commit 03739b5cc1b86536d662b89ce935b0ee68977e23
Author: Chris Wright
Date:   Sat Dec 16 16:21:00 2006 -0800

    Linux 2.6.18.6

commit e4a835d383dc58212a9648ef905cb8087e0c4ab2
Author: Arjan van de Ven
Date:   Mon Dec 11 21:45:01 2006 +0100

    [PATCH] x86-64: Mark rdtsc as sync only for netburst, not for core2

    On the Core2 cpus, the rdtsc instruction is not serializing (as defined
    in the architecture reference since rdtsc exists) and due to the deep
    speculation of these cores, it's possible that you can observe time go
    backwards between cores due to this speculation. Since the kernel
    already deals with this with the SYNC_RDTSC flag, the solution is
    simple, only assume that the instruction is serializing on family 15...

    The price one pays for this is a slightly slower gettimeofday (by a
    dozen or two cycles), but that increase is quite small to pay for a
    really-going-forward tsc counter.

    Signed-off-by: Arjan van de Ven
    Signed-off-by: Andi Kleen
    [chrisw: backported to 2.6.18]
    Signed-off-by: Chris Wright

commit 1dca7c280661c5741ac2eeb4b5386c1a566bf0b1
Author: Marcel Holtmann
Date:   Mon Dec 11 15:18:24 2006 +0100

    [PATCH] Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)

    With malformed packets it might be possible to overwrite internal
    CMTP and CAPI data structures. This patch adds additional length
    checks to prevent these kinds of remote attacks.

    Signed-off-by: Marcel Holtmann
    Signed-off-by: Chris Wright

commit 8dc0b54bc7e4d14efdd0314a9d9e3960a230d527
Author: Daniel Barkalow
Date:   Fri Dec 8 11:58:15 2006 -0500

    [PATCH] forcedeth: Disable INTx when enabling MSI in forcedeth

    At least some nforce cards continue to send legacy interrupts when MSI
    is enabled, and these interrupts are treated as unhandled by the
    kernel. This patch disables legacy interrupts explicitly when enabling
    MSI mode.

    The correct fix is to change the MSI infrastructure to disable legacy
    interrupts when enabling MSI, but this is potentially risky if the
    device isn't PCI-2.3 or is quirky, so the correct fix is going into
    mainline, while patches like this one go into -stable.

    Legend has it that it is most correct to disable legacy interrupts
    before enabling MSI, but the mainline patch does it in the other order,
    and this patch is "obviously" the same as mainline.

    Signed-off-by: Daniel Barkalow
    Signed-off-by: Chris Wright

commit cf2b74ef76841402f4567fbc82bd7f93415b3cd7
Author: Hirokazu Takata
Date:   Fri Dec 8 02:35:54 2006 -0800

    [PATCH] m32r: make userspace headers platform-independent

    The m32r kernel 2.6.18-rc1 or after causes build errors of "unknown isa
    configuration" for userspace application programs, such as glibc, gdb,
    etc.

    This is because the recent kernel does not include linux/config.h not
    to expose kernel headers for userspace.

    To fix the above compile errors, this patch fixes two headers ptrace.h
    and sigcontext.h for m32r and makes them platform-independent.

    Signed-off-by: Hirokazu Takata
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit da9aa2f4fdc179d71961b6f1562a2375998ce9d5
Author: Zachary Amsden
Date:   Wed Dec 6 20:39:39 2006 -0800

    [PATCH] softirq: remove BUG_ONs which can incorrectly trigger

    It is possible to have tasklets get scheduled before softirqd has had a
    chance to spawn on all CPUs. This is totally harmless; after success
    during action CPU_UP_PREPARE, action CPU_ONLINE will be called, which
    immediately wakes softirqd on the appropriate CPU to process the
    already pending tasklets. So there is no danger of having a missed
    wakeup for any tasklets that were already pending.

    In particular, i386 is affected by this during startup, and is visible
    when using a very large initrd; during the time it takes for the initrd
    to be decompressed, a timer IRQ can come in and schedule RCU callbacks.
    It is also possible that resending of a hardware IRQ via a softirq
    triggers the same bug.

    Because of different timing conditions, this shows up in all emulators
    and virtual machines tested, including Xen, VMware, Virtual PC, and
    Qemu. It is also possible to trigger on native hardware with a large
    enough initrd, although I don't have a reliable case demonstrating
    that.

    Signed-off-by: Zachary Amsden
    Cc:
    Cc: Ingo Molnar
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit 80dc4d3acce8103ad87e14ca8ae6b10a2785c5e5
Author: Andrey Mirkin
Date:   Wed Dec 6 20:31:35 2006 -0800

    [PATCH] skip data conversion in compat_sys_mount when data_page is NULL

    OpenVZ Linux kernel team has found a problem with mounting in compat
    mode.

    Simple command "mount -t smbfs ..." on Fedora Core 5 distro in 32-bit
    mode leads to oops:

      Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP:
      [] compat_sys_mount+0xd6/0x290
      PGD 34d48067 PUD 34d03067 PMD 0
      Oops: 0000 [1] SMP
      CPU: 0
      Modules linked in: iptable_nat simfs smbfs ip_nat ip_conntrack vzdquota
      parport_pc lp parport 8021q bridge llc vznetdev vzmon nfs lockd sunrpc vzdev
      iptable_filter af_packet xt_length ipt_ttl xt_tcpmss ipt_TCPMSS
      iptable_mangle xt_limit ipt_tos ipt_REJECT ip_tables x_tables thermal
      processor fan button battery asus_acpi ac uhci_hcd ehci_hcd usbcore i2c_i801
      i2c_core e100 mii floppy ide_cd cdrom
      Pid: 14656, comm: mount
      RIP: 0060:[] [] compat_sys_mount+0xd6/0x290
      RSP: 0000:ffff810034d31f38 EFLAGS: 00010292
      RAX: 000000000000002c RBX: 0000000000000000 RCX: 0000000000000000
      RDX: ffff810034c86bc0 RSI: 0000000000000096 RDI: ffffffff8061fc90
      RBP: ffff810034d31f78 R08: 0000000000000000 R09: 000000000000000d
      R10: ffff810034d31e58 R11: 0000000000000001 R12: ffff810039dc3000
      R13: 000000000805ea48 R14: 0000000000000000 R15: 00000000c0ed0000
      FS: 0000000000000000(0000) GS:ffffffff80749000(0033) knlGS:00000000b7d556b0
      CS: 0060 DS: 007b ES: 007b CR0: 000000008005003b
      CR2: 0000000000000000 CR3: 0000000034d43000 CR4: 00000000000006e0
      Process mount (pid: 14656, veid=300, threadinfo ffff810034d30000, task ffff810034c86bc0)
      Stack: 0000000000000000 ffff810034dd0000 ffff810034e4a000 000000000805ea48
       0000000000000000 0000000000000000 0000000000000000 0000000000000000
       000000000805ea48 ffffffff8021e64e 0000000000000000 0000000000000000
      Call Trace:
       [] ia32_sysret+0x0/0xa

      Code: 83 3b 06 0f 85 41 01 00 00 0f b7 43 0c 89 43 14 0f b7 43 0a
      RIP [] compat_sys_mount+0xd6/0x290
       RSP
      CR2: 0000000000000000

    The problem is that data_page pointer can be NULL, so we should skip
    data conversion in this case.

    Signed-off-by: Andrey Mirkin
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit 26e6a249a64f9bdf4d8553d8ccc5cc3680e53c07
Author: Russell King
Date:   Wed Dec 13 14:12:15 2006 +0000

    [PATCH] ARM: Add sys_*at syscalls

    Later glibc requires the *at syscalls. Add them.

    Signed-off-by: Russell King
    Signed-off-by: Chris Wright

commit 44ad470075f19907c6d92ee837e75db1724b0f46
Author: Stefan Richter
Date:   Tue Dec 12 23:00:16 2006 -0500

    [PATCH] ieee1394: ohci1394: add PPC_PMAC platform code to driver probe

    Fixes http://bugzilla.kernel.org/show_bug.cgi?id=7431
    iBook G3 threw a machine check exception and put the display backlight
    to full brightness after ohci1394 was unloaded and reloaded.

    Signed-off-by: Stefan Richter
    [dsd@gentoo.org: also added missing if condition, commit
    63cca59e89892497e95e1e9c7156d3345fb7e2e8]
    Signed-off-by: Daniel Drake
    Acked-by: Stefan Richter
    Signed-off-by: Chris Wright

commit 250c26f60da65f76e561522238b1ceeac673686b
Author: Hans Verkuil
Date:   Tue Dec 12 00:36:39 2006 -0500

    [PATCH] V4L: Fix broken TUNER_LG_NTSC_TAPE radio support

    The TUNER_LG_NTSC_TAPE is identical in all respects to the
    TUNER_PHILIPS_FM1236_MK3. So use the params struct for the Philips
    tuner. Also add this LG_NTSC_TAPE tuner to the switches where radio
    specific parameters are set so it behaves like a
    TUNER_PHILIPS_FM1236_MK3.

    This change fixes the radio support for this tuner (the wrong
    bandswitch byte was used).

    Thanks to Andy Walls for finding this bug.

    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Chris Wright

commit 5252ec9f76aa29c4bb1ab171d5f497c2baeb5657
Author: Michael Krufky
Date:   Tue Dec 12 00:34:27 2006 -0500

    [PATCH] DVB: lgdt330x: fix signal / lock status detection bug

    In some cases when using VSB, the AGC status register has been known to
    falsely report "no signal" when in fact there is a carrier lock. The
    datasheet labels these status flags as QAM only, yet the lgdt330x
    module is using these flags for both QAM and VSB.

    This patch allows for the carrier recovery lock status register to be
    tested, even if the agc signal status register falsely reports no
    signal.

    Thanks to jcrews from #linuxtv in irc, for initially reporting this
    bug.

    Signed-off-by: Michael Krufky
    Signed-off-by: Chris Wright

commit 198a9f8d9c6f6260b69e9f68bbc063cecba222b0
Author: Andy Gospodarek
Date:   Tue Nov 21 11:46:44 2006 -0500

    [PATCH] bonding: incorrect bonding state reported via ioctl

    This is a small fix-up to finish out the work done by Jay Vosburgh to
    add carrier-state support for bonding devices. The output in
    /proc/net/bonding/bondX was correct, but when collecting the same info
    via an ioctl it could still be incorrect.

    Signed-off-by: Andy Gospodarek
    Cc: Jeff Garzik
    Cc: Stephen Hemminger
    Signed-off-by: Andrew Morton
    Signed-off-by: Jeff Garzik
    Signed-off-by: Chris Wright

commit 6cfea1e1f15cb5eb76bb80e9e8310fde254b8792
Author: Jeet Chaudhuri
Date:   Fri Dec 8 01:32:22 2006 +0200

    [PATCH] IrDA: Incorrect TTP header reservation

    We must reserve SAR + MAX_HEADER bytes for IrLMP to fit in.
    This fixes an oops reported (and fixed) by Jeet Chaudhuri, when
    max_sdu_size is greater than 0.

    Signed-off-by: Samuel Ortiz
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 0b427874213aae83d3a93b48c667e6946e331772
Author: David Miller
Date:   Thu Dec 7 00:40:36 2006 -0800

    [PATCH] IPSEC: Fix inetpeer leak in ipv4 xfrm dst entries.

    We grab a reference to the route's inetpeer entry but forget to release
    it in xfrm4_dst_destroy().

    Bug discovered by Kazunori MIYAZAWA

    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 2b64e22fdbc35b4a0e7c1cbda590daaced401c35
Author: Milan Broz
Date:   Tue Dec 5 16:11:18 2006 +0100

    [PATCH] dm snapshot: fix freeing pending exception

    Fix oops when removing full snapshot
    kernel bugzilla bug 7040

    If a snapshot became invalid (full) while there is outstanding
    pending_exception, pending_complete() forgets to remove the
    corresponding exception from its exception table before freeing it.

    Already fixed in 2.6.19.

    Signed-off-by: Milan Broz
    Signed-off-by: Chris Wright

commit 6e28fa8b0390dcbb883994f3c634c1f56fe4f93a
Author: David Miller
Date:   Mon Dec 4 20:01:31 2006 -0800

    [PATCH] XFRM: Use output device disable_xfrm for forwarded packets

    Currently the behaviour of disable_xfrm is inconsistent between locally
    generated and forwarded packets. For locally generated packets
    disable_xfrm disables the policy lookup if it is set on the output
    device, for forwarded traffic however it looks at the input device.
    This makes it impossible to disable xfrm on all devices but a dummy
    device and use normal routing to direct traffic to that device.

    Always use the output device when checking disable_xfrm.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit b501bcbbb21d2222fa4f0a11d89dffa9fa508be3
Author: Jurij Smakov
Date:   Sun Dec 3 19:36:32 2006 -0800

    [PATCH] SUNHME: Fix for sunhme failures on x86

    The following patch fixes the failure of sunhme drivers on x86 hosts
    due to missing pci_enable_device() and pci_set_master() calls, lost
    during code refactoring. It has been filed as bugzilla bug #7502 [0]
    and Debian bug #397460 [1].

    [0] http://bugzilla.kernel.org/show_bug.cgi?id=7502
    [1] http://bugs.debian.org/397460

    Signed-off-by: Jurij Smakov
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 69ba0bfa9c9b97a0dfdfd1b631dec02883aa2b75
Author: David Miller
Date:   Fri Dec 1 20:36:44 2006 -0800

    [PATCH] PKT_SCHED act_gact: division by zero

    Not returning -EINVAL, because someone might want to use the value
    zero in some future gact_prob algorithm?

    Signed-off-by: Kim Nordlund
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit cf9a7875e65098f049b410faea454b2041ba7fd3
Author: Patrick McHardy
Date:   Fri Dec 1 20:14:55 2006 -0800

    [PATCH] NETFILTER: ip_tables: revision support for compat code

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 43e5eb5c8cd3194f747c0a82b9939bfc48f352c5
Author: Christophe Saout
Date:   Sat Dec 2 03:27:56 2006 +0100

    [PATCH] dm crypt: Fix data corruption with dm-crypt over RAID5

    Fix corruption issue with dm-crypt on top of software raid5. Cancelled
    readahead bio's that report no error, just have BIO_UPTODATE cleared
    were reported as successful reads to the higher layers (and leaving
    random content in the buffer cache). Already fixed in 2.6.19.

    Signed-off-by: Christophe Saout
    Signed-off-by: Chris Wright

commit 8a4ab56748c87f71e6090e741150bd3f7b8995e1
Author: Patrick McHardy
Date:   Thu Nov 30 20:06:33 2006 -0800

    [PATCH] NET_SCHED: policer: restore compatibility with old iproute binaries

    The tc actions increased the size of struct tc_police, which broke
    compatibility with old iproute binaries since both the act_police and
    the old NET_CLS_POLICE code check for an exact size match.

    Since the new members are not even used, the simple fix is to also
    accept the size of the old structure. Dumping is not affected since
    old userspace will receive a bigger structure, which is handled fine.

    Signed-off-by: Patrick McHardy
    Acked-by: Jamal Hadi Salim
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 6ed412d5056d4246a7fc7ecf8408007fe60d2567
Author: Al Viro
Date:   Thu Nov 30 19:47:59 2006 -0800

    [PATCH] EBTABLES: Prevent wraparounds in checks for entry components' sizes.

    Signed-off-by: Al Viro
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 6fe7624b306c7db201c07434ac511ab6fc7f0b2c
Author: Al Viro
Date:   Thu Nov 30 19:47:58 2006 -0800

    [PATCH] EBTABLES: Deal with the worst-case behaviour in loop checks.

    No need to revisit a chain we'd already finished with during the check
    for current hook. It's either instant loop (which we'd just detected)
    or a duplicate work.

    Signed-off-by: Al Viro
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 83b44db22cc477cb2f9f6e96d07812245cd060db
Author: Al Viro
Date:   Thu Nov 30 19:47:56 2006 -0800

    [PATCH] EBTABLES: Verify that ebt_entries have zero ->distinguisher.

    We need that for iterator to work; existing check had been too weak.

    Signed-off-by: Al Viro
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit b967e13584aca829627eaf17d19a69edd3fadb40
Author: Al Viro
Date:   Thu Nov 30 19:47:52 2006 -0800

    [PATCH] EBTABLES: Fix wraparounds in ebt_entries verification.

    We need to verify that
        a) we are not too close to the end of buffer to dereference
        b) next entry we'll be checking won't be _before_ our

    While we are at it, don't subtract unrelated pointers...

    Signed-off-by: Al Viro
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 8aa01bd451fafa853eed8a10fe413230bea547ac
Author: Michael Buesch
Date:   Wed Nov 29 18:51:12 2006 -0600

    [PATCH] softmac: remove netif_tx_disable when scanning

    In the scan section of ieee80211softmac, network transmits are
    disabled. When SoftMAC re-enables transmits, it may override the wishes
    of a driver that may have very good reasons for disabling transmits.
    At least one failure in bcm43xx can be traced to this problem. In
    addition, several unexplained problems may arise from the unexpected
    enabling of transmits.

    Signed-off-by: Michael Buesch
    Signed-off-by: Larry Finger
    Signed-off-by: Chris Wright