commit 42a46c74c4520174b82a60ac44c15b5525cdf238 Author: Greg Kroah-Hartman Date: Mon May 1 12:14:26 2006 -0700 Linux 2.6.16.12 commit 6584014ec33ed34c5bf6c5af20a0951069bea7a9 Author: Chuck Ebbert <76306.1226@compuserve.com> Date: Sat Apr 29 14:07:49 2006 -0400 [PATCH] i386: fix broken FP exception handling The FXSAVE information leak patch introduced a bug in FP exception handling: it clears FP exceptions only when there are already none outstanding. Mikael Pettersson reported that causes problems with the Erlang runtime and has tested this fix. Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com> Acked-by: Mikael Pettersson Signed-off-by: Greg Kroah-Hartman commit a5ddce5373218e73fbd58c20a96edd730048529d Author: Win Treese Date: Thu Apr 27 00:00:04 2006 +0100 [PATCH] MIPS: Fix branch emulation for floating-point exceptions. In the branch emulation for floating-point exceptions, __compute_return_epc must determine for bc1f et al which condition code bit to test. This is based on bits <4:2> of the rt field. The switch statement to distinguish bc1f et al needs to use only the two low bits of rt, but the old code tests on the whole rt field. This patch masks off the proper bits. Signed-off-by: Win Treese Signed-off-by: Ralf Baechle Signed-off-by: Greg Kroah-Hartman commit 2d3b5e296167443bf42c1c962a0cb7ebde9b016b Author: Atsushi Nemoto Date: Thu Apr 27 00:00:03 2006 +0100 [PATCH] MIPS: Fix tx49_blast_icache32_page_indexed. Fix the cache index value in tx49_blast_icache32_page_indexed(). This is damage by de62893bc0725f8b5f0445250577cd7a10b2d8f8 commit. Signed-off-by: Atsushi Nemoto Signed-off-by: Ralf Baechle Signed-off-by: Greg Kroah-Hartman commit ce0bd8e0b232fdf2da9390ad280286f45c5f3a89 Author: Ralf Baechle Date: Thu Apr 27 00:00:02 2006 +0100 [PATCH] MIPS: R2 build fixes for gcc < 3.4. Signed-off-by: Ralf Baechle Signed-off-by: Greg Kroah-Hartman commit 97644aa31cb72ce0e9ebfae27042bc56db672dee Author: Ralf Baechle Date: Thu Apr 27 00:00:01 2006 +0100 [PATCH] MIPS: Use "R" constraint for cache_op. Gcc might emit an absolute address for the the "m" constraint which gas unfortunately does not permit. Signed-off-by: Ralf Baechle Signed-off-by: Greg Kroah-Hartman commit c34250c9922f0e00f14db99c6892b81cc77083e8 Author: Auke Kok Date: Tue Apr 25 23:16:29 2006 -0700 [PATCH] NET: e1000: Update truesize with the length of the packet for packet split Update skb with the real packet size. Signed-off-by: Jesse Brandeburg Signed-off-by: Auke Kok Signed-off-by: John Ronciak Signed-off-by: Greg Kroah-Hartman commit b00f098c1467ee11260b5178d08ed793c720fc0c Author: Zachary Amsden Date: Thu Apr 27 20:01:39 2006 +0000 [PATCH] x86/PAE: Fix pte_clear for the >4GB RAM case Proposed fix for ptep_get_and_clear_full PAE bug. Pte_clear had the same bug, so use the same fix for both. Turns out pmd_clear had it as well, but pgds are not affected. The problem is rather intricate. Page table entries in PAE mode are 64-bits wide, but the only atomic 8-byte write operation available in 32-bit mode is cmpxchg8b, which is expensive (at least on P4), and thus avoided. But it can happen that the processor may prefetch entries into the TLB in the middle of an operation which clears a page table entry. So one must always clear the P-bit in the low word of the page table entry first when clearing it. Since the sequence *ptep = __pte(0) leaves the order of the write dependent on the compiler, it must be coded explicitly as a clear of the low word followed by a clear of the high word. Further, there must be a write memory barrier here to enforce proper ordering by the compiler (and, in the future, by the processor as well). On > 4GB memory machines, the implementation of pte_clear for PAE was clearly deficient, as it could leave virtual mappings of physical memory above 4GB aliased to memory below 4GB in the TLB. The implementation of ptep_get_and_clear_full has a similar bug, although not nearly as likely to occur, since the mappings being cleared are in the process of being destroyed, and should never be dereferenced again. But, as luck would have it, it is possible to trigger bugs even without ever dereferencing these bogus TLB mappings, even if the clear is followed fairly soon after with a TLB flush or invalidation. The problem is that memory above 4GB may now be aliased into the first 4GB of memory, and in fact, may hit a region of memory with non-memory semantics. These regions include AGP and PCI space. As such, these memory regions are not cached by the processor. This introduces the bug. The processor can speculate memory operations, including memory writes, as long as they are committed with the proper ordering. Speculating a memory write to a linear address that has a bogus TLB mapping is possible. Normally, the speculation is harmless. But for cached memory, it does leave the falsely speculated cacheline unmodified, but in a dirty state. This cache line will be eventually written back. If this cacheline happens to intersect a region of memory that is not protected by the cache coherency protocol, it can corrupt data in I/O memory, which is generally a very bad thing to do, and can cause total system failure or just plain undefined behavior. These bugs are extremely unlikely, but the severity is of such magnitude, and the fix so simple that I think fixing them immediately is justified. Also, they are nearly impossible to debug. Signed-off-by: Zachary Amsden Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9120b4470e2e57f196a0e470898ae628725fb4c2 Author: James Morris Date: Wed Apr 26 15:11:00 2006 +0000 [PATCH] LSM: add missing hook to do_compat_readv_writev() This patch addresses a flaw in LSM, where there is no mediation of readv() and writev() in for 32-bit compatible apps using a 64-bit kernel. This bug was discovered and fixed initially in the native readv/writev code [1], but was not fixed in the compat code. Thanks to Al for spotting this one. [1] http://lwn.net/Articles/154282/ Signed-off-by: James Morris Signed-off-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Chris Wright commit 41fd2d35389e0fc809d696f352d7c44850d5a67b Author: Ivan Kokshaysky Date: Tue Apr 25 14:59:34 2006 +0000 [PATCH] Alpha: strncpy() fix As it turned out after recent SCSI changes, strncpy() was broken - it mixed up the return values from __stxncpy() in registers $24 and $27. Thanks to Mathieu Chouquet-Stringer for tracking down the problem and providing an excellent test case. Signed-off-by: Ivan Kokshaysky Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1f6ad287e84a7215de43bd9702be387f604bf051 Author: Greg Howard Date: Sun Apr 23 17:10:42 2006 +0000 [PATCH] Altix snsc: duplicate kobject fix Fix Altix system controller (snsc) device names to include the slot number of the blade whose associated system controller is the target of the device interface. Including the slot number avoids a problem we're currently having where slots within the same enclosure are attempting to create multiple kobjects with identical names. Signed-off-by: Greg Howard Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 89d4fdf423aa5d02e0d5f79ceba238a35bf23aff Author: Jan Kara Date: Sun Apr 23 17:10:44 2006 +0000 [PATCH] Fix reiserfs deadlock reiserfs_cache_default_acl() should return whether we successfully found the acl or not. We have to return correct value even if reiserfs_get_acl() returns error code and not just 0. Otherwise callers such as reiserfs_mkdir() can unnecessarily lock the xattrs and later functions such as reiserfs_new_inode() fail to notice that we have already taken the lock and try to take it again with obvious consequences. Signed-off-by: Jan Kara Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 692c0509fd0719406f8f781d9a9f2e19aa6b7c0a Author: Andrew Morton Date: Fri Apr 21 01:51:36 2006 -0700 [PATCH] Simplify proc/devices and fix early termination regression Repair /proc/devices early-termination regression. 2.6.16 broke /proc/devices. An application often gets an EOF before the end of data is reached, if that application uses a series of short read(2)s to access the data. I have used read buffers of varying sizes with varying degrees of unsuccess (larger sizes get further into the data than smaller sizes, following a simple pattern). It appears that the only safe way to get the data is to use a single read buffer larger than all the data in /proc/devices. The following example demonstates the problem: # dd if=/proc/devices bs=1 Character devices: 1 mem 27+0 records in 27+0 records out This patch is a backport of the fix recently accepted to Linus's tree: commit 68eef3b4791572ecb70249c7fb145bb3742dd899 [PATCH] Simplify proc/devices and fix early termination regression It replaces the complex, state-machine algorithm introduced in 2.6.16 with a simple algorithm, modeled on the implementation of /proc/interrupts. [akpm@osdl.org: cleanups, simplifications] Signed-off-by: Joe Korty Signed-off-by: Greg Kroah-Hartman commit ebea8457d4b94864a818ae3e6a95655602244935 Author: Jun'ichi Nomura Date: Mon Mar 27 01:17:51 2006 -0800 [PATCH] dm flush queue EINTR If dm_suspend() is cancelled, bios already added to the deferred list need to be submitted. Otherwise they remain 'in limbo' until there's a dm_resume(). Signed-off-by: Jun'ichi Nomura Signed-off-by: Alasdair G Kergon Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f6a731290ca18b31fd447989319eb913d9c308d8 Author: Alasdair G Kergon Date: Mon Apr 24 13:36:06 2006 -0700 [PATCH] dm snapshot: fix kcopyd destructor Before removing a snapshot, wait for the completion of any kcopyd jobs using it. Do this by maintaining a count (nr_jobs) of how many outstanding jobs each kcopyd_client has. The snapshot destructor first unregisters the snapshot so that no new kcopyd jobs (created by writes to the origin) will reference that particular snapshot. kcopyd_client_destroy() is now run next to wait for the completion of any outstanding jobs before the snapshot exception structures (that those jobs reference) are freed. Signed-off-by: Alasdair G Kergon Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5667cc6c6ddf816527a04ea9b0c6fc9bee6f8ed3 Author: Michael Krufky Date: Sat Apr 22 03:35:50 2006 -0400 [PATCH] cxusb-bluebird: bug-fix: power down corrupts frontend This patch prevents a bug where the frontend is unable to tune after waking from powered down state. Now, the device remains powered on until it is disconnected, just like the windows driver. It seems that the bluebird firmware is unable to successfully handle tuning after a powered down state. This patch fixes all of the FusionHDTV Bluebird USB2 devices. The Medion MD95700 will still behave as before, since it was unaffected by this bug. Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit f5d195f1c98ec76606522daeb49bb7d2eb8065e4 Author: Jose Alberto Reguero Date: Sat Apr 22 03:35:45 2006 -0400 [PATCH] fix saa7129 support in saa7127 module for pvr350 tv out This patch fixes tv-out support for the newer model of the pvr350, which has a saa7129 instead of a saa7127 video encoder. Signed-off-by: Jose Alberto Reguero Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Hans Verkuil Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit 45b001d0168593243bfd1005f8e9256c0ec3a912 Author: Andrew Morton Date: Mon Apr 24 01:49:59 2006 -0700 [PATCH] for_each_possible_cpu Backport for_each_possible_cpu() into 2.6.16. Fixes the alpha build, and any future occurrences. Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 6c3b9da475a0a62cb5eb9ed458004b8d6d1d330e Author: Michael Krufky Date: Sun Apr 23 02:16:42 2006 -0400 [PATCH] get_dvb_firmware: download nxt2002 firmware from new driver location BBTI has updated their driver, and removed the old one from their website. This patch updates the get_dvb_firmware script to download the firmware from the new driver location. Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit 7bd85bfa69293bf17511491d6ee3438956c0d1f9 Author: Daniel Drake Date: Sun Apr 23 15:43:59 2006 -0700 [PATCH] tipar oops fix If compiled into the kernel, parport_register_driver() is called before the parport driver has been initalised. This means that it is expected that tp_count is 0 after the parport_register_driver() call() - tipar's attach function will not be called until later during bootup. Signed-off-by: Daniel Drake Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 5e8273250e73d3e2c4e67d0480dcb54e972f5023 Author: Eric Sesterhenn Date: Sun Apr 23 22:52:28 2006 +0200 [PATCH] USB: fix array overrun in drivers/usb/serial/option.c since the arrays are declared as in_urbs[N_IN_URB] and out_urbs[N_OUT_URB] both for loops, go one over the end of the array. This fixes coverity id #555 This patch was already included in Linus' tree. Signed-off-by: Eric Sesterhenn Signed-off-by: Adrian Bunk Signed-off-by: Greg Kroah-Hartman commit c89ce82c2d942daacc7d7f5d3efafe7dba70bd23 Author: Mike Waychison Date: Fri Apr 21 09:43:25 2006 +0200 [PATCH] x86_64: Fix a race in the free_iommu path. We do this by removing a micro-optimization that tries to avoid grabbing the iommu_bitmap_lock spinlock and using a bus-locked operation. This still races with other simultaneous alloc_iommu or free_iommu(size > 1) which both use bus-unlocked operations. The end result of this race is eventually ending up with an iommu_gart_bitmap that has bits errornously set all over, making large contiguous iommu space allocations fail with 'PCI-DMA: Out of IOMMU space'. Signed-off-by: Mike Waychison Signed-off-by: Andi Kleen Signed-off-by: Greg Kroah-Hartman commit 355bd3d4ea761a66880088ac2d0c5c95866df4a6 Author: Andi Kleen Date: Fri Apr 21 09:43:22 2006 +0200 [PATCH] x86_64: Pass -32 to the assembler when compiling the 32bit vsyscall pages This quietens warnings and actually fixes a bug. The unwind tables would come out wrong without -32, causing pthread cancellation during them to crash in the gcc runtime. The problem seems to only happen with newer binutils (it doesn't happen with 2.16.91.0.2 but happens wit 2.16.91.0.5) Thanks to Brian Baker @ HP for test case and initial analysis. Cc: brian.b@hp.com Signed-off-by: Andi Kleen Signed-off-by: Greg Kroah-Hartman commit f38f300d4a0698791bb11294903702ddb1c4e9d8 Author: Jason Baron Date: Tue Jan 31 16:56:28 2006 -0500 [PATCH] make vm86 call audit_syscall_exit hi, The motivation behind the patch below was to address messages in /var/log/messages such as: Jan 31 10:54:15 mets kernel: audit(:0): major=252 name_count=0: freeing multiple contexts (1) Jan 31 10:54:15 mets kernel: audit(:0): major=113 name_count=0: freeing multiple contexts (2) I can reproduce by running 'get-edid' from: http://john.fremlin.de/programs/linux/read-edid/. These messages come about in the log b/c the vm86 calls do not exit via the normal system call exit paths and thus do not call 'audit_syscall_exit'. The next system call will then free the context for itself and for the vm86 context, thus generating the above messages. This patch addresses the issue by simply adding a call to 'audit_syscall_exit' from the vm86 code. Besides fixing the above error messages the patch also now allows vm86 system calls to become auditable. This is useful since strace does not appear to properly record the return values from sys_vm86. I think this patch is also a step in the right direction in terms of cleaning up some core auditing code. If we can correct any other paths that do not properly call the audit exit and entries points, then we can also eliminate the notion of context chaining. I've tested this patch by verifying that the log messages no longer appear, and that the audit records for sys_vm86 appear to be correct. Also, 'read_edid' produces itentical output. thanks, -Jason Signed-off-by: Jason Baron Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit f1e64a332ce7e00d5e5fa25e505e54dff3049ddc Author: Thayumanavar Sachithanantham Date: Thu Apr 20 16:00:56 2006 +0000 [PATCH] cs5535_gpio.c: call cdev_del() during module_exit to unmap kobject references and other cleanups During module unloading, cdev_del() must be called to unmap cdev related kobject references and other cleanups(such as inode->i_cdev being set to NULL) which prevents the OOPS upon subsequent loading, usage and unloading of modules(as seen in the mail thread http://marc.theaimsgroup.com/?l=linux-kernel&m=114533640609018&w=2). Also, remove unneeded test of gpio_base. Signed-off-by: Thayumanavar Sachithanantham Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e3c7674c8c029d59b060ce1e41e40f3efec49a85 Author: Arnaud MAZIN Date: Thu Apr 20 16:01:02 2006 +0000 [PATCH] sonypi: correct detection of new ICH7-based laptops Add a test to detect the ICH7 based Core Duo SONY laptops (such as the SZ1) as type3 models. Signed-off-by: Arnaud MAZIN Acked-by: Stelian Pop Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman