commit d8447b287c252e02f135618ed4a8781fd3b8797f
Author: Greg Kroah-Hartman
Date:   Fri May 9 21:48:50 2008 -0700

    Linux 2.6.25.3

commit 1be05a5eda841014c1151cb0f8dc791862bd40a5
Author: David S. Miller
Date:   Thu May 8 23:40:26 2008 -0700

    sit: Add missing kfree_skb() on pskb_may_pull() failure.

    [ Upstream commit: 36ca34cc3b8335eb1fe8bd9a1d0a2592980c3f02 ]

    Noticed by Paul Marks.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit a864928f5e50a872735e58ff5de483625e3608ee
Author: David S. Miller
Date:   Wed May 7 02:24:28 2008 -0700

    sparc: Fix mmap VA span checking.

    [ Upstream commit: 5816339310b2d9623cf413d33e538b45e815da5d ]

    We should not conditionalize VA range checks on MAP_FIXED.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d020055f5217be264e0bac9cd09ffc04233b9682
Author: Herbert Xu
Date:   Tue May 6 14:01:24 2008 +0800

    CRYPTO: eseqiv: Fix off-by-one encryption

    [CRYPTO] eseqiv: Fix off-by-one encryption

    [ Upstream commit: 46f8153cc59384eb09a426d044668d4801f818ce ]

    After attaching the IV to the head during encryption, eseqiv does not
    increase the encryption length by that amount. As such the last block
    of the actual plain text will be left unencrypted.

    Fortunately the only user of this code hifn currently crashes so this
    shouldn't affect anyone :)

    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 054640e012028f0c10d7e7ed7a601016c9251ca5
Author: Patrick McHardy
Date:   Tue May 6 14:01:22 2008 +0800

    CRYPTO: authenc: Fix async crypto crash in crypto_authenc_genicv()

    [CRYPTO] authenc: Fix async crypto crash in crypto_authenc_genicv()

    [ Upstream commit: 161613293fd4b7d5ceb1faab788f47e688e07a67 ]

    crypto_authenc_givencrypt_done uses req->data as struct
    aead_givcrypt_request, while it really points to a struct aead_request,
    causing this crash:

    BUG: unable to handle kernel paging request at 6b6b6b6b
    IP: [] :authenc:crypto_authenc_genicv+0x23/0x109
    *pde = 00000000
    Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
    Modules linked in: hifn_795x authenc esp4 aead xfrm4_mode_tunnel sha1_generic hmac crypto_hash]

    Pid: 3074, comm: ping Not tainted (2.6.25 #4)
    EIP: 0060:[] EFLAGS: 00010296 CPU: 0
    EIP is at crypto_authenc_genicv+0x23/0x109 [authenc]
    EAX: daa04690 EBX: daa046e0 ECX: dab0a100 EDX: daa046b0
    ESI: 6b6b6b6b EDI: dc872054 EBP: c033ff60 ESP: c033ff0c
    DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
    Process ping (pid: 3074, ti=c033f000 task=db883a80 task.ti=dab6c000)
    Stack: 00000000 daa046b0 c0215a3e daa04690 dab0a100 00000000 ffffffff db9fd7f0
           dba208c0 dbbb1720 00000001 daa04720 00000001 c033ff54 c0119ca9 dc852a75
           c033ff60 c033ff60 daa046e0 00000000 00000001 c033ff6c dc87527b 00000001
    Call Trace:
     [] ? dev_alloc_skb+0x14/0x29
     [] ? printk+0x15/0x17
     [] ? crypto_authenc_givencrypt_done+0x1a/0x27 [authenc]
     [] ? hifn_process_ready+0x34a/0x352 [hifn_795x]
     [] ? rhine_napipoll+0x3f2/0x3fd [via_rhine]
     [] ? hifn_check_for_completion+0x4d/0xa6 [hifn_795x]
     [] ? hifn_tasklet_callback+0xa/0xc [hifn_795x]
     [] ? tasklet_action+0x3f/0x66
     [] ? __do_softirq+0x38/0x7a
     [] ? do_softirq+0x3e/0x71
     [] ? irq_exit+0x2c/0x65
     [] ? smp_apic_timer_interrupt+0x5f/0x6a
     [] ? apic_timer_interrupt+0x28/0x30
     [] ? hifn_handle_req+0x44a/0x50d [hifn_795x]
     ...

    Signed-off-by: Patrick McHardy
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 84c82441c5bd034bf6a1e863eb8b51006c4cfe8c
Author: Julia Lawall
Date:   Tue May 6 14:01:25 2008 +0800

    CRYPTO: cryptd: Correct kzalloc error test

    [CRYPTO] cryptd: Correct kzalloc error test

    [ Upstream commit: b1145ce395f7785487c128fe8faf8624e6586d84 ]

    Normally, kzalloc returns NULL or a valid pointer value, not a value to
    be tested using IS_ERR.

    Signed-off-by: Julia Lawall
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit f69af5c3a887b65da440726968d7c68218a347d6
Author: Herbert Xu
Date:   Tue May 6 14:01:23 2008 +0800

    CRYPTO: api: Fix scatterwalk_sg_chain

    [CRYPTO] api: Fix scatterwalk_sg_chain

    [ Upstream commit: 8ec970d8561abb5645d4602433b772e268c96d05 ]

    When I backed out of using the generic sg chaining (as it isn't currently
    portable) and introduced scatterwalk_sg_chain/scatterwalk_sg_next I left
    out the sg_is_last check in the latter. This causes it to potentially
    dereference beyond the end of the sg array.

    As most uses of scatterwalk_sg_next are bound by an overall length, this
    only affected the chaining code in authenc and eseqiv. Thanks to Patrick
    McHardy for identifying this problem.

    This patch also clears the "last" bit on the head of the chained list as
    it's no longer last. This also went missing in scatterwalk_sg_chain and
    is present in sg_chain.

    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 215f6f246d56d0bbaecc8aadaa630a3c0bd5ac2e
Author: Yinghai Lu
Date:   Mon May 5 21:59:58 2008 -0500

    x86 PCI: call dmi_check_pciprobe()

    This is a backport of the noted commit which is in 2.6.26-rc1 now.
    This is necessary to enable pci=bfsort automatically on a number of
    Dell and HP servers, as well as pci=assign-busses for a few other
    systems, which was broken between 2.6.22 and 2.6.23.

    commit 0df18ff366853cdf31e5238764ec5c63e6b5a398 upstream

    x86 PCI: call dmi_check_pciprobe()

    this change:

    | commit 08f1c192c3c32797068bfe97738babb3295bbf42
    | Author: Muli Ben-Yehuda
    | Date:   Sun Jul 22 00:23:39 2007 +0300
    |
    |     x86-64: introduce struct pci_sysdata to facilitate sharing of ->sysdata
    |
    |     This patch introduces struct pci_sysdata to x86 and x86-64, and
    |     converts the existing two users (NUMA, Calgary) to use it.
    |
    |     This lays the groundwork for having other users of sysdata, such as
    |     the PCI domains work.
    |
    |     The Calgary bits are tested, the NUMA bits just look ok.

    replaces pcibios_scan_root with pci_scan_bus_parented...

    but in pcibios_scan_root we have a DMI check:

            dmi_check_system(pciprobe_dmi_table);

    when we have several peer root buses this could be called multiple
    times (which is bad), so move that call to pci_access_init().

    Signed-off-by: Yinghai Lu
    Signed-off-by: Ingo Molnar
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Jesse Barnes
    Signed-off-by: Matt Domsch
    Signed-off-by: Greg Kroah-Hartman

commit adb811eb6554bcc6ec46916a295f6ecd234d27cf
Author: Michael Buesch
Date:   Fri May 2 12:19:57 2008 +0200

    b43: Fix some TX/RX locking issues

    commit 21a75d7788f4e29b6c6d28e08f9f0310c4de828d upstream.

    This fixes some TX/RX related locking issues.
    With this patch applied, some of the PHY transmission errors are fixed.

    Signed-off-by: Michael Buesch
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit ac5b631e8ffc2f63b3f23a5c03c13186b21b4a08
Author: Lennert Buytenhek
Date:   Thu May 1 11:04:55 2008 -0400

    kprobes/arm: fix decoding of arithmetic immediate instructions

    The ARM kprobes arithmetic immediate instruction decoder
    (space_cccc_001x()) was accidentally zero'ing out not only the Rn and
    Rd arguments, but the lower nibble of the immediate argument as well --
    this patch fixes this.

    Mainline commit: a3fd133c24e16d430ba21f3d9f5c0b8faeeb37fe

    Signed-off-by: Lennert Buytenhek
    Acked-by: Nicolas Pitre
    Signed-off-by: Greg Kroah-Hartman

commit 6d45756316559c7ee0e68b2541305a8867d8ef6f
Author: Nicolas Pitre
Date:   Thu May 1 11:03:13 2008 -0400

    kprobes/arm: fix cache flush address for instruction stub

    It is more useful to flush the cache with the actual buffer address
    rather than the address containing a pointer to the buffer.

    Mainline commit: 8f79ff0cb5330a92032c30ff586745d3016b34ca

    Signed-off-by: Nicolas Pitre
    Acked-by: Lennert Buytenhek
    Signed-off-by: Greg Kroah-Hartman

commit a315960a1eadf634004607f981412981c8b2fc9a
Author: Michael Buesch
Date:   Thu May 1 12:31:44 2008 +0200

    b43: Fix dual-PHY devices

    commit 2e35af143a1380173ba292e48e9b4913ef16b4ee upstream

    This fixes operation of dual-PHY (A/B/G) devices.
    Do not announce the A-PHY to mac80211, as that's not supported, yet.

    Signed-off-by: Michael Buesch
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 6981f54bdc1416f5172aa42db8cf8f83cc251c8a
Author: Grant Likely
Date:   Tue May 6 08:41:44 2008 -0600

    POWERPC: mpc5200: Fix unterminated of_device_id table

    commit bc775eac63c16dbcfabc4c6e949c0228edf3e11f upstream

    If CONFIG_PPC_MPC5121 is not set, then the of_device_id table for
    the mpc5200 serial driver will not get terminated with a NULL entry.

    Signed-off-by: Grant Likely
    Signed-off-by: Greg Kroah-Hartman

commit d5d70ec0dca55f84071354c10fbb1162023fab0a
Author: Jan Kara
Date:   Mon May 5 13:42:12 2008 +0200

    reiserfs: Unpack tails on quota files

    commit d5dee5c395062a55236318ac4eec1f4ebb9de6db upstream

    Quota files cannot have tails because quota_write and quota_read
    functions do not support them. So far when quota files did have tail,
    we just refused to turn quotas on it. Sadly this check has been wrong
    and so there are now plenty installations where quota files don't have
    NOTAIL flag set and so now after fixing the check, they suddenly fail
    to turn quotas on.

    Since it's easy to unpack the tail from kernel, do this from
    reiserfs_quota_on() which solves the problem and is generally nicer to
    users anyway.

    Signed-off-by: Jan Kara
    Reported-by:
    Cc: Jeff Mahoney
    Cc: Chris Mason
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 980e8ec0c4ab54164725f1a71545c439a755e918
Author: Peter Zijlstra
Date:   Tue May 6 03:05:15 2008 +0000

    sched: fix hrtick_start_fair and CPU-Hotplug

    commit: b328ca182f01c2a04b85e0ee8a410720b104fbcc upstream

    Gautham R Shenoy reported:

    > While running the usual CPU-Hotplug stress tests on linux-2.6.25,
    > I noticed the following in the console logs.
    >
    > This is a wee bit difficult to reproduce. In the past 10 runs I hit this
    > only once.
    >
    > ------------[ cut here ]------------
    >
    > WARNING: at kernel/sched.c:962 hrtick+0x2e/0x65()
    >
    > Just wondering if we are doing a good job at handling the cancellation
    > of any per-cpu scheduler timers during CPU-Hotplug.

    This looks like it's indeed not cancelled at all and migrates it to
    another cpu. Fix it via a proper hotplug notifier mechanism.

    Reported-by: Gautham R Shenoy
    Signed-off-by: Peter Zijlstra
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit f9dfda1ad0637a89a64d001cf81478bd8d9b6306
Author: Miklos Szeredi
Date:   Thu May 1 18:45:34 2008 +0000

    vfs: fix permission checking in sys_utimensat

    commit: 02c6be615f1fcd37ac5ed93a3ad6692ad8991cd9 upstream

    If utimensat() is called with both times set to UTIME_NOW or one of them
    to UTIME_NOW and the other to UTIME_OMIT, then it will update the file
    time without any permission checking.

    I don't think this can be used for anything other than a local DoS, but
    could be quite bewildering at that (e.g. "Why was that large source tree
    rebuilt when I didn't modify anything???")

    This affects all kernels from 2.6.22, when the utimensat() syscall was
    introduced.

    Fix by doing the same permission checking as for the "times == NULL" case.

    Thanks to Michael Kerrisk, whose utimensat-non-conformances-and-fixes.patch
    in -mm also fixes this (and breaks other stuff), only he didn't realize
    the security implications of this bug.

    Signed-off-by: Miklos Szeredi
    Cc: Ulrich Drepper
    Cc: Michael Kerrisk
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 9bd2c7ca75b0ebe05b0c67852d050720119983e7
Author: Dan Williams
Date:   Wed Apr 30 18:55:30 2008 +0000

    md: fix use after free when removing rdev via sysfs

    commit: 6a51830e14529063cb2685921e1177d9af50e49a upstream

    rdev->mddev is no longer valid upon return from entry->store() when the
    'remove' command is given.

    Signed-off-by: Dan Williams
    Signed-off-by: Neil Brown
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 30e525eb19e64ded33f84529314f0dc82766553a
Author: KAMEZAWA Hiroyuki
Date:   Tue Apr 29 17:25:19 2008 +0000

    mm: fix usemap initialization

    commit: 86051ca5eaf5e560113ec7673462804c54284456 upstream

    usemap must be initialized only when pfn is within zone. If not, it
    corrupts memory.

    And this patch also reduces the number of calls to
    set_pageblock_migratetype() from
            (pfn & (pageblock_nr_pages -1)
    to
            !(pfn & (pageblock_nr_pages-1)
    it should be called once per pageblock.

    Signed-off-by: KAMEZAWA Hiroyuki
    Acked-by: Mel Gorman
    Cc: Hugh Dickins
    Cc: Shi Weihua
    Cc: Balbir Singh
    Cc: Pavel Emelyanov
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit f8f82be93ff5b04a494141f707066fc902bd6e54
Author: Venkatesh Pallipadi
Date:   Wed Apr 9 21:31:46 2008 -0400

    2.6.25 regression: powertop says 120K wakeups/sec

    commit 0fda6b403f0eca66ad8a7c946b3996e359100443 upstream

    Patch to fix huge number of wakeups reported due to recent changes in
    processor_idle.c. The problem was that the entry_method determination
    was broken due to one of the recent commits (bc71bec91f987) causing
    C1 entry to not go to halt.

    http://lkml.org/lkml/2008/3/22/124

    Signed-off-by: Venkatesh Pallipadi
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman