commit ce484abb75977cce40dabe3fc8ed67fe4f0f7a64
Author: Chris Wright
Date:   Wed Mar 1 14:37:27 2006 -0800

    Linux 2.6.15.5

commit bbcd4f26d39853dd7a158d20eece8c337efe6441
Author: Jack Morgenstein
Date:   Mon Feb 27 13:44:40 2006 -0800

    [PATCH] IB/mthca: max_inline_data handling tweaks

    Fix a case where copying max_inline_data from a successful create_qp
    capabilities output to create_qp input could cause EINVAL error:

    mthca_set_qp_size must check max_inline_data directly against
    max_desc_sz; checking qp->sq.max_gs is wrong since max_inline_data
    depends on the qp type and does not involve max_sg.

    Signed-off-by: Jack Morgenstein
    Signed-off-by: Michael S. Tsirkin
    Signed-off-by: Roland Dreier
    Signed-off-by: Chris Wright

commit 93e3d00a9f0158e522cada1088233fad23247882
Author: Trond Myklebust
Date:   Wed Feb 15 00:42:26 2006 -0500

    [PATCH] Normal user can panic NFS client with direct I/O (CVE-2006-0555)

    This is CVE-2006-0555 and SGI bug 946529. A normal user can panic an
    NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT.

    Signed-off-by: Chris Wright

commit 8dcd7c19f2624b7150edd60da336da0bb5291bef
Author: Mike O'Connor
Date:   Wed Feb 15 00:17:24 2006 -0500

    [PATCH] XFS ftruncate() bug could expose stale data (CVE-2006-0554)

    This is CVE-2006-0554 and SGI bug 942658. With certain types of
    ftruncate() activity on 2.6 kernels, XFS can end up exposing stale
    data off disk to a user, putting extents where holes should be.

    Signed-off-by: Chris Wright

commit 6cbb463db05210e83ddc18cbd92e295f1fefa111
Author: Stefan Richter
Date:   Mon Feb 27 00:52:53 2006 +0100

    [PATCH] sbp2: fix another deadlock after disconnection

    sbp2: fix another deadlock after disconnection

    If there were commands enqueued but not completed before an SBP-2 unit
    was unplugged (or an attempt to reconnect failed), knodemgrd or any
    process which tried to remove the device would sleep uninterruptibly
    in blk_execute_rq(). Therefore make sure that all commands are
    completed when sbp2 retreats.
    Signed-off-by: Stefan Richter
    Signed-off-by: Chris Wright

commit ed26c7781107e4d8fd0c654459e61b81096c4ff4
Author: Stefan Richter
Date:   Mon Feb 27 00:16:10 2006 +0100

    [PATCH] sd: fix memory corruption with broken mode page headers

    sd: fix memory corruption with broken mode page headers

    There's a problem in sd where we blindly believe the length of the
    headers and block descriptors. Some devices return insane values for
    these and cause our length to end up greater than the actual buffer
    size, so check to make sure.

    Signed-off-by: Al Viro

    Also removed the buffer size magic number (512) and added DPOFUA of
    zero to the defaults

    Signed-off-by: James Bottomley
    Signed-off-by: Linus Torvalds

    rediff for 2.6.15.x without DPOFUA bit, taken from commit
    489708007785389941a89fa06aedc5ec53303c96

    Signed-off-by: Stefan Richter
    Signed-off-by: Chris Wright

commit 9809ee9916825087a8729af4713ae9b555917ad5
Author: Alexey Kuznetsov
Date:   Mon Feb 27 00:28:32 2006 -0800

    [PATCH] Fix a severe bug

    netlink overrun was broken while improvement of netlink. Destination
    socket is used in the place where it was meant to be source socket,
    so that now overrun is never sent to user netlink sockets, when it
    should be, and it even can be set on kernel socket, which results in
    complete deadlock of rtnetlink.

    Suggested fix is to restore status quo passing source socket as
    additional argument to netlink_attachskb().

    A little explanation: overrun is set on a socket, when it failed to
    receive some message and sender of this messages does not or even
    have no way to handle this error. This happens in two cases:

    1. when kernel sends something. Kernel never retransmits and cannot
       wait for buffer space.
    2. when user sends a broadcast and the message was not delivered to
       some recipients.

    Signed-off-by: Alexey Kuznetsov
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 5a62d3406ddd87a26d706d0b3019f4a1872713da
Author: Suresh Siddha
Date:   Sun Feb 26 04:34:00 2006 +0100

    [PATCH] x86_64: Check for bad elf entry address (CVE-2006-0741)

    Fixes a local DOS on Intel systems that lead to an endless recursive
    fault. AMD machines don't seem to be affected.

    Signed-off-by: Suresh Siddha
    Signed-off-by: Andi Kleen
    Signed-off-by: Chris Wright

commit 94069fb3035f4e9de4ce33f5910be0dded06677c
Author: Stephen Hemminger
Date:   Wed Feb 22 13:52:35 2006 -0800

    [PATCH] skge: fix SMP race

    If skge is attached to a bad cable, that goes up/down. It exposes an
    SMP race with the management of IRQ mask

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Chris Wright

commit ed31b30cb77fd23f37d5cac1144fa5dddc6b7a00
Author: Stephen Hemminger
Date:   Wed Feb 22 13:52:34 2006 -0800

    [PATCH] skge: genesis phy initialization fix

    The SysKonnect Genesis based board would fail on initialization with
    phy_read errors caused by not waiting for last phy write.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Chris Wright

commit e501e04cf0b3cd2d89ebfd8ad6cd38e1a88a1a71
Author: Stephen Hemminger
Date:   Wed Feb 22 13:52:33 2006 -0800

    [PATCH] skge: fix NAPI/irq race

    Fix a race in the receive NAPI, irq handling. The interrupt clear and
    the start need to be separated. Otherwise there is a window between
    the last frame received and the NAPI done level handling.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Chris Wright

commit 82a0d8860dfd709ce46dc2f0c3670b9f5c52da8a
Author: Stephen Hemminger
Date:   Wed Feb 22 13:52:32 2006 -0800

    [PATCH] skge: speed setting

    This is a clone of John Linville's fixed for speed setting on sky2
    driver. The skge driver has the same code (and bug). It would not
    allow manually forcing 100 and 10 mbit.
    Signed-off-by: Stephen Hemminger
    Signed-off-by: Chris Wright

commit c48cc3694e1ad82407c2aa041743f2e8fb0adcde
Author: Kaj-Michael Lang
Date:   Fri Feb 24 13:04:15 2006 -0800

    [PATCH] gbefb: IP32 gbefb depth change fix

    The gbefb driver does not update the framebuffer layers visual
    setting when depth is changed with fbset, resulting in strange colors
    (very dark blue in 16-bit, almost black in 24-bit).

    Signed-off-by: Kaj-Michael Lang
    Signed-off-by: Martin Michlmayr
    Signed-off-by: Antonino Daplas
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit b9c53139e460fa93b7b20928f8b49a3cb2432b69
Author: Andrew Morton
Date:   Fri Feb 24 13:04:23 2006 -0800

    [PATCH] ramfs: update dir mtime and ctime

    Phil Marek points out that ramfs forgets to update a directory's
    mtime and ctime when it is modified.

    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit e5a78bb9935a635ebcb71c10899c53bfc99f8c7f
Author: Jun'ichi Nomura
Date:   Fri Feb 24 13:04:25 2006 -0800

    [PATCH] dm: free minor after unlink gendisk

    Minor number should be freed after del_gendisk(). Otherwise, there
    could be a window where 2 registered gendisk has same minor number.

    Signed-off-by: Jun'ichi Nomura
    Acked-by: Alasdair G Kergon
    Cc:
    Signed-off-by: Andrew Morton
    [chrisw: backport to 2.6.15]
    Signed-off-by: Chris Wright

commit 2687a132e9d6e5e9249fc2b961ab37cf185dd3c8
Author: Jun'ichi Nomura
Date:   Fri Feb 24 13:04:24 2006 -0800

    [PATCH] dm: missing bdput/thaw_bdev at removal

    Need to unfreeze and release bdev otherwise the bdev inode with
    inconsistent state is reused later and cause problem.

    Signed-off-by: Jun'ichi Nomura
    Acked-by: Alasdair G Kergon
    Cc:
    Signed-off-by: Andrew Morton
    [chrisw: backport to 2.6.15]
    Signed-off-by: Chris Wright

commit 96fb1a894d71297d8abe0a803a725f7eb25910c3
Author: Martin Michlmayr
Date:   Fri Feb 24 13:04:16 2006 -0800

    [PATCH] gbefb: Set default of FB_GBE_MEM to 4 MB

    Allocating more than 4 MB memory for the GBE (SGI O2) framebuffer
    completely breaks gbefb support at the moment.
    According to comments on #mipslinux, more than 4 MB has never worked
    correctly in Linux. Therefore, the default should be 4 MB.

    Signed-off-by: Martin Michlmayr
    Signed-off-by: Antonino Daplas
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit 3bf8ce11c70ef5dc2298c7fff4a744c48e87b9f0
Author: Simon Vogl
Date:   Fri Feb 24 13:04:09 2006 -0800

    [PATCH] cfi: init wait queue in chip struct

    Fix a kernel oops for Intel P30 flashes, where the wait queue head
    was not initialized for the flchip struct, which in turn caused a
    crash at the first read operation.

    Signed-off-by: Thomas Gleixner
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit b68e8ec13bcb0bb66173a5803a98602575e6b8d0
Author: Takashi Iwai
Date:   Fri Feb 24 13:03:52 2006 -0800

    [PATCH] alsa: fix bogus snd_device_free() in opl3-oss.c

    Remove snd_device_free() for an opl3-oss instance which should have
    been released.

    Signed-off-by: Takashi Iwai
    Cc: Jaroslav Kysela
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit 46cadda8ed7d32f0435699b3c2cfe5973785b4c1
Author: Juergen Kreileder
Date:   Mon Feb 20 18:28:00 2006 -0800

    [PATCH] Fix snd-usb-audio in 32-bit compat environment

    I'm getting oopses with snd-usb-audio in 32-bit compat environments:
    control_compat.c:get_ctl_type() doesn't initialize 'info', so
    'itemlist[uinfo->value.enumerated.item]' in
    usbmixer.c:mixer_ctl_selector_info() might access random memory (The
    'if ((int)uinfo->value.enumerated.item >= cval->max)' doesn't fix all
    problems because of the unsigned -> signed conversion.)

    Signed-off-by: Juergen Kreileder
    Cc: Jaroslav Kysela
    Acked-by: Takashi Iwai
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit fd01ab8d4018937a01cbc221e7a006bcde24c87f
Author: Jean Delvare
Date:   Sun Feb 19 15:34:03 2006 +0100

    [PATCH] hwmon it87: Probe i2c 0x2d only

    Only scan I2C address 0x2d. This is the default address and no
    IT87xxF chip was ever seen on I2C at a different address.
    These chips are better accessed through their ISA interface anyway.

    This fixes bug #5889, although it doesn't address the whole class of
    problems. We'd need the ability to blacklist arbitrary I2C addresses
    on systems known to contain I2C devices which behave badly when
    probed.

    Signed-off-by: Jean Delvare
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit a8c4e1c4d248f300c2ab6d6b5e9e1b78ebb212fd
Author: Jean Delvare
Date:   Sun Feb 19 15:18:04 2006 +0100

    [PATCH] it87: Fix oops on removal

    Fix an oops on it87 module removal when no supported hardware was
    found.

    Signed-off-by: Jean Delvare
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 99e1baf86ff6a31330ff0c7bb77110338f03ddc5
Author: Chris Wright
Date:   Fri Feb 17 13:59:36 2006 -0800

    [PATCH] sys_mbind sanity checking

    Make sure maxnodes is safe size before calculating nlongs in
    get_nodes().

    Signed-off-by: Chris Wright
    Signed-off-by: Linus Torvalds
    [chrisw: fix units, pointed out by Andi]
    Cc: Andi Kleen
    Signed-off-by: Greg Kroah-Hartman

commit 8fef8ea2a1f28a7611ad0b8ff7b48ceb38db9535
Author: Peter Staubach
Date:   Fri Feb 17 13:52:36 2006 -0800

    [PATCH] fix deadlock in ext2

    Fix a deadlock possible in the ext2 file system implementation. This
    deadlock occurs when a file is removed from an ext2 file system which
    was mounted with the "sync" mount option.

    The problem is that ext2_xattr_delete_inode() was invoking the
    routine, sync_dirty_buffer(), using a buffer head which was
    previously locked via lock_buffer(). The first thing that
    sync_dirty_buffer() does is to lock the buffer head that it was
    passed. It does this via lock_buffer(). Oops.

    The solution is to unlock the buffer head in
    ext2_xattr_delete_inode() before invoking sync_dirty_buffer(). This
    makes the code in ext2_xattr_delete_inode() obey the same locking
    rules as all other callers of sync_dirty_buffer() in the ext2 file
    system implementation.
    Signed-off-by: Peter Staubach
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 80a16577362b3eafa2f390d5e1ffb268464ccedb
Author: Oleg Nesterov
Date:   Wed Feb 15 22:50:10 2006 +0300

    [PATCH] fix zap_thread's ptrace related problems

    1. The tracee can go from ptrace_stop() to do_signal_stop() after
       __ptrace_unlink(p).

    2. It is unsafe to __ptrace_unlink(p) while p->parent may wait for
       tasklist_lock in ptrace_detach().

    Signed-off-by: Oleg Nesterov
    Cc: Roland McGrath
    Cc: Ingo Molnar
    Cc: Christoph Hellwig
    Cc: Eric W. Biederman
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit f7cfcc72b365dc62cd01e1920f3f0b4e053f7735
Author: Adrian Drzewiecki
Date:   Wed Feb 15 01:47:48 2006 -0800

    [PATCH] Fix deadlock in br_stp_disable_bridge

    Looks like somebody forgot to use the _bh spin_lock variant. We ran
    into a deadlock where br->hello_timer expired while
    br_stp_disable_br() walked br->port_list.

    Signed-off-by: Adrian Drzewiecki
    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit c295b4b9b5b554283b15dca58d23110fdde5e9c9
Author: Dave Jones
Date:   Fri Feb 10 16:27:11 2006 -0500

    [PATCH] Fix s390 build failure.

    arch/s390/kernel/compat_signal.c:199: error: conflicting types for 'do_sigaction'
    include/linux/sched.h:1115: error: previous declaration of 'do_sigaction' was here

    Signed-off-by: Dave Jones
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 2e54d30f0f8ef437723c975b76fccf649536e96e
Author: Tony Luck
Date:   Thu Feb 9 14:41:41 2006 -0800

    [PATCH] sys32_signal() forgets to initialize ->sa_mask

    Pointed out by Oleg Nesterov, who in turn got the hint from Linus.
    Signed-off-by: Tony Luck
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit d5ab647575aac6b58a3bfb1d670caf4c7c8d47c2
Author: Oleg Nesterov
Date:   Thu Feb 9 22:41:50 2006 +0300

    [PATCH] do_sigaction: cleanup ->sa_mask manipulation

    Clear unblockable signals beforehand.

    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 5e617b803260b4890a345f21d01790203e9dbde6
Author: Oleg Nesterov
Date:   Thu Feb 9 22:41:41 2006 +0300

    [PATCH] sys_signal: initialize ->sa_mask

    Pointed out by Linus Torvalds.

    sys_signal() forgets to initialize ->sa_mask.

    ( I suspect arch/ia64/ia32/ia32_signal.c:sys32_signal() also needs
      this fix )

    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit f7c4f6a095e9ae25e17681ddc1f9b09d090790de
Author: Kristian Slavov
Date:   Wed Feb 15 23:42:14 2006 +0100

    [PATCH] Address autoconfiguration does not work after device down/up cycle

    If you set network interface down and up again, the IPv6 address
    autoconfiguration does not work. 'ip addr' shows that the link-local
    address is in tentative state. We don't even react to periodical
    router advertisements.

    During NETDEV_DOWN we clear IF_READY, and we don't set it back in
    NETDEV_UP. While starting to perform DAD on the link-local address,
    we notice that the device is not in IF_READY, and we abort
    autoconfiguration process (which would eventually send router
    solicitations).

    Acked-by: Juha-Matti Tapio
    Acked-by: YOSHIFUJI Hideaki
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit dcfd28a95dc4bb4868f867f118b4de0d0ced900c
Author: David S. Miller
Date:   Mon Feb 13 16:46:25 2006 -0800

    [PATCH] Revert skb_copy_datagram_iovec() recursion elimination.

    Revert the following changeset:

    bc8dfcb93970ad7139c976356bfc99d7e251deaf

    Recursive SKB frag lists are really possible and disallowing them
    breaks things.
    Noticed by: Jesse Brandeburg

    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 245fdb596bc70bb93d5941d688916e29d6824955
Author: Jeff Mahoney
Date:   Sun Feb 12 22:34:55 2006 -0800

    [PATCH] reiserfs: disable automatic enabling of reiserfs inode attributes

    Unfortunately, the reiserfs_attrs_cleared bit in the superblock flag
    can lie. File systems have been observed with the bit set, yet still
    contain garbage in the stat data field, causing unpredictable
    results.

    This patch backs out the enable-by-default behavior.

    It eliminates the changes from:
    d50a5cd860ce721dbeac6a4f3c6e42abcde68cd8, and
    ef5e5414e7a83eb9b4295bbaba5464410b11e030.

    Signed-off-by: Jeff Mahoney
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 32065dc4c027c69cc03431155db36ea27f9f98f5
Author: Hugh Dickins
Date:   Sun Feb 12 19:26:05 2006 +0000

    [PATCH] hugetlbfs mmap ENOMEM failure

    2.6.15's hugepage faulting introduced huge_pages_needed accounting
    into hugetlbfs: to count how many pages are already in cache, for
    spot check on how far a new mapping may be allowed to extend the
    file. But it's muddled: each hugepage found covers HPAGE_SIZE, not
    PAGE_SIZE. Once pages were already in cache, it would overshoot, wrap
    its hugepages count backwards, and so fail a harmless repeat mapping
    with -ENOMEM. Fixes the problem found by Don Dupuis.

    Signed-off-by: Hugh Dickins
    Acked-By: Adam Litke
    Acked-by: William Irwin
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit bcf2887b1416a506e3461c504642a1b7fad52ddc
Author: Andi Kleen
Date:   Mon Feb 13 10:34:30 2006 +0100

    [PATCH] i386: Move phys_proc_id/early intel workaround to correct function

    early_cpu_detect only runs on the BP, but this code needs to run on
    all CPUs.

    This will fix problems with the powernow-k8 driver on dual core
    systems and general misdetection of AMD dual core.

    Looks like a mismerge somewhere.
    Also add a warning comment.

    Signed-off-by: Andi Kleen
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 2c16bdb60935bebd25fbcc5787e91670c5a8a4ba
Author: Horms
Date:   Mon Feb 13 11:14:57 2006 +0900

    [PATCH] netfilter missing symbol has_bridge_parent

    5dce971acf2ae20c80d5e9d1f6bbf17376870911 in Linus' tree, otherwise
    known as bridge-netfilter-races-on-device-removal.patch in 2.5.15.4
    removed has_bridge_parent, however this symbol is still called with
    NETFILTER_DEBUG is enabled.

    This patch uses the already seeded realoutdev value to detect if a
    parent exists, and if so, the value of the parent.

    Signed-Off-By: Horms
    Acked-by: Stephen Hemminger
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit bde2fcb4fcc69afb0a6ebd1d8c27a83e475480ed
Author: KAMEZAWA Hiroyuki
Date:   Thu Feb 9 02:03:17 2006 -0800

    [PATCH] shmdt cannot detach not-alined shm segment cleanly.

    sys_shmdt() can manage shm segments which are covered by multiple
    vmas. (This can happen when a user uses mprotect() after shmat().)

    This works well if shm is aligned to PAGE_SIZE, but if not, the last
    segment cannot be detached. It is because a comparison in sys_shmdt()

        (vma->vm_end - addr) < size
            addr == return address of shmat()
            size == shmsize, arguments to shmget()

    size should be aligned to PAGE_SIZE before being compared with
    vma->vm_end, which is aligned.

    Signed-off-by: KAMEZAWA Hiroyuki
    Cc: Manfred Spraul
    Cc: Hugh Dickins
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 8bd69ca8a395caf9385b06713f34ef1562ff362c
Author: Heiko Carstens
Date:   Wed Feb 1 11:41:10 2006 +0100

    [PATCH] s390: add #ifdef __KERNEL__ to asm-s390/setup.h

    Based on a patch from Maximilian Attems.

    Nothing in asm-s390/setup.h is of interest for user space.
    Signed-off-by: Heiko Carstens
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit c238fdc79a3a4ea2f2cf0782ca34d36ed2e46d33
Author: Tom Rini
Date:   Mon Jan 30 10:43:50 2006 -0700

    [PATCH] ppc32: Put cache flush routines back into .relocate_code section

    In 2.6.14, we had the following definition of _GLOBAL() in
    include/asm-ppc/processor.h:

        #define _GLOBAL(n)\
                .stabs __stringify(n:F-1),N_FUN,0,0,n;\
                .globl n;\
        n:

    In 2.6.15, as part of the great powerpc merge, we moved this
    definition to include/asm-powerpc/ppc_asm.h, where it appears (to
    32-bit code) as:

        #define _GLOBAL(n) \
                .text; \
                .stabs __stringify(n:F-1),N_FUN,0,0,n;\
                .globl n; \
        n:

    Mostly, this is fine. However, we also have the following, in
    arch/ppc/boot/common/util.S:

        .section ".relocate_code","xa"
        [...]
        _GLOBAL(flush_instruction_cache)
        [...]
        _GLOBAL(flush_data_cache)
        [...]

    The addition of the .text section definition in the definition of
    _GLOBAL overrides the .relocate_code section definition. As a result,
    these two functions don't end up in .relocate_code, so they don't get
    relocated correctly, and the boot fails.

    There's another suspicious-looking usage at kernel/swsusp.S:37 that
    someone should look into. I did not exhaustively search the source
    tree, though.

    The following is the minimal patch that fixes the immediate problem.
    I could easily be convinced that the _GLOBAL definition should be
    modified to remove the ".text;" line either instead of, or in
    addition to, this fix.

    Signed-off-by: Paul Janzen
    Signed-off-by: Paul Mackerras
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright