commit ea144a8cff7622fba2c1083e760bd18605ecd6b4 Author: Chris Wright Date: Thu Jun 22 12:16:21 2006 -0700 Linux 2.6.16.22 commit 40b61cc4d9b94f28d197f52420aa73afeab33f4b Author: Anton Altaparmakov Date: Tue Jun 20 00:29:41 2006 -0700 [PATCH] NTFS: Critical bug fix (affects MIPS and possibly others) It fixes a crash in NTFS on architectures where flush_dcache_page() is a real function. I never noticed this as all my testing is done on i386 where flush_dcache_page() is NULL. http://bugzilla.kernel.org/show_bug.cgi?id=6700 Many thanks to Pauline Ng for the detailed bug report and analysis! Signed-off-by: Anton Altaparmakov Cc: Signed-off-by: Andrew Morton Signed-off-by: Chris Wright commit bb2f2dbc934bd12945074118932907a315f722ea Author: Andrew Morton Date: Sat Jun 10 18:59:23 2006 +0000 [PATCH] powernow-k8 crash workaround Work around the oops reported in http://bugzilla.kernel.org/show_bug.cgi?id=6478. Thanks to Ralf Hildebrandt for testing and reporting. Acked-by: Dave Jones Cc: "Brown, Len" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit d83d3226f92a802242e8e80d0c7206d7b39c7b49 Author: Markus Lidel Date: Sat Jun 10 09:54:14 2006 -0700 [PATCH] I2O: Bugfixes to get I2O working again - Fixed locking of struct i2o_exec_wait in Executive-OSM - Removed LCT Notify in i2o_exec_probe() which caused freeing memory and accessing freed memory during first enumeration of I2O devices - Added missing locking in i2o_exec_lct_notify() - removed put_device() of I2O controller in i2o_iop_remove() which caused the controller structure get freed to early - Fixed size of mempool in i2o_iop_alloc() - Fixed access to freed memory in i2o_msg_get() See http://bugzilla.kernel.org/show_bug.cgi?id=6561 Signed-off-by: Markus Lidel Signed-off-by: Andrew Morton Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit a4dad8b5746aa25f97c5b94c96fcf20cda9593fb Author: James Bottomley Date: Thu Jun 8 00:03:28 2006 -0400 [PATCH] scsi_lib.c: properly count the number of pages in scsi_req_map_sg() The calculation of nr_pages in scsi_req_map_sg() doesn't account for the fact that the first page could have an offset that pushes the end of the buffer onto a new page. Signed-off-by: Bryan Holty Signed-off-by: James Bottomley Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit b558f9f2cd432f2c8797098f239dad284aba1334 Author: Dave Kleikamp Date: Tue Jun 6 22:54:44 2006 -0400 [PATCH] JFS: Fix multiple errors in metapage_releasepage It looks like metapage_releasepage was making in invalid assumption that the releasepage method would not be called on a dirty page. Instead of issuing a warning and releasing the metapage, it should return 0, indicating that the private data for the page cannot be released. I also realized that metapage_releasepage had the return code all wrong. If it is successful in releasing the private data, it should return 1, otherwise it needs to return 0. Lastly, there is no need to call wait_on_page_writeback, since try_to_release_page will not call us with a page in writback state. Signed-off-by: Dave Kleikamp Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 9f631f4e9e409f76f8174e6c785056e9b2b89b42 Author: Trond Myklebust Date: Tue Jun 6 11:19:35 2006 -0400 [PATCH] fs/namei.c: Call to file_permission() under a spinlock in do_lookup_path() We're presently running lock_kernel() under fs_lock via nfs's ->permission handler. That's a ranking bug and sometimes a sleep-in-spinlock bug. This problem was introduced in the openat() patchset. We should not need to hold the current->fs->lock for a codepath that doesn't use current->fs. [vsu@altlinux.ru: fix error path] Signed-off-by: Trond Myklebust Cc: Al Viro Signed-off-by: Sergey Vlasov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 2fb0b930b535b5e7ae8a5c8880d8ba941e508421 Author: Robin H. Johnson Date: Tue Jun 13 18:06:11 2006 +0100 [PATCH] tmpfs: time granularity fix for [acm]time going backwards I noticed a strange behavior in a tmpfs file system the other day, while building packages - occasionally, and seemingly at random, make decided to rebuild a target. However, only on tmpfs. A file would be created, and if checked, it had a sub-second timestamp. However, after an utimes related call where sub-seconds should be set, they were zeroed instead. In the case that a file was created, and utimes(...,NULL) was used on it in the same second, the timestamp on the file moved backwards. After some digging, I found that this was being caused by tmpfs not having a time granularity set, thus inheriting the default 1 second granularity. Hugh adds: yes, we missed tmpfs when the s_time_gran mods went into 2.6.11. Unfortunately, the granularity of CURRENT_TIME, often used in filesystems, does not match the default granularity set by alloc_super. A few more such discrepancies have been found, but this is the most important to fix now. Signed-off-by: Robin H. Johnson Acked-by: Andi Kleen Signed-off-by: Hugh Dickins Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 0bd99264e94d5bb8f8ffeed246f4414a3191d3e6 Author: Oleg Drokin Date: Sat Mar 25 03:06:54 2006 -0800 [PATCH] Missed error checking for intent's filp in open_namei(). It seems there is error check missing in open_namei for errors returned through intent.open.file (from lookup_instantiate_filp). If there is plain open performed, then such a check done inside __path_lookup_intent_open called from path_lookup_open(), but when the open is performed with O_CREAT flag set, then __path_lookup_intent_open is only called with LOOKUP_PARENT set where no file opening can occur yet. Later on lookup_hash is called where exact opening might take place and intent.open.file may be filled. If it is filled with error value of some sort, then we get kernel attempting to dereference this error value as address (and corresponding oops) in nameidata_to_filp() called from filp_open(). While this is relatively simple to workaround in ->lookup() method by just checking lookup_instantiate_filp() return value and returning error as needed, this is not so easy in ->d_revalidate(), where we can only return "yes, dentry is valid" or "no, dentry is invalid, perform full lookup again", and just returning 0 on error would cause extra lookup (with potential extra costly RPCs). So in short, I believe that there should be no difference in error handling for opening a file and creating a file in open_namei() and propose this simple patch as a solution. Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9d8e2ed7c51a756c8b6534af4fb82c406cfe0741 Author: David Miller Date: Mon Jun 5 11:27:10 2006 -0700 [PATCH] SPARC64: Fix missing fold at end of checksums. Both csum_partial() and the csum_partial_copy*() family of routines forget to do a final fold on the computed checksum value on sparc64. So do the standard Sparc "add + set condition codes, add carry" sequence, then make sure the high 32-bits of the return value are clear. Based upon some excellent detective work and debugging done by Richard Braun and Samuel Thibault. Signed-off-by: David S. Miller Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit af948395f08691edd731bac85c1f4c334bd312ec Author: David Miller Date: Sun Jun 4 20:41:00 2006 -0700 [PATCH] SPARC64: Respect gfp_t argument to dma_alloc_coherent(). Using asm-generic/dma-mapping.h does not work because pushing the call down to pci_alloc_coherent() causes the gfp_t argument of dma_alloc_coherent() to be ignored. Fix this by implementing things directly, and adding a gfp_t argument we can use in the internal call down to the PCI DMA implementation of pci_alloc_coherent(). This fixes massive memory corruption when using the sound driver layer, which passes things like __GFP_COMP down into these routines and (correctly) expects that to work. This is a disk eater when sound is used, so it's pretty critical. Signed-off-by: David S. Miller Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 76fc2aafe67361e69c980408fc66ac4f051b17da Author: David Miller Date: Fri Jun 2 18:30:58 2006 -0700 [PATCH] SPARC64: Fix D-cache corruption in mremap If we move a mapping from one virtual address to another, and this changes the virtual color of the mapping to those pages, we can see corrupt data due to D-cache aliasing. Check for and deal with this by overriding the move_pte() macro. Set things up so that other platforms can cleanly override the move_pte() macro too. This long standing bug corrupts user memory, and in particular has been notorious for corrupting Debian package database files on sparc64 boxes. Signed-off-by: David S. Miller Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit 0d9a5318df1248e63a7a528b7a8a8f23b52ac1a4 Author: Stuart MacDonald Date: Wed May 31 13:28:40 2006 -0400 [PATCH] USB: Whiteheat: fix firmware spurious errors Attached patch fixes spurious errors during firmware load. Signed-off-by: Stuart MacDonald Signed-off-by: Greg Kroah-Hartman Signed-off-by: Chris Wright