commit 30944b3a446917d34e559c354586c023d9829ac0 Author: Greg Kroah-Hartman Date: Fri Apr 6 03:44:59 2007 -0700 Linux 2.6.20.5 commit f8c08c340b8308ca0afb19d62f71b2b39ccfc9e0 Author: Jean Delvare Date: Wed Apr 4 23:52:46 2007 -0700 APPLETALK: Fix a remotely triggerable crash When we receive an AppleTalk frame shorter than what its header says, we still attempt to verify its checksum, and trip on the BUG_ON() at the end of function atalk_sum_skb() because of the length mismatch. This has security implications because this can be triggered by simply sending a specially crafted ethernet frame to a target victim, effectively crashing that host. Thus this qualifies, I think, as a remote DoS. Here is the frame I used to trigger the crash, in npg format: { # Ethernet header ----- XX XX XX XX XX XX # Destination MAC 00 00 00 00 00 00 # Source MAC 00 1D # Length # LLC header ----- AA AA 03 08 00 07 80 9B # Appletalk # Appletalk header ----- 00 1B # Packet length (invalid) 00 01 # Fake checksum 00 00 00 00 # Destination and source networks 00 00 00 00 # Destination and source nodes and ports # Payload ----- 0C 0D 0E 0F 10 11 12 13 14 } The destination MAC address must be set to those of the victim. The severity is mitigated by two requirements: * The target host must have the appletalk kernel module loaded. I suspect this isn't so frequent. * AppleTalk frames are non-IP, thus I guess they can only travel on local networks. I am no network expert though, maybe it is possible to somehow encapsulate AppleTalk packets over IP. The bug has been reported back in June 2004: http://bugzilla.kernel.org/show_bug.cgi?id=2979 But it wasn't investigated, and was closed in July 2006 as both reporters had vanished meanwhile. This code was new in kernel 2.6.0-test5: http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2 And not modified since then, so we can assume that vanilla kernels 2.6.0-test5 and later, and distribution kernels based thereon, are affected. Note that I still do not know for sure what triggered the bug in the real-world cases. The frame could have been corrupted by the kernel if we have a bug hiding somewhere. But more likely, we are receiving the faulty frame from the network. Signed-off-by: Jean Delvare Signed-off-by: David S. Miller Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman commit ef1ad177623878299bd49cf42a7974309b0c6435 Author: Daniel Drake Date: Mon Mar 26 21:32:15 2007 -0800 generic_serial: fix decoding of baud rate Commit d720bc4b8fc5d6d179ef094908d4fbb5e436ffad partially removed a private implementation of baud speed decoding. However it doesn't seem to be complete: after the speed is decoded, it is still being used as an index to a local speed table (array overrun, no doubt). This was found by Graham Murray who noticed it caused a 2.6.19 regression with the SX driver: https://bugs.gentoo.org/170554 Signed-off-by: Daniel Drake Acked-by: Alan Cox Cc: Russell King Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 5031b2a0cab077864d7147ed4ad00199fe3ba9e1 Author: Jeff Garzik Date: Wed Mar 28 18:39:22 2007 -0400 libata: sata_mv: Fix 50xx irq mask [libata] sata_mv: Fix 50xx irq mask IRQ mask bits assumed a 60xx or newer generation chip, which is very wrong for the 50xx series. Luckily both generations shared the per-port interrupt mask bits, leaving only the "misc chip features" bits to be completely mismatched. Fix 50xx by ensuring we only program bits that exist. Cc: Chuck Ebbert Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 234b52fa61f364f339b1c285ad7bdc70886992d7 Author: Jeff Garzik Date: Wed Mar 28 18:38:16 2007 -0400 libata: sata_mv: don't touch reserved bits in EDMA config register [libata] sata_mv: don't touch reserved bits in EDMA config register The code in mv_edma_cfg() reflected its 60xx origins, by doing things [slightly] incorrectly on the older 50xx and newer 6042/7042 chips. Clean up the EDMA configuration setup such that, each chip family carefully initializes its own EDMA setup. Cc: Chuck Ebbert Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 66478673825757e8ef8ab3d1ceaa4115274d1b57 Author: Mark Lord Date: Wed Mar 28 18:35:21 2007 -0400 libata bugfix: HDIO_DRIVE_TASK libata bugfix: HDIO_DRIVE_TASK I was trying to use HDIO_DRIVE_TASK for something today, and discovered that the libata implementation does not copy over the upper four LBA bits from args[6]. This is serious, as any tools using this ioctl would have their commands applied to the wrong sectors on the drive, possibly resulting in disk corruption. Ideally, newer apps should use SG_IO/ATA_16 directly, avoiding this bug. But with libata poised to displace drivers/ide, better compatibility here is a must. This patch fixes libata to use the upper four LBA bits passed in from the ioctl. The original drivers/ide implementation copies over all bits except for the master/slave select bit. With this patch, libata will copy only the four high-order LBA bits, just in case there are assumptions elsewhere in libata (?). Signed-off-by: Mark Lord Cc: Chuck Ebbert Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 59e23e6198366f057ea49127f810098424d3417c Author: Tejun Heo Date: Wed Mar 28 18:33:39 2007 -0400 libata: clear TF before IDENTIFYing libata: clear TF before IDENTIFYing Some devices chock if Feature is not clear when IDENTIFY is issued. Set ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE for IDENTIFY such that whole TF is cleared when reading ID data. Kudos to Art Haas for testing various futile patches over several months and Mark Lord for pointing out the fix. Signed-off-by: Tejun Heo Cc: Art Haas Cc: Mark Lord Cc: Chuck Ebbert Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 46113c80a92c0bd9ccc7be765e3d487e3e86dac0 Author: J. Bruce Fields Date: Wed Mar 28 17:50:11 2007 -0400 CRYPTO: api: scatterwalk_copychunks() fails to advance through scatterlist [CRYPTO] api: scatterwalk_copychunks() fails to advance through scatterlist In the loop in scatterwalk_copychunks(), if walk->offset is zero, then scatterwalk_pagedone rounds that up to the nearest page boundary: walk->offset += PAGE_SIZE - 1; walk->offset &= PAGE_MASK; which is a no-op in this case, so we don't advance to the next element of the scatterlist array: if (walk->offset >= walk->sg->offset + walk->sg->length) scatterwalk_start(walk, sg_next(walk->sg)); and we end up copying the same data twice. It appears that other callers of scatterwalk_{page}done first advance walk->offset, so I believe that's the correct thing to do here. This caused a bug in NFS when run with krb5p security, which would cause some writes to fail with permissions errors--for example, writes of less than 8 bytes (the des blocksize) at the start of a file. A git-bisect shows the bug was originally introduced by 5c64097aa0f6dc4f27718ef47ca9a12538d62860, first in 2.6.19-rc1. Cc: Chuck Ebbert Signed-off-by: J. Bruce Fields Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit a59c449be72f920b795385fd8a3b5a1cec0b9f48 Author: Alan Tyson Date: Wed Mar 28 17:40:35 2007 -0400 CIFS: reset mode when client notices that ATTR_READONLY is no longer set [CIFS] reset mode when client notices that ATTR_READONLY is no longer set [: removed changelog part of patch] Cc: Chuck Ebbert Signed-off-by: Alan Tyso Signed-off-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit e21c656f7bc1b580dafeb194010f01f11a6caf88 Author: Steve French Date: Wed Mar 28 17:40:03 2007 -0400 CIFS: Allow reset of file to ATTR_NORMAL when archive bit not set [CIFS] Allow reset of file to ATTR_NORMAL when archive bit not set When a file had a dos attribute of 0x1 (readonly - but dos attribute of archive was not set) - doing chmod 0777 or equivalent would try to set a dos attribute of 0 (which some servers ignore) rather than ATTR_NORMAL (0x20) which most servers accept. Does not affect servers which support the CIFS Unix Extensions. [: removed changelog part of patch] Cc: Chuck Ebbert Acked-by: Prasad Potluri Acked-by: Shirish Pargaonkar Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 8e76199aa2df59083a6e1dccbc76871f45b6eaad Author: Bartlomiej Zolnierkiewicz Date: Wed Mar 28 15:11:13 2007 -0400 ide: revert "ide: fix drive side 80c cable check, take 2" for now "ide: fix drive side 80c cable check, take 2" patch from Tejun Heo (commit fab59375b9543f84d1714f7dd00f5d11e531bd3e) fixed 80c bit test (bit13 of word93) but we also need to fix master/slave IDENTIFY order (slave device should be probed first in order to make it release PDIAG- signal) and we should also check for pre-ATA3 slave devices (which may not release PDIAG- signal). Unfortunately the fact that IDE driver doesn't reset devices itself helps only a bit as it seems that some BIOS-es reset ATA devices after programming the chipset, some BIOS-es can be set to not probe/configure selected devices, there may be no BIOS in case of add-on cards etc. Since we are quite late in the release cycle and the required changes will affect a lot of systems just revert the fix for now. [ Please also see libata commit f31f0cc2f0b7527072d94d02da332d9bb8d7d94c. ] Cc: Chuck Ebbert Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Greg Kroah-Hartman commit b2c3c20bcd086eb6bf9fdf5e920f916d76556e72 Author: Vasily Averin Date: Wed Mar 28 12:35:29 2007 -0400 i2o: block IO errors on i2o disk I2O subsystem has been broken in mainstream several months ago (after 2.6.18). Commit 4aff5e2333c9a1609662f2091f55c3f6fffdad36 from Jens Axboe split struct request ->flags into two parts: cmd_type and cmd_flags. In i2o layer this patch has replaced flag REQ_SPECIAL by the according cmd_type. However i2o has used REQ_SPECIAL not as command type but as driver-specific flag for the debug purposes. As result all i2o requests have type "special" now, are not processed to the hardware and fail with I/O error: i2o/hda:<3>Buffer I/O error on device i2o/hda, logical block 0 Buffer I/O error on device i2o/hda, logical block 0 Buffer I/O error on device i2o/hda, logical block 0 unable to read partition table block-osm: device added (TID: 207): i2o/hda The following patch removes the extra debug checks without any drawbacks and restores the normal driver's work. Signed-off-by: Vasily Averin Acked-by: Markus Lidel Cc: Jens Axboe From: Chuck Ebbert Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 979c3d5113c97bdf7f94a24de86b83d8c79e18c6 Author: Tejun Heo Date: Wed Mar 28 12:31:53 2007 -0400 jmicron: make ide jmicron driver play nice with libata ones jmicron: make ide jmicron driver play nice with libata ones When libata is configured, the device is configured such that SATA and PATA ports live in separate functions with different programming interfaces. pata_jmicron and ide jmicron drivers can drive only the PATA part. This patch makes jmicron match PCI class code such that it doesn't attach itself to the SATA part preventing the proper ahci driver from attaching. This change is suggested by Bartlomiej. Signed-off-by: Tejun Heo Cc: Jeff Garzik Cc: justin@jmicron.com Cc: Chuck Ebbert Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Greg Kroah-Hartman commit 1d9f5f2cf993fad1cdb64ada83d469fe4df40865 Author: Oliver Endriss Date: Wed Mar 28 21:22:42 2007 -0400 V4L: saa7146: Fix allocation of clipping memory V4L: saa7146: Fix allocation of clipping memory Olaf Hering pointed out that SAA7146_CLIPPING_MEM would become very large for PAGE_SIZE > 4K. In fact, the number of clipping windows is limited to 16, and calculate_clipping_registers_rect() does not use more than 256 bytes. SAA7146_CLIPPING_MEM adjusted accordingly. (cherry picked from commit 7a7cd1920969dd9da4e0d99aab573b3eba24c799) Thanks-to: Olaf Hering Acked-by: Michael Hunold Signed-off-by: Oliver Endriss Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit 5e37b8eb6d8f4caa1150a1f3666e08f69798ed31 Author: Simon Arlott Date: Wed Mar 28 21:22:40 2007 -0400 dvb-core: fix several locking related problems dvb-core: fix several locking related problems Fix several instances of dvb-core functions using mutex_lock_interruptible and returning -ERESTARTSYS where the calling function will either never retry or never check the return value. These cause a race condition with dvb_dmxdev_filter_free and dvb_dvr_release, both of which are filesystem release functions whose return value is ignored and will never be retried. When this happens it becomes impossible to open dvr0 again (-EBUSY) since it has not been released properly. (cherry picked from commit c278850206fd9df0bb62a72ca0b277fe20c5a452) Signed-off-by: Simon Arlott Signed-off-by: Andrew Morton Acked-By: Johannes Stezenbach Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit 69e329bf0268ac4ac74e87636b1c745373d4ed65 Author: Thomas Viehweger Date: Wed Mar 28 21:22:37 2007 -0400 DVB: isl6421: don't reference freed memory DVB: isl6421: don't reference freed memory After freeing a block there should be no reference to this block. (cherry picked from commit 09d4895488d4df5c58b739573846f514ceabc911) Signed-off-by: Thomas Viehweger Signed-off-by: Michael Krufky Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 693efbebbbb946eda32023bf9822c6b577ad29c0 Author: Hans Verkuil Date: Wed Mar 28 21:22:35 2007 -0400 V4L: msp_attach must return 0 if no msp3400 was found. V4L: msp_attach must return 0 if no msp3400 was found. Returning -1 causes the probe to stop, but it should just continue instead. This patch fixes an annoying 'i2c_adapter i2c-7: Client creation failed at 0x44 (-1)' kernel message that appeared in 2.6.20 (cherry picked from commit 3284b4e077cb2322754ea7455b8f8af7ce3777b8) Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit 965b112793da04616630a96f22b97afbd4ff25c0 Author: Mauro Carvalho Chehab Date: Wed Mar 28 21:22:32 2007 -0400 V4L: Fix SECAM handling on saa7115 V4L: Fix SECAM handling on saa7115 (cherry picked from commit a9aaec4e83e687d23b78b38e331bbd6a10b96380) Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit 1fe8f720eb5eb8d89af9b24575ac3c949526743b Author: Trent Piepho Date: Wed Mar 28 21:22:28 2007 -0400 V4L: radio: Fix error in Kbuild file V4L: radio: Fix error in Kbuild file All the radio drivers need video_dev, but they were depending on VIDEO_DEV!=n. That meant that one could try to compile the driver into the kernel when VIDEO_DEV=m, which will not work. If video_dev is a module, then the radio drivers must be modules too. (cherry picked from commit b10fece583fdfdb3d2f29b0da3896ec58b8fe122) Signed-off-by: Trent Piepho Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit 80e8196248a8945739759e36fece6227ba670993 Author: Michael Krufky Date: Wed Mar 28 21:22:16 2007 -0400 DVB: fix nxt200x rf input switching DVB: fix nxt200x rf input switching After dvb tuner refactoring, the pll buffer has been altered such that the pll address is now stored in buf[0]. Instead of sending buf to set_pll_input, we should send buf+1. (cherry picked from commit f5ae29e284b328e0976789d5c199bbbe80e4b005) Signed-off-by: Michael Krufky Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 88a214c46c49d1bd82716c370f3c289f2ca2324e Author: Thomas Graf Date: Thu Mar 29 12:34:13 2007 -0700 NET: Fix FIB rules compatability [NET]: Fix fib_rules compatibility breakage Based upon a patch from Patrick McHardy. The fib_rules netlink attribute policy introduced in 2.6.19 broke userspace compatibilty. When specifying a rule with "from all" or "to all", iproute adds a zero byte long netlink attribute, but the policy requires all addresses to have a size equal to sizeof(struct in_addr)/sizeof(struct in6_addr), resulting in a validation error. Check attribute length of FRA_SRC/FRA_DST in the generic framework by letting the family specific rules implementation provide the length of an address. Report an error if address length is non zero but no address attribute is provided. Fix actual bug by checking address length for non-zero instead of relying on availability of attribute. Signed-off-by: Thomas Graf Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit bf3e77ef911c791ad77a137c76194d341ed364c3 Author: Al Viro Date: Thu Mar 29 12:32:48 2007 -0700 FRA_{DST,SRC} are le16 for decnet Signed-off-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f85ca20ed89e288f560b43ccaf5e80f2f6a15895 Author: Mikael Pettersson Date: Thu Mar 29 12:25:38 2007 -0700 SPARC: Fix sparc builds with gcc-4.2.x [SPARC]: sparc64 gcc-4.2.0 20070317 -Werror failure Compiling 2.6.21-rc5 with gcc-4.2.0 20070317 (prerelease) for sparc64 fails as follows: gcc -Wp,-MD,arch/sparc64/kernel/.time.o.d -nostdinc -isystem /home/mikpe/pkgs/linux-sparc64/gcc-4.2.0/lib/gcc/sparc64-unknown-linux-gnu/4.2.0/include -D__KERNEL__ -Iinclude -include include/linux/autoconf.h -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Os -m64 -pipe -mno-fpu -mcpu=ultrasparc -mcmodel=medlow -ffixed-g4 -ffixed-g5 -fcall-used-g7 -Wno-sign-compare -Wa,--undeclared-regs -fomit-frame-pointer -fno-stack-protector -Wdeclaration-after-statement -Wno-pointer-sign -Werror -D"KBUILD_STR(s)=#s" -D"KBUILD_BASENAME=KBUILD_STR(time)" -D"KBUILD_MODNAME=KBUILD_STR(time)" -c -o arch/sparc64/kernel/time.o arch/sparc64/kernel/time.c cc1: warnings being treated as errors arch/sparc64/kernel/time.c: In function 'kick_start_clock': arch/sparc64/kernel/time.c:559: warning: overflow in implicit constant conversion make[1]: *** [arch/sparc64/kernel/time.o] Error 1 make: *** [arch/sparc64/kernel] Error 2 gcc gets unhappy when the MSTK_SET macro's u8 __val variable is updated with &= ~0xff (MSTK_YEAR_MASK). Making the constant unsigned fixes the problem. [ I fixed up the sparc32 side as well -DaveM ] Signed-off-by: Mikael Pettersson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4870b7bf2ed1ffb316bd57ed8172e384ab186d6a Author: Alexey Dobriyan Date: Thu Mar 29 12:22:40 2007 -0700 NET: Fix sock_attach_fd() failure in sys_accept() [NET]: Correct accept(2) recovery after sock_attach_fd() * d_alloc() in sock_attach_fd() fails leaving ->f_dentry of new file NULL * bail out to out_fd label, doing fput()/__fput() on new file * but __fput() assumes valid ->f_dentry and dereferences it Signed-off-by: Alexey Dobriyan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cb8b4fce39de35071349352c004d930bf9266624 Author: David Miller Date: Thu Mar 29 12:16:27 2007 -0700 VIDEO: Fix FFB DAC revision probing [VIDEO] ffb: Fix two DAC handling bugs. The determination of whether the DAC has inverted cursor logic is broken, import the version checks the X.org driver uses to fix this. Next, when we change the timing generator, borrow code from X.org that does 10 NOP reads of the timing generator register afterwards to make sure the video-enable transition occurs cleanly. Finally, use macros for the DAC registers and fields in order to provide documentation for the next person who reads this code. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4eb3dd593742225da375596564aca6aca2470999 Author: Arnaldo Carvalho de Melo Date: Thu Mar 29 11:57:36 2007 -0700 DCCP: Fix exploitable hole in DCCP socket options [DCCP] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV We were only checking if there was enough space to put the int, but left len as specified by the (malicious) user, sigh, fix it by setting len to sizeof(val) and transfering just one int worth of data, the one asked for. Also check for negative len values. Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6fcc93a729a1830abfee7ce3065a4dd750c1c6b1 Author: G. Liakhovetski Date: Mon Mar 26 19:07:40 2007 -0700 PPP: Fix PPP skb leak [PPP]: Don't leak an sk_buff on interface destruction. Signed-off-by: G. Liakhovetski Acked-by: Paul Mackerras Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 00d3a8023ed6cb6c91004b38b50758a542fac645 Author: David Miller Date: Mon Mar 26 18:56:59 2007 -0700 IPV6: Fix ipv6 round-robin locking. [IPV6]: Fix routing round-robin locking. As per RFC2461, section 6.3.6, item #2, when no routers on the matching list are known to be reachable or probably reachable we do round robin on those available routes so that we make sure to probe as many of them as possible to detect when one becomes reachable faster. Each routing table has a rwlock protecting the tree and the linked list of routes at each leaf. The round robin code executes during lookup and thus with the rwlock taken as a reader. A small local spinlock tries to provide protection but this does not work at all for two reasons: 1) The round-robin list manipulation, as coded, goes like this (with read lock held): walk routes finding head and tail spin_lock(); rotate list using head and tail spin_unlock(); While one thread is rotating the list, another thread can end up with stale values of head and tail and then proceed to corrupt the list when it gets the lock. This ends up causing the OOPS in fib6_add() later onthat many people have been hitting. 2) All the other code paths that run with the rwlock held as a reader do not expect the list to change on them, they expect it to remain completely fixed while they hold the lock in that way. So, simply stated, it is impossible to implement this correctly using a manipulation of the list without violating the rwlock locking semantics. Reimplement using a per-fib6_node round-robin pointer. This way we don't need to manipulate the list at all, and since the round-robin pointer can only ever point to real existing entries we don't need to perform any locking on the changing of the round-robin pointer itself. We only need to reset the round-robin pointer to NULL when the entry it is pointing to is removed. The idea is from Thomas Graf and it is very similar to how this was implemented before the advanced router selection code when in. Signed-off-by: David S. Miller commit 5d50dceccd79e5890d08adb40a538f1ac6dfe89d Author: Patrick McHardy Date: Mon Mar 26 18:15:37 2007 -0700 NET_SCHED: Fix ingress qdisc locking. [NET_SCHED]: Fix ingress locking Ingress queueing uses a seperate lock for serializing enqueue operations, but fails to properly protect itself against concurrent changes to the qdisc tree. Use queue_lock for now since the real fix it quite intrusive. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller commit 04301ff6f261dc9230aaf4e2a6a503312dc547bb Author: Patrick McHardy Date: Mon Mar 26 18:13:51 2007 -0700 NET: Fix packet classidier NULL pointer OOPS [NET_SCHED]: cls_basic: fix NULL pointer dereference cls_basic doesn't allocate tp->root before it is linked into the active classifier list, resulting in a NULL pointer dereference when packets hit the classifier before its ->change function is called. Reported by Chris Madden Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 041172896309634d3a2065d69f3534de9d111ddd Author: Stefan Richter Date: Sun Mar 25 21:24:43 2007 +0200 ieee1394: dv1394: fix CardBus card ejection Fix NULL pointer dereference on hot ejection of a FireWire card while dv1394 was loaded. http://bugzilla.kernel.org/show_bug.cgi?id=7121 I did not test card ejection with open /dev/dv1394 files yet. Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit 16ad6a9070a33c1a624ace8880dd92803228a73d Author: Paolo 'Blaisorblade' Giarrusso Date: Thu Mar 29 01:26:11 2007 +0200 uml: fix unreasonably long udelay Currently we have a confused udelay implementation. * __const_udelay does not accept usecs but xloops in i386 and x86_64 * our implementation requires usecs as arg * it gets a xloops count when called by asm/arch/delay.h Bugs related to this (extremely long shutdown times) where reported by some x86_64 users, especially using Device Mapper. To hit this bug, a compile-time constant time parameter must be passed - that's why UML seems to work most times. Fix this with a simple udelay implementation. Signed-off-by: Paolo 'Blaisorblade' Giarrusso Signed-off-by: Greg Kroah-Hartman commit 93420eaf5b7ef59dc1de112419f854741d06bc66 Author: Jeff Dike Date: Sun Mar 25 13:01:44 2007 -0400 UML - use correct register file size everywhere This patch uses MAX_REG_NR consistently to refer to the register file size. FRAME_SIZE isn't sufficient because on x86_64, it is smaller than the ptrace register file size. MAX_REG_NR was introduced as a consistent way to get the number of registers, but wasn't used everywhere it should be. When this causes a problem, it makes PTRACE_SETREGS fail on x86_64 because of a corrupted segment register value in the known-good register file. The patch also adds a register dump at that point in case there are any future problems here. Signed-off-by: Jeff Dike Signed-off-by: Greg Kroah-Hartman commit b40b478e9972ec14cf144f1a03f88918789cbfe0 Author: Jeff Dike Date: Sun Mar 25 12:54:32 2007 -0400 UML - Fix static linking During a static link, ld has started putting a .note section in the .uml.setup.init section. This has the result that the UML setups begin with 32 bytes of garbage and UML crashes immediately on boot. This patch creates a specific .note section for ld to drop this stuff into. Signed-off-by: Jeff Dike Signed-off-by: Greg Kroah-Hartman commit 6f6017090339ddb751b3c71840c214282214f6bc Author: Jeff Dike Date: Fri Mar 23 15:37:30 2007 -0400 UML - host VDSO fix This fixes a problem seen by a number of people running UML on newer host kernels. init would hang with an infinite segfault loop. It turns out that the host kernel was providing a AT_SYSINFO_EHDR of 0xffffe000, which faked UML into believing that the host VDSO page could be reused. However, AT_SYSINFO pointed into the middle of the address space, and was unmapped as a result. Because UML was providing AT_SYSINFO_EHDR and AT_SYSINFO to its own processes, these would branch to nowhere when trying to use the VDSO. The fix is to also check the location of AT_SYSINFO when deciding whether to use the host's VDSO. Signed-off-by: Jeff Dike Signed-off-by: Greg Kroah-Hartman commit edfcf73f3005c29f7f28f4fcd47cfbfc06af10bb Author: Jeff Dike Date: Fri Mar 23 14:18:17 2007 -0400 UML - fix epoll UML/x86_64 needs the same packing of struct epoll_event as x86_64. Signed-off-by: Jeff Dike Signed-off-by: Greg Kroah-Hartman commit 83b72f1c7cc4bfdb0958a2c1709c5a17ea10c7dd Author: Robert Hancock Date: Thu Mar 22 12:39:04 2007 -0400 sata_nv: delay on switching between NCQ and non-NCQ commands sata_nv: delay on switching between NCQ and non-NCQ commands This patch appears to solve some problems with commands timing out in cases where an NCQ command is immediately followed by a non-NCQ command (or possibly vice versa). This is a rather ugly solution, but until we know more about why this is needed, this is about all we can do. [backport to 2.6.20 by Chuck Ebbert ] Signed-off-by: Robert Hancock Cc: Chuck Ebbert Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 9f6a92b47b7580d35170712933f4eaab63d72238 Author: Albert Lee Date: Wed Mar 21 16:08:49 2007 -0400 ide: remove clearing bmdma status from cdrom_decode_status() (rev #4) ide: remove clearing bmdma status from cdrom_decode_status() (rev #4) patch 2/2: Remove clearing bmdma status from cdrom_decode_status() since ATA devices might need it as well. (http://lkml.org/lkml/2006/12/4/201 and http://lkml.org/lkml/2006/11/15/94) Signed-off-by: Albert Lee Cc: Sergei Shtylyov Cc: Alan Cox Cc: "Adam W. Hawks" Cc: Chuck Ebbert Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Greg Kroah-Hartman commit 9757c1a00e0494b5bb19383c9cba2906b471464e Author: Albert Lee Date: Wed Mar 21 16:08:08 2007 -0400 ide: clear bmdma status in ide_intr() for ICHx controllers (revised #4) ide: clear bmdma status in ide_intr() for ICHx controllers (revised #4) patch 1/2 (revised): - Fix drive->waiting_for_dma to work with CDB-intr devices. - Do the dma status clearing in ide_intr() and add a new hwif->ide_dma_clear_irq for Intel ICHx controllers. Revised per Alan, Sergei and Bart's advice. Patch against 2.6.20-rc6. Tested ok on my ICH4 and pdc20275 adapters. Please review/apply, thanks. Signed-off-by: Albert Lee Cc: Sergei Shtylyov Cc: Alan Cox Cc: Adam Hawks Cc: Chuck Ebbert Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Greg Kroah-Hartman