Commit: 5c60e8012f908840952eaff716070eb66a92d2ac Author: Adrian Bunk Mon, 04 Dec 2006 19:45:53 +0100 Linux 2.6.16.35-rc1 Commit: e0d34fea66c5dbe70116acac6f4d722564810dca Author: Chris Wright Mon, 04 Dec 2006 19:44:59 +0100 bridge: fix possible overflow in get_fdb_entries (CVE-2006-5751) Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751). Signed-off-by: Chris Wright Acked-by: Stephen Hemminger Acked-by: David Miller Signed-off-by: Adrian Bunk Commit: 25e1dd8a73c6661c03104f53199b501be489888d Author: Trond Myklebust Mon, 04 Dec 2006 19:43:11 +0100 fcntl(F_SETSIG) fix fcntl(F_SETSIG) no longer works on leases because lease_release_private_callback() gets called as the lease is copied in order to initialise it. The problem is that lease_alloc() performs an unnecessary initialisation, which sets the lease_manager_ops. Avoid the problem by allocating the target lease structure using locks_alloc_lock(). Signed-off-by: Trond Myklebust Signed-off-by: Adrian Bunk Commit: ba6c35f8887b3c483d8f63639f3959c163f05e72 Author: Jens Axboe Mon, 04 Dec 2006 14:30:27 +0100 cciss: fix iostat cciss needs to call disk_stat_add() for iostat to work. Signed-off-by: Jens Axboe Signed-off-by: Adrian Bunk Commit: f131f70efa075828d573d1200abb8ebe3d8997f0 Author: Jens Axboe Mon, 04 Dec 2006 14:29:45 +0100 cpqarray: fix iostat cpqarray needs to call disk_stat_add() for iostat to work. Signed-off-by: Jens Axboe Signed-off-by: Adrian Bunk Commit: 6d46c48302238d397a6ebf055983aa09fac3b6b1 Author: Michael De Backer Mon, 04 Dec 2006 14:24:41 +0100 alim15x3.c: M5229 (rev c8) support for DMA cd-writer Configuration bits are not set properly for DMA on some chipset revisions. It has already been corrected for M5229 (rev c7) but not for M5229 (rev c8). This leads to the bug described at http://bugzilla.kernel.org/show_bug.cgi?id=5786 (lost interrupt + ide bus hangs). Signed-off-by: Michael De Backer Signed-off-by: Adrian Bunk Commit: c375b5b95d0f4498bdef8b8f3edd2672120d4f01 Author: Fernando J. Pereda Mon, 04 Dec 2006 14:21:29 +0100 alpha: Fix ALPHA_EV56 dependencies typo There appears to be a typo in the EV56 config option. NORITAKE and PRIMO are be able to set a variation of either. Signed-off-by: Daniel Drake Signed-off-by: Adrian Bunk Commit: 407e973fcc4bf33964851f2f01817c1958479868 Author: Jiri Slaby Mon, 04 Dec 2006 14:06:36 +0100 Char: isicom, fix close bug port is dereferenced even if it is NULL. Dereference it _after_ the check if (!port)... Thanks Eric for reporting this. This fixes http://bugzilla.kernel.org/show_bug.cgi?id=7527 Signed-off-by: Jiri Slaby Signed-off-by: Adrian Bunk Commit: 2491185f7a9a5592dba42547ffff1f56bf5af66f Author: Roberto Castagnola Mon, 04 Dec 2006 14:02:47 +0100 Input: logips2pp - fix button mapping for MX300 MX300 does not have an EXTRA_BTN - it is a simple wheel mouse with an additional task-switcher button, which is reported as side button (and not task button). Signed-off-by: Daniel Drake Signed-off-by: Dmitry Torokhov Signed-off-by: Adrian Bunk Commit: 7ac0b0a2cb35e666019d584abcdb2ed3b406821d Author: Zbigniew Luszpinski Mon, 04 Dec 2006 14:01:50 +0100 Input: psmouse - add detection of Logitech TrackMan Wheel trackball Signed-off-by: Dmitry Torokhov Signed-off-by: Adrian Bunk Commit: 4c3b882b6efbf091fdc0109a952844668d431e6a Author: Zhou Yingchao Mon, 04 Dec 2006 13:58:06 +0100 Remove redundant up() in stop_machine() An up() is called in kernel/stop_machine.c on failure, and also in the caller (unconditionally). Signed-off-by: Zhou Yingchao Signed-off-by: Adrian Bunk Commit: dbb4a0ecfe7dc4c989985a23288c98b2e3c8ee0d Author: Al Viro Mon, 04 Dec 2006 13:13:23 +0100 [EBTABLES]: Prevent wraparounds in checks for entry components' sizes. Signed-off-by: Al Viro Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk Commit: e4a7da4a76137dab99b98ce126ec2837dd53f638 Author: Al Viro Mon, 04 Dec 2006 13:12:43 +0100 [EBTABLES]: Deal with the worst-case behaviour in loop checks. No need to revisit a chain we'd already finished with during the check for current hook. It's either instant loop (which we'd just detected) or a duplicate work. Signed-off-by: Al Viro Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk Commit: f1f7d270d4a610222efe9920b8443d807355bfca Author: Al Viro Mon, 04 Dec 2006 13:12:06 +0100 [EBTABLES]: Verify that ebt_entries have zero ->distinguisher. We need that for iterator to work; existing check had been too weak. Signed-off-by: Al Viro Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk Commit: d559dd79b58829f1ebb7996698e6354600e79b14 Author: Al Viro Mon, 04 Dec 2006 13:11:24 +0100 [EBTABLES]: Fix wraparounds in ebt_entries verification. We need to verify that a) we are not too close to the end of buffer to dereference b) next entry we'll be checking won't be _before_ our While we are at it, don't subtract unrelated pointers... Signed-off-by: Al Viro Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk Commit: b00b3fe3f00962fc9faa7d34c28f5a20074c728b Author: Patrick McHardy Mon, 04 Dec 2006 12:46:48 +0100 [NET_SCHED]: policer: restore compatibility with old iproute binaries The tc actions increased the size of struct tc_police, which broke compatibility with old iproute binaries since both the act_police and the old NET_CLS_POLICE code check for an exact size match. Since the new members are not even used, the simple fix is to also accept the size of the old structure. Dumping is not affected since old userspace will receive a bigger structure, which is handled fine. Signed-off-by: Patrick McHardy Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk Commit: e6e129777f0fb6619e6a845cfd7a87b7fcd736a0 Author: Kim Nordlund Mon, 04 Dec 2006 12:44:22 +0100 [PKT_SCHED] act_gact: division by zero Not returning -EINVAL, because someone might want to use the value zero in some future gact_prob algorithm? Signed-off-by: Kim Nordlund Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk Commit: a7c850eb8180674fdd2957fb5f2e6dd5070fcc29 Author: Dave Kleikamp Mon, 04 Dec 2006 12:40:56 +0100 JFS: pageno needs to be long diRead and diWrite are representing the page number as an unsigned int. This causes file system corruption on volumes larger than 16TB. Signed-off-by: Dave Kleikamp Signed-off-by: Adrian Bunk Commit: b3d413d405f1b25d0ed98000f285394cf12a2c99 Author: YOSHIFUJI Hideaki Mon, 04 Dec 2006 12:20:41 +0100 [IPV6]: Fix address/interface handling in UDP and DCCP, according to the scoping architecture. TCP and RAW do not have this issue. Closes Bug #7432. Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk Commit: 8cf6005296c61ff46afcc1f08b1791b4aa2e9ba5 Author: Adrian Bunk Mon, 04 Dec 2006 12:18:43 +0100 remove garbage the sneaked into the ext3 fix Spotted by Thomas Voegtle. Signed-off-by: Adrian Bunk Commit: 8e0a9377e5f04b0f2982b8f6afc38c80d828c250 Author: Josh Triplett Wed, 29 Nov 2006 14:26:18 +0100 freevxfs: Add missing lock_kernel() to vxfs_readdir Commit 7b2fd697427e73c81d5fa659efd91bd07d303b0e in the historical GIT tree stopped calling the readdir member of a file_operations struct with the big kernel lock held, and fixed up all the readdir functions to do their own locking. However, that change added calls to unlock_kernel() in vxfs_readdir, but no call to lock_kernel(). Fix this by adding a call to lock_kernel(). Signed-off-by: Josh Triplett Signed-off-by: Adrian Bunk Commit: e2d1cbdc705c8b9d66831c1b81cea8c2cfabca10 Author: Kyle McMartin Wed, 29 Nov 2006 14:24:16 +0100 Fix incorrent type of flags in Signed-off-by: Kyle McMartin Signed-off-by: Adrian Bunk Commit: 190492c8f861547c94109175186bf83d89898e42 Author: Jeremy Higdon Wed, 29 Nov 2006 14:22:11 +0100 sgiioc4: Disable module unload This patch removes a module_exit function that sgiioc4 should not have had. It seems that the IDE layer doesn't support submodule unloading. sgiioc4 was the only driver in drivers/ide/pci that had an exit function. After an unload, the devices would stay around and the next attempt to reference would crash... Signed-off-by: Jeremy Higdon Signed-off-by: Adrian Bunk Commit: 82ae0fbafe0b80627b7f10e2436ee86578faf065 Author: Alexey Dobriyan Wed, 29 Nov 2006 14:17:58 +0100 proper flags type of spin_lock_irqsave() Convert various spin_lock_irqsave() callers to correctly use `unsigned long' Signed-off-by: Alexey Dobriyan Signed-off-by: Adrian Bunk Commit: 15c47f32ea7d544396e9dda63e3cfd275e669084 Author: Adrian Bunk Wed, 29 Nov 2006 14:15:25 +0100 drivers/usb/input/ati_remote.c: fix cut'n'paste error Backported from a patch by Mariusz Kozlowski in 2.6.19. Signed-off-by: Adrian Bunk Commit: b46d1f7bcd9db417ce46463de3bbbb095fe8013a Author: Vasily Tarasov Wed, 29 Nov 2006 14:04:14 +0100 block layer: elv_iosched_show should get elv_list_lock elv_iosched_show function iterates other elv_list, hence elv_list_lock should be got. Also the question is: in elv_iosched_show, elv_iosched_store q->elevator->elevator_type construction is used without locking q->queue_lock. Is it expected?.. Signed-off-by: Vasily Tarasov Acked-by: Jens Axboe Signed-off-by: Adrian Bunk Commit: 18ff15828e2912b6d68a0481e01cd1ec34eb19e6 Author: Jens Axboe Wed, 29 Nov 2006 14:01:40 +0100 block: Fix bad data direction in SG_IO Contrary to what the name misleads you to believe, SG_DXFER_TO_FROM_DEV is really just a normal read seen from the device side. This patch fixes http://lkml.org/lkml/2006/10/13/100 Signed-off-by: Jens Axboe Signed-off-by: Adrian Bunk Commit: feeddb339e1e9670e436f5f6328d958941727875 Author: Oliver Neukum Wed, 29 Nov 2006 12:45:29 +0100 USB: failure in usblp's error path if urb submission fails due to a transient error here eg. ENOMEM, the driver is dead. This fixes it. Signed-off-by: Oliver Neukum Signed-off-by: Adrian Bunk Commit: 193d2e39e134fb04211b77e0eb0ac3f8315a5967 Author: Nathan Lynch Wed, 29 Nov 2006 12:17:37 +0100 nvidiafb: fix unreachable code in nv10GetConfig Fix binary/logical operator typo which leads to unreachable code. Noticed while looking at other issues; I don't have the relevant hardware to test this. Signed-off-by: Nathan Lynch Signed-off-by: Adrian Bunk Commit: f6cbbf0f530efde11ef77f03d9e47b993e128965 Author: Wink Saville Wed, 29 Nov 2006 12:15:49 +0100 Fix divide by zero error for nvidia 7600 pci-express card The following patch resolves the divide by zero error I encountered on my system: http://marc.10east.com/?l=linux-fbdev-devel&m=116058257024413&w=2 I accomplished this by merging what I thought was appropriate from: http://webcvs.freedesktop.org/xorg/driver/xf86-video-nv/src/ Signed-off-by: Adrian Bunk Commit: e5b30aebbfdd1279c31fd64841a141079ccb881b Author: Pierre Ossman Wed, 29 Nov 2006 12:10:52 +0100 MMC: Always use a sector size of 512 bytes Both MMC and SD specifications specify (although a bit unclearly in the MMC case) that a sector size of 512 bytes must always be supported by the card. Cards can report larger "native" size than this, and cards >= 2 GB even must do so. Most other readers use 512 bytes even for these cards. We should do the same to be compatible. Signed-off-by: Pierre Ossman Signed-off-by: Adrian Bunk Commit: 540218dd286964e2c4ee2ee2b6259fd89bf5035e Author: Herbert Xu Wed, 29 Nov 2006 12:06:04 +0100 SCTP: Always linearise packet on input I was looking at a RHEL5 bug report involving Xen and SCTP (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212550). It turns out that SCTP wasn't written to handle skb fragments at all. The absence of any calls to skb_may_pull is testament to that. It just so happens that Xen creates fragmented packets more often than other scenarios (header & data split when going from domU to dom0). That's what caused this bug to show up. Until someone has the time sits down and audits the entire net/sctp directory, here is a conservative and safe solution that simply linearises all packets on input. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk Commit: 82182ed2ce8df69635bcfed4baad8bbfae842bc8 Author: Al Viro Wed, 29 Nov 2006 11:40:22 +0100 add forgotten ->b_data in memcpy() call in ext3/resize.c (oopsable) sbi->s_group_desc is an array of pointers to buffer_head. memcpy() of buffer size from address of buffer_head is a bad idea - it will generate junk in any case, may oops if buffer_head is close to the end of slab page and next page is not mapped and isn't what was intended there. IOW, ->b_data is missing in that call. Fortunately, result doesn't go into the primary on-disk data structures, so only backup ones get crap written to them; that had allowed this bug to remain unnoticed until now. Signed-off-by: Al Viro Signed-off-by: Adrian Bunk Commit: cf76a4a8bd6b14d9fc09e2d050253dc70312c273 Author: Jean Delvare Wed, 29 Nov 2006 11:00:25 +0100 Fix a masking bug in the 6pack driver. Looks like a broken masking to me, binary not is used where bitwise not was intended. Signed-off-by: Jean Delvare Signed-off-by: Ralf Baechle Signed-off-by: Adrian Bunk Commit: 08d93ba55b770a3230f6b66447f9c7699c9b0650 Author: Olaf Kirch Wed, 29 Nov 2006 10:59:22 +0100 [UDP]: Make udp_encap_rcv use pskb_may_pull Make udp_encap_rcv use pskb_may_pull IPsec with NAT-T breaks on some notebooks using the latest e1000 chipset, when header split is enabled. When receiving sufficiently large packets, the driver puts everything up to and including the UDP header into the header portion of the skb, and the rest goes into the paged part. udp_encap_rcv forgets to use pskb_may_pull, and fails to decapsulate it. Instead, it passes it up it to the IKE daemon. Signed-off-by: Olaf Kirch Signed-off-by: Jean Delvare Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk