From 4420518ba7b21f2b5f0d2040c1d9333e05cc15d2 Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Sun, 26 Aug 2007 21:21:59 +0000 Subject: Rename our early tags to match the new naming scheme svn path=/patches/; revision=31 --- .../README | 42 ++++++++++ .../appletalk-length-mismatch.patch | 93 ++++++++++++++++++++++ .../cm4040-buffer-overflow.patch | 44 ++++++++++ .../core-dump-unreadable-PT_INTERP.patch | 70 ++++++++++++++++ .../ipv6_fl_socklist-no-share.patch | 32 ++++++++ .../ipv6_getsockopt_sticky-null-opt.patch | 42 ++++++++++ .../keys-serial-num-collision.patch | 92 +++++++++++++++++++++ .../netlink-infinite-recursion.patch | 65 +++++++++++++++ .../nf_conntrack-set-nfctinfo.patch | 35 ++++++++ .../nfnetlink_log-null-deref.patch | 37 +++++++++ .../nl_fib_lookup-oops.patch | 34 ++++++++ .../README | 42 ---------- .../appletalk-length-mismatch.patch | 93 ---------------------- .../cm4040-buffer-overflow.patch | 44 ---------- .../core-dump-unreadable-PT_INTERP.patch | 70 ---------------- .../ipv6_fl_socklist-no-share.patch | 32 -------- .../ipv6_getsockopt_sticky-null-opt.patch | 42 ---------- .../keys-serial-num-collision.patch | 92 --------------------- .../netlink-infinite-recursion.patch | 65 --------------- .../nf_conntrack-set-nfctinfo.patch | 35 -------- .../nfnetlink_log-null-deref.patch | 37 --------- .../nl_fib_lookup-oops.patch | 34 -------- ...nux-2.6-xen-x86_64-silence-up-apic-errors.patch | 13 +++ .../0956-linux-2.6-fix-x86_64-smp.patch | 19 +++++ .../0957-linux-2.6-fix-x86_64-vgetcpu.patch | 65 +++++++++++++++ ...-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch | 46 +++++++++++ ...0959-linux-2.6-xen-fix-nosegneg-detection.patch | 29 +++++++ ...nux-2.6-xen-x86_64-silence-up-apic-errors.patch | 13 +++ .../0956-linux-2.6-fix-x86_64-smp.patch | 19 +++++ .../0957-linux-2.6-fix-x86_64-vgetcpu.patch | 65 +++++++++++++++ ...-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch | 46 +++++++++++ ...0959-linux-2.6-xen-fix-nosegneg-detection.patch | 29 +++++++ .../0960-linux-2.6-xen-blkfront-wait-add.patch | 85 ++++++++++++++++++++ .../1665-linux-2.6-disable-netback-checksum.patch | 37 +++++++++ .../3000-linux-2.6-acpi-config_pm-poweroff.patch | 38 +++++++++ ...nux-2.6-xen-x86_64-silence-up-apic-errors.patch | 13 --- .../0956-linux-2.6-fix-x86_64-smp.patch | 19 ----- .../0957-linux-2.6-fix-x86_64-vgetcpu.patch | 65 --------------- ...-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch | 46 ----------- ...0959-linux-2.6-xen-fix-nosegneg-detection.patch | 29 ------- ...nux-2.6-xen-x86_64-silence-up-apic-errors.patch | 13 --- .../0956-linux-2.6-fix-x86_64-smp.patch | 19 ----- .../0957-linux-2.6-fix-x86_64-vgetcpu.patch | 65 --------------- ...-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch | 46 ----------- ...0959-linux-2.6-xen-fix-nosegneg-detection.patch | 29 ------- .../0960-linux-2.6-xen-blkfront-wait-add.patch | 85 -------------------- .../1665-linux-2.6-disable-netback-checksum.patch | 37 --------- .../3000-linux-2.6-acpi-config_pm-poweroff.patch | 38 --------- 48 files changed, 1090 insertions(+), 1090 deletions(-) create mode 100644 tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/README create mode 100644 tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch create mode 100644 tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch create mode 100644 tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch create mode 100644 tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch create mode 100644 tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch create mode 100644 tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch create mode 100644 tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch create mode 100644 tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch create mode 100644 tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch create mode 100644 tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch delete mode 100644 tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/README delete mode 100644 tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch delete mode 100644 tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch delete mode 100644 tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch delete mode 100644 tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch delete mode 100644 tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch delete mode 100644 tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch delete mode 100644 tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch delete mode 100644 tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch delete mode 100644 tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch delete mode 100644 tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch create mode 100644 tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch create mode 100644 tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0956-linux-2.6-fix-x86_64-smp.patch create mode 100644 tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch create mode 100644 tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch create mode 100644 tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch create mode 100644 tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch create mode 100644 tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0956-linux-2.6-fix-x86_64-smp.patch create mode 100644 tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch create mode 100644 tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch create mode 100644 tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch create mode 100644 tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0960-linux-2.6-xen-blkfront-wait-add.patch create mode 100644 tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/1665-linux-2.6-disable-netback-checksum.patch create mode 100644 tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/3000-linux-2.6-acpi-config_pm-poweroff.patch delete mode 100644 tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch delete mode 100644 tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0956-linux-2.6-fix-x86_64-smp.patch delete mode 100644 tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch delete mode 100644 tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch delete mode 100644 tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch delete mode 100644 tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch delete mode 100644 tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0956-linux-2.6-fix-x86_64-smp.patch delete mode 100644 tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch delete mode 100644 tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch delete mode 100644 tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch delete mode 100644 tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0960-linux-2.6-xen-blkfront-wait-add.patch delete mode 100644 tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/1665-linux-2.6-disable-netback-checksum.patch delete mode 100644 tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/3000-linux-2.6-acpi-config_pm-poweroff.patch diff --git a/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/README b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/README new file mode 100644 index 0000000..4cce70c --- /dev/null +++ b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/README @@ -0,0 +1,42 @@ + * bugfix/nfnetlink_log-null-deref.patch + [SECURITY] Fix remotely exploitable NULL pointer dereference in + nfulnl_recv_config() + See CVE-2007-1496 + * bugfix/nf_conntrack-set-nfctinfo.patch + [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED, + which allows remote attackers to bypass certain rulesets + See CVE-2007-1497 + * bugfix/netlink-infinite-recursion.patch + [SECURITY] Fix infinite recursion bug in netlink + See CVE-2007-1861 + * bugfix/nl_fib_lookup-oops.patch + Add fix for oops bug added by previous patch + * bugfix/core-dump-unreadable-PT_INTERP.patch + [SECURITY] Fix a vulnerability that allows local users to read + otherwise unreadable (but executable) files by triggering a core dump. + See CVE-2007-0958 + * bugfix/appletalk-length-mismatch.patch + [SECURITY] Fix a remote DoS (crash) in appletalk + Depends upon bugfix/appletalk-endianness-annotations.patch + See CVE-2007-1357 + * bugfix/cm4040-buffer-overflow.patch + [SECURITY] Fix a buffer overflow in the Omnikey CardMan 4040 driver + See CVE-2007-0005 + * bugfix/ipv6_fl_socklist-no-share.patch + [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing + ipv6_fl_socklist between the listening socket and the socket created + for connection. + See CVE-2007-1592 + * bugfix/keys-serial-num-collision.patch + [SECURITY] Fix the key serial number collision avoidance code in + key_alloc_serial() that could lead to a local DoS (oops). + (closes: #398470) + See CVE-2007-0006 + * bugfix/ipv6_getsockopt_sticky-null-opt.patch + [SECURITY] Fix NULL dereference in ipv6_setsockopt that could lead + to a local DoS (oops). + See CVE-2007-1388 + * bugfix/ipv6_getsockopt_sticky-null-opt.patch + [SECURITY] Fix kernel memory leak vulnerability in + ipv6_getsockopt_sticky() which can be triggered by passing a len < 0. + See CVE-2007-1000 diff --git a/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch new file mode 100644 index 0000000..b82c4fe --- /dev/null +++ b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch @@ -0,0 +1,93 @@ +From: Jean Delvare +Date: Thu, 5 Apr 2007 06:52:46 +0000 (-0700) +Subject: [APPLETALK]: Fix a remotely triggerable crash +X-Git-Tag: v2.6.21-rc6~3 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=75559c167bddc1254db5bcff032ad5eed8bd6f4a + +[APPLETALK]: Fix a remotely triggerable crash + +When we receive an AppleTalk frame shorter than what its header says, +we still attempt to verify its checksum, and trip on the BUG_ON() at +the end of function atalk_sum_skb() because of the length mismatch. + +This has security implications because this can be triggered by simply +sending a specially crafted ethernet frame to a target victim, +effectively crashing that host. Thus this qualifies, I think, as a +remote DoS. Here is the frame I used to trigger the crash, in npg +format: + + +{ +# Ethernet header ----- + + XX XX XX XX XX XX # Destination MAC + 00 00 00 00 00 00 # Source MAC + 00 1D # Length + +# LLC header ----- + + AA AA 03 + 08 00 07 80 9B # Appletalk + +# Appletalk header ----- + + 00 1B # Packet length (invalid) + 00 01 # Fake checksum + 00 00 00 00 # Destination and source networks + 00 00 00 00 # Destination and source nodes and ports + +# Payload ----- + + 0C 0D 0E 0F 10 11 12 13 + 14 +} + +The destination MAC address must be set to those of the victim. + +The severity is mitigated by two requirements: +* The target host must have the appletalk kernel module loaded. I + suspect this isn't so frequent. +* AppleTalk frames are non-IP, thus I guess they can only travel on + local networks. I am no network expert though, maybe it is possible + to somehow encapsulate AppleTalk packets over IP. + +The bug has been reported back in June 2004: + http://bugzilla.kernel.org/show_bug.cgi?id=2979 +But it wasn't investigated, and was closed in July 2006 as both +reporters had vanished meanwhile. + +This code was new in kernel 2.6.0-test5: + http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2 +And not modified since then, so we can assume that vanilla kernels +2.6.0-test5 and later, and distribution kernels based thereon, are +affected. + +Note that I still do not know for sure what triggered the bug in the +real-world cases. The frame could have been corrupted by the kernel if +we have a bug hiding somewhere. But more likely, we are receiving the +faulty frame from the network. + +Signed-off-by: Jean Delvare +Signed-off-by: David S. Miller +--- + +diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c +index 113c175..c8b7dc2 100644 +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1417,10 +1417,13 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev, + /* + * Size check to see if ddp->deh_len was crap + * (Otherwise we'll detonate most spectacularly +- * in the middle of recvmsg()). ++ * in the middle of atalk_checksum() or recvmsg()). + */ +- if (skb->len < sizeof(*ddp)) ++ if (skb->len < sizeof(*ddp) || skb->len < (len_hops & 1023)) { ++ pr_debug("AppleTalk: dropping corrupted frame (deh_len=%u, " ++ "skb->len=%u)\n", len_hops & 1023, skb->len); + goto freeit; ++ } + + /* + * Any checksums. Note we don't do htons() on this == is assumed to be diff --git a/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch new file mode 100644 index 0000000..3047ff6 --- /dev/null +++ b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch @@ -0,0 +1,44 @@ +From: Marcel Holtmann +Date: Tue, 6 Mar 2007 21:12:00 +0000 (+0100) +Subject: [PATCH] Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005) +X-Git-Tag: v2.6.21-rc3~17 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=059819a41d4331316dd8ddcf977a24ab338f4300 + +[PATCH] Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005) + +Based on a patch from Don Howard + +When calling write() with a buffer larger than 512 bytes, the +driver's write buffer overflows, allowing to overwrite the EIP and +execute arbitrary code with kernel privileges. + +In read(), there exists a similar problem, but coming from the device. +A malicous or buggy device sending more than 512 bytes can overflow +of the driver's read buffer, with the same effects as above. + +Signed-off-by: Marcel Holtmann +Signed-off-by: Harald Welte +Signed-off-by: Linus Torvalds +--- + +diff --git a/drivers/char/pcmcia/cm4040_cs.c b/drivers/char/pcmcia/cm4040_cs.c +index 0e82968..f2e4ec4 100644 +--- a/drivers/char/pcmcia/cm4040_cs.c ++++ b/drivers/char/pcmcia/cm4040_cs.c +@@ -273,6 +273,7 @@ static ssize_t cm4040_read(struct file *filp, char __user *buf, + DEBUGP(6, dev, "BytesToRead=%lu\n", bytes_to_read); + + min_bytes_to_read = min(count, bytes_to_read + 5); ++ min_bytes_to_read = min_t(size_t, min_bytes_to_read, READ_WRITE_BUFFER_SIZE); + + DEBUGP(6, dev, "Min=%lu\n", min_bytes_to_read); + +@@ -340,7 +341,7 @@ static ssize_t cm4040_write(struct file *filp, const char __user *buf, + return 0; + } + +- if (count < 5) { ++ if ((count < 5) || (count > READ_WRITE_BUFFER_SIZE)) { + DEBUGP(2, dev, "<- cm4040_write buffersize=%Zd < 5\n", count); + return -EIO; + } diff --git a/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch new file mode 100644 index 0000000..33c7c4f --- /dev/null +++ b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch @@ -0,0 +1,70 @@ +From: Alexey Dobriyan +Date: Fri, 26 Jan 2007 08:57:16 +0000 (-0800) +Subject: [PATCH] core-dumping unreadable binaries via PT_INTERP +X-Git-Tag: v2.6.20-rc7^0~60 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1fb844961818ce94e782acf6a96b92dc2303553b + +[PATCH] core-dumping unreadable binaries via PT_INTERP + +Proposed patch to fix #5 in +http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt +aka +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073 + +To reproduce, do +* grab poc at the end of advisory. +* add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;" + where first "4096" is something equal to or greater than 4096. +* ./poc /usr/bin/sudo && ls -l + +Here I get with 2.6.20-rc5: + + -rw------- 1 ad ad 102400 2007-01-15 19:17 core + ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo + +Check for MAY_READ like binfmt_misc.c does. + +Signed-off-by: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +--- + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index 90461f4..669dbe5 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -682,6 +682,15 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) + retval = PTR_ERR(interpreter); + if (IS_ERR(interpreter)) + goto out_free_interp; ++ ++ /* ++ * If the binary is not readable then enforce ++ * mm->dumpable = 0 regardless of the interpreter's ++ * permissions. ++ */ ++ if (file_permission(interpreter, MAY_READ) < 0) ++ bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP; ++ + retval = kernel_read(interpreter, 0, bprm->buf, + BINPRM_BUF_SIZE); + if (retval != BINPRM_BUF_SIZE) { +diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c +index 6e6d456..a4d933a 100644 +--- a/fs/binfmt_elf_fdpic.c ++++ b/fs/binfmt_elf_fdpic.c +@@ -234,6 +234,14 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm, + goto error; + } + ++ /* ++ * If the binary is not readable then enforce ++ * mm->dumpable = 0 regardless of the interpreter's ++ * permissions. ++ */ ++ if (file_permission(interpreter, MAY_READ) < 0) ++ bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP; ++ + retval = kernel_read(interpreter, 0, bprm->buf, + BINPRM_BUF_SIZE); + if (retval < 0) diff --git a/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch new file mode 100644 index 0000000..8749435 --- /dev/null +++ b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch @@ -0,0 +1,32 @@ +From: Masayuki Nakagawa +Date: Fri, 16 Mar 2007 23:14:03 +0000 (-0700) +Subject: [IPV6]: ipv6_fl_socklist is inadvertently shared. +X-Git-Tag: v2.6.21-rc5~72^2 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d35690beda1429544d46c8eb34b2e3a8c37ab299 + +[IPV6]: ipv6_fl_socklist is inadvertently shared. + +The ipv6_fl_socklist from listening socket is inadvertently shared +with new socket created for connection. This leads to a variety of +interesting, but fatal, bugs. For example, removing one of the +sockets may lead to the other socket's encountering a page fault +when the now freed list is referenced. + +The fix is to not share the flow label list with the new socket. + +Signed-off-by: Masayuki Nakagawa +Signed-off-by: David S. Miller +--- + +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index f57a9ba..92f9992 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1453,6 +1453,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, + First: no IPv4 options. + */ + newinet->opt = NULL; ++ newnp->ipv6_fl_list = NULL; + + /* Clone RX bits */ + newnp->rxopt.all = np->rxopt.all; diff --git a/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch new file mode 100644 index 0000000..1a124c2 --- /dev/null +++ b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch @@ -0,0 +1,42 @@ +From: David S. Miller +Date: Wed, 7 Mar 2007 20:50:46 +0000 (-0800) +Subject: [IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky(). +X-Git-Tag: v2.6.21-rc4~99^2~7 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=286930797d74b2c9a5beae84836044f6a836235f + +[IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky(). + +Signed-off-by: David S. Miller +--- + +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c +index 286c867..4e0561a 100644 +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -795,11 +795,15 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname, + EXPORT_SYMBOL(compat_ipv6_setsockopt); + #endif + +-static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_opt_hdr *hdr, ++static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt, + char __user *optval, int len) + { +- if (!hdr) ++ struct ipv6_opt_hdr *hdr; ++ ++ if (!opt || !opt->hopopt) + return 0; ++ hdr = opt->hopopt; ++ + len = min_t(int, len, ipv6_optlen(hdr)); + if (copy_to_user(optval, hdr, ipv6_optlen(hdr))) + return -EFAULT; +@@ -940,7 +944,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname, + { + + lock_sock(sk); +- len = ipv6_getsockopt_sticky(sk, np->opt->hopopt, ++ len = ipv6_getsockopt_sticky(sk, np->opt, + optval, len); + release_sock(sk); + return put_user(len, optlen); diff --git a/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch new file mode 100644 index 0000000..9875900 --- /dev/null +++ b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch @@ -0,0 +1,92 @@ +From: David Howells +Date: Tue, 6 Feb 2007 13:45:51 +0000 (+0000) +Subject: [PATCH] Keys: Fix key serial number collision handling +X-Git-Tag: v2.6.21-rc2~42^2~22 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9ad0830f307bcd8dc285cfae58998d43b21727f4 + +[PATCH] Keys: Fix key serial number collision handling + +Fix the key serial number collision avoidance code in key_alloc_serial(). + +This didn't use to be so much of a problem as the key serial numbers were +allocated from a simple incremental counter, and it would have to go through +two billion keys before it could possibly encounter a collision. However, now +that random numbers are used instead, collisions are much more likely. + +This is fixed by finding a hole in the rbtree where the next unused serial +number ought to be and using that by going almost back to the top of the +insertion routine and redoing the insertion with the new serial number rather +than trying to be clever and attempting to work out the insertion point +pointer directly. + +This fixes kernel BZ #7727. + +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +--- + +diff --git a/security/keys/key.c b/security/keys/key.c +index ac9326c..700400d 100644 +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -188,6 +188,7 @@ static inline void key_alloc_serial(struct key *key) + + spin_lock(&key_serial_lock); + ++attempt_insertion: + parent = NULL; + p = &key_serial_tree.rb_node; + +@@ -202,39 +203,33 @@ static inline void key_alloc_serial(struct key *key) + else + goto serial_exists; + } +- goto insert_here; ++ ++ /* we've found a suitable hole - arrange for this key to occupy it */ ++ rb_link_node(&key->serial_node, parent, p); ++ rb_insert_color(&key->serial_node, &key_serial_tree); ++ ++ spin_unlock(&key_serial_lock); ++ return; + + /* we found a key with the proposed serial number - walk the tree from + * that point looking for the next unused serial number */ + serial_exists: + for (;;) { + key->serial++; +- if (key->serial < 2) +- key->serial = 2; +- +- if (!rb_parent(parent)) +- p = &key_serial_tree.rb_node; +- else if (rb_parent(parent)->rb_left == parent) +- p = &(rb_parent(parent)->rb_left); +- else +- p = &(rb_parent(parent)->rb_right); ++ if (key->serial < 3) { ++ key->serial = 3; ++ goto attempt_insertion; ++ } + + parent = rb_next(parent); + if (!parent) +- break; ++ goto attempt_insertion; + + xkey = rb_entry(parent, struct key, serial_node); + if (key->serial < xkey->serial) +- goto insert_here; ++ goto attempt_insertion; + } + +- /* we've found a suitable hole - arrange for this key to occupy it */ +-insert_here: +- rb_link_node(&key->serial_node, parent, p); +- rb_insert_color(&key->serial_node, &key_serial_tree); +- +- spin_unlock(&key_serial_lock); +- + } /* end key_alloc_serial() */ + + /*****************************************************************************/ diff --git a/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch new file mode 100644 index 0000000..df76325 --- /dev/null +++ b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch @@ -0,0 +1,65 @@ +From: Alexey Kuznetsov +Date: Wed, 25 Apr 2007 20:59:03 +0000 (+0000) +Subject: [PATCH] NETLINK: Infinite recursion in netlink. +X-Git-Tag: v2.6.20.8~1 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=9bc1779885f4ce1a4257c5640c70b75d2ae124ad + +[PATCH] NETLINK: Infinite recursion in netlink. + +[NETLINK]: Infinite recursion in netlink. + +Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel, +which resulted in infinite recursion and stack overflow. + +The bug is present in all kernel versions since the feature appeared. + +The patch also makes some minimal cleanup: + +1. Return something consistent (-ENOENT) when fib table is missing +2. Do not crash when queue is empty (does not happen, but yet) +3. Put result of lookup + +Signed-off-by: Alexey Kuznetsov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + +diff -urN linux-source-2.6.18.orig/net/ipv4/fib_frontend.c linux-source-2.6.18/net/ipv4/fib_frontend.c +--- linux-source-2.6.18.orig/net/ipv4/fib_frontend.c 2006-09-19 21:42:06.000000000 -0600 ++++ linux-source-2.6.18/net/ipv4/fib_frontend.c 2007-05-01 15:21:37.000000000 -0600 +@@ -524,6 +524,8 @@ + .fwmark = frn->fl_fwmark, + .tos = frn->fl_tos, + .scope = frn->fl_scope } } }; ++ ++ frn->err = -ENOENT; + if (tb) { + local_bh_disable(); + +@@ -535,6 +537,7 @@ + frn->nh_sel = res.nh_sel; + frn->type = res.type; + frn->scope = res.scope; ++ fib_res_put(&res); + } + local_bh_enable(); + } +@@ -549,6 +552,9 @@ + struct fib_table *tb; + + skb = skb_dequeue(&sk->sk_receive_queue); ++ if (skb == NULL) ++ return; ++ + nlh = (struct nlmsghdr *)skb->data; + if (skb->len < NLMSG_SPACE(0) || skb->len < nlh->nlmsg_len || + nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*frn))) { +@@ -561,7 +567,7 @@ + + nl_fib_lookup(frn, tb); + +- pid = nlh->nlmsg_pid; /*pid of sending process */ ++ pid = NETLINK_CB(skb).pid; /* pid of sending process */ + NETLINK_CB(skb).pid = 0; /* from kernel */ + NETLINK_CB(skb).dst_pid = pid; + NETLINK_CB(skb).dst_group = 0; /* unicast */ diff --git a/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch new file mode 100644 index 0000000..f540a67 --- /dev/null +++ b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch @@ -0,0 +1,35 @@ +From: Patrick McHardy +Date: Wed, 7 Mar 2007 21:34:42 +0000 (+0100) +Subject: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED +X-Git-Tag: v2.6.20.3~11 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7 + +nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED + +[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED + +The individual fragments of a packet reassembled by conntrack have the +conntrack reference from the reassembled packet attached, but nfctinfo +is not copied. This leaves it initialized to 0, which unfortunately is +the value of IP_CT_ESTABLISHED. + +The result is that all IPv6 fragments are tracked as ESTABLISHED, +allowing them to bypass a usual ruleset which accepts ESTABLISHED +packets early. + +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman +--- + +diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +index a20615f..6155b80 100644 +--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c ++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum, + } + nf_conntrack_get(reasm->nfct); + (*pskb)->nfct = reasm->nfct; ++ (*pskb)->nfctinfo = reasm->nfctinfo; + return NF_ACCEPT; + } + diff --git a/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch new file mode 100644 index 0000000..b86a409 --- /dev/null +++ b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch @@ -0,0 +1,37 @@ +From: Michal Miroslaw +Date: Sun, 4 Mar 2007 23:59:20 +0000 (-0800) +Subject: [NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference +X-Git-Tag: v2.6.21~469^2~10 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=dd16704eba171b32ef0cded3a4f562b33b911066 + +[NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference + +Eliminate possible NULL pointer dereference in nfulnl_recv_config(). + +Signed-off-by: Michal Miroslaw +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +--- + +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index 1b94051..b669db5 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -858,6 +858,9 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, + ret = -EINVAL; + break; + } ++ ++ if (!inst) ++ goto out; + } else { + if (!inst) { + UDEBUG("no config command, and no instance for " +@@ -911,6 +914,7 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, + + out_put: + instance_put(inst); ++out: + return ret; + } + diff --git a/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch new file mode 100644 index 0000000..c0547fa --- /dev/null +++ b/tags/2.6.18-0/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch @@ -0,0 +1,34 @@ +From: Sergey Vlasov +Date: Fri, 27 Apr 2007 09:18:35 +0000 (-0700) +Subject: IPV4: Fix OOPS'er added to netlink fib. +X-Git-Tag: v2.6.20.10~2 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=6af3412cff50b9a7b12b7b9cf6f01b34fbae4624 + +IPV4: Fix OOPS'er added to netlink fib. + +[IPV4] nl_fib_lookup: Initialise res.r before fib_res_put(&res) + +When CONFIG_IP_MULTIPLE_TABLES is enabled, the code in nl_fib_lookup() +needs to initialize the res.r field before fib_res_put(&res) - unlike +fib_lookup(), a direct call to ->tb_lookup does not set this field. + +Signed-off-by: Sergey Vlasov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index fa2cb8c..30aae76 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -773,6 +773,10 @@ static void nl_fib_lookup(struct fib_result_nl *frn, struct fib_table *tb ) + .tos = frn->fl_tos, + .scope = frn->fl_scope } } }; + ++#ifdef CONFIG_IP_MULTIPLE_TABLES ++ res.r = NULL; ++#endif ++ + frn->err = -ENOENT; + if (tb) { + local_bh_disable(); diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/README b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/README deleted file mode 100644 index 4cce70c..0000000 --- a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/README +++ /dev/null @@ -1,42 +0,0 @@ - * bugfix/nfnetlink_log-null-deref.patch - [SECURITY] Fix remotely exploitable NULL pointer dereference in - nfulnl_recv_config() - See CVE-2007-1496 - * bugfix/nf_conntrack-set-nfctinfo.patch - [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED, - which allows remote attackers to bypass certain rulesets - See CVE-2007-1497 - * bugfix/netlink-infinite-recursion.patch - [SECURITY] Fix infinite recursion bug in netlink - See CVE-2007-1861 - * bugfix/nl_fib_lookup-oops.patch - Add fix for oops bug added by previous patch - * bugfix/core-dump-unreadable-PT_INTERP.patch - [SECURITY] Fix a vulnerability that allows local users to read - otherwise unreadable (but executable) files by triggering a core dump. - See CVE-2007-0958 - * bugfix/appletalk-length-mismatch.patch - [SECURITY] Fix a remote DoS (crash) in appletalk - Depends upon bugfix/appletalk-endianness-annotations.patch - See CVE-2007-1357 - * bugfix/cm4040-buffer-overflow.patch - [SECURITY] Fix a buffer overflow in the Omnikey CardMan 4040 driver - See CVE-2007-0005 - * bugfix/ipv6_fl_socklist-no-share.patch - [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing - ipv6_fl_socklist between the listening socket and the socket created - for connection. - See CVE-2007-1592 - * bugfix/keys-serial-num-collision.patch - [SECURITY] Fix the key serial number collision avoidance code in - key_alloc_serial() that could lead to a local DoS (oops). - (closes: #398470) - See CVE-2007-0006 - * bugfix/ipv6_getsockopt_sticky-null-opt.patch - [SECURITY] Fix NULL dereference in ipv6_setsockopt that could lead - to a local DoS (oops). - See CVE-2007-1388 - * bugfix/ipv6_getsockopt_sticky-null-opt.patch - [SECURITY] Fix kernel memory leak vulnerability in - ipv6_getsockopt_sticky() which can be triggered by passing a len < 0. - See CVE-2007-1000 diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch deleted file mode 100644 index b82c4fe..0000000 --- a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch +++ /dev/null @@ -1,93 +0,0 @@ -From: Jean Delvare -Date: Thu, 5 Apr 2007 06:52:46 +0000 (-0700) -Subject: [APPLETALK]: Fix a remotely triggerable crash -X-Git-Tag: v2.6.21-rc6~3 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=75559c167bddc1254db5bcff032ad5eed8bd6f4a - -[APPLETALK]: Fix a remotely triggerable crash - -When we receive an AppleTalk frame shorter than what its header says, -we still attempt to verify its checksum, and trip on the BUG_ON() at -the end of function atalk_sum_skb() because of the length mismatch. - -This has security implications because this can be triggered by simply -sending a specially crafted ethernet frame to a target victim, -effectively crashing that host. Thus this qualifies, I think, as a -remote DoS. Here is the frame I used to trigger the crash, in npg -format: - - -{ -# Ethernet header ----- - - XX XX XX XX XX XX # Destination MAC - 00 00 00 00 00 00 # Source MAC - 00 1D # Length - -# LLC header ----- - - AA AA 03 - 08 00 07 80 9B # Appletalk - -# Appletalk header ----- - - 00 1B # Packet length (invalid) - 00 01 # Fake checksum - 00 00 00 00 # Destination and source networks - 00 00 00 00 # Destination and source nodes and ports - -# Payload ----- - - 0C 0D 0E 0F 10 11 12 13 - 14 -} - -The destination MAC address must be set to those of the victim. - -The severity is mitigated by two requirements: -* The target host must have the appletalk kernel module loaded. I - suspect this isn't so frequent. -* AppleTalk frames are non-IP, thus I guess they can only travel on - local networks. I am no network expert though, maybe it is possible - to somehow encapsulate AppleTalk packets over IP. - -The bug has been reported back in June 2004: - http://bugzilla.kernel.org/show_bug.cgi?id=2979 -But it wasn't investigated, and was closed in July 2006 as both -reporters had vanished meanwhile. - -This code was new in kernel 2.6.0-test5: - http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2 -And not modified since then, so we can assume that vanilla kernels -2.6.0-test5 and later, and distribution kernels based thereon, are -affected. - -Note that I still do not know for sure what triggered the bug in the -real-world cases. The frame could have been corrupted by the kernel if -we have a bug hiding somewhere. But more likely, we are receiving the -faulty frame from the network. - -Signed-off-by: Jean Delvare -Signed-off-by: David S. Miller ---- - -diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c -index 113c175..c8b7dc2 100644 ---- a/net/appletalk/ddp.c -+++ b/net/appletalk/ddp.c -@@ -1417,10 +1417,13 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev, - /* - * Size check to see if ddp->deh_len was crap - * (Otherwise we'll detonate most spectacularly -- * in the middle of recvmsg()). -+ * in the middle of atalk_checksum() or recvmsg()). - */ -- if (skb->len < sizeof(*ddp)) -+ if (skb->len < sizeof(*ddp) || skb->len < (len_hops & 1023)) { -+ pr_debug("AppleTalk: dropping corrupted frame (deh_len=%u, " -+ "skb->len=%u)\n", len_hops & 1023, skb->len); - goto freeit; -+ } - - /* - * Any checksums. Note we don't do htons() on this == is assumed to be diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch deleted file mode 100644 index 3047ff6..0000000 --- a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: Marcel Holtmann -Date: Tue, 6 Mar 2007 21:12:00 +0000 (+0100) -Subject: [PATCH] Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005) -X-Git-Tag: v2.6.21-rc3~17 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=059819a41d4331316dd8ddcf977a24ab338f4300 - -[PATCH] Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005) - -Based on a patch from Don Howard - -When calling write() with a buffer larger than 512 bytes, the -driver's write buffer overflows, allowing to overwrite the EIP and -execute arbitrary code with kernel privileges. - -In read(), there exists a similar problem, but coming from the device. -A malicous or buggy device sending more than 512 bytes can overflow -of the driver's read buffer, with the same effects as above. - -Signed-off-by: Marcel Holtmann -Signed-off-by: Harald Welte -Signed-off-by: Linus Torvalds ---- - -diff --git a/drivers/char/pcmcia/cm4040_cs.c b/drivers/char/pcmcia/cm4040_cs.c -index 0e82968..f2e4ec4 100644 ---- a/drivers/char/pcmcia/cm4040_cs.c -+++ b/drivers/char/pcmcia/cm4040_cs.c -@@ -273,6 +273,7 @@ static ssize_t cm4040_read(struct file *filp, char __user *buf, - DEBUGP(6, dev, "BytesToRead=%lu\n", bytes_to_read); - - min_bytes_to_read = min(count, bytes_to_read + 5); -+ min_bytes_to_read = min_t(size_t, min_bytes_to_read, READ_WRITE_BUFFER_SIZE); - - DEBUGP(6, dev, "Min=%lu\n", min_bytes_to_read); - -@@ -340,7 +341,7 @@ static ssize_t cm4040_write(struct file *filp, const char __user *buf, - return 0; - } - -- if (count < 5) { -+ if ((count < 5) || (count > READ_WRITE_BUFFER_SIZE)) { - DEBUGP(2, dev, "<- cm4040_write buffersize=%Zd < 5\n", count); - return -EIO; - } diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch deleted file mode 100644 index 33c7c4f..0000000 --- a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch +++ /dev/null @@ -1,70 +0,0 @@ -From: Alexey Dobriyan -Date: Fri, 26 Jan 2007 08:57:16 +0000 (-0800) -Subject: [PATCH] core-dumping unreadable binaries via PT_INTERP -X-Git-Tag: v2.6.20-rc7^0~60 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1fb844961818ce94e782acf6a96b92dc2303553b - -[PATCH] core-dumping unreadable binaries via PT_INTERP - -Proposed patch to fix #5 in -http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt -aka -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073 - -To reproduce, do -* grab poc at the end of advisory. -* add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;" - where first "4096" is something equal to or greater than 4096. -* ./poc /usr/bin/sudo && ls -l - -Here I get with 2.6.20-rc5: - - -rw------- 1 ad ad 102400 2007-01-15 19:17 core - ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo - -Check for MAY_READ like binfmt_misc.c does. - -Signed-off-by: Alexey Dobriyan -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds ---- - -diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 90461f4..669dbe5 100644 ---- a/fs/binfmt_elf.c -+++ b/fs/binfmt_elf.c -@@ -682,6 +682,15 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) - retval = PTR_ERR(interpreter); - if (IS_ERR(interpreter)) - goto out_free_interp; -+ -+ /* -+ * If the binary is not readable then enforce -+ * mm->dumpable = 0 regardless of the interpreter's -+ * permissions. -+ */ -+ if (file_permission(interpreter, MAY_READ) < 0) -+ bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP; -+ - retval = kernel_read(interpreter, 0, bprm->buf, - BINPRM_BUF_SIZE); - if (retval != BINPRM_BUF_SIZE) { -diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c -index 6e6d456..a4d933a 100644 ---- a/fs/binfmt_elf_fdpic.c -+++ b/fs/binfmt_elf_fdpic.c -@@ -234,6 +234,14 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm, - goto error; - } - -+ /* -+ * If the binary is not readable then enforce -+ * mm->dumpable = 0 regardless of the interpreter's -+ * permissions. -+ */ -+ if (file_permission(interpreter, MAY_READ) < 0) -+ bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP; -+ - retval = kernel_read(interpreter, 0, bprm->buf, - BINPRM_BUF_SIZE); - if (retval < 0) diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch deleted file mode 100644 index 8749435..0000000 --- a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Masayuki Nakagawa -Date: Fri, 16 Mar 2007 23:14:03 +0000 (-0700) -Subject: [IPV6]: ipv6_fl_socklist is inadvertently shared. -X-Git-Tag: v2.6.21-rc5~72^2 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d35690beda1429544d46c8eb34b2e3a8c37ab299 - -[IPV6]: ipv6_fl_socklist is inadvertently shared. - -The ipv6_fl_socklist from listening socket is inadvertently shared -with new socket created for connection. This leads to a variety of -interesting, but fatal, bugs. For example, removing one of the -sockets may lead to the other socket's encountering a page fault -when the now freed list is referenced. - -The fix is to not share the flow label list with the new socket. - -Signed-off-by: Masayuki Nakagawa -Signed-off-by: David S. Miller ---- - -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index f57a9ba..92f9992 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -1453,6 +1453,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, - First: no IPv4 options. - */ - newinet->opt = NULL; -+ newnp->ipv6_fl_list = NULL; - - /* Clone RX bits */ - newnp->rxopt.all = np->rxopt.all; diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch deleted file mode 100644 index 1a124c2..0000000 --- a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: David S. Miller -Date: Wed, 7 Mar 2007 20:50:46 +0000 (-0800) -Subject: [IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky(). -X-Git-Tag: v2.6.21-rc4~99^2~7 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=286930797d74b2c9a5beae84836044f6a836235f - -[IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky(). - -Signed-off-by: David S. Miller ---- - -diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c -index 286c867..4e0561a 100644 ---- a/net/ipv6/ipv6_sockglue.c -+++ b/net/ipv6/ipv6_sockglue.c -@@ -795,11 +795,15 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname, - EXPORT_SYMBOL(compat_ipv6_setsockopt); - #endif - --static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_opt_hdr *hdr, -+static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt, - char __user *optval, int len) - { -- if (!hdr) -+ struct ipv6_opt_hdr *hdr; -+ -+ if (!opt || !opt->hopopt) - return 0; -+ hdr = opt->hopopt; -+ - len = min_t(int, len, ipv6_optlen(hdr)); - if (copy_to_user(optval, hdr, ipv6_optlen(hdr))) - return -EFAULT; -@@ -940,7 +944,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname, - { - - lock_sock(sk); -- len = ipv6_getsockopt_sticky(sk, np->opt->hopopt, -+ len = ipv6_getsockopt_sticky(sk, np->opt, - optval, len); - release_sock(sk); - return put_user(len, optlen); diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch deleted file mode 100644 index 9875900..0000000 --- a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch +++ /dev/null @@ -1,92 +0,0 @@ -From: David Howells -Date: Tue, 6 Feb 2007 13:45:51 +0000 (+0000) -Subject: [PATCH] Keys: Fix key serial number collision handling -X-Git-Tag: v2.6.21-rc2~42^2~22 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9ad0830f307bcd8dc285cfae58998d43b21727f4 - -[PATCH] Keys: Fix key serial number collision handling - -Fix the key serial number collision avoidance code in key_alloc_serial(). - -This didn't use to be so much of a problem as the key serial numbers were -allocated from a simple incremental counter, and it would have to go through -two billion keys before it could possibly encounter a collision. However, now -that random numbers are used instead, collisions are much more likely. - -This is fixed by finding a hole in the rbtree where the next unused serial -number ought to be and using that by going almost back to the top of the -insertion routine and redoing the insertion with the new serial number rather -than trying to be clever and attempting to work out the insertion point -pointer directly. - -This fixes kernel BZ #7727. - -Signed-off-by: David Howells -Signed-off-by: Linus Torvalds ---- - -diff --git a/security/keys/key.c b/security/keys/key.c -index ac9326c..700400d 100644 ---- a/security/keys/key.c -+++ b/security/keys/key.c -@@ -188,6 +188,7 @@ static inline void key_alloc_serial(struct key *key) - - spin_lock(&key_serial_lock); - -+attempt_insertion: - parent = NULL; - p = &key_serial_tree.rb_node; - -@@ -202,39 +203,33 @@ static inline void key_alloc_serial(struct key *key) - else - goto serial_exists; - } -- goto insert_here; -+ -+ /* we've found a suitable hole - arrange for this key to occupy it */ -+ rb_link_node(&key->serial_node, parent, p); -+ rb_insert_color(&key->serial_node, &key_serial_tree); -+ -+ spin_unlock(&key_serial_lock); -+ return; - - /* we found a key with the proposed serial number - walk the tree from - * that point looking for the next unused serial number */ - serial_exists: - for (;;) { - key->serial++; -- if (key->serial < 2) -- key->serial = 2; -- -- if (!rb_parent(parent)) -- p = &key_serial_tree.rb_node; -- else if (rb_parent(parent)->rb_left == parent) -- p = &(rb_parent(parent)->rb_left); -- else -- p = &(rb_parent(parent)->rb_right); -+ if (key->serial < 3) { -+ key->serial = 3; -+ goto attempt_insertion; -+ } - - parent = rb_next(parent); - if (!parent) -- break; -+ goto attempt_insertion; - - xkey = rb_entry(parent, struct key, serial_node); - if (key->serial < xkey->serial) -- goto insert_here; -+ goto attempt_insertion; - } - -- /* we've found a suitable hole - arrange for this key to occupy it */ --insert_here: -- rb_link_node(&key->serial_node, parent, p); -- rb_insert_color(&key->serial_node, &key_serial_tree); -- -- spin_unlock(&key_serial_lock); -- - } /* end key_alloc_serial() */ - - /*****************************************************************************/ diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch deleted file mode 100644 index df76325..0000000 --- a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch +++ /dev/null @@ -1,65 +0,0 @@ -From: Alexey Kuznetsov -Date: Wed, 25 Apr 2007 20:59:03 +0000 (+0000) -Subject: [PATCH] NETLINK: Infinite recursion in netlink. -X-Git-Tag: v2.6.20.8~1 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=9bc1779885f4ce1a4257c5640c70b75d2ae124ad - -[PATCH] NETLINK: Infinite recursion in netlink. - -[NETLINK]: Infinite recursion in netlink. - -Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel, -which resulted in infinite recursion and stack overflow. - -The bug is present in all kernel versions since the feature appeared. - -The patch also makes some minimal cleanup: - -1. Return something consistent (-ENOENT) when fib table is missing -2. Do not crash when queue is empty (does not happen, but yet) -3. Put result of lookup - -Signed-off-by: Alexey Kuznetsov -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - -diff -urN linux-source-2.6.18.orig/net/ipv4/fib_frontend.c linux-source-2.6.18/net/ipv4/fib_frontend.c ---- linux-source-2.6.18.orig/net/ipv4/fib_frontend.c 2006-09-19 21:42:06.000000000 -0600 -+++ linux-source-2.6.18/net/ipv4/fib_frontend.c 2007-05-01 15:21:37.000000000 -0600 -@@ -524,6 +524,8 @@ - .fwmark = frn->fl_fwmark, - .tos = frn->fl_tos, - .scope = frn->fl_scope } } }; -+ -+ frn->err = -ENOENT; - if (tb) { - local_bh_disable(); - -@@ -535,6 +537,7 @@ - frn->nh_sel = res.nh_sel; - frn->type = res.type; - frn->scope = res.scope; -+ fib_res_put(&res); - } - local_bh_enable(); - } -@@ -549,6 +552,9 @@ - struct fib_table *tb; - - skb = skb_dequeue(&sk->sk_receive_queue); -+ if (skb == NULL) -+ return; -+ - nlh = (struct nlmsghdr *)skb->data; - if (skb->len < NLMSG_SPACE(0) || skb->len < nlh->nlmsg_len || - nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*frn))) { -@@ -561,7 +567,7 @@ - - nl_fib_lookup(frn, tb); - -- pid = nlh->nlmsg_pid; /*pid of sending process */ -+ pid = NETLINK_CB(skb).pid; /* pid of sending process */ - NETLINK_CB(skb).pid = 0; /* from kernel */ - NETLINK_CB(skb).dst_pid = pid; - NETLINK_CB(skb).dst_group = 0; /* unicast */ diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch deleted file mode 100644 index f540a67..0000000 --- a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: Patrick McHardy -Date: Wed, 7 Mar 2007 21:34:42 +0000 (+0100) -Subject: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED -X-Git-Tag: v2.6.20.3~11 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7 - -nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED - -[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED - -The individual fragments of a packet reassembled by conntrack have the -conntrack reference from the reassembled packet attached, but nfctinfo -is not copied. This leaves it initialized to 0, which unfortunately is -the value of IP_CT_ESTABLISHED. - -The result is that all IPv6 fragments are tracked as ESTABLISHED, -allowing them to bypass a usual ruleset which accepts ESTABLISHED -packets early. - -Signed-off-by: Patrick McHardy -Signed-off-by: Greg Kroah-Hartman ---- - -diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c -index a20615f..6155b80 100644 ---- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c -+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c -@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum, - } - nf_conntrack_get(reasm->nfct); - (*pskb)->nfct = reasm->nfct; -+ (*pskb)->nfctinfo = reasm->nfctinfo; - return NF_ACCEPT; - } - diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch deleted file mode 100644 index b86a409..0000000 --- a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Michal Miroslaw -Date: Sun, 4 Mar 2007 23:59:20 +0000 (-0800) -Subject: [NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference -X-Git-Tag: v2.6.21~469^2~10 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=dd16704eba171b32ef0cded3a4f562b33b911066 - -[NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference - -Eliminate possible NULL pointer dereference in nfulnl_recv_config(). - -Signed-off-by: Michal Miroslaw -Signed-off-by: Patrick McHardy -Signed-off-by: David S. Miller ---- - -diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c -index 1b94051..b669db5 100644 ---- a/net/netfilter/nfnetlink_log.c -+++ b/net/netfilter/nfnetlink_log.c -@@ -858,6 +858,9 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, - ret = -EINVAL; - break; - } -+ -+ if (!inst) -+ goto out; - } else { - if (!inst) { - UDEBUG("no config command, and no instance for " -@@ -911,6 +914,7 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, - - out_put: - instance_put(inst); -+out: - return ret; - } - diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch deleted file mode 100644 index c0547fa..0000000 --- a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Sergey Vlasov -Date: Fri, 27 Apr 2007 09:18:35 +0000 (-0700) -Subject: IPV4: Fix OOPS'er added to netlink fib. -X-Git-Tag: v2.6.20.10~2 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=6af3412cff50b9a7b12b7b9cf6f01b34fbae4624 - -IPV4: Fix OOPS'er added to netlink fib. - -[IPV4] nl_fib_lookup: Initialise res.r before fib_res_put(&res) - -When CONFIG_IP_MULTIPLE_TABLES is enabled, the code in nl_fib_lookup() -needs to initialize the res.r field before fib_res_put(&res) - unlike -fib_lookup(), a direct call to ->tb_lookup does not set this field. - -Signed-off-by: Sergey Vlasov -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - -diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c -index fa2cb8c..30aae76 100644 ---- a/net/ipv4/fib_frontend.c -+++ b/net/ipv4/fib_frontend.c -@@ -773,6 +773,10 @@ static void nl_fib_lookup(struct fib_result_nl *frn, struct fib_table *tb ) - .tos = frn->fl_tos, - .scope = frn->fl_scope } } }; - -+#ifdef CONFIG_IP_MULTIPLE_TABLES -+ res.r = NULL; -+#endif -+ - frn->err = -ENOENT; - if (tb) { - local_bh_disable(); diff --git a/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch new file mode 100644 index 0000000..788af81 --- /dev/null +++ b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch @@ -0,0 +1,13 @@ +diff -r 00cc4568f10f arch/x86_64/kernel/apic-xen.c +--- a/arch/x86_64/kernel/apic-xen.c Tue Jul 25 21:07:37 2006 +0200 ++++ b/arch/x86_64/kernel/apic-xen.c Tue Jul 25 21:17:54 2006 +0200 +@@ -174,7 +174,8 @@ asmlinkage void smp_error_interrupt(void + 6: Received illegal vector + 7: Illegal register address + */ +- printk (KERN_DEBUG "APIC error on CPU%d: %02x(%02x)\n", ++ if (num_online_cpus() > 1) ++ printk (KERN_DEBUG "APIC error on CPU%d: %02x(%02x)\n", + smp_processor_id(), v , v1); + irq_exit(); + } diff --git a/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0956-linux-2.6-fix-x86_64-smp.patch b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0956-linux-2.6-fix-x86_64-smp.patch new file mode 100644 index 0000000..24796a5 --- /dev/null +++ b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0956-linux-2.6-fix-x86_64-smp.patch @@ -0,0 +1,19 @@ +--- linux-2.6.20.noarch/arch/x86_64/kernel/time-xen.c~orig 2007-04-26 02:05:31.000000000 -0700 ++++ linux-2.6.20.noarch/arch/x86_64/kernel/time-xen.c 2007-04-26 02:02:27.000000000 -0700 +@@ -985,7 +985,7 @@ void time_resume(void) + #ifdef CONFIG_SMP + static char timer_name[NR_CPUS][15]; + +-void local_setup_timer(unsigned int cpu) ++int local_setup_timer(unsigned int cpu) + { + int seq; + +@@ -1009,6 +1009,7 @@ void local_setup_timer(unsigned int cpu) + timer_name[cpu], + NULL); + BUG_ON(per_cpu(timer_irq, cpu) < 0); ++ return 0; + } + + void local_teardown_timer(unsigned int cpu) diff --git a/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch new file mode 100644 index 0000000..17e0247 --- /dev/null +++ b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch @@ -0,0 +1,65 @@ +--- linux-2.6.20.noarch/arch/x86_64/kernel/vsyscall.c~orig 2007-04-26 02:05:31.000000000 -0700 ++++ linux-2.6.20.noarch/arch/x86_64/kernel/vsyscall.c 2007-04-26 15:11:02.000000000 -0700 +@@ -40,6 +40,9 @@ + #include + #include + #include ++#ifdef CONFIG_XEN ++#include ++#endif + + #define __vsyscall(nr) __attribute__ ((unused,__section__(".vsyscall_" #nr))) + #define __syscall_clobber "r11","rcx","memory" +@@ -246,12 +249,11 @@ + + #endif + +-#ifndef CONFIG_XEN + /* Assume __initcall executes before all user space. Hopefully kmod + doesn't violate that. We'll find out if it does. */ + static void __cpuinit vsyscall_set_cpu(int cpu) + { +- unsigned long *d; ++ unsigned long *d, n; + unsigned long node = 0; + #ifdef CONFIG_NUMA + node = cpu_to_node[cpu]; +@@ -263,10 +265,15 @@ + in user space in vgetcpu. + 12 bits for the CPU and 8 bits for the node. */ + d = (unsigned long *)(cpu_gdt(cpu) + GDT_ENTRY_PER_CPU); +- *d = 0x0f40000000000ULL; +- *d |= cpu; +- *d |= (node & 0xf) << 12; +- *d |= (node >> 4) << 48; ++ n = 0x0f40000000000ULL; ++ n |= cpu; ++ n |= (node & 0xf) << 12; ++ n |= (node >> 4) << 48; ++#ifndef CONFIG_XEN ++ *d = n; ++#else ++ HYPERVISOR_update_descriptor(virt_to_machine(d), n); ++#endif + } + + static void __cpuinit cpu_vsyscall_init(void *arg) +@@ -283,7 +290,6 @@ + smp_call_function_single(cpu, cpu_vsyscall_init, NULL, 0, 1); + return NOTIFY_DONE; + } +-#endif + + static void __init map_vsyscall(void) + { +@@ -320,10 +326,8 @@ + #ifdef CONFIG_SYSCTL + register_sysctl_table(kernel_root_table2, 0); + #endif +-#ifndef CONFIG_XEN + on_each_cpu(cpu_vsyscall_init, NULL, 0, 1); + hotcpu_notifier(cpu_vsyscall_notifier, 0); +-#endif + return 0; + } + diff --git a/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch new file mode 100644 index 0000000..e46e657 --- /dev/null +++ b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch @@ -0,0 +1,46 @@ +# HG changeset patch +# User chrisw@sous-sol.org +# Date Tue Oct 03 13:44:38 2006 -0400 +# Node ID e5a7f30e1db3f1084f6789d21ea2a6fdaafdb96d +# parent: 6cd0fae5d84c4a4b15546ceaade74b7d7f044404 +Make sure no_iommu_init is called when needed on x86_64. Thanks +to Mark McLoughlin for spotting the issue and +proposing a fix. + +Index: linux-2.6.20.i386/arch/i386/kernel/pci-dma-xen.c +=================================================================== +--- linux-2.6.20.i386.orig/arch/i386/kernel/pci-dma-xen.c ++++ linux-2.6.20.i386/arch/i386/kernel/pci-dma-xen.c +@@ -21,6 +21,9 @@ + #include + + #ifdef __x86_64__ ++#include ++#include ++ + int iommu_merge __read_mostly = 0; + EXPORT_SYMBOL(iommu_merge); + +@@ -69,6 +72,22 @@ void __init pci_iommu_alloc(void) + #endif + } + ++static int __init pci_iommu_init(void) ++{ ++#ifdef CONFIG_CALGARY_IOMMU ++ calgary_iommu_init(); ++#endif ++ ++#ifdef CONFIG_IOMMU ++ gart_iommu_init(); ++#endif ++ ++ no_iommu_init(); ++ return 0; ++} ++ ++/* Must execute after PCI subsystem */ ++fs_initcall(pci_iommu_init); + #endif + + struct dma_coherent_mem { diff --git a/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch new file mode 100644 index 0000000..915b84a --- /dev/null +++ b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.11.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch @@ -0,0 +1,29 @@ +From: Rik van Riel +Subject: [PATCH][RHEL5] fix nosegneg detection +Date: Wed, 03 Jan 2007 12:59:10 -0500 +Bugzilla: 220675 +Message-Id: <459BEEEE.2060006@redhat.com> +Changelog: xen: fix nosegneg detection + + +The attached patch fixes bug 220675, by placing the nosegneg flag +exactly where glibc expects it to be. I swear I fixed this bug +before once or twice, but the fix must have gotten lost somewhere. + +Please apply. + +-- +Politics is the struggle between those who want to make their country +the best in the world, and those who believe it already is. Each group +calls the other unpatriotic. + +--- linux-2.6.18.x86_64/arch/i386/kernel/vsyscall-note-xen.S.220675 2007-01-03 12:56:38.000000000 -0500 ++++ linux-2.6.18.x86_64/arch/i386/kernel/vsyscall-note-xen.S 2007-01-03 12:56:47.000000000 -0500 +@@ -28,5 +28,5 @@ + #define NOTE_KERNELCAP_END ASM_ELF_NOTE_END + + NOTE_KERNELCAP_BEGIN(1, 1) +-NOTE_KERNELCAP(1, "nosegneg") /* Change 1 back to 0 when glibc is fixed! */ ++NOTE_KERNELCAP(0, "nosegneg") + NOTE_KERNELCAP_END + diff --git a/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch new file mode 100644 index 0000000..788af81 --- /dev/null +++ b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch @@ -0,0 +1,13 @@ +diff -r 00cc4568f10f arch/x86_64/kernel/apic-xen.c +--- a/arch/x86_64/kernel/apic-xen.c Tue Jul 25 21:07:37 2006 +0200 ++++ b/arch/x86_64/kernel/apic-xen.c Tue Jul 25 21:17:54 2006 +0200 +@@ -174,7 +174,8 @@ asmlinkage void smp_error_interrupt(void + 6: Received illegal vector + 7: Illegal register address + */ +- printk (KERN_DEBUG "APIC error on CPU%d: %02x(%02x)\n", ++ if (num_online_cpus() > 1) ++ printk (KERN_DEBUG "APIC error on CPU%d: %02x(%02x)\n", + smp_processor_id(), v , v1); + irq_exit(); + } diff --git a/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0956-linux-2.6-fix-x86_64-smp.patch b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0956-linux-2.6-fix-x86_64-smp.patch new file mode 100644 index 0000000..24796a5 --- /dev/null +++ b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0956-linux-2.6-fix-x86_64-smp.patch @@ -0,0 +1,19 @@ +--- linux-2.6.20.noarch/arch/x86_64/kernel/time-xen.c~orig 2007-04-26 02:05:31.000000000 -0700 ++++ linux-2.6.20.noarch/arch/x86_64/kernel/time-xen.c 2007-04-26 02:02:27.000000000 -0700 +@@ -985,7 +985,7 @@ void time_resume(void) + #ifdef CONFIG_SMP + static char timer_name[NR_CPUS][15]; + +-void local_setup_timer(unsigned int cpu) ++int local_setup_timer(unsigned int cpu) + { + int seq; + +@@ -1009,6 +1009,7 @@ void local_setup_timer(unsigned int cpu) + timer_name[cpu], + NULL); + BUG_ON(per_cpu(timer_irq, cpu) < 0); ++ return 0; + } + + void local_teardown_timer(unsigned int cpu) diff --git a/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch new file mode 100644 index 0000000..17e0247 --- /dev/null +++ b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch @@ -0,0 +1,65 @@ +--- linux-2.6.20.noarch/arch/x86_64/kernel/vsyscall.c~orig 2007-04-26 02:05:31.000000000 -0700 ++++ linux-2.6.20.noarch/arch/x86_64/kernel/vsyscall.c 2007-04-26 15:11:02.000000000 -0700 +@@ -40,6 +40,9 @@ + #include + #include + #include ++#ifdef CONFIG_XEN ++#include ++#endif + + #define __vsyscall(nr) __attribute__ ((unused,__section__(".vsyscall_" #nr))) + #define __syscall_clobber "r11","rcx","memory" +@@ -246,12 +249,11 @@ + + #endif + +-#ifndef CONFIG_XEN + /* Assume __initcall executes before all user space. Hopefully kmod + doesn't violate that. We'll find out if it does. */ + static void __cpuinit vsyscall_set_cpu(int cpu) + { +- unsigned long *d; ++ unsigned long *d, n; + unsigned long node = 0; + #ifdef CONFIG_NUMA + node = cpu_to_node[cpu]; +@@ -263,10 +265,15 @@ + in user space in vgetcpu. + 12 bits for the CPU and 8 bits for the node. */ + d = (unsigned long *)(cpu_gdt(cpu) + GDT_ENTRY_PER_CPU); +- *d = 0x0f40000000000ULL; +- *d |= cpu; +- *d |= (node & 0xf) << 12; +- *d |= (node >> 4) << 48; ++ n = 0x0f40000000000ULL; ++ n |= cpu; ++ n |= (node & 0xf) << 12; ++ n |= (node >> 4) << 48; ++#ifndef CONFIG_XEN ++ *d = n; ++#else ++ HYPERVISOR_update_descriptor(virt_to_machine(d), n); ++#endif + } + + static void __cpuinit cpu_vsyscall_init(void *arg) +@@ -283,7 +290,6 @@ + smp_call_function_single(cpu, cpu_vsyscall_init, NULL, 0, 1); + return NOTIFY_DONE; + } +-#endif + + static void __init map_vsyscall(void) + { +@@ -320,10 +326,8 @@ + #ifdef CONFIG_SYSCTL + register_sysctl_table(kernel_root_table2, 0); + #endif +-#ifndef CONFIG_XEN + on_each_cpu(cpu_vsyscall_init, NULL, 0, 1); + hotcpu_notifier(cpu_vsyscall_notifier, 0); +-#endif + return 0; + } + diff --git a/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch new file mode 100644 index 0000000..e46e657 --- /dev/null +++ b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch @@ -0,0 +1,46 @@ +# HG changeset patch +# User chrisw@sous-sol.org +# Date Tue Oct 03 13:44:38 2006 -0400 +# Node ID e5a7f30e1db3f1084f6789d21ea2a6fdaafdb96d +# parent: 6cd0fae5d84c4a4b15546ceaade74b7d7f044404 +Make sure no_iommu_init is called when needed on x86_64. Thanks +to Mark McLoughlin for spotting the issue and +proposing a fix. + +Index: linux-2.6.20.i386/arch/i386/kernel/pci-dma-xen.c +=================================================================== +--- linux-2.6.20.i386.orig/arch/i386/kernel/pci-dma-xen.c ++++ linux-2.6.20.i386/arch/i386/kernel/pci-dma-xen.c +@@ -21,6 +21,9 @@ + #include + + #ifdef __x86_64__ ++#include ++#include ++ + int iommu_merge __read_mostly = 0; + EXPORT_SYMBOL(iommu_merge); + +@@ -69,6 +72,22 @@ void __init pci_iommu_alloc(void) + #endif + } + ++static int __init pci_iommu_init(void) ++{ ++#ifdef CONFIG_CALGARY_IOMMU ++ calgary_iommu_init(); ++#endif ++ ++#ifdef CONFIG_IOMMU ++ gart_iommu_init(); ++#endif ++ ++ no_iommu_init(); ++ return 0; ++} ++ ++/* Must execute after PCI subsystem */ ++fs_initcall(pci_iommu_init); + #endif + + struct dma_coherent_mem { diff --git a/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch new file mode 100644 index 0000000..915b84a --- /dev/null +++ b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch @@ -0,0 +1,29 @@ +From: Rik van Riel +Subject: [PATCH][RHEL5] fix nosegneg detection +Date: Wed, 03 Jan 2007 12:59:10 -0500 +Bugzilla: 220675 +Message-Id: <459BEEEE.2060006@redhat.com> +Changelog: xen: fix nosegneg detection + + +The attached patch fixes bug 220675, by placing the nosegneg flag +exactly where glibc expects it to be. I swear I fixed this bug +before once or twice, but the fix must have gotten lost somewhere. + +Please apply. + +-- +Politics is the struggle between those who want to make their country +the best in the world, and those who believe it already is. Each group +calls the other unpatriotic. + +--- linux-2.6.18.x86_64/arch/i386/kernel/vsyscall-note-xen.S.220675 2007-01-03 12:56:38.000000000 -0500 ++++ linux-2.6.18.x86_64/arch/i386/kernel/vsyscall-note-xen.S 2007-01-03 12:56:47.000000000 -0500 +@@ -28,5 +28,5 @@ + #define NOTE_KERNELCAP_END ASM_ELF_NOTE_END + + NOTE_KERNELCAP_BEGIN(1, 1) +-NOTE_KERNELCAP(1, "nosegneg") /* Change 1 back to 0 when glibc is fixed! */ ++NOTE_KERNELCAP(0, "nosegneg") + NOTE_KERNELCAP_END + diff --git a/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0960-linux-2.6-xen-blkfront-wait-add.patch b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0960-linux-2.6-xen-blkfront-wait-add.patch new file mode 100644 index 0000000..e17438b --- /dev/null +++ b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/0960-linux-2.6-xen-blkfront-wait-add.patch @@ -0,0 +1,85 @@ +Make xenblk wait to the disk to be added +See http://bugzilla.redhat.com/248462 + +Index: linux-2.6.20.i386/drivers/xen/blkfront/blkfront.c +=================================================================== +--- linux-2.6.20.i386.orig/drivers/xen/blkfront/blkfront.c ++++ linux-2.6.20.i386/drivers/xen/blkfront/blkfront.c +@@ -343,6 +343,8 @@ static void connect(struct blkfront_info + spin_unlock_irq(&blkif_io_lock); + + add_disk(info->gd); ++ ++ info->is_ready = 1; + } + + /** +@@ -852,6 +854,13 @@ static void blkif_recover(struct blkfron + spin_unlock_irq(&blkif_io_lock); + } + ++int blkfront_is_ready(struct xenbus_device *dev) ++{ ++ struct blkfront_info *info = dev->dev.driver_data; ++ ++ return info->is_ready; ++} ++ + + /* ** Driver Registration ** */ + +@@ -870,6 +879,7 @@ static struct xenbus_driver blkfront = { + .remove = blkfront_remove, + .resume = blkfront_resume, + .otherend_changed = backend_changed, ++ .is_ready = blkfront_is_ready, + }; + + +Index: linux-2.6.20.i386/drivers/xen/blkfront/block.h +=================================================================== +--- linux-2.6.20.i386.orig/drivers/xen/blkfront/block.h ++++ linux-2.6.20.i386/drivers/xen/blkfront/block.h +@@ -125,6 +125,7 @@ struct blkfront_info + struct blk_shadow shadow[BLK_RING_SIZE]; + unsigned long shadow_free; + int feature_barrier; ++ int is_ready; + + /** + * The number of people holding this device open. We won't allow a +Index: linux-2.6.20.i386/drivers/xen/xenbus/xenbus_probe.c +=================================================================== +--- linux-2.6.20.i386.orig/drivers/xen/xenbus/xenbus_probe.c ++++ linux-2.6.20.i386/drivers/xen/xenbus/xenbus_probe.c +@@ -940,6 +940,7 @@ static int is_disconnected_device(struct + { + struct xenbus_device *xendev = to_xenbus_device(dev); + struct device_driver *drv = data; ++ struct xenbus_driver *xendrv; + + /* + * A device with no driver will never connect. We care only about +@@ -952,7 +953,9 @@ static int is_disconnected_device(struct + if (drv && (dev->driver != drv)) + return 0; + +- return (xendev->state != XenbusStateConnected); ++ xendrv = to_xenbus_driver(dev->driver); ++ return (xendev->state != XenbusStateConnected || ++ (xendrv->is_ready && !xendrv->is_ready(xendev))); + } + + static int exists_disconnected_device(struct device_driver *drv) +Index: linux-2.6.20.i386/include/xen/xenbus.h +=================================================================== +--- linux-2.6.20.i386.orig/include/xen/xenbus.h ++++ linux-2.6.20.i386/include/xen/xenbus.h +@@ -105,6 +105,7 @@ struct xenbus_driver { + int (*uevent)(struct xenbus_device *, char **, int, char *, int); + struct device_driver driver; + int (*read_otherend_details)(struct xenbus_device *dev); ++ int (*is_ready)(struct xenbus_device *dev); + }; + + static inline struct xenbus_driver *to_xenbus_driver(struct device_driver *drv) diff --git a/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/1665-linux-2.6-disable-netback-checksum.patch b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/1665-linux-2.6-disable-netback-checksum.patch new file mode 100644 index 0000000..18b4dae --- /dev/null +++ b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/1665-linux-2.6-disable-netback-checksum.patch @@ -0,0 +1,37 @@ +From: Herbert Xu +Subject: Re: Final resolution for the checksum problems + + +Daniel P. Berrange wrote: +> +>> > Alternatively we could just make netback default tx checksums to off +>> > which should have a similar effect as disabling it on virbr0. +>> +>> This seems like a simpler path than introducing new infrastructure for +>> scripts to run every time the interface is brought up/down. And then +>> it's even easier to remove the "trigger" when we get the functionality +>> in the kernel +> +> I agree - this would be even simpler. + +Here is a patch which does just that. + +Cheers, +-- +Visit Openswan at http://www.openswan.org/ +Email: Herbert Xu ~{PmV>HI~} +Home Page: http://gondor.apana.org.au/~herbert/ +PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt +-- +--- a/drivers/xen/netback/interface.c 2007-04-28 11:57:31.000000000 +1000 ++++ b/drivers/xen/netback/interface.c 2007-05-02 19:58:16.000000000 +1000 +@@ -161,7 +161,6 @@ + dev->open = net_open; + dev->stop = net_close; + dev->change_mtu = netbk_change_mtu; +- dev->features = NETIF_F_IP_CSUM; + + SET_ETHTOOL_OPS(dev, &network_ethtool_ops); + + + diff --git a/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/3000-linux-2.6-acpi-config_pm-poweroff.patch b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/3000-linux-2.6-acpi-config_pm-poweroff.patch new file mode 100644 index 0000000..e925785 --- /dev/null +++ b/tags/2.6.20-0/fedora-xen-patches-2.6.20-2925.13.fc7/3000-linux-2.6-acpi-config_pm-poweroff.patch @@ -0,0 +1,38 @@ +See http://bugzilla.redhat.com/241381 + +From b7da11fc422b5d06ab6ed5444a1f01ac0e805c74 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Tue, 10 Jul 2007 19:02:14 -0300 +Subject: [PATCH] Remove #ifdef CONFIG_PM from ACPI power-off code + +The ACPI poweroff code is inside a #ifdef CONFIG_PM, that was added on +commit b35c67a46b025e8dc320b59fbe5c283094e1d7f5. It is not necessary +because the poweroff code compiles and works even with CONFIG_PM disabled. + +Signed-off-by: Eduardo Habkost +--- + drivers/acpi/sleep/poweroff.c | 4 ---- + 1 files changed, 0 insertions(+), 4 deletions(-) + +diff --git a/drivers/acpi/sleep/poweroff.c b/drivers/acpi/sleep/poweroff.c +index d9801ef..5d6ba10 100644 +--- a/drivers/acpi/sleep/poweroff.c ++++ b/drivers/acpi/sleep/poweroff.c +@@ -37,8 +37,6 @@ #endif + return 0; + } + +-#ifdef CONFIG_PM +- + void acpi_power_off(void) + { + /* acpi_sleep_prepare(ACPI_STATE_S5) should have already been called */ +@@ -94,5 +92,3 @@ static int acpi_poweroff_init(void) + } + + late_initcall(acpi_poweroff_init); +- +-#endif /* CONFIG_PM */ +-- +silverbrick.install.2006.08.14-dirty + diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch deleted file mode 100644 index 788af81..0000000 --- a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -r 00cc4568f10f arch/x86_64/kernel/apic-xen.c ---- a/arch/x86_64/kernel/apic-xen.c Tue Jul 25 21:07:37 2006 +0200 -+++ b/arch/x86_64/kernel/apic-xen.c Tue Jul 25 21:17:54 2006 +0200 -@@ -174,7 +174,8 @@ asmlinkage void smp_error_interrupt(void - 6: Received illegal vector - 7: Illegal register address - */ -- printk (KERN_DEBUG "APIC error on CPU%d: %02x(%02x)\n", -+ if (num_online_cpus() > 1) -+ printk (KERN_DEBUG "APIC error on CPU%d: %02x(%02x)\n", - smp_processor_id(), v , v1); - irq_exit(); - } diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0956-linux-2.6-fix-x86_64-smp.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0956-linux-2.6-fix-x86_64-smp.patch deleted file mode 100644 index 24796a5..0000000 --- a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0956-linux-2.6-fix-x86_64-smp.patch +++ /dev/null @@ -1,19 +0,0 @@ ---- linux-2.6.20.noarch/arch/x86_64/kernel/time-xen.c~orig 2007-04-26 02:05:31.000000000 -0700 -+++ linux-2.6.20.noarch/arch/x86_64/kernel/time-xen.c 2007-04-26 02:02:27.000000000 -0700 -@@ -985,7 +985,7 @@ void time_resume(void) - #ifdef CONFIG_SMP - static char timer_name[NR_CPUS][15]; - --void local_setup_timer(unsigned int cpu) -+int local_setup_timer(unsigned int cpu) - { - int seq; - -@@ -1009,6 +1009,7 @@ void local_setup_timer(unsigned int cpu) - timer_name[cpu], - NULL); - BUG_ON(per_cpu(timer_irq, cpu) < 0); -+ return 0; - } - - void local_teardown_timer(unsigned int cpu) diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch deleted file mode 100644 index 17e0247..0000000 --- a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch +++ /dev/null @@ -1,65 +0,0 @@ ---- linux-2.6.20.noarch/arch/x86_64/kernel/vsyscall.c~orig 2007-04-26 02:05:31.000000000 -0700 -+++ linux-2.6.20.noarch/arch/x86_64/kernel/vsyscall.c 2007-04-26 15:11:02.000000000 -0700 -@@ -40,6 +40,9 @@ - #include - #include - #include -+#ifdef CONFIG_XEN -+#include -+#endif - - #define __vsyscall(nr) __attribute__ ((unused,__section__(".vsyscall_" #nr))) - #define __syscall_clobber "r11","rcx","memory" -@@ -246,12 +249,11 @@ - - #endif - --#ifndef CONFIG_XEN - /* Assume __initcall executes before all user space. Hopefully kmod - doesn't violate that. We'll find out if it does. */ - static void __cpuinit vsyscall_set_cpu(int cpu) - { -- unsigned long *d; -+ unsigned long *d, n; - unsigned long node = 0; - #ifdef CONFIG_NUMA - node = cpu_to_node[cpu]; -@@ -263,10 +265,15 @@ - in user space in vgetcpu. - 12 bits for the CPU and 8 bits for the node. */ - d = (unsigned long *)(cpu_gdt(cpu) + GDT_ENTRY_PER_CPU); -- *d = 0x0f40000000000ULL; -- *d |= cpu; -- *d |= (node & 0xf) << 12; -- *d |= (node >> 4) << 48; -+ n = 0x0f40000000000ULL; -+ n |= cpu; -+ n |= (node & 0xf) << 12; -+ n |= (node >> 4) << 48; -+#ifndef CONFIG_XEN -+ *d = n; -+#else -+ HYPERVISOR_update_descriptor(virt_to_machine(d), n); -+#endif - } - - static void __cpuinit cpu_vsyscall_init(void *arg) -@@ -283,7 +290,6 @@ - smp_call_function_single(cpu, cpu_vsyscall_init, NULL, 0, 1); - return NOTIFY_DONE; - } --#endif - - static void __init map_vsyscall(void) - { -@@ -320,10 +326,8 @@ - #ifdef CONFIG_SYSCTL - register_sysctl_table(kernel_root_table2, 0); - #endif --#ifndef CONFIG_XEN - on_each_cpu(cpu_vsyscall_init, NULL, 0, 1); - hotcpu_notifier(cpu_vsyscall_notifier, 0); --#endif - return 0; - } - diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch deleted file mode 100644 index e46e657..0000000 --- a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch +++ /dev/null @@ -1,46 +0,0 @@ -# HG changeset patch -# User chrisw@sous-sol.org -# Date Tue Oct 03 13:44:38 2006 -0400 -# Node ID e5a7f30e1db3f1084f6789d21ea2a6fdaafdb96d -# parent: 6cd0fae5d84c4a4b15546ceaade74b7d7f044404 -Make sure no_iommu_init is called when needed on x86_64. Thanks -to Mark McLoughlin for spotting the issue and -proposing a fix. - -Index: linux-2.6.20.i386/arch/i386/kernel/pci-dma-xen.c -=================================================================== ---- linux-2.6.20.i386.orig/arch/i386/kernel/pci-dma-xen.c -+++ linux-2.6.20.i386/arch/i386/kernel/pci-dma-xen.c -@@ -21,6 +21,9 @@ - #include - - #ifdef __x86_64__ -+#include -+#include -+ - int iommu_merge __read_mostly = 0; - EXPORT_SYMBOL(iommu_merge); - -@@ -69,6 +72,22 @@ void __init pci_iommu_alloc(void) - #endif - } - -+static int __init pci_iommu_init(void) -+{ -+#ifdef CONFIG_CALGARY_IOMMU -+ calgary_iommu_init(); -+#endif -+ -+#ifdef CONFIG_IOMMU -+ gart_iommu_init(); -+#endif -+ -+ no_iommu_init(); -+ return 0; -+} -+ -+/* Must execute after PCI subsystem */ -+fs_initcall(pci_iommu_init); - #endif - - struct dma_coherent_mem { diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch deleted file mode 100644 index 915b84a..0000000 --- a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Rik van Riel -Subject: [PATCH][RHEL5] fix nosegneg detection -Date: Wed, 03 Jan 2007 12:59:10 -0500 -Bugzilla: 220675 -Message-Id: <459BEEEE.2060006@redhat.com> -Changelog: xen: fix nosegneg detection - - -The attached patch fixes bug 220675, by placing the nosegneg flag -exactly where glibc expects it to be. I swear I fixed this bug -before once or twice, but the fix must have gotten lost somewhere. - -Please apply. - --- -Politics is the struggle between those who want to make their country -the best in the world, and those who believe it already is. Each group -calls the other unpatriotic. - ---- linux-2.6.18.x86_64/arch/i386/kernel/vsyscall-note-xen.S.220675 2007-01-03 12:56:38.000000000 -0500 -+++ linux-2.6.18.x86_64/arch/i386/kernel/vsyscall-note-xen.S 2007-01-03 12:56:47.000000000 -0500 -@@ -28,5 +28,5 @@ - #define NOTE_KERNELCAP_END ASM_ELF_NOTE_END - - NOTE_KERNELCAP_BEGIN(1, 1) --NOTE_KERNELCAP(1, "nosegneg") /* Change 1 back to 0 when glibc is fixed! */ -+NOTE_KERNELCAP(0, "nosegneg") - NOTE_KERNELCAP_END - diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch deleted file mode 100644 index 788af81..0000000 --- a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -r 00cc4568f10f arch/x86_64/kernel/apic-xen.c ---- a/arch/x86_64/kernel/apic-xen.c Tue Jul 25 21:07:37 2006 +0200 -+++ b/arch/x86_64/kernel/apic-xen.c Tue Jul 25 21:17:54 2006 +0200 -@@ -174,7 +174,8 @@ asmlinkage void smp_error_interrupt(void - 6: Received illegal vector - 7: Illegal register address - */ -- printk (KERN_DEBUG "APIC error on CPU%d: %02x(%02x)\n", -+ if (num_online_cpus() > 1) -+ printk (KERN_DEBUG "APIC error on CPU%d: %02x(%02x)\n", - smp_processor_id(), v , v1); - irq_exit(); - } diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0956-linux-2.6-fix-x86_64-smp.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0956-linux-2.6-fix-x86_64-smp.patch deleted file mode 100644 index 24796a5..0000000 --- a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0956-linux-2.6-fix-x86_64-smp.patch +++ /dev/null @@ -1,19 +0,0 @@ ---- linux-2.6.20.noarch/arch/x86_64/kernel/time-xen.c~orig 2007-04-26 02:05:31.000000000 -0700 -+++ linux-2.6.20.noarch/arch/x86_64/kernel/time-xen.c 2007-04-26 02:02:27.000000000 -0700 -@@ -985,7 +985,7 @@ void time_resume(void) - #ifdef CONFIG_SMP - static char timer_name[NR_CPUS][15]; - --void local_setup_timer(unsigned int cpu) -+int local_setup_timer(unsigned int cpu) - { - int seq; - -@@ -1009,6 +1009,7 @@ void local_setup_timer(unsigned int cpu) - timer_name[cpu], - NULL); - BUG_ON(per_cpu(timer_irq, cpu) < 0); -+ return 0; - } - - void local_teardown_timer(unsigned int cpu) diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch deleted file mode 100644 index 17e0247..0000000 --- a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0957-linux-2.6-fix-x86_64-vgetcpu.patch +++ /dev/null @@ -1,65 +0,0 @@ ---- linux-2.6.20.noarch/arch/x86_64/kernel/vsyscall.c~orig 2007-04-26 02:05:31.000000000 -0700 -+++ linux-2.6.20.noarch/arch/x86_64/kernel/vsyscall.c 2007-04-26 15:11:02.000000000 -0700 -@@ -40,6 +40,9 @@ - #include - #include - #include -+#ifdef CONFIG_XEN -+#include -+#endif - - #define __vsyscall(nr) __attribute__ ((unused,__section__(".vsyscall_" #nr))) - #define __syscall_clobber "r11","rcx","memory" -@@ -246,12 +249,11 @@ - - #endif - --#ifndef CONFIG_XEN - /* Assume __initcall executes before all user space. Hopefully kmod - doesn't violate that. We'll find out if it does. */ - static void __cpuinit vsyscall_set_cpu(int cpu) - { -- unsigned long *d; -+ unsigned long *d, n; - unsigned long node = 0; - #ifdef CONFIG_NUMA - node = cpu_to_node[cpu]; -@@ -263,10 +265,15 @@ - in user space in vgetcpu. - 12 bits for the CPU and 8 bits for the node. */ - d = (unsigned long *)(cpu_gdt(cpu) + GDT_ENTRY_PER_CPU); -- *d = 0x0f40000000000ULL; -- *d |= cpu; -- *d |= (node & 0xf) << 12; -- *d |= (node >> 4) << 48; -+ n = 0x0f40000000000ULL; -+ n |= cpu; -+ n |= (node & 0xf) << 12; -+ n |= (node >> 4) << 48; -+#ifndef CONFIG_XEN -+ *d = n; -+#else -+ HYPERVISOR_update_descriptor(virt_to_machine(d), n); -+#endif - } - - static void __cpuinit cpu_vsyscall_init(void *arg) -@@ -283,7 +290,6 @@ - smp_call_function_single(cpu, cpu_vsyscall_init, NULL, 0, 1); - return NOTIFY_DONE; - } --#endif - - static void __init map_vsyscall(void) - { -@@ -320,10 +326,8 @@ - #ifdef CONFIG_SYSCTL - register_sysctl_table(kernel_root_table2, 0); - #endif --#ifndef CONFIG_XEN - on_each_cpu(cpu_vsyscall_init, NULL, 0, 1); - hotcpu_notifier(cpu_vsyscall_notifier, 0); --#endif - return 0; - } - diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch deleted file mode 100644 index e46e657..0000000 --- a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch +++ /dev/null @@ -1,46 +0,0 @@ -# HG changeset patch -# User chrisw@sous-sol.org -# Date Tue Oct 03 13:44:38 2006 -0400 -# Node ID e5a7f30e1db3f1084f6789d21ea2a6fdaafdb96d -# parent: 6cd0fae5d84c4a4b15546ceaade74b7d7f044404 -Make sure no_iommu_init is called when needed on x86_64. Thanks -to Mark McLoughlin for spotting the issue and -proposing a fix. - -Index: linux-2.6.20.i386/arch/i386/kernel/pci-dma-xen.c -=================================================================== ---- linux-2.6.20.i386.orig/arch/i386/kernel/pci-dma-xen.c -+++ linux-2.6.20.i386/arch/i386/kernel/pci-dma-xen.c -@@ -21,6 +21,9 @@ - #include - - #ifdef __x86_64__ -+#include -+#include -+ - int iommu_merge __read_mostly = 0; - EXPORT_SYMBOL(iommu_merge); - -@@ -69,6 +72,22 @@ void __init pci_iommu_alloc(void) - #endif - } - -+static int __init pci_iommu_init(void) -+{ -+#ifdef CONFIG_CALGARY_IOMMU -+ calgary_iommu_init(); -+#endif -+ -+#ifdef CONFIG_IOMMU -+ gart_iommu_init(); -+#endif -+ -+ no_iommu_init(); -+ return 0; -+} -+ -+/* Must execute after PCI subsystem */ -+fs_initcall(pci_iommu_init); - #endif - - struct dma_coherent_mem { diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch deleted file mode 100644 index 915b84a..0000000 --- a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0959-linux-2.6-xen-fix-nosegneg-detection.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Rik van Riel -Subject: [PATCH][RHEL5] fix nosegneg detection -Date: Wed, 03 Jan 2007 12:59:10 -0500 -Bugzilla: 220675 -Message-Id: <459BEEEE.2060006@redhat.com> -Changelog: xen: fix nosegneg detection - - -The attached patch fixes bug 220675, by placing the nosegneg flag -exactly where glibc expects it to be. I swear I fixed this bug -before once or twice, but the fix must have gotten lost somewhere. - -Please apply. - --- -Politics is the struggle between those who want to make their country -the best in the world, and those who believe it already is. Each group -calls the other unpatriotic. - ---- linux-2.6.18.x86_64/arch/i386/kernel/vsyscall-note-xen.S.220675 2007-01-03 12:56:38.000000000 -0500 -+++ linux-2.6.18.x86_64/arch/i386/kernel/vsyscall-note-xen.S 2007-01-03 12:56:47.000000000 -0500 -@@ -28,5 +28,5 @@ - #define NOTE_KERNELCAP_END ASM_ELF_NOTE_END - - NOTE_KERNELCAP_BEGIN(1, 1) --NOTE_KERNELCAP(1, "nosegneg") /* Change 1 back to 0 when glibc is fixed! */ -+NOTE_KERNELCAP(0, "nosegneg") - NOTE_KERNELCAP_END - diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0960-linux-2.6-xen-blkfront-wait-add.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0960-linux-2.6-xen-blkfront-wait-add.patch deleted file mode 100644 index e17438b..0000000 --- a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/0960-linux-2.6-xen-blkfront-wait-add.patch +++ /dev/null @@ -1,85 +0,0 @@ -Make xenblk wait to the disk to be added -See http://bugzilla.redhat.com/248462 - -Index: linux-2.6.20.i386/drivers/xen/blkfront/blkfront.c -=================================================================== ---- linux-2.6.20.i386.orig/drivers/xen/blkfront/blkfront.c -+++ linux-2.6.20.i386/drivers/xen/blkfront/blkfront.c -@@ -343,6 +343,8 @@ static void connect(struct blkfront_info - spin_unlock_irq(&blkif_io_lock); - - add_disk(info->gd); -+ -+ info->is_ready = 1; - } - - /** -@@ -852,6 +854,13 @@ static void blkif_recover(struct blkfron - spin_unlock_irq(&blkif_io_lock); - } - -+int blkfront_is_ready(struct xenbus_device *dev) -+{ -+ struct blkfront_info *info = dev->dev.driver_data; -+ -+ return info->is_ready; -+} -+ - - /* ** Driver Registration ** */ - -@@ -870,6 +879,7 @@ static struct xenbus_driver blkfront = { - .remove = blkfront_remove, - .resume = blkfront_resume, - .otherend_changed = backend_changed, -+ .is_ready = blkfront_is_ready, - }; - - -Index: linux-2.6.20.i386/drivers/xen/blkfront/block.h -=================================================================== ---- linux-2.6.20.i386.orig/drivers/xen/blkfront/block.h -+++ linux-2.6.20.i386/drivers/xen/blkfront/block.h -@@ -125,6 +125,7 @@ struct blkfront_info - struct blk_shadow shadow[BLK_RING_SIZE]; - unsigned long shadow_free; - int feature_barrier; -+ int is_ready; - - /** - * The number of people holding this device open. We won't allow a -Index: linux-2.6.20.i386/drivers/xen/xenbus/xenbus_probe.c -=================================================================== ---- linux-2.6.20.i386.orig/drivers/xen/xenbus/xenbus_probe.c -+++ linux-2.6.20.i386/drivers/xen/xenbus/xenbus_probe.c -@@ -940,6 +940,7 @@ static int is_disconnected_device(struct - { - struct xenbus_device *xendev = to_xenbus_device(dev); - struct device_driver *drv = data; -+ struct xenbus_driver *xendrv; - - /* - * A device with no driver will never connect. We care only about -@@ -952,7 +953,9 @@ static int is_disconnected_device(struct - if (drv && (dev->driver != drv)) - return 0; - -- return (xendev->state != XenbusStateConnected); -+ xendrv = to_xenbus_driver(dev->driver); -+ return (xendev->state != XenbusStateConnected || -+ (xendrv->is_ready && !xendrv->is_ready(xendev))); - } - - static int exists_disconnected_device(struct device_driver *drv) -Index: linux-2.6.20.i386/include/xen/xenbus.h -=================================================================== ---- linux-2.6.20.i386.orig/include/xen/xenbus.h -+++ linux-2.6.20.i386/include/xen/xenbus.h -@@ -105,6 +105,7 @@ struct xenbus_driver { - int (*uevent)(struct xenbus_device *, char **, int, char *, int); - struct device_driver driver; - int (*read_otherend_details)(struct xenbus_device *dev); -+ int (*is_ready)(struct xenbus_device *dev); - }; - - static inline struct xenbus_driver *to_xenbus_driver(struct device_driver *drv) diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/1665-linux-2.6-disable-netback-checksum.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/1665-linux-2.6-disable-netback-checksum.patch deleted file mode 100644 index 18b4dae..0000000 --- a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/1665-linux-2.6-disable-netback-checksum.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Herbert Xu -Subject: Re: Final resolution for the checksum problems - - -Daniel P. Berrange wrote: -> ->> > Alternatively we could just make netback default tx checksums to off ->> > which should have a similar effect as disabling it on virbr0. ->> ->> This seems like a simpler path than introducing new infrastructure for ->> scripts to run every time the interface is brought up/down. And then ->> it's even easier to remove the "trigger" when we get the functionality ->> in the kernel -> -> I agree - this would be even simpler. - -Here is a patch which does just that. - -Cheers, --- -Visit Openswan at http://www.openswan.org/ -Email: Herbert Xu ~{PmV>HI~} -Home Page: http://gondor.apana.org.au/~herbert/ -PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt --- ---- a/drivers/xen/netback/interface.c 2007-04-28 11:57:31.000000000 +1000 -+++ b/drivers/xen/netback/interface.c 2007-05-02 19:58:16.000000000 +1000 -@@ -161,7 +161,6 @@ - dev->open = net_open; - dev->stop = net_close; - dev->change_mtu = netbk_change_mtu; -- dev->features = NETIF_F_IP_CSUM; - - SET_ETHTOOL_OPS(dev, &network_ethtool_ops); - - - diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/3000-linux-2.6-acpi-config_pm-poweroff.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/3000-linux-2.6-acpi-config_pm-poweroff.patch deleted file mode 100644 index e925785..0000000 --- a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.13.fc7/3000-linux-2.6-acpi-config_pm-poweroff.patch +++ /dev/null @@ -1,38 +0,0 @@ -See http://bugzilla.redhat.com/241381 - -From b7da11fc422b5d06ab6ed5444a1f01ac0e805c74 Mon Sep 17 00:00:00 2001 -From: Eduardo Habkost -Date: Tue, 10 Jul 2007 19:02:14 -0300 -Subject: [PATCH] Remove #ifdef CONFIG_PM from ACPI power-off code - -The ACPI poweroff code is inside a #ifdef CONFIG_PM, that was added on -commit b35c67a46b025e8dc320b59fbe5c283094e1d7f5. It is not necessary -because the poweroff code compiles and works even with CONFIG_PM disabled. - -Signed-off-by: Eduardo Habkost ---- - drivers/acpi/sleep/poweroff.c | 4 ---- - 1 files changed, 0 insertions(+), 4 deletions(-) - -diff --git a/drivers/acpi/sleep/poweroff.c b/drivers/acpi/sleep/poweroff.c -index d9801ef..5d6ba10 100644 ---- a/drivers/acpi/sleep/poweroff.c -+++ b/drivers/acpi/sleep/poweroff.c -@@ -37,8 +37,6 @@ #endif - return 0; - } - --#ifdef CONFIG_PM -- - void acpi_power_off(void) - { - /* acpi_sleep_prepare(ACPI_STATE_S5) should have already been called */ -@@ -94,5 +92,3 @@ static int acpi_poweroff_init(void) - } - - late_initcall(acpi_poweroff_init); -- --#endif /* CONFIG_PM */ --- -silverbrick.install.2006.08.14-dirty - -- cgit v1.2.3-65-gdbad