commit 026164e704dbe989054cd189e34660aafefc9913
Author: Greg Kroah-Hartman
Date:   Fri Mar 9 10:58:04 2007 -0800

    Linux 2.6.20.2

commit 4c9ef074b33690981d81ab0107fe2573007083ef
Author: David S. Miller
Date:   Wed Mar 7 12:50:46 2007 -0800

    IPV6: Handle np->opt being NULL in ipv6_getsockopt_sticky() [CVE-2007-1000]

    This fixes http://bugzilla.kernel.org/show_bug.cgi?id=8134

    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 3baa43fdc9b64646b468b92936c4842c51b9e2ed
Author: Eric W. Biederman
Date:   Wed Mar 7 14:23:54 2007 -0500

    x86-64: survive having no irq mapping for a vector

    Occasionally the kernel has bugs that result in no irq being found for a
    given cpu vector. If we acknowledge the irq the system has a good chance
    of continuing even though we dropped an irq message. If we continue to
    simply print a message and not acknowledge the irq the system is likely
    to become non-responsive shortly thereafter.

    AK: Fixed compilation for UP kernels

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andi Kleen
    Cc: "Luigi Genoni"
    Cc: Andi Kleen
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit 7670279989a552a7a8afd275368d55a4f3b5054b
Author: Marcel Holtmann
Date:   Wed Mar 7 13:22:40 2007 -0500

    Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005)

    Based on a patch from Don Howard

    When calling write() with a buffer larger than 512 bytes, the driver's
    write buffer overflows, allowing to overwrite the EIP and execute
    arbitrary code with kernel privileges.

    In read(), there exists a similar problem, but coming from the device. A
    malicious or buggy device sending more than 512 bytes can overflow of the
    driver's read buffer, with the same effects as above.

    Signed-off-by: Marcel Holtmann
    Signed-off-by: Harald Welte
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright

commit 248059edc6503eac8baac39dad42e76383824720
Author: Arnaldo Carvalho de Melo
Date:   Wed Feb 28 11:29:33 2007 -0800

    TCP: Fix minisock tcp_create_openreq_child() typo.

    On 2/28/07, KOVACS Krisztian wrote:
    >
    > Hi,
    >
    > While reading TCP minisock code I've found this suspiciously looking
    > code fragment:
    >
    > - 8< -
    > struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req, struct sk_buff *skb)
    > {
    >         struct sock *newsk = inet_csk_clone(sk, req, GFP_ATOMIC);
    >
    >         if (newsk != NULL) {
    >                 const struct inet_request_sock *ireq = inet_rsk(req);
    >                 struct tcp_request_sock *treq = tcp_rsk(req);
    >                 struct inet_connection_sock *newicsk = inet_csk(sk);
    >                 struct tcp_sock *newtp;
    > - 8< -
    >
    > The above code initializes newicsk to inet_csk(sk), isn't that supposed
    > to be inet_csk(newsk)? As far as I can tell this might leave
    > icsk_ack.last_seg_size zero even if we do have received data.

    Good catch!

    David, please apply the attached patch.

    Signed-off-by: Arnaldo Carvalho de Melo
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit daed330d4e1ca96e81ed0e7fce6de4ac22d9050c
Author: Josef Whiter
Date:   Wed Feb 21 14:37:59 2007 -0800

    gfs2: fix locking mistake

    Fix a locking mistake in the quota code, we do a mutex_lock instead of a
    mutex_unlock.

    Signed-off-by: Josef Whiter
    Cc: Steven Whitehouse
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 55eb1f49d93b85b3e2c2130c4ea2aaf557996b00
Author: Zhang, Yanmin
Date:   Wed Feb 14 23:37:03 2007 -0800

    ATA: convert GSI to irq on ia64

    If an ATA drive uses legacy mode, ata driver will choose 14 and 15 as the
    fixed irq number. On ia64 platform, such numbers are GSI and should be
    converted to irq vector.

    Signed-off-by: Zhang Yanmin
    Cc: Jeff Garzik
    Cc: Tony Luck
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 287be53469194d65a10986023145b7b316f906e5
Author: Gerhard Dirschl
Date:   Mon Feb 12 21:32:43 2007 -0800

    pktcdvd: Correctly set cmd_len field in pkt_generic_packet

    Fixes http://bugzilla.kernel.org/show_bug.cgi?id=7810 - a silly
    copy-paste bug introduced by the latest change.

    Signed-off-by: Gerhard Dirschl
    Cc: Peter Osterlund
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit d9202f177156d05eba30cf2a25fc15d8f5cca8b5
Author: David Miller
Date:   Mon Mar 5 15:53:45 2007 -0800

    video/aty/mach64_ct.c: fix bogus delay loop

    CT based mach64 cards were reported to hang on sparc64 boxes when
    compiled with gcc-4.1.x and later.

    Looking at this piece of code, it's no surprise. A critical delay was
    implemented as an empty for() loop, and gcc 4.0.x and previous did not
    optimize it away, so we did get a delay. But gcc-4.1.x and later can
    optimize it away, and we get crashes.

    Use a real udelay() to fix this. Fix verified on SunBlade100.

    Signed-off-by: David S. Miller
    Cc: Andrew Morton
    Cc: "Antonino A. Daplas"
    Signed-off-by: Linus Torvalds

commit cb1e01df3290e1806d1800a14fcd085248f48560
Author: Andrew Morton
Date:   Tue Mar 6 02:41:49 2007 -0800

    revert "drivers/net/tulip/dmfe: support basic carrier detection"

    Revert 7628b0a8c01a02966d2228bdf741ddedb128e8f8. Thomas Bachler reports:

      Commit 7628b0a8c01a02966d2228bdf741ddedb128e8f8 (drivers/net/tulip/dmfe:
      support basic carrier detection) breaks networking on my Davicom DM9009.
      ethtool always reports there is no link. tcpdump shows incoming packets,
      but TX is disabled. Reverting the above patch fixes the problem.

    Cc: Samuel Thibault
    Cc: Jeff Garzik
    Cc: Valerie Henson
    Cc: Thomas Bachler
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 5b214a4e6cf6557ca118c3dd5843b809f0d2fde9
Author: Andrew Morton
Date:   Wed Feb 28 20:13:21 2007 -0800

    throttle_vm_writeout(): don't loop on GFP_NOFS and GFP_NOIO allocations

    throttle_vm_writeout() is designed to wait for the dirty levels to
    subside. But if the caller holds IO or FS locks, we might be holding up
    that writeout.

    So change it to take a single nap to give other devices a chance to clean
    some memory, then return.

    Cc: Nick Piggin
    Cc: OGAWA Hirofumi
    Cc: Kumar Gala
    Cc: Pete Zaitcev
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 0ad1314a8374ed30092752d8406e9cc5940f58fa
Author: Sam Ravnborg
Date:   Wed Feb 28 20:12:31 2007 -0800

    fix section mismatch warning in lockdep

    lockdep_init() is marked __init but used in several places outside __init
    code. This causes following warnings:

    $ scripts/mod/modpost kernel/lockdep.o
    WARNING: kernel/built-in.o - Section mismatch: reference to .init.text:lockdep_init from .text.lockdep_init_map after 'lockdep_init_map' (at offset 0x105)
    WARNING: kernel/built-in.o - Section mismatch: reference to .init.text:lockdep_init from .text.lockdep_reset_lock after 'lockdep_reset_lock' (at offset 0x35)
    WARNING: kernel/built-in.o - Section mismatch: reference to .init.text:lockdep_init from .text.__lock_acquire after '__lock_acquire' (at offset 0xb2)

    The warnings are less obviously due to heavy inlining by gcc - this is
    not altered.

    Fix the section mismatch warnings by removing the __init marking, which
    seems obviously wrong.

    Signed-off-by: Sam Ravnborg
    Acked-by: Ingo Molnar
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit c8f9fa24f3b91e06a27931c908d6184c06e3119b
Author: Randy Dunlap
Date:   Fri Feb 16 01:47:33 2007 -0800

    ueagle-atm.c needs sched.h

    Driver needs sched.h for try_to_freeze().

    Signed-off-by: Randy Dunlap
    Cc: Greg KH
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit df24f7b946697c965089b809b275c210ba475bc2
Author: S.Caglar Onur
Date:   Mon Feb 12 00:54:34 2007 -0800

    kvm: Fix asm constraint for lldt instruction

    lldt does not accept immediate operands, which "g" allows.

    Signed-off-by: S.Caglar Onur
    Signed-off-by: Avi Kivity
    Cc: Ingo Molnar
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 9edec60fc58f75b70f9bbc5faf2567e5f61759b8
Author: Heiko Carstens
Date:   Mon Feb 12 00:52:20 2007 -0800

    lockdep: forward declare struct task_struct

    3117df0453828bd045c16244e6f50e5714667a8a causes this:

    In file included from arch/s390/kernel/early.c:13:
    include/linux/lockdep.h:300: warning: "struct task_struct" declared inside parameter list
    include/linux/lockdep.h:300: warning: its scope is only this definition or declaration, which is probably not what you want

    Acked-by: Ingo Molnar
    Cc: Martin Schwidefsky
    Signed-off-by: Heiko Carstens
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit e24efe9467f86d7d3e18f3078c13217ea60b63e2
Author: Jiri Slaby
Date:   Mon Feb 12 00:52:30 2007 -0800

    Char: specialix, isr have 2 params

    specialix, isr have 2 params

    pt_regs are no longer the third parameter of isr, call sx_interrupt
    without it.

    Signed-off-by: Jiri Slaby
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 54710f60049c613cd0ae4bb0d3180f8bfb8c323c
Author: Nick Piggin
Date:   Sat Feb 10 01:46:22 2007 -0800

    buffer: memorder fix

    unlock_buffer(), like unlock_page(), must not clear the lock without
    ensuring that the critical section is closed.

    Mingming later sent the same patch, saying:

      We are running SDET benchmark and saw double free issue for ext3
      extended attributes block, which complains the same xattr block already
      being freed (in ext3_xattr_release_block()). The problem could also been
      triggered by multiple threads loop untar/rm a kernel tree.

      The race is caused by missing a memory barrier at unlock_buffer() before
      the lock bit being cleared, resulting in possible concurrent h_refcounter
      update. That causes a reference counter leak, then later leads to the
      double free that we have seen.

      Inside unlock_buffer(), there is a memory barrier is placed *after* the
      lock bit is being cleared, however, there is no memory barrier *before*
      the bit is cleared. On some arch the h_refcount update instruction and
      the clear bit instruction could be reordered, thus leave the critical
      section re-entered.

      The race is like this: For example, if the h_refcount is initialized
      as 1,

      cpu 0: cpu1

commit 5556eaffcc2704d9dca81c80cf3e7cbcc869f680
Author: Mathieu Desnoyers
Date:   Sat Feb 10 01:43:43 2007 -0800

    kernel/time/clocksource.c needs struct task_struct on m68k

    kernel/time/clocksource.c needs struct task_struct on m68k.

    Because it uses spin_unlock_irq(), which, on m68k, uses hardirq_count(),
    which uses preempt_count(), which needs to dereference struct
    task_struct, we have to include sched.h. Because it would cause a loop
    inclusion, we cannot include sched.h in any other of asm-m68k/system.h,
    linux/thread_info.h, linux/hardirq.h, which leaves this ugly include in a
    C file as the only simple solution.

    Signed-off-by: Mathieu Desnoyers
    Cc: Ingo Molnar
    Cc: Roman Zippel
    Cc: Thomas Gleixner
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit cffb0fa41969e3d8a10f0645cfd439572e224609
Author: Hirokazu Takata
Date:   Sat Feb 10 01:43:35 2007 -0800

    m32r: build fix for processors without ISA_DSP_LEVEL2

    Additional fixes for processors without ISA_DSP_LEVEL2. sigcontext_t does
    not have dummy_acc1h, dummy_acc1l members any longer.

    Signed-off-by: Hirokazu Takata
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 858965e60c118050c4cd25a34e78560b839ad675
Author: Ken Chen
Date:   Thu Feb 8 14:20:27 2007 -0800

    hugetlb: preserve hugetlb pte dirty state

    __unmap_hugepage_range() is buggy that it does not preserve dirty state
    of huge_pte when unmapping hugepage range. It causes data corruption in
    the event of dop_caches being used by sys admin. For example, an
    application creates a hugetlb file, modify pages, then unmap it.
    While leaving the hugetlb file alive, comes along sys admin doing a "echo
    3 > /proc/sys/vm/drop_caches".

    drop_pagecache_sb() will happily free all pages that aren't marked dirty
    if there are no active mapping. Later when application remaps the hugetlb
    file back and all data are gone, triggering catastrophic flip over on
    application.

    Not only that, the internal resv_huge_pages count will also get all
    messed up. Fix it up by marking page dirty appropriately.

    Signed-off-by: Ken Chen
    Cc: "Nish Aravamudan"
    Cc: Adam Litke
    Cc: David Gibson
    Acked-by: William Irwin
    Cc: Hugh Dickins
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit ee3b6b5324ad82788fb051fac4765a7e6835b454
Author: Soeren Sonnenburg
Date:   Thu Feb 8 14:20:38 2007 -0800

    enable mouse button 2+3 emulation for x86 macs

    As macbook/macbook pro's also have to live with a single mouse button the
    following patch just enables the Macintosh device drivers menu in Kconfig
    + adds the macintosh dir to the obj-* to make macbook* users happy (who
    use exactly that since months....

    Signed-off-by: Soeren Sonnenburg
    Cc: Benjamin Herrenschmidt
    Cc: Paul Mackerras
    Cc: Dmitry Torokhov
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 6c087d85b0fffaa80ff7647bb209ed0ec8aac184
Author: Adrian Bunk
Date:   Thu Feb 8 14:20:38 2007 -0800

    v9fs_vfs_mkdir(): fix a double free

    Fix a double free of "dfid" introduced by commit
    da977b2c7eb4d6312f063a7b486f2aad99809710 and spotted by the Coverity
    checker.

    Signed-off-by: Adrian Bunk
    Cc: Eric Van Hensbergen
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit a45d5cf5d2e068e533d9a80bdf2fbcd0bbadf641
Author: Evgeniy Dushistov
Date:   Thu Feb 8 14:20:25 2007 -0800

    ufs: restore back support of openstep

    This is a fix of regression, which triggered by ~2.6.16.
    Patch with name ufs-directory-and-page-cache-from-blocks-to-pages.patch:
    in additional to conversation from block to page cache mechanism added
    new checks of directory integrity, one of them that directory entry do
    not across directory chunks.

    But some kinds of UFS: OpenStep UFS and Apple UFS (looks like these are
    the same filesystems) have different directory chunk size, then common
    UFSes(BSD and Solaris UFS).

    So this patch adds ability to works with variable size of directory
    chunks, and set it for ufstype=openstep to right size.

    Tested on darwin ufs.

    Signed-off-by: Evgeniy Dushistov
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 327da22cbc18e6c5b7e2cab04aa6315b59cbd0fa
Author: Zwane Mwaikambo
Date:   Mon Feb 5 16:45:06 2007 -0800

    Fix MTRR compat ioctl

    The MTRR compat code wasn't calling the lowlevel MTRR setup due to a
    switch block not handling the compat case.

    Before:
    (WW) I810(0): Failed to set up write-combining range (0xd0000000,0x10000000)

    After:
    reg00: base=0x00000000 (   0MB), size=1024MB: write-back, count=1
    reg01: base=0x40000000 (1024MB), size= 512MB: write-back, count=1
    reg02: base=0x5f700000 (1527MB), size=   1MB: uncachable, count=1
    reg03: base=0x5f800000 (1528MB), size=   8MB: uncachable, count=1
    reg04: base=0xd0000000 (3328MB), size= 256MB: write-combining, count=1

    Signed-off-by: Zwane Mwaikambo
    Cc: Andi Kleen
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 3f2464089071468e293df838c4bcec24c920f28a
Author: Magnus Damm
Date:   Mon Feb 5 16:20:09 2007 -0800

    kexec: Fix CONFIG_SMP=n compilation V2 (ia64)

    Kexec support for 2.6.20 on ia64 does not build properly using a config
    made up by CONFIG_SMP=n and CONFIG_HOTPLUG_CPU=n:

    CC arch/ia64/kernel/machine_kexec.o
    arch/ia64/kernel/machine_kexec.c: In function `machine_shutdown':
    arch/ia64/kernel/machine_kexec.c:77: warning: implicit declaration of function `cpu_down'
    AS arch/ia64/kernel/relocate_kernel.o
    CC arch/ia64/kernel/crash.o
    arch/ia64/kernel/crash.c: In function `kdump_cpu_freeze':
    arch/ia64/kernel/crash.c:139: warning: implicit declaration of function `ia64_jump_to_sal'
    arch/ia64/kernel/crash.c:139: error: `sal_boot_rendez_state' undeclared (first use in this function)
    arch/ia64/kernel/crash.c:139: error: (Each undeclared identifier is reported only once
    arch/ia64/kernel/crash.c:139: error: for each function it appears in.)
    arch/ia64/kernel/crash.c: At top level:
    arch/ia64/kernel/crash.c:84: warning: 'kdump_wait_cpu_freeze' defined but not used
    make[1]: *** [arch/ia64/kernel/crash.o] Error 1
    make: *** [arch/ia64/kernel] Error 2

    Signed-off-by: Magnus Damm
    Acked-by: Simon Horman
    Acked-by: Jay Lan
    Cc: Tony Luck
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 610a0848ef255175fa9552406b8582c1df7593bb
Author: Trond Myklebust
Date:   Mon Feb 5 12:33:23 2007 -0800

    NLM: Fix double free in __nlm_async_call

    rpc_call_async() will always call rpc_release_calldata(), so it is an
    error for __nlm_async_call() to do so as well.

    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=7923

    Signed-off-by: Trond Myklebust
    Cc: Jan "Yenya" Kasprzak
    Cc: Neil Brown
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit af2fec7364857f677b3f9ee3617ee9fbc849e6bd
Author: Trond Myklebust
Date:   Mon Feb 5 12:33:22 2007 -0800

    RPM: fix double free in portmapper code

    rpc_run_task is guaranteed to always call ->rpc_release.

    Signed-off-by: Trond Myklebust
    Cc: Neil Brown
    Cc: Jan "Yenya" Kasprzak
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 25239266d554a0442eb676044f03de9d43364c42
Author: Linus Torvalds
Date:   Wed Mar 7 07:56:00 2007 +0000

    Revert "[PATCH] LOG2: Alter get_order() so that it can make use of ilog2() on a constant"

    Revert "[PATCH] LOG2: Alter get_order() so that it can make use of ilog2() on a constant"

    This reverts commit 39d61db0edb34d60b83c5e0d62d0e906578cc707.

    The commit was buggy in multiple ways:

     - the conversion to ilog2() was incorrect to begin with

     - it tested the wrong #defines, so on all architectures but FRV you'd
       never see the bug except for constant arguments.

     - the new "get_order()" macro used its arguments multiple times, and
       didn't even parenthesize them properly

     - despite the comments, it was not true that you could use it for
       constant initializers, since not all architectures even use the
       generic page.h header file.

    All of the problems are individually fixable, but it all boils down to:
    better just revert it, and re-do it from scratch.

    Cc: David Howells
    Cc: Benjamin Herrenschmidt
    Cc: Paul Mackerras
    Cc: Andrew Morton
    Cc: David Woodhouse
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 752dae420e55ca2498756e3655eabf741afa4968
Author: Thomas Renninger
Date:   Thu Feb 22 13:52:40 2007 +0100

    Backport of psmouse suspend/shutdown cleanups

    This patch works back to 2.6.17 (earlier kernels seem to need up/down
    operations on mutex/semaphore).

    psmouse - properly reset mouse on shutdown/suspend

    Some people report that they need psmouse module unloaded for suspend to
    ram/disk to work properly. Let's make port cleanup behave the same way as
    driver unload.

    This fixes "bad state" problem on various HP laptops, such as nx7400.

    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Thomas Renninger
    Signed-off-by: Greg Kroah-Hartman

commit 252878df90c4b41d612f3e9170c7a691a393ab3a
Author: David Brownell
Date:   Wed Feb 21 11:50:33 2007 -0500

    USB: usbnet driver bugfix

    The attached fixes an oops in the usbnet driver. The same patch is in
    2.6.21-rc1, but that one has many whitespace changes. This is much
    smaller.

    Signed-off-by: David Brownell
    Signed-off-by: Greg Kroah-Hartman

commit d499ac7a3681e270074e880879d0e0a5ad0849fa
Author: Ingo Molnar
Date:   Thu Mar 1 18:58:51 2007 -0500

    sched: fix SMT scheduler bug

    The SMT scheduler incorrectly skips kernel threads even if they are
    runnable (but they are preempted by a higher-prio user-space task which
    got SMT-delayed by an even higher-priority task running on a sibling
    CPU).

    Fix this for now by only doing the SMT-nice optimization if the
    to-be-delayed task is the only runnable task. (This should cover most of
    the real-life cases anyway.)

    This bug has been in the SMT scheduler since 2.6.17 or so, but has only
    been noticed now by the active check in the dynticks code.

    Signed-off-by: Ingo Molnar
    Cc: Michal Piotrowski
    Cc: Nick Piggin
    Cc: Thomas Gleixner
    Cc: Chuck Ebbert
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

commit 530b09160744a12450fdacb2b78779c9830a29c8
Author: Aristeu Sergio Rozanski Filho
Date:   Thu Mar 1 19:02:55 2007 -0500

    tty_io: fix race in master pty close/slave pty close path

    This patch fixes a possible race that leads to double freeing an idr
    index. When the master begin to close, release_dev() is called and then
    pty_close() is called:

            if (tty->driver->close)
                    tty->driver->close(tty, filp);

    This is done without holding any locks other than BKL. Inside
    pty_close(), being a master close, the devpts entry will be removed:

    #ifdef CONFIG_UNIX98_PTYS
            if (tty->driver == ptm_driver)
                    devpts_pty_kill(tty->index);
    #endif

    But devpts_pty_kill() will call get_node() that may sleep while waiting
    for &devpts_root->d_inode->i_sem. When this happens and the slave is
    being opened, tty_open() just found the driver and index:

            driver = get_tty_driver(device, &index);
            if (!driver) {
                    mutex_unlock(&tty_mutex);
                    return -ENODEV;
            }

    This part of the code is already protected under tty_mute. The problem is
    that the slave close already got an index. Then init_dev() is called and
    blocks waiting for the same &devpts_root->d_inode->i_sem.
    When the master close resumes, it removes the devpts entry, and the
    relation between idr index and the tty is gone. The master then sleeps
    waiting for the tty_mutex on release_dev().

    Slave open resumes and found no tty for that index. As result, a NULL tty
    is returned and init_dev() doesn't flow to fast_track:

            /* check whether we're reopening an existing tty */
            if (driver->flags & TTY_DRIVER_DEVPTS_MEM) {
                    tty = devpts_get_tty(idx);
                    if (tty && driver->subtype == PTY_TYPE_MASTER)
                            tty = tty->link;
            } else {
                    tty = driver->ttys[idx];
            }
            if (tty) goto fast_track;

    The result of this, is that a new tty will be created and init_dev()
    returns successfully. After returning, tty_mutex is dropped and master
    close may resume.

    Master close finds it's the only use and both sides are closing, then
    releases the tty and the index. At this point, the idr index is free, but
    slave still has it.

    Slave open then calls pty_open() and finds that tty->link->count is 0,
    because there's no master and returns error. Then tty_open() calls
    release_dev() which executes without any warning, as it was a case of
    last slave close when the master is already closed (master->count == 0,
    slave->count == 1). The tty is then released with the already released
    idr index.

    This normally would only issue a warning on idr_remove() but in case of a
    customer's critical application, it's never too simple:

    thread1: opens master, gets index X
    thread1: begin closing master
    thread2: begin opening slave with index X
    thread1: finishes closing master, index X released
    thread3: opens master, gets index X, just released
    thread2: fails opening slave, releases index X <----
    thread4: opens master, gets index X, init_dev() then find an already in
             use and healthy tty and fails

    If no more indexes are released, ptmx_open() will keep failing, as the
    first free index available is X, and it will make init_dev() fail because
    you're trying to "reopen a master" which isn't valid.

    The patch notices when this race happens and make init_dev() fail
    immediately. The init_dev() function is called with tty_mutex held, so
    it's safe to continue with tty till the end of function because
    release_dev() won't make any further changes without grabbing the
    tty_mutex.

    Without the patch, on some machines it's possible get easily idr warnings
    like this one:

    idr_remove called for id=15 which is not allocated.
     [] idr_remove+0x139/0x170
     [] release_mem+0x182/0x230
     [] release_dev+0x4b7/0x700
     [] tty_ldisc_enable+0x27/0x30
     [] init_dev+0x254/0x580
     [] check_tty_count+0x14/0xb0
     [] tty_open+0x1c5/0x340
     [] tty_open+0x0/0x340
     [] chrdev_open+0xaf/0x180
     [] open_namei+0x8c/0x760
     [] chrdev_open+0x0/0x180
     [] __dentry_open+0xc9/0x210
     [] do_filp_open+0x5c/0x70
     [] get_unused_fd+0x61/0xd0
     [] do_sys_open+0x53/0x100
     [] sys_open+0x27/0x30
     [] syscall_call+0x7/0xb

    using this test application available on:
     http://www.ruivo.org/~aris/pty_sodomizer.c

    Signed-off-by: Aristeu Sergio Rozanski Filho
    Cc: "H. Peter Anvin"
    Cc: Chuck Ebbert
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 5697ea0fe9673ac953cfeb2d2b80effdba1cc0c4
Author: Ayaz Abdulla
Date:   Thu Mar 1 19:05:16 2007 -0500

    forcedeth: disable msix

    forcedeth: disable msix

    There seems to be an issue when both MSI-X is enabled and NAPI is
    configured. This patch disables MSI-X until the issue is root caused.

    Signed-off-by: Ayaz Abdulla
    Signed-off-by: Jeff Garzik
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit d50ff202a754e2c37979fefefc5df0f1bb898623
Author: Neil Brown
Date:   Fri Mar 9 10:50:27 2007 -0800

    export blk_recount_segments

    On Monday February 12, marcm@liquid-nexus.net wrote:
    > >
    > > Thanks for the quick response Neil unfortunately the kernel doesn't build with
    > > this patch due to a missing symbol:
    > >
    > > WARNING: "blk_recount_segments" [drivers/md/raid456.ko] undefined!
    > >
    > > Is that in another file that needs patching or within raid5.c?

    Yes.
    I keep forgetting about that bit. Sorry.

    Signed-off-by: Neil Brown
    Signed-off-by: Greg Kroah-Hartman

commit 9b1e918ac5dfc73493a2253731ab84a7f907c5be
Author: Michał Mirosław
Date:   Fri Mar 9 10:50:27 2007 -0800

    Fix reference counting (memory leak) problem in __nfulnl_send() and
    callers related to packet queueing.

    Signed-off-by: Michał Mirosław
    Signed-off-by: Greg Kroah-Hartman

commit 9e44f708876955f49190c04ce83b9dcb712ce3ff
Author: David Stevens
Date:   Tue Feb 27 11:14:00 2007 -0800

    Fix anycast procfs device leak

    [IPV6]: /proc/net/anycast6 unbalanced inet6_dev refcnt

    From: David Stevens

    Reading /proc/net/anycast6 when there is no anycast address on an
    interface results in an ever-increasing inet6_dev reference count, as
    well as a reference to the netdevice you can't get rid of.

    From: David Stevens
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 74ba050ddee2ade5fcdad88433c26ffea7034b13
Author: Michal Wrobel
Date:   Tue Feb 27 11:12:45 2007 -0800

    Don't add anycast reference to device multiple times

    [IPV6]: anycast refcnt fix

    This patch fixes a bug in Linux IPv6 stack which caused anycast address
    to be added to a device prior DAD has been completed. This led to
    incorrect reference count which resulted in infinite wait for
    unregister_netdevice completion on interface removal.

    Signed-off-by: Michal Wrobel
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 2e8c347d749bc09d21917b2f23fa84cb375e586b
Author: David Miller
Date:   Tue Feb 27 11:11:09 2007 -0800

    Fix TCP MD5 locking.

    [TCP]: Fix MD5 signature pool locking.

    The locking calls assumed that these code paths were only invoked in
    software interrupt context, but that isn't true.

    Therefore we need to use spin_{lock,unlock}_bh() throughout.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit ede6d26177a046ab7f14840e10cb2bbda6bc91df
Author: David Miller
Date:   Tue Feb 27 11:10:07 2007 -0800

    Fix %100 cpu spinning on sparc64

    [SPARC64] bbc_i2c: Fix kenvctrld eating %100 cpu.

    Based almost entirely upon a patch by Joerg Friedrich

    Signed-off-by: David S. Miller

commit 03670c6e904a3d9651233f08ead30f530a9a29a2
Author: Arnaldo Carvalho de Melo
Date:   Tue Feb 27 11:08:33 2007 -0800

    Fix skb data reallocation handling in IPSEC

    [XFRM_TUNNEL]: Reload header pointer after pskb_may_pull/pskb_expand_head

    Please consider applying, this was found on your latest net-2.6 tree
    while playing around with that ip_hdr() + turn skb->nh/h/mac pointers as
    offsets on 64 bits idea :-)

    Signed-off-by: Arnaldo Carvalho de Melo
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit c7c5f798fc566b10c91cd436a0ffdc40b9eccd1e
Author: David Miller
Date:   Tue Feb 27 11:04:27 2007 -0800

    Fix xfrm_add_sa_expire() return value

    [XFRM] xfrm_user: Fix return values of xfrm_add_sa_expire.

    As noted by Kent Yoder, this function will always return an error. Make
    sure it returns zero on success.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d8bb5ffcdffc2fc48e2b8e4e336a07f4af1f1032
Author: David Miller
Date:   Tue Feb 27 11:01:38 2007 -0800

    Fix interrupt probing on E450 sparc64 systems

    [SPARC64]: Fix PCI interrupts on E450 et al.

    When the PCI controller OBP node lacks an interrupt-map and
    interrupt-map-mask property, we need to form the INO by hand. The PCI
    swizzle logic was not doing that properly.

    This was a regression added by the of_device code.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 01f919ed97b0bff878b930de3971214ad3d890a5
Author: Jiri Kosina
Date:   Thu Mar 1 12:02:52 2007 +0100

    HID: fix possible double-free on error path in hid parser

    HID: fix possible double-free on error path in hid parser

    Freeing of device->collection is properly done in hid_free_device() (as
    this function is supposed to free all the device resources and could be
    called from transport specific code, e.g. usb_hid_configure()).

    Remove all kfree() calls preceding the hid_free_device() call.

    Signed-off-by: Jiri Kosina
    Signed-off-by: Greg Kroah-Hartman

commit e37713bb2cff2ed51496362e89a38ce143ea5a80
Author: Livio Soares
Date:   Thu Feb 22 16:13:17 2007 +1100

    POWERPC: Fix performance monitor exception

    To the issue: some point during 2.6.20 development, Paul Mackerras
    introduced the "lazy IRQ disabling" patch (very cool work, BTW). In that
    patch, the performance monitor unit exception was marked as "maskable",
    in the sense that if interrupts were soft-disabled, that exception could
    be ignored. This broke my PowerPC profiling code. The symptom that I see
    is that a varying number of interrupts (from 0 to $n$, typically closer
    to 0) get delivered, when, in reality, it should always be very close to
    $n$.

    The issue stems from the way masking is being done. Masking in this
    fashion seems to work well with the decrementer and external interrupts,
    because they are raised again until "really" handled. For the PMU,
    however, this does not apply (at least on my Xserver machine with a 970FX
    processor). If the PMU exception is not handled, it will _not_ be
    re-raised (at least on my machine). The documentation states that the
    PMXE bit in MMCR0 is set to 0 when the PMU exception is raised. However,
    software must re-set the bit to re-enable PMU exceptions. If the
    exception is ignored (as currently) not only is that interrupt lost, but
    because software does not re-set PMXE, the PMU registers are "frozen"
    forever.

    [This patch means that performance monitor exceptions are taken and
    handled even if irqs are off, as long as some other interrupt hasn't come
    along and caused interrupts to be hard-disabled. In this sense the PMU
    exception becomes like an NMI. The oprofile code for most powerpc
    processors does nothing that is unsafe in an NMI context, but the Cell
    oprofile code does a spin_lock_irqsave. However, that turns out to be OK
    because Cell doesn't actually use the performance monitor exception;
    performance monitor interrupts come in as a regular interrupt on Cell, so
    will be disabled when irqs are off. -- paulus.]

    From: Livio Soares
    Signed-off-by: Paul Mackerras
    Signed-off-by: Greg Kroah-Hartman

commit 270d0c2e09242b6096684fc2d75d01a52947d264
Author: Tejun Heo
Date:   Fri Mar 2 17:46:49 2007 +0900

    libata: add missing CONFIG_PM in LLDs

    Add missing #ifdef CONFIG_PM conditionals around all PM related parts in
    libata LLDs.

    Signed-off-by: Tejun Heo
    Signed-off-by: Greg Kroah-Hartman

commit 7348396ea3192a86808681d0a0d4f3006ce5378d
Author: Tejun Heo
Date:   Fri Mar 2 17:45:30 2007 +0900

    libata: add missing PM callbacks

    Some LLDs were missing scsi device PM callbacks while having host/port
    suspend support. Add missing ones.

    Signed-off-by: Tejun Heo
    Signed-off-by: Greg Kroah-Hartman

commit afb39fa418f87b4224d6785487d84eb56cbfdb3a
Author: Pavel Roskin
Date:   Mon Mar 5 19:28:00 2007 -0600

    bcm43xx: Fix assertion failures in interrupt handler

    In the bcm43xx interrupt handler, sanity checks are wrongly done before
    the verification that the interrupt is for the bcm43xx.

    Signed-off-by: Pavel Roskin
    Signed-off-by: Larry Finger
    Signed-off-by: Greg Kroah-Hartman

commit 1e0715b5ff1b1de98be4c0d0db80251286d2436c
Author: Darren Salt
Date:   Tue Feb 27 02:47:18 2007 +0000

    mmc: Power quirk for ENE controllers

    mmc: Power quirk for ENE controllers

    Support for these devices was broken for 2.6.18-rc1 and later by commit
    146ad66eac836c0b976c98f428d73e1f6a75270d, which added voltage level
    support.

    This restores the previous behaviour for these devices by ensuring that
    when the voltage is changed, only one write to set the voltage is
    performed.

    It may be that both writes are needed if the voltage is being changed
    between two non-zero values or that it's safe to ensure that only one
    write is done if the hardware only supports one voltage; I don't know
    whether either is the case nor can I test since I have only the one SD
    reader (1524:0550), and it supports just the one voltage.

    Signed-off-by: Darren Salt
    Signed-off-by: Pierre Ossman
    Signed-off-by: Greg Kroah-Hartman

commit 2f8432fcffa65ad899cee56a701fc81d460711db
Author: Jeff Dike
Date:   Thu Feb 22 11:48:38 2007 -0500

    UML - Fix 2.6.20 hang

    A previous cleanup misused need_poll, which had a fairly broken
    interface. It implemented a growable array, changing the used elements
    count itself, but leaving it up to the caller to fill in the actual
    elements, including the entire array if the array had to be reallocated.
    This worked because the previous users were switching between two such
    structures, and the elements were copied from the inactive array to the
    active array after making sure the active array had enough room.

    maybe_sigio_broken was made to use need_poll, but it was operating on a
    single array, so when the buffer was reallocated, the previous contents
    were lost.

    This patch makes need_poll implement more sane semantics. It merely
    assures that the array is of the proper size and that the contents are
    preserved. It is up to the caller to adjust the used elements count and
    to ensure that the proper elements are resent.

    This manifested itself as a hang in 2.6.20 as the uninitialized buffer
    convinced UML that one of its own file descriptors didn't support SIGIO
    and needed to be watched by poll in a separate thread. The result was an
    interrupt flood as control traffic over this descriptor sparked
    interrupts, which resulted in more control traffic, ad nauseam.
Signed-off-by: Jeff Dike
Signed-off-by: Greg Kroah-Hartman

commit b007a0873c46f01030f205a0355fc027ec769c03
Author: Hugh Dickins
Date: Fri Feb 23 21:53:49 2007 +0000

fix umask when noACL kernel meets extN tuned for ACLs

Fix insecure default behaviour reported by Tigran Aivazian: if an ext2 or ext3 or ext4 filesystem is tuned to mount with "acl", but mounted by a kernel built without ACL support, then umask was ignored when creating inodes - though root or user has umask 022, touch creates files as 0666, and mkdir creates directories as 0777.

This appears to have worked right until 2.6.11, when a fix to the default mode on symlinks (always 0777) assumed VFS applies umask: which it does, unless the mount is marked for ACLs; but ext[234] set MS_POSIXACL in s_flags according to s_mount_opt set according to def_mount_opts.

We could revert to the 2.6.10 ext[234]_init_acl (adding an S_ISLNK test); but other filesystems only set MS_POSIXACL when ACLs are configured. We could fix this at another level; but it seems most robust to avoid setting the s_mount_opt flag in the first place (at the expense of more ifdefs).

Likewise don't set the XATTR_USER flag when built without XATTR support.

Signed-off-by: Hugh Dickins
Acked-by: Andreas Gruenbacher
Cc: Tigran Aivazian
Signed-off-by: Greg Kroah-Hartman

commit 27fa3aff7831b70b77c444aa44adac0a88e07dd6
Author: Tejun Heo
Date: Sat Feb 24 22:30:36 2007 +0900

sata_sil: ignore and clear spurious IRQs while executing commands by polling

sata_sil used to trigger HSM error if IRQ occurs during polling command. This didn't matter because polling wasn't used in sata_sil. However, as of 2.6.20, all IDENTIFYs are performed by polling and device detection sometimes fails due to spurious IRQ. This patch makes sata_sil ignore and clear spurious IRQ while executing commands by polling.

This fixes bug#7996 and IMHO should also be included in -stable.
Signed-off-by: Tejun Heo
Cc: Jeff Garzik
Signed-off-by: Greg Kroah-Hartman

commit b5f7f3ef64f919fabc5bca0f2f7cc0adfa1ebfc5
Author: Stefan Seyfried
Date: Sat Feb 24 23:06:43 2007 +0100

swsusp: Fix possible oops in userland interface

Fix the Oops occurring when SNAPSHOT_PMOPS or SNAPSHOT_S2RAM ioctl is called on a system without pm_ops defined (eg. a non-ACPI kernel on x86 PC).

Signed-off-by: Stefan Seyfried
Signed-off-by: Rafael J. Wysocki
Acked-by: Pavel Machek
Signed-off-by: Greg Kroah-Hartman

commit 4b5e65dedf3cde7108c9c3d6b6f970eefcd78247
Author: Thomas Gleixner
Date: Thu Feb 22 01:33:29 2007 +0100

Fix posix-cpu-timer breakage caused by stale p->last_ran value

Problem description at:
http://bugzilla.kernel.org/show_bug.cgi?id=8048

Commit b18ec80396834497933d77b81ec0918519f4e2a7
[PATCH] sched: improve migration accuracy
optimized the scheduler time calculations, but broke posix-cpu-timers.

The problem is that the p->last_ran value is not updated after a context switch. So a subsequent call to current_sched_time() calculates with a stale p->last_ran value, i.e. accounts the full time, which the task was scheduled away.

Signed-off-by: Thomas Gleixner
Acked-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman

commit d8effd3897c6b3feedd1dfb1bd5be38d178396fb
Author: Michael Krufky
Date: Sat Mar 3 09:36:15 2007 -0500

V4L: cx88-blackbird: allow usage of 376836 and 262144 sized firmware images

This updates the cx88-blackbird driver to be able to use the new cx23416 firmware image released by Hauppauge Computer Works, while retaining compatibility with the older firmware images.
cx2341x firmware can be downloaded at: http://dl.ivtvdriver.org/ivtv/firmware/

(cherry picked from commit af70dbd3346999570db73b3bc3d4f7b7c004f2ea)

Signed-off-by: Michael Krufky
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 943918d8b5f7fc9ca653dd87a6848d292d83b120
Author: Hans Verkuil
Date: Thu Feb 15 03:40:34 2007 -0300

V4L: fix cx25840 firmware loading

Due to changes in the i2c handling in 2.6.20 this cx25840 bug surfaced, causing the firmware load to fail for the ivtv driver. The correct sequence is to first attach the i2c client, then use the client's device to load the firmware.

(cherry picked from commit d55c7aec666658495e5b57a6b194c8c2a1ac255f)

Signed-off-by: Hans Verkuil
Acked-by: Mike Isely
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Michael Krufky
Signed-off-by: Greg Kroah-Hartman

commit 87edb548fae703ff743bf5204147e24dc504eb84
Author: Michael Krufky
Date: Sat Mar 3 09:36:09 2007 -0500

DVB: digitv: open nxt6000 i2c_gate for TDED4 tuner handling

dvb-pll normally opens the i2c gate before attempting to communicate with the pll, but the code for this device is not using dvb-pll. This should be cleaned up in the future, but for now, just open the i2c gate at the appropriate place in order to fix this driver bug.

(cherry picked from commit 2fe22dcdc79b8dd34e61a3f1231caffd6180a626)

Signed-off-by: Michael Krufky
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 113f20a5a431a89a2304da94add058499957516d
Author: Jin-Bong lee
Date: Sat Mar 3 09:36:05 2007 -0500

DVB: cxusb: fix firmware patch for big endian systems

Without this patch, the device will not be detected after firmware download on big endian systems.
(cherry picked from commit 1d1370a48ca285ebe197ecd3197a8d5f161bc291)

Signed-off-by: Jin-Bong lee
Signed-off-by: Michael Krufky
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit f3fa2cac947f696787f4f755e78662fe7ab4d10e
Author: Mike Isely
Date: Sat Mar 3 09:36:02 2007 -0500

V4L: pvrusb2: Handle larger cx2341x firmware images

Rework the cx23416 firmware loader so that it no longer requires the firmware size to be a multiple of 8KB. Until recently all cx2341x firmware images were exactly 256KB, but newer firmware is larger than that and also appears to have arbitrary size. We still must check against a multiple of 4 bytes (because the cx23416 itself uses a 32 bit word size).

This fix is already in the upstream driver source and has proven itself there; this is a backport for the 2.6.20.y kernel series.

(backported from commit 90060d32ca0a941b158994f78e60d0381871c84b)

Signed-off-by: Mike Isely
Signed-off-by: Michael Krufky
Signed-off-by: Greg Kroah-Hartman

commit d3014508aa1de5712847fae3abfdbe9d58aa2f2c
Author: Mike Isely
Date: Sat Mar 3 09:35:54 2007 -0500

V4L: pvrusb2: Fix video corruption on stream start

This introduces some extra cx23416 commands when streaming is started. The addition of these commands fixes random sporadic video corruption that can take place when the video stream is temporarily disrupted through loss of signal (e.g. changing the channel in the RF tuner).

This fix is already in the upstream driver source and has proven itself there; this is a backport for the 2.6.20.y kernel series.

(backported from commit 6fe7d2c4660174110c6872cacc4fc2acb6e00acf)

Signed-off-by: Mike Isely
Signed-off-by: Michael Krufky
Signed-off-by: Greg Kroah-Hartman

commit cabc5dca87369ae1c751fb377c395f29bb787a1d
Author: Marcel Siegert
Date: Sat Mar 3 09:35:48 2007 -0500

dvbdev: fix illegal re-usage of fileoperations struct

Arjan van de Ven reported an illegal re-usage of the fileoperations struct if more than one dvb device (e.g. frontend) is present.
This patch fixes this issue. It allocates a new fileoperations struct each time a device is registered and copies the default template fileops.

(backported from commit b61901024776b25ce7b8edc31bb1757c7382a88e)

Signed-off-by: Marcel Siegert
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Michael Krufky
Signed-off-by: Greg Kroah-Hartman

commit 745bc0b7b058e6d420aeed5eb7c37a0e1670c8f2
Author: NeilBrown
Date: Tue Feb 20 17:34:47 2007 +1100

md: Fix raid10 recovery problem.

There are two errors that can lead to recovery problems with raid10 when used in 'far' mode (not the default).

Due to a '>' instead of '>=' the wrong block is located which would result in garbage being written to some random location, quite possibly outside the range of the device, causing the newly reconstructed device to fail.

The device size calculation had some rounding errors (it didn't round when it should) and so recovery would go a few blocks too far which would again cause a write to a random block address and probably a device error.

The code for working with device sizes was fairly confused and spread out, so this has been tidied up a bit.

Signed-off-by: Neil Brown
Signed-off-by: Greg Kroah-Hartman

commit 810189f708eaa80cddf9e1318e98bf48af1c9361
Author: Stefano Brivio
Date: Sat Feb 17 18:43:14 2007 +0100

bcm43xx: fix for 4309

BCM4309 devices aren't working properly as A PHYs aren't supported yet, but we probe 802.11a cores anyway. This fixes it, while still allowing for A PHY code to be developed in the future.

Signed-off-by: Stefano Brivio
Cc: Michael Buesch
Signed-off-by: Greg Kroah-Hartman

commit 7e3cd6f62e48e206716b3317c18eacd4a5c02efc
Author: Jan Beulich
Date: Sat Feb 17 13:33:31 2007 +0100

i386: Fix broken CONFIG_COMPAT_VDSO on i386

After updating several machines to 2.6.20, I can't boot anymore the single one of them that supports the NX bit and is configured as a 32-bit system.
My understanding is that the VDSO changes in 2.6.20-rc7 were not fully cooked, in that with that config option enabled VDSO_SYM(x) now equals x, meaning that an address in the fixmap area is now being passed to apps via AT_SYSINFO. However, the page is mapped with PAGE_READONLY rather than PAGE_READONLY_EXEC.

I'm not certain whether having app code go through the fixmap area is intended, but in case it is here is the simple patch that makes things work again.

Cc: Theodore Tso
Signed-off-by: Jan Beulich
Signed-off-by: Andi Kleen
Signed-off-by: Greg Kroah-Hartman

commit 84cb9c519287d8bfeafbc060bd5cf4f25dfc9eb8
Author: Andi Kleen
Date: Sat Feb 17 13:33:00 2007 +0100

x86: Don't require the vDSO for handling a.out signals

x86: Don't require the vDSO for handling a.out signals and in other strange binfmts. vDSO is not necessarily mapped there.

This fixes signals in a.out programs

Signed-off-by: Andi Kleen
Signed-off-by: Greg Kroah-Hartman

commit 4c1a0698326b3eb9e4967fc91a919bbe5a36ed86
Author: Andi Kleen
Date: Sat Feb 17 13:35:00 2007 +0100

x86_64: Fix wrong gcc check in bitops.h

gcc 5.0 will likely not have the constraint problem

Signed-off-by: Andi Kleen
Signed-off-by: Greg Kroah-Hartman

commit aac84df512958344a3e43651aa7063c6bb7f785b
Author: Stephen Hemminger
Date: Fri Feb 16 14:56:11 2007 -0800

sky2: transmit timeout deadlock

The code in transmit timeout incorrectly assumed that netif_tx_lock was not set.

Signed-off-by: Stephen Hemminger
Signed-off-by: Greg Kroah-Hartman

commit a6f04a7642b000d71ac3ff361e53af914f5dd27c
Author: Stephen Hemminger
Date: Fri Feb 16 14:56:10 2007 -0800

sky2: dont flush good pause frames

Don't mark pause frames as errors. This problem caused transmitter not to pause and would effectively take out a gigabit switch because it can't handle overrun.
Signed-off-by: Stephen Hemminger
Signed-off-by: Greg Kroah-Hartman

commit 7b9ec405b19a1a6ca03a26fceb71d2a7d0a2507d
Author: David Miller
Date: Tue Feb 13 18:22:46 2007 -0800

Fix oops in xfrm_audit_log()

[XFRM]: Fix OOPSes in xfrm_audit_log().

Make sure that this function is called correctly, and add BUG() checking to ensure the arguments are sane.

Based upon a patch by Joy Latten.

Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit d83c9fd4ac294d1daece19a736faff5f7c6c185a
Author: Ilpo Järvinen
Date: Tue Feb 13 12:42:11 2007 -0800

Prevent pseudo garbage in SYN's advertized window

TCP may advertize up to 16-bits window in SYN packets (no window scaling allowed). At the same time, TCP may have rcv_wnd (32-bits) that does not fit to 16-bits without window scaling resulting in pseudo garbage into advertized window from the low-order bits of rcv_wnd. This can happen at least when mss <= (1<

Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit e8c72f47cc26dc0505dbfa9d9590b9ca988618a2
Author: Jiri Bohac
Date: Tue Feb 13 18:19:47 2007 -0800

Fix IPX module unload

[IPX]: Fix NULL pointer dereference on ipx unload

Fixes a null pointer dereference when unloading the ipx module.

On initialization of the ipx module, registering certain packet types can fail. When this happens, unloading the module later dereferences NULL pointers. This patch fixes that. Please apply.

Signed-off-by: Jiri Bohac
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit 26e2080a00f3efae654ce723935eade61fa0c429
Author: Herbert Xu
Date: Tue Feb 13 18:12:38 2007 -0800

Clear TCP segmentation offload state in ipt_REJECT

[NETFILTER]: Clear GSO bits for TCP reset packet

The TCP reset packet is copied from the original. This includes all the GSO bits which do not apply to the new packet. So we should clear those bits.

Spotted by Patrick McHardy.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit 9a78d2ae0ea43dd90e9fc60047225b9ff1601e14
Author: David Miller
Date: Tue Feb 13 18:11:27 2007 -0800

Fix atmarp.h for userspace

[ATM]: atmarp.h needs to always include linux/types.h

To provide the __be* types, even for userspace includes.

Reported by Andrew Walrond.

Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit 07c9ab037422089d2b8baf5c14734fe2105b6629
Author: Alan Stern
Date: Mon Feb 26 17:16:06 2007 -0500

UHCI: fix port resume problem

This patch (as863) fixes a problem encountered sometimes when resuming a port on a UHCI controller. The hardware may turn off the Resume-Detect bit before turning off the Suspend bit, leading usbcore to think that the port is still suspended and the resume has failed. The patch makes uhci_finish_suspend() wait until both bits are safely off.

Signed-off-by: Alan Stern
Signed-off-by: Greg Kroah-Hartman

commit c5f165355bdf4b813f164a64ca09f7d92ba6b20b
Author: NeilBrown
Date: Tue Mar 6 17:11:33 2007 +1100

Fix recently introduced problem with shutting down a busy NFS server.

When the last thread of nfsd exits, it shuts down all related sockets. It currently uses svc_close_socket to do this, but that only is immediately effective if the socket is not SK_BUSY.

If the socket is busy - i.e. if a request has arrived that has not yet been processed - svc_close_socket is not effective and the shutdown process spins.

So create a new svc_force_close_socket which removes the SK_BUSY flag is set and then calls svc_close_socket.

Also change some open-codes loops in svc_destroy to use list_for_each_entry_safe.

Signed-off-by: Neil Brown
Signed-off-by: Greg Kroah-Hartman

commit 97f35487312eb92de7f3dc5f44779b6a2bb84e67
Author: NeilBrown
Date: Tue Mar 6 17:11:29 2007 +1100

Avoid using nfsd process pools on SMP machines.

process-pools have real benefits for NUMA, but on SMP machines they only work if network interface interrupts go to all CPUs (via round-robin or multiple nics).
This is not always the case, so disable the pools in this case until a better solution is developed.

Signed-off-by: Neil Brown
Signed-off-by: Greg Kroah-Hartman

diff .prev/net/sunrpc/svc.c ./net/sunrpc/svc.c

commit 5edd24258c5eae0a5cadc612ea1d6e13ec54e536
Author: Alan Stern
Date: Tue Feb 13 14:53:06 2007 -0500

EHCI: turn off remote wakeup during shutdown

This patch (as850b) disables remote wakeup (and everything else!) on all EHCI ports when the shutdown() method is called. If remote wakeup is left active then some systems will reboot instead of powering off. This fixes Bugzilla #7828.

Signed-off-by: Alan Stern
Signed-off-by: Greg Kroah-Hartman

commit 849fa1fbe0247239aa774397665527fe6a1abd89
Author: YOSHIFUJI Hideaki
Date: Tue Feb 13 09:48:41 2007 +0900

IPV6: HASHTABLES: Use appropriate seed for calculating ehash index.

Tetsuo Handa told me that connect(2) with TCPv6 socket almost always took a few minutes to return when we did not have any ports available in the range of net.ipv4.ip_local_port_range.

The reason was that we used incorrect seed for calculating index of hash when we check established sockets in __inet6_check_established().

Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit 4231a5720e9a6fe342e88895e67b0f0ed4d8c1e6
Author: David Woodhouse
Date: Tue Feb 13 09:56:22 2007 +1030

MTD: Fatal regression in drivers/mtd/redboot.c in 2.6.20

[MTD] Fix regression in RedBoot partition scanning

This fixes a regression introduced by the attempt to handle RedBoot FIS tables which are smaller than an eraseblock, in commit 0b47d654089c5ce3f2ea26a4485db9bcead1e515

It moves the recalculation of the number of slots in the table to the correct place, and improves the heuristic for when we think we need to byte-swap what we read from the flash.
Signed-off-by: David Woodhouse
Cc: Rod Whitby
Signed-off-by: Greg Kroah-Hartman

commit 7df8c214f25f15a352326ed9e7bcf6debb2f6fa3
Author: Paolo 'Blaisorblade' Giarrusso
Date: Sat Feb 10 17:45:37 2007 +0100

Kconfig: FAULT_INJECTION can be selected only if LOCKDEP is enabled.

There is no prompt for STACKTRACE, so it is enabled only when 'select'ed. FAULT_INJECTION depends on it, while LOCKDEP selects it. So FAULT_INJECTION becomes visible in Kconfig only when LOCKDEP is enabled.

Signed-off-by: Paolo 'Blaisorblade' Giarrusso
Signed-off-by: Greg Kroah-Hartman

commit c52d525a40c26d01cc876ed0bc3d9fe16e6090b7
Author: Julien BLACHE
Date: Sun Feb 11 18:27:09 2007 +0100

USB HID: Fix USB vendor and product IDs endianness for USB HID devices

The USB vendor and product IDs are not byteswapped appropriately, and thus come out in the wrong endianness when fetched through the evdev using ioctl() on big endian platforms.

Signed-off-by: Julien BLACHE
Signed-off-by: Jiri Kosina
Signed-off-by: Greg Kroah-Hartman

commit af28fc09453b66e3a2c486fe4e81149537d50cd3
Author: Michael Hanselmann
Date: Sat Feb 10 01:18:23 2007 +0100

Fix null pointer dereference in appledisplay driver

Commit 40b20c257a13c5a526ac540bc5e43d0fdf29792a by Len Brown introduced a null pointer dereference in the appledisplay driver. This patch fixes it.

Signed-off-by: Michael Hanselmann
Signed-off-by: Greg Kroah-Hartman

commit 9b6412dda1511fea316aea1b886cabe4b48ca5be
Author: Stefan Richter
Date: Sat Feb 10 00:44:44 2007 +0100

ieee1394: fix host device registering when nodemgr disabled

Since my commit 8252bbb1363b7fe963a3eb6f8a36da619a6f5a65 in 2.6.20-rc1, host devices have a dummy driver attached. Alas the driver was not registered before use if ieee1394 was loaded with disable_nodemgr=1.

This resulted in non-functional FireWire drivers or kernel lockup.
http://bugzilla.kernel.org/show_bug.cgi?id=7942

Signed-off-by: Stefan Richter
Signed-off-by: Greg Kroah-Hartman

commit 3634fe2d5fada0a5d92cc54cc5b7dcbd4794ad44
Author: David Moore
Date: Sat Feb 10 00:41:28 2007 +0100

ieee1394: video1394: DMA fix

This together with the phys_to_virt fix in lib/swiotlb.c::swiotlb_sync_sg fixes video1394 DMA on machines with DMA bounce buffers, especially Intel x86-64 machines with > 3GB RAM.

Signed-off-by: Stefan Richter
Signed-off-by: David Moore
Tested-by: Nicolas Turro
Signed-off-by: Greg Kroah-Hartman

commit db1d08c5da99d6224dcd68ea9d69ed3b14b0dae3
Author: Rojhalat Ibrahim
Date: Fri Feb 9 09:39:57 2007 -0600

Fix compile error for e500 core based processors

We get the following compiler error:

CC arch/ppc/kernel/ppc_ksyms.o
arch/ppc/kernel/ppc_ksyms.c:275: error: '__mtdcr' undeclared here (not in a function)
arch/ppc/kernel/ppc_ksyms.c:275: warning: type defaults to 'int' in declaration of '__mtdcr'
arch/ppc/kernel/ppc_ksyms.c:276: error: '__mfdcr' undeclared here (not in a function)
arch/ppc/kernel/ppc_ksyms.c:276: warning: type defaults to 'int' in declaration of '__mfdcr'
make[1]: *** [arch/ppc/kernel/ppc_ksyms.o] Error 1

This is due to the EXPORT_SYMBOL for __mtdcr/__mfdcr not having the proper CONFIG protection

Signed-off-by: Rojhalat Ibrahim
Signed-off-by: Kumar Gala
Signed-off-by: Greg Kroah-Hartman

commit bf6c995d1541c8513876158a5550799ae7cd39fe
Author: Neil Brown
Date: Thu Feb 8 09:28:28 2007 +1100

md: Avoid possible BUG_ON in md bitmap handling.

md/bitmap tracks how many active write requests are pending on blocks associated with each bit in the bitmap, so that it knows when it can clear the bit (when count hits zero).

The counter has 14 bits of space, so if there are ever more than 16383, we cannot cope.

Currently the code just calls BUG_ON as "all" drivers have request queue limits much smaller than this.

However it seems that some don't.
Apparently some multipath configurations can allow more than 16383 concurrent write requests.

So, in this unlikely situation, instead of calling BUG_ON we now wait for the count to drop down a bit. This requires a new wait_queue_head, some waiting code, and a wakeup call.

Tested by limiting the counter to 20 instead of 16383 (writes go a lot slower in that case...).

Signed-off-by: Neil Brown
Signed-off-by: Greg Kroah-Hartman

diff .prev/drivers/md/bitmap.c ./drivers/md/bitmap.c

commit c8d8a5e0f09db90f9ce46edd6c5601335d0f21ff
Author: Alexey Dobriyan
Date: Tue Feb 6 21:58:27 2007 -0800

Fix allocation failure handling in multicast

[IPV4/IPV6] multicast: Check add_grhead() return value

add_grhead() allocates memory with GFP_ATOMIC and in at least two places skb from it passed to skb_put() without checking.

Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit c1689102c93ed8754c2c1c09139e90c10f59683a
Author: John Heffner
Date: Tue Feb 6 21:57:34 2007 -0800

Fix TCP FIN handling

We can accidentally spit out a huge burst of packets with TSO when the FIN back is piggybacked onto the final packet.

[TCP]: Don't apply FIN exception to full TSO segments.

Signed-off-by: John Heffner
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit 977e7e120593695d1a5ac66df5dbd44113ce49a8
Author: Daniel Walker
Date: Tue Feb 6 21:56:37 2007 -0800

Fix ATM initcall ordering.

[ATM]: Fix for crash in adummy_init()

This was reported by Ingo Molnar here, http://lkml.org/lkml/2006/12/18/119

The problem is that adummy_init() depends on atm_init() , but adummy_init() is called first.

So I put atm_init() into subsys_initcall which seems appropriate, and it will still get module_init() if it becomes a module.

Interesting to note that you could crash your system here if you just load the modules in the wrong order.

Signed-off-by: Daniel Walker
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit 789daef87cd3fe0ed77dfc8a26356982f14fa023
Author: Neil Brown
Date: Wed Feb 7 10:26:56 2007 +1100

Fix various bugs with aligned reads in RAID5.

Fix various bugs with aligned reads in RAID5.

It is possible for raid5 to be sent a bio that is too big for an underlying device. So if it is a READ that we pass straight down to a device, it will fail and confuse RAID5.

So in 'chunk_aligned_read' we check that the bio fits within the parameters for the target device and if it doesn't fit, fall back on reading through the stripe cache and making lots of one-page requests.

Note that this is the earliest time we can check against the device because earlier we don't have a lock on the device, so it could change underneath us.

Also, the code for handling a retry through the cache when a read fails has not been tested and was badly broken. This patch fixes that code.

Signed-off-by: Neil Brown
Signed-off-by: Greg Kroah-Hartman

commit b7409a35e6aa29c6953645661a1f5380048e5dfa
Author: Takashi Iwai
Date: Tue Feb 6 19:15:26 2007 +0100

hda-intel - Don't try to probe invalid codecs

[ALSA] hda-intel - Don't try to probe invalid codecs

Fix the max number of codecs detected by HD-intel (and compatible) controllers to 3. Some hardware reports extra bits as if connected, and the driver gets confused to probe unexisting codecs.

Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela
Signed-off-by: Greg Kroah-Hartman

commit 7e47b465e809017debb2f7f7bb67aee9d158478e
Author: Takashi Iwai
Date: Tue Feb 6 19:13:31 2007 +0100

usbaudio - Fix Oops with unconventional sample rates

The patch fixes the memory corruption by the support of unconventional sample rates. Also, it avoids the too restrictive constraints if any of usb descriptions contain continuous rates.
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 87ab3cb35f4bff9c3eeb3dfcf499e2cede4ede10
Author: Takashi Iwai
Date: Tue Feb 6 19:12:11 2007 +0100

usbaudio - Fix Oops with broken usb descriptors

This is a patch for ALSA Bug #2724. Some webcams provide bogus settings with no valid rates. With this patch those are skipped.

Signed-off-by: Gregor Jasny
Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela
Signed-off-by: Greg Kroah-Hartman

commit 824535fec2e5b8c8333e6b225f964da311eab481
Author: Alan Stern
Date: Mon Feb 5 09:56:15 2007 -0500

USB: fix concurrent buffer access in the hub driver

This patch (as849) fixes a bug in the USB hub driver. A single pre-allocated buffer is used for all port status reads, but nothing guarantees exclusive use of the buffer. A mutex is added to provide this guarantee.

Signed-off-by: Alan Stern
Signed-off-by: Greg Kroah-Hartman

commit e16b67f9a0ac6d9f89f680b7f3b439abfb1dac5e
Author: David Moore
Date: Sun Feb 4 13:39:40 2007 -0500

Missing critical phys_to_virt in lib/swiotlb.c

Missing critical phys_to_virt in lib/swiotlb.c

Adds missing call to phys_to_virt() in the lib/swiotlb.c:swiotlb_sync_sg() function. Without this change, a kernel panic will always occur whenever a SWIOTLB bounce buffer from a scatter-gather list gets synced. Affected are especially Intel x86_64 machines with more than about 3 GB RAM.

Signed-off-by: David Moore
Signed-off-by: Stefan Richter
Signed-off-by: Greg Kroah-Hartman

commit 33b440130f9965ad90f546a988e8cf1d3a3f3995
Author: Dave Jones
Date: Sun Feb 4 12:18:50 2007 -0500

AGP: intel-agp bugfix

On Sun, Feb 04, 2007 at 04:51:38PM +0100, Eric Piel wrote:
> Hello,
>
> I've got a regression in 2.6.20-rc7 (-rc6 was fine) due to commit
> 4b95320fc4d21b0ff2f8604305dd6c851aff6096 ([AGPGART] intel_agp: restore
> graphics device's pci space early in resume).

I think the key to this failure is the last line here ..
> agpgart-intel 0000:00:00.0: resuming
> PM: Writing back config space on device 0000:00:02.0 at offset f (was 10b, writing 0)
> PM: Writing back config space on device 0000:00:02.0 at offset d (was dc, writing 0)
> PM: Writing back config space on device 0000:00:02.0 at offset b (was 10161025, writing 0)
> PM: Writing back config space on device 0000:00:02.0 at offset 5 (was f4000000, writing 0)
> PM: Writing back config space on device 0000:00:02.0 at offset 4 (was f8000008, writing 0)
> PM: Writing back config space on device 0000:00:02.0 at offset 2 (was 3000011, writing 0)
> PM: Writing back config space on device 0000:00:02.0 at offset 1 (was 2b00007, writing 0)
> PM: Writing back config space on device 0000:00:02.0 at offset 0 (was 11328086, writing 0)
> agpgart: Unable to remap memory.

This then blows up the next access to intel_i810_private.registers, which happens to be intel_i810_insert_entries.

Either we need .suspend methods which unmap these regions, or we need to skip trying to map them a second time on resume. There's an ugly patch below which does the latter. Give it a try?

The intel-agp suspend/resume code has really grown into something of a monster, and could use some refactoring in a big way.

Dave

From: Dave Jones
Signed-off-by: Greg Kroah-Hartman

commit 5678ae79fd4e8c1fbc48ef2e8587d2b1bf3032fa
Author: Michael Buesch
Date: Tue Feb 6 11:47:08 2007 -0600

bcm43xx: Fix for oops on ampdu status

If bcm43xx were to process an afterburner (ampdu) status response, Linux would oops. The ampdu and intermediate status bits are properly named.

Signed-off-by: Michael Buesch
Signed-off-by: Larry Finger
Signed-off-by: Greg Kroah-Hartman

commit 86b1745b9e4d06ebcc9e18324ef9768318ebe387
Author: Larry Finger
Date: Tue Feb 6 11:42:43 2007 -0600

bcm43xx: Fix for oops on resume

There is a kernel oops on bcm43xx when resuming due to an overly tight timeout loop.
Signed-off-by: Larry Finger
Signed-off-by: Greg Kroah-Hartman

commit 027fc18bba23014c8db23ad7f066ca8eaa9aa1d1
Author: Tejun Heo
Date: Mon Feb 5 21:47:13 2007 +0900

ide: fix drive side 80c cable check

eighty_ninty_three() had word 93 validity check but not the 80c bit test itself (bit 12). This increases the chance of incorrect wire detection especially because host side cable detection is often unreliable and we sometimes solely depend on drive side cable detection. Fix it.

Signed-off-by: Tejun Heo
Acked-by: Alan
Signed-off-by: Greg Kroah-Hartman

commit dbd60d51abaf4c31f4c4b5e521745af301535447
Author: David Howells
Date: Fri Feb 9 09:30:37 2007 -0500

Keys: Fix key serial number collision handling

Fix the key serial number collision avoidance code in key_alloc_serial().

This didn't use to be so much of a problem as the key serial numbers were allocated from a simple incremental counter, and it would have to go through two billion keys before it could possibly encounter a collision. However, now that random numbers are used instead, collisions are much more likely.

This is fixed by finding a hole in the rbtree where the next unused serial number ought to be and using that by going almost back to the top of the insertion routine and redoing the insertion with the new serial number rather than trying to be clever and attempting to work out the insertion point pointer directly.

This fixes kernel BZ #7727.

Signed-off-by: David Howells
Cc: Chuck Ebbert
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

commit b3725e12ab2cf9e0f1254506baef3f9206520d3e
Author: NeilBrown
Date: Wed Feb 7 11:10:26 2007 +1100

knfsd: Fix a race in closing NFSd connections.

If you lose this race, it can iput a socket inode twice and you get a BUG in fs/inode.c

When I added the option for user-space to close a socket, I added some cruft to svc_delete_socket so that I could call that function when closing a socket per user-space request.

This was the wrong thing to do.
I should have just set SK_CLOSE and let normal mechanisms do the work.

Not only wrong, but buggy. The locking is all wrong and it opened up a race whereby a socket could be closed twice.

So this patch:

Introduces svc_close_socket which sets SK_CLOSE then either leaves the close up to a thread, or calls svc_delete_socket if it can get SK_BUSY.

Adds a bias to sk_busy which is removed when SK_DEAD is set, This avoids races around shutting down the socket.

Changes several 'spin_lock' to 'spin_lock_bh' where the _bh was missing.

Bugzilla-url: http://bugzilla.kernel.org/show_bug.cgi?id=7916

Signed-off-by: Neil Brown
Signed-off-by: Greg Kroah-Hartman

commit e3844c2df6b122e494e77ab507ae96553160c006
Author: Tejun Heo
Date: Mon Feb 5 17:01:28 2007 +0900

pata_amd: fix an obvious bug in cable detection

80c test mask is at bits 18 and 19 of EIDE Controller Configuration not 22 and 23. Fix it.

Signed-off-by: Tejun Heo
Acked-by: Alan Cox

commit bbf22c56d0943d4860f0bee21863708f2d3f962a
Author: Dan Williams
Date: Tue Feb 13 16:07:27 2007 -0500

prism54: correct assignment of DOT1XENABLE in WE-19 codepaths

Correct assignment of DOT1XENABLE in WE-19 codepaths. RX_UNENCRYPTED_EAPOL = 1 really means setting DOT1XENABLE _off_, and vice versa. The original WE-19 patch erroneously reversed that. This patch fixes association with unencrypted and WEP networks when using wpa_supplicant.

It also adds two missing break statements that, left out, could result in incorrect card configuration.

Applies to (I think) 2.6.19 and later.

Signed-off-by: Dan Williams
Signed-off-by: Greg Kroah-Hartman

commit 85560a1e39f9a974e9c4ce5352fd330d4b8fe399
Author: Atsushi Nemoto
Date: Sat Feb 3 23:16:36 2007 +0900

rtc-pcf8563: detect polarity of century bit automatically

The usage of the century bit was inverted on 2.6.19 following to PCF8563's description, but it was not match to usage suggested by RTC8564's datasheet. Anyway what MO_C=1 means can vary on each platform.
This patch is to detect its polarity in get_datetime routine. The default value of c_polarity is 0 (MO_C=1 means 19xx) so that this patch does not change current behavior even if get_datetime was not called before set_datetime.

Signed-off-by: Atsushi Nemoto
Cc: Jean-Baptiste Maneyrol
Cc: David Brownell
Cc: Alessandro Zummo
Signed-off-by: Andrew Morton
Signed-off-by: Greg Kroah-Hartman

commit 9d4b636cfc1e76ec86d6ef5c7a100195c7c12d23
Author: Paolo 'Blaisorblade' Giarrusso
Date: Thu Feb 15 03:34:23 2007 +0100

x86_64: fix 2.6.18 regression - PTRACE_OLDSETOPTIONS should be accepted

Also PTRACE_OLDSETOPTIONS should be accepted, as done by kernel/ptrace.c and forced by binary compatibility. UML/32bit breaks because of this - since it is wise enough to use PTRACE_OLDSETOPTIONS to be binary compatible with 2.4 host kernels.

Until 2.6.17 (commit f0f2d6536e3515b5b1b7ae97dc8f176860c8c2ce) we had:

    default:
        return sys_ptrace(request, pid, addr, data);

Instead here we have:

    case PTRACE_GET_THREAD_AREA:
    case ...:
        return sys_ptrace(request, pid, addr, data);

    default:
        return -EINVAL;

This change was a style change - when a case is added, it must be explicitly tested this way. In this case, not enough testing was done.

Cc: Andi Kleen
Signed-off-by: Paolo 'Blaisorblade' Giarrusso
Signed-off-by: Greg Kroah-Hartman

commit 89417b1a154b1963d739c56585a45df42a9a9107
Author: Mark Fasheh
Date: Mon Mar 5 16:34:11 2007 -0800

ocfs2: ocfs2_link() journal credits update

Commit 592282cf2eaa33409c6511ddd3f3ecaa57daeaaa fixed some missing directory c/mtime updates in part by introducing a dinode update in ocfs2_add_entry(). Unfortunately, ocfs2_link() (which didn't update the directory inode before) is now missing a single journal credit. Fix this by doubling the number of inode updates expected during hard link creation.

Signed-off-by: Mark Fasheh
Signed-off-by: Chris Wright