commit 23e4fef098fdc2205ab1be218f11d5b8078d9123
Author: Greg Kroah-Hartman
Date:   Fri Feb 8 12:05:19 2008 -0800

    Linux 2.6.23.15

commit 6b2b03268d549b6446d1b148f0262f87ef737492
Author: Jens Axboe
Date:   Fri Feb 8 08:49:14 2008 -0800

    splice: missing user pointer access verification (CVE-2008-0009/10)

    patch 8811930dc74a503415b35c4a79d14fb0b408a361 in mainline.

    vmsplice_to_user() must always check the user pointer and length
    with access_ok() before copying. Likewise, for the slow path of
    copy_from_user_mmap_sem() we need to check that we may read from
    the user region.

    Signed-off-by: Jens Axboe
    Cc: Wojciech Purczynski
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Linus Torvalds

commit f70995b2044350bd966a32ecf43164c204293689
Author: Ian Abbott
Date:   Mon Feb 4 13:52:38 2008 +0000

    PCI: Fix fakephp deadlock

    This patch works around a problem in the fakephp driver when a
    process writing "0" to a "power" sysfs file to fake removal of a
    PCI device ends up deadlocking itself in the sysfs code.

    The patch is functionally identical to the one in Linus' tree post
    2.6.24:
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=5c796ae7a7ebe56967ed9b9963d7c16d733635ff

    I have tested it on a 2.6.23 kernel.

    Signed-off-by: Ian Abbott
    Signed-off-by: Greg Kroah-Hartman

commit a1959dbf34a76f7c21f4d5c842af8dd376a904a8
Author: Len Brown
Date:   Mon Feb 4 00:38:13 2008 -0500

    ACPI: sync blacklist w/ latest

    This patch is appropriate for supporting a 2.6.23-based products.

    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit d57625ca789cdddf99b5f6540722dc9b77ce9845
Author: Jay Cliburn
Date:   Wed Jan 30 20:11:08 2008 -0600

    atl1: fix frame length bug

    Upstream commit: 2a49128f0a6edee337174ea341c1d6d7565be350

    The driver sets up the hardware to accept a frame with max length
    equal to MTU + Ethernet header + FCS + VLAN tag, but we neglect to
    add the VLAN tag size to the ingress buffer.
    When a VLAN-tagged frame arrives, the hardware passes it, but bad
    things happen because the buffer is too small. This patch fixes
    that.

    Thanks to David Harris for reporting the bug and testing the fix.

    Signed-off-by: Jay Cliburn
    Tested-by: David Harris
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit e04f1635f373f638b5f96e2b1a85f11408cc7bec
Author: Ayaz Abdulla
Date:   Mon Jan 28 10:24:40 2008 -0500

    forcedeth: mac address mcp77/79

    patch 2b91213064bd882c3adf35f028c6d12fab3269ec in mainline.

    This patch is a critical fix for MCP77 and MCP79 devices. The
    feature flags were missing the define for correct mac address
    (DEV_HAS_CORRECT_MACADDR).

    Signed-off-by: Ayaz Abdulla
    Signed-off-by: Jeff Garzik
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit f7839802980042d93ffc6ec5966e1efdb507a9a2
Author: Björn Steinbrink
Date:   Sun Feb 3 23:29:12 2008 +0000

    Fix dirty page accounting leak with ext3 data=journal

    patch a2b345642f530054a92b8d2b5108436225a8093e in mainline.

    In 46d2277c796f9f4937bfa668c40b2e3f43e93dd0, try_to_free_buffers
    was changed to bail out if the page was dirty. That caused
    truncate_complete_page to leak massive amounts of memory, because
    the dirty bit was only cleared after the call to
    try_to_free_buffers. So the call to cancel_dirty_page was moved up
    to have the dirty bit cleared early in
    3e67c0987d7567ad666641164a153dca9a43b11d.

    The problem with that fix is, that the page can be redirtied after
    cancel_dirty_page was called, eg. like this:

    truncate_complete_page()
      cancel_dirty_page() // PG_dirty cleared, decr. dirty pages
      do_invalidatepage()
        ext3_invalidatepage()
          journal_invalidatepage()
            journal_unmap_buffer()
              __dispose_buffer()
                __journal_unfile_buffer()
                  __journal_temp_unlink_buffer()
                    mark_buffer_dirty(); // PG_dirty set, incr. dirty pages

    And then we end up with dirty pages being wrongly accounted.
    In ecdfc9787fe527491baefc22dce8b2dbd5b2908d the changes to
    try_to_free_buffers were reverted, so the original reason for the
    massive memory leak is gone, so we can also revert the move of the
    call to cancel_dirty_page from truncate_complete_page and get the
    accounting right again.

    Signed-off-by: Björn Steinbrink
    Tested-by: Krzysztof Piotr Oledzki
    Tested-by: Zaid D.
    Cc: Jan Kara
    Cc: Nick Piggin
    Cc: Peter Zijlstra
    Cc: Thomas Osterried
    Cc: Kerin Millar
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 50b85eb6699dac080b5047034da19c7282c821f2
Author: Patrick McHardy
Date:   Tue Jan 29 19:08:28 2008 +0100

    Netfilter: bridge-netfilter: fix net_device refcnt leaks

    [NETFILTER]: bridge-netfilter: fix net_device refcnt leaks

    Upstream commit 2dc2f207fb251666d2396fe1a69272b307ecc333

    When packets are flood-forwarded to multiple output devices, the
    bridge-netfilter code reuses skb->nf_bridge for each clone to store
    the bridge port. When queueing packets using NFQUEUE netfilter
    takes a reference to skb->nf_bridge->physoutdev, which is
    overwritten when the packet is forwarded to the second port. This
    causes refcount underflows for the first device and refcount leaks
    for all others. Additionally this provides incorrect data to the
    iptables physdev match.

    Unshare skb->nf_bridge by copying it if it is shared before
    assigning the physoutdev device.

    Reported, tested and based on initial patch by
    Jan Christoph Nordholz.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 418b48ea165b0b03652c85436807ac6760838c21
Author: Patrick McHardy
Date:   Tue Jan 29 19:08:25 2008 +0100

    Netfilter: bridge: fix double POST_ROUTING invocation

    [NETFILTER]: bridge: fix double POST_ROUTING invocation

    Upstream commit 2948d2ebbb98747b912ac6d0c864b4d02be8a6f5

    The bridge code incorrectly causes two POST_ROUTING hook
    invocations for DNATed packets that end up on the same bridge
    device.
    This happens because packets with a changed destination address
    are passed to dst_output() to make them go through the neighbour
    output function again to build a new destination MAC address,
    before they will continue through the IP hooks simulated by bridge
    netfilter.

    The resulting hook order is:
     PREROUTING  (bridge netfilter)
     POSTROUTING (dst_output -> ip_output)
     FORWARD     (bridge netfilter)
     POSTROUTING (bridge netfilter)

    The deferred hooks used to abort the first POST_ROUTING
    invocation, but since the only thing bridge netfilter actually
    really wants is a new MAC address, we can avoid going through the
    IP stack completely by simply calling the neighbour output
    function directly.

    Tested, reported and lots of data provided by: Damien Thebault

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 0bf056904b95fa555c36eb0cfbcee9c015747f59
Author: Karsten Keil
Date:   Fri Jan 25 13:42:23 2008 +0100

    fix oops on rmmod capidrv

    patch eb36f4fc019835cecf0788907f6cab774508087b in mainline.

    Fix overwriting the stack with the version string (it is currently
    10 bytes + zero) when unloading the capidrv module. Safeguard
    against overwriting it should the version string grow in the
    future.

    Should fix Kernel Bug Tracker Bug 9696.

    Signed-off-by: Gerd v. Egidy
    Acked-by: Karsten Keil
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 236dd7e3143e79b216e9f51e2488f9e3a60b4161
Author: Tejun Heo
Date:   Fri Jan 18 21:52:50 2008 +0900

    libata: port and host should be stopped before hardware resources are released

    This is backport of 32ebbc0c0d5d18c0135b55d1eb0029f48c54aff0 and
    fixes oops on driver module unload.

    Port / host stop calls used to be made from ata_host_release()
    which is called after all hardware resources acquired after host
    allocation are released. This is wrong as port and host stop
    routines often access the hardware.
    Add separate devres for port / host stop which is invoked right
    after IRQ is released but with all other hardware resources
    intact. The devres is added iff ->host_stop and/or ->port_stop
    exist.

    This problem has been spotted by Mark Lord.

    Signed-off-by: Tejun Heo
    Cc: Mark Lord
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 1ce946cdae3bef836416d8ced58eab4d18c45675
Author: Kalle Valo
Date:   Thu Jan 24 14:00:40 2008 -0800

    spi: omap2_mcspi PIO RX fix

    patch feed9bab7b14b77be8d796bcee95e2343fb82955 in mainline.

    Before transmission of the last word in PIO RX_ONLY mode rx+tx
    mode is enabled:

        /* prevent last RX_ONLY read from triggering
         * more word i/o: switch to rx+tx
         */
        if (c == 0 && tx == NULL)
                mcspi_write_cs_reg(spi, OMAP2_MCSPI_CHCONF0, l);

    But because c is decremented after the test, c will never be zero
    and rx+tx will not be enabled. This breaks RX_ONLY mode PIO
    transfers.

    Fix it by decrementing c in the beginning of the various I/O
    loops.

    Signed-off-by: Kalle Valo
    Signed-off-by: David Brownell
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 03fce1f0345c212fd835bb764d161810b0e6bdd4
Author: Nigel Cunningham
Date:   Thu Jan 17 15:21:21 2008 -0800

    Fix unbalanced helper_lock in kernel/kmod.c

    patch 784680336b616dcc4c17cbd25add3b49c555cdeb in mainline.

    call_usermodehelper_exec() has an exit path that can leave the
    helper_lock() call at the top of the routine unbalanced. The
    attached patch fixes this issue.

    Signed-off-by: Nigel Cunningham
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 30f7ec38c20ec15019fd9a4566391253f139843c
Author: Luck, Tony
Date:   Wed Jan 16 11:04:16 2008 -0800

    ia64: Fix unaligned handler for floating point instructions with base update

    commit 1a499150e4ec1299232e24389f648d059ce5617a in mainline.
    [IA64] Fix unaligned handler for floating point instructions with base update

    The compiler team did the hard work for this distilling a problem
    in large fortran application which showed up when applied to a
    290MB input data set down to this instruction:

        ldfd f34=[r17],-8

    Which they noticed incremented r17 by 0x10 rather than
    decrementing it by 8 when the value in r17 caused an unaligned
    data fault. I tracked it down to some bad instruction decoding in
    unaligned.c. The code assumes that the 'x' bit can determine
    whether the instruction is an "ldf" or "ldfp" ... which it is for
    opcode=6 (see table 4-29 on page 3:302 of the SDM). But for
    opcode=7 the 'x' bit is irrelevant, all variants are "ldf"
    instructions (see table 4-36 on page 3:306).

    Note also that interpreting the instruction as "ldfp" means that
    the "paired" floating point register (f35 in the example here)
    will also be corrupted.

    Signed-off-by: Tony Luck
    Signed-off-by: Greg Kroah-Hartman

commit d7dc95b98ebadd96b511ca0d1155778e16543f85
Author: Mikael Pettersson
Date:   Wed Jan 16 10:33:00 2008 +0100

    sata_promise: ASIC PRD table bug workaround

    patch 03116d67e0973bb493fe9307e28973a24a272bcc in mainline.

    Second-generation Promise SATA controllers have an ASIC bug which
    can trigger if the last PRD entry is larger than 164 bytes,
    resulting in intermittent errors and possible data corruption.

    Work around this by replacing calls to ata_qc_prep() with a
    private version that fills the PRD, checks the size of the last
    entry, and if necessary splits it to avoid the bug. Also reduce
    sg_tablesize by 1 to accommodate the new entry.

    Tested on the second-generation SATA300 TX4 and SATA300 TX2plus,
    and the first-generation PDC20378.

    Thanks to Alexander Sabourenkov for verifying the bug by studying
    the vendor driver, and for writing the initial patch upon which
    this one is based.
    Signed-off-by: Mikael Pettersson
    Signed-off-by: Greg Kroah-Hartman

commit d4dd8e3a7287146e479c77e0456eaa315875972a
Author: Nick Piggin
Date:   Sat Feb 2 03:08:53 2008 +0100

    vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007)

    Drivers that register a ->fault handler, but do not range-check
    the offset argument, must set VM_DONTEXPAND in the vm_flags in
    order to prevent an expanding mremap from overflowing the
    resource.

    I've audited the tree and attempted to fix these problems (usually
    by adding VM_DONTEXPAND where it is not obvious).

    Signed-off-by: Nick Piggin
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 5f8d005f5ee726ec8b6b3ddd9920a3e609740320
Author: NeilBrown
Date:   Fri Jan 11 17:06:52 2008 -0500

    knfsd: Allow NFSv2/3 WRITE calls to succeed when krb5i etc is used.

    patch ba67a39efde8312e386c6f603054f8945433d91f in mainline.

    When RPCSEC/GSS and krb5i is used, requests are padded, typically
    to a multiple of 8 bytes. This can make the request look slightly
    longer than it really is.

    As of

        f34b95689d2ce001c "The NFSv2/NFSv3 server does not handle zero
            length WRITE request correctly",

    the xdr decode routines for NFSv2 and NFSv3 reject requests that
    aren't the right length, so krb5i (for example) WRITE requests can
    get lost.

    This patch relaxes the appropriate test and enhances the related
    comment.

    Signed-off-by: Neil Brown
    Signed-off-by: J. Bruce Fields
    Cc: Peter Staubach
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 7b21cc0a0e0787b428948873f5b7d3f67e938ef2
Author: Dan Williams
Date:   Tue Jan 8 15:32:53 2008 -0800

    md: fix data corruption when a degraded raid5 array is reshaped

    patch 0f94e87cdeaaac9f0f9a28a5dd2a5070b87cd3e8 in mainline.

    We currently do not wait for the block from the missing device to
    be computed from parity before copying data to the new stripe
    layout.

    The change in the raid6 code is not technically needed as we don't
    delay data block recovery in the same way for raid6 yet.
    But making the change now is safer long-term.

    This bug exists in 2.6.23 and 2.6.24-rc

    Signed-off-by: Dan Williams
    Acked-by: Neil Brown
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 0bab2ffb612cbc6b654d321848feb05c8bdbb029
Author: Eric Paris
Date:   Mon Nov 26 18:47:26 2007 -0500

    security: protect from stack expantion into low vm addresses

    patch 8869477a49c3e99def1fcdadd6bbc407fea14b45 in mainline.

    Add security checks to make sure we are not attempting to expand
    the stack into memory protected by mmap_min_addr

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris
    Signed-off-by: Greg Kroah-Hartman

commit a0209f336a1dff0363b558a972eb71eef74e0084
Author: Eric Paris
Date:   Wed Dec 19 13:59:32 2007 +0100

    VM/Security: add security hook to do_brk (CVE-2007-6434)

    patch ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5 in mainline.

    VM/Security: add security hook to do_brk

    Given a specifically crafted binary do_brk() can be used to get
    low pages available in userspace virtual memory and can thus be
    used to circumvent the mmap_min_addr low memory protection. Add
    security checks in do_brk().

    Signed-off-by: Eric Paris
    Acked-by: Alan Cox
    Cc: Stephen Smalley
    Cc: James Morris
    Cc: Chris Wright
    Cc: maximilian attems
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit f6055bdd46a2b964f09d02056a251bbf5a8ce9ef
Author: Matthew Wilcox
Date:   Tue Dec 18 00:44:43 2007 +0100

    m68k: Export cachectl.h

    patch e92042e5c009d84ba741ec4a978a13f260e6ee24 in mainline.

    m68k: Export cachectl.h

    libffi in GCC 4.2 needs cachectl.h to do its cache flushing. But
    we don't currently export it. I believe this patch should do the
    trick.
    Signed-off-by: Matthew Wilcox
    Cc: maximilian attems
    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 72754b23ef3a4b1b1982ce51a9778bf491f1bd1f
Author: Steve French
Date:   Mon Dec 17 23:08:58 2007 +0100

    CIFS: Respect umask when using POSIX mkdir

    patch a8cd925f74c3b1b6d1192f9e75f9d12cc2ab148a in mainline.

    [CIFS] Respect umask when using POSIX mkdir

    When making a directory with POSIX mkdir calls, cifs_mkdir does
    not respect the umask. This patch causes the new POSIX mkdir to
    create with the right mode

    Signed-off-by: Jeff Layton
    Signed-off-by: Steve French
    Cc: maximilian attems
    Signed-off-by: Greg Kroah-Hartman

commit 8fdb939daf356463911a58daf8b9146e6ee7cf81
Author: Oliver Neukum
Date:   Fri Oct 12 14:18:40 2007 -0400

    Input: fix open count handling in input interfaces

    patch 064450140f1eab959bd0eca0245f449993216074 in mainline.

    If input_open_device() fails we should not leave interfaces marked
    as opened.

    Signed-off-by: Oliver Neukum
    Cc: Al Viro
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

commit 71915ded634a0a317b6f579d3c39112657e9a34d
Author: Dmitry Torokhov
Date:   Thu Aug 30 00:22:39 2007 -0400

    Input: tsdev - implement proper locking

    patch b9d2d110b10f7b4788d0fdd328cf57e34b767817 in mainline.

    Signed-off-by: Dmitry Torokhov
    Cc: Al Viro
    Signed-off-by: Greg Kroah-Hartman

commit 3d85fb10f916a73a7270166b2871b4e5ad90707d
Author: Dmitry Torokhov
Date:   Thu Aug 30 00:22:32 2007 -0400

    Input: joydev - implement proper locking

    patch b126207ccdfe492fbc339c18d4898b1b5353fc6b in mainline.

    Signed-off-by: Dmitry Torokhov
    Cc: Al Viro
    Signed-off-by: Greg Kroah-Hartman

commit 7689d8b7f89935ce60edbc3a41fa4e3231175c95
Author: Dmitry Torokhov
Date:   Thu Aug 30 00:22:24 2007 -0400

    Input: mousedev - implement proper locking

    patch 464b241575f3700e14492e34f26bcd1794280f55 in mainline.
    Signed-off-by: Dmitry Torokhov
    Cc: Al Viro
    Signed-off-by: Greg Kroah-Hartman

commit 9f3401684fb7213bf8d2e9e205e409fff4d0d5c5
Author: Dmitry Torokhov
Date:   Thu Aug 30 00:22:18 2007 -0400

    Input: evdev - implement proper locking

    patch 6addb1d6de1968b84852f54561cc9a999909b5a9 in mainline.

    Signed-off-by: Dmitry Torokhov
    Cc: Al Viro
    Signed-off-by: Greg Kroah-Hartman

commit 8f751a2377bffec179bc686e5dc384485bfb620e
Author: Dmitry Torokhov
Date:   Thu Aug 30 00:22:11 2007 -0400

    Input: implement proper locking in input core

    patch 8006479c9b75fb6594a7b746af3d7f1fbb68f18f in mainline.

    Also add some kerneldoc documentation to input.h

    Signed-off-by: Dmitry Torokhov
    Cc: Al Viro
    Signed-off-by: Greg Kroah-Hartman

commit b62a69127508cc71d3f584342e119302cee04f65
Author: Divy Le Ray
Date:   Tue Dec 18 15:13:55 2007 -0800

    cxgb: fix stats

    patch e0348b9ae5374f9a24424ae680bcd80724415f60 in mainline.

    Fix MAC stats accounting.
    Fix get_stats.

    Signed-off-by: Divy Le Ray
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit b6f3568f83d38355314f42e5159648c09b5ece87
Author: Divy Le Ray
Date:   Tue Dec 18 15:12:44 2007 -0800

    cxgb: fix T2 GSO

    patch 7832ee034b6ef78aab020c9ec1348544cd65ccbd in mainline.

    The patch ensures that a GSO skb has enough headroom to push an
    encapsulating cpl_tx_pkt_lso header.

    Signed-off-by: Divy Le Ray
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 5213946fb2ba61721aa933f9a565b0d2ee93687d
Author: Divy Le Ray
Date:   Tue Dec 18 15:11:52 2007 -0800

    chelsio: Fix skb->dev setting

    patch 7de6af0f23b25df8da9719ecae1916b669d0b03d in mainline.

    eth_type_trans() now sets skb->dev.
    Access skb->def after it gets set.

    Signed-off-by: Divy Le Ray
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit f5a76538c9608ca37248434c9e658254b99a464a
Author: Christoph Lameter
Date:   Wed Jan 16 00:21:19 2008 +0530

    quicklists: Only consider memory that can be used with GFP_KERNEL

    patch 96990a4ae979df9e235d01097d6175759331e88c in mainline.
    Quicklists calculates the size of the quicklists based on the
    number of free pages. This must be the number of free pages that
    can be allocated with GFP_KERNEL. node_page_state() includes the
    pages in ZONE_HIGHMEM and ZONE_MOVABLE which may lead the
    quicklists to become too large causing OOM.

    Signed-off-by: Christoph Lameter
    Tested-by: Dhaval Giani
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 70bcc8d502fb7fa247d4c535de665de58c3bd83d
Author: Christoph Lameter
Date:   Sat Dec 22 14:03:23 2007 -0800

    quicklists: do not release off node pages early

    patch ed367fc3a7349b17354c7acef551533337764859 in mainline.

    quicklists must keep even off node pages on the quicklists until
    the TLB flush has been completed.

    Signed-off-by: Christoph Lameter
    Cc: Dhaval Giani
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit b3794fe0f120694d0085316346d679f481966427
Author: Ingo Molnar
Date:   Mon Dec 17 21:17:56 2007 +0100

    vfs: coredumping fix (CVE-2007-6206)

    vfs: coredumping fix

    patch c46f739dd39db3b07ab5deb4e3ec81e1c04a91af in mainline

    fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043

    only allow coredumping to the same uid that the coredumping task
    runs under.

    Signed-off-by: Ingo Molnar
    Acked-by: Alan Cox
    Acked-by: Christoph Hellwig
    Acked-by: Al Viro
    Signed-off-by: Linus Torvalds
    Cc: maximilian attems
    Signed-off-by: Greg Kroah-Hartman

commit b98ebe01754d083dbdfe7bd3cd46fa2106fad4ef
Author: Rafael J. Wysocki
Date:   Mon Dec 17 01:03:46 2007 +0100

    Freezer: Fix APM emulation breakage

    The APM emulation is currently broken as a result of commit
    831441862956fffa17b9801db37e6ea1650b0f69
    "Freezer: make kernel threads nonfreezable by default"
    that removed the PF_NOFREEZE annotations from apm_ioctl() without
    adding the appropriate freezer hooks. Fix it and remove the
    unnecessary variable flags from apm_ioctl().
    This problem has been fixed in the mainline by
    commit cb43c54ca05c01533c45e4d3abfe8f99b7acf624
    "Freezer: Fix APM emulation breakage".

    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

commit 78489300c39e88c1f75dbc4a360176cb0778361c
Author: Thomas Gleixner
Date:   Thu Dec 13 09:57:17 2007 +0100

    clockevents: fix reprogramming decision in oneshot broadcast

    patch cdc6f27d9e3c2f7ca1a3e19c6eabb1ad6a2add5d in mainline.

    A previous version of the code did the reprogramming of the
    broadcast device in the return from idle code. This was removed,
    but the logic in tick_handle_oneshot_broadcast() was kept the
    same.

    When a broadcast interrupt happens we signal the expiry to all
    CPUs which have an expired event. If none of the CPUs has an
    expired event, which can happen in dyntick mode, then we reprogram
    the broadcast device. We do not reprogram otherwise, but this is
    only correct if all CPUs, which are in the idle broadcast state
    have been woken up.

    The code ignores, that there might be pending not yet expired
    events on other CPUs, which are in the idle broadcast state. So
    the delivery of those events can be delayed for quite a time.

    Change the tick_handle_oneshot_broadcast() function to check for
    CPUs, which are in broadcast state and are not woken up by the
    current event, and enforce the rearming of the broadcast device
    for those CPUs.
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Ingo Molnar

commit 08d62c691a5417b713b02d9dcba8950f437a1287
Author: Greg Kroah-Hartman
Date:   Tue Jan 15 20:17:56 2008 +0100

    USB: update sierra.c with latest device ids that are in 2.6.24-rc7

    Signed-off-by: Greg Kroah-Hartman

commit 440f51af3117a918492aa86b327de136fdd7e084
Author: Herbert Xu
Date:   Fri Jan 11 16:02:52 2008 +1100

    CRYPTO: padlock: Fix spurious ECB page fault

    [CRYPTO] padlock: Fix spurious ECB page fault

    [ Upstream commit: d4a7dd8e637b322faaa934ffcd6dd07711af831f ]
    [ Upstream commit: 490fe3f05be3f7c87d7932bcb6e6e53e3db2cd9c ]

    The xcryptecb instruction always processes an even number of
    blocks so we need to ensure the existence of an extra block if we
    have to process an odd number of blocks.

    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 5a75ac5da4c601e146fc1becb6eefb6b21d67b09
Author: Len Brown
Date:   Mon Jan 14 02:39:18 2008 -0500

    PM: ACPI and APM must not be enabled at the same time

    patch 9f9adecd2d0e4f88fa0e8cb06c6ec207748df70a in mainline.

    ACPI and APM used "pm_active" to guarantee that they would not be
    simultaneously active.

    But pm_active was recently moved under CONFIG_PM_LEGACY, so that
    without CONFIG_PM_LEGACY, pm_active became a NOP -- allowing ACPI
    and APM to both be simultaneously enabled. This caused
    unpredictable results, including boot hangs.

    Further, the code under CONFIG_PM_LEGACY is scheduled for removal.

    So replace pm_active with pm_flags. pm_flags depends only on
    CONFIG_PM, which is present for both CONFIG_APM and CONFIG_ACPI.

    http://bugzilla.kernel.org/show_bug.cgi?id=9194

    Signed-off-by: Len Brown
    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

commit 6920e2dd9ead7131f75f71f40fb00655e18c7320
Author: Zhao Yakui
Date:   Mon Jan 14 02:27:45 2008 -0500

    ACPI: apply quirk_ich6_lpc_acpi to more ICH8 and ICH9

    patch d1ec7298fcefd7e4d1ca612da402ce9e5d5e2c13 in mainline.
    It is important that these resources be reserved to avoid
    conflicts with well known ACPI registers.

    Signed-off-by: Zhao Yakui
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit 3493ee1fcce90c1f59f811bd0f48963e0395cbe5
Author: Bob Moore
Date:   Mon Jan 14 02:23:24 2008 -0500

    ACPICA: fix acpi_serialize hang regression

    patch 014d433f35d7f34b55dcc7b57c7635aaefc3757f in mainline.

    http://bugzilla.kernel.org/show_bug.cgi?id=8171

    Signed-off-by: Bob Moore
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit a16d391bf3e5c7c42edd5e86d86b4f2baf003a3e
Author: Alan Cox
Date:   Mon Jan 14 02:22:11 2008 -0500

    ACPI: Not register gsi for PCI IDE controller in legacy mode

    patch 96c2a8766bf4fe91abac863749c11637fabcc64f in mainline.

    When PCI IDE controller works in legacy mode and no PRT entry is
    found in ACPI PRT table, OSPM will neither read the irq number
    from the IDE PCI configuration space nor call the function of
    acpi_register_gsi to register gsi.

    http://bugzilla.kernel.org/show_bug.cgi?id=5637

    Signed-off-by: Alan Cox
    Signed-off-by: Zhao Yakui
    Signed-off-by: Zhang Rui
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit 5861d7167d4bf07d0b4424d66940cd69a6d02ce0
Author: Bob Moore
Date:   Wed Dec 5 23:42:10 2007 -0500

    ACPICA: fix acpi-cpufreq boot crash due to _PSD return-by-reference

    patch 152c300d007c70c4a1847dad39ecdaba22e7d457 in mainline.

    Changed resolution of named references in packages

    Fixed a problem with the Package operator where all named
    references were created as object references and left otherwise
    unresolved. According to the ACPI specification, a Package can
    only contain Data Objects or references to control methods. The
    implication is that named references to Data Objects (Integer,
    Buffer, String, Package, BufferField, Field) should be resolved
    immediately upon package creation. This is the approach taken with
    this change. References to all other named objects (Methods,
    Devices, Scopes, etc.)
    are all now properly created as reference objects.

    http://bugzilla.kernel.org/show_bug.cgi?id=5328
    http://bugzilla.kernel.org/show_bug.cgi?id=9429

    Signed-off-by: Bob Moore
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit abf4c0201090bf49a02340d35b4f054a4229ecc9
Author: David Miller
Date:   Fri Jan 11 01:28:43 2008 -0800

    SPARC64: Implement pci_resource_to_user()

    [SPARC64]: Implement pci_resource_to_user()

    [ Upstream commit: bcea1db16ba1c45ccebb3bfb8441642d1342c4d5 ]

    This makes libpciaccess able to mmap() resources of the device
    properly.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 7a40387d552af1cdc265827e94528149a0725b0d
Author: David Miller
Date:   Fri Jan 11 01:27:23 2008 -0800

    SPARC64: Fix OOPS in dma_sync_*_for_device()

    [SPARC64]: Fix OOPS in dma_sync_*_for_device()

    [ Upstream commit: 36bb61346d9e64b55285f27363e93a6e96f2abba ]

    I included these operations vector cases for situations where we
    never need to do anything, the entries aren't filled in by any
    implementation, so we OOPS trying to invoke NULL pointer
    functions.

    Really make them NOPs, to fix the bug.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit b525b62619750d38b4135d39f82ae89ff89ef935
Author: David Miller
Date:   Fri Jan 11 01:38:38 2008 -0800

    CASSINI: Set skb->truesize properly on receive packets.

    [ Upstream commit: d011a231675b240157a3c335dd53e9b849d7d30d ]

    skb->truesize was not being incremented at all to reflect the page
    based data added to RX SKBs.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 89a863418881cbf988823803b7bc0dd0a8f20df8
Author: David Miller
Date:   Fri Jan 11 01:38:38 2008 -0800

    CASSINI: Revert 'dont touch page_count'.

    [ Upstream commit: 9de4dfb4c7176e5bb232a21cdd8df78da2b15cac ]

    This reverts changeset fa4f0774d7c6cccb4d1fda76b91dd8eddcb2dd6a
    ([CASSINI]: dont touch page_count) because it breaks the driver.
    The local page counting added by this changeset did not account
    for the asynchronous page count changes done by kfree_skb() and
    friends.

    The change adds extra atomics and on top of it all appears to be
    totally unnecessary as well.

    Signed-off-by: David S. Miller
    Acked-by: Nick Piggin
    Signed-off-by: Greg Kroah-Hartman

commit a055f487401cb0525cb9548a3158c9da41dffcba
Author: Al Viro
Date:   Fri Jan 11 01:38:38 2008 -0800

    CASSINI: Fix endianness bug.

    [ Upstream commit: e5e025401f6e926c1d9dc3f3f2813cf98a2d8708 ]

    Here's proposed fix for RX checksum handling in cassini; it
    affects little-endian working with half-duplex gigabit, but
    obviously needs testing on big-endian too.

    The problem is, we need to convert checksum to fixed-endian
    *before* correcting for (unstripped) FCS. On big-endian it won't
    matter (conversion is no-op), on little-endian it will, but only
    if FCS is not stripped by hardware; i.e. in half-duplex gigabit
    mode when ->crc_size is set.

    cassini.c part is that fix, cassini.h one consists of trivial
    endianness annotations. With that applied the sucker is
    endian-clean, according to sparse.

    Signed-off-by: Al Viro
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 3ad6d9c22738b3e162212501d4145a8999759d08
Author: Timo Teras
Date:   Fri Jan 11 01:30:35 2008 -0800

    IPV4: ip_gre: set mac_header correctly in receive path

    [IPV4] ip_gre: set mac_header correctly in receive path

    [ Upstream commit: 1d0691674764098304ae4c63c715f5883b4d3784 ]

    mac_header update in ipgre_recv() was incorrectly changed to
    skb_reset_mac_header() when it was introduced.

    Signed-off-by: Timo Teras
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 02f5ff7df69ec84404907e095b6bed86417ebb03
Author: David Miller
Date:   Fri Jan 11 01:31:39 2008 -0800

    NET: Correct two mistaken skb_reset_mac_header() conversions.

    [NET]: Correct two mistaken skb_reset_mac_header() conversions.
    [ Upstream commit: c6e6ca712b5cc06a662f900c0484d49d7334af64 ]

    This operation helper abstracts:

        skb->mac_header = skb->data;

    but it was done in two more places which were actually:

        skb->mac_header = skb->network_header;

    and those are corrected here.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d7ebea7d9e242d5eb968c9512d323f15c3894e20
Author: Herbert Xu
Date:   Fri Jan 11 01:32:51 2008 -0800

    IPSEC: Avoid undefined shift operation when testing algorithm ID

    [IPSEC]: Avoid undefined shift operation when testing algorithm ID

    [ Upstream commit: f398035f2dec0a6150833b0bc105057953594edb ]

    The aalgos/ealgos fields are only 32 bits wide. However, af_key
    tries to test them with the expression 1 << id where id can be as
    large as 253. This produces different behaviour on different
    architectures.

    The following patch explicitly checks whether ID is greater than
    31 and fails the check if that's the case.

    We cannot easily extend the mask to be longer than 32 bits due to
    exposure to user-space. Besides, this whole interface is obsolete
    anyway in favour of the xfrm_user interface which doesn't use this
    bit mask in templates (well not within the kernel anyway).

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 58cfd02363cefb05d624a30ba323c4afd1cedc4c
Author: Chas Williams
Date:   Fri Jan 11 01:35:51 2008 -0800

    ATM: [nicstar] delay irq setup until card is configured

    [ATM]: [nicstar] delay irq setup until card is configured

    [ Upstream commit: 52961955aa180959158faeb9fd6b4f8a591450f5 ]

    Signed-off-by: Chas Williams
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 80fab39bdffb982b7385c3c05c3beedb5b54f6f9
Author: Eric Dumazet
Date:   Fri Jan 11 01:42:12 2008 -0800

    IPV4 ROUTE: ip_rt_dump() is unecessary slow

    [IPV4] ROUTE: ip_rt_dump() is unecessary slow

    [ Upstream commit: d8c9283089287341c85a0a69de32c2287a990e71 ]

    I noticed "ip route list cache x.y.z.t" can be *very* slow.
While strace-ing -T it I also noticed that first part of route cache is fetched quite fast : recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202 GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.000047> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.000042> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3740 <0.000055> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.000043> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3732 <0.000053> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202 GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3708 <0.000052> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202 GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3680 <0.000041> while the part at the end of the table is more expensive: recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3656 <0.003857> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], 
    msg_controllen=0, msg_flags=0}, 0) = 3772 <0.003891>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.003765>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3700 <0.003879>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3676 <0.003797>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3724 <0.003856>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.003848>

    The following patch corrects this performance/latency problem,
    removing quadratic behavior.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit a745dba38eb58bf95ddab73121a7f44116a9f5b3
Author: Herbert Xu
Date:   Fri Jan 11 01:10:42 2008 -0800

    ATM: Check IP header validity in mpc_send_packet

    [ATM]: Check IP header validity in mpc_send_packet

    [ Upstream commit: 1c9b7aa1eb40ab708ef3242f74b9a61487623168 ]

    Al went through the ip_fast_csum callers and found this piece of code
    that did not validate the IP header. While root crashing the machine
    by sending bogus packets through raw or AF_PACKET sockets isn't that
    serious, it is still nice to react gracefully.

    This patch ensures that the skb has enough data for an IP header and
    that the header length field is valid.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S.
    Miller
    Signed-off-by: Greg Kroah-Hartman

commit 57a0a0d2c27d63176040b0a0f5c8a73f4f62ec99
Author: Li Zefan
Date:   Fri Jan 11 01:11:48 2008 -0800

    CONNECTOR: Don't touch queue dev after decrement of ref count.

    [CONNECTOR]: Don't touch queue dev after decrement of ref count.

    [ Upstream commit: cf585ae8ae9ac7287a6d078425ea32f22bf7f1f7 ]

    cn_queue_free_callback() will touch 'dev' (i.e. cbq->pdev), so it
    should be called before atomic_dec(&dev->refcnt).

    Signed-off-by: Li Zefan
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 4d4522a499707f856d1c3046088abefdcf226ee9
Author: Mark McLoughlin
Date:   Fri Jan 11 01:13:17 2008 -0800

    INET: Fix netdev renaming and inet address labels

    [INET]: Fix netdev renaming and inet address labels

    [ Upstream commit: 44344b2a85f03326c7047a8c861b0c625c674839 ]

    When re-naming an interface, the previous secondary address labels
    get lost e.g.

      $> brctl addbr foo
      $> ip addr add 192.168.0.1 dev foo
      $> ip addr add 192.168.0.2 dev foo label foo:00
      $> ip addr show dev foo | grep inet
        inet 192.168.0.1/32 scope global foo
        inet 192.168.0.2/32 scope global foo:00
      $> ip link set foo name bar
      $> ip addr show dev bar | grep inet
        inet 192.168.0.1/32 scope global bar
        inet 192.168.0.2/32 scope global bar:2

    Turns out to be a simple thinko in inetdev_changename() - clearly we
    want to look at the address label, rather than the device name, for
    a suffix to retain.

    Signed-off-by: Mark McLoughlin
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 0d539224ff15f10f741f61a19451a92de12eb733
Author: maximilian attems
Date:   Fri Jan 11 01:14:17 2008 -0800

    IRDA: irda_create() nuke user triggable printk

    [IRDA]: irda_create() nuke user triggable printk

    [ Upstream commit: 9e8d6f8959c356d8294d45f11231331c3e1bcae6 ]

    easy to trigger as user with sfuzz.

    irda_create() is quiet on unknown sock->type,
    match this behaviour for SOCK_DGRAM unknown protocol

    Signed-off-by: maximilian attems
    Signed-off-by: David S.
    Miller
    Signed-off-by: Greg Kroah-Hartman

commit 37e82ef19ffc9d6c4f648e6b38383299de8c79b9
Author: Russ Dill
Date:   Fri Jan 11 01:16:28 2008 -0800

    NET: kaweth was forgotten in msec switchover of usb_start_wait_urb

    [NET]: kaweth was forgotten in msec switchover of usb_start_wait_urb

    [ Upstream commit: 2b2b2e35b71e5be8bc06cc0ff38df15dfedda19b ]

    Back in 2.6.12-pre, usb_start_wait_urb was switched over to take
    milliseconds instead of jiffies. kaweth.c was never updated to match.

    Signed-off-by: Russ Dill
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d80f0b526695c5950ce114d2613d5d081b42f2d2
Author: Russ Dill
Date:   Fri Jan 11 01:19:55 2008 -0800

    NET: mcs7830 passes msecs instead of jiffies to usb_control_msg

    [NET]: mcs7830 passes msecs instead of jiffies to usb_control_msg

    [ Upstream commit 1d39da3dcaad4231f0fa75024b1d6d710a2ced74 ]

    usb_control_msg was changed long ago (2.6.12-pre) to take
    milliseconds instead of jiffies. Oddly, mcs7830 wasn't added until
    2.6.19-rc3.

    Signed-off-by: Russ Dill
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d9711c647766c3fd49d126acee34937648cd5346
Author: Julia Lawall
Date:   Fri Jan 11 01:26:33 2008 -0800

    X25: Add missing x25_neigh_put

    [X25]: Add missing x25_neigh_put

    [ Upstream commit: 76975f8a3186dae501584d0155ea410464f62815 ]

    The function x25_get_neigh increments a reference count. At the point
    of the second goto out, the result of calling x25_get_neigh is only
    stored in a local variable, and thus no one outside the function will
    be able to decrease the reference count. Thus, x25_neigh_put should
    be called before the return in this case.

    The problem was found using the following semantic match.
    (http://www.emn.fr/x-info/coccinelle/)

    //
    @@
    type T,T1,T2;
    identifier E;
    statement S;
    expression x1,x2,x3;
    int ret;
    @@

      T E;
      ...
    * if ((E = x25_get_neigh(...)) == NULL)
      S
      ... when != x25_neigh_put(...,(T1)E,...)
          when != if (E != NULL) { ...
              x25_neigh_put(...,(T1)E,...); ...}
          when != x1 = (T1)E
          when != E = x3;
          when any
      if (...) {
        ... when != x25_neigh_put(...,(T2)E,...)
            when != if (E != NULL) { ... x25_neigh_put(...,(T2)E,...); ...}
            when != x2 = (T2)E
    (
    *   return;
    |
    *   return ret;
    )
      }
    //

    Signed-off-by: Julia Lawall
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 75ad12ba7b1897e7b8a5fa88e007244a279a1713
Author: Patrick Mansfield
Date:   Sun Nov 4 04:42:03 2007 +1100

    POWERPC: Change fallocate to match unistd.h on powerpc

    patch f2205fbb5a8933514fd343cc329df631802b4543 in mainline.

    Fix the fallocate system call on powerpc to match its unistd.h.

    This implies none of these system calls are currently working with
    the unistd.h sys call values:

        fallocate
        signalfd
        timerfd
        eventfd
        sync_file_range2

    Signed-off-by: Patrick Mansfield
    Acked-by: Anton Blanchard
    Signed-off-by: Paul Mackerras
    Signed-off-by: Greg Kroah-Hartman

commit d4692a58d84fd6aa826f36ce91fc42c889772fe0
Author: Stephen Hemminger
Date:   Wed Dec 26 09:59:27 2007 -0800

    sky2: RX lockup fix

    Backport commit 798fdd07fcc131f396e521febb4a7d42559bf4b5

    I'm using a Marvell 88E8062 on a custom PPC64 blade and ran into RX
    lockups while validating the sky2 driver. The receive MAC FIFO would
    become stuck during testing with high traffic. One port of the
    88E8062 would lockup, while the other port remained functional.
    Re-inserting the sky2 module would not fix the problem - only a power
    cycle would.

    I looked over Marvell's most recent sk98lin driver and it looks like
    they had a "workaround" for the Yukon XL that the sky2 doesn't have
    yet. The sk98lin driver disables the RX MAC FIFO flush feature for
    all revisions of the Yukon XL.

    According to skgeinit.c of the sk98lin driver, "Flushing must be
    enabled (needed for ASF see dev. #4.29), but the flushing mask should
    be disabled (see dev. #4.115)". Nice.

    I implemented this same change in the sky2 driver and verified that
    the RX lockup I was seeing was resolved.

    Signed-off-by: Peter Tyser
    Signed-off-by: Stephen Hemminger
    Signed-off-by: Greg Kroah-Hartman

commit e62eb48fc190c23187e6f00b211439ddec940e2e
Author: Stephen Hemminger
Date:   Wed Dec 26 09:59:26 2007 -0800

    sky2: disable rx checksum on Yukon XL

    Backport of 8b31cfbcd1b54362ef06c85beb40e65a349169a2

    The Marvell Yukon XL chipset appears to have a hardware glitch where
    it will repeat the checksum of the last packet. Of course, this is
    timing sensitive and only happens sometimes...

    More info: http://bugzilla.kernel.org/show_bug.cgi?id=9381

    As a workaround just disable hardware checksumming by default on this
    chip version. The earlier workaround for PCIX, dual port was also on
    Yukon XL so don't need to disable checksumming there.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Greg Kroah-Hartman

commit 4cee0d814d080df05e8f72320409b275da7f64d9
Author: Herbert Xu
Date:   Fri Jan 11 01:09:46 2008 -0800

    IPV4 raw: Strengthen check on validity of iph->ihl

    [IPV4] raw: Strengthen check on validity of iph->ihl

    [ Upstream commit: f844c74fe07321953e2dd227fe35280075f18f60 ]

    We currently check that iph->ihl is bounded by the real length and
    that the real length is greater than the minimum IP header length.
    However, we did not check the case where iph->ihl is less than the
    minimum IP header length.

    This breaks because some ip_fast_csum implementations assume that
    which is quite reasonable.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 447ede6587aac4fc37cce11a90cfe2f1e0031ab3
Author: Cory T. Tusar
Date:   Sun Dec 23 12:34:51 2007 -0800

    tty: fix logic change introduced by wait_event_interruptible_timeout()

    patch db99247ac68fc352100090ad7704fb5efb9327b6 in mainline.

    Commit 5a52bd4a2dcb570333ce6fe2e16cd311650dbdc8 introduced a subtle
    logic change in tty_wait_until_sent(). The original version would
    only error out of the 'do { ...
    } while (timeout)' loop if signal_pending() evaluated to true; a
    timeout or break due to an empty buffer would fall out of the loop
    and into the tty->driver->wait_until_sent handling. The current
    implementation will error out on either a pending signal or an empty
    buffer, falling through to the tty->driver->wait_until_sent handling
    only on a timeout.

    The ->wait_until_sent() will not be reached if the buffer empties
    before timeout jiffies have elapsed. This behavior differs from that
    prior to commit 5a52bd4a2dcb570333ce6fe2e16cd311650dbdc8.

    I turned this up while using a little serial download utility to
    bootstrap an ARM-based eval board. The util worked fine on 2.6.22.x,
    but consistently failed on 2.6.23.x. Once I'd determined that, I
    narrowed things down with git bisect, and found the above difference
    in logic in tty_wait_until_sent() by inspection.

    This change reverts the logic flow in tty_wait_until_sent() to match
    that prior to the aforementioned commit.

    Signed-off-by: Cory T. Tusar
    Cc: Alan Cox
    Acked-by: Jiri Slaby
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 1d8782173cb23a56d624b30095dd3e0daaa821c5
Author: Pavel Emelyanov
Date:   Wed Dec 19 16:30:48 2007 -0800

    VLAN: Lost rtnl_unlock() in vlan_ioctl()

    [VLAN]: Lost rtnl_unlock() in vlan_ioctl()

    [ Upstream commit: e35de02615f97b785dc6f73cba421cea06bcbd10 ]

    The SET_VLAN_NAME_TYPE_CMD command w/o CAP_NET_ADMIN capability
    doesn't release the rtnl lock.

    Signed-off-by: Pavel Emelyanov
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 1c8db29a2f48adf8c015e0bca16ff34f2b53a34b
Author: Herbert Xu
Date:   Wed Dec 19 16:35:54 2007 -0800

    IPSEC: Fix potential dst leak in xfrm_lookup

    [IPSEC]: Fix potential dst leak in xfrm_lookup

    [ Upstream commit: 75b8c133267053c9986a7c8db5131f0e7349e806 ]

    If we get an error during the actual policy lookup we don't free the
    original dst while the caller expects us to always free the original
    dst in case of error.

    This patch fixes that.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 9f479dcdc1a6391f5bbe14a288031a5fd745a7f3
Author: David Miller
Date:   Wed Dec 19 16:28:57 2007 -0800

    SPARC64: Fix two kernel linear mapping setup bugs.

    [SPARC64]: Fix two kernel linear mapping setup bugs.

    [ Upstream commit: 8f361453d8e9a67c85b2cf9b93c642c2d8fe0462 ]

    This was caught and identified by Greg Onufer.

    Since we setup the 256M/4M bitmap table after taking over the trap
    table, it's possible for some 4M mapping to get loaded in the TLB
    beforehand which later will be 256M mappings.

    This can cause illegal TLB multiple-match conditions. Fix this by
    setting up the bitmap before we take over the trap table.

    Next, __flush_tlb_all() was not doing anything on hypervisor
    platforms. Fix by adding sun4v_mmu_demap_all() and calling it.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 26122285ae77a1969c0de4ac472809093af20145
Author: David Miller
Date:   Wed Dec 19 16:27:11 2007 -0800

    SPARC64: Fix memory controller register access when non-SMP.

    [SPARC64]: Fix memory controller register access when non-SMP.

    [ Upstream commit: b332b8bc9c67165eabdfc7d10b4a2e4cc9f937d0 ]

    get_cpu() always returns zero on non-SMP builds, but we really want
    the physical cpu number in this code in order to do the right thing.

    Based upon a non-SMP kernel boot failure report from Bernd Zeimetz.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 96cbde9a5b59660e186b0d176d0abe668b6e8546
Author: Henrique de Moraes Holschuh
Date:   Thu Dec 13 22:03:52 2007 -0500

    ACPI: thinkpad-acpi: fix lenovo keymap for brightness

    upstream commit 56a185b43be05e48da7428e6a1d3e2585b232b1d

    Starting in 2.6.23...

    Several reports from X60 users complained that the default Lenovo
    keymap issuing EV_KEY KEY_BRIGHTNESS_UP/DOWN input events caused
    major issues when the proper brightness support through ACPI video.c
    was loaded.
    Therefore, remove the generation of these events by default, which is
    the right thing for T60, X60, R60, T61, X61 and R61 with their latest
    BIOSes.

    Distros that want to misuse these events into OSD reporting (which
    requires an ugly hack from hell in HAL) are welcome to set up the key
    map they need through HAL. That way, we don't break everyone else's
    systems.

    Signed-off-by: Henrique de Moraes Holschuh
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit 8444021c69b0787dbe4dde1c4e15818ab4e42986
Author: William Lee Irwin III
Date:   Thu Dec 13 16:29:16 2007 -0500

    ACPI: video_device_list corruption

    The ->cap fields of struct acpi_video_device and struct
    acpi_video_bus are 1B each, not 4B. The oversized memset()'s
    corrupted the subsequent list_head fields. This resulted in silent
    corruption without CONFIG_DEBUG_LIST and BUG's with it. This patch
    uses sizeof() to pass the proper bounds to the memset() calls and
    thereby correct the bugs.

    upstream commit 98934def70b48dac74fac3738b78ab2d1a28edda

    Signed-off-by: William Irwin
    Acked-by: Mikael Pettersson
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit b8d5ff3a2fc7f7d212a3edcf1d169e5be77ccaf4
Author: Milan Broz
Date:   Thu Dec 13 14:44:18 2007 +0000

    dm crypt: use bio_add_page

    patch 91e106259214b40e992a58fb9417da46868e19b2 in mainline.

    Fix possible max_phys_segments violation in cloned dm-crypt bio.

    In write operation dm-crypt needs to allocate new bio request and run
    crypto operation on this clone. Cloned request has always the same
    size, but number of physical segments can be increased and violate
    max_phys_segments restriction.

    This can lead to data corruption and serious hardware malfunction.
    This was observed when using XFS over dm-crypt and at least two HBA
    controller drivers (arcmsr, cciss) recently.

    Fix it by using bio_add_page() call (which tests for other
    restrictions too) instead of constructing own biovec.

    All versions of dm-crypt are affected by this bug.

    Signed-off-by: Milan Broz
    Signed-off-by: Alasdair G Kergon
    Signed-off-by: Greg Kroah-Hartman

commit 7a22cdb2f5ca86983f433d26a3aa9449c0671a2d
Author: Milan Broz
Date:   Thu Dec 13 14:43:05 2007 +0000

    dm crypt: fix write endio

    patch adfe47702c4726b3e045f9f83178def02833be4c in mainline.

    Fix BIO_UPTODATE test for write io.

    Signed-off-by: Milan Broz
    Signed-off-by: Alasdair G Kergon
    Signed-off-by: Greg Kroah-Hartman

commit 3fb754b906d44263625e8bbf4e53a694af181f0a
Author: Jun'ichi Nomura
Date:   Thu Dec 13 14:42:08 2007 +0000

    dm: table detect io beyond device

    Patch 512875bd9661368da6f993205a61213b79ba1df0 in mainline.

    This patch fixes a panic on shrinking a DM device if there is
    outstanding I/O to the part of the device that is being removed.
    (Normally this doesn't happen - a filesystem would be resized first,
    for example.)

    The bug is that __clone_and_map() assumes dm_table_find_target()
    always returns a valid pointer. It may fail if a bio arrives from the
    block layer but its target sector is no longer included in the DM
    btree.

    This patch appends an empty entry to table->targets[] which will be
    returned by a lookup beyond the end of the device.

    After calling dm_table_find_target(), __clone_and_map() and
    target_message() check for this condition using dm_target_is_valid().

    Sample test script to trigger oops:

    #!/bin/bash

    FILE=$(mktemp)
    LODEV=$(losetup -f)
    MAP=$(basename ${FILE})
    SIZE=4M

    dd if=/dev/zero of=${FILE} bs=${SIZE} count=1
    losetup ${LODEV} ${FILE}

    echo "0 $(blockdev --getsz ${LODEV}) linear ${LODEV} 0" |dmsetup create ${MAP}
    dmsetup suspend ${MAP}
    echo "0 1 linear ${LODEV} 0" |dmsetup load ${MAP}
    dd if=/dev/zero of=/dev/mapper/${MAP} bs=${SIZE} count=1 &
    echo "Wait til dd push some I/O"
    sleep 5
    dmsetup resume ${MAP}

    Signed-off-by: Jun'ichi Nomura
    Signed-off-by: Alasdair G Kergon
    Signed-off-by: Greg Kroah-Hartman

commit 38fa6d004744d3794407fc1bd6992007e97e2abd
Author: David Miller
Date:   Wed Dec 19 15:50:06 2007 -0800

    SPARC64: Fix sparc64 cpu cross call hangs.

    [SPARC64]: Fix endless loop in cheetah_xcall_deliver().

    [ Upstream commit: 0de56d1ab83323d604d95ca193dcbd28388dbabb ]

    We need to mask out the proper bits when testing the dispatch status
    register else we can see unrelated NACK bits from previous cross call
    sends.

    Signed-off-by: David S. Miller
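
Added example, not part of the changelog and not kernel code: a user-space C sketch of the header check that the two Herbert Xu commits above describe (a745dba38eb5, "ATM: Check IP header validity in mpc_send_packet", and 4cee0d814d08, "IPV4 raw: Strengthen check on validity of iph->ihl"). The function names, the checksum stand-in and the sample headers are constructed for illustration; the stand-in only models a routine that assumes ihl >= 5, it is not ip_fast_csum.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_MIN_IHL 5u /* minimum header length in 32-bit words */

/* Constructed sample headers, not taken from the changelog. */
static const uint8_t hdr_ok[20] = {            /* ihl = 5, checksum valid */
	0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
	0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
static const uint8_t hdr_opts[24] = {          /* ihl = 6, checksum valid */
	0x46, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0xb5, 0x60,
	0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7, 0x01, 0x01, 0x01, 0x00 };
static const uint8_t hdr_short_ihl[20] = { 0x44 };  /* ihl = 4 */

/* Header length in bytes if the header may be checksummed, else 0. */
static size_t ipv4_hdr_len_checked(const uint8_t *buf, size_t len)
{
	if (len < IPV4_MIN_IHL * 4)      /* not enough data for any header */
		return 0;
	unsigned ihl = buf[0] & 0x0f;
	if (ihl < IPV4_MIN_IHL)          /* the case the raw-socket fix adds */
		return 0;
	if ((size_t)ihl * 4 > len)       /* header claims more than is present */
		return 0;
	return (size_t)ihl * 4;
}

static uint32_t be16_at(const uint8_t *p, unsigned halfword)
{
	return ((uint32_t)p[2 * halfword] << 8) | p[2 * halfword + 1];
}

/* Stand-in for a checksum routine that assumes ihl >= 5: five words are
 * summed unconditionally and "ihl - 5" counts the rest, so an unchecked
 * ihl < 5 would wrap the counter and read far past the buffer. */
static uint16_t csum_assuming_min_ihl(const uint8_t *hdr, unsigned ihl)
{
	uint32_t sum = 0;
	unsigned i = 0, rest = ihl - IPV4_MIN_IHL;
	while (i < IPV4_MIN_IHL * 2)
		sum += be16_at(hdr, i++);
	for (; rest > 0; rest--) {
		sum += be16_at(hdr, i++);
		sum += be16_at(hdr, i++);
	}
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* 1 only if the header passes validation and then checksums to zero. */
static int ipv4_header_ok(const uint8_t *buf, size_t len)
{
	size_t hlen = ipv4_hdr_len_checked(buf, len);
	return hlen != 0 && csum_assuming_min_ihl(buf, (unsigned)(hlen / 4)) == 0;
}

int main(void)
{
	printf("ok=%d opts=%d short_ihl=%d truncated=%d\n", ipv4_header_ok(hdr_ok, 20),
	       ipv4_header_ok(hdr_opts, 24), ipv4_header_ok(hdr_short_ihl, 20), ipv4_header_ok(hdr_ok, 19));
	return 0;
}
```

The checksum stand-in is only ever reached through `ipv4_hdr_len_checked()`, which is the ordering both commits enforce: length and ihl are validated first, the checksum runs second.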