commit 1ffe5e06461f72b9b6a2569c441483ddb361cf4a Author: Greg Kroah-Hartman Date: Mon Mar 27 22:49:02 2006 -0800 Linux 2.6.16.1 commit 5e48e1d6331d9a5f8ca50998c4c229b297215948 Author: Andrew Morton Date: Fri Mar 24 19:40:37 2006 -0800 [PATCH] Fix speedstep-smi assembly bug in speedstep_smi_ownership Fix bug identified by Linus Torvalds : the `out' instruction depends upon the state of memory_data[], so we need to tell gcc that before executing it. (The opcode, not gcc). Fixes http://bugzilla.kernel.org/show_bug.cgi?id=5553 Thanks to Antonio Ospite for testing. Cc: Dave Jones Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 74c34e68ec7ac4383ee49b2e8b8a7a2efa8e1012 Author: Andrey Panin Date: Fri Mar 24 13:18:52 2006 -0800 [PATCH] DMI: fix DMI onboard device discovery Attached patch fixes invalid pointer arithmetic in DMI code to make onboard device discovery working again. akpm: bug has been present since dmi_find_device() was added in 2.6.14. Affects ipmi only (I think) - the symptoms weren't described. akpm: changed to use pointer arithmetic rather than open-coded sizeof. Signed-off-by: Andrey Panin Cc: Corey Minyard Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit a0049f933fdbab3d483d0d4d865a505126dbcbf4 Author: Patrick McHardy Date: Thu Mar 23 02:59:24 2006 -0800 [PATCH] cciss: fix use-after-free in cciss_init_one free_hba() sets hba[i] to NULL, the dereference afterwards results in this crash. Setting busy_initializing to 0 actually looks unnecessary, but I'm not entirely sure, which is why I left it in. cciss: controller appears to be disabled Unable to handle kernel NULL pointer dereference at virtual address 00000370 printing eip: c1114d53 *pde = 00000000 Oops: 0002 [#1] Modules linked in: CPU: 0 EIP: 0060:[] Not tainted VLI EFLAGS: 00010286 (2.6.16 #1) EIP is at cciss_init_one+0x4e9/0x4fe eax: 00000000 ebx: c132cd60 ecx: c13154e4 edx: c27d3c00 esi: 00000000 edi: c2748800 ebp: c2536ee4 esp: c2536eb8 ds: 007b es: 007b ss: 0068 Process swapper (pid: 1, threadinfo=c2536000 task=c2535a30) Stack: <0>00000000 00000000 00000000 c13fdba0 c2536ee8 c13159c0 c2536f38 f7c74740 c132cd60 c132cd60 ffffffed c2536ef0 c10c1d51 c2748800 c2536f04 c10c1d85 c132cd60 c2748800 c132cd8c c2536f14 c10c1db8 c2748848 00000000 c2536f28 Call Trace: [] show_stack_log_lvl+0xa8/0xb0 [] show_registers+0x102/0x16a [] die+0xc1/0x13c [] do_page_fault+0x38a/0x525 [] error_code+0x4f/0x54 [] pci_call_probe+0xd/0x10 [] __pci_device_probe+0x31/0x43 [] pci_device_probe+0x21/0x34 [] driver_probe_device+0x44/0x99 [] __driver_attach+0x39/0x5d [] bus_for_each_dev+0x35/0x5a [] driver_attach+0x14/0x16 [] bus_add_driver+0x5c/0x8f [] driver_register+0x73/0x78 [] __pci_register_driver+0x5f/0x71 [] cciss_init+0x1a/0x1c [] do_initcalls+0x4c/0x96 [] do_basic_setup+0x1c/0x1e [] init+0x35/0x118 [] kernel_thread_helper+0x5/0xb Code: 04 b5 e0 de 40 c1 8d 50 04 8b 40 34 e8 3f b7 f9 ff 8b 04 b5 e0 de 40 c1 e8 aa f3 ff ff 89 f0 e8 e8 fa ff ff 8b 04 b5 e0 de 40 c1 80 70 03 00 00 00 00 00 00 83 c8 ff 8d 65 f4 5b 5e 5f 5d c3 <0>Kernel panic - not syncing: Attempted to kill init! Signed-off-by: Patrick McHardy Cc: Signed-off-by: Andrew Morton Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 23921dff54d531f7d834d8366085acf6afd9bf4b Author: Neil Brown Date: Thu Mar 23 02:59:22 2006 -0800 [PATCH] DM: Fix bug: BIO_RW_BARRIER requests to md/raid1 hang. Both R1BIO_Barrier and R1BIO_Returned are 4 !!!! This means that barrier requests don't get returned (i.e. b_endio called) because it looks like they already have been. Signed-off-by: Neil Brown Signed-off-by: Andrew Morton Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 4ceb2fc75f15f1a8d4d791e4398b2e06f4f34f47 Author: Anton Blanchard Date: Thu Mar 23 02:59:20 2006 -0800 [PATCH] fix scheduler deadlock We have noticed lockups during boot when stress testing kexec on ppc64. Two cpus would deadlock in scheduler code trying to grab already taken spinlocks. The double_rq_lock code uses the address of the runqueue to order the taking of multiple locks. This address is a per cpu variable: if (rq1 < rq2) { spin_lock(&rq1->lock); spin_lock(&rq2->lock); } else { spin_lock(&rq2->lock); spin_lock(&rq1->lock); } On the other hand, the code in wake_sleeping_dependent uses the cpu id order to grab locks: for_each_cpu_mask(i, sibling_map) spin_lock(&cpu_rq(i)->lock); This means we rely on the address of per cpu data increasing as cpu ids increase. While this will be true for the generic percpu implementation it may not be true for arch specific implementations. One way to solve this is to always take runqueues in cpu id order. To do this we add a cpu variable to the runqueue and check it in the double runqueue locking functions. Signed-off-by: Anton Blanchard Acked-by: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 375dcda41ce22c756ae9535c133875495c859be3 Author: Neil Horman Date: Thu Mar 23 02:59:19 2006 -0800 [PATCH] proc: fix duplicate line in /proc/devices Fix a duplicate block device line printed after the "Block device" header in /proc/devices. Signed-off-by: Neil Horman Signed-off-by: Andrew Morton Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 370d27825aec5480166be7df6bd203f242252c5a Author: Joe Korty Date: Wed Mar 22 00:07:43 2006 -0800 [PATCH] rtc.h broke strace(1) builds Git patch 52dfa9a64cfb3dd01fa1ee1150d589481e54e28e [PATCH] move rtc_interrupt() prototype to rtc.h broke strace(1) builds. The below moves the kernel-only additions lower, under the already provided #ifdef __KERNEL__ statement. Signed-off-by: Andrew Morton Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 0f73ea05d9c95cdf483c3f51f65979a8a752744e Author: Alasdair G Kergon Date: Wed Mar 22 00:07:42 2006 -0800 [PATCH] dm: bio split bvec fix The code that handles bios that span table target boundaries by breaking them up into smaller bios will not split an individual struct bio_vec into more than two pieces. Sometimes more than that are required. This patch adds a loop to break the second piece up into as many pieces as are necessary. Cc: "Abhishek Gupta" Cc: Dan Smith Signed-off-by: Alasdair G Kergon Signed-off-by: Andrew Morton Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit e699844c7b6621f8307ac088735becc3d827ca24 Author: Latchesar Ionkov Date: Wed Mar 22 00:07:37 2006 -0800 [PATCH] v9fs: assign dentry ops to negative dentries If a file is not found in v9fs_vfs_lookup, the function creates negative dentry, but doesn't assign any dentry ops. This leaves the negative entry in the cache (there is no d_delete to mark it for removal). If the file is created outside of the mounted v9fs filesystem, the file shows up in the directory with weird permissions. This patch assigns the default v9fs dentry ops to the negative dentry. Signed-off-by: Latchesar Ionkov Signed-off-by: Eric Van Hensbergen Signed-off-by: Andrew Morton Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 4cb9ff3bdbe7e14dcc2752e5e67ee2e324a03cd5 Author: Antonino A. Daplas Date: Wed Mar 22 00:07:36 2006 -0800 [PATCH] i810fb_cursor(): use GFP_ATOMIC The console cursor can be called in atomic context. Change memory allocation to use the GFP_ATOMIC flag in i810fb_cursor(). Signed-off-by: Antonino Daplas Signed-off-by: Andrew Morton Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit d4852ff21818a906e603815c5951d0ef382cd851 Author: David S. Miller Date: Thu Mar 23 22:54:18 2006 -0800 [PATCH] NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated. The user can pass us arbitrary garbage so we should ensure the string they give us is null terminated before we pass it on to dev_get_by_index() et al. Found by Solar Designer. Signed-off-by: David S. Miller Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 9620554ca94a95059466e7e9cd6298bf78a09a09 Author: Nathan Scott Date: Fri Mar 24 14:46:22 2006 +1100 [PATCH] XFS writeout fix [XFS] Check that a page has dirty buffers before finding it acceptable for rewrite clustering. This prevents writing excessive amounts of clean data when doing random rewrites of a cached file. Signed-off-by: David Chinner Signed-off-by: Nathan Scott Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 8513187b93ba2092688c99d529ff85864359b729 Author: Greg Kroah-Hartman Date: Thu Mar 16 15:44:26 2006 -0800 [PATCH] sysfs: fix a kobject leak in sysfs_add_link on the error path As pointed out by Oliver Neukum. Cc: Maneesh Soni Cc: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 4dea21b262ea05825bffade2180e560b0141fd85 Author: Andrew Morton Date: Tue Mar 7 23:53:25 2006 -0800 [PATCH] get_cpu_sysdev() signedness fix Doing (int < NR_CPUS) doesn't dtrt if it's negative.. Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 048eb7e760ef41bcfef09bbd223f18379d260c2c Author: Jeff Moyer Date: Mon Feb 13 14:52:38 2006 -0800 [PATCH] firmware: fix BUG: in fw_realloc_buffer The fw_realloc_buffer routine does not handle an increase in buffer size of more than 4k. It's not clear to me why it expects that it will only get an extra 4k of data. The attached patch modifies fw_realloc_buffer to vmalloc as much memory as is requested, instead of what we previously had + 4k. I've tested this on my laptop, which would crash occaisionally on boot without the patch. With the patch, it hasn't crashed, but I can't be certain that this code path is exercised. Signed-off-by: Jeff Moyer Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit a15dee13761dd8521e5410a942574afa4375f6c6 Author: Greg Kroah-Hartman Date: Thu Mar 16 15:44:26 2006 -0800 [PATCH] sysfs: sysfs_remove_dir() needs to invalidate the dentry When calling sysfs_remove_dir() don't allow any further sysfs functions to work for this kobject anymore. This fixes a nasty USB cdc-acm oops on disconnect. Many thanks to Bob Copeland and Paul Fulghum for taking the time to track this down. Cc: Bob Copeland Cc: Paul Fulghum Cc: Maneesh Soni Signed-off-by: Greg Kroah-Hartman commit 6f78133bf7a06845afee5bcdff7c276bbceaaf55 Author: Alexey Kuznetsov Date: Wed Mar 22 14:34:42 2006 -0800 [PATCH] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242) The problem is in ip_push_pending_frames(), which uses: if (!df) { __ip_select_ident(iph, &rt->u.dst, 0); } else { iph->id = htons(inet->id++); } instead of ip_select_ident(). Right now I think the code is a nonsense. Most likely, I copied it from old ip_build_xmit(), where it was really special, we had to decide whether to generate unique ID when generating the first (well, the last) fragment. In ip_push_pending_frames() it does not make sense, it should use plain ip_select_ident() instead. Signed-off-by: Alexey Kuznetsov Signed-off-by: David S. Miller Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 65851bbf2ab375b4c00f4571dfb5c1003625c12f Author: Mark Lord Date: Tue Mar 21 21:05:32 2006 -0500 [PATCH] 2.6.xx: sata_mv: another critical fix This patch addresses a number of weird behaviours observed for the sata_mv driver, by fixing an "off by one" bug in processing of the EDMA response queue. Basically, sata_mv was looking in the wrong place for command results, and this produced a lot of unpredictable behaviour. Signed-off-by: Mark Lord Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 6079ca923de842e173b943b96c2fa3034826c68f Author: Michael Krufky Date: Mon Mar 20 22:34:58 2006 -0500 [PATCH] Kconfig: VIDEO_DECODER must select FW_LOADER The cx25840 module requires external firmware in order to function, so it must select FW_LOADER, but saa7115 and saa7129 do not require it. Signed-off-by: Michael Krufky Cc: Mauro Carvalho Chehab Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 6e30bf3c59c6a4de812e92f49e8dbd067030d308 Author: Hans Verkuil Date: Mon Mar 20 22:34:54 2006 -0500 [PATCH] V4L/DVB (3324): Fix Samsung tuner frequency ranges Forgot to take the NTSC frequency offset into account. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 1dd6f008de5a04251d9cbe4c1cf67e4c708f9fe9 Author: Jeff Garzik Date: Mon Mar 20 19:57:57 2006 -0500 [PATCH] sata_mv: fix irq port status usage Interrupt handler did not properly initialize a variable on a per-port basis, leading to incorrect behavior on ports other than port 0. Bug caught and fixed by Mark Lord. Signed-off-by: Jeff Garzik Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman