commit c1259fc7cf7c172b984039213b792c08b1891c27
Author: Greg Kroah-Hartman
Date:   Fri Aug 1 15:58:24 2008 -0700

    Linux 2.6.26.1

commit a6b79bb88e6682d2739aa5b4db7184038bbb32ce
Author: Linus Torvalds
Date:   Wed Jul 30 22:20:18 2008 +0000

    Fix off-by-one error in iov_iter_advance()

    commit 94ad374a0751f40d25e22e036c37f7263569d24c upstream

    The iov_iter_advance() function would look at the iov->iov_len entry
    even though it might have iterated over the whole array, and iov was
    pointing past the end. This would cause DEBUG_PAGEALLOC to trigger a
    kernel page fault if the allocation was at the end of a page, and the
    next page was unallocated.

    The quick fix is to just change the order of the tests: check that
    there is any iovec data left before we check the iov entry itself.

    Thanks to Alexey Dobriyan for finding this case, and testing the fix.

    Reported-and-tested-by: Alexey Dobriyan
    Cc: Nick Piggin
    Cc: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 293f49dd74ffd6a9c453f73f01e812bd4e3d9357
Author: Pavel Roskin
Date:   Wed Jul 30 18:20:14 2008 +0000

    ath5k: don't enable MSI, we cannot handle it yet

    commit 256b152b005e319f985f50f2a910a75ba0def74f upstream

    MSI is a nice thing, but we cannot enable it without changing the
    interrupt handler. If we do it, we break MSI capable hardware,
    specifically AR5006 chipset.

    Signed-off-by: Pavel Roskin
    Acked-by: Nick Kossifidis
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 00b289bb9a03f0550f6015efdbf00807e3056b8a
Author: Julia Lawall
Date:   Wed Jul 30 18:20:12 2008 +0000

    b43legacy: Release mutex in error handling code

    commit 4104863fb4a724723d1d5f3cba9d3c5084087e45 upstream

    The mutex is released on a successful return, so it would seem that it
    should be released on an error return as well.

    The semantic patch that finds this problem is as follows:
    (http://www.emn.fr/x-info/coccinelle/)

    //
    @@
    expression l;
    @@

    mutex_lock(l);
    ... when != mutex_unlock(l)
        when any
        when strict
    (
    if (...) { ... when != mutex_unlock(l)
    +   mutex_unlock(l);
        return ...;
    }
    |
    mutex_unlock(l);
    )
    //

    Signed-off-by: Julia Lawall
    Signed-off-by: Michael Buesch
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 04f496871e8af87a1e40c504371a206fd7389193
Author: Thomas Renninger
Date:   Wed Jul 30 18:20:10 2008 +0000

    cpufreq acpi: only call _PPC after cpufreq ACPI init funcs got called already

    commit a1531acd43310a7e4571d52e8846640667f4c74b upstream

    Ingo Molnar provided a fix to not call _PPC at processor driver
    initialization time in "[PATCH] ACPI: fix cpufreq regression" (git
    commit e4233dec749a3519069d9390561b5636a75c7579)

    But it can still happen that _PPC is called at processor driver
    initialization time. This patch should make sure that this is not
    possible anymore.

    Signed-off-by: Thomas Renninger
    Cc: Andi Kleen
    Cc: Len Brown
    Cc: Dave Jones
    Cc: Ingo Molnar
    Cc: Venkatesh Pallipadi
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 4281b61fbd503a5ebe821e155dbe9294d56d3e05
Author: Alex Nixon
Date:   Wed Jul 30 18:20:08 2008 +0000

    VFS: increase pseudo-filesystem block size to PAGE_SIZE

    commit 3971e1a917548977cff71418a7c3575ffbc9571f upstream

    This commit:

        commit ba52de123d454b57369f291348266d86f4b35070
        Author: Theodore Ts'o
        Date:   Wed Sep 27 01:50:49 2006 -0700

            [PATCH] inode-diet: Eliminate i_blksize from the inode structure

    caused the block size used by pseudo-filesystems to decrease from
    PAGE_SIZE to 1024 leading to a doubling of the number of context
    switches during a kernbench run.

    Signed-off-by: Alex Nixon
    Cc: Andi Kleen
    Cc: Jeremy Fitzhardinge
    Cc: Peter Zijlstra
    Cc: Ingo Molnar
    Cc: Ian Campbell
    Cc: "Theodore Ts'o"
    Cc: Alexander Viro
    Cc: Hugh Dickins
    Cc: Jens Axboe
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 30812f838cde7347071b8119667ea9bb8623ee78
Author: Mathieu Desnoyers
Date:   Wed Jul 30 18:20:05 2008 +0000

    markers: fix markers read barrier for multiple probes

    commit 5def9a3a22e09c99717f41ab7f07ec9e1a1f3ec8 upstream

    Paul pointed out two incorrect read barriers in the marker handler code
    in the path where multiple probes are connected. Those are ordering
    reads of "ptype" (single or multi probe marker), "multi" array pointer,
    and "multi" array data access.

    It should be ordered like this :

    read ptype
    smp_rmb()
    read multi array pointer
    smp_read_barrier_depends()
    access data referenced by multi array pointer

    The code with a single probe connected (optimized case, does not have
    to allocate an array) has correct memory ordering.

    It applies to kernel 2.6.26.x, 2.6.25.x and linux-next.

    Signed-off-by: Mathieu Desnoyers
    Cc: Paul E. McKenney
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit a3676137382ae2dbc6a469ead4cd37ccf970aede
Author: Hugh Dickins
Date:   Tue Jul 29 02:50:18 2008 +0000

    tmpfs: fix kernel BUG in shmem_delete_inode

    commit 14fcc23fdc78e9d32372553ccf21758a9bd56fa1 upstream

    SuSE's insserve initscript ordering program hits kernel BUG at
    mm/shmem.c:814 on 2.6.26. It's using posix_fadvise on directories, and
    the shmem_readpage method added in 2.6.23 is letting
    POSIX_FADV_WILLNEED allocate useless pages to a tmpfs directory,
    incrementing i_blocks count but never decrementing it.

    Fix this by assigning shmem_aops (pointing to readpage and writepage
    and set_page_dirty) only when it's needed, on a regular file or a long
    symlink.

    Many thanks to Kel for outstanding bugreport and steps to reproduce it.

    Reported-by: Kel Modderman
    Tested-by: Kel Modderman
    Signed-off-by: Hugh Dickins
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 9bbba9277a48a49ae9212558ee7656e6016bca4d
Author: Luotao Fu
Date:   Tue Jul 29 02:50:14 2008 +0000

    mpc52xx_psc_spi: fix block transfer

    commit 9a7867e1b34c3575e7e76a05c0c54c6edbdae2a4 upstream

    The block transfer routine in the mpc52xx psc spi driver misinterprets
    the datasheet. According to the processor datasheet the chipselect is
    held as long as the EOF is not written. Theoretically blocks of any
    sizes can be transferred in this way. The old routine however writes an
    EOF after every word, which has the size of size_of_word. This makes
    the transfer slow.

    Also fixed some duplicate code.

    Signed-off-by: Luotao Fu
    Signed-off-by: David Brownell
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 804dc20d0fa5763a25b7bef61a1547a3d1be470c
Author: Jesse Brandeburg
Date:   Fri Jul 11 17:34:58 2008 -0700

    ixgbe: remove device ID for unsupported device

    commit bb5d10ac8cc315d53306963001fe650d88a1cbb2 upstream

    The ixgbe driver was untested with device ID 8086:10c8 but still
    advertises support. Currently if this device is present in the system
    when the driver is loaded, the system will panic. Remove this device ID
    until full support can be tested with available hardware.

    This patch is necessary for 2.6.24, 2.6.25 and 2.6.26

    Signed-off-by: Jesse Brandeburg
    Signed-off-by: Jeff Kirsher
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 65b48a80bac37cae86a7eb92f79b64caa066c437
Author: Jeff Dike
Date:   Wed Jul 23 11:46:50 2008 -0400

    UML - Fix boot crash

    commit 7c1fed03b9fa32d4323d5caa6a9c7dcdd7eba767 upstream

    My copying of linux/init.h didn't go far enough. The definition of
    __used singled out gcc minor version 3, but didn't care what the major
    version was. This broke when unit-at-a-time was added and gcc started
    throwing out initcalls.

    This results in an early boot crash when ptrace tries to initialize a
    process with an empty, uninitialized register set.

    Signed-off-by: Jeff Dike
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 45ff7b34de5199730b9191e976b29008e676fc2f
Author: Eric Sandeen
Date:   Tue Jul 29 02:50:12 2008 +0000

    eCryptfs: use page_alloc not kmalloc to get a page of memory

    commit 7fcba054373d5dfc43d26e243a5c9b92069972ee upstream

    Date: Mon, 28 Jul 2008 15:46:39 -0700
    Subject: eCryptfs: use page_alloc not kmalloc to get a page of memory

    With SLUB debugging turned on in 2.6.26, I was getting memory
    corruption when testing eCryptfs. The root cause turned out to be that
    eCryptfs was doing kmalloc(PAGE_CACHE_SIZE); virt_to_page() and
    treating that as a nice page-aligned chunk of memory. But at least with
    SLUB debugging on, this is not always true, and the page we get from
    virt_to_page does not necessarily match the PAGE_CACHE_SIZE worth of
    memory we got from kmalloc.

    My simple testcase was 2 loops doing "rm -f fileX; cp /tmp/fileX ." for
    2 different multi-megabyte files. With this change I no longer see the
    corruption.

    Signed-off-by: Eric Sandeen
    Acked-by: Michael Halcrow
    Acked-by: Rik van Riel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 2c679441bc5724cee72d19ad786c03236ad6c68d
Author: Ingo Molnar
Date:   Sun Jul 20 17:24:03 2008 +0200

    x86: fix kernel_physical_mapping_init() for large x86 systems

    based on e22146e610bb7aed63282148740ab1d1b91e1d90 upstream

    Fix bug in kernel_physical_mapping_init() that causes kernel page table
    to be built incorrectly for systems with greater than 512GB of memory.

    Signed-off-by: Jack Steiner
    Cc: linux-mm@kvack.org
    Signed-off-by: Ingo Molnar
    Cc: Oliver Pinter
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 36f11ab7531b470393fee7f4f8be6035c3a75d7b
Author: Steven Toth
Date:   Mon Jul 28 22:01:40 2008 -0400

    DVB: cx23885: SRAM changes for the 885 and 887 silicon parts

    (cherry picked from commit 7e994302ed3fc6d209ce247ad5b6d9c2499bf7c2)

    DVB: cx23885: SRAM changes for the 885 and 887 silicon parts

    In a previous patch I merged both memory maps into a single struct,
    believing that they could be combined. We've since found problems with
    streaming multiple channels on the 885. I'm restoring the multiple
    memory map structs - in line with the windows driver.

    Signed-off-by: Steven Toth
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit a4401924329d5ff3e696d3de00e9277633a28769
Author: Steven Toth
Date:   Mon Jul 28 22:01:38 2008 -0400

    DVB: cx23885: Reallocated the sram to avoid concurrent VIDB/C issues

    (cherry picked from commit d8d12b4367e2e759f65c5f9dcb94d21ec237bbc5)

    DVB: cx23885: Reallocated the sram to avoid concurrent VIDB/C issues

    This may be cx23885 chip specific and may not work on the cx23887.
    Analog and mpeg encoder streaming are still to be tested.

    Signed-off-by: Steven Toth
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit 21eaee6a33f810ae48d643de0a183cce5c07dffa
Author: Steven Toth
Date:   Mon Jul 28 22:01:37 2008 -0400

    DVB: cx23885: DVB Transport cards using DVB port VIDB/TS1 did not stream

    (cherry picked from commit 52ce27bfc4d302a3e28267a5820a8b031ceccee9)

    DVB: cx23885: DVB Transport cards using DVB port VIDB/TS1 did not stream

    Certain DVB cards that have demodulators on TS1/VIDB were not streaming
    packets. This ensures the pin directions on PAD_CTRL are set correctly,
    solving the issue.

    Signed-off-by: Steven Toth
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit d44fda9d047d4b293646b4cb3a0f448a6f07c018
Author: Steven Toth
Date:   Mon Jul 28 22:01:35 2008 -0400

    DVB: cx23885: Ensure PAD_CTRL is always reset to a sensible default

    (cherry picked from commit ecda5966c90746a044ff68e78b1062adcddd9664)

    DVB: cx23885: Ensure PAD_CTRL is always reset to a sensible default

    PAD_CTRL controls TS1 and TS2 input and output states, if the register
    became corrupt the driver was never able to recover.

    Signed-off-by: Steven Toth
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit 307137407be8d4a593f9bebc51693d340969dd46
Author: Steven Toth
Date:   Mon Jul 28 22:01:33 2008 -0400

    V4L: cx23885: Bugfix for concurrent use of /dev/video0 and /dev/video1

    (cherry picked from commit 28901ab621bb56cd2aa9670dc7ce016ba80ec45c)

    V4L: cx23885: Bugfix for concurrent use of /dev/video0 and /dev/video1

    With the HVR1800, trying to use video0 and video1 simultaneously caused
    buffer corruption in the PCIe bridge. This fix reallocates video1
    buffer locations to avoid the issue.

    Signed-off-by: Steven Toth
    Signed-off-by: Michael Krufky
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit b0c31e8936d72641893663c1f16a49d9a34c6d06
Author: Simon Arlott
Date:   Mon Jul 28 22:01:31 2008 -0400

    V4L: saa7134: Copy tuner data earlier to avoid overwriting manual tuner type

    V4L: saa7134: Copy tuner data earlier to avoid overwriting manual tuner type

    (cherry picked from commit d53687d1d22c3204394658a31654de2f1efb0e8f)

    Copy tuner data earlier in init to avoid overwriting manual tuner type

    When saa7134_board_init2 runs, it immediately overwrites the current
    value (set earlier from module parameter) of tuner_type with the static
    values, and then does autodetection.

    This patch moves the tuner_addr copy to earlier in saa7134_initdev and
    removes the tuner_type copy from saa7134_board_init2.

    Autodetection could still potentially change to the wrong tuner type,
    but it is now possible to override the default type for the card again.

    My card's tuner is configured with autodetection from eeprom, so I
    don't need to manually set the tuner. I've checked that the
    autodetection still works for my card.

    Signed-off-by: Simon Arlott
    Reviewed-by: Hermann Pitton
    Cc: Brian Marete
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit aed3f31c8c19d66ccc0fc91561a170cb95fc7d19
Author: Laurent Pinchart
Date:   Mon Jul 21 21:53:49 2008 -0400

    V4L: uvcvideo: Add support for Medion Akoya Mini E1210 integrated webcam

    (cherry picked from commit bdf2fe4a0b9d23e69c77eaec76212216c9a957ef)

    V4L: uvcvideo: Add support for Medion Akoya Mini E1210 integrated webcam

    Signed-off-by: Tim Gardner
    Signed-off-by: Laurent Pinchart
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit dcdc61d2c15e9121550928a1a7dc0cf1616b83fc
Author: Laurent Pinchart
Date:   Mon Jul 21 22:07:22 2008 -0400

    V4L: uvcvideo: Make input device support optional

    (cherry picked from commit 6833c917b4de1757febdbf946d709ece6dc7a86f)

    V4L: uvcvideo: Make input device support optional

    UVC devices can report button events. The uvcvideo driver depends on
    CONFIG_INPUT to report events to the input layer. This patch removes
    the hard dependency by introducing a new
    CONFIG_USB_VIDEO_CLASS_INPUT_EVDEV option.

    Signed-off-by: Laurent Pinchart
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit 9dfab57400864516e63f2c811a194ca78fd01155
Author: Laurent Pinchart
Date:   Mon Jul 21 21:53:47 2008 -0400

    V4L: uvcvideo: Don't free URB buffers on suspend

    (cherry picked from commit e01117c81676dc9897f567e32cdc13a26e85280b)

    V4L: uvcvideo: Don't free URB buffers on suspend.

    All submitted URBs must be killed at suspend time, but URB buffers
    don't have to be freed. Avoiding a free on suspend/reallocate on resume
    lowers the pressure on system memory.

    Signed-off-by: Laurent Pinchart
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit 6c91c4e1fa5e7064de4d7fa0d06eab447078a0e6
Author: Laurent Pinchart
Date:   Mon Jul 21 21:53:46 2008 -0400

    V4L: uvcvideo: Use GFP_NOIO when allocating memory during resume

    (cherry picked from commit 291358785cde5536d98a4f3cae77efd8ca626486)

    V4L: uvcvideo: Use GFP_NOIO when allocating memory during resume

    The swap device might still be asleep, so memory allocated in the
    resume handler must use GFP_NOIO.

    Thanks to Oliver Neukum for catching and reporting this bug.

    Signed-off-by: Laurent Pinchart
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit 3b778ebff0050c61a25279f239c20f77b1b1f3fa
Author: Laurent Pinchart
Date:   Mon Jul 21 21:53:45 2008 -0400

    V4L: uvcvideo: Fix a buffer overflow in format descriptor parsing

    (cherry picked from commit 233548a2fd934a0220db8b1521c0bc88c82e5e53)

    V4L: uvcvideo: Fix a buffer overflow in format descriptor parsing

    Thanks to Oliver Neukum for catching and reporting this bug.

    Signed-off-by: Laurent Pinchart
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit a5cfcdb0c23b817d430d2778332927d8686931d2
Author: Michael Krufky
Date:   Mon Jul 21 21:53:44 2008 -0400

    DVB: dib0700: add support for Hauppauge Nova-TD Stick 52009

    (cherry picked from commit d01eb2dc7d5265ec3bee9ec1b8ab79155e1310d6)

    DVB: dib0700: add support for Hauppauge Nova-TD Stick 52009

    Signed-off-by: Michael Krufky
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit 6c3fe3070af40eec455410623632a9070c7931ab
Author: Hans Verkuil
Date:   Mon Jul 21 21:53:43 2008 -0400

    V4L: cx18: Upgrade to newer firmware & update documentation

    (cherry picked from commit 1a3932e0ed9ca46db2b76ce067e4ebaf04d91ea1)

    V4L: cx18: Upgrade to newer firmware & update cx18 documentation

    Conexant graciously gave us permission to redistribute the firmware.
    Update the documentation where the firmware can be downloaded.

    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Greg Kroah-Hartman

commit 4c9d5d1d231ba0436b95becba6b0ef5d8bced4a2
Author: Pierre Ossman
Date:   Fri Jul 18 19:04:27 2008 -0400

    ALSA: trident - pause s/pdif output

    Commit 981bcead3f2279a1ec6fb5f2c57aff79ed61a700 upstream.

    Stop the S/PDIF DMA engine and output when the device is told to pause.
    It will keep on looping the current buffer contents if this isn't done.

    Signed-off-by: Pierre Ossman
    Tested-by: Rene Herman
    Signed-off-by: Takashi Iwai
    Signed-off-by: Jaroslav Kysela
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit 552e0bfaac56608f37b497db013e9a6d38df1b11
Author: Brice Goglin
Date:   Wed Jul 23 10:16:13 2008 +0200

    myri10ge: do not use mgp->max_intr_slots before loading the firmware

    part of commit 0dcffac1a329be69bab0ac604bf7283737108e68 upstream
    (the upstream multislice patch contains this fix within a large rework
    of the code since there is one rx_done ring per slice.
    The old allocating is replaced by a call to myri10ge_probe_slices())

    Allocating the rx_done ring requires mgp->max_intr_slots to be valid,
    which requires that we already loaded the firmware we are going to use
    with this ring. So move the allocating after myri10ge_load_firmware()
    (but keep it before myri10ge_reset() which already needs the rx_done
    ring).

    It fixes a regression where loading the driver would not appear to do
    anything.

    Regression introduced in 2.6.26-rc3 by commit
    014377a1df693ff30a9e8b69f0bbb0a38e601f75

    Reported and patch tested by Lukas Hejtmanek at
    http://lkml.org/lkml/2008/7/22/305
    Reproduced and patch tested also by me.

    Signed-off-by: Brice Goglin
    Signed-off-by: Greg Kroah-Hartman

commit af30bd03def39b9b9d26780c37ba32d51cad2772
Author: Brice Goglin
Date:   Thu Jul 24 17:53:28 2008 +0200

    myri10ge: do not forget to setup the single slice pointers

    part of commit 0dcffac1a329be69bab0ac604bf7283737108e68 upstream
    (the upstream multislice patch contains the same fix within
    myri10ge_alloc_slices() which does this for every slice)

    Even if we don't have multiple slices in myri10ge in 2.6.26, we already
    use some multislice-aware routines that need the slice state pointers
    to mgp and dev to be valid.

    This patch fixes a regression where configuring the interface up would
    oops in myri10ge_allocate_rings() when using ss->mgp (and later when
    using ss->dev).

    Oops reported and patch tested by Lukas Hejtmanek at
    http://lkml.org/lkml/2008/7/23/101

    Signed-off-by: Brice Goglin
    Signed-off-by: Greg Kroah-Hartman

commit e6fb1df0f6abf3d4aceb5af89c817903bc7f09c6
Author: Kay Sievers
Date:   Wed Jul 23 19:10:09 2008 +0000

    iop-adma: fix platform driver hotplug/coldplug

    commit ebabe2762607147d28aa395ea6df2a0ee7f795a1

    Since 43cc71eed1250755986da4c0f9898f9a635cb3bf, the platform modalias
    is prefixed with "platform:". Add MODULE_ALIAS() to most of the
    hotpluggable platform drivers, to re-enable auto loading.

    Signed-off-by: Kay Sievers
    Signed-off-by: David Brownell
    Signed-off-by: Andrew Morton
    Signed-off-by: Dan Williams
    Signed-off-by: Greg Kroah-Hartman

commit ff7cd39223eb9ce6e668535fcad851ab0ea5876c
Author: David S. Miller
Date:   Mon Jul 21 13:17:38 2008 -0700

    sparc64: Do not define BIO_VMERGE_BOUNDARY.

    [ Upstream commit 74988bd85d1cb97987534fd7ffbc570e81145418 ]

    The IOMMU code and the block layer can split things up using different
    rules, so this can't work reliably.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 548da331d07cc879c529b11f82ecd6d4efea5e73
Author: David S. Miller
Date:   Wed Jul 23 16:21:07 2008 -0700

    sparc64: Fix cpufreq notifier registry.

    [ Upstream commit 7ae93f51d7fa8b9130d47e0b7d17979a165c5bc3 ]

    Based upon a report by Daniel Smolik.

    We do it too early, which triggers a BUG in
    cpufreq_register_notifier().

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit cbbe97a516566c1e8fde1adc035f443c26606d39
Author: David S. Miller
Date:   Tue Jul 22 22:34:29 2008 -0700

    sparc64: Fix lockdep issues in LDC protocol layer.

    [ Upstream commit b7c2a75725dee9b5643a0aae3a4cb47f52e00a49 ]

    We're calling request_irq() with IRQs disabled.

    No straightforward fix exists because we want to enable these IRQs and
    setup state atomically before getting into the IRQ handler the first
    time.

    What happens now is that we mark the VIRQ to not be automatically
    enabled by request_irq(). Then we make explicit enable_irq() calls when
    we grab the LDC channel.

    This way we don't need to call request_irq() illegally under the LDC
    channel lock any more.

    Bump LDC version and release date.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 311fe3736a975517e1e25fa3e5f8625c27afb5f2
Author: David S. Miller
Date:   Fri Jul 25 16:53:38 2008 -0700

    tcp: Clear probes_out more aggressively in tcp_ack().

    [ Upstream commit 4b53fb67e385b856a991d402096379dab462170a ]

    This is based upon an excellent bug report from Eric Dumazet.

    tcp_ack() should clear ->icsk_probes_out even if there are packets
    outstanding. Otherwise if we get a sequence of ACKs while we do have
    packets outstanding over and over again, we'll never clear the
    probes_out value and eventually think the connection is too sick and
    we'll reset it.

    This appears to be some "optimization" added to tcp_ack() in the 2.4.x
    timeframe. In 2.2.x, probes_out is pretty much always cleared by
    tcp_ack().

    Here is Eric's original report:

    ----------------------------------------
    Apparently, we can in some situations reset TCP connections in a couple
    of seconds when some frames are lost.

    In order to reproduce the problem, please try the following program on
    linux-2.6.25.*

    Setup some iptables rules to allow two frames per second sent on
    loopback interface to tcp destination port 12000

    iptables -N SLOWLO
    iptables -A SLOWLO -m hashlimit --hashlimit 2 --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name slow2 -j ACCEPT
    iptables -A SLOWLO -j DROP

    iptables -A OUTPUT -o lo -p tcp --dport 12000 -j SLOWLO

    Then run the attached program and see the output :

    # ./loop
    State Recv-Q Send-Q Local Address:Port Peer Address:Port
    ESTAB 0 40 127.0.0.1:54455 127.0.0.1:12000 timer:(persist,200ms,1)
    State Recv-Q Send-Q Local Address:Port Peer Address:Port
    ESTAB 0 40 127.0.0.1:54455 127.0.0.1:12000 timer:(persist,200ms,3)
    State Recv-Q Send-Q Local Address:Port Peer Address:Port
    ESTAB 0 40 127.0.0.1:54455 127.0.0.1:12000 timer:(persist,200ms,5)
    State Recv-Q Send-Q Local Address:Port Peer Address:Port
    ESTAB 0 40 127.0.0.1:54455 127.0.0.1:12000 timer:(persist,200ms,7)
    State Recv-Q Send-Q Local Address:Port Peer Address:Port
    ESTAB 0 40 127.0.0.1:54455 127.0.0.1:12000 timer:(persist,200ms,9)
    State Recv-Q Send-Q Local Address:Port Peer Address:Port
    ESTAB 0 40 127.0.0.1:54455 127.0.0.1:12000 timer:(persist,200ms,11)
    State Recv-Q Send-Q Local Address:Port Peer Address:Port
    ESTAB 0 40 127.0.0.1:54455 127.0.0.1:12000 timer:(persist,201ms,13)
    State Recv-Q Send-Q Local Address:Port Peer Address:Port
    ESTAB 0 40 127.0.0.1:54455 127.0.0.1:12000 timer:(persist,188ms,15)
    write(): Connection timed out
    wrote 890 bytes but was interrupted after 9 seconds
    ESTAB 0 0 127.0.0.1:12000 127.0.0.1:54455
    Exiting read() because no data available (4000 ms timeout).
    read 860 bytes

    While this tcp session makes progress (sending frames with 50 bytes of
    payload, every 500ms), linux tcp stack decides to reset it, when
    tcp_retries 2 is reached (default value : 15)

    tcpdump :

    15:30:28.856695 IP 127.0.0.1.56554 > 127.0.0.1.12000: S 33788768:33788768(0) win 32792
    15:30:28.856711 IP 127.0.0.1.12000 > 127.0.0.1.56554: S 33899253:33899253(0) ack 33788769 win 32792
    15:30:29.356947 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 1:61(60) ack 1 win 257
    15:30:29.356966 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 61 win 257
    15:30:29.866415 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 61:111(50) ack 1 win 257
    15:30:29.866427 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 111 win 257
    15:30:30.366516 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 111:161(50) ack 1 win 257
    15:30:30.366527 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 161 win 257
    15:30:30.876196 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 161:211(50) ack 1 win 257
    15:30:30.876207 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 211 win 257
    15:30:31.376282 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 211:261(50) ack 1 win 257
    15:30:31.376290 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 261 win 257
    15:30:31.885619 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 261:311(50) ack 1 win 257
    15:30:31.885631 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 311 win 257
    15:30:32.385705 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 311:361(50) ack 1 win 257
    15:30:32.385715 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 361 win 257
    15:30:32.895249 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 361:411(50) ack 1 win 257
    15:30:32.895266 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 411 win 257
    15:30:33.395341 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 411:461(50) ack 1 win 257
    15:30:33.395351 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 461 win 257
    15:30:33.918085 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 461:511(50) ack 1 win 257
    15:30:33.918096 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 511 win 257
    15:30:34.418163 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 511:561(50) ack 1 win 257
    15:30:34.418172 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 561 win 257
    15:30:34.927685 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 561:611(50) ack 1 win 257
    15:30:34.927698 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 611 win 257
    15:30:35.427757 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 611:661(50) ack 1 win 257
    15:30:35.427766 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 661 win 257
    15:30:35.937359 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 661:711(50) ack 1 win 257
    15:30:35.937376 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 711 win 257
    15:30:36.437451 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 711:761(50) ack 1 win 257
    15:30:36.437464 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 761 win 257
    15:30:36.947022 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 761:811(50) ack 1 win 257
    15:30:36.947039 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 811 win 257
    15:30:37.447135 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 811:861(50) ack 1 win 257
    15:30:37.447203 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 861 win 257
    15:30:41.448171 IP 127.0.0.1.12000 > 127.0.0.1.56554: F 1:1(0) ack 861 win 257
    15:30:41.448189 IP 127.0.0.1.56554 > 127.0.0.1.12000: R 33789629:33789629(0) win 0

    Source of program :

    /*
     * small producer/consumer program.
     * setup a listener on 127.0.0.1:12000
     * Forks a child
     *   child connect to 127.0.0.1, and sends 10 bytes on this tcp socket every 100 ms
     * Father accepts connection, and read all data
     */
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <time.h>
    #include <poll.h>

    int port = 12000;
    char buffer[4096];
    int main(int argc, char *argv[])
    {
    	int lfd = socket(AF_INET, SOCK_STREAM, 0);
    	struct sockaddr_in socket_address;
    	time_t t0, t1;
    	int on = 1, sfd, res;
    	unsigned long total = 0;
    	socklen_t alen = sizeof(socket_address);
    	pid_t pid;

    	time(&t0);
    	socket_address.sin_family = AF_INET;
    	socket_address.sin_port = htons(port);
    	socket_address.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    	if (lfd == -1) {
    		perror("socket()");
    		return 1;
    	}
    	setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(int));
    	if (bind(lfd, (struct sockaddr *)&socket_address, sizeof(socket_address)) == -1) {
    		perror("bind");
    		close(lfd);
    		return 1;
    	}
    	if (listen(lfd, 1) == -1) {
    		perror("listen()");
    		close(lfd);
    		return 1;
    	}
    	pid = fork();
    	if (pid == 0) {
    		/* child: connect and write 10 bytes every 100 ms */
    		int i, cfd = socket(AF_INET, SOCK_STREAM, 0);
    		close(lfd);
    		if (connect(cfd, (struct sockaddr *)&socket_address, sizeof(socket_address)) == -1) {
    			perror("connect()");
    			return 1;
    		}
    		for (i = 0 ; ;) {
    			res = write(cfd, "blablabla\n", 10);
    			if (res > 0) total += res;
    			else if (res == -1) {
    				perror("write()");
    				break;
    			} else break;
    			usleep(100000);
    			if (++i == 10) {
    				/* once per second, dump the socket timer state */
    				system("ss -on dst 127.0.0.1:12000");
    				i = 0;
    			}
    		}
    		time(&t1);
    		fprintf(stderr, "wrote %lu bytes but was interrupted after %g seconds\n", total, difftime(t1, t0));
    		system("ss -on | grep 127.0.0.1:12000");
    		close(cfd);
    		return 0;
    	}
    	/* father: accept the connection and read until EOF or a 4 s poll timeout */
    	sfd = accept(lfd, (struct sockaddr *)&socket_address, &alen);
    	if (sfd == -1) {
    		perror("accept");
    		return 1;
    	}
    	close(lfd);
    	while (1) {
    		struct pollfd pfd[1];
    		pfd[0].fd = sfd;
    		pfd[0].events = POLLIN;
    		if (poll(pfd, 1, 4000) == 0) {
    			fprintf(stderr, "Exiting read() because no data available (4000 ms timeout).\n");
    			break;
    		}
    		res = read(sfd, buffer, sizeof(buffer));
    		if (res > 0) total += res;
    		else if (res == 0) break;
    		else perror("read()");
    	}
    	fprintf(stderr, "read %lu bytes\n", total);
    	close(sfd);
    	return 0;
    }
    ----------------------------------------

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit a1ef23ea987127946c23dd8e81594492aa86ab1b
Author: Andrew Morton
Date:   Sun Jul 27 23:55:02 2008 +0000

    ARM: fix fls() for 64-bit arguments

    commit 0c65f459ce6c8bd873a61b3ae1e57858ab1debf3 upstream

    arm's fls() is implemented as a macro, causing it to misbehave when
    passed 64-bit arguments. Fix.

    Cc: Nickolay Vinogradov
    Tested-by: Krzysztof Halasa
    Signed-off-by: Andrew Morton
    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit e79ef8526042738548f883717faa34bc7ea96077
Author: Jan Beulich
Date:   Sun Jul 27 17:30:04 2008 +0000

    vmlinux.lds: move __attribute__((__cold__)) functions back into final .text section

    commit fb5e2b379732e1a6ea32392980bb42e0212db842 upstream

    Due to the addition of __attribute__((__cold__)) to a few symbols
    without adjusting the linker scripts, those symbols currently may end
    up outside the [_stext,_etext) range, as they get placed in
    .text.unlikely by (at least) gcc 4.3.0. This may confuse code not only
    outside of the kernel, symbol_put_addr()'s BUG() could also trigger.
    Hence we need to add .text.unlikely (and for future uses of
    __attribute__((__hot__)) also .text.hot) to the TEXT_TEXT() macro.

    Issue observed by Lukas Lipavsky.

    Signed-off-by: Jan Beulich
    Tested-by: Lukas Lipavsky
    Signed-off-by: Sam Ravnborg
    Signed-off-by: Greg Kroah-Hartman

commit 4e0567d4e581c6193525e0e1c5576e602267614e
Author: David Brownell
Date:   Thu Jul 24 22:05:26 2008 +0000

    rtc-at91rm9200: avoid spurious irqs

    commit 449321b39f6c6ebfa15d6da24f134240bd51db29 upstream

    This fixes kernel http://bugzilla.kernel.org/show_bug.cgi?id=11112
    (bogus RTC update IRQs reported) for rtc-at91rm9200 by scrubbing old
    IRQ status before enabling IRQs.

    It also removes nonfunctional periodic IRQ support from this driver;
    only update IRQs are reported, or provided by the hardware.

    I suspect some other RTCs probably have versions of #11112; it's easy
    to overlook, since most non-RTC drivers don't care about spurious IRQs:
    they're not reported to userspace.

    Signed-off-by: David Brownell
    Report-by: W Unruh
    Cc: Andrew Victor
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 4dd29fcba54bc036c8b702756713e25c089ba07c
Author: Jens Axboe
Date:   Thu Jul 24 22:05:15 2008 +0000

    ide-cd: fix oops when using growisofs

    commit e8e7b9eb11c34ee18bde8b7011af41938d1ad667 upstream

    cdrom_read_capacity() will blindly return the capacity from the device
    without sanity-checking it. This later causes code in fs/buffer.c to
    oops.

    Fix this by checking that the device is telling us sensible things.

    From: Jens Axboe
    Cc: Michael Buesch
    Cc: Jan Kara
    Cc: Arnd Bergmann
    Cc: Borislav Petkov
    Signed-off-by: Andrew Morton
    [bart: print device name instead of driver name]
    Signed-off-by: Bartlomiej Zolnierkiewicz
    [harvey: blocklen is a big-endian value]
    Signed-off-by: Harvey Harrison
    Signed-off-by: Bartlomiej Zolnierkiewicz
    Signed-off-by: Greg Kroah-Hartman

commit 3ce75c55b46c23df8faeba4ad2c2e14dc94ffb16
Author: Jan Kratochvil
Date:   Tue Jul 22 20:55:04 2008 +0000

    x86: fix crash due to missing debugctlmsr on AMD K6-3

    commit d536b1f86591fb081c7a56eab04e711eb4dab951 upstream

    currently if you use PTRACE_SINGLEBLOCK on AMD K6-3 (i586) it will
    crash. Kernel now wrongly assumes existing DEBUGCTLMSR MSR register
    there.

    Removed the assumption also for some other non-K6 CPUs but I am not
    sure there (but it can only bring small inefficiency there if my
    assumption is wrong).

    Based on info from Roland McGrath, Chuck Ebbert and Mikulas Patocka.
    More info at: https://bugzilla.redhat.com/show_bug.cgi?id=456175

    Signed-off-by: Jan Kratochvil
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit d4f3865285ebc54998c341c57498de96f8daf4d0
Author: Miao Xie
Date:   Tue Jul 22 20:05:21 2008 +0000

    cpusets: fix wrong domain attr updates

    commit 91cd4d6ef0abb1f65e81f8fe37e7d3c10344e38c upstream

    Fix wrong domain attr updates, or we will always update the first sched domain attr.

    Signed-off-by: Miao Xie
    Cc: Hidetoshi Seto
    Cc: Paul Jackson
    Cc: Nick Piggin
    Cc: Ingo Molnar
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 81952a2391da91d8ff35c96b31f051f5242dfc1b
Author: Alexey Dobriyan
Date:   Tue Jul 22 20:05:19 2008 +0000

    proc: fix /proc/*/pagemap some more

    commit ee1e6ab6056a8b9c19377257002da98b83819531 upstream

    struct pagemap_walk was placed on stack, some hooks are initialized, the rest (->pgd_entry, ->pud_entry, ->pte_entry) are valid but junk.

    Reported-by: Eric Sesterhenn
    Signed-off-by: Alexey Dobriyan
    Cc: "Vegard Nossum"
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 12b47b11e2cc0fae5ff87d63e455a76d0844fa55
Author: Atsushi Nemoto
Date:   Tue Jul 22 20:05:17 2008 +0000

    Fix build on COMPAT platforms when CONFIG_EPOLL is disabled

    commit 5f17156fc55abac476d180e480bedb0f07f01b14 upstream

    Add missing cond_syscall() entry for compat_sys_epoll_pwait.

    Signed-off-by: Atsushi Nemoto
    Cc: Davide Libenzi
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 6fa4cd9a0ac7d49e525b6941dcf236232bd928dd
Author: Mathieu Desnoyers
Date:   Tue Jul 22 20:05:14 2008 +0000

    markers: fix duplicate modpost entry

    commit: d35cb360c29956510b2fe1a953bd4968536f7216

    When a kernel was rebuilt, the previous Module.markers was not cleared. It caused markers with different format strings to appear as duplicates when a marker was changed.
    This problem is present since scripts/mod/modpost.c started to generate Module.markers, commit b2e3e658b344c6bcfb8fb694100ab2f2b5b2edb0

    It therefore applies to 2.6.25, 2.6.26 and linux-next.

    I merely merged the patches from Roland, Wenji and Takashi here.

    Credits to Roland McGrath, Wenji Huang and Takashi Nishiie for providing the individual fixes.

    - Changelog :
      - Integrated Takashi's Makefile modification to clear Module.markers upon make clean.

    Signed-off-by: Mathieu Desnoyers
    Cc: Roland McGrath
    Cc: Wenji Huang
    Cc: Takashi Nishiie
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 94b73c6791f70cdedd584552d1f2121afee6662d
Author: H. Peter Anvin
Date:   Wed Jul 16 00:55:04 2008 +0200

    x86, suspend, acpi: enter Big Real Mode

    Commit 3bf2e77453a87c22eb57ed4926760ac131c84459 upstream

    x86, suspend, acpi: enter Big Real Mode

    The explanation for recent video BIOS suspend quirk failures is that the VESA BIOS expects to be entered in Big Real Mode (*.limit = 0xffffffff) instead of ordinary Real Mode (*.limit = 0xffff).

    This patch changes the segment descriptors to Big Real Mode instead.

    The segment descriptor registers (what Intel calls "segment cache") are always active. The only thing that changes based on CR0.PE is how it is *loaded* and the interpretation of the CS flags.

    The segment descriptor registers consist of the following sub-registers: selector (the "visible" part), base, limit and flags. In protected mode or long mode, they are loaded from descriptors (or fs.base or gs.base can be manipulated directly in long mode.) In real mode, the only thing changed by a segment register load is the selector and the base, where the base <- selector << 4. In particular, *the limit and the flags are not changed*.

    As far as the handling of the CS flags: a code segment cannot be writable in protected mode, whereas it is "just another segment" in real mode, so there is some kind of quirk that kicks in for this when CR0.PE <- 0.
    I'm not sure if this is accomplished by actually changing the cs.flags register or just changing the interpretation; it might be something that is CPU-specific. In particular, the Transmeta CPUs had an explicit "CS is writable if you're in real mode" override, so even if you had loaded CS with an execute-only segment it'd be writable (but not readable!) on return to real mode. I'm not at all sure if that is how other CPUs behave.

    Signed-off-by: "H. Peter Anvin"
    Signed-off-by: Ingo Molnar

commit d10b263f8e62cda0c3daefa2ebe7e05169d5b7ec
Author: Oliver Neukum
Date:   Mon Jul 21 23:05:03 2008 +0000

    USB: fix usb serial pm counter decrement for disconnected interfaces

    commit 62ad296b6ca78bd123864c138814c0a597873693 upstream

    usb serial decrements the pm counter even if an interface has been disconnected. If it was a logical disconnect the interface may belong already to another driver. This patch introduces a check for disconnected interfaces.

    Signed-off-by: Oliver Neukum
    Signed-off-by: Greg Kroah-Hartman

commit d114d08c5c122f1394692dbfabe9dd34fc249107
Author: Ingo Molnar
Date:   Mon Jul 21 18:30:15 2008 +0000

    x86 reboot quirks: add Dell Precision WorkStation T5400

    commit fab3b58d3b242b5903f78d60d86803a8aecdf6de upstream

    as reported in:

      "reboot=bios is mandatory on Dell T5400 server."
      http://bugzilla.kernel.org/show_bug.cgi?id=11108

    add a DMI reboot quirk.

    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit f26eb5b7962376661e7ddd5c8e7ba3da692b7122
Author: Herton Ronaldo Krzesinski
Date:   Mon Jul 21 18:30:12 2008 +0000

    Fix typos from signal_32/64.h merge

    commit 723edb5060855ef36ddeca51a070784b0e0d16df upstream

    Fallout from commit 33185c504f8e521b398536b5a8d415779a24593c ("x86: merge signal_32/64.h")

    Thanks to Dick Streefland who provided a useful testcase on http://lkml.org/lkml/2008/3/17/205 (only applicable to 2.6.24.x), that helped a lot as a deterministic way to bisect an issue that led to this fix.
    Signed-off-by: Herton Ronaldo Krzesinski
    Signed-off-by: Luiz Fernando N. Capitulino
    Cc: Roland McGrath
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 6c6748b28299ab09172b387c98bb7204e8d043b0
Author: Paul E. McKenney
Date:   Tue Jul 15 21:30:31 2008 +0000

    rcu: fix rcu_try_flip_waitack_needed() to prevent grace-period stall

    commit d7c0651390b6a03ad53f99faec0ba88109d7191d upstream

    The comment was correct -- need to make the code match the comment. Without this patch, if a CPU goes dynticks idle (and stays there forever) in just the right phase of preemptible-RCU grace-period processing, grace periods stall. The offending sequence of events (courtesy of Promela/spin, at least after I got the liveness criterion coded correctly...) is as follows:

    o CPU 0 is in dynticks-idle mode. Its dynticks_progress_counter is (say) 10.

    o CPU 0 takes an interrupt, so rcu_irq_enter() increments CPU 0's dynticks_progress_counter to 11.

    o CPU 1 is doing RCU grace-period processing in rcu_try_flip_idle(), sees rcu_pending(), so invokes dyntick_save_progress_counter(), which in turn takes a snapshot of CPU 0's dynticks_progress_counter into CPU 0's rcu_dyntick_snapshot -- now set to 11. CPU 1 then updates the RCU grace-period state to rcu_try_flip_waitack().

    o CPU 0 returns from its interrupt, so rcu_irq_exit() increments CPU 0's dynticks_progress_counter to 12.

    o CPU 1 later invokes rcu_try_flip_waitack(), which notices that CPU 0 has not yet responded, and hence in turn invokes rcu_try_flip_waitack_needed(). This function examines the state of CPU 0's dynticks_progress_counter and rcu_dyntick_snapshot variables, which it copies to curr (== 12) and snap (== 11), respectively. Because curr!=snap, the first condition fails. Because curr-snap is only 1 and snap is odd, the second condition fails. rcu_try_flip_waitack_needed() therefore incorrectly concludes that it must wait for CPU 0 to explicitly acknowledge the counter flip.
    o CPU 0 remains forever in dynticks-idle mode, never taking any more hardware interrupts or any NMIs, and never running any more tasks. (Of course, -something- will usually eventually happen, which might be why we haven't seen this one in the wild. Still should be fixed!)

    Therefore the grace period never ends. Fix is to make the code match the comment, as shown below. With this fix, the above scenario would be satisfied with curr being even, and allow the grace period to proceed.

    Signed-off-by: Paul E. McKenney
    Cc: Peter Zijlstra
    Cc: Josh Triplett
    Cc: Dipankar Sarma
    Signed-off-by: Andrew Morton
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit a6f625f6615eb006810ec6ab8c836da5123c2002
Author: Roland McGrath
Date:   Mon Jul 14 21:05:12 2008 +0000

    Patch Upstream: x86 ptrace: fix PTRACE_GETFPXREGS error

    commit 45fdc3a7624a4a48185a04ae0abab5f9793d8952 upstream

    ptrace has always returned only -EIO for all failures to access registers. The user_regset calls are allowed to return a more meaningful variety of errors. The REGSET_XFP calls use -ENODEV for !cpu_has_fxsr hardware. Make ptrace return the traditional -EIO instead of the error code from the user_regset call.

    Signed-off-by: Roland McGrath
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 8c5a4a12d8d5bf025a09a576a0b5c62e0167423c
Author: Avi Kivity
Date:   Wed Jul 23 11:43:43 2008 +0300

    KVM: MMU: Fix potential race setting upper shadow ptes on nonpae hosts

    Original-Commit-Hash: c23a6fe17abf8562e675465f8d55ba1a551d314d

    The direct mapped shadow code (used for real mode and two dimensional paging) sets upper-level ptes using direct assignment rather than calling set_shadow_pte(). A nonpae host will split this into two writes, which opens up a race if another vcpu accesses the same memory area.

    Fix by calling set_shadow_pte() instead of assigning directly.

    Noticed by Izik Eidus.
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit c857ebba6025350232c87d89e459338f139a50ab
Author: Marcelo Tosatti
Date:   Wed Jul 23 11:43:42 2008 +0300

    KVM: MMU: nuke shadowed pgtable pages and ptes on memslot destruction

    Original-Commit-Hash: 3cc312f03e06a8fa39ecb4cc0189efc2bd888899

    Flush the shadow mmu before removing regions to avoid stale entries.

    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 205cb93409b6c0d6e66cce8fdf5eef8744d687eb
Author: Mohammed Gamal
Date:   Wed Jul 23 11:43:41 2008 +0300

    KVM: x86 emulator: Fix HLT instruction

    Original-Commit-Hash: bcc542267538e9ba933d08b4cd4ebd796e03a3d7

    This patch fixes an issue encountered with the HLT instruction under FreeDOS's HIMEM XMS Driver.

    The HLT instruction jumped directly to the done label and skips updating the EIP value, therefore causing the guest to spin endlessly on the same instruction.

    The patch changes the instruction so that it writes back the updated EIP value.

    Signed-off-by: Mohammed Gamal
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 5c9e0efda1c7a7a96614cffa9a5ba33f21ac7599
Author: Sheng Yang
Date:   Wed Jul 23 11:43:40 2008 +0300

    KVM: VMX: Add ept_sync_context in flush_tlb

    Original-Commit-Hash: 73f785350b92e1a3af945340f7d10f3978193cba

    Fix a potential issue caused by kvm_mmu_slot_remove_write_access(). The old behavior doesn't sync EPT TLB with modified EPT entry, which results in inconsistent content of EPT TLB and EPT table.

    Signed-off-by: Sheng Yang
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit b1e0349e2d6a5cb63467ea848ae4f1df095b79d0
Author: Marcelo Tosatti
Date:   Wed Jul 23 11:43:39 2008 +0300

    KVM: mmu_shrink: kvm_mmu_zap_page requires slots_lock to be held

    Original-Commit-Hash: 64f6a0c041bd8fc100a0d655058bdbc31feda03c

    kvm_mmu_zap_page() needs slots lock held (rmap_remove->gfn_to_memslot, for example).

    Since kvm_lock spinlock is held in mmu_shrink(), do a non-blocking down_read_trylock().

    Untested.
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 88532fcf5415e2a895587f3330a4abbbc81e4c00
Author: Joerg Roedel
Date:   Wed Jul 23 11:43:38 2008 +0300

    KVM: SVM: fix suspend/resume support

    Original-Commit-Hash: ab6267b708bec563891294488f2e854be404bdaf

    On suspend the svm_hardware_disable function is called which frees all svm_data variables. On resume they are not re-allocated. This patch removes the deallocation of svm_data from the hardware_disable function to the hardware_unsetup function which is not called on suspend.

    Signed-off-by: Joerg Roedel
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 82506d9bdf48fd15af526cc5c5518d9a1cda117e
Author: Sheng Yang
Date:   Wed Jul 23 11:43:37 2008 +0300

    KVM: VMX: Fix a wrong usage of vmcs_config

    Original-Commit-Hash: 406046a9638a455876b030853862e576a4378d29

    The function ept_update_paging_mode_cr0() writes to CPU_BASED_VM_EXEC_CONTROL based on vmcs_config.cpu_based_exec_ctrl. That's wrong because the variable may not be consistent with the content in the CPU_BASE_VM_EXEC_CONTROL MSR.

    Signed-off-by: Sheng Yang
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit c7cc70b61a1cabaf4c51b0324638042f706665d6
Author: Adam Greenblatt
Date:   Fri Jul 25 18:15:11 2008 +0000

    isofs: fix minor filesystem corruption

    commit c0a1633b6201ef79e31b7da464d44fdf5953054d upstream

    Some iso9660 images contain files with rockridge data that is either incorrect or incompletely parsed. Prior to commit f2966632a134e865db3c819346a1dc7d96e05309 ("[PATCH] rock: handle directory overflows") (included with kernel 2.6.13) the kernel ignored the rockridge data for these files, while still allowing the files to be accessed under their non-rockridge names. That commit inadvertently changed things so that files with invalid rockridge data could not be accessed at all.
    (I ran across the problem when comparing some old CDs with hard disk copies I had made long ago under kernel 2.4: a few of the files on the hard disk copies were no longer visible on the CDs.)

    This change reverts to the pre-2.6.13 behavior.

    Signed-off-by: Adam Greenblatt
    Reviewed-by: Pekka Enberg
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 6b918773965623828a8662cba0305e8f58010f03
Author: Jan Kara
Date:   Fri Jul 25 18:15:07 2008 +0000

    quota: fix possible infinite loop in quota code

    commit b48d380541f634663b71766005838edbb7261685 upstream

    When quota structure is going to be dropped and it is dirty, quota code tries to write it. If the write fails for some reason (e. g. transaction cannot be started because the journal is aborted), we try writing again and again and again... Fix the problem by clearing the dirty bit even if the write failed.

    (akpm: for 2.6.27, 2.6.26.x and 2.6.25.x)

    Signed-off-by: Jan Kara
    Reviewed-by: dingdinghua
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 5f817e2b6d8d2dd972f4746faf20191fef7b08c6
Author: Micah Dowty
Date:   Wed Jul 23 23:46:31 2008 -0700

    hdlcdrv: Fix CRC calculation.

    [ Upstream commit ae6134bdf3197206fba95563d755d2fa50d90ddd ]

    This is a trivial patch against the hdlcdrv module that fixes its CRC calculation. The finished CRC was overwriting the first two bytes of each packet rather than being appended to the end.

    I've tested this with 2.6.8 and 2.6.10-rc1, but hdlcdrv hasn't changed much recently so it should work with many other kernel versions.

    Signed-off-by: Micah Dowty
    Acked-by: Thomas Sailer
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 75a3a96582f61c294fe18baffde575972ebdc24b
Author: David S. Miller
Date:   Wed Jul 23 23:49:26 2008 -0700

    ipv6: __KERNEL__ ifdef struct ipv6_devconf

    [ Upstream commit ebb36a978131810c98e7198b1187090c697cf99f ]

    Based upon a report by Olaf Hering.
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 579effcc0cdade7a32e85e3ab92f16622bf5b625
Author: Stephen Hemminger
Date:   Thu Jul 24 00:28:07 2008 -0700

    ipv6: use timer pending

    [ Upstream commit 847499ce71bdcc8fc542062df6ebed3e596608dd ]

    This fixes the bridge reference count problem and cleans up ipv6 FIB timer management. Don't use expires field, because it is not a proper way to test, instead use timer_pending().

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 5844cdf899519b1d9eff33fea3a9fe6d06f6d0b5
Author: Gerrit Renker
Date:   Thu Jul 24 00:11:56 2008 -0700

    udplite: Protection against coverage value wrap-around

    [ Upstream commit 47112e25da41d9059626033986dc3353e101f815 ]

    This patch clamps the cscov setsockopt values to a maximum of 0xFFFF.

    Setsockopt values greater than 0xffff can cause an unwanted wrap-around. Further, IPv6 jumbograms are not supported (RFC 3838, 3.5), so that values greater than 0xffff are not even useful.

    Further changes: fixed a typo in the documentation.

    Signed-off-by: Gerrit Renker
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit a51ea045643d14c24aebc817e54c61ebd53c35f9
Author: Karl Beldan
Date:   Wed Jul 16 18:29:11 2008 +0200

    pxamci: trivial fix of DMA alignment register bit clearing

    commit 4fe16897c59882420d66f2d503106653d026ed6c upstream

    Signed-off-by: Karl Beldan
    Acked-by: Eric Miao
    Signed-off-by: Pierre Ossman
    Signed-off-by: Greg Kroah-Hartman
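Added example, not part of the changelog and not the kernel's code: the wrap-around that the udplite commit (5844cdf8...) above guards against, shown as a user-space model. The 16-bit storage width and the function names are assumptions made for illustration; only the 0xFFFF maximum comes from the commit message.

```c
#include <stdint.h>
#include <stdio.h>

/* Maximum coverage value named in the commit message. */
#define CSCOV_MAX 0xFFFFu

/*
 * Before the fix (modelled): the value passed to setsockopt() is stored
 * straight into a 16-bit coverage field (width assumed here), so the
 * upper bits are silently dropped.
 */
static uint16_t store_cscov_unclamped(unsigned int val)
{
    return (uint16_t)val;           /* 0x10008 becomes 0x0008 */
}

/*
 * After the fix (modelled): anything above 0xFFFF is clamped to 0xFFFF
 * before it is stored, so a large request stays large.
 */
static uint16_t store_cscov_clamped(unsigned int val)
{
    if (val > CSCOV_MAX)
        val = CSCOV_MAX;
    return (uint16_t)val;
}

/* 1 when the stored coverage is smaller than what the caller asked for
 * and the loss is caused by truncation rather than by the clamp. */
static int coverage_wrapped(unsigned int requested, uint16_t stored)
{
    return requested > CSCOV_MAX && stored != CSCOV_MAX;
}

int main(void)
{
    /* Constructed sample requests, including values just past 16 bits. */
    const unsigned int samples[] = { 8, 20, 0xFFFF, 0x10000, 0x10008, 0x7FFFFFFF };
    size_t i;

    printf("%-12s %-12s %-12s %s\n", "requested", "unclamped", "clamped", "wrapped?");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint16_t before = store_cscov_unclamped(samples[i]);
        uint16_t after  = store_cscov_clamped(samples[i]);

        printf("%-12u %-12u %-12u %s\n", samples[i],
               (unsigned)before, (unsigned)after,
               coverage_wrapped(samples[i], before) ? "yes" : "no");
    }
    return 0;
}
```

In the unclamped column a request of 0x10008 is stored as 8, so an application that asked for more checksum coverage than a datagram can hold ends up with far less than it intended; the clamped column keeps it at the maximum.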
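Added example, not part of the changelog and not the kernel's code: a single-threaded replay of the event sequence in the rcu_try_flip_waitack_needed() commit (6c6748b2...) above, with the decision before and after the fix. The struct and helper names are hypothetical; the evenness test in the first condition and the "> 2" threshold in the second are assumptions, since the message only says which conditions fail for curr == 12, snap == 11.

```c
#include <stdio.h>

/* CPU 0's state, using the variable names from the commit message. */
struct cpu_dyn {
    long dynticks_progress_counter; /* even while dynticks-idle in the scenario */
    long rcu_dyntick_snapshot;
};

/* Each interrupt entry and exit increments the counter, as in the message. */
static void irq_enter(struct cpu_dyn *c) { c->dynticks_progress_counter++; }
static void irq_exit(struct cpu_dyn *c)  { c->dynticks_progress_counter++; }

/* CPU 1 snapshots CPU 0's counter during grace-period processing. */
static void save_progress_counter(struct cpu_dyn *c)
{
    c->rcu_dyntick_snapshot = c->dynticks_progress_counter;
}

/* Returns 1 when CPU 1 must wait for an explicit acknowledgement.
 * test_curr == 0: second condition tests snap (pre-fix behaviour).
 * test_curr == 1: second condition tests curr (post-fix behaviour). */
static int waitack_needed(const struct cpu_dyn *c, int test_curr)
{
    long curr = c->dynticks_progress_counter;
    long snap = c->rcu_dyntick_snapshot;

    /* First condition: idle the whole time (evenness test assumed). */
    if (curr == snap && (curr & 1) == 0)
        return 0;
    /* Second condition: passed through or entered idle since the snapshot. */
    if (curr - snap > 2 || ((test_curr ? curr : snap) & 1) == 0)
        return 0;
    return 1;
}

/* Replays the sequence: idle at 10, irq entry, snapshot, irq exit. */
static struct cpu_dyn replay_scenario(void)
{
    struct cpu_dyn cpu0 = { 10, 0 };

    irq_enter(&cpu0);               /* counter: 11 */
    save_progress_counter(&cpu0);   /* snapshot: 11 */
    irq_exit(&cpu0);                /* counter: 12, CPU 0 idle again */
    return cpu0;
}

static int scenario_waits_before_fix(void)
{
    struct cpu_dyn c = replay_scenario();
    return waitack_needed(&c, 0);
}

static int scenario_waits_after_fix(void)
{
    struct cpu_dyn c = replay_scenario();
    return waitack_needed(&c, 1);
}

/* Control case: CPU 0 is still inside the interrupt handler (11/11),
 * so an acknowledgement really is required either way. */
static int in_irq_waits(int test_curr)
{
    struct cpu_dyn c = { 11, 11 };
    return waitack_needed(&c, test_curr);
}

int main(void)
{
    printf("before fix: wait=%d (CPU 0 never acks, grace period stalls)\n",
           scenario_waits_before_fix());
    printf("after fix:  wait=%d (curr is even, grace period proceeds)\n",
           scenario_waits_after_fix());
    printf("still in irq: wait=%d\n", in_irq_waits(1));
    return 0;
}
```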