commit b4d854665eafe32b48e0eecadb91a73f6eea0055
Author: Chris Wright
Date:   Fri Nov 3 17:33:58 2006 -0800

    Linux 2.6.18.2

commit 108d51a5710a51ed46353655efc7d165b4c57b60
Author: Alan Stern
Date:   Sat Jul 1 22:05:01 2006 -0400

    [PATCH] usbfs: private mutex for open, release, and remove

    The usbfs code doesn't provide sufficient mutual exclusion among open,
    release, and remove. Release vs. remove is okay because they both
    acquire the device lock, but open is not exclusive with either one. All
    three routines modify the udev->filelist linked list, so they must not
    run concurrently.

    Apparently someone gave this a minimum amount of thought in the past by
    explicitly acquiring the BKL at the start of the usbdev_open routine.
    Oddly enough, there's a comment pointing out that locking is unnecessary
    because chrdev_open already has acquired the BKL. But this ignores the
    point that the files in /proc/bus/usb/* are not char device files; they
    are regular files and so they don't get any special locking. Furthermore
    it's necessary to acquire the same lock in the release and remove
    routines, which the code does not do.

    Yet another problem arises because the same file_operations structure is
    accessible through both the /proc/bus/usb/* and /dev/usb/usbdev* file
    nodes. Even when one of them has been removed, it's still possible for
    userspace to open the other. So simple locking around the individual
    remove routines is insufficient; we need to lock the entire
    usb_notify_remove_device notifier chain.

    Rather than rely on the BKL, this patch (as723) introduces a new private
    mutex for the purpose. Holding the BKL while invoking a notifier chain
    doesn't seem like a good idea.

    Cc: Dave Jones [https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212952]
    Signed-off-by: Alan Stern
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 3b076a9455026e5d736aeff6ca02a95972dff417
Author: NeilBrown
Date:   Tue Oct 31 12:51:45 2006 +1100

    [PATCH] md: check bio address after mapping through partitions.

    Partitions are not limited to live within a device. So we should range
    check after partition mapping.

    Note that 'maxsector' was being used for two different things. I have
    split off the second usage into 'old_sector' so that maxsector can still
    be used for its primary usage later in the function.

    Cc: Jens Axboe
    Signed-off-by: Neil Brown
    Signed-off-by: Chris Wright

commit d0239f35c7ae63dbe715b1cc66e4860c2cb33154
Author: James Morris
Date:   Mon Oct 30 15:11:21 2006 -0800

    [PATCH] IPV6: fix lockup via /proc/net/ip6_flowlabel [CVE-2006-5619]

    There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where,
    after finding a flowlabel, the code will loop forever not finding any
    further flowlabels, first traversing the rest of the hash bucket then
    just looping.

    This patch fixes the problem by breaking after the hash bucket has been
    traversed.

    Note that this bug can cause lockups and oopses, and is trivially invoked
    by an unprivileged user.

    Signed-off-by: James Morris
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit f3fcd7f6351e8a95e6f1c2b9fda79b6dbecfc6ca
Author: Stephen Hemminger
Date:   Mon Oct 30 14:47:35 2006 -0800

    [PATCH] tcp: cubic scaling error

    Doug Leith observed a discrepancy between the version of CUBIC described
    in the papers and the version in 2.6.18. A math error related to scaling
    causes Cubic to grow too slowly.

    Patch is from "Sangtae Ha". I validated that it does fix the problems.

    See the following to show behavior over 500ms 100 Mbit link.

    Sender (2.6.19-rc3) --- Bridge (2.6.18-rt7) ------- Receiver (2.6.19-rc3)
                        1G      [netem]           100M

    http://developer.osdl.org/shemminger/tcp/2.6.19-rc3/cubic-orig.png
    http://developer.osdl.org/shemminger/tcp/2.6.19-rc3/cubic-fix.png

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Chris Wright

commit a5f1d1d1849ca848c0ab49dd987070415ad2ede5
Author: Alan Cox
Date:   Sat Oct 28 10:38:57 2006 -0700

    [PATCH] JMB 368 PATA detection

    The Jmicron JMB368 is PATA only so has the PATA on function zero. Don't
    therefore skip function zero on this device when probing

    Signed-off-by: Alan Cox
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright

commit e17f8851e194c759c35e058d9692e81a3eec8a1e
Author: Oleg Nesterov
Date:   Sat Oct 28 10:38:49 2006 -0700

    [PATCH] fill_tgid: fix task_struct leak and possible oops

    1. fill_tgid() forgets to do put_task_struct(first).

    2. release_task(first) can happen after fill_tgid() drops tasklist_lock,
       it is unsafe to dereference first->signal.

    This is a temporary fix, imho the locking should be reworked.

    Signed-off-by: Oleg Nesterov
    Cc: Shailabh Nagar
    Cc: Balbir Singh
    Cc: Jay Lan
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright

commit 1406fd4e987bd05a22827e8f0aa01f3335550e01
Author: Martin Bligh
Date:   Sat Oct 28 10:38:25 2006 -0700

    [PATCH] Use min of two prio settings in calculating distress for reclaim

    If try_to_free_pages / balance_pgdat are called with a gfp_mask
    specifying GFP_IO and/or GFP_FS, they will reclaim the requisite number
    of pages, and then reset prev_priority to DEF_PRIORITY (or to some other
    high (ie: unurgent) value). However, another reclaimer without those
    gfp_mask flags set (say, GFP_NOIO) may still be struggling to reclaim
    pages. The concurrent overwrite of zone->prev_priority will cause this
    GFP_NOIO thread to unexpectedly cease deactivating mapped pages, thus
    causing reclaim difficulties.

    Fix this is to key the distress calculation not off zone->prev_priority,
    but also take into account the local caller's priority by using
    min(zone->prev_priority, sc->priority)

    Signed-off-by: Martin J. Bligh
    Cc: Nick Piggin
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright

commit 252287f4e8e825fbced96f1a8bc7dc1dfead325c
Author: Martin Bligh
Date:   Sat Oct 28 10:38:24 2006 -0700

    [PATCH] vmscan: Fix temp_priority race

    The temp_priority field in zone is racy, as we can walk through a reclaim
    path, and just before we copy it into prev_priority, it can be
    overwritten (say with DEF_PRIORITY) by another reclaimer.

    The same bug is contained in both try_to_free_pages and balance_pgdat,
    but it is fixed slightly differently. In balance_pgdat, we keep a
    separate priority record per zone in a local array. In try_to_free_pages
    there is no need to do this, as the priority level is the same for all
    zones that we reclaim from.

    Impact of this bug is that temp_priority is copied into prev_priority,
    and setting this artificially high causes reclaimers to set distress
    artificially low. They then fail to reclaim mapped pages, when they are,
    in fact, under severe memory pressure (their priority may be as low as
    0). This causes the OOM killer to fire incorrectly.

    From: Andrew Morton

    __zone_reclaim() isn't modifying zone->prev_priority. But
    zone->prev_priority is used in the decision whether or not to bring
    mapped pages onto the inactive list. Hence there's a risk here that
    __zone_reclaim() will fail because zone->prev_priority is large (ie: low
    urgency) and lots of mapped pages end up stuck on the active list.

    Fix that up by decreasing (ie making more urgent) zone->prev_priority as
    __zone_reclaim() scans the zone's pages.

    This bug perhaps explains why ZONE_RECLAIM_PRIORITY was created. It
    should be possible to remove that now, and to just start out at
    DEF_PRIORITY?

    Cc: Nick Piggin
    Cc: Christoph Lameter
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    [chrisw: minor wiggle to fit -stable]

commit 0f899fb74e5637b29b4c8a80ea039af137c12fec
Author: Trond Myklebust
Date:   Tue Sep 5 12:27:44 2006 -0400

    [PATCH] NFS: nfs_lookup - don't hash dentry when optimising away the lookup

    If the open intents tell us that a given lookup is going to result in an
    exclusive create, we currently optimize away the lookup call itself. The
    reason is that the lookup would not be atomic with the create RPC call,
    so why do it in the first place?

    A problem occurs, however, if the VFS aborts the exclusive create
    operation after the lookup, but before the call to create the
    file/directory: in this case we will end up with a hashed negative dentry
    in the dcache that has never been looked up.

    Fix this by only actually hashing the dentry once the create operation
    has been successfully completed.

    Signed-off-by: Trond Myklebust
    Signed-off-by: Chris Wright

commit d940c78f8aa3e60fe1681839833567b5632fe22a
Author: Andy Whitcroft
Date:   Sat Oct 21 10:24:14 2006 -0700

    [PATCH] Reintroduce NODES_SPAN_OTHER_NODES for powerpc

    Revert "[PATCH] Remove SPAN_OTHER_NODES config definition"
    This reverts commit f62859bb6871c5e4a8e591c60befc8caaf54db8c.

    Revert "[PATCH] mm: remove arch independent NODES_SPAN_OTHER_NODES"
    This reverts commit a94b3ab7eab4edcc9b2cb474b188f774c331adf7.

    Also update the comments to indicate that this is still required and
    where it's used.

    Signed-off-by: Andy Whitcroft
    Cc: Paul Mackerras
    Cc: Mike Kravetz
    Cc: Benjamin Herrenschmidt
    Acked-by: Mel Gorman
    Acked-by: Will Schmidt
    Cc: Christoph Lameter
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright

commit 53f916eb00600ed863571fe8209a02072d07e64a
Author: Karsten Wiese
Date:   Fri Oct 20 14:45:36 2006 -0700

    [PATCH] PCI: Remove quirk_via_abnormal_poweroff

    My K8T800 mobo resumes fine from suspend to ram with and without patch
    applied against 2.6.18.

    quirk_via_abnormal_poweroff makes some boards not boot 2.6.18, so IMO
    patch should go to head, 2.6.18.2 and everywhere "ACPI: ACPICA 20060623"
    has been applied.

    Remove quirk_via_abnormal_poweroff

    Obsoleted by "ACPI: ACPICA 20060623":

    Implemented support for "ignored" bits in the ACPI registers. According
    to the ACPI specification, these bits should be preserved when writing
    the registers via a read/modify/write cycle. There are 3 bits preserved
    in this manner: PM1_CONTROL[0] (SCI_EN), PM1_CONTROL[9], and
    PM1_STATUS[11].

    http://bugzilla.kernel.org/show_bug.cgi?id=3691

    Signed-off-by: Karsten Wiese
    Cc: Bob Moore
    Acked-by: Len Brown
    Acked-by: Dave Jones
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 54a177028bfc55cae90a1704f2d0731a682416e1
Author: David Miller
Date:   Wed Oct 18 13:38:49 2006 -0700

    [PATCH] SPARC64: Fix PCI memory space root resource on Hummingbird.

    For Hummingbird PCI controllers, we should create the root PCI memory
    space resource as the full 4GB area, and then allocate the IOMMU DMA
    translation window out of there.

    The old code just assumed that the IOMMU DMA translation base to the top
    of the 4GB area was unusable. This is not true on many systems such as
    SB100 and SB150, where the IOMMU DMA translation window sits at
    0xc0000000->0xdfffffff.

    So what would happen is that any device mapped by the firmware at the top
    section 0xe0000000->0xffffffff would get remapped by Linux somewhere else
    leading to all kinds of problems and boot failures.

    While we're here, report more cases of OBP resource assignment conflicts.
    The only truly valid ones are ROM resource conflicts.

    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 97b601402b1378411467946272ad88b03c3e78ba
Author: Jeff Garzik
Date:   Tue Oct 17 00:10:39 2006 -0700

    [PATCH] ISDN: fix drivers, by handling errors thrown by ->readstat()

    This is a particularly ugly on-failure bug, possibly security, since the
    lack of error handling here is covering up another class of bug: failure
    to handle copy_to_user() return values.

    The I4L API function ->readstat() returns an integer, and by looking at
    several existing driver implementations, it is clear that a negative
    return value was meant to indicate an error.

    Given that several drivers already return a negative value indicating an
    errno-style error, the current code would blindly accept that [negative]
    value as a valid amount of bytes read. Obvious damage ensues.

    Correcting ->readstat() handling to properly notice errors fixes the
    existing code to work correctly on error, and enables future patches to
    more easily indicate errors during operation.

    Signed-off-by: Jeff Garzik
    Cc: Karsten Keil
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright

commit ee8a3629526eb8cacaee6bc2ba8ef95d5a0027a6
Author: Jeff Garzik
Date:   Tue Oct 17 00:10:40 2006 -0700

    [PATCH] ISDN: check for userspace copy faults

    Most of the ISDN ->readstat() implementations needed to check
    copy_to_user() and put_user() return values.

    Signed-off-by: Jeff Garzik
    Cc: Karsten Keil
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright

commit a9258b488424e70a0f8a398aaf18d018b6a9aaef
Author: Francisco Larramendi
Date:   Tue Oct 17 00:09:53 2006 -0700

    [PATCH] rtc-max6902: month conversion fix

    Fix October-only BCD-to-binary conversion bug:

        0x08 -> 7
        0x09 -> 8
        0x10 -> 15 (!)
        0x11 -> 19

    Fixes http://bugzilla.kernel.org/show_bug.cgi?id=7361

    Cc: Raphael Assenat
    Cc: Alessandro Zummo
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit 9140a25cbeb75cdbc795b962ab2843c421242dcc
Author: Thomas Gleixner
Date:   Tue Oct 17 00:09:39 2006 -0700

    [PATCH] posix-cpu-timers: prevent signal delivery starvation

    The integer divisions in the timer accounting code can round the result
    down to 0. Adding 0 is without effect and the signal delivery stops.

    Clamp the division result to minimum 1 to avoid this.

    Problem was reported by Seongbae Park, who provided also an initial
    patch.

    Roland sayeth:

    I have had some more time to think about the problem, and to reproduce it
    using Toyo's test case. For the record, if my understanding of the
    problem is correct, this happens only in one very particular case. First,
    the expiry time has to be so soon that in cputime_t units (usually 1s/HZ
    ticks) it's < nthreads so the division yields zero. Second, it only
    affects each thread that is so new that its CPU time accumulation is zero
    so now+0 is still zero and ->it_*_expires winds up staying zero. For the
    VIRT and PROF clocks when cputime_t is tick granularity (or the SCHED
    clock on configurations where sched_clock's value only advances on clock
    ticks), this is not hard to arrange with new threads starting up and
    blocking before they accumulate a whole tick of CPU time. That's what
    happens in Toyo's test case.

    Note that in general it is fine for that division to round down to zero,
    and set each thread's expiry time to its "now" time.
    The problem only arises with threads whose "now" value is still zero, so
    that now+0 winds up 0 and is interpreted as "not set" instead of
    ">= now". So it would be a sufficient and more precise fix to just use
    max(ticks, 1) inside the loop when setting each it_*_expires value.

    But, it does no harm to round the division up to one and always advance
    every thread's expiry time. If the thread didn't already fire timers for
    the expiry time of "now", there is no expectation that it will do so
    before the next tick anyway. So I followed Thomas's patch in lifting the
    max out of the loops.

    This patch also covers the reload cases, which are harder to write a test
    for (and I didn't try). I've tested it with Toyo's case and it fixes
    that.

    [toyoa@mvista.com: fix: min_t -> max_t]
    Signed-off-by: Thomas Gleixner
    Cc: Ingo Molnar
    Signed-off-by: Roland McGrath
    Cc: Daniel Walker
    Cc: Toyo Abe
    Cc: john stultz
    Cc: Roman Zippel
    Cc: Seongbae Park
    Cc: Peter Mattis
    Cc: Rohit Seth
    Cc: Martin Bligh
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit 641dd002d20760c891c3d7c3c6890e537ebddefd
Author: Jan Beulich
Date:   Sat Oct 21 09:23:38 2006 -0700

    [PATCH] fix Intel RNG detection

    Previously, since determination whether there was an Intel random number
    generator was based on a single bit, on systems with a matching bridge
    device but without a firmware hub, there was a 50% chance that the code
    would incorrectly decide that the system had an RNG. This patch adds
    detection of the firmware hub to better qualify the existence of an RNG.

    There is one issue with the patch: I was unable to determine the LPC
    equivalent for the PCI bridge 8086:2430 (since the old code didn't care
    about which of the many devices provided by the ICH/ESB it was chose to
    use the PCI bridge device, but the FWH settings live in the LPC device,
    so the device list needed to be changed).

    Signed-off-by: Jan Beulich
    Signed-off-by: Michael Buesch
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit f4a7d494bda500906e505aef6e043a4ed3d39d3c
Author: Akinobu Mita
Date:   Sun Oct 29 22:48:49 2006 +0100

    [PATCH] Watchdog: sc1200wdt - fix missing pnp_unregister_driver()

    [WATCHDOG] sc1200wdt.c pnp unregister fix.

    If no devices found or invalid parameter is specified,
    scl200wdt_pnp_driver is left unregistered. It breaks global list of pnp
    drivers.

    Signed-off-by: Akinobu Mita
    Signed-off-by: Wim Van Sebroeck
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit c8ec7067774748f29dae43682df884d329a7cb9e
Author: Clemens Ladisch
Date:   Fri Oct 27 14:15:35 2006 +0200

    [PATCH] ALSA: snd_rtctimer: handle RTC interrupts with a tasklet

    The calls to rtc_control() from inside the interrupt handler can deadlock
    the RTC code, so move our interrupt handling code to a tasklet.

    Signed-off-by: Clemens Ladisch
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit f3873b8c111b5042869fc8fc4ed966e2b07b07b6
Author: Paolo 'Blaisorblade' Giarrusso
Date:   Tue Oct 17 17:05:31 2006 +0200

    [PATCH] uml: remove warnings added by previous -stable patch

    Add needed includes for syscall() function, also to remove warnings spit
    out by GCC; they were added by previous -stable patch, and at least on my
    system (Ubuntu x86-64) these warnings do show up.

    Signed-off-by: Paolo 'Blaisorblade' Giarrusso
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit f897855bd1bf3eaefd44c316bb429532630747a6
Author: Ulrich Drepper
Date:   Tue Oct 17 17:01:13 2006 +0200

    [PATCH] uml: make Uml compile on FC6 kernel headers

    I need this patch to get a UML kernel to compile. This is with the kernel
    headers in FC6 which are automatically generated from the kernel tree.
    Some headers are missing but those files don't need them. At least it
    appears so since the resulting kernel works fine.

    Tested on x86-64.

    Signed-off-by: Ulrich Drepper
    Cc: Jeff Dike
    Cc: Paolo 'Blaisorblade' Giarrusso
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 5b44e45b5a7e3096b6665cabbe00463c1f33c676
Author: Andi Kleen
Date:   Sun Oct 22 00:59:04 2006 +0000

    [PATCH] x86-64: Fix C3 timer test

    There was a typo in the C3 latency test to decide if the TSC should be
    used or not. It used the C2 latency threshold, not the C3 one. Fix that.

    This should fix the time on various dual core laptops.

    Acked-by: Len Brown
    Signed-off-by: Andi Kleen
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit cea23cd94f286008d382ccee265ca417c9ce9a58
Author: Herbert Xu
Date:   Sun Oct 29 23:48:51 2006 -0800

    [PATCH] SCTP: Always linearise packet on input

    I was looking at a RHEL5 bug report involving Xen and SCTP
    (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212550). It turns
    out that SCTP wasn't written to handle skb fragments at all. The absence
    of any calls to skb_may_pull is testament to that.

    It just so happens that Xen creates fragmented packets more often than
    other scenarios (header & data split when going from domU to dom0).
    That's what caused this bug to show up.

    Until someone has the time sits down and audits the entire net/sctp
    directory, here is a conservative and safe solution that simply
    linearises all packets on input.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 5565a6be17231fdcbaa65e2ef41e4f67bf709a81
Author: Herbert Xu
Date:   Sun Oct 29 16:11:38 2006 -0800

    [PATCH] NET: Fix skb_segment() handling of fully linear SKBs

    [NET]: Fix segmentation of linear packets

    skb_segment fails to segment linear packets correctly because it tries to
    write all linear parts of the original skb into each segment. This will
    always panic as each segment only contains enough space for one MSS.

    This was not detected earlier because linear packets should be rare for
    GSO. In fact it still remains to be seen what exactly created the linear
    packets that triggered this bug. Basically the only time this should
    happen is if someone enables GSO emulation on an interface that does not
    support SG.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 75c8aaf22867285b8c67dce0cf117fe1a0425f74
Author: Al Viro
Date:   Sun Oct 29 13:03:49 2006 +0100

    [PATCH] fix missing ifdefs in syscall classes hookup for generic targets

    several targets have no ....at() family and m32r calls its only chown
    variant chown32(), with __NR_chown being undefined. creat(2) is also
    absent in some targets.

    Signed-off-by: Al Viro
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 0e1ce4461d940d122302593898632e96b72a7e4c
Author: Doug Ledford
Date:   Sun Sep 24 04:01:16 2006 +0000

    [PATCH] SCSI: aic7xxx: pause sequencer before touching SBLKCTL

    [SCSI] aic7xxx: pause sequencer before touching SBLKCTL

    Some cards need to pause the sequencer before the SBLKCTL register is
    touched. This fixes a PCI related oops seen on powerpc macs with this
    card caused by trying to ascertain the bus signalling before beginning
    domain validation.

    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 0a898c598ecf239a60775063887317459f9e275b
Author: Stephen Hemminger
Date:   Fri Oct 20 17:13:20 2006 -0700

    [PATCH] sky2: 88E803X transmit lockup (2.6.18)

    The reason sky2 driver was locking up on transmit on the Yukon-FE chipset
    is that it was misconfiguring the internal RAM buffer so the transmitter
    and receiver were sharing the same space.

    It is a wonder it worked at all!

    This patch addresses this, and fixes an easily reproducible hang on
    Transmit. Only the Yukon-FE chip is Marvell 88E803X (10/100 only) are
    affected.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit d758e2151487a13f2b6c726d0ba3781bbddf3e18
Author: Zachary Amsden
Date:   Fri Oct 20 14:18:51 2006 -0700

    [PATCH] Fix potential interrupts during alternative patching

    Interrupts must be disabled during alternative instruction patching. On
    systems with high timer IRQ rates, or when running in an emulator, timing
    differences can result in random kernel panics because of running
    partially patched instructions. This doesn't yet fix NMIs, which requires
    extricating the patch code from the late bug checking and is logically
    separate (and also less likely to cause problems).

    Signed-off-by: Zachary Amsden
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 6c7e1a3d3d1b85ebbec3c33fc9c728ad3be4846f
Author: Miklos Szeredi
Date:   Wed Oct 18 11:08:30 2006 +0200

    [PATCH] fuse: fix hang on SMP

    Fuse didn't always call i_size_write() with i_mutex held which caused
    rare hangs on SMP/32bit. This bug has been present since fuse-2.2, well
    before being merged into mainline.

    The simplest solution is to protect i_size_write() with the
    per-connection spinlock. Using i_mutex for this purpose would require
    some restructuring of the code and I'm not even sure it's always safe to
    acquire i_mutex in all places i_size needs to be set.

    Since most of vmtruncate is already duplicated for other reasons,
    duplicate the remaining part as well, making all i_size_write() calls
    internal to fuse.

    Using i_size_write() was unnecessary in fuse_init_inode(), since this
    function is only called on a newly created locked inode.

    Reported by a few people over the years, but special thanks to Dana
    Henriksen who was persistent enough in helping me debug it.

    Signed-off-by: Miklos Szeredi
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit ebd9eb32ff883be3401baa7b231749930f3306cc
Author: Arthur Kepner
Date:   Tue Oct 17 16:22:59 2006 -0700

    [PATCH] IB/mthca: Use mmiowb after doorbell ring

    We discovered a problem when running IPoIB applications on multiple CPUs
    on an Altix system. Many messages such as:

    ib_mthca 0002:01:00.0: SQ 000014 full (19941644 head, 19941707 tail, 64 max, 0 nreq)

    appear in syslog, and the driver wedges up.

    Apparently this is because writes to the doorbells from different CPUs
    reach the device out of order. The following patch adds mmiowb() calls
    after doorbell rings to ensure the doorbell writes are ordered.

    Signed-off-by: Arthur Kepner
    Signed-off-by: Roland Dreier
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit fd4c742d7c4932e37fc56914c4586327816df12e
Author: Eli Cohen
Date:   Tue Oct 17 16:23:25 2006 -0700

    [PATCH] IPoIB: Rejoin all multicast groups after a port event

    When ipoib_ib_dev_flush() is called because of a port event, the driver
    needs to rejoin all multicast groups, since the flush will call
    ipoib_mcast_dev_flush() (via ipoib_ib_dev_down()). Otherwise no
    (non-broadcast) multicast groups will be rejoined until the networking
    core calls ->set_multicast_list again, and so multicast reception will be
    broken for potentially a long time.

    Signed-off-by: Eli Cohen
    Signed-off-by: Michael S. Tsirkin
    Signed-off-by: Roland Dreier
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 016c9ac429dff26bc481b53f01f0a9ac486021ff
Author: James Bottomley
Date:   Sun Sep 24 04:01:16 2006 +0000

    [PATCH] SCSI: aic7xxx: avoid checking SBLKCTL register for certain cards

    [SCSI] aic7xxx: avoid checking SBLKCTL register for certain cards

    For cards that don't support LVD, checking the SBLKCTL register to
    determine the bus signalling doesn't work. So, check that the card
    supports LVD first (AHC_ULTRA2) before checking the register.

    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 02bb8f3f912d8a2048ed7502a733f64c6bf8fcfe
Author: NeilBrown
Date:   Fri Oct 20 11:52:44 2006 +1000

    [PATCH] knfsd: Fix race that can disable NFS server.

    This is a long standing bug that seems to have only recently become
    apparent, presumably due to increasing use of NFS over TCP - many distros
    seem to be making it the default.

    The SK_CONN bit gets set when a listening socket may be ready for an
    accept, just as SK_DATA is set when data may be available.

    It is entirely possible for svc_tcp_accept to be called with neither of
    these set. It doesn't happen often but there is a small race in
    svc_sock_enqueue as SK_CONN and SK_DATA are tested outside the spin_lock.
    They could be cleared immediately after the test and before the lock is
    gained.

    This normally shouldn't be a problem. The sockets are non-blocking so
    trying to read() or accept() when there is nothing to do is not a
    problem.

    However: svc_tcp_recvfrom makes the decision "Should I accept() or should
    I read()" based on whether SK_CONN is set or not. This usually works but
    is not safe. The decision should be based on whether it is a TCP_LISTEN
    socket or a TCP_CONNECTED socket.

    Signed-off-by: Neil Brown
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 8fb3dd17ba82cf264224fc19c69efb42e4370f28
Author: NeilBrown
Date:   Fri Oct 20 13:25:30 2006 +1000

    [PATCH] md: Fix calculation of ->degraded for multipath and raid10

    Two less-used md personalities have bugs in the calculation of ->degraded
    (the extent to which the array is degraded).

    Signed-off-by: Neil Brown
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 563f2416b31884d196f194bcca580f8226b1dc4a
Author: NeilBrown
Date:   Mon Oct 23 17:07:48 2006 +1000

    [PATCH] md: Fix bug where spares don't always get rebuilt properly when they become live.

    If save_raid_disk is >= 0, then the device could be a device that is
    already in sync that is being re-added. So we need to default this value
    to -1.

    Signed-off-by: Neil Brown
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 1e4007bf4ef92fc6d2afa418c1b49921a7c7d0b3
Author: Takashi Iwai
Date:   Tue Oct 24 14:55:46 2006 +0200

    [PATCH] ALSA: Fix re-use of va_list

    The va_list is designed to be used only once. The current code may pass
    va_list arguments multiple times and may cause Oops. Copy/release the
    arguments temporarily to avoid this problem.

    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 8354b19683679cd0f0e31e750d846d796c0b5dea
Author: Michael Krufky
Date:   Sat Oct 28 14:53:49 2006 -0400

    [PATCH] DVB: fix dvb_pll_attach for mt352/zl10353 in cx88-dvb, and nxt200x

    DVB: fix dvb_pll_attach for mt352/zl10353 in cx88-dvb, and nxt200x

    Typical wiring of MT352, ZL10353, NXT2002 and NXT2004 based tuners differ
    from dvb-pll's expectation that the PLL is directly accessible.

    On these boards, the PLL is actually hidden behind the demodulator, and
    as such can only be accessed via the demodulator's interface.

    It was failing to communicate with the PLL during an attach test and
    subsequently not connecting the tuner ops.

    By passing a NULL I2C bus handle to dvb_pll_attach, this accessibility
    check can be bypassed. Do this for the affected boards. Also fix a
    possible NULL dereference at sleep time, which would otherwise be exposed
    by this change.

    This patch has been backported to the 2.6.18.y stable kernel series from
    the original changesets from Chris Pascoe and Michael Krufky, already
    present in the upstream 2.6.19 kernel tree.

    Signed-off-by: Chris Pascoe
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 37f8d2f4d123433cd1fd2936e9bc726be0939ef0
Author: Michael Buesch
Date:   Fri Oct 27 11:16:39 2006 -0500

    [PATCH] bcm43xx: fix watchdog timeouts.

    This fixes a netdev watchdog timeout problem. The problem is caused by a
    needed netif_tx_disable in the hardware calibration code and can be shown
    by the following timegraph.

    |---5secs - ~10 jiffies time---|---|OOPS
    ^                              ^
    last real TX                   periodic work stops netif

    At OOPS, the following happens:

    The watchdog timer triggers, because the timeout of 5secs is over. The
    watchdog first checks for stopped TX. _Usually_ TX is only stopped from
    the TX handler to indicate a full TX queue. But this is different. We
    need to stop TX here, regardless of the TX queue state. So the watchdog
    recognizes the stopped device and assumes it is stopped due to full TX
    queues (Which is a _wrong_ assumption in this case). It then tests how
    far the last TX has been in the past. If it's more than 5secs (which is
    the case for low or no traffic), it will fire a TX timeout.

    Acked-by: John W. Linville
    Signed-off-by: Michael Buesch
    Signed-off-by: Larry Finger
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 955ebc8df7709dbcb92d7bf74a2598282e1c9307
Author: David Miller
Date:   Wed Oct 25 23:51:07 2006 -0700

    [PATCH] SPARC64: Fix memory corruption in pci_4u_free_consistent().

    The second argument to free_npages() was being incorrectly calculated,
    which would thus access far past the end of the arena->map[] bitmap.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 59bf9f2fd5c23b6776520d75c67825a33f4fbbbc
Author: David Miller
Date:   Wed Oct 25 23:50:12 2006 -0700

    [PATCH] SPARC64: Fix central/FHC bus handling on Ex000 systems.

    1) probe_other_fhcs() wants to see only non-central FHC busses, so skip
       FHCs that don't sit off the root

    2) Like SBUS, FHC can lack the appropriate address and size cell count
       properties, so add an of_busses[] entry and handlers for that.

    3) Central FHC irq translator probing was buggy. We were trying to use
       dp->child in irq_trans_init but that linkage is not setup at this
       point.
       So instead, pass in the parent of "dp" and look for the child "fhc"
       with parent "central".

    Thanks to the tireless assistance of Ben Collins in tracking down these
    problems and testing out these fixes.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 9b2e07b8574e21554a381e065efd7050f96eaead
Author: Dave Kleikamp
Date:   Mon Oct 23 17:00:13 2006 +0000

    [PATCH] JFS: pageno needs to be long

    JFS: pageno needs to be long

    diRead and diWrite are representing the page number as an unsigned int.
    This causes file system corruption on volumes larger than 16TB.

    Signed-off-by: Dave Kleikamp
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit b754f1bb053d9ec2d9b9fb64126543e9b8cbd3dd
Author: Marcel Holtmann
Date:   Mon Oct 16 15:59:28 2006 +0000

    [PATCH] Bluetooth: Check if DLC is still attached to the TTY

    [Bluetooth] Check if DLC is still attached to the TTY

    If the DLC device is no longer attached to the TTY device, then it makes
    no sense to go through with changing the termios settings.

    Signed-off-by: Marcel Holtmann
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 4d496dde1429e99c49070190cb4ec1f3c3effbdd
Author: Russell King
Date:   Tue Oct 17 13:26:34 2006 +0200

    [PATCH] SERIAL: Fix oops when removing suspended serial port

    [SERIAL] Fix oops when removing suspended serial port

    A serial card might have been removed when the system is resumed. This
    results in a suspended port being shut down, which results in the ports
    shutdown method being called twice in a row. This causes BUGs. Avoid this
    by tracking the suspended state separately from the initialised state.
    Signed-off-by: Russell King
    Signed-off-by: maximilian attems
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 9b1bb2cd3271ea65aad59708d466917f368562cf
Author: Russell King
Date:   Tue Oct 17 13:19:40 2006 +0200

    [PATCH] SERIAL: Fix resume handling bug

    Unfortunately, pcmcia_dev_present() returns false when a device is suspended, so checking this on resume does not work too well. Omit this test.

    the backported patch below is already in fedora tree. -maks

    Signed-off-by: Russell King
    Signed-off-by: maximilian attems
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 3d8565debdd12b99c133ff9553fceb6bc0749051
Author: David Woodhouse
Date:   Fri Sep 29 17:01:11 2006 +0000

    [PATCH] Fix uninitialised spinlock in via-pmu-backlight code.

    The uninitialised pmu_backlight_lock causes the current Fedora test kernel (which has spinlock debugging enabled) to panic on suspend.

    This is suboptimal, so I fixed it.

    Signed-off-by: David Woodhouse
    Acked-by: Benjamin Herrenschmidt
    Acked-by: Michael Hanselmann
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 01fc2a1ad09f97bfcd5b5941d66ae6e2cec4315e
Author: Brian King
Date:   Sun Sep 24 03:59:49 2006 +0000

    [PATCH] SCSI: DAC960: PCI id table fixup

    [SCSI] DAC960: PCI id table fixup

    The PCI ID table in the DAC960 driver conflicts with some devices that use the ipr driver. All ipr adapters that use this chip have an IBM subvendor ID and all DAC960 adapters that use this chip have a Mylex subvendor id.

    Signed-off-by: Brian King
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 9ee03a230d10a22e36f1e1fdcc2e0a92628e9ac6
Author: Paolo 'Blaisorblade' Giarrusso
Date:   Sun Oct 15 21:43:29 2006 +0200

    [PATCH] uml: fix processor selection to exclude unsupported processors and features

    Makes UML compile on any possible processor choice.
    The two problems were:

    *) x86 code, when 386 is selected, checks at runtime boot_cpuflags, which we do not have.
    *) 3Dnow support for memcpy() et al. does not compile currently and fixing this is not trivial, so simply disable it; with this change, if one selects MK7 UML compiles (while it did not).

    Merged upstream.

    Signed-off-by: Paolo 'Blaisorblade' Giarrusso
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 1438080529620fd39f250f0b9ce11d869a288b5a
Author: Stephen Hemminger
Date:   Mon Oct 16 14:10:16 2006 -0700

    [PATCH] sky2: GMAC pause frame

    This reverts earlier change that attempted to fix flow control. Device needs to discard pause frames, otherwise it passes pause frames up the stack.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit d5d6dc53434a53022b3f033436e67523b8f23ad6
Author: Stephen Hemminger
Date:   Mon Oct 16 14:08:56 2006 -0700

    [PATCH] sky2: accept multicast pause frames

    When using flow control, the PHY needs to accept multicast pause frames. Without this fix, these frames were getting discarded by the PHY before doing any flow control.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 45f08385d341d43927e936c69b5bdd4b07f1eb40
Author: Karsten Wiese
Date:   Mon Oct 16 14:46:53 2006 +0200

    [PATCH] ALSA: Repair snd-usb-usx2y for usb 2.6.18

    ALSA: Repair snd-usb-usx2y for usb 2.6.18

    urb->start_frame rolls over beyond MAX_INT now. This is for stable kernel and stable alsa.

    From: Karsten Wiese
    Signed-off-by: Karsten Wiese
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 0e98aebf2acaa92ca16bf2968b85b3c19da35dc3
Author: Karsten Wiese
Date:   Mon Oct 16 14:45:14 2006 +0200

    [PATCH] ALSA: Fix bug in snd-usb-usx2y's usX2Y_pcms_lock_check()

    Fix bug in snd-usb-usx2y's usX2Y_pcms_lock_check()

    substream can be NULL......
    in mainline, bug was introduced by:
    2006-06-22 [ALSA] Add O_APPEND flag support to PCM

    From: Karsten Wiese
    Signed-off-by: Karsten Wiese
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit e0cd3e38de139be4929fe8b18d85da585580420b
Author: Florin Malita
Date:   Mon Oct 16 14:43:43 2006 +0200

    [PATCH] ALSA: Dereference after free in snd_hwdep_release()

    snd_card_file_remove() may free hw->card so we can't dereference hw->card->module after that.

    Coverity ID 1420.

    This bug actually causes an Oops at usb-disconnection, especially with CONFIG_PREEMPT.

    From: Florin Malita
    Signed-off-by: Florin Malita
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 0136d6eaf1356d5c484e84664f7688de895daaf6
Author: Amol Lad
Date:   Mon Oct 16 14:39:03 2006 +0200

    [PATCH] sound/pci/au88x0/au88x0.c: ioremap balanced with iounmap

    From: Amol Lad
    Signed-off-by: Amol Lad
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 0189ff18b9354352be1bdc9f1741ead538196adf
Author: Takashi Iwai
Date:   Mon Oct 16 14:37:31 2006 +0200

    [PATCH] ALSA: powermac - Fix Oops when conflicting with aoa driver

    Fixed Oops when conflicting with aoa driver due to lack of i2c initialization.

    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 9e3fb449a46c40b3815d53d5c749066bd436a9b1
Author: Arnaud Patard
Date:   Mon Oct 16 14:35:57 2006 +0200

    [PATCH] ALSA: emu10k1: Fix outl() in snd_emu10k1_resume_regs()

    The emu10k1 driver saves the A_IOCFG and HCFG register on suspend and restores it on resumes. Unfortunately, this doesn't work as the arguments to outl() are reversed.
    From: Arnaud Patard
    Signed-off-by: Arnaud Patard
    Signed-off-by: Takashi Iwai
    Signed-off-by: Chris Wright

commit 0880d4e6062e116ab02f5f40814e8938b6f58c2e
Author: Stephen Hemminger
Date:   Thu Oct 12 15:32:42 2006 -0700

    [PATCH] sky2: turn off PHY IRQ on shutdown

    When PHY is turned off on shutdown, it can cause the IRQ to get stuck on. Make sure and disable the IRQ first, and if IRQ occurs when device is not running, don't access PHY because that can hang.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit cc4b988eefa12a629ba339e2432c8669a04718fe
Author: Stephen Hemminger
Date:   Thu Oct 12 15:34:24 2006 -0700

    [PATCH] sky2: pause parameter adjustment

    The lower pause threshold set by the driver is too large and causes FIFO overruns. Especially on laptops running at slower clock rates.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 15531084fa60dbedda5c2920bdc4b9e6882b5469
Author: Stephen Hemminger
Date:   Thu Oct 12 15:38:11 2006 -0700

    [PATCH] sky2: MSI test race and message

    Make sure and do PCI reads after writes in the MSI test setup code.

    Some motherboards don't implement MSI correctly. The driver handles this but the warning is too verbose and overly cautious.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit f7bc3d8e19acb53487f969c4bf2c54109a972bac
Author: Suresh Siddha
Date:   Thu Oct 12 09:14:05 2006 -0700

    [PATCH] mm: fix a race condition under SMC + COW

    Failing context is a multi threaded process context and the failing sequence is as follows.

    One thread T0 doing self modifying code on page X on processor P0 and another thread T1 doing COW (breaking the COW setup as part of just happened fork() in another thread T2) on the same page X on processor P1.
    T0 doing SMC can end up modifying the new page Y (allocated by the T1 doing COW on P1) but because of different I/D TLB's, P0 ITLB will not see the new mapping till the flush TLB IPI from P1 is received. During this interval, if T0 executes the code created by SMC it can result in an app error (as ITLB still points to old page X and end up executing the content in page X rather than using the content in page Y).

    Fix this issue by first clearing the PTE and flushing it, before updating it with new entry.

    Hugh sayeth:

    I was a bit sceptical, in the habit of thinking that Self Modifying Code must look such issues itself: but I guess there's nothing it can do to avoid this one.

    Fair enough, what you're changing it to is pretty much what powerpc and s390 were already doing, and is a more robust way of proceeding, consistent with how ptes are set everywhere else.

    The ptep_clear_flush is a bit heavy-handed (it's anxious to return the pte that was atomically cleared), but we'd have to wander through lots of arches to get the right minimal behaviour. It'd also be nice to eliminate ptep_establish completely, now only used to define other macros/inlines: it always seemed obfuscation to me, what you've got there now is clearer. Let's put those cleanups on a TODO list.

    Signed-off-by: Suresh Siddha
    Acked-by: "David S. Miller"
    Acked-by: Hugh Dickins
    Cc: Nick Piggin
    Cc: Peter Zijlstra
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 3bc587b9cbf2a72e16b5a960731f08df36ba97fa
Author: Martin Schwidefsky
Date:   Thu Oct 12 14:41:07 2006 +0200

    [PATCH] __div64_32 for 31 bit.

    The clocksource infrastructure introduced with commit ad596171ed635c51a9eef829187af100cbf8dcf7 broke 31 bit s390. The reason is that the do_div() primitive for 31 bit always had a restriction: it could only divide an unsigned 64 bit integer by an unsigned 31 bit integer.
    The clocksource code now uses do_div() with a base value that has the most significant bit set. The result is that clock->cycle_interval has a funny value which causes the linux time to jump around like mad.

    The solution is "obvious": implement a proper __div64_32 function for 31 bit s390.

    Signed-off-by: Martin Schwidefsky
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit f44a15dacc3b68d6847dba2cc45d09bcdb076867
Author: Jens Axboe
Date:   Thu Oct 12 07:59:47 2006 +0200

    [PATCH] splice: fix pipe_to_file() ->prepare_write() error path

    Don't jump to the unlock+release path, we already did that.

    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 5bb10961933cd8efb97e67d5cc005af9c025ee8d
Author: Patrick McHardy
Date:   Thu Oct 12 01:49:38 2006 -0700

    [PATCH] Fix sfuzz hanging on 2.6.18

    Dave Jones wrote:
    > sfuzz D 724EF62A 2828 28717 28691 (NOTLB)
    > cd69fe98 00000082 0000012d 724ef62a 0001971a 00000010 00000007 df6d22b0
    > dfd81080 725bbc5e 0001971a 000cc634 00000001 df6d23bc c140e260 00000202
    > de1d5ba0 cd69fea0 de1d5ba0 00000000 00000000 de1d5b60 de1d5b8c de1d5ba0
    > Call Trace:
    > [] lock_sock+0x75/0xa6
    > [] dn_getname+0x18/0x5f [decnet]
    > [] sys_getsockname+0x5c/0xb0
    > [] sys_socketcall+0xef/0x261
    > [] syscall_call+0x7/0xb
    > DWARF2 unwinder stuck at syscall_call+0x7/0xb
    >
    > I wonder if the plethora of lockdep related changes inadvertently broke something?

    Looks like unbalanced locking.

    Acked-by: Steven Whitehouse
    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright