock's free_size _twice_. + +Fix this, by always adding a full eraseblock size to c->free_size when +we've erased a block. And call jffs2_link_node_ref() under the proper +lock, while we're at it. + +Thanks to Alexander Yurchenko and/or Damir Shayhutdinov for (almost) +pinpointing the problem. + +[Backport of commit 014b164e1392a166fe96e003d2f0e7ad2e2a0bb7] + +Signed-off-by: David Woodhouse +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/erase.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +--- a/fs/jffs2/erase.c ++++ b/fs/jffs2/erase.c +@@ -419,9 +419,6 @@ static void jffs2_mark_erased_block(stru + if (jffs2_write_nand_cleanmarker(c, jeb)) + goto filebad; + } +- +- /* Everything else got zeroed before the erase */ +- jeb->free_size = c->sector_size; + } else { + + struct kvec vecs[1]; +@@ -449,18 +446,19 @@ static void jffs2_mark_erased_block(stru + + goto filebad; + } +- +- /* Everything else got zeroed before the erase */ +- jeb->free_size = c->sector_size; +- /* FIXME Special case for cleanmarker in empty block */ +- jffs2_link_node_ref(c, jeb, jeb->offset | REF_NORMAL, c->cleanmarker_size, NULL); + } ++ /* Everything else got zeroed before the erase */ ++ jeb->free_size = c->sector_size; + + down(&c->erase_free_sem); + spin_lock(&c->erase_completion_lock); ++ + c->erasing_size -= c->sector_size; +- c->free_size += jeb->free_size; +- c->used_size += jeb->used_size; ++ c->free_size += c->sector_size; ++ ++ /* Account for cleanmarker now, if it's in-band */ ++ if (c->cleanmarker_size && !jffs2_cleanmarker_oob(c)) ++ jffs2_link_node_ref(c, jeb, jeb->offset | REF_NORMAL, c->cleanmarker_size, NULL); + + jffs2_dbg_acct_sanity_check_nolock(c,jeb); + jffs2_dbg_acct_paranoia_check_nolock(c, jeb); + +-- + +From gregkh@mini.kroah.org Tue Apr 29 11:46:56 2008 +Message-Id: <20080429184656.677085904@mini.kroah.org> +References: <20080429184543.308594866@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 11:45:51 -0700 +Subject: [08/12] : Increase the max_burst threshold from 3 to tp->reordering. +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + John Heffner , + "David S. Miller" +Content-Disposition: inline; filename=increase-the-max_burst-threshold-from-3-to-tp-reordering.patch +Status: RO +Content-Length: 1457 +Lines: 44 + +2.6.24-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: John Heffner + +[ Upstream commit: dd9e0dda66ba38a2ddd1405ac279894260dc5c36 ] + +This change is necessary to allow cwnd to grow during persistent +reordering. Cwnd moderation is applied when in the disorder state +and an ack that fills the hole comes in. If the hole was greater +than 3 packets, but less than tp->reordering, cwnd will shrink when +it should not have. + +Signed-off-by: John Heffner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/tcp.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -775,11 +775,14 @@ extern void tcp_enter_cwr(struct sock *s + extern __u32 tcp_init_cwnd(struct tcp_sock *tp, struct dst_entry *dst); + + /* Slow start with delack produces 3 packets of burst, so that +- * it is safe "de facto". ++ * it is safe "de facto". This will be the default - same as ++ * the default reordering threshold - but if reordering increases, ++ * we must be able to allow cwnd to burst at least this much in order ++ * to not pull it back when holes are filled. + */ + static __inline__ __u32 tcp_max_burst(const struct tcp_sock *tp) + { +- return 3; ++ return tp->reordering; + } + + /* RFC2861 Check whether we are limited by application or congestion window + +-- + +From gregkh@mini.kroah.org Tue Apr 29 11:46:57 2008 +Message-Id: <20080429184656.908968098@mini.kroah.org> +References: <20080429184543.308594866@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 11:45:52 -0700 +Subject: [09/12] USB: remove broken usb-serial num_endpoints check +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jejb@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Oliver Neukum +Content-Disposition: inline; filename=usb-remove-broken-usb-serial-num_endpoints-check.patch +Content-Length: 1363 +Lines: 46 + +2.6.24-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Greg Kroah-Hartman + +commit: 07c3b1a1001614442c665570942a3107a722c314 + +The num_interrupt_in, num_bulk_in, and other checks in the usb-serial +code are just wrong, there are too many different devices out there with +different numbers of endpoints. We need to just be sticking with the +device ids instead of trying to catch this kind of thing. It broke too +many different devices. + +This fixes a large number of usb-serial devices to get them working +properly again. + + +Cc: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/usb-serial.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/usb-serial.c ++++ b/drivers/usb/serial/usb-serial.c +@@ -844,6 +844,7 @@ int usb_serial_probe(struct usb_interfac + serial->num_interrupt_in = num_interrupt_in; + serial->num_interrupt_out = num_interrupt_out; + ++#if 0 + /* check that the device meets the driver's requirements */ + if ((type->num_interrupt_in != NUM_DONT_CARE && + type->num_interrupt_in != num_interrupt_in) +@@ -857,6 +858,7 @@ int usb_serial_probe(struct usb_interfac + kfree(serial); + return -EIO; + } ++#endif + + /* found all that we need */ + dev_info(&interface->dev, "%s converter detected\n", + +-- + +From gregkh@mini.kroah.org Tue Apr 29 11:46:57 2008 +Message-Id: <20080429184657.099551818@mini.kroah.org> +References: <20080429184543.308594866@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 11:45:53 -0700 +Subject: [10/12] V4L: Fix VIDIOCGAP corruption in ivtv +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Alan Cox , + Hans Verkuil , + v4l-dvb maintainer list , + Mauro Carvalho Chehab +Content-Disposition: inline; filename=v4l-fix-vidiocgap-corruption-in-ivtv.patch +Content-Length: 1548 +Lines: 42 + + +2.6.24-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Alan Cox + +Frank Bennett reported that ivtv was causing skype to crash. With help +from one of their developers he showed it was a kernel problem. +VIDIOCGCAP copies a name into a fixed length buffer - ivtv uses names +that are too long and does not truncate them so corrupts a few bytes of +the app data area. + +Possibly the names also want trimming but for now this should fix the +corruption case. + +Signed-off-by: Alan Cox +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Michael Krufky +(cherry picked from commit d2b213f7b76f187c4391079c7581d3a08b940133) +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/ivtv/ivtv-ioctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/video/ivtv/ivtv-ioctl.c ++++ b/drivers/media/video/ivtv/ivtv-ioctl.c +@@ -727,7 +727,8 @@ int ivtv_v4l2_ioctls(struct ivtv *itv, s + + memset(vcap, 0, sizeof(*vcap)); + strcpy(vcap->driver, IVTV_DRIVER_NAME); /* driver name */ +- strcpy(vcap->card, itv->card_name); /* card type */ ++ strncpy(vcap->card, itv->card_name, ++ sizeof(vcap->card)-1); /* card type */ + strcpy(vcap->bus_info, pci_name(itv->dev)); /* bus info... */ + vcap->version = IVTV_DRIVER_VERSION; /* version */ + vcap->capabilities = itv->v4l2_cap; /* capabilities */ + +-- + +From gregkh@mini.kroah.org Tue Apr 29 11:46:57 2008 +Message-Id: <20080429184657.272630449@mini.kroah.org> +References: <20080429184543.308594866@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 11:45:54 -0700 +Subject: [11/12] V4L: cx88: enable radio GPIO correctly +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Steven Toth , + v4l-dvb maintainer list , + Mauro Carvalho Chehab +Content-Disposition: inline; filename=v4l-cx88-enable-radio-gpio-correctly.patch +Content-Length: 1242 +Lines: 40 + + +2.6.24-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Steven Toth + +This patch fixes an issue on the HVR1300, where GPIO is blown away due to +the radio input being undefined, breaking the functionality of the DVB +demodulator and MPEG2 encoder used on the cx8802 mpeg TS port. + +This is a minimal patch for 2.6.26 and the -stable series. This must be +fixed a better way for 2.6.27. + +Signed-off-by: Steven Toth +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Michael Krufky +(cherry picked from commit 6b92b3bd7ac91b7e255541f4be9bfd55b12dae41) +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/cx88/cx88-cards.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/video/cx88/cx88-cards.c ++++ b/drivers/media/video/cx88/cx88-cards.c +@@ -1349,6 +1349,10 @@ static const struct cx88_board cx88_boar + }}, + /* fixme: Add radio support */ + .mpeg = CX88_MPEG_DVB | CX88_MPEG_BLACKBIRD, ++ .radio = { ++ .type = CX88_RADIO, ++ .gpio0 = 0xe780, ++ }, + }, + [CX88_BOARD_ADSTECH_PTV_390] = { + .name = "ADS Tech Instant Video PCI", + +-- + +From gregkh@mini.kroah.org Tue Apr 29 11:46:57 2008 +Message-Id: <20080429184657.430059955@mini.kroah.org> +References: <20080429184543.308594866@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 11:45:55 -0700 +Subject: [12/12] ISDN: Do not validate ISDN net device address prior to interface-up +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Paul Bolle , + "David S. Miller" +Content-Disposition: inline; filename=isdn-do-not-validate-isdn-net-device-address-prior-to-interface-up.patch +Content-Length: 947 +Lines: 29 + +2.6.24-stable review patch. If anyone has any objections, please let us know. + +------------------ + +Commit bada339 (Validate device addr prior to interface-up) caused a regression +in the ISDN network code, see: http://bugzilla.kernel.org/show_bug.cgi?id=9923 +The trivial fix is to remove the pointer to eth_validate_addr() in the +net_device struct in isdn_net_init(). + +Signed-off-by: Paul Bolle +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/isdn/i4l/isdn_net.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/isdn/i4l/isdn_net.c ++++ b/drivers/isdn/i4l/isdn_net.c +@@ -2010,6 +2010,7 @@ isdn_net_init(struct net_device *ndev) + ndev->flags = IFF_NOARP|IFF_POINTOPOINT; + ndev->type = ARPHRD_ETHER; + ndev->addr_len = ETH_ALEN; ++ ndev->validate_addr = NULL; + + /* for clients with MPPP maybe higher values better */ + ndev->tx_queue_len = 30; + +-- + diff --git a/queue-2.6.24/series b/review-2.6.24/series similarity index 100% rename from queue-2.6.24/series rename to review-2.6.24/series diff --git a/queue-2.6.24/splice-use-mapping_gfp_mask.patch b/review-2.6.24/splice-use-mapping_gfp_mask.patch similarity index 100% rename from queue-2.6.24/splice-use-mapping_gfp_mask.patch rename to review-2.6.24/splice-use-mapping_gfp_mask.patch diff --git a/queue-2.6.24/tehuti-check-register-size.patch b/review-2.6.24/tehuti-check-register-size.patch similarity index 100% rename from queue-2.6.24/tehuti-check-register-size.patch rename to review-2.6.24/tehuti-check-register-size.patch diff --git a/queue-2.6.24/tehuti-move-ioctl-perm-check-closer-to-function-start.patch b/review-2.6.24/tehuti-move-ioctl-perm-check-closer-to-function-start.patch similarity index 100% rename from queue-2.6.24/tehuti-move-ioctl-perm-check-closer-to-function-start.patch rename to review-2.6.24/tehuti-move-ioctl-perm-check-closer-to-function-start.patch diff --git a/queue-2.6.24/usb-gadget-queue-usb-usb_cdc_get_encapsulated_response-message.patch b/review-2.6.24/usb-gadget-queue-usb-usb_cdc_get_encapsulated_response-message.patch similarity index 100% rename from queue-2.6.24/usb-gadget-queue-usb-usb_cdc_get_encapsulated_response-message.patch rename to review-2.6.24/usb-gadget-queue-usb-usb_cdc_get_encapsulated_response-message.patch diff --git a/queue-2.6.24/usb-remove-broken-usb-serial-num_endpoints-check.patch b/review-2.6.24/usb-remove-broken-usb-serial-num_endpoints-check.patch similarity index 100% rename from queue-2.6.24/usb-remove-broken-usb-serial-num_endpoints-check.patch rename to review-2.6.24/usb-remove-broken-usb-serial-num_endpoints-check.patch diff --git a/queue-2.6.24/v4l-cx88-enable-radio-gpio-correctly.patch b/review-2.6.24/v4l-cx88-enable-radio-gpio-correctly.patch similarity index 100% rename from queue-2.6.24/v4l-cx88-enable-radio-gpio-correctly.patch rename to review-2.6.24/v4l-cx88-enable-radio-gpio-correctly.patch diff --git a/queue-2.6.24/v4l-fix-vidiocgap-corruption-in-ivtv.patch b/review-2.6.24/v4l-fix-vidiocgap-corruption-in-ivtv.patch similarity index 100% rename from queue-2.6.24/v4l-fix-vidiocgap-corruption-in-ivtv.patch rename to review-2.6.24/v4l-fix-vidiocgap-corruption-in-ivtv.patch diff --git a/queue-2.6.24/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch b/review-2.6.24/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch similarity index 100% rename from queue-2.6.24/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch rename to review-2.6.24/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch