commit 834f514019e01f87657a257dae0fbbae1006ec2a
Author: Greg Kroah-Hartman
Date:   Mon Apr 24 10:07:37 2006 -0700

    Linux 2.6.16.10

commit 1fca16492a85f69fbdd498fdd66156f7de44262d
Author: Alexey Kuznetsov
Date:   Tue Apr 18 03:04:00 2006 +0000

    [PATCH] IPC: access to unmapped vmalloc area in grow_ary()

    grow_ary() should not copy struct ipc_id_ary (it copies new->p, not new).
    Due to this, the memcpy() src pointer could hit an unmapped vmalloc page
    when near a page boundary.

    Found during OpenVZ stress testing.

    Signed-off-by: Alexey Kuznetsov
    Signed-off-by: Kirill Korotaev
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 7517f43bef6016c58c007446f882ecf98a5e287b
Author: OGAWA Hirofumi
Date:   Wed Apr 19 23:59:40 2006 +0000

    [PATCH] Add more prevent_tail_call()

    Those also break userland regs like the following.

    00000000 :
       0:   0f b7 44 24 0c          movzwl 0xc(%esp),%eax
       5:   83 ca ff                or     $0xffffffff,%edx
       8:   0f b7 4c 24 08          movzwl 0x8(%esp),%ecx
       d:   66 83 f8 ff             cmp    $0xffffffff,%ax
      11:   0f 44 c2                cmove  %edx,%eax
      14:   66 83 f9 ff             cmp    $0xffffffff,%cx
      18:   0f 45 d1                cmovne %ecx,%edx
      1b:   89 44 24 0c             mov    %eax,0xc(%esp)
      1f:   89 54 24 08             mov    %edx,0x8(%esp)
      23:   e9 fc ff ff ff          jmp    24

    where the tailcall at the end overwrites the incoming stack-frame.

    Signed-off-by: OGAWA Hirofumi
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit ccc182530680032711743be0e5533e6117e30139
Author: KAI.HSU
Date:   Wed Apr 19 17:01:17 2006 +0000

    [PATCH] alim15x3: ULI M-1573 south Bridge support

    From http://bugzilla.kernel.org/show_bug.cgi?id=6358

    The alim15x3.c hasn't been updated for 3 years. Recently, when we used
    this "ULI M1573" south bridge chip, we found that it can't mount a CDROM
    (VCD) smoothly; we must wait for a long time.

    After I checked the "ULI M1573" south bridge datasheet, I found the
    reason. The reason is that the "ULI M1573" version in Linux is "0xC7",
    not "0xC4" anymore. So I modified the source and then it succeeded.
    Cc: Bartlomiej Zolnierkiewicz
    Acked-by: Alan Cox
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 1ae48cacc64223063693f2a94cc264e680fb1964
Author: Samuel Thibault
Date:   Wed Apr 19 17:00:54 2006 +0000

    [PATCH] apm: fix Armada laptops again

    Fix the "apm: set display: Interface not engaged" error on Armada laptops
    again.

    Jordan said:

      I think this is fine. It seems to me that this may be the fault of one
      or both of the APM solutions handling this situation in a non-standard
      way, but since APM is used very little on the Geode, and I have direct
      access to our BIOS folks, if this problem comes up with a customer
      again, we'll solve it from the firmware.

    Signed-off-by: Samuel Thibault
    Cc: "Jordan Crouse"
    Cc: Zachary Amsden
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit fd9b012814bebde59160283a13487841ccdfcce5
Author: Antonino A. Daplas
Date:   Wed Apr 19 17:01:21 2006 +0000

    [PATCH] fbdev: Fix return error of fb_write

    Fix return code of fb_write(): If at least 1 byte was transferred to the
    device, return the number of bytes, otherwise:

    - return -EFBIG  - if the file offset is past the maximum allowable
                       offset or size is greater than the framebuffer length
    - return -ENOSPC - if size is greater than framebuffer length - offset

    Signed-off-by: Antonino Daplas
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 95fb678bf90572414b1c2f239c6a44226049ba8a
Author: Dipankar Sarma
Date:   Wed Apr 19 17:00:12 2006 +0000

    [PATCH] Fix file lookup without ref

    There are places in the kernel where we look up files in fd tables and
    access the file structure without holding references to the file. So,
    we need special care to avoid the race between looking up files in the
    fd table and tearing down of the file on another CPU. Otherwise, one
    might see a NULL f_dentry or such a torn-down version of the file.
    This patch fixes those special places where such a race may happen.

    Signed-off-by: Dipankar Sarma
    Acked-by: "Paul E. McKenney"
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit bd6b6027eacb8e5ef633aa0e1c2576dc5a464675
Author: David Barksdale
Date:   Wed Apr 19 16:59:54 2006 +0000

    [PATCH] m41t00: fix bitmasks when writing to chip

    Fix the bitmasks used when writing to the M41T00 registers. The original
    code used a mask of 0x7f when writing to each register; this is incorrect
    and probably the result of a copy-paste error. As a result, years from
    1980 to 1999 will be read back as 2000 to 2019.

    Signed-off-by: David Barksdale
    Acked-by: Jean Delvare
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 3696ee36c993baee282a7be6245c7e7df5db1f83
Author: Heikki Orsila
Date:   Wed Apr 19 17:01:01 2006 +0000

    [PATCH] Open IPMI BT overflow

    I was looking into random driver code and found a suspicious looking
    memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:

        if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
            return -1;
        ...
        memcpy(bt->write_data + 3, data + 1, size - 1);

    where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH. It looks like the
    memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH. A patch
    is attached to limit size to (IPMI_MAX_LENGTH - 2).

    Cc: Corey Minyard
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 3e5a2e956fff9e975e1b76c4de314cd077c6ec87
Author: Linus Torvalds
Date:   Tue Apr 18 20:59:27 2006 +0000

    [PATCH] x86: be careful about tailcall breakage for sys_open[at] too

    x86: be careful about tailcall breakage for sys_open[at] too

    Came up through a quick grep for other cases similar to the ftruncate()
    one in commit 0a489cb3b6a7b277030cdbc97c2c65905db94536.

    Also, add a comment, so that people who read the code understand why we
    do what looks like a no-op.
    (Again, this won't actually matter to any sane user, since libc will
    save and restore the register gcc stomps on, but it's still wrong to
    stomp on it)

    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 248c64d252a614b7d07ed85e1d714b25dd537d57
Author: Linus Torvalds
Date:   Tue Apr 18 20:59:26 2006 +0000

    [PATCH] x86: don't allow tail-calls in sys_ftruncate[64]()

    x86: don't allow tail-calls in sys_ftruncate[64]()

    Gcc thinks it owns the incoming argument stack, but that's not true for
    "asmlinkage" functions, and it corrupts the caller-set-up argument stack
    when it pushes the third argument onto the stack. Which can result in
    %ebx getting corrupted in user space.

    Now, normally nobody sane would ever notice, since libc will save and
    restore %ebx anyway over the system call, but it's still wrong.

    I'd much rather have "asmlinkage" tell gcc directly that it doesn't own
    the stack, but no such attribute exists, so we're stuck with our hacky
    manual "prevent_tail_call()" macro once more (we've had the same issue
    before with sys_waitpid() and sys_wait4()).

    Thanks to Hans-Werner Hilse for reporting the issue and testing the fix.

    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit fa39df2ff7f6102f1f37d3cf1f68243534d56253
Author: YOSHIFUJI Hideaki / 吉藤英明
Date:   Wed Apr 19 11:14:23 2006 +0900

    [PATCH] IPV6: XFRM: Fix decoding session with preceding extension header(s).

    [IPV6] XFRM: Fix decoding session with preceding extension header(s).

    We did not correctly decode a session with preceding extension header(s).
    This was because we had already pulled the preceding headers,
    skb->nh.raw + 40 + 1 - skb->data was negative, and pskb_may_pull()
    failed.

    We now have IP6CB(skb)->nhoff and skb->h.raw, and we can start parsing /
    decoding the upper layer protocol from the current position.

    Tracked down by Noriaki TAKAMIYA and tested by Kazunori Miyazawa.
    Signed-off-by: YOSHIFUJI Hideaki
    Signed-off-by: Greg Kroah-Hartman

commit 7f43bdca496e120844c74cafde2f5a2cdee4ac4d
Author: YOSHIFUJI Hideaki / 吉藤英明
Date:   Wed Apr 19 11:14:07 2006 +0900

    [PATCH] IPV6: XFRM: Don't use old copy of pointer after pskb_may_pull().

    [IPV6] XFRM: Don't use old copy of pointer after pskb_may_pull().

    Signed-off-by: YOSHIFUJI Hideaki
    Signed-off-by: Greg Kroah-Hartman

commit 9c974666ab18eaa9c74eb0fb346271f343709a9d
Author: YOSHIFUJI Hideaki / 吉藤英明
Date:   Wed Apr 19 11:13:58 2006 +0900

    [PATCH] IPV6: Ensure to have hop-by-hop options in our header of &sk_buff.

    [IPV6]: Ensure to have hop-by-hop options in our header of &sk_buff.

    Signed-off-by: YOSHIFUJI Hideaki
    Signed-off-by: Greg Kroah-Hartman

commit 00905d543081c11b3823577b951e22fdf3260477
Author: Ron Yorston
Date:   Tue Apr 18 22:21:04 2006 -0700

    [PATCH] selinux: Fix MLS compatibility off-by-one bug

    Fix an off-by-one error in the MLS compatibility code that was causing
    contexts with an MLS suffix to be rejected, preventing sharing
    partitions between FC4 and FC5.

    Bug reported in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188068

    Signed-off-by: Stephen Smalley
    Acked-by: James Morris
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 10b324edc90922f432d67216722efdd56482abe1
Author: Guido Guenther
Date:   Thu Apr 20 20:59:10 2006 +0200

    [PATCH] PPC: fix oops in alsa powermac driver

    This fixes an oops in 2.6.16.X when loading the snd_powermac module. The
    name of the requested module changed during the 2.6.16 development cycle
    from i2c-keylargo to i2c-powermac:

    Signed-off-by: Guido Guenther
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit f3a35610033c3fcaf77d630557d571588541afa3
Author: Adrian Bunk
Date:   Wed Apr 19 01:49:31 2006 +0200

    [PATCH] MTD_NAND_SHARPSL and MTD_NAND_NANDSIM should be tristates

    MTD_NAND=m and MTD_NAND_SHARPSL=y or MTD_NAND_NANDSIM=y are illegal
    combinations that mustn't be allowed.
    This patch fixes this bug by making MTD_NAND_SHARPSL and
    MTD_NAND_NANDSIM tristates.

    Additionally, it fixes some whitespace damage at these options.

    This patch was already included in Linus' tree.

    Signed-off-by: Adrian Bunk
    Signed-off-by: Greg Kroah-Hartman

commit 8b5218c3859d26c13649272074b81d4b2beb7b49
Author: Jean Delvare
Date:   Tue Apr 18 14:15:59 2006 +0200

    [PATCH] i2c-i801: Fix resume when PEC is used

    Fix for bug #6395:
    Fail to resume on Tecra M2 with ADM1032 and Intel 82801DBM

    The BIOS of the Tecra M2 doesn't like it when it has to reboot or resume
    after the i2c-i801 driver has left the SMBus in PEC mode. I have a more
    complete fix for 2.6.17 but the simple approach of leaving the SMBus in
    non-PEC mode after every transaction should do for -stable. That's what
    the i2c-i801 driver was doing up to 2.6.15 (inclusive).

    Signed-off-by: Jean Delvare
    Signed-off-by: Greg Kroah-Hartman

commit 9bab38e4ffd67ba44073f8074318e32309f4debd
Author: Thomas de Grenier de Latour
Date:   Wed Apr 19 10:22:39 2006 +0600

    [PATCH] Fix hotplug race during device registration

    On Sun, 9 Apr 2006 21:56:59 +0400, Sergey Vlasov wrote:

    > However, show_address() does not output anything unless
    > dev->reg_state == NETREG_REGISTERED - and this state is set by
    > netdev_run_todo() only after netdev_register_sysfs() returns, so in
    > the meantime (while netdev_register_sysfs() is busy adding the
    > "statistics" attribute group) some process may see an empty "address"
    > attribute.

    I've tried the attached patch, suggested by Sergey Vlasov on
    hotplug-devel@, and as far as I can test it works just fine.

    Signed-off-by: Alexander Patrakov
    Signed-off-by: David Miller
    Signed-off-by: Greg Kroah-Hartman

commit 5d0b6f2bdaf7e016e750cd24164a241512d968a3
Author: Herbert Xu
Date:   Tue Apr 18 21:43:31 2006 -0700

    [PATCH] Fix truesize underflow

    [TCP]: Fix truesize underflow

    There is a problem with the TSO packet trimming code. The cause of this
    lies in the tcp_fragment() function.
    When we allocate a fragment for a completely non-linear packet the
    truesize is calculated for a payload length of zero. This means that
    truesize could in fact be less than the real payload length.

    When that happens the TSO packet trimming can cause truesize to become
    negative. This in turn can cause sk_forward_alloc to be -n * PAGE_SIZE
    which would trigger the warning.

    I've copied the code DaveM used in tso_fragment which should work here.

    Signed-off-by: Herbert Xu
    Signed-off-by: David Miller
    Signed-off-by: Greg Kroah-Hartman

commit 9d9c917ebaf0185248e80d6b4a589b8b4d193947
Author: H. Peter Anvin
Date:   Fri Apr 14 17:30:24 2006 -0700

    [PATCH] efficeon-agp: Add missing memory mask

    Original patch by Benjamin Herrenschmidt after debugging by Brian Hinz.

    Cc: Benjamin Herrenschmidt
    Cc: Brian Hinz
    Signed-off-by: H Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit c1cedaef64db3b569028fa829558bc170b05ac15
Author: adam radford
Date:   Tue Apr 11 11:25:09 2006 -0700

    [PATCH] 3ware 9000 disable local irqs during kmap_atomic

    The attached patch for 2.6.17-rc2 updates the 3ware 9000 driver:

    - Disable local interrupts during kmap/unmap_atomic().

    Signed-off-by: Adam Radford
    Signed-off-by: Greg Kroah-Hartman

commit 1d7e3fb722af33e03840d8e93d479ad078871d61
Author: Andrew Morton
Date:   Fri Apr 14 14:52:14 2006 -0700

    [PATCH] 3ware: kmap_atomic() fix

    We must disable local IRQs while holding KM_IRQ0 or KM_IRQ1. Otherwise,
    an IRQ handler could use those kmap slots while this code is using them,
    resulting in memory corruption.

    Thanks to Nick Orlov for reporting.

    Cc:
    Cc: James Bottomley
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
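The return-code rules in commit fd9b0128 ("fbdev: Fix return error of fb_write") are easy to get wrong at the boundaries, in particular which error wins when the offset is already at the end of the framebuffer and the request is also oversized. The model below is an added example, not the kernel's fb_write(): it keeps a 16-byte framebuffer (FB_LEN is an assumed size), clamps the request the way the commit message describes, and returns the byte count when anything was written, otherwise -EFBIG or -ENOSPC.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Assumed framebuffer length for the example (stands in for smem_len). */
#define FB_LEN 16

static unsigned char fb_mem[FB_LEN];

/* Constructed caller buffer: byte i holds i + 1 so writes are recognisable. */
static unsigned char user_buf[64];

/*
 * Write model following the commit message:
 *  - offset past the end of the framebuffer        -> -EFBIG
 *  - request larger than the whole framebuffer     -> -EFBIG (clamped)
 *  - request larger than the space after offset    -> -ENOSPC (clamped)
 * If the clamped request still has at least one byte, that many bytes are
 * copied and returned; an error is only returned when nothing was written.
 * An -EFBIG set by the whole-framebuffer check is kept in preference to
 * -ENOSPC, so an oversized request at the end yields -EFBIG, not -ENOSPC.
 */
static long fb_write_model(const unsigned char *buf, size_t count, size_t *ppos)
{
    size_t p = *ppos;
    int err = 0;

    if (p > FB_LEN)
        return -EFBIG;

    if (count > FB_LEN) {
        err = -EFBIG;
        count = FB_LEN;
    }

    if (count + p > FB_LEN) {
        if (!err)
            err = -ENOSPC;
        count = FB_LEN - p;
    }

    if (count) {
        memcpy(fb_mem + p, buf, count);
        *ppos += count;
    }

    return count ? (long)count : err;
}

/* Helpers for exercising the model: run one write at a given offset. */
static long fb_try(size_t pos, size_t count)
{
    size_t i;
    for (i = 0; i < sizeof(user_buf); i++)
        user_buf[i] = (unsigned char)(i + 1);
    return fb_write_model(user_buf, count, &pos);
}

/* Same write, but report the file position afterwards. */
static size_t fb_pos_after(size_t pos, size_t count)
{
    size_t i;
    for (i = 0; i < sizeof(user_buf); i++)
        user_buf[i] = (unsigned char)(i + 1);
    fb_write_model(user_buf, count, &pos);
    return pos;
}

/* Read back one framebuffer byte after the writes above. */
static int fb_byte(size_t i)
{
    return i < FB_LEN ? fb_mem[i] : -1;
}
```

The interesting cases are the two at the end of the buffer: with the offset exactly at FB_LEN a small request gets -ENOSPC, while an oversized request at the same offset gets -EFBIG because that check runs first and its error is kept.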
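Commit bd6b6027 ("m41t00: fix bitmasks when writing to chip") says a 0x7f mask on the year register turns 1980..1999 into 2000..2019. That follows from the register holding the two-digit year as BCD: the tens digit sits in the high nibble, so 0x7f clears the top bit of every year from 80 to 99. The code below is an added example, not the driver's code: the BCD helpers mirror the kernel's BIN2BCD/BCD2BIN macros, and the read path (1900-based, with years before 1970 treated as 20xx) is an assumption made for the example so that the round trip can be checked.

```c
/* BCD conversion as the kernel's BIN2BCD/BCD2BIN macros do it. */
static unsigned char bin2bcd(unsigned char v)
{
    return (unsigned char)(((v / 10) << 4) | (v % 10));
}

static unsigned char bcd2bin(unsigned char v)
{
    return (unsigned char)(((v >> 4) * 10) + (v & 0x0f));
}

/*
 * Write path: the two-digit year goes to the chip in BCD, masked first.
 * The original driver masked with 0x7f; 0xff is the correct mask for the
 * 8-bit year register.
 */
static unsigned char m41t00_encode_year(int year, unsigned char mask)
{
    return bin2bcd((unsigned char)(year % 100)) & mask;
}

/*
 * Read path (assumed for the example): 1900 + two-digit year, with years
 * below 1970 taken to mean the 21st century, the usual two-digit convention.
 */
static int m41t00_decode_year(unsigned char reg)
{
    int year = bcd2bin(reg) + 1900;
    if (year < 1970)
        year += 100;
    return year;
}

/* Write a year with the given mask and read it back. */
static int m41t00_year_roundtrip(int year, unsigned char mask)
{
    return m41t00_decode_year(m41t00_encode_year(year, mask));
}

/* First year in 1970..2069 that does not survive the round trip, or -1. */
static int m41t00_first_bad_year(unsigned char mask)
{
    int y;
    for (y = 1970; y < 2070; y++)
        if (m41t00_year_roundtrip(y, mask) != y)
            return y;
    return -1;
}

/* How many years in 1970..2069 are corrupted by the given mask. */
static int m41t00_bad_year_count(unsigned char mask)
{
    int y, n = 0;
    for (y = 1970; y < 2070; y++)
        if (m41t00_year_roundtrip(y, mask) != y)
            n++;
    return n;
}
```

Years 1970..1979 and anything from 2000 on encode to BCD values below 0x80, so the 0x7f mask leaves them alone; only the twenty years 1980..1999 lose their top bit, which is exactly the range the commit message names.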
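The bound in commit 3696ee36 ("Open IPMI BT overflow") is off because the size check is applied to the message length while the copy starts three bytes into the buffer and skips one byte of the source: the last byte written lands at index size + 1, so the buffer of IPMI_MAX_MSG_LENGTH bytes is overrun by exactly two bytes at the maximum size. The block below is an added example, not the ipmi_bt_sm.c code: it puts the original check and the corrected check side by side, computes the overrun for a given size, and performs the copy only under the corrected check. IPMI_MAX_MSG_LENGTH is assumed to be 80 here and the three header bytes before the payload are an assumed layout.

```c
#include <stddef.h>
#include <string.h>

/* Assumed value for the example; the kernel's ipmi_smi.h holds the real one. */
#define IPMI_MAX_MSG_LENGTH 80

/* Model of the BT state machine: payload is copied in from offset 3. */
struct bt_sm {
    unsigned char write_data[IPMI_MAX_MSG_LENGTH];
};

/* Original check: any size up to IPMI_MAX_MSG_LENGTH is accepted. */
static int bt_size_ok_old(unsigned int size)
{
    return !((size < 2) || (size > IPMI_MAX_MSG_LENGTH));
}

/*
 * Corrected check: the copy writes size - 1 bytes starting at offset 3,
 * so the highest index touched is size + 1, which must stay below
 * IPMI_MAX_MSG_LENGTH. Hence size may be at most IPMI_MAX_MSG_LENGTH - 2.
 */
static int bt_size_ok_fixed(unsigned int size)
{
    return !((size < 2) || (size > IPMI_MAX_MSG_LENGTH - 2));
}

/* Bytes the memcpy would write past the end of write_data for this size. */
static int bt_overrun_bytes(unsigned int size)
{
    int end = 3 + (int)(size - 1);   /* one past the last byte written */
    return end > IPMI_MAX_MSG_LENGTH ? end - IPMI_MAX_MSG_LENGTH : 0;
}

/*
 * Transaction start under the corrected check. Header layout (length byte,
 * first data byte, sequence number) is assumed for the example; the copy
 * itself matches the shape quoted in the commit message.
 */
static int bt_start_transaction(struct bt_sm *bt, const unsigned char *data,
                                unsigned int size)
{
    if (!bt_size_ok_fixed(size))
        return -1;
    bt->write_data[0] = (unsigned char)(size + 1);
    bt->write_data[1] = data[0];
    bt->write_data[2] = 0;            /* sequence number, not modelled */
    memcpy(bt->write_data + 3, data + 1, size - 1);
    return 0;
}

/*
 * Runs one transaction on a zeroed state machine with a constructed payload
 * (byte i is 0xA0 + i) and returns the byte at write_data[size + 1], the
 * last index the copy writes, or -1 if the size was rejected.
 */
static int bt_last_written_byte(unsigned int size)
{
    struct bt_sm bt;
    unsigned char data[IPMI_MAX_MSG_LENGTH];
    unsigned int i;

    memset(&bt, 0, sizeof(bt));
    for (i = 0; i < sizeof(data); i++)
        data[i] = (unsigned char)(0xA0 + i);
    if (bt_start_transaction(&bt, data, size) < 0)
        return -1;
    return bt.write_data[size + 1];
}
```

The general rule this illustrates: when a length check guards a copy into an offset within a buffer, the bound has to account for both the destination offset and any source skip, not just the destination array size.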