commit 0565dc16555165fbca080c2121bec74ec79f1fc5 Author: Greg Kroah-Hartman Date: Thu Aug 9 14:28:15 2007 -0700 Linux 2.6.22.2 commit c1684d41f2ef06cd9dc5adcd960df3a5136553af Author: Jeff Dike Date: Tue Jul 10 12:49:04 2007 -0400 UML: exports for hostfs Add some exports for hostfs that are required after Alberto Bertogli's fixes for accessing unlinked host files. Also did some style cleanups while I was here. Signed-off-by: Jeff Dike Signed-off-by: Greg Kroah-Hartman commit e9a96a1885017b4af9b74b40a0fbe9c721bc420b Author: Jiri Slaby Date: Tue Jul 10 17:22:25 2007 -0700 sx: switch subven and subid values sx.c is failing to locate Graham's card. Signed-off-by: Jiri Slaby Cc: Graham Murray Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit ac548fa4cb98b948b1e3802c62859cebef21d3b1 Author: Oliver Neukum Date: Mon Jul 2 16:20:25 2007 +0200 USB: fix for ftdi_sio quirk handling this one fixes an oops with quirky ftdi_sio devices. As it fixes a regression, I propose that it be included in 2.6.22 Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 36466b3d9baf45b77bda5c09f174816ab763f100 Author: Patrick McHardy Date: Wed Jul 25 17:00:15 2007 +0200 Netfilter: Fix logging regression [NETFILTER]: Fix logging regression Loading one of the LOG target fails if a different target has already registered itself as backend for the same family. This can affect the ipt_LOG and ipt_ULOG modules when both are loaded. Reported and tested by: Upstream-commit: 7e2acc7e Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit 93ffc3e3671046c3fc641987832628aa8d2edca3 Author: YOSHIFUJI Hideaki Date: Thu Jul 12 22:24:52 2007 -0700 sysfs: release mutex when kmalloc() failed in sysfs_open_file(). Signed-off-by: Greg Kroah-Hartman commit 05b1ed7990f79388573430faf4f28c31eeaf377b Author: David Stevens Date: Mon Feb 26 16:28:56 2007 -0800 IPV6: /proc/net/anycast6 unbalanced inet6_dev refcnt Reading /proc/net/anycast6 when there is no anycast address on an interface results in an ever-increasing inet6_dev reference count, as well as a reference to the netdevice you can't get rid of. Signed-off-by: David S. Miller Cc: Marcus Meissner Signed-off-by: Greg Kroah-Hartman commit 6b870a3938061b49a19b2e76ae1ddec967e6fb0f Author: Yasuyuki Kozakai Date: Tue Jul 17 17:25:10 2007 +0200 nf_conntrack: don't track locally generated special ICMP error [NETFILTER]: nf_conntrack: don't track locally generated special ICMP error The conntrack assigned to locally generated ICMP error is usually the one assigned to the original packet which has caused the error. But if the original packet is handled as invalid by nf_conntrack, no conntrack is assigned to the original packet. Then nf_ct_attach() cannot assign any conntrack to the ICMP error packet. In that case the current nf_conntrack_icmp assigns appropriate conntrack to it. But the current code mistakes the direction of the packet. As a result, NAT code mistakes the address to be mangled. To fix the bug, this changes nf_conntrack_icmp not to assign conntrack to such ICMP error. Actually no address is necessary to be mangled in this case. Spotted by Jordan Russell. Signed-off-by: Yasuyuki Kozakai Upstream commit ID: 130e7a83d7ec8c5c673225e0fa8ea37b1ed507a5 Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit b3c5cf79540eb7c65047c917897a1a69ba6aed3e Author: Ville Tervo Date: Wed Jul 11 09:23:41 2007 +0200 Keep rfcomm_dev on the list until it is freed This patch changes the RFCOMM TTY release process so that the TTY is kept on the list until it is really freed. A new device flag is used to keep track of released TTYs. Signed-off-by: Ville Tervo Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit 772aa8b19ac7c8965ea896c3f8ea0bec8f6b6ee7 Author: Mikko Rapeli Date: Wed Jul 11 09:18:15 2007 +0200 Hangup TTY before releasing rfcomm_dev The core problem is that RFCOMM socket layer ioctl can release rfcomm_dev struct while RFCOMM TTY layer is still actively using it. Calling tty_vhangup() is needed for a synchronous hangup before rfcomm_dev is freed. Addresses the oops at http://bugzilla.kernel.org/show_bug.cgi?id=7509 Acked-by: Alan Cox Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit 2547c387c41e5dda43f7a484a46b40ae0b491aef Author: Chuck Ebbert Date: Tue Aug 7 11:27:41 2007 -0400 ACPI: dock: fix opps after dock driver fails to initialize ACPI: dock: fix opps after dock driver fails to initialize The driver tests the dock_station pointer for nonnull to check whether it has initialized properly. But in some cases dock_station will be non-null after being freed when driver init fails. Fix by zeroing the pointer after freeing. Signed-off-by: Chuck Ebbert Signed-off-by: Kristen Carlson Accardi Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 749de926ff8a21e94a6771ad02fff49d99dc2a90 Author: Jesper Juhl Date: Fri Jul 20 00:31:47 2007 -0700 cr_backlight_probe() allocates too little storage for struct cr_panel The Coverity checker noticed that we allocate too little storage for "struct cr_panel *crp" in cr_backlight_probe(). Signed-off-by: Jesper Juhl Cc: Thomas Hellstrom Cc: Alan Hourihane Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit b308574d183b5a91f52918bda2c0129b64527756 Author: Stefan Bader Date: Thu Jul 12 17:28:33 2007 +0100 dm: disable barriers This patch causes device-mapper to reject any barrier requests. This is done since most of the targets won't handle this correctly anyway. So until the situation improves it is better to reject these requests at the first place. Since barrier requests won't get to the targets, the checks there can be removed. Signed-off-by: Stefan Bader Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 7afcfb0745af9fc90146c37565cd6998eaefc37f Author: Milan Broz Date: Thu Jul 12 17:28:13 2007 +0100 dm snapshot: permit invalid activation Allow invalid snapshots to be activated instead of failing. This allows userspace to reinstate any given snapshot state - for example after an unscheduled reboot - and clean up the invalid snapshot at its leisure. Signed-off-by: Milan Broz Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 3bca2f557175e72b20f76d7489695f4c76ca0bf4 Author: Jun'ichi Nomura Date: Thu Jul 12 17:27:45 2007 +0100 dm io: fix another panic on large request bio_alloc_bioset() will return NULL if 'num_vecs' is too large. Use bio_get_nr_vecs() to get estimation of maximum number. Signed-off-by: Junichi Nomura Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 74ff092c258313747791da5d82054027167d1a79 Author: Milan Broz Date: Thu Jul 12 17:27:24 2007 +0100 dm raid1: fix status Fix mirror status line broken in dm-log-report-fault-status.patch: - space missing between two words - placeholder ("0") required for compatibility with a subsequent patch - incorrect offset parameter Signed-off-by: Milan Broz Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit ab2a4f10820d87685caad4da016b6b8b3953bb8e Author: J. Bruce Fields Date: Mon Jul 23 18:43:52 2007 -0700 nfsd: fix possible oops on re-insertion of rpcsec_gss modules The handling of the re-registration case is wrong here; the "test" that was returned from auth_domain_lookup will not be used again, so that reference should be put. And auth_domain_lookup never did anything with "new" in this case, so we should just clean it up ourself. Thanks to Akinobu Mita for bug report, analysis, and testing. Cc: Akinobu Mita Signed-off-by: "J. Bruce Fields" Cc: Neil Brown Cc: Trond Myklebust Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 5823d303986dcad51048d94a523216dd65276424 Author: Stefan Richter Date: Sat Aug 4 18:39:34 2007 +0200 ieee1394: revert "sbp2: enforce 32bit DMA mapping" Revert commit 0555659d63c285ceb7ead3115532e1b71b0f27a7 from 2.6.22-rc1. The dma_set_mask call somehow failed on a PowerMac G5, PPC64: http://lkml.org/lkml/2007/8/1/344 Should there ever occur a DMA mapping beyond the physical DMA range, a proper SBP-2 firmware will report transport errors. So let's leave it at that. Same as commit a9c2f18800753c82c45fc13b27bdc148849bdbb2. Signed-off-by: Stefan Richter Tested-by: Olaf Hering Signed-off-by: Greg Kroah-Hartman commit d1901fd4f996b18045de60d44b934ce097f699c0 Author: Tejun Heo Date: Tue Jul 10 16:16:18 2007 +0900 libata: add FUJITSU MHV2080BH to NCQ blacklist Please warmly welcome the first member from FUJITSU to the prestigious NCQ spurious completion club. This is reported by Serge Van Thillo in bugzilla bug 8730. http://bugzilla.kernel.org/show_bug.cgi?id=8730 Signed-off-by: Tejun Heo Cc: Serge van Thillo Cc: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 2c658236a4e1005185668ef58463c40db7ef642e Author: Jens Axboe Date: Tue Jul 10 22:11:00 2007 +0200 cfq-iosched: fix async queue behaviour With the cfq_queue hash removal, we inadvertently got rid of the async queue sharing. This was not intentional, in fact CFQ purposely shares the async queue per priority level to get good merging for async writes. So put some logic in cfq_get_queue() to track the shared queues. Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit cba95c85a95333df7f7875ef15fd24fcd797348a Author: Adrian Bunk Date: Tue Jul 17 04:05:53 2007 -0700 drivers/video/macmodes.c:mac_find_mode() mustn't be __devinit If it's EXPORT_SYMBOL'ed it can't be __devinit. Reported by Mikael Pettersson. Signed-off-by: Adrian Bunk Cc: "Antonino A. Daplas" Cc: Michal Piotrowski Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 0b9a58a713f276833943528792844808ccc3e4ae Author: Oleg Nesterov Date: Tue Jul 17 04:03:55 2007 -0700 destroy_workqueue() can livelock Pointed out by Michal Schmidt . The bug was introduced in 2.6.22 by me. cleanup_workqueue_thread() does flush_cpu_workqueue(cwq) in a loop until ->worklist becomes empty. This is live-lockable, a re-niced caller can get CPU after wake_up() and insert a new barrier before the lower-priority cwq->thread has a chance to clear ->current_work. Change cleanup_workqueue_thread() to do flush_cpu_workqueue(cwq) only once. We can rely on the fact that run_workqueue() won't return until it flushes all works. So it is safe to call kthread_stop() after that, the "should stop" request won't be noticed until run_workqueue() returns. Signed-off-by: Oleg Nesterov Cc: Michal Schmidt Cc: Srivatsa Vaddagiri Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 7553b617208a627281cd764ec6b08070e56a4dcb Author: Mattia Dongili Date: Mon Jul 16 02:44:58 2007 +0900 sony-laptop: fix bug in event handling The rewritten event reading code from sonypi was absolutely wrong, this patche makes things functional for type2 and type1 models. Cc: Andrei Paskevich Signed-off-by: Mattia Dongili Signed-off-by: Greg Kroah-Hartman commit 37ed1c7082cb0af655d9f7ab5aca8c97c5150609 Author: Jeff Dike Date: Sun Jul 15 23:38:58 2007 -0700 uml: limit request size on COWed devices COWed devices can't handle more than 32 (64 on x86_64) sectors in one request due to the size of the bitmap being carried around in the io_thread_req. Enforce that by telling the block layer not to put too many sectors in requests to COWed devices. Signed-off-by: Jeff Dike Cc: Paolo 'Blaisorblade' Giarrusso Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit ed173ab97b4faeeb2809a81c2fa0e6e4f979d5bb Author: Herbert van den Bergh Date: Sun Jul 15 23:38:25 2007 -0700 do not limit locked memory when RLIMIT_MEMLOCK is RLIM_INFINITY Fix a bug in mm/mlock.c on 32-bit architectures that prevents a user from locking more than 4GB of shared memory, or allocating more than 4GB of shared memory in hugepages, when rlim[RLIMIT_MEMLOCK] is set to RLIM_INFINITY. Signed-off-by: Herbert van den Bergh Acked-by: Chris Mason Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 88656e13bea01b02f02a1dfcd3ba75a83e708648 Author: Joe Jin Date: Sun Jul 15 23:38:12 2007 -0700 hugetlb: fix race in alloc_fresh_huge_page() That static `nid' index needs locking. Without it we can end up calling alloc_pages_node() with an illegal node ID and the kernel crashes. Acked-by: Gurudas Pai Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit b970e6468dcade5652f0ae02c99189efe1eefec6 Author: Jan Kara Date: Sun Jul 15 23:37:20 2007 -0700 jbd2 commit: fix transaction dropping We have to check that also the second checkpoint list is non-empty before dropping the transaction. Signed-off-by: Jan Kara Cc: Chuck Ebbert Cc: Kirill Korotaev Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 33a8a50080fd91f66bea001fc2828a007cd2f359 Author: Jan Kara Date: Sun Jul 15 23:37:18 2007 -0700 jbd commit: fix transaction dropping We have to check that also the second checkpoint list is non-empty before dropping the transaction. Signed-off-by: Jan Kara Cc: Chuck Ebbert Cc: Kirill Korotaev Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 5f170d5e5e4c497d89ae758408db0f202d446968 Author: Venki Pallipadi Date: Mon Jul 16 16:57:38 2007 -0400 acpi-cpufreq: Proper ReadModifyWrite of PERF_CTL MSR [CPUFREQ] acpi-cpufreq: Proper ReadModifyWrite of PERF_CTL MSR During recent acpi-cpufreq changes, writing to PERF_CTL msr changed from RMW of entire 64 bit to RMW of low 32 bit and clearing of upper 32 bit. Fix it back to do a proper RMW of the MSR. Signed-off-by: Venkatesh Pallipadi Signed-off-by: Dave Jones Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit f91ff4269eb0617b126779f7cb82e11cb0a74bd5 Author: Ayaz Abdulla Date: Mon Jul 16 09:50:24 2007 -0400 forcedeth bug fix: realtek phy This patch contains errata fixes for the realtek phy. It only renamed the defines to be phy specific. Signed-off-by: Ayaz Abdulla Signed-off-by: Greg Kroah-Hartman commit e275253a0877f90cbee3c799843ada2aa493eebd Author: Ayaz Abdulla Date: Mon Jul 16 09:50:01 2007 -0400 forcedeth bug fix: vitesse phy This patch contains errata fixes for the vitesse phy. It only renamed the defines to be phy specific. Signed-off-by: Ayaz Abdulla Signed-off-by: Greg Kroah-Hartman commit 3b150e5385caff233227e235a37c2b910b3a2145 Author: Ayaz Abdulla Date: Mon Jul 16 09:49:51 2007 -0400 forcedeth bug fix: cicada phy This patch contains errata fixes for the cicada phy. It only renamed the defines to be phy specific. Signed-off-by: Ayaz Abdulla Signed-off-by: Greg Kroah-Hartman commit b3b590287ca3c36e0a3fa28d626f126dd5226fc4 Author: Mariusz Kozlowski Date: Thu Jul 19 17:27:22 2007 -0700 fs: 9p/conv.c error path fix When buf_check_overflow() returns != 0 we will hit kfree(ERR_PTR(err)) and it will not be happy about it. Signed-off-by: Mariusz Kozlowski Cc: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 608fe2dd0715bc40d43e9b0c0fb7343e4fd7d719 Author: Fengguang Wu Date: Thu Jul 19 01:47:58 2007 -0700 readahead: MIN_RA_PAGES/MAX_RA_PAGES macros Define two convenient macros for read-ahead: - MAX_RA_PAGES: rounded down counterpart of VM_MAX_READAHEAD - MIN_RA_PAGES: rounded _up_ counterpart of VM_MIN_READAHEAD Note that the rounded up MIN_RA_PAGES will work flawlessly with _large_ page sizes like 64k. Signed-off-by: Fengguang Wu Cc: Steven Pratt Cc: Ram Pai Cc: Rusty Russell Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 38148d7300c4352c9b47f66a2ec3b7269df39ff9 Author: J. Bruce Fields Date: Thu Jul 19 01:49:18 2007 -0700 nfsd: fix possible read-ahead cache and export table corruption The value of nperbucket calculated here is too small--we should be rounding up instead of down--with the result that the index j in the following loop can overflow the raparm_hash array. At least in my case, the next thing in memory turns out to be export_table, so the symptoms I see are crashes caused by the appearance of four zeroed-out export entries in the first bucket of the hash table of exports (which were actually entries in the readahead cache, a pointer to which had been written to the export table in this initialization code). It looks like the bug was probably introduced with commit fce1456a19f5c08b688c29f00ef90fdfa074c79b ("knfsd: make the readahead params cache SMP-friendly"). Cc: Greg Banks Signed-off-by: "J. Bruce Fields" Acked-by: NeilBrown Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 34d85f595af946a9ab05d509160a3cb6015db42a Author: Michael Halcrow Date: Thu Jul 19 01:47:54 2007 -0700 eCryptfs: ecryptfs_setattr() bugfix There is another bug recently introduced into the ecryptfs_setattr() function in 2.6.22. eCryptfs will attempt to treat special files like regular eCryptfs files on chmod, chown, and so forth. This leads to a NULL pointer dereference. This patch validates that the file is a regular file before proceeding with operations related to the inode's crypt_stat. Thanks to Ryusuke Konishi for finding this bug and suggesting the fix. Signed-off-by: Michael Halcrow Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit ab257af4cb8140bd117c8ab44506bc657f713cb9 Author: Jean Tourrilhes Date: Tue Jul 17 10:46:33 2007 -0500 softmac: Fix ESSID problem Victor Porton reported that the SoftMAC layer had random problem when setting the ESSID : http://bugzilla.kernel.org/show_bug.cgi?id=8686 After investigation, it turned out to be worse, the SoftMAC layer is left in an inconsistent state. The fix is pretty trivial. Signed-off-by: Jean Tourrilhes Acked-by: Michael Buesch Acked-by: Larry Finger Acked-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit b336114c8eab95d6892efd325247d2d5860d3ae0 Author: Stefan Richter Date: Thu Jul 19 09:28:42 2007 +0200 firewire: fix memory leak of fw_request instances Found and debugged by Jay Fenlason . The bug was especially noticeable with direct I/O over fw-sbp2. Same as commit 9c9bdf4d50730fd04b06077e22d7a83b585f26b5. Signed-off-by: Stefan Richter Signed-off-by: Kristian Høgsberg Signed-off-by: Greg Kroah-Hartman commit 717bb45a019dd5e298f261a316cdf3b9298b4544 Author: Stefan Richter Date: Thu Jul 19 09:27:37 2007 +0200 fw-ohci: fix "scheduling while atomic" context_stop is called by bus_reset_tasklet, among else. Fixes http://bugzilla.kernel.org/show_bug.cgi?id=8735. Same as commit b980f5a224f3df6c884dbf5ae48797ce352ba139. Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit 3ee3cf9d25b563e1adb4e6515cb5c337b54e88fb Author: Thomas Gleixner Date: Sat Jul 21 17:11:12 2007 +0200 i386: HPET, check if the counter works Some systems have a HPET which is not incrementing, which leads to a complete hang. Detect it during HPET setup. Signed-off-by: Thomas Gleixner Signed-off-by: Andi Kleen Cc: john stultz Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 2d68c23353ff6e72ca62a4d355f09332382d6796 Author: Milan Broz Date: Sat Jul 21 04:37:27 2007 -0700 dm io: fix panic on large request Flush workqueue before releasing bioset and mopools in dm-crypt. There can be finished but not yet released request. Call chain causing oops: run workqueue dec_pending bio_endio(...); mempool_free(io, cc->io_pool); This usually happens when cryptsetup create temporary luks mapping in the beggining of crypt device activation. When dm-core calls destructor crypt_dtr, no new request are possible. Signed-off-by: Milan Broz Cc: Chuck Ebbert Cc: Patrick McHardy Acked-by: Alasdair G Kergon Cc: Christophe Saout Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 3f1c4345489aa376a251ced66927a04946255726 Author: Herton Ronaldo Krzesinski Date: Tue Jul 31 00:38:52 2007 -0700 Include serial_reg.h with userspace headers As reported by Gustavo de Nardin , while trying to compile xosview (http://xosview.sourceforge.net/) with upstream kernel headers being used you get the following errors: serialmeter.cc:48:30: error: linux/serial_reg.h: No such file or directory serialmeter.cc: In member function 'virtual void SerialMeter::checkResources()': serialmeter.cc:71: error: 'UART_LSR' was not declared in this scope serialmeter.cc:71: error: 'UART_MSR' was not declared in this scope ... Signed-off-by: Herton Ronaldo Krzesinski Cc: Gustavo de Nardin Cc: David Woodhouse Cc: Russell King Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit e2b5b2ab31b585fd67faab69db3bfe2e3c993ec7 Author: Mingming Cao Date: Tue Jul 31 00:37:46 2007 -0700 "ext4_ext_put_in_cache" uses __u32 to receive physical block number Yan Zheng wrote: > I think I found a bug in ext4/extents.c, "ext4_ext_put_in_cache" uses > "__u32" to receive physical block number. "ext4_ext_put_in_cache" is > used in "ext4_ext_get_blocks", it sets ext4 inode's extent cache > according most recently tree lookup (higher 16 bits of saved physical > block number are always zero). when serving a mapping request, > "ext4_ext_get_blocks" first check whether the logical block is in > inode's extent cache. if the logical block is in the cache and the > cached region isn't a gap, "ext4_ext_get_blocks" gets physical block > number by using cached region's physical block number and offset in > the cached region. as described above, "ext4_ext_get_blocks" may > return wrong result when there are physical block numbers bigger than > 0xffffffff. > You are right. Thanks for reporting this! Signed-off-by: Mingming Cao Cc: Yan Zheng Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 04a603a7e20124d3f2fed85a4dfda07cf2216268 Author: Andreas Schwab Date: Tue Jul 31 00:38:51 2007 -0700 futex: pass nr_wake2 to futex_wake_op The fourth argument of sys_futex is ignored when op == FUTEX_WAKE_OP, but futex_wake_op expects it as its nr_wake2 parameter. The only user of this operation in glibc is always passing 1, so this bug had no consequences so far. Signed-off-by: Andreas Schwab Cc: Ingo Molnar Signed-off-by: Ulrich Drepper Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 6c264a326f471cad27ee7e275f1b425a307c55f0 Author: Alexey Dobriyan Date: Tue Jul 31 00:38:50 2007 -0700 Fix leaks on /proc/{*/sched, sched_debug, timer_list, timer_stats} On every open/close one struct seq_operations leaks. Kudos to /proc/slab_allocators. Signed-off-by: Alexey Dobriyan Acked-by: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit ab166e04a66c550664ab6b3b3cea03402580d681 Author: Daniel Ritz Date: Tue Jul 31 00:38:08 2007 -0700 pcmcia: give socket time to power down Give sockets up to 100ms of additional time to power down. otherwise we might generate false warnings with KERN_ERR priority (like in bug #8262). Signed-off-by: Daniel Ritz Cc: Nils Neumann Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 058bfc1cc6700c210024dd9fd391ea8fbbb6c91a Author: Maik Hampel Date: Tue Jul 31 00:37:57 2007 -0700 md: raid10: fix use-after-free of bio In case of read errors raid10d tries to print a nice error message, unfortunately using data from an already put bio. Signed-off-by: Maik Hampel Acked-By: NeilBrown Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 1eb34652551146be64def511d34a02178d9b00cd Author: Arne Redlich Date: Tue Jul 31 00:37:57 2007 -0700 md: handle writes to broken raid10 arrays gracefully When writing to a broken array, raid10 currently happily emits empty bio lists. IOW, the master bio will never be completed, sending writers to UNINTERRUPTIBLE_SLEEP forever. Signed-off-by: Arne Redlich Acked-by: Neil Brown Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 68a0460bbcc7571753b57b83f21e8c1c5029a46a Author: Pavel Emelianov Date: Tue Jul 31 00:38:48 2007 -0700 Fix user struct leakage with locked IPC shem segment When user locks an ipc shmem segmant with SHM_LOCK ctl and the segment is already locked the shmem_lock() function returns 0. After this the subsequent code leaks the existing user struct: == ipc/shm.c: sys_shmctl() == ... err = shmem_lock(shp->shm_file, 1, user); if (!err) { shp->shm_perm.mode |= SHM_LOCKED; shp->mlock_user = user; } ... == Other results of this are: 1. the new shp->mlock_user is not get-ed and will point to freed memory when the task dies. 2. the RLIMIT_MEMLOCK is screwed on both user structs. The exploit looks like this: == id = shmget(...); setresuid(uid, 0, 0); shmctl(id, SHM_LOCK, NULL); setresuid(uid + 1, 0, 0); shmctl(id, SHM_LOCK, NULL); == My solution is to return 0 to the userspace and do not change the segment's user. Signed-off-by: Pavel Emelianov Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit df358e1bad63f47ef3d399f8193bdc5a59d3d747 Author: Ulrich Drepper Date: Tue Jul 31 00:38:16 2007 -0700 CPU online file permission Is there a reason why the "online" file in the subdirectories for the CPUs in /sys/devices/system isn't world-readable? I cannot imagine it to be security relevant especially now that a getcpu() syscall can be used to determine what CPUa thread runs on. The file is useful to correctly implement the sysconf() function to return the number of online CPUs. In the presence of hotplug we currently cannot provide this information. The patch below should to it. Signed-off-by: Ulrich Drepper Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit e71139fd0da506636c1a78765f7eaed178a97a34 Author: Alexey Dobriyan Date: Tue Jul 31 00:38:50 2007 -0700 Fix leak on /proc/lockdep_stats Signed-off-by: Alexey Dobriyan Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 397f3076fdeb9f71d67c6376b8366dfddeaae4ed Author: Dave Airlie Date: Tue Aug 7 09:09:51 2007 +1000 drm/i915: Fix i965 secured batchbuffer usage (CVE-2007-3851) This 965G and above chipsets moved the batch buffer non-secure bits to another place. This means that previous drm's allowed in-secure batchbuffers to be submitted to the hardware from non-privileged users who are logged into X and and have access to direct rendering. Signed-off-by: Dave Airlie Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 36e1ed699210fd0173dfe0a8b2cde8a6b648ba3f Author: Jens Axboe Date: Fri Jul 20 15:21:36 2007 +0200 splice: fix double page unlock If add_to_page_cache_lru() fails, the page will not be locked. But splice jumps to an error path that does a page release and unlock, causing a BUG() in unlock_page(). Fix this by adding one more label that just releases the page. This bug was actually triggered on EL5 by gurudas pai using fio. Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 6b6c21263e3fe3f036c1bb04a65d032394167e64 Author: Dmitry Torokhov Date: Fri Jul 20 00:37:30 2007 -0400 Input: lifebook - fix an oops on Panasonic CF-18 Input: lifebook - fix an oops on Panasonic CF-18 Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 69461034216f4966525a269b2dfc1d64718df10e Author: Hans Verkuil Date: Tue Jul 24 08:07:43 2007 -0400 V4L: wm8775/wm8739: Fix memory leak when unloading module State struct was never freed. (cherry picked from commit 1b2232ab879993fcf5b9391c3febf6ab5d78201e) Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit e4d697881eb3e13efb8ff68d12edfe0c09124d09 Author: Hans Verkuil Date: Tue Jul 24 08:07:40 2007 -0400 V4L: ivtv: Add locking to ensure stream setup is atomic Starting an MPEG and VBI capture simultaneously caused errors in the VBI setup: this setup was done twice when it should be done only for the first stream that is opened. Added a mutex to prevent this from happening. (cherry picked from commit f885969196da6ae905162c0d1c5f0553de12cb40) Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky commit 53a8e6e303cd55242bdfc5a1c898d21ce2805ac7 Author: Hans Verkuil Date: Tue Jul 24 08:07:33 2007 -0400 V4L: ivtv: fix DMA timeout when capturing VBI + another stream The VBI DMA is handled in a special way and is marked with a bit. However, that bit was set at the wrong time and could be cleared by mistake if a PCM (or other) DMA request would arrive before the VBI DMA was completed. So on completion of the VBI DMA the driver no longer knew that that DMA transfer was for VBI data. And this in turn caused havoc with the card's DMA engine. (cherry picked from commit dd1e729d63f74a0b6290ca417bafd3fd8665db50) Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit 77157ba22f856f303d243d0093a88bac469c7a9c Author: Hans Verkuil Date: Tue Jul 24 08:07:28 2007 -0400 V4L: ivtv: fix broken VBI output support The old service_set_out setting was still tested, even though it no longer was ever set and was in fact obsolete. This meant that everything that was written to /dev/vbi16 was ignored. Removed the service_set_out variable altogether and now it works again. (cherry picked from commit 47fd3ba9fc62d23a985f4969719c3091438d21c5) Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit 5efb6c65a028869fb9a1eae729a21585be8569cd Author: Hans Verkuil Date: Tue Jul 24 08:07:17 2007 -0400 V4L: Add check for valid control ID to v4l2_ctrl_next If v4l2_ctrl_next is called without the V4L2_CTRL_FLAG_NEXT_CTRL then it should check whether the passed control ID is valid and return 0 if it isn't. Otherwise a for-loop over the control IDs will never end. (cherry picked from commit a46c5fbc6912c4e34cb7ded314249b639dc244a6) Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit 32b49ec23649cc3e59d8c1963919f159eacd1167 Author: Davide Libenzi Date: Thu Jul 26 10:41:07 2007 -0700 make timerfd return a u64 and fix the __put_user Davi fixed a missing cast in the __put_user(), that was making timerfd return a single byte instead of the full value. Talking with Michael about the timerfd man page, we think it'd be better to use a u64 for the returned value, to align it with the eventfd implementation. This is an ABI change. The timerfd code is new in 2.6.22 and if we merge this into 2.6.23 then we should also merge it into 2.6.22.x. That will leave a few early 2.6.22 kernels out in the wild which might misbehave when a future timerfd-enabled glibc is run on them. mtk says: The difference would be that read() will only return 4 bytes, while the application will expect 8. If the application is checking the size of returned value, as it should, then it will be able to detect the problem (it could even be sophisticated enough to know that if this is a 4-byte return, then it is running on an old 2.6.22 kernel). If the application is not checking the return from read(), then its 8-byte buffer will not be filled -- the contents of the last 4 bytes will be undefined, so the u64 value as a whole will be junk. When I wrote up that description above, I forgot a crucial detail. The above description described the difference between the new behavior implemented by the patch, and the current (i.e., 2.6.22) *intended* behavior. However, as I originally remarked to Davide, the 2.6.22 read() behavior is broken: it should return 4 bytes on a read(), but as originally implemented, only the least significant byte contained valid information. (In other words, the top 3 bytes of overrun information were simply being discarded.) So the patch both fixes a bug in the originally intended behavior, and changes the intended behavior (to return 8 bytes from a read() instead of 4). Signed-off-by: Davide Libenzi Cc: Michael Kerrisk Cc: Davi Arnaut Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 76525808fce1f652a6d8472db5a84d28b0951c90 Author: Stefan Richter Date: Sat Aug 4 18:38:32 2007 +0200 firewire: fw-sbp2: set correct maximum payload (fixes CardBus adapters) As far as I know, all CardBus FireWire 400 adapters have a maximum payload of 1024 bytes which is less than the speed-dependent limit of 2048 bytes. Fw-sbp2 has to take the host adapter's limit into account. This apparently fixes Juju's incompatibility with my CardBus cards, a NEC based card and a VIA based card. Backport of commit 25659f7183376c6b37661da6141d5eaa21479061. Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit 33aff30ab29fa997b8d146d2416e32fd9600b217 Author: Alan Cox Date: Mon Jul 23 14:51:05 2007 +0100 aacraid: fix security hole On the SCSI layer ioctl path there is no implicit permissions check for ioctls (and indeed other drivers implement unprivileged ioctls). aacraid however allows all sorts of very admin only things to be done so should check. Signed-off-by: Alan Cox Acked-by: Mark Salyzyn Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 08fa53b31d792ca70fa2ed7d59c835dc98f9ce2a Author: Petr Vandrovec Date: Fri Jul 20 07:44:44 2007 -0400 Fix reported task file values in sense data ata_tf_read was setting HOB bit when lba48 command was submitted, but was not clearing it before reading "normal" data. As it is only place which sets HOB bit in control register, and register reads should not be affected by other bits, let's just clear it when we are done with reading upper bytes so non-48bit commands do not have to touch ctl at all. pata_scc suffered from same problem... Signed-off-by: Petr Vandrovec Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 71c6f9d72d14eae82fee670d621d05b09082b551 Author: Adam Kropelin Date: Mon Jul 30 15:09:07 2007 -0700 usb-serial: Fix edgeport regression on non-EPiC devices Fix serious regression on non-EPiC edgeport usb-serial devices. Baud rate and MCR/LCR registers are not being written on these models due to apparent copy-n-paste errors introduced with EPiC support. Failure reported by Nick Pasich . Signed-off-by: Adam Kropelin Signed-off-by: Greg Kroah-Hartman commit 5242d7efa822a1b20f0c51d438fbe2e47958400a Author: Alan Stern Date: Thu Jul 19 20:44:51 2007 -0700 USB: fix warning caused by autosuspend counter going negative This patch (as937) fixes a minor bug in the autosuspend usage-counting code. Each hub's usage counter keeps track of the number of unsuspended children. However the current driver increments the counter after registering a new child, by which time the child may already have been suspended and caused the counter to go negative. The obvious solution is to increment the counter before registering the child. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit fa10a71942870a670113152f1d948393636d3c4a Author: Joerg Roedel Date: Wed Jul 18 19:51:36 2007 +0300 KVM: SVM: Reliably detect if SVM was disabled by BIOS This patch adds an implementation to the svm is_disabled function to detect reliably if the BIOS disabled the SVM feature in the CPU. This fixes the issues with kernel panics when loading the kvm-amd module on machines where SVM is available but disabled. Signed-off-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit 668df9fe157abbc90efc0ca054048300afb5937c Author: YOSHIFUJI Hideaki Date: Tue Jul 24 21:47:05 2007 -0700 Fix TCP IPV6 MD5 bug. [TCPv6] MD5SIG: Ensure to reset allocation count to avoid panic. After clearing all passwords for IPv6 peers, we need to set allocation count to zero as well as we free the storage. Otherwise, we panic when a user trys to (re)add a password. Discovered and fixed by MIYAJIMA Mitsuharu . Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dffc659ff8b135a29b36c8cc45e9f67f8c5dbfa7 Author: Mark Fortescue Date: Tue Jul 24 21:45:44 2007 -0700 Fix sparc32 udelay() rounding errors. [SPARC32]: Fix rounding errors in ndelay/udelay implementation. __ndelay and __udelay have not been delayung >= specified time. The problem with __ndelay has been tacked down to the rounding of the multiplier constant. By changing this, delays > app 18us are correctly calculated. The problem with __udelay has also been tracked down to rounding issues. Changing the multiplier constant (to match that used in sparc64) corrects for large delays and adding in a rounding constant corrects for trunctaion errors in the claculations. Many short delays will return without looping. This is not an error as there is the fixed delay of doing all the maths to calculate the loop count. Signed-off-by: Mark Fortescue Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 499d853ced11bb3c93d542871ab4c84ae5713c60 Author: Alexander Shmelev Date: Tue Jul 24 21:44:48 2007 -0700 Fix sparc32 memset() [SPARC32]: Fix bug in sparc optimized memset. Sparc optimized memset (arch/sparc/lib/memset.S) does not fill last byte of the memory area, if area size is less than 8 bytes and start address is not word (4-bytes) aligned. Here is code chunk where bug located: /* %o0 - memory address, %o1 - size, %g3 - value */ 8: add %o0, 1, %o0 subcc %o1, 1, %o1 bne,a 8b stb %g3, [%o0 - 1] This code should write byte every loop iteration, but last time delay instruction stb is not executed because branch instruction sets "annul" bit. Patch replaces bne,a by bne instruction. Error can be reproduced by simple kernel module: -------------------- #include #include #include #include #include static void do_memset(void **p, int size) { memset(p, 0x00, size); } static int __init memset_test_init(void) { char fooc[8]; int *fooi; memset(fooc, 0xba, sizeof(fooc)); do_memset((void**)(fooc + 3), 1); fooi = (int*) fooc; printk("%08X %08X\n", fooi[0], fooi[1]); return -1; } static void __exit memset_test_cleanup(void) { return; } module_init(memset_test_init); module_exit(memset_test_cleanup); MODULE_LICENSE("GPL"); EXPORT_NO_SYMBOLS; ------------------------ Signed-off-by: Alexander Shmelev Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4d0d0b81642f5fdc0e33c59bb15e373785d28997 Author: Al Viro Date: Tue Jul 24 21:43:58 2007 -0700 Fix ipv6 tunnel endianness bug. [IPV6]: endianness bug in ip6_tunnel Signed-off-by: Al Viro Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0d39262fedaa763555b524edea2eedc548520048 Author: David S. Miller Date: Thu Jul 19 22:06:09 2007 -0700 Sparc64 bootup assembler bug [SPARC64]: Fix two year old bug in early bootup asm. We try to fetch the CIF entry pointer from %o4, but that can get clobbered by the early OBP calls. It is saved in %l7 already, so actually this "mov %o4, %l7" can just be completely removed with no other changes. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit acad36f93ea2afec9a73fb54283cbc359d1abf27 Author: Satyam Sharma Date: Wed Jul 18 02:54:19 2007 -0700 Netpoll leak [NETPOLL]: Fix a leak-n-bug in netpoll_cleanup() 93ec2c723e3f8a216dde2899aeb85c648672bc6b applied excessive duct tape to the netpoll beast's netpoll_cleanup(), thus substituting one leak with another, and opening up a little buglet :-) net_device->npinfo (netpoll_info) is a shared and refcounted object and cannot simply be set NULL the first time netpoll_cleanup() is called. Otherwise, further netpoll_cleanup()'s see np->dev->npinfo == NULL and become no-ops, thus leaking. And it's a bug too: the first call to netpoll_cleanup() would thus (annoyingly) "disable" other (still alive) netpolls too. Maybe nobody noticed this because netconsole (only user of netpoll) never supported multiple netpoll objects earlier. This is a trivial and obvious one-line fixlet. Signed-off-by: Satyam Sharma Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7e2d130b1da457858791d8f8b00b17c821db039f Author: Vlad Yasevich Date: Wed Jul 18 02:52:33 2007 -0700 Fix ipv6 link down handling. [IPV6]: Call inet6addr_chain notifiers on link down Currently if the link is brought down via ip link or ifconfig down, the inet6addr_chain notifiers are not called even though all the addresses are removed from the interface. This caused SCTP to add duplicate addresses to it's list. Signed-off-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c709631f917050fd9633c7dde8ef7d7d31f1ecd9 Author: Dmitry Butskoy Date: Wed Jul 18 02:51:17 2007 -0700 Fix error queue socket lookup in ipv6 [IPV6]: MSG_ERRQUEUE messages do not pass to connected raw sockets From: Dmitry Butskoy Taken from http://bugzilla.kernel.org/show_bug.cgi?id=8747 Problem Description: It is related to the possibility to obtain MSG_ERRQUEUE messages from the udp and raw sockets, both connected and unconnected. There is a little typo in net/ipv6/icmp.c code, which prevents such messages to be delivered to the errqueue of the correspond raw socket, when the socket is CONNECTED. The typo is due to swap of local/remote addresses. Consider __raw_v6_lookup() function from net/ipv6/raw.c. When a raw socket is looked up usual way, it is something like: sk = __raw_v6_lookup(sk, nexthdr, daddr, saddr, IP6CB(skb)->iif); where "daddr" is a destination address of the incoming packet (IOW our local address), "saddr" is a source address of the incoming packet (the remote end). But when the raw socket is looked up for some icmp error report, in net/ipv6/icmp.c:icmpv6_notify() , daddr/saddr are obtained from the echoed fragment of the "bad" packet, i.e. "daddr" is the original destination address of that packet, "saddr" is our local address. Hence, for icmpv6_notify() must use "saddr, daddr" in its arguments, not "daddr, saddr" ... Steps to reproduce: Create some raw socket, connect it to an address, and cause some error situation: f.e. set ttl=1 where the remote address is more than 1 hop to reach. Set IPV6_RECVERR . Then send something and wait for the error (f.e. poll() with POLLERR|POLLIN). You should receive "time exceeded" icmp message (because of "ttl=1"), but the socket do not receive it. If you do not connect your raw socket, you will receive MSG_ERRQUEUE successfully. (The reason is that for unconnected socket there are no actual checks for local/remote addresses). Signed-off-by: Andrew Morton Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8a1c1646795c03edc0c4f18d3ad97e18e56f888c Author: Ranko Zivojnovic Date: Wed Jul 18 02:49:48 2007 -0700 gen estimator deadlock fix [NET]: gen_estimator deadlock fix -Fixes ABBA deadlock noted by Patrick McHardy : > There is at least one ABBA deadlock, est_timer() does: > read_lock(&est_lock) > spin_lock(e->stats_lock) (which is dev->queue_lock) > > and qdisc_destroy calls htb_destroy under dev->queue_lock, which > calls htb_destroy_class, then gen_kill_estimator and this > write_locks est_lock. To fix the ABBA deadlock the rate estimators are now kept on an rcu list. -The est_lock changes the use from protecting the list to protecting the update to the 'bstat' pointer in order to avoid NULL dereferencing. -The 'interval' member of the gen_estimator structure removed as it is not needed. Signed-off-by: Ranko Zivojnovic Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2e9d3cf88b10374bc7a863f4ad9906245d29d2b3 Author: Patrick McHardy Date: Wed Jul 18 02:48:43 2007 -0700 gen estimator timer unload race [NET]: Fix gen_estimator timer removal race As noticed by Jarek Poplawski , the timer removal in gen_kill_estimator races with the timer function rearming the timer. Check whether the timer list is empty before rearming the timer in the timer function to fix this. Signed-off-by: Patrick McHardy Acked-by: Jarek Poplawski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 360737d98a12b98d95aa3ebc2c4fbbf68a6a9280 Author: Ingo Molnar Date: Wed Jul 18 02:45:14 2007 -0700 Fix rfkill IRQ flags. [RFKILL]: fix net/rfkill/rfkill-input.c bug on 64-bit systems Subject: [patch] net/input: fix net/rfkill/rfkill-input.c bug on 64-bit systems this recent commit: commit cf4328cd949c2086091c62c5685f1580fe9b55e4 Author: Ivo van Doorn Date: Mon May 7 00:34:20 2007 -0700 [NET]: rfkill: add support for input key to control wireless radio added this 64-bit bug: .... unsigned int flags; spin_lock_irqsave(&task->lock, flags); .... irq 'flags' must be unsigned long, not unsigned int. The -rt tree has strict checks about this on 64-bit so this triggered a build failure. Signed-off-by: Ingo Molnar Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9bff1948de46273efed6801db7e6b822b88b6f9a Author: Vlad Yasevich Date: Wed Jul 18 02:44:12 2007 -0700 SCTP scope_id handling fix SCTP: Add scope_id validation for link-local binds SCTP currently permits users to bind to link-local addresses, but doesn't verify that the scope id specified at bind matches the interface that the address is configured on. It was report that this can hang a system. Signed-off-by: Vlad Yasevich Signed-off-by: Greg Kroah-Hartman commit 420eb87364de03770d377007ea1173e0ffb1cb21 Author: Adrian Bunk Date: Wed Jul 18 02:37:05 2007 -0700 Missing header include in ipt_iprange.h [NETFILTER]: ipt_iprange.h must #include ipt_iprange.h must #include since it uses __be32. This patch fixes kernel Bugzilla #7604. Signed-off-by: Adrian Bunk Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a03cf181b9c19b4e95d847cd394c7ffaf5109d06 Author: Christian Lamparter Date: Thu Aug 2 15:36:50 2007 +0900 Add a PCI ID for santa rosa's PATA controller. This is commit c1e6f28cc5de37dcd113b9668a185c0b9334ba8a which is merged during 23-rc1 window. Considering the popularity of these chips, I think including it in -stable release would be good idea. Signed-off-by: Christian Lamparter Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 64be2d2b176e1e5c2fa10e7df7fdd87480c08971 Author: David S. Miller Date: Wed Jul 18 02:34:05 2007 -0700 Fix console write locking in sparc drivers. Mirror the logic in 8250 for proper console write locking when SYSRQ is triggered or an OOPS is in progress. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3ee0edac473755afa68715acd1d0e569044bae39 Author: Patrick McHardy Date: Wed Jul 18 02:26:27 2007 -0700 Fix IPCOMP crashes. [XFRM]: Fix crash introduced by struct dst_entry reordering XFRM expects xfrm_dst->u.next to be same pointer as dst->next, which was broken by the dst_entry reordering in commit 1e19e02c~, causing an oops in xfrm_bundle_ok when walking the bundle upwards. Kill xfrm_dst->u.next and change the only user to use dst->next instead. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c1bb818242296c121ff574cb1fec2bc0127d6b31 Author: Patrick McHardy Date: Wed Jul 18 02:32:39 2007 -0700 Fix TC deadlock. [NET_SCHED]: Revert "avoid transmit softirq on watchdog wakeup" optimization As noticed by Ranko Zivojnovic , calling qdisc_run from the timer handler can result in deadlock: > CPU#0 > > qdisc_watchdog() fires and gets dev->queue_lock > qdisc_run()...qdisc_restart()... > -> releases dev->queue_lock and enters dev_hard_start_xmit() > > CPU#1 > > tc del qdisc dev ... > qdisc_graft()...dev_graft_qdisc()...dev_deactivate()... > -> grabs dev->queue_lock ... > > qdisc_reset()...{cbq,hfsc,htb,netem,tbf}_reset()...qdisc_watchdog_cancel()... > -> hrtimer_cancel() - waiting for the qdisc_watchdog() to exit, while still > holding dev->queue_lock > > CPU#0 > > dev_hard_start_xmit() returns ... > -> wants to get dev->queue_lock(!) > > DEADLOCK! The entire optimization is a bit questionable IMO, it moves potentially large parts of NET_TX_SOFTIRQ work to TIMER_SOFTIRQ/HRTIMER_SOFTIRQ, which kind of defeats the separation of them. Signed-off-by: Patrick McHardy Acked-by: Ranko Zivojnovic Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2c92c72b750cb92566b7e6031f84bc9a35699e73 Author: Ilpo Järvinen Date: Wed Jul 18 02:30:41 2007 -0700 TCP FRTO retransmit bug fix [TCP]: Verify the presence of RETRANS bit when leaving FRTO For yet unknown reason, something cleared SACKED_RETRANS bit underneath FRTO. Signed-off-by: Ilpo Järvinen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6b30a4e1c357410a78d7bcb831743b0e99bab4ad Author: Alan Stern Date: Thu Aug 2 13:29:10 2007 -0400 USB: cdc-acm: fix sysfs attribute registration bug This patch (as950) fixes a bug in the cdc-acm driver. It doesn't keep track of which interface (control or data) the sysfs attributes get registered for, and as a result, during disconnect it will sometimes attempt to remove the attributes from the wrong interface. The left-over attributes can cause a crash later on, particularly if the driver module has been unloaded. Signed-off-by: Alan Stern CC: Oliver Neukum Signed-off-by: Greg Kroah-Hartman