commit 8f31afa8fcc9eb76ff502f2208f4931ae2b07c66
Author: Greg Kroah-Hartman
Date:   Tue Feb 17 09:29:27 2009 -0800

    Linux 2.6.28.6

commit 813fa24255a5de93ef3fc4c2efff3ee31a2545b6
Author: Jarek Poplawski
Date:   Mon Jan 19 17:03:56 2009 -0800

    net: Fix data corruption when splicing from sockets.

    [ Upstream commit 8b9d3728977760f6bd1317c4420890f73695354e ]

    The trick in socket splicing where we try to convert the skb->data
    into a page based reference using virt_to_page() does not work so
    well.

    The idea is to pass the virt_to_page() reference via the pipe
    buffer, and refcount the buffer using a SKB reference.

    But if we are splicing from a socket to a socket (via sendpage)
    this doesn't work.

    The from side processing will grab the page (and SKB) references.
    The sendpage() calls will grab page references only, return, and
    then the from side processing completes and drops the SKB ref.

    The page based reference to skb->data is not enough to keep the
    kmalloc() buffer backing it from being reused. Yet, that is all
    that the socket send side has at this point.

    This leads to data corruption if the skb->data buffer is reused
    by SLAB before the send side socket actually gets the TX packet
    out to the device.

    The fix employed here is to simply allocate a page and copy the
    skb->data bytes into that page.

    This will hurt performance, but there is no clear way to fix this
    properly without a copy at the present time, and it is important
    to get rid of the data corruption.

    With fixes from Herbert Xu.

    Tested-by: Willy Tarreau
    Foreseen-by: Changli Gao
    Diagnosed-by: Willy Tarreau
    Reported-by: Willy Tarreau
    Fixed-by: Jens Axboe
    Signed-off-by: Jarek Poplawski
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit cfc7f11699d572ed0cba07f3560258c2216b7ef0
Author: Borislav Petkov
Date:   Mon Feb 2 20:12:21 2009 +0100

    ide-cd: fix DMA for non bio-backed requests

    commit 9e772d0135a5b5f8355320be429efa339700d52d upstream.

    This one fixes http://bugzilla.kernel.org/show_bug.cgi?id=12320.

    Signed-off-by: Borislav Petkov
    Signed-off-by: Bartlomiej Zolnierkiewicz
    Signed-off-by: Greg Kroah-Hartman

commit b1e533029763785a869206ac87d71bab8a34cf07
Author: Andreas Herrmann
Date:   Tue Dec 16 19:07:47 2008 +0100

    x86: microcode_amd: fix wrong handling of equivalent CPU id

    commit 3c763fd77e66e55d029052da31df0abd9920cb1e upstream.

    Impact: fix bug resulting in non-loaded AMD microcode

    mc_header->processor_rev_id is a 2 byte value. Similar is true for
    equiv_cpu in an equiv_cpu_entry -- only 2 bytes are of interest.

    Signed-off-by: Andreas Herrmann
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 73a368388224240a18cf7810c401d3f3aca2c4ca
Author: Qu Haoran
Date:   Thu Feb 12 08:07:38 2009 +0100

    netfilter: xt_sctp: sctp chunk mapping doesn't work

    netfilter: xt_sctp: sctp chunk mapping doesn't work

    Upstream commit: d4e2675a

    When user tries to map all chunks given in argument, kernel works
    on a copy of the chunkmap, but at the end it doesn't check the
    copy, but the original one.

    Signed-off-by: Qu Haoran
    Signed-off-by: Nicolas Dichtel
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit a04ce10376ed47a4eeb4120269c5dfaf9d3e0e51
Author: Eric Leblond
Date:   Thu Feb 12 08:07:37 2009 +0100

    netfilter: fix tuple inversion for Node information request

    netfilter: fix tuple inversion for Node information request

    Upstream commit: a51f42f3c

    The patch fixes a typo in the inverse mapping of Node Information
    request. Following draft-ietf-ipngwg-icmp-name-lookups-09,
    "Querier" sends a type 139 (ICMPV6_NI_QUERY) packet to "Responder"
    which answers with a type 140 (ICMPV6_NI_REPLY) packet.

    Signed-off-by: Eric Leblond
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit 1d40aaebcbcac89b609841425eb0018488dc24fe
Author: Tejun Heo
Date:   Thu Jan 29 20:31:29 2009 +0900

    libata: fix EH device failure handling

    commit d89293abd95bfd7dd9229087d6c30c1464c5ac83 upstream.

    The dev->pio_mode > XFER_PIO_0 test is there to avoid unnecessary
    speed down warning messages but it accidentally disabled SATA link
    spd down during configuration phase after reset where PIO mode is
    always zero.

    This patch fixes the problem by moving the test where it belongs.
    This makes libata probing sequence behave better when the
    connection is flaky at higher link speeds which isn't too uncommon
    for eSATA devices.

    Signed-off-by: Tejun Heo
    Signed-off-by: Jeff Garzik
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit aac6302fdc26d37d77ca7b01ef0976d6cf1d5e5f
Author: Sergei Shtylyov
Date:   Sun Feb 1 20:46:39 2009 +0400

    ide/libata: fix ata_id_is_cfa() (take 4)

    commit 2999b58b795ad81f10e34bdbbfd2742172f247e4 upstream.

    When checking for the CFA feature set support, ata_id_is_cfa()
    tests bit 2 in word 82 of the identify data instead of the word 83;
    it also checks the ATA/PI version support in the word 80 (which the
    CompactFlash specifications have as reserved), this having no
    slightest chance to work on the modern CF cards that don't have
    0x848A in the word 0...

    Signed-off-by: Sergei Shtylyov
    Signed-off-by: Jeff Garzik
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit 50a84ef86b69250c49819491de60358097d9ca29
Author: Jiri Kosina
Date:   Wed Jan 14 03:03:21 2009 +0100

    HID: adjust report descriptor fixup for MS 1028 receiver

    commit 0fb21de0799a985d2da3da14ae5625d724256638 upstream.

    Report descriptor fixup for MS 1028 receiver changes also values
    for Keyboard and Consumer, which incorrectly trims the range,
    causing correct events being thrown away before passing to
    userspace.

    We need to keep the GenDesk usage fixup though, as it reports
    totally bogus values about axis.

    Reported-by: Lucas Gadani
    Signed-off-by: Jiri Kosina
    Signed-off-by: Greg Kroah-Hartman

commit b9c2ffe4ccafdc6991fe7fd1d3a75f0ce7d5a259
Author: Takashi Iwai
Date:   Thu Feb 12 00:06:42 2009 +0100

    ALSA: mtpav - Fix initial value for input hwport

    commit 32cf9a16f4af01573ddec1eb073111fc20a9d7d4 upstream.

    Fix the initial value for input hwport. The old value (-1) may
    cause Oops when a realtime MIDI byte is received before the input
    port is explicitly given. Instead, now it's set to the broadcasting
    as default.

    Tested-by: Holger Dehnhardt
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 7a7856eddb9603da697d54d5d3340c020a717364
Author: Takashi Iwai
Date:   Fri Feb 13 11:37:08 2009 +0100

    ALSA: hda - Add missing terminator in slave dig-out array

    commit 3a08e30de2facffe8e1a25bf4fa62cbc920fbaf6 upstream.

    Added the missing terminator for ad1989b_slave_dig_outs[].

    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit e27ccb282947e4554b43346cadd543bc1b8ad18c
Author: David S. Miller
Date:   Fri Feb 13 00:26:00 2009 -0800

    sparc64: Annotate sparc64 specific syscalls with SYSCALL_DEFINEx()

    [ Upstream commit e42650196df34789c825fa83f8bb37a5d5e52c14 ]

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit ac422cd8edcc6cd1c6c58acc136354b4d25d804f
Author: Christian Borntraeger
Date:   Fri Feb 13 00:25:10 2009 -0800

    sparc: Enable syscall wrappers for 64-bit (CVE-2009-0029)

    [ Upstream commit 67605d6812691bbd2158d2f60259e0407611bc1b ]

    sparc64 needs sign-extended function parameters. We have to enable
    the system call wrappers.

    Signed-off-by: Christian Borntraeger
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit c9d7113773e1a37eea07a34a792fb224980eba11
Author: Dimitris Michailidis
Date:   Mon Jan 26 22:15:31 2009 -0800

    tcp: Fix length tcp_splice_data_recv passes to skb_splice_bits.

    [ Upstream commit 9fa5fdf291c9b58b1cb8b4bb2a0ee57efa21d635 ]

    tcp_splice_data_recv has two lengths to consider: the len parameter
    it gets from tcp_read_sock, which specifies the amount of data in
    the skb, and rd_desc->count, which is the amount of data the splice
    caller still wants. Currently it passes just the latter to
    skb_splice_bits, which then splices
    min(rd_desc->count, skb->len - offset) bytes.

    Most of the time this is fine, except when the skb contains urgent
    data. In that case len goes only up to the urgent byte and is less
    than skb->len - offset. By ignoring len tcp_splice_data_recv may
    a) splice data tcp_read_sock told it not to, b) return to
    tcp_read_sock a value > len.

    Now, tcp_read_sock doesn't handle used > len and leaves the socket
    in a bad state (both sk_receive_queue and copied_seq are bad at
    that point) resulting in duplicated data and corruption.

    Fix by passing min(rd_desc->count, len) to skb_splice_bits.

    Signed-off-by: Dimitris Michailidis
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit b1b038456a0dc218a7a45bc39d316c55ad71e09a
Author: Willy Tarreau
Date:   Tue Jan 13 16:04:36 2009 -0800

    tcp: splice as many packets as possible at once

    [ Upstream commit 33966dd0e2f68f26943cd9ee93ec6abbc6547a8e ]

    As spotted by Willy Tarreau, current splice() from tcp socket to
    pipe is not optimal. It processes at most one segment per call.
    This results in low performance and very high overhead due to
    syscall rate when splicing from interfaces which do not support
    LRO.

    Willy provided a patch inside tcp_splice_read(), but a better fix
    is to let tcp_read_sock() process as many segments as possible, so
    that tcp_rcv_space_adjust() and tcp_cleanup_rbuf() are called less
    often.

    With this change, splice() behaves like tcp_recvmsg(), being able
    to consume many skbs in one system call. With typical 1460 bytes
    of payload per frame, that means splice(SPLICE_F_NONBLOCK) can
    return 16*1460 = 23360 bytes.

    Signed-off-by: Willy Tarreau
    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit cb8de065c36dafcc7e40104f6311b6b2d0d37596
Author: Alex Williamson
Date:   Fri Feb 13 00:06:29 2009 -0800

    virtio_net: Fix MAX_PACKET_LEN to support 802.1Q VLANs

    [ Upstream commit e918085aaff34086e265f825dd469926b1aec4a4 ]

    802.1Q expanded the maximum ethernet frame size by 4 bytes for the
    VLAN tag.
    We're not taking this into account in virtio_net, which means the
    buffers we provide to the backend in the virtqueue RX ring aren't
    big enough to hold a full MTU VLAN packet. For QEMU/KVM, this
    results in the backend exiting with a packet truncation error.

    Signed-off-by: Alex Williamson
    Acked-by: Mark McLoughlin
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 9ac2dfbf36bfd3913267be078f756e0806b3694f
Author: Alex Williamson
Date:   Sun Feb 8 17:49:17 2009 -0800

    tun: Fix unicast filter overflow

    [ Upstream commit cfbf84fcbcda98bb91ada683a8dc8e6901a83ebd ]

    Tap devices can make use of a small MAC filter set via the
    TUNSETTXFILTER ioctl. The filter has a set of exact matches plus a
    hash for imperfect filtering of additional multicast addresses.
    The current code is unbalanced, adding unicast addresses to the
    multicast hash, but only checking the hash against multicast
    addresses. This results in the filter dropping unicast addresses
    that overflow the exact filter. The fix is simply to disable the
    filter by leaving count set to zero if we find non-multicast
    addresses after the exact match table is filled.

    Signed-off-by: Alex Williamson
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 0ae6310e3fcaf33209b676333ae3aa7451ebd394
Author: David S. Miller
Date:   Thu Jan 29 16:53:35 2009 -0800

    tun: Add some missing TUN compat ioctl translations.

    [ Upstream commit df1c46b2b6876d0a1b1b4740f009fa69d95ebbc9 ]

    Based upon a report from Michael Tokarev :

    Just saw in dmesg:

      ioctl32(kvm:4408): Unknown cmd fd(9) cmd(800454cf){t:'T';sz:4} arg(ffc668e4) on /dev/net/tun

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 33bd6c2d14e38380b020c48ddd3c358928502592
Author: Alexey Dobriyan
Date:   Fri Jan 30 13:45:31 2009 -0800

    sky2: fix hard hang with netconsoling and iface going up

    [ Upstream commit a11da890e4c9850411303efcf6514f048ca880ee ]

    Printing anything over netconsole before hw is up and running is,
    of course, not going to work.

    Signed-off-by: Alexey Dobriyan
    Acked-by: Stephen Hemminger
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 9540bf5c89f8e329dab7638001c79e079714fd5c
Author: Clément Lecigne
Date:   Thu Feb 12 16:59:09 2009 -0800

    net: 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try #2

    [ Upstream commit df0bca049d01c0ee94afb7cd5dfd959541e6c8da ]

    In function sock_getsockopt() located in net/core/sock.c, optval
    v.val is not correctly initialized and directly returned in
    userland in case we have SO_BSDCOMPAT option set.

    This dummy code should trigger the bug:

    int main(void)
    {
            unsigned char buf[4] = { 0, 0, 0, 0 };
            int len;
            int sock;
            sock = socket(33, 2, 2);
            getsockopt(sock, 1, SO_BSDCOMPAT, &buf, &len);
            printf("%x%x%x%x\n", buf[0], buf[1], buf[2], buf[3]);
            close(sock);
    }

    Here is a patch that fixes this bug by initializing v.val just
    after its declaration.

    Signed-off-by: Clément Lecigne
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 34a4aa0f5a4b67070651dcbabda7fdcac4647ecd
Author: Herbert Xu
Date:   Thu Feb 5 15:15:50 2009 -0800

    ipv6: Copy cork options in ip6_append_data

    [ Upstream commit 0178b695fd6b40a62a215cbeb03dd51ada3bb5e0 ]

    As the options passed to ip6_append_data may be ephemeral, we need
    to duplicate it for corking. This patch applies the simplest fix
    which is to memdup all the relevant bits.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 3e534af176b548b90c38a086a5d6940f0ab2be9f
Author: David S. Miller
Date:   Fri Feb 6 00:49:55 2009 -0800

    ipv6: Disallow rediculious flowlabel option sizes.

    [ Upstream commit 684de409acff8b1fe8bf188d75ff2f99c624387d ]

    Just like PKTINFO, limit the options area to 64K.

    Based upon report by Eric Sesterhenn and analysis by Roland Dreier.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit f3c21d60f14e68ef5e3b792e6e1c00a12c94c110
Author: Eric Dumazet
Date:   Mon Feb 2 13:41:57 2009 -0800

    udp: increments sk_drops in __udp_queue_rcv_skb()

    [ Upstream commit e408b8dcb5ce42243a902205005208e590f28454 ]

    Commit 93821778def10ec1e69aa3ac10adee975dad4ff3 (udp: Fix rcv
    socket locking) accidentally removed sk_drops increments for UDP
    IPV4 sockets.

    This field can be used to detect incorrect sizing of socket
    receive buffers.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 1888776132257cf5e0d806dd5c0665f436738644
Author: Jesper Dangaard Brouer
Date:   Thu Feb 5 15:05:45 2009 -0800

    udp: Fix UDP short packet false positive

    [ Upstream commit 7b5e56f9d635643ad54f2f42e69ad16b80a2cff1 ]

    The UDP header pointer assignment must happen after calling
    pskb_may_pull(). As pskb_may_pull() can potentially alter the SKB
    buffer.

    This was exposed by running multicast traffic through the NIU
    driver, as it won't prepull the protocol headers into the linear
    area on receive.

    Signed-off-by: Jesper Dangaard Brouer
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 8527040ae52a767037fe3faec6aeeed474b48104
Author: Ilkka Virta
Date:   Fri Feb 6 22:00:36 2009 -0800

    sungem: Soft lockup in sungem on Netra AC200 when switching interface up

    [ Upstream commit 71822faa3bc0af5dbf5e333a2d085f1ed7cd809f ]

    From: Ilkka Virta

    In the lockup situation the driver seems to go off in an eternal
    storm of interrupts right after calling request_irq(). It doesn't
    actually do anything interesting in the interrupt handler. Since
    connecting the link afterwards works, something later in
    initialization must fix this.

    Looking at gem_do_start() and gem_open(), it seems that the only
    thing done while opening the device after the request_irq(), is a
    call to napi_enable().

    I don't know what the ordering requirements are for the
    initialization, but I boldly tried to move the napi_enable() call
    inside gem_do_start() before the link state is checked and
    interrupts subsequently enabled, and it seems to work for me.
    Doesn't even break anything too obvious...

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit b5934d35aceba7534aca1e37000753d74919d867
Author: Herbert Xu
Date:   Fri Jan 30 14:12:06 2009 -0800

    packet: Avoid lock_sock in mmap handler

    [ Upstream commit 905db44087855e3c1709f538ecdc22fd149cadd8 ]

    As the mmap handler gets called under mmap_sem, and we may grab
    mmap_sem elsewhere under the socket lock to access user data, we
    should avoid grabbing the socket lock in the mmap handler.

    Since the only thing we care about in the mmap handler is for
    pg_vec* to be invariant, i.e., to exclude packet_set_ring, we can
    achieve this by simply using a new mutex.

    Signed-off-by: Herbert Xu
    Tested-by: Martin MOKREJŠ
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 3cb569832d1b79a60b5df1b510c1712aa76e7cdd
Author: Sebastiano Di Paola
Date:   Fri Jan 30 23:37:17 2009 +0000

    net: packet socket packet_lookup_frame fix

    [ Upstream commit f9e6934502e46c363100245f137ddf0f4b1cb574 ]

    packet_lookup_frames() fails to get user frame if current frame
    header status contains extra flags. This is due to the wrong
    assumption on the operators precedence during frame status tests.
    Fixed by forcing the right operators precedence order with
    explicit brackets.

    Signed-off-by: Paolo Abeni
    Signed-off-by: Sebastiano Di Paola
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d6283a8094509991b9d72ec8cdea1d6236dd09c6
Author: David S. Miller
Date:   Mon Feb 2 13:27:44 2009 -0800

    net: Fix userland breakage wrt. linux/if_tunnel.h

    [ Upstream commit 0afd4a21ba7d75e93fa79cf05d7a21774e149c0f ]

    Reported by Andrew Walrond

    Changeset c19e654ddbe3831252f61e76a74d661e1a755530 ("gre: Add
    netlink interface") added an include of linux/ip.h to
    linux/if_tunnel.h

    We can't really let that get exposed to userspace because this
    conflicts with types defined in netinet/ip.h which userland is
    almost certainly going to have included either explicitly or
    implicitly.

    So guard this include with a __KERNEL__ ifdef.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit a027928cd7b8a16bdbfb3fc42f3eecf469d3249b
Author: Benjamin Zores
Date:   Thu Jan 29 16:19:13 2009 -0800

    ipv4: fix infinite retry loop in IP-Config

    [ Upstream commit 9d8dba6c979fa99c96938c869611b9a23b73efa9 ]

    Signed-off-by: Benjamin Zores
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit c572a7072873729d308f034e1e1017780f0c48b3
Author: Roel Kluin
Date:   Thu Jan 29 17:32:20 2009 -0800

    drivers/net/skfp: if !capable(CAP_NET_ADMIN): inverted logic

    [ Upstream commit c25b9abbc2c2c0da88e180c3933d6e773245815a ]

    Fix inverted logic

    Signed-off-by: Roel Kluin
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit f8bda152d6f738b3ff24d61a3a69f69e6faec5e1
Author: Shyam Iyer
Date:   Thu Jan 29 16:12:42 2009 -0800

    net: Fix OOPS in skb_seq_read().

    [ Upstream commit 71b3346d182355f19509fadb8fe45114a35cc499 ]

    It oopsd for me in skb_seq_read. addr2line said it was
    linux-2.6/net/core/skbuff.c:2228, which is this line:

            while (st->frag_idx < skb_shinfo(st->cur_skb)->nr_frags) {

    I added some printks in there and it looks like we hit this:

            } else if (st->root_skb == st->cur_skb &&
                       skb_shinfo(st->root_skb)->frag_list) {
                    st->cur_skb = skb_shinfo(st->root_skb)->frag_list;
                    st->frag_idx = 0;
                    goto next_skb;
            }

    Actually I did some testing and added a few printks and found that
    the st->cur_skb->data was 0 and hence the ptr used by iscsi_tcp was
    null. This caused the kernel panic.

            if (abs_offset < block_limit) {
    -               *data = st->cur_skb->data + abs_offset;
    +               *data = st->cur_skb->data + (abs_offset - st->stepped_offset);

    I enabled the debug_tcp and with a few printks found that the code
    did not go to the next_skb label and could find that the sequence
    being followed was this -

    It hit this if condition -

            if (st->cur_skb->next) {
                    st->cur_skb = st->cur_skb->next;
                    st->frag_idx = 0;
                    goto next_skb;

    And so, now the st pointer is shifted to the next skb whereas
    actually it should have hit the second else if first since the
    data is in the frag_list.

            else if (st->root_skb == st->cur_skb &&
                     skb_shinfo(st->root_skb)->frag_list) {
                    st->cur_skb = skb_shinfo(st->root_skb)->frag_list;
                    goto next_skb;
            }

    Reversing the two conditions the attached patch fixes the issue
    for me on top of Herbert's patches.

    Signed-off-by: Shyam Iyer
    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit a4c71b6b6fff146093cada694a1dde02f455da58
Author: Herbert Xu
Date:   Thu Jan 29 16:07:52 2009 -0800

    net: Fix frag_list handling in skb_seq_read

    [ Upstream commit 95e3b24cfb4ec0479d2c42f7a1780d68063a542a ]

    The frag_list handling was broken in skb_seq_read:

    1) We didn't add the stepped offset when looking at the head
    area of fragments other than the first.

    2) We didn't take the stepped offset away when setting the data
    pointer in the head area.

    3) The frag index wasn't reset.

    This patch fixes both issues.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit b1694c2beef9f38397762410d03ae6e38e91f8b7
Author: Vlad Yasevich
Date:   Thu Jan 22 14:53:01 2009 -0800

    sctp: Properly timestamp outgoing data chunks for rtx purposes

    [ Upstream commit 759af00ebef858015eb68876ac1f383bcb6a1774 ]

    Recent changes to the retransmit code exposed a long standing bug
    where it was possible for a chunk to be time stamped after the
    retransmit timer was reset.
    This caused a rare situation where the retransmit timer has
    expired, but nothing was marked for retransmission because all of
    timestamps on data were less than 1 rto ago. As result, the timer
    was never restarted since nothing was retransmitted, and this
    resulted in a hung association that couldn't complete the data
    transfer. The solution is to timestamp the chunk when it's added
    to the packet for transmission purposes. After the packet is
    transmitted the rtx timer is restarted. This guarantees that when
    the timer expires, there will be data to retransmit.

    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit a79f3f862de3975e01ebcb3bba53e0c3fd3ab0fd
Author: Vlad Yasevich
Date:   Thu Jan 22 14:52:43 2009 -0800

    sctp: Correctly start rtx timer on new packet transmissions.

    [ Upstream commit 6574df9a89f9f7da3a4e5cee7633d430319d3350 ]

    Commit 62aeaff5ccd96462b7077046357a6d7886175a57 (sctp: Start
    T3-RTX timer when fast retransmitting lowest TSN) introduced a
    regression where it was possible to forcibly restart the sctp
    retransmit timer at the transmission of any new chunk. This
    resulted in much longer timeout times and sometimes hung sctp
    connections.

    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 3d137641bbf5fcd5f45ceba31ea9f7d6f01fb22d
Author: Vlad Yasevich
Date:   Thu Jan 22 14:52:23 2009 -0800

    sctp: Fix crc32c calculations on big-endian arhes.

    [ Upstream commit 9c5ff5f75d0d0a1c7928ecfae3f38418b51a88e3 ]

    crc32c algorithm provides a byteswapped result. On little-endian
    arches, the result ends up in big-endian/network byte order. On
    big-endian arches, the result ends up in little-endian order and
    needs to be byte swapped again. Thus calling cpu_to_le32 gives
    the right output.

    Tested-by: Jukka Taimisto
    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 489a11f8d0e81f0422752bddf3826543d243952e
Author: J. Bruce Fields
Date:   Wed Feb 4 17:35:38 2009 -0500

    lockd: fix regression in lockd's handling of blocked locks

    commit 9d9b87c1218be78ddecbc85ec3bb91c79c1d56ab upstream.

    If a client requests a blocking lock, is denied, then requests it
    again, then here in nlmsvc_lock() we will call vfs_lock_file()
    without FL_SLEEP set, because we've already queued a block and
    don't need the locks code to do it again.

    But that means vfs_lock_file() will return -EAGAIN instead of
    FILE_LOCK_DENIED. So we still need to translate that -EAGAIN
    return into a nlm_lck_blocked error in this case, and put
    ourselves back on lockd's block list.

    The bug was introduced by bde74e4bc64415b1 "locks: add special
    return value for asynchronous locks".

    Thanks to Frank van Maarseveen for the report; his original test
    case was essentially

            for i in `seq 30`; do flock /nfsmount/foo sleep 10 & done

    Tested-by: Frank van Maarseveen
    Reported-by: Frank van Maarseveen
    Cc: Miklos Szeredi
    Signed-off-by: J. Bruce Fields
    Signed-off-by: Greg Kroah-Hartman

commit 253fbe94bfb517a756fab5bffa903405570d9220
Author: Kumar Gala
Date:   Mon Feb 9 21:08:07 2009 -0600

    powerpc/fsl-booke: Fix mapping functions to use phys_addr_t

    commit 6c24b17453c8dc444a746e45b8a404498fc9fcf7 upstream.

    Fixed v_mapped_by_tlbcam() and p_mapped_by_tlbcam() to use
    phys_addr_t instead of unsigned long. In 36-bit physical mode we
    really need these functions to deal with phys_addr_t when trying
    to match a physical address or when returning one.

    Signed-off-by: Kumar Gala
    Signed-off-by: Greg Kroah-Hartman

commit 65a4554e3ec4f21c1178594560c46f19404fafc4
Author: Jeremy Fitzhardinge
Date:   Wed Feb 11 13:04:41 2009 -0800

    mm: rearrange exit_mmap() to unlock before arch_exit_mmap

    commit 9480c53e9b2aa13a06283ffb96bb8f1873ac4e9a upstream.

    Christophe Saout reported [in precursor to:
    http://marc.info/?l=linux-kernel&m=123209902707347&w=4]:

    > Note that I also some a different issue with CONFIG_UNEVICTABLE_LRU.
    > Seems like Xen tears down current->mm early on process termination, so
    > that __get_user_pages in exit_mmap causes nasty messages when the
    > process had any mlocked pages. (in fact, it somehow manages to get into
    > the swapping code and produces a null pointer dereference trying to get
    > a swap token)

    Jeremy explained:

    Yes. In the normal case under Xen, an in-use pagetable is "pinned",
    meaning that it is RO to the kernel, and all updates must go via
    hypercall (or writes are trapped and emulated, which is much the
    same thing). An unpinned pagetable is not currently in use by any
    process, and can be directly accessed as normal RW pages.

    As an optimisation at process exit time, we unpin the pagetable as
    early as possible (switching the process to init_mm), so that all
    the normal pagetable teardown can happen with direct memory
    accesses.

    This happens in exit_mmap() -> arch_exit_mmap(). The munlocking
    happens a few lines below. The obvious thing to do would be to
    move arch_exit_mmap() to below the munlock code, but I think we'd
    want to call it even if mm->mmap is NULL, just to be on the safe
    side.

    Thus, this patch:

    exit_mmap() needs to unlock any locked vmas before calling
    arch_exit_mmap, as the latter may switch the current mm to
    init_mm, which would cause the former to fail.

    Signed-off-by: Jeremy Fitzhardinge
    Signed-off-by: Lee Schermerhorn
    Cc: Christophe Saout
    Cc: Keir Fraser
    Cc: Christophe Saout
    Cc: Alex Williamson
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 65fb1622e4714a7fdb3cbef2607660664e765586
Author: Federico Cuello
Date:   Wed Feb 11 13:04:39 2009 -0800

    writeback: fix break condition

    commit 89e1219004b3657cc014521663eeef0744f1c99d upstream.

    Commit dcf6a79dda5cc2a2bec183e50d829030c0972aaa ("write-back: fix
    nr_to_write counter") fixed nr_to_write counter, but didn't set
    the break condition properly.

    If nr_to_write == 0 after being decremented it will loop one more
    time before setting done = 1 and breaking the loop.

    [akpm@linux-foundation.org: coding-style fixes]
    Cc: Artem Bityutskiy
    Acked-by: Nick Piggin
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 66c85494570396661479ba51e17964b2c82b6f39
Author: Artem Bityutskiy
Date:   Mon Feb 2 18:33:49 2009 +0200

    write-back: fix nr_to_write counter

    commit dcf6a79dda5cc2a2bec183e50d829030c0972aaa upstream.

    Commit 05fe478dd04e02fa230c305ab9b5616669821dd3 introduced some
    @wbc->nr_to_write breakage.

    It made the following changes:
     1. Decrement wbc->nr_to_write instead of nr_to_write
     2. Decrement wbc->nr_to_write _only_ if wbc->sync_mode ==
        WB_SYNC_NONE
     3. If synced nr_to_write pages, stop only if wbc->sync_mode ==
        WB_SYNC_NONE, otherwise keep going.

    However, according to the commit message, the intention was to
    only make change 3. Change 1 is a bug. Change 2 does not seem to
    be necessary, and it breaks UBIFS expectations, so if needed, it
    should be done separately later. And change 2 does not seem to be
    documented in the commit message.

    This patch does the following:
     1. Undo changes 1 and 2
     2. Add a comment explaining change 3 (it is very useful to have
        comments in _code_, not only in the commit).

    Signed-off-by: Artem Bityutskiy
    Acked-by: Nick Piggin
    Cc: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit fa76ac6cbeb58256cf7de97a75d5d7f838a80b32
Author: Nick Piggin
Date:   Thu Feb 12 04:34:23 2009 +0100

    Fix page writeback thinko, causing Berkeley DB slowdown

    commit 3a4c6800f31ea8395628af5e7e490270ee5d0585 upstream.

    A bug was introduced into write_cache_pages cyclic writeout by
    commit 31a12666d8f0c22235297e1c1575f82061480029 ("mm:
    write_cache_pages cyclic fix"). The intention (and comments) is
    that we should cycle back and look for more dirty pages at the
    beginning of the file if there is no more work to be done.

    But the !done condition was dropped from the test. This means that
    any time the page writeout loop breaks (eg. due to nr_to_write ==
    0), we will set index to 0, then goto again. This will set
    done_index to index, then find done is set, so will proceed to the
    end of the function. When updating mapping->writeback_index for
    cyclic writeout, we now use done_index == 0, so we're always
    cycling back to 0.

    This seemed to be causing random mmap writes (slapadd and iozone)
    to start writing more pages from the LRU and writeout would
    slowdown, and caused bugzilla entry

        http://bugzilla.kernel.org/show_bug.cgi?id=12604

    about Berkeley DB slowing down dramatically.

    With this patch, iozone random write performance is increased
    nearly 5x on my system (iozone -B -r 4k -s 64k -s 512m -s 1200m on
    ext2).

    Signed-off-by: Nick Piggin
    Reported-and-tested-by: Jan Kara
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 703c888fbf2e2e2f2b97bf75ffe5126da3008abb
Author: Randy Dunlap
Date:   Wed Feb 11 13:04:33 2009 -0800

    kernel-doc: fix syscall wrapper processing

    commit b4870bc5ee8c7a37541a3eb1208b5c76c13a078a upstream.

    Fix kernel-doc processing of SYSCALL wrappers.

    The SYSCALL wrapper patches played havoc with kernel-doc for
    syscalls. Syscalls that were scanned for DocBook processing
    reported warnings like this one, for sys_tgkill:

    Warning(kernel/signal.c:2285): No description found for parameter 'tgkill'
    Warning(kernel/signal.c:2285): No description found for parameter 'pid_t'
    Warning(kernel/signal.c:2285): No description found for parameter 'int'

    because the macro parameters all "look like" function parameters,
    although they are not:

    /**
     * sys_tgkill - send signal to one specific thread
     * @tgid: the thread group ID of the thread
     * @pid: the PID of the thread
     * @sig: signal to be sent
     *
     * This syscall also checks the @tgid and returns -ESRCH even if the PID
     * exists but it's not belonging to the target process anymore. This
     * method solves the problem of threads exiting and PIDs getting reused.
     */
    SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid_t, pid, int, sig)
    {
    ...

    This patch special-cases the handling SYSCALL_DEFINE* function
    prototypes by expanding them to
            long sys_foobar(type1 arg1, type1 arg2, ...)

    Signed-off-by: Randy Dunlap
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 454fb02244523f5ac8bed133baeead64037a3031
Author: Heiko Carstens
Date:   Wed Feb 11 13:04:38 2009 -0800

    syscall define: fix uml compile bug

    commit 6c5979631b4b03c9288776562c18036765e398c1 upstream.

    With the new system call defines we get this on uml:

    arch/um/sys-i386/built-in.o: In function `sys_call_table':
    (.rodata+0x308): undefined reference to `sys_sigprocmask'

    Reason for this is that uml passes the preprocessor option
    -Dsigprocmask=kernel_sigprocmask to gcc when compiling the kernel.
    This causes SYSCALL_DEFINE3(sigprocmask, ...) to be expanded to
    SYSCALL_DEFINEx(3, kernel_sigprocmask, ...) and finally to a
    system call named sys_kernel_sigprocmask. However sys_sigprocmask
    is missing because of this.

    To avoid macro expansion for the system call name just concatenate
    the name at first define instead of carrying it through several
    levels.

    This was pointed out by Al Viro.

    Signed-off-by: Heiko Carstens
    Cc: Geert Uytterhoeven
    Cc: Al Viro
    Reviewed-by: WANG Cong
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 898f09e0b81b78acfe42e5b1713a0f2aa5e2e73d
Author: Jiri Slaby
Date:   Wed Feb 11 13:04:40 2009 -0800

    parport: parport_serial, don't bind netmos ibm 0299

    commit 3abdbf90a3ffb006108c831c56b092e35483b6ec upstream.

    Since netmos 9835 with subids 0x1014(IBM):0x0299 is now bound with
    serial/8250_pci, because it has no parallel ports and subdevice id
    isn't in the expected form, return -ENODEV from probe function.

    This is performed in netmos preinit_hook.
Signed-off-by: Jiri Slaby Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1124f855be1abd0a605fec7f3d1d6c1eb21f9354 Author: Hin-Tak Leung Date: Wed Feb 4 23:40:43 2009 +0000 zd1211rw: treat MAXIM_NEW_RF(0x08) as UW2453_RF(0x09) for TP-Link WN322/422G commit efb43f4b2ccf8066abc3920a0e6858e4350a65c7 upstream. Three people (Petr Mensik ["si" should be U+0161 U+00ED], Stephen Ho on zd1211-devs and Ismael Ojeda Perez on linux-wireless) reported success in getting TP-Link WN322G/WN422G working by treating MAXIM_NEW_RF(0x08) as UW2453_RF(0x09) for rf chip hardware initialization. Signed-off-by: Hin-Tak Leung Tested-by: Petr Mensik Tested-by: Stephen Ho Tested-by: Ismael Ojeda Perez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit d86f84dcf23f923c68cb87f57d36c0d86cc1d956 Author: Hin-Tak Leung Date: Sun Feb 8 02:13:56 2009 +0000 zd1211rw: adding 0ace:0xa211 as a ZD1211 device commit 14990c69b5f51dd57b4e0e2373de50239ac861e2 upstream. Christoph Biedl reported success in the sourceforge zd1211 mailing list on this addition. This product ID was supported by the vendor driver ZD1211LnxDrv 2.22.0.0 (and possibly earlier) and it probably should have been added earlier. Signed-off-by: Hin-Tak Leung Tested-by: Christoph Biedl Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 523669a7d56b5e2ee2575c6b5db2d504fa8b1c24 Author: Ian Dall Date: Wed Feb 11 13:04:46 2009 -0800 w1: w1 temp calculation overflow fix commit 507e2fbaaacb6f164b4125b87c5002f95143174b upstream. Addresses http://bugzilla.kernel.org/show_bug.cgi?id=12646 When the temperature exceeds 32767 milli-degrees the temperature overflows to -32768 millidegrees. These are bothe well within the -55 - +125 degree range for the sensor. Fix overflow in left-shift of a u8. 
Signed-off-by: Ian Dall Signed-off-by: Evgeniy Polyakov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d371ac207cde70ea31332b60dcbe52db77a76604 Author: Johannes Berg Date: Fri Feb 6 00:27:32 2009 +0100 mac80211: restrict to AP in outgoing interface heuristic commit f1b33cb1c25ac476cbf22783f9ca2016f99648ed upstream. We try to find the correct outgoing interface for injected frames based on the TA, but since this is a hack for hostapd 11w, restrict the heuristic to AP mode interfaces. At some point we'll add the ability to give an interface index in radiotap or so and just remove this heuristic again. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 7218ee2be8d92df31042f6dd0775ecddb0611145 Author: Paul Clements Date: Wed Feb 11 13:04:45 2009 -0800 nbd: fix I/O hang on disconnected nbds commit 4d48a542b42747c36a5937447d9c3de7c897ea50 upstream. Fix a problem that causes I/O to a disconnected (or partially initialized) nbd device to hang indefinitely. To reproduce: # ioctl NBD_SET_SIZE_BLOCKS /dev/nbd23 514048 # dd if=/dev/nbd23 of=/dev/null bs=4096 count=1 ...hangs... This can also occur when an nbd device loses its nbd-client/server connection. Although we clear the queue of any outstanding I/Os after the client/server connection fails, any additional I/Os that get queued later will hang. This bug may also be the problem reported in this bug report: http://bugzilla.kernel.org/show_bug.cgi?id=12277 Testing would need to be performed to determine if the two issues are the same. This problem was introduced by the new request handling thread code ("NBD: allow nbd to be used locally", 3/2008), which entered into mainline around 2.6.25. The fix, which is fairly simple, is to restore the check for lo->sock being NULL in do_nbd_request. This causes I/O to an uninitialized nbd to immediately fail with an I/O error, as it did prior to the introduction of this bug. 
Signed-off-by: Paul Clements Reported-by: Jon Nelson Acked-by: Pavel Machek Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 890f5fa0b9e31ee2ebc3dc47a3e4a2426d593d43 Author: Alok Kataria Date: Fri Feb 6 10:29:35 2009 -0800 x86, vmi: put a missing paravirt_release_pmd in pgd_dtor commit 55a8ba4b7f76bebd7e8ce3f74c04b140627a1bad upstream. Commit 6194ba6ff6ccf8d5c54c857600843c67aa82c407 ("x86: don't special-case pmd allocations as much") made changes to the way we handle pmd allocations, and while doing that it dropped a call to paravirt_release_pd on the pgd page from the pgd_dtor code path. As a result of this missing release, the hypervisor is now unaware of the pgd page being freed, and as a result it ends up tracking this page as a page table page. After this the guest may start using the same page for other purposes, and depending on what use the page is put to, it may result in various performance and/or functional issues ( hangs, reboots). Since this release is only required for VMI, I now release the pgd page from the (vmi)_pgd_free hook. Signed-off-by: Alok N Kataria Acked-by: Jeremy Fitzhardinge Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman