Commit: 090d13fcbb9318a68236c7e98d524f812d2957b2
Author: Adrian Bunk
Thu, 01 Nov 2007 03:23:29 +0100

Linux 2.6.16.56

Commit: 400737bf7a8dcc0c84bf7b01d5637db6db0e1678
Author: Adrian Bunk
Sun, 28 Oct 2007 22:33:36 +0100

Linux 2.6.16.56-rc2

Commit: 63419d8efa745ed9a9b7e91a324b9b933dfdbb34
Author: Hugh Dickins
Sun, 28 Oct 2007 22:32:04 +0100

hugetlb: fix size=4G parsing

On 32-bit machines, mount -t hugetlbfs -o size=4G gave a 0GB filesystem, size=5G gave a 1GB filesystem etc: there's no point in masking size with HPAGE_MASK just before shifting its lower bits away, and since HPAGE_MASK is a UL, that removed all the higher bits of the unsigned long long size.

Signed-off-by: Hugh Dickins
Signed-off-by: Adrian Bunk

Commit: 255189a700d809000157d5eed1a3ede9e6426f68
Author: Hugh Dickins
Sun, 28 Oct 2007 22:22:25 +0100

hugetlb: fix error return for brk() entering a hugepage region

The last commit causes the wrong return value. is_hugepage_only_range() is a boolean, so we should return -EINVAL rather than 1. Also - we can use "mm" instead of looking up "current->mm" again.

Signed-off-by: Hugh Dickins
Signed-off-by: Adrian Bunk

Commit: 6a93b22bc8569315b2e0ce07297b73673882925a
Author: David Gibson
Sun, 28 Oct 2007 22:20:34 +0100

hugetlb: check for brk() entering a hugepage region

Unlike mmap(), the codepath for brk() creates a vma without first checking that it doesn't touch a region exclusively reserved for hugepages. On powerpc, this can allow it to create a normal page vma in a hugepage region, causing oopses and other badness. Add a test to prevent this. With this patch, brk() will simply fail if it attempts to move the break into a hugepage reserved region.

Signed-off-by: David Gibson
Signed-off-by: Adrian Bunk

Commit: 42ea9d4b9da1bb26d519f91c9464fd093c7a56a2
Author: Ken Chen
Sun, 28 Oct 2007 21:40:41 +0100

[IA64] fix ia64 is_hugepage_only_range

fix is_hugepage_only_range() definition to be "overlaps" instead of "within architectural restricted hugetlb address range".
Simplify the ia64 specific code that used to use is_hugepage_only_range() to just check which region the address is in.

Signed-off-by: Ken Chen
Signed-off-by: Tony Luck
Signed-off-by: Adrian Bunk

Commit: bd5dd01bad40e1702c3933e2f9a46be89834715b
Author: Adrian Bunk
Fri, 19 Oct 2007 19:15:19 +0200

Linux 2.6.16.56-rc1

Commit: 2c70c535915f621fe51508076804b4575171a23d
Author: Adam Litke
Fri, 19 Oct 2007 19:05:10 +0200

Don't allow the stack to grow into hugetlb reserved regions (CVE-2007-3739)

When expanding the stack, we don't currently check if the VMA will cross into an area of the address space that is reserved for hugetlb pages. Subsequent faults on the expanded portion of such a VMA will confuse the low-level MMU code, resulting in an OOPS. Check for this.

Signed-off-by: Adam Litke
Signed-off-by: Adrian Bunk

Commit: c19b3d848a376abb057d6c80788f424e4c565223
Author: Adrian Bunk
Fri, 19 Oct 2007 18:51:07 +0200

drivers/video/macmodes.c:mac_find_mode() mustn't be __init

If it's EXPORT_SYMBOL'ed it can't be __devinit. Reported by Mikael Pettersson.

Signed-off-by: Adrian Bunk

Commit: ec2cb473e3bb0fe1538874cf7773638c235e5b45
Author: Hugh Dickins
Fri, 19 Oct 2007 14:30:18 +0200

hugetlb: fix prio_tree unit (CVE-2007-4133)

hugetlb_vmtruncate_list was misconverted to prio_tree: its prio_tree is in units of PAGE_SIZE (PAGE_CACHE_SIZE) like any other, not HPAGE_SIZE (whereas its radix_tree is kept in units of HPAGE_SIZE, otherwise slots would be absurdly sparse).

At first I thought the error benign, just calling __unmap_hugepage_range on more vmas than necessary; but on 32-bit machines, when the prio_tree is searched correctly, it happens to ensure the v_offset calculation won't overflow. As it stood, when truncating at or beyond 4GB, it was liable to discard pages COWed from lower offsets; or even to clear pmd entries of preceding vmas, triggering exit_mmap's BUG_ON(nr_ptes).
Signed-off-by: Hugh Dickins
Signed-off-by: Adrian Bunk

Commit: 79d2ce4bb1adf75b471824a13d2443748cb48db3
Author: Arthur Othieno
Fri, 19 Oct 2007 02:04:58 +0200

hugetlbfs: add Kconfig help text

In kernel bugzilla #6248 (http://bugzilla.kernel.org/show_bug.cgi?id=6248), Adrian Bunk notes that CONFIG_HUGETLBFS is missing Kconfig help text.

Signed-off-by: Arthur Othieno
Signed-off-by: Adrian Bunk

Commit: d9e8843e2ddab65876c08874c4f3f7dd938e2ba5
Author: Randy Dunlap
Fri, 19 Oct 2007 02:03:58 +0200

hugetlbfs doc. update

Fix typos, spelling, etc., in Doc/vm/hugetlbpage.txt.

Signed-off-by: Randy Dunlap
Signed-off-by: Adrian Bunk

Commit: a5cfb0763d650c4d5b801338136ea64746d807f8
Author: Ken Chen
Fri, 19 Oct 2007 01:59:17 +0200

x86: HUGETLBFS and DEBUG_PAGEALLOC are incompatible

DEBUG_PAGEALLOC is not compatible with hugetlb page support. That debug option turns off PSE. Once it is turned off in CR4, the cpu will ignore pse bit in the pmd and causing infinite page-not-present faults. So disable DEBUG_PAGEALLOC if the user selected hugetlbfs.

Signed-off-by: Ken Chen
Signed-off-by: Adrian Bunk

Commit: f7ce644b409f1b28648ac457dd9545f93bff37f7
Author: Zhang Yanmin
Fri, 19 Oct 2007 01:52:21 +0200

[IA64] lazy_mmu_prot_update needs to be aware of huge pages

Function lazy_mmu_prot_update is also used on huge pages when it is called by set_huge_ptep_writable, but it isn't aware of huge pages.

Signed-off-by: Zhang Yanmin
Acked-by: Ken Chen
Signed-off-by: Tony Luck
Signed-off-by: Adrian Bunk

Commit: d289a630aa101eb5d168f054c96298c87673408e
Author: Stephen Smalley
Fri, 19 Oct 2007 01:27:51 +0200

SELinux: clear parent death signal on SID transitions

Clear parent death signal on SID transitions to prevent unauthorized signaling between SIDs.
Signed-off-by: Stephen Smalley
Acked-by: Eric Paris
Signed-off-by: James Morris
Signed-off-by: Adrian Bunk

Commit: b1deecae30b54772fc6d114396dbce85a1c8a5b1
Author: Ulrich Drepper
Thu, 18 Oct 2007 23:46:58 +0200

make UML compile (FC6/x86-64)

I need this patch to get a UML kernel to compile. This is with the kernel headers in FC6 which are automatically generated from the kernel tree. Some headers are missing but those files don't need them. At least it appears so since the resulting kernel works fine. Tested on x86-64.

Signed-off-by: Ulrich Drepper
Signed-off-by: Adrian Bunk

Commit: da1d9511a88097a7bcfcd9ddd89185c15d6f7e4b
Author: Andreas Arens
Thu, 18 Oct 2007 22:44:28 +0200

DVB: get_dvb_firmware: update script for new location of tda10046 firmware

cherry picked from commit c545d6adbcacd296f7457bd992556feb055379de

Update get_dvb_firmware script for the new location of the tda10046 firmware. The old location doesn't work anymore.

Signed-off-by: Andreas Arens
Signed-off-by: Michael Krufky
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Adrian Bunk

Commit: b9b2e30e9a4957ecc3aaa81110fc38d0d91ad705
Author: Michael Krufky
Thu, 18 Oct 2007 22:43:30 +0200

DVB: get_dvb_firmware: update script for new location of sp8870 firmware

cherry picked from commit 302170a4b47e869372974abd885dd11d5536b64a

get_dvb_firmware: update script for new location of sp8870 firmware

This url is no longer valid:
http://www.technotrend.de/new/217g/tt_Premium_217g.zip

Replace with:
http://www.softwarepatch.pl/9999ccd06a4813cb827dbb0005071c71/tt_Premium_217g.zip

Thanks-to: Tobias Stoeber
Signed-off-by: Michael Krufky
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Adrian Bunk

Commit: 9a21af2fb957a0f3150443c742f5c9c952a65af3
Author: Mike Frysinger
Thu, 18 Oct 2007 21:30:46 +0200

alpha: fix epoll syscall enumerations

We went and named them __NR_sys_foo instead of __NR_foo. It may be too late to change this, but we can at least add the proper names now.
Signed-off-by: Mike Frysinger
Signed-off-by: Adrian Bunk

Commit: 056fef9a187614b679c297cf7c22cd9f96fa9fb3
Author: Jan Altenberg
Thu, 18 Oct 2007 19:21:38 +0200

m68knommu: ptrace.h typo fix

Signed-off-by: Jan Altenberg
Signed-off-by: Adrian Bunk

Commit: cbff46726c3215667ec7a2f52229d100cc909ba6
Author: Ilpo Järvinen
Thu, 18 Oct 2007 18:55:43 +0200

[TCP]: Fix fastpath_cnt_hint when GSO skb is partially ACKed

When only GSO skb was partially ACKed, no hints are reset, therefore fastpath_cnt_hint must be tweaked too or else it can corrupt fackets_out. The corruption to occur, one must have non-trivial ACK/SACK sequence, so this bug is not very often that harmful. There's a fackets_out state reset in TCP because fackets_out is known to be inaccurate and that fixes the issue eventually anyway.

In case there was also at least one skb that got fully ACKed, the fastpath_skb_hint is set to NULL which causes a recount for fastpath_cnt_hint (the old value won't be accessed anymore), thus it can safely be decremented without additional checking.

Reported by Cedric Le Goater
Signed-off-by: Ilpo Järvinen
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: ecd7e9d89a57343c5fb687b9651f1fc1adab1dde
Author: David S. Miller
Thu, 18 Oct 2007 18:48:42 +0200

[SPARC64]: Fix bugs in SYSV IPC handling in 64-bit processes.

Thanks to Tom Callaway for the excellent bug report and test case.

sys_ipc() has several problems, most to do with semaphore call handling:

1) 'err' return should be a 'long'
2) "union semun" is passed in a register on 64-bit compared to 32-bit which provides it on the stack and therefore by reference
3) Second and third arguments to SEMCTL are swapped compared to 32-bit.

Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 43f903ce5f313983fca91a96f786730cf8c8c645
Author: David S. Miller
Thu, 18 Oct 2007 18:47:05 +0200

[NET]: Zero length write() on socket should not simply return 0.
This fixes kernel bugzilla #5731

It should generate an empty packet for datagram protocols when the socket is connected, for one. The check is doubly-wrong because all that a write() can be is a sendmsg() call with a NULL msg_control and a single entry iovec. No special semantics should be assigned to it, therefore the zero length check should be removed entirely. This matches the behavior of BSD and several other systems.

Alan Cox notes that SuSv3 says the behavior of a zero length write on non-files is "unspecified", but that's kind of useless since BSD has defined this behavior for a quarter century and BSD is essentially what application folks code to.

Based upon a patch from Stephen Hemminger.

Adrian Bunk: Backported to 2.6.16.

Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 9bae2c81c89bed8ddf1334cc3b11ca65385163c0
Author: Stephen Hemminger
Thu, 18 Oct 2007 18:31:51 +0200

[PKT_SCHED] cls_u32: error code isn't being propagated properly

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: f772dcde07136d67393ad32b7572fdd7e180e556
Author: Kumar Gala
Thu, 18 Oct 2007 18:00:21 +0200

[POWERPC] Fix handling of stfiwx math emulation

It's legal for the stfiwx instruction to have RA = 0 as part of its effective address calculation. This is illegal for all other XE form instructions. Add code to compute the proper effective address for stfiwx if RA = 0 rather than treating it as illegal.

Adrian Bunk: Backported to 2.6.16.

Signed-off-by: Kumar Gala
Signed-off-by: Adrian Bunk

Commit: c94861ff9759f5f73b49fb4f0fe0c000b82c703a
Author: Ilpo Järvinen
Thu, 18 Oct 2007 17:56:27 +0200

[PKT_SCHED] RED: Fix overflow in calculation of queue average

Overflow can occur very easily with 32 bits, e.g., with 1 second us_idle is approx. 2^20, which leaves only 11-Wlog bits for queue length. Since the EWMA exponent is typically around 9, queue lengths larger than 2^2 cause overflow.
Whether the affected branch is taken when us_idle is as high as 1 second, depends on Scell_log, but with rather reasonable configuration Scell_log is large enough to cause p->Stab to have zero index, which always results zero shift (typically also few other small indices result in zero shift).

Signed-off-by: Ilpo Järvinen
Signed-off-by: Adrian Bunk
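
The bit budget in the RED commit message above, worked through as an added example (not code from the kernel or from this changelog). It assumes the overflowing quantity is the product of the queue average, stored as queue length scaled by 2^Wlog, and us_idle, held in a 32-bit signed long; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define LONG32_MAX 0x7fffffffULL /* largest value a 32-bit signed long holds */

/* Smallest k with 2^k >= v: the bits us_idle takes out of the 31 available. */
static unsigned log2_ceil(uint64_t v)
{
    unsigned k = 0;
    while ((1ULL << k) < v)
        k++;
    return k;
}

/* Bits left for the queue length itself: 31 - log2(us_idle) - Wlog. */
static int qlen_bits(unsigned wlog, uint32_t us_idle)
{
    return 31 - (int)log2_ceil(us_idle) - (int)wlog;
}

/* Exact product of the scaled average (qlen << Wlog) and us_idle (assumed model). */
static uint64_t product64(uint32_t qlen, unsigned wlog, uint32_t us_idle)
{
    return ((uint64_t)qlen << wlog) * us_idle;
}

/* The same product as a 32-bit signed long would hold it (two's complement). */
static int64_t as_long32(uint64_t p)
{
    uint64_t low = p & 0xffffffffULL;
    return low > LONG32_MAX ? (int64_t)low - (1LL << 32) : (int64_t)low;
}

/* First queue length whose product no longer fits; us_idle must be nonzero. */
static uint32_t first_overflowing_qlen(unsigned wlog, uint32_t us_idle)
{
    return (uint32_t)(LONG32_MAX / ((uint64_t)us_idle << wlog)) + 1;
}

int main(void)
{
    const unsigned wlog = 9;          /* EWMA exponent from the message */
    const uint32_t us_idle = 1000000; /* 1 second idle, in microseconds */

    printf("bits left for queue length: %d\n", qlen_bits(wlog, us_idle));
    for (uint32_t q = 3; q <= 6; q++)
        printf("qlen=%u exact=%llu as 32-bit long=%lld\n", q,
               (unsigned long long)product64(q, wlog, us_idle),
               (long long)as_long32(product64(q, wlog, us_idle)));
    printf("first overflowing qlen: %u\n", first_overflowing_qlen(wlog, us_idle));
    return 0;
}
```

Doing the multiplication in 64 bits, as product64 does, keeps the exact value for every queue length a 32-bit counter can hold at these parameters.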