commit 5a608116a56a9d8aee95a14856c8ff82b730e78f
Author: Greg Kroah-Hartman
Date:   Mon Sep 8 04:44:46 2008 -0700

    Linux 2.6.26.4

commit a52f94cf0b2a82420921257f97674756adb9c760
Author: Tejun Heo
Date:   Wed Aug 13 20:24:16 2008 +0900

    sata_mv: don't issue two DMA commands concurrently

    commit 4bdee6c5103696a2729d3db2f235d202191788e4 upstream

    sata_mv allowed issuing two DMA commands concurrently which the
    hardware allows. Unfortunately, libata core layer isn't ready for
    this yet and spews ugly warning message and malfunctions on this.
    Don't allow concurrent DMA commands for now.

    Signed-off-by: Tejun Heo
    Signed-off-by: Jeff Garzik
    Cc: Martin Michlmayr
    Cc: Mark Lord
    Cc: Artem Bokhan
    Signed-off-by: Greg Kroah-Hartman

commit b6908a04c2ad87725659a1df481921891e3516bc
Author: Avi Kivity
Date:   Tue Aug 26 11:05:28 2008 +0300

    KVM: MMU: Fix torn shadow pte

    (cherry picked from commit cd5998ebfbc9e6cb44408efa217c15d7eea13675)

    The shadow code assigns a pte directly in one place, which is
    nonatomic on i386 and can cause random memory references. Fix by
    using an atomic setter.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 06a27e265d6be92db8ef6e4abbef33c45453b2cb
Author: Ingo Molnar
Date:   Tue Sep 2 17:54:10 2008 -0700

    x86: work around MTRR mask setting, v2

    commit 9754a5b840a209bc1f192d59f63e81b698a55ac8 upstream

    x86: work around MTRR mask setting, v2

    improve the debug printout:

     - make it actually display something
     - print it only once

    would be nice to have a WARN_ONCE() facility, to feed such things to
    kerneloops.org.

    Signed-off-by: Ingo Molnar
    Cc: Yinghai Lu
    Signed-off-by: Greg Kroah-Hartman

commit ee69675af511022b8a324c4a208a91f901f0a6c4
Author: J. Bruce Fields
Date:   Mon Sep 1 14:51:02 2008 -0400

    nfsd: fix buffer overrun decoding NFSv4 acl

    commit 91b80969ba466ba4b915a4a1d03add8c297add3f upstream

    The array we kmalloc() here is not large enough.

    Thanks to Johann Dahm and David Richter for bug report and testing.

    Signed-off-by: J. Bruce Fields
    Cc: David Richter
    Tested-by: Johann Dahm
    Signed-off-by: Greg Kroah-Hartman

commit 94d5272a13ad73b0960826c61f3944cf7eb7286a
Author: Cyrill Gorcunov
Date:   Mon Sep 1 14:51:01 2008 -0400

    sunrpc: fix possible overrun on read of /proc/sys/sunrpc/transports

    commit 27df6f25ff218072e0e879a96beeb398a79cdbc8 upstream

    Vegard Nossum reported
    ----------------------
    > I noticed that something weird is going on with /proc/sys/sunrpc/transports.
    > This file is generated in net/sunrpc/sysctl.c, function proc_do_xprt(). When
    > I "cat" this file, I get the expected output:
    >    $ cat /proc/sys/sunrpc/transports
    >    tcp 1048576
    >    udp 32768
    > But I think that it does not check the length of the buffer supplied by
    > userspace to read(). With my original program, I found that the stack was
    > being overwritten by the characters above, even when the length given to
    > read() was just 1.

    David Wagner added (among other things) that copy_to_user could be
    probably used here.

    Ingo Oeser suggested to use simple_read_from_buffer() here.

    The conclusion is that proc_do_xprt doesn't check for userside buffer
    size indeed so fix this by using Ingo's suggestion.

    Reported-by: Vegard Nossum
    Signed-off-by: Cyrill Gorcunov
    CC: Ingo Oeser
    Cc: Neil Brown
    Cc: Chuck Lever
    Cc: Greg Banks
    Cc: Tom Tucker
    Signed-off-by: J. Bruce Fields
    Signed-off-by: Greg Kroah-Hartman

commit b815a62f9cc72aeda7c49187451bcfbb7800c067
Author: Francois Romieu
Date:   Thu Aug 28 22:55:33 2008 +0200

    r8169: balance pci_map / pci_unmap pair

    commit a866bbf6aacf95f849810079442a20be118ce905 upstream

    The leak hurts with swiotlb and jumbo frames.

    Fix http://bugzilla.kernel.org/show_bug.cgi?id=9468.

    Heavily hinted by Ilpo Järvinen.

    Signed-off-by: Francois Romieu
    Tested-by: Alistair John Strachan
    Tested-by: Timothy J Fontaine
    Cc: Edward Hsu
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit a5096008726d745ff5b85bc9cc9b7e14c83d9be7
Author: Matt Carlson
Date:   Fri Aug 15 14:10:04 2008 -0700

    tg3: Fix firmware event timeouts

    patch 4ba526ced990f4d61ee8d65fe8a6f0745e8e455c upstream

    The git commit 7c5026aa9b81dd45df8d3f4e0be73e485976a8b6
    ("tg3: Add link state reporting to UMP firmware") introduced code
    that waits for previous firmware events to be serviced before
    attempting to submit a new event. Unfortunately that patch contained
    a bug that caused the driver to wait 2.5 seconds, rather than 2.5
    milliseconds as intended. This patch fixes that bug.

    This bug revealed that not all firmware versions service driver
    events though. Since we do not know which versions of the firmware do
    and don't service these events, the driver needs some way to minimize
    the effects of the delay. This patch solves the problem by recording
    a jiffies timestamp when it submits an event to the hardware. If the
    jiffies counter shows that 2.5 milliseconds have already passed, a
    wait is not needed and the driver can proceed to submit a new event.

    Signed-off-by: Matt Carlson
    Signed-off-by: Michael Chan
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 78ecd7a96dbacf8a2a2b1fbf336507886d025a3d
Author: Herbert Xu
Date:   Sat Aug 23 09:36:17 2008 +1000

    crypto: authenc - Avoid using clobbered request pointer

    crypto: authenc - Avoid using clobbered request pointer

    [ Upstream commit: a697690bece75d4ba424c1318eb25c37d41d5829 ]

    Authenc works in two stages for encryption, it first encrypts and
    then computes an ICV. The context memory of the request is used
    by both operations. The problem is that when an asynchronous
    encryption completes, we will compute the ICV and then reread the
    context memory of the encryption to get the original request.

    It just happens that we have a buffer of 16 bytes in front of the
    request pointer, so ICVs of 16 bytes (such as SHA1) do not trigger
    the bug. However, any attempt to use a larger ICV instantly kills
    the machine when the first asynchronous encryption is completed.

    This patch fixes this by saving the request pointer before we start
    the ICV computation.

    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit c5b15cb1787f1dfb3741396779986d5653400eba
Author: David S. Miller
Date:   Wed Sep 3 01:21:23 2008 -0700

    sparc64: Fix cmdline_memory_size handling bugs.

    [ Upstream commit f2b6079464fc73cf12f08248180a618f05033a70 ]

    First, lmb_enforce_memory_limit() interprets its argument
    (mostly, heh) as a size limit not an address limit. So pass
    the raw cmdline_memory_size value into it. And we don't
    need to check it against zero, lmb_enforce_memory_limit() does
    that for us.

    Next, free_initmem() needs special handling when the kernel
    command line trims the available memory. The problem case is
    if the trimmed out memory is where the kernel image itself
    resides.

    When that memory is trimmed out, we don't add those physical
    ram areas to the sparsemem active ranges, amongst other things.
    Which means that this free_initmem() code will free up invalid
    page structs, resulting in either crashes or hangs.

    Just quick fix this by not freeing initmem at all if "mem="
    was given on the boot command line.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 5d77cfb999845251dd6271b0e3ccf89eba26b3e2
Author: David S. Miller
Date:   Wed Sep 3 01:20:37 2008 -0700

    sparc64: Fix overshoot in nid_range().

    [ Upstream commit c918dcce92f76bb9903e4d049f4780bad384c207 ]

    If 'start' does not begin on a page boundary, we can overshoot
    past 'end'.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 464f8f4932d128a3e80402ec85d7c40c1f5e6899
Author: David S. Miller
Date:   Wed Sep 3 01:03:39 2008 -0700

    ipsec: Fix deadlock in xfrm_state management.

    [ Upstream commit 37b08e34a98c664bea86e3fae718ac45a46b7276 ]

    Ever since commit 4c563f7669c10a12354b72b518c2287ffc6ebfb3
    ("[XFRM]: Speed up xfrm_policy and xfrm_state walking") it is
    illegal to call __xfrm_state_destroy (and thus xfrm_state_put())
    with xfrm_state_lock held. If we do, we'll deadlock since we
    have the lock already and __xfrm_state_destroy() tries to take
    it again.

    Fix this by pushing the xfrm_state_put() calls after the lock
    is dropped.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit ff134d489673b3d678d313e8dddae24c05eb0291
Author: Vlad Yasevich
Date:   Wed Sep 3 01:02:37 2008 -0700

    sctp: fix random memory dereference with SCTP_HMAC_IDENT option.

    [ Upstream commit d97240552cd98c4b07322f30f66fd9c3ba4171de ]

    The number of identifiers needs to be checked against the option
    length. Also, the identifier index provided needs to be verified
    to make sure that it doesn't exceed the bounds of the array.

    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 53144b419e176e51157f6b9fc651ab9e733cb000
Author: Vlad Yasevich
Date:   Wed Sep 3 01:02:19 2008 -0700

    sctp: correct bounds check in sctp_setsockopt_auth_key

    [ Upstream commit 328fc47ea0bcc27d9afa69c3ad6e52431cadd76c ]

    The bounds check to prevent buffer overflow was not exactly
    right. It still allowed overflow of up to 8 bytes which is
    sizeof(struct sctp_authkey).

    Since optlen is already checked against the size of that struct,
    we are guaranteed not to cause integer overflow either.

    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 97348238e1f470b200d4b810becaaa4147c6db51
Author: David S. Miller
Date:   Wed Sep 3 01:01:01 2008 -0700

    net: Unbreak userspace which includes linux/mroute.h

    [ Upstream commit 7c19a3d280297d43ef5ff7c6b205dc208a16d3d1 ]

    This essentially reverts two commits:

    1) 2e8046271f68198dd37451017c1a4a2432e4ec68 ("[IPV4] MROUTE: Move PIM
       definitions to .")

    and

    2) 80a9492a33dd7d852465625022d56ff76d62174d ("[IPV4] MROUTE: Adjust
       include files for user-space.")

    which broke userspace, in particular the XORP build as reported by
    Jose Calhariz, the Debian package maintainer for XORP.

    Nothing originally in linux/mroute.h was exported to userspace
    ever, but some of this stuff started to be when it was moved into
    this new linux/pim.h, and that was wrong. If we didn't provide these
    definitions for 10 years we can reasonably expect that applications
    defined this stuff locally or used GLIBC headers providing the
    protocol definitions. And as such the only result of this can
    be conflict and userland build breakage.

    The commit #1 had such a short and terse commit message, that we
    cannot even know why such a move and set of new userland exports were
    even made.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit cb09de4542ad75cc3b66d0cf1a86217bf5633416
Author: Thomas Graf
Date:   Wed Sep 3 01:00:02 2008 -0700

    sch_prio: Fix nla_parse_nested_compat() regression

    [ No upstream commit, this is fixing code no longer in 2.6.27 ]

    nla_parse_nested_compat() was used to parse two different message
    formats in the netem and prio qdisc, when it was "fixed" to work
    with netem, it broke the multi queue support in the prio qdisc.
    Since the prio qdisc code in question is already removed in the
    development tree, this patch only fixes the regression in the
    stable tree.

    Based on original patch from Alexander H Duyck

    Signed-off-by: Thomas Graf
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit e2ab3da38b46f4f1389f18c7cd4a9a71ceac0bc6
Author: Vlad Yasevich
Date:   Wed Aug 27 22:41:52 2008 -0700

    sctp: add verification checks to SCTP_AUTH_KEY option

    [ Upstream commit 30c2235cbc477d4629983d440cdc4f496fec9246 ]

    The structure used for SCTP_AUTH_KEY option contains a
    length that needs to be verified to prevent buffer overflow
    conditions. Spotted by Eugene Teo.

    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Acked-by: Eugene Teo
    Signed-off-by: Greg Kroah-Hartman

commit be9467bd75b522a3db0369c12db739f797cfec6a
Author: Vlad Yasevich
Date:   Wed Aug 27 22:41:00 2008 -0700

    sctp: fix potential panics in the SCTP-AUTH API.

    [ Upstream commit 5e739d1752aca4e8f3e794d431503bfca3162df4 ]

    All of the SCTP-AUTH socket options could cause a panic
    if the extension is disabled and the API is invoked.

    Additionally, there were some additional assumptions that
    certain pointers would always be valid which may not
    always be the case.

    This patch hardens the API and addresses all of the crash
    scenarios.

    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d01885e51bf577745ba935c70b55fe1405d6b632
Author: Herbert Xu
Date:   Wed Aug 27 22:40:04 2008 -0700

    udp: Drop socket lock for encapsulated packets

    [ Upstream commit d97106ea52aa57e63ff40d04479016836bbb5a4e ]

    The socket lock is there to protect the normal UDP receive path.
    Encapsulation UDP sockets don't need that protection. In fact
    the locking is deadly for them as they may contain another UDP
    packet within, possibly with the same addresses.

    Also the nested bit was copied from TCP. TCP needs it because
    of accept(2) spawning sockets. This simply doesn't apply to UDP
    so I've removed it.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 4cd12f888ddb3a535ca34104593a0a62724ab104
Author: Jamal Hadi Salim
Date:   Wed Aug 27 22:38:11 2008 -0700

    pkt_sched: Fix actions referencing

    [ Upstream commit 76aab2c1eae491a5d73ac83deec97dd28ebac584 ]

    When an action is added several times with the same exact index
    it gets deleted on every even-numbered attempt.
    This fixes that issue.

    Signed-off-by: Jamal Hadi Salim
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 685f605a498b73759cbcbc816089e804710fcc48
Author: David S. Miller
Date:   Wed Aug 27 22:35:56 2008 -0700

    pkt_sched: Fix return value corruption in HTB and TBF.

    [ Upstream commit 69747650c814a8a79fef412c7416adf823293a3e ]

    Based upon a bug report by Josip Rodin.

    Packet schedulers should only return NET_XMIT_DROP iff
    the packet really was dropped. If the packet does reach
    the device after we return NET_XMIT_DROP then TCP can
    crash because it depends upon the enqueue path return
    values being accurate.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 7b29aece66858d8ee1fb10ca413fda072bfa74b6
Author: Brian Haley
Date:   Wed Aug 27 22:30:52 2008 -0700

    netns: Add network namespace argument to rt6_fill_node() and ipv6_dev_get_saddr()

    [ Upstream commit 191cd582500f49b32a63040fedeebb0168c720af ]

    ipv6_dev_get_saddr() blindly de-references dst_dev to get the network
    namespace, but some callers might pass NULL. Change callers to pass a
    namespace pointer instead.

    Signed-off-by: Brian Haley
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 2b02f3dddb2b9df4aed0758f36729d0a5c3bcede
Author: Brian Haley
Date:   Wed Aug 27 22:30:08 2008 -0700

    ipv6: Fix OOPS, ip -f inet6 route get fec0::1, linux-2.6.26, ip6_route_output, rt6_fill_node+0x175

    [ Upstream commit 5e0115e500fe9dd2ca11e6f92db9123204f1327a ]

    Alexey Dobriyan wrote:
    > On Thu, Aug 07, 2008 at 07:00:56PM +0200, John Gumb wrote:
    >> Scenario: no ipv6 default route set.
    >
    >> # ip -f inet6 route get fec0::1
    >>
    >> BUG: unable to handle kernel NULL pointer dereference at 00000000
    >> IP: [] rt6_fill_node+0x175/0x3b0
    >> EIP is at rt6_fill_node+0x175/0x3b0
    >
    > 0xffffffff80424dd3 is in rt6_fill_node (net/ipv6/route.c:2191).
    > 2186 } else
    > 2187 #endif
    > 2188 NLA_PUT_U32(skb, RTA_IIF, iif);
    > 2189 } else if (dst) {
    > 2190 struct in6_addr saddr_buf;
    > 2191 ====> if (ipv6_dev_get_saddr(ip6_dst_idev(&rt->u.dst)->dev,
    > ^^^^^^^^^^^^^^^^^^^^^^^^
    > NULL
    >
    > 2192 dst, 0, &saddr_buf) == 0)
    > 2193 NLA_PUT(skb, RTA_PREFSRC, 16, &saddr_buf);
    > 2194 }

    The commit that changed this can't be reverted easily, but the patch
    below works for me.

    Fix NULL de-reference in rt6_fill_node() when there's no IPv6 input
    device present in the dst entry.

    Signed-off-by: Brian Haley
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit e7ac1b6acc86edf3b0d78647a452636aa2e77f41
Author: Ralf Baechle
Date:   Wed Aug 27 22:28:53 2008 -0700

    AX.25: Fix sysctl registration if !CONFIG_AX25_DAMA_SLAVE

    [ Upstream commit ffb208479bd62ab26c29a242faeb1de1c6d5fcdc ]

    Since 49ffcf8f99e8d33ec8afb450956804af518fd788 ("sysctl: update
    sysctl_check_table") setting struct ctl_table.procname = NULL does no
    longer work as it used to the way the AX.25 code is expecting it to
    resulting in the AX.25 sysctl registration code to break if
    CONFIG_AX25_DAMA_SLAVE was not set as in some distribution kernels.
    Kernel releases from 2.6.24 are affected.

    Signed-off-by: Ralf Baechle
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 6fcf36152391ff2efe2d8ed84769090a0bb0d432
Author: Adam Litke
Date:   Wed Sep 3 02:35:08 2008 +0000

    mm: make setup_zone_migrate_reserve() aware of overlapping nodes

    commit 344c790e3821dac37eb742ddd0b611a300f78b9a upstream

    I have gotten to the root cause of the hugetlb badness I reported back
    on August 15th. My system has the following memory topology (note the
    overlapping node):

        Node 0 Memory: 0x8000000-0x44000000
        Node 1 Memory: 0x0-0x8000000 0x44000000-0x80000000

    setup_zone_migrate_reserve() scans the address range 0x0-0x8000000
    looking for a pageblock to move onto the MIGRATE_RESERVE list.
    Finding no candidates, it happily continues the scan into
    0x8000000-0x44000000. When a pageblock is found, the pages are moved
    to the MIGRATE_RESERVE list on the wrong zone. Oops.

    setup_zone_migrate_reserve() should skip pageblocks in overlapping
    nodes.

    Signed-off-by: Adam Litke
    Acked-by: Mel Gorman
    Cc: Dave Hansen
    Cc: Nishanth Aravamudan
    Cc: Andy Whitcroft
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit da924e49a005cdb4bac9a958f3edff958b770069
Author: Will Newton
Date:   Wed Sep 3 02:35:06 2008 +0000

    8250: improve workaround for UARTs that don't re-assert THRE correctly

    commit 363f66fe06c75270b669c88e321e6b354ba0201e upstream

    Recent changes to tighten the check for UARTs that don't correctly
    re-assert THRE (01c194d9278efc15d4785ff205643e9c0bdcef53: "serial 8250:
    tighten test for using backup timer") caused problems when such a UART
    was opened for the second time - the bug could only successfully be
    detected at first initialization. For users of this version of this
    particular UART IP it is fatal.

    This patch stores the information about the bug in the bugs field of
    the port structure when the port is first started up so subsequent
    opens can check this bit even if the test for the bug fails.

    David Brownell: "My own exposure to this is that the UART on DaVinci
    hardware, which TI allegedly derived from its original 16550 logic,
    has periodically gone from working to unusable with the mainline
    8250.c ... and back and forth a bunch. Currently it's "unusable", a
    regression from some previous versions. With this patch from Will,
    it's usable."

    Signed-off-by: Will Newton
    Acked-by: Alex Williamson
    Cc: Alan Cox
    Cc: David Brownell
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit cd9295c8b95d690c47f5f0000e3128960de8cd8b
Author: Jan Altenberg
Date:   Wed Sep 3 02:35:04 2008 +0000

    rtc_time_to_tm: fix signed/unsigned arithmetic

    commit 73442daf2ea85e2a779396b76b1a39b10188ecb5 upstream

    commit 945185a69daa457c4c5e46e47f4afad7dcea734f ("rtc: rtc_time_to_tm:
    use unsigned arithmetic") changed some types in rtc_time_to_tm() to
    unsigned:

     void rtc_time_to_tm(unsigned long time, struct rtc_time *tm)
     {
    - register int days, month, year;
    + unsigned int days, month, year;

    This doesn't work for all cases, because days is checked for < 0 later
    on:

        if (days < 0) {
                year -= 1;
                days += 365 + LEAP_YEAR(year);
        }

    I think the correct fix would be to keep days signed and do an
    appropriate cast later on.

    Signed-off-by: Jan Altenberg
    Cc: Maciej W. Rozycki
    Cc: Alessandro Zummo
    Cc: David Brownell
    Cc: Dmitri Vorobiev
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit b6cdf4eeaf022b84c7d41cc8c1e20c2a0be7100d
Author: Andrew Morton
Date:   Wed Sep 3 02:35:02 2008 +0000

    drivers/char/random.c: fix a race which can lead to a bogus BUG()

    commit 8b76f46a2db29407fed66cf4aca19d61b3dcb3e1 upstream

    Fix a bug reported by and diagnosed by Aaron Straus.

    This is a regression introduced into 2.6.26 by

        commit adc782dae6c4c0f6fb679a48a544cfbcd79ae3dc
        Author: Matt Mackall
        Date:   Tue Apr 29 01:03:07 2008 -0700

            random: simplify and rename credit_entropy_store

    credit_entropy_bits() does:

        spin_lock_irqsave(&r->lock, flags);
        ...
        if (r->entropy_count > r->poolinfo->POOLBITS)
                r->entropy_count = r->poolinfo->POOLBITS;

    so there is a time window in which this BUG_ON():

        static size_t account(struct entropy_store *r, size_t nbytes, int min,
                              int reserved)
        {
                unsigned long flags;

                BUG_ON(r->entropy_count > r->poolinfo->POOLBITS);

                /* Hold lock while accounting */
                spin_lock_irqsave(&r->lock, flags);

    can trigger.

    We could fix this by moving the assertion inside the lock, but it
    seems safer and saner to revert to the old behaviour wherein
    entropy_store.entropy_count at no time exceeds
    entropy_store.poolinfo->POOLBITS.

    Reported-by: Aaron Straus
    Cc: Matt Mackall
    Cc: Theodore Ts'o
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit db809e440eda6cc9a7e6633420668ea14c16ce6a
Author: Jeff Layton
Date:   Tue Sep 2 19:25:05 2008 +0000

    cifs: fix O_APPEND on directio mounts

    commit 838726c4756813576078203eb7e1e219db0da870 upstream

    The direct I/O write codepath for CIFS is done through
    cifs_user_write(). That function does not currently call
    generic_write_checks() so the file position isn't being properly set
    when the file is opened with O_APPEND. It's also not doing the other
    "normal" checks that should be done for a write call.

    The problem is currently that when you open a file with O_APPEND on a
    mount with the directio mount option, the file position is set to the
    beginning of the file. This makes any subsequent writes clobber the
    data in the file starting at the beginning.

    This seems to fix the problem in cursory testing. It is, however
    important to note that NFS disallows the combination of
    (O_DIRECT|O_APPEND). If my understanding is correct, the concern is
    races with multiple clients appending to a file clobbering each
    others' data. Since the write model for CIFS and NFS is pretty
    similar in this regard, CIFS is probably subject to the same sort of
    races. What's unclear to me is why this is a particular problem with
    O_DIRECT and not with buffered writes...

    Regardless, disallowing O_APPEND on an entire mount is probably not
    reasonable, so we'll probably just have to deal with it and
    reevaluate this flag combination when we get proper support for
    O_DIRECT. In the meantime this patch at least fixes the existing
    problem.

    Signed-off-by: Jeff Layton
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

commit 89b4ddf3d058613b3377e5f56f99d3e20dc95017
Author: Jay Cliburn
Date:   Thu Aug 28 19:40:05 2008 +0000

    atl1: disable TSO by default

    commit 82c26a9d117f0178b8c1b33429014b6d99c470f6 upstream

    The atl1 driver is causing stalled connections and file corruption
    whenever TSO is enabled. Two examples are here:

    http://lkml.org/lkml/2008/7/15/325
    http://lkml.org/lkml/2008/8/18/543

    Disable TSO by default until we can determine the source of the
    problem.

    Signed-off-by: Jay Cliburn
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit d584a416f04eb2916d3b3dbd88a05d5210276e55
Author: Ayaz Abdulla
Date:   Thu Aug 28 19:40:03 2008 +0000

    forcedeth: fix checksum flag

    commit edcfe5f7e307846e578fb88d69fa27051fded0ab upstream

    Fix the checksum feature advertised in device flags. The hardware
    supports TCP/UDP over IPv4 and TCP/UDP over IPv6 (without IPv6
    extension headers). However, the kernel feature flags do not
    distinguish IPv6 with/without extension headers.

    Therefore, the driver needs to use NETIF_F_IP_CSUM instead of
    NETIF_F_HW_CSUM since the latter includes all IPv6 packets.

    A future patch can be created to check for extension headers and
    perform software checksum calculation.

    Signed-off-by: Ayaz Abdulla
    Cc: Jeff Garzik
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit d53ff904c039b2bb6e9645ca276def571993e387
Author: FUJITA Tomonori
Date:   Wed Aug 27 22:25:47 2008 +0000

    bio: fix bio_copy_kern() handling of bio->bv_len

    commit 76029ff37f31dad64641489c610d98955217bb68 upstream

    The commit 68154e90c9d1492d570671ae181d9a8f8530da55 introduced
    bio_copy_kern() to add bounce support to blk_rq_map_kern.

    bio_copy_kern() uses bio->bv_len to copy data for READ commands after
    the completion but it doesn't work with a request that partially
    completed. SCSI always completes a PC request as a whole but seems
    some don't.

    This patch fixes bio_copy_kern to handle the above case. As
    bio_copy_user does, bio_copy_kern uses struct bio_map_data to store
    struct bio_vec.

    Signed-off-by: FUJITA Tomonori
    Reported-by: Nix
    Tested-by: Nix
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

commit b9db91ffefa1922e9d9fc1c5407b2fcfa13d16bc
Author: FUJITA Tomonori
Date:   Wed Aug 27 22:25:36 2008 +0000

    bio: fix __bio_copy_iov() handling of bio->bv_len

    commit aefcc28a3a63ac33a298777aa50ba43641c75241 upstream

    The commit c5dec1c3034f1ae3503efbf641ff3b0273b64797 introduced
    __bio_copy_iov() to add bounce support to blk_rq_map_user_iov.

    __bio_copy_iov() uses bio->bv_len to copy data for READ commands
    after the completion but it doesn't work with a request that
    partially completed. SCSI always completes a PC request as a whole
    but seems some don't.

    Signed-off-by: FUJITA Tomonori
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

commit 752e95e66704fe0b158dde2a01c9aee3babbd832
Author: Clemens Ladisch
Date:   Tue Aug 26 18:05:03 2008 +0000

    ALSA: oxygen: prevent muting of nonexistent AC97 controls

    commit 3d839e5b87a70effc629c1cdbf77d837ef141919 upstream

    Date: Tue, 26 Aug 2008 11:06:26 +0200
    Subject: ALSA: oxygen: prevent muting of nonexistent AC97 controls

    The Xonar DX does not have CD Capture controls, so we have to check
    that a control actually exists before muting it.

    Signed-off-by: Clemens Ladisch
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit a87a91ca57d61754926b25f06b0b36dcfbee6ae4
Author: Stefan Weinhuber
Date:   Fri Aug 22 17:40:08 2008 +0000

    S390 dasd: fix data size for PSF/PRSSD command

    commit 49fd38bdaa96f093fcad3176a781a4d0de8f8602 upstream

    The Perform Subsystem Function/Prepare for Read Subsystem Data
    command requires 12 bytes of parameter data, but the respective data
    structure dasd_psf_prssd_data has a length of 16 bytes.
    Current storage servers ignore the obsolete bytes, but older models
    fail to execute the command and report an incorrect length error.
    This causes the device initialization for these devices to fail.
    To fix this problem we need to correct the dasd_psf_prssd_data
    structure and shorten it to the correct length.

    Reported-by: Ivan Warren
    Reviewed-by: Ivan Warren
    Tested-by: Ivan Warren
    Signed-off-by: Stefan Weinhuber
    Signed-off-by: Greg Kroah-Hartman

commit 04df0a8eff17f98785c43138e14fdf60f080a378
Author: Samuel Sieb
Date:   Fri Aug 22 17:40:12 2008 +0000

    x86: fix "kernel won't boot on a Cyrix MediaGXm (Geode)"

    commit c6744955d0ec0cb485c28c51eeb7185e260f6172 upstream

    Cyrix MediaGXm/Cx5530 Unicorn Revision 1.19.3B has stopped
    booting starting at v2.6.22.

    The reason is this commit:

    > commit f25f64ed5bd3c2932493681bdfdb483ea707da0a
    > Author: Juergen Beisert
    > Date: Sun Jul 22 11:12:38 2007 +0200
    >
    > x86: Replace NSC/Cyrix specific chipset access macros by inlined functions.

    this commit activated a macro which was dormant before due to (buggy)
    macro side-effects.

    I've looked through various datasheets and found that the GXm and
    GXLV Geode processors don't have an incrementor.

    Remove the incrementor setup entirely. As the incrementor value
    differs according to clock speed and we would hope that the BIOS
    configures it correctly, it is probably the right solution.

    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit cc3522eab9938bc25105b6deecddd05a3e5dc299
Author: Yinghai Lu
Date:   Fri Aug 22 17:40:05 2008 +0000

    x86: work around MTRR mask setting

    commit 38cc1c3df77c1bb739a4766788eb9fa49f16ffdf upstream

    Joshua Hoblitt reported that only 3 GB of his 16 GB of RAM is
    usable. Booting with mtrr_show showed us the BIOS-initialized
    MTRR settings - which are all wrong.

    So the root cause is that the BIOS has not set the mask correctly:

    > [ 0.429971] MSR00000200: 00000000d0000000
    > [ 0.433305] MSR00000201: 0000000ff0000800
    > should be ==> [ 0.433305] MSR00000201: 0000003ff0000800
    >
    > [ 0.436638] MSR00000202: 00000000e0000000
    > [ 0.439971] MSR00000203: 0000000fe0000800
    > should be ==> [ 0.439971] MSR00000203: 0000003fe0000800
    >
    > [ 0.443304] MSR00000204: 0000000000000006
    > [ 0.446637] MSR00000205: 0000000c00000800
    > should be ==> [ 0.446637] MSR00000205: 0000003c00000800
    >
    > [ 0.449970] MSR00000206: 0000000400000006
    > [ 0.453303] MSR00000207: 0000000fe0000800
    > should be ==> [ 0.453303] MSR00000207: 0000003fe0000800
    >
    > [ 0.456636] MSR00000208: 0000000420000006
    > [ 0.459970] MSR00000209: 0000000ff0000800
    > should be ==> [ 0.459970] MSR00000209: 0000003ff0000800

    So detect this borkage and add the prefix 111.

    Signed-off-by: Yinghai Lu
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 13f3b97af2f88fab1e36adbc6372b184315fdda3
Author: Alexey Dobriyan
Date:   Fri Aug 22 17:40:10 2008 +0000

    USB: cdc-acm: don't unlock acm->mutex on error path

    commit 74573ee7096a4ffc2f098108d21c85801b9c7434 upstream

    On Wed, Jul 23, 2008 at 03:52:36PM +0300, Andrei Popa wrote:
    > I installed gnokii-0.6.22-r2 and gave the command "gnokii --identify"
    > and the kernel oopsed:
    >
    > BUG: unable to handle kernel NULL pointer dereference at 00000458
    > IP: [] mutex_unlock+0x0/0xb
    > [] acm_tty_open+0x4c/0x214

    Signed-off-by: Alexey Dobriyan
    Tested-by: Andrei Popa
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 5d70bbc8780b474371b555cd6eeaaafdea82efe9
Author: Pavel Emelyanov
Date:   Wed Aug 20 22:50:13 2008 +0000

    binfmt_misc: fix false -ENOEXEC when coupled with other binary handlers

    commit ff9bc512f198eb47204f55b24c6fe3d36ed89592 upstream

    Date: Wed, 20 Aug 2008 14:09:10 -0700
    Subject: binfmt_misc: fix false -ENOEXEC when coupled with other binary handlers

    In case the binfmt_misc binary handler is registered *before* the e.g.
    script one (when for example being compiled as a module) the following
    situation may occur:

    1. user launches a script, whose interpreter is a misc binary;
    2. the load_misc_binary sets the misc_bang and returns -ENOEXEC,
       since the binary is a script;
    3. the load_script_binary loads one and calls for
       search_binary_handler to run the interpreter;
    4. the load_misc_binary is called again, but refuses to load the
       binary due to misc_bang bit set.

    The fix is to move the misc_bang setting lower - prior to the actual
    call to the search_binary_handler.

    Caused by the commit 3a2e7f47 (binfmt_misc.c: avoid potential kernel
    stack overflow)

    Signed-off-by: Pavel Emelyanov
    Reported-by: Kirill A. Shutemov
    Tested-by: Kirill A. Shutemov
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit daf46c105cfe2a00c2594231baa83d3c2bfb3333
Author: Ian Campbell
Date:   Wed Aug 20 22:50:11 2008 +0000

    fbdefio: add set_page_dirty handler to deferred IO FB

    commit d847471d063663b9f36927d265c66a270c0cfaab upstream

    Fixes kernel BUG at lib/radix-tree.c:473.

    Previously the handler was incidentally provided by tmpfs but this
    was removed with:

        commit 14fcc23fdc78e9d32372553ccf21758a9bd56fa1
        Author: Hugh Dickins
        Date:   Mon Jul 28 15:46:19 2008 -0700

            tmpfs: fix kernel BUG in shmem_delete_inode

    relying on this behaviour was incorrect in any case and the BUG also
    appeared when the device node was on an ext3 filesystem.

    v2: override a_ops at open() time rather than mmap() time to minimise
    races per AKPM's concerns.

    Signed-off-by: Ian Campbell
    Cc: Jaya Kumar
    Cc: Nick Piggin
    Cc: Peter Zijlstra
    Cc: Hugh Dickins
    Cc: Johannes Weiner
    Cc: Jeremy Fitzhardinge
    Cc: Kel Modderman
    Cc: Markus Armbruster
    Cc: Krzysztof Helt
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit e76d1b317c210f0d9508f2b0bf3204b6849d3da6
Author: Matthew Garrett
Date:   Wed Aug 20 22:50:16 2008 +0000

    eeepc-laptop: fix use after free

    commit f14413184b1de4dcbd5ec3e7c129c3ce2079f543 upstream

    Date: Wed, 20 Aug 2008 14:08:57 -0700
    Subject: eeepc-laptop: fix use after free

    eeepc-laptop uses the hwmon struct after unregistering the device,
    causing an oops on module unload. Flip the ordering to fix.

    Signed-off-by: Matthew Garrett
    Cc: Henrique de Moraes Holschuh
    Cc: Corentin Chary
    Cc: Karol Kozimor
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 045eff1504ce63a080b79f931ec3d8e136fb65cd
Author: Greg Kroah-Hartman
Date:   Mon Aug 25 20:05:06 2008 +0000

    PCI: fix reference leak in pci_get_dev_by_id()

    commit ebca4f1bce1eb7b91a63c515db66316db9391221 upstream

    Alex Chiang and Matthew Wilcox pointed out that pci_get_dev_by_id()
    does not properly decrement the reference on the from pointer if it
    is present, like the documentation for the function states it will.

    It fixes a pretty bad leak in the hotplug core (we were leaking an
    entire struct pci_dev for each function of each offlined card, the
    first time around; subsequent onlines/offlines were ok).

    Cc: Matthew Wilcox
    Tested-by: Alex Chiang
    Acked-by: Alex Chiang
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Jesse Barnes

commit 363875f5551b029ae63b5b1a3f3ccd72b9460339
Author: Al Viro
Date:   Wed Aug 20 22:50:04 2008 +0000

    cramfs: fix named-pipe handling

    commit 82d63fc9e30687c055b97928942b8893ea65b0bb upstream

    After commit a97c9bf33f4612e2aed6f000f6b1d268b6814f3c (fix cramfs
    making duplicate entries in inode cache) in kernel 2.6.14, named-pipe
    on cramfs does not work properly.

    It seems the commit makes all named-pipe on cramfs share their inode
    (and named-pipe buffer).

    Make ..._test() refuse to merge inodes with ->i_ino == 1, take inode
    setup back to get_cramfs_inode() and make ->drop_inode() evict ones
    with ->i_ino == 1 immediately.

    Reported-by: Atsushi Nemoto
    Cc: Al Viro
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman