commit 927684b414dae48568ab82939ea2f55a10188e94
Author: Greg Kroah-Hartman
Date:   Mon Feb 25 16:20:20 2008 -0800

    Linux 2.6.24.3

commit 7a0fd2e6b0190e5dd2bfe71a0b4f10826811418e
Author: Ingo Molnar
Date:   Fri Feb 15 20:59:33 2008 +0100

    x86_64: CPA, fix cache attribute inconsistency bug

    (no matching git id as the upstream code is rewritten)

    fix CPA cache attribute bug in v2.6.24. When phys_base is nonzero
    (when CONFIG_RELOCATABLE=y) then change_page_attr_addr() miscalculates
    the secondary alias address by -14 MB (depending on the configured
    offset).

    The default 64-bit kernels of Fedora and Ubuntu are affected:

       $ grep RELOCA /boot/config-2.6.23.9-85.fc8
         CONFIG_RELOCATABLE=y

       $ grep RELOC /boot/config-2.6.22-14-generic
         CONFIG_RELOCATABLE=y

    and probably on many other distros as well.

    the bug affects all pages in the first 40 MB of physical RAM that
    are allocated by some subsystem that does ioremap_nocache() on them:

           if (__pa(address) < KERNEL_TEXT_SIZE) {

    Hence we might leave page table entries with inconsistent cache
    attributes around (pages mapped at both UnCacheable and Write-Back),
    and we can also set the wrong kernel text pages to UnCacheable.

    the effects of this bug can be random slowdowns and other misbehavior.
    If for example AGP allocates its aperture pages into the first 40 MB
    of physical RAM, then the -14 MB bug might mark random kernel text
    pages as uncacheable, slowing down a random portion of the 64-bit
    kernel until the AGP driver is unloaded.

    Signed-off-by: Ingo Molnar
    Acked-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

commit f7e1b66a194e38f9fa41f8144aa34b782fb4f53a
Author: Jay Vosburgh
Date:   Fri Feb 15 10:00:41 2008 -0800

    bonding: fix NULL pointer deref in startup processing

    patch 4fe4763cd8cacd81d892193efb48b99c99c15323 in mainline.

    Fix the "are we creating a duplicate" check to not compare the name
    if the name is NULL (meaning that the system should select a name).
    Bug reported by Benny Amorsen.

    Signed-off-by: Jay Vosburgh
    Signed-off-by: Jeff Garzik
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit a3b89e6d7396b874b8e7ec25378bb479418ef2d5
Author: Olaf Hering
Date:   Thu Feb 21 19:41:44 2008 -0500

    POWERPC: Revert chrp_pci_fixup_vt8231_ata devinit to fix libata on pegasos

    Commit: 092ca5bd61da6344f3b249754b337f2d48dfe08d

    [POWERPC] Revert chrp_pci_fixup_vt8231_ata devinit to fix libata on pegasos

    Commit 6d98bda79bea0e1be26c0767d0e9923ad3b72f2e changed the init order
    for chrp_pci_fixup_vt8231_ata(). It can not work anymore because either
    the irq is not yet set to 14 or pci_get_device() returns nothing. At
    least the printk() in chrp_pci_fixup_vt8231_ata() does not trigger
    anymore. pata_via works again on Pegasos with the change below.

    Signed-off-by: Olaf Hering
    Signed-off-by: Paul Mackerras
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit 80e9255328f9f1c2a6aa7422be1f0a87a4a9cb7b
Author: Chuck Ebbert
Date:   Thu Feb 21 19:33:00 2008 -0500

    PCMCIA: Fix station address detection in smc

    Commit: a1a98b72dbd17e53cd92b8e78f404525ebcfd981

    Fix station address detection in smc

    Megahertz EM1144 PCMCIA ethernet adapter needs special handling
    because it has two VERS_1 tuples and the station address is in the
    second one. Conversion to generic handling of these fields broke it.
    Reverting that fixes the device.

      https://bugzilla.redhat.com/show_bug.cgi?id=233255

    Thanks go to Jon Stanley for not giving up on this one until the
    problem was found.

    Signed-off-by: Chuck Ebbert
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 4cf87f7ef5c892c0a3d21a14724fcae1bb9ec8d6
Author: Boaz Harrosh
Date:   Thu Feb 14 21:15:08 2008 +0000

    SCSI: gdth: scan for scsi devices

    commit: 61c92814dc324b541391757062ff02fbf3b08086

    The patch: "gdth: switch to modern scsi host registration" missed one
    simple fact when moving away from scsi_module.c. That is to call
    scsi_scan_host() on the probed host.
    With this the gdth driver from 2.6.24 is again able to see drives and
    boot.

    Signed-off-by: Boaz Harrosh
    Tested-by: Joerg Dorchain
    Tested-by: Stefan Priebe
    Tested-by: Jon Chelton
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 8b0ccb03f068cf8561efd51e88cbdf3f345163b9
Author: Oliver Neukum
Date:   Fri Feb 22 00:35:05 2008 +0000

    USB: fix pm counter leak in usblp

    commit 1902869019918411c148c18cc3a22aade569ac9a upstream

    if you fail in open() you must decrement the pm counter again.

    Signed-off-by: Oliver Neukum
    Signed-off-by: Pete Zaitcev
    Signed-off-by: Greg Kroah-Hartman

commit 365b073075ef23cfdd8ba68720e7de3b4dbe4f1b
Author: Heiko Carstens
Date:   Tue Feb 19 17:20:11 2008 +0000

    S390: Fix futex_atomic_cmpxchg_std inline assembly.

    commit: d5b02b3ff1d9a2e1074f559c84ed378cfa6fc3c0 upstream

    Add missing exception table entry so that the kernel can handle
    protection exceptions as well on the cs instruction. Currently only
    specification exceptions are handled correctly.
    The missing entry allows user space to crash the kernel.

    Signed-off-by: Heiko Carstens
    Signed-off-by: Martin Schwidefsky
    Signed-off-by: Greg Kroah-Hartman

commit 0466e6b39901c5af878300cf43485ae581b252cb
Author: Thomas Gleixner
Date:   Wed Feb 20 00:29:02 2008 +0100

    genirq: do not leave interupts enabled on free_irq

    commit 89d694b9dbe769ca1004e01db0ca43964806a611

    The default_disable() function was changed in commit:

     76d2160147f43f982dfe881404cfde9fd0a9da21
     genirq: do not mask interrupts by default

    It removed the mask function in favour of the default delayed
    interrupt disabling. Unfortunately this also broke the shutdown in
    free_irq() when the last handler is removed from the interrupt for
    those architectures which rely on the default implementations. Now we
    can end up with an enabled interrupt line after the last handler was
    removed, which can result in spurious interrupts.

    Fix this by adding a default_shutdown function, which is only
    installed, when the irqchip implementation does provide neither a
    shutdown nor a disable function.

    Pointed-out-by: Michael Hennerich
    Signed-off-by: Thomas Gleixner
    Acked-by: Ingo Molnar
    Tested-by: Michael Hennerich
    Signed-off-by: Greg Kroah-Hartman

commit 4813a83f2665f7276f1e4eee9cffe45116cf3824
Author: Thomas Gleixner
Date:   Wed Feb 20 01:04:56 2008 +0100

    hrtimer: catch expired CLOCK_REALTIME timers early

    commit 63070a79ba482c274bad10ac8c4b587a3e011f2c

    A CLOCK_REALTIME timer, which has an absolute expiry time less than
    the clock realtime offset calls with a negative delta into the clock
    events code and triggers the WARN_ON() there.

    This is a false positive and needs to be prevented. Check the result
    of timer->expires - timer->base->offset right away and return -ETIME
    right away.

    Thanks to Frans Pop, who reported the problem and tested the fixes.

    Signed-off-by: Thomas Gleixner
    Tested-by: Frans Pop
    Signed-off-by: Greg Kroah-Hartman

commit 85d1617924607c1311962546bb55367b9edb4ca6
Author: Thomas Gleixner
Date:   Wed Feb 20 01:03:00 2008 +0100

    hrtimer: check relative timeouts for overflow

    commit: 5a7780e725d1bb4c3094fcc12f1c5c5faea1e988

    Various user space callers ask for relative timeouts. While we fixed
    that overflow issue in hrtimer_start(), the sites which convert
    relative user space values to absolute timeouts themselves were
    uncovered.

    Instead of putting overflow checks into each place add a function
    which does the sanity checking and convert all affected callers to use
    it.

    Thanks to Frans Pop, who reported the problem and tested the fixes.

    Signed-off-by: Thomas Gleixner
    Acked-by: Ingo Molnar
    Tested-by: Frans Pop
    Signed-off-by: Greg Kroah-Hartman

commit 227db665f6f946d376d48785b08d2b0cd1f21aad
Author: Christoph Lameter
Date:   Thu Feb 7 17:47:41 2008 -0800

    SLUB: Deal with annoying gcc warning on kfree()

    patch 5bb983b0cce9b7b281af15730f7019116dd42568 in mainline.

    gcc 4.2 spits out an annoying warning if one casts a const void *
    pointer to a void * pointer. No warning is generated if the
    conversion is done through an assignment.

    Signed-off-by: Christoph Lameter
    Signed-off-by: Greg Kroah-Hartman

commit 5214a170d6c2f1ff99c0aa9b8ed4be56d55f4ee4
Author: Oleg Nesterov
Date:   Wed Feb 20 00:48:53 2008 +0100

    hrtimer: fix *rmtp/restarts handling in compat_sys_nanosleep()

    commit 416529374b4793ba2d2e97e736d108a2e0f3ef07

    Spotted by Pavel Emelyanov and Alexey Dobriyan.

    compat_sys_nanosleep() implicitly uses hrtimer_nanosleep_restart(),
    this can't work. Make a suitable compat_nanosleep_restart() helper.

    Introduced by commit c70878b4e0b6cf8d2f1e46319e48e821ef4a8aba
    hrtimer: hook compat_sys_nanosleep up to high res timer code

    Also, set ->addr_limit = KERNEL_DS before doing hrtimer_nanosleep(),
    this func was changed by the previous patch and now takes the
    "__user *" parameter.

    Thanks to Ingo Molnar for fixing the bug in this patch.

    Signed-off-by: Oleg Nesterov
    Cc: Andrew Morton
    Cc: Alexey Dobriyan
    Cc: Pavel Emelyanov
    Cc: Peter Zijlstra
    Cc: Toyo Abe
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

commit ab23ae27f48ee940397f7e9bc21c4d3e4eb8391e
Author: Oleg Nesterov
Date:   Wed Feb 20 00:48:06 2008 +0100

    hrtimer: fix *rmtp handling in hrtimer_nanosleep()

    commit 080344b98805553f9b01de0f59a41b1533036d8d

    Spotted by Pavel Emelyanov and Alexey Dobriyan.

    hrtimer_nanosleep() sets restart_block->arg1 = rmtp, but this rmtp
    points to the local variable which lives in the caller's stack frame.
    This means that if sys_restart_syscall() actually happens and it is
    interrupted as well, we don't update the user-space variable, but
    write into the already dead stack frame.

    Introduced by commit 04c227140fed77587432667a574b14736a06dd7f
    hrtimer: Rework hrtimer_nanosleep to make sys_compat_nanosleep easier

    Change the callers to pass "__user *rmtp" to hrtimer_nanosleep(), and
    change hrtimer_nanosleep() to use copy_to_user() to actually update
    *rmtp.

    Small problem remains. man 2 nanosleep states that *rmtp should be
    written if nanosleep() was interrupted (it says nothing whether it is
    OK to update *rmtp if nanosleep returns 0), but (with or without this
    patch) we can dirty *rem even if nanosleep() returns 0.

    NOTE: this patch doesn't change compat_sys_nanosleep(), because it has
    other bugs. Fixed by the next patch.

    Signed-off-by: Oleg Nesterov
    Cc: Alexey Dobriyan
    Cc: Michael Kerrisk
    Cc: Pavel Emelyanov
    Cc: Peter Zijlstra
    Cc: Toyo Abe
    Cc: Andrew Morton
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

commit 5ef76ae0cc433e1e5927e964ad3320842ee94106
Author: Benjamin Herrenschmidt
Date:   Thu Feb 7 14:29:43 2008 +1100

    Disable G5 NAP mode during SMU commands on U3

    patch 592a607bbc053bc6f614a0e619326009f4b3829e in mainline.

    It appears that with the U3 northbridge, if the processor is in NAP
    mode the whole time while waiting for an SMU command to complete,
    then the SMU will fail. It could be related to the weird backward
    mechanism the SMU uses to get to system memory via i2c to the
    northbridge that doesn't operate properly when the said bridge is
    in napping along with the CPU. That is on U3 at least, U4 doesn't
    seem to be affected.

    This didn't show before NO_HZ as the timer wakeup was enough to make
    it work it seems, but that is no longer the case.

    This fixes it by disabling NAP mode on those machines while
    an SMU command is in flight.

    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Paul Mackerras
    Signed-off-by: Greg Kroah-Hartman

commit 58e6cf1df821c76f245a45da05f4ac8f880e3296
Author: Jonathan Corbet
Date:   Mon Feb 11 16:17:33 2008 -0700

    Be more robust about bad arguments in get_user_pages()

    patch 900cf086fd2fbad07f72f4575449e0d0958f860f in mainline.

    So I spent a while pounding my head against my monitor trying to
    figure out the vmsplice() vulnerability - how could a failure to
    check for *read* access turn into a root exploit?
    It turns out that it's a buffer overflow problem which is made easy
    by the way get_user_pages() is coded.

    In particular, "len" is a signed int, and it is only checked at the
    *end* of a do {} while() loop. So, if it is passed in as zero, the
    loop will execute once and decrement len to -1. At that point, the
    loop will proceed until the next invalid address is found; in the
    process, it will likely overflow the pages array passed in to
    get_user_pages().

    I think that, if get_user_pages() has been asked to grab zero pages,
    that's what it should do. Thus this patch; it is, among other things,
    enough to block the (already fixed) root exploit and any others which
    might be lurking in similar code. I also think that the number of
    pages should be unsigned, but changing the prototype of this function
    probably requires some more careful review.

    Signed-off-by: Jonathan Corbet
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 5e10c4208a7b87b4bc0e42622109a6d9e8453419
Author: Herbert Xu
Date:   Fri Feb 15 01:32:40 2008 -0800

    AUDIT: Increase skb->truesize in audit_expand

    Upstream commit: 406a1d868001423c85a3165288e566e65f424fe6

    The recent UDP patch exposed this bug in the audit code. It
    was calling pskb_expand_head without increasing skb->truesize.
    The caller of pskb_expand_head needs to do so because that function
    is designed to be called in places where truesize is already fixed
    and therefore it doesn't update its value.

    Because the audit system is using it in a place where the truesize
    has not yet been fixed, it needs to update its value manually.

    Signed-off-by: Herbert Xu
    Acked-by: James Morris
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 47b66fe95afa8400cefaea06263ab8948d8465ba
Author: Dave Young
Date:   Fri Feb 15 01:34:03 2008 -0800

    BLUETOOTH: Add conn add/del workqueues to avoid connection fail.

    Upstream commit: b6c0632105f7d7548f1d642ba830088478d4f2b0

    The bluetooth hci_conn sysfs add/del are executed in the default
    workqueue.
    If the del_conn is executed after the new add_conn with same target,
    add_conn will fail with warning of "same kobject name".

    Here add btaddconn & btdelconn workqueues, flush the btdelconn
    workqueue in the add_conn function to avoid the issue.

    Signed-off-by: Dave Young
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 8f08540f032d07a7fb8f7576140ca426c55396f3
Author: Herbert Xu
Date:   Fri Feb 15 01:55:06 2008 -0800

    INET: Prevent out-of-sync truesize on ip_fragment slow path

    Upstream commit: 29ffe1a5c52dae13b6efead97aab9b058f38fce4

    When ip_fragment has to hit the slow path the value of skb->truesize
    may go out of sync because we would have updated it without changing
    the packet length. This violates the constraints on truesize.

    This patch postpones the update of skb->truesize to prevent this.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 4450ae03346faceb80a45b4d696c15f981080916
Author: Arnaldo Carvalho de Melo
Date:   Fri Feb 15 01:41:34 2008 -0800

    INET_DIAG: Fix inet_diag_lock_handler error path.

    Upstream commit: 8cf8e5a67fb07f583aac94482ba51a7930dab493

    Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=9825

    The inet_diag_lock_handler function uses ERR_PTR to encode errors but
    its callers were testing against NULL.

    This only happens when the only inet_diag modular user, DCCP, is not
    built into the kernel or available as a module.

    Also there was a problem with not dropping the mutex lock when a
    handler was not found, also fixed in this patch.

    This caused an OOPS and ss would then hang on subsequent calls, as
    &inet_diag_table_mutex was being left locked.

    Thanks to spike at ml.yaroslavl.ru for reporting it after trying
    'ss -d' on a kernel that doesn't have DCCP available.

    This bug was introduced in cset
    d523a328fb0271e1a763e985a21f2488fd816e7e ("Fix inet_diag dead-lock
    regression"), after 2.6.24-rc3, so just 2.6.24 seems to be affected.

    Signed-off-by: Arnaldo Carvalho de Melo
    Acked-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 363c11d7e1c2b2cc30e33416a518cea5ef9e0cc8
Author: Herbert Xu
Date:   Fri Feb 15 01:44:03 2008 -0800

    IPCOMP: Fetch nexthdr before ipch is destroyed

    Upstream commit: 2614fa59fa805cd488083c5602eb48533cdbc018

    When I moved the nexthdr setting out of IPComp I accidentally moved
    the reading of ipch->nexthdr after the decompression. Unfortunately
    this means that we'd be reading from a stale ipch pointer which
    doesn't work very well.

    This patch moves the reading up so that we get the correct nexthdr
    value.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit cefe34bea77e194fd6b6a7a062e1620af2eef69f
Author: Herbert Xu
Date:   Fri Feb 15 01:42:57 2008 -0800

    IPCOMP: Fix reception of incompressible packets

    Upstream commit: b1641064a3f4a58644bc2e8edf40c025c58473b4

    I made a silly typo by entering IPPROTO_IP (== 0) instead of
    IPPROTO_IPIP (== 4). This broke the reception of incompressible
    packets.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit f52a4f4ea2c5ea3dc17561d32d839a3051e47b0c
Author: Julian Anastasov
Date:   Fri Feb 15 01:38:53 2008 -0800

    IPV4: fib: fix route replacement, fib_info is shared

    Upstream commit: c18865f39276435abb9286f9a816cb5b66c99a00

    fib_info can be shared by many route prefixes but we don't want
    duplicate alternative routes for a prefix+tos+priority. Last change
    was not correct to check fib_treeref because it accounts usage from
    other prefixes. Additionally, avoid replacement without error if new
    route is same, as Joonwoo Park suggests.

    Signed-off-by: Julian Anastasov
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 3eb4493a1c64bb9c63979f73d471eba255cfa78c
Author: Julian Anastasov
Date:   Fri Feb 15 01:39:42 2008 -0800

    IPV4: fib_trie: apply fixes from fib_hash

    Upstream commit: 936f6f8e1bc46834bbb3e3fa3ac13ab44f1e7ba6

    Update fib_trie with some fib_hash fixes:
    - check for duplicate alternative routes for prefix+tos+priority when
      replacing route
    - properly insert by matching tos together with priority
    - fix alias walking to use list_for_each_entry_continue for insertion
      and deletion when fa_head is not NULL
    - copy state from fa to new_fa on replace (not a problem for now)
    - additionally, avoid replacement without error if new route is same,
      as Joonwoo Park suggests.

    Signed-off-by: Julian Anastasov
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 5fb7ba76544d95bfa05199f7394a442de5660be7
Author: Stephen Hemminger
Date:   Fri Feb 15 01:31:32 2008 -0800

    NET: Add if_addrlabel.h to sanitized headers.

    Upstream commit: dded91611a728d65721cdab3dd41d801a356fa15

    if_addrlabel.h is needed for iproute2 usage.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit e2a0956c9d1c9eebd51849c58fcbc7477c618a19
Author: Stephen Hemminger
Date:   Fri Feb 15 01:36:36 2008 -0800

    PKT_SCHED: ematch: oops from uninitialized variable (resend)

    Upstream commit: 268bcca1e7b0d244afd07ea89cda672e61b0fc4a

    Setting up a meta match causes a kernel OOPS because of uninitialized
    elements in tree.

    [ 37.322381] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
    [ 37.322381] IP: [] :em_meta:em_meta_destroy+0x17/0x80
    [ 37.322381] Call Trace:
    [ 37.322381] [] tcf_em_tree_destroy+0x2d/0xa0
    [ 37.322381] [] tcf_em_tree_validate+0x2dc/0x4a0
    [ 37.322381] [] nla_parse+0x92/0xe0
    [ 37.322381] [] :cls_basic:basic_change+0x202/0x3c0
    [ 37.322381] [] kmem_cache_alloc+0x67/0xa0
    [ 37.322381] [] tc_ctl_tfilter+0x3b1/0x580
    [ 37.322381] [] rtnetlink_rcv_msg+0x0/0x260
    [ 37.322381] [] netlink_rcv_skb+0x74/0xa0
    [ 37.322381] [] rtnetlink_rcv+0x18/0x20
    [ 37.322381] [] netlink_unicast+0x263/0x290
    [ 37.322381] [] __alloc_skb+0x96/0x160
    [ 37.322381] [] netlink_sendmsg+0x274/0x340
    [ 37.322381] [] sock_sendmsg+0x12b/0x140
    [ 37.322381] [] autoremove_wake_function+0x0/0x30
    [ 37.322381] [] autoremove_wake_function+0x0/0x30
    [ 37.322381] [] sock_sendmsg+0x12b/0x140
    [ 37.322381] [] zone_statistics+0xb1/0xc0
    [ 37.322381] [] sys_sendmsg+0x20e/0x360
    [ 37.322381] [] sockfd_lookup_light+0x41/0x80
    [ 37.322381] [] handle_mm_fault+0x3eb/0x7f0
    [ 37.322381] [] system_call_after_swapgs+0x7b/0x80

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 07e6e223bed8c3d387f92f92a4706ff6d601b285
Author: Paul Moore
Date:   Fri Feb 15 01:46:10 2008 -0800

    SELinux: Fix double free in selinux_netlbl_sock_setsid()

    Upstream commit: e1770d97a730ff4c3aa1775d98f4d0558390607f

    As pointed out by Adrian Bunk, commit
    45c950e0f839fded922ebc0bfd59b1081cc71b70 ("fix memory leak in netlabel
    code") caused a double-free when security_netlbl_sid_to_secattr()
    fails. This patch fixes this by removing the netlbl_secattr_destroy()
    call from that function since we are already releasing the secattr
    memory in selinux_netlbl_sock_setsid().

    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 79a25f70244c66402c99d9b32d19204dfded85d0
Author: Stephen Hemminger
Date:   Fri Feb 15 01:37:49 2008 -0800

    TC: oops in em_meta

    Upstream commit: 04f217aca4d803fe72c2c54fe460d68f5233ce52

    If userspace passes an unknown match index into em_meta, then
    em_meta_change will return an error and the data for the match will
    not be set. This then causes a null pointer dereference when the
    cleanup is done in the error path via tcf_em_tree_destroy. Since the
    tree structure comes from kzalloc, it is initialized to NULL.

    Discovered when testing a new version of tc command against an
    accidental older kernel.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 5531e217653acba748a687e949e9e2f39462c969
Author: Shan Wei
Date:   Fri Feb 15 01:48:20 2008 -0800

    TCP: Fix a bug in strategy_allowed_congestion_control

    Upstream commit: 16ca3f913001efdb6171a2781ef41c77474e3895

    In strategy_allowed_congestion_control of the 2.6.24 kernel, when
    sysctl_string returns 1 on success, it should call
    tcp_set_allowed_congestion_control to set the allowed congestion
    control. But it doesn't.
    The sysctl_string returns 1 on success, otherwise returns negative,
    never returns 0. The patch fixes the problem.

    Signed-off-by: Shan Wei
    Acked-by: Stephen Hemminger
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit c5ae77d37bde1e9b2db48026f6a483a7fd08c076
Author: James Bottomley
Date:   Sat Feb 2 16:06:23 2008 -0600

    SCSI: sd: handle bad lba in sense information

    patch 366c246de9cec909c5eba4f784c92d1e75b4dc38 in mainline.

    Some devices report medium error locations incorrectly. Add guards to
    make sure the reported bad lba is actually in the request that caused
    it. Additionally remove the large case statement for sector sizes and
    replace it with the proper u64 divisions.

    Tested-by: Mike Snitzer
    Cc: Stable Tree
    Cc: Tony Battersby
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 0a2395cc34d5d170a6597c41435de9199f187437
Author: Al Viro
Date:   Fri Feb 1 07:05:44 2008 +0000

    Fix dl2k constants

    patch 9c52fab2f187636b39afb0dcf562872ed42ab608 in mainline.

    The MSSR constants didn't match the reality - bitfield declarations
    used to be correct (1000BT_FD - bit 11, 1000BT_HD - bit 10), but enum
    had them the other way round. Went unnoticed until the switch from
    the bitfields use to the explicit arithmetics and I hadn't caught that
    one when verifying correctness of change...

    Signed-off-by: Al Viro
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 311fd5af55d60bea90c25ac314ba648e9415fd1f
Author: David Chinner
Date:   Wed Feb 6 10:52:15 2008 +1100

    XFS: Fix oops in xfs_file_readdir()

    patch 450790a2c51e6d9d47ed30dbdcf486656b8e186f in mainline.

    Several occurrences of oops in xfs_file_readdir() on ia32 have been
    reported since 2.6.24 was released. This is a regression introduced
    in 2.6.24 and is relatively easy to hit. The patch below fixes the
    problem.

    Signed-off-by: Dave Chinner
    Signed-off-by: Lachlan McIlroy
    Signed-off-by: Greg Kroah-Hartman

commit 091a61f602b7db7f4d1fdcb41e6ff9a97a6e0cce
Author: Nishanth Aravamudan
Date:   Fri Feb 8 04:18:18 2008 -0800

    hugetlb: add locking for overcommit sysctl

    patch a3d0c6aa1bb342b9b2c7b123b52ac2f48a4d4d0a in mainline.

    When I replaced hugetlb_dynamic_pool with nr_overcommit_hugepages I
    used proc_doulongvec_minmax() directly. However, hugetlb.c's locking
    rules require that all counter modifications occur under the
    hugetlb_lock. Add a callback into the hugetlb code similar to the one
    for nr_hugepages. Grab the lock around the manipulation of
    nr_overcommit_hugepages in proc_doulongvec_minmax().

    Signed-off-by: Nishanth Aravamudan
    Acked-by: Adam Litke
    Cc: David Gibson
    Cc: William Lee Irwin III
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 0cc3ec3d1add90d860786382dc5abe7ca94d242e
Author: Ulisses Furquim
Date:   Fri Feb 8 04:18:16 2008 -0800

    inotify: fix check for one-shot watches before destroying them

    patch ac74c00e499ed276a965e5b5600667d5dc04a84a in mainline.

    As the IN_ONESHOT bit is never set when an event is sent we must
    check it in the watch's mask and not in the event's mask.

    Signed-off-by: Ulisses Furquim
    Reported-by: "Clem Taylor"
    Tested-by: "Clem Taylor"
    Cc: Amy Griffis
    Cc: Robert Love
    Cc: John McCutchan
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit a1a0d79533b9698b3a40d0091fe69a86386d44bb
Author: Trond Myklebust
Date:   Fri Feb 8 14:01:02 2008 -0500

    NFS: Fix a potential file corruption issue when writing

    patch 5d47a35600270e7115061cb1320ee60ae9bcb6b8 in mainline.

    If the inode is flagged as having an invalid mapping, then we can't
    rely on the PageUptodate() flag. Ensure that we don't use the
    "anti-fragmentation" write optimisation in nfs_updatepage(), since
    that will cause NFS to write out areas of the page that are no longer
    guaranteed to be up to date.

    A potential corruption could occur in the following scenario:

    client 1                            client 2
    ===============                     ===============
                                        fd=open("f",O_CREAT|O_WRONLY,0644);
                                        write(fd,"fubar\n",6); // cache last page
                                        close(fd);
    fd=open("f",O_WRONLY|O_APPEND);
    write(fd,"foo\n",4);
    close(fd);

                                        fd=open("f",O_WRONLY|O_APPEND);
                                        write(fd,"bar\n",4);
                                        close(fd);
    -----
    The bug may lead to the file "f" reading 'fubar\n\0\0\0\nbar\n'
    because client 2 does not update the cached page after re-opening the
    file for write. Instead it keeps it marked as PageUptodate() until
    someone calls invalidate_inode_pages2() (typically by calling read()).

    The bug was introduced by commit
    44b11874ff583b6e766a05856b04f3c492c32b84 "NFS: Separate metadata and
    page cache revalidation mechanisms"

    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit c17ebea7bec9333f4208ba25d8ebe3ccc2bb8598
Author: Jozsef Kadlecsik
Date:   Tue Feb 19 16:24:01 2008 +0100

    NETFILTER: nf_conntrack_tcp: conntrack reopening fix

    [NETFILTER]: nf_conntrack_tcp: conntrack reopening fix

    [Upstream commits b2155e7f + d0c1fd7a]

    TCP connection tracking in netfilter did not handle TCP reopening
    properly: active close was taken into account for one side only and
    not for any side, which is fixed now. The patch includes more comments
    to explain the logic how the different cases are handled.
    The bug was discovered by Jeff Chua.

    Signed-off-by: Jozsef Kadlecsik
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit 9884948ab9d3ff59a1d77fd24c2d93af7686225f
Author: David Miller
Date:   Fri Feb 15 02:05:53 2008 -0800

    SPARC/SPARC64: Fix usage of .section .sched.text in assembler code.

    [SPARC/SPARC64]: Fix usage of .section .sched.text in assembler code.

    Upstream commit: c6d64c16bb193c8ca2ccc0b3c556a4574a02408b

    ld will generate a uniquely named section when the assembler does not
    use "ax" but gcc does. Add the missing annotation.

    Signed-off-by: Sam Ravnborg
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
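
The zero-length case described in the get_user_pages() commit above, shown as an added userspace illustration in C (not code from the kernel or from the patch). model_get_pages(), the 16-page constructed address space and the check_len switch are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed address space: page numbers 0..15 are mapped, and page 16
 * is the "next invalid address" at which the runaway loop stops. */
#define MODEL_MAPPED_PAGES 16

/* Scratch array large enough for every mapped page, so the model can
 * count stores without itself writing out of bounds. */
static long model_pages[MODEL_MAPPED_PAGES];

static int model_addr_valid(long page)
{
    return page >= 0 && page < MODEL_MAPPED_PAGES;
}

/*
 * Hypothetical stand-in for the loop shape the commit message describes:
 * "len" is a signed int and is tested only at the bottom of do {} while.
 * check_len != 0 models a guard that returns before the loop when zero
 * (or fewer) pages were requested.
 * Returns the number of entries stored, or -EFAULT if none could be.
 */
static int model_get_pages(long start, int len, long *pages, int check_len)
{
    int i = 0;

    if (check_len && len <= 0)
        return 0;

    do {
        if (!model_addr_valid(start))
            return i ? i : -EFAULT;
        pages[i++] = start;   /* one store per iteration */
        start++;
        len--;                /* 0 becomes -1 on the first pass */
    } while (len);            /* -1 is non-zero, so the loop continues */

    return i;
}

/* Entries stored when the length is tested only at the end of the loop. */
int stored_unguarded(long start, int len)
{
    return model_get_pages(start, len, model_pages, 0);
}

/* Entries stored when a non-positive length returns early. */
int stored_guarded(long start, int len)
{
    return model_get_pages(start, len, model_pages, 1);
}

/* Stores beyond the count the caller asked for, i.e. beyond the array
 * size a caller would have allocated for that request. */
int overrun(int requested, int stored)
{
    int wanted = requested > 0 ? requested : 0;

    return stored > wanted ? stored - wanted : 0;
}

int main(void)
{
    printf("len=0 unguarded: stored=%d overrun=%d\n",
           stored_unguarded(0, 0), overrun(0, stored_unguarded(0, 0)));
    printf("len=0 guarded:   stored=%d overrun=%d\n",
           stored_guarded(0, 0), overrun(0, stored_guarded(0, 0)));
    printf("len=4 guarded:   stored=%d\n", stored_guarded(0, 4));
    return 0;
}
```

A positive request behaves the same with or without the guard; only the zero or negative length changes the number of stores.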