commit 564292ecbfb3231bcb9a75d80341967b5b833b97
Author: Greg Kroah-Hartman
Date:   Fri Nov 2 08:48:19 2007 -0700

    Linux 2.6.22.11

commit 8aa78d8d9e98513a529f99f12cfd577531021f9b
Author: Gregory Haskins
Date:   Wed Oct 31 11:44:05 2007 -0400

    lockdep: fix mismatched lockdep_depth/curr_chain_hash

    patch 3aa416b07f0adf01c090baab26fb70c35ec17623 in mainline.

    lockdep: fix mismatched lockdep_depth/curr_chain_hash

    It is possible for the current->curr_chain_key to become inconsistent
    with the current index if the chain fails to validate.  The end result
    is that future lock_acquire() operations may inadvertently fail to find
    a hit in the cache resulting in a new node being added to the graph for
    every acquire.

    [ peterz: this might explain some of the lockdep is so _slow_ complaints. ]
    [ mingo: this does not impact the correctness of validation, but may slow
      down future operations significantly, if the chain gets very long. ]

    Signed-off-by: Gregory Haskins
    Signed-off-by: Peter Zijlstra
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 02d29bbef2858caeac240a3d6291695717845c41
Author: Kumar Gala
Date:   Thu Oct 11 17:07:34 2007 -0500

    POWERPC: Fix handling of stfiwx math emulation

    patch ba02946a903015840ef672ccc9dc8620a7e83de6 in mainline

    It's legal for the stfiwx instruction to have RA = 0 as part of its
    effective address calculation.  This is illegal for all other XE form
    instructions.

    Add code to compute the proper effective address for stfiwx if
    RA = 0 rather than treating it as illegal.

    Signed-off-by: Kumar Gala
    Signed-off-by: Greg Kroah-Hartman

commit 0a0225bae6d086e1ffa8a5aa3bf265ec83b57c34
Author: Dave Airlie
Date:   Tue Oct 16 01:05:49 2007 +0100

    i915: fix vbl swap allocation size.

    This is upstream as 54583bf4efda79388fc13163e35c016c8bc5de81

    Oops...

    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 0d5295636a1f2d9fe7d344df976a220bc92c3050
Author: Jean Delvare
Date:   Mon Oct 15 15:02:42 2007 +0200

    hwmon/w83627hf: Don't assume bank 0

    Already in Linus' tree:
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d58df9cd788e6fb4962e1c8d5ba7b8b95d639a44

    The bank switching code assumes that the bank selector is set to 0
    when the driver is loaded. This might not be the case. This is exactly
    the same bug as was fixed in the w83627ehf driver two months ago:
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0956895aa6f8dc6a33210967252fd7787652537d

    In practice, this bug was causing the sensor thermal types to be
    improperly reported for my W83627THF the first time I was loading the
    w83627hf driver. From the driver history, I'd say that it has been
    broken since September 2005 (when we stopped resetting the chip by
    default at driver load.)

    Signed-off-by: Jean Delvare
    Signed-off-by: Mark M. Hoffman
    Signed-off-by: Greg Kroah-Hartman

commit f5000270cfd5087ac68477766065445c5fdc343b
Author: Jean Delvare
Date:   Mon Oct 15 14:32:27 2007 +0200

    hwmon/w83627hf: Fix setting fan min right after driver load

    Already in Linus' tree:
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c09c5184a26158da32801e89d5849d774605f0dd

    We need to read the fan clock dividers at initialization time,
    otherwise the code in store_fan_min() may use uninitialized values.
    That's pretty much the same bug and same fix as for the w83627ehf
    driver last month.

    Signed-off-by: Jean Delvare
    Signed-off-by: Mark M. Hoffman
    Signed-off-by: Greg Kroah-Hartman

commit f3c97cd833e15aa67cf24e6ac84a81ce02a0aca0
Author: Jean Delvare
Date:   Mon Oct 15 14:02:36 2007 +0200

    hwmon/lm87: Disable VID when it should be

    Already in Linus' tree:
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=889af3d5d9586db795a06c619e416b4baee11da8

    A stupid bit shifting bug caused the VID value to be always exported
    even when the hardware is configured for something different.

    Signed-off-by: Jean Delvare
    Signed-off-by: Mark M. Hoffman
    Signed-off-by: Greg Kroah-Hartman

commit c285b5c2ac692507a1724fb1fc447b17fd3dba4f
Author: Jean Delvare
Date:   Mon Oct 15 13:49:50 2007 +0200

    hwmon/lm87: Fix a division by zero

    Already in Linus' tree:
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b965d4b7f614522170af6a7e450be0333792ccd2

    Missing parentheses in the definition of FAN_FROM_REG cause a
    division by zero for a specific register value.

    Signed-off-by: Jean Delvare
    Acked-by: Hans de Goede
    Signed-off-by: Mark M. Hoffman
    Signed-off-by: Greg Kroah-Hartman

commit 7d57d714006e652e420193ff114d5314661e54e4
Author: Ian Armstrong
Date:   Sun Oct 14 11:53:46 2007 -0400

    V4L: ivtv: fix udma yuv bug

    Based on cb50f548c0ee9b2aac39743fc4021a7188825a98 in mainline

    [PATCH] V4L: ivtv: fix udma yuv bug

    Using udma yuv causes the driver to become locked into that mode. This
    prevents use of the mpeg decoder & non-udma yuv output.

    This patch clears the operating mode when the device is closed.

    Signed-off-by: Ian Armstrong
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit 2c69807c486caab74f2fe29834b53a47dee04919
Author: Peter Korsgaard
Date:   Fri Oct 12 14:14:02 2007 +0200

    dm9601: Fix receive MTU

    patch f662fe5a0b144efadbfc00e8040e603ec318746e in mainline.

    dm9601: Fix receive MTU

    dm9601 didn't take the ethernet header into account when calculating
    RX MTU, causing packets bigger than 1486 to fail.

    Signed-off-by: Peter Korsgaard
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit c9a06c0099d53aab5853a52076a756c967c121a5
Author: Jeff Garzik
Date:   Tue Jul 17 00:01:09 2007 -0400

    netdrvr: natsemi: Fix device removal bug

    This episode illustrates how an overused warning can train people to
    ignore that warning, which winds up hiding bugs.

    The warning

    drivers/net/natsemi.c: In function ‘natsemi_remove1’:
    drivers/net/natsemi.c:3222: warning: ignoring return value of ‘device_create_file’, declared with attribute warn_unused_result

    is oft-ignored, even though at close inspection one notices this occurs
    in the /remove/ function, not normally where creation occurs.  A quick
    s/create/remove/ and we are fixed, with the warning gone.

    Signed-off-by: Jeff Garzik
    Cc: Karsten Keil
    Signed-off-by: Greg Kroah-Hartman

commit d9e0dded68a8de6a831dd9c31be32a45f4b67373
Author: Stefan Richter
Date:   Wed Oct 10 22:37:25 2007 +0200

    firewire: fix unloading of fw-ohci while devices are attached

    Fix panic in run_timer_softirq right after "modprobe -r firewire-ohci"
    if a FireWire disk was attached and firewire-sbp2 loaded.

    Same as commit 8a2d9ed3210464d22fccb9834970629c1c36fa36.

    Signed-off-by: Stefan Richter
    Signed-off-by: Greg Kroah-Hartman

commit 774b4c5215a40f8971ca71470f3832e0ed53a41f
Author: Andy Green
Date:   Tue Oct 9 22:46:33 2007 -0400

    Add get_unaligned to ieee80211_get_radiotap_len

    patch dfe6e81deaa79c85086c0cc8d85b229e444ab97f in mainline.

    ieee80211_get_radiotap_len() tries to dereference radiotap length
    without taking care that it is completely unaligned and get_unaligned()
    is required.

    Signed-off-by: Andy Green
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 8c7537c719348c8bed52f08b2d6e9a8795165290
Author: Al Viro
Date:   Tue Oct 9 22:46:37 2007 -0400

    libertas: more endianness breakage

    based on patch 8362cd413e8116306fafbaf414f0419db0595142 in mainline.

    domain->header.len is le16 and has just been assigned
    cpu_to_le16(arithmetical expression).  And all fields of adapter->logmsg
    are __le32; not a single 16-bit among them...

    That's incremental to the previous one

    Signed-off-by: Al Viro
    Signed-off-by: Dan Williams
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 4b8e10dc2e8ea71df455827f09a5d2b0a3d3dc6e
Author: Al Viro
Date:   Tue Oct 9 22:46:36 2007 -0400

    libertas: fix endianness breakage

    patch 5707708111ca6c4e9a1160acffdc98a98d95e462 in mainline.

    wep->keytype[] is u8

    Signed-off-by: Al Viro
    Signed-off-by: Dan Williams
    Signed-off-by: John W. Linville

commit 54b932c50865c707877ae954bae499e6539c37b5
Author: John W. Linville
Date:   Tue Oct 9 22:46:35 2007 -0400

    mac80211: filter locally-originated multicast frames

    patch b331615722779b078822988843ddffd4eaec9f83 in mainline.

    In STA mode, the AP will echo our traffic.  This includes multicast
    traffic.

    Receiving these frames confuses some protocols and applications,
    notably IPv6 Duplicate Address Detection.

    Signed-off-by: John W. Linville
    Signed-off-by: Johannes Berg
    Acked-by: Michael Wu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit dec0da2c0b439daf394957660e62824987f9b021
Author: Eric Dumazet
Date:   Wed Oct 10 03:28:33 2007 -0700

    Fix TCP initial sequence number selection.

    changeset 162f6690a65075b49f242d3c8cdb5caaa959a060 in mainline.

    TCP V4 sequence numbers are 32bits, and RFC 793 assumed a 250 KHz clock.
    In order to follow network speed increase, we can use a faster clock,
    but we should limit this clock so that the delay between two rollovers
    is greater than MSL (TCP Maximum Segment Lifetime : 2 minutes)

    Choosing a 64 nsec clock should be OK, since the rollovers occur every
    274 seconds.

    Problem spotted by Denys Fedoryshchenko

    [ This bug was introduced by f85958151900f9d30fa5ff941b0ce71eaa45a7de ]

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 55d0058fe82cade2896d316952341c64d7dfa7c9
Author: David Miller
Date:   Wed Oct 10 03:27:19 2007 -0700

    Fix TCP MD5 on big-endian.

    changeset f8ab18d2d987a59ccbf0495032b2aef05b730037 in mainline.

    Based upon a report and initial patch by Peter Lieven.

    tcp4_md5sig_key and tcp6_md5sig_key need to start with
    the exact same members as tcp_md5sig_key.  Because they
    are both cast to that type by tcp_v{4,6}_md5_do_lookup().

    Unfortunately tcp{4,6}_md5sig_key use a u16 for the key
    length instead of a u8, which is what tcp_md5sig_key
    uses.  This just so happens to work by accident on
    little-endian, but on big-endian it doesn't.

    Instead of casting, just place tcp_md5sig_key as the first member
    of the address-family specific structures, adjust the access
    sites, and kill off the ugly casts.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 692767dfebce10bc997073eb707a934348cdfe08
Author: Ilpo Järvinen
Date:   Wed Oct 10 03:25:53 2007 -0700

    Fix TCP's ->fastpath_cnt_hit handling.

    changeset 48611c47d09023d9356e78550d1cadb8d61da9c8 in mainline.

    When only GSO skb was partially ACKed, no hints are reset,
    therefore fastpath_cnt_hint must be tweaked too or else it can
    corrupt fackets_out. For the corruption to occur, one must have
    a non-trivial ACK/SACK sequence, so this bug is not very often
    that harmful. There's a fackets_out state reset in TCP because
    fackets_out is known to be inaccurate and that fixes the issue
    eventually anyway.

    In case there was also at least one skb that got fully ACKed,
    the fastpath_skb_hint is set to NULL which causes a recount for
    fastpath_cnt_hint (the old value won't be accessed anymore),
    thus it can safely be decremented without additional checking.

    Reported by Cedric Le Goater

    Signed-off-by: Ilpo Järvinen
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit e43358c5c81a6b7be8d55af6d736e05aa3d8ceb7
Author: David S. Miller
Date:   Wed Oct 10 03:22:30 2007 -0700

    Fix sys_ipc() SEMCTL on sparc64.

    changeset 6536a6b331d3225921c398eb7c6e4ecedb9b05e0 from mainline

    Thanks to Tom Callaway for the excellent bug report and
    test case.

    sys_ipc() has several problems, most to do with semaphore
    call handling:

    1) 'err' return should be a 'long'
    2) "union semun" is passed in a register on 64-bit compared
       to 32-bit which provides it on the stack and therefore
       by reference
    3) Second and third arguments to SEMCTL are swapped compared
       to 32-bit.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 791333baf11dbf37dd8f566909f8c1d5b939bf04
Author: David S. Miller
Date:   Wed Oct 10 03:21:37 2007 -0700

    Fix zero length socket write() semantics.

    changeset e79ad711a0108475c1b3a03815527e7237020b08 from mainline.

    This fixes kernel bugzilla #5731

    It should generate an empty packet for datagram protocols when the
    socket is connected, for one.

    The check is doubly-wrong because all that a write() can be is a
    sendmsg() call with a NULL msg_control and a single entry iovec.  No
    special semantics should be assigned to it, therefore the zero length
    check should be removed entirely.

    This matches the behavior of BSD and several other systems.

    Alan Cox notes that SuSv3 says the behavior of a zero length write on
    non-files is "unspecified", but that's kind of useless since BSD has
    defined this behavior for a quarter century and BSD is essentially
    what application folks code to.

    Based upon a patch from Stephen Hemminger.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit f7c6bfbbb4a3c06015c2ce4098000a4d037098db
Author: Alexey Dobriyan
Date:   Wed Oct 10 03:20:01 2007 -0700

    Fix ROSE module unload oops.

    changeset 891e6a931255238dddd08a7b306871240961a27f from mainline.

    Commit a3d384029aa304f8f3f5355d35f0ae274454f7cd aka
    "[AX.25]: Fix unchecked rose_add_loopback_neigh uses"
    transformed rose_loopback_neigh var into statically allocated one.
    However, on unload it will be kfree'd which can't work.

    Steps to reproduce:

        modprobe rose
        rmmod rose

    BUG: unable to handle kernel NULL pointer dereference at virtual address 00000008
     printing eip:
    c014c664
    *pde = 00000000
    Oops: 0000 [#1]
    PREEMPT DEBUG_PAGEALLOC
    Modules linked in: rose ax25 fan ufs loop usbhid rtc snd_intel8x0 snd_ac97_codec ehci_hcd ac97_bus uhci_hcd thermal usbcore button processor evdev sr_mod cdrom
    CPU:    0
    EIP:    0060:[]    Not tainted VLI
    EFLAGS: 00210086   (2.6.23-rc9 #3)
    EIP is at kfree+0x48/0xa1
    eax: 00000556   ebx: c1734aa0   ecx: f6a5e000   edx: f7082000
    esi: 00000000   edi: f9a55d20   ebp: 00200287   esp: f6a5ef28
    ds: 007b   es: 007b   fs: 0000  gs: 0033  ss: 0068
    Process rmmod (pid: 1823, ti=f6a5e000 task=f7082000 task.ti=f6a5e000)
    Stack: f9a55d20 f9a5200c 00000000 00000000 00000000 f6a5e000 f9a5200c f9a55a00
           00000000 bf818cf0 f9a51f3f f9a55a00 00000000 c0132c60 65736f72 00000000
           f69f9630 f69f9528 c014244a f6a4e900 00200246 f7082000 c01025e6 00000000
    Call Trace:
     [] rose_rt_free+0x1d/0x49 [rose]
     [] rose_rt_free+0x1d/0x49 [rose]
     [] rose_exit+0x4c/0xd5 [rose]
     [] sys_delete_module+0x15e/0x186
     [] remove_vma+0x40/0x45
     [] sysenter_past_esp+0x8f/0x99
     [] trace_hardirqs_on+0x118/0x13b
     [] sysenter_past_esp+0x5f/0x99
     =======================
    Code: 05 03 1d 80 db 5b c0 8b 03 25 00 40 02 00 3d 00 40 02 00 75 03 8b 5b 0c 8b 73 10 8b 44 24 18 89 44 24 04 9c 5d fa e8 77 df fd ff <8b> 56 08 89 f8 e8 84 f4 fd ff e8 bd 32 06 00 3b 5c 86 60 75 0f
    EIP: [] kfree+0x48/0xa1 SS:ESP 0068:f6a5ef28

    Signed-off-by: Alexey Dobriyan
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit e483eb68a46b539c58a3a379960646ea054fafad
Author: Brian Haley
Date:   Wed Oct 10 03:19:06 2007 -0700

    Fix ipv6 redirect processing, leads to TAHI failures.

    changeset bf0b48dfc368c07c42b5a3a5658c8ee81b4283ac from mainline.

    When the ICMPv6 Target address is multicast, Linux processes the
    redirect instead of dropping it.  The problem is in this code in
    ndisc_redirect_rcv():

            if (ipv6_addr_equal(dest, target)) {
                    on_link = 1;
            } else if (!(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) {
                    ND_PRINTK2(KERN_WARNING
                               "ICMPv6 Redirect: target address is not link-local.\n");
                    return;
            }

    This second check will succeed if the Target address is, for example,
    FF02::1 because it has link-local scope.  Instead, it should be
    checking if it's a unicast link-local address, as stated in RFC
    2461/4861 Section 8.1:

          - The ICMP Target Address is either a link-local address (when
            redirected to a router) or the same as the ICMP Destination
            Address (when redirected to the on-link destination).

    I know this doesn't explicitly say unicast link-local address, but
    it's implied.

    This bug is preventing Linux kernels from achieving IPv6 Logo Phase II
    certification because of a recent error that was found in the TAHI
    test suite - Neighbor Discovery suite test 206 (v6LC.2.3.6_G) had the
    multicast address in the Destination field instead of Target field, so
    we were passing the test.  This won't be the case anymore.

    The patch below fixes this problem, and also fixes
    ndisc_send_redirect() to not send an invalid redirect with a multicast
    address in the Target field.  I re-ran the TAHI Neighbor Discovery
    section to make sure Linux passes all 245 tests now.

    Signed-off-by: Brian Haley
    Acked-by: David L Stevens
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 3b3ba80b46eaf05349fb8e9337f154f8ef697ab9
Author: Mitsuru Chinen
Date:   Wed Oct 10 03:16:26 2007 -0700

    Fix some cases of missed IPV6 DAD

    changeset 0fcace22d38ce9216f5ba52f929a99d284aa7e49 from mainline

    To judge the timing for DAD, netif_carrier_ok() is used. However,
    there is a possibility that dev->qdisc stays noop_qdisc even if
    netif_carrier_ok() returns true. In that case, DAD NS is not sent out.
    We need to defer the IPv6 device initialization until a valid qdisc
    is specified.

    Signed-off-by: Mitsuru Chinen
    Signed-off-by: YOSHIFUJI Hideaki
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 1902ababc2188dea47d5677869fdd43c88490923
Author: John W. Linville
Date:   Wed Oct 10 03:12:57 2007 -0700

    Fix ieee80211 handling of bogus hdrlength field

    changeset 04045f98e0457aba7d4e6736f37eed189c48a5f7 from mainline

    Reported by Chris Evans:

    > The summary is that an evil 80211 frame can crash out a victim's
    > machine. It only applies to drivers using the 80211 wireless code, and
    > only then to certain drivers (and even then depends on a card's
    > firmware not dropping a dubious packet). I must confess I'm not
    > keeping track of Linux wireless support, and the different protocol
    > stacks etc.
    >
    > Details are as follows:
    >
    > ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
    > There are other skb->len checks, but not enough to prevent a subtle
    > off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag
    > set.
    >
    > This leads to integer underflow and crash here:
    >
    > if (frag != 0)
    >    flen -= hdrlen;
    >
    > (flen is subsequently used as a memcpy length parameter).

    How about this?

    Signed-off-by: John W. Linville
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit fda485207e705c4447d450155e9b4eb85acf8062
Author: Stephen Hemminger
Date:   Wed Oct 10 03:10:39 2007 -0700

    Fix cls_u32 error return handling.

    changeset bf1b803b01b00c3801e0aa373ba0305f8278e260 from mainline.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit c0d96d06ef796e7c7d2fd11333c907e81f8b047b
Author: David Miller
Date:   Wed Oct 10 03:09:12 2007 -0700

    Fix ESP host instance numbering.

    changeset ff4abd6cfacf0bb23a077f615d3a5cd17359db1b in mainline.

    The ESP scsi driver does not initialize the host controller
    instance early enough, so the messages in the log confuse
    users.

    Signed-off-by: David S. Miller
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit f310d0f08fdf2c9ed846ddcb958c50507c7833b9
Author: Thomas Gleixner
Date:   Sat Sep 22 22:29:05 2007 +0000

    ACPI: disable lower idle C-states across suspend/resume

    changeset b04e7bdb984e3b7f62fb7f44146a529f88cc7639 from mainline.

    device_suspend() calls ACPI suspend functions, which seems to have
    undesired side effects on lower idle C-states. It took me some time to
    realize that especially the VAIO BIOSes (both Andrew's jinxed UP and my
    elfstruck SMP one) show this effect. I'm quite sure that other bug
    reports against suspend/resume about turning the system into a brick
    have the same root cause.

    After fishing in the dark for quite some time, I realized that removing
    the ACPI processor module before suspend (this removes the lower C-state
    functionality) made the problem disappear. Interestingly enough the
    probability of having a bricked box is influenced by various factors
    (interrupts, size of the ram image, ...). Even adding a bunch of printks
    in the wrong places made the problem go away. The previous periodic tick
    implementation simply pampered over the problem, which explains why the
    dyntick / clockevents changes made this more prominent.

    We avoid complex functionality during the boot process and we have to do
    the same during suspend/resume. It is a similar scenario and equally
    fragile.

    Add suspend / resume functions to the ACPI processor code and disable
    the lower idle C-states across suspend/resume. Fall back to the default
    idle implementation (halt) instead.

    Signed-off-by: Thomas Gleixner
    Tested-by: Andrew Morton
    Cc: Len Brown
    Cc: Venkatesh Pallipadi
    Cc: Rafael J. Wysocki
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman