public inbox for linux-kernel@vger.kernel.org
* [patch 00/37] -stable review
@ 2006-09-06 22:54 ` Greg KH
  2006-09-06 22:54   ` [patch 01/37] TEXTSEARCH: Fix Boyer Moore initialization bug Greg KH
                     ` (37 more replies)
  0 siblings, 38 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan

This is the start of the stable review cycle for the next 2.6.17.y release.
There are 37 patches in this series, all will be posted as a response to
this one.  If anyone has any issues with these being applied, please let
us know.  If anyone is a maintainer of the proper subsystem, and wants
to add a Signed-off-by: line to the patch, please respond with it.

These patches are sent out with a number of different people on the Cc:
line.  If you wish to be a reviewer, please email stable@kernel.org to
add your name to the list.  If you want to be off the reviewer list,
also email us.

Responses should be made by Fri Sep 8 22:00:00 UTC.  Anything received
after that time might be too late.

Full patch of this whole series is available at:
	http://www.kernel.org/pub/linux/kernel/people/gregkh/stable/patch-2.6.17.12-rc1.gz
if you wish to test it out and make sure nothing is broken on your
architecture or system.

thanks,

greg k-h

* [patch 01/37] TEXTSEARCH: Fix Boyer Moore initialization bug
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
@ 2006-09-06 22:54   ` Greg KH
  2006-09-06 22:55   ` [patch 02/37] spectrum_cs: Fix firmware uploading errors Greg KH
                     ` (36 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:54 UTC (permalink / raw)
  To: linux-kernel, stable, David S. Miller
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	Netfilter Development Mailinglist, Michael Rash, Patrick McHardy,
	Greg Kroah-Hartman

[-- Attachment #1: textsearch-fix-boyer-moore-initialization-bug.patch --]
[-- Type: text/plain, Size: 1678 bytes --]


-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Michael Rash <mbr@cipherdyne.org>

[TEXTSEARCH]: Fix Boyer Moore initialization bug

The pattern is set after trying to compute the prefix table, which tries
to use it. Initialize it before calling compute_prefix_tbl, make
compute_prefix_tbl consistently use only the data from struct ts_bm
and remove the now unnecessary arguments.

Signed-off-by: Michael Rash <mbr@cipherdyne.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 lib/ts_bm.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- linux-2.6.17.11.orig/lib/ts_bm.c
+++ linux-2.6.17.11/lib/ts_bm.c
@@ -112,15 +112,14 @@ static int subpattern(u8 *pattern, int i
 	return ret;
 }
 
-static void compute_prefix_tbl(struct ts_bm *bm, const u8 *pattern,
-			       unsigned int len)
+static void compute_prefix_tbl(struct ts_bm *bm)
 {
 	int i, j, g;
 
 	for (i = 0; i < ASIZE; i++)
-		bm->bad_shift[i] = len;
-	for (i = 0; i < len - 1; i++)
-		bm->bad_shift[pattern[i]] = len - 1 - i;
+		bm->bad_shift[i] = bm->patlen;
+	for (i = 0; i < bm->patlen - 1; i++)
+		bm->bad_shift[bm->pattern[i]] = bm->patlen - 1 - i;
 
 	/* Compute the good shift array, used to match reocurrences 
 	 * of a subpattern */
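
Review bot: the loop bound `i < bm->patlen - 1` compares a signed `i` with `bm->patlen - 1`; if `patlen` is unsigned, as the removed `unsigned int len` parameter was, a zero-length pattern makes the bound wrap and the loop indexes `bm->pattern` far past its buffer. The old code had the same shape, but now that the function trusts struct ts_bm entirely, either reject a zero length in bm_init or write the bound as `i + 1 < bm->patlen`.
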
@@ -151,8 +150,8 @@ static struct ts_config *bm_init(const v
 	bm = ts_config_priv(conf);
 	bm->patlen = len;
 	bm->pattern = (u8 *) bm->good_shift + prefix_tbl_len;
-	compute_prefix_tbl(bm, pattern, len);
 	memcpy(bm->pattern, pattern, len);
+	compute_prefix_tbl(bm);
 
 	return conf;
 }
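
Review bot: the ordering between `memcpy(bm->pattern, pattern, len)` and `compute_prefix_tbl(bm)` is now an unstated precondition, which is the same thing that broke before. A one-line comment at the call, or above compute_prefix_tbl, saying that bm->patlen and bm->pattern must be populated first would keep a later reshuffle of bm_init from reintroducing the bug.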

--

* [patch 02/37] spectrum_cs: Fix firmware uploading errors
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
  2006-09-06 22:54   ` [patch 01/37] TEXTSEARCH: Fix Boyer Moore initialization bug Greg KH
@ 2006-09-06 22:55   ` Greg KH
  2006-09-06 22:55   ` [patch 03/37] Fix output framentation of paged-skbs Greg KH
                     ` (35 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:55 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	rpurdie, linux, Greg Kroah-Hartman

[-- Attachment #1: spectrum_cs-fix-firmware-uploading-errors.patch --]
[-- Type: text/plain, Size: 882 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Richard Purdie <rpurdie@rpsys.net>

This fixes firmware upload failures which prevent the driver from working.

Signed-off-by: Richard Purdie <rpurdie@rpsys.net>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/net/wireless/spectrum_cs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.17.11.orig/drivers/net/wireless/spectrum_cs.c
+++ linux-2.6.17.11/drivers/net/wireless/spectrum_cs.c
@@ -245,7 +245,7 @@ spectrum_reset(struct pcmcia_device *lin
 	u_int save_cor;
 
 	/* Doing it if hardware is gone is guaranteed crash */
-	if (pcmcia_dev_present(link))
+	if (!pcmcia_dev_present(link))
 		return -ENODEV;
 
 	/* Save original COR value */
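
Review bot: the description does not say what was wrong, and the change at `if (!pcmcia_dev_present(link))` is an inverted presence test. Before it, spectrum_reset returned -ENODEV whenever the card was present and carried on to save the COR value only when the card was gone, which the comment above calls a guaranteed crash. Stating that root cause in the changelog would make the one-character fix reviewable on its own.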

--

* [patch 03/37] Fix output framentation of paged-skbs
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
  2006-09-06 22:54   ` [patch 01/37] TEXTSEARCH: Fix Boyer Moore initialization bug Greg KH
  2006-09-06 22:55   ` [patch 02/37] spectrum_cs: Fix firmware uploading errors Greg KH
@ 2006-09-06 22:55   ` Greg KH
  2006-09-06 22:55   ` [patch 04/37] fix compilation error on IA64 Greg KH
                     ` (34 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:55 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	Herbert Xu, David S. Miller, Greg Kroah-Hartman

[-- Attachment #1: fix-output-framentation-of-paged-skbs.patch --]
[-- Type: text/plain, Size: 2669 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Herbert Xu <herbert@gondor.apana.org.au>

[INET]: Use pskb_trim_unique when trimming paged unique skbs

The IPv4/IPv6 datagram output path was using skb_trim to trim paged
packets because they know that the packet has not been cloned yet
(since the packet hasn't been given to anything else in the system).

This broke because skb_trim no longer allows paged packets to be
trimmed.  Paged packets must be given to one of the pskb_trim functions
instead.

This patch adds a new pskb_trim_unique function to cover the IPv4/IPv6
datagram output path scenario and replaces the corresponding skb_trim
calls with it.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 include/linux/skbuff.h |   15 +++++++++++++++
 net/ipv4/ip_output.c   |    4 ++--
 net/ipv6/ip6_output.c  |    2 +-
 3 files changed, 18 insertions(+), 3 deletions(-)

--- linux-2.6.17.11.orig/include/linux/skbuff.h
+++ linux-2.6.17.11/include/linux/skbuff.h
@@ -1009,6 +1009,21 @@ static inline int pskb_trim(struct sk_bu
 }
 
 /**
+ *	pskb_trim_unique - remove end from a paged unique (not cloned) buffer
+ *	@skb: buffer to alter
+ *	@len: new length
+ *
+ *	This is identical to pskb_trim except that the caller knows that
+ *	the skb is not cloned so we should never get an error due to out-
+ *	of-memory.
+ */
+static inline void pskb_trim_unique(struct sk_buff *skb, unsigned int len)
+{
+	int err = pskb_trim(skb, len);
+	BUG_ON(err);
+}
+
+/**
  *	skb_orphan - orphan a buffer
  *	@skb: buffer to orphan
  *
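
Review bot: `BUG_ON(err)` in pskb_trim_unique turns any pskb_trim failure into a kernel crash, and nothing in the helper checks the precondition its kerneldoc relies on. Assert the precondition itself, for example `BUG_ON(skb_cloned(skb))` before the trim, so misuse is reported at its cause, and have the kerneldoc say the function must not be called on a buffer that may be shared.
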
--- linux-2.6.17.11.orig/net/ipv4/ip_output.c
+++ linux-2.6.17.11/net/ipv4/ip_output.c
@@ -946,7 +946,7 @@ alloc_new_skb:
 				skb_prev->csum = csum_sub(skb_prev->csum,
 							  skb->csum);
 				data += fraggap;
-				skb_trim(skb_prev, maxfraglen);
+				pskb_trim_unique(skb_prev, maxfraglen);
 			}
 
 			copy = datalen - transhdrlen - fraggap;
@@ -1139,7 +1139,7 @@ ssize_t	ip_append_page(struct sock *sk, 
 					data, fraggap, 0);
 				skb_prev->csum = csum_sub(skb_prev->csum,
 							  skb->csum);
-				skb_trim(skb_prev, maxfraglen);
+				pskb_trim_unique(skb_prev, maxfraglen);
 			}
 
 			/*
--- linux-2.6.17.11.orig/net/ipv6/ip6_output.c
+++ linux-2.6.17.11/net/ipv6/ip6_output.c
@@ -1047,7 +1047,7 @@ alloc_new_skb:
 				skb_prev->csum = csum_sub(skb_prev->csum,
 							  skb->csum);
 				data += fraggap;
-				skb_trim(skb_prev, maxfraglen);
+				pskb_trim_unique(skb_prev, maxfraglen);
 			}
 			copy = datalen - transhdrlen - fraggap;
 			if (copy < 0) {

--

* [patch 04/37] fix compilation error on IA64
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (2 preceding siblings ...)
  2006-09-06 22:55   ` [patch 03/37] Fix output framentation of paged-skbs Greg KH
@ 2006-09-06 22:55   ` Greg KH
  2006-09-07  8:45     ` Kirill Korotaev
  2006-09-06 22:55   ` [patch 05/37] bridge-netfilter: dont overwrite memory outside of skb Greg KH
                     ` (33 subsequent siblings)
  37 siblings, 1 reply; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:55 UTC (permalink / raw)
  To: linux-kernel, stable, gregkh
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	dev, linux-ia64, Fernando Vazquez

[-- Attachment #1: fix-compilation-error-on-ia64.patch --]
[-- Type: text/plain, Size: 1874 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Fernando Vazquez <fernando@oss.ntt.co.jp>

The commit 8833ebaa3f4325820fe3338ccf6fae04f6669254 introduced a change that broke 
IA64 compilation as shown below:

  gcc -Wp,-MD,arch/ia64/kernel/.entry.o.d  -nostdinc -isystem /usr/lib/gcc/ia64-linux-gnu/4.1.2/include -D__KERNEL__ -Iinclude  -include include/linux/autoconf.h -DHAVE_WORKING_TEXT_ALIGN -DHAVE_MODEL_SMALL_ATTRIBUTE -DHAVE_SERIALIZE_DIRECTIVE -D__ASSEMBLY__   -mconstant-gp -c -o arch/ia64/kernel/entry.o arch/ia64/kernel/entry.S
include/asm/mman.h: Assembler messages:
include/asm/mman.h:13: Error: Unknown opcode `int ia64_map_check_rgn(unsigned long addr,unsigned long len,'
include/asm/mman.h:14: Error: Unknown opcode `unsigned long flags)'
make[1]: *** [arch/ia64/kernel/entry.o] Error 1
make: *** [arch/ia64/kernel] Error 2

The reason is that "asm/mman.h" is being included from entry.S indirectly through
"asm/pgtable.h" (see code snips below).

* arch/ia64/kernel/entry.S:
...
#include <asm/pgtable.h>
...

* include/asm-ia64/pgtable.h:
...
#include <asm/mman.h>
...

* include/asm-ia64/mman.h
...
#ifdef __KERNEL__
#define arch_mmap_check ia64_map_check_rgn
int ia64_map_check_rgn(unsigned long addr, unsigned long len,
                unsigned long flags);
#endif
...

Signed-off-by: Fernando Vazquez <fernando@intellilink.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 include/asm-ia64/mman.h |    2 ++
 1 file changed, 2 insertions(+)

--- linux-2.6.17.11.orig/include/asm-ia64/mman.h
+++ linux-2.6.17.11/include/asm-ia64/mman.h
@@ -9,10 +9,12 @@
  */
 
 #ifdef __KERNEL__
+#ifndef __ASSEMBLY__
 #define arch_mmap_check	ia64_map_check_rgn
 int ia64_map_check_rgn(unsigned long addr, unsigned long len,
 		unsigned long flags);
 #endif
+#endif
 
 #include <asm-generic/mman.h>
 
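
Review bot: with the added `#ifndef __ASSEMBLY__` there are now two bare `#endif` lines back to back and it is not obvious which closes which. Annotating them as `#endif /* !__ASSEMBLY__ */` and `#endif /* __KERNEL__ */` would make the nesting readable.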

--

* [patch 05/37] bridge-netfilter: dont overwrite memory outside of skb
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (3 preceding siblings ...)
  2006-09-06 22:55   ` [patch 04/37] fix compilation error on IA64 Greg KH
@ 2006-09-06 22:55   ` Greg KH
  2006-09-06 22:55   ` [patch 06/37] Allow per-route window scale limiting Greg KH
                     ` (32 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:55 UTC (permalink / raw)
  To: linux-kernel, stable, David Miller
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	netdev, Stephen Hemminger, Greg Kroah-Hartman

[-- Attachment #1: bridge-netfilter-don-t-overwrite-memory-outside-of-skb.patch --]
[-- Type: text/plain, Size: 1987 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <shemminger@osdl.org>

The bridge netfilter code needs to check for space at the
front of the skb before overwriting; otherwise if skb from
device doesn't have headroom, then it will cause random
memory corruption.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 include/linux/netfilter_bridge.h |   16 ++++++++++++----
 net/bridge/br_forward.c          |   10 +++++++---
 2 files changed, 19 insertions(+), 7 deletions(-)

--- linux-2.6.17.11.orig/include/linux/netfilter_bridge.h
+++ linux-2.6.17.11/include/linux/netfilter_bridge.h
@@ -47,18 +47,26 @@ enum nf_br_hook_priorities {
 #define BRNF_BRIDGED			0x08
 #define BRNF_NF_BRIDGE_PREROUTING	0x10
 
-
 /* Only used in br_forward.c */
-static inline
-void nf_bridge_maybe_copy_header(struct sk_buff *skb)
+static inline int nf_bridge_maybe_copy_header(struct sk_buff *skb)
 {
+	int err;
+
 	if (skb->nf_bridge) {
 		if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
+			err = skb_cow(skb, 18);
+			if (err)
+				return err;
 			memcpy(skb->data - 18, skb->nf_bridge->data, 18);
 			skb_push(skb, 4);
-		} else
+		} else {
+			err = skb_cow(skb, 16);
+			if (err)
+				return err;
 			memcpy(skb->data - 16, skb->nf_bridge->data, 16);
+		}
 	}
+	return 0;
 }
 
 /* This is called by the IP fragmenting code and it ensures there is
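
Review bot: the header sizes 18 and 16 each appear twice per branch, once in `skb_cow(skb, 18)` and once in the `memcpy`, and the headroom check is only correct while the two stay equal. Compute the length once into a local (or use named constants) and pass it to both skb_cow and memcpy so the check cannot drift from the write it protects.
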
--- linux-2.6.17.11.orig/net/bridge/br_forward.c
+++ linux-2.6.17.11/net/bridge/br_forward.c
@@ -43,11 +43,15 @@ int br_dev_queue_push_xmit(struct sk_buf
 	else {
 #ifdef CONFIG_BRIDGE_NETFILTER
 		/* ip_refrag calls ip_fragment, doesn't copy the MAC header. */
-		nf_bridge_maybe_copy_header(skb);
+		if (nf_bridge_maybe_copy_header(skb))
+			kfree_skb(skb);
+		else
 #endif
-		skb_push(skb, ETH_HLEN);
+		{
+			skb_push(skb, ETH_HLEN);
 
-		dev_queue_xmit(skb);
+			dev_queue_xmit(skb);
+		}
 	}
 
 	return 0;
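
Review bot: the `if (nf_bridge_maybe_copy_header(skb)) kfree_skb(skb); else` that ends just before `#endif`, followed by a brace block, is fragile: the block is the else branch in one configuration and a bare compound statement in the other. A stub of nf_bridge_maybe_copy_header that returns 0 when CONFIG_BRIDGE_NETFILTER is unset would let the call site drop the #ifdef. The drop path also still reaches `return 0`, so the caller cannot tell a freed skb from a queued one; add a comment if that is intended.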

--

* [patch 06/37] Allow per-route window scale limiting
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (4 preceding siblings ...)
  2006-09-06 22:55   ` [patch 05/37] bridge-netfilter: dont overwrite memory outside of skb Greg KH
@ 2006-09-06 22:55   ` Greg KH
  2006-09-06 22:55   ` [patch 07/37] Have ext2 reject file handles with bad inode numbers early Greg KH
                     ` (31 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:55 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	Stephen Hemminger, David S. Miller, Greg Kroah-Hartman

[-- Attachment #1: allow-per-route-window-scale-limiting.patch --]
[-- Type: text/plain, Size: 1914 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <shemminger@osdl.org>

There are black box devices out there, routers and firewalls and
whatnot, that simply cannot grok the TCP window scaling option
correctly.

People should and do bark at the site running the device causing
the problems, but in the meantime folks do want a way to deal
with the problem.  We don't want them to turn off window scaling
completely as that hurts performance of connections that would run
just fine with window scaling enabled.

So give a way to do this on a per-route basis by limiting the
window scaling by the per-connection window clamp.  Stephen's
changelog message explains how to do this using a route metric.

[TCP]: Limit window scaling if window is clamped.

This small change allows for easy per-route workarounds for broken hosts or
middleboxes that are not compliant with TCP standards for window scaling.
Rather than having to turn off window scaling globally, this patch allows
reducing or disabling window scaling if window clamp is present.

Example: Mark Lord reported a problem with 2.6.17 kernel being unable to
access http://www.everymac.com

# ip route add 216.145.246.23/32 via 10.8.0.1 window 65535

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/ipv4/tcp_output.c |    1 +
 1 file changed, 1 insertion(+)

--- linux-2.6.17.11.orig/net/ipv4/tcp_output.c
+++ linux-2.6.17.11/net/ipv4/tcp_output.c
@@ -197,6 +197,7 @@ void tcp_select_initial_window(int __spa
 		 * See RFC1323 for an explanation of the limit to 14 
 		 */
 		space = max_t(u32, sysctl_tcp_rmem[2], sysctl_rmem_max);
+		space = min_t(u32, space, *window_clamp);
 		while (space > 65535 && (*rcv_wscale) < 14) {
 			space >>= 1;
 			(*rcv_wscale)++;
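
Review bot: `space = min_t(u32, space, *window_clamp);` assumes `*window_clamp` already holds a usable limit at this point. If it can still be 0 here, for instance on a route with no clamp set, `space` becomes 0, the loop never runs and window scaling is disabled for every such connection. The hunk does not show how `*window_clamp` is initialised earlier in tcp_select_initial_window, so please confirm that and note it in a comment next to the new line.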

--

* [patch 07/37] Have ext2 reject file handles with bad inode numbers early.
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (5 preceding siblings ...)
  2006-09-06 22:55   ` [patch 06/37] Allow per-route window scale limiting Greg KH
@ 2006-09-06 22:55   ` Greg KH
  2006-09-06 22:55   ` [patch 08/37] dm snapshot: unify chunk_size Greg KH
                     ` (30 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:55 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	Marcel Holtmann, Neil Brown, Greg Kroah-Hartman

[-- Attachment #1: have-ext2-reject-file-handles-with-bad-inode-numbers-early.patch --]
[-- Type: text/plain, Size: 2021 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Neil Brown <neilb@suse.de>

This prevents bad inode numbers from triggering errors in
ext2_get_inode.


Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 fs/ext2/super.c |   41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

--- linux-2.6.17.11.orig/fs/ext2/super.c
+++ linux-2.6.17.11/fs/ext2/super.c
@@ -252,6 +252,46 @@ static struct super_operations ext2_sops
 #endif
 };
 
+static struct dentry *ext2_get_dentry(struct super_block *sb, void *vobjp)
+{
+	__u32 *objp = vobjp;
+	unsigned long ino = objp[0];
+	__u32 generation = objp[1];
+	struct inode *inode;
+	struct dentry *result;
+
+	if (ino != EXT2_ROOT_INO && ino < EXT2_FIRST_INO(sb))
+		return ERR_PTR(-ESTALE);
+	if (ino > le32_to_cpu(EXT2_SB(sb)->s_es->s_inodes_count))
+		return ERR_PTR(-ESTALE);
+
+	/* iget isn't really right if the inode is currently unallocated!!
+	 * ext2_read_inode currently does appropriate checks, but
+	 * it might be "neater" to call ext2_get_inode first and check
+	 * if the inode is valid.....
+	 */
+	inode = iget(sb, ino);
+	if (inode == NULL)
+		return ERR_PTR(-ENOMEM);
+	if (is_bad_inode(inode)
+	    || (generation && inode->i_generation != generation)
+		) {
+		/* we didn't find the right inode.. */
+		iput(inode);
+		return ERR_PTR(-ESTALE);
+	}
+	/* now to find a dentry.
+	 * If possible, get a well-connected one
+	 */
+	result = d_alloc_anon(inode);
+	if (!result) {
+		iput(inode);
+		return ERR_PTR(-ENOMEM);
+	}
+	return result;
+}
+
+
 /* Yes, most of these are left as NULL!!
  * A NULL value implies the default, which works with ext2-like file
  * systems, but can be improved upon.
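
Review bot: in ext2_get_dentry the test `(generation && inode->i_generation != generation)` skips the generation comparison whenever the handle carries 0, so such a handle is accepted for whatever inode currently owns that number. If that is deliberate it needs a comment saying why; otherwise compare unconditionally. The stray `) {` on its own line should also be folded into the condition.
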
@@ -259,6 +299,7 @@ static struct super_operations ext2_sops
  */
 static struct export_operations ext2_export_ops = {
 	.get_parent = ext2_get_parent,
+	.get_dentry = ext2_get_dentry,
 };
 
 static unsigned long get_sb_block(void **data)

--

* [patch 08/37] dm snapshot: unify chunk_size
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (6 preceding siblings ...)
  2006-09-06 22:55   ` [patch 07/37] Have ext2 reject file handles with bad inode numbers early Greg KH
@ 2006-09-06 22:55   ` Greg KH
  2006-09-06 22:55   ` [patch 09/37] dm: fix idr minor allocation Greg KH
                     ` (29 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:55 UTC (permalink / raw)
  To: linux-kernel, stable, torvalds
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, akpm, alan, agk,
	Greg Kroah-Hartman

[-- Attachment #1: dm-snapshot-unify-chunk_size.patch --]
[-- Type: text/plain, Size: 6456 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Alasdair G Kergon <agk@redhat.com>

Persistent snapshots currently store a private copy of the chunk size. 
Userspace also supplies the chunk size when loading a snapshot.  Ensure
consistency by only storing the chunk_size in one place instead of two.


Currently the two sizes will differ if the chunk size supplied by userspace
does not match the chunk size an existing snapshot actually uses.  Amongst
other problems, this causes an incorrect 'percentage full' to be reported.

The patch ensures consistency by only storing the chunk_size in one place,
removing it from struct pstore.  Some initialisation is delayed until the
correct chunk_size is known.  If read_header() discovers that the wrong chunk
size was supplied, the 'area' buffer (which the header already got read into)
is reinitialised to the correct size.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 drivers/md/dm-exception-store.c |   65 +++++++++++++++++++++++++---------------
 drivers/md/dm-snap.c            |    6 +--
 2 files changed, 45 insertions(+), 26 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm-exception-store.c
+++ linux-2.6.17.11/drivers/md/dm-exception-store.c
@@ -91,7 +91,6 @@ struct pstore {
 	struct dm_snapshot *snap;	/* up pointer to my snapshot */
 	int version;
 	int valid;
-	uint32_t chunk_size;
 	uint32_t exceptions_per_area;
 
 	/*
@@ -133,7 +132,7 @@ static int alloc_area(struct pstore *ps)
 	int r = -ENOMEM;
 	size_t len;
 
-	len = ps->chunk_size << SECTOR_SHIFT;
+	len = ps->snap->chunk_size << SECTOR_SHIFT;
 
 	/*
 	 * Allocate the chunk_size block of memory that will hold
@@ -160,8 +159,8 @@ static int chunk_io(struct pstore *ps, u
 	unsigned long bits;
 
 	where.bdev = ps->snap->cow->bdev;
-	where.sector = ps->chunk_size * chunk;
-	where.count = ps->chunk_size;
+	where.sector = ps->snap->chunk_size * chunk;
+	where.count = ps->snap->chunk_size;
 
 	return dm_io_sync_vm(1, &where, rw, ps->area, &bits);
 }
@@ -188,7 +187,7 @@ static int area_io(struct pstore *ps, ui
 
 static int zero_area(struct pstore *ps, uint32_t area)
 {
-	memset(ps->area, 0, ps->chunk_size << SECTOR_SHIFT);
+	memset(ps->area, 0, ps->snap->chunk_size << SECTOR_SHIFT);
 	return area_io(ps, area, WRITE);
 }
 
@@ -196,6 +195,7 @@ static int read_header(struct pstore *ps
 {
 	int r;
 	struct disk_header *dh;
+	chunk_t chunk_size;
 
 	r = chunk_io(ps, 0, READ);
 	if (r)
@@ -210,8 +210,29 @@ static int read_header(struct pstore *ps
 		*new_snapshot = 0;
 		ps->valid = le32_to_cpu(dh->valid);
 		ps->version = le32_to_cpu(dh->version);
-		ps->chunk_size = le32_to_cpu(dh->chunk_size);
-
+		chunk_size = le32_to_cpu(dh->chunk_size);
+		if (ps->snap->chunk_size != chunk_size) {
+			DMWARN("chunk size %llu in device metadata overrides "
+			       "table chunk size of %llu.",
+			       (unsigned long long)chunk_size,
+			       (unsigned long long)ps->snap->chunk_size);
+
+			/* We had a bogus chunk_size. Fix stuff up. */
+			dm_io_put(sectors_to_pages(ps->snap->chunk_size));
+			free_area(ps);
+
+			ps->snap->chunk_size = chunk_size;
+			ps->snap->chunk_mask = chunk_size - 1;
+			ps->snap->chunk_shift = ffs(chunk_size) - 1;
+
+			r = alloc_area(ps);
+			if (r)
+				return r;
+
+			r = dm_io_get(sectors_to_pages(chunk_size));
+			if (r)
+				return r;
+		}
 	} else {
 		DMWARN("Invalid/corrupt snapshot");
 		r = -ENXIO;
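
Review bot: the `chunk_size` taken from the on-disk header with `le32_to_cpu(dh->chunk_size)` is installed without validation. `chunk_mask = chunk_size - 1` and `chunk_shift = ffs(chunk_size) - 1` are only meaningful for a non-zero power of two, and a value of 0 gives a shift of -1 and a zero-length buffer from alloc_area. Check for zero and for a single set bit, and fail through the existing "Invalid/corrupt snapshot" branch, before the old area is released.
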
@@ -224,13 +245,13 @@ static int write_header(struct pstore *p
 {
 	struct disk_header *dh;
 
-	memset(ps->area, 0, ps->chunk_size << SECTOR_SHIFT);
+	memset(ps->area, 0, ps->snap->chunk_size << SECTOR_SHIFT);
 
 	dh = (struct disk_header *) ps->area;
 	dh->magic = cpu_to_le32(SNAP_MAGIC);
 	dh->valid = cpu_to_le32(ps->valid);
 	dh->version = cpu_to_le32(ps->version);
-	dh->chunk_size = cpu_to_le32(ps->chunk_size);
+	dh->chunk_size = cpu_to_le32(ps->snap->chunk_size);
 
 	return chunk_io(ps, 0, WRITE);
 }
@@ -365,7 +386,7 @@ static void persistent_destroy(struct ex
 {
 	struct pstore *ps = get_info(store);
 
-	dm_io_put(sectors_to_pages(ps->chunk_size));
+	dm_io_put(sectors_to_pages(ps->snap->chunk_size));
 	vfree(ps->callbacks);
 	free_area(ps);
 	kfree(ps);
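
Review bot: `dm_io_put(sectors_to_pages(ps->snap->chunk_size))` now depends on a value that read_header can change. read_header puts the pages for the old size, installs the new size, and only then calls alloc_area and dm_io_get; if either fails and the store is destroyed afterwards, this put runs for pages that were never taken. Restore the old state on that error path, or record whether the get succeeded and test it here.
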
@@ -384,6 +405,16 @@ static int persistent_read_metadata(stru
 		return r;
 
 	/*
+	 * Now we know correct chunk_size, complete the initialisation.
+	 */
+	ps->exceptions_per_area = (ps->snap->chunk_size << SECTOR_SHIFT) /
+				  sizeof(struct disk_exception);
+	ps->callbacks = dm_vcalloc(ps->exceptions_per_area,
+			sizeof(*ps->callbacks));
+	if (!ps->callbacks)
+		return -ENOMEM;
+
+	/*
 	 * Do we need to setup a new snapshot ?
 	 */
 	if (new_snapshot) {
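
Review bot: `ps->callbacks` is allocated in persistent_read_metadata without checking whether it is already set, so a second call on the same store would leak the first array. If the function runs only once per store, say so in the new comment; otherwise free or reuse the existing allocation. The continuation line of the dm_vcalloc call has also lost its alignment with the opening parenthesis.
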
@@ -533,9 +564,6 @@ int dm_create_persistent(struct exceptio
 	ps->snap = store->snap;
 	ps->valid = 1;
 	ps->version = SNAPSHOT_DISK_VERSION;
-	ps->chunk_size = chunk_size;
-	ps->exceptions_per_area = (chunk_size << SECTOR_SHIFT) /
-	    sizeof(struct disk_exception);
 	ps->next_free = 2;	/* skipping the header and first area */
 	ps->current_committed = 0;
 
@@ -543,18 +571,9 @@ int dm_create_persistent(struct exceptio
 	if (r)
 		goto bad;
 
-	/*
-	 * Allocate space for all the callbacks.
-	 */
 	ps->callback_count = 0;
 	atomic_set(&ps->pending_count, 0);
-	ps->callbacks = dm_vcalloc(ps->exceptions_per_area,
-				   sizeof(*ps->callbacks));
-
-	if (!ps->callbacks) {
-		r = -ENOMEM;
-		goto bad;
-	}
+	ps->callbacks = NULL;
 
 	store->destroy = persistent_destroy;
 	store->read_metadata = persistent_read_metadata;
--- linux-2.6.17.11.orig/drivers/md/dm-snap.c
+++ linux-2.6.17.11/drivers/md/dm-snap.c
@@ -530,7 +530,7 @@ static int snapshot_ctr(struct dm_target
 	}
 
 	ti->private = s;
-	ti->split_io = chunk_size;
+	ti->split_io = s->chunk_size;
 
 	return 0;
 
@@ -1204,7 +1204,7 @@ static int origin_status(struct dm_targe
 
 static struct target_type origin_target = {
 	.name    = "snapshot-origin",
-	.version = {1, 1, 0},
+	.version = {1, 4, 0},
 	.module  = THIS_MODULE,
 	.ctr     = origin_ctr,
 	.dtr     = origin_dtr,
@@ -1215,7 +1215,7 @@ static struct target_type origin_target 
 
 static struct target_type snapshot_target = {
 	.name    = "snapshot",
-	.version = {1, 1, 0},
+	.version = {1, 4, 0},
 	.module  = THIS_MODULE,
 	.ctr     = snapshot_ctr,
 	.dtr     = snapshot_dtr,
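
Review bot: both target versions jump from {1, 1, 0} to {1, 4, 0}, skipping 1.2 and 1.3, and the changelog does not mention the bump. Please state in the description what userspace-visible change the new minor number signals and why the intermediate numbers are skipped.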

--

* [patch 09/37] dm: fix idr minor allocation
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (7 preceding siblings ...)
  2006-09-06 22:55   ` [patch 08/37] dm snapshot: unify chunk_size Greg KH
@ 2006-09-06 22:55   ` Greg KH
  2006-09-06 22:55   ` [patch 10/37] dm: move idr_pre_get Greg KH
                     ` (28 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:55 UTC (permalink / raw)
  To: linux-kernel, stable, torvalds
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, akpm, alan, jeffm, agk,
	Greg Kroah-Hartman

[-- Attachment #1: dm-fix-idr-minor-allocation.patch --]
[-- Type: text/plain, Size: 2869 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

One part of the system can attempt to use a mapped device before another has
finished initialising it or while it is being freed.

This patch introduces a placeholder value, MINOR_ALLOCED, to mark the minor
as allocated but in a state where it can't be used, such as mid-allocation or
mid-free.  At the end of the initialization, it replaces the placeholder with
the pointer to the mapped_device, making it available to the rest of the dm
subsystem.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 drivers/md/dm.c |   19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm.c
+++ linux-2.6.17.11/drivers/md/dm.c
@@ -54,6 +54,8 @@ union map_info *dm_get_mapinfo(struct bi
         return NULL;
 }
 
+#define MINOR_ALLOCED ((void *)-1)
+
 /*
  * Bits for the md->flags field.
  */
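
Review bot: `MINOR_ALLOCED` is defined without a comment. Since it is a sentinel stored in `_minor_idr` in place of a real pointer, document at the definition that it must never be dereferenced and that every lookup in `_minor_idr` has to test for it before using the result.
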
@@ -777,7 +779,7 @@ static int specific_minor(struct mapped_
 		goto out;
 	}
 
-	r = idr_get_new_above(&_minor_idr, md, minor, &m);
+	r = idr_get_new_above(&_minor_idr, MINOR_ALLOCED, minor, &m);
 	if (r) {
 		goto out;
 	}
@@ -806,7 +808,7 @@ static int next_free_minor(struct mapped
 		goto out;
 	}
 
-	r = idr_get_new(&_minor_idr, md, &m);
+	r = idr_get_new(&_minor_idr, MINOR_ALLOCED, &m);
 	if (r) {
 		goto out;
 	}
@@ -833,6 +835,7 @@ static struct mapped_device *alloc_dev(u
 {
 	int r;
 	struct mapped_device *md = kmalloc(sizeof(*md), GFP_KERNEL);
+	void *old_md;
 
 	if (!md) {
 		DMWARN("unable to allocate device, out of memory.");
@@ -888,6 +891,13 @@ static struct mapped_device *alloc_dev(u
 	init_waitqueue_head(&md->wait);
 	init_waitqueue_head(&md->eventq);
 
+	/* Populate the mapping, nobody knows we exist yet */
+	mutex_lock(&_minor_lock);
+	old_md = idr_replace(&_minor_idr, md, minor);
+	mutex_unlock(&_minor_lock);
+
+	BUG_ON(old_md != MINOR_ALLOCED);
+
 	return md;
 
  bad4:
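
Review bot: `BUG_ON(old_md != MINOR_ALLOCED)` crashes the machine if idr_replace returns anything unexpected, including an error pointer, although alloc_dev already has `bad` labels for unwinding. Routing the failure through that unwind path with a warning would be safer than a BUG during device creation. The comment "nobody knows we exist yet" should also say that this store is what makes the device visible to dm_find_md.
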
@@ -1018,7 +1028,7 @@ static struct mapped_device *dm_find_md(
 	mutex_lock(&_minor_lock);
 
 	md = idr_find(&_minor_idr, minor);
-	if (!md || (dm_disk(md)->first_minor != minor))
+	if (md && (md == MINOR_ALLOCED || (dm_disk(md)->first_minor != minor)))
 		md = NULL;
 
 	mutex_unlock(&_minor_lock);
@@ -1057,6 +1067,9 @@ void dm_put(struct mapped_device *md)
 
 	if (atomic_dec_and_test(&md->holders)) {
 		map = dm_get_table(md);
+		mutex_lock(&_minor_lock);
+		idr_replace(&_minor_idr, MINOR_ALLOCED, dm_disk(md)->first_minor);
+		mutex_unlock(&_minor_lock);
 		if (!dm_suspended(md)) {
 			dm_table_presuspend_targets(map);
 			dm_table_postsuspend_targets(map);
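
Review bot: the return value of `idr_replace(&_minor_idr, MINOR_ALLOCED, dm_disk(md)->first_minor)` is discarded here, while alloc_dev checks the same call with BUG_ON. At minimum verify that the old entry was `md`. The hunk also takes `_minor_lock`, a mutex, inside dm_put; if dm_put can be reached from a context that must not sleep this needs a different lock, and the locking rule deserves a comment either way.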

--

* [patch 10/37] dm: move idr_pre_get
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (8 preceding siblings ...)
  2006-09-06 22:55   ` [patch 09/37] dm: fix idr minor allocation Greg KH
@ 2006-09-06 22:55   ` Greg KH
  2006-09-06 22:55   ` [patch 11/37] dm: change minor_lock to spinlock Greg KH
                     ` (27 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:55 UTC (permalink / raw)
  To: linux-kernel, stable, torvalds
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, akpm, alan, jeffm, agk,
	Greg Kroah-Hartman

[-- Attachment #1: dm-move-idr_pre_get.patch --]
[-- Type: text/plain, Size: 1674 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

idr_pre_get() can sleep while allocating memory.

The next patch will change _minor_lock into a spinlock, so this patch moves
idr_pre_get() outside the lock in preparation.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 drivers/md/dm.c |   23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm.c
+++ linux-2.6.17.11/drivers/md/dm.c
@@ -766,6 +766,10 @@ static int specific_minor(struct mapped_
 	if (minor >= (1 << MINORBITS))
 		return -EINVAL;
 
+	r = idr_pre_get(&_minor_idr, GFP_KERNEL);
+	if (!r)
+		return -ENOMEM;
+
 	mutex_lock(&_minor_lock);
 
 	if (idr_find(&_minor_idr, minor)) {
@@ -773,16 +777,9 @@ static int specific_minor(struct mapped_
 		goto out;
 	}
 
-	r = idr_pre_get(&_minor_idr, GFP_KERNEL);
-	if (!r) {
-		r = -ENOMEM;
-		goto out;
-	}
-
 	r = idr_get_new_above(&_minor_idr, MINOR_ALLOCED, minor, &m);
-	if (r) {
+	if (r)
 		goto out;
-	}
 
 	if (m != minor) {
 		idr_remove(&_minor_idr, m);
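Review bot: With idr_pre_get() now called before _minor_lock is taken, a
concurrent allocator can consume the preallocated nodes before
idr_get_new_above() runs, in which case it returns -EAGAIN and the
"if (r) goto out;" path passes that straight back to the caller. Please
loop back to idr_pre_get() on -EAGAIN, here and in next_free_minor().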
@@ -800,13 +797,11 @@ static int next_free_minor(struct mapped
 	int r;
 	unsigned int m;
 
-	mutex_lock(&_minor_lock);
-
 	r = idr_pre_get(&_minor_idr, GFP_KERNEL);
-	if (!r) {
-		r = -ENOMEM;
-		goto out;
-	}
+	if (!r)
+		return -ENOMEM;
+
+	mutex_lock(&_minor_lock);
 
 	r = idr_get_new(&_minor_idr, MINOR_ALLOCED, &m);
 	if (r) {

--


* [patch 11/37] dm: change minor_lock to spinlock
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (9 preceding siblings ...)
  2006-09-06 22:55   ` [patch 10/37] dm: move idr_pre_get Greg KH
@ 2006-09-06 22:55   ` Greg KH
  2006-09-06 22:55   ` [patch 12/37] dm: add DMF_FREEING Greg KH
                     ` (26 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:55 UTC (permalink / raw)
  To: linux-kernel, stable, torvalds
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, akpm, alan, jeffm, agk,
	Greg Kroah-Hartman

[-- Attachment #1: dm-change-minor_lock-to-spinlock.patch --]
[-- Type: text/plain, Size: 3504 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

While removing a device, another thread might attempt to resurrect it.

This patch replaces the _minor_lock mutex with a spinlock and uses
atomic_dec_and_lock() to serialize reference counting in dm_put().

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 drivers/md/dm.c |   27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm.c
+++ linux-2.6.17.11/drivers/md/dm.c
@@ -26,6 +26,7 @@ static const char *_name = DM_NAME;
 static unsigned int major = 0;
 static unsigned int _major = 0;
 
+static DEFINE_SPINLOCK(_minor_lock);
 /*
  * One of these is allocated per bio.
  */
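Review bot: The new DEFINE_SPINLOCK(_minor_lock) sits directly on top of
the "One of these is allocated per bio" comment with no blank line, so
the comment reads as if it documents the lock. Add a blank line after
the definition and a short comment stating what _minor_lock protects
(_minor_idr and the final reference drop in dm_put()).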
@@ -746,14 +747,13 @@ static int dm_any_congested(void *conges
 /*-----------------------------------------------------------------
  * An IDR is used to keep track of allocated minor numbers.
  *---------------------------------------------------------------*/
-static DEFINE_MUTEX(_minor_lock);
 static DEFINE_IDR(_minor_idr);
 
 static void free_minor(unsigned int minor)
 {
-	mutex_lock(&_minor_lock);
+	spin_lock(&_minor_lock);
 	idr_remove(&_minor_idr, minor);
-	mutex_unlock(&_minor_lock);
+	spin_unlock(&_minor_lock);
 }
 
 /*
@@ -770,7 +770,7 @@ static int specific_minor(struct mapped_
 	if (!r)
 		return -ENOMEM;
 
-	mutex_lock(&_minor_lock);
+	spin_lock(&_minor_lock);
 
 	if (idr_find(&_minor_idr, minor)) {
 		r = -EBUSY;
@@ -788,7 +788,7 @@ static int specific_minor(struct mapped_
 	}
 
 out:
-	mutex_unlock(&_minor_lock);
+	spin_unlock(&_minor_lock);
 	return r;
 }
 
@@ -801,7 +801,7 @@ static int next_free_minor(struct mapped
 	if (!r)
 		return -ENOMEM;
 
-	mutex_lock(&_minor_lock);
+	spin_lock(&_minor_lock);
 
 	r = idr_get_new(&_minor_idr, MINOR_ALLOCED, &m);
 	if (r) {
@@ -817,7 +817,7 @@ static int next_free_minor(struct mapped
 	*minor = m;
 
 out:
-	mutex_unlock(&_minor_lock);
+	spin_unlock(&_minor_lock);
 	return r;
 }
 
@@ -887,9 +887,9 @@ static struct mapped_device *alloc_dev(u
 	init_waitqueue_head(&md->eventq);
 
 	/* Populate the mapping, nobody knows we exist yet */
-	mutex_lock(&_minor_lock);
+	spin_lock(&_minor_lock);
 	old_md = idr_replace(&_minor_idr, md, minor);
-	mutex_unlock(&_minor_lock);
+	spin_unlock(&_minor_lock);
 
 	BUG_ON(old_md != MINOR_ALLOCED);
 
@@ -1020,13 +1020,13 @@ static struct mapped_device *dm_find_md(
 	if (MAJOR(dev) != _major || minor >= (1 << MINORBITS))
 		return NULL;
 
-	mutex_lock(&_minor_lock);
+	spin_lock(&_minor_lock);
 
 	md = idr_find(&_minor_idr, minor);
 	if (md && (md == MINOR_ALLOCED || (dm_disk(md)->first_minor != minor)))
 		md = NULL;
 
-	mutex_unlock(&_minor_lock);
+	spin_unlock(&_minor_lock);
 
 	return md;
 }
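Review bot: dm_find_md() still returns md after spin_unlock() without a
reference having been taken under the lock. The resurrect race named in
the changelog is only closed if the lookup and the reference increment
happen inside the same _minor_lock hold; as written, the last dm_put()
can run between this unlock and whatever the caller does with md.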
@@ -1060,11 +1060,10 @@ void dm_put(struct mapped_device *md)
 {
 	struct dm_table *map;
 
-	if (atomic_dec_and_test(&md->holders)) {
+	if (atomic_dec_and_lock(&md->holders, &_minor_lock)) {
 		map = dm_get_table(md);
-		mutex_lock(&_minor_lock);
 		idr_replace(&_minor_idr, MINOR_ALLOCED, dm_disk(md)->first_minor);
-		mutex_unlock(&_minor_lock);
+		spin_unlock(&_minor_lock);
 		if (!dm_suspended(md)) {
 			dm_table_presuspend_targets(map);
 			dm_table_postsuspend_targets(map);

--


* [patch 12/37] dm: add DMF_FREEING
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (10 preceding siblings ...)
  2006-09-06 22:55   ` [patch 11/37] dm: change minor_lock to spinlock Greg KH
@ 2006-09-06 22:55   ` Greg KH
  2006-09-06 22:56   ` [patch 13/37] dm: fix mapped device ref counting Greg KH
                     ` (25 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:55 UTC (permalink / raw)
  To: linux-kernel, stable, torvalds
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, akpm, alan, jeffm, agk,
	Greg Kroah-Hartman

[-- Attachment #1: dm-add-dmf_freeing.patch --]
[-- Type: text/plain, Size: 2749 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

There is a chicken and egg problem between the block layer and dm in which the
gendisk associated with a mapping keeps a reference-less pointer to the
mapped_device.

This patch uses a new flag DMF_FREEING to indicate when the mapped_device is
no longer valid.  This is checked to prevent any attempt to open the device
from succeeding while the device is being destroyed.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 drivers/md/dm.c |   32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm.c
+++ linux-2.6.17.11/drivers/md/dm.c
@@ -63,6 +63,7 @@ union map_info *dm_get_mapinfo(struct bi
 #define DMF_BLOCK_IO 0
 #define DMF_SUSPENDED 1
 #define DMF_FROZEN 2
+#define DMF_FREEING 3
 
 struct mapped_device {
 	struct rw_semaphore io_lock;
@@ -221,9 +222,23 @@ static int dm_blk_open(struct inode *ino
 {
 	struct mapped_device *md;
 
+	spin_lock(&_minor_lock);
+
 	md = inode->i_bdev->bd_disk->private_data;
+	if (!md)
+		goto out;
+
+	if (test_bit(DMF_FREEING, &md->flags)) {
+		md = NULL;
+		goto out;
+	}
+
 	dm_get(md);
-	return 0;
+
+out:
+	spin_unlock(&_minor_lock);
+
+	return md ? 0 : -ENXIO;
 }
 
 static int dm_blk_close(struct inode *inode, struct file *file)
@@ -919,6 +934,11 @@ static void free_dev(struct mapped_devic
 	mempool_destroy(md->io_pool);
 	del_gendisk(md->disk);
 	free_minor(minor);
+
+	spin_lock(&_minor_lock);
+	md->disk->private_data = NULL;
+	spin_unlock(&_minor_lock);
+
 	put_disk(md->disk);
 	blk_cleanup_queue(md->queue);
 	kfree(md);
@@ -1023,9 +1043,14 @@ static struct mapped_device *dm_find_md(
 	spin_lock(&_minor_lock);
 
 	md = idr_find(&_minor_idr, minor);
-	if (md && (md == MINOR_ALLOCED || (dm_disk(md)->first_minor != minor)))
+	if (md && (md == MINOR_ALLOCED ||
+		   (dm_disk(md)->first_minor != minor) ||
+	           test_bit(DMF_FREEING, &md->flags))) {
 		md = NULL;
+		goto out;
+	}
 
+out:
 	spin_unlock(&_minor_lock);
 
 	return md;
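Review bot: The added "goto out;" in dm_find_md() jumps to an "out:"
label that is the very next statement, so both the goto and the label
can go and the braces with them. The third line of the new condition is
also indented with one tab followed by spaces, unlike the line above it.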
@@ -1060,9 +1085,12 @@ void dm_put(struct mapped_device *md)
 {
 	struct dm_table *map;
 
+	BUG_ON(test_bit(DMF_FREEING, &md->flags));
+
 	if (atomic_dec_and_lock(&md->holders, &_minor_lock)) {
 		map = dm_get_table(md);
 		idr_replace(&_minor_idr, MINOR_ALLOCED, dm_disk(md)->first_minor);
+		set_bit(DMF_FREEING, &md->flags);
 		spin_unlock(&_minor_lock);
 		if (!dm_suspended(md)) {
 			dm_table_presuspend_targets(map);
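Review bot: BUG_ON(test_bit(DMF_FREEING, &md->flags)) at the top of
dm_put() reads the flag without _minor_lock, while the flag is set under
that lock a few lines below, so the check can miss a final put that is
in progress on another CPU. It also turns a reference count imbalance
into a crash; consider whether a warning and early return is enough.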

--


* [patch 13/37] dm: fix mapped device ref counting
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (11 preceding siblings ...)
  2006-09-06 22:55   ` [patch 12/37] dm: add DMF_FREEING Greg KH
@ 2006-09-06 22:56   ` Greg KH
  2006-09-06 22:56   ` [patch 14/37] dm: add module " Greg KH
                     ` (24 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:56 UTC (permalink / raw)
  To: linux-kernel, stable, torvalds
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, akpm, alan, jeffm, agk,
	Greg Kroah-Hartman

[-- Attachment #1: dm-fix-mapped-device-ref-counting.patch --]
[-- Type: text/plain, Size: 3987 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

To avoid races, _minor_lock must be held while changing mapped device
reference counts.

There are a few paths where a mapped_device pointer is returned before a
reference is taken.  This patch fixes them.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 drivers/md/dm-ioctl.c |   34 ++++++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 10 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm-ioctl.c
+++ linux-2.6.17.11/drivers/md/dm-ioctl.c
@@ -102,8 +102,10 @@ static struct hash_cell *__get_name_cell
 	unsigned int h = hash_str(str);
 
 	list_for_each_entry (hc, _name_buckets + h, name_list)
-		if (!strcmp(hc->name, str))
+		if (!strcmp(hc->name, str)) {
+			dm_get(hc->md);
 			return hc;
+		}
 
 	return NULL;
 }
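Review bot: __get_name_cell() now returns with a reference held on
hc->md, but nothing at the function says so. Please add a comment here
and on __get_uuid_cell() stating that a non-NULL return carries a
reference the caller must drop with dm_put(), otherwise the next caller
added to this file will leak one.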
@@ -114,8 +116,10 @@ static struct hash_cell *__get_uuid_cell
 	unsigned int h = hash_str(str);
 
 	list_for_each_entry (hc, _uuid_buckets + h, uuid_list)
-		if (!strcmp(hc->uuid, str))
+		if (!strcmp(hc->uuid, str)) {
+			dm_get(hc->md);
 			return hc;
+		}
 
 	return NULL;
 }
@@ -191,7 +195,7 @@ static int unregister_with_devfs(struct 
  */
 static int dm_hash_insert(const char *name, const char *uuid, struct mapped_device *md)
 {
-	struct hash_cell *cell;
+	struct hash_cell *cell, *hc;
 
 	/*
 	 * Allocate the new cells.
@@ -204,14 +208,19 @@ static int dm_hash_insert(const char *na
 	 * Insert the cell into both hash tables.
 	 */
 	down_write(&_hash_lock);
-	if (__get_name_cell(name))
+	hc = __get_name_cell(name);
+	if (hc) {
+		dm_put(hc->md);
 		goto bad;
+	}
 
 	list_add(&cell->name_list, _name_buckets + hash_str(name));
 
 	if (uuid) {
-		if (__get_uuid_cell(uuid)) {
+		hc = __get_uuid_cell(uuid);
+		if (hc) {
 			list_del(&cell->name_list);
+			dm_put(hc->md);
 			goto bad;
 		}
 		list_add(&cell->uuid_list, _uuid_buckets + hash_str(uuid));
@@ -289,6 +298,7 @@ static int dm_hash_rename(const char *ol
 	if (hc) {
 		DMWARN("asked to rename to an already existing name %s -> %s",
 		       old, new);
+		dm_put(hc->md);
 		up_write(&_hash_lock);
 		kfree(new_name);
 		return -EBUSY;
@@ -328,6 +338,7 @@ static int dm_hash_rename(const char *ol
 		dm_table_put(table);
 	}
 
+	dm_put(hc->md);
 	up_write(&_hash_lock);
 	kfree(old_name);
 	return 0;
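Review bot: dm_put(hc->md) is called before up_write(&_hash_lock) here,
and likewise in the previous dm_hash_rename() hunk and in
dm_hash_insert(), whereas the dev_remove() and table_clear() hunks copy
hc->md to a local and call dm_put() after dropping the lock. If any of
these can be the last reference, the teardown in dm_put() runs with
_hash_lock held for write. Use the save-then-put-after-unlock pattern
throughout, or say in a comment why it is safe here.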
@@ -611,10 +622,8 @@ static struct hash_cell *__find_device_h
 		return __get_name_cell(param->name);
 
 	md = dm_get_md(huge_decode_dev(param->dev));
-	if (md) {
+	if (md)
 		mdptr = dm_get_mdptr(md);
-		dm_put(md);
-	}
 
 	return mdptr;
 }
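Review bot: With the dm_put(md) removed from __find_device_hash_cell(),
the reference taken by dm_get_md() is kept for the caller, but the
caller can only reach md through a non-NULL mdptr. If dm_get_mdptr(md)
returns NULL the function returns NULL and the reference is leaked.
Drop it in that case, for example "if (!mdptr) dm_put(md);" before the
return.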
@@ -628,7 +637,6 @@ static struct mapped_device *find_device
 	hc = __find_device_hash_cell(param);
 	if (hc) {
 		md = hc->md;
-		dm_get(md);
 
 		/*
 		 * Sneakily write in both the name and the uuid
@@ -653,6 +661,7 @@ static struct mapped_device *find_device
 static int dev_remove(struct dm_ioctl *param, size_t param_size)
 {
 	struct hash_cell *hc;
+	struct mapped_device *md;
 
 	down_write(&_hash_lock);
 	hc = __find_device_hash_cell(param);
@@ -663,8 +672,11 @@ static int dev_remove(struct dm_ioctl *p
 		return -ENXIO;
 	}
 
+	md = hc->md;
+
 	__hash_remove(hc);
 	up_write(&_hash_lock);
+	dm_put(md);
 	param->data_size = 0;
 	return 0;
 }
@@ -790,7 +802,6 @@ static int do_resume(struct dm_ioctl *pa
 	}
 
 	md = hc->md;
-	dm_get(md);
 
 	new_map = hc->new_map;
 	hc->new_map = NULL;
@@ -1078,6 +1089,7 @@ static int table_clear(struct dm_ioctl *
 {
 	int r;
 	struct hash_cell *hc;
+	struct mapped_device *md;
 
 	down_write(&_hash_lock);
 
@@ -1096,7 +1108,9 @@ static int table_clear(struct dm_ioctl *
 	param->flags &= ~DM_INACTIVE_PRESENT_FLAG;
 
 	r = __dev_status(hc->md, param);
+	md = hc->md;
 	up_write(&_hash_lock);
+	dm_put(md);
 	return r;
 }
 

--


* [patch 14/37] dm: add module ref counting
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (12 preceding siblings ...)
  2006-09-06 22:56   ` [patch 13/37] dm: fix mapped device ref counting Greg KH
@ 2006-09-06 22:56   ` Greg KH
  2006-09-06 22:56   ` [patch 15/37] dm: fix block device initialisation Greg KH
                     ` (23 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:56 UTC (permalink / raw)
  To: linux-kernel, stable, torvalds
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, akpm, alan, jeffm, agk,
	Greg Kroah-Hartman

[-- Attachment #1: dm-add-module-ref-counting.patch --]
[-- Type: text/plain, Size: 1503 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

The reference counting on dm-mod is zero if no mapped devices are open.  This
is incorrect, and can lead to an oops if the module is unloaded while mapped
devices exist.

This patch claims a reference to the module whenever a device is created, and
drops it again when the device is freed.

Devices must be removed before dm-mod is unloaded.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 drivers/md/dm.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- linux-2.6.17.11.orig/drivers/md/dm.c
+++ linux-2.6.17.11/drivers/md/dm.c
@@ -852,6 +852,9 @@ static struct mapped_device *alloc_dev(u
 		return NULL;
 	}
 
+	if (!try_module_get(THIS_MODULE))
+		goto bad0;
+
 	/* get a minor number for the dev */
 	r = persistent ? specific_minor(md, minor) : next_free_minor(md, &minor);
 	if (r < 0)
@@ -918,6 +921,8 @@ static struct mapped_device *alloc_dev(u
 	blk_cleanup_queue(md->queue);
 	free_minor(minor);
  bad1:
+	module_put(THIS_MODULE);
+ bad0:
 	kfree(md);
 	return NULL;
 }
@@ -941,6 +946,7 @@ static void free_dev(struct mapped_devic
 
 	put_disk(md->disk);
 	blk_cleanup_queue(md->queue);
+	module_put(THIS_MODULE);
 	kfree(md);
 }
 

--


* [patch 15/37] dm: fix block device initialisation
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (13 preceding siblings ...)
  2006-09-06 22:56   ` [patch 14/37] dm: add module " Greg KH
@ 2006-09-06 22:56   ` Greg KH
  2006-09-06 22:56   ` [patch 16/37] dm: mirror sector offset fix Greg KH
                     ` (22 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:56 UTC (permalink / raw)
  To: linux-kernel, stable, torvalds
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, akpm, alan, jeffm, agk,
	Greg Kroah-Hartman

[-- Attachment #1: dm-fix-block-device-initialisation.patch --]
[-- Type: text/plain, Size: 1517 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

In alloc_dev(), we register the device with the block layer and then continue
to initialize the device.  But register_disk() makes the device available to
be opened before we have completed initialising it.

This patch moves the final bits of the initialization above the disk
registration.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 drivers/md/dm.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm.c
+++ linux-2.6.17.11/drivers/md/dm.c
@@ -891,6 +891,10 @@ static struct mapped_device *alloc_dev(u
 	if (!md->disk)
 		goto bad4;
 
+	atomic_set(&md->pending, 0);
+	init_waitqueue_head(&md->wait);
+	init_waitqueue_head(&md->eventq);
+
 	md->disk->major = _major;
 	md->disk->first_minor = minor;
 	md->disk->fops = &dm_blk_dops;
@@ -900,10 +904,6 @@ static struct mapped_device *alloc_dev(u
 	add_disk(md->disk);
 	format_dev_t(md->name, MKDEV(_major, minor));
 
-	atomic_set(&md->pending, 0);
-	init_waitqueue_head(&md->wait);
-	init_waitqueue_head(&md->eventq);
-
 	/* Populate the mapping, nobody knows we exist yet */
 	spin_lock(&_minor_lock);
 	old_md = idr_replace(&_minor_idr, md, minor);
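Review bot: The "nobody knows we exist yet" comment is now stale: it
still sits after add_disk(md->disk), and the changelog itself says
registration makes the device available to be opened. Either reword the
comment or move the idr_replace() block above add_disk() together with
the three initialisation lines, so that the whole of md is set up before
the disk becomes visible.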

--


* [patch 16/37] dm: mirror sector offset fix
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (14 preceding siblings ...)
  2006-09-06 22:56   ` [patch 15/37] dm: fix block device initialisation Greg KH
@ 2006-09-06 22:56   ` Greg KH
  2006-09-06 22:56   ` [patch 17/37] TG3: Disable TSO by default Greg KH
                     ` (21 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:56 UTC (permalink / raw)
  To: linux-kernel, stable, torvalds
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, akpm, alan, neilb, agk,
	Greg Kroah-Hartman

[-- Attachment #1: dm-mirror-sector-offset-fix.patch --]
[-- Type: text/plain, Size: 3130 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Neil Brown <neilb@suse.de>

The device-mapper core does not perform any remapping of bios before passing
them to the targets.  If a particular mapping begins part-way into a device,
targets obtain the sector relative to the start of the mapping by subtracting
ti->begin.

The dm-raid1 target didn't do this everywhere: this patch fixes it, taking
care to subtract ti->begin exactly once for each bio.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 drivers/md/dm-raid1.c |   63 +++++++++++++++++++++++++-------------------------
 1 file changed, 32 insertions(+), 31 deletions(-)

--- linux-2.6.17.11.orig/drivers/md/dm-raid1.c
+++ linux-2.6.17.11/drivers/md/dm-raid1.c
@@ -106,12 +106,42 @@ struct region {
 	struct bio_list delayed_bios;
 };
 
+
+/*-----------------------------------------------------------------
+ * Mirror set structures.
+ *---------------------------------------------------------------*/
+struct mirror {
+	atomic_t error_count;
+	struct dm_dev *dev;
+	sector_t offset;
+};
+
+struct mirror_set {
+	struct dm_target *ti;
+	struct list_head list;
+	struct region_hash rh;
+	struct kcopyd_client *kcopyd_client;
+
+	spinlock_t lock;	/* protects the next two lists */
+	struct bio_list reads;
+	struct bio_list writes;
+
+	/* recovery */
+	region_t nr_regions;
+	int in_sync;
+
+	struct mirror *default_mirror;	/* Default mirror */
+
+	unsigned int nr_mirrors;
+	struct mirror mirror[0];
+};
+
 /*
  * Conversion fns
  */
 static inline region_t bio_to_region(struct region_hash *rh, struct bio *bio)
 {
-	return bio->bi_sector >> rh->region_shift;
+	return (bio->bi_sector - rh->ms->ti->begin) >> rh->region_shift;
 }
 
 static inline sector_t region_to_sector(struct region_hash *rh, region_t region)
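Review bot: bio_to_region() now returns a region relative to ti->begin
and dereferences rh->ms->ti on every call, but the "Conversion fns"
comment does not say so. Please document that regions are relative to
the start of the target, and confirm that region_to_sector() and its
callers apply the matching adjustment so ti->begin is accounted for
exactly once in each direction. The hunk also adds a second consecutive
blank line before the moved "Mirror set structures" block.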
@@ -541,35 +571,6 @@ static void rh_start_recovery(struct reg
 	wake();
 }
 
-/*-----------------------------------------------------------------
- * Mirror set structures.
- *---------------------------------------------------------------*/
-struct mirror {
-	atomic_t error_count;
-	struct dm_dev *dev;
-	sector_t offset;
-};
-
-struct mirror_set {
-	struct dm_target *ti;
-	struct list_head list;
-	struct region_hash rh;
-	struct kcopyd_client *kcopyd_client;
-
-	spinlock_t lock;	/* protects the next two lists */
-	struct bio_list reads;
-	struct bio_list writes;
-
-	/* recovery */
-	region_t nr_regions;
-	int in_sync;
-
-	struct mirror *default_mirror;	/* Default mirror */
-
-	unsigned int nr_mirrors;
-	struct mirror mirror[0];
-};
-
 /*
  * Every mirror should look like this one.
  */
@@ -1115,7 +1116,7 @@ static int mirror_map(struct dm_target *
 	struct mirror *m;
 	struct mirror_set *ms = ti->private;
 
-	map_context->ll = bio->bi_sector >> ms->rh.region_shift;
+	map_context->ll = bio_to_region(&ms->rh, bio);
 
 	if (rw == WRITE) {
 		queue_bio(ms, bio, rw);

--


* [patch 17/37] TG3: Disable TSO by default
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (15 preceding siblings ...)
  2006-09-06 22:56   ` [patch 16/37] dm: mirror sector offset fix Greg KH
@ 2006-09-06 22:56   ` Greg KH
  2006-09-06 22:56   ` [patch 18/37] SPARC64: Fix X server crashes on sparc64 Greg KH
                     ` (20 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:56 UTC (permalink / raw)
  To: linux-kernel, stable, davem
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	Michael Chan, Greg Kroah-Hartman

[-- Attachment #1: tg3-disable-tso-by-default.patch --]
[-- Type: text/plain, Size: 2247 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Michael Chan <mchan@broadcom.com>

Disable TSO by default on some chips due to hardware errata.

Enabling TSO can lead to tx timeouts in some cases when the TSO
header size exceeds 80 bytes on the affected chips.  This limit
can be exceeded when the TCP header contains the timestamp option
plus 2 SACK blocks, for example.  A more complete workaround is
available in the next 2.6.18 kernel.

Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>


---
 drivers/net/tg3.c |   12 ++++++++----
 drivers/net/tg3.h |    1 +
 2 files changed, 9 insertions(+), 4 deletions(-)

--- linux-2.6.17.11.orig/drivers/net/tg3.c
+++ linux-2.6.17.11/drivers/net/tg3.c
@@ -69,8 +69,8 @@
 
 #define DRV_MODULE_NAME		"tg3"
 #define PFX DRV_MODULE_NAME	": "
-#define DRV_MODULE_VERSION	"3.59"
-#define DRV_MODULE_RELDATE	"June 8, 2006"
+#define DRV_MODULE_VERSION	"3.59.1"
+#define DRV_MODULE_RELDATE	"August 25, 2006"
 
 #define TG3_DEF_MAC_MODE	0
 #define TG3_DEF_RX_MODE		0
@@ -11381,11 +11381,15 @@ static int __devinit tg3_init_one(struct
 		tp->tg3_flags2 |= TG3_FLG2_TSO_CAPABLE;
 	}
 
-	/* TSO is on by default on chips that support hardware TSO.
+	/* TSO is on by default on chips that support HW_TSO_2.
+	 * Some HW_TSO_1 capable chips have bugs that can lead to
+	 * tx timeouts in some cases when TSO is enabled.
 	 * Firmware TSO on older chips gives lower performance, so it
 	 * is off by default, but can be enabled using ethtool.
 	 */
-	if (tp->tg3_flags2 & TG3_FLG2_HW_TSO)
+	if ((tp->tg3_flags2 & TG3_FLG2_HW_TSO_2) ||
+	    (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5750 &&
+	     tp->pci_chip_rev_id >= CHIPREV_ID_5750_C2))
 		dev->features |= NETIF_F_TSO;
 
 #endif
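Review bot: The new test "tp->pci_chip_rev_id >= CHIPREV_ID_5750_C2"
relies on chip revision ids being numerically ordered within
ASIC_REV_5750, which the comment above does not state. Please say in the
comment that 5750 C2 and later are treated as unaffected, and carry over
the 80-byte TSO header limit from the changelog so the reason for the
condition survives in the code.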
--- linux-2.6.17.11.orig/drivers/net/tg3.h
+++ linux-2.6.17.11/drivers/net/tg3.h
@@ -125,6 +125,7 @@
 #define  CHIPREV_ID_5750_A0		 0x4000
 #define  CHIPREV_ID_5750_A1		 0x4001
 #define  CHIPREV_ID_5750_A3		 0x4003
+#define  CHIPREV_ID_5750_C2		 0x4202
 #define  CHIPREV_ID_5752_A0_HW		 0x5000
 #define  CHIPREV_ID_5752_A0		 0x6000
 #define  CHIPREV_ID_5752_A1		 0x6001

--


* [patch 18/37] SPARC64: Fix X server crashes on sparc64
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (16 preceding siblings ...)
  2006-09-06 22:56   ` [patch 17/37] TG3: Disable TSO by default Greg KH
@ 2006-09-06 22:56   ` Greg KH
  2006-09-06 22:56   ` [patch 19/37] SCTP: Fix sctp_primitive_ABORT() call in sctp_close() Greg KH
                     ` (19 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:56 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	David S. Miller

[-- Attachment #1: sparc64-fix-x-server-crashes-on-sparc64.patch --]
[-- Type: text/plain, Size: 1420 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: David S. Miller <davem@davemloft.net>

[SPARC64]: Fix X server hangs due to large pages.

This problem was introduced by changeset
14778d9072e53d2171f66ffd9657daff41acfaed

Unlike the hugetlb code paths, the normal fault code is not set up to
propagate PTE changes for large page sizes correctly like the ones we
make for I/O mappings in io_remap_pfn_range().

It is absolutely necessary to update all sub-ptes of a largepage
mapping on a fault.  Adding special handling for this would add
considerable complexity to tlb_batch_add().  So let's just side-step
the issue and forcefully dirty any writable PTEs created by
io_remap_pfn_range().

The only other real option would be to disable the large PTE code of
io_remap_pfn_range() and we really don't want to do that.

Much thanks to Mikael Pettersson for tracking down this problem and
testing debug patches.

Signed-off-by: David S. Miller <davem@davemloft.net>

---
 arch/sparc64/mm/generic.c |    2 ++
 1 file changed, 2 insertions(+)

--- linux-2.6.17.11.orig/arch/sparc64/mm/generic.c
+++ linux-2.6.17.11/arch/sparc64/mm/generic.c
@@ -69,6 +69,8 @@ static inline void io_remap_pte_range(st
 		} else
 			offset += PAGE_SIZE;
 
+		if (pte_write(entry))
+			entry = pte_mkdirty(entry);
 		do {
 			BUG_ON(!pte_none(*pte));
 			set_pte_at(mm, address, pte, entry);
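Review bot: The pte_mkdirty() added in io_remap_pte_range() has no
comment, and without the changelog it looks like a mistake. Please add
two or three lines above "if (pte_write(entry))" explaining that
writable I/O PTEs are pre-dirtied because the normal fault path does not
propagate PTE updates to all sub-PTEs of a large-page mapping.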

--


* [patch 19/37] SCTP: Fix sctp_primitive_ABORT() call in sctp_close().
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (17 preceding siblings ...)
  2006-09-06 22:56   ` [patch 18/37] SPARC64: Fix X server crashes on sparc64 Greg KH
@ 2006-09-06 22:56   ` Greg KH
  2006-09-06 22:56   ` [patch 20/37] IPV6 OOPSer triggerable by any user Greg KH
                     ` (18 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:56 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	Sridhar Samudrala, David S. Miller

[-- Attachment #1: sctp-fix-sctp_primitive_abort-call-in-sctp_close.patch --]
[-- Type: text/plain, Size: 1008 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Sridhar Samudrala <sri@us.ibm.com>

With the recent fix, the callers of sctp_primitive_ABORT()
need to create an ABORT chunk and pass it as an argument rather
than msghdr that was passed earlier.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

---
 net/sctp/socket.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- linux-2.6.17.11.orig/net/sctp/socket.c
+++ linux-2.6.17.11/net/sctp/socket.c
@@ -1246,9 +1246,13 @@ SCTP_STATIC void sctp_close(struct sock 
 			}
 		}
 
-		if (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime)
-			sctp_primitive_ABORT(asoc, NULL);
-		else
+		if (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime) {
+			struct sctp_chunk *chunk;
+
+			chunk = sctp_make_abort_user(asoc, NULL, 0);
+			if (chunk)
+				sctp_primitive_ABORT(asoc, chunk);
+		} else
 			sctp_primitive_SHUTDOWN(asoc, NULL);
 	}
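Review bot: If sctp_make_abort_user() returns NULL, the new branch in
sctp_close() does nothing: no ABORT is issued and the else branch with
sctp_primitive_SHUTDOWN() is not reached either. Please decide what
close should do in that case (for example fall back to SHUTDOWN) and
handle it explicitly. Since the if branch now has braces, the else
branch should have them too.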
 

--


* [patch 20/37] IPV6 OOPSer triggerable by any user
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (18 preceding siblings ...)
  2006-09-06 22:56   ` [patch 19/37] SCTP: Fix sctp_primitive_ABORT() call in sctp_close() Greg KH
@ 2006-09-06 22:56   ` Greg KH
  2006-09-06 22:56   ` [patch 21/37] fcntl(F_SETSIG) fix Greg KH
                     ` (17 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:56 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	bunk, YOSHIFUJI Hideaki, David S. Miller, Greg Kroah-Hartman

[-- Attachment #1: ipv6-oops-er-triggerable-by-any-user.patch --]
[-- Type: text/plain, Size: 2646 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>

[IPV6]: Fix kernel OOPs when setting sticky socket options.

Bug noticed by Remi Denis-Courmont <rdenis@simphalempin.com>.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/ipv6/exthdrs.c |   29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)

--- linux-2.6.17.11.orig/net/ipv6/exthdrs.c
+++ linux-2.6.17.11/net/ipv6/exthdrs.c
@@ -635,14 +635,17 @@ ipv6_renew_options(struct sock *sk, stru
 	struct ipv6_txoptions *opt2;
 	int err;
 
-	if (newtype != IPV6_HOPOPTS && opt->hopopt)
-		tot_len += CMSG_ALIGN(ipv6_optlen(opt->hopopt));
-	if (newtype != IPV6_RTHDRDSTOPTS && opt->dst0opt)
-		tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst0opt));
-	if (newtype != IPV6_RTHDR && opt->srcrt)
-		tot_len += CMSG_ALIGN(ipv6_optlen(opt->srcrt));
-	if (newtype != IPV6_DSTOPTS && opt->dst1opt)
-		tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst1opt));
+	if (opt) {
+		if (newtype != IPV6_HOPOPTS && opt->hopopt)
+			tot_len += CMSG_ALIGN(ipv6_optlen(opt->hopopt));
+		if (newtype != IPV6_RTHDRDSTOPTS && opt->dst0opt)
+			tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst0opt));
+		if (newtype != IPV6_RTHDR && opt->srcrt)
+			tot_len += CMSG_ALIGN(ipv6_optlen(opt->srcrt));
+		if (newtype != IPV6_DSTOPTS && opt->dst1opt)
+			tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst1opt));
+	}
+
 	if (newopt && newoptlen)
 		tot_len += CMSG_ALIGN(newoptlen);
 
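
Review bot: the new 'if (opt)' block makes a NULL opt legal for ipv6_renew_options(), but neither the changelog nor the code states when a caller passes NULL. A one-line comment above the check naming that condition would keep a later cleanup from removing it.
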
@@ -659,25 +662,25 @@ ipv6_renew_options(struct sock *sk, stru
 	opt2->tot_len = tot_len;
 	p = (char *)(opt2 + 1);
 
-	err = ipv6_renew_option(opt->hopopt, newopt, newoptlen,
+	err = ipv6_renew_option(opt ? opt->hopopt : NULL, newopt, newoptlen,
 				newtype != IPV6_HOPOPTS,
 				&opt2->hopopt, &p);
 	if (err)
 		goto out;
 
-	err = ipv6_renew_option(opt->dst0opt, newopt, newoptlen,
+	err = ipv6_renew_option(opt ? opt->dst0opt : NULL, newopt, newoptlen,
 				newtype != IPV6_RTHDRDSTOPTS,
 				&opt2->dst0opt, &p);
 	if (err)
 		goto out;
 
-	err = ipv6_renew_option(opt->srcrt, newopt, newoptlen,
+	err = ipv6_renew_option(opt ? opt->srcrt : NULL, newopt, newoptlen,
 				newtype != IPV6_RTHDR,
-				(struct ipv6_opt_hdr **)opt2->srcrt, &p);
+				(struct ipv6_opt_hdr **)&opt2->srcrt, &p);
 	if (err)
 		goto out;
 
-	err = ipv6_renew_option(opt->dst1opt, newopt, newoptlen,
+	err = ipv6_renew_option(opt ? opt->dst1opt : NULL, newopt, newoptlen,
 				newtype != IPV6_DSTOPTS,
 				&opt2->dst1opt, &p);
 	if (err)
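
Review bot: the srcrt call changes its fifth argument from '(struct ipv6_opt_hdr **)opt2->srcrt' to '(struct ipv6_opt_hdr **)&opt2->srcrt', a second fix (a missing address-of hidden by the cast) that the changelog does not mention. Please describe it in the commit message, since it is unrelated to the NULL opt handling. The four repeated 'opt ? opt->... : NULL' arguments would also read better as a single early branch on opt.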

--


* [patch 21/37] fcntl(F_SETSIG) fix
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (19 preceding siblings ...)
  2006-09-06 22:56   ` [patch 20/37] IPV6 OOPSer triggerable by any user Greg KH
@ 2006-09-06 22:56   ` Greg KH
  2006-09-06 22:57   ` [patch 22/37] bug in futex unqueue_me Greg KH
                     ` (16 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:56 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	Trond Myklebust, Trond Myklebust, Greg Kroah-Hartman

[-- Attachment #1: fcntl-fix.patch --]
[-- Type: text/plain, Size: 1233 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Trond Myklebust <trond.myklebust@fys.uio.no>

[PATCH] fcntl(F_SETSIG) fix

fcntl(F_SETSIG) no longer works on leases because
lease_release_private_callback() gets called as the lease is copied in
order to initialise it.

The problem is that lease_alloc() performs an unnecessary initialisation,
which sets the lease_manager_ops.  Avoid the problem by allocating the
target lease structure using locks_alloc_lock().

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 fs/locks.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- linux-2.6.17.11.orig/fs/locks.c
+++ linux-2.6.17.11/fs/locks.c
@@ -1389,8 +1389,9 @@ static int __setlease(struct file *filp,
 	if (!leases_enable)
 		goto out;
 
-	error = lease_alloc(filp, arg, &fl);
-	if (error)
+	error = -ENOMEM;
+	fl = locks_alloc_lock();
+	if (fl == NULL)
 		goto out;
 
 	locks_copy_lock(fl, lease);
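
Review bot: lease_alloc(filp, arg, &fl) is replaced by a bare locks_alloc_lock(), so everything the old call derived from filp and arg must now arrive through locks_copy_lock(fl, lease). A short comment stating that the caller's lease is already fully initialised would make that dependency explicit. Presetting 'error = -ENOMEM' also means any 'goto out' added later between here and the final 'error = 0' reports ENOMEM unless it sets its own code.
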
@@ -1398,6 +1399,7 @@ static int __setlease(struct file *filp,
 	locks_insert_lock(before, fl);
 
 	*flp = fl;
+	error = 0;
 out:
 	return error;
 }

--


* [patch 22/37] bug in futex unqueue_me
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (20 preceding siblings ...)
  2006-09-06 22:56   ` [patch 21/37] fcntl(F_SETSIG) fix Greg KH
@ 2006-09-06 22:57   ` Greg KH
  2006-09-06 22:57   ` [patch 23/37] binfmt_elf: fix checks for bad address Greg KH
                     ` (15 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:57 UTC (permalink / raw)
  To: linux-kernel, stable, Adrian Bunk
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	Bastian Blank, Martin Schwidefsky, Rusty Russell, Ingo Molnar,
	Thomas Gleixner, Christian Borntraeger, Greg Kroah-Hartman

[-- Attachment #1: bug-in-futex-unqueue_me.patch --]
[-- Type: text/plain, Size: 4546 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Christian Borntraeger <borntrae@de.ibm.com>

This patch adds a barrier() in futex unqueue_me to avoid aliasing of two
pointers.

On my s390x system I saw the following oops:

Unable to handle kernel pointer dereference at virtual kernel address
0000000000000000
Oops: 0004 [#1]
CPU:    0    Not tainted
Process mytool (pid: 13613, task: 000000003ecb6ac0, ksp: 00000000366bdbd8)
Krnl PSW : 0704d00180000000 00000000003c9ac2 (_spin_lock+0xe/0x30)
Krnl GPRS: 00000000ffffffff 000000003ecb6ac0 0000000000000000 0700000000000000
           0000000000000000 0000000000000000 000001fe00002028 00000000000c091f
           000001fe00002054 000001fe00002054 0000000000000000 00000000366bddc0
           00000000005ef8c0 00000000003d00e8 0000000000144f91 00000000366bdcb8
Krnl Code: ba 4e 20 00 12 44 b9 16 00 3e a7 84 00 08 e3 e0 f0 88 00 04
Call Trace:
([<0000000000144f90>] unqueue_me+0x40/0xe4)
 [<0000000000145a0c>] do_futex+0x33c/0xc40
 [<000000000014643e>] sys_futex+0x12e/0x144
 [<000000000010bb00>] sysc_noemu+0x10/0x16
 [<000002000003741c>] 0x2000003741c

The code in question is:

static int unqueue_me(struct futex_q *q)
{
        int ret = 0;
        spinlock_t *lock_ptr;

        /* In the common case we don't take the spinlock, which is nice. */
 retry:
        lock_ptr = q->lock_ptr;
        if (lock_ptr != 0) {
                spin_lock(lock_ptr);
		/*
                 * q->lock_ptr can change between reading it and
                 * spin_lock(), causing us to take the wrong lock.  This
                 * corrects the race condition.
[...]

and my compiler (gcc 4.1.0) makes the following out of it:

00000000000003c8 <unqueue_me>:
     3c8:       eb bf f0 70 00 24       stmg    %r11,%r15,112(%r15)
     3ce:       c0 d0 00 00 00 00       larl    %r13,3ce <unqueue_me+0x6>
                        3d0: R_390_PC32DBL      .rodata+0x2a
     3d4:       a7 f1 1e 00             tml     %r15,7680
     3d8:       a7 84 00 01             je      3da <unqueue_me+0x12>
     3dc:       b9 04 00 ef             lgr     %r14,%r15
     3e0:       a7 fb ff d0             aghi    %r15,-48
     3e4:       b9 04 00 b2             lgr     %r11,%r2
     3e8:       e3 e0 f0 98 00 24       stg     %r14,152(%r15)
     3ee:       e3 c0 b0 28 00 04       lg      %r12,40(%r11)
		/* write q->lock_ptr in r12 */
     3f4:       b9 02 00 cc             ltgr    %r12,%r12
     3f8:       a7 84 00 4b             je      48e <unqueue_me+0xc6>
		/* if r12 is zero then jump over the code.... */
     3fc:       e3 20 b0 28 00 04       lg      %r2,40(%r11)
		/* write q->lock_ptr in r2 */
     402:       c0 e5 00 00 00 00       brasl   %r14,402 <unqueue_me+0x3a>
                        404: R_390_PC32DBL      _spin_lock+0x2
		/* use r2 as parameter for spin_lock */

So the code becomes more or less:
if (q->lock_ptr != 0) spin_lock(q->lock_ptr)
instead of
if (lock_ptr != 0) spin_lock(lock_ptr)

Which caused the oops from above.
After adding a barrier gcc creates code without this problem:
[...] (the same)
     3ee:       e3 c0 b0 28 00 04       lg      %r12,40(%r11)
     3f4:       b9 02 00 cc             ltgr    %r12,%r12
     3f8:       b9 04 00 2c             lgr     %r2,%r12
     3fc:       a7 84 00 48             je      48c <unqueue_me+0xc4>
     400:       c0 e5 00 00 00 00       brasl   %r14,400 <unqueue_me+0x38>
                        402: R_390_PC32DBL      _spin_lock+0x2

As a general note, this code of unqueue_me seems a bit fishy. The retry logic
of unqueue_me only works if we can guarantee that the original value of
q->lock_ptr is always a spinlock (otherwise we overwrite kernel memory). We
know that q->lock_ptr can change. I don't know what happens with the original
spinlock, as I am not an expert with the futex code.

Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Acked-by: Ingo Molnar <mingo@redhat.com>
Cc: Thomas Gleixner <tglx@timesys.com>
Signed-off-by: Christian Borntraeger <borntrae@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 kernel/futex.c |    1 +
 1 file changed, 1 insertion(+)

--- linux-2.6.17.11.orig/kernel/futex.c
+++ linux-2.6.17.11/kernel/futex.c
@@ -593,6 +593,7 @@ static int unqueue_me(struct futex_q *q)
 	/* In the common case we don't take the spinlock, which is nice. */
  retry:
 	lock_ptr = q->lock_ptr;
+	barrier();
 	if (lock_ptr != 0) {
 		spin_lock(lock_ptr);
 		/*
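
Review bot: the added barrier() has no comment, and nothing in the source says it is there to stop the compiler from re-reading q->lock_ptr after the NULL test. Add a comment at the barrier() line, for example 'use the local copy from here on; q->lock_ptr can change', so it is not removed as redundant later.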

--


* [patch 23/37] binfmt_elf: fix checks for bad address
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (21 preceding siblings ...)
  2006-09-06 22:57   ` [patch 22/37] bug in futex unqueue_me Greg KH
@ 2006-09-06 22:57   ` Greg KH
  2006-09-06 22:57   ` [patch 24/37] uhci-hcd: fix list access bug Greg KH
                     ` (14 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:57 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	Ernie Petrides, Chuck Ebbert, Greg Kroah-Hartman

[-- Attachment #1: binfmt_elf-fix-checks-for-bad-address.patch --]
[-- Type: text/plain, Size: 4473 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Ernie Petrides <petrides@redhat.com>

[PATCH] binfmt_elf: fix checks for bad address

Fix check for bad address; use macro instead of open-coding two checks.

Taken from RHEL4 kernel update.

  For background, the BAD_ADDR() macro should return TRUE if the address is
  TASK_SIZE, because that's the lowest address that is *not* valid for
  user-space mappings.  The macro was correct in binfmt_aout.c but was wrong
  for the "equal to" case in binfmt_elf.c.  There were two in-line validations
  of user-space addresses in binfmt_elf.c, which have been appropriately
  converted to use the corrected BAD_ADDR() macro in the patch you posted
  yesterday.  Note that the size checks against TASK_SIZE are okay as coded.

  The additional changes that I propose are below.  These are in the error
  paths for bad ELF entry addresses once load_elf_binary() has already
  committed to exec'ing the new image (following the tearing down of the
  task's original address space).

  The 1st hunk deals with the interp-side of the outer "if".  There were two
  problems here.  The printk() should be removed because this path can be
  triggered at will by a bogus interpreter image created and used by a
  malicious user.  Further, the error code should not be ENOEXEC, because that
  causes the loop in search_binary_handler() to continue trying other exec
  handlers (twice, in fact).  But it's too late for this to work correctly,
  because the user address space has already been torn down, and an exec()
  failure cannot be returned to the user code because the code no longer
  exists.  The only recovery is to force a SIGSEGV, but it's best to terminate
  the search loop immediately.  I somewhat arbitrarily chose EINVAL as a
  fallback error code, but any error returned by load_elf_interp() will
  override that (but this value will never be seen by user-space).

  The 2nd hunk deals with the non-interp-side of the outer "if".  There were
  two problems here as well.  The SIGSEGV needs to be forced, because a prior
  sigaction() syscall might have set the associated disposition to SIG_IGN.
  And the ENOEXEC should be changed to EINVAL as described above.

Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 fs/binfmt_elf.c |   15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

--- linux-2.6.17.11.orig/fs/binfmt_elf.c
+++ linux-2.6.17.11/fs/binfmt_elf.c
@@ -86,7 +86,7 @@ static struct linux_binfmt elf_format = 
 		.min_coredump	= ELF_EXEC_PAGESIZE
 };
 
-#define BAD_ADDR(x)	((unsigned long)(x) > TASK_SIZE)
+#define BAD_ADDR(x)	((unsigned long)(x) >= TASK_SIZE)
 
 static int set_brk(unsigned long start, unsigned long end)
 {
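
Review bot: the change from '>' to '>=' in BAD_ADDR() is an off-by-one fix whose reason (TASK_SIZE is the lowest address that is not valid for user-space mappings) appears only in the changelog. A one-line comment above the macro would stop it from drifting back.
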
@@ -389,7 +389,7 @@ static unsigned long load_elf_interp(str
 	     * <= p_memsize so it is only necessary to check p_memsz.
 	     */
 	    k = load_addr + eppnt->p_vaddr;
-	    if (k > TASK_SIZE || eppnt->p_filesz > eppnt->p_memsz ||
+	    if (BAD_ADDR(k) || eppnt->p_filesz > eppnt->p_memsz ||
 		eppnt->p_memsz > TASK_SIZE || TASK_SIZE - eppnt->p_memsz < k) {
 	        error = -ENOMEM;
 		goto out_close;
@@ -876,7 +876,7 @@ static int load_elf_binary(struct linux_
 		 * allowed task size. Note that p_filesz must always be
 		 * <= p_memsz so it is only necessary to check p_memsz.
 		 */
-		if (k > TASK_SIZE || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
+		if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
 		    elf_ppnt->p_memsz > TASK_SIZE ||
 		    TASK_SIZE - elf_ppnt->p_memsz < k) {
 			/* set_brk can never work.  Avoid overflows.  */
@@ -930,10 +930,9 @@ static int load_elf_binary(struct linux_
 						    interpreter,
 						    &interp_load_addr);
 		if (BAD_ADDR(elf_entry)) {
-			printk(KERN_ERR "Unable to load interpreter %.128s\n",
-				elf_interpreter);
 			force_sig(SIGSEGV, current);
-			retval = -ENOEXEC; /* Nobody gets to see this, but.. */
+			retval = IS_ERR((void *)elf_entry) ?
+					(int)elf_entry : -EINVAL;
 			goto out_free_dentry;
 		}
 		reloc_func_desc = interp_load_addr;
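
Review bot: 'retval = IS_ERR((void *)elf_entry) ? (int)elf_entry : -EINVAL' is only reached when BAD_ADDR(elf_entry) is true, so it depends on error values returned by load_elf_interp() also comparing >= TASK_SIZE, and it casts elf_entry to int. Both assumptions deserve a comment here, since the old 'Nobody gets to see this' remark is deleted and the reason for avoiding ENOEXEC lives only in the changelog.
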
@@ -944,8 +943,8 @@ static int load_elf_binary(struct linux_
 	} else {
 		elf_entry = loc->elf_ex.e_entry;
 		if (BAD_ADDR(elf_entry)) {
-			send_sig(SIGSEGV, current, 0);
-			retval = -ENOEXEC; /* Nobody gets to see this, but.. */
+			force_sig(SIGSEGV, current);
+			retval = -EINVAL;
 			goto out_free_dentry;
 		}
 	}
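
Review bot: the switch from send_sig(SIGSEGV, current, 0) to force_sig(SIGSEGV, current) and from -ENOEXEC to -EINVAL is explained only in the changelog (a SIG_IGN disposition, and search_binary_handler() retrying other handlers). With the old trailing comment deleted, please leave a short comment saying the address space is already torn down and the error code must not be ENOEXEC.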

--
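
The boundary case from the changelog of patch 23 above, as an added user-space C example that is not part of the patch or of the kernel source. It assumes a 32-bit address space with a constructed TASK_SIZE of 0xC0000000 and uses hypothetical helper names; it also shows why the range test in the patched condition is written as a subtraction.

```c
/* Added user-space model of the address checks in fs/binfmt_elf.c.
 * Assumptions: a 32-bit address space and a constructed TASK_SIZE of
 * 0xC0000000; helper and struct names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t uaddr_t;
#define TASK_SIZE ((uaddr_t)0xC0000000u)

/* BAD_ADDR() before the patch: TASK_SIZE itself passes as a good address. */
static int bad_addr_old(uaddr_t x) { return x > TASK_SIZE; }

/* BAD_ADDR() after the patch: TASK_SIZE is the first invalid address. */
static int bad_addr_new(uaddr_t x) { return x >= TASK_SIZE; }

/* Stand-in for the program-header fields the loader validates. */
struct segment {
	uaddr_t k;       /* load_addr + p_vaddr */
	uaddr_t filesz;  /* p_filesz */
	uaddr_t memsz;   /* p_memsz */
};

/* The segment test from the patch, parameterised on the BAD_ADDR variant.
 * Returns 1 when the segment must be rejected. */
static int segment_rejected(const struct segment *s, int (*bad_addr)(uaddr_t))
{
	return bad_addr(s->k) || s->filesz > s->memsz ||
	       s->memsz > TASK_SIZE || TASK_SIZE - s->memsz < s->k;
}

/* Naive end-address test, shown only for contrast (not kernel code):
 * k + memsz wraps modulo 2^32 and can land back below TASK_SIZE. */
static int segment_rejected_naive(const struct segment *s)
{
	uaddr_t end = s->k + s->memsz;

	return end > TASK_SIZE;
}

int main(void)
{
	/* Constructed sample inputs. */
	const struct segment at_limit = { TASK_SIZE, 0, 0 };
	const struct segment wrapping = { 0xB0000000u, 0x1000u, 0x60000000u };
	const struct segment ordinary = { 0x08048000u, 0x1000u, 0x2000u };

	printf("entry == TASK_SIZE: old bad=%d, new bad=%d\n",
	       bad_addr_old(TASK_SIZE), bad_addr_new(TASK_SIZE));
	printf("empty segment at TASK_SIZE: old rejects=%d, new rejects=%d\n",
	       segment_rejected(&at_limit, bad_addr_old),
	       segment_rejected(&at_limit, bad_addr_new));
	printf("wrapping segment: naive rejects=%d, subtraction rejects=%d\n",
	       segment_rejected_naive(&wrapping),
	       segment_rejected(&wrapping, bad_addr_new));
	printf("ordinary segment: new rejects=%d\n",
	       segment_rejected(&ordinary, bad_addr_new));
	return 0;
}
```
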


* [patch 24/37] uhci-hcd: fix list access bug
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (22 preceding siblings ...)
  2006-09-06 22:57   ` [patch 23/37] binfmt_elf: fix checks for bad address Greg KH
@ 2006-09-06 22:57   ` Greg KH
  2006-09-06 22:57   ` [patch 25/37] Silent data corruption caused by XPC Greg KH
                     ` (13 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:57 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	Duncan Sands, Alan Stern, Greg Kroah-Hartman

[-- Attachment #1: uhci-hcd-fix-list-access-bug.patch --]
[-- Type: text/plain, Size: 999 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Alan Stern <stern@rowland.harvard.edu>

When skipping to the last TD of an URB, go to the _last_ entry in the
list instead of the _first_ entry (as780).  This fixes Bugzilla #6747 and
possibly others.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/usb/host/uhci-q.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.17.11.orig/drivers/usb/host/uhci-q.c
+++ linux-2.6.17.11/drivers/usb/host/uhci-q.c
@@ -264,7 +264,7 @@ static void uhci_fixup_toggles(struct uh
 		 * need to change any toggles in this URB */
 		td = list_entry(urbp->td_list.next, struct uhci_td, list);
 		if (toggle > 1 || uhci_toggle(td_token(td)) == toggle) {
-			td = list_entry(urbp->td_list.next, struct uhci_td,
+			td = list_entry(urbp->td_list.prev, struct uhci_td,
 					list);
 			toggle = uhci_toggle(td_token(td)) ^ 1;
 
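
Review bot: after this change the two list_entry() calls differ only in td_list.next versus td_list.prev, which is the same slip that caused the bug. A comment on the changed line such as 'last TD of the URB', or a small helper for fetching the last TD, would make the intent visible.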

--


* [patch 25/37] Silent data corruption caused by XPC
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (23 preceding siblings ...)
  2006-09-06 22:57   ` [patch 24/37] uhci-hcd: fix list access bug Greg KH
@ 2006-09-06 22:57   ` Greg KH
  2006-09-06 22:57   ` [patch 26/37] PKTGEN: Make sure skb->{nh,h} are initialized in fill_packet_ipv6() too Greg KH
                     ` (12 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:57 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	Robin Holt, Dean Nelson, Jack Steiner, Tony Luck,
	Greg Kroah-Hartman

[-- Attachment #1: silent-data-corruption-caused-by-xpc.patch --]
[-- Type: text/plain, Size: 8508 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Robin Holt <holt@sgi.com>

Jack Steiner identified a problem where XPC can cause a silent
data corruption.  On module load, the placement may cause the
xpc_remote_copy_buffer to span two physical pages.  DMA transfers are
done to the start virtual address translated to physical.

This patch changes the buffer from a statically allocated buffer to a
kmalloc'd buffer.  Dean Nelson reviewed this before posting.  I have
tested it in the configuration that was showing the memory corruption
and verified it works.  I also added a BUG_ON statement to help catch
this if a similar situation is encountered.

Signed-off-by: Robin Holt <holt@sgi.com>
Signed-off-by: Dean Nelson <dcn@sgi.com>
Signed-off-by: Jack Steiner <steiner@sgi.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 arch/ia64/sn/kernel/xpc_channel.c   |    4 ++--
 arch/ia64/sn/kernel/xpc_main.c      |   28 ++++++++++++++++------------
 arch/ia64/sn/kernel/xpc_partition.c |   24 ++++++++----------------
 include/asm-ia64/sn/xp.h            |   22 ++++++++++++++++++----
 include/asm-ia64/sn/xpc.h           |    4 +++-
 5 files changed, 47 insertions(+), 35 deletions(-)

--- linux-2.6.17.11.orig/arch/ia64/sn/kernel/xpc_channel.c
+++ linux-2.6.17.11/arch/ia64/sn/kernel/xpc_channel.c
@@ -279,8 +279,8 @@ xpc_pull_remote_cachelines(struct xpc_pa
 		return part->reason;
 	}
 
-	bte_ret = xp_bte_copy((u64) src, (u64) ia64_tpa((u64) dst),
-				(u64) cnt, (BTE_NORMAL | BTE_WACQUIRE), NULL);
+	bte_ret = xp_bte_copy((u64) src, (u64) dst, (u64) cnt,
+					(BTE_NORMAL | BTE_WACQUIRE), NULL);
 	if (bte_ret == BTE_SUCCESS) {
 		return xpcSuccess;
 	}
--- linux-2.6.17.11.orig/arch/ia64/sn/kernel/xpc_main.c
+++ linux-2.6.17.11/arch/ia64/sn/kernel/xpc_main.c
@@ -1052,6 +1052,8 @@ xpc_do_exit(enum xpc_retval reason)
 	if (xpc_sysctl) {
 		unregister_sysctl_table(xpc_sysctl);
 	}
+
+	kfree(xpc_remote_copy_buffer_base);
 }
 
 
@@ -1212,24 +1214,20 @@ xpc_init(void)
 	partid_t partid;
 	struct xpc_partition *part;
 	pid_t pid;
+	size_t buf_size;
 
 
 	if (!ia64_platform_is("sn2")) {
 		return -ENODEV;
 	}
 
-	/*
-	 * xpc_remote_copy_buffer is used as a temporary buffer for bte_copy'ng
-	 * various portions of a partition's reserved page. Its size is based
-	 * on the size of the reserved page header and part_nasids mask. So we
-	 * need to ensure that the other items will fit as well.
-	 */
-	if (XPC_RP_VARS_SIZE > XPC_RP_HEADER_SIZE + XP_NASID_MASK_BYTES) {
-		dev_err(xpc_part, "xpc_remote_copy_buffer is not big enough\n");
-		return -EPERM;
-	}
-	DBUG_ON((u64) xpc_remote_copy_buffer !=
-				L1_CACHE_ALIGN((u64) xpc_remote_copy_buffer));
+
+	buf_size = max(XPC_RP_VARS_SIZE,
+				XPC_RP_HEADER_SIZE + XP_NASID_MASK_BYTES);
+	xpc_remote_copy_buffer = xpc_kmalloc_cacheline_aligned(buf_size,
+				     GFP_KERNEL, &xpc_remote_copy_buffer_base);
+	if (xpc_remote_copy_buffer == NULL)
+		return -ENOMEM;
 
 	snprintf(xpc_part->bus_id, BUS_ID_SIZE, "part");
 	snprintf(xpc_chan->bus_id, BUS_ID_SIZE, "chan");
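
Review bot: the deleted block comment was the only explanation of what xpc_remote_copy_buffer holds and why its size depends on XPC_RP_VARS_SIZE and XPC_RP_HEADER_SIZE + XP_NASID_MASK_BYTES, and the new max() computation has none. Keep a shortened version of that comment above the buf_size assignment. The DBUG_ON alignment assertion is also dropped, so alignment now rests entirely on xpc_kmalloc_cacheline_aligned(); say so in the changelog.
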
@@ -1293,6 +1291,8 @@ xpc_init(void)
 		if (xpc_sysctl) {
 			unregister_sysctl_table(xpc_sysctl);
 		}
+
+		kfree(xpc_remote_copy_buffer_base);
 		return -EBUSY;
 	}
 
@@ -1311,6 +1311,8 @@ xpc_init(void)
 		if (xpc_sysctl) {
 			unregister_sysctl_table(xpc_sysctl);
 		}
+
+		kfree(xpc_remote_copy_buffer_base);
 		return -EBUSY;
 	}
 
@@ -1362,6 +1364,8 @@ xpc_init(void)
 		if (xpc_sysctl) {
 			unregister_sysctl_table(xpc_sysctl);
 		}
+
+		kfree(xpc_remote_copy_buffer_base);
 		return -EBUSY;
 	}
 
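
Review bot: kfree(xpc_remote_copy_buffer_base) is now repeated by hand in three -EBUSY exits of xpc_init() as well as in xpc_do_exit(). A single unwind label for the xpc_init() error exits would ensure that a future early return cannot leak the buffer.
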
--- linux-2.6.17.11.orig/arch/ia64/sn/kernel/xpc_partition.c
+++ linux-2.6.17.11/arch/ia64/sn/kernel/xpc_partition.c
@@ -71,19 +71,15 @@ struct xpc_partition xpc_partitions[XP_M
  * Generic buffer used to store a local copy of portions of a remote
  * partition's reserved page (either its header and part_nasids mask,
  * or its vars).
- *
- * xpc_discovery runs only once and is a seperate thread that is
- * very likely going to be processing in parallel with receiving
- * interrupts.
  */
-char ____cacheline_aligned xpc_remote_copy_buffer[XPC_RP_HEADER_SIZE +
-							XP_NASID_MASK_BYTES];
+char *xpc_remote_copy_buffer;
+void *xpc_remote_copy_buffer_base;
 
 
 /*
  * Guarantee that the kmalloc'd memory is cacheline aligned.
  */
-static void *
+void *
 xpc_kmalloc_cacheline_aligned(size_t size, gfp_t flags, void **base)
 {
 	/* see if kmalloc will give us cachline aligned memory by default */
@@ -148,7 +144,7 @@ xpc_get_rsvd_page_pa(int nasid)
 			}
 		}
 
-		bte_res = xp_bte_copy(rp_pa, ia64_tpa(buf), buf_len,
+		bte_res = xp_bte_copy(rp_pa, buf, buf_len,
 					(BTE_NOTIFY | BTE_WACQUIRE), NULL);
 		if (bte_res != BTE_SUCCESS) {
 			dev_dbg(xpc_part, "xp_bte_copy failed %i\n", bte_res);
@@ -447,7 +443,7 @@ xpc_check_remote_hb(void)
 
 		/* pull the remote_hb cache line */
 		bres = xp_bte_copy(part->remote_vars_pa,
-					ia64_tpa((u64) remote_vars),
+					(u64) remote_vars,
 					XPC_RP_VARS_SIZE,
 					(BTE_NOTIFY | BTE_WACQUIRE), NULL);
 		if (bres != BTE_SUCCESS) {
@@ -498,8 +494,7 @@ xpc_get_remote_rp(int nasid, u64 *discov
 
 
 	/* pull over the reserved page header and part_nasids mask */
-
-	bres = xp_bte_copy(*remote_rp_pa, ia64_tpa((u64) remote_rp),
+	bres = xp_bte_copy(*remote_rp_pa, (u64) remote_rp,
 				XPC_RP_HEADER_SIZE + xp_nasid_mask_bytes,
 				(BTE_NOTIFY | BTE_WACQUIRE), NULL);
 	if (bres != BTE_SUCCESS) {
@@ -554,11 +549,8 @@ xpc_get_remote_vars(u64 remote_vars_pa, 
 		return xpcVarsNotSet;
 	}
 
-
 	/* pull over the cross partition variables */
-
-	bres = xp_bte_copy(remote_vars_pa, ia64_tpa((u64) remote_vars),
-				XPC_RP_VARS_SIZE,
+	bres = xp_bte_copy(remote_vars_pa, (u64) remote_vars, XPC_RP_VARS_SIZE,
 				(BTE_NOTIFY | BTE_WACQUIRE), NULL);
 	if (bres != BTE_SUCCESS) {
 		return xpc_map_bte_errors(bres);
@@ -1239,7 +1231,7 @@ xpc_initiate_partid_to_nasids(partid_t p
 
 	part_nasid_pa = (u64) XPC_RP_PART_NASIDS(part->remote_rp_pa);
 
-	bte_res = xp_bte_copy(part_nasid_pa, ia64_tpa((u64) nasid_mask),
+	bte_res = xp_bte_copy(part_nasid_pa, (u64) nasid_mask,
 			xp_nasid_mask_bytes, (BTE_NOTIFY | BTE_WACQUIRE), NULL);
 
 	return xpc_map_bte_errors(bte_res);
--- linux-2.6.17.11.orig/include/asm-ia64/sn/xp.h
+++ linux-2.6.17.11/include/asm-ia64/sn/xp.h
@@ -60,23 +60,37 @@
  * the bte_copy() once in the hope that the failure was due to a temporary
  * aberration (i.e., the link going down temporarily).
  *
- * See bte_copy for definition of the input parameters.
+ * 	src - physical address of the source of the transfer.
+ *	vdst - virtual address of the destination of the transfer.
+ *	len - number of bytes to transfer from source to destination.
+ *	mode - see bte_copy() for definition.
+ *	notification - see bte_copy() for definition.
  *
  * Note: xp_bte_copy() should never be called while holding a spinlock.
  */
 static inline bte_result_t
-xp_bte_copy(u64 src, u64 dest, u64 len, u64 mode, void *notification)
+xp_bte_copy(u64 src, u64 vdst, u64 len, u64 mode, void *notification)
 {
 	bte_result_t ret;
+	u64 pdst = ia64_tpa(vdst);
 
 
-	ret = bte_copy(src, dest, len, mode, notification);
+	/*
+	 * Ensure that the physically mapped memory is contiguous.
+	 *
+	 * We do this by ensuring that the memory is from region 7 only.
+	 * If the need should arise to use memory from one of the other
+	 * regions, then modify the BUG_ON() statement to ensure that the
+	 * memory from that region is always physically contiguous.
+	 */
+	BUG_ON(REGION_NUMBER(vdst) != RGN_KERNEL);
 
+	ret = bte_copy(src, pdst, len, mode, notification);
 	if (ret != BTE_SUCCESS) {
 		if (!in_interrupt()) {
 			cond_resched();
 		}
-		ret = bte_copy(src, dest, len, mode, notification);
+		ret = bte_copy(src, pdst, len, mode, notification);
 	}
 
 	return ret;
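
Review bot: xp_bte_copy() keeps the same (u64, u64, ...) prototype while its second argument changes meaning from a physical to a virtual address, so a caller that still wraps the destination in ia64_tpa() compiles cleanly and is caught, at best, by the BUG_ON at run time. Consider a pointer type for vdst so the compiler flags stale callers. 'u64 pdst = ia64_tpa(vdst)' is also evaluated before BUG_ON(REGION_NUMBER(vdst) != RGN_KERNEL); doing the translation after the check reads better. Minor: the 'src' line of the new parameter list is indented with a space plus tab, unlike the lines below it.
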
--- linux-2.6.17.11.orig/include/asm-ia64/sn/xpc.h
+++ linux-2.6.17.11/include/asm-ia64/sn/xpc.h
@@ -684,7 +684,9 @@ extern struct xpc_vars *xpc_vars;
 extern struct xpc_rsvd_page *xpc_rsvd_page;
 extern struct xpc_vars_part *xpc_vars_part;
 extern struct xpc_partition xpc_partitions[XP_MAX_PARTITIONS + 1];
-extern char xpc_remote_copy_buffer[];
+extern char *xpc_remote_copy_buffer;
+extern void *xpc_remote_copy_buffer_base;
+extern void *xpc_kmalloc_cacheline_aligned(size_t, gfp_t, void **);
 extern struct xpc_rsvd_page *xpc_rsvd_page_init(void);
 extern void xpc_allow_IPI_ops(void);
 extern void xpc_restrict_IPI_ops(void);

--


* [patch 26/37] PKTGEN: Make sure skb->{nh,h} are initialized in fill_packet_ipv6() too.
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (24 preceding siblings ...)
  2006-09-06 22:57   ` [patch 25/37] Silent data corruption caused by XPC Greg KH
@ 2006-09-06 22:57   ` Greg KH
  2006-09-06 22:57   ` [patch 27/37] PKTGEN: Fix oops when used with balance-tlb bonding Greg KH
                     ` (11 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:57 UTC (permalink / raw)
  To: linux-kernel, stable, bunk
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	cltien, David S. Miller, Greg Kroah-Hartman

[-- Attachment #1: pktgen-make-sure-skb-nh-h-are-initialized-in-fill_packet_ipv6-too.patch --]
[-- Type: text/plain, Size: 789 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: David S. Miller <davem@sunset.davemloft.net>

[PKTGEN]: Make sure skb->{nh,h} are initialized in fill_packet_ipv6() too.

Mirror the bug fix from fill_packet_ipv4()

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/core/pktgen.c |    2 ++
 1 file changed, 2 insertions(+)

--- linux-2.6.17.11.orig/net/core/pktgen.c
+++ linux-2.6.17.11/net/core/pktgen.c
@@ -2460,6 +2460,8 @@ static struct sk_buff *fill_packet_ipv6(
 	skb->protocol = protocol;
 	skb->dev = odev;
 	skb->pkt_type = PACKET_HOST;
+	skb->nh.ipv6h = iph;
+	skb->h.uh = udph;
 
 	if (pkt_dev->nfrags <= 0)
 		pgh = (struct pktgen_hdr *)skb_put(skb, datalen);
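
Review bot: the changelog says these two assignments mirror the fix from fill_packet_ipv4(), but that fix is patch 27/37, which comes after this one in the series, and this changelog does not say what fails when skb->nh and skb->h are left unset. Reorder the two patches or reference the ipv4 fix explicitly, and state the failure in the commit message.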

--


* [patch 27/37] PKTGEN: Fix oops when used with balance-tlb bonding
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (25 preceding siblings ...)
  2006-09-06 22:57   ` [patch 26/37] PKTGEN: Make sure skb->{nh,h} are initialized in fill_packet_ipv6() too Greg KH
@ 2006-09-06 22:57   ` Greg KH
  2006-09-06 22:57   ` [patch 28/37] Missing PCI id update for VIA IDE Greg KH
                     ` (10 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:57 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	Chen-Li Tien, David Miller, Adrian Bunk

[-- Attachment #1: pktgen-fix-oops-when-used-with-balance-tlb-bonding.patch --]
[-- Type: text/plain, Size: 736 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Chen-Li Tien <cltien@gmail.com>

Signed-off-by: Chen-Li Tien <cltien@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>


---
 net/core/pktgen.c |    2 ++
 1 file changed, 2 insertions(+)

--- linux-2.6.17.11.orig/net/core/pktgen.c
+++ linux-2.6.17.11/net/core/pktgen.c
@@ -2149,6 +2149,8 @@ static struct sk_buff *fill_packet_ipv4(
 	skb->mac.raw = ((u8 *) iph) - 14 - pkt_dev->nr_labels*sizeof(u32);
 	skb->dev = odev;
 	skb->pkt_type = PACKET_HOST;
+	skb->nh.iph = iph;
+	skb->h.uh = udph;
 
 	if (pkt_dev->nfrags <= 0)
 		pgh = (struct pktgen_hdr *)skb_put(skb, datalen);
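
Review bot: the patch has no changelog body, so nothing records why setting skb->nh.iph and skb->h.uh fixes the balance-tlb bonding oops named in the subject. Add a sentence saying which consumer reads these fields, and a comment at the two assignments if that dependency is not obvious from the surrounding code.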

--


* [patch 28/37] Missing PCI id update for VIA IDE
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (26 preceding siblings ...)
  2006-09-06 22:57   ` [patch 27/37] PKTGEN: Fix oops when used with balance-tlb bonding Greg KH
@ 2006-09-06 22:57   ` Greg KH
  2006-09-06 23:33     ` [-stable patch] pci_ids.h: add some VIA IDE identifiers Adrian Bunk
  2006-09-06 22:57   ` [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0 Greg KH
                     ` (9 subsequent siblings)
  37 siblings, 1 reply; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:57 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	Greg Kroah-Hartman

[-- Attachment #1: missing-pci-id-update-for-via-ide.patch --]
[-- Type: text/plain, Size: 1768 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Alan Cox <alan@lxorguk.ukuu.org.uk>


The following change from -mm is important to 2.6.18 (actually to 2.6.17
but it's too late for that). This was contributed over three months ago
by VIA to Bartlomiej and nothing happened. As a result the new chipset
is now out and Linux won't run on it. By the time 2.6.18 is finalised
this will be the de facto standard VIA chipset so support would be a good
plan.

Tested in -mm for a while, it's essentially a PCI ident update but for
the bridge chip because VIA do things in weird ways.


Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>


---
 drivers/ide/pci/via82cxxx.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- linux-2.6.17.11.orig/drivers/ide/pci/via82cxxx.c
+++ linux-2.6.17.11/drivers/ide/pci/via82cxxx.c
@@ -6,7 +6,7 @@
  *
  *   vt82c576, vt82c586, vt82c586a, vt82c586b, vt82c596a, vt82c596b,
  *   vt82c686, vt82c686a, vt82c686b, vt8231, vt8233, vt8233c, vt8233a,
- *   vt8235, vt8237
+ *   vt8235, vt8237, vt8237a
  *
  * Copyright (c) 2000-2002 Vojtech Pavlik
  *
@@ -82,6 +82,7 @@ static struct via_isa_bridge {
 	{ "vt6410",	PCI_DEVICE_ID_VIA_6410,     0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
 	{ "vt8251",	PCI_DEVICE_ID_VIA_8251,     0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
 	{ "vt8237",	PCI_DEVICE_ID_VIA_8237,     0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
+	{ "vt8237a",	PCI_DEVICE_ID_VIA_8237A,    0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
 	{ "vt8235",	PCI_DEVICE_ID_VIA_8235,     0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
 	{ "vt8233a",	PCI_DEVICE_ID_VIA_8233A,    0x00, 0x2f, VIA_UDMA_133 | VIA_BAD_AST },
 	{ "vt8233c",	PCI_DEVICE_ID_VIA_8233C_0,  0x00, 0x2f, VIA_UDMA_100 },
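Review bot: PCI_DEVICE_ID_VIA_8237A in the new "vt8237a" row is not defined anywhere in this patch, whose diffstat touches only drivers/ide/pci/via82cxxx.c. Unless the target tree already carries that define in pci_ids.h, the driver will not build; add the define in the same patch or name the prerequisite commit in the changelog.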

--

^ permalink raw reply	[flat|nested] 58+ messages in thread

* [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (27 preceding siblings ...)
  2006-09-06 22:57   ` [patch 28/37] Missing PCI id update for VIA IDE Greg KH
@ 2006-09-06 22:57   ` Greg KH
  2006-09-07 12:57     ` Marcel Holtmann
  2006-09-08 12:58     ` Michael Krufky
  2006-09-06 22:57   ` [patch 30/37] Remove redundant up() in stop_machine() Greg KH
                     ` (8 subsequent siblings)
  37 siblings, 2 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:57 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	Ang Way Chuang, Greg Kroah-Hartman

[-- Attachment #1: dvb-core-proper-handling-ule-sndu-length-of-0.patch --]
[-- Type: text/plain, Size: 1369 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Ang Way Chuang <wcang@nrg.cs.usm.my>

ULE (Unidirectional Lightweight Encapsulation, RFC 4326) decapsulation
code has a bug that allows an attacker to send a malformed ULE packet
with SNDU length of 0 and bring down the receiving machine. This patch
fixes the bug and has been tested on version 2.6.17.11. This bug is 100%
reproducible and the modified source code (GPL) used to produce this bug
will be posted on http://nrg.cs.usm.my/downloads.htm shortly.  The
kernel will produce a dump during CRC32 checking on a faulty ULE packet.


Signed-off-by: Ang Way Chuang <wcang@nrg.cs.usm.my>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/media/dvb/dvb-core/dvb_net.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- linux-2.6.17.11.orig/drivers/media/dvb/dvb-core/dvb_net.c
+++ linux-2.6.17.11/drivers/media/dvb/dvb-core/dvb_net.c
@@ -492,7 +492,8 @@ static void dvb_net_ule( struct net_devi
 				} else
 					priv->ule_dbit = 0;
 
-				if (priv->ule_sndu_len > 32763) {
+				if (priv->ule_sndu_len > 32763 ||
+				    priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)) {
 					printk(KERN_WARNING "%lu: Invalid ULE SNDU length %u. "
 					       "Resyncing.\n", priv->ts_count, priv->ule_sndu_len);
 					priv->ule_sndu_len = 0;
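Review bot: The lower bound in the new condition uses a bare 4 in both arms of the ternary, with nothing saying what it stands for (presumably the CRC32 trailer the changelog refers to). A named constant or a one-line comment above the test would make it clear why the minimum is 4 with the D bit set and 4 + ETH_ALEN without it. Since the changelog says a remote sender can reach this branch at will, the printk(KERN_WARNING ...) that follows is also worth rate limiting, for example with net_ratelimit(), so malformed traffic cannot flood the log.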

--

^ permalink raw reply	[flat|nested] 58+ messages in thread
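A stand-alone illustration of the SNDU length bounds enforced by the dvb_net.c hunk above; this is an added example, not code from the kernel or from the patch author. The names ule_parse_header, struct ule_hdr and the ULE_* constants are hypothetical, the header layout (D bit, 15-bit length, 16-bit type) follows RFC 4326, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; the values mirror the bounds in the patched check. */
#define ULE_CRC_LEN       4u      /* CRC-32 trailer carried by every SNDU */
#define ULE_DEST_LEN      6u      /* destination address (ETH_ALEN), present when D = 0 */
#define ULE_MAX_SNDU_LEN  32763u  /* upper bound already present before the patch */

enum ule_status {
	ULE_OK            =  0,
	ULE_ERR_TRUNCATED = -1,   /* fewer than 4 header bytes available */
	ULE_ERR_TOO_LONG  = -2,   /* length field above ULE_MAX_SNDU_LEN */
	ULE_ERR_TOO_SHORT = -3,   /* no room for destination address and CRC */
};

struct ule_hdr {
	unsigned dbit;         /* 1: destination address absent */
	uint16_t sndu_len;     /* bytes following the Type field, CRC included */
	uint16_t type;
	uint16_t payload_len;  /* bytes left once address and CRC are accounted for */
};

/* Smallest legal length: the CRC alone, or address plus CRC when D = 0. */
static uint16_t ule_min_len(unsigned dbit)
{
	return (uint16_t)(dbit ? ULE_CRC_LEN : ULE_CRC_LEN + ULE_DEST_LEN);
}

/* What a decapsulator computes if it trusts the length field as received. */
static uint16_t ule_payload_len_unchecked(uint16_t sndu_len, unsigned dbit)
{
	return (uint16_t)(sndu_len - ule_min_len(dbit));
}

/* Parse the 4-byte SNDU base header and apply both bounds before use. */
static int ule_parse_header(const uint8_t *buf, size_t avail, struct ule_hdr *out)
{
	uint16_t word;

	if (avail < 4)
		return ULE_ERR_TRUNCATED;

	word = (uint16_t)((buf[0] << 8) | buf[1]);
	out->dbit = word >> 15;
	out->sndu_len = word & 0x7FFF;
	out->type = (uint16_t)((buf[2] << 8) | buf[3]);
	out->payload_len = 0;

	if (out->sndu_len > ULE_MAX_SNDU_LEN)
		return ULE_ERR_TOO_LONG;
	if (out->sndu_len < ule_min_len(out->dbit))
		return ULE_ERR_TOO_SHORT;   /* the case the patch adds */

	out->payload_len = ule_payload_len_unchecked(out->sndu_len, out->dbit);
	return ULE_OK;
}

int main(void)
{
	/* Constructed sample headers: D bit + length, then type 0x0800. */
	static const uint8_t samples[][4] = {
		{ 0x00, 0x00, 0x08, 0x00 },  /* D=0, length 0 (the malformed case) */
		{ 0x80, 0x04, 0x08, 0x00 },  /* D=1, length 4: CRC only */
		{ 0x00, 0x04, 0x08, 0x00 },  /* D=0, length 4: no room for address */
		{ 0x00, 0x0A, 0x08, 0x00 },  /* D=0, length 10: address + CRC */
		{ 0x7F, 0xFC, 0x08, 0x00 },  /* D=0, length 32764: too long */
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		struct ule_hdr h;
		int rc = ule_parse_header(samples[i], 4, &h);

		printf("D=%u len=%u -> status %d, payload %u (unchecked %u)\n",
		       h.dbit, (unsigned)h.sndu_len, rc, (unsigned)h.payload_len,
		       (unsigned)ule_payload_len_unchecked(h.sndu_len, h.dbit));
	}
	return 0;
}
```

In this sketch a length of 0 with D = 0 makes the unchecked payload size wrap to 65526, which is the kind of value the added lower bound keeps away from the later processing.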

* [patch 30/37] Remove redundant up() in stop_machine()
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (28 preceding siblings ...)
  2006-09-06 22:57   ` [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0 Greg KH
@ 2006-09-06 22:57   ` Greg KH
  2006-09-06 22:57   ` [patch 31/37] dm: Fix deadlock under high i/o load in raid1 setup Greg KH
                     ` (7 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:57 UTC (permalink / raw)
  To: linux-kernel, stable, torvalds
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, akpm, alan,
	yingchao.zhou, Greg Kroah-Hartman

[-- Attachment #1: remove-redundant-up-in-stop_machine.patch --]
[-- Type: text/plain, Size: 751 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: "Yingchao Zhou" <yingchao.zhou@gmail.com>

An up() is called in kernel/stop_machine.c on failure, and also in the
caller (unconditionally).

Signed-off-by: Zhou Yingchao <yingchao.zhou@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 kernel/stop_machine.c |    1 -
 1 file changed, 1 deletion(-)

--- linux-2.6.17.11.orig/kernel/stop_machine.c
+++ linux-2.6.17.11/kernel/stop_machine.c
@@ -111,7 +111,6 @@ static int stop_machine(void)
 	/* If some failed, kill them all. */
 	if (ret < 0) {
 		stopmachine_set_state(STOPMACHINE_EXIT);
-		up(&stopmachine_mutex);
 		return ret;
 	}
 
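Review bot: With the up() gone from the ret < 0 branch, nothing at this site says who releases stopmachine_mutex. A short comment here or at the function header, stating that the caller drops the mutex on both success and failure, would keep the double release from being reintroduced.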

--

^ permalink raw reply	[flat|nested] 58+ messages in thread

* [patch 31/37] dm: Fix deadlock under high i/o load in raid1 setup.
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (29 preceding siblings ...)
  2006-09-06 22:57   ` [patch 30/37] Remove redundant up() in stop_machine() Greg KH
@ 2006-09-06 22:57   ` Greg KH
  2006-09-06 22:57   ` [patch 32/37] sky2: accept flow control Greg KH
                     ` (6 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:57 UTC (permalink / raw)
  To: linux-kernel, stable, torvalds
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, akpm, alan, kobras, agk,
	Greg Kroah-Hartman

[-- Attachment #1: dm-fix-deadlock-under-high-i-o-load-in-raid1-setup.patch --]
[-- Type: text/plain, Size: 2560 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Daniel Kobras <kobras@linux.de>

On an nForce4-equipped machine with two SATA disks in a raid1 setup using dmraid,
we experienced frequent deadlocks of the system under high i/o load.  'cat
/dev/zero > ~/zero' was the most reliable way to reproduce them: Randomly
after a few GB, 'cp' would be left in 'D' state along with kjournald and
kmirrord.  The functions cp and kjournald were blocked in did vary, but
kmirrord's wchan always pointed to 'mempool_alloc()'.  We've seen this pattern
on 2.6.15 and 2.6.17 kernels.  http://lkml.org/lkml/2005/4/20/142 indicates
that this problem has been around even before.

So much for the facts, here's my interpretation: mempool_alloc() first tries
to atomically allocate the requested memory, or falls back to hand out
preallocated chunks from the mempool.  If both fail, it puts the calling
process (kmirrord in this case) on a private waitqueue until somebody refills
the pool.  Where the only 'somebody' is kmirrord itself, so we have a
deadlock.

I worked around this problem by falling back to a (blocking) kmalloc when
before kmirrord would have ended up on the waitqueue.  This defeats part of
the benefits of using the mempool, but at least keeps the system running.  And
it could be done with a two-line change.  Note that mempool_alloc() clears the
GFP_NOIO flag internally, and only uses it to decide whether to wait or return
an error if immediate allocation fails, so the attached patch doesn't change
behaviour in the non-deadlocking case.  Patch is against current git
(2.6.18-rc4), but should apply to earlier versions as well.  I've tested on
2.6.15, where this patch makes the difference between random lockup and a
stable system.

Signed-off-by: Daniel Kobras <kobras@linux.de>
Acked-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/md/dm-raid1.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- linux-2.6.17.11.orig/drivers/md/dm-raid1.c
+++ linux-2.6.17.11/drivers/md/dm-raid1.c
@@ -253,7 +253,9 @@ static struct region *__rh_alloc(struct 
 	struct region *reg, *nreg;
 
 	read_unlock(&rh->hash_lock);
-	nreg = mempool_alloc(rh->region_pool, GFP_NOIO);
+	nreg = mempool_alloc(rh->region_pool, GFP_ATOMIC);
+	if (unlikely(!nreg))
+		nreg = kmalloc(sizeof(struct region), GFP_NOIO);
 	nreg->state = rh->log->type->in_sync(rh->log, region, 1) ?
 		RH_CLEAN : RH_NOSYNC;
 	nreg->rh = rh;
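Review bot: nreg is dereferenced on the very next line (nreg->state = ...) with no check that the kmalloc() fallback succeeded. mempool_alloc() with GFP_ATOMIC can return NULL, which is why the fallback exists, but kmalloc(..., GFP_NOIO) can fail too, and a NULL here becomes an oops in __rh_alloc(). Handle the failure explicitly and add a comment explaining why the pool's waiting behaviour is bypassed; it is also worth confirming that the path that frees a region copes with an object that did not come from rh->region_pool.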

--

^ permalink raw reply	[flat|nested] 58+ messages in thread

* [patch 32/37] sky2: accept flow control
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (30 preceding siblings ...)
  2006-09-06 22:57   ` [patch 31/37] dm: Fix deadlock under high i/o load in raid1 setup Greg KH
@ 2006-09-06 22:57   ` Greg KH
  2006-09-06 22:57   ` [patch 33/37] sky2: clear status IRQ after empty Greg KH
                     ` (5 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:57 UTC (permalink / raw)
  To: linux-kernel, stable, Jeff Garzik
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	netdev, Stephen Hemminger, Greg Kroah-Hartman

[-- Attachment #1: sky2-pause-fixes.patch --]
[-- Type: text/plain, Size: 794 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <shemminger@osdl.org>

Don't program the GMAC to reject flow control packets.
This may be the cause of some of the transmit hangs.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/net/sky2.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.17.11.orig/drivers/net/sky2.h
+++ linux-2.6.17.11/drivers/net/sky2.h
@@ -1566,7 +1566,7 @@ enum {
 
 	GMR_FS_ANY_ERR	= GMR_FS_RX_FF_OV | GMR_FS_CRC_ERR |
 			  GMR_FS_FRAGMENT | GMR_FS_LONG_ERR |
-		  	  GMR_FS_MII_ERR | GMR_FS_BAD_FC | GMR_FS_GOOD_FC |
+		  	  GMR_FS_MII_ERR | GMR_FS_BAD_FC |
 			  GMR_FS_UN_SIZE | GMR_FS_JABBER,
 };
 
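Review bot: Nothing in the enum records that GMR_FS_GOOD_FC is left out of GMR_FS_ANY_ERR on purpose, so a later cleanup could put it back. Add a one-line comment above GMR_FS_ANY_ERR saying that good flow-control frames are not treated as receive errors. The new line also carries over the spaces-before-tab indentation of the line it replaces.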

--

^ permalink raw reply	[flat|nested] 58+ messages in thread

* [patch 33/37] sky2: clear status IRQ after empty
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (31 preceding siblings ...)
  2006-09-06 22:57   ` [patch 32/37] sky2: accept flow control Greg KH
@ 2006-09-06 22:57   ` Greg KH
  2006-09-06 22:57   ` [patch 34/37] sky2: use dev_alloc_skb for receive buffers Greg KH
                     ` (4 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:57 UTC (permalink / raw)
  To: linux-kernel, stable, Jeff Garzik
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	netdev, Stephen Hemminger, Greg Kroah-Hartman

[-- Attachment #1: sky2-status-clr.patch --]
[-- Type: text/plain, Size: 1023 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <shemminger@osdl.org>

Don't clear status IRQ until list has been read to avoid causing
status list wraparound. Clearing IRQ forces a Transmit Status update
if it is pending.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/net/sky2.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- linux-2.6.17.11.orig/drivers/net/sky2.c
+++ linux-2.6.17.11/drivers/net/sky2.c
@@ -2016,6 +2016,9 @@ static int sky2_status_intr(struct sky2_
 		}
 	}
 
+	/* Fully processed status ring so clear irq */
+	sky2_write32(hw, STAT_CTRL, SC_STAT_CLR_IRQ);
+
 exit_loop:
 	return work_done;
 }
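Review bot: Because the new sky2_write32(hw, STAT_CTRL, SC_STAT_CLR_IRQ) sits above the exit_loop: label, any path that jumps to exit_loop returns without clearing the IRQ. That matches the changelog, but the comment should say so explicitly (the clear is reached only when the ring was drained, early exits leave the IRQ set), because the placement relative to the label is the whole fix. The clear also no longer depends on Y2_IS_STAT_BMU, as the code removed from sky2_poll() did.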
@@ -2218,9 +2221,6 @@ static int sky2_poll(struct net_device *
 	*budget -= work_done;
 	dev0->quota -= work_done;
 
-	if (status & Y2_IS_STAT_BMU)
-		sky2_write32(hw, STAT_CTRL, SC_STAT_CLR_IRQ);
-
 	if (sky2_more_work(hw))
 		return 1;
 

--

^ permalink raw reply	[flat|nested] 58+ messages in thread

* [patch 34/37] sky2: use dev_alloc_skb for receive buffers
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (32 preceding siblings ...)
  2006-09-06 22:57   ` [patch 33/37] sky2: clear status IRQ after empty Greg KH
@ 2006-09-06 22:57   ` Greg KH
  2006-09-06 22:58   ` [patch 35/37] sky2: MSI test timing Greg KH
                     ` (3 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:57 UTC (permalink / raw)
  To: linux-kernel, stable, Jeff Garzik
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	netdev, Stephen Hemminger, Greg Kroah-Hartman

[-- Attachment #1: sky2-dev-alloc.patch --]
[-- Type: text/plain, Size: 1472 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <shemminger@osdl.org>

Several code paths assume an additional 16 bytes of header padding
on the receive path. Use dev_alloc_skb to get that padding.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/net/sky2.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- linux-2.6.17.11.orig/drivers/net/sky2.c
+++ linux-2.6.17.11/drivers/net/sky2.c
@@ -949,14 +949,14 @@ static void sky2_vlan_rx_kill_vid(struct
 /*
  * It appears the hardware has a bug in the FIFO logic that
  * cause it to hang if the FIFO gets overrun and the receive buffer
- * is not aligned. ALso alloc_skb() won't align properly if slab
+ * is not aligned. Also dev_alloc_skb() won't align properly if slab
  * debugging is enabled.
  */
 static inline struct sk_buff *sky2_alloc_skb(unsigned int size, gfp_t gfp_mask)
 {
 	struct sk_buff *skb;
 
-	skb = alloc_skb(size + RX_SKB_ALIGN, gfp_mask);
+	skb = __dev_alloc_skb(size + RX_SKB_ALIGN, gfp_mask);
 	if (likely(skb)) {
 		unsigned long p	= (unsigned long) skb->data;
 		skb_reserve(skb, ALIGN(p, RX_SKB_ALIGN) - p);
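Review bot: The updated comment now names dev_alloc_skb() while the code calls __dev_alloc_skb(), and neither mentions the 16 bytes of header padding that the changelog gives as the reason for the switch. Say in the comment that the dev variant is used for its headroom, so the call is not reverted to alloc_skb() later.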
@@ -1855,7 +1855,7 @@ static struct sk_buff *sky2_receive(stru
 		goto oversize;
 
 	if (length < copybreak) {
-		skb = alloc_skb(length + 2, GFP_ATOMIC);
+		skb = dev_alloc_skb(length + 2);
 		if (!skb)
 			goto resubmit;
 

--

^ permalink raw reply	[flat|nested] 58+ messages in thread

* [patch 35/37] sky2: MSI test timing
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (33 preceding siblings ...)
  2006-09-06 22:57   ` [patch 34/37] sky2: use dev_alloc_skb for receive buffers Greg KH
@ 2006-09-06 22:58   ` Greg KH
  2006-09-06 22:58   ` [patch 36/37] sky2: fix fiber support Greg KH
                     ` (2 subsequent siblings)
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:58 UTC (permalink / raw)
  To: linux-kernel, stable, Jeff Garzik
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	netdev, Stephen Hemminger, Greg Kroah-Hartman

[-- Attachment #1: sky2-post-bug.patch --]
[-- Type: text/plain, Size: 1119 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <shemminger@osdl.org>

The test for MSI IRQ could have timing issues. The PCI write needs to be 
pushed out before waiting, and the wait queue should be initialized before
the IRQ.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/net/sky2.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- linux-2.6.17.11.orig/drivers/net/sky2.c
+++ linux-2.6.17.11/drivers/net/sky2.c
@@ -3184,6 +3184,8 @@ static int __devinit sky2_test_msi(struc
 	struct pci_dev *pdev = hw->pdev;
 	int err;
 
+	init_waitqueue_head (&hw->msi_wait);
+
 	sky2_write32(hw, B0_IMSK, Y2_IS_IRQ_SW);
 
 	err = request_irq(pdev->irq, sky2_test_intr, SA_SHIRQ, DRV_NAME, hw);
@@ -3193,10 +3195,8 @@ static int __devinit sky2_test_msi(struc
 		return err;
 	}
 
-	init_waitqueue_head (&hw->msi_wait);
-
 	sky2_write8(hw, B0_CTST, CS_ST_SW_IRQ);
-	wmb();
+	sky2_read8(hw, B0_CTST);
 
 	wait_event_timeout(hw->msi_wait, hw->msi_detected, HZ/10);
 
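Review bot: The sky2_read8(hw, B0_CTST) that replaces wmb() discards its result, so without a comment it reads as dead code. Add a note that the read-back is there to push out the posted write of CS_ST_SW_IRQ before wait_event_timeout() starts its HZ/10 wait.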

--

^ permalink raw reply	[flat|nested] 58+ messages in thread

* [patch 36/37] sky2: fix fiber support
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (34 preceding siblings ...)
  2006-09-06 22:58   ` [patch 35/37] sky2: MSI test timing Greg KH
@ 2006-09-06 22:58   ` Greg KH
  2006-09-06 22:58   ` [patch 37/37] sky2: version 1.6.1 Greg KH
  2006-09-06 23:33   ` [patch 00/37] -stable review Adrian Bunk
  37 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:58 UTC (permalink / raw)
  To: linux-kernel, stable, Jeff Garzik
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	netdev, Stephen Hemminger, Greg Kroah-Hartman

[-- Attachment #1: sky2-fiber.patch --]
[-- Type: text/plain, Size: 7295 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <shemminger@osdl.org>

Fix support for fiber based devices.  Needed to keep track of PMD type to
add workaround in setup. Add support for gigabit half duplex fiber.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/net/sky2.c |   81 ++++++++++++++++++++++++++++++++---------------------
 drivers/net/sky2.h |   15 +++++++++
 2 files changed, 63 insertions(+), 33 deletions(-)

--- linux-2.6.17.11.orig/drivers/net/sky2.c
+++ linux-2.6.17.11/drivers/net/sky2.c
@@ -321,7 +321,7 @@ static void sky2_phy_init(struct sky2_hw
 	}
 
 	ctrl = gm_phy_read(hw, port, PHY_MARV_PHY_CTRL);
-	if (hw->copper) {
+	if (sky2_is_copper(hw)) {
 		if (hw->chip_id == CHIP_ID_YUKON_FE) {
 			/* enable automatic crossover */
 			ctrl |= PHY_M_PC_MDI_XMODE(PHY_M_PC_ENA_AUTO) >> 1;
@@ -338,25 +338,37 @@ static void sky2_phy_init(struct sky2_hw
 				ctrl |= PHY_M_PC_DSC(2) | PHY_M_PC_DOWN_S_ENA;
 			}
 		}
-		gm_phy_write(hw, port, PHY_MARV_PHY_CTRL, ctrl);
 	} else {
 		/* workaround for deviation #4.88 (CRC errors) */
 		/* disable Automatic Crossover */
 
 		ctrl &= ~PHY_M_PC_MDIX_MSK;
-		gm_phy_write(hw, port, PHY_MARV_PHY_CTRL, ctrl);
+	}
 
-		if (hw->chip_id == CHIP_ID_YUKON_XL) {
-			/* Fiber: select 1000BASE-X only mode MAC Specific Ctrl Reg. */
-			gm_phy_write(hw, port, PHY_MARV_EXT_ADR, 2);
-			ctrl = gm_phy_read(hw, port, PHY_MARV_PHY_CTRL);
-			ctrl &= ~PHY_M_MAC_MD_MSK;
-			ctrl |= PHY_M_MAC_MODE_SEL(PHY_M_MAC_MD_1000BX);
-			gm_phy_write(hw, port, PHY_MARV_PHY_CTRL, ctrl);
+	gm_phy_write(hw, port, PHY_MARV_PHY_CTRL, ctrl);
+
+	/* special setup for PHY 88E1112 Fiber */
+	if (hw->chip_id == CHIP_ID_YUKON_XL && !sky2_is_copper(hw)) {
+		pg = gm_phy_read(hw, port, PHY_MARV_EXT_ADR);
 
+		/* Fiber: select 1000BASE-X only mode MAC Specific Ctrl Reg. */
+		gm_phy_write(hw, port, PHY_MARV_EXT_ADR, 2);
+		ctrl = gm_phy_read(hw, port, PHY_MARV_PHY_CTRL);
+		ctrl &= ~PHY_M_MAC_MD_MSK;
+		ctrl |= PHY_M_MAC_MODE_SEL(PHY_M_MAC_MD_1000BX);
+		gm_phy_write(hw, port, PHY_MARV_PHY_CTRL, ctrl);
+
+		if (hw->pmd_type  == 'P') {
 			/* select page 1 to access Fiber registers */
 			gm_phy_write(hw, port, PHY_MARV_EXT_ADR, 1);
+
+			/* for SFP-module set SIGDET polarity to low */
+			ctrl = gm_phy_read(hw, port, PHY_MARV_PHY_CTRL);
+			ctrl |= PHY_M_FIB_SIGD_POL;
+			gm_phy_write(hw, port, PHY_MARV_CTRL, ctrl);
 		}
+
+		gm_phy_write(hw, port, PHY_MARV_EXT_ADR, pg);
 	}
 
 	ctrl = gm_phy_read(hw, port, PHY_MARV_CTRL);
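Review bot: In the pmd_type == 'P' block, ctrl is read from PHY_MARV_PHY_CTRL and has PHY_M_FIB_SIGD_POL set, but is then written to PHY_MARV_CTRL. The sky2.h hunk in this patch documents PHY_M_FIB_SIGD_POL as a PHY_MARV_PHY_CTRL (page 1) bit, so the write looks like it targets the wrong register and should be gm_phy_write(hw, port, PHY_MARV_PHY_CTRL, ctrl). The hunk also starts using pg without a declaration in the visible lines; make sure it is declared in sky2_phy_init().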
@@ -373,7 +385,7 @@ static void sky2_phy_init(struct sky2_hw
 	adv = PHY_AN_CSMA;
 
 	if (sky2->autoneg == AUTONEG_ENABLE) {
-		if (hw->copper) {
+		if (sky2_is_copper(hw)) {
 			if (sky2->advertising & ADVERTISED_1000baseT_Full)
 				ct1000 |= PHY_M_1000C_AFD;
 			if (sky2->advertising & ADVERTISED_1000baseT_Half)
@@ -386,8 +398,12 @@ static void sky2_phy_init(struct sky2_hw
 				adv |= PHY_M_AN_10_FD;
 			if (sky2->advertising & ADVERTISED_10baseT_Half)
 				adv |= PHY_M_AN_10_HD;
-		} else		/* special defines for FIBER (88E1011S only) */
-			adv |= PHY_M_AN_1000X_AHD | PHY_M_AN_1000X_AFD;
+		} else {	/* special defines for FIBER (88E1040S only) */
+			if (sky2->advertising & ADVERTISED_1000baseT_Full)
+				adv |= PHY_M_AN_1000X_AFD;
+			if (sky2->advertising & ADVERTISED_1000baseT_Half)
+				adv |= PHY_M_AN_1000X_AHD;
+		}
 
 		/* Set Flow-control capabilities */
 		if (sky2->tx_pause && sky2->rx_pause)
@@ -1497,7 +1513,7 @@ static int sky2_down(struct net_device *
 
 static u16 sky2_phy_speed(const struct sky2_hw *hw, u16 aux)
 {
-	if (!hw->copper)
+	if (!sky2_is_copper(hw))
 		return SPEED_1000;
 
 	if (hw->chip_id == CHIP_ID_YUKON_FE)
@@ -2287,7 +2303,7 @@ static inline u32 sky2_clk2us(const stru
 static int __devinit sky2_reset(struct sky2_hw *hw)
 {
 	u16 status;
-	u8 t8, pmd_type;
+	u8 t8;
 	int i;
 
 	sky2_write8(hw, B0_CTST, CS_RST_CLR);
@@ -2333,9 +2349,7 @@ static int __devinit sky2_reset(struct s
 		sky2_pci_write32(hw, PEX_UNC_ERR_STAT, 0xffffffffUL);
 
 
-	pmd_type = sky2_read8(hw, B2_PMD_TYP);
-	hw->copper = !(pmd_type == 'L' || pmd_type == 'S');
-
+	hw->pmd_type = sky2_read8(hw, B2_PMD_TYP);
 	hw->ports = 1;
 	t8 = sky2_read8(hw, B2_Y2_HW_RES);
 	if ((t8 & CFG_DUAL_MAC_MSK) == CFG_DUAL_MAC_MSK) {
@@ -2432,21 +2446,22 @@ static int __devinit sky2_reset(struct s
 
 static u32 sky2_supported_modes(const struct sky2_hw *hw)
 {
-	u32 modes;
-	if (hw->copper) {
-		modes = SUPPORTED_10baseT_Half
-		    | SUPPORTED_10baseT_Full
-		    | SUPPORTED_100baseT_Half
-		    | SUPPORTED_100baseT_Full
-		    | SUPPORTED_Autoneg | SUPPORTED_TP;
+	if (sky2_is_copper(hw)) {
+		u32 modes = SUPPORTED_10baseT_Half
+			| SUPPORTED_10baseT_Full
+			| SUPPORTED_100baseT_Half
+			| SUPPORTED_100baseT_Full
+			| SUPPORTED_Autoneg | SUPPORTED_TP;
 
 		if (hw->chip_id != CHIP_ID_YUKON_FE)
 			modes |= SUPPORTED_1000baseT_Half
-			    | SUPPORTED_1000baseT_Full;
+				| SUPPORTED_1000baseT_Full;
+		return modes;
 	} else
-		modes = SUPPORTED_1000baseT_Full | SUPPORTED_FIBRE
-		    | SUPPORTED_Autoneg;
-	return modes;
+		return  SUPPORTED_1000baseT_Half
+			| SUPPORTED_1000baseT_Full
+			| SUPPORTED_Autoneg
+			| SUPPORTED_FIBRE;
 }
 
 static int sky2_get_settings(struct net_device *dev, struct ethtool_cmd *ecmd)
@@ -2457,7 +2472,7 @@ static int sky2_get_settings(struct net_
 	ecmd->transceiver = XCVR_INTERNAL;
 	ecmd->supported = sky2_supported_modes(hw);
 	ecmd->phy_address = PHY_ADDR_MARV;
-	if (hw->copper) {
+	if (sky2_is_copper(hw)) {
 		ecmd->supported = SUPPORTED_10baseT_Half
 		    | SUPPORTED_10baseT_Full
 		    | SUPPORTED_100baseT_Half
@@ -2466,12 +2481,14 @@ static int sky2_get_settings(struct net_
 		    | SUPPORTED_1000baseT_Full
 		    | SUPPORTED_Autoneg | SUPPORTED_TP;
 		ecmd->port = PORT_TP;
-	} else
+		ecmd->speed = sky2->speed;
+	} else {
+		ecmd->speed = SPEED_1000;
 		ecmd->port = PORT_FIBRE;
+	}
 
 	ecmd->advertising = sky2->advertising;
 	ecmd->autoneg = sky2->autoneg;
-	ecmd->speed = sky2->speed;
 	ecmd->duplex = sky2->duplex;
 	return 0;
 }
--- linux-2.6.17.11.orig/drivers/net/sky2.h
+++ linux-2.6.17.11/drivers/net/sky2.h
@@ -1318,6 +1318,14 @@ enum {
 };
 
 /* for Yukon-2 Gigabit Ethernet PHY (88E1112 only) */
+/*****  PHY_MARV_PHY_CTRL (page 1)		16 bit r/w	Fiber Specific Ctrl *****/
+enum {
+	PHY_M_FIB_FORCE_LNK	= 1<<10,/* Force Link Good */
+	PHY_M_FIB_SIGD_POL	= 1<<9,	/* SIGDET Polarity */
+	PHY_M_FIB_TX_DIS	= 1<<3,	/* Transmitter Disable */
+};
+
+/* for Yukon-2 Gigabit Ethernet PHY (88E1112 only) */
 /*****  PHY_MARV_PHY_CTRL (page 2)		16 bit r/w	MAC Specific Ctrl *****/
 enum {
 	PHY_M_MAC_MD_MSK	= 7<<7, /* Bit  9.. 7: Mode Select Mask */
@@ -1879,7 +1887,7 @@ struct sky2_hw {
 	int		     pm_cap;
 	u8	     	     chip_id;
 	u8		     chip_rev;
-	u8		     copper;
+	u8		     pmd_type;
 	u8		     ports;
 
 	struct sky2_status_le *st_le;
@@ -1891,6 +1899,11 @@ struct sky2_hw {
 	wait_queue_head_t    msi_wait;
 };
 
+static inline int sky2_is_copper(const struct sky2_hw *hw)
+{
+	return !(hw->pmd_type == 'L' || hw->pmd_type == 'S' || hw->pmd_type == 'P');
+}
+
 /* Register accessor for memory mapped device */
 static inline u32 sky2_read32(const struct sky2_hw *hw, unsigned reg)
 {
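Review bot: sky2_is_copper() compares hw->pmd_type against the bare characters 'L', 'S' and 'P' with no explanation of what each PMD type means, and 'P' is tested again by value in sky2_phy_init(). Name them (an enum or defines next to B2_PMD_TYP) or at least comment the helper, so the set of fiber types is defined in one place.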

--

^ permalink raw reply	[flat|nested] 58+ messages in thread

* [patch 37/37] sky2: version 1.6.1
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (35 preceding siblings ...)
  2006-09-06 22:58   ` [patch 36/37] sky2: fix fiber support Greg KH
@ 2006-09-06 22:58   ` Greg KH
  2006-09-07 19:25     ` Pavel Machek
  2006-09-06 23:33   ` [patch 00/37] -stable review Adrian Bunk
  37 siblings, 1 reply; 58+ messages in thread
From: Greg KH @ 2006-09-06 22:58 UTC (permalink / raw)
  To: linux-kernel, stable, Jeff Garzik
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	netdev, Stephen Hemminger, Greg Kroah-Hartman

[-- Attachment #1: sky2-dotvers.patch --]
[-- Type: text/plain, Size: 661 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Stephen Hemminger <shemminger@osdl.org>

Since this code incorporates some of the fixes from 2.6.18, change
the version number.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/net/sky2.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.17.11.orig/drivers/net/sky2.c
+++ linux-2.6.17.11/drivers/net/sky2.c
@@ -51,7 +51,7 @@
 #include "sky2.h"
 
 #define DRV_NAME		"sky2"
-#define DRV_VERSION		"1.4"
+#define DRV_VERSION		"1.6.1"
 #define PFX			DRV_NAME " "
 
 /*

--

^ permalink raw reply	[flat|nested] 58+ messages in thread

* [-stable patch] pci_ids.h: add some VIA IDE identifiers
  2006-09-06 22:57   ` [patch 28/37] Missing PCI id update for VIA IDE Greg KH
@ 2006-09-06 23:33     ` Adrian Bunk
  0 siblings, 0 replies; 58+ messages in thread
From: Adrian Bunk @ 2006-09-06 23:33 UTC (permalink / raw)
  To: Greg KH
  Cc: linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan

On Wed, Sep 06, 2006 at 03:57:36PM -0700, Greg KH wrote:
> -stable review patch.  If anyone has any objections, please let us know.
> 
> ------------------
> From: Alan Cox <alan@lxorguk.ukuu.org.uk>
> 
> 
> The following change from -mm is important to 2.6.18 (actually to 2.6.17
> but it's too late for that). This was contributed over three months ago
> by VIA to Bartlomiej and nothing happened. As a result the new chipset
> is now out and Linux won't run on it. By the time 2.6.18 is finalised
> this will be the de facto standard VIA chipset so support would be a good
> plan.
> 
> Tested in -mm for a while, it's essentially a PCI ident update but for
> the bridge chip because VIA do things in weird ways.
> 
> 
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
> 
> 
> ---
>  drivers/ide/pci/via82cxxx.c |    3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>...

If anyone actually tries to compile this driver the patch below might 
be helpful.

cu
Adrian


<--  snip  -->


commit 47251e05f74783cc03f83f5e88016fc2cbd059f1
Author: Alan Cox <alan@redhat.com>
Date:   Wed Sep 6 19:55:17 2006 +0200

    pci_ids.h: add some VIA IDE identifiers
    
    Signed-off-by: Alan Cox <alan@redhat.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>

diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h
index 751eea5..960fb7b 100644
--- a/include/linux/pci_ids.h
+++ b/include/linux/pci_ids.h
@@ -1223,6 +1223,7 @@ #define PCI_DEVICE_ID_VIA_PT880		0x0258
 #define PCI_DEVICE_ID_VIA_PX8X0_0	0x0259
 #define PCI_DEVICE_ID_VIA_3269_0	0x0269
 #define PCI_DEVICE_ID_VIA_K8T800PRO_0	0x0282
+#define PCI_DEVICE_ID_VIA_3296_0	0x0296
 #define PCI_DEVICE_ID_VIA_8363_0	0x0305
 #define PCI_DEVICE_ID_VIA_P4M800CE	0x0314
 #define PCI_DEVICE_ID_VIA_8371_0	0x0391
@@ -1230,6 +1231,7 @@ #define PCI_DEVICE_ID_VIA_8501_0	0x0501
 #define PCI_DEVICE_ID_VIA_82C561	0x0561
 #define PCI_DEVICE_ID_VIA_82C586_1	0x0571
 #define PCI_DEVICE_ID_VIA_82C576	0x0576
+#define PCI_DEVICE_ID_VIA_SATA_EIDE	0x0581
 #define PCI_DEVICE_ID_VIA_82C586_0	0x0586
 #define PCI_DEVICE_ID_VIA_82C596	0x0596
 #define PCI_DEVICE_ID_VIA_82C597_0	0x0597
@@ -1270,10 +1272,11 @@ #define PCI_DEVICE_ID_VIA_8378_0	0x3205
 #define PCI_DEVICE_ID_VIA_8783_0	0x3208
 #define PCI_DEVICE_ID_VIA_8237		0x3227
 #define PCI_DEVICE_ID_VIA_8251		0x3287
-#define PCI_DEVICE_ID_VIA_3296_0	0x0296
+#define PCI_DEVICE_ID_VIA_8237A		0x3337
 #define PCI_DEVICE_ID_VIA_8231		0x8231
 #define PCI_DEVICE_ID_VIA_8231_4	0x8235
 #define PCI_DEVICE_ID_VIA_8365_1	0x8305
+#define PCI_DEVICE_ID_VIA_CX700		0x8324
 #define PCI_DEVICE_ID_VIA_8371_1	0x8391
 #define PCI_DEVICE_ID_VIA_82C598_1	0x8598
 #define PCI_DEVICE_ID_VIA_838X_1	0xB188
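Review bot: The commit message is a bare subject line, and of the identifiers added here only PCI_DEVICE_ID_VIA_8237A is referenced by the via82cxxx.c change this is meant to make compile. State in the changelog that the 8237A define is the build fix and why SATA_EIDE and CX700 ride along, or drop them from the -stable version.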


^ permalink raw reply related	[flat|nested] 58+ messages in thread

* Re: [patch 00/37] -stable review
  2006-09-06 22:54 ` [patch 00/37] -stable review Greg KH
                     ` (36 preceding siblings ...)
  2006-09-06 22:58   ` [patch 37/37] sky2: version 1.6.1 Greg KH
@ 2006-09-06 23:33   ` Adrian Bunk
  2006-09-07  2:08     ` Greg KH
  37 siblings, 1 reply; 58+ messages in thread
From: Adrian Bunk @ 2006-09-06 23:33 UTC (permalink / raw)
  To: Greg KH
  Cc: linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan

On Wed, Sep 06, 2006 at 03:54:44PM -0700, Greg KH wrote:
> This is the start of the stable review cycle for next 2.6.17.y release.
> There are 37 patches in this series, all will be posted as a response to
> this one.  If anyone has any issues with these being applied, please let
> us know.  If anyone is a maintainer of the proper subsystem, and wants
> to add a Signed-off-by: line to the patch, please respond with it.
> 
> These patches are sent out with a number of different people on the Cc:
> line.  If you wish to be a reviewer, please email stable@kernel.org to
> add your name to the list.  If you want to be off the reviewer list,
> also email us.
> 
> Responses should be made by Fri Sep 8 22:00:00 UTC.  Anything received
> after that time might be too late.
> 
> Full patch of this whole series is available at:
> 	http://www.kernel.org/pub/linux/kernel/people/gregkh/stable/patch-2.6.17.12-rc1.gz
> if you wish to test it out and make sure nothing is broken on your
> architecture or system.

The patch is reversed and doesn't update the Makefile.

> thanks,
> 
> greg k-h

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed


^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [patch 00/37] -stable review
  2006-09-06 23:33   ` [patch 00/37] -stable review Adrian Bunk
@ 2006-09-07  2:08     ` Greg KH
  0 siblings, 0 replies; 58+ messages in thread
From: Greg KH @ 2006-09-07  2:08 UTC (permalink / raw)
  To: Adrian Bunk
  Cc: linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan

On Thu, Sep 07, 2006 at 01:33:57AM +0200, Adrian Bunk wrote:
> On Wed, Sep 06, 2006 at 03:54:44PM -0700, Greg KH wrote:
> > This is the start of the stable review cycle for next 2.6.17.y release.
> > There are 37 patches in this series, all will be posted as a response to
> > this one.  If anyone has any issues with these being applied, please let
> > us know.  If anyone is a maintainer of the proper subsystem, and wants
> > to add a Signed-off-by: line to the patch, please respond with it.
> > 
> > These patches are sent out with a number of different people on the Cc:
> > line.  If you wish to be a reviewer, please email stable@kernel.org to
> > add your name to the list.  If you want to be off the reviewer list,
> > also email us.
> > 
> > Responses should be made by Fri Sep 8 22:00:00 UTC.  Anything received
> > after that time might be too late.
> > 
> > Full patch of this whole series is available at:
> > 	http://www.kernel.org/pub/linux/kernel/people/gregkh/stable/patch-2.6.17.12-rc1.gz
> > if you wish to test it out and make sure nothing is broken on your
> > architecture or system.
> 
> The patch is reversed and doesn't update the Makefile.

Doh, I need to automate this portion instead of doing it by hand all the
time...

The patch is now updated (will take a few minutes to be mirrored),
thanks for pointing it out.

greg k-h

^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [patch 04/37] fix compilation error on IA64
  2006-09-06 22:55   ` [patch 04/37] fix compilation error on IA64 Greg KH
@ 2006-09-07  8:45     ` Kirill Korotaev
  0 siblings, 0 replies; 58+ messages in thread
From: Kirill Korotaev @ 2006-09-07  8:45 UTC (permalink / raw)
  To: Greg KH
  Cc: linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan, dev, linux-ia64,
	Fernando Vazquez

Greg,

The patch from Fernando Vazquez is incomplete.
The first hunk is from Fernando's patch which fixes IA64 compilation.
But there are some archs which do not include asm-generic/mman.h
and thus will have arch_mmap_check undefined.

Signed-Off-By: Kirill Korotaev <dev@sw.ru>

--- a/include/asm-ia64/mman.h
+++ b/include/asm-ia64/mman.h
@@ -9,10 +9,12 @@
  */
 
 #ifdef __KERNEL__
+#ifndef __ASSEMBLY__
 #define arch_mmap_check	ia64_map_check_rgn
 int ia64_map_check_rgn(unsigned long addr, unsigned long len,
 		unsigned long flags);
 #endif
+#endif
 
 #include <asm-generic/mman.h>
 
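
Review bot: the two stacked #endif lines that now close __ASSEMBLY__ and __KERNEL__ carry no trailing comment, so it is easy to misread which guard each one ends; annotate them as "#endif /* !__ASSEMBLY__ */" and "#endif /* __KERNEL__ */". The new guard also hides the "#define arch_mmap_check ia64_map_check_rgn" line from assembly includes, not only the C prototype; if that is intended, a one-line comment saying so would save the next reader the question.
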
diff --git a/include/asm-alpha/mman.h b/include/asm-alpha/mman.h
index 5f24c75..51cf354 100644
--- a/include/asm-alpha/mman.h
+++ b/include/asm-alpha/mman.h
@@ -52,4 +52,10 @@ #define MADV_DOFORK	11		/* do inherit ac
 #define MAP_ANON	MAP_ANONYMOUS
 #define MAP_FILE	0
 
+#ifdef __KERNEL__
+#ifndef arch_mmap_check
+#define arch_mmap_check(addr, len, flags)	(0)
+#endif
+#endif
+
 #endif /* __ALPHA_MMAN_H__ */
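
Review bot: the fallback "#define arch_mmap_check(addr, len, flags) (0)" added here is repeated verbatim in the mips and parisc hunks, so three headers each carry a private copy of the same default; a single shared definition pulled in by these headers would keep them from drifting apart. As written the macro also drops its arguments without evaluating them, so a bad argument at a call site compiles on these architectures and fails only where a real check is defined; a static inline returning 0 would type-check the call everywhere.
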
diff --git a/include/asm-mips/mman.h b/include/asm-mips/mman.h
index 046cf68..f19e858 100644
--- a/include/asm-mips/mman.h
+++ b/include/asm-mips/mman.h
@@ -75,4 +75,10 @@ #define MADV_DOFORK	11		/* do inherit ac
 #define MAP_ANON	MAP_ANONYMOUS
 #define MAP_FILE	0
 
+#ifdef __KERNEL__
+#ifndef arch_mmap_check
+#define arch_mmap_check(addr, len, flags)	(0)
+#endif
+#endif
+
 #endif /* _ASM_MMAN_H */
diff --git a/include/asm-parisc/mman.h b/include/asm-parisc/mman.h
index 0ef15ee..9829b31 100644
--- a/include/asm-parisc/mman.h
+++ b/include/asm-parisc/mman.h
@@ -59,4 +59,10 @@ #define MAP_ANON	MAP_ANONYMOUS
 #define MAP_FILE	0
 #define MAP_VARIABLE	0
 
+#ifdef __KERNEL__
+#ifndef arch_mmap_check
+#define arch_mmap_check(addr, len, flags)	(0)
+#endif
+#endif
+
 #endif /* __PARISC_MMAN_H__ */
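
Review bot: the description says only that "some archs" do not include asm-generic/mman.h, while the diff touches alpha, mips and parisc; the changelog should name the architectures and say how the list was derived, so a reviewer can confirm that no other mman.h is left without an arch_mmap_check definition.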



^ permalink raw reply related	[flat|nested] 58+ messages in thread

* Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0
  2006-09-06 22:57   ` [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0 Greg KH
@ 2006-09-07 12:57     ` Marcel Holtmann
  2006-09-07 15:39       ` [stable] " Greg KH
  2006-09-08 12:58     ` Michael Krufky
  1 sibling, 1 reply; 58+ messages in thread
From: Marcel Holtmann @ 2006-09-07 12:57 UTC (permalink / raw)
  To: Greg KH
  Cc: linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan, Ang Way Chuang

Hi Greg,

> ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
> code has a bug that allows an attacker to send a malformed ULE packet
> with SNDU length of 0 and bring down the receiving machine. This patch
> fixes the bug and has been tested on version 2.6.17.11. This bug is 100%
> reproducible and the modified source code (GPL) used to produce this bug
> will be posted on http://nrg.cs.usm.my/downloads.htm shortly.  The
> kernel will produce a dump during CRC32 checking on faulty ULE packet.

the upstream code changed for 2.6.18. It has a different way of
addressing this issue, but it also changes a lot of other stuff in the
whole code. However it might be worth looking at it, because the
upstream code might be still vulnerable.

Regards

Marcel



^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [stable] [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0
  2006-09-07 12:57     ` Marcel Holtmann
@ 2006-09-07 15:39       ` Greg KH
  2006-09-08 11:31         ` Marcel Holtmann
  0 siblings, 1 reply; 58+ messages in thread
From: Greg KH @ 2006-09-07 15:39 UTC (permalink / raw)
  To: Marcel Holtmann
  Cc: Greg KH, torvalds, akpm, Theodore Ts'o, Zwane Mwaikambo,
	Justin Forbes, linux-kernel, Chris Wedgwood, Randy Dunlap,
	Dave Jones, Ang Way Chuang, Chuck Wolber, stable, alan

On Thu, Sep 07, 2006 at 02:57:56PM +0200, Marcel Holtmann wrote:
> Hi Greg,
> 
> > ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
> > code has a bug that allows an attacker to send a malformed ULE packet
> > with SNDU length of 0 and bring down the receiving machine. This patch
> > fixes the bug and has been tested on version 2.6.17.11. This bug is 100%
> > reproducible and the modified source code (GPL) used to produce this bug
> > will be posted on http://nrg.cs.usm.my/downloads.htm shortly.  The
> > kernel will produce a dump during CRC32 checking on faulty ULE packet.
> 
> the upstream code changed for 2.6.18. It has a different way of
> addressing this issue, but it also changes a lot of other stuff in the
> whole code. However it might be worth looking at it, because the
> upstream code might be still vulnerable.

So we should not take this patch for 2.6.17.y?  Do you have a different
patch we should use instead?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [patch 37/37] sky2: version 1.6.1
  2006-09-06 22:58   ` [patch 37/37] sky2: version 1.6.1 Greg KH
@ 2006-09-07 19:25     ` Pavel Machek
  2006-09-07 20:34       ` Greg KH
  0 siblings, 1 reply; 58+ messages in thread
From: Pavel Machek @ 2006-09-07 19:25 UTC (permalink / raw)
  To: Greg KH
  Cc: linux-kernel, stable, Jeff Garzik, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan, netdev, Stephen Hemminger

On Wed 06-09-06 15:58:12, Greg KH wrote:
> -stable review patch.  If anyone has any objections, please let us know.
> 
> ------------------
> From: Stephen Hemminger <shemminger@osdl.org>
> 
> Since this code incorporates some of the fixes from 2.6.18, change
> the version number.
> 
> Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Not sure, one of 'stable' criteria is 'fixes bad bug'. What bug does
this fix?

							Pavel
-- 
Thanks for all the (sleeping) penguins.

^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [patch 37/37] sky2: version 1.6.1
  2006-09-07 19:25     ` Pavel Machek
@ 2006-09-07 20:34       ` Greg KH
  2006-09-07 21:03         ` Pavel Machek
  0 siblings, 1 reply; 58+ messages in thread
From: Greg KH @ 2006-09-07 20:34 UTC (permalink / raw)
  To: Pavel Machek
  Cc: linux-kernel, stable, Jeff Garzik, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan, netdev, Stephen Hemminger

On Thu, Sep 07, 2006 at 07:25:28PM +0000, Pavel Machek wrote:
> On Wed 06-09-06 15:58:12, Greg KH wrote:
> > -stable review patch.  If anyone has any objections, please let us know.
> > 
> > ------------------
> > From: Stephen Hemminger <shemminger@osdl.org>
> > 
> > Since this code incorporates some of the fixes from 2.6.18, change
> > the version number.
> > 
> > Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
> 
> Not sure, one of 'stable' criteria is 'fixes bad bug'. What bug does
> this fix?

The previous 5 patches changed this driver, so changing the version
number of it is acceptable to me.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [patch 37/37] sky2: version 1.6.1
  2006-09-07 20:34       ` Greg KH
@ 2006-09-07 21:03         ` Pavel Machek
  2006-09-07 21:50           ` Stephen Hemminger
  0 siblings, 1 reply; 58+ messages in thread
From: Pavel Machek @ 2006-09-07 21:03 UTC (permalink / raw)
  To: Greg KH
  Cc: linux-kernel, stable, Jeff Garzik, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan, netdev, Stephen Hemminger

Hi!

> > > -stable review patch.  If anyone has any objections, please let us know.
> > > 
> > > ------------------
> > > From: Stephen Hemminger <shemminger@osdl.org>
> > > 
> > > Since this code incorporates some of the fixes from 2.6.18, change
> > > the version number.
> > > 
> > > Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
> > 
> > Not sure, one of 'stable' criteria is 'fixes bad bug'. What bug does
> > this fix?
> 
> The previous 5 patches changed this driver, so changing the version
> number of it is acceptable to me.

Well... I agree that version change is understandable, but it will be
also surprising for the users, and stable rules were quite strict with
"must fix obvious bug"...
								Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [patch 37/37] sky2: version 1.6.1
  2006-09-07 21:03         ` Pavel Machek
@ 2006-09-07 21:50           ` Stephen Hemminger
  0 siblings, 0 replies; 58+ messages in thread
From: Stephen Hemminger @ 2006-09-07 21:50 UTC (permalink / raw)
  To: Pavel Machek
  Cc: Greg KH, linux-kernel, stable, Jeff Garzik, Justin Forbes,
	Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap, Dave Jones,
	Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan, netdev

On Thu, 7 Sep 2006 23:03:46 +0200
Pavel Machek <pavel@suse.cz> wrote:

> Hi!
> 
> > > > -stable review patch.  If anyone has any objections, please let us know.
> > > > 
> > > > ------------------
> > > > From: Stephen Hemminger <shemminger@osdl.org>
> > > > 
> > > > Since this code incorporates some of the fixes from 2.6.18, change
> > > > the version number.
> > > > 
> > > > Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
> > > > Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
> > > 
> > > Not sure, one of 'stable' criteria is 'fixes bad bug'. What bug does
> > > this fix?
> > 
> > The previous 5 patches changed this driver, so changing the version
> > number of it is acceptable to me.
> 
> Well... I agree that version change is understandable, but it will be
> also surprising for the users, and stable rules were quite strict with
> "must fix obvious bug"...
> 

I get lots of bug reports which are from distro and other kernels
that cherrypick code from stable. How am I supposed to know if it
is a new or old problem?

^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [stable] [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0
  2006-09-07 15:39       ` [stable] " Greg KH
@ 2006-09-08 11:31         ` Marcel Holtmann
  0 siblings, 0 replies; 58+ messages in thread
From: Marcel Holtmann @ 2006-09-08 11:31 UTC (permalink / raw)
  To: Greg KH
  Cc: Greg KH, torvalds, akpm, Theodore Ts'o, Zwane Mwaikambo,
	Justin Forbes, linux-kernel, Chris Wedgwood, Randy Dunlap,
	Dave Jones, Ang Way Chuang, Chuck Wolber, stable, alan

Hi Greg,

> > > ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
> > > code has a bug that allows an attacker to send a malformed ULE packet
> > > with SNDU length of 0 and bring down the receiving machine. This patch
> > > fixes the bug and has been tested on version 2.6.17.11. This bug is 100%
> > > reproducible and the modified source code (GPL) used to produce this bug
> > > will be posted on http://nrg.cs.usm.my/downloads.htm shortly.  The
> > > kernel will produce a dump during CRC32 checking on faulty ULE packet.
> > 
> > the upstream code changed for 2.6.18. It has a different way of
> > addressing this issue, but it also changes a lot of other stuff in the
> > whole code. However it might be worth looking at it, because the
> > upstream code might be still vulnerable.
> 
> So we should not take this patch for 2.6.17.y?  Do you have a different
> patch we should use instead?

I have no idea. I don't have any DVB hardware for testing at hand. The
patch looks sane and seems to fix this problem. However for upstream we
can't apply it and upstream might not be vulnerable, because of the
updated version. If upstream is not vulnerable, I would prefer we go
with the upstream version. Anyway, not my call to make.

Regards

Marcel



^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0
  2006-09-06 22:57   ` [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0 Greg KH
  2006-09-07 12:57     ` Marcel Holtmann
@ 2006-09-08 12:58     ` Michael Krufky
  2006-09-08 13:11       ` Ang Way Chuang
  2006-09-08 17:29       ` Greg KH
  1 sibling, 2 replies; 58+ messages in thread
From: Michael Krufky @ 2006-09-08 12:58 UTC (permalink / raw)
  To: Greg KH
  Cc: linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan, Ang Way Chuang,
	v4l-dvb maintainer list

Greg KH wrote:
> -stable review patch.  If anyone has any objections, please let us know.

Greg,

Can we hold off on this until the 2.6.17.13 review cycle?  This patch
has not been sent to the linux-dvb mailing list, it has not been
reviewed or tested except for the Author and Marcel.

Please also add me to the cc list for the stable patches review.

DVB maintainers,

Marcel expressed some concerns about this patch on LKML, see thread:

http://lkml.org/lkml/2006/9/6/314

He says that the code in our mercurial tree, and in 2.6.18-rcX does this
in a much nicer way, but that it involves some major changes.  If this
patch seems acceptable, then we can apply it for 2.6.17.y, and the
larger, more appropriate change will be seen when 2.6.18 gets released.

I, myself, do not know enough about the internals of dvb_net ... but I
think that we should agree to this patch before it gets applied to -stable.

Regards,

Mike Krufky


> 
> ------------------
> From: Ang Way Chuang <wcang@nrg.cs.usm.my>
> 
> ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
> code has a bug that allows an attacker to send a malformed ULE packet
> with SNDU length of 0 and bring down the receiving machine. This patch
> fixes the bug and has been tested on version 2.6.17.11. This bug is 100%
> reproducible and the modified source code (GPL) used to produce this bug
> will be posted on http://nrg.cs.usm.my/downloads.htm shortly.  The
> kernel will produce a dump during CRC32 checking on faulty ULE packet.
> 
> 
> Signed-off-by: Ang Way Chuang <wcang@nrg.cs.usm.my>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
> 
> ---
>  drivers/media/dvb/dvb-core/dvb_net.c |    3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> --- linux-2.6.17.11.orig/drivers/media/dvb/dvb-core/dvb_net.c
> +++ linux-2.6.17.11/drivers/media/dvb/dvb-core/dvb_net.c
> @@ -492,7 +492,8 @@ static void dvb_net_ule( struct net_devi
>  				} else
>  					priv->ule_dbit = 0;
>  
> -				if (priv->ule_sndu_len > 32763) {
> +				if (priv->ule_sndu_len > 32763 ||
> +				    priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)) {
>  					printk(KERN_WARNING "%lu: Invalid ULE SNDU length %u. "
>  					       "Resyncing.\n", priv->ts_count, priv->ule_sndu_len);
>  					priv->ule_sndu_len = 0;
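
Review bot: with ule_dbit set the new lower bound is "< 4", so an SNDU length of exactly 4 still passes and leaves zero bytes ahead of the 4 that the bound reserves; please confirm that the reassembly and CRC32 code after this check copes with an empty payload, or tighten the comparison to "<=". A named constant or a short comment stating what the literal 4 stands for would also make the two branches of the ternary easier to verify.
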
> 


^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0
  2006-09-08 12:58     ` Michael Krufky
@ 2006-09-08 13:11       ` Ang Way Chuang
  2006-09-08 17:29       ` Greg KH
  1 sibling, 0 replies; 58+ messages in thread
From: Ang Way Chuang @ 2006-09-08 13:11 UTC (permalink / raw)
  To: Michael Krufky
  Cc: Greg KH, linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan, Ang Way Chuang,
	v4l-dvb maintainer list


Michael Krufky wrote:
> Greg KH wrote:
>> -stable review patch.  If anyone has any objections, please let us know.
>
> Greg,
>
> Can we hold off on this until the 2.6.17.13 review cycle?  This patch
> has not been sent to the linux-dvb mailing list, it has not been
> reviewed or tested except for the Author and Marcel.
>
> Please also add me to the cc list for the stable patches review.
>
> DVB maintainers,
>
> Marcel expressed some concerns about this patch on LKML, see thread:
>
> http://lkml.org/lkml/2006/9/6/314
>
> He says that the code in our mercurial tree, and in 2.6.18-rcX does this
> in a much nicer way, but that it involves some major changes.  If this
> patch seems acceptable, then we can apply it for 2.6.17.y, and the
> larger, more appropriate change will be seen when 2.6.18 gets released.
>
> I, myself, do not know enough about the internals of dvb_net ... but I
> think that we should agree to this patch before it gets applied to -stable.
>
> Regards,
>
> Mike Krufky
>
>

Sorry for not forwarding this patch to linux-dvb mailing list in the first place.
My mistake. If this patch is okay after DVB maintainers have tested it, then
Adrian Bunk may find it useful for his 2.6.16.x tree.

Regards,
Ang Way Chuang

>>
>> ------------------
>> From: Ang Way Chuang <wcang@nrg.cs.usm.my>
>>
>> ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
>> code has a bug that allows an attacker to send a malformed ULE packet
>> with SNDU length of 0 and bring down the receiving machine. This patch
>> fixes the bug and has been tested on version 2.6.17.11. This bug is 100%
>> reproducible and the modified source code (GPL) used to produce this bug
>> will be posted on http://nrg.cs.usm.my/downloads.htm shortly.  The
>> kernel will produce a dump during CRC32 checking on faulty ULE packet.
>>
>>
>> Signed-off-by: Ang Way Chuang <wcang@nrg.cs.usm.my>
>> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
>>
>> ---
>>  drivers/media/dvb/dvb-core/dvb_net.c |    3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> --- linux-2.6.17.11.orig/drivers/media/dvb/dvb-core/dvb_net.c
>> +++ linux-2.6.17.11/drivers/media/dvb/dvb-core/dvb_net.c
>> @@ -492,7 +492,8 @@ static void dvb_net_ule( struct net_devi
>>  				} else
>>  					priv->ule_dbit = 0;
>>
>> -				if (priv->ule_sndu_len > 32763) {
>> +				if (priv->ule_sndu_len > 32763 ||
>> +				    priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)) {
>>  					printk(KERN_WARNING "%lu: Invalid ULE SNDU length %u. "
>>  					       "Resyncing.\n", priv->ts_count, priv->ule_sndu_len);
>>  					priv->ule_sndu_len = 0;
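
Review bot: the printk(KERN_WARNING ...) under this condition is now reached for every SNDU whose length field is too small as well as too large, and that field is taken from the received packet, so a sender of malformed packets can fill the kernel log one line per SNDU; guard the message with net_ratelimit() while keeping the resync itself unconditional.
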
>>
>
>



^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0
  2006-09-08 12:58     ` Michael Krufky
  2006-09-08 13:11       ` Ang Way Chuang
@ 2006-09-08 17:29       ` Greg KH
  2006-09-15 16:11         ` Michael Krufky
  1 sibling, 1 reply; 58+ messages in thread
From: Greg KH @ 2006-09-08 17:29 UTC (permalink / raw)
  To: Michael Krufky
  Cc: linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan, Ang Way Chuang,
	v4l-dvb maintainer list

On Fri, Sep 08, 2006 at 08:58:49AM -0400, Michael Krufky wrote:
> Greg KH wrote:
> > -stable review patch.  If anyone has any objections, please let us know.
> 
> Greg,
> 
> Can we hold off on this until the 2.6.17.13 review cycle?  This patch
> has not been sent to the linux-dvb mailing list, it has not been
> reviewed or tested except for the Author and Marcel.

Yes, I've now moved it, thanks.

> Please also add me to the cc list for the stable patches review.

Now added, thanks.

greg k-h

^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0
  2006-09-08 17:29       ` Greg KH
@ 2006-09-15 16:11         ` Michael Krufky
  2006-09-15 16:15           ` Marcel Siegert
  2006-09-15 16:36           ` Marcel Holtmann
  0 siblings, 2 replies; 58+ messages in thread
From: Michael Krufky @ 2006-09-15 16:11 UTC (permalink / raw)
  To: Greg KH
  Cc: linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan, Ang Way Chuang,
	v4l-dvb maintainer list, Marcel Siegert

Greg KH wrote:
> On Fri, Sep 08, 2006 at 08:58:49AM -0400, Michael Krufky wrote:
>> Greg KH wrote:
>>> -stable review patch.  If anyone has any objections, please let us know.
>> Greg,
>>
>> Can we hold off on this until the 2.6.17.13 review cycle?  This patch
>> has not been sent to the linux-dvb mailing list, it has not been
>> reviewed or tested except for the Author and Marcel.
> 
> Yes, I've now moved it, thanks.

Marcel Siegert and I spoke about this today --  We are doing things a
bit differently for 2.6.18 and later, but this patch is appropriate for
2.6.17.y

Please apply it for the next -stable kernel release.

Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>



^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0
  2006-09-15 16:11         ` Michael Krufky
@ 2006-09-15 16:15           ` Marcel Siegert
  2006-09-15 16:36           ` Marcel Holtmann
  1 sibling, 0 replies; 58+ messages in thread
From: Marcel Siegert @ 2006-09-15 16:15 UTC (permalink / raw)
  To: Michael Krufky
  Cc: Greg KH, linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan, Ang Way Chuang,
	v4l-dvb maintainer list

On Friday 15 September 2006 18:11, Michael Krufky wrote:
> Greg KH wrote:
> > On Fri, Sep 08, 2006 at 08:58:49AM -0400, Michael Krufky wrote:
> >> Greg KH wrote:
> >>> -stable review patch.  If anyone has any objections, please let us know.
> >> Greg,
> >>
> >> Can we hold off on this until the 2.6.17.13 review cycle?  This patch
> >> has not been sent to the linux-dvb mailing list, it has not been
> >> reviewed or tested except for the Author and Marcel.
> > 
> > Yes, I've now moved it, thanks.
> 
> Marcel Siegert and I spoke about this today --  We are doing things a
> bit differently for 2.6.18 and later, but this patch is appropriate for
> 2.6.17.y
> 
> Please apply it for the next -stable kernel release.
> 
> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
> 
> 
> 
Signed-off-by: Marcel Siegert <mws@linuxtv.org>


^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0
  2006-09-15 16:11         ` Michael Krufky
  2006-09-15 16:15           ` Marcel Siegert
@ 2006-09-15 16:36           ` Marcel Holtmann
  2006-09-15 18:07             ` Michael Krufky
  1 sibling, 1 reply; 58+ messages in thread
From: Marcel Holtmann @ 2006-09-15 16:36 UTC (permalink / raw)
  To: Michael Krufky
  Cc: Greg KH, linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan, Ang Way Chuang,
	v4l-dvb maintainer list, Marcel Siegert

Hi Michael,

> >> Can we hold off on this until the 2.6.17.13 review cycle?  This patch
> >> has not been sent to the linux-dvb mailing list, it has not been
> >> reviewed or tested except for the Author and Marcel.
> > 
> > Yes, I've now moved it, thanks.
> 
> Marcel Siegert and I spoke about this today --  We are doing things a
> bit differently for 2.6.18 and later, but this patch is appropriate for
> 2.6.17.y

so this means it is fixed in 2.6.18 or is it still vulnerable. If it is
still vulnerable, then we need a fix. And we need it now.

Regards

Marcel



^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0
  2006-09-15 16:36           ` Marcel Holtmann
@ 2006-09-15 18:07             ` Michael Krufky
  2006-09-15 18:18               ` Marcel Holtmann
  0 siblings, 1 reply; 58+ messages in thread
From: Michael Krufky @ 2006-09-15 18:07 UTC (permalink / raw)
  To: Marcel Holtmann
  Cc: Greg KH, linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan, Ang Way Chuang,
	v4l-dvb maintainer list, Marcel Siegert

Marcel Holtmann wrote:
> Hi Michael,
> 
>>>> Can we hold off on this until the 2.6.17.13 review cycle?  This patch
>>>> has not been sent to the linux-dvb mailing list, it has not been
>>>> reviewed or tested except for the Author and Marcel.
>>> Yes, I've now moved it, thanks.
>> Marcel Siegert and I spoke about this today --  We are doing things a
>> bit differently for 2.6.18 and later, but this patch is appropriate for
>> 2.6.17.y
> 
> so this means it is fixed in 2.6.18 or is it still vulnerable. If it is
> still vulnerable, then we need a fix. And we need it now.

2.6.18 should not be vulnerable.  See the following changeset in Linus'
tree:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;h=8859ab74f0fe4c65c8e75b9350a2a0b138615525;hp=9fd87521a1639bd3dae51dcdce48545614d41a85;hb=18232ca61b4c73b849850200a5e6ec40517f35ab;f=drivers/media/dvb/dvb-core/dvb_net.c

Quoting MWS from irc:

if the len is smaller than 4 or if dbit set smaller than 4+ealen, just
get rid of that packet and interpret as error. the 2.6.18 is not letting
them through if they are < sizeof(5), so 4 byte packets would be ignored.

Regards,

Michael Krufky


^ permalink raw reply	[flat|nested] 58+ messages in thread
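
The lower bound on the SNDU length discussed in this thread, as a stand-alone C example that is added here and is not code from the kernel or from any poster. The header layout (D bit, 15-bit length, 16-bit type, following RFC 4326), the reading of the literal 4 as the CRC32 length, and every name except ETH_ALEN are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_ALEN     6      /* MAC address length, as used in the patch */
#define ULE_CRC_LEN  4      /* assumed meaning of the patch's literal 4 */
#define ULE_MAX_LEN  32763  /* upper bound already present in the condition */

enum ule_status { ULE_OK, ULE_TRUNCATED, ULE_TOO_LONG, ULE_TOO_SHORT };

struct ule_hdr {
    int      dbit;         /* 1: no destination address follows the header */
    uint16_t sndu_len;     /* 15-bit length field */
    uint16_t type;         /* 16-bit type field */
    size_t   payload_len;  /* bytes left once address and CRC are removed */
};

/*
 * Size arithmetic with no lower bound: for a length below the fixed
 * overhead the unsigned subtraction wraps to a very large value. This
 * illustrates why a minimum is needed; it is not the kernel's code path.
 */
size_t ule_payload_len_unchecked(uint16_t sndu_len, int dbit)
{
    size_t overhead = dbit ? ULE_CRC_LEN : ULE_CRC_LEN + ETH_ALEN;

    return (size_t)sndu_len - overhead;
}

/* Parse the 4-byte base header and apply both bounds from the patch. */
enum ule_status ule_parse_hdr(const uint8_t *buf, size_t avail,
                              struct ule_hdr *h)
{
    size_t min_len;

    if (avail < 4)
        return ULE_TRUNCATED;

    h->dbit = (buf[0] & 0x80) != 0;
    h->sndu_len = (uint16_t)(((buf[0] & 0x7f) << 8) | buf[1]);
    h->type = (uint16_t)((buf[2] << 8) | buf[3]);
    h->payload_len = 0;

    /* Same sense as the patch: D bit set -> 4, clear -> 4 + ETH_ALEN. */
    min_len = h->dbit ? ULE_CRC_LEN : ULE_CRC_LEN + ETH_ALEN;

    if (h->sndu_len > ULE_MAX_LEN)
        return ULE_TOO_LONG;
    if (h->sndu_len < min_len)
        return ULE_TOO_SHORT;

    /* Safe only because the lower bound was checked first. */
    h->payload_len = (size_t)h->sndu_len - min_len;
    return ULE_OK;
}

static const char *ule_status_name(enum ule_status s)
{
    switch (s) {
    case ULE_OK:        return "ok";
    case ULE_TRUNCATED: return "truncated header";
    case ULE_TOO_LONG:  return "length too large, resync";
    case ULE_TOO_SHORT: return "length too small, resync";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed sample headers, not captured traffic. */
    static const uint8_t samples[][4] = {
        {0x00, 0x00, 0x08, 0x00},  /* D=0, length 0 (the reported case) */
        {0x80, 0x03, 0x08, 0x00},  /* D=1, length 3: below the CRC size */
        {0x80, 0x04, 0x08, 0x00},  /* D=1, length 4: accepted, no payload */
        {0x00, 0x09, 0x08, 0x00},  /* D=0, length 9: below 4 + ETH_ALEN */
        {0x00, 0x2e, 0x08, 0x00},  /* D=0, length 46: accepted */
        {0x7f, 0xff, 0x08, 0x00},  /* D=0, length 32767: above the maximum */
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct ule_hdr h;
        enum ule_status s = ule_parse_hdr(samples[i], 4, &h);

        printf("D=%d len=%5u unchecked=%zu checked=%zu -> %s\n",
               h.dbit, (unsigned)h.sndu_len,
               ule_payload_len_unchecked(h.sndu_len, h.dbit),
               h.payload_len, ule_status_name(s));
    }
    return 0;
}
```

The third sample shows the boundary case: a length equal to the minimum is accepted by a strict "<" comparison and yields a zero-length payload.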

* Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0
  2006-09-15 18:07             ` Michael Krufky
@ 2006-09-15 18:18               ` Marcel Holtmann
  2006-09-20  9:38                 ` Ang Way Chuang
  0 siblings, 1 reply; 58+ messages in thread
From: Marcel Holtmann @ 2006-09-15 18:18 UTC (permalink / raw)
  To: Michael Krufky
  Cc: Greg KH, linux-kernel, stable, Justin Forbes, Zwane Mwaikambo,
	Theodore Ts'o, Randy Dunlap, Dave Jones, Chuck Wolber,
	Chris Wedgwood, torvalds, akpm, alan, Ang Way Chuang,
	v4l-dvb maintainer list, Marcel Siegert

Hi Michael,

> >>>> Can we hold off on this until the 2.6.17.13 review cycle?  This patch
> >>>> has not been sent to the linux-dvb mailing list, it has not been
> >>>> reviewed or tested except for the Author and Marcel.
> >>> Yes, I've now moved it, thanks.
> >> Marcel Siegert and I spoke about this today --  We are doing things a
> >> bit differently for 2.6.18 and later, but this patch is appropriate for
> >> 2.6.17.y
> > 
> > so this means it is fixed in 2.6.18 or is it still vulnerable. If it is
> > still vulnerable, then we need a fix. And we need it now.
> 
> 2.6.18 should not be vulnerable.  See the following changeset in Linus'
> tree:
> 
> http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;h=8859ab74f0fe4c65c8e75b9350a2a0b138615525;hp=9fd87521a1639bd3dae51dcdce48545614d41a85;hb=18232ca61b4c73b849850200a5e6ec40517f35ab;f=drivers/media/dvb/dvb-core/dvb_net.c
> 
> Quoting MWS from irc:
> 
> if the len is smaller than 4 or if dbit set smaller than 4+ealen, just
> get rid of that packet and interpret as error. the 2.6.18 is not letting
> them through if they are < sizeof(5), so 4 byte packets would be ignored.

I saw the changeset in the current 2.6.18-rc kernel and this was the
reason for me asking. I don't have the hardware to reproduce this, but
if you say that the final 2.6.18 kernel will not be vulnerable, then I
take your word for it.

Regards

Marcel



^ permalink raw reply	[flat|nested] 58+ messages in thread

* Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0
  2006-09-15 18:18               ` Marcel Holtmann
@ 2006-09-20  9:38                 ` Ang Way Chuang
  0 siblings, 0 replies; 58+ messages in thread
From: Ang Way Chuang @ 2006-09-20  9:38 UTC (permalink / raw)
  To: Marcel Holtmann
  Cc: Michael Krufky, Greg KH, linux-kernel, stable, Justin Forbes,
	Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap, Dave Jones,
	Chuck Wolber, Chris Wedgwood, torvalds, akpm, alan,
	Ang Way Chuang, v4l-dvb maintainer list, Marcel Siegert

Hi Marcel,

Marcel Holtmann wrote:
> Hi Michael,
>
>> >>>> Can we hold off on this until the 2.6.17.13 review cycle?  This patch
>> >>>> has not been sent to the linux-dvb mailing list, it has not been
>> >>>> reviewed or tested except for the Author and Marcel.
>> >>> Yes, I've now moved it, thanks.
>> >> Marcel Siegert and I spoke about this today --  We are doing things a
>> >> bit differently for 2.6.18 and later, but this patch is appropriate for
>> >> 2.6.17.y
>> >
>> > so this means it is fixed in 2.6.18 or is it still vulnerable. If it is
>> > still vulnerable, then we need a fix. And we need it now.
>>
>> 2.6.18 should not be vulnerable.  See the following changeset in Linus'
>> tree:
>>
>> http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;h=8859ab74f0fe4c65c8e75b9350a2a0b138615525;hp=9fd87521a1639bd3dae51dcdce48545614d41a85;hb=18232ca61b4c73b849850200a5e6ec40517f35ab;f=drivers/media/dvb/dvb-core/dvb_net.c
>>
>> Quoting MWS from irc:
>>
>> if the len is smaller than 4 or if dbit set smaller than 4+ealen, just
>> get rid of that packet and interpret as error. the 2.6.18 is not letting
>> them through if they are < sizeof(5), so 4 byte packets would be ignored.
>
> I saw the changeset in the current 2.6.18-rc kernel and this was the
> reason for me asking. I don't have the hardware to reproduce this, but
> if you say that the final 2.6.18 kernel will not be vulnerable, then I
> take your word for it.
>
> Regards
>
> Marcel
>
>
>

I've tested 2.6.18-rc7 and it seems there is no problem with the case
where dbit is not set. It should not be vulnerable.
Thanks

Regards,
Ang Way Chuang
-- 
May you be well and happy.
