commit 9e6899a1fb940baef3aba7336c7e70e8e71f5559
Author: Greg Kroah-Hartman
Date:   Wed Sep 26 11:03:01 2007 -0700

    Linux 2.6.22.9

commit 4c532d5cee25b7b1e8fb990d430c7a4b420b8bb5
Author: Larry Finger
Date:   Fri Sep 21 19:20:01 2007 -0500

    bcm43xx: Fix cancellation of work queue crashes

    port of 3f7086978fc0193eff24a77d8b57ac4debc088fa from mainline.

    A crash upon booting that is caused by bcm43xx has been reported [1] and
    found to be due to a work queue being reinitialized while work on that
    queue is still pending. This fix modifies the shutdown of work queues and
    prevents periodic work from being requeued during shutdown.

    With this patch, no more crashes on reboot were observed by the original
    reporter. I do not get that particular failure on my system; however, when
    running a large number of ifdown/ifup sequences, my system would kernel
    panic with the 'caps lock' light blinking at roughly a 1 Hz rate. In
    addition, there were infrequent failures in the firmware that resulted in
    'IRQ READY TIMEOUT' errors. With this patch, no more of the first type of
    failure occur, and incidence of the second type is greatly reduced.

    [1] http://bugzilla.kernel.org/show_bug.cgi?id=8937

    Signed-off-by: Larry Finger
    Acked-by: Michael Buesch
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit f2727f8d5b360a161a3aeeb798df86f7b1aa7270
Author: David Miller
Date:   Thu Sep 20 12:34:02 2007 -0700

    Fix sparc64 v100 platform booting.

    commit 2cc7345ff71b27b5ac99e49ad7de39360042f601 in mainline

    Subject: [PATCH] [SPARC64]: Fix booting on V100 systems.

    On the root PCI bus, the OBP device tree lists device 3 twice.
    Once as 'pm' and once as 'lomp'.

    Everything goes downhill from there.

    Ignore the second instance to workaround this.

    Thanks to Kövedi_Krisztián for the bug report and testing the fix.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 13af16119a223fdb9fa99dec8abf978f15480321
Author: Adit Ranadive
Date:   Thu Sep 20 12:40:03 2007 -0700

    Fix pktgen src_mac handling.

    commit ce5d0b47f13f83dfb9fbb8ac91adad7120747aaf in mainline

    Subject: [PATCH] [PKTGEN]: srcmac fix

    Signed-off-by: Andrew Morton
    Signed-off-by: David S. Miller

commit bbaded590e3293abbbca4d58a8fb7ad8447b2640
Author: Herbert Xu
Date:   Thu Sep 20 12:41:36 2007 -0700

    Fix datagram recvmsg NULL iov handling regression.

    commit ef8aef55ce61fd0e2af798695f7386ac756ae1e7 in mainline

    Subject: [PATCH] [NET]: Do not dereference iov if length is zero

    When msg_iovlen is zero we shouldn't try to dereference msg_iov.
    Right now the only thing that tries to do so is
    skb_copy_and_csum_datagram_iovec. Since the total length should also
    be zero if msg_iovlen is zero, it's sufficient to check the total
    length there and simply return if it's zero.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 6d742fb6e2b8913457e1282e1be77d6f4e45af00
Author: Ilpo Järvinen
Date:   Thu Sep 20 13:11:07 2007 -0700

    Fix TCP DSACK cwnd handling

    commit 49ff4bb4cd4c04acf8f9e3d3ec2148305a1db445 in mainline.

    [TCP]: DSACK signals data receival, be conservative

    In case a DSACK is received, it's better to lower cwnd as it's
    a sign of data receival.

    Signed-off-by: Ilpo Järvinen
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit eb7bdad82e8af48e1ed1b650268dc85ca7e9ff39
Author: Ilpo Järvinen
Date:   Thu Sep 20 13:10:25 2007 -0700

    Handle snd_una in tcp_cwnd_down()

    commit 6ee8009e38006da81d2a53da1aaa27365552553e in mainline

    Subject: [PATCH 1/1] [TCP]: Also handle snd_una changes in tcp_cwnd_down

    tcp_cwnd_down must check for it too as it should be conservative
    in case of collapse stuff and also when receiver is trying to
    lie (though it wouldn't be successful anyway).
    Note:
    - Separated also is_dupack and do_lost in fast_retransalert
        * Much cleaner look-and-feel now
        * This time it really fixes cumulative ACK + many new
          SACK blocks recovery entry (I claimed this fixes with
          last patch but it wasn't). TCP will now call
          tcp_update_scoreboard regardless of is_dupack when
          in recovery as long as there is enough fackets_out.
    - Introduce FLAG_SND_UNA_ADVANCED
        * Some prior_snd_una arguments are unnecessary after it
    - Added helper FLAG_ANY_PROGRESS to avoid long FLAG...|FLAG...
      constructs

    This is a reduced version of a mainline patch.

    Signed-off-by: Ilpo Järvinen
    Cc: David Miller
    Signed-off-by: Greg Kroah-Hartman

commit 8f67cd4be96512bc7b415e55be2e061dcce5664a
Author: Stephen Hemminger
Date:   Thu Sep 20 13:04:12 2007 -0700

    Fix tc_ematch kbuild

    commit 09d74cdd88a59a18f2ad7cfa0b6045ed1817b632 in mainline.

    Subject: [PATCH] [KBUILD]: Sanitize tc_ematch headers.

    The headers in tc_ematch are used by iproute2, so these headers should
    be processed.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 36e95db9b99b269b2939511a7f2afd68d771fd7a
Author: Evgeniy Polyakov
Date:   Thu Sep 20 13:02:32 2007 -0700

    Fix oops in vlan and bridging code

    commit 8c7b43a2e58baa24002fa2b266d9a5007bc52a40 in mainline

    I tried to preserve bridging code as it was before, but logic is quite
    strange - I think we should free skb on error, since it is already
    unshared and thus will just leak.

    Herbert Xu states:

    > + if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
    > + goto out;

    If this happens it'll be a double-free on skb since we'll
    return NF_DROP which makes the caller free it too.

    We could return NF_STOLEN to prevent that but I'm not sure
    whether that's correct netfilter semantics. Patrick, could
    you please make a call on this?

    Patrick McHardy states:

    NF_STOLEN should work fine here.

    Signed-off-by: Evgeniy Polyakov
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 29a2edbba56b39d5a3c268bae58c62234432846f
Author: Jiri Kosina
Date:   Thu Sep 20 12:56:55 2007 -0700

    Fix ipv6 source address handling.

    commit 6ae5f983cf8de769214d2d9e8a783c881eccd4cd in mainline

    The commit 95c385 broke proper source address selection for cases in
    which there is an address which is marked 'deprecated'. The commit
    mistakenly changed ifa->flags to ifa_result->flags (probably copy/paste
    error from a few lines above) in the 'Rule 3' address selection code.

    The patch restores the previous RFC-compliant behavior.

    Signed-off-by: Jiri Kosina
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 7556e40bae766944a136b44252118737331513ca
Author: Denis V. Lunev
Date:   Thu Sep 20 12:55:47 2007 -0700

    Fix IPV6 DAD handling

    commit 9e3be4b34364a670bd6e57d2e8c3caabdd8d89f8 in mainline

    addrconf_dad_failure calls addrconf_dad_stop which takes referenced
    address and drops the count. So, in6_ifa_put performed at out: is extra.
    This results in message: "Freeing alive inet6 address" and not released
    dst entries.

    Signed-off-by: Denis V. Lunev
    Signed-off-by: Alexey Dobriyan
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 781514c16542c6fa307fced47db9bd5d7b49734a
Author: YOSHIFUJI Hideaki
Date:   Thu Sep 20 12:54:07 2007 -0700

    Fix ipv6 double-sock-release with MSG_CONFIRM

    commit 3ef9d943d26dea764f4fecf3767001c90b778b0c in mainline

    Signed-off-by: YOSHIFUJI Hideaki
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 770961c871460ecba0be96b73a973eaf2c172302
Author: Nick Bowler
Date:   Thu Sep 20 12:47:45 2007 -0700

    Fix IPSEC AH4 options handling

    commit 8ee4f391831cb96916a8e8a05f04b1c1d7dd30d8 in mainline.

    In testing our ESP/AH offload hardware, I discovered an issue with
    how AH handles mutable fields in IPv4.
    RFC 4302 (AH) states the following on the subject:

        For IPv4, the entire option is viewed as a unit; so even
        though the type and length fields within most options are
        immutable in transit, if an option is classified as mutable,
        the entire option is zeroed for ICV computation purposes.

    The current implementation does not zero the type and length fields,
    resulting in authentication failures when communicating with hosts
    that do (i.e. FreeBSD).

    I have tested record route and timestamp options (ping -R and ping -T)
    on a small network involving Windows XP, FreeBSD 6.2, and Linux hosts,
    with one router. In the presence of these options, the FreeBSD and
    Linux hosts (with the patch or with the hardware) can communicate.
    The Windows XP host simply fails to accept these packets with or
    without the patch.

    I have also been trying to test source routing options (using
    traceroute -g), but haven't had much luck getting this option to work
    *without* AH, let alone with.

    Signed-off-by: Nick Bowler
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 4674cae0ca5e8e84f416a206116b61217d60c6e3
Author: YOSHIFUJI Hideaki
Date:   Thu Sep 20 12:46:41 2007 -0700

    Fix IPV6 append OOPS.

    commit e1f52208bb968291f7d9142eff60b62984b4a511 in mainline.

    [IPv6]: Fix NULL pointer dereference in ip6_flush_pending_frames

    Some of skbs in sk->write_queue do not have skb->dst because
    we do not fill skb->dst when we allocate new skb in append_data().

    BTW, I think we may not need to (or we should not) increment some stats
    when using corking; if 100 sendmsg() (with MSG_MORE) result in 2 packets,
    how many should we increment?

    If 100, we should set skb->dst for every queued skbs.

    If 1 (or 2 (*)), we increment the stats for the first queued skb and
    we should just skip incrementing OutDiscards for the rest of queued
    skbs, and we should also implement this semantics in other places;
    e.g., we should increment other stats just once, not 100 times.
    *: depends on the place we are discarding the datagram.

    I guess should just increment by 1 (or 2).

    Signed-off-by: YOSHIFUJI Hideaki
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 6a43c15d6a04391383a51f66f9cc8c406ddafa29
Author: Patrick McHardy
Date:   Thu Sep 20 12:44:24 2007 -0700

    Fix inet_diag OOPS.

    commit 0a9c73014415d2a84dac346c1e12169142a6ad37 in mainline

    [INET_DIAG]: Fix oops in netlink_rcv_skb

    netlink_run_queue() doesn't handle multiple processes processing the
    queue concurrently. Serialize queue processing in inet_diag to fix
    an oops in netlink_rcv_skb caused by netlink_run_queue passing a
    NULL for the skb.

    BUG: unable to handle kernel NULL pointer dereference at virtual address 00000054
    [349587.500454] printing eip:
    [349587.500457] c03318ae
    [349587.500459] *pde = 00000000
    [349587.500464] Oops: 0000 [#1]
    [349587.500466] PREEMPT SMP
    [349587.500474] Modules linked in: w83627hf hwmon_vid i2c_isa
    [349587.500483] CPU: 0
    [349587.500485] EIP: 0060:[] Not tainted VLI
    [349587.500487] EFLAGS: 00010246 (2.6.22.3 #1)
    [349587.500499] EIP is at netlink_rcv_skb+0xa/0x7e
    [349587.500506] eax: 00000000 ebx: 00000000 ecx: c148d2a0 edx: c0398819
    [349587.500510] esi: 00000000 edi: c0398819 ebp: c7a21c8c esp: c7a21c80
    [349587.500517] ds: 007b es: 007b fs: 00d8 gs: 0033 ss: 0068
    [349587.500521] Process oidentd (pid: 17943, ti=c7a20000 task=cee231c0 task.ti=c7a20000)
    [349587.500527] Stack: 00000000 c7a21cac f7c8ba78 c7a21ca4 c0331962 c0398819 f7c8ba00 0000004c
    [349587.500542] f736f000 c7a21cb4 c03988e3 00000001 f7c8ba00 c7a21cc4 c03312a5 0000004c
    [349587.500558] f7c8ba00 c7a21cd4 c0330681 f7c8ba00 e4695280 c7a21d00 c03307c6 7fffffff
    [349587.500578] Call Trace:
    [349587.500581] [] show_trace_log_lvl+0x1c/0x33
    [349587.500591] [] show_stack_log_lvl+0x8d/0xaa
    [349587.500595] [] show_registers+0x1cb/0x321
    [349587.500604] [] die+0x112/0x1e1
    [349587.500607] [] do_page_fault+0x229/0x565
    [349587.500618] [] error_code+0x72/0x78
    [349587.500625] [] netlink_run_queue+0x40/0x76
    [349587.500632] [] inet_diag_rcv+0x1f/0x2c
    [349587.500639] [] netlink_data_ready+0x57/0x59
    [349587.500643] [] netlink_sendskb+0x24/0x45
    [349587.500651] [] netlink_unicast+0x100/0x116
    [349587.500656] [] netlink_sendmsg+0x1c2/0x280
    [349587.500664] [] sock_sendmsg+0xba/0xd5
    [349587.500671] [] sys_sendmsg+0x17b/0x1e8
    [349587.500676] [] sys_socketcall+0x230/0x24d
    [349587.500684] [] syscall_call+0x7/0xb
    [349587.500691] =======================
    [349587.500693] Code: f0 ff 4e 18 0f 94 c0 84 c0 0f 84 66 ff ff ff 89 f0 e8 86 e2 fc ff e9 5a ff ff ff f0 ff 40 10 eb be 55 89 e5 57 89 d7 56 89 c6 53 <8b> 50 54 83 fa 10 72 55 8b 9e 9c 00 00 00 31 c9 8b 03 83 f8 0f

    Reported by Athanasius

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit ae305630391b73d55aa331f9ee03f5d9bfeba5b0
Author: Stephen Hemminger
Date:   Thu Sep 20 12:31:22 2007 -0700

    Fix device address listing for ipv4.

    commit 596e41509550447b030f7b16adaeb0138ab585a8 in mainline

    Bug: http://bugzilla.kernel.org/show_bug.cgi?id=8876

    Not all ips are shown by "ip addr show" command when IPs number assigned
    to an interface is more than 60-80 (in fact it depends on
    broadcast/label etc presence on each address).

    Steps to reproduce:
    It's terribly simple to reproduce:

    # for i in $(seq 1 100); do ip ad add 10.0.$i.1/24 dev eth10 ; done
    # ip addr show

    this will _not_ show all IPs.
    Looks like the problem is in netlink/ipv4 message processing.

    This is fix from bug submitter, it looks correct.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 5702223b18e7cf6632aa1b6e8d85c28878db526d
Author: Patrick McHardy
Date:   Thu Sep 20 12:32:09 2007 -0700

    Fix decnet device address listing.

    commit a2221f308dabb95abb914ad858d36c2462705558 in mainline.

    Not all are listed, same as the IPV4 devinet bug.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit c8c258a7118d750ae29d541b0422a1162324e0b4
Author: Willy Tarreau
Date:   Thu Aug 23 21:35:41 2007 +0200

    fix realtek phy id in forcedeth

    commit ba685fb2abd71162bea6895a99449c1071b01402 in mainline.

    As noticed by Chuck Ebbert, commit c5e3ae8823693b260ce1f217adca8add1bc0b3de
    introduced a copy-paste typo, as realtek phy is 0x732 and not 0x1c1.
    Obvious fix below suggested by Ayaz Abdulla.

    Signed-off-by: Willy Tarreau
    Cc: Ayaz Abdulla
    Cc: Chuck Ebbert
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 01add92dd4be6b4641219ea616bc31e6337cbd6c
Author: Herbert Xu
Date:   Tue Sep 11 10:31:59 2007 +0800

    crypto: blkcipher_get_spot() handling of buffer at end of page

    This corresponds to upstream changesets
    e4630f9fd8cdc14eb1caa08dafe649eb5ae09985 and
    32528d0fbda1093eeeaa7d0a2c498bbb5154099d.

    [CRYPTO] blkcipher: Fix handling of kmalloc page straddling

    The function blkcipher_get_spot tries to return a buffer of
    the specified length that does not straddle a page. It has
    an off-by-one bug so it may advance a page unnecessarily.

    What's worse, one of its callers doesn't provide a buffer
    that's sufficiently long for this operation.

    This patch fixes both problems. Thanks to Bob Gilligan for
    diagnosing this problem and providing a fix.

    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit d2f7a9bf48930c25bbd293c28641a8f251c44474
Author: Jens Axboe
Date:   Fri Sep 14 09:57:54 2007 +0200

    Fix race with shared tag queue maps

    The commit in Linus upstream git tree is
    f3da54ba140c6427fa4a32913e1bf406f41b5dda.

    Fix race with shared tag queue maps

    There's a race condition in blk_queue_end_tag() for shared tag maps,
    users include stex (promise supertrak thingy) and qla2xxx. The former
    at least has reported bugs in this area, not sure why we haven't seen
    any for the latter. It could be because the window is narrow and that
    other conditions in the qla2xxx code hide this. It's a real bug,
    though, as the stex smp users can attest.
    We need to ensure two things - the tag bit clearing needs to happen
    AFTER we cleared the tag pointer, as the tag bit clearing/setting is
    what protects this map. Secondly, we need to ensure that the visibility
    of the tag pointer and tag bit clear are ordered properly.

    [ I removed the SMP barriers - "test_and_clear_bit()" already implies
      all the required barriers. -- Linus ]

    Also see http://bugzilla.kernel.org/show_bug.cgi?id=7842

    Signed-off-by: Jens Axboe
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 7eafb2d538dd87b658593b0e7b4429544f866abe
Author: Neil Brown
Date:   Fri Sep 14 10:28:08 2007 -0400

    Correctly close old nfsd/lockd sockets.

    commit 7a1fa065a0264f6b3d3003ba5635289f6583c478 in mainline.

    Commit aaf68cfbf2241d24d46583423f6bff5c47e088b3 added a bias
    to sk_inuse, so this test for an unused socket now fails. So no
    sockets get closed because they are old (they might get closed
    if the client closed them).

    This bug has existed since 2.6.21-rc1.

    Thanks to Wolfgang Walter for finding and reporting the bug.

    Cc: Wolfgang Walter
    Signed-off-by: Neil Brown
    Signed-off-by: J. Bruce Fields
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 7cd5471bea6f4e7f97e28ff71a30bb2c7656e1c2
Author: Stefan Richter
Date:   Fri Sep 21 08:11:08 2007 +0200

    ieee1394: ohci1394: fix initialization if built non-modular

    Initialization of ohci1394 was broken according to one reporter if the
    driver was statically linked, i.e. not built as loadable module. Dmesg:

    PCI: Device 0000:02:07.0 not available because of resource collisions
    ohci1394: Failed to enable OHCI hardware.

    This was reported for a Toshiba Satellite 5100-503. The cause is commit
    8df4083c5291b3647e0381d3c69ab2196f5dd3b7 in Linux 2.6.19-rc1 which only
    served purposes of early remote debugging via FireWire. This
    functionality is better provided by the currently out-of-tree driver
    ohci1394_earlyinit. Reversal of the commit was OK'd by Andi Kleen.
    Same as pre-2.6.23 commit be7963b7e7f08a149e247c0bf29a4abd174e0929.

    Signed-off-by: Stefan Richter
    Signed-off-by: Greg Kroah-Hartman

commit ef0f3948e965f20af7426a4f3dca2512578cd379
Author: Eric Sandeen
Date:   Tue Sep 18 22:46:38 2007 -0700

    dir_index: error out instead of BUG on corrupt dx dirs

    commit 3d82abae9523c33d4a16fdfdfd2bdde316d7b56a in mainline.

    Convert asserts (BUGs) in dx_probe from bad on-disk data to recoverable
    errors with helpful warnings. With help catching other asserts from
    Duane Griffin

    Signed-off-by: Eric Sandeen
    Acked-by: Duane Griffin
    Acked-by: Theodore Ts'o
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit c82b7176931d2461731e71c4824ed4d7156afc89
Author: Alexey Dobriyan
Date:   Tue Sep 18 22:46:40 2007 -0700

    nfs: fix oops re sysctls and V4 support

    commit 49af7ee181f4f516ac99eba85d3f70ed42cabe76 in mainline.

    NFS unregisters sysctls only if V4 support is compiled in. However,
    sysctl table is not V4 specific, so unregister it always.
    Steps to reproduce:

        [build nfs.ko with CONFIG_NFS_V4=n]
        modprobe nfs
        rmmod nfs
        ls /proc/sys

    Unable to handle kernel paging request at ffffffff880661c0 RIP:
     [] proc_sys_readdir+0xd3/0x350
    PGD 203067 PUD 207063 PMD 7e216067 PTE 0
    Oops: 0000 [1] SMP
    CPU 1
    Modules linked in: lockd nfs_acl sunrpc
    Pid: 3335, comm: ls Not tainted 2.6.23-rc3-bloat #2
    RIP: 0010:[] [] proc_sys_readdir+0xd3/0x350
    RSP: 0018:ffff81007fd93e78 EFLAGS: 00010286
    RAX: ffffffff880661c0 RBX: ffffffff80466370 RCX: ffffffff880661c0
    RDX: 00000000000014c0 RSI: ffff81007f3ad020 RDI: ffff81007efd8b40
    RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000001 R11: ffffffff802a8570 R12: ffffffff880661c0
    R13: ffff81007e219640 R14: ffff81007efd8b40 R15: ffff81007ded7280
    FS: 00002ba25ef03060(0000) GS:ffff81007ff81258(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: ffffffff880661c0 CR3: 000000007dfaf000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process ls (pid: 3335, threadinfo ffff81007fd92000, task ffff81007d8a0000)
    Stack: ffff81007f3ad150 ffffffff80283f30 ffff81007fd93f48 ffff81007efd8b40
     ffff81007ee00440 0000000422222222 0000000200035593 ffffffff88037e9a
     2222222222222222 ffffffff80466500 ffff81007e416400 ffff81007e219640
    Call Trace:
     [] filldir+0x0/0xf0
     [] filldir+0x0/0xf0
     [] vfs_readdir+0xa7/0xc0
     [] sys_getdents+0x96/0xe0
     [] system_call+0x7e/0x83

    Code: 41 8b 14 24 85 d2 74 dc 49 8b 44 24 08 48 85 c0 74 e7 49 3b
    RIP [] proc_sys_readdir+0xd3/0x350
     RSP
    CR2: ffffffff880661c0
    Kernel panic - not syncing: Fatal exception

    Signed-off-by: Alexey Dobriyan
    Acked-by: Trond Myklebust
    Cc: "J. Bruce Fields"
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit f36dab894e29637bae9a58a6fb43fa66e8a94f85
Author: Eric Sandeen
Date:   Tue Sep 18 22:46:42 2007 -0700

    ext34: ensure do_split leaves enough free space in both blocks

    commit ef2b02d3e617cb0400eedf2668f86215e1b0e6af in mainline.

    The do_split() function for htree dir blocks is intended to split a leaf
    block to make room for a new entry. It sorts the entries in the original
    block by hash value, then moves the last half of the entries to the new
    block - without accounting for how much space this actually moves. (IOW,
    it moves half of the entry *count* not half of the entry *space*). If by
    chance we have both large & small entries, and we move only the smallest
    entries, and we have a large new entry to insert, we may not have created
    enough space for it.

    The patch below stores each record size when calculating the dx_map, and
    then walks the hash-sorted dx_map, calculating how many entries must be
    moved to more evenly split the existing entries between the old block and
    the new block, guaranteeing enough space for the new entry.

    The dx_map "offs" member is reduced to u16 so that the overall map size
    does not change - it is temporarily stored at the end of the new block,
    and if it grows too large it may be overwritten. By making offs and size
    both u16, we won't grow the map size.

    Also add a few comments to the functions involved.

    This fixes the testcase reported by hooanon05@yahoo.co.jp on the
    linux-ext4 list, "ext3 dir_index causes an error"

    Thanks to Andreas Dilger for discussing the problem & solution with me.
    Signed-off-by: Eric Sandeen
    Signed-off-by: Andreas Dilger
    Tested-by: Junjiro Okajima
    Cc: Theodore Ts'o
    Cc: ext4
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit cb67b06fd170b6b429f7ade84e2e1d428ae34548
Author: Pavel Emelyanov
Date:   Tue Sep 11 15:24:01 2007 -0700

    Leases can be hidden by flocks

    commit 0e2f6db88a6900bc9db576d6b478b12ee60d61f7 in mainline.

    The inode->i_flock list contains the leases, flocks and posix
    locks in the specified order. However, the flocks are added in
    the head of this list thus hiding the leases from F_GETLEASE
    command, from time_out_leases() and other code that expects
    the leases to come first.

    The following example will demonstrate this:

        #define _GNU_SOURCE
        #include <stdio.h>
        #include <unistd.h>
        #include <fcntl.h>
        #include <sys/file.h>

        /* Print the lease type currently reported for fd by F_GETLEASE. */
        static void show_lease(int fd)
        {
                int res;

                res = fcntl(fd, F_GETLEASE);
                switch (res) {
                case F_RDLCK:
                        printf("Read lease\n");
                        break;
                case F_WRLCK:
                        printf("Write lease\n");
                        break;
                case F_UNLCK:
                        printf("No leases\n");
                        break;
                default:
                        printf("Some shit\n");
                        break;
                }
        }

        int main(int argc, char **argv)
        {
                int fd, res;

                fd = open(argv[1], O_RDONLY);
                if (fd == -1) {
                        perror("Can't open file");
                        return 1;
                }

                /* Take a write lease, then check that it is reported. */
                res = fcntl(fd, F_SETLEASE, F_WRLCK);
                if (res == -1) {
                        perror("Can't set lease");
                        return 1;
                }

                show_lease(fd);

                /* Add a flock on the same file and query the lease again. */
                if (flock(fd, LOCK_SH) == -1) {
                        perror("Can't flock shared");
                        return 1;
                }

                show_lease(fd);

                return 0;
        }

    The first call to show_lease() will show the write lease set, but
    the second will show no leases.

    Fix the flock adding so that the leases always stay in the head
    of this list.

    Found during making the flocks pid-namespaces aware.

    Signed-off-by: Pavel Emelyanov
    Acked-by: "J. Bruce Fields"
    Cc: Trond Myklebust
    Cc: Andrew Morton
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 360a8cf493412bd03e5e24714f4d497d3f901926
Author: Arnd Bergmann
Date:   Tue Sep 11 15:23:49 2007 -0700

    futex_compat: fix list traversal bugs

    commit 179c85ea53bef807621f335767e41e23f86f01df in mainline.

    The futex list traversal on the compat side appears to have
    a bug.

    Its loop termination condition compares:

        while (compat_ptr(uentry) != &head->list)

    But that can't be right because "uentry" has the special
    "pi" indicator bit still potentially set at bit 0. This
    is cleared by fetch_robust_entry() into the "entry"
    return value.

    What this seems to mean is that the list won't terminate
    when list iteration gets back to the head. And we'll
    also process the list head like a normal entry, which could
    cause all kinds of problems.

    So we should check for equality with "entry". That pointer
    is of the non-compat type so we have to do a little casting
    to keep the compiler and sparse happy.

    The same problem can in theory occur with the 'pending'
    variable, although that has not been reported from users
    so far.

    Based on the original patch from David Miller.

    Acked-by: Ingo Molnar
    Cc: Thomas Gleixner
    Cc: David Miller
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 406d6c2a1515d7c38325cdfa4159319e3374a599
Author: Stefan Richter
Date:   Tue Sep 11 14:59:17 2007 +0200

    firewire: fw-ohci: ignore failure of pci_set_power_state (fix suspend regression)

    Minor regression since 2.6.22-rc1: If the experimental firewire-ohci
    driver instead of ohci1394 was loaded, iBook G3 and older PowerBooks
    refused to suspend.

    Same as commit 5511142870046a7bed947d51ec9b320856ee120a plus format
    string touch-ups from 8a8cea2734808522f02941ea16125810ee42c9c7,
    "firewire: missing newline in printk".
    Original patch description:

    Fixes (papers over) "Sleep problems with kernels >= 2.6.21 on powerpc",
    http://lkml.org/lkml/2007/8/25/155. The issue is that the FireWire
    controller's pci_dev.current_state of iBook G3 and presumably older
    PowerBooks is still in PCI_UNKNOWN instead of PCI_D0 when the firewire
    driver's .suspend method is called.

    Like it was suggested earlier in http://lkml.org/lkml/2006/10/24/13, we
    do not fail .suspend anymore if pci_set_power_state failed.

    Signed-off-by: Stefan Richter
    Signed-off-by: Greg Kroah-Hartman

commit d35d77999e8609d8d8f9fddb379e70bdf24624c8
Author: Andrew Morton
Date:   Tue Sep 18 22:46:19 2007 -0700

    Fix "Fix DAC960 driver on machines which don't support 64-bit DMA"

    commit 3558c9b3232b5f0fd9f32043a191eca20fca64c6 in mainline.

    sparc32:

    drivers/block/DAC960.c: In function 'DAC960_V1_EnableMemoryMailboxInterface':
    drivers/block/DAC960.c:1168: error: 'DMA_32BIT_MASK' undeclared (first use in this function)
    drivers/block/DAC960.c:1168: error: (Each undeclared identifier is reported only

    Cc:
    Cc: Alessandro Polverini
    Cc: Jeff Garzik
    Cc: Matthew Wilcox
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 9911e1d2a2e4d3e0188a95222a7cc2a8eb691bc2
Author: Matthew Wilcox
Date:   Tue Sep 11 15:23:38 2007 -0700

    Fix DAC960 driver on machines which don't support 64-bit DMA

    commit 868047fcbb85dbb44ddd98c336fef83236a2c06a in mainline.

    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=8942

    Use PCI_DMA_* constants instead of own private definitions
    Fall back to 32-bit DMA mask if a 64-bit one fails

    Signed-off-by: Matthew Wilcox
    Acked-by: Jeff Garzik
    Tested-by: Lars
    Cc: Alessandro Polverini
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 92e72da15356e2a103c212c02ac4a9479d31015a
Author: Andreas Gruenbacher
Date:   Tue Sep 11 15:23:37 2007 -0700

    afs: mntput called before dput

    commit 1a1a1a758bf0107d1f78ff1d622f45987803d894 in mainline.
    dput must be called before mntput here.

    Signed-off-by: Andreas Gruenbacher
    Acked-By: David Howells
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 2deebbe120da494289773612c72a8bbdb4678242
Author: Andrew Morton
Date:   Tue Sep 18 22:46:41 2007 -0700

    disable sys_timerfd()

    commit e42601973b1bce1d2987f82159c1ebeaccc6b310 in mainline.

    There is still some confusion and disagreement over what this interface
    should actually do. So it is best that we disable it in 2.6.23 until we
    get that fully sorted out.

    (sys_timerfd() was present in 2.6.22 but it was apparently broken, so
    here we assume that nobody is using it yet).

    Cc: Michael Kerrisk
    Cc: Davide Libenzi
    Acked-by: Linus Torvalds
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit d41c6d512f41caaa510800c4efbd855ffc169e65
Author: Wolfgang Walter
Date:   Thu Sep 20 15:51:46 2007 -0400

    rpc: fix garbage in printk in svc_tcp_accept()

    commit 9db619e66503494e41159de3c76fafabe80d016b in mainline.

    we upgraded the kernel of a nfs-server from 2.6.17.11 to 2.6.22.6.
    Since then we get the message

    lockd: too many open TCP sockets, consider increasing the number of nfsd threads
    lockd: last TCP connect from ^\\236^\É^D

    These random characters in the second line are caused by a bug in
    svc_tcp_accept.

    (Note: there are two previous __svc_print_addr(sin, buf, sizeof(buf))
    calls in this function, either of which would initialize buf correctly;
    but both are inside "if"'s and are not necessarily executed. This is
    less obvious in the second case, which is inside a dprintk(), which is a
    macro which expands to an if statement.)

    Signed-off-by: Wolfgang Walter
    Signed-off-by: J. Bruce Fields
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 88bf3e2706e93abe55e7c0c95b9433e7a3f0b15b
Author: Jens Axboe
Date:   Thu Sep 20 13:36:30 2007 +0200

    splice: fix direct splice error handling

    This is a splice patch for 2.6.22 and 2.6.21 (and earlier, I did not
    check. Let me know if you still maintain older stable trees!). It fixes
    an infinite loop in do_splice_direct(), when there's either nothing to
    read or nothing to write and blocking doesn't help. It could be things
    like running out of disk space.

    We need to exit both for failure and zero return, or we could be going
    around forever.

    This got fixed in 2.6.23-git with commit
    51a92c0f6ce8fa85fa0e18ecda1d847e606e8066

    Herbert Poetzl noticed this bug in 2.6.22, and has verified that this
    minimal fix works.

    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

commit a3a066bffd7754e6d40c48972e698352f6cd6c4e
Author: Jean Delvare
Date:   Thu Sep 20 14:16:00 2007 +0200

    Fix debug regression in video/pwc

    Commit 85237f202d46d55c1bffe0c5b1aa3ddc0f1dce4d introduced the
    following warning:

    drivers/media/video/pwc/pwc-if.c: In function "pwc_video_close":
    drivers/media/video/pwc/pwc-if.c:1211: warning: "i" may be used uninitialized in this function

    This is true, and can cause a broken debug message to be logged.
    Here's a fix.

    Fix is already in Linus' tree for 2.6.23:
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7b9fbc3e30f785412a26819aa4daf0b6c27f6c53

    Signed-off-by: Jean Delvare
    Signed-off-by: Greg Kroah-Hartman

commit e98ca97405f73dbe50548c31ec46f1158e3af89e
Author: Jean Delvare
Date:   Thu Sep 20 14:13:14 2007 +0200

    hwmon: End of I/O region off-by-one

    Fix an off-by-one error in the I/O region declaration of two
    hardware monitoring drivers (lm78 and w83781d.) We were requesting
    one extra port at the end of the region.

    This is a regression in 2.6.22 and could prevent other drivers from
    loading properly.
    Already applied to Linus' tree for 2.6.23:
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=15bde2f1a8e819213f54314505a5a0509673109b

    Signed-off-by: Jean Delvare
    Signed-off-by: Mark M. Hoffman
    Signed-off-by: Greg Kroah-Hartman

commit 5f9ce2fc33a51fb6ff9e6e484d4673329c935aba
Author: Steven Toth
Date:   Sat Sep 15 12:28:26 2007 -0400

    V4L: cx88: Avoid a NULL pointer dereference during mpeg_open()

    (cherry picked from commit 48200baeab95fd39a7f4c4f3536c7142a64ac335)

    [PATCH] V4L: cx88: Avoid a NULL pointer dereference during mpeg_open()

    Bug: With a hardware encoder board installed as cx88[1] and a
    non-encoder board installed as cx88[0], an OOPS is generated
    during cx8802_get_device() called from mpeg_open().

    Signed-off-by: Steven Toth
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit 1d82390f570340d517c4e8f2b7a63f8dfeb9a4ff
Author: Jason Lunz
Date:   Sat Sep 1 12:06:03 2007 -0700

    JFFS2: fix write deadlock regression

    Changeset fc0e01974ccccc7530b7634a63ee3fcc57b845ea from mainline.

    I've bisected the deadlock when many small appends are done on jffs2
    down to this commit:

        commit 6fe6900e1e5b6fa9e5c59aa5061f244fe3f467e2
        Author: Nick Piggin
        Date:   Sun May 6 14:49:04 2007 -0700

            mm: make read_cache_page synchronous

            Ensure pages are uptodate after returning from read_cache_page,
            which allows us to cut out most of the filesystem-internal
            PageUptodate calls.

            I didn't have a great look down the call chains, but this appears
            to fix 7 possible use-before uptodate in hfs, 2 in hfsplus, 1 in
            jfs, a few in ecryptfs, 1 in jffs2, and a possible cleared data
            overwritten with readpage in block2mtd. All depending on whether
            the filler is async and/or can return with a !uptodate page.

    It introduced a wait to read_cache_page, as well as a
    read_cache_page_async function equivalent to the old read_cache_page
    without any callers.
Switching jffs2_gc_fetch_page to read_cache_page_async for the old behavior makes the deadlocks go away, but maybe reintroduces the use-before-uptodate problem? I don't understand the mm/fs interaction well enough to say.

[It's fine. dwmw2.]

Signed-off-by: Jason Lunz
Signed-off-by: David Woodhouse
Signed-off-by: Greg Kroah-Hartman

commit 0716eb76801642489421f4ca13b1b7a34e02adec
Author: David Howells
Date: Thu Aug 30 17:21:19 2007 +0100

MTD: Initialise s_flags in get_sb_mtd_aux()

changeset 48440e893d700fb8f0de95fa7d748b711d290365 from mainline.

Initialise s_flags in get_sb_mtd_aux() from the flags parameter.

Signed-off-by: David Howells
Signed-off-by: David Woodhouse
Cc: Jason Lunz
Signed-off-by: Greg Kroah-Hartman

commit 8bffb995c871af1791c114cfcc188d6ea3caa087
Author: Adam Radford
Date: Wed Aug 29 12:19:21 2007 -0400

3w-9xxx: Fix dma mask setting

[SCSI] 3w-9xxx: Fix dma mask setting

Extracted from commit 0e78d158b67fba3977f577f293c323359d80dd0e

The attached patch updates the 3ware 9000 driver:

- Fix dma mask setting to fallback to 32-bit if 64-bit fails.

Signed-off-by: Adam Radford
Signed-off-by: James Bottomley
Signed-off-by: Chuck Ebbert
Signed-off-by: Greg Kroah-Hartman

commit fee40b38d938f8fc5dae006ed25259456c2cd7bc
Author: Kumar Gala
Date: Tue Aug 28 21:15:53 2007 -0500

POWERPC: Flush registers to proper task context

commit 0ee6c15e7ba7b36a217cdadb292eeaf32a057a59 in mainline.

When we flush register state for FP, Altivec, or SPE in flush_*_to_thread we need to respect the task_struct that the caller has passed to us. Most cases we are called with current, however sometimes (ptrace) we may be passed a different task_struct.

This showed up when using gdbserver debugging a simple program that used floating point. When gdb tried to show the FP regs they all showed up as 0, because the child's FP registers were never properly flushed to memory.
Signed-off-by: Kumar Gala
Signed-off-by: Greg Kroah-Hartman

commit 51718d505589b59a4bb4dc2a6de5ae2402972a17
Author: Zhao Yakui
Date: Fri Aug 24 16:18:16 2007 +0800

ACPI: Validate XSDT, use RSDT if XSDT fails

commit 9f3119b70cf189530f1b46a006a052e171a1622f in mainline.

ACPI 1.0 used an RSDT with 32-bit physical addresses. ACPI 2.0 adds an XSDT with 32-bit physical addresses. An ACPI 2.0 aware OS is supposed to use the XSDT (when present) instead of the RSDT.

However, several systems have failed because the XSDT contains NULL entries -- while it is missing pointers to needed tables, such as SSDTs.

When we find an XSDT with NULL entries, discard it and use the ACPI 1.0 RSDT instead.

http://bugzilla.kernel.org/show_bug.cgi?id=8630

Signed-off-by: Zhao Yakui
Cc: Vincet Fortier
Signed-off-by: Len Brown
Signed-off-by: Greg Kroah-Hartman

commit 0e22438a5adfdf32b3bb1c75c81c01a29fba9770
Author: Nathael Pajani
Date: Tue Sep 11 09:46:48 2007 -0700

USB: fix linked list insertion bugfix for usb core

commit e5dd01154c1e9ca2400f4682602d1a4fa54c25dd in mainline.

This patch fixes the order of list_add_tail() arguments in usb_store_new_id() so the list can have more than one single element.

Signed-off-by: Nathael Pajani
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Greg Kroah-Hartman

commit a43e325240b453083aee4d2d11f378d224098f80
Author: Satyam Sharma
Date: Wed Sep 5 04:40:52 2007 +0530

MTD: Makefile fix for mtdsuper

commit bec494775600b1cd7c144d31a09e1f46df9c6324 in mainline.

We want drivers/mtd/{mtdcore, mtdsuper, mtdpart}.c to be built and linked into the same mtd.ko module. Fix the Makefile to ensure this, and remove duplicate MODULE_ declarations in mtdpart.c, as mtdcore.c already has them.
Signed-off-by: Satyam Sharma
Signed-off-by: David Woodhouse
Signed-off-by: Greg Kroah-Hartman

commit bf3bc19248f00e6939a37e2d5bddde48505e0dda
Author: Roman Zippel
Date: Sat Sep 1 08:29:40 2007 +0200

kconfig: oldconfig shall not set symbols if it does not need to

commit f82f3f9422d4da1eeec6f6cf3e64c6c34c4fe19b in mainline.

Avoid setting the value if the symbol doesn't need to be changed or can't be changed. Later choices may change the dependencies and thus the possible input range.

make oldconfig from a 2.6.22 .config with CONFIG_HOTPLUG_CPU not set was in some configurations setting CONFIG_HOTPLUG_CPU=y without asking, even when there was no actual requirement for CONFIG_HOTPLUG_CPU. This was triggered by SUSPEND_SMP that does a select HOTPLUG_CPU.

Signed-off-by: Roman Zippel
Tested-by: Hugh Dickins
Signed-off-by: Sam Ravnborg
Signed-off-by: Greg Kroah-Hartman

commit 05d1e31ad2d5e3b6c20c0d9d63d511f0d89e4b3f
Author: Oleg Nesterov
Date: Thu Aug 30 23:56:35 2007 -0700

sigqueue_free: fix the race with collect_signal()

commit 60187d2708caa870f0825d753df1612ea688eb9e in mainline.

Spotted by taoyue and Jeremy Katz.

    collect_signal:                         sigqueue_free:

        list_del_init(&first->list);
                                            if (!list_empty(&q->list)) {
                                                // not taken
                                            }
                                            q->flags &= ~SIGQUEUE_PREALLOC;

        __sigqueue_free(first);             __sigqueue_free(q);

Now, __sigqueue_free() is called twice on the same "struct sigqueue" with the obviously bad implications.

In particular, this double free breaks the array_cache->avail logic, so the same sigqueue could be "allocated" twice, and the bug can manifest itself via the "impossible" BUG_ON(!SIGQUEUE_PREALLOC) in sigqueue_free/send_sigqueue.

Hopefully this can explain these mysterious bug-reports, see

http://marc.info/?t=118766926500003
http://marc.info/?t=118466273000005

Alexey Dobriyan reports this patch makes the difference for the testcase, but nobody has an access to the application which opened the problems originally.
Also, this patch removes tasklist lock/unlock, ->siglock is enough.

Signed-off-by: Oleg Nesterov
Cc: taoyue
Cc: Jeremy Katz
Cc: Sukadev Bhattiprolu
Cc: Alexey Dobriyan
Cc: Ingo Molnar
Cc: Thomas Gleixner
Cc: Roland McGrath
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

commit 019f3a3f5f02958ec81e41e03f8d7c6e44ca73f9
Author: Oleg Nesterov
Date: Thu Aug 30 23:56:27 2007 -0700

setpgid(child) fails if the child was forked by sub-thread

commit b07e35f94a7b6a059f889b904529ee907dc0634d in mainline tree

Spotted by Marcin Kowalczyk.

sys_setpgid(child) fails if the child was forked by sub-thread. Fix the "is it our child" check. The previous commit ee0acf90d320c29916ba8c5c1b2e908d81f5057d was not complete.

(this patch asks for the new same_thread_group() helper, but mainline doesn't have it yet).

Signed-off-by: Oleg Nesterov
Acked-by: Roland McGrath
Tested-by: "Marcin 'Qrczak' Kowalczyk"
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

commit 3a76a44ae920ef21d127e0488cb026d4f9772406
Author: Trent Piepho
Date: Fri Aug 24 07:51:50 2007 -0400

DVB: b2c2-flexcop: fix Airstar HD5000 tuning regression

cherry picked from commit 6175e487e314385e37f06448847e4c46c20edb44

b2c2-flexcop: fix Airstar HD5000 tuning regression

Git changeset 6bdcc6e6dbab8daffd05e5026486f34ba41a6c72 dropped the stand-alone lgh06xf module, whose functionality was absorbed into the dvb-pll module. However, there was a minor difference between the code in lgh06xf and dvb-pll, which caused a regression in b2c2-flexcop devices using the LG-H06xF NIM.

dvb-pll will probe for the presence of an i2c pll chip by performing a single byte read, the lgh06xf driver did not do this.

Unfortunately, the code in flexcop-i2c.c does not currently support 1 byte or 0 byte reads as a probe. Such probes with the current code will always fail.
In order to work around this problem, and restore proper functionality of the Airstar HD5000 device, this hack was created to make the probe appear to succeed.

The single byte read in dvb_pll_attach is the only place where such a probe would ever occur, so this change is safe, and will not affect any other devices.

Of course, if one knew how to actually perform the read operation, it would be better to go that route. In the meantime, however, we must apply this workaround, in order to prevent the regression that causes tuning to fail on the Airstar HD5000 ATSC device.

Thanks to Jarod Wilson, who had originally reported this regression, and to Geoffrey Hausheer, whose original workaround patch led us to find the actual cause of the problem.

Signed-off-by: Trent Piepho
Cc: Geoffrey Hausheer
Acked-by: Jarod Wilson
Signed-off-by: Michael Krufky
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit b1652a718740a84873d85ad3413e9a927b6bfcc3
Author: Andreas Arens
Date: Fri Aug 24 07:51:49 2007 -0400

DVB: get_dvb_firmware: update script for new location of tda10046 firmware

cherry picked from commit c545d6adbcacd296f7457bd992556feb055379de

Update get_dvb_firmware script for the new location of the tda10046 firmware. The old location doesn't work anymore.
Signed-off-by: Andreas Arens
Signed-off-by: Michael Krufky
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 2c071bcc3cc1dcf2fbd88afdf68b2ba326f43e4a
Author: Michael Krufky
Date: Fri Aug 24 07:51:47 2007 -0400

DVB: get_dvb_firmware: update script for new location of sp8870 firmware

cherry picked from commit 302170a4b47e869372974abd885dd11d5536b64a

get_dvb_firmware: update script for new location of sp8870 firmware

This url is no longer valid:
http://www.technotrend.de/new/217g/tt_Premium_217g.zip

Replace with:
http://www.softwarepatch.pl/9999ccd06a4813cb827dbb0005071c71/tt_Premium_217g.zip

Thanks-to: Tobias Stoeber
Signed-off-by: Michael Krufky
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit ff5b2e7e826231316e7cfeb6b50448a57b67dc4a
Author: Hans Verkuil
Date: Fri Aug 24 07:51:45 2007 -0400

V4L: ivtv: fix VIDIOC_S_FBUF: new OSD values were never set

cherry picked from commit c3624f99a8c06cfe75e0b06f23a7f7cea9d2d5ff

ivtv: fix VIDIOC_S_FBUF support: new OSD values were never actually set.

The values set with VIDIOC_S_FBUF were not actually used until the next VIDIOC_S_FMT. Fixed.

Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Michael Krufky
Signed-off-by: Greg Kroah-Hartman
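
The argument-order bug named in the "USB: fix linked list insertion bugfix for usb core" entry above, as an added example that is not code from the kernel tree or from the patch. The list helpers are a minimal user-space stand-in with the kernel's `list_add_tail(entry, head)` contract; `struct dyn_id`, `ids_reachable()` and the self-linked starting state of each node are assumptions made for the illustration.

```c
#include <stdio.h>
/* Minimal stand-in for the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

/* Same contract as the kernel helper: link `entry` just before `head`. */
static void list_add_tail(struct list_head *entry, struct list_head *head)
{
    struct list_head *prev = head->prev;
    entry->next = head;
    entry->prev = prev;
    prev->next = entry;
    head->prev = entry;
}

/* Count the entries reachable by walking forward from the list head. */
static int list_len(const struct list_head *head)
{
    int n = 0;
    for (const struct list_head *p = head->next; p != head; p = p->next)
        n++;
    return n;
}

/* Hypothetical stand-in for a dynamic ID entry; only the list node matters. */
struct dyn_id { struct list_head node; int id; };

/* Add `count` entries to a fresh list; `swapped` reproduces the reversed arguments. */
static int ids_reachable(int count, int swapped)
{
    static struct dyn_id pool[8];
    struct list_head head;

    INIT_LIST_HEAD(&head);
    for (int i = 0; i < count && i < 8; i++) {
        pool[i].id = i;
        INIT_LIST_HEAD(&pool[i].node);           /* assumption: node starts self-linked */
        if (swapped)
            list_add_tail(&head, &pool[i].node); /* reversed: head is linked in as the entry */
        else
            list_add_tail(&pool[i].node, &head); /* correct: new node appended to the list */
    }
    return list_len(&head);
}

int main(void)
{
    printf("correct: %d of 3 reachable, swapped: %d of 3 reachable\n", ids_reachable(3, 0), ids_reachable(3, 1));
    return 0;
}
```

With the arguments reversed, every insertion rewrites the head's pointers to reference only the newest node, so earlier entries are silently dropped from traversal without any crash or error return.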