commit 3d4f61b2f111e894534710e2c668410316339dee
Author: Greg Kroah-Hartman
Date:   Fri Dec 14 10:01:59 2007 -0800

    Linux 2.6.23.10

commit d112668e7fc0e25e33c774e33c66b4de02c85282
Author: Rafael J. Wysocki
Date:   Fri Dec 7 14:09:02 2007 +1100

    XFS: Make xfsbufd threads freezable

    patch 978c7b2ff49597ab76ff7529a933bd366941ac25 in mainline

    Fix breakage caused by commit 831441862956fffa17b9801db37e6ea1650b0f69
    that did not introduce the necessary call to set_freezable() in
    xfs/linux-2.6/xfs_buf.c.

    SGI-PV: 974224
    SGI-Modid: xfs-linux-melb:xfs-kern:30203a

    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: David Chinner
    Signed-off-by: Lachlan McIlroy
    Cc: Oliver Pintr
    Signed-off-by: Greg Kroah-Hartman

commit 3f69a38c97c5864e6e01a584e6389eb4aa637706
Author: Pavel Emelyanov
Date:   Thu Dec 13 12:57:24 2007 +0800

    BRIDGE: Properly dereference the br_should_route_hook

    [BRIDGE]: Properly dereference the br_should_route_hook

    [ Upstream commit: 82de382ce8e1c7645984616728dc7aaa057821e4 ]

    This hook is protected with the RCU, so simple

        if (br_should_route_hook)
                br_should_route_hook(...)

    is not enough on some architectures.

    Use the rcu_dereference/rcu_assign_pointer in this case.

    Fixed Stephen's comment concerning using the typeof().

    Signed-off-by: Pavel Emelyanov
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 5de724036762b8a4c03c4979f19b01a98529a601
Author: Patrick McHardy
Date:   Thu Dec 13 12:42:34 2007 +0800

    NETFILTER: xt_TCPMSS: remove network triggerable WARN_ON

    [NETFILTER]: xt_TCPMSS: remove network triggerable WARN_ON

    [ Upstream commit: 9dc0564e862b1b9a4677dec2c736b12169e03e99 ]

    ipv6_skip_exthdr() returns -1 for invalid packets. don't WARN_ON that.

    Signed-off-by: Patrick McHardy
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 9aa67118c51d60af7b048be6e4a8b8bad2191555
Author: Patrick McHardy
Date:   Thu Nov 29 23:07:57 2007 +1100

    XFRM: Fix leak of expired xfrm_states

    [XFRM]: Fix leak of expired xfrm_states

    [ Upstream commit: 5dba4797115c8fa05c1a4d12927a6ae0b33ffc41 ]

    The xfrm_timer calls __xfrm_state_delete, which drops the final
    reference manually without triggering destruction of the state.
    Change it to use xfrm_state_put to add the state to the gc list
    when we're dropping the last reference. The timer function may
    still continue to use the state safely since the final destruction
    does a del_timer_sync().

    Signed-off-by: Patrick McHardy
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 9ee303ef4e582f2f8b4f08e58ced6ba44debfb64
Author: Tejun Heo
Date:   Sat Dec 8 09:25:31 2007 +0900

    libata: kill spurious NCQ completion detection

    patch 459ad68893a84fb0881e57919340b97edbbc3dc7 in mainline.

    Spurious NCQ completion detection implemented in ahci was incorrect.
    On AHCI receiving and processing FISes and raising interrupts are not
    interlocked and spurious interrupts are expected.

    For example, if an interrupt occurs while interrupt handler is running
    and the running interrupt handler handles the event the new IRQ
    indicated, after IRQ handler finishes, it will be executed again
    because IRQ pending bit is set by the new interrupt but there won't be
    anything to process.

    Please read the following message for more information.

      http://article.gmane.org/gmane.linux.ide/26012

    This patch...

    * Removes all spurious IRQ whining from ahci. Spurious NCQ completion
      detection was completely wrong. Spurious D2H Register FIS taught us
      that some early drives send spurious D2H Register FIS with I bit set
      while NCQ commands are in progress but none of recent drives does
      that and even the ones which show such behavior can do NCQ fine.

    * Kills all NCQ blacklist entries which were added because of spurious
      NCQ completions. I tracked down each commit and verified all removed
      ones are actually added because of spurious completions.

    WD740ADFD-00NLR1 wasn't deleted but moved upward because the drive not
    only had spurious NCQ completions but also is slow on sequential data
    transfers if NCQ is enabled.

    Maxtor 7V300F0 was added by 0e3dbc01d53940fe10e5a5cfec15ede3e929c918
    from Alan Cox. I can only find evidences that the drive only had
    troubles with spurious completions by searching the mailing list.
    This entry needs to be verified and removed if it doesn't have other
    NCQ related problems.

    Signed-off-by: Tejun Heo
    Cc: Alan Cox
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 3e3deae8d7a9e5b73804dca55252bcf3aea19504
Author: Jan Engelhardt
Date:   Tue Dec 11 09:39:40 2007 +0800

    NETFILTER: fix forgotten module release in xt_CONNMARK and xt_CONNSECMARK

    [NETFILTER]: fix forgotten module release in xt_CONNMARK and xt_CONNSECMARK

    [ Upstream commit: 67b4af297033f5f65999885542f95ba7b562848a ]

    Fix forgotten module release in xt_CONNMARK and xt_CONNSECMARK

    When xt_CONNMARK is used outside the mangle table and the user
    specified "--restore-mark", the connmark_tg_check() function will
    (correctly) error out, but (incorrectly) forgets to release the L3
    conntrack module. Same for xt_CONNSECMARK.

    Fix is to move the call to acquire the L3 module after the basic
    constraint checks.

    Signed-off-by: Jan Engelhardt
    Signed-off-by: Patrick McHardy
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 5b5581b721cdc76fe1fe8f89f22ae613198acdbd
Author: Florian Zumbiehl
Date:   Tue Dec 11 09:39:39 2007 +0800

    UNIX: EOF on non-blocking SOCK_SEQPACKET

    [UNIX]: EOF on non-blocking SOCK_SEQPACKET

    [ Upstream commit: 0a11225887fe6cbccd882404dc36ddc50f47daf9 ]

    I am not absolutely sure whether this actually is a bug (as in: I've got
    no clue what the standards say or what other implementations do), but at
    least I was pretty surprised when I noticed that a recv() on a
    non-blocking unix domain socket of type SOCK_SEQPACKET (which is
    connection oriented, after all) where the remote end has closed the
    connection returned -1 (EAGAIN) rather than 0 to indicate end of file.

    This is a test case:

    | #include <sys/types.h>
    | #include <unistd.h>
    | #include <sys/socket.h>
    | #include <sys/un.h>
    | #include <fcntl.h>
    | #include <string.h>
    | #include <stdlib.h>
    |
    | int main(){
    |     int sock;
    |     struct sockaddr_un addr;
    |     char buf[4096];
    |     int pfds[2];
    |
    |     pipe(pfds);
    |     sock=socket(PF_UNIX,SOCK_SEQPACKET,0);
    |     addr.sun_family=AF_UNIX;
    |     strcpy(addr.sun_path,"/tmp/foobar_testsock");
    |     bind(sock,(struct sockaddr *)&addr,sizeof(addr));
    |     listen(sock,1);
    |     if(fork()){
    |         close(sock);
    |         sock=socket(PF_UNIX,SOCK_SEQPACKET,0);
    |         connect(sock,(struct sockaddr *)&addr,sizeof(addr));
    |         fcntl(sock,F_SETFL,fcntl(sock,F_GETFL)|O_NONBLOCK);
    |         close(pfds[1]);
    |         read(pfds[0],buf,sizeof(buf));
    |         recv(sock,buf,sizeof(buf),0); // <-- this one
    |     }else accept(sock,NULL,NULL);
    |     exit(0);
    | }

    If you try it, make sure /tmp/foobar_testsock doesn't exist.

    The marked recv() returns -1 (EAGAIN) on 2.6.23.9. Below you find a
    patch that fixes that.

    Signed-off-by: Florian Zumbiehl
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 931c8cbed400a72c0da0756594154504b4634a2a
Author: Stephen Hemminger
Date:   Tue Dec 11 09:39:37 2007 +0800

    TCP: illinois: Incorrect beta usage

    [TCP] illinois: Incorrect beta usage

    [ Upstream commit: a357dde9df33f28611e6a3d4f88265e39bcc8880 ]

    Lachlan Andrew observed that my TCP-Illinois implementation uses the
    beta value incorrectly:

      The parameter beta in the paper specifies the amount to decrease
      *by*: that is, on loss,
          W <- W - beta*W
      but in tcp_illinois_ssthresh() uses beta as the amount
      to decrease *to*:
          W <- beta*W

    This bug makes the Linux TCP-Illinois get less-aggressive on
    uncongested network, hurting performance. Note: since the base beta
    value is .5, it has no impact on a congested network.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 978cf44ec452e8fa359b2562a98977d0f76a5b6a
Author: Evgeniy Polyakov
Date:   Tue Dec 11 09:39:34 2007 +0800

    IPV6: Restore IPv6 when MTU is big enough

    [IPV6]: Restore IPv6 when MTU is big enough

    [ Upstream commit: d31c7b8fa303eb81311f27b80595b8d2cbeef950 ]

    Avaid provided test application, so bug got fixed.

    IPv6 addrconf removes ipv6 inner device from netdev each time mtu
    changes and new value is less than IPV6_MIN_MTU (1280 bytes). When mtu
    is changed and new value is greater than IPV6_MIN_MTU, it does not add
    ipv6 addresses and inner device back.

    This patch fixes that. Tested with Avaid's application, which works ok
    now.

    Signed-off-by: Evgeniy Polyakov
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit da027ec9500791ee49b3301d8ed7f12011d535e2
Author: Pavel Emelyanov
Date:   Tue Dec 11 09:39:32 2007 +0800

    DECNET: dn_nl_deladdr() almost always returns no error

    [DECNET]: dn_nl_deladdr() almost always returns no error

    [ Upstream commit: 3ccd86241b277249d5ac08e91eddfade47184520 ]

    As far as I see from the err variable initialization the
    dn_nl_deladdr() routine was designed to report errors like
    "EADDRNOTAVAIL" and probably "ENODEV".

    But the code sets this err to 0 after the first nlmsg_parse and goes
    on, returning this 0 in any case.

    Signed-off-by: Pavel Emelyanov
    Acked-by: Steven Whitehouse
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit c8ddbf107012e54c432ba85192d18e873b8af1e5
Author: Joonwoo Park
Date:   Tue Dec 11 09:39:35 2007 +0800

    VLAN: Fix nested VLAN transmit bug

    [VLAN]: Fix nested VLAN transmit bug

    [ Upstream commit: 6ab3b487db77fa98a24560f11a5a8e744b98d877 ]

    Fix misbehavior of vlan_dev_hard_start_xmit() for recursive
    encapsulations.

    Signed-off-by: Joonwoo Park
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit aa53617cb1a0083372b4b6440587ca703e4dddaf
Author: Pablo Neira Ayuso
Date:   Tue Dec 11 09:39:38 2007 +0800

    TEXTSEARCH: Do not allow zero length patterns in the textsearch infrastructure

    [TEXTSEARCH]: Do not allow zero length patterns in the textsearch infrastructure

    [ Upstream commit: e03ba84adb62fbc6049325a5bc00ef6932fa5e39 ]

    If a zero length pattern is passed then return EINVAL.
    Avoids infinite loops (bm) or invalid memory accesses (kmp).

    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Patrick McHardy
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 7f6f99bcb122a89b29e927f9209836d492adbd63
Author: David Howells
Date:   Tue Dec 11 09:39:36 2007 +0800

    RXRPC: Add missing select on CRYPTO

    [RXRPC]: Add missing select on CRYPTO

    [ Upstream commit: d5a784b3719ae364f49ecff12a0248f6e4252720 ]

    AF_RXRPC uses the crypto services, so should depend on or select
    CRYPTO.

    Signed-off-by: David Howells
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 5bd7fb00a5e973f741274f37628b9da21811c565
Author: Pavel Emelyanov
Date:   Tue Dec 11 09:39:30 2007 +0800

    BRIDGE: Lost call to br_fdb_fini() in br_init() error path

    [BRIDGE]: Lost call to br_fdb_fini() in br_init() error path

    [ Upstream commit: 17efdd45755c0eb8d1418a1368ef7c7ebbe98c6e ]

    In case the br_netfilter_init() (or any subsequent call) fails, the
    br_fdb_fini() must be called to free the allocated in br_fdb_init()
    br_fdb_cache kmem cache.

    Signed-off-by: Pavel Emelyanov
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 193e74df1d41817112df6d97ba447a4841378b2d
Author: Charles Hardin
Date:   Thu Nov 29 23:07:57 2007 +1100

    PFKEY: Sending an SADB_GET responds with an SADB_GET

    [PFKEY]: Sending an SADB_GET responds with an SADB_GET

    [ Upstream commit: 435000bebd94aae3a7a50078d142d11683d3b193 ]

    Kernel needs to respond to an SADB_GET with the same message type to
    conform to the RFC 2367 Section 3.1.5

    Signed-off-by: Andrew Morton
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 5fb62a184b2f0ea0e3aa2baeed2a01b71844368d
Author: Ilpo Järvinen
Date:   Thu Nov 29 23:07:58 2007 +1100

    TCP: MTUprobe: fix potential sk_send_head corruption

    [TCP] MTUprobe: fix potential sk_send_head corruption

    [ Upstream commit: 6e42141009ff18297fe19d19296738b742f861db ]

    When the abstraction functions got added, conversion here was made
    incorrectly.
    As a result, the skb may end up pointing to skb which got included to
    the probe skb and then was freed. For it to trigger, however,
    skb_transmit must fail sending as well.

    Signed-off-by: Ilpo Järvinen
    Signed-off-by: David S. Miller
    Cc: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 593b85eff26bc1c33c54be8632ac181b6cc1b5a4
Author: Herbert Xu
Date:   Thu Nov 29 23:07:58 2007 +1100

    TCP: Fix TCP header misalignment

    [TCP]: Fix TCP header misalignment

    [ Upstream commit: 21df56c6e2372e09c916111efb6c14c372a5ab2e ]

    Indeed my previous change to alloc_pskb has made it possible for the
    TCP header to be misaligned iff the MTU is not a multiple of 4 (and
    less than a page). So I suspect the optimised IPsec MTU calculation is
    giving you just such an MTU :)

    This patch fixes it by changing alloc_pskb to make sure that the size
    is at least 32-bit aligned. This does not cause the problem fixed by
    the previous patch because max_header is always 32-bit aligned which
    means that in the SG/NOTSO case this will be a no-op.

    I thought about putting this in the callers but all the current
    callers are from TCP. If and when we get a non-TCP caller we can
    always create a TCP wrapper for this function and move the alignment
    over there.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit df70b187c9908155ba646b57797c2c6e7b426733
Author: Herbert Xu
Date:   Thu Nov 29 23:07:57 2007 +1100

    CRYPTO api: Fix potential race in crypto_remove_spawn

    [CRYPTO] api: Fix potential race in crypto_remove_spawn

    [ Upstream commit: 38cb2419f544ad413c7f7aa8c17fd7377610cdd8 ]

    As it is crypto_remove_spawn may try to unregister an instance which
    is yet to be registered. This patch fixes this by checking whether the
    instance has been registered before attempting to remove it.

    It also removes a bogus cra_destroy check in crypto_register_instance
    as 1) it's outside the mutex; 2) we have a check in
    __crypto_register_alg already.

    Signed-off-by: Herbert Xu
    Cc: David Miller
    Signed-off-by: Greg Kroah-Hartman

commit 470678d9f4e37380e89999b5a4f223985cf186e1
Author: Sam Jansen
Date:   Thu Nov 29 23:07:57 2007 +1100

    TCP: Problem bug with sysctl_tcp_congestion_control function

    [TCP]: Problem bug with sysctl_tcp_congestion_control function

    [ Upstream commit: 5487796f0c9475586277a0a7a91211ce5746fa6a ]

    sysctl_tcp_congestion_control seems to have a bug that prevents it
    from actually calling the tcp_set_default_congestion_control
    function. This is not so apparent because it does not return an error
    and generally the /proc interface is used to configure the default TCP
    congestion control algorithm. This is present in 2.6.18 onwards and
    probably earlier, though I have not inspected 2.6.15--2.6.17.

    sysctl_tcp_congestion_control calls sysctl_string and expects a
    successful return code of 0. In such a case it actually sets the
    congestion control algorithm with
    tcp_set_default_congestion_control. Otherwise, it returns the value
    returned by sysctl_string. This was correct in 2.6.14, as
    sysctl_string returned 0 on success. However, sysctl_string was
    updated to return 1 on success around about 2.6.15 and
    sysctl_tcp_congestion_control was not updated. Even though
    sysctl_tcp_congestion_control returns 1, do_sysctl_strategy converts
    this return code to '0', so the caller never notices the error.

    Signed-off-by: David S. Miller
    Cc: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit c996090b7a28d89cf1f2365688dad715b2ae7bd6
Author: chas williams
Date:   Thu Nov 29 23:07:57 2007 +1100

    ATM: [he] initialize lock and tasklet earlier

    [ATM]: [he] initialize lock and tasklet earlier

    [ Upstream commit: 8a8037ac9dbe4eb20ce50aa20244faf77444f4a3 ]

    if you are lucky (unlucky?) enough to have shared interrupts, the
    interrupt handler can be called before the tasklet and lock are ready
    for use.

    Signed-off-by: chas williams
    Signed-off-by: Herbert Xu
    Cc: David Miller
    Signed-off-by: Greg Kroah-Hartman

commit a9a88eb292818f5ff9ba6c0fabc17fa663c6a278
Author: Adrian Bunk
Date:   Thu Nov 29 23:07:57 2007 +1100

    IPV4: Remove bogus ifdef mess in arp_process

    [IPV4]: Remove bogus ifdef mess in arp_process

    [ Upstream commit: 3660019e5f96fd9a8b7d4214a96523c0bf7b676d ]

    The #ifdef's in arp_process() were not only a mess, they were also
    wrong in the CONFIG_NET_ETHERNET=n and (CONFIG_NETDEV_1000=y or
    CONFIG_NETDEV_10000=y) cases.

    Since they are not required this patch removes them.

    Also removed are some #ifdef's around #include's that caused compile
    errors after this change.

    Signed-off-by: Adrian Bunk
    Signed-off-by: Herbert Xu
    Cc: David Miller
    Signed-off-by: Greg Kroah-Hartman

commit c2f1eef5597779c7111747f51aa9d76945a8cee0
Author: Eric Dumazet
Date:   Thu Nov 29 23:07:57 2007 +1100

    NET: Corrects a bug in ip_rt_acct_read()

    [NET]: Corrects a bug in ip_rt_acct_read()

    [ Upstream commit: 483b23ffa3a5f44767038b0a676d757e0668437e ]

    It seems that stats of cpu 0 are counted twice, since
    for_each_possible_cpu() is looping on all possible cpus, including 0

    Before percpu conversion of ip_rt_acct, we should also remove the
    assumption that CPU 0 is online (or even possible)

    Signed-off-by: Eric Dumazet
    Cc: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 823bf28de362bbb396c652988a5cf4b3bc31ea85
Author: Daniel Drake
Date:   Wed Nov 28 14:52:16 2007 -0800

    create /sys/.../power when CONFIG_PM is set

    patch dec13c15445fec29ca9087890895718450e80b95 in mainline.

    The CONFIG_SUSPEND changes in 2.6.23 caused a regression under certain
    configuration conditions (SUSPEND=n, USB_AUTOSUSPEND=y) where all USB
    device attributes in sysfs (idVendor, idProduct, ...) silently
    disappeared, causing udev breakage and more.

    The cause of this is that the /sys/.../power subdirectory is now only
    created when CONFIG_PM_SLEEP is set, however, it should be created
    whenever CONFIG_PM is set to handle the above situation. The following
    patch fixes the regression.

    Signed-off-by: Daniel Drake
    Acked-by: Rafael J. Wysocki
    Cc: Alan Stern
    Cc: Kay Sievers
    Cc: stable
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 0a16fc9e08ffcf546cd06e651d7d73fea8646fc5
Author: Evgeniy Polyakov
Date:   Wed Nov 28 09:56:54 2007 +0100

    netfilter: Fix kernel panic with REDIRECT target.

    This patch fixes a NAT regression in 2.6.23, resulting in a crash when
    a connection is NATed and matches a conntrack helper after NAT.

    Please apply, thanks.

    [NETFILTER]: Fix kernel panic with REDIRECT target.

    Upstream commit 1f305323ff5b9ddc1a4346d36072bcdb58f3f68a

    When connection tracking entry (nf_conn) is about to copy itself it
    can have some of its extension users (like nat) as being already freed
    and thus not required to be copied.

    Actually looking at this function I suspect it was copied from
    nf_nat_setup_info() and thus bug was introduced.

    Report and testing from David .

    [ Patrick McHardy states:

      I now understand what's happening:

      - new connection is allocated without helper
      - connection is REDIRECTed to localhost
      - nf_nat_setup_info adds NAT extension, but doesn't initialize it yet
      - nf_conntrack_alter_reply performs a helper lookup based on the
        new tuple, finds the SIP helper and allocates a helper extension,
        causing reallocation because of too little space
      - nf_nat_move_storage is called with the uninitialized nat extension

      So your fix is entirely correct, thanks a lot :) ]

    Signed-off-by: Evgeniy Polyakov
    Acked-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 1aa640f72f0275f30cba9ed8456e07824dd730ad
Author: Li Zefan
Date:   Wed Nov 28 09:56:27 2007 +0100

    nf_nat: fix memset error

    This patch fixes an incorrect memset in the NAT code, causing
    misbehaviour when unloading and reloading the NAT module.

    Applies to stable-2.6.22 and stable-2.6.23. Please apply, thanks.

    [NETFILTER]: nf_nat: fix memset error

    Upstream commit e0bf9cf15fc30d300b7fbd821c6bc975531fab44

    The size passing to memset is the size of a pointer. Fixes
    misbehaviour when unloading and reloading the NAT module.

    Signed-off-by: Li Zefan
    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 79aa197996fd187b0935e6c3369e8f73edf2cd9f
Author: Maciej W. Rozycki
Date:   Mon Dec 10 15:49:31 2007 -0800

    esp_scsi: fix reset cleanup spinlock recursion

    patch 522939d45c293388e6a360210905f9230298df16 in mainline.

    The esp_reset_cleanup() function is called with the host lock held and
    invokes starget_for_each_device() which wants to take it too. Here is
    a fix along the lines of
    shost_for_each_device()/__shost_for_each_device() adding a
    __starget_for_each_device() counterpart which assumes the lock has
    already been taken.

    Eventually, I think the driver should get modified so that more work
    is done as a softirq rather than in the interrupt context, but for now
    it fixes a bug that causes the spinlock debugger to fire.

    While at it, it fixes a small number of cosmetic problems with
    starget_for_each_device() too.

    Signed-off-by: Maciej W. Rozycki
    Acked-by: David S. Miller
    Cc: James Bottomley
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 401c53c765a5e12ab9c31cb9e22b0da52ebb7fec
Author: Andrew Morton
Date:   Mon Dec 10 15:49:20 2007 -0800

    revert "dpt_i2o: convert to SCSI hotplug model"

    patch 24601bbcacb3356657747f2e64317923feb7a1a2 in mainline.

    revert

      commit 55d9fcf57ba5ec427544fca7abc335cf3da78160
      Author: Matthew Wilcox
      Date:   Mon Jul 30 15:19:18 2007 -0600

        [SCSI] dpt_i2o: convert to SCSI hotplug model

         - Delete references to HOSTS_C
         - Switch to module_init/module_exit instead of detect/release
         - Don't pass around the host template and rename it to adpt_template
         - Switch from scsi_register/scsi_unregister to scsi_host_alloc,
           scsi_add_host, scsi_scan_host and scsi_host_put.

    Because it caused (for unknown reasons) Andres' all-data-reads-as-zeroes
    problem, reported at
    http://groups.google.com/group/fa.linux.kernel/msg/083a9acff0330234

    Cc: Matthew Wilcox
    Cc: Mark Salyzyn
    Cc: James Bottomley
    Acked-by: FUJITA Tomonori
    Cc: Anders Henke
    Signed-off-by: Andrew Morton
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 14c74a9cf8bf9827731f1ffcbd5586a06dc7e4e7
Author: Jean Delvare
Date:   Wed Nov 28 16:21:35 2007 -0800

    fb_ddc: fix DDC lines quirk

    patch b64d70825abbf706bbe80be1b11b09514b71f45e in mainline.

    The code in fb_ddc_read() is said to be based on the implementation of
    the radeon driver:

    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=fc5891c8a3ba284f13994d7bc1f1bfa8283982de

    However, comparing the old radeon driver code with the new fb_ddc code
    reveals some differences. Most notably, the I2C bus lines are held at
    the end of the function, while the original code was releasing them
    (as the comment above correctly says.)

    There are a few other differences, which appear to be responsible for
    read failures on my system. While tracing low-level I2C code in
    i2c-algo-bit, I noticed that the initial attempt to read the EDID
    always failed. It takes one retry for the read to succeed. As we are
    about to remove this automatic retry property from i2c-algo-bit,
    reading the EDID would really fail.

    As a summary, the I2C lines quirk which is supposedly needed to read
    EDID on some older monitors is currently breaking the (first) read on
    all other monitors (and might not even work with older ones - did
    anyone try since October 2006?)

    After applying the patch below, which makes the code in fb_ddc_read()
    really similar to what the radeon driver used to have, the first EDID
    read succeeds again.

    On top of that, as it appears that this code has been broken for one
    year now and nobody seems to have complained, I'm curious if it makes
    sense to keep this quirk in place. It makes the code more complex and
    slower just for the sake of monitors which I guess nobody uses
    anymore. Can't we just get rid of it?

    Signed-off-by: Jean Delvare
    Acked-by: Benjamin Herrenschmidt
    Tested-by: Roger Leigh
    Tested-by: Michael Buesch
    Cc: "Antonino A. Daplas"
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit f2df5ee1b37017bb7a14ef2b512fd695197782f7
Author: Scott James Remnant
Date:   Wed Nov 28 16:22:07 2007 -0800

    wait_task_stopped(): pass correct exit_code to wait_noreap_copyout()

    patch e6ceb32aa25fc33f21af84cc7a32fe289b3e860c in mainline.

    In wait_task_stopped() exit_code already contains the right value for
    the si_status member of siginfo, and this is simply set in the non
    WNOWAIT case.

    If you call waitid() with a stopped or traced process, you'll get the
    signal in siginfo.si_status as expected -- however if you call
    waitid(WNOWAIT) at the same time, you'll get the signal << 8 | 0x7f

    Pass it unchanged to wait_noreap_copyout(); we would only need to
    shift it and add 0x7f if we were returning it in the user status field
    and that isn't used for any function that permits WNOWAIT.

    Signed-off-by: Scott James Remnant
    Signed-off-by: Oleg Nesterov
    Cc: Roland McGrath
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit fc175adc1c935ea8679d76a78d7a58df34af16eb
Author: Zhao Yakui
Date:   Wed Nov 28 16:21:21 2007 -0800

    PNP: increase the maximum number of resources

    patch a7839e960675b549f06209d18283d5cee2ce9261 in mainline.

    On some systems the number of resources(IO,MEM) returned by PNP device
    is greater than the PNP constant, for example motherboard devices. It
    brings that some resources can't be reserved and resource conflicts.
    This will cause PCI resources are assigned wrongly in some systems,
    and cause hang. This is a regression since we deleted ACPI motherboard
    driver and use PNP system driver.

    [akpm@linux-foundation.org: fix text and coding-style a bit]
    Signed-off-by: Li Shaohua
    Signed-off-by: Zhao Yakui
    Cc: Bjorn Helgaas
    Cc: Thomas Renninger
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit a6eda373a0fe1c4d169d0ec081518d68323428ab
Author: Rafael J. Wysocki
Date:   Wed Nov 21 02:53:14 2007 +0100

    Freezer: Fix APM emulation breakage

    patch cb43c54ca05c01533c45e4d3abfe8f99b7acf624 in mainline.

    The APM emulation is currently broken as a result of commit
    831441862956fffa17b9801db37e6ea1650b0f69 "Freezer: make kernel threads
    nonfreezable by default" that removed the PF_NOFREEZE annotations from
    apm_ioctl() without adding the appropriate freezer hooks. Fix it and
    remove the unnecessary variable flags from apm_ioctl().

    Special thanks to Franck Bui-Huu for pointing out the problem.

    Signed-off-by: Rafael J. Wysocki
    Cc: Pavel Machek
    Cc: Franck Bui-Huu
    Cc: Nigel Cunningham
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit 89bdb3683f1fcc65e3ac150995f3c11c5e6e9ba6
Author: Steven Rostedt
Date:   Wed Dec 5 15:46:09 2007 +0100

    futex: fix for futex_wait signal stack corruption

    From Steven Rostedt

    patch ce6bd420f43b28038a2c6e8fbb86ad24014727b6 in mainline.

    David Holmes found a bug in the -rt tree with respect to
    pthread_cond_timedwait. After trying his test program on the latest
    git from mainline, I found the bug was there too. The bug he was
    seeing that his test program showed, was that if one were to do a
    "Ctrl-Z" on a process that was in the pthread_cond_timedwait, and then
    did a "bg" on that process, it would return with a "-ETIMEDOUT" but
    early. That is, the timer would go off early.

    Looking into this, I found the source of the problem. And it is a
    rather nasty bug at that.

    Here's the relevant code from kernel/futex.c: (not in order in the
    file)

    [...]
    asmlinkage long sys_futex(u32 __user *uaddr, int op, u32 val,
                              struct timespec __user *utime, u32 __user *uaddr2,
                              u32 val3)
    {
            struct timespec ts;
            ktime_t t, *tp = NULL;
            u32 val2 = 0;
            int cmd = op & FUTEX_CMD_MASK;

            if (utime && (cmd == FUTEX_WAIT || cmd == FUTEX_LOCK_PI)) {
                    if (copy_from_user(&ts, utime, sizeof(ts)) != 0)
                            return -EFAULT;
                    if (!timespec_valid(&ts))
                            return -EINVAL;

                    t = timespec_to_ktime(ts);
                    if (cmd == FUTEX_WAIT)
                            t = ktime_add(ktime_get(), t);
                    tp = &t;
            }
    [...]
            return do_futex(uaddr, op, val, tp, uaddr2, val2, val3);
    }

    [...]

    long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
                  u32 __user *uaddr2, u32 val2, u32 val3)
    {
            int ret;
            int cmd = op & FUTEX_CMD_MASK;
            struct rw_semaphore *fshared = NULL;

            if (!(op & FUTEX_PRIVATE_FLAG))
                    fshared = &current->mm->mmap_sem;

            switch (cmd) {
            case FUTEX_WAIT:
                    ret = futex_wait(uaddr, fshared, val, timeout);

    [...]

    static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
                          u32 val, ktime_t *abs_time)
    {
    [...]
                    struct restart_block *restart;
                    restart = &current_thread_info()->restart_block;
                    restart->fn = futex_wait_restart;
                    restart->arg0 = (unsigned long)uaddr;
                    restart->arg1 = (unsigned long)val;
                    restart->arg2 = (unsigned long)abs_time;
                    restart->arg3 = 0;
                    if (fshared)
                            restart->arg3 |= ARG3_SHARED;
                    return -ERESTART_RESTARTBLOCK;
    [...]

    static long futex_wait_restart(struct restart_block *restart)
    {
            u32 __user *uaddr = (u32 __user *)restart->arg0;
            u32 val = (u32)restart->arg1;
            ktime_t *abs_time = (ktime_t *)restart->arg2;
            struct rw_semaphore *fshared = NULL;

            restart->fn = do_no_restart_syscall;
            if (restart->arg3 & ARG3_SHARED)
                    fshared = &current->mm->mmap_sem;
            return (long)futex_wait(uaddr, fshared, val, abs_time);
    }

    So when the futex_wait is interrupted by a signal we break out of the
    hrtimer code and set up or return from signal. This code does not
    return back to userspace, so we set up a RESTARTBLOCK. The bug here is
    that we save the "abs_time" which is a pointer to the stack variable
    "ktime_t t" from sys_futex.

    This returns and unwinds the stack before we get to call our signal.
    On return from the signal we go to futex_wait_restart, where we update
    all the parameters for futex_wait and call it. But here we have a
    problem where abs_time is no longer valid.

    I verified this with print statements, and sure enough, what abs_time
    was set to ends up being garbage when we get to futex_wait_restart.

    The solution I did to solve this (with input from Linus Torvalds) was
    to add unions to the restart_block to allow system calls to use the
    restart with specific parameters. This way the futex code now saves
    the time in a 64bit value in the restart block instead of storing it
    on the stack.

    Note: I'm a bit nervous to add "linux/types.h" and use u32 and u64 in
    thread_info.h, when there's a #ifdef __KERNEL__ just below that. Not
    sure what that is there for. If this turns out to be a problem, I've
    tested this with using "unsigned int" for u32 and "unsigned long long"
    for u64 and it worked just the same. I'm using u32 and u64 just to be
    consistent with what the futex code uses.

    Signed-off-by: Steven Rostedt
    Signed-off-by: Ingo Molnar
    Signed-off-by: Thomas Gleixner
    Acked-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit dbb2b0298b8a54c20906f8ea68743858ce08e836
Author: Karsten Keil
Date:   Thu Nov 22 12:43:13 2007 +0100

    isdn: avoid copying overly-long strings

    patch 0f13864e5b24d9cbe18d125d41bfa4b726a82e40 in mainline.

    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9416

    Signed-off-by: Karsten Keil
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit dcab9753b799bd92a5701106f1861b825c7eef74
Author: H. Peter Anvin
Date:   Sun Nov 4 17:50:12 2007 -0800

    x86 setup: add a near jump to serialize %cr0 on 386/486

    patch 7ed192906a2144ebc8ca2925a85d27b9c5355668 in mainline.

    The 386 and 486 needs a jump immediately after setting %cr0 in order
    to serialize the pipeline.

    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit 0fe8f9b280a5f7a65aebc51ab6b5200a8bf05e13
Author: Eddie Dong
Date:   Sun Dec 2 13:18:47 2007 +0200

    KVM: VMX: Reset mmu context when entering real mode

    patch 8668a3c468ed55d19514117a5a959d91d3d03823 in mainline.

    Resetting an SMP guest will force AP enter real mode (RESET) with
    paging enabled in protected mode. While current enter_rmode() can
    only handle mode switch from nonpaging mode to real mode which leads
    to SMP reboot failure. Fix by reloading the mmu context on entering
    real mode.

    Signed-off-by: Yaozu (Eddie) Dong
    Signed-off-by: Qing He
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 9ec0e2f614c0b29e87ff0b451aa1201498309bd7
Author: Avi Kivity
Date:   Sun Dec 2 13:18:46 2007 +0200

    KVM: VMX: Force vm86 mode if setting flags during real mode

    patch 78f7826868da8e27d097802139a3fec39f47f3b8 in mainline.

    When resetting from userspace, we need to handle the flags being
    cleared even after we are in real mode.
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit e86704982a2c88a3bb2d4571de928928d5f9e574
Author: Avi Kivity
Date:   Sun Dec 2 13:18:45 2007 +0200

    KVM: Skip pio instruction when it is emulated, not executed

    patch 0967b7bf1c22b55777aba46ff616547feed0b141 in mainline.

    If we defer updating rip until pio instructions are executed, we have
    a problem with reset: a pio reset updates rip, and when the
    instruction completes we skip the emulated instruction, pointing rip
    somewhere completely unrelated.

    Fix by updating rip when we decode the instruction, not after
    emulation.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit c5c1366253addd6691d620f18f7e660c4e11b08d
Author: Amit Shah
Date:   Sun Dec 2 13:18:44 2007 +0200

    KVM: SVM: Fix FPU leak while emulating clts

    patch 404fb881b82cf0cf6981832f8d31a7484e4dee81 in mainline.

    The clts code didn't use set_cr0 properly, so our lazy FPU processing
    wasn't being done by the clts instruction at all.

    (this isn't called on Intel as the hardware does the decode for us)

    Signed-off-by: Amit Shah
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 86a1b7f0192d2f66a302a681fd76ce701f711953
Author: Marko Kohtala
Date:   Sun Dec 2 13:18:43 2007 +0200

    KVM: Fix hang on uniprocessor

    This is not in mainline, as it was fixed differently in that tree.

    first_cpu(cpus) returns the only CPU when NR_CPUS is 1 regardless of
    the cpus mask. Therefore we avoid a kernel hang in
    KVM_SET_MEMORY_REGION ioctl on uniprocessor by not entering the loop
    at all.

    Signed-off-by: Marko Kohtala
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit e124b02477867e05ba4bc12a1a22b17a537028a8
Author: Amit Shah
Date:   Sun Dec 2 13:18:42 2007 +0200

    KVM: x86 emulator: Use emulator_write_emulated and not emulator_write_std

    patch 00b2ef475d4728ca53a2bc788c7978042907e354 in mainline.

    emulator_write_std() is not implemented, and calling write_emulated
    should work just as well in place of write_std.
    Fixes emulator failures with the push r/m instruction.

    Signed-off-by: Amit Shah
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 3945c4161ccb0423757e331145144835b3e85b57
Author: Avi Kivity
Date:   Sun Dec 2 13:18:41 2007 +0200

    KVM: SVM: Intercept the 'invd' and 'wbinvd' instructions

    patch cf5a94d1331b411b84414c13e43f578260942d6b in mainline.

    'invd' can destroy host data, and 'wbinvd' allows the guest to induce
    long (milliseconds) latencies.

    Noted by Ben Serebrin.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 141f41dddb9835dd9e4020f7f35b1041a087000c
Author: Avi Kivity
Date:   Sun Dec 2 13:18:40 2007 +0200

    KVM: x86 emulator: invd instruction

    patch 651a3e29b3d19418d7a8a9787906061f9be7cc5f in mainline.

    Emulate the 'invd' instruction (opcode 0f 08).

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit fb2fc4cf555e1a5eb4f061ca7c76adf667407f9c
Author: Aurelien Jarno
Date:   Sun Dec 2 13:18:39 2007 +0200

    KVM: x86 emulator: fix access registers for instructions with ModR/M byte and Mod = 3

    patch 4e62417bf317504c0b85e0d7abd236f334f54eaf in mainline.

    The patch below changes the access type to register from memory for
    instructions that are declared as SrcMem or DstMem, but have a ModR/M
    byte with Mod = 3.

    It fixes (at least) the lmsw and smsw instructions on an AMD64 CPU,
    which are needed for FreeBSD.

    Signed-off-by: Aurelien Jarno
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 117b22fffff1989cd9e2d90720f05dd438cea2f1
Author: Sheng Yang
Date:   Sun Dec 2 13:18:38 2007 +0200

    KVM: x86 emulator: implement 'movnti mem, reg'

    patch a012e65aee48379a7a87eadafa74f878b61522b9 in mainline.

    Implement emulation of instruction:
        movnti m32/m64, r32/r64
        opcode: 0x0f 0xc3

    Needed to support Linux 2.6.16 as guest (used for mmio).
    Signed-off-by: Sheng Yang
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit ee6abc255172063680e6663d308810cef0fc7ff3
Author: Thomas Gleixner
Date:   Fri Dec 7 19:16:17 2007 +0100

    hrtimers: avoid overflow for large relative timeouts (CVE-2007-5966)

    patch 62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5 in mainline

    Relative hrtimers with a large timeout value might end up as negative
    timer values, when the current time is added in hrtimer_start().

    This in turn is causing the clockevents_set_next() function to set a
    huge timeout and sleep for quite a long time when we have a clock
    source which is capable of long sleeps like HPET. With PIT this
    almost goes unnoticed as the maximum delta is ~27ms. The non-hrt/nohz
    code sorts this out in the next timer interrupt, so we never noticed
    that problem which has been there since the first day of hrtimers.

    This bug became more apparent in 2.6.24 which activates HPET on more
    hardware.

    Signed-off-by: Thomas Gleixner
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 8d88a7d70fee421a290730ebd58a15230d609617
Author: Ayaz Abdulla
Date:   Wed Nov 21 15:02:58 2007 -0800

    forcedeth boot delay fix

    patch 9e555930bd873d238f5f7b9d76d3bf31e6e3ce93 in mainline.

    Fix a long boot delay in the forcedeth driver. During initialization,
    the timeout for the handshake between mgmt unit and driver can be very
    long. The patch reduces the timeout by eliminating an extra loop
    around the timeout logic.

    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9308

    Signed-off-by: Ayaz Abdulla
    Cc: Alex Howells
    Signed-off-by: Andrew Morton
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 2cf220bb5b30a922aebdd5841a7975e02a70ce59
Author: Ayaz Abdulla
Date:   Fri Nov 23 20:54:01 2007 -0500

    forcedeth: new mcp79 pci ids

    patch 490dde8990c55662596a4be71b5070bd7d382d4a in mainline.

    This patch adds new device ids and features for mcp79 devices into
    the forcedeth driver.
    Signed-off-by: Ayaz Abdulla
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

    index 92ce2e3..f9ba0ac 100644

commit 27b396672af95abad9591d9123e62d6ab4b655da
Author: Karsten Keil
Date:   Sat Dec 1 12:16:15 2007 -0800

    I4L: fix isdn_ioctl memory overrun vulnerability

    patch eafe1aa37e6ec2d56f14732b5240c4dd09f0613a in mainline.

    Fix possible memory overrun issue in the isdn ioctl code.

    Found by ADLAB

    Signed-off-by: Karsten Keil
    Cc: ADLAB
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 831ac1f2cd32ee3271cca477705f823947233ec3
Author: Hugh Dickins
Date:   Wed Nov 28 18:55:10 2007 +0000

    tmpfs: restore missing clear_highpage

    patch e84e2e132c9c66d8498e7710d4ea532d1feaaac5 in mainline

    tmpfs was misconverted to __GFP_ZERO in 2.6.11. There's an unusual
    case in which shmem_getpage receives the page from its caller instead
    of allocating. We must cover this case by clear_highpage before
    SetPageUptodate, as before.

    Signed-off-by: Hugh Dickins
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit d57b4ae3d48871e50eef320a12bd3698a67f4eed
Author: David Brownell
Date:   Wed Nov 28 14:50:03 2007 -0800

    USB: fix up EHCI startup synchronization

    patch 1cb52658b4f5b10a9e91f8e1c21ca2bcc1b9a3ca in mainline.

    A recent patch added software synchronization during EHCI startup, so
    ports aren't switched away from the companion controllers after
    resets have started. This patch adds a short delay letting hardware
    finish that port switching before any new resets begin ... so both
    ends of that hardware race window are closed.

    Signed-off-by: David Brownell
    Cc: Dave Miller
    Cc: Dely Sy
    Cc: Alan Stern
    Signed-off-by: Greg Kroah-Hartman

commit dd5cca4e50d4619ebc19b8defa5e38ec50f3615d
Author: Oliver Neukum
Date:   Wed Nov 28 14:50:02 2007 -0800

    USB: make the microtek driver and HAL cooperate

    patch 5cf1973a44bd298e3cfce6f6af8faa8c9d0a6d55 in mainline

    to make HAL like the microtek driver's devices the parent must be
    correctly set.
    Signed-off-by: Oliver Neukum
    Signed-off-by: Greg Kroah-Hartman

commit 955ab48db7fb9e3d74dc770cca9aa6b194e53025
Author: William Pettersson
Date:   Wed Nov 21 17:11:07 2007 -0500

    Input: ALPS - add support for model found in Dell Vostro 1400

    changeset dac4ae0daa1be36ab015973ed9e9dc04a2684395 in mainline.

    Input: ALPS - add support for model found in Dell Vostro 1400

    Signed-off-by: William Pettersson
    Signed-off-by: Dmitry Torokhov
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit bedda54e2848df514fd1e045de652700e284d787
Author: Herbert Xu
Date:   Wed Nov 21 17:09:39 2007 -0500

    Fix synchronize_irq races with IRQ handler

    patch a98ce5c6feead6bfedefabd46cb3d7f5be148d9a in mainline.

    Fix synchronize_irq races with IRQ handler

    As it is some callers of synchronize_irq rely on memory barriers to
    provide synchronisation against the IRQ handlers. For example, the
    tg3 driver does

            tp->irq_sync = 1;
            smp_mb();
            synchronize_irq();

    and then in the IRQ handler:

            if (!tp->irq_sync)
                    netif_rx_schedule(dev, &tp->napi);

    Unfortunately memory barriers only work well when they come in pairs.
    Because we don't actually have memory barriers on the IRQ path, the
    memory barrier before the synchronize_irq() doesn't actually protect
    us.

    In particular, synchronize_irq() may return followed by the result of
    netif_rx_schedule being made visible.

    This patch (mostly written by Linus) fixes this by using spin locks
    instead of memory barriers on the synchronize_irq() path.

    Signed-off-by: Herbert Xu
    Acked-by: Benjamin Herrenschmidt
    Signed-off-by: Linus Torvalds
    Cc: Chuck Ebbert
    Cc: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

commit 96219ec9d6b461e7587a51280ab5336a78234f86
Author: Peter P Waskiewicz Jr
Date:   Wed Nov 21 20:32:57 2007 +0800

    PKT_SCHED: Check subqueue status before calling hard_start_xmit

    [PKT_SCHED]: Check subqueue status before calling hard_start_xmit

    [ Upstream commit: 5f1a485d5905aa641f33009019b3699076666a4c ]

    The only qdiscs that check subqueue state before dequeue'ing are PRIO
    and RR.
    The other qdiscs, including the default pfifo_fast qdisc, will allow
    traffic bound for subqueue 0 through to hard_start_xmit. The check
    for netif_queue_stopped() is done above in pkt_sched.h, so it is
    unnecessary for qdisc_restart(). However, if the underlying driver is
    multiqueue capable, and only sets queue states on subqueues, this
    will allow packets to enter the driver when it's currently unable to
    process packets, resulting in expensive requeues and driver entries.
    This patch re-adds the check for the subqueue status before calling
    hard_start_xmit, so we can try and avoid the driver entry when the
    queues are stopped.

    Signed-off-by: Peter P Waskiewicz Jr
    Signed-off-by: David S. Miller
    Cc: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit ca21e46bf2d766d22be57595a96a7683870fe125
Author: Zou Nan hai
Date:   Mon Oct 15 17:00:14 2007 +0200

    sched: some proc entries are missed in sched_domain sys_ctl debug code

    patch ace8b3d633f93da8535921bf3e3679db3c619578 in mainline.

    cache_nice_tries and flags entry do not appear in proc fs
    sched_domain directory, because ctl_table entry is skipped.

    This patch fixes the issue.

    Signed-off-by: Zou Nan hai
    Signed-off-by: Andrew Morton
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 5ade3f9f5b59d86f1cf86bdfaee0f6a1515e3126
Author: Christian Borntraeger
Date:   Tue Nov 6 12:26:15 2007 +0100

    Future of Linux 2.6.22.y series

    commit 5d0360ee96a5ef953dbea45873c2a8c87e77d59b upstream.

    We have seen ramdisk based install systems, where some pages of
    mapped libraries and programs were suddenly zeroed under memory
    pressure. This should not happen, as the ramdisk avoids freeing its
    pages by keeping them dirty all the time.

    It turns out that there is a case, where the VM makes a ramdisk page
    clean, without telling the ramdisk driver. On memory pressure
    shrink_zone runs and it starts to run shrink_active_list. There is a
    check for buffer_heads_over_limit, and if true, pagevec_strip is
    called.
    pagevec_strip calls try_to_release_page. If the mapping has no
    releasepage callback, try_to_free_buffers is called.
    try_to_free_buffers has now a special logic for some file systems to
    make a dirty page clean, if all buffers are clean. That's what
    happened in our test case.

    The simplest solution is to provide a noop-releasepage callback for
    the ramdisk driver. This avoids try_to_free_buffers for ramdisk
    pages.

    Signed-off-by: Christian Borntraeger
    Signed-off-by: Jan Kara
    Acked-by: Nick Piggin
    Cc: "Eric W. Biederman"
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 992a69a7fd52ea2dda4127bbcaea138d0c327c9e
Author: Evgeniy Polyakov
Date:   Wed Nov 21 20:32:56 2007 +0800

    NETFILTER: Fix NULL pointer dereference in nf_nat_move_storage()

    [NETFILTER]: Fix NULL pointer dereference in nf_nat_move_storage()

    [ Upstream commit: 7799652557d966e49512479f4d3b9079bbc01fff ]

    Reported by Chuck Ebbert as:

        https://bugzilla.redhat.com/show_bug.cgi?id=259501#c14

    This routine is called each time hash should be replaced, nf_conn has
    extension list which contains pointers to connection tracking users
    (like nat, which is right now the only such user), so when replace
    takes place it should copy own extensions. Loop above checks for own
    extension, but tries to move higher-layer one, which can lead to
    above oops.

    Signed-off-by: Evgeniy Polyakov
    Signed-off-by: David S. Miller
    Cc: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 671369b670d81bbf26766e0fd723821616f76b1a
Author: Eric Dumazet
Date:   Wed Nov 21 20:32:55 2007 +0800

    NET: random : secure_tcp_sequence_number should not assume CONFIG_KTIME_SCALAR

    [NET] random : secure_tcp_sequence_number should not assume
    CONFIG_KTIME_SCALAR

    [ Upstream commit: 6dd10a62353a50b30b30e0c18653650975b29c71 ]

    All 32 bits machines but i386 don't have CONFIG_KTIME_SCALAR.
    On these machines, ktime.tv64 is more than 4 times the (correct)
    result given by ktime_to_ns()

    Again on these machines, using ktime_get_real().tv64 >> 6 give a
    32bits rollover every 64 seconds, which is not wanted (less than the
    120 s MSL)

    Using ktime_to_ns() is the portable way to get nsecs from a ktime,
    and have correct code.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Cc: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 857c440ad2a392ec43d35727b5ac5144d0dc6dfa
Author: Marcelo Tosatti
Date:   Tue Nov 20 13:54:52 2007 -0500

    libertas: properly account for queue commands

    patch 29f5f2a19b055feabfcc6f92e1d40ec092c373ea in mainline.

    Properly account for queue commands, this fixes a problem reported by
    Holger Schurig when using the debugfs interface.

    Signed-off-by: Marcelo Tosatti
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman
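
The rollover figures quoted in the secure_tcp_sequence_number commit above (commit 671369b6) can be reproduced in user space. This is an added example, not code from the kernel or from that commit; it assumes the non-CONFIG_KTIME_SCALAR layout keeps seconds in the high 32 bits of tv64 and nanoseconds in the low 32 bits, and every function name in it is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000LL

/* Assumed non-scalar layout: seconds in the high word, nanoseconds in the low word. */
static int64_t packed_tv64(int32_t sec, int32_t nsec)
{
    return (int64_t)(((uint64_t)(uint32_t)sec << 32) | (uint32_t)nsec);
}

/* What a true nanosecond conversion yields for the same instant. */
static int64_t to_ns(int32_t sec, int32_t nsec)
{
    return (int64_t)sec * NSEC_PER_SEC + nsec;
}

/* 32-bit clock component obtained by shifting the 64-bit value right by 6. */
static uint32_t clock32(int64_t v)
{
    return (uint32_t)((uint64_t)v >> 6);
}

static uint32_t sample(int use_packed, int32_t sec)
{
    return clock32(use_packed ? packed_tv64(sec, 0) : to_ns(sec, 0));
}

/* Step one second at a time from `start` and return the number of seconds
 * after which the 32-bit clock first goes backwards, or -1 within `limit`. */
static int wrap_seconds(int use_packed, int32_t start, int limit)
{
    uint32_t prev = sample(use_packed, start);
    for (int s = 1; s <= limit; s++) {
        uint32_t cur = sample(use_packed, start + s);
        if (cur < prev)
            return s;
        prev = cur;
    }
    return -1;
}

int main(void)
{
    printf("raw tv64 >> 6 wraps after %d s\n", wrap_seconds(1, 0, 1000));
    printf("nanoseconds >> 6 wraps after %d s\n", wrap_seconds(0, 0, 1000));
    printf("tv64 / ns ratio at 1000 s: %.2f\n",
           (double)packed_tv64(1000, 0) / (double)to_ns(1000, 0));
    return 0;
}
```

With the packed value the clock wraps inside the 120 s MSL the commit mentions; with a real nanosecond count it does not.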
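
The futex_wait_restart commit earlier in this changelog describes a restart block that kept a pointer to a stack variable of a system call that had already returned. This is an added example, not the kernel's code or the patch itself; it models the kernel stack as an explicit array so that reuse of the dead frame is well defined, and the structure layout and all names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated kernel stack: frames are pushed and popped by hand. */
static uint64_t kstack[32];
static size_t sp;
static uint64_t *push(size_t words) { uint64_t *p = &kstack[sp]; sp += words; return p; }
static void pop(size_t words) { sp -= words; }

/* Hypothetical restart block: generic args beside a per-syscall member. */
struct restart_block {
    union {
        struct { uintptr_t arg0, arg1, arg2, arg3; } raw;
        struct { uint32_t val, flags; uint64_t time; } futex;
    } u;
};

/* Models the interrupted syscall: the timeout lives in this frame only. */
static void sys_futex_interrupted(struct restart_block *rb, uint64_t deadline, int fixed)
{
    uint64_t *t = push(1);               /* the on-stack timeout */
    *t = deadline;
    if (fixed)
        rb->u.futex.time = *t;           /* after: save the value */
    else
        rb->u.raw.arg2 = (uintptr_t)t;   /* before: save a pointer into the frame */
    pop(1);                              /* syscall returns, frame is dead */
}

/* Signal delivery reuses the same stack region and overwrites it. */
static void deliver_signal(void)
{
    uint64_t *frame = push(4);
    memset(frame, 0xAA, 4 * sizeof(*frame));
    pop(4);
}

/* Models the restart handler recovering the timeout for the retried wait. */
static uint64_t restart_timeout(const struct restart_block *rb, int fixed)
{
    return fixed ? rb->u.futex.time : *(const uint64_t *)rb->u.raw.arg2;
}

static uint64_t run(uint64_t deadline, int fixed)
{
    struct restart_block rb;
    memset(&rb, 0, sizeof(rb));
    sys_futex_interrupted(&rb, deadline, fixed);
    deliver_signal();
    return restart_timeout(&rb, fixed);
}

int main(void)
{
    printf("pointer saved: %#llx\n", (unsigned long long)run(12345, 0));
    printf("value saved:   %llu\n", (unsigned long long)run(12345, 1));
    return 0;
}
```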