commit dbb676d1214c181e6cde4ce67b7bf012d071f1ed Author: Greg Kroah-Hartman Date: Fri Apr 7 09:56:47 2006 -0700 Linux 2.6.16.2 commit 72ecdfb827a267b5fb5b20016175be21b0b0f953 Author: Vivek Goyal Date: Mon Apr 3 16:38:11 2006 -0700 [PATCH] kdump proc vmcore size oveflow fix A couple of /proc/vmcore data structures overflow with 32bit systems having memory more than 4G. This patch fixes those. Signed-off-by: Ken'ichi Ohmichi Signed-off-by: Vivek Goyal Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 01ede1fd9200b73b2ec4f906fb6af94e93577504 Author: NeilBrown Date: Wed Mar 29 22:01:15 2006 -0800 [PATCH] knfsd: Correct reserved reply space for read requests. NFSd makes sure there is enough space to hold the maximum possible reply before accepting a request. The units for this maximum is (4byte) words. However in three places, particularly for read request, the number given is a number of bytes. This means too much space is reserved which is slightly wasteful. This is the sort of patch that could uncover a deeper bug, and it is not critical, so it would be best for it to spend a while in -mm before going in to mainline. (akpm: target 2.6.17-rc2, 2.6.16.3 (approx)) Discovered-by: "Eivind Sarto" Signed-off-by: Neil Brown Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 1cce602f07cbc7e9f543cc5c4c98da011a671e03 Author: Jouni Malinen Date: Fri Mar 24 21:24:55 2006 -0800 [PATCH] hostap: Fix EAPOL frame encryption Fixed encrypted of EAPOL frames from wlan#ap interface (hostapd). This was broken when moving to use new frame control field defines in net/ieee80211.h. hostapd uses Protected flag, not protocol version (which was cleared in this function anyway). This fixes WPA group key handshake and re-authentication. http://hostap.epitest.fi/bugz/show_bug.cgi?id=126 Signed-off-by: Jouni Malinen commit 798e8df74101880b40a57acebb3e95b83ed9222f Author: Takashi Iwai Date: Sat Mar 25 22:07:28 2006 +0100 [PATCH] Add default entry for CTL Travel Master U553W Added the default entry of ALC880 configuration table for CTL Travel Master U553W. This patch was already included in Linus' tree. Signed-off-by: Takashi Iwai Signed-off-by: Adrian Bunk Signed-off-by: Greg Kroah-Hartman commit c0e7ba91759b66981cb2ad5c91054506d1ccc239 Author: Adrian Bunk Date: Sat Mar 25 19:22:27 2006 +0100 [PATCH] AIRO{,_CS} <-> CRYPTO fixes CRYPTO is a helper variable, and to make it easier for users, it should therefore select'ed and not be listed in the dependencies. drivers/net/wireless/airo.c requires CONFIG_CRYPTO for compilations. Therefore, AIRO_CS also has to select CRYPTO. Signed-off-by: Adrian Bunk Signed-off-by: Greg Kroah-Hartman commit 781fe700a871a2fd4efd2e4beaba8c16e19d3e3b Author: Christoph Lameter Date: Mon Apr 3 20:11:57 2006 +1000 [PATCH] Fix NULL pointer dereference in node_read_numastat() Fix NULL pointer dereference in node_read_numastat() zone_pcp() only returns valid values if the processor is online. Change node_read_numastat() to only scan online processors. Signed-off-by: Christoph Lameter Signed-off-by: Greg Kroah-Hartman commit 9f45b01aa6885323f18fe56e3fe19a6df5b7f1e9 Author: Adrian Bunk Date: Sat Mar 25 22:07:32 2006 +0100 [PATCH] drivers/net/wireless/ipw2200.c: fix an array overun This patch fixes a big array overun found by the Coverity checker. This was already fixed in Linus' tree. Signed-off-by: Adrian Bunk Signed-off-by: Greg Kroah-Hartman commit ecb5414cdc6725b3e287af6412afe3adb0c6c07b Author: Antonino A. Daplas Date: Mon Mar 27 21:11:44 2006 +0800 [PATCH] fbcon: Fix big-endian bogosity in slow_imageblit() The monochrome->color expansion routine that handles bitmaps which have (widths % 8) != 0 (slow_imageblit) produces corrupt characters in big-endian. This is caused by a bogus bit test in slow_imageblit(). Fix. Signed-off-by: Antonino Daplas Acked-by: Herbert Poetzl Signed-off-by: Greg Kroah-Hartman commit 41ccbdde2b1ee3f69def6ec3b3a416abae95c25a Author: David S. Miller Date: Tue Apr 4 13:26:50 2006 -0700 [PATCH] fib_trie.c node freeing fix Please apply to 2.6.{14,15,16} -stable, thanks a lot. From: Robert Olsson [FIB_TRIE]: Fix leaf freeing. Seems like leaf (end-nodes) has been freed by __tnode_free_rcu and not by __leaf_free_rcu. This fixes the problem. Only tnode_free is now used which checks for appropriate node type. free_leaf can be removed. Signed-off-by: Robert Olsson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 097189fd249125617092ae9b57e36b7d87a5c1bf Author: Sergey Vlasov Date: Sat Mar 25 18:36:37 2006 +0100 [PATCH] Fix module refcount leak in __set_personality() If the change of personality does not lead to change of exec domain, __set_personality() returned without releasing the module reference acquired by lookup_exec_domain(). This patch was already included in Linus' tree. Signed-off-by: Sergey Vlasov Cc: Christoph Hellwig Signed-off-by: Andrew Morton Signed-off-by: Adrian Bunk Signed-off-by: Greg Kroah-Hartman commit 6f9d7d9822f3448cd5794306ccd6bde9a6c5dd8e Author: Venkatesh Pallipadi Date: Sat Mar 25 17:20:41 2006 +0000 [PATCH] Fix the p4-clockmod N60 errata workaround. [CPUFREQ] Fix the p4-clockmod N60 errata workaround. Fix the code to disable freqs less than 2GHz in N60 errata. Signed-off-by: Venkatesh Pallipadi Signed-off-by: Dave Jones Signed-off-by: Greg Kroah-Hartman commit 4575a939b95321a62ddf8ecfefd3c7852091bcc5 Author: Kirill Korotaev Date: Sat Apr 1 16:06:50 2006 -0800 [PATCH] wrong error path in dup_fd() leading to oopses in RCU Wrong error path in dup_fd() - it should return NULL on error, not an address of already freed memory :/ Triggered by OpenVZ stress test suite. What is interesting is that it was causing different oopses in RCU like below: Call Trace: [] rcu_do_batch+0x2c/0x80 [] rcu_process_callbacks+0x3d/0x70 [] tasklet_action+0x73/0xe0 [] __do_softirq+0x10a/0x130 [] do_softirq+0x4f/0x60 ======================= [] smp_apic_timer_interrupt+0x77/0x110 [] apic_timer_interrupt+0x1c/0x24 Code: Bad EIP value. <0>Kernel panic - not syncing: Fatal exception in interrupt Signed-Off-By: Pavel Emelianov Signed-Off-By: Dmitry Mishin Signed-Off-By: Kirill Korotaev Signed-Off-By: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 334ed376d2b23896061520648dc7113c5c4ffb0b Author: Martin Josefsson Date: Mon Apr 3 10:47:48 2006 +0200 [PATCH] {ip, nf}_conntrack_netlink: fix expectation notifier unregistration [NETFILTER]: {ip,nf}_conntrack_netlink: fix expectation notifier unregistration This patch fixes expectation notifier unregistration on module unload to use ip_conntrack_expect_unregister_notifier(). This bug causes a soft lockup at the first expectation created after a rmmod ; insmod of this module. Should go into -stable as well. Signed-off-by: Martin Josefsson Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fa76a59a0c178b54e6a58644d9e5c1bded1aea5e Author: maximilian attems Date: Fri Mar 31 23:09:03 2006 +0200 [PATCH] isicom must select FW_LOADER The isicom driver uses request_firmware() and thus needs to select FW_LOADER. This patch was already included in Linus' tree. Signed-off-by: maximilian attems Signed-off-by: Adrian Bunk Signed-off-by: Greg Kroah-Hartman commit 006939167ee07cb4ea69a67969c5893c3c416035 Author: Dave Jones Date: Sat Mar 25 17:20:42 2006 +0000 [PATCH] Mark longhaul driver as broken. [CPUFREQ] Mark longhaul driver as broken. This seems to work for a short period of time, but when used in conjunction with a userspace governor that changes the frequency regularly, it's only a matter of time before everything just locks up. Signed-off-by: Dave Jones Signed-off-by: Greg Kroah-Hartman commit a78639c736815c6a210abc6a992b8a14f9144c04 Author: Takashi Iwai Date: Sat Mar 25 19:49:42 2006 +0100 [PATCH] opti9x - Fix compile without CONFIG_PNP Modules: Opti9xx drivers Fix compile errors without CONFIG_PNP. This patch was already included in Linus' tree. Signed-off-by: Takashi Iwai Signed-off-by: Adrian Bunk Signed-off-by: Greg Kroah-Hartman commit 33ac640f711b869c7e57505fa7c01310d10477ab Author: Janos Farkas Date: Tue Apr 4 10:12:43 2006 +0200 [PATCH] pcmcia: permit single-character-identifiers For some time, the core pcmcia drivers seem not to think single character prod_ids are valid, thus preventing the "cleverly" named "D" "Link DWL-650 11Mbps WLAN Card" Before (as in 2.6.16): PRODID_1="" PRODID_2="Link DWL-650 11Mbps WLAN Card" PRODID_3="Version 01.02" PRODID_4="" MANFID=0156,0002 FUNCID=6 After (with the patch) PRODID_1="D" PRODID_2="Link DWL-650 11Mbps WLAN Card" PRODID_3="Version 01.02" PRODID_4="" MANFID=0156,0002 FUNCID=6 Signed-off-by: Janos Farkas Signed-off-by: Dominik Brodowski Signed-off-by: Greg Kroah-Hartman commit ec2849262d7f37fca2fd62ccff6e7be3ef2e4e7a Author: Adrian Bunk Date: Fri Mar 31 18:33:45 2006 +0200 [PATCH] PCMCIA_SPECTRUM must select FW_LOADER PCMCIA_SPECTRUM must select FW_LOADER. Reported by "Alexander E. Patrakov" . This patch was already included in Linus' tree. Signed-off-by: Adrian Bunk Signed-off-by: Greg Kroah-Hartman commit 201e59e8f1437244e6203bfda5b8946f054d993e Author: Stephen Rothwell Date: Mon Apr 3 22:23:15 2006 +1000 [PATCH] powerpc: make ISA floppies work again We used to assume that a DMA mapping request with a NULL dev was for ISA DMA. This assumption was broken at some point. Now we explicitly pass the detected ISA PCI device in the floppy setup. Signed-off-by: Stephen Rothwell Signed-off-by: Greg Kroah-Hartman commit 366c3af0db2665c2930c6b99e97aa4bdd12e05e2 Author: Stefan Richter Date: Sat Apr 1 21:11:41 2006 +0200 [PATCH] sbp2: fix spinlock recursion sbp2util_mark_command_completed takes a lock which was already taken by sbp2scsi_complete_all_commands. This is a regression in Linux 2.6.15. Reported by Kristian Harms at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187394 Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit 91a4ee3e0485c82e45d9e0bf09681528b9dc20da Author: Horst Schirmeier Date: Sat Mar 25 19:13:13 2006 +0100 [PATCH] USB: usbcore: usb_set_configuration oops (NULL ptr dereference) When trying to deconfigure a device via usb_set_configuration(dev, 0), 2.6.16-rc kernels after 55c527187c9d78f840b284d596a0b298bc1493af oops with "Unable to handle NULL pointer dereference at...". This is due to an unchecked dereference of cp in the power budget part. This patch was already included in Linus' tree. Signed-off-by: Horst Schirmeier Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman Signed-off-by: Adrian Bunk commit 6d2b571d10d30548e3602fe6f52a558e13b5341e Author: Clemens Ladisch Date: Fri Jan 20 13:49:10 2006 -0800 [PATCH] USB: EHCI full speed ISO bugfixes This patch replaces the split ISO raw_mask calculation code in the iso_stream_init() function that computed incorrect numbers of high speed transactions for both input and output transfers. In the output case, it added a superfluous start-split transaction for all maxmimum packet sizes that are a multiple of 188. In the input case, it forgot to add complete-split transactions for all microframes covered by the full speed transaction, and the additional complete-split transaction needed for the case when full speed data starts arriving near the end of a microframe. These changes don't affect the lack of full speed bandwidth, but at least it removes the MMF errors that the HC raised with some input streams. Signed-off-by: Clemens Ladisch Signed-off-by: David Brownell Signed-off-by: Greg Kroah-Hartman commit 4a80b29d91bc7a598a7d65b2500493a9fc3cb322 Author: Greg Kroah-Hartman Date: Fri Mar 31 15:37:06 2006 -0800 [PATCH] sysfs: zero terminate sysfs write buffers (CVE-2006-1055) No one should be writing a PAGE_SIZE worth of data to a normal sysfs file, so properly terminate the buffer. Thanks to Al Viro for pointing out my stupidity here. CVE-2006-1055 has been assigned for this. Signed-off-by: Greg Kroah-Hartman commit 91011e696c0483c778a1c07a77eb92d0d95aed7c Author: Eugene Teo Date: Wed Mar 15 14:57:19 2006 -0800 [PATCH] USB: Fix irda-usb use after use Don't read from free'd memory after calling netif_rx(). docopy is used as a boolean (0 and 1) so unsigned int is sufficient. Coverity bug #928 Signed-off-by: Eugene Teo Cc: "David S. Miller" Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 8c1e395226ec061b99cadddb5f0a7c5cc0dc1512 Author: Andrew Morton Date: Fri Mar 24 21:29:13 2006 -0800 [PATCH] tlclk: fix handling of device major tlclk calls register_chrdev() and permits register_chrdev() to allocate the major, but it promptly forgets what that major was. So if there's no hardware present you still get "telco_clock" appearing in /proc/devices and, I assume, an oops reading /proc/devices if tlclk was a module. Fix. Mark, I'd suggest that that we not call register_chrdev() until _after_ we've established that the hardware is present. Cc: Mark Gross Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman