commit e947fa65e90d410219fc93d4b92c287bbc041773
Author: Greg Kroah-Hartman
Date:   Fri Mar 23 12:52:51 2007 -0700

    Linux 2.6.20.4

commit 9c06278212e2d8f050fbd6ca9cb277836b3c523d
Author: David Miller
Date:   Mon Mar 19 14:50:04 2007 -0700

    Fix niagara memory corruption

    [SPARC64]: store-init needs trailing membar.

    The manual says that it is required and we actually have crash
    reports where loads see stale data due to not having membars here.

    In one case the networking does:

    	memset(skb, 0, offsetof(struct sk_buff, truesize));

    and then some code later checks skb->nohdr for zero, but it's still
    the value that was there before the memset().

    Note that arch/sparc64/lib/xor.S already got this right.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit ad23c76c32efdf8f633cb41c3df0ef6780f5b275
Author: Kai Makisara
Date:   Mon Mar 19 16:58:57 2007 -0700

    st: fix Tape dies if wrong block size used, bug 7919

    [SCSI] st: fix Tape dies if wrong block size used, bug 7919

    On Thu, 1 Feb 2007, Andrew Morton wrote:

    > On Thu, 1 Feb 2007 15:34:29 -0800
    > bugme-daemon@bugzilla.kernel.org wrote:
    >
    > > http://bugzilla.kernel.org/show_bug.cgi?id=7919
    > >
    > >            Summary: Tape dies if wrong block size used
    > >     Kernel Version: 2.6.20-rc5
    > >             Status: NEW
    > >           Severity: normal
    > >              Owner: scsi_drivers-other@kernel-bugs.osdl.org
    > >          Submitter: dmartin@sccd.ctc.edu
    > >
    > >
    > > Most recent kernel where this bug did *NOT* occur: 2.6.17.14
    > >
    > > Other Kernels Tested and Results:
    > >
    > >     OK 2.6.15.7
    > >     OK 2.6.16.37
    > >     OK 2.6.17.14
    > >     BAD 2.6.18.6
    > >     BAD 2.6.18-1.2869.fc6
    > >     BAD 2.6.19.2 +
    > >     BAD 2.6.20-rc5
    > >
    > > NOTE: 2.6.18-1.2869.fc6 is a Fedora modified kernel, all others are from kernel.org
    > >
    > > ...
    > >
    > > Steps to reproduce:
    > > Get an Adaptec AHA-2940U/UW/D / AIC-7881U card and a tape drive,
    > > install a recent kernel
    > > set the tape block size - mt setblk 4096
    > > read from or write to tape using wrong block size - tar -b 7 -cvf /dev/tape foo
    > >

    Write does not trigger this bug because the driver refuses in fixed
    block mode writes that are not a multiple of the block size. Read does
    trigger it in my system.

    The bug is not associated with any specific HBA. st tries to do direct
    i/o in fixed block mode with reads that are not a multiple of tape
    block size. The patch in this message fixes the st problem by
    switching to using the driver buffer up to the next close of the
    device file in fixed block mode if the user asks for a read like this.

    I don't know why the bug has surfaced only after 2.6.17 although the
    st problem is old. There may be another bug in the block subsystem and
    this patch works around it. However, the patch fixes a problem in st
    and in this way it is a valid fix.

    This patch may also fix the bug 7900.

    The patch compiles and is lightly tested.

    Signed-off-by: Kai Makisara
    Cc: Andrew Morton
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 0036a32bcd53c3fa9063577705c2fc95ed45b00c
Author: Dmitry Torokhov
Date:   Wed Mar 7 23:20:55 2007 -0500

    Input: i8042 - another attempt to fix AUX delivery checks

    Do not assume that AUX_LOOP command is broken unless it completes
    successfully but returns wrong (unexpected) data.

    Cc: Chuck Ebbert
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

commit a0518e0445325892f9a92fbd19cbfdb0eecfdb3e
Author: Jeff Dike
Date:   Mon Mar 19 16:12:50 2007 -0400

    UML - arch_prctl should set thread fs

    x86_64 needs some TLS fixes. What was missing was remembering the
    child thread id during clone and stuffing it into the child during
    each context switch.

    The %fs value is stored separately in the thread structure since the
    host controls what effect it has on the actual register file. The
    host also needs to store it in its own thread struct, so we need the
    value kept outside the register file.

    arch_prctl_skas was fixed to call PTRACE_ARCH_PRCTL appropriately.
    There is some saving and restoring of registers in the ARCH_SET_*
    cases so that the correct set of registers are changed on the host
    and restored to the process when it runs again.

    Signed-off-by: Jeff Dike
    Signed-off-by: Greg Kroah-Hartman

commit 7ac7551d5cf0d01b0a67a6653c25045e23904732
Author: Al Viro
Date:   Mon Mar 19 11:55:04 2007 -0400

    fix deadlock in audit_log_task_context()

    GFP_KERNEL allocations in non-blocking context; fixed by killing an
    idiotic use of security_getprocattr().

    Acked-by: Stephen Smalley
    Acked-by: James Morris
    Cc: Chuck Ebbert
    Signed-off-by: Al Viro
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 6f09b7b3b28cd65c9a08757fcf6d9762d541ef9a
Author: Dmitry Torokhov
Date:   Mon Mar 19 09:06:25 2007 -0400

    Input: i8042 - fix AUX IRQ delivery check

    Input: i8042 - fix AUX IRQ delivery check

    On boxes that do not implement AUX LOOP command we can not verify
    AUX IRQ delivery and must assume that it is wired properly.

    Cc: Chuck Ebbert
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

commit 8479fc42c9696c54858aa8cbb1052c26571436c5
Author: Zach Brown
Date:   Sun Mar 18 18:55:51 2007 -0400

    dio: invalidate clean pages before dio write

    This patch fixes a user-triggerable oops that was reported by Leonid
    Ananiev as archived at http://lkml.org/lkml/2007/2/8/337.

    dio writes invalidate clean pages that intersect the written region so
    that subsequent buffered reads go to disk to read the new data. If
    this fails the interface tries to tell the caller that the cache is
    inconsistent by returning EIO.

    Before this patch we had the problem where this invalidation failure
    would clobber -EIOCBQUEUED as it made its way from fs/direct-io.c to
    fs/aio.c. Both fs/aio.c and bio completion call aio_complete() and we
    reference freed memory, usually oopsing.

    This patch addresses this problem by invalidating before the write so
    that we can cleanly return -EIO before ->direct_IO() has had a chance
    to return -EIOCBQUEUED.

    There is a compromise here. During the dio write we can fault in
    mmap()ed pages which intersect the written range with get_user_pages()
    if the user provided them for the source buffer. This is a crazy thing
    to do, but we can make it mostly work in most cases by trying the
    invalidation again. The compromise is that we won't return an error if
    this second invalidation fails if it's an AIO write and we have
    -EIOCBQUEUED.

    This was tested by having two processes race performing large O_DIRECT
    and buffered ordered writes. Within minutes ext3 would see a race
    between ext3_releasepage() and jbd holding a reference on ordered data
    buffers and would cause invalidation to fail, panicking the box. The
    test can be found in the 'aio_dio_bugs' test group in
    test.kernel.org/autotest. After this patch the test passes.

    Signed-off-by: Zach Brown
    Signed-off-by: Benjamin LaHaise
    Cc: Chuck Ebbert
    Cc: Leonid Ananiev
    Cc: Nick Piggin
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 86fef703b93a7337ec932f12ca23ae365cb730a2
Author: Ankita Garg
Date:   Sun Mar 18 18:54:14 2007 -0400

    oom fix: prevent oom from killing a process with children/sibling unkillable

    Looking at oom_kill.c, found that the intention to not kill the
    selected process if any of its children/siblings has OOM_DISABLE set,
    is not being met.

    Signed-off-by: Ankita Garg
    Cc: Chuck Ebbert
    Acked-by: Nick Piggin
    Acked-by: William Irwin
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 0a67204c5d11aca00fafc3ebe95be9a72447f70c
Author: Takashi Iwai
Date:   Sun Mar 18 18:19:29 2007 -0400

    hda-intel - Fix codec probe with ATI controllers

    [ALSA] hda-intel - Fix codec probe with ATI controllers

    ATI controllers may have up to 4 codecs while ICH up to 3. Thus the
    earlier fix to change AZX_MAX_CODECS to 3 caused a regression on some
    devices that have the audio codec at bit#3. Now max codecs is defined
    according to the driver type, either 3 or 4. Currently 4 is set only
    to ATI chips. Others might need the same change, too.

    Cc: Chuck Ebbert
    Signed-off-by: Takashi Iwai
    Signed-off-by: Jaroslav Kysela

commit c04a52befd3ae4bdb755fd1e4538d20a6711fd5b
Author: Dmitry Torokhov
Date:   Sun Mar 18 17:41:28 2007 -0400

    Input: i8042 - really suppress ACK/NAK during panic blink

    Input: i8042 - really suppress ACK/NAK during panic blink

    On some boxes panic blink procedure manages to send both bytes to
    keyboard controller before getting first ACK so we need to make
    i8042_suppress_kbd_ack a counter instead of boolean.

    Cc: Chuck Ebbert
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

commit 6c3f05964e7b82a9965fd4934ba470cf533172ed
Author: Samuel Ortiz
Date:   Sat Mar 17 04:04:27 2007 +0200

    IrDA: irttp_dup spin_lock initialisation

    Without this initialization one gets

    	kernel BUG at kernel/rtmutex_common.h:80!

    This patch should also be included in the -stable kernel.

    Signed-off-by: G. Liakhovetski
    Signed-off-by: Samuel Ortiz
    Cc: David Miller
    Signed-off-by: Greg Kroah-Hartman

commit e7afe7add33b3c467999376ac22d819fa7bcade8
Author: David Miller
Date:   Fri Mar 16 18:51:00 2007 -0700

    Fix page allocation debugging on sparc64

    [SPARC64]: Get DEBUG_PAGEALLOC working again.

    We have to make sure to use base-pagesize TLB entries even during the
    early transition period where we need TLB miss handling but don't have
    the kernel page tables setup yet for the linear region.

    Also, it is necessary therefore to not use the 4MB TSB for these
    translations, and instead use the normal kernel TSB. This allows us
    to also get rid of the 4MB tsb for debug builds which shrinks the
    kernel a little bit.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit b5c5ded3e7922dbbb45a2f7183d500514185eab8
Author: David Miller
Date:   Fri Mar 16 18:49:06 2007 -0700

    Fix sparc64 hugepage bugs

    [SPARC64]: Add missing HPAGE_MASK masks on address parameters.

    These pte loops all assume the passed in address is HPAGE aligned,
    make sure that is actually true.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 50a9fe380636f5643ccf605767208b02cbc82254
Author: Alexey Dobriyan
Date:   Fri Mar 16 18:32:09 2007 -0700

    Copy over mac_len when cloning an skb

    [NET]: Copy mac_len in skb_clone() as well

    ANK says: "It is rarely used, that's why it was not noticed. But in
    the places, where it is used, it should be a disaster."

    Signed-off-by: Alexey Dobriyan
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit c92fc42fc79aa7c77c90d91c69144f2d9b94a71b
Author: Masayuki Nakagawa
Date:   Fri Mar 16 18:31:22 2007 -0700

    Fix ipv6 flow label inheritance

    [IPV6]: ipv6_fl_socklist is inadvertently shared.

    The ipv6_fl_socklist from listening socket is inadvertently shared
    with new socket created for connection. This leads to a variety of
    interesting, but fatal, bugs. For example, removing one of the
    sockets may lead to the other socket's encountering a page fault
    when the now freed list is referenced.

    The fix is to not share the flow label list with the new socket.

    Signed-off-by: Masayuki Nakagawa
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit aa2bb55bbc1e890e1c1fefe72a953c476cb867a3
Author: Robert Olsson
Date:   Fri Mar 16 18:30:13 2007 -0700

    Fix GFP_KERNEL with preemption disabled in fib_trie

    [IPV4]: Do not disable preemption in trie_leaf_remove().

    Hello,

    Just discussed this Patrick...

    We have two users of trie_leaf_remove, fn_trie_flush and
    fn_trie_delete both are holding RTNL. So there shouldn't be a need
    for this preempt stuff. This is assumed to be a leftover from an
    older RCU-take.

    > Mhh .. I think I just remembered something - me incorrectly suggesting
    > to add it there while we were talking about this at OLS :) IIRC the
    > idea was to make sure tnode_free (which at that time didn't use
    > call_rcu) wouldn't free memory while still in use in a rcu read-side
    > critical section. It should have been synchronize_rcu of course,
    > but with tnode_free using call_rcu it seems to be completely
    > unnecessary. So I guess we can simply remove it.

    Signed-off-by: Robert Olsson
    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 380974c0843a390d460446f79c5dea3b56046e66
Author: Joy Latten
Date:   Fri Mar 16 18:27:51 2007 -0700

    Fix extraneous IPSEC larval SA creation

    [XFRM]: Fix missing protocol comparison of larval SAs.

    I noticed that in xfrm_state_add we look for the larval SA in a few
    places without checking for protocol match. So when using both AH
    and ESP, whichever one gets added first deletes the larval SA. It
    seems AH always gets added first and ESP is always the larval SA's
    protocol since the xfrm->tmpl has it first. Thus causing the
    additional km_query()

    Adding the check eliminates accidental double SA creation.

    Signed-off-by: Joy Latten
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 81b88f0a73ee3d7afa42fb44179067bf865001bc
Author: Francois Romieu
Date:   Wed Mar 14 21:32:00 2007 +0100

    r8169: fix a race between PCI probe and dev_open

    Initialize the timer with the rest of the private-struct.

    Signed-off-by: Francois Romieu
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 40277a1f2ae87275087abac86e53a0a6dcf7c58b
Author: Andy Isaacson
Date:   Fri Mar 16 13:38:04 2007 -0800

    fix read past end of array in md/linear.c

    When iterating through an array, one must be careful to test one's
    index variable rather than another similarly-named variable.

    The loop will read off the end of conf->disks[] in the following
    (pathological) case:

    % dd bs=1 seek=840716287 if=/dev/zero of=d1 count=1
    % for i in 2 3 4; do dd if=/dev/zero of=d$i bs=1k count=$(($i+150)); done
    % ./vmlinux ubd0=root ubd1=d1 ubd2=d2 ubd3=d3 ubd4=d4
    # mdadm -C /dev/md0 --level=linear --raid-devices=4 /dev/ubd[1234]

    adding some printks, I saw this:

    [42949374.960000] hash_spacing = 821120
    [42949374.960000] cnt = 4
    [42949374.960000] min_spacing = 801
    [42949374.960000] j=0 size=820928 sz=820928
    [42949374.960000] i=0 sz=820928 hash_spacing=820928
    [42949374.960000] j=1 size=64 sz=64
    [42949374.960000] j=2 size=64 sz=128
    [42949374.960000] j=3 size=64 sz=192
    [42949374.960000] j=4 size=1515870810 sz=1515871002

    Cc: Gautham R Shenoy
    Acked-by: Neil Brown
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 738eef46aab0319aef1045cf136289309b396581
Author: Thomas Gleixner
Date:   Fri Mar 16 14:15:57 2007 -0800

    fix MTIME_SEC_MAX on 32-bit

    The maximum seconds value we can handle on 32bit is LONG_MAX.

    Cc: Ingo Molnar
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 2a0347b709ffe54b6dd0a465922842d0b5b04b0a
Author: Thomas Gleixner
Date:   Fri Mar 16 13:38:20 2007 -0800

    hrtimer: prevent overrun DoS in hrtimer_forward()

    hrtimer_forward() does not check for the possible overflow of
    timer->expires. This can happen on 64 bit machines with large
    interval values and results currently in an endless loop in the
    softirq because the expiry value becomes negative and therefore the
    timer is expired all the time.

    Check for this condition and set the expiry value to the max. expiry
    time in the future. The fix should be applied to stable kernel series
    as well.

    Signed-off-by: Thomas Gleixner
    Acked-by: Ingo Molnar
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit cfbebe59ac6a56c1705388b127c5798197afc205
Author: Trond Myklebust
Date:   Fri Mar 16 13:38:28 2007 -0800

    nfs: nfs_getattr() can't call nfs_sync_mapping_range() for non-regular files

    Looks like we need a check in nfs_getattr() for a regular file. It
    makes no sense to call nfs_sync_mapping_range() on anything else.

    I think that should fix your problem: it will stop the NFS client from
    interfering with dirty pages on that inode's mapping.

    Signed-off-by: Trond Myklebust
    Acked-by: Olof Johansson
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 120d6d2e32028348c630abb1aa4a68a83dfe6d8e
Author: Ingo Molnar
Date:   Fri Mar 16 13:38:31 2007 -0800

    futex: PI state locking fix

    Testing of -rt by IBM uncovered a locking bug in wake_futex_pi(): the
    PI state needs to be locked before we access it.

    Signed-off-by: Ingo Molnar
    Acked-by: Thomas Gleixner
    Cc: Chuck Ebbert
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 2e84657dbb433207cac7edfa45f755c8312fb15b
Author: Zilvinas Valinskas
Date:   Fri Mar 16 13:38:34 2007 -0800

    initialise pi_lock if CONFIG_RT_MUTEXES=N

    Fixes a bogus lockdep warning which causes lockdep to disable itself.

    Acked-by: Ingo Molnar
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 38d4f86736e5dd71a748f87b20d66a8cf2357454
Author: Alan Stern
Date:   Fri Mar 16 09:34:29 2007 -0400

    EHCI: add delay to bus_resume before accessing ports

    This patch (as870) adds a delay to ehci-hcd's bus_resume routine.
    Apparently there are controllers and/or BIOSes out there which need
    such a delay to get the ports back into their correct state. This
    fixes Bugzilla #8190.

    Signed-off-by: Alan Stern
    Signed-off-by: Greg Kroah-Hartman

commit 522850039c6c8a7ff8df8f9b6b118141aca50d62
Author: Nick Piggin
Date:   Fri Mar 16 13:38:10 2007 -0800

    mm: fix madvise infinite loop

    madvise(MADV_REMOVE) can go into an infinite loop or cause an oops if
    the call covers a region from the start of a vma, and extending past
    that vma.

    Signed-off-by: Nick Piggin
    Cc: Badari Pulavarty
    Acked-by: Hugh Dickins
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 7639e962234c76031d1ddf436def7fd9602be560
Author: Jan Beulich
Date:   Tue Mar 13 14:04:11 2007 -0400

    adjust legacy IDE resource setting (v2)

    adjust legacy IDE resource setting (v2)

    The change to force legacy mode IDE channels' resources to fixed
    non-zero values confuses (at least some versions of) X, because the
    values reported by the kernel and those readable from PCI config space
    aren't consistent anymore. Therefore, this patch arranges for the
    respective BARs to also get updated if possible.

    Signed-off-by: Jan Beulich
    Acked-by: Alan Cox
    Signed-off-by: Andrew Morton
    Signed-off-by: Bartlomiej Zolnierkiewicz
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit 1891665fed2eeb8c0170f9ccca8a045292ec3089
Author: KAMEZAWA Hiroyuki
Date:   Tue Mar 13 14:00:39 2007 -0400

    IA64: fix NULL pointer in ia64/irq_chip-mask/unmask function

    [IA64] fix NULL pointer in ia64/irq_chip-mask/unmask function

    This patch fixes boot failure because irq_desc->mask() is NULL.

    - Added mask/unmask functions to ia64's irq desc function table.
    - rename hw_interrupt_type to irq_chip. hw_interrupt_type is old name.
    - Tony: Added same change to arch/ia64/sn/kernel/irq.c as pointed out
      by Eric Biederman ... mask/unmask functions there can be no-op.

    Signed-off-by: KAMEZAWA Hiroyuki
    Signed-off-by: Andrew Morton
    Signed-off-by: Tony Luck
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit d684641802ada3ac1b4aef27314ec960c81abd80
Author: Michal Miroslaw
Date:   Tue Mar 13 16:45:26 2007 +0100

    NETFILTER: nfnetlink_log: fix reference counting

    [NETFILTER]: nfnetlink_log: fix reference counting

    Fix reference counting (memory leak) problem in __nfulnl_send() and
    callers related to packet queueing.

    Signed-off-by: Michal Miroslaw
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit 0065572ae6662a3b53fa4f8beb4feab61114590c
Author: Paul Moore
Date:   Mon Mar 12 09:33:12 2007 -0500

    NetLabel: Verify sensitivity level has a valid CIPSO mapping

    The current CIPSO engine has a problem where it does not verify that
    the given sensitivity level has a valid CIPSO mapping when the "std"
    CIPSO DOI type is used. The end result is that bad packets are sent
    on the wire which should have never been sent in the first place.
    This patch corrects this problem by verifying the sensitivity level
    mapping similar to what is done with the category mapping. This patch
    also changes the returned error code in this case to -EPERM to better
    match what the category mapping verification code returns.

    Signed-off-by: Paul Moore
    Acked-by: James Morris
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit b09bfe3601682228d9b4612a0266359df9710791
Author: Joerg Dorchain
Date:   Tue Mar 6 02:46:54 2007 -0800

    gdth: fix oops in gdth_copy_cmd()

    Recent alterations to the gdth_fill_raw_cmd() path no longer set the
    sg_ranz field for zero transfer commands. However, this field is used
    lower down in the function to initialise ha->cmd_len to the size of
    the firmware packet. If this uninitialised field contains a bogus
    value, ha->cmd_len can become much larger than the actual firmware
    packet and end up oopsing in gdth_copy_cmd() as it tries to copy this
    huge packet to the device (usually because it runs into an unallocated
    page).

    The fix is to initialise the sg_ranz field to zero at the start of
    gdth_fill_raw_cmd().

    Signed-off-by: Joerg Dorchain
    Acked-by: "Achim Leubner"
    Signed-off-by: Andrew Morton
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 1995b605df589e93a11395ca239891187b7f1bdf
Author: Evgeniy Polyakov
Date:   Fri Mar 9 23:04:42 2007 -0800

    Fix rtm_to_ifaddr() error return.

    [IPV4]: Fix rtm_to_ifaddr() error handling.

    Return negative error value (embedded in the pointer) instead of
    returning NULL.

    Signed-off-by: Evgeniy Polyakov
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 4cabf6ba5496bc4a5a59871693145880b240b07b
Author: Olaf Kirch
Date:   Fri Mar 9 23:03:53 2007 -0800

    Fix another NULL pointer deref in ipv6_sockglue.c

    [IPV6]: Fix for ipv6_setsockopt NULL dereference

    I came across this bug in
    http://bugzilla.kernel.org/show_bug.cgi?id=8155

    Signed-off-by: Olaf Kirch
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
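The expiry overflow described in the hrtimer_forward() commit above (2a0347b7, "prevent overrun DoS in hrtimer_forward()") can be reproduced with a small stand-alone model. The code below is an added illustration and not the kernel's hrtimer implementation: it assumes timestamps are signed 64-bit nanoseconds (as in ktime_t's tv64 field), that KTIME_MAX is the clamp value, and that 'now' and 'expires' are non-negative. It shows the same forwarding arithmetic twice, once wrapping as the unfixed code effectively did, and once clamping the wrapped result to the maximum future expiry as the fix does, and reports whether the timer would be considered expired again immediately after being forwarded.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added stand-alone model of hrtimer_forward()'s expiry arithmetic; not
 * the kernel's code. Times are signed 64-bit nanoseconds like ktime_t.tv64,
 * KTIME_MAX is the assumed clamp value, and 'now' and 'expires' are assumed
 * to be non-negative.
 */
#define KTIME_MAX INT64_MAX

struct timer_model {
    int64_t expires;                /* absolute expiry time, ns */
};

/* Two's-complement wrapping add: what the unchecked code effectively did. */
static int64_t add_wrapping(int64_t a, int64_t b)
{
    return (int64_t)((uint64_t)a + (uint64_t)b);
}

/* Overflow-checked add: stores a + b in *out and returns 0, or returns 1
 * (leaving *out untouched) when the sum does not fit in int64_t. */
static int add_checked(int64_t a, int64_t b, int64_t *out)
{
    if ((b > 0 && a > INT64_MAX - b) || (b < 0 && a < INT64_MIN - b))
        return 1;
    *out = a + b;
    return 0;
}

/*
 * Push the expiry past 'now' in whole multiples of 'interval' (> 0) and
 * return the overrun count. saturate == 0 reproduces the wrap the commit
 * describes; saturate == 1 clamps a wrapped result to KTIME_MAX, which is
 * the approach the fix takes.
 */
static uint64_t forward(struct timer_model *t, int64_t now,
                        int64_t interval, int saturate)
{
    int64_t delta = now - t->expires;
    uint64_t orun = 1;

    if (delta < 0)
        return 0;                   /* not expired yet: nothing to do */

    if (delta >= interval) {
        /* Skip every full period that already elapsed in one step. This
         * cannot overflow because orun * interval <= delta <= now. */
        orun = (uint64_t)(delta / interval);
        t->expires += (int64_t)(orun * (uint64_t)interval);
        if (t->expires > now)
            return orun;
        orun++;                     /* landed exactly on 'now' */
    }

    /* One more interval. With a huge interval this is the sum that wraps
     * negative, so the timer looks expired on every softirq pass. */
    if (saturate) {
        int64_t next;
        if (add_checked(t->expires, interval, &next))
            next = KTIME_MAX;       /* furthest expiry in the future */
        t->expires = next;
    } else {
        t->expires = add_wrapping(t->expires, interval);
    }
    return orun;
}

/* 1 if the timer would be treated as already expired at 'now'. */
static int is_expired(const struct timer_model *t, int64_t now)
{
    return t->expires <= now;
}

/* Convenience wrappers so a single call answers one question. */
static uint64_t overruns_for(int64_t expires, int64_t now, int64_t interval)
{
    struct timer_model t = { .expires = expires };
    return forward(&t, now, interval, 1);
}

static int64_t expiry_after(int64_t expires, int64_t now, int64_t interval)
{
    struct timer_model t = { .expires = expires };
    forward(&t, now, interval, 1);
    return t.expires;
}

/*
 * Constructed scenario: a timer that fired 1 ns ago with a 9e18 ns interval
 * (roughly 285 years), the kind of large user-supplied value the commit
 * mentions. Returns is_expired() right after forwarding: 1 means the timer
 * would be re-expired immediately and the softirq would spin.
 */
static int large_interval_still_expired(int saturate)
{
    struct timer_model t = { .expires = 1000000000000000000LL };  /* 1e18 */
    int64_t now = t.expires + 1;
    int64_t interval = 9000000000000000000LL;                    /* 9e18 */

    forward(&t, now, interval, saturate);
    return is_expired(&t, now);
}

int main(void)
{
    printf("wrapping add: still expired after forward = %d\n",
           large_interval_still_expired(0));
    printf("clamped add:  still expired after forward = %d\n",
           large_interval_still_expired(1));
    return 0;
}
```

The defensive point is the one the commit makes: after any arithmetic on an absolute deadline that a user can influence (intervals from timer_settime(), nanosleep(), and similar interfaces), check that the result is still ahead of the current time and clamp it rather than letting it wrap, because a wrapped deadline is a deadline that is always due.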