commit e1bcbd8de4501336d6ff3760ef75fb6232bfe625 Author: Greg Kroah-Hartman Date: Sat Jun 21 22:25:26 2008 -0700 Linux 2.6.25.8 commit f8bd72872adbf6cc36f370f5c6319085c3be3ec3 Author: Thomas Gleixner Date: Thu Jun 19 16:34:26 2008 +0200 x86: disable mwait for AMD family 10H/11H CPUs back-ported from upstream commit e9623b35599fcdbc00c16535cbefbb4d5578f4ab by Vegard Nossum The previous revert of 0c07ee38c9d4eb081758f5ad14bbffa7197e1aec left out the mwait disable condition for AMD family 10H/11H CPUs. Andreas Herrman said: It depends on the CPU. For AMD CPUs that support MWAIT this is wrong. Family 0x10 and 0x11 CPUs will enter C1 on HLT. Powersavings then depend on a clock divisor and current Pstate of the core. If all cores of a processor are in halt state (C1) the processor can enter the C1E (C1 enhanced) state. If mwait is used this will never happen. Thus HLT saves more power than MWAIT here. It might be best to switch off the mwait flag for these AMD CPU families like it was introduced with commit f039b754714a422959027cb18bb33760eb8153f0 (x86: Don't use MWAIT on AMD Family 10) Re-add the AMD families 10H/11H check and disable the mwait usage for those. Signed-off-by: Thomas Gleixner Signed-off-by: Vegard Nossum Cc: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 384353364373c7c9f8134a847a35e27642cb6dae Author: Ingo Molnar Date: Thu Jun 19 16:32:14 2008 +0200 x86: remove mwait capability C-state check back-ported from upstream commit a738d897b7b03b83488ae74a9bc03d26a2875dc6 by Vegard Nossum Vegard Nossum reports: | powertop shows between 200-400 wakeups/second with the description | ": Rescheduling interrupts" when all processors have load (e.g. | I need to run two busy-loops on my 2-CPU system for this to show up). | | The bisect resulted in this commit: | | commit 0c07ee38c9d4eb081758f5ad14bbffa7197e1aec | Date: Wed Jan 30 13:33:16 2008 +0100 | | x86: use the correct cpuid method to detect MWAIT support for C states remove the functional effects of this patch and make mwait unconditional. A future patch will turn off mwait on specific CPUs where that causes power to be wasted. Bisected-by: Vegard Nossum Tested-by: Vegard Nossum Signed-off-by: Ingo Molnar Signed-off-by: Vegard Nossum Signed-off-by: Greg Kroah-Hartman commit b2e4b1cc4a1bfa05582949065a2c97ce7ab3caa3 Author: Patrick McHardy Date: Thu Jun 19 15:05:45 2008 +0200 nf_conntrack_h323: fix memory leak in module initialization error path netfilter: nf_conntrack_h323: fix memory leak in module initialization error path Upstream commit 8a548868db62422113104ebc658065e3fe976951 Properly free h323_buffer when helper registration fails. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3423e2b45ed2f50c5d419c3d93f349d04634477c Author: Patrick McHardy Date: Thu Jun 19 15:05:46 2008 +0200 nf_conntrack_h323: fix module unload crash netfilter: nf_conntrack_h323: fix module unload crash Upstream commit a56b8f81580761c65e4d8d0c04ac1cb7a788bdf1 The H.245 helper is not registered/unregistered, but assigned to connections manually from the Q.931 helper. This means on unload existing expectations and connections using the helper are not cleaned up, leading to the following oops on module unload: CPU 0 Unable to handle kernel paging request at virtual address c00a6828, epc == 802224dc, ra == 801d4e7c Oops[#1]: Cpu 0 $ 0 : 00000000 00000000 00000004 c00a67f0 $ 4 : 802a5ad0 81657e00 00000000 00000000 $ 8 : 00000008 801461c8 00000000 80570050 $12 : 819b0280 819b04b0 00000006 00000000 $16 : 802a5a60 80000000 80b46000 80321010 $20 : 00000000 00000004 802a5ad0 00000001 $24 : 00000000 802257a8 $28 : 802a4000 802a59e8 00000004 801d4e7c Hi : 0000000b Lo : 00506320 epc : 802224dc ip_conntrack_help+0x38/0x74 Tainted: P ra : 801d4e7c nf_iterate+0xbc/0x130 Status: 1000f403 KERNEL EXL IE Cause : 00800008 BadVA : c00a6828 PrId : 00019374 Modules linked in: ip_nat_pptp ip_conntrack_pptp ath_pktlog wlan_acl wlan_wep wlan_tkip wlan_ccmp wlan_xauth ath_pci ath_dev ath_dfs ath_rate_atheros wlan ath_hal ip_nat_tftp ip_conntrack_tftp ip_nat_ftp ip_conntrack_ftp pppoe ppp_async ppp_deflate ppp_mppe pppox ppp_generic slhc Process swapper (pid: 0, threadinfo=802a4000, task=802a6000) Stack : 801e7d98 00000004 802a5a60 80000000 801d4e7c 801d4e7c 802a5ad0 00000004 00000000 00000000 801e7d98 00000000 00000004 802a5ad0 00000000 00000010 801e7d98 80b46000 802a5a60 80320000 80000000 801d4f8c 802a5b00 00000002 80063834 00000000 80b46000 802a5a60 801e7d98 80000000 802ba854 00000000 81a02180 80b7e260 81a021b0 819b0000 819b0000 80570056 00000000 00000001 ... Call Trace: [<801e7d98>] ip_finish_output+0x0/0x23c [<801d4e7c>] nf_iterate+0xbc/0x130 [<801d4e7c>] nf_iterate+0xbc/0x130 [<801e7d98>] ip_finish_output+0x0/0x23c [<801e7d98>] ip_finish_output+0x0/0x23c [<801d4f8c>] nf_hook_slow+0x9c/0x1a4 One way to fix this would be to split helper cleanup from the unregistration function and invoke it for the H.245 helper, but since ctnetlink needs to be able to find the helper for synchonization purposes, a better fix is to register it normally and make sure its not assigned to connections during helper lookup. The missing l3num initialization is enough for this, this patch changes it to use AF_UNSPEC to make it more explicit though. Reported-by: liannan Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 91609120cd85afe375d4f05e8083a915aa2ebb42 Author: Patrick McHardy Date: Thu Jun 19 15:05:43 2008 +0200 nf_conntrack: fix ctnetlink related crash in nf_nat_setup_info() netfilter: nf_conntrack: fix ctnetlink related crash in nf_nat_setup_info() Upstream commit ceeff7541e5a4ba8e8d97ffbae32b3f283cb7a3f When creation of a new conntrack entry in ctnetlink fails after having set up the NAT mappings, the conntrack has an extension area allocated that is not getting properly destroyed when freeing the conntrack again. This means the NAT extension is still in the bysource hash, causing a crash when walking over the hash chain the next time: BUG: unable to handle kernel paging request at 00120fbd IP: [] nf_nat_setup_info+0x221/0x58a *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP Pid: 2795, comm: conntrackd Not tainted (2.6.26-rc5 #1) EIP: 0060:[] EFLAGS: 00010206 CPU: 1 EIP is at nf_nat_setup_info+0x221/0x58a EAX: 00120fbd EBX: 00120fbd ECX: 00000001 EDX: 00000000 ESI: 0000019e EDI: e853bbb4 EBP: e853bbc8 ESP: e853bb78 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 Process conntrackd (pid: 2795, ti=e853a000 task=f7de10f0 task.ti=e853a000) Stack: 00000000 e853bc2c e85672ec 00000008 c0561084 63c1db4a 00000000 00000000 00000000 0002e109 61d2b1c3 00000000 00000000 00000000 01114e22 61d2b1c3 00000000 00000000 f7444674 e853bc04 00000008 c038e728 0000000a f7444674 Call Trace: [] nla_parse+0x5c/0xb0 [] ctnetlink_change_status+0x190/0x1c6 [] ctnetlink_new_conntrack+0x189/0x61f [] update_curr+0x3d/0x52 [] nfnetlink_rcv_msg+0xc1/0xd8 [] nfnetlink_rcv_msg+0x18/0xd8 [] nfnetlink_rcv_msg+0x0/0xd8 [] netlink_rcv_skb+0x2d/0x71 [] nfnetlink_rcv+0x19/0x24 [] netlink_unicast+0x1b3/0x216 ... Move invocation of the extension destructors to nf_conntrack_free() to fix this problem. Fixes http://bugzilla.kernel.org/show_bug.cgi?id=10875 Reported-and-Tested-by: Krzysztof Piotr Oledzki Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c4330cd3988243eecf7dac3b495553beffc08c72 Author: James Bottomley Date: Wed Jun 18 23:15:14 2008 +0000 SCSI: sr: fix corrupt CD data after media change and delay commit: d1daeabf0da5bfa1943272ce508e2ba785730bf0 upstream Reported-by: Geert Uytterhoeven If you delay 30s or more before mounting a CD after inserting it then the kernel has the wrong value for the CD size. http://marc.info/?t=121276133000001 The problem is in sr_test_unit_ready(): the function eats unit attentions without adjusting the sdev->changed status. This means that when the CD signals changed media via unit attention, we can ignore it. Fix by making sr_test_unit_ready() adjust the changed status. Reported-by: Geert Uytterhoeven Tested-by: Geert Uytterhoeven Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 74df319e678985491d0626e590093789d38daca4 Author: Bob Moore Date: Wed Jun 18 22:11:31 2008 -0400 ACPICA: Ignore ACPI table signature for Load() operator upstream bc45b1d39a925b56796bebf8a397a0491489d85c Without this patch booting with acpi_osi="!Windows 2006" is required for several machines to function properly with cpufreq due to failure to load a Vista specific table with a bad signature. Only "SSDT" is acceptable to the ACPI spec, but tables are seen with OEMx and null sigs. Therefore, signature validation is worthless. Apparently MS ACPI accepts such signatures, ACPICA must be compatible. http://bugzilla.kernel.org/show_bug.cgi?id=9919 http://bugzilla.kernel.org/show_bug.cgi?id=10383 http://bugzilla.kernel.org/show_bug.cgi?id=10454 https://bugzilla.novell.com/show_bug.cgi?id=396311 Signed-off-by: Bob Moore Signed-off-by: Lin Ming Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 1c50ef042d1310dba9d3d9429f4b67b98ae53e8e Author: Mike Christie Date: Wed Jun 18 18:31:44 2008 -0500 scsi_host regression: fix scsi host leak The patch is upstream as commit 3ed7897242b7efe977f3a8d06d4e5a4ebe28b10e A different backport is necessary because of the class_device to device conversion post 2.6.25. commit 9c7701088a61cc0cf8a6e1c68d1e74e3cc2ee0b7 Author: Dave Young Date: Tue Jan 22 14:01:34 2008 +0800 scsi: use class iteration api Isn't a correct replacement for the original hand rolled host lookup. The problem is that class_find_child would get a reference to the host's class device which is never released. Since the host class device holds a reference to the host gendev, the host can never be freed. In 2.6.25 we started using class_find_device, and this function also gets a reference to the device, so we end up with an extra ref and the host will not get released. This patch adds a class_put_device to balance the class_find_device() get. I kept the scsi_host_get in scsi_host_lookup, because the target layer is using scsi_host_lookup and it looks like it needs the SHOST_DEL check. Signed-off-by: Mike Christie Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 38d10b5fd8eb81e10b9572359c90e627432217d1 Author: Michael Buesch Date: Sat Jun 14 22:57:55 2008 +0200 b43: Fix possible NULL pointer dereference in DMA code a cut-down version of commit 028118a5f09a9c807e6b43e2231efdff9f224c74 upstream This fixes a possible NULL pointer dereference in an error path of the DMA allocation error checking code. In case the DMA allocation address is invalid, the dev pointer is dereferenced for unmapping of the buffer. Reported-by: Miles Lane Signed-off-by: Michael Buesch Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit f9cb92ec51b8700247c3aa560b31ba9885a33e73 Author: Michael Buesch Date: Sat Jun 14 23:00:14 2008 +0200 b43: Fix noise calculation WARN_ON commit 98a3b2fe435ae76170936c14f5c9e6a87548e3ef upstream. This removes a WARN_ON that is responsible for the following koops: http://www.kerneloops.org/searchweek.php?search=b43_generate_noise_sample The comment in the patch describes why it's safe to simply remove the check. Signed-off-by: Michael Buesch Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 226028e4f78348aa948b1422bda1ede029228d2e Author: Mark McLoughlin Date: Mon Jun 16 14:41:41 2008 +1000 virtio_net: Fix skb->csum_start computation commit 23cde76d801246a702e7a84c3fe3d655b35c89a1 upstream. hdr->csum_start is the offset from the start of the ethernet header to the transport layer checksum field. skb->csum_start is the offset from skb->head. skb_partial_csum_set() assumes that skb->data points to the ethernet header - i.e. it computes skb->csum_start by adding the headroom to hdr->csum_start. Since eth_type_trans() skb_pull()s the ethernet header, skb_partial_csum_set() should be called before eth_type_trans(). (Without this patch, GSO packets from a guest to the world outside the host are corrupted). Signed-off-by: Mark McLoughlin Acked-by: Herbert Xu Signed-off-by: Rusty Russell Signed-off-by: Greg Kroah-Hartman commit 21e99a7b00b6a4b26d0f8111d9c4e3fc8f09ee52 Author: Bartlomiej Zolnierkiewicz Date: Wed Jun 18 23:56:06 2008 +0200 opti621: remove DMA support commit f361037631ba547ea88adf8d2359d810c1b2605a upstream These controllers don't support DMA. Based on a bugreport from Juergen Kosel & inspired by pata_opti.c code. Tested-by: Juergen Kosel Acked-by: Sergei Shtylyov Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Greg Kroah-Hartman commit ec5c8a8d1e8072ebfa58de23547e6843de159f5b Author: Bartlomiej Zolnierkiewicz Date: Wed Jun 18 23:54:53 2008 +0200 opti621: disable read prefetch commit 62128b2ca812c1266f4ff7bac068bf0b626c6179 upstream This fixes 2.6.25 regression (kernel.org bugzilla bug #10723) caused by: commit 912fb29a36a7269ac1c4a4df45bc0ac1d2637972 Author: Bartlomiej Zolnierkiewicz Date: Fri Oct 19 00:30:11 2007 +0200 opti621: always tune PIO ... Based on a bugreport from Juergen Kosel & inspired by pata_opti.c code. Bisected-by: Juergen Kosel Tested-by: Juergen Kosel Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Greg Kroah-Hartman commit 30bc30a080f7e3cdf74f5cf58a1d8eba5ad85cc9 Author: Alan Cox Date: Mon Apr 28 02:14:06 2008 -0700 Fix tty speed handling on 8250 commit e991a2bd4fa0b2f475b67dfe8f33e8ecbdcbb40b upstream. We try and write the correct speed back but the serial midlayer already mangles the speed on us and that means if we request B0 we report back B9600 when we should not. For now we'll hack around this in the drivers and serial code, pending a better long term solution. Signed-off-by: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 864f24395c72b6a6c48d13f409f986dc71a5cf4a Author: Linus Torvalds Date: Tue Jun 17 17:47:50 2008 -0700 x86-64: Fix "bytes left to copy" return value for copy_from_user() commit 42a886af728c089df8da1b0017b0e7e6c81b5335 upstream Most users by far do not care about the exact return value (they only really care about whether the copy succeeded in its entirety or not), but a few special core routines actually care deeply about exactly how many bytes were copied from user space. And the unrolled versions of the x86-64 user copy routines would sometimes report that it had copied more bytes than it actually had. Very few uses actually have partial copies to begin with, but to make this bug even harder to trigger, most x86 CPU's use the "rep string" instructions for normal user copies, and that version didn't have this issue. To make it even harder to hit, the one user of this that really cared about the return value (and used the uncached version of the copy that doesn't use the "rep string" instructions) was the generic write routine, which pre-populated its source, once more hiding the problem by avoiding the exception case that triggers the bug. In other words, very special thanks to Bron Gondwana who not only triggered this, but created a test-program to show it, and bisected the behavior down to commit 08291429cfa6258c4cd95d8833beb40f828b194e ("mm: fix pagecache write deadlocks") which changed the access pattern just enough that you can now trigger it with 'writev()' with multiple iovec's. That commit itself was not the cause of the bug, it just allowed all the stars to align just right that you could trigger the problem. [ Side note: this is just the minimal fix to make the copy routines (with __copy_from_user_inatomic_nocache as the particular version that was involved in showing this) have the right return values. We really should improve on the exceptional case further - to make the copy do a byte-accurate copy up to the exact page limit that causes it to fail. As it is, the callers have to do extra work to handle the limit case gracefully. ] Reported-by: Bron Gondwana Cc: Nick Piggin Cc: Andrew Morton Cc: Andi Kleen Cc: Al Viro Acked-by: Ingo Molnar Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman