commit 1420f09c0b8a88f9df2034e6ba04fcc4c3f6925e Author: Greg Kroah-Hartman Date: Thu May 1 14:45:25 2008 -0700 Linux 2.6.25.1 commit 9a6ec895392ed38549a94c855f045f3a83cb89af Author: Al Viro Date: Thu May 1 03:52:22 2008 +0100 Fix dnotify/close race (CVE-2008-1375) commit 214b7049a7929f03bbd2786aaef04b8b79db34e2 upstream. We have a race between fcntl() and close() that can lead to dnotify_struct inserted into inode's list *after* the last descriptor had been gone from current->files. Since that's the only point where dnotify_struct gets evicted, we are screwed - it will stick around indefinitely. Even after struct file in question is gone and freed. Worse, we can trigger send_sigio() on it at any later point, which allows to send an arbitrary signal to arbitrary process if we manage to apply enough memory pressure to get the page that used to host that struct file and fill it with the right pattern... Signed-off-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b0cc38c177802742d847469e0a06f4ad31d011cc Author: Linus Torvalds Date: Tue Apr 29 11:45:16 2008 -0700 drivers/net/tehuti: use proper capability check for raw IO access commit 6203554207728f43cfb9fd48585cd6500da73d42 in mainline. Yeah, in practice they both mean "root", but Alan correctly points out that anybody who gets to do raw IO space accesses should really be using CAP_SYS_RAWIO rather than CAP_NET_ADMIN. Pointed-out-by: Alan Cox Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f5f5e084959d9c22c43c235b206b2e2fe2971e7f Author: Thomas Gleixner Date: Tue Apr 29 01:15:10 2008 +0000 hrtimer: raise softirq unlocked to avoid circular lock dependency commit 0c96c5979a522c3323c30a078a70120e29b5bdbc upstream The scheduler hrtimer bits in 2.6.25 introduced a circular lock dependency in a rare code path: ======================================================= [ INFO: possible circular locking dependency detected ] 2.6.25-sched-devel.git-x86-latest.git #19 ------------------------------------------------------- X/2980 is trying to acquire lock: (&rq->rq_lock_key#2){++..}, at: [] task_rq_lock+0x56/0xa0 but task is already holding lock: (&cpu_base->lock){++..}, at: [] lock_hrtimer_base+0x31/0x60 which lock already depends on the new lock. The scenario which leads to this is: posix-timer signal is delivered -> posix-timer is rearmed timer is already expired in hrtimer_enqueue() -> softirq is raised To prevent this we need to move the raise of the softirq out of the base->lock protected code path. Signed-off-by: Thomas Gleixner Acked-by: Peter Zijlstra Signed-off-by: Greg Kroah-Hartman commit fa455bcd0a6460ef6543ebb212940fedf9f3170f Author: PJ Waskiewicz Date: Mon Apr 28 11:56:22 2008 -0700 x86: Fix 32-bit x86 MSI-X allocation leakage commit 9d9ad4b51d2b29b5bbeb4011f5e76f7538119cf9 upstream This bug was introduced in the 2.6.24 lguest merge, where MSI-X vector allocation will eventually fail. The cause is the new bit array tracking used vectors is not getting cleared properly on IRQ destruction on the 32-bit APIC code. This can be seen easily using the ixgbe 10 GbE driver on multi-core systems by simply loading and unloading the driver a few times. Depending on the number of available vectors on the host system, the MSI-X allocation will eventually fail, and the driver will only be able to use legacy interrupts. Signed-off-by: Peter P Waskiewicz Jr Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6ba675d46b278f478a22639b1c25b1476afcc351 Author: Ivan Kokshaysky Date: Thu Apr 24 16:54:50 2008 +0400 alpha: unbreak OSF/1 (a.out) binaries commit 2444e56b0c08e6f3e3877583841a1213e3263d98 upstream OSF/1 brk(2) was broken by following one-liner in sys_brk() (commit 4cc6028d4040f95cdb590a87db478b42b8be0508): - if (brk < mm->end_code) + if (brk < mm->start_brk) goto out; The problem is that osf_set_program_attributes() does update mm->end_code, but not mm->start_brk, which still contains inappropriate value left from binary loader, so brk() always fails. Signed-off-by: Ivan Kokshaysky Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d4aa5e3e3e76f3f8c54c7ab1259feabbd4b7da32 Author: Andrew Vasquez Date: Sun Apr 27 18:35:08 2008 +0000 SCSI: qla2xxx: Correct regression in relogin code. commit: 666301e673e192c87a40e07a8357d6996b57b70f upstream Commit 63a8651f2548c6bb5132c0b4e7dad4f57a9274db ([SCSI] qla2xxx: Correct infinite-login-retry issue.) introduced a small regression where a successful relogin would result in an fcport's loop_id to be incorrectly reset to FC_NO_LOOP_ID. Only clear-out loopid, if retries have been 'truly' exhausted. Signed-off-by: Andrew Vasquez Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit a45a6e6cd8a526bbd4b4fad99a276ec6329c810c Author: Chien Tung Date: Sun Apr 27 18:35:11 2008 +0000 RDMA/nes: Fix adapter reset after PXE boot commit: bc5698f3ecc9587e1edb343a2878f8d228c49e0e upstream After PXE boot, the iw_nes driver does a full reset to ensure the card is in a clean state. However, it doesn't wait for firmware to complete its work before issuing a port reset to enable the ports, which leads to problems bringing up the ports. The solution is to wait for firmware to complete its work before proceeding with port reset. This bug was flagged by Roland Dreier . Signed-off-by: Chien Tung Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 59c5775ada913643998fd78d8a5b1a76ba57515f Author: Bodo Stroesser Date: Mon Apr 28 17:15:50 2008 +0000 hrtimer: timeout too long when using HRTIMER_CB_SOFTIRQ commit d7b41a24bfb5d7fa02f7b49be1293d468814e424 upstream When using hrtimer with timer->cb_mode == HRTIMER_CB_SOFTIRQ in some cases the clockevent is not programmed. This happens, if: - a timer is rearmed while it's state is HRTIMER_STATE_CALLBACK - hrtimer_reprogram() returns -ETIME, when it is called after CALLBACK is finished. This occurs if the new timer->expires is in the past when CALLBACK is done. In this case, the timer needs to be removed from the tree and put onto the pending list again. The patch is against 2.6.22.5, but AFAICS, it is relevant for 2.6.25 also (in run_hrtimer_pending()). Signed-off-by: Bodo Stroesser Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit de15f7b048a6fe9df998a4fd854a0ac9eb87b80f Author: Johannes Weiner Date: Mon Apr 28 17:15:47 2008 +0000 mm: fix possible off-by-one in walk_pte_range() commit 556637cdabcd5918c7d4a1a2679b8f86fc81e891 upstream After the loop in walk_pte_range() pte might point to the first address after the pmd it walks. The pte_unmap() is then applied to something bad. Spotted by Roel Kluin and Andreas Schwab. Signed-off-by: Johannes Weiner Cc: Roel Kluin <12o3l@tiscali.nl> Cc: Andreas Schwab Acked-by: Matt Mackall Acked-by: Mikael Pettersson Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 35a398abdc1b5111b62bca9174bc5ccf973ab6dc Author: Roel Kluin <12o3l@tiscali.nl> Date: Mon Apr 28 17:15:41 2008 +0000 dz: test after postfix decrement fails in dz_console_putchar() commit 1ecf0d0cd28a4bfed3009f752061998e52d14db2 upstream When loops reaches 0 the postfix decrement still subtracts, so the subsequent test fails. Signed-off-by: Roel Kluin <12o3l@tiscali.nl> Acked-by: Maciej W. Rozycki Cc: Johannes Weiner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f2645293d3aa4ecde52a3f5e6982b43d60171f36 Author: David Brownell Date: Mon Apr 28 17:15:29 2008 +0000 rtc-pcf8583 build fix commit 77459b059b02c16b2c8cbc39b524941a576ad36e upstream Fix bogus #include in rtc-pcf8583, so it compiles on platforms that don't support PC clone RTCs. (Original issue noted by Adrian Bunk.) Signed-off-by: David Brownell Cc: Adrian Bunk Acked-by: Alessandro Zummo Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit bcf2286df0f605a6e44212a494eafa95b8f6c64e Author: Jeff Moyer Date: Mon Apr 28 17:15:24 2008 +0000 aio: io_getevents() should return if io_destroy() is invoked commit e92adcba261fd391591bb63c1703185a04a41554 upstream This patch wakes up a thread waiting in io_getevents if another thread destroys the context. This was tested using a small program that spawns a thread to wait in io_getevents while the parent thread destroys the io context and then waits for the getevents thread to exit. Without this patch, the program hangs indefinitely. With the patch, the program exits as expected. Signed-off-by: Jeff Moyer Cc: Zach Brown Cc: Christopher Smith Cc: Benjamin LaHaise Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 71d27b2ed5191a1c5b32e360e74f32fe513d6ed2 Author: Jeff Garzik Date: Fri Apr 25 03:11:31 2008 -0400 tehuti: move ioctl perm check closer to function start (CVE-2008-1675) Commit f946dffed6334f08da065a89ed65026ebf8b33b4 upstream Noticed by davem. Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 492d59860bd9a36deac6c3189ba98af355108324 Author: Francois Romieu Date: Sun Apr 20 19:32:34 2008 +0200 tehuti: check register size (CVE-2008-1675) commit 6131a2601f42cd7fdbac0e960713396fe68af59f upstream Signed-off-by: Francois Romieu Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit bc7f6557b7d084a64236ec7fbe64383e89d94602 Author: Michael Buesch Date: Thu Apr 24 20:06:11 2008 +0200 b43: Workaround DMA quirks commit 1033b3ea11820ea1fb1b877207bd6724e9aaedc3 upstream Some mainboards/CPUs don't allow DMA masks bigger than a certain limit. Some VIA crap^h^h^h^hdevices have an upper limit of 0xFFFFFFFF. So in this case a 64-bit b43 device would always fail to acquire the mask. Implement a workaround to fallback to lower DMA mask, as we can always also support a lower mask. Signed-off-by: Michael Buesch Signed-off-by: John W. Linville commit 952bfae3bf0b692dabc625231faa80ce467b99b2 Author: Michael Buesch Date: Thu Apr 24 20:04:38 2008 +0200 b43: Add more btcoexist workarounds commit 9fc38458355525f801cd2ab403ac89850489a05e upstream This adds more workarounds for devices with broken BT bits. Signed-off-by: Michael Buesch Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 402ccf6d6694ecf758cfa5337b546c87aca2c823 Author: Michael Buesch Date: Thu Apr 24 20:02:41 2008 +0200 b43: Workaround invalid bluetooth settings commit 1855ba7812dbd294fcfc083dc7d3b14d3b1f38db upstream. This adds a workaround for invalid bluetooth SPROM settings on ASUS PCI cards. This will stop the microcode from poking with the BT GPIO line. This fixes data transmission on this device, as the BT GPIO line is used for something TX related on this device (probably the power amplifier or the radio). This also adds a modparam knob to help debugging this in the future, as more devices with this bug may show up. Signed-off-by: Michael Buesch Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ad99c57f6a6bd8e820a05deec8bd7a3d6ce744fd Author: Larry Finger Date: Thu Apr 24 20:00:45 2008 +0200 ssb: Fix all-ones boardflags commit 4503183aa32e6886400d82282292934fa64a81b0 upstream In the SSB SPROM a field set to all ones means the value is not defined in the SPROM. In case of the boardflags, we need to set them to zero to avoid confusing drivers. Drivers will only check the flags by ANDing. Signed-off-by: Larry Finger Signed-off-by: Gabor Stefanik Signed-off-by: Michael Buesch Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 0e04319ce5090269eeb94cc13d85247ed214e95b Author: Björn Steinbrink Date: Mon Mar 31 04:22:53 2008 +0200 x86, pci: fix off-by-one errors in some pirq warnings commit 223ac2f42d49dd0324ca02ea15897ead1a2f5133 upstream. fix bogus pirq warnings reported in: http://bugzilla.kernel.org/show_bug.cgi?id=10366 safe to be backported to v2.6.25 and earlier. Signed-off-by: Björn Steinbrink Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit bbb3f67ee46679d6b18373b029723aae199ab7e8 Author: Eric Paris Date: Mon Apr 21 16:24:11 2008 -0400 SELinux: no BUG_ON(!ss_initialized) in selinux_clone_mnt_opts commit 0f5e64200f20fc8f5b759c4010082f577ab0af3f upstream The Fedora installer actually makes multiple NFS mounts before it loads selinux policy. The code in selinux_clone_mnt_opts() assumed that the init process would always be loading policy before NFS was up and running. It might be possible to hit this in a diskless environment as well, I'm not sure. There is no need to BUG_ON() in this situation since we can safely continue given the circumstances. Signed-off-by: Eric Paris Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 050aa73d317bb6f8182c1ee8d4850c3aee873d7a Author: Sreenivasa Honnur Date: Fri Apr 25 13:22:41 2008 -0400 S2io: Version update for memory leak fix during free_tx_buffers commit 10371b5e6ba22173425877ea6a7040619b005fa1 upstream - Updated version number. Signed-off-by: Santosh Rastapur Signed-off-by: Ramkrishna Vepa Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit d7380f30c886bf78319f721a13fd61b3fd094849 Author: Sreenivasa Honnur Date: Fri Apr 25 13:21:40 2008 -0400 S2io: Fix memory leak during free_tx_buffers commit b35b3b49fc6750806964048b31799c8782980ef9 upstream - Fix the memory leak during free_tx_buffers. Signed-off-by: Santosh Rastapur Signed-off-by: Ramkrishna Vepa Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit dcbfddf29347e68493d959d9592e5fea654fd624 Author: Steven Toth Date: Thu Apr 24 20:52:40 2008 -0400 V4L: cx88: enable radio GPIO correctly (cherry picked from commit 6b92b3bd7ac91b7e255541f4be9bfd55b12dae41) This patch fixes an issue on the HVR1300, where GPIO is blown away due to the radio input being undefined, breaking the functionality of the DVB demodulator and MPEG2 encoder used on the cx8802 mpeg TS port. This is a minimal patch for 2.6.26 and the -stable series. This must be fixed a better way for 2.6.27. Signed-off-by: Steven Toth Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit 9d7b4f5b64ffaf423a1a92d330f7fe78fc3c8a81 Author: Mauro Carvalho Chehab Date: Thu Apr 24 20:52:33 2008 -0400 V4L: tea5761: bugzilla #10462: tea5761 autodetection code were broken (cherry picked from commit 867e835f4db4eba6d49072382cc05fc210c4ed1c) Fix bugzilla #10462: "tea5761 autodetection code were broken" Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit e0a632072b86e0a1c00d29678c0f91ea2a89466b Author: Alan Cox Date: Thu Apr 24 20:52:24 2008 -0400 V4L: Fix VIDIOCGAP corruption in ivtv (cherry picked from commit d2b213f7b76f187c4391079c7581d3a08b940133) Frank Bennett reported that ivtv was causing skype to crash. With help from one of their developers he showed it was a kernel problem. VIDIOCGCAP copies a name into a fixed length buffer - ivtv uses names that are too long and does not truncate them so corrupts a few bytes of the app data area. Possibly the names also want trimming but for now this should fix the corruption case. Signed-off-by: Alan Cox Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit 2bef74464c8f5b9da0cb489c9867cf88bd5a735a Author: Roland Dreier Date: Fri Apr 18 16:25:17 2008 +0000 RDMA/nes: Free IRQ before killing tasklet commit: 4cd1e5eb3cbe6e0cc934959770b4c60eac6ecf66 Move the free_irq() call in nes_remove() to before the tasklet_kill(); otherwise there is a window after tasklet_kill() where a new interrupt can be handled and reschedule the tasklet, leading to a use-after-free crash. Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit bc657c218dc4f0d8fbb5fb9c746c0dd9736e128a Author: Li Zefan Date: Fri Apr 18 16:25:10 2008 +0000 cgroup: fix a race condition in manipulating tsk->cg_list commit: 0e04388f0189fa1f6812a8e1cb6172136eada87e When I ran a test program to fork mass processes and at the same time 'cat /cgroup/tasks', I got the following oops: ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:72! invalid opcode: 0000 [#1] SMP Pid: 4178, comm: a.out Not tainted (2.6.25-rc9 #72) ... Call Trace: [] ? cgroup_exit+0x55/0x94 [] ? do_exit+0x217/0x5ba [] ? do_group_exit+0.65/0x7c [] ? sys_exit_group+0xf/0x11 [] ? syscall_call+0x7/0xb [] ? init_cyrix+0x2fa/0x479 ... EIP: [] list_del+0x35/0x53 SS:ESP 0068:ebc7df4 ---[ end trace caffb7332252612b ]--- Fixing recursive fault but reboot is needed! After digging into the code and debugging, I finlly found out a race situation: do_exit() ->cgroup_exit() ->if (!list_empty(&tsk->cg_list)) list_del(&tsk->cg_list); cgroup_iter_start() ->cgroup_enable_task_cg_list() ->list_add(&tsk->cg_list, ..); In this case the list won't be deleted though the process has exited. We got two bug reports in the past, which seem to be the same bug as this one: http://lkml.org/lkml/2008/3/5/332 http://lkml.org/lkml/2007/10/17/224 Actually sometimes I got oops on list_del, sometimes oops on list_add. And I can change my test program a bit to trigger other oops. The patch has been tested both on x86_32 and x86_64. Signed-off-by: Li Zefan Acked-by: Paul Menage Cc: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e7606a8778abd6e7458e923cfbc045382c24dd03 Author: Mikulas Patocka Date: Fri Apr 25 20:05:39 2008 +0000 dm snapshot: fix chunksize sector conversion commit: 924362629bf5645aee5f49f8a0d0d5b193e65997 If a snapshot has a smaller chunksize than the page size the conversion to pages currently returns 0 instead of 1, causing: kernel BUG in mempool_resize. Signed-off-by: Mikulas Patocka Signed-off-by: Milan Broz Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 6608b478c7ddc1122582fc94879e6998b895a096 Author: Alan Stern Date: Fri Apr 25 20:05:46 2008 +0000 USB: OHCI: fix bug in controller resume commit: 0d22f65515307c878ddd20b1305cce925ca9516c This patch (as1063) fixes a bug in the way ohci-hcd resumes its controllers. It leaves the Master Interrupt Enable bit turned off. If the root hub is resumed immediately this won't matter. But if the root hub is suspended (say because no devices are plugged in), it won't ever wake up by itself. Signed-off-by: Alan Stern CC: David Brownell Signed-off-by: Greg Kroah-Hartman commit ec6c4d0ac90344251c631a58493ac680a19eca8a Author: Herbert Xu Date: Fri Apr 25 01:41:47 2008 -0700 IPSEC: Fix catch-22 with algorithm IDs above 31 [ Upstream commit: c5d18e984a313adf5a1a4ae69e0b1d93cf410229 ] As it stands it's impossible to use any authentication algorithms with an ID above 31 portably. It just happens to work on x86 but fails miserably on ppc64. The reason is that we're using a bit mask to check the algorithm ID but the mask is only 32 bits wide. After looking at how this is used in the field, I have concluded that in the long term we should phase out state matching by IDs because this is made superfluous by the reqid feature. For current applications, the best solution IMHO is to allow all algorithms when the bit masks are all ~0. The following patch does exactly that. This bug was identified by IBM when testing on the ppc64 platform using the NULL authentication algorithm which has an ID of 251. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dc2ee1a436bee6ada5afeedb62dc015ed5553f3d Author: Pavel Emelyanov Date: Fri Apr 25 01:49:48 2008 -0700 net: Fix wrong interpretation of some copy_to_user() results. [ Upstream commit: 653252c2302cdf2dfbca66a7e177f7db783f9efa ] I found some places, that erroneously return the value obtained from the copy_to_user() call: if some amount of bytes were not able to get to the user (this is what this one returns) the proper behavior is to return the -EFAULT error, not that number itself. Signed-off-by: Pavel Emelyanov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 75e109ad447b0bded3f0e2b2def52bce4fa9a1ea Author: Bernard Pidoux Date: Fri Apr 25 01:42:36 2008 -0700 rose: Socket lock was not released before returning to user space [ Upstream commit: 43837b1e6c5aef803d57009a68db18df13e64892 ] ================================================ [ BUG: lock held when returning to user space! ] ------------------------------------------------ xfbbd/3683 is leaving the kernel with locks still held! 1 lock held by xfbbd/3683: #0: (sk_lock-AF_ROSE){--..}, at: [] rose_connect+0x73/0x420 [rose] INFO: task xfbbd:3683 blocked for more than 120 seconds. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. xfbbd D 00000246 0 3683 3669 c6965ee0 00000092 c02c5c40 00000246 c0f6b5f0 c0f6b5c0 c0f6b5f0 c0f6b5c0 c0f6b614 c6965f18 c024b74b ffffffff c06ba070 00000000 00000000 00000001 c6ab07c0 c012d450 c0f6b634 c0f6b634 c7b5bf10 c0d6004c c7b5bf10 c6965f40 Call Trace: [] lock_sock_nested+0x6b/0xd0 [] ? autoremove_wake_function+0x0/0x40 [] sock_fasync+0x41/0x150 [] sock_close+0x19/0x40 [] __fput+0xb4/0x170 [] fput+0x18/0x20 [] filp_close+0x3e/0x70 [] sys_close+0x69/0xb0 [] sysenter_past_esp+0x5f/0xa5 ======================= INFO: lockdep is turned off. Signed-off-by: Bernard Pidoux Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7b6f7f4d0fe48c84a499292947cc1bfcb74e6fc5 Author: Patrick McHardy Date: Wed Apr 23 22:10:48 2008 -0700 RTNETLINK: Fix bogus ASSERT_RTNL warning [ Upstream commit: c9c1014b2bd014c7ec037bbb6f58818162fdb265 ] ASSERT_RTNL uses mutex_trylock to test whether the rtnl_mutex is held. This bogus warnings when running in atomic context, which f.e. happens when adding secondary unicast addresses through macvlan or vlan or when synchronizing multicast addresses from wireless devices. Mid-term we might want to consider moving all address updates to process context since the locking seems overly complicated, for now just fix the bogus warning by changing ASSERT_RTNL to use mutex_is_locked(). Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e8a8637fe11a48ca358a8839bbe8ddb871cd30e1 Author: John Heffner Date: Fri Apr 25 01:43:57 2008 -0700 TCP: Increase the max_burst threshold from 3 to tp->reordering. [ Upstream commit: dd9e0dda66ba38a2ddd1405ac279894260dc5c36 ] This change is necessary to allow cwnd to grow during persistent reordering. Cwnd moderation is applied when in the disorder state and an ack that fills the hole comes in. If the hole was greater than 3 packets, but less than tp->reordering, cwnd will shrink when it should not have. Signed-off-by: John Heffner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 36b9699b534c7fa75258426ea137c23f4dca9bc0 Author: Tom Quetchenbach Date: Fri Apr 25 01:45:32 2008 -0700 tcp: tcp_probe buffer overflow and incorrect return value [ Upstream commit: 8d390efd903485923419584275fd0c2aa4c94183 ] tcp_probe has a bounds-checking bug that causes many programs (less, python) to crash reading /proc/net/tcp_probe. When it outputs a log line to the reader, it only checks if that line alone will fit in the reader's buffer, rather than that line and all the previous lines it has already written. tcpprobe_read also returns the wrong value if copy_to_user fails--it just passes on the return value of copy_to_user (number of bytes not copied), which makes a failure look like a success. This patch fixes the buffer overflow and sets the return value to -EFAULT if copy_to_user fails. Patch is against latest net-2.6; tested briefly and seems to fix the crashes in less and python. Signed-off-by: Tom Quetchenbach Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9287ef4c9e3f3d0d9f412f910207b8b77a1e51eb Author: Matt Carlson Date: Fri Apr 25 01:46:46 2008 -0700 tg3: 5701 DMA corruption fix [ Upstream commit: 41588ba1ae166eaba0a70abf2d7ff064ad9331d3 ] Herbert Xu's commit fb93134dfc2a6e6fbedc7c270a31da03fce88db9, entitled "[TCP]: Fix size calculation in sk_stream_alloc_pskb", has triggered a bug in the 5701 where the 5701 DMA engine will corrupt outgoing packets. This problem only happens when the starting address of the packet matches a certain range of offsets and only when the 5701 is placed downstream of a particular Intel bridge. This patch detects the problematic bridge and if present, readjusts the starting address of the packet data to a dword aligned boundary. Signed-off-by: Matt Carlson Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a889712794ce774eee7b4649136fecf3a8bf76ee Author: David Woodhouse Date: Wed Apr 23 11:15:35 2008 +0100 JFFS2: Fix free space leak with in-band cleanmarkers We were accounting for the cleanmarker by calling jffs2_link_node_ref() (without locking!), which adjusted both superblock and per-eraseblock accounting, subtracting the size of the cleanmarker from {jeb,c}->free_size and adding it to {jeb,c}->used_size. But only _then_ were we adding the size of the newly-erased block back to the superblock counts, and we were adding each of jeb->{free,used}_size to the corresponding superblock counts. Thus, the size of the cleanmarker was effectively subtracted from the superblock's free_size _twice_. Fix this, by always adding a full eraseblock size to c->free_size when we've erased a block. And call jffs2_link_node_ref() under the proper lock, while we're at it. Thanks to Alexander Yurchenko and/or Damir Shayhutdinov for (almost) pinpointing the problem. [Backport of commit 014b164e1392a166fe96e003d2f0e7ad2e2a0bb7] Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit 8b58c03a6088fd1da72de671a5aed786bdb442d5 Author: Stefan Seyfried Date: Fri Apr 25 20:05:51 2008 +0000 USB: Add HP hs2300 Broadband Wireless Module to sierra.c commit 8f7f85e9f9561507b009d26395c53e70758695ec upstream Add the HP hs2300 Broadband Wireless Module (relabeled MC8775) USB IDs Signed-off-by: Stefan Seyfried Signed-off-by: Greg Kroah-Hartman commit f8ca3fefa9367f2080e6bb6ad293a9376e837be4 Author: Alan Stern Date: Fri Apr 25 20:05:44 2008 +0000 USB: log an error message when USB enumeration fails commit: 6427f7995338387ddded92f98adec19ddbf0ae5e This patch (as1077) logs an error message whenever the kernel is unable to enumerate a new USB device. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman