commit d2350c2ad1463a973b586cadb49c2fa0c83089b8
Author: Greg Kroah-Hartman
Date:   Wed Aug 23 14:16:33 2006 -0700

    Linux 2.6.17.11

commit 338341c1cea5d13428c242c1f624df644c7fb068
Author: Danny Tholen
Date:   Fri Aug 18 16:10:16 2006 -0700

    1394: fix for recently added firewire patch that breaks things on ppc

    Recently a patch was added for preliminary suspend/resume handling on
    !PPC_PMAC. However, this broke both suspend and firewire on powerpc
    because it saves the pci state after the device has already been
    disabled.

    This moves the save state to before the pmac specific code.

    Signed-off-by: Danny Tholen
    Cc: Stefan Richter
    Cc: Benjamin Herrenschmidt
    Cc: Ben Collins
    Cc: Jody McIntyre
    Acked-by: Benjamin Herrenschmidt
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit dc41bfe271fee237ae41e3cbd8b4789b60da3e53
Author: NeilBrown
Date:   Mon Aug 21 10:05:26 2006 +1000

    MD: Fix a potential NULL dereference in md/raid1

    At the point where this 'atomic_add' is, rdev could be NULL, as seen by
    the fact that we test for this in the very next statement.

    Further, it is really the wrong place of the add. We could add to the
    count of corrected errors once we are sure it was corrected, not before
    trying to correct it.

    Signed-off-by: Neil Brown
    Signed-off-by: Greg Kroah-Hartman

    diff .prev/drivers/md/raid1.c ./drivers/md/raid1.c

commit 49071b9f45d2483dbde395fd6aa11f53974e7665
Author: Rafael J. Wysocki
Date:   Tue Aug 15 17:19:24 2006 -0700

    swsusp: Fix swap_type_of

    There is a bug in mm/swapfile.c#swap_type_of() that makes swsusp only be
    able to use the first active swap partition as the resume device. Fix it.

    Signed-off-by: Rafael J. Wysocki
    Cc: Hugh Dickins
    Acked-by: Pavel Machek
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit f5ce8b3e07e46f4ca1408d5e42f561028cd69719
Author: Michal Miroslaw
Date:   Sun Aug 13 23:24:20 2006 -0700

    dm: BUG/OOPS fix

    Fix BUG I tripped on while testing failover and multipathing.
    BUG shows up on error path in multipath_ctr() when parse_priority_group()
    fails after returning at least once without error. The fix is to
    initialize m->ti early - just after alloc()ing it.

    BUG: unable to handle kernel NULL pointer dereference at virtual address 00000000
     printing eip:
    c027c3d2
    *pde = 00000000
    Oops: 0000 [#3]
    Modules linked in: qla2xxx ext3 jbd mbcache sg ide_cd cdrom floppy
    CPU:    0
    EIP:    0060:[]    Not tainted VLI
    EFLAGS: 00010202   (2.6.17.3 #1)
    EIP is at dm_put_device+0xf/0x3b
    eax: 00000001   ebx: ee4fcac0   ecx: 00000000   edx: ee4fcac0
    esi: ee4fc4e0   edi: ee4fc4e0   ebp: 00000000   esp: c5db3e78
    ds: 007b   es: 007b   ss: 0068
    Process multipathd (pid: 15912, threadinfo=c5db2000 task=ef485a90)
    Stack: ec4eda40 c02816bd ee4fc4c0 00000000 f7e89498 f883e0bc c02816f6 f7e89480
           f7e8948c c0281801 ffffffea f7e89480 f883e080 c0281ffe 00000001 00000000
           00000004 dfe9cab8 f7a693c0 f883e080 f883e0c0 ca4b99c0 c027c6ee 01400000
    Call Trace:
     free_pgpaths+0x31/0x45
     free_priority_group+0x25/0x2e
     free_multipath+0x35/0x67
     multipath_ctr+0x123/0x12d
     dm_table_add_target+0x11e/0x18b
     populate_table+0x8a/0xaf
     table_load+0x52/0xf9
     ctl_ioctl+0xca/0xfc
     table_load+0x0/0xf9
     do_ioctl+0x3e/0x43
     vfs_ioctl+0x16c/0x178
     sys_ioctl+0x48/0x60
     syscall_call+0x7/0xb
    Code: 97 f0 00 00 00 89 c1 83 c9 01 80 e2 01 0f 44 c1 88 43 14 8b 04 24 59 5b 5e 5f 5d c3 53 89 c1 89 d3 ff 4a 08 0f 94 c0 84 c0 74 2a <8b> 01 8b 10 89 d8 e8 f6 fb ff ff 8b 03 8b 53 04 89 50 04 89 02
    EIP: [] dm_put_device+0xf/0x3b SS:ESP 0068:c5db3e78

    Signed-off-by: Michal Miroslaw
    Acked-by: Alasdair G Kergon
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 67ce628f410668c5ddee2f4c7424a1bd8a8fc64b
Author: Alexey Kuznetsov
Date:   Thu Aug 17 22:57:22 2006 -0700

    Fix ipv4 routing locking bug

    [IPV4]: severe locking bug in fib_semantics.c

    Found in 2.4 by Yixin Pan .

    > When I read fib_semantics.c of Linux-2.4.32, write_lock(&fib_info_lock)
    > is used in fib_release_info() instead of write_lock_bh(&fib_info_lock).
    > Is the following case possible: a BH interrupts fib_release_info() while
    > holding the write lock, and calls ip_check_fib_default() which calls
    > read_lock(&fib_info_lock), and spin forever.

    Signed-off-by: Alexey Kuznetsov
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 8833ebaa3f4325820fe3338ccf6fae04f6669254
Author: Kirill Korotaev
Date:   Wed Aug 16 12:58:10 2006 +0400

    IA64: local DoS with corrupted ELFs

    This patch prevents cross-region mappings on IA64 and SPARC which could
    lead to system crash.

    davem@ confirmed: "This looks fine to me." :)

    Signed-Off-By: Pavel Emelianov
    Signed-Off-By: Kirill Korotaev
    Signed-off-by: Greg Kroah-Hartman

commit 0872a284963a642ba748cbd75842138dd9a3bd00
Author: Patrick McHardy
Date:   Fri Aug 18 07:52:57 2006 +0200

    ip_tables: fix table locking in ipt_do_table

    [NETFILTER]: ip_tables: fix table locking in ipt_do_table

    table->private might change because of ruleset changes, don't use it
    without holding the lock.

    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit 21fb3eb8606821cc654ee65ee28e18f4c43d47fa
Author: Daniel Ritz
Date:   Fri Aug 18 16:50:40 2006 +0200

    PCI: fix ICH6 quirks

    - add the ICH6(R) LPC to the ICH6 ACPI quirks. currently only the ICH6-M
      is handled. [ PCI_DEVICE_ID_INTEL_ICH6_1 is the ICH6-M LPC, ICH6_0 is
      the ICH6(R) ]
    - remove the wrong quirk calling asus_hides_smbus_lpc() for ICH6. the
      register modified in asus_hides_smbus_lpc() has a different meaning in
      ICH6.

    Signed-off-by: Daniel Ritz
    Cc: Jean Delvare
    Signed-off-by: Greg Kroah-Hartman

commit 9df256a6742e951aef286bd8ffc859dd79509ad7
Author: Olaf Hering
Date:   Wed Aug 16 19:53:50 2006 +0200

    SERIAL: icom: select FW_LOADER

    The icom driver uses request_firmware() and thus needs to select
    FW_LOADER.
    Signed-off-by: maximilian attems
    Signed-off-by: Olaf Hering
    Signed-off-by: Greg Kroah-Hartman

commit 024bd8b8e0a55a53422d5f6138974b2c83f0a73e
Author: Kirill Korotaev
Date:   Sun Aug 13 23:24:23 2006 -0700

    sys_getppid oopses on debug kernel

    sys_getppid() optimization can access a freed memory. On kernels with
    DEBUG_SLAB turned ON, this results in Oops. As Dave Hansen noted, this
    optimization is also unsafe for memory hotplug.

    So this patch always takes the lock to be safe.

    [oleg@tv-sign.ru: simplifications]
    Signed-off-by: Kirill Korotaev
    Cc: Dave Hansen
    Signed-off-by: Oleg Nesterov
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit bb417c4bad96b07f075b98f874fb28cf258f8065
Author: Mark Huang
Date:   Sat Aug 12 02:45:44 2006 +0200

    ulog: fix panic on SMP kernels

    [NETFILTER]: ulog: fix panic on SMP kernels

    Fix kernel panic on various SMP machines. The culprit is a null
    ub->skb in ulog_send(). If ulog_timer() has already been scheduled on
    one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the
    queue on another CPU by calling ulog_send() right before it exits,
    there will be no skbuff when ulog_timer() acquires the lock and calls
    ulog_send(). Cancelling the timer in ulog_send() doesn't help because
    it has already been scheduled and is running on the first CPU.

    Similar problem exists in ebt_ulog.c and nfnetlink_log.c.

    Signed-off-by: Mark Huang
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit f60aad27513c78d0c0e5feaeb1013f8ce6c07a7c
Author: Kylene Jo Hall
Date:   Thu Jul 13 12:24:36 2006 -0700

    tpm: interrupt clear fix

    Under stress testing I found that the interrupt is not always cleared.
    This is a bug and this patch should go into 2.6.18 and 2.6.17.x.

    Signed-off-by: Kylene Hall
    Signed-off-by: Greg Kroah-Hartman

commit 5a4ceb2adfc3f7d35fa07420582f626c8402e605
Author: Stephen Hemminger
Date:   Mon Aug 7 16:36:02 2006 -0700

    ipx: header length validation needed

    This patch will linearize and check there is enough data.
    It handles the pprop case as well as avoiding a whole audit of
    the routing code.

    Signed-off-by: Stephen Hemminger

commit a80b26d5597e62094c165c26e77fde4d4ab2e37e
Author: Andrew Morton
Date:   Sat Aug 5 12:13:47 2006 -0700

    disable debugging version of write_lock()

    We've confirmed that the debug version of write_lock() can get stuck for
    long enough to cause NMI watchdog timeouts and hence a crash.

    We don't know why, yet. Disable it for now.

    Also disable the similar read_lock() code. Just in case.

    Thanks to Dave Olson for reporting and testing.

    Acked-by: Ingo Molnar
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 2fc58b11d73cc8baafa61b70e4c749d466f92b2a
Author: Diego Calleja
Date:   Sat Aug 5 12:14:55 2006 -0700

    Fix BeFS slab corruption

    In bugzilla #6941, Jens Kilian reported:

    "The function befs_utf2nls (in fs/befs/linuxvfs.c) writes a 0 byte past
    the end of a block of memory allocated via kmalloc(), leading to memory
    corruption. This happens only for filenames which are pure ASCII and a
    multiple of 4 bytes in length. [...]

    Without DEBUG_SLAB, this leads to further corruption and hard lockups; I
    believe this is the bug which has made kernels later than 2.6.8 unusable
    for me. (This must be due to changes in memory management, the bug has
    been in the BeFS driver since the time it was introduced (AFAICT).)

    Steps to reproduce:
    Create a directory (in BeOS, naturally :-) with files named, e.g.,
    "1", "22", "333", "4444", ... Mount it in Linux and do an "ls" or "find""

    This patch implements the suggested fix. Credits to Jens Kilian for
    debugging the problem and finding the right fix.

    Signed-off-by: Diego Calleja
    Cc: Jens Kilian
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 216cf62f1fd2fba890d43956a8548eb10382b658
Author: David Miller
Date:   Wed Aug 9 02:33:28 2006 -0700

    Fix IFLA_ADDRESS handling

    [RTNETLINK]: Fix IFLA_ADDRESS handling.
    The ->set_mac_address handlers expect a pointer to a
    sockaddr which contains the MAC address, whereas
    IFLA_ADDRESS provides just the MAC address itself.

    So whip up a sockaddr to wrap around the netlink
    attribute for the ->set_mac_address call.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 7e9d4f4ffd29c60abc35d5bf535d3712f662567c
Author: Dmitry Mishin
Date:   Wed Aug 9 02:36:33 2006 -0700

    Fix timer race in dst GC code

    [NET]: add_timer -> mod_timer() in dst_run_gc()

    Patch from Dmitry Mishin :

    Replace add_timer() by mod_timer() in dst_run_gc
    in order to avoid BUG message.

    CPU1                            CPU2
    dst_run_gc() entered            dst_run_gc() entered
    spin_lock(&dst_lock)            .....
    del_timer(&dst_gc_timer)        fail to get lock
    ....                            mod_timer() <--- puts timer back
                                                     to the list
    add_timer(&dst_gc_timer) <--- BUG because timer is in list already.

    Found during OpenVZ internal testing.

    At first we thought that it is OpenVZ specific as we
    added dst_run_gc(0) call in dst_dev_event(),
    but as Alexey pointed to me it is possible to trigger
    this condition in mainstream kernel.

    F.e. timer has fired on CPU2, but the handler was preempted
    by an irq before dst_lock is tried.
    Meanwhile, someone on CPU1 adds an entry to gc list and
    starts the timer.
    If CPU2 was preempted long enough, this timer can expire
    simultaneously with resuming timer handler on CPU1, arriving
    exactly to the situation described.

    Signed-off-by: Dmitry Mishin
    Signed-off-by: Kirill Korotaev
    Signed-off-by: Alexey Kuznetsov
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit b3b3410f3e2579314adcdd9366b5429ba06b07d7
Author: Kirill Korotaev
Date:   Wed Aug 9 02:35:21 2006 -0700

    Kill HASH_HIGHMEM from route cache hash sizing

    [IPV4]: Limit rt cache size properly.

    During OpenVZ stress testing we found that UDP traffic with
    random src can generate too much excessive rt hash growing
    leading finally to OOM and kernel panics.
    It was found that for 4GB i686 system (having 1048576 total pages and
    225280 normal zone pages) kernel allocates the following route hash:
    syslog: IP route cache hash table entries: 262144 (order: 8, 1048576 bytes)
    => ip_rt_max_size = 4194304 entries, i.e.
    max rt size is 4194304 * 256b = 1Gb of RAM > normal_zone

    Attached the patch which removes HASH_HIGHMEM flag from
    alloc_large_system_hash() call.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 0ce4f0dbc2cb547077cbc903a53b4638ae0cac55
Author: Stephen Hemminger
Date:   Wed Aug 9 14:16:41 2006 -0700

    sky2: phy power problem on 88e805x

    On the 88E805X chipsets (used in laptops), the PHY was not getting
    powered out of shutdown properly. The variable reg1 was getting reused
    incorrectly. This is probably the cause of the bug.
        http://bugzilla.kernel.org/show_bug.cgi?id=6471

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Greg Kroah-Hartman

commit bd2a1e115cf239c708747bae1cf1c0757686af50
Author: Eric Sandeen
Date:   Fri Aug 4 10:35:34 2006 -0500

    Have ext3 reject file handles with bad inode numbers early

    blatantly ripped off from Neil Brown's ext2 patch.

    Signed-off-by: Eric Sandeen
    Acked-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman