r2947 - trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches
Simon Horman
horms@costa.debian.org
Fri, 08 Apr 2005 08:30:35 +0000
Author: horms
Date: 2005-04-08 08:30:35 +0000 (Fri, 08 Apr 2005)
New Revision: 2947
Added:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/kernel-futex-deadlock.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-bic-binary-search.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-ipsec-icmp-deadlock.dpatch
Log:
add missing patches
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/kernel-futex-deadlock.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/kernel-futex-deadlock.dpatch 2005-04-08 05:45:28 UTC (rev 2946)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/kernel-futex-deadlock.dpatch 2005-04-08 08:30:35 UTC (rev 2947)
@@ -0,0 +1,165 @@
+# origin: olof (BitKeeper)
+# cset: 1.1982.77.10 (2.6) key=421cfc11zFsK9gxvSJ2t__FCmuUd3Q
+# URL: http://linux.bkbits.net:8080/linux-2.6/cset@421cfc11zFsK9gxvSJ2t__FCmuUd3Q
+# inclusion: upstream
+# descrition: [PATCH] Fix possible futex mmap_sem deadlock
+# revision date: Tue, 05 Apr 2005 16:14:02 +0900
+#
+# S rset: ChangeSet|1.1982.77.9..1.1982.77.10
+# R rset: kernel/futex.c|1.49..1.50
+# I rset: mm/mempolicy.c|1.25..1.26
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+# R: Revised Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/23 13:56:33-08:00 olof@austin.ibm.com
+# [PATCH] Fix possible futex mmap_sem deadlock
+#
+# Some futex functions do get_user calls while holding mmap_sem for
+# reading. If get_user() faults, and another thread happens to be in mmap
+# (or somewhere else holding waiting on down_write for the same
+# semaphore), then do_page_fault will deadlock. Most architectures seem
+# to be exposed to this.
+#
+# To avoid it, make sure the page is available. If not, release the
+# semaphore, fault it in and retry.
+#
+# I also found another exposure by inspection, moving some of the code
+# around avoids the possible deadlock there.
+#
+# Signed-off-by: Olof Johansson <olof@austin.ibm.com>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# mm/mempolicy.c
+# 2005/02/23 10:53:22-08:00 olof@austin.ibm.com +6 -2
+# Fix possible futex mmap_sem deadlock
+#
+# kernel/futex.c
+# 2005/02/23 11:10:16-08:00 olof@austin.ibm.com +45 -6
+# Fix possible futex mmap_sem deadlock
+#
+# Updated by Horms for Debian 2.6.8 to use __copy_from_user
+# instead of __copy_from_user_inatomic, as that was introduced
+# post 2.6.8 and seems safe enough to leave out. Its a pretty
+# big patch anyway. For reference it is at:
+# http://linux.bkbits.net:8080/linux-2.6/cset@412f705el_rtS7LwQ-7HFolCNA1UEg
+#
+#
+===== kernel/futex.c 1.49 vs 1.50 =====
+--- 1.49/kernel/futex.c 2004-11-30 10:59:39 +09:00
++++ 1.50/kernel/futex.c 2005-02-24 04:10:16 +09:00
+@@ -258,6 +258,18 @@ static void drop_key_refs(union futex_ke
+ }
+ }
+
++static inline int get_futex_value_locked(int *dest, int __user *from)
++{
++ int ret;
++
++ inc_preempt_count();
++ ret = __copy_from_user(dest, from, sizeof(int));
++ dec_preempt_count();
++ preempt_check_resched();
++
++ return ret ? -EFAULT : 0;
++}
++
+ /*
+ * The hash bucket lock must be held when this is called.
+ * Afterwards, the futex_q must not be accessed.
+@@ -329,6 +341,7 @@ static int futex_requeue(unsigned long u
+ int ret, drop_count = 0;
+ unsigned int nqueued;
+
++ retry:
+ down_read(¤t->mm->mmap_sem);
+
+ ret = get_futex_key(uaddr1, &key1);
+@@ -355,9 +368,20 @@ static int futex_requeue(unsigned long u
+ before *uaddr1. */
+ smp_mb();
+
+- if (get_user(curval, (int __user *)uaddr1) != 0) {
+- ret = -EFAULT;
+- goto out;
++ ret = get_futex_value_locked(&curval, (int __user *)uaddr1);
++
++ if (unlikely(ret)) {
++ /* If we would have faulted, release mmap_sem, fault
++ * it in and start all over again.
++ */
++ up_read(¤t->mm->mmap_sem);
++
++ ret = get_user(curval, (int __user *)uaddr1);
++
++ if (!ret)
++ goto retry;
++
++ return ret;
+ }
+ if (curval != *valp) {
+ ret = -EAGAIN;
+@@ -480,6 +504,7 @@ static int futex_wait(unsigned long uadd
+ int ret, curval;
+ struct futex_q q;
+
++ retry:
+ down_read(¤t->mm->mmap_sem);
+
+ ret = get_futex_key(uaddr, &q.key);
+@@ -508,9 +533,23 @@ static int futex_wait(unsigned long uadd
+ * We hold the mmap semaphore, so the mapping cannot have changed
+ * since we looked it up in get_futex_key.
+ */
+- if (get_user(curval, (int __user *)uaddr) != 0) {
+- ret = -EFAULT;
+- goto out_unqueue;
++
++ ret = get_futex_value_locked(&curval, (int __user *)uaddr);
++
++ if (unlikely(ret)) {
++ /* If we would have faulted, release mmap_sem, fault it in and
++ * start all over again.
++ */
++ up_read(¤t->mm->mmap_sem);
++
++ if (!unqueue_me(&q)) /* There's a chance we got woken already */
++ return 0;
++
++ ret = get_user(curval, (int __user *)uaddr);
++
++ if (!ret)
++ goto retry;
++ return ret;
+ }
+ if (curval != val) {
+ ret = -EWOULDBLOCK;
+===== mm/mempolicy.c 1.25 vs 1.26 =====
+--- 1.25/mm/mempolicy.c 2005-01-21 13:55:56 +09:00
++++ 1.26/mm/mempolicy.c 2005-02-24 03:53:22 +09:00
+@@ -524,9 +524,13 @@ asmlinkage long sys_get_mempolicy(int __
+ } else
+ pval = pol->policy;
+
+- err = -EFAULT;
++ if (vma) {
++ up_read(¤t->mm->mmap_sem);
++ vma = NULL;
++ }
++
+ if (policy && put_user(pval, policy))
+- goto out;
++ return -EFAULT;
+
+ err = 0;
+ if (nmask) {
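Review bot: The new helper get_futex_value_locked() in kernel/futex.c reads the user word with `__copy_from_user()`, which skips the access_ok() range check that the `get_user()` it replaces performed, and nothing documents what callers must guarantee. Both call sites run get_futex_key() on the same address first, but its body is outside this patch, so it should be confirmed that it rejects addresses outside the caller's user mappings on 2.6.8. I would add a header comment to the helper: `/* Caller holds mmap_sem and has validated 'from' with get_futex_key(); preempt count is raised so a fault returns -EFAULT instead of sleeping. */`. The header field on the fifth line of the dpatch is spelled `descrition`, unlike `description` in the other two files added here. futex_requeue() and futex_wait() both start and end outside the nested hunks.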
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-bic-binary-search.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-bic-binary-search.dpatch 2005-04-08 05:45:28 UTC (rev 2946)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-bic-binary-search.dpatch 2005-04-08 08:30:35 UTC (rev 2947)
@@ -0,0 +1,67 @@
+# origin: kraxel@bytesex.org (BitKeeper)
+# cset: 423319b45APysujA6dNnGY0xxK9gJg
+# URL: http://oss.sgi.com/projects/netdev/archive/2005-04/msg00241.html
+# inclusion: proposed for upstream's -stable tree
+# description: [TCP] Fix BIC congestion avoidance algorithm error
+# revision date: ue, Tue, 5 Apr 2005 09:47:59 -0700
+#
+
+#Date: Tue, 5 Apr 2005 09:47:59 -0700
+#From: Greg KH <gregkh@suse.de>
+#To: linux-kernel@vger.kernel.org, stable@kernel.org
+#Cc: davem@davemloft.net, shemminger@osdl.org, netdev@oss.sgi.com
+#Subject: [07/08] [TCP] Fix BIC congestion avoidance algorithm error
+#
+#-stable review patch. If anyone has any objections, please let us know.
+#
+#------------------
+#
+#Since BIC is the default congestion control algorithm
+#enabled in every 2.6.x kernel out there, fixing errors
+#in it becomes quite critical.
+#
+#A flaw in the loss handling caused it to not perform
+#the binary search regimen of the BIC algorithm
+#properly.
+#
+#The fix below from Stephen Hemminger has been heavily
+#verified.
+#
+#[TCP]: BIC not binary searching correctly
+#
+#While redoing BIC for the split up version, I discovered that the existing
+#2.6.11 code doesn't really do binary search. It ends up being just a slightly
+#modified version of Reno. See attached graphs to see the effect over simulated
+#1mbit environment.
+#
+#The problem is that BIC is supposed to reset the cwnd to the last loss value
+#rather than ssthresh when loss is detected. The correct code (from the BIC
+#TCP code for Web100) is in this patch.
+#
+#Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
+#Signed-off-by: David S. Miller <davem@davemloft.net>
+#Signed-off-by: Chris Wright <chrisw@osdl.org>
+#Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+# This has been updated for Debian 2.6.8 to use sysctl_tcp_bic instead
+# of tcp_is_bic() as the latter is not present in 2.6.8 and the patch
+# to add it is rather invasive. For reference it can be found at
+# http://linux.bkbits.net:8080/linux-2.6/cset@415862c36Z_C4AAEqbJR8mAMb1Np1Q
+#
+#Signed-off-by: Horms <horms@debian.org>
+
+--- 1.92/net/ipv4/tcp_input.c 2005-02-22 10:45:31 -08:00
++++ edited/net/ipv4/tcp_input.c 2005-03-23 10:55:18 -08:00
+@@ -1653,7 +1653,10 @@
+ static void tcp_undo_cwr(struct tcp_sock *tp, int undo)
+ {
+ if (tp->prior_ssthresh) {
+- tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
++ if (sysctl_tcp_bic)
++ tp->snd_cwnd = max(tp->snd_cwnd, tp->bictcp.last_max_cwnd);
++ else
++ tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
+
+ if (undo && tp->prior_ssthresh > tp->snd_ssthresh) {
+ tp->snd_ssthresh = tp->prior_ssthresh;
+
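Review bot: In tcp_undo_cwr() the backport keys the BIC branch on the global `sysctl_tcp_bic` rather than on per-connection state, so the formula a socket gets depends on the sysctl's value at undo time. If `tp->bictcp.last_max_cwnd` is zero or stale for a connection (its initialisation is not visible here), `max(tp->snd_cwnd, tp->bictcp.last_max_cwnd)` leaves cwnd at its reduced value and the undo does nothing; a guard such as `if (sysctl_tcp_bic && tp->bictcp.last_max_cwnd)` would fall back to the ssthresh form in that case. Separately, the `# origin`, `# cset` and `# URL` header fields are identical to those in net-ipv4-ipsec-icmp-deadlock.dpatch although the two files describe different -stable patches ([07/08] and [05/08]), so at least one set looks copied and should be corrected for traceability. tcp_undo_cwr() continues past the end of the nested hunk.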
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-ipsec-icmp-deadlock.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-ipsec-icmp-deadlock.dpatch 2005-04-08 05:45:28 UTC (rev 2946)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-ipv4-ipsec-icmp-deadlock.dpatch 2005-04-08 08:30:35 UTC (rev 2947)
@@ -0,0 +1,85 @@
+# origin: kraxel@bytesex.org (BitKeeper)
+# cset: 423319b45APysujA6dNnGY0xxK9gJg
+# URL: http://oss.sgi.com/projects/netdev/archive/2005-04/msg00241.html
+# inclusion: proposed for upstream's -stable tree
+# description: [IPSEC]: Do not hold state lock while checking size
+# revision date: Tue, 5 Apr 2005 09:47:27 -0700
+#
+
+#Date: Tue, 5 Apr 2005 09:47:27 -0700
+#From: Greg KH <gregkh@suse.de>
+#To: linux-kernel@vger.kernel.org, stable@kernel.org
+#Cc: kaber@trash.net, davem@davemloft.net, netdev@oss.sgi.com
+#Subject: [05/08] [IPSEC]: Do not hold state lock while checking size
+#
+#-stable review patch. If anyone has any objections, please let us know.
+#
+#------------------
+#
+#This patch from Herbert Xu fixes a deadlock with IPsec.
+#When an ICMP frag. required is sent and the ICMP message
+#needs the same SA as the packet that caused it the state
+#will be locked twice.
+#
+#[IPSEC]: Do not hold state lock while checking size.
+#
+#This can elicit ICMP message output and thus result in a
+#deadlock.
+#
+#Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+#Signed-off-by: David S. Miller <davem@davemloft.net>
+#Signed-off-by: Chris Wright <chrisw@osdl.org>
+#Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+#
+diff -Nru a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
+--- a/net/ipv4/xfrm4_output.c 2005-03-20 16:53:05 +01:00
++++ b/net/ipv4/xfrm4_output.c 2005-03-20 16:53:05 +01:00
+@@ -103,16 +103,16 @@
+ goto error_nolock;
+ }
+
+- spin_lock_bh(&x->lock);
+- err = xfrm_state_check(x, skb);
+- if (err)
+- goto error;
+-
+ if (x->props.mode) {
+ err = xfrm4_tunnel_check_size(skb);
+ if (err)
+- goto error;
++ goto error_nolock;
+ }
++
++ spin_lock_bh(&x->lock);
++ err = xfrm_state_check(x, skb);
++ if (err)
++ goto error;
+
+ xfrm4_encap(skb);
+
+diff -Nru a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
+--- a/net/ipv6/xfrm6_output.c 2005-03-20 16:53:05 +01:00
++++ b/net/ipv6/xfrm6_output.c 2005-03-20 16:53:05 +01:00
+@@ -103,16 +103,16 @@
+ goto error_nolock;
+ }
+
+- spin_lock_bh(&x->lock);
+- err = xfrm_state_check(x, skb);
+- if (err)
+- goto error;
+-
+ if (x->props.mode) {
+ err = xfrm6_tunnel_check_size(skb);
+ if (err)
+- goto error;
++ goto error_nolock;
+ }
++
++ spin_lock_bh(&x->lock);
++ err = xfrm_state_check(x, skb);
++ if (err)
++ goto error;
+
+ xfrm6_encap(skb);
+
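Review bot: Nothing in the reordered code records why the tunnel size check has to run before `spin_lock_bh(&x->lock)`, so a later cleanup could move it back under the lock and reintroduce the deadlock. The commit text gives the reason (the check can elicit an ICMP message that needs the same SA), and I would put it at the `if (x->props.mode)` test in both net/ipv4/xfrm4_output.c and net/ipv6/xfrm6_output.c: `/* Size check may send ICMP via this same SA; must run without x->lock held. */`. Note also that `x->props.mode` is now read before the lock is taken, which is only fine if that field does not change once the state is set up; that is not visible in the hunk. The enclosing output functions start and end outside both nested hunks.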