2006-09-06 23:14:48

by Greg KH

Subject: [patch 00/37] -stable review

This is the start of the stable review cycle for the next 2.6.17.y release.
There are 37 patches in this series, all will be posted as a response to
this one. If anyone has any issues with these being applied, please let
us know. If anyone is a maintainer of the proper subsystem, and wants
to add a Signed-off-by: line to the patch, please respond with it.

These patches are sent out with a number of different people on the Cc:
line. If you wish to be a reviewer, please email [email protected] to
add your name to the list. If you want to be off the reviewer list,
also email us.

Responses should be made by Fri Sep 8 22:00:00 UTC. Anything received
after that time might be too late.

Full patch of this whole series is available at:
http://www.kernel.org/pub/linux/kernel/people/gregkh/stable/patch-2.6.17.12-rc1.gz
if you wish to test it out and make sure nothing is broken on your
architecture or system.

thanks,

greg k-h


2006-09-06 23:00:53

by Greg KH

Subject: [patch 10/37] dm: move idr_pre_get

-stable review patch. If anyone has any objections, please let us know.

------------------

From: Jeff Mahoney <[email protected]>

idr_pre_get() can sleep while allocating memory.

The next patch will change _minor_lock into a spinlock, so this patch moves
idr_pre_get() outside the lock in preparation.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Jeff Mahoney <[email protected]>
Signed-off-by: Alasdair G Kergon <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/md/dm.c | 23 +++++++++--------------
1 file changed, 9 insertions(+), 14 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm.c
+++ linux-2.6.17.11/drivers/md/dm.c
@@ -766,6 +766,10 @@ static int specific_minor(struct mapped_
if (minor >= (1 << MINORBITS))
return -EINVAL;

+ r = idr_pre_get(&_minor_idr, GFP_KERNEL);
+ if (!r)
+ return -ENOMEM;
+
mutex_lock(&_minor_lock);

if (idr_find(&_minor_idr, minor)) {
@@ -773,16 +777,9 @@ static int specific_minor(struct mapped_
goto out;
}

- r = idr_pre_get(&_minor_idr, GFP_KERNEL);
- if (!r) {
- r = -ENOMEM;
- goto out;
- }
-
r = idr_get_new_above(&_minor_idr, MINOR_ALLOCED, minor, &m);
- if (r) {
+ if (r)
goto out;
- }

if (m != minor) {
idr_remove(&_minor_idr, m);
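
Review bot: the `if (r) goto out;` after idr_get_new_above() treats every non-zero return as final, but with idr_pre_get() now called before _minor_lock is taken, a concurrent caller of specific_minor() or next_free_minor() can use up the preallocated memory on the shared _minor_idr in between, and the allocation then fails with -EAGAIN. Consider retrying idr_pre_get() on -EAGAIN, here and after idr_get_new() in next_free_minor(), or at least mapping it to -ENOMEM so a transient race does not reach the caller as an unexpected error code.
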
@@ -800,13 +797,11 @@ static int next_free_minor(struct mapped
int r;
unsigned int m;

- mutex_lock(&_minor_lock);
-
r = idr_pre_get(&_minor_idr, GFP_KERNEL);
- if (!r) {
- r = -ENOMEM;
- goto out;
- }
+ if (!r)
+ return -ENOMEM;
+
+ mutex_lock(&_minor_lock);

r = idr_get_new(&_minor_idr, MINOR_ALLOCED, &m);
if (r) {

--

2006-09-06 23:01:20

by Greg KH

Subject: [patch 05/37] bridge-netfilter: dont overwrite memory outside of skb

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <[email protected]>

The bridge netfilter code needs to check for space at the
front of the skb before overwriting; otherwise if skb from
device doesn't have headroom, then it will cause random
memory corruption.

Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
include/linux/netfilter_bridge.h | 16 ++++++++++++----
net/bridge/br_forward.c | 10 +++++++---
2 files changed, 19 insertions(+), 7 deletions(-)

--- linux-2.6.17.11.orig/include/linux/netfilter_bridge.h
+++ linux-2.6.17.11/include/linux/netfilter_bridge.h
@@ -47,18 +47,26 @@ enum nf_br_hook_priorities {
#define BRNF_BRIDGED 0x08
#define BRNF_NF_BRIDGE_PREROUTING 0x10

-
/* Only used in br_forward.c */
-static inline
-void nf_bridge_maybe_copy_header(struct sk_buff *skb)
+static inline int nf_bridge_maybe_copy_header(struct sk_buff *skb)
{
+ int err;
+
if (skb->nf_bridge) {
if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
+ err = skb_cow(skb, 18);
+ if (err)
+ return err;
memcpy(skb->data - 18, skb->nf_bridge->data, 18);
skb_push(skb, 4);
- } else
+ } else {
+ err = skb_cow(skb, 16);
+ if (err)
+ return err;
memcpy(skb->data - 16, skb->nf_bridge->data, 16);
+ }
}
+ return 0;
}

/* This is called by the IP fragmenting code and it ensures there is
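
Review bot: the header lengths 18 and 16 in nf_bridge_maybe_copy_header() are each written twice now, once in skb_cow() and once in memcpy(), and the two must stay in step for the headroom check to mean anything. A local variable or named constant for the length in each branch would make that explicit. The new int return also deserves a line in the comment above the function saying that a non-zero value means skb_cow() failed and the header was not copied.
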
--- linux-2.6.17.11.orig/net/bridge/br_forward.c
+++ linux-2.6.17.11/net/bridge/br_forward.c
@@ -43,11 +43,15 @@ int br_dev_queue_push_xmit(struct sk_buf
else {
#ifdef CONFIG_BRIDGE_NETFILTER
/* ip_refrag calls ip_fragment, doesn't copy the MAC header. */
- nf_bridge_maybe_copy_header(skb);
+ if (nf_bridge_maybe_copy_header(skb))
+ kfree_skb(skb);
+ else
#endif
- skb_push(skb, ETH_HLEN);
+ {
+ skb_push(skb, ETH_HLEN);

- dev_queue_xmit(skb);
+ dev_queue_xmit(skb);
+ }
}

return 0;
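
Review bot: in br_dev_queue_push_xmit() the `else` placed just before `#endif` makes the braces that follow an else-branch with CONFIG_BRIDGE_NETFILTER and a bare block without it, which is easy to break in a later edit. Restructuring so the failure case is a plain early exit inside the #ifdef would read better. The function also still falls through to `return 0;` after kfree_skb(skb), so the drop is silent to the caller; if that is intended, a short comment saying so would help.
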

--

2006-09-06 23:00:54

by Greg KH

Subject: [patch 11/37] dm: change minor_lock to spinlock

-stable review patch. If anyone has any objections, please let us know.

------------------

From: Jeff Mahoney <[email protected]>

While removing a device, another thread might attempt to resurrect it.

This patch replaces the _minor_lock mutex with a spinlock and uses
atomic_dec_and_lock() to serialize reference counting in dm_put().

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Jeff Mahoney <[email protected]>
Signed-off-by: Alasdair G Kergon <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/md/dm.c | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm.c
+++ linux-2.6.17.11/drivers/md/dm.c
@@ -26,6 +26,7 @@ static const char *_name = DM_NAME;
static unsigned int major = 0;
static unsigned int _major = 0;

+static DEFINE_SPINLOCK(_minor_lock);
/*
* One of these is allocated per bio.
*/
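
Review bot: `static DEFINE_SPINLOCK(_minor_lock);` lands directly above the "One of these is allocated per bio" comment with no blank line, so it reads as if that comment describes the lock. Add a blank line after the definition and a one-line comment stating what _minor_lock protects: the _minor_idr and, with this patch, the final drop of md->holders in dm_put().
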
@@ -746,14 +747,13 @@ static int dm_any_congested(void *conges
/*-----------------------------------------------------------------
* An IDR is used to keep track of allocated minor numbers.
*---------------------------------------------------------------*/
-static DEFINE_MUTEX(_minor_lock);
static DEFINE_IDR(_minor_idr);

static void free_minor(unsigned int minor)
{
- mutex_lock(&_minor_lock);
+ spin_lock(&_minor_lock);
idr_remove(&_minor_idr, minor);
- mutex_unlock(&_minor_lock);
+ spin_unlock(&_minor_lock);
}

/*
@@ -770,7 +770,7 @@ static int specific_minor(struct mapped_
if (!r)
return -ENOMEM;

- mutex_lock(&_minor_lock);
+ spin_lock(&_minor_lock);

if (idr_find(&_minor_idr, minor)) {
r = -EBUSY;
@@ -788,7 +788,7 @@ static int specific_minor(struct mapped_
}

out:
- mutex_unlock(&_minor_lock);
+ spin_unlock(&_minor_lock);
return r;
}

@@ -801,7 +801,7 @@ static int next_free_minor(struct mapped
if (!r)
return -ENOMEM;

- mutex_lock(&_minor_lock);
+ spin_lock(&_minor_lock);

r = idr_get_new(&_minor_idr, MINOR_ALLOCED, &m);
if (r) {
@@ -817,7 +817,7 @@ static int next_free_minor(struct mapped
*minor = m;

out:
- mutex_unlock(&_minor_lock);
+ spin_unlock(&_minor_lock);
return r;
}

@@ -887,9 +887,9 @@ static struct mapped_device *alloc_dev(u
init_waitqueue_head(&md->eventq);

/* Populate the mapping, nobody knows we exist yet */
- mutex_lock(&_minor_lock);
+ spin_lock(&_minor_lock);
old_md = idr_replace(&_minor_idr, md, minor);
- mutex_unlock(&_minor_lock);
+ spin_unlock(&_minor_lock);

BUG_ON(old_md != MINOR_ALLOCED);

@@ -1020,13 +1020,13 @@ static struct mapped_device *dm_find_md(
if (MAJOR(dev) != _major || minor >= (1 << MINORBITS))
return NULL;

- mutex_lock(&_minor_lock);
+ spin_lock(&_minor_lock);

md = idr_find(&_minor_idr, minor);
if (md && (md == MINOR_ALLOCED || (dm_disk(md)->first_minor != minor)))
md = NULL;

- mutex_unlock(&_minor_lock);
+ spin_unlock(&_minor_lock);

return md;
}
@@ -1060,11 +1060,10 @@ void dm_put(struct mapped_device *md)
{
struct dm_table *map;

- if (atomic_dec_and_test(&md->holders)) {
+ if (atomic_dec_and_lock(&md->holders, &_minor_lock)) {
map = dm_get_table(md);
- mutex_lock(&_minor_lock);
idr_replace(&_minor_idr, MINOR_ALLOCED, dm_disk(md)->first_minor);
- mutex_unlock(&_minor_lock);
+ spin_unlock(&_minor_lock);
if (!dm_suspended(md)) {
dm_table_presuspend_targets(map);
dm_table_postsuspend_targets(map);
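
Review bot: in dm_put(), `map = dm_get_table(md);` now runs with _minor_lock held, because atomic_dec_and_lock() returns with the spinlock taken. Anything called in that window must not sleep. Consider moving the dm_get_table() call below spin_unlock(&_minor_lock) so the critical section covers only the idr_replace(), or add a comment stating that dm_get_table() is safe under a spinlock.
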

--

2006-09-06 23:01:33

by Greg KH

Subject: [patch 04/37] fix compilation error on IA64

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Fernando Vazquez <[email protected]>

The commit 8833ebaa3f4325820fe3338ccf6fae04f6669254 introduced a change that broke
IA64 compilation as shown below:

gcc -Wp,-MD,arch/ia64/kernel/.entry.o.d -nostdinc -isystem /usr/lib/gcc/ia64-linux-gnu/4.1.2/include -D__KERNEL__ -Iinclude -include include/linux/autoconf.h -DHAVE_WORKING_TEXT_ALIGN -DHAVE_MODEL_SMALL_ATTRIBUTE -DHAVE_SERIALIZE_DIRECTIVE -D__ASSEMBLY__ -mconstant-gp -c -o arch/ia64/kernel/entry.o arch/ia64/kernel/entry.S
include/asm/mman.h: Assembler messages:
include/asm/mman.h:13: Error: Unknown opcode `int ia64_map_check_rgn(unsigned long addr,unsigned long len,'
include/asm/mman.h:14: Error: Unknown opcode `unsigned long flags)'
make[1]: *** [arch/ia64/kernel/entry.o] Error 1
make: *** [arch/ia64/kernel] Error 2

The reason is that "asm/mman.h" is being included from entry.S indirectly through
"asm/pgtable.h" (see code snips below).

* arch/ia64/kernel/entry.S:
...
#include <asm/pgtable.h>
...

* include/asm-ia64/pgtable.h:
...
#include <asm/mman.h>
...

* include/asm-ia64/mman.h
...
#ifdef __KERNEL__
#define arch_mmap_check ia64_map_check_rgn
int ia64_map_check_rgn(unsigned long addr, unsigned long len,
unsigned long flags);
#endif
...

Signed-off-by: Fernando Vazquez <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
include/asm-ia64/mman.h | 2 ++
1 file changed, 2 insertions(+)

--- linux-2.6.17.11.orig/include/asm-ia64/mman.h
+++ linux-2.6.17.11/include/asm-ia64/mman.h
@@ -9,10 +9,12 @@
*/

#ifdef __KERNEL__
+#ifndef __ASSEMBLY__
#define arch_mmap_check ia64_map_check_rgn
int ia64_map_check_rgn(unsigned long addr, unsigned long len,
unsigned long flags);
#endif
+#endif

#include <asm-generic/mman.h>

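
Review bot: the two closing `#endif` lines are now nested and unlabelled. Annotate them as `#endif /* !__ASSEMBLY__ */` and `#endif /* __KERNEL__ */` so it stays clear which guard keeps the C prototype of ia64_map_check_rgn() away from the assembler.
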

--

2006-09-06 23:03:35

by Greg KH

Subject: [patch 37/37] sky2: version 1.6.1

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <[email protected]>

Since this code incorporates some of the fixes from 2.6.18, change
the version number.

Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/sky2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.17.11.orig/drivers/net/sky2.c
+++ linux-2.6.17.11/drivers/net/sky2.c
@@ -51,7 +51,7 @@
#include "sky2.h"

#define DRV_NAME "sky2"
-#define DRV_VERSION "1.4"
+#define DRV_VERSION "1.6.1"
#define PFX DRV_NAME " "

/*

--

2006-09-06 23:02:47

by Greg KH

Subject: [patch 23/37] binfmt_elf: fix checks for bad address

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Ernie Petrides <[email protected]>

[PATCH] binfmt_elf: fix checks for bad address

Fix check for bad address; use macro instead of open-coding two checks.

Taken from RHEL4 kernel update.

For background, the BAD_ADDR() macro should return TRUE if the address is
TASK_SIZE, because that's the lowest address that is *not* valid for
user-space mappings. The macro was correct in binfmt_aout.c but was wrong
for the "equal to" case in binfmt_elf.c. There were two in-line validations
of user-space addresses in binfmt_elf.c, which have been appropriately
converted to use the corrected BAD_ADDR() macro in the patch you posted
yesterday. Note that the size checks against TASK_SIZE are okay as coded.

The additional changes that I propose are below. These are in the error
paths for bad ELF entry addresses once load_elf_binary() has already
committed to exec'ing the new image (following the tearing down of the
task's original address space).

The 1st hunk deals with the interp-side of the outer "if". There were two
problems here. The printk() should be removed because this path can be
triggered at will by a bogus interpreter image created and used by a
malicious user. Further, the error code should not be ENOEXEC, because that
causes the loop in search_binary_handler() to continue trying other exec
handlers (twice, in fact). But it's too late for this to work correctly,
because the user address space has already been torn down, and an exec()
failure cannot be returned to the user code because the code no longer
exists. The only recovery is to force a SIGSEGV, but it's best to terminate
the search loop immediately. I somewhat arbitrarily chose EINVAL as a
fallback error code, but any error returned by load_elf_interp() will
override that (but this value will never be seen by user-space).

The 2nd hunk deals with the non-interp-side of the outer "if". There were
two problems here as well. The SIGSEGV needs to be forced, because a prior
sigaction() syscall might have set the associated disposition to SIG_IGN.
And the ENOEXEC should be changed to EINVAL as described above.

Signed-off-by: Chuck Ebbert <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/binfmt_elf.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)

--- linux-2.6.17.11.orig/fs/binfmt_elf.c
+++ linux-2.6.17.11/fs/binfmt_elf.c
@@ -86,7 +86,7 @@ static struct linux_binfmt elf_format =
.min_coredump = ELF_EXEC_PAGESIZE
};

-#define BAD_ADDR(x) ((unsigned long)(x) > TASK_SIZE)
+#define BAD_ADDR(x) ((unsigned long)(x) >= TASK_SIZE)

static int set_brk(unsigned long start, unsigned long end)
{
@@ -389,7 +389,7 @@ static unsigned long load_elf_interp(str
* <= p_memsize so it is only necessary to check p_memsz.
*/
k = load_addr + eppnt->p_vaddr;
- if (k > TASK_SIZE || eppnt->p_filesz > eppnt->p_memsz ||
+ if (BAD_ADDR(k) || eppnt->p_filesz > eppnt->p_memsz ||
eppnt->p_memsz > TASK_SIZE || TASK_SIZE - eppnt->p_memsz < k) {
error = -ENOMEM;
goto out_close;
@@ -876,7 +876,7 @@ static int load_elf_binary(struct linux_
* allowed task size. Note that p_filesz must always be
* <= p_memsz so it is only necessary to check p_memsz.
*/
- if (k > TASK_SIZE || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
+ if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
elf_ppnt->p_memsz > TASK_SIZE ||
TASK_SIZE - elf_ppnt->p_memsz < k) {
/* set_brk can never work. Avoid overflows. */
@@ -930,10 +930,9 @@ static int load_elf_binary(struct linux_
interpreter,
&interp_load_addr);
if (BAD_ADDR(elf_entry)) {
- printk(KERN_ERR "Unable to load interpreter %.128s\n",
- elf_interpreter);
force_sig(SIGSEGV, current);
- retval = -ENOEXEC; /* Nobody gets to see this, but.. */
+ retval = IS_ERR((void *)elf_entry) ?
+ (int)elf_entry : -EINVAL;
goto out_free_dentry;
}
reloc_func_desc = interp_load_addr;
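
Review bot: in the interpreter branch, `(int)elf_entry` open-codes the error extraction from an unsigned long with a bare truncating cast. PTR_ERR((void *)elf_entry) pairs naturally with the IS_ERR() test in the same expression and makes the intent obvious. A one-line comment noting that error values returned by load_elf_interp() also satisfy BAD_ADDR() would explain why the IS_ERR() test sits inside this branch.
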
@@ -944,8 +943,8 @@ static int load_elf_binary(struct linux_
} else {
elf_entry = loc->elf_ex.e_entry;
if (BAD_ADDR(elf_entry)) {
- send_sig(SIGSEGV, current, 0);
- retval = -ENOEXEC; /* Nobody gets to see this, but.. */
+ force_sig(SIGSEGV, current);
+ retval = -EINVAL;
goto out_free_dentry;
}
}

--

2006-09-06 23:01:33

by Greg KH

Subject: [patch 12/37] dm: add DMF_FREEING

-stable review patch. If anyone has any objections, please let us know.

------------------

From: Jeff Mahoney <[email protected]>

There is a chicken and egg problem between the block layer and dm in which the
gendisk associated with a mapping keeps a reference-less pointer to the
mapped_device.

This patch uses a new flag DMF_FREEING to indicate when the mapped_device is
no longer valid. This is checked to prevent any attempt to open the device
from succeeding while the device is being destroyed.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Jeff Mahoney <[email protected]>
Signed-off-by: Alasdair G Kergon <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/md/dm.c | 32 ++++++++++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm.c
+++ linux-2.6.17.11/drivers/md/dm.c
@@ -63,6 +63,7 @@ union map_info *dm_get_mapinfo(struct bi
#define DMF_BLOCK_IO 0
#define DMF_SUSPENDED 1
#define DMF_FROZEN 2
+#define DMF_FREEING 3

struct mapped_device {
struct rw_semaphore io_lock;
@@ -221,9 +222,23 @@ static int dm_blk_open(struct inode *ino
{
struct mapped_device *md;

+ spin_lock(&_minor_lock);
+
md = inode->i_bdev->bd_disk->private_data;
+ if (!md)
+ goto out;
+
+ if (test_bit(DMF_FREEING, &md->flags)) {
+ md = NULL;
+ goto out;
+ }
+
dm_get(md);
- return 0;
+
+out:
+ spin_unlock(&_minor_lock);
+
+ return md ? 0 : -ENXIO;
}

static int dm_blk_close(struct inode *inode, struct file *file)
@@ -919,6 +934,11 @@ static void free_dev(struct mapped_devic
mempool_destroy(md->io_pool);
del_gendisk(md->disk);
free_minor(minor);
+
+ spin_lock(&_minor_lock);
+ md->disk->private_data = NULL;
+ spin_unlock(&_minor_lock);
+
put_disk(md->disk);
blk_cleanup_queue(md->queue);
kfree(md);
@@ -1023,9 +1043,14 @@ static struct mapped_device *dm_find_md(
spin_lock(&_minor_lock);

md = idr_find(&_minor_idr, minor);
- if (md && (md == MINOR_ALLOCED || (dm_disk(md)->first_minor != minor)))
+ if (md && (md == MINOR_ALLOCED ||
+ (dm_disk(md)->first_minor != minor) ||
+ test_bit(DMF_FREEING, &md->flags))) {
md = NULL;
+ goto out;
+ }

+out:
spin_unlock(&_minor_lock);

return md;
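
Review bot: in dm_find_md() the added `goto out;` jumps to an `out:` label that is the very next statement, so both the goto and the label are redundant. Drop them and keep just `md = NULL;` inside the braces, unless a later patch in the series places code between the two.
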
@@ -1060,9 +1085,12 @@ void dm_put(struct mapped_device *md)
{
struct dm_table *map;

+ BUG_ON(test_bit(DMF_FREEING, &md->flags));
+
if (atomic_dec_and_lock(&md->holders, &_minor_lock)) {
map = dm_get_table(md);
idr_replace(&_minor_idr, MINOR_ALLOCED, dm_disk(md)->first_minor);
+ set_bit(DMF_FREEING, &md->flags);
spin_unlock(&_minor_lock);
if (!dm_suspended(md)) {
dm_table_presuspend_targets(map);

--

2006-09-06 23:01:34

by Greg KH

Subject: [patch 08/37] dm snapshot: unify chunk_size

-stable review patch. If anyone has any objections, please let us know.

------------------

From: Alasdair G Kergon <[email protected]>

Persistent snapshots currently store a private copy of the chunk size.
Userspace also supplies the chunk size when loading a snapshot. Ensure
consistency by only storing the chunk_size in one place instead of two.


Currently the two sizes will differ if the chunk size supplied by userspace
does not match the chunk size an existing snapshot actually uses. Amongst
other problems, this causes an incorrect 'percentage full' to be reported.

The patch ensures consistency by only storing the chunk_size in one place,
removing it from struct pstore. Some initialisation is delayed until the
correct chunk_size is known. If read_header() discovers that the wrong chunk
size was supplied, the 'area' buffer (which the header already got read into)
is reinitialised to the correct size.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Alasdair G Kergon <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/md/dm-exception-store.c | 65 +++++++++++++++++++++++++---------------
drivers/md/dm-snap.c | 6 +--
2 files changed, 45 insertions(+), 26 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm-exception-store.c
+++ linux-2.6.17.11/drivers/md/dm-exception-store.c
@@ -91,7 +91,6 @@ struct pstore {
struct dm_snapshot *snap; /* up pointer to my snapshot */
int version;
int valid;
- uint32_t chunk_size;
uint32_t exceptions_per_area;

/*
@@ -133,7 +132,7 @@ static int alloc_area(struct pstore *ps)
int r = -ENOMEM;
size_t len;

- len = ps->chunk_size << SECTOR_SHIFT;
+ len = ps->snap->chunk_size << SECTOR_SHIFT;

/*
* Allocate the chunk_size block of memory that will hold
@@ -160,8 +159,8 @@ static int chunk_io(struct pstore *ps, u
unsigned long bits;

where.bdev = ps->snap->cow->bdev;
- where.sector = ps->chunk_size * chunk;
- where.count = ps->chunk_size;
+ where.sector = ps->snap->chunk_size * chunk;
+ where.count = ps->snap->chunk_size;

return dm_io_sync_vm(1, &where, rw, ps->area, &bits);
}
@@ -188,7 +187,7 @@ static int area_io(struct pstore *ps, ui

static int zero_area(struct pstore *ps, uint32_t area)
{
- memset(ps->area, 0, ps->chunk_size << SECTOR_SHIFT);
+ memset(ps->area, 0, ps->snap->chunk_size << SECTOR_SHIFT);
return area_io(ps, area, WRITE);
}

@@ -196,6 +195,7 @@ static int read_header(struct pstore *ps
{
int r;
struct disk_header *dh;
+ chunk_t chunk_size;

r = chunk_io(ps, 0, READ);
if (r)
@@ -210,8 +210,29 @@ static int read_header(struct pstore *ps
*new_snapshot = 0;
ps->valid = le32_to_cpu(dh->valid);
ps->version = le32_to_cpu(dh->version);
- ps->chunk_size = le32_to_cpu(dh->chunk_size);
-
+ chunk_size = le32_to_cpu(dh->chunk_size);
+ if (ps->snap->chunk_size != chunk_size) {
+ DMWARN("chunk size %llu in device metadata overrides "
+ "table chunk size of %llu.",
+ (unsigned long long)chunk_size,
+ (unsigned long long)ps->snap->chunk_size);
+
+ /* We had a bogus chunk_size. Fix stuff up. */
+ dm_io_put(sectors_to_pages(ps->snap->chunk_size));
+ free_area(ps);
+
+ ps->snap->chunk_size = chunk_size;
+ ps->snap->chunk_mask = chunk_size - 1;
+ ps->snap->chunk_shift = ffs(chunk_size) - 1;
+
+ r = alloc_area(ps);
+ if (r)
+ return r;
+
+ r = dm_io_get(sectors_to_pages(chunk_size));
+ if (r)
+ return r;
+ }
} else {
DMWARN("Invalid/corrupt snapshot");
r = -ENXIO;
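
Review bot: in read_header(), the chunk_size read from the on-disk header is installed into ps->snap without a sanity check, yet `chunk_size - 1` and `ffs(chunk_size) - 1` only give a usable mask and shift when the value is a non-zero power of two. Since this value comes from device metadata, reject zero or a non-power-of-two with an error before freeing the old area. Also, if alloc_area() fails here, ps->snap->chunk_size has already been changed and the preceding dm_io_put() has no matching dm_io_get(), so it is worth checking that the dm_io_put() in persistent_destroy() cannot then run unbalanced.
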
@@ -224,13 +245,13 @@ static int write_header(struct pstore *p
{
struct disk_header *dh;

- memset(ps->area, 0, ps->chunk_size << SECTOR_SHIFT);
+ memset(ps->area, 0, ps->snap->chunk_size << SECTOR_SHIFT);

dh = (struct disk_header *) ps->area;
dh->magic = cpu_to_le32(SNAP_MAGIC);
dh->valid = cpu_to_le32(ps->valid);
dh->version = cpu_to_le32(ps->version);
- dh->chunk_size = cpu_to_le32(ps->chunk_size);
+ dh->chunk_size = cpu_to_le32(ps->snap->chunk_size);

return chunk_io(ps, 0, WRITE);
}
@@ -365,7 +386,7 @@ static void persistent_destroy(struct ex
{
struct pstore *ps = get_info(store);

- dm_io_put(sectors_to_pages(ps->chunk_size));
+ dm_io_put(sectors_to_pages(ps->snap->chunk_size));
vfree(ps->callbacks);
free_area(ps);
kfree(ps);
@@ -384,6 +405,16 @@ static int persistent_read_metadata(stru
return r;

/*
+ * Now we know correct chunk_size, complete the initialisation.
+ */
+ ps->exceptions_per_area = (ps->snap->chunk_size << SECTOR_SHIFT) /
+ sizeof(struct disk_exception);
+ ps->callbacks = dm_vcalloc(ps->exceptions_per_area,
+ sizeof(*ps->callbacks));
+ if (!ps->callbacks)
+ return -ENOMEM;
+
+ /*
* Do we need to setup a new snapshot ?
*/
if (new_snapshot) {
@@ -533,9 +564,6 @@ int dm_create_persistent(struct exceptio
ps->snap = store->snap;
ps->valid = 1;
ps->version = SNAPSHOT_DISK_VERSION;
- ps->chunk_size = chunk_size;
- ps->exceptions_per_area = (chunk_size << SECTOR_SHIFT) /
- sizeof(struct disk_exception);
ps->next_free = 2; /* skipping the header and first area */
ps->current_committed = 0;

@@ -543,18 +571,9 @@ int dm_create_persistent(struct exceptio
if (r)
goto bad;

- /*
- * Allocate space for all the callbacks.
- */
ps->callback_count = 0;
atomic_set(&ps->pending_count, 0);
- ps->callbacks = dm_vcalloc(ps->exceptions_per_area,
- sizeof(*ps->callbacks));
-
- if (!ps->callbacks) {
- r = -ENOMEM;
- goto bad;
- }
+ ps->callbacks = NULL;

store->destroy = persistent_destroy;
store->read_metadata = persistent_read_metadata;
--- linux-2.6.17.11.orig/drivers/md/dm-snap.c
+++ linux-2.6.17.11/drivers/md/dm-snap.c
@@ -530,7 +530,7 @@ static int snapshot_ctr(struct dm_target
}

ti->private = s;
- ti->split_io = chunk_size;
+ ti->split_io = s->chunk_size;

return 0;

@@ -1204,7 +1204,7 @@ static int origin_status(struct dm_targe

static struct target_type origin_target = {
.name = "snapshot-origin",
- .version = {1, 1, 0},
+ .version = {1, 4, 0},
.module = THIS_MODULE,
.ctr = origin_ctr,
.dtr = origin_dtr,
@@ -1215,7 +1215,7 @@ static struct target_type origin_target

static struct target_type snapshot_target = {
.name = "snapshot",
- .version = {1, 1, 0},
+ .version = {1, 4, 0},
.module = THIS_MODULE,
.ctr = snapshot_ctr,
.dtr = snapshot_dtr,
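
Review bot: .version goes from {1, 1, 0} straight to {1, 4, 0} here and in origin_target in the previous hunk, and the changelog does not say why 1.2 and 1.3 are skipped. A sentence in the description explaining which version number this is meant to line up with would save userspace tool maintainers from guessing.
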

--

2006-09-06 23:02:48

by Greg KH

Subject: [patch 20/37] IPV6 OOPSer triggerable by any user

-stable review patch. If anyone has any objections, please let us know.

------------------
From: YOSHIFUJI Hideaki <[email protected]>

[IPV6]: Fix kernel OOPs when setting sticky socket options.

Bug noticed by Remi Denis-Courmont <[email protected]>.

Signed-off-by: YOSHIFUJI Hideaki <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/ipv6/exthdrs.c | 29 ++++++++++++++++-------------
1 file changed, 16 insertions(+), 13 deletions(-)

--- linux-2.6.17.11.orig/net/ipv6/exthdrs.c
+++ linux-2.6.17.11/net/ipv6/exthdrs.c
@@ -635,14 +635,17 @@ ipv6_renew_options(struct sock *sk, stru
struct ipv6_txoptions *opt2;
int err;

- if (newtype != IPV6_HOPOPTS && opt->hopopt)
- tot_len += CMSG_ALIGN(ipv6_optlen(opt->hopopt));
- if (newtype != IPV6_RTHDRDSTOPTS && opt->dst0opt)
- tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst0opt));
- if (newtype != IPV6_RTHDR && opt->srcrt)
- tot_len += CMSG_ALIGN(ipv6_optlen(opt->srcrt));
- if (newtype != IPV6_DSTOPTS && opt->dst1opt)
- tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst1opt));
+ if (opt) {
+ if (newtype != IPV6_HOPOPTS && opt->hopopt)
+ tot_len += CMSG_ALIGN(ipv6_optlen(opt->hopopt));
+ if (newtype != IPV6_RTHDRDSTOPTS && opt->dst0opt)
+ tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst0opt));
+ if (newtype != IPV6_RTHDR && opt->srcrt)
+ tot_len += CMSG_ALIGN(ipv6_optlen(opt->srcrt));
+ if (newtype != IPV6_DSTOPTS && opt->dst1opt)
+ tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst1opt));
+ }
+
if (newopt && newoptlen)
tot_len += CMSG_ALIGN(newoptlen);

@@ -659,25 +662,25 @@ ipv6_renew_options(struct sock *sk, stru
opt2->tot_len = tot_len;
p = (char *)(opt2 + 1);

- err = ipv6_renew_option(opt->hopopt, newopt, newoptlen,
+ err = ipv6_renew_option(opt ? opt->hopopt : NULL, newopt, newoptlen,
newtype != IPV6_HOPOPTS,
&opt2->hopopt, &p);
if (err)
goto out;

- err = ipv6_renew_option(opt->dst0opt, newopt, newoptlen,
+ err = ipv6_renew_option(opt ? opt->dst0opt : NULL, newopt, newoptlen,
newtype != IPV6_RTHDRDSTOPTS,
&opt2->dst0opt, &p);
if (err)
goto out;

- err = ipv6_renew_option(opt->srcrt, newopt, newoptlen,
+ err = ipv6_renew_option(opt ? opt->srcrt : NULL, newopt, newoptlen,
newtype != IPV6_RTHDR,
- (struct ipv6_opt_hdr **)opt2->srcrt, &p);
+ (struct ipv6_opt_hdr **)&opt2->srcrt, &p);
if (err)
goto out;

- err = ipv6_renew_option(opt->dst1opt, newopt, newoptlen,
+ err = ipv6_renew_option(opt ? opt->dst1opt : NULL, newopt, newoptlen,
newtype != IPV6_DSTOPTS,
&opt2->dst1opt, &p);
if (err)
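
Review bot: the third ipv6_renew_option() call changes `(struct ipv6_opt_hdr **)opt2->srcrt` to `(struct ipv6_opt_hdr **)&opt2->srcrt`, which is a separate fix from the NULL `opt` handling and is not mentioned in the changelog; please call it out there. The cast is what allowed the missing `&` to compile in the first place, so a typed temporary instead of the cast would stop the same mistake from recurring. The four repeated `opt ? opt->... : NULL` expressions would also read better with a small helper or local variables set once at the top.
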

--

2006-09-06 23:03:41

by Greg KH

Subject: [patch 31/37] dm: Fix deadlock under high i/o load in raid1 setup.

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Daniel Kobras <[email protected]>

On an nForce4-equipped machine with two SATA disks in raid1 setup using dmraid,
we experienced frequent deadlock of the system under high i/o load. 'cat
/dev/zero > ~/zero' was the most reliable way to reproduce them: Randomly
after a few GB, 'cp' would be left in 'D' state along with kjournald and
kmirrord. The functions cp and kjournald were blocked in did vary, but
kmirrord's wchan always pointed to 'mempool_alloc()'. We've seen this pattern
on 2.6.15 and 2.6.17 kernels. http://lkml.org/lkml/2005/4/20/142 indicates
that this problem has been around even before.

So much for the facts, here's my interpretation: mempool_alloc() first tries
to atomically allocate the requested memory, or falls back to hand out
preallocated chunks from the mempool. If both fail, it puts the calling
process (kmirrord in this case) on a private waitqueue until somebody refills
the pool. Where the only 'somebody' is kmirrord itself, so we have a
deadlock.

I worked around this problem by falling back to a (blocking) kmalloc when
before kmirrord would have ended up on the waitqueue. This defeats part of
the benefits of using the mempool, but at least keeps the system running. And
it could be done with a two-line change. Note that mempool_alloc() clears the
GFP_NOIO flag internally, and only uses it to decide whether to wait or return
an error if immediate allocation fails, so the attached patch doesn't change
behaviour in the non-deadlocking case. Patch is against current git
(2.6.18-rc4), but should apply to earlier versions as well. I've tested on
2.6.15, where this patch makes the difference between random lockup and a
stable system.

Signed-off-by: Daniel Kobras <[email protected]>
Acked-by: Alasdair G Kergon <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/md/dm-raid1.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- linux-2.6.17.11.orig/drivers/md/dm-raid1.c
+++ linux-2.6.17.11/drivers/md/dm-raid1.c
@@ -253,7 +253,9 @@ static struct region *__rh_alloc(struct
struct region *reg, *nreg;

read_unlock(&rh->hash_lock);
- nreg = mempool_alloc(rh->region_pool, GFP_NOIO);
+ nreg = mempool_alloc(rh->region_pool, GFP_ATOMIC);
+ if (unlikely(!nreg))
+ nreg = kmalloc(sizeof(struct region), GFP_NOIO);
nreg->state = rh->log->type->in_sync(rh->log, region, 1) ?
RH_CLEAN : RH_NOSYNC;
nreg->rh = rh;
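
Review bot: the kmalloc() fallback in __rh_alloc() is not checked, so if it returns NULL the very next statement, `nreg->state = ...`, dereferences it. Either retry until an allocation succeeds or pass __GFP_NOFAIL to the fallback, and add a comment explaining that the GFP_ATOMIC attempt is there to keep kmirrord from sleeping on the mempool waitqueue. The description should also state why a region obtained from kmalloc() can later be released through the same path as one taken from rh->region_pool.
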

--

2006-09-06 23:03:31

by Greg KH

Subject: [patch 35/37] sky2: MSI test timing

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <[email protected]>

The test for MSI IRQ could have timing issues. The PCI write needs to be
pushed out before waiting, and the wait queue should be initialized before
the IRQ.

Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/sky2.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- linux-2.6.17.11.orig/drivers/net/sky2.c
+++ linux-2.6.17.11/drivers/net/sky2.c
@@ -3184,6 +3184,8 @@ static int __devinit sky2_test_msi(struc
struct pci_dev *pdev = hw->pdev;
int err;

+ init_waitqueue_head (&hw->msi_wait);
+
sky2_write32(hw, B0_IMSK, Y2_IS_IRQ_SW);

err = request_irq(pdev->irq, sky2_test_intr, SA_SHIRQ, DRV_NAME, hw);
@@ -3193,10 +3195,8 @@ static int __devinit sky2_test_msi(struc
return err;
}

- init_waitqueue_head (&hw->msi_wait);
-
sky2_write8(hw, B0_CTST, CS_ST_SW_IRQ);
- wmb();
+ sky2_read8(hw, B0_CTST);

wait_event_timeout(hw->msi_wait, hw->msi_detected, HZ/10);

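
Review bot: the `sky2_read8(hw, B0_CTST);` that replaces wmb() discards its result, and nothing in the code says it is there to push the preceding sky2_write8() out to the device before the wait. Add a short comment to that effect so the read is not removed later as dead code.
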

--

2006-09-06 23:03:36

by Greg KH

Subject: [patch 28/37] Missing PCI id update for VIA IDE

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Alan Cox <[email protected]>


The following change from -mm is important to 2.6.18 (actually to 2.6.17
but it's too late for that). This was contributed over three months ago
by VIA to Bartlomiej and nothing happened. As a result the new chipset
is now out and Linux won't run on it. By the time 2.6.18 is finalised
this will be the de facto standard VIA chipset so support would be a good
plan.

Tested in -mm for a while, it's essentially a PCI ident update but for
the bridge chip because VIA do things in weird ways.


Signed-off-by: Greg Kroah-Hartman <[email protected]>


---
drivers/ide/pci/via82cxxx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- linux-2.6.17.11.orig/drivers/ide/pci/via82cxxx.c
+++ linux-2.6.17.11/drivers/ide/pci/via82cxxx.c
@@ -6,7 +6,7 @@
*
* vt82c576, vt82c586, vt82c586a, vt82c586b, vt82c596a, vt82c596b,
* vt82c686, vt82c686a, vt82c686b, vt8231, vt8233, vt8233c, vt8233a,
- * vt8235, vt8237
+ * vt8235, vt8237, vt8237a
*
* Copyright (c) 2000-2002 Vojtech Pavlik
*
@@ -82,6 +82,7 @@ static struct via_isa_bridge {
{ "vt6410", PCI_DEVICE_ID_VIA_6410, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
{ "vt8251", PCI_DEVICE_ID_VIA_8251, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
{ "vt8237", PCI_DEVICE_ID_VIA_8237, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
+ { "vt8237a", PCI_DEVICE_ID_VIA_8237A, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
{ "vt8235", PCI_DEVICE_ID_VIA_8235, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
{ "vt8233a", PCI_DEVICE_ID_VIA_8233A, 0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
{ "vt8233c", PCI_DEVICE_ID_VIA_8233C_0, 0x00, 0x2f, VIA_UDMA_100 },
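
Review bot: `PCI_DEVICE_ID_VIA_8237A` in the new table entry is not defined anywhere in this patch, and the diffstat lists only via82cxxx.c. Please confirm the 2.6.17.11 tree already carries that define, or include it here, otherwise the stable build breaks.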

--

2006-09-06 23:03:41

by Greg KH

Subject: [patch 25/37] Silent data corruption caused by XPC

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Robin Holt <[email protected]>

Jack Steiner identified a problem where XPC can cause a silent
data corruption. On module load, the placement may cause the
xpc_remote_copy_buffer to span two physical pages. DMA transfers are
done to the start virtual address translated to physical.

This patch changes the buffer from a statically allocated buffer to a
kmalloc'd buffer. Dean Nelson reviewed this before posting. I have
tested it in the configuration that was showing the memory corruption
and verified it works. I also added a BUG_ON statement to help catch
this if a similar situation is encountered.

Signed-off-by: Robin Holt <[email protected]>
Signed-off-by: Dean Nelson <[email protected]>
Signed-off-by: Jack Steiner <[email protected]>
Signed-off-by: Tony Luck <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/ia64/sn/kernel/xpc_channel.c | 4 ++--
arch/ia64/sn/kernel/xpc_main.c | 28 ++++++++++++++++------------
arch/ia64/sn/kernel/xpc_partition.c | 24 ++++++++----------------
include/asm-ia64/sn/xp.h | 22 ++++++++++++++++++----
include/asm-ia64/sn/xpc.h | 4 +++-
5 files changed, 47 insertions(+), 35 deletions(-)

--- linux-2.6.17.11.orig/arch/ia64/sn/kernel/xpc_channel.c
+++ linux-2.6.17.11/arch/ia64/sn/kernel/xpc_channel.c
@@ -279,8 +279,8 @@ xpc_pull_remote_cachelines(struct xpc_pa
return part->reason;
}

- bte_ret = xp_bte_copy((u64) src, (u64) ia64_tpa((u64) dst),
- (u64) cnt, (BTE_NORMAL | BTE_WACQUIRE), NULL);
+ bte_ret = xp_bte_copy((u64) src, (u64) dst, (u64) cnt,
+ (BTE_NORMAL | BTE_WACQUIRE), NULL);
if (bte_ret == BTE_SUCCESS) {
return xpcSuccess;
}
--- linux-2.6.17.11.orig/arch/ia64/sn/kernel/xpc_main.c
+++ linux-2.6.17.11/arch/ia64/sn/kernel/xpc_main.c
@@ -1052,6 +1052,8 @@ xpc_do_exit(enum xpc_retval reason)
if (xpc_sysctl) {
unregister_sysctl_table(xpc_sysctl);
}
+
+ kfree(xpc_remote_copy_buffer_base);
}


@@ -1212,24 +1214,20 @@ xpc_init(void)
partid_t partid;
struct xpc_partition *part;
pid_t pid;
+ size_t buf_size;


if (!ia64_platform_is("sn2")) {
return -ENODEV;
}

- /*
- * xpc_remote_copy_buffer is used as a temporary buffer for bte_copy'ng
- * various portions of a partition's reserved page. Its size is based
- * on the size of the reserved page header and part_nasids mask. So we
- * need to ensure that the other items will fit as well.
- */
- if (XPC_RP_VARS_SIZE > XPC_RP_HEADER_SIZE + XP_NASID_MASK_BYTES) {
- dev_err(xpc_part, "xpc_remote_copy_buffer is not big enough\n");
- return -EPERM;
- }
- DBUG_ON((u64) xpc_remote_copy_buffer !=
- L1_CACHE_ALIGN((u64) xpc_remote_copy_buffer));
+
+ buf_size = max(XPC_RP_VARS_SIZE,
+ XPC_RP_HEADER_SIZE + XP_NASID_MASK_BYTES);
+ xpc_remote_copy_buffer = xpc_kmalloc_cacheline_aligned(buf_size,
+ GFP_KERNEL, &xpc_remote_copy_buffer_base);
+ if (xpc_remote_copy_buffer == NULL)
+ return -ENOMEM;

snprintf(xpc_part->bus_id, BUS_ID_SIZE, "part");
snprintf(xpc_chan->bus_id, BUS_ID_SIZE, "chan");
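
Review bot: The buffer is now allocated near the top of xpc_init(), so every error return after this point has to free it. The later hunks add `kfree(xpc_remote_copy_buffer_base)` to three `-EBUSY` exits; please confirm there is no other return between the allocation and those exits. The removed block comment also explained what the buffer is sized for (reserved page header plus part_nasids mask, or the vars), and that explanation is worth keeping above the new `buf_size = max(...)` line.
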
@@ -1293,6 +1291,8 @@ xpc_init(void)
if (xpc_sysctl) {
unregister_sysctl_table(xpc_sysctl);
}
+
+ kfree(xpc_remote_copy_buffer_base);
return -EBUSY;
}

@@ -1311,6 +1311,8 @@ xpc_init(void)
if (xpc_sysctl) {
unregister_sysctl_table(xpc_sysctl);
}
+
+ kfree(xpc_remote_copy_buffer_base);
return -EBUSY;
}

@@ -1362,6 +1364,8 @@ xpc_init(void)
if (xpc_sysctl) {
unregister_sysctl_table(xpc_sysctl);
}
+
+ kfree(xpc_remote_copy_buffer_base);
return -EBUSY;
}

--- linux-2.6.17.11.orig/arch/ia64/sn/kernel/xpc_partition.c
+++ linux-2.6.17.11/arch/ia64/sn/kernel/xpc_partition.c
@@ -71,19 +71,15 @@ struct xpc_partition xpc_partitions[XP_M
* Generic buffer used to store a local copy of portions of a remote
* partition's reserved page (either its header and part_nasids mask,
* or its vars).
- *
- * xpc_discovery runs only once and is a seperate thread that is
- * very likely going to be processing in parallel with receiving
- * interrupts.
*/
-char ____cacheline_aligned xpc_remote_copy_buffer[XPC_RP_HEADER_SIZE +
- XP_NASID_MASK_BYTES];
+char *xpc_remote_copy_buffer;
+void *xpc_remote_copy_buffer_base;


/*
* Guarantee that the kmalloc'd memory is cacheline aligned.
*/
-static void *
+void *
xpc_kmalloc_cacheline_aligned(size_t size, gfp_t flags, void **base)
{
/* see if kmalloc will give us cachline aligned memory by default */
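
Review bot: The removed comment lines about xpc_discovery running in parallel with interrupt handling described concurrent use of the shared buffer, and nothing in this hunk changes that: `xpc_remote_copy_buffer` is still one global, now a pointer. Keep that note, or explain in the changelog why it no longer applies. `xpc_kmalloc_cacheline_aligned()` also loses `static` here, so its comment should describe the `base` out-parameter, which is what xpc_main.c later passes to kfree().
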
@@ -148,7 +144,7 @@ xpc_get_rsvd_page_pa(int nasid)
}
}

- bte_res = xp_bte_copy(rp_pa, ia64_tpa(buf), buf_len,
+ bte_res = xp_bte_copy(rp_pa, buf, buf_len,
(BTE_NOTIFY | BTE_WACQUIRE), NULL);
if (bte_res != BTE_SUCCESS) {
dev_dbg(xpc_part, "xp_bte_copy failed %i\n", bte_res);
@@ -447,7 +443,7 @@ xpc_check_remote_hb(void)

/* pull the remote_hb cache line */
bres = xp_bte_copy(part->remote_vars_pa,
- ia64_tpa((u64) remote_vars),
+ (u64) remote_vars,
XPC_RP_VARS_SIZE,
(BTE_NOTIFY | BTE_WACQUIRE), NULL);
if (bres != BTE_SUCCESS) {
@@ -498,8 +494,7 @@ xpc_get_remote_rp(int nasid, u64 *discov


/* pull over the reserved page header and part_nasids mask */
-
- bres = xp_bte_copy(*remote_rp_pa, ia64_tpa((u64) remote_rp),
+ bres = xp_bte_copy(*remote_rp_pa, (u64) remote_rp,
XPC_RP_HEADER_SIZE + xp_nasid_mask_bytes,
(BTE_NOTIFY | BTE_WACQUIRE), NULL);
if (bres != BTE_SUCCESS) {
@@ -554,11 +549,8 @@ xpc_get_remote_vars(u64 remote_vars_pa,
return xpcVarsNotSet;
}

-
/* pull over the cross partition variables */
-
- bres = xp_bte_copy(remote_vars_pa, ia64_tpa((u64) remote_vars),
- XPC_RP_VARS_SIZE,
+ bres = xp_bte_copy(remote_vars_pa, (u64) remote_vars, XPC_RP_VARS_SIZE,
(BTE_NOTIFY | BTE_WACQUIRE), NULL);
if (bres != BTE_SUCCESS) {
return xpc_map_bte_errors(bres);
@@ -1239,7 +1231,7 @@ xpc_initiate_partid_to_nasids(partid_t p

part_nasid_pa = (u64) XPC_RP_PART_NASIDS(part->remote_rp_pa);

- bte_res = xp_bte_copy(part_nasid_pa, ia64_tpa((u64) nasid_mask),
+ bte_res = xp_bte_copy(part_nasid_pa, (u64) nasid_mask,
xp_nasid_mask_bytes, (BTE_NOTIFY | BTE_WACQUIRE), NULL);

return xpc_map_bte_errors(bte_res);
--- linux-2.6.17.11.orig/include/asm-ia64/sn/xp.h
+++ linux-2.6.17.11/include/asm-ia64/sn/xp.h
@@ -60,23 +60,37 @@
* the bte_copy() once in the hope that the failure was due to a temporary
* aberration (i.e., the link going down temporarily).
*
- * See bte_copy for definition of the input parameters.
+ * src - physical address of the source of the transfer.
+ * vdst - virtual address of the destination of the transfer.
+ * len - number of bytes to transfer from source to destination.
+ * mode - see bte_copy() for definition.
+ * notification - see bte_copy() for definition.
*
* Note: xp_bte_copy() should never be called while holding a spinlock.
*/
static inline bte_result_t
-xp_bte_copy(u64 src, u64 dest, u64 len, u64 mode, void *notification)
+xp_bte_copy(u64 src, u64 vdst, u64 len, u64 mode, void *notification)
{
bte_result_t ret;
+ u64 pdst = ia64_tpa(vdst);


- ret = bte_copy(src, dest, len, mode, notification);
+ /*
+ * Ensure that the physically mapped memory is contiguous.
+ *
+ * We do this by ensuring that the memory is from region 7 only.
+ * If the need should arise to use memory from one of the other
+ * regions, then modify the BUG_ON() statement to ensure that the
+ * memory from that region is always physically contiguous.
+ */
+ BUG_ON(REGION_NUMBER(vdst) != RGN_KERNEL);

+ ret = bte_copy(src, pdst, len, mode, notification);
if (ret != BTE_SUCCESS) {
if (!in_interrupt()) {
cond_resched();
}
- ret = bte_copy(src, dest, len, mode, notification);
+ ret = bte_copy(src, pdst, len, mode, notification);
}

return ret;
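
Review bot: `u64 pdst = ia64_tpa(vdst);` runs in the initializer, before `BUG_ON(REGION_NUMBER(vdst) != RGN_KERNEL)` has validated the address. Move the translation below the BUG_ON() so an address from the wrong region is caught before it is translated. The second parameter also changes meaning from physical to virtual while staying a plain `u64`, so a caller that still passes `ia64_tpa(...)` compiles without complaint; the hunks in this patch convert the call sites shown, but a grep for any others is worth doing before this goes to stable.
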
--- linux-2.6.17.11.orig/include/asm-ia64/sn/xpc.h
+++ linux-2.6.17.11/include/asm-ia64/sn/xpc.h
@@ -684,7 +684,9 @@ extern struct xpc_vars *xpc_vars;
extern struct xpc_rsvd_page *xpc_rsvd_page;
extern struct xpc_vars_part *xpc_vars_part;
extern struct xpc_partition xpc_partitions[XP_MAX_PARTITIONS + 1];
-extern char xpc_remote_copy_buffer[];
+extern char *xpc_remote_copy_buffer;
+extern void *xpc_remote_copy_buffer_base;
+extern void *xpc_kmalloc_cacheline_aligned(size_t, gfp_t, void **);
extern struct xpc_rsvd_page *xpc_rsvd_page_init(void);
extern void xpc_allow_IPI_ops(void);
extern void xpc_restrict_IPI_ops(void);

--

2006-09-06 23:05:55

by Greg KH

Subject: [patch 30/37] Remove redundant up() in stop_machine()

-stable review patch. If anyone has any objections, please let us know.

------------------
From: "Yingchao Zhou" <[email protected]>

An up() is called in kernel/stop_machine.c on failure, and also in the
caller (unconditionally).

Signed-off-by: Zhou Yingchao <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
kernel/stop_machine.c | 1 -
1 file changed, 1 deletion(-)

--- linux-2.6.17.11.orig/kernel/stop_machine.c
+++ linux-2.6.17.11/kernel/stop_machine.c
@@ -111,7 +111,6 @@ static int stop_machine(void)
/* If some failed, kill them all. */
if (ret < 0) {
stopmachine_set_state(STOPMACHINE_EXIT);
- up(&stopmachine_mutex);
return ret;
}

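Review bot: With `up(&stopmachine_mutex)` removed, the `ret < 0` path returns with the mutex still held, which is only correct because, per the changelog, the caller releases it unconditionally. Say so in the comment on this branch, so the asymmetry is not "fixed" again later by re-adding the up().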

--

2006-09-06 23:05:54

by Greg KH

Subject: [patch 34/37] sky2: use dev_alloc_skb for receive buffers

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <[email protected]>

Several code paths assume an additional 16 bytes of header padding
on the receive path. Use dev_alloc_skb to get that padding.

Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/sky2.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- linux-2.6.17.11.orig/drivers/net/sky2.c
+++ linux-2.6.17.11/drivers/net/sky2.c
@@ -949,14 +949,14 @@ static void sky2_vlan_rx_kill_vid(struct
/*
* It appears the hardware has a bug in the FIFO logic that
* cause it to hang if the FIFO gets overrun and the receive buffer
- * is not aligned. ALso alloc_skb() won't align properly if slab
+ * is not aligned. Also dev_alloc_skb() won't align properly if slab
* debugging is enabled.
*/
static inline struct sk_buff *sky2_alloc_skb(unsigned int size, gfp_t gfp_mask)
{
struct sk_buff *skb;

- skb = alloc_skb(size + RX_SKB_ALIGN, gfp_mask);
+ skb = __dev_alloc_skb(size + RX_SKB_ALIGN, gfp_mask);
if (likely(skb)) {
unsigned long p = (unsigned long) skb->data;
skb_reserve(skb, ALIGN(p, RX_SKB_ALIGN) - p);
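
Review bot: The updated comment names `dev_alloc_skb()` while the code below calls `__dev_alloc_skb()`, and it still only talks about alignment. The reason for the switch, per the changelog, is the extra 16 bytes of header padding that receive paths assume; put that in the comment so nobody reverts to alloc_skb() later.
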
@@ -1855,7 +1855,7 @@ static struct sk_buff *sky2_receive(stru
goto oversize;

if (length < copybreak) {
- skb = alloc_skb(length + 2, GFP_ATOMIC);
+ skb = dev_alloc_skb(length + 2);
if (!skb)
goto resubmit;


--

2006-09-06 23:06:28

by Greg KH

Subject: [patch 27/37] PKTGEN: Fix oops when used with balance-tlb bonding

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Chen-Li Tien <[email protected]>

Signed-off-by: Chen-Li Tien <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Adrian Bunk <[email protected]>


---
net/core/pktgen.c | 2 ++
1 file changed, 2 insertions(+)

--- linux-2.6.17.11.orig/net/core/pktgen.c
+++ linux-2.6.17.11/net/core/pktgen.c
@@ -2149,6 +2149,8 @@ static struct sk_buff *fill_packet_ipv4(
skb->mac.raw = ((u8 *) iph) - 14 - pkt_dev->nr_labels*sizeof(u32);
skb->dev = odev;
skb->pkt_type = PACKET_HOST;
+ skb->nh.iph = iph;
+ skb->h.uh = udph;

if (pkt_dev->nfrags <= 0)
pgh = (struct pktgen_hdr *)skb_put(skb, datalen);
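
Review bot: The two added assignments, `skb->nh.iph = iph;` and `skb->h.uh = udph;`, come with no changelog body at all; only the subject mentions an oops with balance-tlb bonding. Please add a sentence saying which consumer dereferences these header pointers on packets built by fill_packet_ipv4(), so the fix can be judged for stable. The context line above also hard-codes `14` where ETH_HLEN would read better, though that is not part of this change.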

--

2006-09-06 23:07:16

by Greg KH

Subject: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Ang Way Chuang <[email protected]>

ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
code has a bug that allows an attacker to send a malformed ULE packet
with SNDU length of 0 and bring down the receiving machine. This patch
fixes the bug and has been tested on version 2.6.17.11. This bug is 100%
reproducible and the modified source code (GPL) used to produce this bug
will be posted on http://nrg.cs.usm.my/downloads.htm shortly. The
kernel will produce a dump during CRC32 checking on faulty ULE packet.


Signed-off-by: Ang Way Chuang <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/media/dvb/dvb-core/dvb_net.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- linux-2.6.17.11.orig/drivers/media/dvb/dvb-core/dvb_net.c
+++ linux-2.6.17.11/drivers/media/dvb/dvb-core/dvb_net.c
@@ -492,7 +492,8 @@ static void dvb_net_ule( struct net_devi
} else
priv->ule_dbit = 0;

- if (priv->ule_sndu_len > 32763) {
+ if (priv->ule_sndu_len > 32763 ||
+ priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)) {
printk(KERN_WARNING "%lu: Invalid ULE SNDU length %u. "
"Resyncing.\n", priv->ts_count, priv->ule_sndu_len);
priv->ule_sndu_len = 0;
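
Review bot: The new lower bound `((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)` uses a bare `4` with no comment. Name it or comment it (it appears to be the CRC32 trailer, given the changelog says the dump happens during CRC32 checking), so the minimum SNDU length can be audited against RFC 4326. Since the changelog describes this path as reachable by an attacker sending malformed packets, the `printk(KERN_WARNING ...)` in the rejected branch should also be rate limited, for example with net_ratelimit(), so a stream of bad SNDUs cannot flood the log.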

--

2006-09-06 23:05:46

by Greg KH

Subject: [patch 15/37] dm: fix block device initialisation

-stable review patch. If anyone has any objections, please let us know.

------------------

From: Jeff Mahoney <[email protected]>

In alloc_dev(), we register the device with the block layer and then continue
to initialize the device. But register_disk() makes the device available to
be opened before we have completed initialising it.

This patch moves the final bits of the initialization above the disk
registration.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Jeff Mahoney <[email protected]>
Signed-off-by: Alasdair G Kergon <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/md/dm.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm.c
+++ linux-2.6.17.11/drivers/md/dm.c
@@ -891,6 +891,10 @@ static struct mapped_device *alloc_dev(u
if (!md->disk)
goto bad4;

+ atomic_set(&md->pending, 0);
+ init_waitqueue_head(&md->wait);
+ init_waitqueue_head(&md->eventq);
+
md->disk->major = _major;
md->disk->first_minor = minor;
md->disk->fops = &dm_blk_dops;
@@ -900,10 +904,6 @@ static struct mapped_device *alloc_dev(u
add_disk(md->disk);
format_dev_t(md->name, MKDEV(_major, minor));

- atomic_set(&md->pending, 0);
- init_waitqueue_head(&md->wait);
- init_waitqueue_head(&md->eventq);
-
/* Populate the mapping, nobody knows we exist yet */
spin_lock(&_minor_lock);
old_md = idr_replace(&_minor_idr, md, minor);
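
Review bot: The context comment `/* Populate the mapping, nobody knows we exist yet */` now sits after `add_disk(md->disk)`, and the changelog's whole point is that registering the disk makes the device openable. Reword or drop that comment as part of this change. It is also worth checking that nothing else initialised after add_disk() in alloc_dev() can be reached from an open, since this patch only moves `pending`, `wait` and `eventq`.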

--

2006-09-06 23:09:40

by Greg KH

Subject: [patch 36/37] sky2: fix fiber support

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <[email protected]>

Fix support for fiber based devices. Needed to keep track of PMD type to
add workaround in setup. Add support for gigabit half duplex fiber.

Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/sky2.c | 81 ++++++++++++++++++++++++++++++++---------------------
drivers/net/sky2.h | 15 +++++++++
2 files changed, 63 insertions(+), 33 deletions(-)

--- linux-2.6.17.11.orig/drivers/net/sky2.c
+++ linux-2.6.17.11/drivers/net/sky2.c
@@ -321,7 +321,7 @@ static void sky2_phy_init(struct sky2_hw
}

ctrl = gm_phy_read(hw, port, PHY_MARV_PHY_CTRL);
- if (hw->copper) {
+ if (sky2_is_copper(hw)) {
if (hw->chip_id == CHIP_ID_YUKON_FE) {
/* enable automatic crossover */
ctrl |= PHY_M_PC_MDI_XMODE(PHY_M_PC_ENA_AUTO) >> 1;
@@ -338,25 +338,37 @@ static void sky2_phy_init(struct sky2_hw
ctrl |= PHY_M_PC_DSC(2) | PHY_M_PC_DOWN_S_ENA;
}
}
- gm_phy_write(hw, port, PHY_MARV_PHY_CTRL, ctrl);
} else {
/* workaround for deviation #4.88 (CRC errors) */
/* disable Automatic Crossover */

ctrl &= ~PHY_M_PC_MDIX_MSK;
- gm_phy_write(hw, port, PHY_MARV_PHY_CTRL, ctrl);
+ }

- if (hw->chip_id == CHIP_ID_YUKON_XL) {
- /* Fiber: select 1000BASE-X only mode MAC Specific Ctrl Reg. */
- gm_phy_write(hw, port, PHY_MARV_EXT_ADR, 2);
- ctrl = gm_phy_read(hw, port, PHY_MARV_PHY_CTRL);
- ctrl &= ~PHY_M_MAC_MD_MSK;
- ctrl |= PHY_M_MAC_MODE_SEL(PHY_M_MAC_MD_1000BX);
- gm_phy_write(hw, port, PHY_MARV_PHY_CTRL, ctrl);
+ gm_phy_write(hw, port, PHY_MARV_PHY_CTRL, ctrl);
+
+ /* special setup for PHY 88E1112 Fiber */
+ if (hw->chip_id == CHIP_ID_YUKON_XL && !sky2_is_copper(hw)) {
+ pg = gm_phy_read(hw, port, PHY_MARV_EXT_ADR);

+ /* Fiber: select 1000BASE-X only mode MAC Specific Ctrl Reg. */
+ gm_phy_write(hw, port, PHY_MARV_EXT_ADR, 2);
+ ctrl = gm_phy_read(hw, port, PHY_MARV_PHY_CTRL);
+ ctrl &= ~PHY_M_MAC_MD_MSK;
+ ctrl |= PHY_M_MAC_MODE_SEL(PHY_M_MAC_MD_1000BX);
+ gm_phy_write(hw, port, PHY_MARV_PHY_CTRL, ctrl);
+
+ if (hw->pmd_type == 'P') {
/* select page 1 to access Fiber registers */
gm_phy_write(hw, port, PHY_MARV_EXT_ADR, 1);
+
+ /* for SFP-module set SIGDET polarity to low */
+ ctrl = gm_phy_read(hw, port, PHY_MARV_PHY_CTRL);
+ ctrl |= PHY_M_FIB_SIGD_POL;
+ gm_phy_write(hw, port, PHY_MARV_CTRL, ctrl);
}
+
+ gm_phy_write(hw, port, PHY_MARV_EXT_ADR, pg);
}

ctrl = gm_phy_read(hw, port, PHY_MARV_CTRL);
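
Review bot: In the `hw->pmd_type == 'P'` block the value is read from `PHY_MARV_PHY_CTRL` but written back to `PHY_MARV_CTRL`: `ctrl = gm_phy_read(hw, port, PHY_MARV_PHY_CTRL);` followed by `gm_phy_write(hw, port, PHY_MARV_CTRL, ctrl);`. The sky2.h hunk defines `PHY_M_FIB_SIGD_POL` as a bit of PHY_MARV_PHY_CTRL (page 1), so the write looks like it targets the wrong register and should probably use `PHY_MARV_PHY_CTRL`. Separately, `pg` is assigned here with no declaration in the visible hunks, so confirm it is already declared in sky2_phy_init().
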
@@ -373,7 +385,7 @@ static void sky2_phy_init(struct sky2_hw
adv = PHY_AN_CSMA;

if (sky2->autoneg == AUTONEG_ENABLE) {
- if (hw->copper) {
+ if (sky2_is_copper(hw)) {
if (sky2->advertising & ADVERTISED_1000baseT_Full)
ct1000 |= PHY_M_1000C_AFD;
if (sky2->advertising & ADVERTISED_1000baseT_Half)
@@ -386,8 +398,12 @@ static void sky2_phy_init(struct sky2_hw
adv |= PHY_M_AN_10_FD;
if (sky2->advertising & ADVERTISED_10baseT_Half)
adv |= PHY_M_AN_10_HD;
- } else /* special defines for FIBER (88E1011S only) */
- adv |= PHY_M_AN_1000X_AHD | PHY_M_AN_1000X_AFD;
+ } else { /* special defines for FIBER (88E1040S only) */
+ if (sky2->advertising & ADVERTISED_1000baseT_Full)
+ adv |= PHY_M_AN_1000X_AFD;
+ if (sky2->advertising & ADVERTISED_1000baseT_Half)
+ adv |= PHY_M_AN_1000X_AHD;
+ }

/* Set Flow-control capabilities */
if (sky2->tx_pause && sky2->rx_pause)
@@ -1497,7 +1513,7 @@ static int sky2_down(struct net_device *

static u16 sky2_phy_speed(const struct sky2_hw *hw, u16 aux)
{
- if (!hw->copper)
+ if (!sky2_is_copper(hw))
return SPEED_1000;

if (hw->chip_id == CHIP_ID_YUKON_FE)
@@ -2287,7 +2303,7 @@ static inline u32 sky2_clk2us(const stru
static int __devinit sky2_reset(struct sky2_hw *hw)
{
u16 status;
- u8 t8, pmd_type;
+ u8 t8;
int i;

sky2_write8(hw, B0_CTST, CS_RST_CLR);
@@ -2333,9 +2349,7 @@ static int __devinit sky2_reset(struct s
sky2_pci_write32(hw, PEX_UNC_ERR_STAT, 0xffffffffUL);


- pmd_type = sky2_read8(hw, B2_PMD_TYP);
- hw->copper = !(pmd_type == 'L' || pmd_type == 'S');
-
+ hw->pmd_type = sky2_read8(hw, B2_PMD_TYP);
hw->ports = 1;
t8 = sky2_read8(hw, B2_Y2_HW_RES);
if ((t8 & CFG_DUAL_MAC_MSK) == CFG_DUAL_MAC_MSK) {
@@ -2432,21 +2446,22 @@ static int __devinit sky2_reset(struct s

static u32 sky2_supported_modes(const struct sky2_hw *hw)
{
- u32 modes;
- if (hw->copper) {
- modes = SUPPORTED_10baseT_Half
- | SUPPORTED_10baseT_Full
- | SUPPORTED_100baseT_Half
- | SUPPORTED_100baseT_Full
- | SUPPORTED_Autoneg | SUPPORTED_TP;
+ if (sky2_is_copper(hw)) {
+ u32 modes = SUPPORTED_10baseT_Half
+ | SUPPORTED_10baseT_Full
+ | SUPPORTED_100baseT_Half
+ | SUPPORTED_100baseT_Full
+ | SUPPORTED_Autoneg | SUPPORTED_TP;

if (hw->chip_id != CHIP_ID_YUKON_FE)
modes |= SUPPORTED_1000baseT_Half
- | SUPPORTED_1000baseT_Full;
+ | SUPPORTED_1000baseT_Full;
+ return modes;
} else
- modes = SUPPORTED_1000baseT_Full | SUPPORTED_FIBRE
- | SUPPORTED_Autoneg;
- return modes;
+ return SUPPORTED_1000baseT_Half
+ | SUPPORTED_1000baseT_Full
+ | SUPPORTED_Autoneg
+ | SUPPORTED_FIBRE;
}

static int sky2_get_settings(struct net_device *dev, struct ethtool_cmd *ecmd)
@@ -2457,7 +2472,7 @@ static int sky2_get_settings(struct net_
ecmd->transceiver = XCVR_INTERNAL;
ecmd->supported = sky2_supported_modes(hw);
ecmd->phy_address = PHY_ADDR_MARV;
- if (hw->copper) {
+ if (sky2_is_copper(hw)) {
ecmd->supported = SUPPORTED_10baseT_Half
| SUPPORTED_10baseT_Full
| SUPPORTED_100baseT_Half
@@ -2466,12 +2481,14 @@ static int sky2_get_settings(struct net_
| SUPPORTED_1000baseT_Full
| SUPPORTED_Autoneg | SUPPORTED_TP;
ecmd->port = PORT_TP;
- } else
+ ecmd->speed = sky2->speed;
+ } else {
+ ecmd->speed = SPEED_1000;
ecmd->port = PORT_FIBRE;
+ }

ecmd->advertising = sky2->advertising;
ecmd->autoneg = sky2->autoneg;
- ecmd->speed = sky2->speed;
ecmd->duplex = sky2->duplex;
return 0;
}
--- linux-2.6.17.11.orig/drivers/net/sky2.h
+++ linux-2.6.17.11/drivers/net/sky2.h
@@ -1318,6 +1318,14 @@ enum {
};

/* for Yukon-2 Gigabit Ethernet PHY (88E1112 only) */
+/***** PHY_MARV_PHY_CTRL (page 1) 16 bit r/w Fiber Specific Ctrl *****/
+enum {
+ PHY_M_FIB_FORCE_LNK = 1<<10,/* Force Link Good */
+ PHY_M_FIB_SIGD_POL = 1<<9, /* SIGDET Polarity */
+ PHY_M_FIB_TX_DIS = 1<<3, /* Transmitter Disable */
+};
+
+/* for Yukon-2 Gigabit Ethernet PHY (88E1112 only) */
/***** PHY_MARV_PHY_CTRL (page 2) 16 bit r/w MAC Specific Ctrl *****/
enum {
PHY_M_MAC_MD_MSK = 7<<7, /* Bit 9.. 7: Mode Select Mask */
@@ -1879,7 +1887,7 @@ struct sky2_hw {
int pm_cap;
u8 chip_id;
u8 chip_rev;
- u8 copper;
+ u8 pmd_type;
u8 ports;

struct sky2_status_le *st_le;
@@ -1891,6 +1899,11 @@ struct sky2_hw {
wait_queue_head_t msi_wait;
};

+static inline int sky2_is_copper(const struct sky2_hw *hw)
+{
+ return !(hw->pmd_type == 'L' || hw->pmd_type == 'S' || hw->pmd_type == 'P');
+}
+
/* Register accessor for memory mapped device */
static inline u32 sky2_read32(const struct sky2_hw *hw, unsigned reg)
{
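
Review bot: `sky2_is_copper()` compares `hw->pmd_type` against the bare characters 'L', 'S' and 'P' with no explanation, and sky2_phy_init() tests 'P' again for the SFP case. Add a comment or named constants for the B2_PMD_TYP codes so the next PMD type does not have to be reverse-engineered from the fiber checks.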

--

2006-09-06 23:09:41

by Greg KH

Subject: [patch 24/37] uhci-hcd: fix list access bug

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Alan Stern <[email protected]>

When skipping to the last TD of an URB, go to the _last_ entry in the
list instead of the _first_ entry (as780). This fixes Bugzilla #6747 and
possibly others.

Signed-off-by: Alan Stern <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/host/uhci-q.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.17.11.orig/drivers/usb/host/uhci-q.c
+++ linux-2.6.17.11/drivers/usb/host/uhci-q.c
@@ -264,7 +264,7 @@ static void uhci_fixup_toggles(struct uh
* need to change any toggles in this URB */
td = list_entry(urbp->td_list.next, struct uhci_td, list);
if (toggle > 1 || uhci_toggle(td_token(td)) == toggle) {
- td = list_entry(urbp->td_list.next, struct uhci_td,
+ td = list_entry(urbp->td_list.prev, struct uhci_td,
list);
toggle = uhci_toggle(td_token(td)) ^ 1;

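Review bot: After this fix the two `list_entry()` calls differ only in `td_list.next` versus `td_list.prev`, which is how the original bug could go unnoticed. Add a short comment on the second call saying it fetches the last TD of the URB, so the difference is not mistaken for a typo and reverted.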

--

2006-09-06 23:08:54

by Greg KH

Subject: [patch 19/37] SCTP: Fix sctp_primitive_ABORT() call in sctp_close().

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Sridhar Samudrala <[email protected]>

With the recent fix, the callers of sctp_primitive_ABORT()
need to create an ABORT chunk and pass it as an argument rather
than msghdr that was passed earlier.

Signed-off-by: Sridhar Samudrala <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

---
net/sctp/socket.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

--- linux-2.6.17.11.orig/net/sctp/socket.c
+++ linux-2.6.17.11/net/sctp/socket.c
@@ -1246,9 +1246,13 @@ SCTP_STATIC void sctp_close(struct sock
}
}

- if (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime)
- sctp_primitive_ABORT(asoc, NULL);
- else
+ if (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime) {
+ struct sctp_chunk *chunk;
+
+ chunk = sctp_make_abort_user(asoc, NULL, 0);
+ if (chunk)
+ sctp_primitive_ABORT(asoc, chunk);
+ } else
sctp_primitive_SHUTDOWN(asoc, NULL);
}

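Review bot: When `sctp_make_abort_user(asoc, NULL, 0)` returns NULL, the `if (chunk)` guard skips `sctp_primitive_ABORT()` and the `else` branch with `sctp_primitive_SHUTDOWN()` is not taken either, so on allocation failure the association gets neither primitive in sctp_close(). Please handle the NULL case explicitly, or add a comment explaining why leaving the association untouched at that point is safe.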

--

2006-09-06 23:08:52

by Greg KH

Subject: [patch 18/37] SPARC64: Fix X server crashes on sparc64

-stable review patch. If anyone has any objections, please let us know.

------------------
From: David S. Miller <[email protected]>

[SPARC64]: Fix X server hangs due to large pages.

This problem was introduced by changeset
14778d9072e53d2171f66ffd9657daff41acfaed

Unlike the hugetlb code paths, the normal fault code is not set up to
propagate PTE changes for large page sizes correctly like the ones we
make for I/O mappings in io_remap_pfn_range().

It is absolutely necessary to update all sub-ptes of a largepage
mapping on a fault. Adding special handling for this would add
considerable complexity to tlb_batch_add(). So let's just side-step
the issue and forcefully dirty any writable PTEs created by
io_remap_pfn_range().

The only other real option would be to disable the large PTE code of
io_remap_pfn_range() and we really don't want to do that.

Much thanks to Mikael Pettersson for tracking down this problem and
testing debug patches.

Signed-off-by: David S. Miller <[email protected]>

---
arch/sparc64/mm/generic.c | 2 ++
1 file changed, 2 insertions(+)

--- linux-2.6.17.11.orig/arch/sparc64/mm/generic.c
+++ linux-2.6.17.11/arch/sparc64/mm/generic.c
@@ -69,6 +69,8 @@ static inline void io_remap_pte_range(st
} else
offset += PAGE_SIZE;

+ if (pte_write(entry))
+ entry = pte_mkdirty(entry);
do {
BUG_ON(!pte_none(*pte));
set_pte_at(mm, address, pte, entry);
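
Review bot: The added `if (pte_write(entry))` / `entry = pte_mkdirty(entry);` pair has no comment, and pre-dirtying a PTE is not something a reader expects in io_remap_pte_range(). Put the changelog's reason in the code: the normal fault path does not propagate PTE changes across the sub-ptes of a large-page mapping, so writable entries are dirtied up front to side-step it.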

--

2006-09-06 23:10:13

by Greg KH

Subject: [patch 33/37] sky2: clear status IRQ after empty

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <[email protected]>

Don't clear status IRQ until list has been read to avoid causing
status list wraparound. Clearing IRQ forces a Transmit Status update
if it is pending.

Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/sky2.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- linux-2.6.17.11.orig/drivers/net/sky2.c
+++ linux-2.6.17.11/drivers/net/sky2.c
@@ -2016,6 +2016,9 @@ static int sky2_status_intr(struct sky2_
}
}

+ /* Fully processed status ring so clear irq */
+ sky2_write32(hw, STAT_CTRL, SC_STAT_CLR_IRQ);
+
exit_loop:
return work_done;
}
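
Review bot: The `sky2_write32(hw, STAT_CTRL, SC_STAT_CLR_IRQ)` added above `exit_loop:` is unconditional, whereas the code removed from sky2_poll() only cleared the IRQ when `status & Y2_IS_STAT_BMU` was set. Confirm that clearing when no status interrupt was pending is harmless, given the changelog's remark that clearing forces a Transmit Status update. Paths that jump to `exit_loop` skip the clear, which matches the intent, but the new comment should say that this is deliberate.
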
@@ -2218,9 +2221,6 @@ static int sky2_poll(struct net_device *
*budget -= work_done;
dev0->quota -= work_done;

- if (status & Y2_IS_STAT_BMU)
- sky2_write32(hw, STAT_CTRL, SC_STAT_CLR_IRQ);
-
if (sky2_more_work(hw))
return 1;


--

2006-09-06 23:11:20

by Greg KH

Subject: [patch 17/37] TG3: Disable TSO by default

-stable review patch. If anyone has any objections, please let us know.

------------------

From: Michael Chan <[email protected]>

Disable TSO by default on some chips due to hardware errata.

Enabling TSO can lead to tx timeouts in some cases when the TSO
header size exceeds 80 bytes on the affected chips. This limit
can be exceeded when the TCP header contains the timestamp option
plus 2 SACK blocks, for example. A more complete workaround is
available in the next 2.6.18 kernel.

Signed-off-by: Michael Chan <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>


---
drivers/net/tg3.c | 12 ++++++++----
drivers/net/tg3.h | 1 +
2 files changed, 9 insertions(+), 4 deletions(-)

--- linux-2.6.17.11.orig/drivers/net/tg3.c
+++ linux-2.6.17.11/drivers/net/tg3.c
@@ -69,8 +69,8 @@

#define DRV_MODULE_NAME "tg3"
#define PFX DRV_MODULE_NAME ": "
-#define DRV_MODULE_VERSION "3.59"
-#define DRV_MODULE_RELDATE "June 8, 2006"
+#define DRV_MODULE_VERSION "3.59.1"
+#define DRV_MODULE_RELDATE "August 25, 2006"

#define TG3_DEF_MAC_MODE 0
#define TG3_DEF_RX_MODE 0
@@ -11381,11 +11381,15 @@ static int __devinit tg3_init_one(struct
tp->tg3_flags2 |= TG3_FLG2_TSO_CAPABLE;
}

- /* TSO is on by default on chips that support hardware TSO.
+ /* TSO is on by default on chips that support HW_TSO_2.
+ * Some HW_TSO_1 capable chips have bugs that can lead to
+ * tx timeouts in some cases when TSO is enabled.
* Firmware TSO on older chips gives lower performance, so it
* is off by default, but can be enabled using ethtool.
*/
- if (tp->tg3_flags2 & TG3_FLG2_HW_TSO)
+ if ((tp->tg3_flags2 & TG3_FLG2_HW_TSO_2) ||
+ (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5750 &&
+ tp->pci_chip_rev_id >= CHIPREV_ID_5750_C2))
dev->features |= NETIF_F_TSO;

#endif
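
Review bot: The new condition sets `NETIF_F_TSO` for `ASIC_REV_5750` at `CHIPREV_ID_5750_C2` and later without testing any TSO capability flag, where the old code required `TG3_FLG2_HW_TSO`. If a 5750 C2 or later part can reach this point without hardware TSO, add the flag test to that branch. The comment should also name the 5750 C2 exception, since it currently explains only HW_TSO_2 and the buggy HW_TSO_1 chips, and the `>=` relies on chip revision IDs being numerically ordered.
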
--- linux-2.6.17.11.orig/drivers/net/tg3.h
+++ linux-2.6.17.11/drivers/net/tg3.h
@@ -125,6 +125,7 @@
#define CHIPREV_ID_5750_A0 0x4000
#define CHIPREV_ID_5750_A1 0x4001
#define CHIPREV_ID_5750_A3 0x4003
+#define CHIPREV_ID_5750_C2 0x4202
#define CHIPREV_ID_5752_A0_HW 0x5000
#define CHIPREV_ID_5752_A0 0x6000
#define CHIPREV_ID_5752_A1 0x6001

--

2006-09-06 23:08:54

by Greg KH

Subject: [patch 32/37] sky2: accept flow control

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <[email protected]>

Don't program the GMAC to reject flow control packets.
This may be the cause of some of the transmit hangs.

Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/sky2.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.17.11.orig/drivers/net/sky2.h
+++ linux-2.6.17.11/drivers/net/sky2.h
@@ -1566,7 +1566,7 @@ enum {

GMR_FS_ANY_ERR = GMR_FS_RX_FF_OV | GMR_FS_CRC_ERR |
GMR_FS_FRAGMENT | GMR_FS_LONG_ERR |
- GMR_FS_MII_ERR | GMR_FS_BAD_FC | GMR_FS_GOOD_FC |
+ GMR_FS_MII_ERR | GMR_FS_BAD_FC |
GMR_FS_UN_SIZE | GMR_FS_JABBER,
};


--

2006-09-06 23:10:34

by Greg KH

Subject: [patch 26/37] PKTGEN: Make sure skb->{nh,h} are initialized in fill_packet_ipv6() too.

-stable review patch. If anyone has any objections, please let us know.

------------------
From: David S. Miller <[email protected]>

[PKTGEN]: Make sure skb->{nh,h} are initialized in fill_packet_ipv6() too.

Mirror the bug fix from fill_packet_ipv4()

Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/core/pktgen.c | 2 ++
1 file changed, 2 insertions(+)

--- linux-2.6.17.11.orig/net/core/pktgen.c
+++ linux-2.6.17.11/net/core/pktgen.c
@@ -2460,6 +2460,8 @@ static struct sk_buff *fill_packet_ipv6(
skb->protocol = protocol;
skb->dev = odev;
skb->pkt_type = PACKET_HOST;
+ skb->nh.ipv6h = iph;
+ skb->h.uh = udph;

if (pkt_dev->nfrags <= 0)
pgh = (struct pktgen_hdr *)skb_put(skb, datalen);

--

2006-09-06 23:11:21

by Greg KH

Subject: [patch 16/37] dm: mirror sector offset fix

-stable review patch. If anyone has any objections, please let us know.

------------------

From: Neil Brown <[email protected]>

The device-mapper core does not perform any remapping of bios before passing
them to the targets. If a particular mapping begins part-way into a device,
targets obtain the sector relative to the start of the mapping by subtracting
ti->begin.

The dm-raid1 target didn't do this everywhere: this patch fixes it, taking
care to subtract ti->begin exactly once for each bio.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Neil Brown <[email protected]>
Signed-off-by: Alasdair G Kergon <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/md/dm-raid1.c | 63 +++++++++++++++++++++++++-------------------------
1 file changed, 32 insertions(+), 31 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm-raid1.c
+++ linux-2.6.17.11/drivers/md/dm-raid1.c
@@ -106,12 +106,42 @@ struct region {
struct bio_list delayed_bios;
};

+
+/*-----------------------------------------------------------------
+ * Mirror set structures.
+ *---------------------------------------------------------------*/
+struct mirror {
+ atomic_t error_count;
+ struct dm_dev *dev;
+ sector_t offset;
+};
+
+struct mirror_set {
+ struct dm_target *ti;
+ struct list_head list;
+ struct region_hash rh;
+ struct kcopyd_client *kcopyd_client;
+
+ spinlock_t lock; /* protects the next two lists */
+ struct bio_list reads;
+ struct bio_list writes;
+
+ /* recovery */
+ region_t nr_regions;
+ int in_sync;
+
+ struct mirror *default_mirror; /* Default mirror */
+
+ unsigned int nr_mirrors;
+ struct mirror mirror[0];
+};
+
/*
* Conversion fns
*/
static inline region_t bio_to_region(struct region_hash *rh, struct bio *bio)
{
- return bio->bi_sector >> rh->region_shift;
+ return (bio->bi_sector - rh->ms->ti->begin) >> rh->region_shift;
}

static inline sector_t region_to_sector(struct region_hash *rh, region_t region)
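Review bot: bio_to_region() now dereferences rh->ms->ti->begin on every call, so it depends on rh->ms being assigned before the first bio is classified, and nothing in this hunk shows where that happens. Worth confirming the region hash back-pointer is set during initialisation. Splitting the pure move of struct mirror and struct mirror_set into its own patch would also make the one-line functional change much easier to audit for a -stable backport.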
@@ -541,35 +571,6 @@ static void rh_start_recovery(struct reg
wake();
}

-/*-----------------------------------------------------------------
- * Mirror set structures.
- *---------------------------------------------------------------*/
-struct mirror {
- atomic_t error_count;
- struct dm_dev *dev;
- sector_t offset;
-};
-
-struct mirror_set {
- struct dm_target *ti;
- struct list_head list;
- struct region_hash rh;
- struct kcopyd_client *kcopyd_client;
-
- spinlock_t lock; /* protects the next two lists */
- struct bio_list reads;
- struct bio_list writes;
-
- /* recovery */
- region_t nr_regions;
- int in_sync;
-
- struct mirror *default_mirror; /* Default mirror */
-
- unsigned int nr_mirrors;
- struct mirror mirror[0];
-};
-
/*
* Every mirror should look like this one.
*/
@@ -1115,7 +1116,7 @@ static int mirror_map(struct dm_target *
struct mirror *m;
struct mirror_set *ms = ti->private;

- map_context->ll = bio->bi_sector >> ms->rh.region_shift;
+ map_context->ll = bio_to_region(&ms->rh, bio);

if (rw == WRITE) {
queue_bio(ms, bio, rw);
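Review bot: map_context->ll in mirror_map() changes meaning here, from a region computed on the raw bi_sector to one computed after subtracting ti->begin. Whatever reads map_context->ll back is not in the visible hunks and has to expect the target-relative region, so a short comment at this assignment saying the value is relative to ti->begin would guard against someone re-deriving it from bio->bi_sector later.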

--

2006-09-06 23:12:23

by Greg KH

Subject: [patch 21/37] fcntl(F_SETSIG) fix

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Trond Myklebust <[email protected]>

[PATCH] fcntl(F_SETSIG) fix

fcntl(F_SETSIG) no longer works on leases because
lease_release_private_callback() gets called as the lease is copied in
order to initialise it.

The problem is that lease_alloc() performs an unnecessary initialisation,
which sets the lease_manager_ops. Avoid the problem by allocating the
target lease structure using locks_alloc_lock().

Signed-off-by: Trond Myklebust <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/locks.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- linux-2.6.17.11.orig/fs/locks.c
+++ linux-2.6.17.11/fs/locks.c
@@ -1389,8 +1389,9 @@ static int __setlease(struct file *filp,
if (!leases_enable)
goto out;

- error = lease_alloc(filp, arg, &fl);
- if (error)
+ error = -ENOMEM;
+ fl = locks_alloc_lock();
+ if (fl == NULL)
goto out;

locks_copy_lock(fl, lease);
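Review bot: Pre-loading `error = -ENOMEM` before the allocation and resetting it with `error = 0` just before `out:` in the next hunk makes the success path depend on nobody adding a `goto out` between the two. Setting the error inside the failure branch (`if (fl == NULL) { error = -ENOMEM; goto out; }`) keeps the value next to its cause. Also, if this was the only caller of lease_alloc(), the now-unused function should be removed in the same patch.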
@@ -1398,6 +1399,7 @@ static int __setlease(struct file *filp,
locks_insert_lock(before, fl);

*flp = fl;
+ error = 0;
out:
return error;
}

--

2006-09-06 23:12:24

by Greg KH

Subject: [patch 14/37] dm: add module ref counting

-stable review patch. If anyone has any objections, please let us know.

------------------

From: Jeff Mahoney <[email protected]>

The reference counting on dm-mod is zero if no mapped devices are open. This
is incorrect, and can lead to an oops if the module is unloaded while mapped
devices exist.

This patch claims a reference to the module whenever a device is created, and
drops it again when the device is freed.

Devices must be removed before dm-mod is unloaded.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Jeff Mahoney <[email protected]>
Signed-off-by: Alasdair G Kergon <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/md/dm.c | 6 ++++++
1 file changed, 6 insertions(+)

--- linux-2.6.17.11.orig/drivers/md/dm.c
+++ linux-2.6.17.11/drivers/md/dm.c
@@ -852,6 +852,9 @@ static struct mapped_device *alloc_dev(u
return NULL;
}

+ if (!try_module_get(THIS_MODULE))
+ goto bad0;
+
/* get a minor number for the dev */
r = persistent ? specific_minor(md, minor) : next_free_minor(md, &minor);
if (r < 0)
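Review bot: When try_module_get() fails, the new `goto bad0` path frees md and returns NULL without logging anything, so the caller cannot tell a module-unload race from an allocation failure. A DMWARN before the goto would match the out-of-memory path at the top of alloc_dev(), which does report itself.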
@@ -918,6 +921,8 @@ static struct mapped_device *alloc_dev(u
blk_cleanup_queue(md->queue);
free_minor(minor);
bad1:
+ module_put(THIS_MODULE);
+ bad0:
kfree(md);
return NULL;
}
@@ -941,6 +946,7 @@ static void free_dev(struct mapped_devic

put_disk(md->disk);
blk_cleanup_queue(md->queue);
+ module_put(THIS_MODULE);
kfree(md);
}
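Review bot: In free_dev(), module_put(THIS_MODULE) runs before kfree(md), so the module's own reference is dropped while module code is still executing. If that was the last reference, nothing visible here stops an unload from proceeding before free_dev() returns. Making module_put() the final statement narrows the window, and the changelog should say what guarantees the module text stays mapped until the function returns.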


--

2006-09-06 23:11:21

by Greg KH

Subject: [patch 13/37] dm: fix mapped device ref counting

-stable review patch. If anyone has any objections, please let us know.

------------------

From: Jeff Mahoney <[email protected]>

To avoid races, _minor_lock must be held while changing mapped device
reference counts.

There are a few paths where a mapped_device pointer is returned before a
reference is taken. This patch fixes them.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Jeff Mahoney <[email protected]>
Signed-off-by: Alasdair G Kergon <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/md/dm-ioctl.c | 34 ++++++++++++++++++++++++----------
1 file changed, 24 insertions(+), 10 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm-ioctl.c
+++ linux-2.6.17.11/drivers/md/dm-ioctl.c
@@ -102,8 +102,10 @@ static struct hash_cell *__get_name_cell
unsigned int h = hash_str(str);

list_for_each_entry (hc, _name_buckets + h, name_list)
- if (!strcmp(hc->name, str))
+ if (!strcmp(hc->name, str)) {
+ dm_get(hc->md);
return hc;
+ }

return NULL;
}
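Review bot: __get_name_cell() now returns with a reference taken on hc->md, a change of contract that the function gives no hint of. Every caller has to pair it with dm_put(), so add a comment above the function (and above __get_uuid_cell(), which gets the same change in the next hunk) stating that a non-NULL return holds a reference the caller must drop.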
@@ -114,8 +116,10 @@ static struct hash_cell *__get_uuid_cell
unsigned int h = hash_str(str);

list_for_each_entry (hc, _uuid_buckets + h, uuid_list)
- if (!strcmp(hc->uuid, str))
+ if (!strcmp(hc->uuid, str)) {
+ dm_get(hc->md);
return hc;
+ }

return NULL;
}
@@ -191,7 +195,7 @@ static int unregister_with_devfs(struct
*/
static int dm_hash_insert(const char *name, const char *uuid, struct mapped_device *md)
{
- struct hash_cell *cell;
+ struct hash_cell *cell, *hc;

/*
* Allocate the new cells.
@@ -204,14 +208,19 @@ static int dm_hash_insert(const char *na
* Insert the cell into both hash tables.
*/
down_write(&_hash_lock);
- if (__get_name_cell(name))
+ hc = __get_name_cell(name);
+ if (hc) {
+ dm_put(hc->md);
goto bad;
+ }

list_add(&cell->name_list, _name_buckets + hash_str(name));

if (uuid) {
- if (__get_uuid_cell(uuid)) {
+ hc = __get_uuid_cell(uuid);
+ if (hc) {
list_del(&cell->name_list);
+ dm_put(hc->md);
goto bad;
}
list_add(&cell->uuid_list, _uuid_buckets + hash_str(uuid));
@@ -289,6 +298,7 @@ static int dm_hash_rename(const char *ol
if (hc) {
DMWARN("asked to rename to an already existing name %s -> %s",
old, new);
+ dm_put(hc->md);
up_write(&_hash_lock);
kfree(new_name);
return -EBUSY;
@@ -328,6 +338,7 @@ static int dm_hash_rename(const char *ol
dm_table_put(table);
}

+ dm_put(hc->md);
up_write(&_hash_lock);
kfree(old_name);
return 0;
@@ -611,10 +622,8 @@ static struct hash_cell *__find_device_h
return __get_name_cell(param->name);

md = dm_get_md(huge_decode_dev(param->dev));
- if (md) {
+ if (md)
mdptr = dm_get_mdptr(md);
- dm_put(md);
- }

return mdptr;
}
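Review bot: In __find_device_hash_cell(), dropping the dm_put(md) leaks the reference from dm_get_md() when dm_get_mdptr(md) returns NULL: the function then returns NULL, and a caller that sees NULL has nothing to call dm_put() on. Keep the put on that path, for example `if (!mdptr) dm_put(md);` right after the dm_get_mdptr() call.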
@@ -628,7 +637,6 @@ static struct mapped_device *find_device
hc = __find_device_hash_cell(param);
if (hc) {
md = hc->md;
- dm_get(md);

/*
* Sneakily write in both the name and the uuid
@@ -653,6 +661,7 @@ static struct mapped_device *find_device
static int dev_remove(struct dm_ioctl *param, size_t param_size)
{
struct hash_cell *hc;
+ struct mapped_device *md;

down_write(&_hash_lock);
hc = __find_device_hash_cell(param);
@@ -663,8 +672,11 @@ static int dev_remove(struct dm_ioctl *p
return -ENXIO;
}

+ md = hc->md;
+
__hash_remove(hc);
up_write(&_hash_lock);
+ dm_put(md);
param->data_size = 0;
return 0;
}
@@ -790,7 +802,6 @@ static int do_resume(struct dm_ioctl *pa
}

md = hc->md;
- dm_get(md);

new_map = hc->new_map;
hc->new_map = NULL;
@@ -1078,6 +1089,7 @@ static int table_clear(struct dm_ioctl *
{
int r;
struct hash_cell *hc;
+ struct mapped_device *md;

down_write(&_hash_lock);

@@ -1096,7 +1108,9 @@ static int table_clear(struct dm_ioctl *
param->flags &= ~DM_INACTIVE_PRESENT_FLAG;

r = __dev_status(hc->md, param);
+ md = hc->md;
up_write(&_hash_lock);
+ dm_put(md);
return r;
}


--

2006-09-06 23:13:16

by Greg KH

Subject: [patch 09/37] dm: fix idr minor allocation

-stable review patch. If anyone has any objections, please let us know.

------------------

From: Jeff Mahoney <[email protected]>

One part of the system can attempt to use a mapped device before another has
finished initialising it or while it is being freed.

This patch introduces a place holder value, MINOR_ALLOCED, to mark the minor
as allocated but in a state where it can't be used, such as mid-allocation or
mid-free. At the end of the initialization, it replaces the place holder with
the pointer to the mapped_device, making it available to the rest of the dm
subsystem.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Jeff Mahoney <[email protected]>
Signed-off-by: Alasdair G Kergon <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/md/dm.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm.c
+++ linux-2.6.17.11/drivers/md/dm.c
@@ -54,6 +54,8 @@ union map_info *dm_get_mapinfo(struct bi
return NULL;
}

+#define MINOR_ALLOCED ((void *)-1)
+
/*
* Bits for the md->flags field.
*/
@@ -777,7 +779,7 @@ static int specific_minor(struct mapped_
goto out;
}

- r = idr_get_new_above(&_minor_idr, md, minor, &m);
+ r = idr_get_new_above(&_minor_idr, MINOR_ALLOCED, minor, &m);
if (r) {
goto out;
}
@@ -806,7 +808,7 @@ static int next_free_minor(struct mapped
goto out;
}

- r = idr_get_new(&_minor_idr, md, &m);
+ r = idr_get_new(&_minor_idr, MINOR_ALLOCED, &m);
if (r) {
goto out;
}
@@ -833,6 +835,7 @@ static struct mapped_device *alloc_dev(u
{
int r;
struct mapped_device *md = kmalloc(sizeof(*md), GFP_KERNEL);
+ void *old_md;

if (!md) {
DMWARN("unable to allocate device, out of memory.");
@@ -888,6 +891,13 @@ static struct mapped_device *alloc_dev(u
init_waitqueue_head(&md->wait);
init_waitqueue_head(&md->eventq);

+ /* Populate the mapping, nobody knows we exist yet */
+ mutex_lock(&_minor_lock);
+ old_md = idr_replace(&_minor_idr, md, minor);
+ mutex_unlock(&_minor_lock);
+
+ BUG_ON(old_md != MINOR_ALLOCED);
+
return md;

bad4:
@@ -1018,7 +1028,7 @@ static struct mapped_device *dm_find_md(
mutex_lock(&_minor_lock);

md = idr_find(&_minor_idr, minor);
- if (!md || (dm_disk(md)->first_minor != minor))
+ if (md && (md == MINOR_ALLOCED || (dm_disk(md)->first_minor != minor)))
md = NULL;

mutex_unlock(&_minor_lock);
@@ -1057,6 +1067,9 @@ void dm_put(struct mapped_device *md)

if (atomic_dec_and_test(&md->holders)) {
map = dm_get_table(md);
+ mutex_lock(&_minor_lock);
+ idr_replace(&_minor_idr, MINOR_ALLOCED, dm_disk(md)->first_minor);
+ mutex_unlock(&_minor_lock);
if (!dm_suspended(md)) {
dm_table_presuspend_targets(map);
dm_table_postsuspend_targets(map);
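Review bot: In dm_put(), the holder count reaches zero in atomic_dec_and_test() before _minor_lock is taken, so between those two lines the idr still holds the real md pointer. A dm_find_md() running in that window (it looks the minor up under _minor_lock, per the hunk above) gets a pointer to a device that is already on its way to being freed. The decrement and the idr_replace() need to happen under the same lock acquisition, and the return value of idr_replace() should be checked here as it is in alloc_dev().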

--

2006-09-06 23:13:46

by Greg KH

Subject: [patch 22/37] bug in futex unqueue_me

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Christian Borntraeger <[email protected]>

This patch adds a barrier() in futex unqueue_me to avoid aliasing of two
pointers.

On my s390x system I saw the following oops:

Unable to handle kernel pointer dereference at virtual kernel address
0000000000000000
Oops: 0004 [#1]
CPU: 0 Not tainted
Process mytool (pid: 13613, task: 000000003ecb6ac0, ksp: 00000000366bdbd8)
Krnl PSW : 0704d00180000000 00000000003c9ac2 (_spin_lock+0xe/0x30)
Krnl GPRS: 00000000ffffffff 000000003ecb6ac0 0000000000000000 0700000000000000
0000000000000000 0000000000000000 000001fe00002028 00000000000c091f
000001fe00002054 000001fe00002054 0000000000000000 00000000366bddc0
00000000005ef8c0 00000000003d00e8 0000000000144f91 00000000366bdcb8
Krnl Code: ba 4e 20 00 12 44 b9 16 00 3e a7 84 00 08 e3 e0 f0 88 00 04
Call Trace:
([<0000000000144f90>] unqueue_me+0x40/0xe4)
[<0000000000145a0c>] do_futex+0x33c/0xc40
[<000000000014643e>] sys_futex+0x12e/0x144
[<000000000010bb00>] sysc_noemu+0x10/0x16
[<000002000003741c>] 0x2000003741c

The code in question is:

static int unqueue_me(struct futex_q *q)
{
int ret = 0;
spinlock_t *lock_ptr;

/* In the common case we don't take the spinlock, which is nice. */
retry:
lock_ptr = q->lock_ptr;
if (lock_ptr != 0) {
spin_lock(lock_ptr);
/*
* q->lock_ptr can change between reading it and
* spin_lock(), causing us to take the wrong lock. This
* corrects the race condition.
[...]

and my compiler (gcc 4.1.0) makes the following out of it:

00000000000003c8 <unqueue_me>:
3c8: eb bf f0 70 00 24 stmg %r11,%r15,112(%r15)
3ce: c0 d0 00 00 00 00 larl %r13,3ce <unqueue_me+0x6>
3d0: R_390_PC32DBL .rodata+0x2a
3d4: a7 f1 1e 00 tml %r15,7680
3d8: a7 84 00 01 je 3da <unqueue_me+0x12>
3dc: b9 04 00 ef lgr %r14,%r15
3e0: a7 fb ff d0 aghi %r15,-48
3e4: b9 04 00 b2 lgr %r11,%r2
3e8: e3 e0 f0 98 00 24 stg %r14,152(%r15)
3ee: e3 c0 b0 28 00 04 lg %r12,40(%r11)
/* write q->lock_ptr in r12 */
3f4: b9 02 00 cc ltgr %r12,%r12
3f8: a7 84 00 4b je 48e <unqueue_me+0xc6>
/* if r12 is zero then jump over the code.... */
3fc: e3 20 b0 28 00 04 lg %r2,40(%r11)
/* write q->lock_ptr in r2 */
402: c0 e5 00 00 00 00 brasl %r14,402 <unqueue_me+0x3a>
404: R_390_PC32DBL _spin_lock+0x2
/* use r2 as parameter for spin_lock */

So the code becomes more or less:
if (q->lock_ptr != 0) spin_lock(q->lock_ptr)
instead of
if (lock_ptr != 0) spin_lock(lock_ptr)

Which caused the oops from above.
After adding a barrier gcc creates code without this problem:
[...] (the same)
3ee: e3 c0 b0 28 00 04 lg %r12,40(%r11)
3f4: b9 02 00 cc ltgr %r12,%r12
3f8: b9 04 00 2c lgr %r2,%r12
3fc: a7 84 00 48 je 48c <unqueue_me+0xc4>
400: c0 e5 00 00 00 00 brasl %r14,400 <unqueue_me+0x38>
402: R_390_PC32DBL _spin_lock+0x2

As a general note, this code of unqueue_me seems a bit fishy. The retry logic
of unqueue_me only works if we can guarantee that the original value of
q->lock_ptr is always a spinlock (otherwise we overwrite kernel memory). We
know that q->lock_ptr can change. I don't know what happens with the original
spinlock, as I am not an expert with the futex code.

Cc: Martin Schwidefsky <[email protected]>
Cc: Rusty Russell <[email protected]>
Acked-by: Ingo Molnar <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Signed-off-by: Christian Borntraeger <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
kernel/futex.c | 1 +
1 file changed, 1 insertion(+)

--- linux-2.6.17.11.orig/kernel/futex.c
+++ linux-2.6.17.11/kernel/futex.c
@@ -593,6 +593,7 @@ static int unqueue_me(struct futex_q *q)
/* In the common case we don't take the spinlock, which is nice. */
retry:
lock_ptr = q->lock_ptr;
+ barrier();
if (lock_ptr != 0) {
spin_lock(lock_ptr);
/*
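Review bot: The added barrier() after `lock_ptr = q->lock_ptr;` has no comment, and without the changelog nobody reading unqueue_me() will know it is there to stop the compiler from re-loading q->lock_ptr for the spin_lock() argument after the NULL test. Please add a comment on that line saying the local copy must be read exactly once, so the barrier is not removed as apparently useless in a later cleanup.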

--

2006-09-06 23:01:21

by Greg KH

Subject: [patch 03/37] Fix output fragmentation of paged-skbs

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Herbert Xu <[email protected]>

[INET]: Use pskb_trim_unique when trimming paged unique skbs

The IPv4/IPv6 datagram output path was using skb_trim to trim paged
packets because they know that the packet has not been cloned yet
(since the packet hasn't been given to anything else in the system).

This broke because skb_trim no longer allows paged packets to be
trimmed. Paged packets must be given to one of the pskb_trim functions
instead.

This patch adds a new pskb_trim_unique function to cover the IPv4/IPv6
datagram output path scenario and replaces the corresponding skb_trim
calls with it.

Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
include/linux/skbuff.h | 15 +++++++++++++++
net/ipv4/ip_output.c | 4 ++--
net/ipv6/ip6_output.c | 2 +-
3 files changed, 18 insertions(+), 3 deletions(-)

--- linux-2.6.17.11.orig/include/linux/skbuff.h
+++ linux-2.6.17.11/include/linux/skbuff.h
@@ -1009,6 +1009,21 @@ static inline int pskb_trim(struct sk_bu
}

/**
+ * pskb_trim_unique - remove end from a paged unique (not cloned) buffer
+ * @skb: buffer to alter
+ * @len: new length
+ *
+ * This is identical to pskb_trim except that the caller knows that
+ * the skb is not cloned so we should never get an error due to out-
+ * of-memory.
+ */
+static inline void pskb_trim_unique(struct sk_buff *skb, unsigned int len)
+{
+ int err = pskb_trim(skb, len);
+ BUG_ON(err);
+}
+
+/**
* skb_orphan - orphan a buffer
* @skb: buffer to orphan
*
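Review bot: pskb_trim_unique() takes the caller's word that the skb is not cloned; the only check is BUG_ON(err) on the return value of pskb_trim(), which turns any unexpected failure on the datagram output path into a kernel panic. If the precondition matters enough to name the function after it, assert it directly on entry (for example BUG_ON(skb_cloned(skb))), and consider whether a WARN_ON would be a safer failure mode for a -stable kernel.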
--- linux-2.6.17.11.orig/net/ipv4/ip_output.c
+++ linux-2.6.17.11/net/ipv4/ip_output.c
@@ -946,7 +946,7 @@ alloc_new_skb:
skb_prev->csum = csum_sub(skb_prev->csum,
skb->csum);
data += fraggap;
- skb_trim(skb_prev, maxfraglen);
+ pskb_trim_unique(skb_prev, maxfraglen);
}

copy = datalen - transhdrlen - fraggap;
@@ -1139,7 +1139,7 @@ ssize_t ip_append_page(struct sock *sk,
data, fraggap, 0);
skb_prev->csum = csum_sub(skb_prev->csum,
skb->csum);
- skb_trim(skb_prev, maxfraglen);
+ pskb_trim_unique(skb_prev, maxfraglen);
}

/*
--- linux-2.6.17.11.orig/net/ipv6/ip6_output.c
+++ linux-2.6.17.11/net/ipv6/ip6_output.c
@@ -1047,7 +1047,7 @@ alloc_new_skb:
skb_prev->csum = csum_sub(skb_prev->csum,
skb->csum);
data += fraggap;
- skb_trim(skb_prev, maxfraglen);
+ pskb_trim_unique(skb_prev, maxfraglen);
}
copy = datalen - transhdrlen - fraggap;
if (copy < 0) {

--

2006-09-06 23:13:58

by Greg KH

Subject: [patch 07/37] Have ext2 reject file handles with bad inode numbers early.

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Neil Brown <[email protected]>

This prevents bad inode numbers from triggering errors in
ext2_get_inode.


Signed-off-by: Neil Brown <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/ext2/super.c | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)

--- linux-2.6.17.11.orig/fs/ext2/super.c
+++ linux-2.6.17.11/fs/ext2/super.c
@@ -252,6 +252,46 @@ static struct super_operations ext2_sops
#endif
};

+static struct dentry *ext2_get_dentry(struct super_block *sb, void *vobjp)
+{
+ __u32 *objp = vobjp;
+ unsigned long ino = objp[0];
+ __u32 generation = objp[1];
+ struct inode *inode;
+ struct dentry *result;
+
+ if (ino != EXT2_ROOT_INO && ino < EXT2_FIRST_INO(sb))
+ return ERR_PTR(-ESTALE);
+ if (ino > le32_to_cpu(EXT2_SB(sb)->s_es->s_inodes_count))
+ return ERR_PTR(-ESTALE);
+
+ /* iget isn't really right if the inode is currently unallocated!!
+ * ext2_read_inode currently does appropriate checks, but
+ * it might be "neater" to call ext2_get_inode first and check
+ * if the inode is valid.....
+ */
+ inode = iget(sb, ino);
+ if (inode == NULL)
+ return ERR_PTR(-ENOMEM);
+ if (is_bad_inode(inode)
+ || (generation && inode->i_generation != generation)
+ ) {
+ /* we didn't find the right inode.. */
+ iput(inode);
+ return ERR_PTR(-ESTALE);
+ }
+ /* now to find a dentry.
+ * If possible, get a well-connected one
+ */
+ result = d_alloc_anon(inode);
+ if (!result) {
+ iput(inode);
+ return ERR_PTR(-ENOMEM);
+ }
+ return result;
+}
+
+
/* Yes, most of these are left as NULL!!
* A NULL value implies the default, which works with ext2-like file
* systems, but can be improved upon.
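Review bot: ext2_get_dentry() has no header comment explaining that objp[0] and objp[1] are taken straight from a file handle, which is the whole reason for the two range checks on ino. Two smaller points: `generation && inode->i_generation != generation` accepts any inode when the handle carries generation 0, which deserves a comment saying it is intentional, and the closing `) {` of that condition on a line of its own does not follow kernel style.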
@@ -259,6 +299,7 @@ static struct super_operations ext2_sops
*/
static struct export_operations ext2_export_ops = {
.get_parent = ext2_get_parent,
+ .get_dentry = ext2_get_dentry,
};

static unsigned long get_sb_block(void **data)

--

2006-09-06 23:15:40

by Greg KH

Subject: [patch 06/37] Allow per-route window scale limiting

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <[email protected]>

There are black box devices out there, routers and firewalls and
whatnot, that simply cannot grok the TCP window scaling option
correctly.

People should and do bark at the site running the device causing
the problems, but in the meantime folks do want a way to deal
with the problem. We don't want them to turn off window scaling
completely as that hurts performance of connections that would run
just fine with window scaling enabled.

So give a way to do this on a per-route basis by limiting the
window scaling by the per-connection window clamp. Stephen's
changelog message explains how to do this using a route metric.

[TCP]: Limit window scaling if window is clamped.

This small change allows for easy per-route workarounds for broken hosts or
middleboxes that are not compliant with TCP standards for window scaling.
Rather than having to turn off window scaling globally, this patch allows
reducing or disabling window scaling if window clamp is present.

Example: Mark Lord reported a problem with 2.6.17 kernel being unable to
access http://www.everymac.com

# ip route add 216.145.246.23/32 via 10.8.0.1 window 65535

Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/ipv4/tcp_output.c | 1 +
1 file changed, 1 insertion(+)

--- linux-2.6.17.11.orig/net/ipv4/tcp_output.c
+++ linux-2.6.17.11/net/ipv4/tcp_output.c
@@ -197,6 +197,7 @@ void tcp_select_initial_window(int __spa
* See RFC1323 for an explanation of the limit to 14
*/
space = max_t(u32, sysctl_tcp_rmem[2], sysctl_rmem_max);
+ space = min_t(u32, space, *window_clamp);
while (space > 65535 && (*rcv_wscale) < 14) {
space >>= 1;
(*rcv_wscale)++;
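Review bot: The new `space = min_t(u32, space, *window_clamp);` assumes *window_clamp is non-zero at this point. The hunk does not show how an unset clamp is represented; if it can still be 0 here, space becomes 0 and rcv_wscale stays 0 for every connection without a per-route window, which would silently disable window scaling. Please confirm the clamp is normalised earlier in tcp_select_initial_window(), and add a comment on this line saying so.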

--

2006-09-06 23:14:43

by Greg KH

Subject: [patch 01/37] TEXTSEARCH: Fix Boyer Moore initialization bug


-stable review patch. If anyone has any objections, please let us know.

------------------

From: Michael Rash <[email protected]>

[TEXTSEARCH]: Fix Boyer Moore initialization bug

The pattern is set after trying to compute the prefix table, which tries
to use it. Initialize it before calling compute_prefix_tbl, make
compute_prefix_tbl consistently use only the data from struct ts_bm
and remove the now unnecessary arguments.

Signed-off-by: Michael Rash <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>
Acked-by: David Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
lib/ts_bm.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)

--- linux-2.6.17.11.orig/lib/ts_bm.c
+++ linux-2.6.17.11/lib/ts_bm.c
@@ -112,15 +112,14 @@ static int subpattern(u8 *pattern, int i
return ret;
}

-static void compute_prefix_tbl(struct ts_bm *bm, const u8 *pattern,
- unsigned int len)
+static void compute_prefix_tbl(struct ts_bm *bm)
{
int i, j, g;

for (i = 0; i < ASIZE; i++)
- bm->bad_shift[i] = len;
- for (i = 0; i < len - 1; i++)
- bm->bad_shift[pattern[i]] = len - 1 - i;
+ bm->bad_shift[i] = bm->patlen;
+ for (i = 0; i < bm->patlen - 1; i++)
+ bm->bad_shift[bm->pattern[i]] = bm->patlen - 1 - i;

/* Compute the good shift array, used to match reocurrences
* of a subpattern */
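Review bot: The loop bound `i < bm->patlen - 1` compares a signed int i against patlen; if patlen is unsigned like the `unsigned int len` parameter it replaces, a zero-length pattern makes `bm->patlen - 1` wrap to a huge value and the loop indexes far past bm->pattern. The old code had the same shape, but since this patch already rewrites the loop it is the place to reject len == 0 in bm_init() or to write the bound as `i + 1 < bm->patlen`.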
@@ -151,8 +150,8 @@ static struct ts_config *bm_init(const v
bm = ts_config_priv(conf);
bm->patlen = len;
bm->pattern = (u8 *) bm->good_shift + prefix_tbl_len;
- compute_prefix_tbl(bm, pattern, len);
memcpy(bm->pattern, pattern, len);
+ compute_prefix_tbl(bm);

return conf;
}

--

2006-09-06 23:15:58

by Greg KH

Subject: [patch 02/37] spectrum_cs: Fix firmware uploading errors

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Richard Purdie <[email protected]>

This fixes firmware upload failures which prevent the driver from working.

Signed-off-by: Richard Purdie <[email protected]>
Cc: Dominik Brodowski <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/wireless/spectrum_cs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.17.11.orig/drivers/net/wireless/spectrum_cs.c
+++ linux-2.6.17.11/drivers/net/wireless/spectrum_cs.c
@@ -245,7 +245,7 @@ spectrum_reset(struct pcmcia_device *lin
u_int save_cor;

/* Doing it if hardware is gone is guaranteed crash */
- if (pcmcia_dev_present(link))
+ if (!pcmcia_dev_present(link))
return -ENODEV;

/* Save original COR value */

--

2006-09-06 23:33:10

by Adrian Bunk

Subject: [-stable patch] pci_ids.h: add some VIA IDE identifiers

On Wed, Sep 06, 2006 at 03:57:36PM -0700, Greg KH wrote:
> -stable review patch. If anyone has any objections, please let us know.
>
> ------------------
> From: Alan Cox <[email protected]>
>
>
> The following change from -mm is important to 2.6.18 (actually to 2.6.17
> but it's too late for that). This was contributed over three months ago
> by VIA to Bartlomiej and nothing happened. As a result the new chipset
> is now out and Linux won't run on it. By the time 2.6.18 is finalised
> this will be the de facto standard VIA chipset so support would be a good
> plan.
>
> Tested in -mm for a while, it's essentially a PCI ident update but for
> the bridge chip because VIA do things in weird ways.
>
>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
>
>
> ---
> drivers/ide/pci/via82cxxx.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>...

If anyone actually tries to compile this driver the patch below might
be helpful.

cu
Adrian


<-- snip -->


commit 47251e05f74783cc03f83f5e88016fc2cbd059f1
Author: Alan Cox <[email protected]>
Date: Wed Sep 6 19:55:17 2006 +0200

pci_ids.h: add some VIA IDE identifiers

Signed-off-by: Alan Cox <[email protected]>
Signed-off-by: Adrian Bunk <[email protected]>

diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h
index 751eea5..960fb7b 100644
--- a/include/linux/pci_ids.h
+++ b/include/linux/pci_ids.h
@@ -1223,6 +1223,7 @@ #define PCI_DEVICE_ID_VIA_PT880 0x0258
#define PCI_DEVICE_ID_VIA_PX8X0_0 0x0259
#define PCI_DEVICE_ID_VIA_3269_0 0x0269
#define PCI_DEVICE_ID_VIA_K8T800PRO_0 0x0282
+#define PCI_DEVICE_ID_VIA_3296_0 0x0296
#define PCI_DEVICE_ID_VIA_8363_0 0x0305
#define PCI_DEVICE_ID_VIA_P4M800CE 0x0314
#define PCI_DEVICE_ID_VIA_8371_0 0x0391
@@ -1230,6 +1231,7 @@ #define PCI_DEVICE_ID_VIA_8501_0 0x0501
#define PCI_DEVICE_ID_VIA_82C561 0x0561
#define PCI_DEVICE_ID_VIA_82C586_1 0x0571
#define PCI_DEVICE_ID_VIA_82C576 0x0576
+#define PCI_DEVICE_ID_VIA_SATA_EIDE 0x0581
#define PCI_DEVICE_ID_VIA_82C586_0 0x0586
#define PCI_DEVICE_ID_VIA_82C596 0x0596
#define PCI_DEVICE_ID_VIA_82C597_0 0x0597
@@ -1270,10 +1272,11 @@ #define PCI_DEVICE_ID_VIA_8378_0 0x3205
#define PCI_DEVICE_ID_VIA_8783_0 0x3208
#define PCI_DEVICE_ID_VIA_8237 0x3227
#define PCI_DEVICE_ID_VIA_8251 0x3287
-#define PCI_DEVICE_ID_VIA_3296_0 0x0296
+#define PCI_DEVICE_ID_VIA_8237A 0x3337
#define PCI_DEVICE_ID_VIA_8231 0x8231
#define PCI_DEVICE_ID_VIA_8231_4 0x8235
#define PCI_DEVICE_ID_VIA_8365_1 0x8305
+#define PCI_DEVICE_ID_VIA_CX700 0x8324
#define PCI_DEVICE_ID_VIA_8371_1 0x8391
#define PCI_DEVICE_ID_VIA_82C598_1 0x8598
#define PCI_DEVICE_ID_VIA_838X_1 0xB188
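Review bot: The changelog is only the subject line, while the last hunk does two things: it adds PCI_DEVICE_ID_VIA_8237A and PCI_DEVICE_ID_VIA_CX700, and it removes PCI_DEVICE_ID_VIA_3296_0 from this position because the first hunk re-adds it in numerical order. Please say in the commit message that the 0x0296 entry is moved, not changed, and which driver in this series fails to build without the new identifiers.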

2006-09-06 23:34:00

by Adrian Bunk

Subject: Re: [patch 00/37] -stable review

On Wed, Sep 06, 2006 at 03:54:44PM -0700, Greg KH wrote:
> This is the start of the stable review cycle for next 2.6.17.y release.
> There are 37 patches in this series, all will be posted as a response to
> this one. If anyone has any issues with these being applied, please let
> us know. If anyone is a maintainer of the proper subsystem, and wants
> to add a Signed-off-by: line to the patch, please respond with it.
>
> These patches are sent out with a number of different people on the Cc:
> line. If you wish to be a reviewer, please email [email protected] to
> add your name to the list. If you want to be off the reviewer list,
> also email us.
>
> Responses should be made by Fri Sep 8 22:00:00 UTC. Anything received
> after that time might be too late.
>
> Full patch of this whole series is available at:
> http://www.kernel.org/pub/linux/kernel/people/gregkh/stable/patch-2.6.17.12-rc1.gz
> if you wish to test it out and make sure nothing is broken on your
> architecture or system.

The patch is reversed and doesn't update the Makefile.

> thanks,
>
> greg k-h

cu
Adrian

--

"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed

2006-09-07 02:08:38

by Greg KH

Subject: Re: [patch 00/37] -stable review

On Thu, Sep 07, 2006 at 01:33:57AM +0200, Adrian Bunk wrote:
> On Wed, Sep 06, 2006 at 03:54:44PM -0700, Greg KH wrote:
> > This is the start of the stable review cycle for next 2.6.17.y release.
> > There are 37 patches in this series, all will be posted as a response to
> > this one. If anyone has any issues with these being applied, please let
> > us know. If anyone is a maintainer of the proper subsystem, and wants
> > to add a Signed-off-by: line to the patch, please respond with it.
> >
> > These patches are sent out with a number of different people on the Cc:
> > line. If you wish to be a reviewer, please email [email protected] to
> > add your name to the list. If you want to be off the reviewer list,
> > also email us.
> >
> > Responses should be made by Fri Sep 8 22:00:00 UTC. Anything received
> > after that time might be too late.
> >
> > Full patch of this whole series is available at:
> > http://www.kernel.org/pub/linux/kernel/people/gregkh/stable/patch-2.6.17.12-rc1.gz
> > if you wish to test it out and make sure nothing is broken on your
> > architecture or system.
>
> The patch is reversed and doesn't update the Makefile.

Doh, I need to automate this portion instead of doing it by hand all the
time...

The patch is now updated (will take a few minutes to be mirrored),
thanks for pointing it out.

greg k-h

2006-09-07 08:44:08

by Kirill Korotaev

Subject: Re: [patch 04/37] fix compilation error on IA64

Greg,

The patch from Fernando Vazquez is incomplete.
The first hunk is from Fernando's patch which fixes IA64 compilation.
But there are some archs which do not include asm-generic/mman.h
and thus will have arch_mmap_check undefined.

Signed-Off-By: Kirill Korotaev <[email protected]>

--- a/include/asm-ia64/mman.h
+++ b/include/asm-ia64/mman.h
@@ -9,10 +9,12 @@
*/

#ifdef __KERNEL__
+#ifndef __ASSEMBLY__
#define arch_mmap_check ia64_map_check_rgn
int ia64_map_check_rgn(unsigned long addr, unsigned long len,
unsigned long flags);
#endif
+#endif

#include <asm-generic/mman.h>

diff --git a/include/asm-alpha/mman.h b/include/asm-alpha/mman.h
index 5f24c75..51cf354 100644
--- a/include/asm-alpha/mman.h
+++ b/include/asm-alpha/mman.h
@@ -52,4 +52,10 @@ #define MADV_DOFORK 11 /* do inherit ac
#define MAP_ANON MAP_ANONYMOUS
#define MAP_FILE 0

+#ifdef __KERNEL__
+#ifndef arch_mmap_check
+#define arch_mmap_check(addr, len, flags) (0)
+#endif
+#endif
+
#endif /* __ALPHA_MMAN_H__ */
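Review bot: The `#ifndef arch_mmap_check` fallback added here is repeated verbatim in the asm-mips and asm-parisc hunks that follow, and any other architecture that does not include asm-generic/mman.h will need yet another copy. A single default next to the caller of arch_mmap_check(), guarded by the same #ifndef, would cover every architecture and leave only ia64 overriding it.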
diff --git a/include/asm-mips/mman.h b/include/asm-mips/mman.h
index 046cf68..f19e858 100644
--- a/include/asm-mips/mman.h
+++ b/include/asm-mips/mman.h
@@ -75,4 +75,10 @@ #define MADV_DOFORK 11 /* do inherit ac
#define MAP_ANON MAP_ANONYMOUS
#define MAP_FILE 0

+#ifdef __KERNEL__
+#ifndef arch_mmap_check
+#define arch_mmap_check(addr, len, flags) (0)
+#endif
+#endif
+
#endif /* _ASM_MMAN_H */
diff --git a/include/asm-parisc/mman.h b/include/asm-parisc/mman.h
index 0ef15ee..9829b31 100644
--- a/include/asm-parisc/mman.h
+++ b/include/asm-parisc/mman.h
@@ -59,4 +59,10 @@ #define MAP_ANON MAP_ANONYMOUS
#define MAP_FILE 0
#define MAP_VARIABLE 0

+#ifdef __KERNEL__
+#ifndef arch_mmap_check
+#define arch_mmap_check(addr, len, flags) (0)
+#endif
+#endif
+
#endif /* __PARISC_MMAN_H__ */
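
Review bot: this is the third verbatim copy of the same five-line fallback (alpha, mips, parisc), and the description only says "some archs" do not include asm-generic/mman.h without listing them, so a reader cannot tell from the patch whether every such header is covered. Naming the affected architectures in the changelog, or moving the `#ifndef arch_mmap_check` fallback into one common header that all of them include, would keep another architecture from hitting the same undefined symbol.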


2006-09-07 11:06:09

by Marcel Holtmann

Subject: Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0

Hi Greg,

> ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
> code has a bug that allows an attacker to send a malformed ULE packet
> with SNDU length of 0 and bring down the receiving machine. This patch
> fixes the bug and has been tested on version 2.6.17.11. This bug is 100%
> reproducible and the modified source code (GPL) used to produce this bug
> will be posted on http://nrg.cs.usm.my/downloads.htm shortly. The
> kernel will produce a dump during CRC32 checking on faulty ULE packet.

the upstream code changed for 2.6.18. It has a different way of
addressing this issue, but it also changes a lot of other stuff in the
whole code. However it might be worth looking at it, because the
upstream code might be still vulnerable.

Regards

Marcel


2006-09-07 15:40:14

by Greg KH

Subject: Re: [stable] [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0

On Thu, Sep 07, 2006 at 02:57:56PM +0200, Marcel Holtmann wrote:
> Hi Greg,
>
> > ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
> > code has a bug that allows an attacker to send a malformed ULE packet
> > with SNDU length of 0 and bring down the receiving machine. This patch
> > fixes the bug and has been tested on version 2.6.17.11. This bug is 100%
> > reproducible and the modified source code (GPL) used to produce this bug
> > will be posted on http://nrg.cs.usm.my/downloads.htm shortly. The
> > kernel will produce a dump during CRC32 checking on faulty ULE packet.
>
> the upstream code changed for 2.6.18. It has a different way of
> addressing this issue, but it also changes a lot of other stuff in the
> whole code. However it might be worth looking at it, because the
> upstream code might be still vulnerable.

So we should not take this patch for 2.6.17.y? Do you have a different
patch we should use instead?

thanks,

greg k-h

2006-09-07 19:26:25

by Pavel Machek

Subject: Re: [patch 37/37] sky2: version 1.6.1

On Wed 06-09-06 15:58:12, Greg KH wrote:
> -stable review patch. If anyone has any objections, please let us know.
>
> ------------------
> From: Stephen Hemminger <[email protected]>
>
> Since this code incorporates some of the fixes from 2.6.18, change
> the version number.
>
> Signed-off-by: Stephen Hemminger <[email protected]>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>

Not sure, one of 'stable' criteria is 'fixes bad bug'. What bug does
this fix?

Pavel
--
Thanks for all the (sleeping) penguins.

2006-09-07 20:35:05

by Greg KH

Subject: Re: [patch 37/37] sky2: version 1.6.1

On Thu, Sep 07, 2006 at 07:25:28PM +0000, Pavel Machek wrote:
> On Wed 06-09-06 15:58:12, Greg KH wrote:
> > -stable review patch. If anyone has any objections, please let us know.
> >
> > ------------------
> > From: Stephen Hemminger <[email protected]>
> >
> > Since this code incorporates some of the fixes from 2.6.18, change
> > the version number.
> >
> > Signed-off-by: Stephen Hemminger <[email protected]>
> > Signed-off-by: Greg Kroah-Hartman <[email protected]>
>
> Not sure, one of 'stable' criteria is 'fixes bad bug'. What bug does
> this fix?

The previous 5 patches changed this driver, so changing the version
number of it is acceptable to me.

thanks,

greg k-h

2006-09-07 21:04:10

by Pavel Machek

Subject: Re: [patch 37/37] sky2: version 1.6.1

Hi!

> > > -stable review patch. If anyone has any objections, please let us know.
> > >
> > > ------------------
> > > From: Stephen Hemminger <[email protected]>
> > >
> > > Since this code incorporates some of the fixes from 2.6.18, change
> > > the version number.
> > >
> > > Signed-off-by: Stephen Hemminger <[email protected]>
> > > Signed-off-by: Greg Kroah-Hartman <[email protected]>
> >
> > Not sure, one of 'stable' criteria is 'fixes bad bug'. What bug does
> > this fix?
>
> The previous 5 patches changed this driver, so changing the version
> number of it is acceptable to me.

Well... I agree that version change is understandable, but it will be
also surprising for the users, and stable rules were quite strict with
"must fix obvious bug"...
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

2006-09-07 21:53:39

by Stephen Hemminger

Subject: Re: [patch 37/37] sky2: version 1.6.1

On Thu, 7 Sep 2006 23:03:46 +0200
Pavel Machek <[email protected]> wrote:

> Hi!
>
> > > > -stable review patch. If anyone has any objections, please let us know.
> > > >
> > > > ------------------
> > > > From: Stephen Hemminger <[email protected]>
> > > >
> > > > Since this code incorporates some of the fixes from 2.6.18, change
> > > > the version number.
> > > >
> > > > Signed-off-by: Stephen Hemminger <[email protected]>
> > > > Signed-off-by: Greg Kroah-Hartman <[email protected]>
> > >
> > > Not sure, one of 'stable' criteria is 'fixes bad bug'. What bug does
> > > this fix?
> >
> > The previous 5 patches changed this driver, so changing the version
> > number of it is acceptable to me.
>
> Well... I agree that version change is understandable, but it will be
> also surprising for the users, and stable rules were quite strict with
> "must fix obvious bug"...
>

I get lots of bug reports which are from distro and other kernels
that cherrypick code from stable. How am I supposed to know if it
is a new or old problem?

2006-09-08 09:35:27

by Marcel Holtmann

Subject: Re: [stable] [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0

Hi Greg,

> > > ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
> > > code has a bug that allows an attacker to send a malformed ULE packet
> > > with SNDU length of 0 and bring down the receiving machine. This patch
> > > fixes the bug and has been tested on version 2.6.17.11. This bug is 100%
> > > reproducible and the modified source code (GPL) used to produce this bug
> > > will be posted on http://nrg.cs.usm.my/downloads.htm shortly. The
> > > kernel will produce a dump during CRC32 checking on faulty ULE packet.
> >
> > the upstream code changed for 2.6.18. It has a different way of
> > addressing this issue, but it also changes a lot of other stuff in the
> > whole code. However it might be worth looking at it, because the
> > upstream code might be still vulnerable.
>
> So we should not take this patch for 2.6.17.y? Do you have a different
> patch we should use instead?

I have no idea. I don't have any DVB hardware for testing at hand. The
patch looks sane and seems to fix this problem. However for upstream we
can't apply it and upstream might not be vulnerable, because of the
updated version. If upstream is not vulnerable, I would prefer we go
with the upstream version. Anyway, not my call to make.

Regards

Marcel


2006-09-08 12:59:01

by Michael Ira Krufky

Subject: Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0

Greg KH wrote:
> -stable review patch. If anyone has any objections, please let us know.

Greg,

Can we hold off on this until the 2.6.17.13 review cycle? This patch
has not been sent to the linux-dvb mailing list, it has not been
reviewed or tested except for the Author and Marcel.

Please also add me to the cc list for the stable patches review.

DVB maintainers,

Marcel expressed some concerns about this patch on LKML, see thread:

http://lkml.org/lkml/2006/9/6/314

He says that the code in our mercurial tree, and in 2.6.18-rcX does this
in a much nicer way, but that it involves some major changes. If this
patch seems acceptable, then we can apply it for 2.6.17.y, and the
larger, more appropriate change will be seen when 2.6.18 gets released.

I, myself, do not know enough about the internals of dvb_net ... but I
think that we should agree to this patch before it gets applied to -stable

Regards,

Mike Krufky


>
> ------------------
> From: Ang Way Chuang <[email protected]>
>
> ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
> code has a bug that allows an attacker to send a malformed ULE packet
> with SNDU length of 0 and bring down the receiving machine. This patch
> fixes the bug and has been tested on version 2.6.17.11. This bug is 100%
> reproducible and the modified source code (GPL) used to produce this bug
> will be posted on http://nrg.cs.usm.my/downloads.htm shortly. The
> kernel will produce a dump during CRC32 checking on faulty ULE packet.
>
>
> Signed-off-by: Ang Way Chuang <[email protected]>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
>
> ---
> drivers/media/dvb/dvb-core/dvb_net.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> --- linux-2.6.17.11.orig/drivers/media/dvb/dvb-core/dvb_net.c
> +++ linux-2.6.17.11/drivers/media/dvb/dvb-core/dvb_net.c
> @@ -492,7 +492,8 @@ static void dvb_net_ule( struct net_devi
> } else
> priv->ule_dbit = 0;
>
> - if (priv->ule_sndu_len > 32763) {
> + if (priv->ule_sndu_len > 32763 ||
> + priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)) {
> printk(KERN_WARNING "%lu: Invalid ULE SNDU length %u. "
> "Resyncing.\n", priv->ts_count, priv->ule_sndu_len);
> priv->ule_sndu_len = 0;
>
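
Review bot: in the added lower bound, `(priv->ule_dbit) ? 4 : 4 + ETH_ALEN` relies on bare 4s and on `?:` binding more loosely than `+`; it parses as intended, but a named constant for the CRC32 length and explicit parentheses around `4 + ETH_ALEN` would make that obvious at a glance. A short comment that the D-bit-set case carries no destination address, hence the smaller minimum, would also explain why the two limits differ.
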

2006-09-08 13:11:18

by Ang Way Chuang

Subject: Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0


Michael Krufky wrote:
> Greg KH wrote:
>> -stable review patch. If anyone has any objections, please let us know.
>
> Greg,
>
> Can we hold off on this until the 2.6.17.13 review cycle? This patch
> has not been sent to the linux-dvb mailing list, it has not been
> reviewed or tested except for the Author and Marcel.
>
> Please also add me to the cc list for the stable patches review.
>
> DVB maintainers,
>
> Marcel expressed some concerns about this patch on LKML, see thread:
>
> http://lkml.org/lkml/2006/9/6/314
>
> He says that the code in our mercurial tree, and in 2.6.18-rcX does this
> in a much nicer way, but that it involves some major changes. If this
> patch seems acceptable, then we can apply it for 2.6.17.y, and the
> larger, more appropriate change will be seen when 2.6.18 gets released.
>
> I, myself, do not know enough about the internals of dvb_net ... but I
> think that we should agree to this patch before it gets applied to -stable
>
> Regards,
>
> Mike Krufky
>
>

Sorry for not forwarding this patch to linux-dvb mailing list in the first place.
My mistake. If this patch is okay after DVB maintainers have tested it, then
Adrian Bunk may find it useful for his 2.6.16.x tree.

Regards,
Ang Way Chuang

>>
>> ------------------
>> From: Ang Way Chuang <[email protected]>
>>
>> ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
>> code has a bug that allows an attacker to send a malformed ULE packet
>> with SNDU length of 0 and bring down the receiving machine. This patch
>> fixes the bug and has been tested on version 2.6.17.11. This bug is 100%
>> reproducible and the modified source code (GPL) used to produce this bug
>> will be posted on http://nrg.cs.usm.my/downloads.htm shortly. The
>> kernel will produce a dump during CRC32 checking on faulty ULE packet.
>>
>>
>> Signed-off-by: Ang Way Chuang <[email protected]>
>> Signed-off-by: Greg Kroah-Hartman <[email protected]>
>>
>> ---
>> drivers/media/dvb/dvb-core/dvb_net.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> --- linux-2.6.17.11.orig/drivers/media/dvb/dvb-core/dvb_net.c
>> +++ linux-2.6.17.11/drivers/media/dvb/dvb-core/dvb_net.c
>> @@ -492,7 +492,8 @@ static void dvb_net_ule( struct net_devi
>> } else
>> priv->ule_dbit = 0;
>>
>> - if (priv->ule_sndu_len > 32763) {
>> + if (priv->ule_sndu_len > 32763 ||
>> + priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)) {
>> printk(KERN_WARNING "%lu: Invalid ULE SNDU length %u. "
>> "Resyncing.\n", priv->ts_count, priv->ule_sndu_len);
>> priv->ule_sndu_len = 0;
>>
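
Review bot: the widened condition sends every undersized SNDU through the existing `printk(KERN_WARNING ...)`, and the changelog says a sender can produce such packets at will, so the kernel log can be flooded by the same traffic the check rejects. Putting the message behind a rate limit, for example `if (net_ratelimit())`, would keep the resync path quiet under a stream of malformed packets.
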


2006-09-08 17:30:43

by Greg KH

Subject: Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0

On Fri, Sep 08, 2006 at 08:58:49AM -0400, Michael Krufky wrote:
> Greg KH wrote:
> > -stable review patch. If anyone has any objections, please let us know.
>
> Greg,
>
> Can we hold off on this until the 2.6.17.13 review cycle? This patch
> has not been sent to the linux-dvb mailing list, it has not been
> reviewed or tested except for the Author and Marcel.

Yes, I've now moved it, thanks.

> Please also add me to the cc list for the stable patches review.

Now added, thanks.

greg k-h

2006-09-15 16:15:09

by Michael Ira Krufky

Subject: Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0

Greg KH wrote:
> On Fri, Sep 08, 2006 at 08:58:49AM -0400, Michael Krufky wrote:
>> Greg KH wrote:
>>> -stable review patch. If anyone has any objections, please let us know.
>> Greg,
>>
>> Can we hold off on this until the 2.6.17.13 review cycle? This patch
>> has not been sent to the linux-dvb mailing list, it has not been
>> reviewed or tested except for the Author and Marcel.
>
> Yes, I've now moved it, thanks.

Marcel Siegert and I spoke about this today -- We are doing things a
bit differently for 2.6.18 and later, but this patch is appropriate for
2.6.17.y

Please apply it for the next -stable kernel release.

Signed-off-by: Michael Krufky <[email protected]>


2006-09-15 16:15:59

by Marcel Siegert

Subject: Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0

On Friday 15 September 2006 18:11, Michael Krufky wrote:
> Greg KH wrote:
> > On Fri, Sep 08, 2006 at 08:58:49AM -0400, Michael Krufky wrote:
> >> Greg KH wrote:
> >>> -stable review patch. If anyone has any objections, please let us know.
> >> Greg,
> >>
> >> Can we hold off on this until the 2.6.17.13 review cycle? This patch
> >> has not been sent to the linux-dvb mailing list, it has not been
> >> reviewed or tested except for the Author and Marcel.
> >
> > Yes, I've now moved it, thanks.
>
> Marcel Siegert and I spoke about this today -- We are doing things a
> bit differently for 2.6.18 and later, but this patch is appropriate for
> 2.6.17.y
>
> Please apply it for the next -stable kernel release.
>
> Signed-off-by: Michael Krufky <[email protected]>
>
>
>
Signed-off-by: Marcel Siegert <[email protected]>

2006-09-15 16:38:33

by Marcel Holtmann

Subject: Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0

Hi Michael,

> >> Can we hold off on this until the 2.6.17.13 review cycle? This patch
> >> has not been sent to the linux-dvb mailing list, it has not been
> >> reviewed or tested except for the Author and Marcel.
> >
> > Yes, I've now moved it, thanks.
>
> Marcel Siegert and I spoke about this today -- We are doing things a
> bit differently for 2.6.18 and later, but this patch is appropriate for
> 2.6.17.y

so this means it is fixed in 2.6.18 or is it still vulnerable. If it is
still vulnerable, then we need a fix. And we need it now.

Regards

Marcel


2006-09-15 18:10:29

by Michael Ira Krufky

Subject: Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0

Marcel Holtmann wrote:
> Hi Michael,
>
>>>> Can we hold off on this until the 2.6.17.13 review cycle? This patch
>>>> has not been sent to the linux-dvb mailing list, it has not been
>>>> reviewed or tested except for the Author and Marcel.
>>> Yes, I've now moved it, thanks.
>> Marcel Siegert and I spoke about this today -- We are doing things a
>> bit differently for 2.6.18 and later, but this patch is appropriate for
>> 2.6.17.y
>
> so this means it is fixed in 2.6.18 or is it still vulnerable. If it is
> still vulnerable, then we need a fix. And we need it now.

2.6.18 should not be vulnerable. See the following changeset in Linus'
tree:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;h=8859ab74f0fe4c65c8e75b9350a2a0b138615525;hp=9fd87521a1639bd3dae51dcdce48545614d41a85;hb=18232ca61b4c73b849850200a5e6ec40517f35ab;f=drivers/media/dvb/dvb-core/dvb_net.c

Quoting MWS from irc:

if the len is smaller than 4 or if dbit set smaller than 4+ealen, just
get rid of that packet and interpret as error. the 2.6.18 is not letting
them through if they are < sizeof(5), so 4 byte packets would be ignored.

Regards,

Michael Krufky
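
The SNDU length rule discussed in this thread, as an added example that is not part of the original messages and is not kernel code: a user-space parser that applies the patch's bounds (at most 32763, at least 4 with the D-bit set, at least 4 + 6 otherwise) and also checks the declared length against the bytes received. The names `ule_parse_sndu`, `struct ule_sndu` and the `ULE_*` constants are hypothetical, and the parser assumes a fully reassembled buffer rather than the driver's per-TS-packet state.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ULE_HDR_LEN      4u      /* D-bit/length word plus type word */
#define ULE_CRC_LEN      4u      /* trailing CRC-32 */
#define ULE_NPA_LEN      6u      /* destination address, same size as ETH_ALEN */
#define ULE_MAX_SNDU_LEN 32763u  /* upper bound taken from the patch */

enum ule_status { ULE_OK, ULE_BAD_LENGTH, ULE_TRUNCATED };

struct ule_sndu {
    unsigned dbit;     /* 1: no destination address after the type field */
    uint16_t len;      /* bytes after the type field, CRC included */
    uint16_t type;
    size_t   pdu_off;  /* offset of the PDU inside the buffer */
    size_t   pdu_len;  /* PDU bytes, without address and CRC */
};

/* Hypothetical helper: parse one SNDU header from a reassembled buffer and
 * refuse any length that cannot hold the mandatory fields. */
enum ule_status ule_parse_sndu(const uint8_t *buf, size_t avail,
                               struct ule_sndu *out)
{
    if (avail < ULE_HDR_LEN)
        return ULE_TRUNCATED;

    uint16_t word = (uint16_t)((buf[0] << 8) | buf[1]);
    out->dbit = (word & 0x8000u) ? 1u : 0u;
    out->len  = (uint16_t)(word & 0x7FFFu);
    out->type = (uint16_t)((buf[2] << 8) | buf[3]);

    /* Same bounds as the patch: CRC only when the D-bit is set,
     * CRC plus destination address otherwise. */
    size_t min_len = ULE_CRC_LEN + (out->dbit ? 0u : ULE_NPA_LEN);
    if (out->len > ULE_MAX_SNDU_LEN || out->len < min_len)
        return ULE_BAD_LENGTH;

    /* The declared length must also fit in what was actually received. */
    if (avail - ULE_HDR_LEN < out->len)
        return ULE_TRUNCATED;

    out->pdu_off = ULE_HDR_LEN + (out->dbit ? 0u : ULE_NPA_LEN);
    out->pdu_len = out->len - min_len;
    return ULE_OK;
}

/* Constructed sample SNDUs (type 0x0800), not captured traffic. */
static const uint8_t sample_len0[]     = { 0x00, 0x00, 0x08, 0x00 };
static const uint8_t sample_d1_len0[]  = { 0x80, 0x00, 0x08, 0x00 };
static const uint8_t sample_d0_len9[]  = { 0x00, 0x09, 0x08, 0x00, 0,0,0,0,0,0,0,0,0 };
static const uint8_t sample_d1_len4[]  = { 0x80, 0x04, 0x08, 0x00, 0,0,0,0 };
static const uint8_t sample_d0_len12[] = { 0x00, 0x0C, 0x08, 0x00,
                                           1,2,3,4,5,6, 0xAA,0xBB, 0,0,0,0 };
static const uint8_t sample_short[]    = { 0x80, 0x08, 0x08, 0x00, 0,0,0,0 };

int main(void)
{
    struct ule_sndu s;
    printf("D=0 len 0  -> %d\n", (int)ule_parse_sndu(sample_len0, sizeof sample_len0, &s));
    printf("D=1 len 0  -> %d\n", (int)ule_parse_sndu(sample_d1_len0, sizeof sample_d1_len0, &s));
    printf("D=0 len 9  -> %d\n", (int)ule_parse_sndu(sample_d0_len9, sizeof sample_d0_len9, &s));
    printf("D=1 len 4  -> %d\n", (int)ule_parse_sndu(sample_d1_len4, sizeof sample_d1_len4, &s));
    printf("D=0 len 12 -> %d\n", (int)ule_parse_sndu(sample_d0_len12, sizeof sample_d0_len12, &s));
    printf("short buf  -> %d\n", (int)ule_parse_sndu(sample_short, sizeof sample_short, &s));
    return 0;
}
```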

2006-09-15 18:21:17

by Marcel Holtmann

Subject: Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0

Hi Michael,

> >>>> Can we hold off on this until the 2.6.17.13 review cycle? This patch
> >>>> has not been sent to the linux-dvb mailing list, it has not been
> >>>> reviewed or tested except for the Author and Marcel.
> >>> Yes, I've now moved it, thanks.
> >> Marcel Siegert and I spoke about this today -- We are doing things a
> >> bit differently for 2.6.18 and later, but this patch is appropriate for
> >> 2.6.17.y
> >
> > so this means it is fixed in 2.6.18 or is it still vulnerable. If it is
> > still vulnerable, then we need a fix. And we need it now.
>
> 2.6.18 should not be vulnerable. See the following changeset in Linus'
> tree:
>
> http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;h=8859ab74f0fe4c65c8e75b9350a2a0b138615525;hp=9fd87521a1639bd3dae51dcdce48545614d41a85;hb=18232ca61b4c73b849850200a5e6ec40517f35ab;f=drivers/media/dvb/dvb-core/dvb_net.c
>
> Quoting MWS from irc:
>
> if the len is smaller than 4 or if dbit set smaller than 4+ealen, just
> get rid of that packet and interpret as error. the 2.6.18 is not letting
> them through if they are < sizeof(5), so 4 byte packets would be ignored.

I saw the changeset in the current 2.6.18-rc kernel and this was the
reason for me asking. I don't have the hardware to reproduce this, but
if you say that the final 2.6.18 kernel will not be vulnerable, then I
take your word for it.

Regards

Marcel


2006-09-20 09:38:32

by Ang Way Chuang

Subject: Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0

Hi Marcel,

Marcel Holtmann wrote:
> Hi Michael,
>
>> >>>> Can we hold off on this until the 2.6.17.13 review cycle? This patch
>> >>>> has not been sent to the linux-dvb mailing list, it has not been
>> >>>> reviewed or tested except for the Author and Marcel.
>> >>> Yes, I've now moved it, thanks.
>> >> Marcel Siegert and I spoke about this today -- We are doing things a
>> >> bit differently for 2.6.18 and later, but this patch is appropriate for
>> >> 2.6.17.y
>> >
>> > so this means it is fixed in 2.6.18 or is it still vulnerable. If it is
>> > still vulnerable, then we need a fix. And we need it now.
>>
>> 2.6.18 should not be vulnerable. See the following changeset in Linus'
>> tree:
>>
>> http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;h=8859ab74f0fe4c65c8e75b9350a2a0b138615525;hp=9fd87521a1639bd3dae51dcdce48545614d41a85;hb=18232ca61b4c73b849850200a5e6ec40517f35ab;f=drivers/media/dvb/dvb-core/dvb_net.c
>>
>> Quoting MWS from irc:
>>
>> if the len is smaller than 4 or if dbit set smaller than 4+ealen, just
>> get rid of that packet and interpret as error. the 2.6.18 is not letting
>> them through if they are < sizeof(5), so 4 byte packets would be ignored.
>
> I saw the changeset in the current 2.6.18-rc kernel and this was the
> reason for me asking. I don't have the hardware to reproduce this, but
> if you say that the final 2.6.18 kernel will not be vulnerable, then I
> take your word for it.
>
> Regards
>
> Marcel
>
>
>

I've tested 2.6.18-rc7 and it seems there is no problem with the case
where dbit is not set. It should not be vulnerable.
Thanks

Regards,
Ang Way Chuang
--
May you be well and happy.