commit 1edb5a2de7a29144644794208eb63abbca419430
Author: Chris Wright
Date:   Mon Dec 11 11:32:53 2006 -0800

    Linux 2.6.19.1

commit f558fdfaa8d62e33ef47a819d1ca659a8f9e1f1a
Author: David Miller
Date:   Fri Dec 8 17:14:38 2006 -0800

    [PATCH] NETLINK: Put {IFA,IFLA}_{RTA,PAYLOAD} macros back for userspace.

    GLIBC uses them etc. They are guarded by ifndef __KERNEL__ so nobody
    will start accidentally using them in the kernel again, it's just for
    userspace.

    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 39a173632d043082157b4b002e956b3131556eea
Author: Daniel Barkalow
Date:   Fri Dec 8 11:58:15 2006 -0500

    [PATCH] forcedeth: Disable INTx when enabling MSI in forcedeth

    At least some nforce cards continue to send legacy interrupts when MSI
    is enabled, and these interrupts are treated as unhandled by the
    kernel. This patch disables legacy interrupts explicitly when enabling
    MSI mode.

    The correct fix is to change the MSI infrastructure to disable legacy
    interrupts when enabling MSI, but this is potentially risky if the
    device isn't PCI-2.3 or is quirky, so the correct fix is going into
    mainline, while patches like this one go into -stable.

    Legend has it that it is most correct to disable legacy interrupts
    before enabling MSI, but the mainline patch does it in the other order,
    and this patch is "obviously" the same as mainline.

    Signed-off-by: Daniel Barkalow
    Cc: Jeff Garzik
    Cc: Greg KH
    Signed-off-by: Chris Wright

commit 3667bf6de29ff04c42557e31e3e8cbbbb835732c
Author: Ravikiran G Thirumalai
Date:   Sat Dec 9 21:33:35 2006 +0100

    [PATCH] x86: Fix boot hang due to nmi watchdog init code

    2.6.19 stopped booting (or booted based on build/config) on our x86_64
    systems due to a bug introduced in 2.6.19. check_nmi_watchdog schedules
    an IPI on all cpus to busy wait on a flag, but fails to set the busywait
    flag if NMI functionality is disabled. This causes the secondary cpus to
    spin in an endless loop, causing the kernel bootup to hang.

    Depending upon the build, the busywait flag got overwritten (stack
    variable) and caused the kernel to boot up on certain builds. The
    following patch fixes the bug by setting the busywait flag before
    returning from check_nmi_watchdog. I guess using a stack variable is
    not good here as the calling function could potentially return while
    the busy wait loop is still spinning on the flag.

    AK: I redid the patch significantly to be cleaner

    Signed-off-by: Ravikiran Thirumalai
    Signed-off-by: Shai Fultheim
    Signed-off-by: Andi Kleen
    Signed-off-by: Chris Wright

commit a10457ccb7a459c86a94c46680c69afbf5608f49
Author: Hirokazu Takata
Date:   Fri Dec 8 02:35:54 2006 -0800

    [PATCH] m32r: make userspace headers platform-independent

    The m32r kernel 2.6.18-rc1 or after causes build errors of "unknown isa
    configuration" for userspace application programs, such as glibc, gdb,
    etc. This is because recent kernels do not include linux/config.h, so
    as not to expose kernel headers to userspace.

    To fix the above compile errors, this patch fixes two headers, ptrace.h
    and sigcontext.h, for m32r and makes them platform-independent.

    Signed-off-by: Hirokazu Takata
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit a3956ef72c8d27e4b6a854afd45ae6cc9c6fa5e4
Author: Zachary Amsden
Date:   Wed Dec 6 20:39:39 2006 -0800

    [PATCH] softirq: remove BUG_ONs which can incorrectly trigger

    It is possible to have tasklets get scheduled before softirqd has had a
    chance to spawn on all CPUs. This is totally harmless; after success
    during action CPU_UP_PREPARE, action CPU_ONLINE will be called, which
    immediately wakes softirqd on the appropriate CPU to process the
    already pending tasklets. So there is no danger of having a missed
    wakeup for any tasklets that were already pending.

    In particular, i386 is affected by this during startup, and is visible
    when using a very large initrd; during the time it takes for the initrd
    to be decompressed, a timer IRQ can come in and schedule RCU callbacks.
    It is also possible that resending of a hardware IRQ via a softirq
    triggers the same bug.

    Because of different timing conditions, this shows up in all emulators
    and virtual machines tested, including Xen, VMware, Virtual PC, and
    Qemu. It is also possible to trigger on native hardware with a large
    enough initrd, although I don't have a reliable case demonstrating that.

    Signed-off-by: Zachary Amsden
    Cc: Ingo Molnar
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit 7f803f5145613f8e32a78d07d14fed6e82c797f7
Author: Jiri Kosina
Date:   Wed Dec 6 20:39:38 2006 -0800

    [PATCH] autofs: fix error code path in autofs_fill_sb()

    When the kernel is compiled with an old version of autofs
    (CONFIG_AUTOFS_FS), and a new (observed at least with 5.x.x) automount
    daemon is started, the kernel correctly reports an incompatible version
    of kernel and userland daemon, but then screws things up instead of
    correctly handling the error:

    autofs: kernel does not match daemon version
    =====================================
    [ BUG: bad unlock balance detected! ]
    -------------------------------------
    automount/4199 is trying to release lock (&type->s_umount_key) at:
    [] get_sb_nodev+0x76/0xa4
    but there are no more locks to release!

    other info that might help us debug this:
    no locks held by automount/4199.

    stack backtrace:
     [] dump_trace+0x68/0x1b2
     [] show_trace_log_lvl+0x18/0x2c
     [] show_trace+0xf/0x11
     [] dump_stack+0x12/0x14
     [] print_unlock_inbalance_bug+0xe7/0xf3
     [] lock_release+0x8d/0x164
     [] up_write+0x14/0x27
     [] get_sb_nodev+0x76/0xa4
     [] vfs_kern_mount+0x83/0xf6
     [] do_kern_mount+0x2d/0x3e
     [] do_mount+0x607/0x67a
     [] sys_mount+0x72/0xa4
     [] sysenter_past_esp+0x5f/0x99
    DWARF2 unwinder stuck at sysenter_past_esp+0x5f/0x99
    Leftover inexact backtrace:
    =======================

    and then deadlock comes.

    The problem: autofs_fill_super() returns EINVAL to get_sb_nodev(), but
    before that, it calls kill_anon_super() to destroy the superblock which
    won't be needed. This is however way too soon to call
    kill_anon_super(), because get_sb_nodev() has to perform its own
    cleanup of the superblock first (deactivate_super(), etc.). The correct
    time to call kill_anon_super() is in the autofs_kill_sb() callback,
    which is called by deactivate_super() at proper time, when the
    superblock is ready to be killed.

    I can see the same faulty codepath also in autofs4. This patch solves
    issues in both filesystems in the same way - it postpones the
    kill_anon_super() until the proper time is signalized by
    deactivate_super() calling the kill_sb() callback.

    [raven@themaw.net: update comment]
    Signed-off-by: Jiri Kosina
    Acked-by: Ian Kent
    Signed-off-by: Ian Kent
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit 1f583f6270cd7d3130b8a3b08cfef01534d588fe
Author: Rafael J Wysocki
Date:   Wed Dec 6 20:34:47 2006 -0800

    [PATCH] PM: Fix swsusp debug mode testproc

    The 'testproc' swsusp debug mode thaws tasks twice in a row, which is
    _very_ confusing. Fix that.

    Signed-off-by: Rafael J. Wysocki
    Acked-by: Pavel Machek
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit 1157f82831d3745a61b897d9f8a38886c586d09f
Author: Andrey Mirkin
Date:   Wed Dec 6 20:31:35 2006 -0800

    [PATCH] compat: skip data conversion in compat_sys_mount when data_page is NULL

    OpenVZ Linux kernel team has found a problem with mounting in compat
    mode. Simple command "mount -t smbfs ..." on Fedora Core 5 distro in
    32-bit mode leads to oops:

    Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP:
    [] compat_sys_mount+0xd6/0x290
    PGD 34d48067 PUD 34d03067 PMD 0
    Oops: 0000 [1] SMP
    CPU: 0
    Modules linked in: iptable_nat simfs smbfs ip_nat ip_conntrack vzdquota parport_pc lp parport 8021q bridge llc vznetdev vzmon nfs lockd sunrpc vzdev iptable_filter af_packet xt_length ipt_ttl xt_tcpmss ipt_TCPMSS iptable_mangle xt_limit ipt_tos ipt_REJECT ip_tables x_tables thermal processor fan button battery asus_acpi ac uhci_hcd ehci_hcd usbcore i2c_i801 i2c_core e100 mii floppy ide_cd cdrom
    Pid: 14656, comm: mount
    RIP: 0060:[] [] compat_sys_mount+0xd6/0x290
    RSP: 0000:ffff810034d31f38 EFLAGS: 00010292
    RAX: 000000000000002c RBX: 0000000000000000 RCX: 0000000000000000
    RDX: ffff810034c86bc0 RSI: 0000000000000096 RDI: ffffffff8061fc90
    RBP: ffff810034d31f78 R08: 0000000000000000 R09: 000000000000000d
    R10: ffff810034d31e58 R11: 0000000000000001 R12: ffff810039dc3000
    R13: 000000000805ea48 R14: 0000000000000000 R15: 00000000c0ed0000
    FS: 0000000000000000(0000) GS:ffffffff80749000(0033) knlGS:00000000b7d556b0
    CS: 0060 DS: 007b ES: 007b CR0: 000000008005003b
    CR2: 0000000000000000 CR3: 0000000034d43000 CR4: 00000000000006e0
    Process mount (pid: 14656, veid=300, threadinfo ffff810034d30000, task ffff810034c86bc0)
    Stack: 0000000000000000 ffff810034dd0000 ffff810034e4a000 000000000805ea48
     0000000000000000 0000000000000000 0000000000000000 0000000000000000
     000000000805ea48 ffffffff8021e64e 0000000000000000 0000000000000000
    Call Trace:
     [] ia32_sysret+0x0/0xa

    Code: 83 3b 06 0f 85 41 01 00 00 0f b7 43 0c 89 43 14 0f b7 43 0a
    RIP [] compat_sys_mount+0xd6/0x290
     RSP
    CR2: 0000000000000000

    The problem is that data_page pointer can be NULL, so we should skip
    data conversion in this case.

    Signed-off-by: Andrey Mirkin
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit ce9507af8c85327ac05e91a43c138591ed85b0aa
Author: Andrew Morton
Date:   Wed Dec 6 20:31:33 2006 -0800

    [PATCH] drm-sis linkage fix

    Fix http://bugzilla.kernel.org/show_bug.cgi?id=7606

    WARNING: "drm_sman_set_manager" [drivers/char/drm/sis.ko] undefined!

    Cc: Dave Airlie
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit a030daed9949daa6746072ee2752217adc424252
Author: Andrew Morton
Date:   Wed Dec 6 20:31:30 2006 -0800

    [PATCH] add bottom_half.h

    With CONFIG_SMP=n:

    drivers/input/ff-memless.c:384: warning: implicit declaration of function 'local_bh_disable'
    drivers/input/ff-memless.c:393: warning: implicit declaration of function 'local_bh_enable'

    Really linux/spinlock.h should include linux/interrupt.h. But
    interrupt.h includes sched.h which will need spinlock.h.

    So the patch breaks the _bh declarations out into a separate header and
    includes it in both interrupt.h and spinlock.h.

    Cc: "Randy.Dunlap"
    Cc: Andi Kleen
    Cc: Ingo Molnar
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit 04ff1391c82a403b5775da6e03c22559f86de091
Author: Thomas Graf
Date:   Thu Dec 7 23:49:45 2006 -0800

    [PATCH] NETLINK: Restore API compatibility of address and neighbour bits

    Restore API compatibility due to bits moved from rtnetlink.h to
    separate headers.

    Signed-off-by: Thomas Graf
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit d58808bcc7cb732a4f62af1105d46757d3167e57
Author: Jeet Chaudhuri
Date:   Fri Dec 8 01:32:22 2006 +0200

    [PATCH] IrDA: Incorrect TTP header reservation

    We must reserve SAR + MAX_HEADER bytes for IrLMP to fit in. This fixes
    an oops reported (and fixed) by Jeet Chaudhuri, when max_sdu_size is
    greater than 0.

    Signed-off-by: Samuel Ortiz
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 5bcd4af5fcd996bdd309bf506a60c6217810b1c6
Author: David Miller
Date:   Thu Dec 7 00:40:36 2006 -0800

    [PATCH] IPSEC: Fix inetpeer leak in ipv4 xfrm dst entries.

    We grab a reference to the route's inetpeer entry but forget to release
    it in xfrm4_dst_destroy().

    Bug discovered by Kazunori MIYAZAWA

    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 53f9565904925cf3cf5d059c245cee2c974e5508
Author: Sean Young
Date:   Wed Dec 6 20:27:32 2006 +0000

    [PATCH] USB: Fix oops in PhidgetServo

    The PhidgetServo causes an Oops when any of its sysfs attributes are
    read or written to, making the driver useless.

    Signed-off-by: Sean Young
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 4bcae31990d440ff1c58702b66db014f0c659fb3
Author: Patrick McHardy
Date:   Mon Dec 4 20:01:31 2006 -0800

    [PATCH] XFRM: Use output device disable_xfrm for forwarded packets

    Currently the behaviour of disable_xfrm is inconsistent between locally
    generated and forwarded packets. For locally generated packets
    disable_xfrm disables the policy lookup if it is set on the output
    device, for forwarded traffic however it looks at the input device.
    This makes it impossible to disable xfrm on all devices but a dummy
    device and use normal routing to direct traffic to that device.

    Always use the output device when checking disable_xfrm.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit ad8ca99ca28aba9961395dd59fdd1adfa6ad07fd
Author: David Miller
Date:   Mon Dec 4 19:57:11 2006 -0800

    [PATCH] TOKENRING: Remote memory corruptor in ibmtr.c

    ip_summed changes last summer had missed that one. As the result, we
    have ip_summed interpreted as CHECKSUM_PARTIAL now. IOW, ->csum is
    interpreted as offset of checksum in the packet. net/core/* will both
    read and modify the value as that offset, with obvious reasons. At the
    very least it's a remote memory corruptor.

    Signed-off-by: Al Viro
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit a526d58e9f362189b49a3ca73315101ff0fc1dc1
Author: Alexey Dobriyan
Date:   Sat Dec 2 23:58:49 2006 +0300

    [PATCH] do_coredump() and not stopping rewrite attacks? (CVE-2006-6304)

    On Sat, Dec 02, 2006 at 11:47:44PM +0300, Alexey Dobriyan wrote:
    > David Binderman compiled 2.6.19 with icc and grepped for "was set but never
    > used". Many warnings are on
    > http://coderock.org/kj/unused-2.6.19-fs

    Heh, the very first line:

    fs/exec.c(1465): remark #593: variable "flag" was set but never used

    fs/exec.c:
    1477 /*
    1478  * We cannot trust fsuid as being the "true" uid of the
    1479  * process nor do we know its entire history. We only know it
    1480  * was tainted so we dump it as root in mode 2.
    1481  */
    1482 if (mm->dumpable == 2) {        /* Setuid core dump mode */
    1483         flag = O_EXCL;          /* Stop rewrite attacks */
    1484         current->fsuid = 0;     /* Dump root private */
    1485 }

    And then filp_open follows with "flag" totally ignored.

    Signed-off-by: Chris Wright

commit 68057dcdf944f5801af3692c63e1f193e0f1a818
Author: Michael S Tsirkin
Date:   Mon Dec 4 18:44:48 2006 +0200

    [PATCH] IB/ucm: Fix deadlock in cleanup

    ib_ucm_cleanup_events() holds file_mutex while calling
    ib_destroy_cm_id(). This can deadlock since ib_destroy_cm_id() flushes
    event handlers, and ib_ucm_event_handler() needs file_mutex, too.
    Therefore, drop the file_mutex during the call to ib_destroy_cm_id().

    Signed-off-by: Michael S. Tsirkin
    Signed-off-by: Roland Dreier
    Acked-by: Sean Hefty
    Signed-off-by: Chris Wright

commit bed569c712c48235f355b963d41482ecda314e4f
Author: Maxime Austruy
Date:   Sun Dec 3 10:40:01 2006 -0600

    [PATCH] softmac: fix unbalanced mutex_lock/unlock in ieee80211softmac_wx_set_mlme

    Routine ieee80211softmac_wx_set_mlme has one return that fails to
    release a mutex acquired at entry.

    Signed-off-by: Maxime Austruy
    Signed-off-by: Larry Finger
    Signed-off-by: Chris Wright

commit 721aed8126ef1b3823fdd27c3fc3b98667e80fa9
Author: Bart De Schuymer
Date:   Mon Dec 4 12:22:10 2006 +0100

    [PATCH] NETFILTER: bridge netfilter: deal with martians correctly

    The attached patch resolves an issue where an IP DNATed packet with a
    martian source is forwarded while it's better to drop it. It also
    resolves messages complaining about IP forwarding being disabled while
    it's actually enabled. Thanks to lepton for reporting this problem.
    This is probably a candidate for the -stable release.

    Signed-off-by: Bart De Schuymer
    Signed-off-by: Patrick McHardy
    Signed-off-by: Chris Wright

commit 204f62139c90f142d05372d71e58cc3e6c9780ac
Author: Dmitry Mishin
Date:   Mon Dec 4 12:22:09 2006 +0100

    [PATCH] NETFILTER: Fix iptables compat hook validation

    In compat mode, the valid-hooks checks for matches and targets always
    succeed because the e->comefrom field is not yet initialized. This
    patch separates these checks from the translation code and moves them
    after the mark_source_chains() call, where these marks are initialized.

    Signed-off-by: Dmitry Mishin
    Signed-off-by: Patrick McHardy
    Signed-off-by: Chris Wright

commit 9d62d3f1f0eb730d9308aa4fa427a0e682d22b5f
Author: Dmitry Mishin
Date:   Mon Dec 4 12:22:07 2006 +0100

    [PATCH] NETFILTER: Fix {ip, ip6, arp}_tables hook validation

    Commit 590bdf7fd2292b47c428111cb1360e312eff207e introduced a regression
    in match/target hook validation. mark_source_chains builds a bitmask
    for each rule representing the hooks it can be reached from, which is
    then used by the matches and targets to make sure they are only called
    from valid hooks. The patch moved the match/target specific validation
    before the mark_source_chains call, at which point the mask is always
    zero.

    This patch returns back to the old order and moves the standard checks
    to mark_source_chains. This allows getting rid of a special case for
    standard targets as a nice side-effect.

    Signed-off-by: Dmitry Mishin
    Signed-off-by: Patrick McHardy
    Signed-off-by: Chris Wright

commit c856e3d57e3fdb74237ddfb8356e1cabee94c155
Author: Jurij Smakov
Date:   Sun Dec 3 19:36:32 2006 -0800

    [PATCH] SUNHME: Fix for sunhme failures on x86

    The following patch fixes the failure of sunhme drivers on x86 hosts
    due to missing pci_enable_device() and pci_set_master() calls, lost
    during code refactoring. It has been filed as bugzilla bug #7502 [0]
    and Debian bug #397460 [1].

    [0] http://bugzilla.kernel.org/show_bug.cgi?id=7502
    [1] http://bugs.debian.org/397460

    Signed-off-by: Jurij Smakov
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 643f290e85dca25c7fdf914b0fa20f104b2c2321
Author: David Miller
Date:   Fri Dec 1 20:36:44 2006 -0800

    [PATCH] PKT_SCHED act_gact: division by zero

    Not returning -EINVAL, because someone might want to use the value zero
    in some future gact_prob algorithm?

    Signed-off-by: Kim Nordlund
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 36dc46c8de3f6b4aa27622e808b35be5d7d5cf06
Author: Len Brown
Date:   Sat Dec 2 02:27:46 2006 -0500

    [PATCH] Revert "ACPI: SCI interrupt source override"

    This reverts commit 281ea49b0c294649a6de47a6f8fbe5611137726b, which
    broke ACPI Interrupt source overrides that move the SCI from one IRQ in
    PIC mode to another in IOAPIC mode. If the SCI shared an interrupt line
    with another device, this would result in an "irq 18: nobody cared"
    type failure.

    http://bugzilla.kernel.org/show_bug.cgi?id=7601

    Signed-off-by: Len Brown
    Signed-off-by: Chris Wright

commit 3da6c899c1a015019d05c724700b992cd740687d
Author: Herbert Xu
Date:   Sat Dec 2 14:37:27 2006 +1100

    [PATCH] cryptoloop: Select CRYPTO_CBC

    As CBC is the default chaining method for cryptoloop, we should select
    it from cryptoloop to ease the transition.

    Signed-off-by: Herbert Xu
    Signed-off-by: Chris Wright

commit 98178d01fce23126ffd2f71ca5c289db02ec460e
Author: Patrick McHardy
Date:   Thu Nov 30 20:06:33 2006 -0800

    [PATCH] NET_SCHED: policer: restore compatibility with old iproute binaries

    The tc actions increased the size of struct tc_police, which broke
    compatibility with old iproute binaries since both the act_police and
    the old NET_CLS_POLICE code check for an exact size match. Since the
    new members are not even used, the simple fix is to also accept the
    size of the old structure. Dumping is not affected since old userspace
    will receive a bigger structure, which is handled fine.

    Signed-off-by: Patrick McHardy
    Acked-by: Jamal Hadi Salim
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit bf59e3085f0d107969c01c3c00c88b0db3a3ca82
Author: Al Viro
Date:   Thu Nov 30 19:47:59 2006 -0800

    [PATCH] EBTABLES: Prevent wraparounds in checks for entry components' sizes.

    Signed-off-by: Al Viro
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit dc983545ac3c17728ebb1e0c56aadc85ae3f8daf
Author: Al Viro
Date:   Thu Nov 30 19:47:58 2006 -0800

    [PATCH] EBTABLES: Deal with the worst-case behaviour in loop checks.

    No need to revisit a chain we'd already finished with during the check
    for current hook. It's either instant loop (which we'd just detected)
    or a duplicate work.

    Signed-off-by: Al Viro
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 2066918ca75a860c085f294db4f679a397bcc9a3
Author: Al Viro
Date:   Thu Nov 30 19:47:56 2006 -0800

    [PATCH] EBTABLES: Verify that ebt_entries have zero ->distinguisher.

    We need that for iterator to work; existing check had been too weak.

    Signed-off-by: Al Viro
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 1ebe9529ae0ea279959d6455811f6f8cfcff0485
Author: Al Viro
Date:   Thu Nov 30 19:47:52 2006 -0800

    [PATCH] EBTABLES: Fix wraparounds in ebt_entries verification.

    We need to verify that
      a) we are not too close to the end of buffer to dereference
      b) next entry we'll be checking won't be _before_ our
    While we are at it, don't subtract unrelated pointers...

    Signed-off-by: Al Viro
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 80215bd7c3d16e459f0d96edbe310f0c5e0df3e8
Author: Michael Buesch
Date:   Wed Nov 29 18:51:12 2006 -0600

    [PATCH] softmac: remove netif_tx_disable when scanning

    In the scan section of ieee80211softmac, network transmits are
    disabled. When SoftMAC re-enables transmits, it may override the wishes
    of a driver that may have very good reasons for disabling transmits. At
    least one failure in bcm43xx can be traced to this problem. In
    addition, several unexplained problems may arise from the unexpected
    enabling of transmits.

    Signed-off-by: Michael Buesch
    Signed-off-by: Larry Finger
    Signed-off-by: Chris Wright

commit ba29705432462317d1a7b135612a9ef5b928d6c0
Author: David Miller
Date:   Sat Dec 2 21:04:06 2006 -0800

    [PATCH] IPV6 NDISC: Calculate packet length correctly for allocation.

    MAX_HEADER does not include the ipv6 header length in it, so we need to
    add it in explicitly.

    With help from YOSHIFUJI Hideaki.

    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
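The EBTABLES commits in this release (Al Viro's "Prevent wraparounds in checks for entry components' sizes" and "Fix wraparounds in ebt_entries verification") all come down to one defensive pattern: when walking a user-supplied buffer of variable-length entries, every bound must be checked by comparing an untrusted size against the length that remains, never by adding that size to a pointer and comparing with the end (which can wrap), and never by subtracting unrelated pointers. The C program below is an added example written for this page; it is not kernel code and does not use the ebtables structures. `struct entry`, `walk_entries`, `build_chain` and the scenario helpers are hypothetical names, and the sample buffers are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical entry layout (constructed for this example, not ebtables'):
 * a header followed by payload_len bytes; next_offset is the distance from
 * this header to the next one, header included. */
struct entry {
    uint32_t next_offset;
    uint32_t payload_len;
};

enum walk_result {
    WALK_OK = 0,
    WALK_ERR_TRUNCATED,   /* too close to the end of the buffer to read a header */
    WALK_ERR_BAD_OFFSET,  /* next entry would start inside this one or past the end */
    WALK_ERR_PAYLOAD      /* payload does not fit inside its own entry */
};

/* Walk the chain in buf[0..len) and count entries. Each bound is checked by
 * comparing an untrusted size against the remaining length (len - off), never
 * by adding the size to a pointer, so a huge next_offset cannot wrap around
 * and slip past an end-of-buffer comparison. */
int walk_entries(const unsigned char *buf, size_t len, size_t *count)
{
    size_t off = 0, n = 0;

    while (off < len) {
        struct entry e;

        /* a) is there room left to read the header at all? */
        if (len - off < sizeof e)
            return WALK_ERR_TRUNCATED;
        memcpy(&e, buf + off, sizeof e);

        /* b) the next entry must lie after this header and within the buffer;
         * because off < len here, len - off cannot underflow. */
        if (e.next_offset < sizeof e || e.next_offset > len - off)
            return WALK_ERR_BAD_OFFSET;

        /* c) the payload must fit in the space this entry claims for itself. */
        if (e.payload_len > e.next_offset - sizeof e)
            return WALK_ERR_PAYLOAD;

        off += e.next_offset;
        n++;
    }
    *count = n;
    return WALK_OK;
}

/* ---- constructed sample data for the scenarios below ---- */

#define PAYLOAD 12u
#define STRIDE  (sizeof(struct entry) + PAYLOAD)   /* 20 bytes per entry */

/* Fill out[] with n well-formed entries; returns bytes written, 0 if out is too small. */
size_t build_chain(unsigned char *out, size_t cap, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        struct entry e = { .next_offset = (uint32_t)STRIDE, .payload_len = PAYLOAD };
        if (cap - off < STRIDE)
            return 0;
        memcpy(out + off, &e, sizeof e);
        memset(out + off + sizeof e, 0xAB, PAYLOAD);
        off += STRIDE;
    }
    return off;
}

/* Well-formed three-entry chain: returns the entry count, or 0 on any error. */
size_t scenario_valid_count(void)
{
    unsigned char buf[128] = {0};
    size_t count = 0;
    size_t len = build_chain(buf, sizeof buf, 3);
    return walk_entries(buf, len, &count) == WALK_OK ? count : 0;
}

/* Constructed corruption: build the same chain, overwrite the u32 at byte
 * offset `off` with `value`, then walk len + extra bytes. Cases to try:
 *   (STRIDE,     0xFFFFFFF0u, 0) -> WALK_ERR_BAD_OFFSET  huge offset; a 32-bit pointer sum would wrap
 *   (STRIDE,     4,           0) -> WALK_ERR_BAD_OFFSET  next entry would start inside this header
 *   (STRIDE + 4, 64,          0) -> WALK_ERR_PAYLOAD     payload larger than its own entry
 *   (STRIDE,     STRIDE,      4) -> WALK_ERR_TRUNCATED   four stray bytes cannot hold a header */
int scenario_corrupted(size_t off, uint32_t value, size_t extra)
{
    unsigned char buf[128] = {0};
    size_t count = 0;
    size_t len = build_chain(buf, sizeof buf, 3);
    memcpy(buf + off, &value, sizeof value);
    return walk_entries(buf, len + extra, &count);
}
```

The point of the three checks is their order and their operands: the header is read only after `len - off` is known to cover it, the forward step is validated against the remaining length rather than against a pointer computed from it, and the payload is bounded by the entry's own declared size. Any check written as `(char *)e + e->next_offset > end` would be defeated by an offset large enough to wrap the sum on a 32-bit host, which is exactly the class of bug the four commits close.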