commit 12010107aaf417503b7e413d84f2554080aebfe2 Author: Greg Kroah-Hartman Date: Thu Jul 2 16:41:20 2009 -0700 Linux 2.6.29.6 commit be5583f5440217b114eb0a0c172d85d92d86dfbb Author: Renaud Lottiaux Date: Tue Jun 30 11:41:34 2009 -0700 bsdacct: fix access to invalid filp in acct_on() commit df279ca8966c3de83105428e3391ab17690802a9 upstream. The file opened in acct_on and freshly stored in the ns->bacct struct can be closed in acct_file_reopen by a concurrent call after we release acct_lock and before we call mntput(file->f_path.mnt). Record file->f_path.mnt in a local variable and use this variable only. Signed-off-by: Renaud Lottiaux Signed-off-by: Louis Rilling Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 57b70321247d5decb480a8344c29ab5813901790 Author: Milan Broz Date: Mon Jun 22 10:12:11 2009 +0100 dm: sysfs skip output when device is being destroyed commit 4d89b7b4e4726893453d0fb4ddbb5b3e16353994 upstream. Do not process sysfs attributes when device is being destroyed. Otherwise code can cause BUG_ON(test_bit(DMF_FREEING, &md->flags)); in dm_put() call. Signed-off-by: Milan Broz Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 85e05eaba5840385843fe61d8db191be84fe3ac6 Author: Mikulas Patocka Date: Mon Jun 22 10:12:10 2009 +0100 dm mpath: validate hw_handler argument count commit e094f4f15f5169526c7200b9bde44b900548a81e upstream. Fix arg count parsing error in hw handlers. Signed-off-by: Mikulas Patocka Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 4869fdea77052c480c54b9e66a927ba036eab29e Author: Mikulas Patocka Date: Mon Jun 22 10:08:02 2009 +0100 dm mpath: validate table argument count commit 0e0497c0c017664994819f4602dc07fd95896c52 upstream. The parser reads the argument count as a number but doesn't check that sufficient arguments are supplied. This command triggers the bug: dmsetup create mpath --table "0 `blockdev --getsize /dev/mapper/cr0` multipath 0 0 2 1 round-robin 1000 0 1 1 /dev/mapper/cr0 round-robin 0 1 1 /dev/mapper/cr1 1000" kernel BUG at drivers/md/dm-mpath.c:530! Signed-off-by: Mikulas Patocka Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit f42f498bee4760d4db6f55cfab98f42ae7660e1c Author: Dimitri Sivanich Date: Tue Jun 23 12:37:04 2009 -0700 mm: fix handling of pagesets for downed cpus commit 364df0ebfbbb1330bfc6ca159f4d6020efc15a12 upstream. After downing/upping a cpu, an attempt to set /proc/sys/vm/percpu_pagelist_fraction results in an oops in percpu_pagelist_fraction_sysctl_handler(). If a processor is downed then we need to set the pageset pointer back to the boot pageset. Updates of the high water marks should not access pagesets of unpopulated zones (those pointer go to the boot pagesets which would be no longer functional if their size would be increased beyond zero). Signed-off-by: Dimitri Sivanich Signed-off-by: Christoph Lameter Reviewed-by: KOSAKI Motohiro Cc: Nick Piggin Cc: Mel Gorman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 19073084ce0ae63d69d84628315a90e84cf801cc Author: Clemens Ladisch Date: Mon Jun 22 10:01:59 2009 +0200 sound: seq_midi_event: fix decoding of (N)RPN events commit 6423f9ea8035138d70bae1a278d3b57b743f8b3e upstream. When decoding (N)RPN sequencer events into raw MIDI commands, the extra_decode_xrpn() function had accidentally swapped the MSB and LSB controller values of both the parameter number and the data value. Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 93203883b19d61bbeb7a23fe9166bdac0f5f877a Author: Andrew Vasquez Date: Wed Jun 17 10:30:31 2009 -0700 qla2xxx: Correct (again) overflow during dump-processing on large-memory ISP23xx parts. commit e18e963b7e533149676b5d387d0a56160df9f111 upstream. Commit 7b867cf76fbcc8d77867cbec6f509f71dce8a98f ([SCSI] qla2xxx: Refactor qla data structures) inadvertently reverted e792121ec85672c1fa48f79d13986a3f4f56c590 ([SCSI] qla2xxx: Correct overflow during dump-processing on large-memory ISP23xx parts.). Signed-off-by: Andrew Vasquez Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit de04a674cce8637098466b7487e79eebf69fd991 Author: Jiri Slaby Date: Mon Jun 22 18:42:10 2009 +0100 pcmcia/cm4000: fix lock imbalance commit 69ae59d7d8df14413cf0a97b3e372d7dc8352563 upstream. Don't return from switch/case, break instead, so that we unlock BKL. Signed-off-by: Jiri Slaby Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d58c84b663ef7991ca6e06de059d097b68510507 Author: Rafael J. Wysocki Date: Mon May 18 22:51:12 2009 +0200 PCI PM: Follow PCI_PM_CTRL_NO_SOFT_RESET during transitions from D3 commit f62795f1e892ca9269849fa83de97621da7e02c0 upstream. According to the PCI PM specification (PCI Bus Power Management Interface Specification, Rev. 1.2, Section 5.4.1) we are supposed to reinitialize devices that have PCI_PM_CTRL_NO_SOFT_RESET clear during all transitions from PCI_D3hot to PCI_D0, but we only do it if the device's current_state field is equal to PCI_UNKNOWN. This may lead to problems if a device with PCI_PM_CTRL_NO_SOFT_RESET unset is put into PCI_D3hot at run time by its driver and pci_set_power_state() is used to put it back into PCI_D0, because in that case the device will remain uninitialized after pci_set_power_state() has returned. Prevent that from happening by modifying pci_raw_set_power_state() to reinitialize devices with PCI_PM_CTRL_NO_SOFT_RESET unset during all transitions from D3 to D0. Signed-off-by: Rafael J. Wysocki Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit d0f16e278fc318c16b734ff2f8bd23e52f33f2ff Author: Rafael J. Wysocki Date: Sun Jun 14 21:25:02 2009 +0200 PCI PM: Fix handling of devices without PM support by pci_target_state() commit d2abdf62882d982c58e7a6b09ecdcfcc28075e2e upstream. If a PCI device is not power-manageable either by the platform, or with the help of the native PCI PM interface, pci_target_state() will return either PCI_D3hot, or PCI_POWER_ERROR for it, depending on whether or not the device is configured to wake up the system. Alas, none of these return values is correct, because each of them causes pci_prepare_to_sleep() to return error code, although it should complete successfully in such a case. Fix this problem by making pci_target_state() always return PCI_D0 for devices that cannot be power managed. Signed-off-by: Rafael J. Wysocki Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 1e05ac98c893a06e45266102ab221bfef01a61f6 Author: FUJITA Tomonori Date: Mon Jun 22 16:54:27 2009 +0100 parport_pc: set properly the dma_mask for parport_pc device commit dfa7c4d869b7d3d37b70f1de856f2901b6ebfcf0 upstream. parport_pc_probe_port() creates the own 'parport_pc' device if the device argument is NULL. Then parport_pc_probe_port() doesn't initialize the dma_mask and coherent_dma_mask of the device and calls dma_alloc_coherent with it. dma_alloc_coherent fails because dma_alloc_coherent() doesn't accept the uninitialized dma_mask: http://lkml.org/lkml/2009/6/16/150 Long ago, X86_32 and X86_64 had the own dma_alloc_coherent implementations; X86_32 accepted a device having dma_mask that is not initialized however X86_64 didn't. When we merged them, we chose to prohibit a device having dma_mask that is not initialized. I think that it's good to require drivers to set up dma_mask (and coherent_dma_mask) properly if the drivers want DMA. Signed-off-by: FUJITA Tomonori Reported-by: Malcom Blaney Tested-by: Malcom Blaney Signed-off-by: Alan Cox Acked-by: Jeff Garzik Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c6daac00e28deb1d922c222e7666557c6c7f7fb2 Author: Jens Rottmann Date: Mon Jun 22 16:51:49 2009 +0100 parport_pc: after superio probing restore original register values commit e2434dc1c19412639dd047a4d4eff8ed0e5d0d50 upstream. CONFIG_PARPORT_PC_SUPERIO probes for various superio chips by writing byte sequences to a set of different potential I/O ranges. But the probed ranges are not exclusive to parallel ports. Some of our boards just happen to have a watchdog in one of them. Took us almost a week to figure out why some distros reboot without warning after running flawlessly for 3 hours. For exactly 170 = 0xAA minutes, that is ... Fixed by restoring original values after probing. Also fixed too small request_region() in detect_and_report_it87(). Signed-off-by: Jens Rottmann Signed-off-by: Alan Cox Acked-by: Jeff Garzik Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 13f3674e1d342e28ced6ba0b0b9a9ddf3921df5c Author: Andreas Herrmann Date: Fri Jun 19 10:59:09 2009 +0200 x86: Set cpu_llc_id on AMD CPUs commit 99bd0c0fc4b04da54cb311953ef9489931c19c63 upstream. This counts when building sched domains in case NUMA information is not available. ( See cpu_coregroup_mask() which uses llc_shared_map which in turn is created based on cpu_llc_id. ) Currently Linux builds domains as follows: (example from a dual socket quad-core system) CPU0 attaching sched-domain: domain 0: span 0-7 level CPU groups: 0 1 2 3 4 5 6 7 ... CPU7 attaching sched-domain: domain 0: span 0-7 level CPU groups: 7 0 1 2 3 4 5 6 Ever since that is borked for multi-core AMD CPU systems. This patch fixes that and now we get a proper: CPU0 attaching sched-domain: domain 0: span 0-3 level MC groups: 0 1 2 3 domain 1: span 0-7 level CPU groups: 0-3 4-7 ... CPU7 attaching sched-domain: domain 0: span 4-7 level MC groups: 7 4 5 6 domain 1: span 0-7 level CPU groups: 4-7 0-3 This allows scheduler to assign tasks to cores on different sockets (i.e. that don't share last level cache) for performance reasons. Signed-off-by: Andreas Herrmann LKML-Reference: <20090619085909.GJ5218@alberich.amd.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit a134c9a9e0be16e272e12ba4cac39e51c8359ddc Author: Jiri Slaby Date: Mon Jun 22 18:42:18 2009 +0100 vt_ioctl: fix lock imbalance commit a115902f67ef51fbbe83e214fb761aaa9734c1ce upstream. Don't return from switch/case directly in vt_ioctl. Set ret and break instead so that we unlock BKL. Signed-off-by: Jiri Slaby Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7786253062211453885cb7e86528ff96e9099268 Author: Dan Williams Date: Tue Jun 16 16:00:33 2009 -0700 md/raid5: add missing call to schedule() after prepare_to_wait() commit 7a3ab908948b6296ee7e81d42f7c176361c51975 upstream. In the unlikely event that reshape progresses past the current request while it is waiting for a stripe we need to schedule() before retrying for 2 reasons: 1/ Prevent list corruption from duplicated list_add() calls without intervening list_del(). 2/ Give the reshape code a chance to make some progress to resolve the conflict. Signed-off-by: Dan Williams Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 6e8ad8ea9d8c134f345ef3cca89c91aeadf2553e Author: Bob Copeland Date: Fri Jun 5 08:21:50 2009 -0400 mac80211: fix minstrel single-rate memory corruption commit 5ee58d7e6ad019675b4090582aec4fa1180d8703 upstream. The minstrel rate controller periodically looks up rate indexes in a sampling table. When accessing a specific row and column, minstrel correctly does a bounds check which, on the surface, appears to handle the case where mi->n_rates < 2. However, mi->sample_idx is actually defined as an unsigned, so the right hand side is taken to be a huge positive number when negative, and the check will always fail. Consequently, the RC will overrun the array and cause random memory corruption when communicating with a peer that has only a single rate. The max value of mi->sample_idx is around 25 so casting to int should have no ill effects. Without the change, uptime is a few minutes under load with an AP that has a single hard-coded rate, and both the AP and STA could potentially crash. With the change, both lasted 12 hours with a steady load. Thanks to Ognjen Maric for providing the single-rate clue so I could reproduce this. This fixes http://bugzilla.kernel.org/show_bug.cgi?id=12490 on the regression list (also http://bugzilla.kernel.org/show_bug.cgi?id=13000). Reported-by: Sergey S. Kostyliov Reported-by: Ognjen Maric Signed-off-by: Bob Copeland Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 40df2000dc79061fea477c4be54ef93ecc25f04a Author: Peter Zijlstra Date: Fri Jun 12 10:04:01 2009 +0200 lockdep: Select frame pointers on x86 commit 00540e5d54be972a94a3b2ce6da8621bebe731a2 upstream. x86 stack traces are a piece of crap without frame pointers, and its not like the 'performance gain' of not having stack pointers matters when you selected lockdep. Reported-by: Andrew Morton LKML-Reference: Signed-off-by: Peter Zijlstra Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 726634a6a31a685e69c954db32b6e8aa048c2ad2 Author: Yinghai Lu Date: Thu Jun 4 19:14:22 2009 -0700 x86: handle initrd that extends into unusable memory commit 8c5dd8f43367f4f266dd616f11658005bc2d20ef upstream. On a system where system memory (according e820) is not covered by mtrr, mtrr_trim_memory converts a portion of memory to reserved, but bootloader has already put the initrd in that range. Thus, we need to have 64bit to use relocate_initrd too. [ Impact: fix using initrd when mtrr_trim_memory happen ] Signed-off-by: Yinghai Lu Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 551f9324e3fe9b3981e6fd0dd6c8828d67879e3b Author: Jack Morgenstein Date: Fri Jun 5 10:36:24 2009 -0700 IB/mlx4: Add strong ordering to local inval and fast reg work requests commit 2ac6bf4ddc87c3b6b609f8fa82f6ebbffeac12f4 upstream. The ConnectX Programmer's Reference Manual states that the "SO" bit must be set when posting Fast Register and Local Invalidate send work requests. When this bit is set, the work request will be executed only after all previous work requests on the send queue have been executed. (If the bit is not set, Fast Register and Local Invalidate WQEs may begin execution too early, which violates the defined semantics for these operations) This fixes the issue with NFS/RDMA reported in Signed-off-by: Jack Morgenstein Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit f88319f901c05f61234274c1f7eb5437a3b4ef77 Author: Scott James Remnant Date: Thu Apr 2 16:56:47 2009 -0700 floppy: provide a PNP device table in the module. commit 83f9ef463bcb4ba7b4fee1d6212fac7d277010d3 upstream. The missing device table means that the floppy module is not auto-loaded, even when the appropriate PNP device (0700) is found. We don't actually use the table in the module, since the device doesn't have a struct pnp_driver, but it's sufficient to cause an alias in the module that udev/modprobe will use. Signed-off-by: Scott James Remnant Signed-off-by: Tim Gardner Cc: Bjorn Helgaas Cc: Philippe De Muyter Acked-by: Kay Sievers Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit db52480248341db734ba9543cdc1591b7f1958ad Author: Takashi Iwai Date: Tue Jun 2 11:37:01 2009 +0200 ALSA: ca0106 - Add missing registrations of vmaster controls commit 601e1cc5df940b59e71c947726640811897d30df upstream. Although the vmaster controls are created, they aren't registered thus they don't appear in the real world. Added the missing snd_ctl_add() calls. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 5f1d6d0642ddd6a06d27897f4e24f1167dfa1ef3 Author: Jean Delvare Date: Fri Jun 5 12:02:38 2009 +0200 x86: Add quirk for reboot stalls on a Dell Optiplex 360 commit 4a4aca641bc4598e77b866804f47c651ec4a764d upstream. The Dell Optiplex 360 hangs on reboot, just like the Optiplex 330, so the same quirk is needed. Signed-off-by: Jean Delvare Cc: Steve Conklin Cc: Leann Ogasawara LKML-Reference: <200906051202.38311.jdelvare@suse.de> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 63f0fc9af83927e17b686b774391c31ff3bdd58f Author: Greg Kroah-Hartman Date: Mon Jun 15 13:13:05 2009 -0700 USB: usbtmc: fix switch statment commit a92b63e7e4c185b4dd9e87762e2cb716e54482d0 upstream. Steve Holland pointed out that we forgot to call break; in the switch statment. This probably resolves a lot of the bug reports I've gotten for the driver lately. Stupid me... Reported-by: Steve Holland Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 2db2ebb8a1f6e8d6dfec590b4ed8af0c8135b7cb Author: Karsten Keil Date: Tue Jun 2 14:57:35 2009 +0200 ISDN: Fix DMA alloc for hfcpci commit 8a745b9d91962991ce87a649a4dc3af3206c2c8b upstream. Replace wrong code with correct DMA API functions. Signed-off-by: Karsten Keil Signed-off-by: Greg Kroah-Hartman commit 23ec811660ad80ddd94887bf1538caf29ff0a605 Author: Dirk Eibach Date: Thu Jun 18 16:49:15 2009 -0700 char: moxa, prevent opening unavailable ports commit a90b037583d5f1ae3e54e9c687c79df82d1d34a4 upstream. In moxa.c there are 32 minor numbers reserved for each device. The number of ports actually available per device is stored in moxa_board_conf->numPorts. This number is not considered in moxa_open(). Opening a port that is not available results in a kernel oops. This patch adds a test to moxa_open() that prevents opening unavailable ports. [akpm@linux-foundation.org: avoid multiple returns] Signed-off-by: Dirk Eibach Signed-off-by: Jiri Slaby Cc: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f36b53bbfd593b08456a1cf7196fdd84391c89b3 Author: Stephen Hemminger Date: Thu Jun 11 05:46:04 2009 -0700 bonding: fix multiple module load problem [ Upstream commit 130aa61a77b8518f1ea618e1b7d214d60b405f10 ] Some users still load bond module multiple times to create bonding devices. This accidentally was broken by a later patch about the time sysfs was fixed. According to Jay, it was broken by: commit b8a9787eddb0e4665f31dd1d64584732b2b5d051 Author: Jay Vosburgh Date: Fri Jun 13 18:12:04 2008 -0700 bonding: Allow setting max_bonds to zero Note: sysfs and procfs still produce WARN() messages when this is done so the sysfs method is the recommended API. Signed-off-by: Stephen Hemminger Signed-off-by: Jay Vosburgh Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 156e8908ca2ec54902fc92ea1107f2b0d88493b4 Author: Nicolas Ferre Date: Thu May 28 14:34:36 2009 -0700 atmel_lcdfb: correct fifo size for some products commit 53b7479bbdaedcc7846c66fd608fe66f1b5aa35b upstream. Remove wrong fifo size definition for some AT91 products. Due to a misunderstanding of some AT91 datasheets, a fifo size of 2048 (words) has been introduced by mistake. In fact, all products (AT91/AT32) are sharing the same fifo size of 512 words. Signed-off-by: Nicolas Ferre Cc: Andrew Victor Acked-by: Haavard Skinnemoen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 860bd4a1f1df20a003e8867aae06b8acfa270e90 Author: Chuck Ebbert Date: Wed Jun 10 17:56:46 2009 -0400 atkbd: add forced release quirks for four more keyboard models Add atkbd forced key release quirks for four more notebook models. Rollup of: linux-2.6.git-391916985b009b8934d00f772a3bde0d8a495ebd.patch linux-2.6.git-adcb523eb39e0dd2f712d8dbd8e18b5d36a97825.patch linux-2.6.git-157f3a3e17cd498571db2a472dc3a15a7679ee3f.patch linux-2.6.git-e04126c79242d2740b469292d42c239bad7807cc.patch linux-2.6.git-9166d0f620d5dd4a128711bdeedb3e0f534d9d49.patch Cc: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 293befa334c31e96745c616ab7947b28922d9c59 Author: Shaohua Li Date: Mon Jun 8 09:27:25 2009 +0800 PCI: disable ASPM on VIA root-port-under-bridge configurations commit 8e822df700694ca6850d1e0c122fd7004b2778d8 upstream. VIA has a strange chipset, it has root port under a bridge. Disable ASPM for such strange chipset. Tested-by: Wolfgang Denk Signed-off-by: Shaohua Li Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 1a5194ba2557a9fa153e146c9a342efe7145e6c5 Author: Yinghai Lu Date: Tue Jun 16 15:31:16 2009 -0700 firmware_map: fix hang with x86/32bit commit 3b0fde0fac19c180317eb0601b3504083f4b9bf5 upstream. Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13484 Peer reported: | The bug is introduced from kernel 2.6.27, if E820 table reserve the memory | above 4G in 32bit OS(BIOS-e820: 00000000fff80000 - 0000000120000000 | (reserved)), system will report Int 6 error and hang up. The bug is caused by | the following code in drivers/firmware/memmap.c, the resource_size_t is 32bit | variable in 32bit OS, the BUG_ON() will be invoked to result in the Int 6 | error. I try the latest 32bit Ubuntu and Fedora distributions, all hit this | bug. |====== |static int firmware_map_add_entry(resource_size_t start, resource_size_t end, | const char *type, | struct firmware_map_entry *entry) and it only happen with CONFIG_PHYS_ADDR_T_64BIT is not set. it turns out we need to pass u64 instead of resource_size_t for that. [akpm@linux-foundation.org: add comment] Reported-and-tested-by: Peer Chen Signed-off-by: Yinghai Lu Cc: Ingo Molnar Acked-by: H. Peter Anvin Cc: Thomas Gleixner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 213c3d35d1cc32145a9e20c7c7fdefbf9889fe33 Author: Nick Piggin Date: Tue Jun 2 12:07:47 2009 +0200 fs: remove incorrect I_NEW warnings commit 545b9fd3d737afc0bb5203b1e79194a471605acd upstream. Some filesystems can call in to sync an inode that is still in the I_NEW state (eg. ext family, when mounted with -osync). This is OK because the filesystem has sole access to the new inode, so it can modify i_state without races (because no other thread should be modifying it, by definition of I_NEW). Ie. a false positive, so remove the warnings. The races are described here 7ef0d7377cb287e08f3ae94cebc919448e1f5dff, which is also where the warnings were introduced. Reported-by: Stephen Hemminger Signed-off-by: Nick Piggin Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 7fd62502841422ee97456d5897f3b3c5b9d72606 Author: Eric Dumazet Date: Tue Jun 9 04:01:02 2009 -0700 r8169: fix crash when large packets are received commit fdd7b4c3302c93f6833e338903ea77245eb510b4 upstream. Michael Tokarev reported receiving a large packet could crash a machine with RTL8169 NIC. ( original thread at http://lkml.org/lkml/2009/6/8/192 ) Problem is this driver tells that NIC frames up to 16383 bytes can be received but provides skb to rx ring allocated with smaller sizes (1536 bytes in case standard 1500 bytes MTU is used) When a frame larger than what was allocated by driver is received, dma transfert can occurs past the end of buffer and corrupt kernel memory. Fix is to tell to NIC what is the maximum size a frame can be. This bug is very old, (before git introduction, linux-2.6.10), and should be backported to stable versions. Reported-by: Michael Tokarev Signed-off-by: Eric Dumazet Tested-by: Michael Tokarev Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d4fffcf8300fccf8d734c6a4b45d6667a2426be8 Author: Jan Kara Date: Tue Jun 9 16:26:26 2009 -0700 jbd: fix race in buffer processing in commit code commit a61d90d75d0f9e86432c45b496b4b0fbf0fd03dc upstream. In commit code, we scan buffers attached to a transaction. During this scan, we sometimes have to drop j_list_lock and then we recheck whether the journal buffer head didn't get freed by journal_try_to_free_buffers(). But checking for buffer_jbd(bh) isn't enough because a new journal head could get attached to our buffer head. So add a check whether the journal head remained the same and whether it's still at the same transaction and list. This is a nasty bug and can cause problems like memory corruption (use after free) or trigger various assertions in JBD code (observed). Signed-off-by: Jan Kara Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5a2d8254ba67a1ce5a2cdcf934eea0fc63d41d08 Author: Peter Botha Date: Tue Jun 9 17:16:32 2009 -0700 char: mxser, fix ISA board lookup commit 96050dfb25966612008dcea7d342e91fa01e993c upstream. There's a bug in the mxser kernel module that still appears in the 2.6.29.4 kernel. mxser_get_ISA_conf takes a ioaddress as its first argument, by passing the not of the ioaddr, you're effectively passing 0 which means it won't be able to talk to an ISA card. I have tested this, and removing the ! fixes the problem. Cc: "Peter Botha" Signed-off-by: Jiri Slaby Acked-by: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5c652d98415a927dec43a1267d3e64a40dbb6936 Author: Alan Cox Date: Thu May 28 14:01:35 2009 +0100 8250: Fix oops from setserial commit b8e7e40abeac49644fec4a4f52ffe74c7b05eca0 upstream. If you setserial a port which has never been initialised we change the type but don't update the I/O method pointers. The same problem is true if you change the io type of a port - but nobody ever does that so nobody noticed! Remember the old type and when attaching if the type has changed reload the port accessor pointers. We can't do it blindly as some 8250 drivers load custom accessors and we must not stomp those. Tested-by: Victor Seryodkin Closes-bug: #13367 Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds Cc: Kirill Smelkov Signed-off-by: Greg Kroah-Hartman commit 546eeb68fce4648c014679b2a57e4e7f8a6d4463 Author: Philippe De Muyter Date: Thu Apr 2 16:58:53 2009 -0700 parport: netmos 9845 & 9855 1P4S fixes commit 50db9d8e4ca17974595e3848cb65f9371a304de4 upstream. netmos serial/parallel adapters come in different flavour differing only by the number of parallel and serial ports, which are encoded in the subdevice ID. Last fix of Christian Pellegrin for 9855 2P2S broke support for 9855 1P4S, and works only by side-effect for the first parallel port of a 2P2S, as this first parallel port is found by reading the second addr entry of (struct parport_pc_pci) cards[netmos_9855], which is not initialized, and hence has value 0, which happens to be the BAR of the first parallel port. netmos_9xx5_combo entry in (struct parport_pc_pci) cards[], which is used for a 9845 1P4S must also be fixed for the parallel port support when there are 4 serial ports because this entry currently gives 2 as BAR index for the parallel port. Actually, in this case, BAR 2 is the 3rd serial port while the parallel port is at BAR 4. I fixed 9845 1P4S and 9855 1P4S support, while preserving 9855 2P2S support, - by creating a netmos_9855_2p entry and using it for 9855 boards with 2 parallel ports : 9855 2P2S and 9855 2P0S boards, - and by allowing netmos_parallel_init to change not only the number of parallel ports (0 or 1), but making it also change the BAR index of the parallel port when the serial ports are before the parallel port. PS: the netmos_9855_2p entry in (struct pciserial_board) pci_parport_serial_boards[] is needed because netmos_parallel_init has no clean way to replace FL_BASE2 by FL_BASE4 in the description of the serial ports in function of the number of parallel ports on the card. Tested with 9845 1P4S, 9855 1P4S and 9855 2P2S boards. Signed-off-by: Philippe De Muyter Tested-by: Christian Pellegrin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman