commit 7c77d3f9d78acdf8897e22afe6aaa3a01253bd4c
Author: Greg Kroah-Hartman
Date:   Mon Jun 15 09:44:45 2009 -0700

    Linux 2.6.29.5

commit 288aae5dc647d969724e2a2cb5ce3f6d5f18567c
Author: Theodore Ts'o
Date:   Tue Jun 2 08:07:59 2009 -0400

    ext4: Fix race in ext4_inode_info.i_cached_extent

    (cherry picked from commit 2ec0ae3acec47f628179ee95fe2c4da01b5e9fc4)

    If two CPU's simultaneously call ext4_ext_get_blocks() at the same
    time, there is nothing protecting the i_cached_extent structure from
    being used and updated at the same time. This could potentially cause
    the wrong location on disk to be read or written to, including
    potentially causing the corruption of the block group descriptors
    and/or inode table.

    This bug has been in the ext4 code since almost the very beginning of
    ext4's development. Fortunately once the data is stored in the page
    cache, ext4_get_blocks() doesn't need to be called, so trying to
    replicate this problem to the point where we could identify its root
    cause was *extremely* difficult. Many thanks to Kevin Shanahan for
    working over several months to be able to reproduce this easily so we
    could finally nail down the cause of the corruption.

    Signed-off-by: "Theodore Ts'o"
    Reviewed-by: "Aneesh Kumar K.V"
    Signed-off-by: Greg Kroah-Hartman

commit 85d74145f2ad27963cb2ab6fcbafcc1a172c7a7a
Author: Aneesh Kumar K.V
Date:   Tue Jun 2 08:07:58 2009 -0400

    ext4: Clear the unwritten buffer_head flag after the extent is initialized

    (cherry picked from commit 2a8964d63d50dd2d65d71d342bc7fb6ef4117614)

    The BH_Unwritten flag indicates that the buffer is allocated on disk
    but has not been written; that is, the disk was part of a persistent
    preallocation area. That flag should only be set when a get_blocks()
    function is looking up an inode's logical to physical block mapping.

    When ext4_get_blocks_wrap() is called with create=1, the uninitialized
    extent is converted into an initialized one, so the BH_Unwritten flag
    is no longer appropriate.
    Hence, we need to make sure the BH_Unwritten is not left set, since
    the combination of BH_Mapped and BH_Unwritten is not allowed; among
    other things, it will result in ext4's get_block() being called over
    and over again during the write_begin phase of write(2).

    Signed-off-by: Aneesh Kumar K.V
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 9cb18641b3fd86309735fc4e2df14aaf9c50469c
Author: Aneesh Kumar K.V
Date:   Tue Jun 2 08:07:57 2009 -0400

    ext4: Use a fake block number for delayed new buffer_head

    (cherry picked from commit 33b9817e2ae097c7b8d256e3510ac6c54fc6d9d0)

    Use a very large unsigned number (~0xffff) as the fake block number
    for the delayed new buffer. The VFS should never try to write out this
    number, but if it does, this will make it obvious.

    Signed-off-by: Aneesh Kumar K.V
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit b0b1dd413d407ba6879e8286a10c5781f2f2ec5e
Author: Aneesh Kumar K.V
Date:   Tue Jun 2 08:07:56 2009 -0400

    ext4: Fix sub-block zeroing for writes into preallocated extents

    (cherry picked from commit 9c1ee184a30394e54165fa4c15923cabd952c106)

    We need to mark the buffer_head mapping preallocated space as new
    during write_begin. Otherwise we don't zero out the page cache content
    properly for a partial write. This will cause file corruption with
    preallocation.

    Now that we mark the buffer_head new we also need to have a valid
    buffer_head blocknr so that unmap_underlying_metadata() unmaps the
    correct block.

    Signed-off-by: Aneesh Kumar K.V
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit c3cde774f78f1519cf07c2ca2aee9e13e3185220
Author: Theodore Ts'o
Date:   Tue Jun 2 08:07:55 2009 -0400

    ext4: Ignore i_file_acl_high unless EXT4_FEATURE_INCOMPAT_64BIT is present

    (cherry picked from commit a9e817425dc0baede8ebe5fbc9984a640257432b)

    Don't try to look at i_file_acl_high unless the INCOMPAT_64BIT feature
    bit is set.
    The field is normally zero, but older versions of e2fsck didn't
    automatically check to make sure of this, so in the spirit of "be
    liberal in what you accept", don't look at i_file_acl_high unless we
    are using a 64-bit filesystem.

    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 8c30ec0c2f7a507e960bba4113e59f31fa4a42fc
Author: Theodore Ts'o
Date:   Tue Jun 2 08:07:54 2009 -0400

    ext4: Fix softlockup caused by illegal i_file_acl value in on-disk inode

    (cherry picked from commit 485c26ec70f823f2a9cf45982b724893e53a859e)

    If the block containing external extended attributes (which is stored
    in i_file_acl and i_file_acl_high) is larger than the on-disk
    filesystem, the process which tried to access the extended attributes
    will endlessly issue kernel printks complaining that
    "__find_get_block_slow() failed", locking up that CPU until the system
    is forcibly rebooted.

    So when we read in the inode, make sure the i_file_acl value is legal,
    and if not, flag the filesystem as being corrupted.

    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 54eefd82c70ebe77f72b7891b7e1538284948c33
Author: Chuck Ebbert
Date:   Tue Jun 2 08:07:53 2009 -0400

    ext4: really print the find_group_flex fallback warning only once

    (cherry picked from commit 6b82f3cb2d480b7714eb0ff61aee99c22160389e)

    Missing braces caused the warning to print more than once.

    Signed-Off-By: Chuck Ebbert
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit d0df1b653152d0b502b00cc04623b7950626e5d6
Author: Jan Kara
Date:   Tue Jun 2 08:07:52 2009 -0400

    jbd2: Update locking coments

    (cherry picked from commit 86db97c87f744364d5889ca8a4134ca2048b8f83)

    Update information about locking in JBD2 revoke code.
    Inconsistency in comments found by Lin Tan

    CC: Lin Tan
    Signed-off-by: Jan Kara
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 126cb774c1508c707243d4a971607e84fedc0db1
Author: Theodore Ts'o
Date:   Tue Jun 2 08:07:51 2009 -0400

    ext4: Check for an valid i_mode when reading the inode from disk

    (cherry picked from commit 563bdd61fe4dbd6b58cf7eb06f8d8f14479ae1dc)

    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit b1ed60477aaa7fefbfa109220e7d709577418bf0
Author: Theodore Ts'o
Date:   Tue Jun 2 08:07:50 2009 -0400

    ext4: Add auto_da_alloc mount option

    (cherry picked from commit afd4672dc7610b7feef5190168aa917cc2e417e4)

    Add a mount option which allows the user to disable automatic
    allocation of blocks whose allocation by delayed allocation when the
    file was originally truncated or when the file is renamed over an
    existing file. This feature is intended to save users from the effects
    of naive application writers, but it reduces the effectiveness of the
    delayed allocation code. This mount option disables this safety
    feature, which may be desirable for production systems where the risk
    of unclean shutdowns or unexpected system crashes is low.

    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit ffe15619ef5a2e9108d13d822a9b475afb044155
Author: Aneesh Kumar K.V
Date:   Tue Jun 2 08:07:49 2009 -0400

    ext4: Fix discard of inode prealloc space with delayed allocation.

    (cherry picked from commit d6014301b5599fba395c42a1e96a7fe86f7d0b2d)

    With delayed allocation we should not/cannot discard inode prealloc
    space during file close. We would still have dirty pages for which we
    haven't allocated blocks yet. With this fix after each get_blocks
    request we check whether we have zero reserved blocks and if yes and
    we don't have any writers on the file we discard inode prealloc space.

    Signed-off-by: Aneesh Kumar K.V
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit f8d9f45f2368d85328f784c84854ca2cec8e38ea
Author: Theodore Ts'o
Date:   Tue Jun 2 08:07:48 2009 -0400

    ext4: Automatically allocate delay allocated blocks on rename

    (cherry picked from commit 8750c6d5fcbd3342b3d908d157f81d345c5325a7)

    When renaming a file such that a link to another inode is overwritten,
    force any delay allocated blocks to be allocated so that if the
    filesystem is mounted with data=ordered, the data blocks will be
    pushed out to disk along with the journal commit. Many application
    programs expect this, so we do this to avoid zero length files if the
    system crashes unexpectedly.

    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 23ae18d466ab83fc4b9829b331ee82899bccdeff
Author: Theodore Ts'o
Date:   Tue Jun 2 08:07:47 2009 -0400

    ext4: Automatically allocate delay allocated blocks on close

    (cherry picked from commit 7d8f9f7d150dded7b68e61ca6403a1f166fb4edf)

    When closing a file that had been previously truncated, force any
    delay allocated blocks to be allocated so that if the filesystem is
    mounted with data=ordered, the data blocks will be pushed out to disk
    along with the journal commit. Many application programs expect this,
    so we do this to avoid zero length files if the system crashes
    unexpectedly.

    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 9dc84851a33e1dda83cfecfee130e26c92c8a3bb
Author: Theodore Ts'o
Date:   Tue Jun 2 08:07:46 2009 -0400

    ext4: add EXT4_IOC_ALLOC_DA_BLKS ioctl

    (cherry picked from commit ccd2506bd43113659aa904d5bea5d1300605e2a6)

    Add an ioctl which forces all of the delay allocated blocks to be
    allocated. This also provides a function ext4_alloc_da_blocks() which
    will be used by the following commits to force files to be fully
    allocated to preserve application-expected ext3 behaviour.

    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 52afcdee3a1478d082fef2e1fddd7e0550d40b18
Author: Theodore Ts'o
Date:   Tue Jun 2 08:07:45 2009 -0400

    ext4: Add fine print for the 32000 subdirectory limit

    (cherry picked from commit 722bde6875bfb49a0c84e5601eb82dd7ac02d27c)

    Some people are reading the ext4 feature list too literally and create
    dubious test cases involving very long filenames and 1k blocksize and
    then complain when they run into an htree-imposed limit. So add fine
    print to the "fix 32000 subdirectory limit" ext4 feature.

    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 12fbaee2875dc57270194aec4b1d3d9224879c2f
Author: Bryan Donlan
Date:   Tue Jun 2 08:07:44 2009 -0400

    ext4: return -EIO not -ESTALE on directory traversal through deleted inode

    (cherry picked from commit e6f009b0b45220c004672d41a58865e94946104d)

    ext4_iget() returns -ESTALE if invoked on a deleted inode, in order to
    report errors to NFS properly. However, in ext4_lookup(), this -ESTALE
    can be propagated to userspace if the filesystem is corrupted such
    that a directory entry references a deleted inode. This leads to a
    misleading error message - "Stale NFS file handle" - and confusion on
    the part of the admin.

    The bug can be easily reproduced by creating a new filesystem, making
    a link to an unused inode using debugfs, then mounting and attempting
    to ls -l said link.

    This patch thus changes ext4_lookup to return -EIO if it receives
    -ESTALE from ext4_iget(), as ext4 does for other filesystem metadata
    corruption; and also invokes the appropriate ext*_error functions when
    this case is detected.

    Signed-off-by: Bryan Donlan
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 31e8c0f55ae1a41eb8e7a92b6ec39ae445045230
Author: Duane Griffin
Date:   Tue Jun 2 08:07:43 2009 -0400

    ext4: tighten restrictions on inode flags

    (cherry picked from commit 2dc6b0d48ca0599837df21b14bb8393d0804af57)

    At the moment there are few restrictions on which flags may be set on
    which inodes. Specifically DIRSYNC may only be set on directories and
    IMMUTABLE and APPEND may not be set on links. Tighten that to disallow
    TOPDIR being set on non-directories and only NODUMP and NOATIME to be
    set on non-regular file, non-directories.

    Introduces a flags masking function which masks flags based on mode
    and use it during inode creation and when flags are set via the ioctl
    to facilitate future consistency.

    Signed-off-by: Duane Griffin
    Acked-by: Andreas Dilger
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit b1afbf95c28f22ca2c52a8535a42717b0f8eff30
Author: Duane Griffin
Date:   Tue Jun 2 08:07:42 2009 -0400

    ext4: don't inherit inappropriate inode flags from parent

    (cherry picked from commit 8fa43a81b97853fc69417bb6054182e78f95cbeb)

    At present INDEX and EXTENTS are the only flags that new ext4 inodes
    do NOT inherit from their parent. In addition prevent the flags DIRTY,
    ECOMPR, IMAGIC, TOPDIR, HUGE_FILE and EXT_MIGRATE from being
    inherited. List inheritable flags explicitly to prevent future flags
    from accidentally being inherited.

    This fixes the TOPDIR flag inheritance bug reported at
    http://bugzilla.kernel.org/show_bug.cgi?id=9866.

    Signed-off-by: Duane Griffin
    Acked-by: Andreas Dilger
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 42c8b89f855f88d83b409f122b9a1b7a3c54e2ae
Author: Andreas Herrmann
Date:   Tue Apr 21 20:00:37 2009 +0200

    x86: hpet: fix periodic mode programming on AMD 81xx

    commit 7a6f9cbb37120c745fc187083fb5c3de4dca4f97 upstream.

    (See http://bugzilla.kernel.org/show_bug.cgi?id=12961)

    It partially reverts commit c23e253e67c9d8a91a0ffa33c1f571a17f0a2403
    (x86: hpet: stop HPET_COUNTER when programming periodic mode)

    HPET on AMD 81xx chipset needs a second write (with HPET_TN_SETVAL
    cleared) to T0_CMP register to set the period in periodic mode. With
    this patch HPET_COUNTER is still stopped but not reset when HPET is
    programmed in periodic mode. This should help to avoid races when HPET
    is programmed in periodic mode and fixes a boot time hang that I've
    observed on a machine when using 1000HZ.

    [ Impact: fix boot time hang on machines with AMD 81xx chipset ]

    Reported-by: Jeff Mahoney
    Signed-off-by: Andreas Herrmann
    Tested-by: Jeff Mahoney
    LKML-Reference: <20090421180037.GA2763@alberich.amd.com>
    Signed-off-by: Ingo Molnar
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit 5beb01f947a1607c094f053d6575b4f647b7016c
Author: Andreas Herrmann
Date:   Fri May 29 17:35:14 2009 -0400

    x86: hpet: stop HPET_COUNTER when programming periodic mode

    commit c23e253e67c9d8a91a0ffa33c1f571a17f0a2403 upstream

    x86: hpet: stop HPET_COUNTER when programming periodic mode

    Impact: fix system hang on some systems operating with HZ_1000

    On a system that stalled with HZ_1000, the first value written to
    T0_CMP (when the main counter was not stopped) did not trigger an
    interrupt. Instead after the main counter wrapped around (after
    several minutes) an interrupt was triggered and afterwards the
    periodic interrupt took effect.

    This can be fixed by implementing HPET spec recommendation for
    programming the periodic mode (i.e. stopping the main counter).

    [cebbert@redhat.com: backport to 2.6.29]
    Signed-off-by: Andreas Herrmann
    Cc: Mark Hounschell
    Cc: Borislav Petkov
    Signed-off-by: Ingo Molnar
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit 8c68c89bc518df5fb21112be68c94fcd25b8b2de
Author: Andreas Herrmann
Date:   Sat Feb 21 00:10:44 2009 +0100

    x86: hpet: provide separate functions to stop and start the counter

    commit 8d6f0c8214928f7c5083dd54ecb69c5d615b516e upstream.

    By splitting up existing hpet_start_counter function.

    Signed-off-by: Andreas Herrmann
    Cc: Mark Hounschell
    Cc: Borislav Petkov
    Signed-off-by: Ingo Molnar
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit 8842593368490116911712ea5aaf6ea9dd2db7bb
Author: Oleg Nesterov
Date:   Thu Apr 2 16:58:14 2009 -0700

    ptrace: fix possible zombie leak on PTRACE_DETACH

    commit 4576145c1ecdaaea9ef8976a48335206aa1ebf91 upstream.

    When ptrace_detach() takes tasklist, the tracee can be SIGKILL'ed. If
    it has already passed exit_notify() we can leak a zombie, because a)
    ptracing disables the auto-reaping logic, and b) ->real_parent was not
    notified about the child's death.

    ptrace_detach() should follow the ptrace_exit's logic, change the code
    accordingly.

    Signed-off-by: Oleg Nesterov
    Cc: Jerome Marchand
    Cc: Roland McGrath
    Tested-by: Denys Vlasenko
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 64cd4669da13c829635f0b668a6bd546ee472e01
Author: Oleg Nesterov
Date:   Thu Apr 2 16:58:13 2009 -0700

    ptrace: reintroduce __ptrace_detach() as a callee of ptrace_exit()

    commit b1b4c6799fb59e710454bfe0ab477cb8523a8667 upstream.

    No functional changes, preparation for the next patch.

    Move the "should we release this child" logic into the separate
    handler, __ptrace_detach().

    Signed-off-by: Oleg Nesterov
    Cc: Jerome Marchand
    Cc: Roland McGrath
    Cc: Denys Vlasenko
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 07325c8e8ed1eedb283941860cafb64fd60b46cd
Author: Oleg Nesterov
Date:   Thu Apr 2 16:58:12 2009 -0700

    ptrace: simplify ptrace_exit()->ignoring_children() path

    commit 6d69cb87f05eef3b02370b2f7bae608ad2301a00 upstream.

    ignoring_children() takes parent->sighand->siglock and checks
    k_sigaction[SIGCHLD] atomically. But this buys nothing, we can't get
    the "really" wrong result even if we race with sigaction(SIGCHLD). If
    we read the "stale" sa_handler/sa_flags we can pretend it was changed
    right after the check.

    Remove spin_lock(->siglock), and kill "int ign" which caches the
    result of ignoring_children() which becomes rather trivial.

    Perhaps it makes sense to export this helper, do_notify_parent() can
    use it too.

    Signed-off-by: Oleg Nesterov
    Cc: Jerome Marchand
    Cc: Roland McGrath
    Cc: Denys Vlasenko
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 887832b0dc724dec5d0fe7a0e58e035294ce1008
Author: Oleg Nesterov
Date:   Thu Apr 2 16:58:11 2009 -0700

    ptrace: kill __ptrace_detach(), fix ->exit_state check

    commit 95c3eb76dc07fd81289888ffc42948196b34b444 upstream.

    Move the code from __ptrace_detach() to its single caller and kill
    this helper.

    Also, fix the ->exit_state check, we shouldn't wake up EXIT_DEAD
    tasks. Actually, I think task_is_stopped_or_traced() makes more sense,
    but this needs another patch.

    Signed-off-by: Oleg Nesterov
    Cc: Jerome Marchand
    Cc: Roland McGrath
    Cc: Denys Vlasenko
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit d1e765382f287bd9707b95600b6424eea2c4326b
Author: Herbert Xu
Date:   Tue Apr 21 13:27:16 2009 +0800

    crypto: api - Fix algorithm module auto-loading

    commit 37fc334cc8eb84f5fe0a5a1cbe6a6a68049e142a upstream.

    The commit a760a6656e6f00bb0144a42a048cf0266646e22c (crypto: api - Fix
    module load deadlock with fallback algorithms) broke the auto-loading
    of algorithms that require fallbacks. The problem is that the fallback
    mask check is missing an and which causes bits that should be
    considered to interfere with the result.

    Reported-by: Chuck Ebbert
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 8d21b16b57f4cc8551145da6e6b8177fbedebf1c
Author: Herbert Xu
Date:   Tue Apr 21 13:55:20 2009 +0800

    crypto: padlock - Revert aes-all alias to aes

    commit acd246b7494c629aa617da49716409566cf52149 upstream.

    Since the padlock-aes driver doesn't require a fallback (it's only
    padlock-sha that does), it should use the aes alias rather than
    aes-all so that ones that do need a fallback can use it.

    Signed-off-by: Herbert Xu
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit cdd7149543f4b9df682be9dca0f4a4a4f2097519
Author: David Howells
Date:   Thu Apr 9 17:14:05 2009 +0100

    keys: Handle there being no fallback destination keyring for request_key()

    commit 34574dd10b6d0697b86703388d6d6af9cbf4bb48 upstream.

    When request_key() is called, without there being any standard process
    keyrings on which to fall back if a destination keyring is not
    specified, an oops is liable to occur when construct_alloc_key() calls
    down_write() on dest_keyring's semaphore.

    Due to function inlining this may be seen as an oops in down_write()
    as called from request_key_and_link().

    This situation crops up during boot, where request_key() is called
    from within the kernel (such as in CIFS mounts) where nobody is
    actually logged in, and so PAM has not had a chance to create a
    session keyring and user keyrings to act as the fallback.

    To fix this, make construct_alloc_key() not attempt to cache a key if
    there is no fallback key if no destination keyring is given
    specifically.

    Signed-off-by: David Howells
    Tested-by: Jeff Layton
    Signed-off-by: Linus Torvalds
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit fb6fda072d7ef219039cc0b0e8218e5f465ef02e
Author: Alan Cox
Date:   Tue Apr 14 14:57:36 2009 +0100

    cdc-acm: Fix long standing abuse of tty->low_latency

    commit 7a9a65ced11ece416b730d6f21040a18e62d78a8 upstream.

    ACM sets the low latency flag but calls the flip buffer routines from
    IRQ context which isn't permitted (and as of 2.6.29 causes a warning
    hence this one was caught)

    Fortunately ACM doesn't need to set this flag in the first place as it
    only set it to work around problems in ancient (pre tty flip rewrite)
    kernels.

    Reported-by: Chuck Ebbert
    Signed-off-by: Alan Cox
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit f71cf2a2181aef25513272991f54148799ddc1f0
Author: Adam Williamson
Date:   Thu May 21 18:32:59 2009 -0400

    ALSA: hda - fix audio on HP TX25xx series notebooks

    commit 87488957a68293357a94c8142de7d0ae17914912 upstream.

    Fixes https://bugtrack.alsa-project.org/alsa-bug/view.php?id=4121
    Taken from https://bugzilla.redhat.com/show_bug.cgi?id=498060

    Signed-off-by: Adam Williamson
    Signed-off-by: Takashi Iwai
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit e5a2c03e61c8bc05e573b05e424dc545894f18ff
Author: Tejun Heo
Date:   Sun Apr 19 07:00:41 2009 +0900

    ide-tape: remove back-to-back REQUEST_SENSE detection

    commit 36999a5af1b6c5379e59f0ddf434db08d03c19e4 upstream.

    Impact: fix an oops which always triggers

    ide_tape_issue_pc() assumed drive->pc isn't NULL on invocation when
    checking for back-to-back request sense issues but drive->pc can be
    NULL and even when it's not NULL, it's not safe to dereference it once
    the previous command is complete because pc could have been freed or
    was on stack.

    Kill back-to-back REQUEST_SENSE detection.

    Signed-off-by: Tejun Heo
    Signed-off-by: Bartlomiej Zolnierkiewicz
    Signed-off-by: Greg Kroah-Hartman

commit 1e4f26e2ab78b52720c3ef2b3c5fb015b11c4867
Author: Stephen Rothwell
Date:   Thu Apr 23 22:56:11 2009 +1000

    powerpc: fix for long standing bug noticed by gcc 4.4.0

    commit b62c31ae401c6df25c61b206681a6e904ef97169 upstream.

    Previous gcc versions didn't notice this because one of the preceding
    #ifs always evaluated to true.

    gcc 4.4.0 produced this error:

    arch/powerpc/mm/tlb_nohash_low.S:206:6: error: #elif with no expression

    Signed-off-by: Stephen Rothwell
    Acked-by: Josh Boyer
    Signed-off-by: Kumar Gala
    Signed-off-by: Greg Kroah-Hartman

commit 05a0478d956820a6f168ed9f65c00da688cc5751
Author: adam radford
Date:   Mon May 11 14:55:55 2009 -0700

    3w-xxxx: scsi_dma_unmap fix

    commit 7b14f58ad65f9d74e4273fb45360cfea824495aa upstream.

    This patch fixes the following regression that occurred during the
    scsi_dma_map()/unmap() changes when compiling with
    CONFIG_DMA_API_DEBUG=y :

    WARNING: at lib/dma-debug.c:496 check_unmap+0x142/0x542()
    Hardware name: 3w-xxxx 0000:02:02.0: DMA-API: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=36 bytes]

    Signed-off-by: Adam Radford
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 8905d71b7486fbe10423a08353bf484afdc09f9e
Author: Zoltan Karcagi
Date:   Wed May 6 16:30:21 2009 +0200

    HID: fix dropped device-specific quirks

    commit f5208997087e6eb2096532b5a313eeb236535bdc upstream.

    Device-specific quirks are set up correctly in their respective
    vendor-specific driver, then get overwritten in usbhid_parse().

    This is only an issue for device-specific NOGET quirks being set by
    driver for a few devices out there.

    Signed-off-by: Zoltan Karcagi
    Signed-off-by: Jiri Kosina
    Signed-off-by: Greg Kroah-Hartman

commit 1e40bb56bb4d69f889377d39a9998285396043c9
Author: Linus Torvalds
Date:   Tue May 19 11:25:35 2009 -0700

    Avoid ICE in get_random_int() with gcc-3.4.5

    commit 26a9a418237c0b06528941bca693c49c8d97edbe upstream.

    Martin Knoblauch reports that trying to build 2.6.30-rc6-git3 with
    RHEL4.3 userspace (gcc (GCC) 3.4.5 20051201 (Red Hat 3.4.5-2)) causes
    an internal compiler error (ICE):

        drivers/char/random.c: In function `get_random_int':
        drivers/char/random.c:1672: error: unrecognizable insn:
        (insn 202 148 150 0 /scratch/build/linux-2.6.30-rc6-git3/arch/x86/include/asm/tsc.h:23 (set (reg:SI 0 ax [91])
                (subreg:SI (plus:DI (plus:DI (reg:DI 0 ax [88])
                            (subreg:DI (reg:SI 6 bp) 0))
                        (const_int -4 [0xfffffffffffffffc])) 0)) -1 (nil)
            (nil))
        drivers/char/random.c:1672: internal compiler error: in extract_insn, at recog.c:2083

    and after some debugging it turns out that it's due to the code trying
    to figure out the rough value of the current stack pointer by taking
    an address of an uninitialized variable and casting that to an
    integer.

    This is clearly a compiler bug, but it's not worth fighting - while
    the current stack kernel pointer might be somewhat hard to predict in
    user space, it's also not generally going to change for a lot of the
    call chains for a particular process.

    So just drop it, and mumble some incoherent curses at the compiler.

    Tested-by: Martin Knoblauch
    Cc: Matt Mackall
    Cc: Ingo Molnar
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 6188dc11e308cba7590bf523ccb6fb53b8b13b30
Author: Linus Torvalds
Date:   Tue May 5 08:17:43 2009 -0700

    random: make get_random_int() more random

    commit 8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02 upstream.

    It's a really simple patch that basically just open-codes the current
    "secure_ip_id()" call, but when open-coding it we now use a _static_
    hashing area, so that it gets updated every time.

    And to make sure somebody can't just start from the same original seed
    of all-zeroes, and then do the "half_md4_transform()" over and over
    until they get the same sequence as the kernel has, each iteration
    also mixes in the same old "current->pid + jiffies" we used - so we
    should now have a regular strong pseudo-number generator, but we also
    have one that doesn't have a single seed.

    Note: the "pid + jiffies" is just meant to be a tiny tiny bit of
    noise. It has no real meaning. It could be anything. I just picked the
    previous seed, it's just that now we keep the state in between calls
    and that will feed into the next result, and that should make all the
    difference.

    I made that hash be a per-cpu data just to avoid cache-line ping-pong:
    having multiple CPU's write to the same data would be fine for
    randomness, and add yet another layer of chaos to it, but since
    get_random_int() is supposed to be a fast interface I did it that way
    instead. I considered using "__raw_get_cpu_var()" to avoid any
    preemption overhead while still getting the hash be _mostly_ ping-pong
    free, but in the end good taste won out.

    Signed-off-by: Ingo Molnar
    Signed-off-by: Linus Torvalds
    Cc: Jake Edge
    Signed-off-by: Greg Kroah-Hartman

commit c31ee0b36f2f808870d52f2ad5ad0dbb21786f4d
Author: Michael Chan
Date:   Wed May 6 16:46:47 2009 -0700

    bnx2: Fix panic in bnx2_poll_work().

    commit 581daf7e00c5e766f26aff80a61a860a17b0d75a upstream.

    Add barrier() to bnx2_get_hw_{tx|rx}_cons() to fix this issue:

    http://bugzilla.kernel.org/show_bug.cgi?id=12698

    This issue was reported by multiple i386 users. Without barrier(), the
    compiled code looks like the following where %eax contains the address
    of the tx_cons or rx_cons in the DMA status block. The status block
    contents can change between the cmpb and the movzwl instruction. The
    driver would crash if the value was not 0xff during the cmpb
    instruction, but changed to 0xff during the movzwl instruction.

    6828:  80 38 ff        cmpb   $0xff,(%eax)
    682b:  0f b7 10        movzwl (%eax),%edx

    With the added barrier(), the compiled code now looks correct:

    683d:  0f b7 10        movzwl (%eax),%edx
    6840:  0f b6 c2        movzbl %dl,%eax
    6843:  3d ff 00 00 00  cmp    $0xff,%eax

    Thanks to Pascal de Bruijn for reporting the problem and Holger Noefer
    for patiently testing test patches for us.

    [greg - took out version change]

    Signed-off-by: Michael Chan
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 56009774704b0cf6052466b82300b4cdd5ccc855
Author: John W. Linville
Date:   Tue May 5 15:18:26 2009 -0400

    mac80211: avoid NULL ptr deref when finding max_rates in PID and minstrel

    commit 621ad7c96aa138cfeab53cd4debc5a4e08b2189b upstream.

    "There is another problem with this piece of code. The sband will be
    NULL after second iteration on single band device and cause null
    pointer dereference. Everything is working with dual band card. Sorry,
    but I don't know how to explain this clearly in English. I have looked
    on the second patch for pid algorithm and found similar bug."

    Reported-by: Karol Szuster
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 94a9ef2fbeed9360a2036fcc79873dcf9ab7acf3
Author: Jiri Slaby
Date:   Mon May 4 18:10:28 2009 +0200

    mac80211: pid, fix memory corruption

    commit 6909268dc93ae4b0b8e1ebb4b2fa70b1a47dd347 upstream.

    pid doesn't count with some band having more bitrates than the one
    associated the first time.

    Fix that by counting the maximal available bitrate count and allocate
    big enough space.

    Secondly, fix touching uninitialized memory which causes panics. Index
    sucked from this random memory points to the hell.

    The fix is to sort the rates on each band change.

    Signed-off-by: Jiri Slaby
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 5a28cafbab1d07e4161f00678b6a45620a2c2e4f
Author: Jiri Slaby
Date:   Mon May 4 18:04:55 2009 +0200

    mac80211: minstrel, fix memory corruption

    commit 8e532175277d9a5eae49768ed086555081f741a7 upstream.

    minstrel doesn't count max rate count in fact, since it doesn't use a
    loop variable `i' and hence allocs space only for bitrates found in
    the first band.

    Fix it by involving the `i' as an index so that it traverses all the
    bands now and finds the real max bitrate count.

    Signed-off-by: Jiri Slaby
    Cc: Felix Fietkau
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 485e8e39a85e8178978252cd17f218e6787851ee
Author: Reinette Chatre
Date:   Thu Apr 30 13:56:31 2009 -0700

    iwlwifi: update key flags at time key is set

    commit 299f5462087f3bc2141e6bc83ba7e2b15d8a07d2 upstream.

    We need to be symmetrical in what is done when key is set and cleared.
    This is important wrt the key flags as they are used during key
    clearing and if they are not set when the key is set the key cannot be
    cleared completely.

    This addresses the many occurrences of the WARN found in
    iwl_set_tkip_dynamic_key_info() and tracked in
    http://www.kerneloops.org/searchweek.php?search=iwl_set_dynamic_key

    If calling iwl_set_tkip_dynamic_key_info()/iwl_remove_dynamic_key()
    pair a few times in a row will cause that we run out of key space.
    This is because the index stored in the key flags is used by
    iwl_remove_dynamic_key() to decide if it should remove the key.
    Unfortunately the key flags, and hence the key index is currently only
    set at the time the key is written to the device (in
    iwl_update_tkip_key()) and _not_ in iwl_set_tkip_dynamic_key_info().
    Fix this by setting flags in iwl_set_tkip_dynamic_key_info().

    Signed-off-by: Reinette Chatre
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 8f5e73f942179bc2aa9c93a53657f5c7bfe59701
Author: Jeff Kirsher
Date:   Tue Jun 2 16:38:52 2009 -0700

    igb: fix LRO warning

    This fix is only needed for 2.6.29.y tree, since in 2.6.30 and later
    IGB has moved to using GRO instead of LRO.

    igb supports LRO, but was not setting any hooks to the ->set_flags
    ethtool_ops function.
    This would trigger warnings if the user tried to enable or disable
    LRO.

    Based on the patch provided by Stephen Hemminger

    Reported-by: Sergey Kononenko
    Signed-off-by: Jeff Kirsher
    CC: Stephen Hemminger
    Signed-off-by: Greg Kroah-Hartman

commit 2a1fb867de86e7a09e00f2e6f18d37e2b97fd8d6
Author: Neil Horman
Date:   Tue Jun 2 01:29:58 2009 -0700

    e1000: add missing length check to e1000 receive routine

    commit ea30e11970a96cfe5e32c03a29332554573b4a10 upstream.

    Patch to fix bad length checking in e1000. E1000 by default does two
    things:

    1) Spans rx descriptors for packets that don't fit into 1 skb on
       receive
    2) Strips the crc from a frame by subtracting 4 bytes from the length
       prior to doing an skb_put

    Since the e1000 driver isn't written to support receiving packets that
    span multiple rx buffers, it checks the End of Packet bit of every
    frame, and discards it if it's not set. This places us in a situation
    where, if we have a spanning packet, the first part is discarded, but
    the second part is not (since it is the end of packet, and it passes
    the EOP bit test). If the second part of the frame is small (4 bytes
    or less), we subtract 4 from it to remove its crc, underflow the
    length, and wind up in skb_over_panic, when we try to skb_put a huge
    number of bytes into the skb. This amounts to a remote DOS attack
    through careful selection of frame size in relation to interface MTU.
    The fix for this is already in the e1000e driver, as well as the e1000
    sourceforge driver, but no one ever pushed it to e1000. This is lifted
    straight from e1000e, and prevents small frames from causing the
    underflow described above

    Signed-off-by: Neil Horman
    Tested-by: Andy Gospodarek
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 881db0622f9e7ccef8adfd5968b6fe547162ea87
Author: Eric Paris
Date:   Mon Jun 1 10:21:05 2009 -0400

    SELinux: BUG in SELinux compat_net code

    This patch is not applicable to Linus's tree as the code in question
    has been removed for 2.6.30.
    I'm sending in case any of the stable maintainers would like to push to
    their branches (which I think anything pre 2.6.30 would like to do).

    Ubuntu users were experiencing a kernel panic when they enabled SELinux
    due to an old bug in our handling of the compatibility mode network
    controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e
    Most distros have not used the compat_net code since the new code was
    introduced and so no one has hit this problem before. Ubuntu is the only
    distro I know that enabled that legacy cruft by default. But, I was asked
    to look at it and found that the above patch changed a call to
    avc_has_perm from if(send_perm) to if(!send_perm) in
    selinux_ip_postroute_iptables_compat(). The result is that users who turn
    on SELinux and have compat_net set can (and often will) BUG() in
    avc_has_perm_noaudit since they are requesting 0 permissions.

    This patch corrects that accidental bug introduction.

    Signed-off-by: Eric Paris
    Signed-off-by: Greg Kroah-Hartman

commit e00f8a824904848780c649c86947366f50c8623c
Author: Bartlomiej Zolnierkiewicz
Date:   Fri May 22 16:23:37 2009 +0200

    ide: fix OOPS during ide-cd error recovery

    commit e3b29f05124b07303088795396ff858811d2acb8 upstream.

    On Tuesday 19 May 2009 20:29:28 Martin Lottermoser wrote:
    > hdc: cdrom_decode_status: error=0x40 <3>{ LastFailedSense=0x04 }
    > ide: failed opcode was: unknown
    > hdc: DMA disabled
    > ------------[ cut here ]------------
    > kernel BUG at drivers/ide/ide-io.c:872!

    It is possible for ide-cd to ignore ide_error()'s return value under some
    circumstances. Workaround it in ide_intr() and ide_timer_expiry() by
    checking if there is a device/port reset pending currently.
    Fixes bug #13345:

    	http://bugzilla.kernel.org/show_bug.cgi?id=13345

    Reported-by: Martin Lottermoser
    Reported-and-tested-by: Modestas Vainius
    Cc: Borislav Petkov
    Signed-off-by: Bartlomiej Zolnierkiewicz
    Signed-off-by: Greg Kroah-Hartman

commit f9384896632d37a575ce544e6dea09f2a1ef4a04
Author: Bartlomiej Zolnierkiewicz
Date:   Sat May 30 20:06:54 2009 +0200

    ide_pci_generic: add quirk for Netcell ATA RAID

    commit c339dfdd65b52bfd947ab29d1210314a2f6d622d upstream.

    We need to explicitly mark words 85-87 as valid ones since firmware
    doesn't do it.

    This should fix support for LBA48 and FLUSH CACHE [EXT] command which
    stopped working after we applied more strict checking of identify words
    in:

    	commit 942dcd85bf8edf38cdc3745306ca250684d99a61
    	("ide: idedisk_supports_lba48() -> ata_id_lba48_enabled()")

    and

    	commit 4b58f17d7c45a8e5f4acda641bec388398b9c0fa
    	("ide: ide_id_has_flush_cache() -> ata_id_flush_enabled()")

    Reported-and-tested-by: "Trevor Hemsley"
    Signed-off-by: Bartlomiej Zolnierkiewicz
    Signed-off-by: Greg Kroah-Hartman

commit bfc71900a3fb609ce62b9b2e7bb9f5eac7a3f682
Author: Avi Kivity
Date:   Sat Jun 6 12:34:39 2009 +0300

    KVM: Explicity initialize cpus_hardware_enabled

    commit a4c0364be3f43d3e17fe19270f8b3d64881606e6 upstream.

    Under CONFIG_MAXSMP, cpus_hardware_enabled is allocated from the heap and
    not statically initialized. This causes a crash on reboot when kvm thinks
    vmx is enabled on random nonexistent cpus and accesses nonexistent percpu
    lists.

    Fix by explicitly clearing the variable.

    Reported-and-tested-by: Yinghai Lu
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 987ea1e8654459f98d7539f79f1460f3cad3d094
Author: Bartlomiej Zolnierkiewicz
Date:   Fri May 22 16:23:36 2009 +0200

    ide: fix 40-wire cable detection for TSST SH-S202* ATAPI devices (v2)

    commit 8369d5fa63260cc54464b4687aa6a0f78402d98e upstream.
    Since 2.6.26 we support UDMA66 on ATAPI devices requiring IVB quirk:

    	commit 8588a2b732928b343233af9b1855705b8286bed4
    	("ide: add SH-S202J to ivb_list[]")

    We also later added support for more such devices in:

    	commit e97564f362a93f8c248246c19828895950341252
    	("ide: More TSST drives with broken cable detection")

    and in:

    	commit 3ced5c49bd2d1f2c7f769e3a54385883de63a652
    	("ide: add TSSTcorp CDDVDW SH-S202H to ivb_list[]")

    It turns out that such devices lack cable detection altogether (which in
    turn results in incorrect detection of 40-wire cables by our current cable
    detection strategy) so always handle them by trusting host-side cable
    detection only.

    v2:
    Model detection fixup from Martin.

    Reported-and-tested-by: Martin Lottermoser
    Signed-off-by: Bartlomiej Zolnierkiewicz
    Signed-off-by: Greg Kroah-Hartman

commit 91b84c89188eb1189e05581d7d4318f9445dd0b8
Author: Shaohua Li
Date:   Tue May 19 16:09:54 2009 +0800

    cpuidle: fix AMD C1E suspend hang

    commit 7d60e8ab0d5507229dfbdf456501cc378610fa01 upstream.

    When AMD C1E is enabled, local APIC timer will stop even in C1. To avoid
    suspend/resume hang, this patch removes C1 and replace it with a
    cpu_relax() in suspend/resume path. This hasn't any impact in runtime
    path.

    http://bugzilla.kernel.org/show_bug.cgi?id=13233

    [ impact: avoid suspend/resume hang in AMD CPU with C1E enabled ]

    Tested-by: Dmitry Lyzhyn
    Signed-off-by: Shaohua Li
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit ab726ea2b8ceb78da2ed2e9fd6a60444f01e5d0d
Author: Shaohua Li
Date:   Tue Jun 2 10:51:58 2009 +0800

    cpuidle: make AMC C1E work in processor_idle

    commit 87ad57bacb25c3f24c54f142ef445f68277705f0 upstream

    When AMD C1E is enabled, local APIC timer will stop even in C1. This patch
    uses broadcast ipi to replace local APIC timer in C1.
    http://bugzilla.kernel.org/show_bug.cgi?id=13233

    [ impact: avoid boot hang in AMD CPU with C1E enabled ]

    Tested-by: Dmitry Lyzhyn
    Signed-off-by: Shaohua Li
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit 134ab0d6e68c12a684e114b1e27f7dbb187bacbf
Author: Mike Frysinger
Date:   Tue Jun 2 14:22:49 2009 +0200

    hwmon: (lm78) Add missing __devexit_p()

    commit 39d8bbedb9571a89d638f5b05358f26ab503d7a6 upstream.

    The remove function uses __devexit, so the .remove assignment needs
    __devexit_p() to fix a build error with hotplug disabled.

    Signed-off-by: Mike Frysinger
    Signed-off-by: Jean Delvare
    Signed-off-by: Greg Kroah-Hartman

commit c04dc54255f357d80e22f5647968db7f6db0b2da
Author: Peter Korsgaard
Date:   Mon May 18 11:13:54 2009 +0100

    mtd_dataflash: unbreak erase support

    commit dbf8c11f821b6ff83302c34f2403b4f7231f50ae upstream.

    Commit 5b7f3a50 (fix dataflash 64-bit divisions) unfortunately introduced
    a typo. Erase addr and len were swapped in the pageaddr calculation,
    causing the wrong sectors to get erased.

    Signed-off-by: Peter Korsgaard
    Acked-by: Artem Bityutskiy
    Signed-off-by: David Woodhouse
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 277ea86273f1d58979d8120cc1e1d66238420b7e
Author: Yinghai Lu
Date:   Wed Jun 3 00:13:13 2009 -0700

    x86/pci: fix mmconfig detection with 32bit near 4g

    commit 75e613cdc7bb2ba3795b1bc3ddf19476c767ba68 upstream.

    Pascal reported and bisected a commit:

    | x86/PCI: don't call e820_all_mapped with -1 in the mmconfig case

    which broke one system.
    ACPI: Using IOAPIC for interrupt routing
    PCI: MCFG configuration 0: base f0000000 segment 0 buses 0 - 255
    PCI: MCFG area at f0000000 reserved in ACPI motherboard resources
    PCI: Using MMCONFIG for extended config space

    it didn't have

    PCI: updated MCFG configuration 0: base f0000000 segment 0 buses 0 - 63

    anymore, and try to use 0xf000000 - 0xffffffff for mmconfig

    For 32bit, mcfg_res->end could be 32bit only (if 64 resources aren't used)
    So use end - 1 to pass the value in mcfg->end to avoid overflow.

    We don't need to worry about the e820 path, they are always 64 bit.

    Reported-by: Pascal Terjan
    Bisected-by: Pascal Terjan
    Tested-by: Pascal Terjan
    Signed-off-by: Yinghai Lu
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit a968478e750ca58051864b22e6a79c5b929a9a53
Author: Alan Stern
Date:   Wed May 27 11:25:52 2009 -0400

    usb-serial: fix crash when sub-driver updates firmware

    commit 0a3c8549ea7e94d74a41096d42bc6cdf43d183bf upstream.

    This patch (as1244) fixes a crash in usb-serial that occurs when a
    sub-driver returns a positive value from its attach method, indicating
    that new firmware was loaded and the device will disconnect and reconnect.
    The usb-serial core then skips the step of registering the port devices;
    when the disconnect occurs, the attempt to unregister the ports fails
    dramatically.

    This problem shows up with Keyspan devices and it might affect others as
    well.

    When the attach method returns a positive value, the patch sets num_ports
    to 0. This tells usb_serial_disconnect() not to try unregistering any of
    the ports; instead they are cleaned up by destroy_serial().

    Signed-off-by: Alan Stern
    Tested-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit a7e590d6d4525a2da2762f69d0b9aa719fd36ba1
Author: Clemens Ladisch
Date:   Wed May 27 10:49:30 2009 +0200

    sound: usb-audio: make the MotU Fastlane work again

    commit 55de5ef970c680d8d75f2a9aa7e4f172140dbd9c upstream.
    Kernel 2.6.18 broke the MotU Fastlane, which uses duplicate endpoint
    numbers in a manner that is not only illegal but also confuses the
    kernel's endpoint descriptor caching mechanism. To work around this, we
    have to add a separate usb_set_interface() call to guide the USB core to
    the correct descriptors.

    Signed-off-by: Clemens Ladisch
    Reported-and-tested-by: David Fries
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 5a9766fb357d68962dca31dfae078e7ec8e98b13
Author: Warren Free
Date:   Fri May 8 10:27:08 2009 +0200

    USB: isp1760: urb_dequeue doesn't always find the urbs

    commit 0afb20e00b5053170c85298fed842b32d20b4ea9 upstream.

    The option driver (and presumably others) allocates several URBs when it
    opens and tries to free them when it closes. The isp1760_urb_dequeue
    function gets called, but the packet being dequeued is not necessarily at
    the front of one of the 32 queues. If not, the isp1760_urb_done function
    doesn't get called for the URB and the process trying to free it hangs
    forever on a wait_queue. This patch does two things. If the URB being
    dequeued has others queued behind it, it re-queues them. And it searches
    the queues looking for the URB being dequeued rather than just looking at
    the one at the front of the queue.

    [bigeasy@linutronix] whitespace fixes, reformatting

    Signed-off-by: Warren Free
    Signed-off-by: Sebastian Andrzej Siewior
    Signed-off-by: Greg Kroah-Hartman

commit 93f152e56bb0930e252d3b2b979f6ac0dfdf6170
Author: Mel Gorman
Date:   Thu May 28 14:34:40 2009 -0700

    mm: account for MAP_SHARED mappings using VM_MAYSHARE and not VM_SHARED in hugetlbfs

    commit f83a275dbc5ca1721143698e844243fcadfabf6a upstream.

    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13302

    hugetlbfs reserves huge pages but does not fault them at mmap() time to
    ensure that future faults succeed. The reservation behaviour differs
    depending on whether the mapping was mapped MAP_SHARED or MAP_PRIVATE.
    For MAP_SHARED mappings, hugepages are reserved when mmap() is first
    called and are tracked based on information associated with the inode.
    Other processes mapping MAP_SHARED use the same reservation. MAP_PRIVATE
    track the reservations based on the VMA created as part of the mmap()
    operation. Each process mapping MAP_PRIVATE must make its own reservation.

    hugetlbfs currently checks if a VMA is MAP_SHARED with the VM_SHARED flag
    and not VM_MAYSHARE. For file-backed mappings, such as hugetlbfs,
    VM_SHARED is set only if the mapping is MAP_SHARED and the file was opened
    read-write. If a shared memory mapping was mapped shared-read-write for
    populating of data and mapped shared-read-only by other processes, then
    hugetlbfs would account for the mapping as if it was MAP_PRIVATE. This
    causes processes to fail to map the file MAP_SHARED even though it should
    succeed as the reservation is there.

    This patch alters mm/hugetlb.c and replaces VM_SHARED with VM_MAYSHARE
    when the intent of the code was to check whether the VMA was mapped
    MAP_SHARED or MAP_PRIVATE.

    Signed-off-by: Mel Gorman
    Cc: Hugh Dickins
    Cc: Ingo Molnar
    Cc: Lee Schermerhorn
    Cc: KOSAKI Motohiro
    Cc:
    Cc: Eric B Munson
    Cc: Adam Litke
    Cc: Andy Whitcroft
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit f823c237fba7c7c7f2eec63359a89dfca11a1e6c
Author: Mel Gorman
Date:   Thu May 28 14:34:37 2009 -0700

    x86: ignore VM_LOCKED when determining if hugetlb-backed page tables can be shared or not

    commit 32b154c0b0bae2879bf4e549d861caf1759a3546 upstream.

    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13302

    On x86 and x86-64, it is possible that page tables are shared between
    shared mappings backed by hugetlbfs. As part of this,
    page_table_shareable() checks a pair of vma->vm_flags and they must match
    if they are to be shared. All VMA flags are taken into account, including
    VM_LOCKED.

    The problem is that VM_LOCKED is cleared on fork().
    When a process with a shared memory segment forks() to exec() a helper,
    there will be shared VMAs with different flags. The impact is that the
    shared segment is sometimes considered shareable and other times not,
    depending on what process is checking.

    What happens is that the segment page tables are being shared but the
    count is inaccurate depending on the ordering of events. As the page
    tables are freed with put_page(), bad pmd's are found when some of the
    children exit. The hugepage counters also get corrupted and the Total and
    Free count will no longer match even when all the hugepage-backed regions
    are freed. This requires a reboot of the machine to "fix".

    This patch addresses the problem by comparing all flags except VM_LOCKED
    when deciding if pagetables should be shared or not for hugetlbfs-backed
    mapping.

    Signed-off-by: Mel Gorman
    Acked-by: Hugh Dickins
    Cc: Ingo Molnar
    Cc: Lee Schermerhorn
    Cc: KOSAKI Motohiro
    Cc:
    Cc: Eric B Munson
    Cc: Adam Litke
    Cc: Andy Whitcroft
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 500689eff402f957f55481166e09b79a9dd8b41d
Author: Roel Kluin
Date:   Thu May 28 14:34:29 2009 -0700

    drivers/serial/mpc52xx_uart.c: fix array overindexing check

    commit b898f4f869da5b9d41f297fff87aca4cd42d80b3 upstream.

    The check for an overindexing of mpc52xx_uart_{ports,nodes} has an
    off-by-one.

    Signed-off-by: Roel Kluin
    Acked-by: Wolfram Sang
    Acked-by: Grant Likely
    Cc: Benjamin Herrenschmidt
    Cc: Alan Cox
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 46ccb84b4f0c31129022075d4c720ac111c0d56f
Author: Dave Airlie
Date:   Wed May 6 09:04:52 2009 +1000

    drm/r128: fix r128 ioremaps to use ioremap_wc.

    commit 42beefc0093725ec0f8cea340cc54c36ccaceea0 upstream.

    This should allow r128 to start working again since PAT changes.

    taken from F-11 kernel.
    Signed-off-by: Dave Airlie
    Cc: Venkatesh Pallipadi
    Signed-off-by: Greg Kroah-Hartman

commit c1cc5093ab054f5d2c4942d3f5b0bf7b106ce975
Author: Luis R. Rodriguez
Date:   Wed May 13 17:04:42 2009 -0400

    cfg80211: fix race between core hint and driver's custom apply

    commit 5078b2e32ad4b1f753b1c837c15892202f753c97 upstream.

    It's possible for cfg80211 to have scheduled the work and for the global
    workqueue to not have kicked in prior to a cfg80211 driver's regulatory
    hint or wiphy_apply_custom_regulatory().

    Although this is very unlikely it's possible and should fix this race.
    When this race would happen you are expected to have hit a null pointer
    dereference panic.

    Signed-off-by: Luis R. Rodriguez
    Tested-by: Alan Jenkins
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit fb6af04fa4363ec3cf4020e28a45dcbe9853620b
Author: Avi Kivity
Date:   Sun May 24 22:19:00 2009 +0300

    KVM: Fix PDPTR reloading on CR4 writes

    commit a2edf57f510cce6a389cc14e58c6ad0a4296d6f9 upstream.

    The processor is documented to reload the PDPTRs while in PAE mode if any
    of the CR4 bits PSE, PGE, or PAE change. Linux relies on this behaviour
    when zapping the low mappings of PAE kernels during boot.

    The code already handled changes to CR4.PAE; augment it to also notice
    changes to PSE and PGE.

    This triggered while booting an F11 PAE kernel; the futex initialization
    code runs before any CR3 reloads and writes to a NULL pointer; the futex
    subsystem ended up uninitialized, killing PI futexes and pulseaudio which
    uses them.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit cd347a162c2056bff69d685b897ad74fccf1c7e0
Author: Avi Kivity
Date:   Sun May 24 22:15:25 2009 +0300

    KVM: Make paravirt tlb flush also reload the PAE PDPTRs

    commit a8cd0244e9cebcf9b358d24c7e7410062f3665cb upstream.

    The paravirt tlb flush may be used not only to flush TLBs, but also to
    reload the four page-directory-pointer-table entries, as it is used as a
    replacement for reloading CR3.
    Change the code to do the entire CR3 reloading dance instead of simply
    flushing the TLB.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 82b3c4cc1d1ab48121f5514e22e00c6dcf9e1fb7
Author: Breno Leitao
Date:   Fri May 22 21:30:39 2009 -0300

    icom: fix rmmod crash

    commit 95caa0a9bdaf93607bd0cc8932f53112496f2f22 upstream.

    Actually the icom driver is crashing when is being removed because the
    driver is kfreeing the adapter structure before calling
    pci_release_regions(), which result in the following error:

    Unable to handle kernel paging request for data at address 0x6b6b6b6b6b6b6d33
    Faulting instruction address: 0xc000000000246b80
    Oops: Kernel access of bad area, sig: 11 [#1]
    ....
    [c000000012d436a0] [c0000000001002d0] .kfree+0x120/0x34c (unreliable)
    [c000000012d43730] [c000000000246d60] .pci_release_selected_regions+0x3c/0x68
    [c000000012d437c0] [d000000002d54700] .icom_kref_release+0xf4/0x118 [icom]
    [c000000012d43850] [c000000000232e50] .kref_put+0x74/0x94
    [c000000012d438d0] [d000000002d56c58] .icom_remove+0x40/0xa4 [icom]
    [c000000012d43960] [c000000000249e48] .pci_device_remove+0x50/0x90
    [c000000012d439e0] [c0000000002d68d8] .__device_release_driver+0x94/0xd4
    [c000000012d43a70] [c0000000002d7104] .driver_detach+0xf8/0x12c
    [c000000012d43b00] [c0000000002d549c] .bus_remove_driver+0xbc/0x11c
    [c000000012d43b90] [c0000000002d71dc] .driver_unregister+0x60/0x80
    [c000000012d43c20] [c00000000024a07c] .pci_unregister_driver+0x44/0xe8
    [c000000012d43cb0] [d000000002d56bf4] .icom_exit+0x1c/0x40 [icom]
    [c000000012d43d30] [c000000000095fa8] .SyS_delete_module+0x214/0x2a8
    [c000000012d43e30] [c00000000000852c] syscall_exit+0x0/0x40

    Signed-off-by: Breno Leitao
    Cc: Alan Cox
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit f631a5124900fff41a53841c220b05433b847256
Author: Eric Paris
Date:   Wed May 13 12:50:40 2009 -0400

    TPM: get_event_name stack corruption

    commit fbaa58696cef848de818768783ef185bd3f05158 upstream.
    get_event_name uses sprintf to fill a buffer declared on the stack. It
    fills the buffer 2 bytes at a time. What the code doesn't take into
    account is that sprintf(buf, "%02x", data) actually writes 3 bytes. 2
    bytes for the data and then it nul terminates the string. Since we declare
    buf to be 40 characters long and then we write 40 bytes of data into buf
    sprintf is going to write 41 characters. The fix is to leave room in buf
    for the nul terminator.

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris
    Signed-off-by: Greg Kroah-Hartman

commit 6ff8713a30f8f4dff1174b4ea35a0b44679f49a9
Author: Ian Campbell
Date:   Tue May 19 08:25:48 2009 +0200

    xen/blkfront: allow xenbus state transition to Closing->Closed when not Connected

    commit 28afea5b2ffaa48f4f43d22ae8edcc384c05df80 upstream.

    This situation can occur when attempting to attach a block device whose
    backend is an empty physical CD-ROM driver. The backend in this case will
    go directly from the Initialising state to Closing->Closed. Previously
    this would result in a NULL pointer deref on info->gd (xenbus_dev_fatal
    does not return as a1a15ac5 seems to expect)

    Signed-off-by: Ian Campbell
    Acked-by: Jeremy Fitzhardinge
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

commit eb52dd3fe61f1b0e51f48bd7785939167835210d
Author: Thomas Gleixner
Date:   Mon May 18 21:20:10 2009 +0200

    futex: setup writeable mapping for futex ops which modify user space data

    commit 64d1304a64477629cb16b75491a77bafe6f86963 upstream.

    The futex code installs a read only mapping via get_user_pages_fast() even
    if the futex op function has to modify user space data. The eventual fault
    was fixed up by futex_handle_fault() which walked the VMA with mmap_sem
    held.

    After the cleanup patches which removed the mmap_sem dependency of the
    futex code commit 4dc5b7a36a49eff97050894cf1b3a9a02523717 (futex: clean up
    fault logic) removed the private VMA walk logic from the futex code. This
    change results in a stale RO mapping which is not fixed up.
    Instead of reintroducing the previous fault logic we set up the mapping in
    get_user_pages_fast() read/write for all operations which modify user
    space data. Also handle private futexes in the same way and make the
    current unconditional access_ok(VERIFY_WRITE) depend on the futex op.

    Reported-by: Andreas Schwab
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

commit 63eef0d3d33a89540e62207742118a6567bd4795
Author: Frank Filz
Date:   Mon May 18 17:41:40 2009 -0400

    nfs: Fix NFS v4 client handling of MAY_EXEC in nfs_permission.

    commit 7ee2cb7f32b299c2b06a31fde155457203e4b7dd upstream.

    The problem is that permission checking is skipped if atomic open is
    possible, but when exec opens a file, it just opens it O_READONLY which
    means EXEC permission will not be checked at that time.

    This problem is observed by the following sequence (executed as root):

    	mount -t nfs4 server:/ /mnt4
    	echo "ls" >/mnt4/foo
    	chmod 744 /mnt4/foo
    	su guest -c "mnt4/foo"

    Signed-off-by: Frank Filz
    Signed-off-by: Trond Myklebust
    Tested-by: Eugene Teo
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 7e3ab8deaa79f69dc99ce624f3cc857e746d62d4
Author: Inaky Perez-Gonzalez
Date:   Mon Mar 30 17:50:17 2009 -0700

    wimax: fix oops if netlink fails to add attribute

    commit d1a2627a29667fe7c4a9d06e1579a2d65bd39bba upstream.

    When sending a message to user space using wimax_msg(), if nla_put()
    fails, correctly interpret the return code from wimax_msg_alloc() as an
    err ptr and return the error code instead of crashing (as it is assuming
    than non-NULL means the pointer is ok).

    Signed-off-by: Inaky Perez-Gonzalez
    Signed-off-by: Greg Kroah-Hartman

commit 923811b7bd5e6dbc21a384147367e682e698eeda
Author: David Woodhouse
Date:   Mon May 18 13:07:35 2009 +0100

    Fix oops on close of hot-unplugged FTDI serial converter

    commit 80193195f87ebca6d7417516d6edeb3969631c15 upstream.
    Commit c45d6320 ("fix reference counting of ftdi_private") stopped
    ftdi_sio_port_remove() from directly freeing the port-private data, with
    the intention if the port was still open, it would be freed when
    ftdi_close() is eventually called and releases the last refcount on the
    structure.

    That's all very well, but ftdi_sio_port_remove() still contains a call to
    usb_set_serial_port_data(port, NULL) -- so by the time we get to
    ftdi_close() for the port which was unplugged, it _still_ oopses on
    dereferencing that NULL pointer, as it did before (and does in 2.6.29).

    The fix is just not to clear the private data in ftdi_sio_port_remove().
    Then the refcount is properly reduced to zero when the final kref_put()
    happens in ftdi_close().

    Remove a bogus comment too, while we're at it. And stop doing things
    inside "if (priv)" -- it must _always_ be there.

    Based loosely on an earlier patch by Daniel Mack, and suggestions by Alan
    Stern.

    Signed-off-by: David Woodhouse
    Tested-by: Daniel Mack
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 7b30cf45c0eaad6a87cf387a39a3638ebbced0fb
Author: Nick Piggin
Date:   Tue May 5 19:13:44 2009 +1000

    mm: SLUB fix reclaim_state

    commit 1eb5ac6466d4be7b15b38ce3ab709600f1bc891f upstream.

    SLUB does not correctly account reclaim_state.reclaimed_slab, so it will
    break memory reclaim. Account it like SLAB does.

    Cc: linux-mm@kvack.org
    Cc: Matt Mackall
    Acked-by: Christoph Lameter
    Signed-off-by: Nick Piggin
    Signed-off-by: Pekka Enberg
    Signed-off-by: Greg Kroah-Hartman

commit 15d0699747ddaf0a5d5fb26c9f095193078817be
Author: David S. Miller
Date:   Wed Apr 8 21:06:35 2009 -0700

    sparc64: Fix smp_callin() locking.

    [ Upstream commit 8e255baa449df3049a8827a7f1f4f12b6921d0d1 ]

    Interrupts must be disabled when taking the IPI lock.

    Caught by lockdep.

    Reported-by: Meelis Roos
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 2c525a3599fe8578fdb0372932dd52f1b271288b
Author: David S. Miller
Date:   Fri Apr 17 04:14:15 2009 -0700

    sparc: Fix bus type probing for ESP and LE devices.

    [ Upstream commit 956d039a2537cf79ca608450d36cc70e0e515482 ]

    If there is a dummy "espdma" or "ledma" parent device above ESP scsi or LE
    ethernet device nodes, we have to match the bus as SBUS.

    Otherwise the address and size cell counts are wrong and we don't
    calculate the final physical device resource values correctly at all.

    Commit 5280267c1dddb8d413595b87dc406624bb497946 ("sparc: Fix handling of
    LANCE and ESP parent nodes in of_device.c") was meant to fix this problem,
    but that only influences the inner loop of build_device_resources(). We
    need this logic to also kick in at the beginning of
    build_device_resources() as well, when we make the first attempt to
    determine the device's immediate parent bus type for 'reg' property
    element extraction.

    Based almost entirely upon a patch by Friedrich Oslage.

    Tested-by: Meelis Roos
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 1b725462eb20e25c555dbf6aa3e0601b8b9849ed
Author: Michael Buesch
Date:   Fri May 22 23:24:28 2009 +0000

    r8169: avoid losing MSI interrupts

    [ Upstream commit f11a377b3f4e897d11f0e8d1fc688667e2f19708 ]

    The 8169 chip only generates MSI interrupts when all enabled event sources
    are quiescent and one or more sources transition to active. If not all of
    the active events are acknowledged, or a new event becomes active while
    the existing ones are cleared in the handler, we will not see a new
    interrupt.

    The current interrupt handler masks off the Rx and Tx events once the NAPI
    handler has been scheduled, which opens a race window in which we can get
    another Rx or Tx event and never ACK'ing it, stopping all activity until
    the link is reset (ifconfig down/up). Fix this by always ACK'ing all event
    sources, and loop in the handler until we have all sources quiescent.

    Signed-off-by: David Dillow
    Tested-by: Michael Buesch
    Tested-by: Michael Riepe
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit f0edf706cf572c2a1c9100882107a3429b188aa6
Author: Jay Vosburgh
Date:   Tue Apr 14 16:53:14 2009 -0700

    bonding: Remove debug printk

    [ Upstream commit 2690f8d62e98779c71625dba9a0fd525d8b2263d ]

    Remove debug printk I accidentally left in as part of commit:

    commit 6146b1a4da98377e4abddc91ba5856bef8f23f1e
    Author: Jay Vosburgh
    Date:   Tue Nov 4 17:51:15 2008 -0800

        bonding: Fix ALB mode to balance traffic on VLANs

    Reported by Duncan Gibb

    Signed-off-by: Jay Vosburgh
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 37fec7992d53fb59d005de9c3ffb860d9d52af18
Author: Jay Vosburgh
Date:   Tue May 26 15:29:00 2009 -0700

    bonding: fix alb mode locking regression

    [ Upstream commit 815bcc2719c12b6f5b511706e2d19728e07f0b02 ]

    Fix locking issue in alb MAC address management; removed incorrect locking
    and replaced with correct locking. This bug was introduced in commit
    059fe7a578fba5bbb0fdc0365bfcf6218fa25eb0 ("bonding: Convert locks to _bh,
    rework alb locking for new locking")

    Bug reported by Paul Smith, who also tested the fix.

    Signed-off-by: Jay Vosburgh
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit bb280235b350509a284469c2bab036c796a23b12
Author: Finn Thain
Date:   Mon May 25 22:43:49 2009 -0700

    mac8390: fix regression caused during net_device_ops conversion

    [ Upstream commit 217cbfa856dc1cbc2890781626c4032d9e3ec59f ]

    Changeset ca17584bf2ad1b1e37a5c0e4386728cc5fc9dabc ("mac8390: update to
    net_device_ops") broke mac8390 by adding 8390.o to the link. That meant
    that lib8390.c was included twice, once in mac8390.c and once in 8390.c,
    subject to different macros. This patch reverts that by avoiding the
    wrappers in 8390.c. They seem to be of no value since COMPAT_NET_DEV_OPS
    is going away soon.

    Tested with a Kinetics EtherPort card.

    Signed-off-by: Finn Thain
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 11f9c95f05a392a3f58362447197a1d1bc5302c7
Author: Patrick McHardy
Date:   Fri Apr 17 15:59:23 2009 -0700

    vlan/macvlan: fix NULL pointer dereferences in ethtool handlers

    [ Upstream commit 7816a0a862d851d0b05710e7d94bfe390f3180e2 ]

    Check whether the underlying device provides a set of ethtool ops before
    checking for individual handlers to avoid NULL pointer dereferences.

    Reported-by: Art van Breemen
    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit f9a9727f0996480cd6dadfb55674364a7064ce60
Author: Stanislaw Gruszka
Date:   Wed Apr 15 02:26:49 2009 -0700

    myr10ge: again fix lro_gen_skb() alignment

    [ Upstream commit 636d2f68a0814d84de26c021b2c15e3b4ffa29de ]

    Add LRO alignment initially committed in
    621544eb8c3beaa859c75850f816dd9b056a00a3 ("[LRO]: fix lro_gen_skb()
    alignment") and removed in 0dcffac1a329be69bab0ac604bf7283737108e68
    ("myri10ge: add multislices support") during conversion to multi-slice.

    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 94c571ca297247524159f6b045cd82beb6312876
Author: Florian Westphal
Date:   Thu May 21 15:07:12 2009 -0700

    pktgen: do not access flows[] beyond its length

    [ Upstream commit 5b5f792a6a9a2f9ae812d151ed621f72e99b1725 ]

    typo -- pkt_dev->nflows is for stats only, the number of concurrent flows
    is stored in cflows.

    Reported-By: Vladimir Ivashchenko
    Signed-off-by: Florian Westphal
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit c930a1bcf48a0ba7350c224071455afcb9da0882
Author: David S. Miller
Date:   Tue Apr 14 20:28:00 2009 -0700

    Revert "rose: zero length frame filtering in af_rose.c"

    [ Upstream commit 6fd4777a1fec1f7757b5a302ad3fdcc1eae2abba ]

    This reverts commit 244f46ae6e9e18f6fc0be7d1f49febde4762c34b.

    Alan Cox did the research, and just like the other radio protocols
    zero-length frames have meaning because at the top level ROSE is X.25 PLP.
    So this zero-length filtering is invalid.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 224db0799320b9ad875e4115ad16ee64f44a2fea
Author: Eric Dumazet
Date:   Tue May 19 20:14:28 2009 +0000

    net: fix rtable leak in net/ipv4/route.c

    [ Upstream commit 1ddbcb005c395518c2cd0df504cff3d4b5c85853 ]

    Alexander V. Lukyanov found a regression in 2.6.29 and made a complete
    analysis found in http://bugzilla.kernel.org/show_bug.cgi?id=13339
    Quoted here because it's a perfect one:

    begin_of_quotation
     2.6.29 patch has introduced flexible route cache rebuilding.
     Unfortunately the patch has at least one critical flaw, and another
     problem.

     rt_intern_hash calculates rthi pointer, which is later used for new entry
     insertion. The same loop calculates cand pointer which is used to clean
     the list. If the pointers are the same, rtable leak occurs, as first the
     cand is removed then the new entry is appended to it.

     This leak leads to unregister_netdevice problem (usage count > 0).

     Another problem of the patch is that it tries to insert the entries in
     certain order, to facilitate counting of entries distinct by all but QoS
     parameters. Unfortunately, referencing an existing rtable entry moves it
     to list beginning, to speed up further lookups, so the carefully built
     order is destroyed.

     For the first problem the simplest patch is to set rthi=0 when
     rthi==cand, but it will also destroy the ordering.
    end_of_quotation

    Problematic commit is 1080d709fb9d8cd4392f93476ee46a9d6ea05a5b
    (net: implement emergency route cache rebulds when gc_elasticity is exceeded)

    Trying to keep dst_entries ordered is too complex and breaks the fact that
    order should depend on the frequency of use for garbage collection.

    A possible fix is to make rt_intern_hash() simpler, and only makes
    rt_check_expire() a little bit smarter, being able to cope with an
    arbitrary entries order. The added loop is running on cache hot data,
    while cpu is prefetching next object, so should be unnoticed.

    Reported-and-analyzed-by: Alexander V. Lukyanov
    Signed-off-by: Eric Dumazet
    Acked-by: Neil Horman
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 00ec06b2727596bb52ea01d596da0fa55793bd5c
Author: Eric Dumazet
Date:   Tue May 19 18:54:22 2009 +0000

    net: fix length computation in rt_check_expire()

    [ Upstream commit cf8da764fc6959b7efb482f375dfef9830e98205 ]

    rt_check_expire() computes average and standard deviation of chain lengths,
    but not correctly reset length to 0 at beginning of each chain.
    This probably gives overflows for sum2 (and sum) on loaded machines instead
    of meaningful results.

    Signed-off-by: Eric Dumazet
    Acked-by: Neil Horman
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit efe0627824eeb725500f76cdd28ce758d5d91fc7
Author: Eric Dumazet
Date:   Mon May 18 15:12:31 2009 -0700

    sch_teql: should not dereference skb after ndo_start_xmit()

    [ Upstream commit c0f84d0d4be3f7d818b4ffb04d27f9bae64397f0 ]

    It is illegal to dereference a skb after a successful ndo_start_xmit()
    call. We must store skb length in a local variable instead.

    Bug was introduced in 2.6.27 by commit 0abf77e55a2459aa9905be4b226e4729d5b4f0cb
    (net_sched: Add accessor function for packet length for qdiscs)

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d7a6c1b0a5d74c37ada244880779750eda1a370e
Author: Thomas Chenault
Date:   Mon May 18 21:43:27 2009 -0700

    net: fix skb_seq_read returning wrong offset/length for page frag data

    [ Upstream commit 995b337952cdf7e05d288eede580257b632a8343 ]

    When called with a consumed value that is less than skb_headlen(skb)
    bytes into a page frag, skb_seq_read() incorrectly returns an
    offset/length relative to skb->data. Ensure that data which should come
    from a page frag does.

    Signed-off-by: Thomas Chenault
    Tested-by: Shyam Iyer
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 3ae0f1042ff18706e652b2cff7419136cebf0f22
Author: Ilpo Jarvinen
Date:   Tue Apr 14 02:08:53 2009 -0700

    tcp: fix >2 iw selection

    [ Upstream commit 86bcebafc5e7f5163ccf828792fe694b112ed6fa ]

    A long-standing feature in tcp_init_metrics() is such that
    any of its goto reset prevents call to tcp_init_cwnd().

    Signed-off-by: Ilpo Jarvinen
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 35eca254c87cb5664e59da0e4ceb2a755d04c047
Author: Ilpo Jarvinen
Date:   Sun May 10 20:32:34 2009 +0000

    tcp: fix MSG_PEEK race check

    [ Upstream commit 775273131810caa41dfc7f9e552ea5d8508caf40 ]

    Commit 518a09ef11 (tcp: Fix recvmsg MSG_PEEK influence of
    blocking behavior) lets the loop run longer than the race check
    did previously expect, so we need to be more careful with this
    check and consider the work we have been doing.

    I tried my best to deal with urg hole madness too which happens
    here:
        if (!sock_flag(sk, SOCK_URGINLINE)) {
            ++*seq;
            ...
    by using additional offset by one but I certainly have very
    little interest in testing that part.

    Signed-off-by: Ilpo Jarvinen
    Tested-by: Frans Pop
    Tested-by: Ian Zimmermann
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit de9fbb9b8480bbcde060589621923fceb4b4a5d7
Author: Nicolas Dichtel
Date:   Mon Apr 27 02:58:59 2009 -0700

    xfrm: wrong hash value for temporary SA

    [ Upstream commit 6a783c9067e3f71aac61a9262fe42c1f68efd4fc ]

    When kernel inserts a temporary SA for IKE, it uses the wrong hash
    value for dst list. Two hash values were calculated before: one with
    source address and one with a wildcard source address.

    Bug hinted by Junwei Zhang

    Signed-off-by: Nicolas Dichtel
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
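
The effect described in commit 00ec06b2727596bb52ea01d596da0fa55793bd5c above ("net: fix length computation in rt_check_expire()") can be seen in numbers. The following is an added example, not kernel code and not part of the changelog: a simplified user-space model with hypothetical names (chain_stats, scan_chains) and a constructed four-chain sample, comparing the chain-length statistics with and without the per-chain reset of length.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified user-space model; every name here is hypothetical. */
struct chain_stats {
    unsigned long sum;   /* sum of per-chain lengths */
    unsigned long sum2;  /* sum of squared per-chain lengths */
    unsigned long avg;   /* integer mean chain length */
    unsigned long var;   /* integer variance: sum2/n - avg*avg */
};

/* Constructed sample: four hash chains holding 1, 3, 1 and 3 entries. */
static const unsigned sample_chains[] = {1, 3, 1, 3};
#define SAMPLE_N (sizeof(sample_chains) / sizeof(sample_chains[0]))

/* reset_per_chain == 0 models the bug from the commit message (length
 * carries over from one chain to the next); 1 models the fix. */
static struct chain_stats scan_chains(const unsigned *chain_len, size_t n,
                                      int reset_per_chain)
{
    struct chain_stats st = {0, 0, 0, 0};
    unsigned long length = 0;

    for (size_t i = 0; i < n; i++) {
        if (reset_per_chain)
            length = 0;                 /* start each chain at zero */
        for (unsigned e = 0; e < chain_len[i]; e++)
            length++;                   /* one step per entry walked */
        st.sum += length;
        st.sum2 += length * length;     /* grows quadratically if stale */
    }
    if (n) {
        st.avg = st.sum / n;
        st.var = st.sum2 / n - st.avg * st.avg;
    }
    return st;
}

int main(void)
{
    struct chain_stats bad = scan_chains(sample_chains, SAMPLE_N, 0);
    struct chain_stats good = scan_chains(sample_chains, SAMPLE_N, 1);
    printf("stale: sum=%lu sum2=%lu var=%lu\n", bad.sum, bad.sum2, bad.var);
    printf("reset: sum=%lu sum2=%lu var=%lu\n", good.sum, good.sum2, good.var);
    return 0;
}
```

Without the reset, each sample is a running total of all entries seen so far, so sum2 scales with the square of the table's total entry count rather than with individual chain lengths.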